Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server

2011-06-21 Thread Stephen Gallagher
On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
 Hi,
 
 I'm still running a FreeIPA 1.2 server but have started installing
 Fedora 15 clients and am trying to figure out how to manually set up
 the Krb/LDAP configuration.
 
 I've run the 'authconfig-tui' command and manually set up Krb
 authentication and LDAP authorisation, using DNS discovery for the
 servers. The authentication is working correctly, but when I run 'id
 $USERNAME' I don't receive the correct groups, so I believe that
 Kerberos is working, but the LDAP configuration is wrong. I've turned
 the sssd loglevel up to 100, but I can't figure out why I'm not
 getting the correct groups.
 
 My system has a variety of files and I'm not sure which are still in use:
 
 /etc/krb5.conf
 /etc/pam_ldap.conf
 /etc/sssd/sssd.conf
 
 On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
 this is not present on F15.
 
 Can anyone help me figure out how to get the group lookups working?


Probably you need to add ldap_schema=rfc2307bis into the
[domain/default] section of /etc/sssd/sssd.conf.

If you just set authconfig up as an LDAP server, it defaults to
ldap_schema = rfc2307, which uses a different attribute on the server to
contain group memberships.


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server

2011-06-21 Thread Stephen Gallagher
On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
 Hi,
 
 On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher sgall...@redhat.com wrote:
 
  Probably you need to add ldap_schema=rfc2307bis into the
  [domain/default] section of /etc/sssd/sssd.conf.
 
  If you just set authconfig up as an LDAP server, it defaults to
  ldap_schema = rfc2307, which uses a different attribute on the server to
  contain group memberships.
 
 Thanks, but I've tried both of those entries - it doesn't appear to
 make any difference.
 
 Dan


Could you attach your
(sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
and /etc/pam.d/system-auth?



Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server

2011-06-21 Thread Dan Scott
On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher sgall...@redhat.com wrote:

 Could you attach your
 (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
 and /etc/pam.d/system-auth?

Attached, thanks. The only changes are domain names and 'dc=*' entries.

One thing that I just noticed: the system-auth file has pam_krb5.so
entries; previously, these were pam_sss.so. I've tried using both,
but neither appears to work.

Thanks,

Dan


Attachments: nsswitch.conf, system-auth, krb5.conf, sssd.conf

Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server

2011-06-21 Thread Stephen Gallagher
On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
 
 Attached, thanks. The only changes are domain names and 'dc=*' entries.
 
 One thing that I just noticed: the system-auth file has pam_krb5.so
 entries; previously, these were pam_sss.so. I've tried using both,
 but neither appears to work.
 
 Thanks,
 
 Dan


Your /etc/nsswitch.conf is wrong. I just noticed that you were using
authconfig-tui which is deprecated upstream and does not properly set up
SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works
properly. Feel free to file a bug against authconfig.

/etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD.
Similarly system-auth needs to use pam_sss.so, not pam_krb5.so.

If you run 'authconfig --enablesssd --enablesssdauth --update' you
should be fine. This will update the config files with the correct
SSSD-related settings.


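The following script is an added example and is not from the thread or from the authconfig/sssd projects. It checks, from the shell, the three client-side settings the thread turns on: Stephen's first suggestion (ldap_schema = rfc2307bis in the [domain/default] section of sssd.conf) and his later diagnosis (nsswitch.conf must use 'sss', system-auth must use pam_sss.so rather than pam_krb5.so). The sample files it creates are constructed stand-ins for Dan's attachments, written once the way authconfig-tui reportedly left them and once the way 'authconfig --enablesssd --enablesssdauth --update' plus the schema line should leave them; the domain name 'default' is taken from Stephen's message.

```shell
#!/bin/sh
# Added example, not from the thread: audit the three client files the
# thread turns on. File paths are parameters, so the same checks run
# against the constructed samples below or against a real /etc.
#   1. nsswitch.conf must route passwd/shadow/group through 'sss'
#   2. pam.d/system-auth must authenticate via pam_sss.so, not pam_krb5.so
#   3. the [domain/...] section of sssd.conf must set ldap_schema = rfc2307bis

# Return 0 if every listed NSS database lists 'sss' as a source.
nss_uses_sss() {
    local f="$1" db line
    for db in passwd shadow group; do
        line=$(grep -E "^[[:space:]]*${db}:" "$f" | head -n 1 | cut -d: -f2-)
        case " $line " in
            *" sss "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 0 if the auth stack calls pam_sss.so and no uncommented line still
# loads pam_krb5.so (the authconfig-tui leftover Dan noticed).
pam_uses_sss() {
    local f="$1"
    grep -Eq '^auth[[:space:]].*pam_sss\.so' "$f" || return 1
    if grep -Eq '^[^#]*pam_krb5\.so' "$f"; then return 1; fi
    return 0
}

# Print key's value from [section] of an ini-style file (sssd.conf here),
# nothing if absent. Tracks the current section header while reading.
ini_get() {
    local f="$1" section="$2" key="$3"
    awk -v s="[$section]" -v k="$key" '
        /^[ \t]*\[/ { cur = $0; gsub(/[ \t]/, "", cur); next }
        cur == s && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", name)
            if (name == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$f"
}

# Return 0 if the named domain uses rfc2307bis. FreeIPA groups keep their
# members as DNs in 'member' (rfc2307bis); rfc2307 reads 'memberUid' instead.
sssd_schema_ok() {
    [ "$(ini_get "$1" "domain/$2" ldap_schema)" = "rfc2307bis" ]
}

# Run the three checks on one set of files and print a verdict per check.
audit() {
    local label="$1" nss="$2" pam="$3" sssd="$4" r
    echo "== $label"
    if nss_uses_sss "$nss"; then r=ok; else r=FAIL; fi
    echo "  nsswitch.conf uses sss:        $r"
    if pam_uses_sss "$pam"; then r=ok; else r=FAIL; fi
    echo "  system-auth uses pam_sss.so:   $r"
    if sssd_schema_ok "$sssd" default; then r=ok; else r=FAIL; fi
    echo "  ldap_schema = rfc2307bis:      $r"
}

# --- constructed samples (stand-ins for Dan's attachments) ----------------
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# What authconfig-tui left behind, per the thread: 'ldap' and pam_krb5.so.
printf '%s\n' 'passwd: files ldap' 'shadow: files ldap' 'group:  files ldap' > "$tmp/nsswitch.tui"
printf '%s\n' 'auth required   pam_env.so' 'auth sufficient pam_krb5.so use_first_pass' \
              'auth required   pam_deny.so' > "$tmp/system-auth.tui"
printf '%s\n' '[sssd]' 'domains = default' '[domain/default]' 'id_provider = ldap' \
              'auth_provider = krb5' 'ldap_schema = rfc2307' > "$tmp/sssd.tui"
# What 'authconfig --enablesssd --enablesssdauth --update' plus the
# ldap_schema line should leave.
printf '%s\n' 'passwd: files sss' 'shadow: files sss' 'group:  files sss' > "$tmp/nsswitch.fixed"
printf '%s\n' 'auth required   pam_env.so' 'auth sufficient pam_sss.so use_first_pass' \
              'auth required   pam_deny.so' > "$tmp/system-auth.fixed"
printf '%s\n' '[sssd]' 'domains = default' '[domain/default]' 'id_provider = ldap' \
              'auth_provider = krb5' 'ldap_schema = rfc2307bis' > "$tmp/sssd.fixed"

audit "authconfig-tui result" "$tmp/nsswitch.tui" "$tmp/system-auth.tui" "$tmp/sssd.tui"
audit "authconfig --enablesssd result" "$tmp/nsswitch.fixed" "$tmp/system-auth.fixed" "$tmp/sssd.fixed"
# On a live client: audit live /etc/nsswitch.conf /etc/pam.d/system-auth /etc/sssd/sssd.conf
```

The checks are deliberately file-based rather than behavioural: 'id $USERNAME' returning the wrong groups can come from any of the three layers (NSS routing, PAM stack, LDAP schema), and reading the files tells you which one before you touch the sssd debug level.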

Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server

2011-06-21 Thread Dan Scott
On Tue, Jun 21, 2011 at 14:19, Stephen Gallagher sgall...@redhat.com wrote:

 Your /etc/nsswitch.conf is wrong. I just noticed that you were using
 authconfig-tui which is deprecated upstream and does not properly set up
 SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works
 properly. Feel free to file a bug against authconfig.

 /etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD.
 Similarly system-auth needs to use pam_sss.so, not pam_krb5.so.

 If you run 'authconfig --enablesssd --enablesssdauth --update' you
 should be fine. This will update the config files with the correct
 SSSD-related settings.

Excellent! Thanks - that makes much more sense. I've been using
authconfig-tui all this time and had no idea that it was doing things
incorrectly.

One small issue that I found: if I switch on the 'Use DNS to resolve
hosts to realms' option, then the krb5_realm (in sssd.conf) and
default_realm (in krb5.conf) are removed and my authentication fails.
I'm pretty sure that I have DNS correctly configured (_kerberos IN TXT
EXAMPLE.COM). Does the sssd client look for different DNS records for
realm discovery?

Thanks for your help,

Dan



Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server

2011-06-21 Thread Stephen Gallagher
On Tue, 2011-06-21 at 14:41 -0400, Dan Scott wrote:
 
 Excellent! Thanks - that makes much more sense. I've been using
 authconfig-tui all this time and had no idea that it was doing things
 incorrectly.
 
 One small issue that I found: if I switch on the 'Use DNS to resolve
 hosts to realms' option, then the krb5_realm (in sssd.conf) and
 default_realm (in krb5.conf) are removed and my authentication fails.
 I'm pretty sure that I have DNS correctly configured (_kerberos IN TXT
 EXAMPLE.COM). Does the sssd client look for different DNS records for
 realm discovery?


Actually, we don't currently support *realm* discovery. We only support
KDC discovery (using ._kerberos._tcp IN SRV EXAMPLE.COM)

Feel free to open an RFE at https://fedorahosted.org/sssd (Fedora
Account required to open tickets) for support of detecting the realm by
TXT record.


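The script below is an added example, not from the thread or from sssd itself, for the discovery question the thread ends on. It reads a constructed zone-file fragment and separates the two record types Dan and Stephen are talking about: the _kerberos._tcp SRV records, which name KDCs and are what sssd's server discovery uses, and the _kerberos TXT record, which names the realm and which, per Stephen, sssd does not consult. It then checks that the realm is still set explicitly (default_realm in krb5.conf, krb5_realm in sssd.conf), since that is exactly what the "Use DNS to resolve hosts to realms" option removed in Dan's case. The zone data, host names ipa1/ipa2.example.com and config snippets are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a zone-file fragment and shows
# which Kerberos DNS records sssd's discovery can use (the _kerberos._tcp
# SRV records naming KDCs) and which it does not consult (the _kerberos TXT
# record naming the realm), then checks that the realm is still pinned in
# krb5.conf and sssd.conf. All input below is constructed for the example.

# Print KDC host names from _kerberos._tcp SRV records, lowest priority value
# first, trailing dot removed. Fields after "SRV": priority weight port target.
srv_kdcs() {
    awk '$1 ~ /^_kerberos\._tcp/ {
            for (i = 1; i <= NF; i++) if ($i == "SRV") print $(i+1), $(i+4)
         }' "$1" | sort -n | awk '{ sub(/\.$/, "", $2); print $2 }'
}

# Print the realm named by the _kerberos TXT record, quotes stripped.
txt_realm() {
    awk '$1 == "_kerberos" {
            for (i = 1; i <= NF; i++) if ($i == "TXT") { r = $(i+1); gsub(/"/, "", r); print r }
         }' "$1"
}

# Return 0 when the realm is set explicitly in both files: default_realm in
# krb5.conf and krb5_realm in sssd.conf. Plain key = value grep; sections
# are not tracked, which is enough for this check.
realm_pinned() {
    grep -Eq '^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*krb5_realm[[:space:]]*=[[:space:]]*[^[:space:]]' "$2"
}

# --- constructed samples --------------------------------------------------
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/zone" <<'EOF'
$ORIGIN example.com.
_kerberos        IN TXT "EXAMPLE.COM"
_kerberos._tcp   IN SRV 10 100 88  ipa2.example.com.
_kerberos._tcp   IN SRV 0  100 88  ipa1.example.com.
_kerberos._udp   IN SRV 0  100 88  ipa1.example.com.
_ldap._tcp       IN SRV 0  100 389 ipa1.example.com.
EOF
# As left after ticking "Use DNS to resolve hosts to realms": the realm keys
# are gone and only DNS lookup remains.
printf '%s\n' '[libdefaults]' ' dns_lookup_realm = true' ' dns_lookup_kdc = true' > "$tmp/krb5.dns"
printf '%s\n' '[domain/default]' 'auth_provider = krb5' 'krb5_server = _srv_' > "$tmp/sssd.dns"
# The same files with the realm pinned explicitly.
printf '%s\n' '[libdefaults]' ' default_realm = EXAMPLE.COM' ' dns_lookup_kdc = true' > "$tmp/krb5.pinned"
printf '%s\n' '[domain/default]' 'auth_provider = krb5' 'krb5_server = _srv_' \
              'krb5_realm = EXAMPLE.COM' > "$tmp/sssd.pinned"

echo "KDCs discoverable via SRV:"; srv_kdcs "$tmp/zone" | sed 's/^/  /'
echo "Realm advertised via TXT (sssd does not read it): $(txt_realm "$tmp/zone")"
for v in dns pinned; do
    if realm_pinned "$tmp/krb5.$v" "$tmp/sssd.$v"; then
        echo "$v: default_realm and krb5_realm set, realm does not depend on DNS"
    else
        echo "$v: realm left to TXT discovery, which sssd does not perform"
    fi
done
```

The practical rule this encodes: let DNS pick the KDCs (SRV records, and krb5_server = _srv_ in sssd.conf if you use it) but keep the realm itself written into both configuration files, so a client whose authconfig run dropped those keys fails the realm_pinned check immediately rather than at login time.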