On 05/02/2012 04:59 PM, Steven Bernstein wrote:
> Free IPA List peeps,
>
> I'm looking to set up FreeIPA on a Fedora 14 or 15 server I'm setting
> up at home.  I came across a reference at one point dealing with smart
> cards being associated with the users that hold them.
>
> I can't find the reference at this point and was wondering if there
> might be a list on the Wiki or someplace that details the errors that
> come back when trying to initialize or register a smart card with the
> server?
>

Smart card support has been on our road map for some time but it is not
implemented yet.
Maybe you are confusing us with the Dogtag project, which we leverage for
certificate management. It supports SC management and provisioning for
end users.
IPA can handle certs for hosts and services only for the time being.

HTH
Dmitri

> Thanks so much!
>
> Steven
>
> On Wed, May 2, 2012 at 1:57 PM, <freeipa-users-requ...@redhat.com> wrote:
>
>
>     Message: 1
>     Date: Wed, 2 May 2012 14:50:06 -0400
>     From: Matthew Davidson <m...@mldserviceslex.com>
>     To: <d...@redhat.com>, <freeipa-users@redhat.com>
>     Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>     Message-ID: <snt104-w395afebcc767d220ca34aaa3...@phx.gbl>
>     Content-Type: text/plain; charset="iso-8859-1"
>
>
>     Dmitri,
>     1) Do you have admin account on IPA side?
>     Yes. And judging by the command below admin does log in, or am I
>     mistaken?
>     [root@rhel5 ~]# kinit admin
>     Password for ad...@example.com:
>     [root@rhel5 ~]# klist
>     Ticket cache: FILE:/tmp/krb5cc_0
>     Default principal: ad...@example.com
>     Valid starting     Expires            Service principal
>     05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/example....@example.com
>     Kerberos 4 ticket cache: /tmp/tkt0
>     klist: You have no tickets cached
>     2) Is there a firewall between client and server? Is LDAP and
>     LDAPS allowed via the FW?
>     No firewall. shut those down at the first sign of trouble.
>
>     Thanks
>     Matt
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users@redhat.com
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>     ------------------------------
>
>     Message: 2
>     Date: Wed, 02 May 2012 14:57:24 -0400
>     From: Dmitri Pal <d...@redhat.com>
>     To: Matthew Davidson <m...@mldserviceslex.com>
>     Cc: freeipa-users@redhat.com
>     Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>     Message-ID: <4fa18394.7080...@redhat.com>
>     Content-Type: text/plain; charset="iso-8859-1"
>
>     On 05/02/2012 02:50 PM, Matthew Davidson wrote:
>     > Dmitri,
>     > 1) Do you have admin account on IPA side?
>     >
>     > Yes. And judging by the command below admin does log in, or am I
>     mistaken?
>     >
>     > [root@rhel5 ~]# kinit admin
>     > Password for ad...@example.com:
>     >
>     > [root@rhel5 ~]# klist
>     > Ticket cache: FILE:/tmp/krb5cc_0
>     > Default principal: ad...@example.com
>     >
>     > Valid starting     Expires            Service principal
>     > 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/example....@example.com
>     >
>     > Kerberos 4 ticket cache: /tmp/tkt0
>     > klist: You have no tickets cached
>     >
>
>     Is this from the client or from the server? I bet on the server.
>     Rob might be right that the client fails to find the right
>     authentication server due to the DNS configuration.
>
>     > 2) Is there a firewall between client and server? Is LDAP and LDAPS
>     > allowed via the FW?
>     >
>     > No firewall. shut those down at the first sign of trouble.
>     >
>     > Thanks
>     > Matt
>     >
>     >
>     ------------------------------------------------------------------------
>     > Date: Wed, 2 May 2012 13:51:15 -0400
>     > From: d...@redhat.com
>     > To: freeipa-users@redhat.com
>     > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>     >
>     > On 05/02/2012 12:43 PM, Matthew Davidson wrote:
>     >
>     >     Hi Rob
>     >
>     >     [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
>     >     DNS domain 'example.com' is not configured for automatic KDC address lookup.
>     >     KDC address will be set to fixed value.
>     >
>     >     Discovery was successful!
>     >     Hostname: rhel6.example.com
>     >     Realm: EXAMPLE.COM
>     >     DNS Domain: EXAMPLE.COM
>     >     IPA Server: rhel6.example.com
>     >     BaseDN: dc=example,dc=com
>     >
>     >     Continue to configure the system with these values? [no]: yes
>     >     User authorized to enroll computers: admin
>     >     Synchronizing time with KDC...
>     >     Password for ad...@example.com:
>     >
>     >     Enrolled in IPA realm EXAMPLE.COM
>     >     Created /etc/ipa/default.conf
>     >     Configured /etc/sssd/sssd.conf
>     >     Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
>     >     SSSD enabled
>     >     *Unable to find 'admin' user with 'getent passwd admin'!*
>     >
>     >
>     > 1) Do you have admin account on IPA side?
>     > 2) Is there a firewall between client and server? Is LDAP and LDAPS
>     > allowed via the FW?
>     >
>     >     Recognized configuration: SSSD
>     >     Changed configuration of /etc/ldap.conf to use hardcoded server
>     >     name: rhel6.example.com
>     >     NTP enabled
>     >     Client configuration complete.
>     >
>     >     /var/log/secure
>     >     May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
>     >     May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
>     >     May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
>     >     May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
>     >     May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
>     >     May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
>     >
>     >     /var/log/sssd/ldap_child.log
>     >     (Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>     >     (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>     >     (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>     >     (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>     >     (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>     >     (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>     >
>     >     /var/log/sssd/sssd.log
>     >     (Tue May  1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
>     >     (Wed May  2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
>     >
>     >     thanks for helping!
>     >     Matt
>     >
>     >     > Date: Wed, 2 May 2012 11:30:52 -0400
>     >     > From: rcrit...@redhat.com
>     >     > To: m...@mldserviceslex.com
>     >     > CC: freeipa-users@redhat.com
>     >     > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>     >     >
>     >     > Matthew Davidson wrote:
>     >     > > To clarify one point.
>     >     > >
>     >     > > I used the current redhat documents to setup the two systems.
>     >     > >
>     >     > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
>     >     > >
>     >     > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
>     >     > >
>     >     > > SSH does not seem to be discussed and that is when I started
>     >     > > web surfing in an attempt to fix my problem before reaching out
>     >     > > for help.
>     >     >
>     >     > A host service principal is created during enrollment so no
>     >     > additional work should be needed for SSH to work. The problem
>     >     > you're having is related to the fact that user lookup services
>     >     > are failing.
>     >     >
>     >     > Can you look in /var/log/secure and/or /var/log/sssd/* to see
>     >     > if there are any errors reported regarding sssd?
>     >     >
>     >     > What options did you pass to ipa-client-install?
>     >     >
>     >     > rob
>     >
>     >
>     >
>     >
>     >
>     > --
>     > Thank you,
>     > Dmitri Pal
>     >
>     > Sr. Engineering Manager IPA project,
>     > Red Hat Inc.
>     >
>     >
>     > -------------------------------
>     > Looking to carve out IT costs?
>     > www.redhat.com/carveoutcosts/
>     >
>     >
>     >
>
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IPA project,
>     Red Hat Inc.
>
>
>     -------------------------------
>     Looking to carve out IT costs?
>     www.redhat.com/carveoutcosts/
>
>
>
>
>     End of Freeipa-users Digest, Vol 46, Issue 10
>     *********************************************
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




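The quoted digest above pairs two symptoms on the RHEL 5 client: sshd rejecting an IPA user as "Invalid user" while SSSD's ldap_child cannot obtain a ticket ("Client not found in Kerberos database"), which is why Rob points at failing user lookups rather than at SSH itself. As an added example that is not part of the thread, FreeIPA or SSSD, the Python below parses both log formats from constructed sample lines shaped like the quoted ones and correlates them into a named failure pattern; the verdict labels are my own.

```python
import re

# Patterns for the two log formats quoted in the thread: /var/log/secure
# (sshd via syslog) and /var/log/sssd/ldap_child.log.
SECURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)$")
LDAP_CHILD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[ldap_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>\d+)\): (?P<msg>.*)$")
KDC_UNKNOWN = "Client not found in Kerberos database"

# Constructed sample lines in the same formats as the quoted logs.
SECURE_SAMPLE = """\
May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
""".splitlines()
LDAP_CHILD_SAMPLE = """\
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
""".splitlines()

def parse_secure(lines):
    """Return (user, ip, sshd pid) for every sshd 'Invalid user' line."""
    hits = []
    for line in lines:
        m = SECURE_RE.match(line)
        u = INVALID_USER_RE.match(m["msg"]) if m else None
        if u:
            hits.append((u["user"], u["ip"], m["pid"]))
    return hits

def parse_ldap_child(lines):
    """Return the error text ldap_child logged when it could not get a TGT."""
    errs = []
    for line in lines:
        m = LDAP_CHILD_RE.match(line)
        if m and m["func"] == "ldap_child_get_tgt_sync":
            errs.append(m["msg"].removeprefix("Failed to init credentials: "))
    return errs

def triage(secure_lines, ldap_child_lines):
    """Correlate the two symptoms and name the failure pattern (labels are mine)."""
    users = sorted({u for u, _, _ in parse_secure(secure_lines)})
    errs = parse_ldap_child(ldap_child_lines)
    kdc_unknown = sum(1 for e in errs if e == KDC_UNKNOWN)
    if users and kdc_unknown:
        # The KDC that SSSD reached does not know the client's host principal,
        # so its GSSAPI bind to LDAP fails and every user lookup fails with it.
        verdict = "host-principal-unknown"
    elif users:
        verdict = "lookup-failing"
    elif kdc_unknown:
        verdict = "kdc-unknown-only"
    else:
        verdict = "no-match"
    return {"invalid_users": users, "kdc_unknown_errors": kdc_unknown,
            "other_ldap_child_errors": [e for e in errs if e != KDC_UNKNOWN],
            "verdict": verdict}
```

A "host-principal-unknown" verdict means the thing to check is which KDC the client actually reaches (the DNS point Dmitri raises) and whether that KDC knows the principal in the client's keytab, not the SSH configuration.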