Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-17 Thread Sigbjorn Lie

On 11/16/2011 01:09 PM, Stephen Gallagher wrote:

On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote:

 >
 >
 >
 >
 >  Just tried to install sssd from the above repo.
 >
 >  There's only packages for the old 10.04 lucid and
 >  10.10 maverick, nothing for 11.04 natty or 11.11
 >  oneiric. I tried to install on natty using packages
 >  from maverick, but it depends on packages no longer
 >  available in the natty package tree. :(
 >
 >  However for oneiric sssd 1.5.13 seems to have made it
 >  into the universe package tree:
 >  http://packages.ubuntu.com/oneiric/sssd
 >
 >
 >
 >  Rgds,
 >  Siggi
 >
 >
 >  Siggi,
 >
 >
 >  Thanks, but why would I want sssd on my client machine?
 >
 >
 >  Or - why would the current LDAP client that Ubuntu at least
 >  claims to have not work?
 >
 >


 The reasons I've found so far are:

 * Lack of support for the host based access control rules
 found in IPA
 * Need to have the config file with a username/password for
 the system to bind to the ldap directory readable by
 everyone... (not secure)
 * SSSD uses the kerberos host key to talk to LDAP (secure)
 * No daemon keeping track of available ldap servers, e.g. in a
 failover situation you'll keep asking the server that's down,
 delaying your client response.
 * No offline caching of credentials (very handy if you have
 laptops).

 I'm sure the SSSD developers can give you lots more. :)


I think you've hit most of the major points. The less-obvious one is
that at it reduces load on the LDAP server as well, since all
communications come from a single connection in the SSSD, whereas with
traditional nss_ldap, each client application would be holding its own
connection.



Siggi,


Thanks, all of those are valid. I just installed sssd on an Ubuntu
machine here, may end up using it.


But from what you are saying it still sounds like the existing LDAP
client on Ubuntu ought to still work, even if in a less than secure
fashion. And it doesn't seem to.

I've seen people successfully configure pam_ldap and pam_krb5 on Ubuntu
before, so I know it's possible. I assume you have a configuration bug.
I don't know where Ubuntu keeps its config, so I can't easily help you
there.



See my previous postings to the list for details. Below is what should 
be a complete list of files that need modifications. They are self-
explanatory, with syntax provided in the default file.


Various LDAP config files. I've symlinked all these config files into 
/etc/ldap.conf and set all settings there.

/etc/ldap.conf
/etc/ldap/ldap.conf
/etc/libnss-ldap.conf
/etc/pam_ldap.conf
/etc/sudo-ldap.conf

Kerberos:
/etc/krb5.conf

automount:
/etc/autofs_ldap_auth.conf
/etc/default/autofs

If you want nfs4+krb5, you'll need to edit these as well:
/etc/default/nfs-common
/etc/idmapd.conf

For making some apps such as thunderbird not crash with nss_ldap, 
install nscd.

/etc/nscd.conf

Modify sshd_config and ssh_config to use GSSAPI, and to delegate 
credentials to hosts on your network:

/etc/ssh/sshd_config
/etc/ssh/ssh_config

ntp:
/etc/ntp.conf

Remember to make a copy of /etc/ipa/ca.crt from the IPA server to the 
Ubuntu machine to make SSL connections to the LDAP server.


And that should be all the files you need to edit (besides nsswitch.conf 
and perhaps resolv.conf). If you want the automount to work fully, 
you'll have to do a workaround for fixing the race condition that often 
occurs at bootup, as the network is not always up when the automounter 
starts.



Rgds,
Siggi


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
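Siggi's point that nss_ldap needs the bind username/password in a file readable by everyone, together with his list of config files symlinked into one /etc/ldap.conf, suggests a check a practitioner can run on a client. This is an added example, not code from the thread or from FreeIPA; it assumes the nss_ldap/pam_ldap `bindpw` keyword, and the sample config tree, password and realm are constructed inline.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Tuple

# Files Siggi symlinks into one canonical /etc/ldap.conf, relative to /etc.
LDAP_CONFIG_FILES = ["ldap.conf", "ldap/ldap.conf", "libnss-ldap.conf",
                     "pam_ldap.conf", "sudo-ldap.conf"]


def config_paths(etc: str = "/etc") -> List[str]:
    return [os.path.join(etc, name) for name in LDAP_CONFIG_FILES]


def has_bind_password(path: str) -> bool:
    """True if the file sets a cleartext bind password via the nss_ldap/pam_ldap
    'bindpw' keyword. Comments and blank lines are ignored."""
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            words = line.split()
            if words and words[0].lower() == "bindpw":
                return True
    return False


def audit_ldap_configs(paths: List[str], canonical: str) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs. Findings:
      missing        - a listed file does not exist
      not-linked     - the file is a separate copy, not a link to the canonical one
      bindpw-exposed - a cleartext bind password is readable by group or others
    Permissions are checked once per real file, so links are not double-reported.
    The safer pattern is rootbinddn with the password in /etc/ldap.secret (0600),
    or SSSD, which binds with the host keytab instead of a stored password."""
    findings: List[Tuple[str, str]] = []
    canon_real = os.path.realpath(canonical)
    checked = set()
    for path in paths:
        if not os.path.lexists(path):
            findings.append((path, "missing"))
            continue
        real = os.path.realpath(path)
        if real != canon_real:
            findings.append((path, "not-linked"))
        if real in checked:
            continue
        checked.add(real)
        mode = os.stat(real).st_mode
        if has_bind_password(real) and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((path, "bindpw-exposed"))
    return findings


def run_demo() -> List[Tuple[str, str]]:
    """Audit a constructed config tree in a temp dir; paths are returned
    relative to the temp root so the result is stable."""
    root = tempfile.mkdtemp()
    try:
        canonical = os.path.join(root, "ldap.conf")
        with open(canonical, "w") as fh:          # constructed sample config
            fh.write("uri ldap://ipa.example.test/\n"
                     "base dc=example,dc=test\n"
                     "binddn uid=proxy,cn=sysaccounts,cn=etc,dc=example,dc=test\n"
                     "bindpw constructed-sample-secret\n")
        os.chmod(canonical, 0o644)                # world-readable: the problem
        os.mkdir(os.path.join(root, "ldap"))
        os.symlink(canonical, os.path.join(root, "ldap", "ldap.conf"))
        os.symlink(canonical, os.path.join(root, "libnss-ldap.conf"))
        stale = os.path.join(root, "pam_ldap.conf")   # forgotten separate copy
        with open(stale, "w") as fh:
            fh.write("uri ldap://ipa.example.test/\n")
        os.chmod(stale, 0o600)
        # sudo-ldap.conf is deliberately left missing.
        findings = audit_ldap_configs(config_paths(root), canonical)
        return [(os.path.relpath(p, root), code) for p, code in findings]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, code in run_demo():
        print("%-20s %s" % (path, code))
```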


Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-16 Thread Simo Sorce
On Tue, 2011-11-15 at 20:44 -0500, Jimmy wrote:
> I did supply this to the list at the middle of September, but will
> re-send. I know things get lost in the flow of emails/lists. 
> 
> ==IPA and ksetup steps=
> I can't find the technet article right now, but here's what I did
> that makes Win7 (and XP, but XP doesn't need the gpedit step) work. 
> 
> 
> One note about this, I kept getting strange errors with any encryption
> besides rc4-hmac. For my situation I think it is suitable (a static
> environment once the systems are deployed), but if others want to
> spend more time hacking on the system MS messed up, go for it ;). 
> 
> On FreeIPA:
> 
> i.create the host principal in the web interface
> ii.   create IPA users to correspond to windows users
> iii.  reset the user's IPA password to a known password using the web
> interface, the user will be prompted to change at first log in.
> (is there a default password or is this random? sorry if that's
> somewhere else in docs and I missed it)
> iv.on the IPA server run `ipa-getkeytab -s [kdc DNS name]
> -p host/[machine-name] -e  arcfour-hmac -k krb5.keytab.[machine-name]
> -P`  (enter the password that will be used in the
> `ksetup /setcomputerpassword` below)
> 
> configure windows ksetup:
> 
> i.ksetup /setdomain [REALM NAME]
> ii.ksetup /addkdc [REALM NAME] [kdc DNS name]
> iii.ksetup /addkpassword [REALM NAME] [kdc DNS name]
> iv.ksetup /setcomputerpassword [PASSWORD]
> v.ksetup /mapuser * *
> vi.   Run gpedit.msc. Under >Computer Configuration\Windows Settings
> \Security Settings\Local Policies\Security Options open the key called
> “Network Security: Configure encryption types allowed for Kerberos”
> unselect everything except RC4_HMAC_MD5 

Hi Jimmy and all,
at this year's Kerberos Conference interop we found out what was causing
issues with AES and we have a patch in the master tree. This step will
hopefully not be necessary anymore quite soon.

Simo.


> vii.*** REBOOT ***
> viii. log in as [user]@[REALM] with the initial password, you will be
> prompted to change the password then logged in.
> 


-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-16 Thread Stephen Gallagher
On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote:
> > 
> > 
> > 
> > 
> > Just tried to install sssd from the above repo.
> > 
> > There's only packages for the old 10.04 lucid and
> > 10.10 maverick, nothing for 11.04 natty or 11.11
> > oneiric. I tried to install on natty using packages
> > from maverick, but it depends on packages no longer
> > available in the natty package tree. :(
> > 
> > However for oneiric sssd 1.5.13 seems to have made it
> > into the universe package tree:
> > http://packages.ubuntu.com/oneiric/sssd
> > 
> > 
> > 
> > Rgds,
> > Siggi
> > 
> > 
> > Siggi,
> > 
> > 
> > Thanks, but why would I want sssd on my client machine?
> > 
> > 
> > Or - why would the current LDAP client that Ubuntu at least
> > claims to have not work?
> > 
> > 
> 
> 
> The reasons I've found so far are:
> 
> * Lack of support for the host based access control rules
> found in IPA
> * Need to have the config file with a username/password for
> the system to bind to the ldap directory readable by
> everyone... (not secure)
> * SSSD uses the kerberos host key to talk to LDAP (secure)
> * No daemon keeping track of available ldap servers, e.g. in a
> failover situation you'll keep asking the server that's down,
> delaying your client response.
> * No offline caching of credentials (very handy if you have
> laptops).
> 
> I'm sure the SSSD developers can give you lots more. :)


I think you've hit most of the major points. The less-obvious one is
that at it reduces load on the LDAP server as well, since all
communications come from a single connection in the SSSD, whereas with
traditional nss_ldap, each client application would be holding its own
connection.


> 
> Siggi,
> 
> 
> Thanks, all of those are valid. I just installed sssd on an Ubuntu
> machine here, may end up using it.
> 
> 
> But from what you are saying it still sounds like the existing LDAP
> client on Ubuntu ought to still work, even if in a less than secure
> fashion. And it doesn't seem to.

I've seen people successfully configure pam_ldap and pam_krb5 on Ubuntu
before, so I know it's possible. I assume you have a configuration bug.
I don't know where Ubuntu keeps its config, so I can't easily help you
there.




Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-15 Thread Jimmy
I did supply this to the list at the middle of September, but will re-send.
I know things get lost in the flow of emails/lists.

==IPA and ksetup steps=
I can't find the technet article right now, but here's what I did that makes
Win7 (and XP, but XP doesn't need the gpedit step) work.

One note about this, I kept getting strange errors with any encryption
besides rc4-hmac. For my situation I think it is suitable (a static
environment once the systems are deployed), but if others want to spend
more time hacking on the system MS messed up, go for it ;).

On FreeIPA:

i.create the host principal in the web interface
ii.   create IPA users to correspond to windows users
iii.  reset the user's IPA password to a known password using the web
interface,
the user will be prompted to change at first log in. (is there a default
password or is this random? sorry if that's somewhere else in docs and I
missed it)
iv.on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p
host/[machine-name]
-e  arcfour-hmac -k krb5.keytab.[machine-name] -P`  (enter the password
that will be used in the `ksetup /setcomputerpassword` below)

configure windows ksetup:

i.ksetup /setdomain [REALM NAME]
ii.ksetup /addkdc [REALM NAME] [kdc DNS name]
iii.ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv.ksetup /setcomputerpassword [PASSWORD]
v.ksetup /mapuser * *
vi.   Run gpedit.msc. Under >Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options open the key called “Network
Security: Configure encryption types allowed for Kerberos” unselect
everything except RC4_HMAC_MD5
vii.*** REBOOT ***
viii. log in as [user]@[REALM] with the initial password, you will be
prompted to change the password then logged in.



On Tue, Nov 15, 2011 at 6:32 PM, Dmitri Pal  wrote:

> **
> On 11/15/2011 04:01 PM, Jimmy wrote:
>
> I know the Windows systems don't have full integration with FreeIPA, but I
> have Windows systems authenticating to FreeIPA the same as they would to a
> regular MIT Kerberos system. They are not using the same config that is
> posted on the FreeIPA website where the IPA users are mapped to a single
> workstation user.
>
>
> Would you mind sharing your configuration and steps with us?
>
>
> Thank you
> Dmitri
>
>
>  Jimmy
>
> On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones wrote:
>
>> Hi,
>>
>> I don't think there is much realistic hope of getting windows to
>> authenticate to freeIPA... the others should be able to, and the fedora
>> docs on the freeipa documentation web page list a specific method for macs
>> for one (but I have not tried it yet, but I will be)... ubuntu has been
>> mentioned before... I have to try/do that as well
>>
>> Siggi sent me some notes a while back,
>>
>> =
>>
>> Ubuntu client install
>>
>>
>> https://help.ubuntu.com/10.04/serverguide/C/kerberos.html
>>
>>
>> sudo apt-get install krb5-user libpam-krb5 libpam-ccreds
>> auth-client-config
>>
>>
>> maybe also need libpam-ldap libnss-ldap
>>
>>
>> Use ipa-getkeytab on a IPA server to retrieve the keytab for the host,
>> and copy this to /etc/krb5.keytab on the Ubuntu client.
>>
>> [root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/
>> ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab
>>
>> If you prefer you can use something like CFengine to automate the whole
>> process.
>>
>> =
>>
>> Hope that helps.
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> 
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
>> on behalf of Boris Epstein [borepst...@gmail.com]
>> Sent: Wednesday, 16 November 2011 9:03 a.m.
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] LDAP authentication into FreeIPA
>>
>> Hello all,
>>
>> This may be my general LDAP illiteracy - I only dealt with it briefly
>> years ago - but I am trying to set up a FreeIPA server on Fedora 16 to have
>> my Macs and Ubuntu Linux machines as well as a couple of Windows boxes to
>> authenticate to - and seem not to be making much forward progress. Is there
>> a step-by-step writeup on how to do that sort of thing?
>>
>> Thanks for any and all help.
>>
>> Boris.
>>
>>
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>

Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-15 Thread Dmitri Pal
On 11/15/2011 04:01 PM, Jimmy wrote:
> I know the Windows systems don't have full integration with FreeIPA,
> but I have Windows systems authenticating to FreeIPA the same as they
> would to a regular MIT Kerberos system. They are not using the same
> config that is posted on the FreeIPA website where the IPA users are
> mapped to a single workstation user.
>

Would you mind sharing your configuration and steps with us?


Thank you
Dmitri

> Jimmy
>
> On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones  > wrote:
>
> Hi,
>
> I don't think there is much realistic hope of getting windows to
> authenticate to freeIPA... the others should be able to, and the
> fedora docs on the freeipa documentation web page list a specific
> method for macs for one (but I have not tried it yet, but I will
> be)... ubuntu has been mentioned before... I have to try/do that
> as well
>
> Siggi sent me some notes a while back,
>
> =
>
> Ubuntu client install
>
>
> https://help.ubuntu.com/10.04/serverguide/C/kerberos.html
>
>
> sudo apt-get install krb5-user libpam-krb5 libpam-ccreds
> auth-client-config
>
>
> maybe also need libpam-ldap libnss-ldap
>
>
> Use ipa-getkeytab on a IPA server to retrieve the keytab for the
> host, and copy this to /etc/krb5.keytab on the Ubuntu client.
>
> [root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com
>  -p host/ubuntu-client.ix.test.com
>  -k /tmp/buntuclient_krb5.keytab
>
> If you prefer you can use something like CFengine to automate the
> whole process.
>
> =
>
> Hope that helps.
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com
> 
> [freeipa-users-boun...@redhat.com
> ] on behalf of Boris
> Epstein [borepst...@gmail.com ]
> Sent: Wednesday, 16 November 2011 9:03 a.m.
> To: freeipa-users@redhat.com 
> Subject: [Freeipa-users] LDAP authentication into FreeIPA
>
> Hello all,
>
> This may be my general LDAP illiteracy - I only dealt with it
> briefly years ago - but I am trying to set up a FreeIPA server on
> Fedora 16 to have my Macs and Ubuntu Linux machines as well as a
> couple of Windows boxes to authenticate to - and seem not to be
> making much forward progress. Is there a step-by-step writeup on
> how to do that sort of thing?
>
> Thanks for any and all help.
>
> Boris.
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-15 Thread Boris Epstein
>>  Just tried to install sssd from the above repo.
>>
>> There's only packages for the old 10.04 lucid and 10.10 maverick, nothing
>> for 11.04 natty or 11.11 oneiric. I tried to install on natty using
>> packages from maverick, but it depends on packages no longer available in
>> the natty package tree. :(
>>
>> However for oneiric sssd 1.5.13 seems to have made it into the universe
>> package tree:
>> http://packages.ubuntu.com/oneiric/sssd
>>
>>
>>
>> Rgds,
>> Siggi
>
>
>  Siggi,
>
>  Thanks, but why would I want sssd on my client machine?
>
>  Or - why would the current LDAP client that Ubuntu at least claims to
> have not work?
>
>
> The reasons I've found so far are:
>
> * Lack of support for the host based access control rules found in IPA
> * Need to have the config file with a username/password for the system to
> bind to the ldap directory readable by everyone... (not secure)
> * SSSD uses the kerberos host key to talk to LDAP (secure)
> * No daemon keeping track of available ldap servers, e.g. in a failover
> situation you'll keep asking the server that's down, delaying your client
> response.
> * No offline caching of credentials (very handy if you have laptops).
>
> I'm sure the SSSD developers can give you lots more. :)
>
>
> Rgds,
> Siggi
>

Siggi,

Thanks, all of those are valid. I just installed sssd on an Ubuntu machine
here, may end up using it.

But from what you are saying it still sounds like the existing LDAP client
on Ubuntu ought to still work, even if in a less than secure fashion. And
it doesn't seem to.

Boris.

Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-15 Thread Sigbjorn Lie

On 11/15/2011 10:37 PM, Boris Epstein wrote:



On Tue, Nov 15, 2011 at 4:28 PM, Sigbjorn Lie > wrote:


On 11/15/2011 09:54 PM, Stephen Gallagher wrote:

On Tue, 2011-11-15 at 20:40 +, Steven Jones wrote:

Hi,

I don't think there is much realistic hope of getting windows to
authenticate to freeIPA... the others should be able to, and the
fedora docs on the freeipa documentation web page list a specific
method for macs for one (but I have not tried it yet, but I will
be)... ubuntu has been mentioned before... I have to try/do that as
well

Siggi sent me some notes a while back,

=

Ubuntu client install


I don't have all of the details handy right now, but I know Timo
Aaltonen was working on porting SSSD and ipa-client to Ubuntu
in order
to support the enhanced client enrollment available with those two
packages.

The SSSD and its dependencies are available in his PPA here:
https://launchpad.net/~tjaalton/+archive/ppa



Just tried to install sssd from the above repo.

There's only packages for the old 10.04 lucid and 10.10 maverick,
nothing for 11.04 natty or 11.11 oneiric. I tried to install on
natty using packages from maverick, but it depends on packages no
longer available in the natty package tree. :(

However for oneiric sssd 1.5.13 seems to have made it into the
universe package tree:
http://packages.ubuntu.com/oneiric/sssd



Rgds,
Siggi


Siggi,

Thanks, but why would I want sssd on my client machine?

Or - why would the current LDAP client that Ubuntu at least claims to 
have not work?




The reasons I've found so far are:

* Lack of support for the host based access control rules found in IPA
* Need to have the config file with a username/password for the system 
to bind to the ldap directory readable by everyone... (not secure)

* SSSD uses the kerberos host key to talk to LDAP (secure)
* No daemon keeping track of available ldap servers, e.g. in a failover 
situation you'll keep asking the server that's down, delaying your 
client response.

* No offline caching of credentials (very handy if you have laptops).

I'm sure the SSSD developers can give you lots more. :)


Rgds,
Siggi

Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-15 Thread Boris Epstein
Jimmy,

Thanks! I thought this way myself - FreeIPA provides a proper LDAP
implementation, no reason Windows should be unable to use it.

Now if only I could find a better documentation on how to make this
happen...

Boris.

On Tue, Nov 15, 2011 at 4:01 PM, Jimmy  wrote:

> I know the Windows systems don't have full integration with FreeIPA, but I
> have Windows systems authenticating to FreeIPA the same as they would to a
> regular MIT Kerberos system. They are not using the same config that is
> posted on the FreeIPA website where the IPA users are mapped to a single
> workstation user.
>
> Jimmy
>
> On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones wrote:
>
>> Hi,
>>
>> I don't think there is much realistic hope of getting windows to
>> authenticate to freeIPA... the others should be able to, and the fedora
>> docs on the freeipa documentation web page list a specific method for macs
>> for one (but I have not tried it yet, but I will be)... ubuntu has been
>> mentioned before... I have to try/do that as well
>>
>> Siggi sent me some notes a while back,
>>
>> =
>>
>> Ubuntu client install
>>
>>
>> https://help.ubuntu.com/10.04/serverguide/C/kerberos.html
>>
>>
>> sudo apt-get install krb5-user libpam-krb5 libpam-ccreds
>> auth-client-config
>>
>>
>> maybe also need libpam-ldap libnss-ldap
>>
>>
>> Use ipa-getkeytab on a IPA server to retrieve the keytab for the host,
>> and copy this to /etc/krb5.keytab on the Ubuntu client.
>>
>> [root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/
>> ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab
>>
>> If you prefer you can use something like CFengine to automate the whole
>> process.
>>
>> =
>>
>> Hope that helps.
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> 
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
>> on behalf of Boris Epstein [borepst...@gmail.com]
>> Sent: Wednesday, 16 November 2011 9:03 a.m.
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] LDAP authentication into FreeIPA
>>
>> Hello all,
>>
>> This may be my general LDAP illiteracy - I only dealt with it briefly
>> years ago - but I am trying to set up a FreeIPA server on Fedora 16 to have
>> my Macs and Ubuntu Linux machines as well as a couple of Windows boxes to
>> authenticate to - and seem not to be making much forward progress. Is there
>> a step-by-step writeup on how to do that sort of thing?
>>
>> Thanks for any and all help.
>>
>> Boris.
>>
>>
>
>

Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-15 Thread Boris Epstein
On Tue, Nov 15, 2011 at 4:28 PM, Sigbjorn Lie  wrote:

> On 11/15/2011 09:54 PM, Stephen Gallagher wrote:
>
>> On Tue, 2011-11-15 at 20:40 +, Steven Jones wrote:
>>
>>> Hi,
>>>
>>> I don't think there is much realistic hope of getting windows to
>>> authenticate to freeIPA... the others should be able to, and the
>>> fedora docs on the freeipa documentation web page list a specific
>>> method for macs for one (but I have not tried it yet, but I will
>>> be)... ubuntu has been mentioned before... I have to try/do that as
>>> well
>>>
>>> Siggi sent me some notes a while back,
>>>
>>> =
>>>
>>> Ubuntu client install
>>>
>>
>> I don't have all of the details handy right now, but I know Timo
>> Aaltonen was working on porting SSSD and ipa-client to Ubuntu in order
>> to support the enhanced client enrollment available with those two
>> packages.
>>
>> The SSSD and its dependencies are available in his PPA here:
>> https://launchpad.net/~tjaalton/+archive/ppa
>>
>>
> Just tried to install sssd from the above repo.
>
> There's only packages for the old 10.04 lucid and 10.10 maverick, nothing
> for 11.04 natty or 11.11 oneiric. I tried to install on natty using
> packages from maverick, but it depends on packages no longer available in
> the natty package tree. :(
>
> However for oneiric sssd 1.5.13 seems to have made it into the universe
> package tree:
> http://packages.ubuntu.com/oneiric/sssd
>
>
>
> Rgds,
> Siggi


Siggi,

Thanks, but why would I want sssd on my client machine?

Or - why would the current LDAP client that Ubuntu at least claims to have
not work?

Boris.


Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-15 Thread Sigbjorn Lie

On 11/15/2011 09:54 PM, Stephen Gallagher wrote:

On Tue, 2011-11-15 at 20:40 +, Steven Jones wrote:

Hi,

I don't think there is much realistic hope of getting windows to
authenticate to freeIPA... the others should be able to, and the
fedora docs on the freeipa documentation web page list a specific
method for macs for one (but I have not tried it yet, but I will
be)... ubuntu has been mentioned before... I have to try/do that as
well

Siggi sent me some notes a while back,

=

Ubuntu client install


I don't have all of the details handy right now, but I know Timo
Aaltonen was working on porting SSSD and ipa-client to Ubuntu in order
to support the enhanced client enrollment available with those two
packages.

The SSSD and its dependencies are available in his PPA here:
https://launchpad.net/~tjaalton/+archive/ppa



Just tried to install sssd from the above repo.

There's only packages for the old 10.04 lucid and 10.10 maverick, 
nothing for 11.04 natty or 11.11 oneiric. I tried to install on natty 
using packages from maverick, but it depends on packages no longer 
available in the natty package tree. :(


However for oneiric sssd 1.5.13 seems to have made it into the universe 
package tree:

http://packages.ubuntu.com/oneiric/sssd



Rgds,
Siggi



Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-15 Thread Jimmy
I know the Windows systems don't have full integration with FreeIPA, but I
have Windows systems authenticating to FreeIPA the same as they would to a
regular MIT Kerberos system. They are not using the same config that is
posted on the FreeIPA website where the IPA users are mapped to a single
workstation user.

Jimmy

On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones wrote:

> Hi,
>
> I don't think there is much realistic hope of getting windows to
> authenticate to freeIPA... the others should be able to, and the fedora
> docs on the freeipa documentation web page list a specific method for macs
> for one (but I have not tried it yet, but I will be)... ubuntu has been
> mentioned before... I have to try/do that as well
>
> Siggi sent me some notes a while back,
>
> =
>
> Ubuntu client install
>
>
> https://help.ubuntu.com/10.04/serverguide/C/kerberos.html
>
>
> sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
>
>
> maybe also need libpam-ldap libnss-ldap
>
>
> Use ipa-getkeytab on a IPA server to retrieve the keytab for the host, and
> copy this to /etc/krb5.keytab on the Ubuntu client.
>
> [root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/
> ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab
>
> If you prefer you can use something like CFengine to automate the whole
> process.
>
> =
>
> Hope that helps.
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Boris Epstein [borepst...@gmail.com]
> Sent: Wednesday, 16 November 2011 9:03 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] LDAP authentication into FreeIPA
>
> Hello all,
>
> This may be my general LDAP illiteracy - I only dealt with it briefly
> years ago - but I am trying to set up a FreeIPA server on Fedora 16 to have
> my Macs and Ubuntu Linux machines as well as a couple of Windows boxes to
> authenticate to - and seem not to be making much forward progress. Is there
> a step-by-step writeup on how to do that sort of thing?
>
> Thanks for any and all help.
>
> Boris.
>
>

Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-15 Thread Stephen Gallagher
On Tue, 2011-11-15 at 20:40 +, Steven Jones wrote:
> Hi,
> 
> I don't think there is much realistic hope of getting windows to
> authenticate to freeIPA... the others should be able to, and the
> fedora docs on the freeipa documentation web page list a specific
> method for macs for one (but I have not tried it yet, but I will
> be)... ubuntu has been mentioned before... I have to try/do that as
> well
> 
> Siggi sent me some notes a while back,
> 
> =
> 
> Ubuntu client install


I don't have all of the details handy right now, but I know Timo
Aaltonen was working on porting SSSD and ipa-client to Ubuntu in order
to support the enhanced client enrollment available with those two
packages.

The SSSD and its dependencies are available in his PPA here:
https://launchpad.net/~tjaalton/+archive/ppa



Re: [Freeipa-users] LDAP authentication into FreeIPA

2011-11-15 Thread Steven Jones
Hi,

I don't think there is much realistic hope of getting windows to authenticate to 
freeIPA... the others should be able to, and the fedora docs on the freeipa 
documentation web page list a specific method for macs for one (but I have not 
tried it yet, but I will be)... ubuntu has been mentioned before... I have to 
try/do that as well

Siggi sent me some notes a while back,

=

Ubuntu client install


https://help.ubuntu.com/10.04/serverguide/C/kerberos.html


sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config


maybe also need libpam-ldap libnss-ldap


Use ipa-getkeytab on a IPA server to retrieve the keytab for the host, and copy 
this to /etc/krb5.keytab on the Ubuntu client.

[root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p 
host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab

If you prefer you can use something like CFengine to automate the whole process.

=

Hope that helps.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Boris Epstein [borepst...@gmail.com]
Sent: Wednesday, 16 November 2011 9:03 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] LDAP authentication into FreeIPA

Hello all,

This may be my general LDAP illiteracy - I only dealt with it briefly years 
ago - but I am trying to set up a FreeIPA server on Fedora 16 to have my Macs 
and Ubuntu Linux machines as well as a couple of Windows boxes to authenticate 
to - and seem not to be making much forward progress. Is there a step-by-step 
writeup on how to do that sort of thing?

Thanks for any and all help.

Boris.

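Both Siggi's Ubuntu notes above (copy the ipa-getkeytab output to /etc/krb5.keytab) and Jimmy's `ipa-getkeytab -e arcfour-hmac` step for the Windows host leave a keytab on disk whose enctypes are worth verifying, since Simo notes the RC4-only workaround should soon be unnecessary once AES works. This is an added example, not code from the thread or from FreeIPA: it parses the MIT 0x0502 keytab format and flags keys stored with RC4 or DES enctypes; the realm, host name and key bytes are constructed placeholders.

```python
import struct
from typing import Any, Dict, List, Tuple

# Kerberos enctype numbers (RFC 3961/3962; RFC 4757 for RC4).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}      # DES, and the RC4 type the thread falls back to


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[Dict[str, Any]]:
    """Parse an MIT keytab in format 0x0502. Layout: 2-byte version, then
    records of [int32 size][body]; a negative size is a deleted slot of
    abs(size) bytes. Body: uint16 component count, realm, components (all
    counted strings), uint32 name type, uint32 timestamp, uint8 vno,
    uint16 enctype, counted key, and optionally a uint32 vno override."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries: List[Dict[str, Any]] = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # deleted slot: skip its body
            off += -size
            continue
        if size == 0:                # zero-filled tail: nothing more
            break
        body, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(body, p)
            comps.append(comp.decode("utf-8"))
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, p)
        (etype,) = struct.unpack_from(">H", body, p + 9)
        key, p = _counted(body, p + 11)
        kvno = vno8
        if p + 4 <= len(body):       # 32-bit vno present: it wins if non-zero
            (vno32,) = struct.unpack_from(">I", body, p)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode("utf-8"),
                        "etype": etype,
                        "enctype": ENCTYPE_NAMES.get(etype, "etype-%d" % etype),
                        "kvno": kvno, "key_len": len(key), "timestamp": timestamp})
    return entries


def weak_keys(data: bytes) -> List[Tuple[str, str]]:
    """(principal, enctype) for every key stored with a DES or RC4 enctype."""
    return [(e["principal"], e["enctype"]) for e in parse_keytab(data)
            if e["etype"] in WEAK_ENCTYPES]


def _record(realm: str, comps: List[str], etype: int, key: bytes, kvno: int) -> bytes:
    """Build one keytab record; used only to construct the sample below."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # KRB5_NT_PRINCIPAL, ts, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample (placeholder realm/host): an RC4 host key as the thread's
# `-e arcfour-hmac` would produce, a deleted slot, then an AES-256 key.
_HOST = ["host", "client.example.test"]
_DELETED = _record("EXAMPLE.TEST", _HOST, 3, b"\x00" * 8, 1)[4:]
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _record("EXAMPLE.TEST", _HOST, 23, b"\x11" * 16, 2)
                 + struct.pack(">i", -len(_DELETED)) + _DELETED
                 + _record("EXAMPLE.TEST", _HOST, 18, b"\x22" * 32, 2))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype"]))
    for principal, enctype in weak_keys(SAMPLE_KEYTAB):
        print("WEAK: %s uses %s" % (principal, enctype))
```

To check a real client, read /etc/krb5.keytab (as root) and pass its bytes to weak_keys; an empty list means no RC4 or DES keys are stored.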