Re: [Freeipa-users] using kerberos

2011-12-09 Thread Sumit Bose
On Fri, Dec 09, 2011 at 02:15:18AM +, Steven Jones wrote:
> Hi
> 
> From the HNAS manual
> 
> 8><-
> Kerberos Configuration
> Configuring the NAS server requires three steps: 
> 1. Create the principal and key of the service (the EVS) on the KDC (Key 
> Distribution Center). 
> 2. Export a keytab file from the KDC. We recommend using MIT Kerberos 
> version 5.
> 3.  Import the keytab file into the NAS server.
> 4. Set the Kerberos realm for the NAS server. 
> 8><-
> 
> How is 1) and 2) performed on the IPA server?

I think you are looking for:

ipa service-add cifs/my.nas.test
ipa-getkeytab -s my.ipa.server -p cifs/my.nas.test -k /tmp/nas.keytab

I'm guessing here that you want to use cifs on the NAS box. You might
want to change this if you use other methods to access the NAS box.

HTH

bye,
Sumit

> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
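The two commands above create the service principal and export its keys into a keytab that then gets copied to the NAS. Before shipping a keytab to an appliance it is worth checking what is actually in it: which principal, which kvno, and which enctypes, since an old appliance may only understand the weaker ones and a keytab that leaves the KDC host is only as safe as its file permissions. The script below is an added example, not part of this thread or of FreeIPA: it parses the MIT keytab format (version 0x0502) that ipa-getkeytab writes and flags deprecated enctypes. The keytab bytes are constructed in-line (the realm MY.IPA.TEST, the kvno and the key bytes are assumptions; cifs/my.nas.test is the principal from the thread), so it runs offline without an IPA server.

```python
"""Inspect a Kerberos keytab such as the one ipa-getkeytab writes.

Added example (not FreeIPA code). Parses MIT keytab format 0x0502, lists each
entry's principal, kvno and enctype, and flags deprecated enctypes. The sample
keytab is constructed below; realm, kvno and key bytes are assumptions.
"""
import struct

# Enctype numbers as assigned in RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Single DES and RC4 should not appear in a freshly exported keytab.
DEPRECATED_ENCTYPES = {1, 3, 23}


def _pack_counted(raw):
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def _unpack_counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def build_entry(components, realm, kvno, enctype, key, timestamp=0):
    """Serialise one keytab entry (used here only to construct sample input)."""
    body = struct.pack(">H", len(components)) + _pack_counted(realm.encode())
    for comp in components:
        body += _pack_counted(comp.encode())
    # name type 1 = KRB5_NT_PRINCIPAL, then timestamp and the 8-bit kvno
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _pack_counted(key)
    body += struct.pack(">I", kvno)          # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return a list of dicts (principal, kvno, enctype, keylen), one per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                          # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _unpack_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _unpack_counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _unpack_counted(data, off)
        kvno = vno8
        if end - off >= 4:                    # 32-bit kvno present; non-zero wins
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "keylen": len(key),
        })
        off = end
    return entries


def weak_entries(entries):
    """Entries whose enctype is on the deprecated list."""
    return [e for e in entries if e["enctype"] in DEPRECATED_ENCTYPES]


def mode_is_private(mode):
    """True when the file mode grants nothing to group or other (e.g. 0600)."""
    return (mode & 0o077) == 0


# Constructed sample: two current AES keys plus one RC4 key to trigger the check.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry(["cifs", "my.nas.test"], "MY.IPA.TEST", 2, 18, b"\x11" * 32),
    build_entry(["cifs", "my.nas.test"], "MY.IPA.TEST", 2, 17, b"\x22" * 16),
    build_entry(["cifs", "my.nas.test"], "MY.IPA.TEST", 2, 23, b"\x33" * 16),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-30s kvno=%d %s (%d-byte key)" % (e["principal"], e["kvno"],
                                                   e["enctype_name"], e["keylen"]))
    for e in weak_entries(parse_keytab(SAMPLE_KEYTAB)):
        print("WARNING: deprecated enctype %s for %s" % (e["enctype_name"], e["principal"]))
```

To run it against a real file, read it in binary mode and pass the bytes to parse_keytab; the kvno it reports must match the one the KDC holds for the principal (ipa-getkeytab increments it on every export, which invalidates any keytab exported earlier), and os.stat(path).st_mode can be handed to mode_is_private before the file is copied anywhere.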


Re: [Freeipa-users] dns delegated zone issue

2011-12-09 Thread Natxo Asenjo
On Fri, Dec 9, 2011 at 1:55 AM, Simo Sorce  wrote:

>> If I login using a fqdn instead of the simple one, then it works. The
>> funny thing is, I can use the simple dns name to login the kdc server.
>> Why?
>
> Not sure why it works on your kdc, perhaps you have entries in /etc/hosts that 
> resolve it first.

spot on, adding that entry in the ipaclient01 host allows simple name
logins to the host.

>> I use both the example.com as the ipa.example.com in the laptop's
>> search field in /etc/resolv.conf, by the way.
>
> This is the issue. Your client is trying to use the name
> ipaclient01.example.com and seeing it is not in the ipa.example.com your
> krb libs are trying to search for a trusted realm named 'EXAMPLE.COM'
> which does not exist of course.
>
> Using the fqdn there is no ambiguity and therefore your krb libs know
> what is the full name and the principal they should look for.

ok. I guess I have to think about the order I want the clients to
search their default dns domains and realms. I mean, for members of
the ipa realm it appears to make more sense to get the ipa realm dns
as first search option and the parent domain as second search option.

I should also use the kdc dns server as default name server for those
clients and have the example.com as forwarder in the kdc. I changed
the dhcp server range and the kdc name server picked up the change and
modified the A rr for the ipaclient01 (impressive, dyndns without any
configuration of the dhcp server), but the example.com ns still had a
cached resolution of the ipaclient01 A rr that pointed to the old
range.

>> Another question: why is it not possible to add simple hostnames as a
>> service principal?
>
> In theory you could, and turning off canonicalization completely you
> would be able to get a ticket. But in general a FQDN name is needed to
> connect to another host if you do not have a specific search domain.
>
> A simple host name would be ambiguous, how do you know which ticket to
> fetch if you have both www.example.com and www.ipa.example.com and want
> to do kerb auth against one or the other server? Clearly the
> HTTP/w...@ipa.example.com principal can only be used by one of them while
> a FQDN instead makes it pretty unambiguous in all cases.
>
> Also a FQDN is sometimes used because there are historically protocols
> where the name of the server is not known directly, but only through a
> PTR record which is resolved into a FQDN name.

Thanks for your explanation. The reason I was asking this is because I
have seen that in AD those simple spn attributes are automatically
added to computers that join the AD domain. So maybe IPA could do the
same if we have explicitly set the ipa dns domain as first search
domain.

I'll look into this later.

Thanks!

-- 
natxo

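The failure mode Simo describes above is easy to reproduce on paper: the resolver qualifies the short name with whichever search domain answers first, and the Kerberos library then derives a realm from that FQDN. The script below is an added example, not from this thread and not the MIT library's code: a simplified model of that two-step mapping, using the host and domain names from the thread. The stand-in DNS data, the [domain_realm] mapping and the set of realms with a reachable KDC are constructed for the example; it also goes one step beyond the thread by showing the same client with the search order reversed.

```python
"""Model of how a Kerberos client turns a short host name into a principal.

Added example, not MIT krb5 code. Step 1: the resolver search list qualifies
the short name (first search domain with a record wins). Step 2: the FQDN is
mapped to a realm via [domain_realm] (exact host first, then the longest
matching '.domain' suffix); with no matching rule the client falls back to the
upper-cased parent domain. DNS data, mapping and realm set are constructed.
"""

# Constructed stand-in for DNS: which fully qualified names have an A record.
KNOWN_HOSTS = {
    "ipaclient01.ipa.example.com",
    "ipaclient01.example.com",   # stale record cached by the parent zone's NS
}

# Constructed [domain_realm] section as an IPA-enrolled client would carry it.
DOMAIN_REALM = {
    ".ipa.example.com": "IPA.EXAMPLE.COM",
    "ipa.example.com": "IPA.EXAMPLE.COM",
}

# Realms for which a KDC can actually be found.
KNOWN_REALMS = {"IPA.EXAMPLE.COM"}


def qualify(name, search_list, known_hosts=KNOWN_HOSTS):
    """Apply the resolver search list: the first candidate with a record wins.

    Simplification: any name containing a dot is treated as already qualified.
    """
    if "." in name:
        return name
    for domain in search_list:
        candidate = "%s.%s" % (name, domain)
        if candidate in known_hosts:
            return candidate
    return None


def realm_for_host(fqdn, domain_realm=DOMAIN_REALM):
    """[domain_realm] lookup: exact host, longest '.suffix', else upper-cased parent domain."""
    name = fqdn.lower().rstrip(".")
    if name in domain_realm:
        return domain_realm[name]
    labels = name.split(".")
    for i in range(1, len(labels)):          # ".ipa.example.com" before ".example.com"
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()      # fallback that produces EXAMPLE.COM


def resolve_principal(service, host, search_list):
    """Return (principal, realm_is_known); (None, False) when the host does not resolve."""
    fqdn = qualify(host, search_list)
    if fqdn is None:
        return None, False
    realm = realm_for_host(fqdn)
    return "%s/%s@%s" % (service, fqdn, realm), realm in KNOWN_REALMS


if __name__ == "__main__":
    # The laptop's order from the thread, then the order Natxo proposes.
    for search in (["example.com", "ipa.example.com"],
                   ["ipa.example.com", "example.com"]):
        principal, ok = resolve_principal("host", "ipaclient01", search)
        print("search %-34s -> %-45s %s" % (search, principal,
                                          "KDC found" if ok else "no such realm"))
```

The model shows why Natxo's conclusion is right: with ipa.example.com first in the search list the short name qualifies to ipaclient01.ipa.example.com and the [domain_realm] suffix rule yields IPA.EXAMPLE.COM; with example.com first it qualifies to the stale parent-zone name, no rule matches, and the fallback produces a realm no KDC serves. A fully qualified name skips step 1 entirely, which is why the FQDN login always worked.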


Re: [Freeipa-users] Limiting group/user visibility

2011-12-09 Thread Lassi Pölönen
On 2011-12-08 17:36, Rob Crittenden wrote:
> Lassi Pölönen wrote:
>> On 7.12.2011 21:28, Dmitri Pal wrote:
 So I came to the conclusion I just create a role for each customer, e.g
 "Customer1" and assign that role to all customer's user groups and
 hosts
 (too bad it isn't possible to assign a role to a hostgroup). This
 requires an aci to be created for each customer though:


Actually it seems to be possible to assign roles to host groups as well.
Just not from Identity -> Host groups. IPA Server -> RBAC -> Roles has
the option though.



> Unless you need per-object acis you can probably simplify the filter
> to cover the entire DIT by dropping the target and using just the
> targetfilter.
>
> I'd recommend verifying that data doesn't leak via schema compat if
> you have that enabled.
>
> rob

Looks like dropping the target prevents a user from logging in, so
apparently there's some entries that need to be accessible other than
those labeled with memberOf. One additional thing came to my
mind: user private groups probably need to be accessible as well. At
least by default there doesn't seem to be a way to assign the same role
for those as well.





Re: [Freeipa-users] CA replication

2011-12-09 Thread Rob Crittenden

Dan Scott wrote:

Hi,

On Thu, Dec 8, 2011 at 13:29, Rob Crittenden  wrote:

Dan Scott wrote:


Hi,

I just tried to add a CA replica to my IPA replica (Both Fedora 15) using:

ipa-ca-install replica-info-ohm.gpg

It proceeds to configure the directory server for the CA, but fails
when 'configuring certificate server':

Configuring certificate server: Estimated time 3 minutes 30 seconds
   [1/11]: creating certificate server user
   [2/11]: creating pki-ca instance
   [3/11]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
'/tmp/tmp-Mbw1ut' '-client_certdb_pwd'  '-preop_pin'
'X' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
'root@localhost' '-admin_password'  '-agent_name'
'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
'-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
Manager' '-bind_password'  '-base_dn' 'o=ipaca' '-db_name'
'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' 
'-subsystem_name' 'pki-cad' '-token_name' 'internal'
'-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
'-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
'-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password'  '-sd_hostname' 'curie.example.com'
'-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
 '-clone_start_tls' 'true' '-clone_uri'
'https://curie.example.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Some errors from /var/log/ipareplica-ca-install.log

Error in DomainPanel(): updateStatus value is null
ERROR: ConfigureCA: DomainPanel() failure
ERROR: unable to create CA

   File "/usr/sbin/ipa-ca-install", line 156, in
 main()

   File "/usr/sbin/ipa-ca-install", line 141, in main
 (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1136, in install_replica_ca
 subject_base=config.subject_base)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 537, in configure_instance
 self.start_creation("Configuring certificate server", 210)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 248, in start_creation
 method()

   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 680, in __configure_instance
 raise RuntimeError('Configuration of CA failed')

Anyone have any ideas?



/var/log/pki-ca/debug probably has more details.


This file contains the following errors:

[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating
SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser
failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS
no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase
getCertChainUsingSecureAdminPort start
[08/Dec/2011:12:24:40][http-9445-2]:
WizardPanelBase::getCertChainUsingSecureAdminPort() -
Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase:
getCertChainUsingSecureAdminPort: java.io.IOException:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri =
/ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to service.
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08
12:24:40 EST 2011 id=caGetStatus time=32
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
[08/Dec/2011:12:24:40][http-9445-2]: panel no=3
[08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
[08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
[08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
org.apache.catalina.connector.ResponseFacade
[08/Dec/2011:12:24:40][http-9445-2]: Error: un

Re: [Freeipa-users] CA replication

2011-12-09 Thread Dan Scott
Hi,

On Fri, Dec 9, 2011 at 09:24, Rob Crittenden  wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> On Thu, Dec 8, 2011 at 13:29, Rob Crittenden  wrote:
>>>
>>> Dan Scott wrote:


 Hi,

 I just tried to add a CA replica to my IPA replica (Both Fedora 15)
 using:

 ipa-ca-install replica-info-ohm.gpg

 It proceeds to configure the directory server for the CA, but fails
 when 'configuring certificate server':

 Configuring certificate server: Estimated time 3 minutes 30 seconds
   [1/11]: creating certificate server user
   [2/11]: creating pki-ca instance
   [3/11]: configuring certificate server instance
 root        : CRITICAL failed to configure ca instance Command
 '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
 'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
 '/tmp/tmp-Mbw1ut' '-client_certdb_pwd'  '-preop_pin'
 'X' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
 'root@localhost' '-admin_password'  '-agent_name'
 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
 '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
 'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
 Manager' '-bind_password'  '-base_dn' 'o=ipaca' '-db_name'
 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' 
 '-subsystem_name' 'pki-cad' '-token_name' 'internal'
 '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
 '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
 '-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
 '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
 '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
 '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
 '-clone_p12_password'  '-sd_hostname' 'curie.example.com'
 '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
  '-clone_start_tls' 'true' '-clone_uri'
 'https://curie.example.com:443'' returned non-zero exit status 255
 creation of replica failed: Configuration of CA failed

 Some errors from /var/log/ipareplica-ca-install.log

 Error in DomainPanel(): updateStatus value is null
 ERROR: ConfigureCA: DomainPanel() failure
 ERROR: unable to create CA

   File "/usr/sbin/ipa-ca-install", line 156, in
     main()

   File "/usr/sbin/ipa-ca-install", line 141, in main
     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)

   File
 "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
 line 1136, in install_replica_ca
     subject_base=config.subject_base)

   File
 "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
 line 537, in configure_instance
     self.start_creation("Configuring certificate server", 210)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
 line 248, in start_creation
     method()

   File
 "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
 line 680, in __configure_instance
     raise RuntimeError('Configuration of CA failed')

 Anyone have any ideas?
>>>
>>>
>>>
>>> /var/log/pki-ca/debug probably has more details.
>>
>>
>> This file contains the following errors:
>>
>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating
>> SSL Admin HTTPS . . .
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser
>> failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
>> White spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS
>> no successful response for SSL Admin HTTPS
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase
>> getCertChainUsingSecureAdminPort start
>> [08/Dec/2011:12:24:40][http-9445-2]:
>> WizardPanelBase::getCertChainUsingSecureAdminPort() -
>> Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
>> 50; White spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase:
>> getCertChainUsingSecureAdminPort: java.io.IOException:
>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>> spaces are required between publicId and systemId.
>> [08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri =
>> /ca/admin/ca/getStatus
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to
>> service.
>> [08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08
>> 12:24:40 EST 2011 id=caGetStatus time=32
>> [08/Dec/2011:12:24

Re: [Freeipa-users] CA replication

2011-12-09 Thread Rob Crittenden

Dan Scott wrote:

Hi,

On Fri, Dec 9, 2011 at 09:24, Rob Crittenden  wrote:

Dan Scott wrote:


Hi,

On Thu, Dec 8, 2011 at 13:29, Rob Crittenden wrote:


Dan Scott wrote:



Hi,

I just tried to add a CA replica to my IPA replica (Both Fedora 15)
using:

ipa-ca-install replica-info-ohm.gpg

It proceeds to configure the directory server for the CA, but fails
when 'configuring certificate server':

Configuring certificate server: Estimated time 3 minutes 30 seconds
   [1/11]: creating certificate server user
   [2/11]: creating pki-ca instance
   [3/11]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
'ohm.example.com' '-cs_port' '9445' '-client_certdb_dir'
'/tmp/tmp-Mbw1ut' '-client_certdb_pwd'  '-preop_pin'
'X' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
'root@localhost' '-admin_password'  '-agent_name'
'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
'-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host'
'ohm.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
Manager' '-bind_password'  '-base_dn' 'o=ipaca' '-db_name'
'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' 
'-subsystem_name' 'pki-cad' '-token_name' 'internal'
'-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM'
'-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM'
'-ca_server_cert_subject_name' 'CN=ohm.example.com,O=EXAMPLE.COM'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password'  '-sd_hostname' 'curie.example.com'
'-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
 '-clone_start_tls' 'true' '-clone_uri'
'https://curie.example.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Some errors from /var/log/ipareplica-ca-install.log

Error in DomainPanel(): updateStatus value is null
ERROR: ConfigureCA: DomainPanel() failure
ERROR: unable to create CA

   File "/usr/sbin/ipa-ca-install", line 156, in
 main()

   File "/usr/sbin/ipa-ca-install", line 141, in main
 (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1136, in install_replica_ca
 subject_base=config.subject_base)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 537, in configure_instance
 self.start_creation("Configuring certificate server", 210)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 248, in start_creation
 method()

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 680, in __configure_instance
 raise RuntimeError('Configuration of CA failed')

Anyone have any ideas?




/var/log/pki-ca/debug probably has more details.



This file contains the following errors:

[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: validating
SSL Admin HTTPS . . .
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase: pingCS: parser
failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: SecurityDomainPanel: pingAdminCS
no successful response for SSL Admin HTTPS
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase
getCertChainUsingSecureAdminPort start
[08/Dec/2011:12:24:40][http-9445-2]:
WizardPanelBase::getCertChainUsingSecureAdminPort() -
Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
50; White spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase:
getCertChainUsingSecureAdminPort: java.io.IOException:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
spaces are required between publicId and systemId.
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: started
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet:service() uri =
/ca/admin/ca/getStatus
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: caGetStatus start to
service.
[08/Dec/2011:12:24:40][http-9445-1]: CMSServlet: curDate=Thu Dec 08
12:24:40 EST 2011 id=caGetStatus time=32
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: got XML
parsed
[08/Dec/2011:12:24:40][http-9445-2]: WizardPanelBase pingCS: state=0
[08/Dec/2011:12:24:40][http-9445-2]: panel no=3
[08/Dec/2011:12:24:40][http-9445-2]: panel name=securitydomain
[08/Dec/2011:12:24:40][http-9445-2]: total number of panels=19
[08/Dec/2011:12:24:40][http-9445-2]: WizardServlet: found xml
[08/Dec/2011:12:24:40][http-9445-2]: Error: unknown type
org.apa