And this bug: https://fedorahosted.org/sssd/ticket/2569
Since it's fixed, it should appear in sssd 1.13 release?
l...@avc.su wrote on 2015-07-03 18:29:
Hello.
I've encountered an issue with ssh login to freeipa clients in trusted
environment.
getent/id
Rob Crittenden: Thank you for your help!
This is RESOLVED, and I want to make some notes here, because finding the magic
combination of syntax has been... trying.
Products affected:
FreeIPA 2.0.1, Zimbra 7.1 OSE
NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra Collaboration
On 05/31/2011 05:12 PM, Steven Jones wrote:
I've tried googling and found nothing really... it doesn't bode well.
The general theme: is use standard NSS_LDAP + PAM_KRB5 instructions
provided on the platforms that do not support SSSD.
There is nothing better than that.
Maybe this
I'm trying to create a replica.
I have two F15 boxen with all updates.
The first IPA is humperdinck, running right with DNS and manage-able from the
CLI and web.
vizzini wants to be the second IPA, but is failing with the console output
below:
I'm really not sure where to begin the
Second round of tries today.
I've tried dropping the firewall on both servers, and disabling enforcement for
SELinux, and a full yum upgrade.
No change in the symptoms so far... :-(
Attached is /var/log/ipa* and below is my console output.
Any hints? Clues? Links to things I should know to read?
that, because I doc'd it when I did it (here, in fact).
David L. Willson
Trainer, Engineer, Enthusiast
RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
tel://720.333.LANS
Freedom is better when you earn it. Learn Linux.
- Original Message -
From: David L. Willson dlwill...@thegeek.nu
On Thu, 2013-02-14 at 18:56 +0100, Sigbjorn Lie wrote:
On 02/13/2013 04:10 PM, Rob Crittenden wrote:
Also, since we also require compatibility with Solaris, and roles (RBAC)
are currently used on Solaris, does IPA support RBAC on Solaris? (We
noticed that RBAC is mentioned in the IPA web
On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
I agree with schema support being enough for now. I do not expect the
ipa mgmt tools to support Solaris rbac mgmt.
The ipa mgmt tools are great, but I already have other data in the ipa
ldap that I have to manage manually anyway.
What is the preferred IPA platform for performing this endeavor?
Would it be best to create an environment, virtual or physical, that has
RHEL6 update 4 fully patched and IdM installed?
or would
Fedora 18 with the
http://jdennis.fedorapeople.org/ipa-devel/fedora/18/x86_64/os/
yum repository
I've used this to extend the password expiration. It should work for
setting an expired password expiration. You have to hit enter twice
after the krbPasswordExpiration: 2013100800Z line.
# ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn:
: userPassword
userPassword: {MD5}QvdJref54ZW/R183pEyvyw==
EOF
Do I need to modify another attribute?...any clue?
Thanks in advance!
On 10/08/2013 12:07 PM, Rodney L. Mercer wrote:
I've used this to extend the password expiration. It should work for
setting an expired password
Did we confirm that this is a bug?
Was it filed?
The user added this information to
https://bugzilla.redhat.com/show_bug.cgi?id=953488 last week.
rob
Bug still appears on F19 (ran into it again installing another FreeIPA
server for my lab). Will look at re-creating in a virtual
Hello,
I manage a suite of machines and services which are used for collaborative
projects with external partners. I want to allow users within our organization
to authenticate with their existing Active Directory accounts, and I have set
up an External Users LDAP directory to establish
Hi Dimitri,
Just to be sure I understand.
You have internal users - they are in AD. You have external users - they are
in LDAP.
You merge two directories and you want to replace this setup with IPA.
Yes.
It seems that to support your use case you would need to make the external
users be IPA
In my previous message, I asked about one-way trust with AD to provide a means
of extending our corporate AD with accounts for external cooperators. I
expect this is just a technical matter: either FreeIPA supports it or not, and
there are no conceptual obstacles. So, my password is the same, and
Both AD integration solutions we have (synchronization and
cross-forest domain trusts) assume having higher level access
privileges at the time integration is set up.
My problem here is that I'm too ignorable. :) There's over 15000 users in our
AD; I'm in Montana, the admins are in DC.
I think that the requirement is to have two distinct sets of users
while you don't have control over one set (AD users) but you have to
manage the other set (IPA users) somehow.
Yup.
I'm yet to see what is the benefit over having only IPA users. Given single
sign-on wasn't a concern, it makes
I don't know if this is your issue, but I noticed this:
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create krb5
context for user with uid 0 for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine
krb5 context with
You raise a good point regarding kinit - do I have to be kinit'ed in as anybody
before trying to mount the share? I thought as the host and service principals
are in the /etc/krb5.keytab I didn't need to specifically authenticate against
the IPA server? - I might be showing a fundamental lack
On Wed, Feb 26, 2014 at 04:24:54PM -0500, Steve Dainard wrote:
Would it not be possible for root to disable selinux enforcement?
It should also be possible to copy private keys out of ~user/.ssh and login to
other machines as user, assuming no password on the ssh key pair.
It's probably
But I
would argue that in this case root can just add some other module to the
pam stack that would dump passwords for any user who uses pam stack
regardless whether SSSD is in the picture or not so it is not SSSD problem and
I do not think it can be generally solved with the software. It
Caching credentials is disabled by default[1]. Even when credential caching is
enabled, the cache is only ever readable by root, the hashes are
*never* exposed to the system. FYI, the hash is a salted sha512.
Ah. Much better.
What leads you to believe the cached credentials can be
Offline password caching is also optional and a different method.
In this case the actual password is maintained in the kernel keyring
in locked memory until the machine goes online and can acquire a TGT.
On success it is deleted.
however it doesn't really matter from an evil-root
UID/GID solution
https://fedorahosted.org/sssd/ticket/1715
Chaining access providers:
https://fedorahosted.org/sssd/ticket/1326
I'm not sure these two are enough for a thesis..
I think at least the first one is.
You change UID and/or GID on the server. And then you need a
You *could* build a system that can work w/o synchronization, if you
carefully restrict what protocols and applications you use (think about
distributed filesystems) although you'd still need a local persistent map at
least. Backups and restore to other machines would need to be done
I'm jumping in kind of late, but I may have a way for you to eliminate your
current man in the middle password proxy.
On Mon, 2014-03-03 at 18:42 -0600, Trey Dockendorf wrote:
Is it possible with FreeIPA to use an external KDC or pass some
or all authentication to an external KDC? The
But let me say I am not at all against having theses that explore some of
these theoretical questions; however, one needs to understand that the
deliverable may end up being something that cannot be implemented or that it
would require a long time to do so. As long as that is clear everything
In the default case, IPA will automatically allocate a non-conflicting range
to AD SIDs and IPA SIDs to UIDs automatically. However, if you want to use
POSIX IDs stored in AD then yes, you will have to take care manually to avoid
conflicts.
A perhaps doable, more applied thesis still
I’m not, in general, in favor of solutions which promiscuously sling Kerberos
passwords around the net. ☺ pGina + Kerberos authenticating directly off of IPA
would be the way to go, I think.
Presumably Dimitri’s statement about the user being “foreign” and having
limited access to windows
Collaboration can happen in different ways. It all depends on the use case. It
can be OpenID, SAML, Kerberos, etc. There are different technologies and they
suit different use cases better.
Can you please share under what circumstances such inversion would actually
be needed?
Console logins in a
I think it does not really differ from what I described, conceptually.
It is, however, requiring much more work than what I described.
FreeIPA has a flat LDAP DIT. Adding support for separate OUs is in itself a
non-trivial task.
Ah. Well since that's the case, separate OUs are gone. (You may
Close. The problem is to expose kerberized services in the local realm to
users holding foreign credentials, supporting SSO wherever possible. This
includes file sharing via NFS, kerberized web apps, ssh logins, and anything
else the local realm has to offer. SSSD can handle ssh logins (if
There is a group of people that belong to different organizations, for
example universities that launch a project together. They have their
identities in their own home organizations (domains). There is a hosting
organization that some of the members of the group might belong to. Jointly all
Variant (A) - IdP + PKINIT:
A1) User authenticates to his SAML/OpenID provider (external domain)
A2) User locally generates CSR
A3) User contacts IdP (gssapi/saml ; gssapi/openid) and sends CSR to
the IdP
A4) IdP returns short-lived certificate (validity period matches
policy for
I've run out of time for today, but the external collaboration pages are slowly
evolving.
http://www.freeipa.org/page/External_Users_in_IPA
Dimitri observed that my RFE page was too long. I observe it also has too much
stuff unrelated to the actual meat of the RFE. So I factored out most of
in the future.
Bryce
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Wednesday, May 14, 2014 4:13 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] External collaboration edits
On 04/19/2014 07:46 PM, Nordgren, Bryce L -FS
[...talking about views...]
It's not only about AD, but use-case and examples in the design page
currently all refer to AD. The key is to find a unique reference to the
upstream object which in the AD case is obviously the SID. In a previous
version of the page there were a bit more details
-Original Message-
From: Sumit Bose [mailto:sb...@redhat.com]
Sent: Tuesday, June 17, 2014 3:27 AM
Case one would represent vanilla Kerberos trusts, or the quite likely
scenario where an external collaboration domain is separated from corporate
AD by a firewall. (e.g.,
When thinking about gateways and what Ipsilon may do, I came across this thesis:
https://davidben.net/thesis.pdf
and source
https://github.com/davidben/webathena
His approach to unifying web and non-web technologies was to build gateways for
non-web services such that browser based clients
Inconsistently managed AD user entries.
Many accounts in my AD are posixAccounts, but I encountered one today (created
in 2013) which had no posix information whatsoever. This crumpled my assumption
that I could leverage posix information from the institutional source. Under my
current system,
The second @ is not provided by Kerberos; it is rpc.idmapd making false
assumptions. It does a getpwuid and gets back adt...@ad.example.org as
the username, to which it decides to slap on the local REALM name with an @
sign in between.
I think this is something that may be handled with
Hi guys,
I set up freeipa 4.0.0 on a brand new Fedora 20 box, from your copr repos.
Install and config went fine. Kinit: fine. Trying to migrate from my old ldap
setup: problem. Old ldap setup primarily had accounts for web apps
(inetOrgPerson) and a few accounts with everything needed for
Hi Aron,
the support case you referenced is linked to bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked
for RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks the
patch will be released in 6.6..
username@domain is coded in the NFS spec as an
Thing is, nfsidmap always adds and then subtracts '@' plus domain,
assuming that the part prior to '@' is what is going to be mapped by the
domain-specific idmap mapper.
That's the crux of the problem right there. Sssd is not a domain-specific
idmap mapper. Sssd is a domain-aware,
On a clean Fedora 20, minimal install, system using the netinstall iso, I'm
getting an error all the way at the end of the ipa-server-install process (when
it tries to run ipa-client-install). I put the fqdn of the hostname in
/etc/hostname and ipaddr ipa.usfs-i2.umt.edu ipa in /etc/hosts and
On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
DNS A, SRV, and TXT
entries are in place. Reverse DNS works.
My TXT DNS entry is possibly hosed, as it's in lowercase. I put in a request
to capitalize it.
[root@ipa yum.repos.d]# host -t TXT _kerberos.usfs-i2.umt.edu
_kerberos.usfs-i2
DNS is fixed, 4.0.0 is installed, and my external users have been migrated from
an LDAP store via the migrate-ds script.
The password migration page keeps telling me that the password or username I
entered is incorrect. (username: test.user, password: test) I did not mistype
this. I did set
Someone has reported an issue with password migration where 389-ds is
rejecting the passwords with: passwords with storage scheme are not
allowed. That may be part of the problem.
That was me, but the context was 'ipa user-add' with a password hash rather
than migrate-ds. Although it makes
I will work with the DS team to backport the switch option to Fedora 20
389-ds-base and to release FreeIPA 4.0.1 with an appropriate patch to fix this
problem ASAP, ideally this week.
Thanks much, Martin!
This electronic message contains information generated by the USDA solely for
the
We are evaluating RHEL7 IdM (FreeIPA 3.3) for identity management for our
UNIX infrastructure. All of our Linux hosts currently have standard and
consistent UID/GIDs for at least all of our administrative users. I'm looking
for advice on how to migrate these users into IPA.
...
Eventually
Well, the users are definitely going to be in IPA (or AD via IPA). However,
they *will* exist in both IPA and locally during the migration period. If they
have the same UID/GIDs in both places (local and IPA), then I will need to
prefer IPA to 'files' in nsswitch.conf. The main reason I
Hey all,
On CentOS 7 (presumably RHEL7 too), the tutorial on
http://www.freeipa.org/page/PKI breaks (when applied to installing a
certificate in /etc/openldap/certs). The offending line is ipa-getcert request
-d /etc/openldap/certs ..., and the failure message is /etc/openldap/certs
must be a
Spoke too soon. I needed the following extra selinux policy module to make
all the AVCs go away.
BTW: the instructions on http://www.freeipa.org/page/PKI really only work if
you leave the password blank when you create a new database with certutil.
Otherwise, the ipa-getcert request command
Hey,
I have been trying to build rpms from different releases without much
success. I can build 4.0+ rpms but I have not tested them. Going backward
like with release-3-3-5, it fails on lint/pylint routine. I comment out the
lint call in the Makefile and further along it cannot find some ui
On Tue, Aug 5, 2014 at 7:21 AM, Martin Kosek mko...@redhat.com wrote:
On 08/05/2014 12:32 PM, Martin Kosek wrote:
On 08/05/2014 12:05 PM, Curtis L. Knight wrote:
...
#./make-lint $(LINT_OPTIONS)
run 'make rpms' again to get beyond lint errors shown below
cd install; if [ ! -e
On Tue, Aug 5, 2014 at 11:26 PM, Rob Crittenden rcrit...@redhat.com wrote:
Curtis L. Knight wrote:
On Tue, Aug 5, 2014 at 7:21 AM, Martin Kosek mko...@redhat.com
mailto:mko...@redhat.com wrote:
On 08/05/2014 12:32 PM, Martin Kosek wrote:
On 08/05/2014 12:05 PM, Curtis L
Assume that the FQDN is constructed as static hostname.domainname from
DHCP or via reverse DNS lookup. What happens if the machine (laptop)
moves from one network to another? What if the machine has multiple
interfaces?
As a result, any change in FQDN will break your Kerberos setup.
The
Let me elaborate. We haven't had time to work on this but it would be
really valuable if you could experiment with it a little bit.
Simo, Alexander, could you propose some dirty tricks to try?
The thread mentioned above has all needed information already.
Should we turn it into a HOWTO
I’ve got a prototype setup for cross-realm operations. I don’t know if that’s
useful for you or not. I don’t have control over “my” AD, and I’m managing this
during our CIO’s migration from one AD realm to another (so duplicate users
having distinct DNs and Kerberos principals are the norm,
Over the past month, I rearranged my local systems for our collaboration
environment. The essence of the work is to combine employee identities (defined
in AD) with identities for external users (defined in FreeIPA), massage them so
that they look the same, and export them to every posix
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Monday, August 25, 2014 3:04 AM
To: Nordgren, Bryce L -FS
Cc: 'freeipa-users@redhat.com'; 'sssd-us...@lists.fedorahosted.org'
Subject: Re: [Freeipa-users] A prototype of merged domains (views)
What
Is it sane to request that freeipa store ssh keys for users who come into the
environment via a trust? Not all of them, of course, but those who want to
store public keys there.
My freeipa server is mostly there to manage machines, and users (incl. me)
mostly come in over trusts from the
Sweet! Yes I am apparently talking about that. Consider this an independent
request for that. :)
You are talking about this, right?
https://fedorahosted.org/freeipa/ticket/4509
Overwriting certain attributes may be more directly addressed by:
https://fedorahosted.org/freeipa/ticket/3979
You are to some extent describing a feature that we call views that is
currently in works.
But there are two parts:
a) Ability to overwrite POSIX attributes for AD users - this is
Hi Rob,
How does the NFS server map the apache user to “something” it recognizes? I
would suggest that the easiest solution may be to use an IPA account called
“apache”, so that the mappings would just work, but currently I’m having
trouble running a service as a domain user via systemd.
The hostname put by ipa-client-install corresponds to the server to which this
client is enrolled. You enroll with a single server, after all.
How would one enroll with multiple IPA servers? For instance, a standard
configuration for a Rocks HPC cluster is to have at least two and usually
with sec=host)?
Thanks,
Bryce
-Original Message-
From: Alexander Frolushkin [mailto:alexander.frolush...@megafon.ru]
Sent: Sunday, April 12, 2015 9:27 PM
To: Nordgren, Bryce L -FS; 'Martin Kosek'; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] user account without password
An RHEL 7 host filesystem may have the same basic structure as an Ubuntu trusty
container filesystem, but may have different users defined, particularly for
running services and for owning the files those services must touch. To what
extent do you want the same users to be enforced between the
en <tjaal...@ubuntu.com> wrote:
> On 18.02.2017 03:24, Robert L. Harris wrote:
> >
> >I have an Ubuntu 16.04 test system which is currently clean. I'm
> > trying to install freeipa-server via apt and I'm getting an error about
> > files missing :
> >
>
I have an Ubuntu 16.04 test system which is currently clean. I'm trying
to install freeipa-server via apt and I'm getting an error about files
missing :
Setting up freeipa-server (4.3.1-0ubuntu1) ...
Running ipa-server-upgrade...
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and
Ok, I removed the files in that directory, manually removed 389-ds-base,
cleaned up the user/group and some left over directories and all
installed/configured correctly.
-R
On Tue, Feb 21, 2017 at 1:03 PM Timo Aaltonen <tjaal...@ubuntu.com> wrote:
> On 21.02.2017 17:33, Robert L. Har
/dpkg returned an error code (1)
If I run the python command you gave me at this point I get this:
python2 -c 'from ipaserver.install import installutils; print "yes" if
installutils.is_ipa_configured() else "no";'
yes
On Tue, Feb 21, 2017 at 1:38 AM Timo Aaltonen <tjaal...
Ummm,
Kinit should work from any host, whether that host is part of the domain or
not. It contains no inherent knowledge of any passwords. If it succeeds, then
you either picked a bad password, stored the password in a plaintext file, or
an actual authorized user ran it. It seems that it would
My guess aligns with this response:
http://stackoverflow.com/questions/31153584/why-is-there-such-a-performance-difference-on-raspberry-pi-between-open-and-orac
Bryce
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Winfried de Heiden
Sent:
So twice now I've tried installing freeipa on an Ubuntu 16.04 system.
Both times I've gotten an error and followed the instructions to "fix it"
and they didn't work so I removed files ( with purge ), cleaned up
everything I could find related to freeipa, sssd and kerb but trying to run
it again
Bašti <mba...@redhat.com> wrote:
>
>
> On 26.04.2017 20:07, Robert L. Harris wrote:
>
> So twice now I've tried installing freeipa on an Ubuntu 16.04 system.
> Both times I've gotten an error and followed the instructions to "fix it"
> and they didn't work so I removed
ote:
> Martin Bašti wrote:
> >
> >
> > On 26.04.2017 20:07, Robert L. Harris wrote:
> >> So twice now I've tried installing freeipa on an Ubuntu 16.04
> >> system. Both times I've gotten an error and followed the instructions
> >> to "fix it"
I'm trying to install freeipa-server on an ubuntu 16.04 box, fresh
install, but it keeps failing:
{0}:/etc/apt>lsb_release -r
Release:16.04
{0}:/etc/apt>dpkg -l | egrep -i 'slapd|ipa'
ii python-ipaddress 1.0.16-1
all Backport of Py
Ok, I gave up on Ubuntu. I'm now trying the latest CentOS7. I built out
a "minimal server" with some normal base packages which did include the
freeipa-client but otherwise, just standard tools. Here's a pastebin of
the output of the install: https://pastebin.com/zAWCgkUU
Robert
--
Manage
<data...@gmail.com> wrote:
> Robert, did you look in /var/log/ipaserver-install.log as it says?
>
> Was there any other information?
>
> cheers
> L.
>
> --
> "Mission Statement: To provide hope and inspiration for collective action,
> to buil
Ok, I reverted to a completely fresh install, literally just after the
first reboot. It installed cleanly. So there's something in a package
upgrade that's breaking things. I may try to figure it out later.
On Tue, May 16, 2017 at 3:08 PM Dagan McGregor <l...@sudo.nz> wrote:
>
are-vmsvc.log
root@ipa
{1}:/var/log>rpm -q -l http
package http is not installed
root@ipa
{1}:/var/log>rpm -q -a | grep -i http
perl-HTTP-Tiny-0.033-3.el7.noarch
root@ipa
{0}:/var/log>rpm -q -a | grep -i tomcat
Doesn't look like an httpd was installed as a dependency?
On Fri, May 12, 201
gest to use it. Otherwise there is an
> option --ignore-last-of-role to unblock uninstallation.
>
> Martin
>
> On 11.05.2017 16:00, Robert L. Harris wrote:
>
>
> Looks like you hit it, apache didn't have a group:
>
> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-
makes admin super fun! :)
>
>
> On 16 May 2017 at 21:57, Robert L. Harris <robert.l.har...@gmail.com>
> wrote:
>
>>
>> I did disable selinux as it gave errors setting up my standard users,
>> etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-en
unning out.
>
> Ta,
>
> Andrew
>
> On 16 May 2017 at 17:16, Robert L. Harris <robert.l.har...@gmail.com>
> wrote:
>
>>
>> Last night I rolled back my snapshot. Here's what I have after the yum
>> install
>>
>> "minimal" install of Centos
tallation normally works.
>
> Has the operating system image been changed or optimised somehow? Perhaps
> SELinux has been disabled? Have you tried installing Centos7 from the ISO?
>
> On 16 May 2017 at 21:48, Robert L. Harris <robert.l.har...@gmail.com>
> wrote:
>
>&g
Checking the /var/log/httpd/error.log has 2 days of just this:
[Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
failed. Certificate database: /etc/httpd/alias.
[Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error:
-8038 SEC_ERROR_NOT_INITIALIZED
[Tue May 16
On 16 May 2017 at 22:37, Robert L. Harris <robert.l.har...@gmail.com>
> wrote:
>
>>
>> I left SELinux enabled, no change, still streaming the same error:
>>
>> [Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize
>> failed. Certificate
Gave up on freeipa and Ubuntu 17.10. Re-installed with 16.04 and some
base packages which does include freeipa-client. When I do an apt-get
install on freeipa-server it runs along happily until I find this:
.
...
Setting up pki-server (10.2.6+git20160317-1) ...
Job for pki-tomcatd.service
On Tue, Nov 29, 2016 at 06:21:11PM +0000, Daly, John L CIV NAVAIR, 4GD
wrote:
> Greetings,
> I thumbed through the archive, but didn't find an answer. If I missed it,
> perhaps someone will be kind enough
Greetings,
I thumbed through the archive, but didn't find an answer. If I missed it,
perhaps someone will be kind enough to point me in the right direction.
I'm testing replacing our OpenDirectory server with a FreeIPA server for
authenticating our Mac systems. So far, I have the server and