Re: [Freeipa-users] Services and Keytabs for load-balanced hostnames

2014-09-30 Thread Petr Spacek

On 29.9.2014 23:12, Simo Sorce wrote:

On Mon, 29 Sep 2014 23:25:08 +0300
Alexander Bokovoy  wrote:


On Mon, 29 Sep 2014, Mark Heslin wrote:

Folks,

I'm looking for the best approach to take for configuring IdM
clients to access web services (HTTP)
with keytabs when a front-end load-balanced hostname is in place.

I have a distributed OpenShift Enterprise configuration with three
broker hosts (broker1, broker2, broker3)
with all three configured as IdM clients.

IdM is configured with one server (idm-srv1.example.com), one
replica (idm-srv2.example.com); an HTTP service
has been created for each broker host:

  # ipa service-add HTTP/broker1.example.com
  # ipa service-add HTTP/broker2.example.com
  # ipa service-add HTTP/broker3.example.com

A DNS round-robin hostname called 'broker.example.com' has also
been configured to distribute broker requests across the three brokers:

  # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.11
  # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.12
  # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.13

Effectively, this creates a DNS A record that acts as a pseudo DNS
load-balancer.

To access the HTTP services, we have been creating keytabs for
the first broker host:

   # ipa-getkeytab -s idm-srv1.example.com -p HTTP/broker1.example@example.com -k /var/www/openshift/broker/httpd/conf.d/http.keytab

and copying the keytab over to the other two OpenShift broker hosts.

This all works fine but in the event that broker1 should go down,
the other broker hosts will lose access to the web service. Ideally,
we would like to have web services use the more generic, "load balanced"
hostname (broker.example.com) and in turn have the keytabs use
this name as well.

I tried creating an HTTP service using the "load balanced" hostname
(broker.example.com) but that appears to fail
due to broker.example.com not being a valid host within IdM:

   # ipa service-add HTTP/broker.example.com
   ipa: ERROR: The host 'broker.example.com' does not exist to add a service to.

In the F18 FreeIPA guide it discusses creating a combined keytab
file (Section 6.5.4) using ktutil:

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#Using_the_Same_Service_Principal_for_Multiple_Services

but would that still work as intended should a broker host go down?

The next section (6.5.5) mentions creating a keytab to create a
service principal that can be used across multiple hosts:

  # ipa-getkeytab -s kdc.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e des-cbc-crc

Which seems more in line with my thinking and exactly what we've
been doing, but again, if I try to do that
using the "load balanced" hostname (broker.example.com) it fails
since it's not a valid host within IdM.

What is the best method of doing this?

Make a host named broker.example.com
ipa host-add broker.example.com --force

--force will make sure to create the host object even if there is no
such name in the DNS.

Then create services for this host.

You'll need to set up your balancer hosts to use the proper service
principal instead of allowing them to construct the principal
themselves based on the hostname.


Even better, tell them to not assume any name: if the server name is NULL,
GSSAPI will try every key in the keytab. You can even force that
behavior with a krb5 config hack even if the app insists on setting a name,
by adding "ignore_acceptor_hostname true" in [libdefaults].


I consider this a 'workaround'.

An even better option is to teach your client application to use DNS SRV records
instead of plain A records. SRV records allow you to do more fancy things like
non-equal load balancing etc.


--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
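The procedure Alexander and Simo describe (host object with --force, service, one shared keytab, krb5.conf hack) together with Petr's SRV alternative, as an added example script that is not from the thread; the hostnames, realm, keytab path and SRV weights are assumptions taken from the messages above.

```shell
#!/bin/sh
# Added example, not from the thread: one HTTP principal for the DNS
# round-robin name, one keytab shared by all backends. Names, realm and
# keytab path are assumptions taken from the thread. DRY_RUN=1 (default)
# only prints the commands; DRY_RUN=0 executes them on an enrolled client.
set -eu

LB_HOST="${LB_HOST:-broker.example.com}"
ZONE="${ZONE:-example.com}"
IPA_SERVER="${IPA_SERVER:-idm-srv1.example.com}"
REALM="${REALM:-EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/var/www/openshift/broker/httpd/conf.d/http.keytab}"
BACKENDS="${BACKENDS:-broker1.example.com broker2.example.com broker3.example.com}"
DRY_RUN="${DRY_RUN:-1}"

# run: echo the command line, then execute it unless this is a dry run.
run() {
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# Host object for the balanced name (--force: it is only an A record, not an
# enrolled client), the service, and its keytab fetched exactly once. Every
# ipa-getkeytab call generates a fresh key, so running it again on each
# backend would invalidate the copies made earlier: fetch once, then copy.
provision_lb_service() {
    run ipa host-add "$LB_HOST" --force
    run ipa service-add "HTTP/$LB_HOST"
    run ipa-getkeytab -s "$IPA_SERVER" -p "HTTP/$LB_HOST@$REALM" -k "$KEYTAB"
    for host in $BACKENDS; do
        run scp -p "$KEYTAB" "root@$host:$KEYTAB"
    done
}

# SRV alternative from the thread: same priority, unequal weights send less
# traffic to broker3. Only clients that look up _http._tcp benefit.
add_http_srv_records() {
    run ipa dnsrecord-add "$ZONE" _http._tcp --srv-rec="0 40 80 broker1.$ZONE."
    run ipa dnsrecord-add "$ZONE" _http._tcp --srv-rec="0 40 80 broker2.$ZONE."
    run ipa dnsrecord-add "$ZONE" _http._tcp --srv-rec="0 20 80 broker3.$ZONE."
}

# krb5.conf fragment for a backend whose application insists on building the
# acceptor name from its own hostname: let GSSAPI try every key in the keytab.
krb5_libdefaults_snippet() {
    printf '[libdefaults]\n  ignore_acceptor_hostname = true\n'
}
```

After copying, confirm on each backend with `klist -kt` on the keytab that the HTTP/broker.example.com principal is present and has the same KVNO everywhere.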


Re: [Freeipa-users] gravatar image, IM fields

2014-09-30 Thread Tamas Papp


On 09/29/2014 12:35 PM, Martin Kosek wrote:

On 09/29/2014 11:51 AM, Tamas Papp wrote:


hi All,

Is there a solution to integrate gravatar images and IPA? Something like
a field for the gravatar url, or actually I am not sure what the right
solution would be.

Also, is there a solution to add IM details to users, like skype id,
hangouts id, etc.?


10x
tamas


Hello Tamas,

For the custom user fields, I think the best way will be to simply write a
plugin extending the User object, allowing these attributes in a new objectClass.

You can check an example with "favoriteColorName" in this presentation:

http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf


Thanks Martin.
Is there any plan to officially integrate such fields?

Just out of curiosity, is there any plan to make adding fields easier (from the GUI or with
the ipa command)?


Can a plugin break a future server upgrade?


Thanks,
tamas



[Freeipa-users] Fedora 21 and 4.0.3

2014-09-30 Thread Janelle

Hi,

I'm new to IPA - and was trying out the newest version of 4.0.3 with 
Fedora Server 21 testing -- it continues to die during the install at:


Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 
30 seconds

  [1/26]: creating certificate server user
  [2/26]: configuring certificate server instance
  [3/26]: stopping certificate server instance to update CS.cfg
  [4/26]: backing up CS.cfg
  [5/26]: disabling nonces
  [6/26]: set up CRL publishing
  [7/26]: starting certificate server instance <--- consistently dies 
at step 7


and checking the install log shows:

2014-09-29T21:14:30Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2014-09-29T21:19:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 639, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1095, in main
    dm_password, subject_base=options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 484, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 367, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 490, in __start
    self.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 282, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/services.py", line 193, in start
    instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 262, in start
    self.wait_for_open_ports(self.service_instance(instance_name))
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 228, in wait_for_open_ports
    self.api.env.startup_timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1153, in wait_for_open_ports
    raise socket.timeout()

Would anyone have any ideas on finding out what is going on here? I see 
the timeout of 5 minutes - but why waiting on ports that are not part of 
IPA?


Thank you
Janelle

Re: [Freeipa-users] Fedora 21 and 4.0.3

2014-09-30 Thread Jan Pazdziora
On Tue, Sep 30, 2014 at 06:19:37AM -0700, Janelle wrote:
> Hi,
> 
> I'm new to IPA - and was trying out the newest version of 4.0.3 with Fedora
> Server 21 testing -- it continues to die during the install at:
> 
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
> seconds
>   [1/26]: creating certificate server user
>   [2/26]: configuring certificate server instance
>   [3/26]: stopping certificate server instance to update CS.cfg
>   [4/26]: backing up CS.cfg
>   [5/26]: disabling nonces
>   [6/26]: set up CRL publishing
>   [7/26]: starting certificate server instance <--- consistently dies at
> step 7
> 
> and checking install log show:
> 
> 2014-09-29T21:14:30Z DEBUG wait_for_open_ports: localhost [8080, 8443]
> timeout 300

[...]

> Would anyone have any ideas on finding out what is going on here? I see the
> timeout of 5 minutes - but why waiting on ports that are not part of IPA?

I strongly suspect you are hitting

https://bugzilla.redhat.com/show_bug.cgi?id=1117673

Is there a particular reason why you want to go with unreleased
Fedora?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] Fedora 21 and 4.0.3

2014-09-30 Thread Alexander Bokovoy

On Tue, 30 Sep 2014, Janelle wrote:

Hi,

I'm new to IPA - and was trying out the newest version of 4.0.3 with 
Fedora Server 21 testing -- it continues to die during the install at:


Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 
30 seconds

 [1/26]: creating certificate server user
 [2/26]: configuring certificate server instance
 [3/26]: stopping certificate server instance to update CS.cfg
 [4/26]: backing up CS.cfg
 [5/26]: disabling nonces
 [6/26]: set up CRL publishing
 [7/26]: starting certificate server instance <--- consistently dies 
at step 7

You need to update selinux-policy to the latest one.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-84.fc21

--
/ Alexander Bokovoy



Re: [Freeipa-users] Fedora 21 and 4.0.3

2014-09-30 Thread Rob Crittenden
Jan Pazdziora wrote:
> On Tue, Sep 30, 2014 at 06:19:37AM -0700, Janelle wrote:
>> Hi,
>>
>> I'm new to IPA - and was trying out the newest version of 4.0.3 with Fedora
>> Server 21 testing -- it continues to die during the install at:
>>
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
>> seconds
>>   [1/26]: creating certificate server user
>>   [2/26]: configuring certificate server instance
>>   [3/26]: stopping certificate server instance to update CS.cfg
>>   [4/26]: backing up CS.cfg
>>   [5/26]: disabling nonces
>>   [6/26]: set up CRL publishing
>>   [7/26]: starting certificate server instance <--- consistently dies at
>> step 7
>>
>> and checking install log show:
>>
>> 2014-09-29T21:14:30Z DEBUG wait_for_open_ports: localhost [8080, 8443]
>> timeout 300
> 
> [...]
> 
>> Would anyone have any ideas on finding out what is going on here? I see the
>> timeout of 5 minutes - but why waiting on ports that are not part of IPA?

But it *is* part of IPA, hence we wait for it to come up and fail if it
doesn't. The installer would just blow up later without dogtag running.

> I strongly suspect you are hitting
> 
>   https://bugzilla.redhat.com/show_bug.cgi?id=1117673
> 
> Is there a particular reason why you want to go with unreleased
> Fedora?
> 

Probably because it's the only place one can (easily) test 4.0.3 right
now due to missing dependencies.

rob



Re: [Freeipa-users] Fedora 21 and 4.0.3

2014-09-30 Thread Alexander Bokovoy

On Tue, 30 Sep 2014, Rob Crittenden wrote:

Jan Pazdziora wrote:

On Tue, Sep 30, 2014 at 06:19:37AM -0700, Janelle wrote:

Hi,

I'm new to IPA - and was trying out the newest version of 4.0.3 with Fedora
Server 21 testing -- it continues to die during the install at:

Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
seconds
  [1/26]: creating certificate server user
  [2/26]: configuring certificate server instance
  [3/26]: stopping certificate server instance to update CS.cfg
  [4/26]: backing up CS.cfg
  [5/26]: disabling nonces
  [6/26]: set up CRL publishing
  [7/26]: starting certificate server instance <--- consistently dies at
step 7

and checking install log show:

2014-09-29T21:14:30Z DEBUG wait_for_open_ports: localhost [8080, 8443]
timeout 300


[...]


Would anyone have any ideas on finding out what is going on here? I see the
timeout of 5 minutes - but why waiting on ports that are not part of IPA?


But it *is* part of IPA, hence we wait for it to come up and fail if it
doesn't. The installer would just blow up later without dogtag running.

Dogtag messes up the SELinux labels when copying CS.cfg to back it up,
then an SELinux AVC prevents it from doing so, then the failure to copy causes
Dogtag to complain, but the code in /usr/share/pki/scripts/operations is
syntactically incorrect and the shell breaks its execution. This all results
in dogtag not being able to start.

I've filed a bug for the syntax error for pki-server and SELinux policy
fix is on its way to updates-testing. With that fix
(https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-84.fc21)
you can get over the issue and never trigger the syntax error in the
shell script.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Fedora 21 and 4.0.3

2014-09-30 Thread Janelle

Hi again,

Ok, so that fixed the issues with Fedora - and 4.0.3 is working fine. A
related question - would the COPR repo have 4.0.3 for Fedora 20? Maybe
that would be the way to go for more solid testing of supported IPA than
running it on an Alpha of Fedora?


Your thoughts/suggestions?
Janelle

On 9/30/14 6:56 AM, Alexander Bokovoy wrote:

On Tue, 30 Sep 2014, Janelle wrote:

Hi,

I'm new to IPA - and was trying out the newest version of 4.0.3 with 
Fedora Server 21 testing -- it continues to die during the install at:


Configuring certificate server (pki-tomcatd): Estimated time 3 
minutes 30 seconds

 [1/26]: creating certificate server user
 [2/26]: configuring certificate server instance
 [3/26]: stopping certificate server instance to update CS.cfg
 [4/26]: backing up CS.cfg
 [5/26]: disabling nonces
 [6/26]: set up CRL publishing
 [7/26]: starting certificate server instance <--- consistently dies 
at step 7

You need to update selinux-policy to the latest one.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-84.fc21





Re: [Freeipa-users] Fedora 21 and 4.0.3

2014-09-30 Thread Petr Spacek

On 30.9.2014 17:42, Janelle wrote:

Hi again,

Ok, so that fixed the issues with Fedora - and 4.0.3 is working fine. A
related question - would the COPR repo have 4.0.3 for Fedora 20? Maybe that
would be the way to go for more solid testing of supported IPA than running it
on an Alpha of Fedora?

Your thoughts/suggestions?


Feel free to use
https://copr.fedoraproject.org/coprs/mkosek/freeipa/

Have a nice day!

--
Petr^2 Spacek



Re: [Freeipa-users] gravatar image, IM fields

2014-09-30 Thread Dmitri Pal

On 09/30/2014 04:59 AM, Tamas Papp wrote:


On 09/29/2014 12:35 PM, Martin Kosek wrote:

On 09/29/2014 11:51 AM, Tamas Papp wrote:


hi All,

Is there a solution to integrate gravatar images and IPA? Something like
a field for the gravatar url, or actually I am not sure what the right
solution would be.

Also, is there a solution to add IM details to users, like skype id,
hangouts id, etc.?


10x
tamas


Hello Tamas,

For the custom user fields, I think the best way will be to simply write a
plugin extending the User object, allowing these attributes in a new objectClass.


You can check an example with "favoriteColorName" in this presentation:

http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf


Thanks Martin.
Is there any plan to officially integrate such fields?

Just out of curiosity, is there any plan to make adding fields easier (from the GUI or with
the ipa command)?


Can a plugin break a future server upgrade?


Thanks,
tamas

I think if you contribute the patch back we will be able to include it 
into the project.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
