Re: [Freeipa-users] hostgroups not working for Sudo commands
Yes, I'd missed this:

    echo nisdomainname ods.vuw.ac.nz >> /etc/rc.d/rc.local

Is it not possible to automate this (sudo setup) more in ipa-client-install? Control whether you want it via a sudo_enable=yes or no somewhere? I've added it to my kickstart for now, so my sudo setup is mostly automated.

RHEL 6.3 added NISDOMAIN as a usable entry in /etc/sysconfig/network, by the way - it's a bit cleaner than sticking stuff in rc.local ...

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] cross domain trust between two IPA servers
Hi everyone,

Is it possible to create a cross domain trust between two IPA servers? I would have thought FreeIPA would have dealt with this use case first rather than jump directly into integrating with AD. The reason for this is that you're more likely to have satellite sites of Red Hat servers you want to manage. An example of this is shown below.

You require user details to be separated for two separate organizations that merge together. In the interim period, or permanently, you may want members' data to be stored in the two separate Realms for either legal reasons or for company structure reasons (Management), as you do this quite frequently with Microsoft AD environments when corporations merge or buy one another out. Or a parent company buys a smaller company but wants to hook the two systems together without merging them completely, to keep the companies' identity and major operations separate.

Is there any way to do this with two IPA servers?

--
Johnathan Phan
ox-consulting
T: +44 (0)784 118 7080
j...@ox-consulting.com
Re: [Freeipa-users] cross domain trust between two IPA servers
On Tue, 2012-08-07 at 14:54 +0100, Johnathan Phan wrote:
> Hi everyone,
>
> Is it possible to create a cross domain trust between two IPA servers? I would have thought FreeIPA would have dealt with this use case first rather than jump directly into integrating with AD.

Not yet; the reason we dealt with AD first is that there was more request for that use case.

> The reason for this is that you're more likely to have satellite sites of Red Hat servers you want to manage. An example of this is shown below.
>
> You require user details to be separated for two separate organizations that merge together. In the interim period, or permanently, you may want members' data to be stored in the two separate Realms for either legal reasons or for company structure reasons (Management), as you do this quite frequently with Microsoft AD environments when corporations merge or buy one another out. Or a parent company buys a smaller company but wants to hook the two systems together without merging them completely, to keep the companies' identity and major operations separate.
>
> Is there any way to do this with two IPA servers?

We are planning to add FreeIPA-FreeIPA trusts in due course, and a Kerberos level trust between 2 IPA servers can be done with some manual work, but there are some details when it comes to providing identity to the other domain that are missing. (Although SSSD can be configured easily enough to use 2 separate FreeIPA domains if really needed.)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] pam su configuration to ignore certain ipa/ldap users
I have an unusual situation. Our DBAs want different passwords for the oracle account on production and development machines. I'm using local authentication for oracle on all the boxes, but they're also not allowed to log in directly as oracle, only su, but su always wants to go to ldap first.

Does anyone know what I need to do to get su to look at local auth first, then go to ldap?

Another consideration is that this is AIX. I'm pretty sure if given a Linux solution to this I could adapt it (AIX *can* use PAM, it just doesn't by default).

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] cross domain trust between two IPA servers
On Tue, 2012-08-07 at 16:36 +0100, Johnathan Phan wrote:
> Hi Simo,
>
> This document here implies that this does it.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html#basic-trust

This document does not apply to Identity Management (FreeIPA in RHEL speak); it is for a classic Kerberos KDC. However, it is a reasonable guide to experiment with trusts.

> However, during testing it does not behave as expected. Do you have any documentation on how SSSD can be configured so that logging in on a server in a.example.com with a user that exists in the IPA server responsible for domain b.example.com can happen, only based on the rights the group has in b.example.com? Any reference material on how that could work will help me a long way.

You should look into the fact that SSSD can be defined to have multiple domains. This means, though, that the 'receiving' machines need to be configured for both realms. This is one of the gotchas, given the current lack of actual integration; moving forward, when we have official integration, manual configuration of a separate SSSD domain will not be necessary and group memberships will work better.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
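Simo's pointer that SSSD can carry multiple domains, as an added example (not configuration from the thread or from the FreeIPA project): an /etc/sssd/sssd.conf on a host in a.example.com that also resolves and authenticates users from the b.example.com IPA realm named in the question. It assumes the host has been enrolled in both realms, that it holds a second host keytab and B's CA certificate at the placeholder paths shown, and that the server and host names are placeholders.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# Both IPA domains are consulted; the order is the lookup order for unqualified names.
domains = a.example.com, b.example.com

[nss]

[pam]

[domain/a.example.com]
# The realm this host was enrolled in with ipa-client-install; the keytab and
# CA certificate take their defaults (/etc/krb5.keytab, /etc/ipa/ca.crt).
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = a.example.com
ipa_server = ipa1.a.example.com
ipa_hostname = client1.a.example.com
krb5_realm = A.EXAMPLE.COM
cache_credentials = True

[domain/b.example.com]
# Second IPA realm, configured by hand because there is no IPA-IPA trust yet.
# Assumes this host also has a host entry in b.example.com and was issued a
# separate host keytab for it (placeholder path) so SSSD can bind over GSSAPI.
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = b.example.com
ipa_server = ipa1.b.example.com
ipa_hostname = client1.a.example.com
krb5_realm = B.EXAMPLE.COM
krb5_keytab = /etc/krb5.b.keytab
# B's LDAP servers present certificates from B's CA, not A's (placeholder path).
ldap_tls_cacert = /etc/ipa/ca-b.crt
# Users from B are referred to as user@b.example.com, so a login name that
# exists in both realms cannot be confused with its namesake in A.
use_fully_qualified_names = True
cache_credentials = True
```

Because the two domains are independent, a group in B only grants access on this host if B's own HBAC rules (evaluated by the B domain's access_provider) allow it; group memberships do not cross from one domain to the other, which is the limitation Simo describes.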
Re: [Freeipa-users] pam su configuration to ignore certain ipa/ldap users
I've figured this out on AIX. If anyone googles this later: in /etc/security/user the default: stanza needs to have:

    SYSTEM = compat or KRB5ALXAP or LDAP

instead of:

    SYSTEM = KRB5ALXAP or LDAP or compat

It could probably be done other ways (using PAM), but this was easiest for now.

On Tue, Aug 7, 2012 at 10:02 AM, KodaK sako...@gmail.com wrote:
> I have an unusual situation. Our DBAs want different passwords for the oracle account on production and development machines. I'm using local authentication for oracle on all the boxes, but they're also not allowed to log in directly as oracle, only su, but su always wants to go to ldap first.
>
> Does anyone know what I need to do to get su to look at local auth first, then go to ldap?
>
> Another consideration is that this is AIX. I'm pretty sure if given a Linux solution to this I could adapt it (AIX *can* use PAM, it just doesn't by default).
>
> --
> The government is going to read our mail anyway, might as well make it tough for them.
> GPG Public key ID: B6A1A7C6

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
[Freeipa-users] Multiple hostnames
I suspect I'm SOL on this one, but I'd like confirmation.

We have two servers in an HA cluster:

    source: sla710ph1.unix.magellanhealth.com
    target: slahat01.unix.magellanhealth.com

and a service name of:

    sla710ph.unix.magellanhealth.com

The service name will float between the HA source and target. The DBAs tell me that in order for Oracle to work, the hostname has to return the service name. There's absolutely no way to do this and remain kerberized, right? I can't have two servers (with two different IP addresses) be the same in IPA, right?

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
[Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
Good Afternoon,

I'm testing FreeIPA for a proof-of-concept replacement of NIS on OEL 6.3 (RHEL 6.3). I followed the guide to set up the FreeIPA server, and it seems to be working great on the IPA server itself. I can ssh in as admin, type my password, and I'm in.

I then have been struggling with getting it going on client systems. As I'm not setting any of this up with DNS (I want this to be as unobtrusive as possible), I executed the following command:

    ipa-client-install --no-dns-sshfp --no-ntp --server=ovm-auth.domain --domain=domain

It asked me for admin's username and password and threw a warning about getent passwd admin not returning anything. Sure enough, it doesn't return anything on the client (although it does on the server). From the client, I'm able to kinit admin, type my password, and then passwordlessly ssh over to the auth server.

I do see these entries in my log file on the client:

    Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Failed to initialize credentials using keytab [(null)]: Client 'host/ovm-c19-dbdomain@REALM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
    Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Client not found in Kerberos database

I'm pretty new at Kerberos, so am unsure exactly what this might mean.

Thanks for any pointers!

Rob
Re: [Freeipa-users] Multiple hostnames
On Tue, 2012-08-07 at 14:56 -0500, KodaK wrote:
> I suspect I'm SOL on this one, but I'd like confirmation.
>
> We have two servers in an HA cluster:
>
>     source: sla710ph1.unix.magellanhealth.com
>     target: slahat01.unix.magellanhealth.com
>
> and a service name of:
>
>     sla710ph.unix.magellanhealth.com
>
> The service name will float between the HA source and target. The DBAs tell me that in order for Oracle to work, the hostname has to return the service name. There's absolutely no way to do this and remain kerberized, right? I can't have two servers (with two different IP addresses) be the same in IPA, right?

Not sure what 'source' and 'target' mean; I guess they are the names of 2 peers in an active/passive HA solution?

There are ways to deal with that. A simple way is to share the same keytab, using the common name for the fqdn part of the service (this means you have to copy and keep the keytab in sync whenever you reconfigure it). Of course, the service must be able to be configured to pass a specific name (not use the hostname) or, even better, not specify *any* name, and let GSSAPI check whether any key is able to decrypt the incoming ticket, ignoring the service name entirely.

Other ways entail using a CNAME for the common name and having DNS switch it from one 'hard' name to the other. In that case clients will resolve the CNAME and then acquire a ticket for the correct target host. However, name caching and TTL issues may make failing over this way less desirable. The CNAME trick works better for load balancing (using DNS round robin) in active/active solutions.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, 2012-08-07 at 13:00 -0700, Rob Ogilvie wrote:
> Good Afternoon,
>
> I'm testing FreeIPA for a proof-of-concept replacement of NIS on OEL 6.3 (RHEL 6.3). I followed the guide to set up the FreeIPA server, and it seems to be working great on the IPA server itself. I can ssh in as admin, type my password, and I'm in.
>
> I then have been struggling with getting it going on client systems. As I'm not setting any of this up with DNS (I want this to be as unobtrusive as possible), I executed the following command:
>
>     ipa-client-install --no-dns-sshfp --no-ntp --server=ovm-auth.domain --domain=domain
>
> It asked me for admin's username and password and threw a warning about getent passwd admin not returning anything. Sure enough, it doesn't return anything on the client (although it does on the server). From the client, I'm able to kinit admin, type my password, and then passwordlessly ssh over to the auth server.
>
> I do see these entries in my log file on the client:
>
>     Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Failed to initialize credentials using keytab [(null)]: Client 'host/ovm-c19-dbdomain@REALM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
>     Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Client not found in Kerberos database
>
> I'm pretty new at Kerberos, so am unsure exactly what this might mean.

Kerberos depends on proper name resolution. If a hostname cannot be resolved you cannot acquire tickets for it. So if your host ovm-c19-db does not have a DNS entry (either using IPA's DNS server or an external DNS server) you can't get tickets. Also, name resolution generally must match the hostname, as that is what is used to register a client into IPA.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, Aug 7, 2012 at 1:24 PM, Simo Sorce s...@redhat.com wrote:
> Kerberos depends on proper name resolution. If a hostname cannot be resolved you cannot acquire tickets for it. So if your host ovm-c19-db does not have a DNS entry (either using IPA's DNS server or an external DNS server) you can't get tickets. Also, name resolution generally must match the hostname, as that is what is used to register a client into IPA.

That seems fair. DNS is well set up, though. ovm-c19-db.fqdn exists in DNS and ovm-auth is able to resolve it by short hostname and FQDN. On the client, hostname returns the FQDN as well. Is there anything in my log entries that makes it look like it's a DNS problem? Again, I must stress, I'm new with Kerberos.

Thanks for your help!

Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, 2012-08-07 at 13:35 -0700, Rob Ogilvie wrote:
> On Tue, Aug 7, 2012 at 1:24 PM, Simo Sorce s...@redhat.com wrote:
>> Kerberos depends on proper name resolution. If a hostname cannot be resolved you cannot acquire tickets for it. So if your host ovm-c19-db does not have a DNS entry (either using IPA's DNS server or an external DNS server) you can't get tickets. Also, name resolution generally must match the hostname, as that is what is used to register a client into IPA.
>
> That seems fair. DNS is well set up, though. ovm-c19-db.fqdn exists in DNS and ovm-auth is able to resolve it by short hostname and FQDN. On the client, hostname returns the FQDN as well. Is there anything in my log entries that makes it look like it's a DNS problem? Again, I must stress, I'm new with Kerberos.

Does klist -kt /etc/krb5.keytab return entries with the right hostname?

If that works, does ipa host-find list it?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, Aug 7, 2012 at 1:59 PM, Simo Sorce s...@redhat.com wrote:
> Does klist -kt /etc/krb5.keytab return entries with the right hostname?

It lists four entries, each with the correct FQDN:

    [root@ovm-c19-db ~]# klist -kt /etc/krb5.keytab
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       1 08/07/12 12:51:03 host/ovm-c19-db.domainname@DOMAINNAME
       1 08/07/12 12:51:03 host/ovm-c19-db.domainname@DOMAINNAME
       1 08/07/12 12:51:03 host/ovm-c19-db.domainname@DOMAINNAME
       1 08/07/12 12:51:03 host/ovm-c19-db.domainname@DOMAINNAME

> If that works, does ipa host-find list it?

It does, but not with a certificate listed (ovm-auth, the server, does have a certificate listed).

Thanks!

Rob
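The check Simo asks for, written out as an added example (not code from the thread or from FreeIPA): it parses what `klist -kt` prints and verifies that every entry is a host/ principal for this machine's FQDN in the expected realm, which is what the listing above should show. It also flags mixed KVNOs, the same check you run after copying a shared keytab between HA peers as Simo suggested earlier for the Oracle cluster. The sample listing is constructed with placeholder names; the `check_live_keytab` helper is hypothetical and only runs `klist` on a real keytab.

```python
"""Check a `klist -kt` keytab listing against the host's expected identity."""
import re
import socket
import subprocess

# Constructed sample in the shape of the listing posted in the thread.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 08/07/12 12:51:03 host/ovm-c19-db.example.test@EXAMPLE.TEST
   1 08/07/12 12:51:03 host/ovm-c19-db.example.test@EXAMPLE.TEST
   1 08/07/12 12:51:03 host/ovm-c19-db.example.test@EXAMPLE.TEST
   1 08/07/12 12:51:03 host/ovm-c19-db.example.test@EXAMPLE.TEST
"""

# KVNO, a timestamp (2- or 4-digit year), then the principal. The header and
# separator lines do not match because they do not start with digits.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+(?P<principal>\S+)\s*$"
)


def parse_klist(text):
    """Return (kvno, principal) tuples in listing order."""
    return [(int(m.group("kvno")), m.group("principal"))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def split_principal(principal):
    """'host/fqdn@REALM' -> ('host', 'fqdn', 'REALM'); raises ValueError otherwise."""
    service, rest = principal.split("/", 1)
    instance, realm = rest.rsplit("@", 1)
    return service, instance, realm


def check_host_keytab(entries, fqdn, realm):
    """Return a list of problems; an empty list means the keytab looks right."""
    problems = []
    if not entries:
        return ["keytab has no entries"]
    for kvno, principal in entries:
        try:
            service, instance, prealm = split_principal(principal)
        except ValueError:
            problems.append("cannot parse principal %r" % principal)
            continue
        if service != "host":
            problems.append("%s is not a host/ principal" % principal)
        # DNS names are case-insensitive; Kerberos realm names are not.
        if instance.lower() != fqdn.lower():
            problems.append("%s does not match hostname %s" % (principal, fqdn))
        if prealm != realm:
            problems.append("%s is in realm %s, expected %s" % (principal, prealm, realm))
    kvnos = sorted({kvno for kvno, _ in entries})
    if len(kvnos) > 1:
        problems.append("mixed KVNOs %s: a stale or out-of-sync keytab copy" % kvnos)
    return problems


def check_live_keytab(path="/etc/krb5.keytab", fqdn=None, realm=None):
    """Hypothetical helper: run klist on a real keytab (reading it needs root)."""
    listing = subprocess.check_output(["klist", "-kt", path], universal_newlines=True)
    entries = parse_klist(listing)
    fqdn = fqdn or socket.getfqdn()
    # Default the realm to whatever the first entry claims if none was given.
    realm = realm or (split_principal(entries[0][1])[2] if entries else "")
    return check_host_keytab(entries, fqdn, realm)


if __name__ == "__main__":
    for problem in check_live_keytab() or ["keytab OK"]:
        print(problem)
```

A keytab whose principals carry the short hostname, or a realm other than the one the KDC serves, fails the same way Rob's client does: the KDC has no entry for the name the client presents, so the ldap_child GSSAPI bind cannot get a ticket.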
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
I just found these additional log file entries on my IPA server. vm-mapsdc2 is one of the domain controllers/DNS servers not associated with IPA other than being one of our authoritative DNS servers. Is something misconfigured in IPA on the server side?

    Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: NEEDED_PREAUTH: host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
    Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
    Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
    Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.domain@DOMAIN for ldap/vm-13thdc2.domain@DOMAIN, Server not found in Kerberos database
    Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: NEEDED_PREAUTH: host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
    Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
    Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
    Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.domain@DOMAIN for ldap/vm-mapsdc2.domain@DOMAIN, Server not found in Kerberos database
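Reading a krb5kdc log like the one above by hand gets tedious, so here is an added example (not code from the thread or from FreeIPA) that parses MIT krb5kdc `(info)` lines and separates the requests the KDC issued tickets for from the service principals it rejected with UNKNOWN_SERVER, i.e. tickets asked for a service the KDC holds no key for. Hostnames, realm and client address in the sample are constructed placeholders shaped like the posted lines, not the ones from the log.

```python
"""Summarise MIT krb5kdc log lines from an IPA server."""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the posted krb5kdc lines.
SAMPLE_KDC_LOG = """\
Aug 07 14:01:02 ipa.example.test krb5kdc[1180](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.60: NEEDED_PREAUTH: host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Aug 07 14:01:02 ipa.example.test krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Aug 07 14:01:02 ipa.example.test krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Aug 07 14:01:02 ipa.example.test krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.60: UNKNOWN_SERVER: authtime 0, host/client.example.test@EXAMPLE.TEST for ldap/dc2.example.test@EXAMPLE.TEST, Server not found in Kerberos database
"""

# One pattern for AS_REQ and TGS_REQ lines: request type, client address,
# outcome code, then "<client principal> for <server principal>". The lazy
# ".*?" skips the authtime/etypes noise that ISSUE lines carry.
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<addr>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): .*?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)"
)


def parse_kdc_log(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    return [m.groupdict() for m in map(KDC_RE.search, text.splitlines()) if m]


def status_counts(events):
    """Count outcomes per (client principal, request type, status)."""
    counts = Counter()
    for ev in events:
        counts[(ev["client"], ev["req"], ev["status"])] += 1
    return counts


def unknown_servers(events):
    """Map each client to the sorted service principals the KDC did not know."""
    rejected = defaultdict(set)
    for ev in events:
        if ev["status"] == "UNKNOWN_SERVER":
            rejected[ev["client"]].add(ev["server"])
    return {client: sorted(servers) for client, servers in rejected.items()}


def report(text):
    """Human-readable summary for a saved log."""
    events = parse_kdc_log(text)
    lines = ["%d KDC requests parsed" % len(events)]
    for (client, req, status), n in sorted(status_counts(events).items()):
        lines.append("  %-45s %-7s %-15s x%d" % (client, req, status, n))
    for client, servers in unknown_servers(events).items():
        for srv in servers:
            lines.append("UNKNOWN_SERVER: %s asked for %s" % (client, srv))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KDC_LOG
    print(report(log_text))
```

The useful signal in the posted log is the pair of UNKNOWN_SERVER lines: the client's AS_REQ and TGS_REQ for the krbtgt succeed, so enrolment and the host keytab are fine, and what fails is the client asking this KDC for an ldap/ ticket for hosts that are not IPA servers. Grouping rejections by requested service principal, as `unknown_servers` does, shows exactly which server names the client is being pointed at.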
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, Aug 7, 2012 at 4:48 PM, Rob Ogilvie r...@axpr.net wrote:
> I just found these additional log file entries on my IPA server. vm-mapsdc2 is one of the domain controllers/DNS servers not associated with IPA other than being one of our authoritative DNS servers. Is something misconfigured in IPA on the server side?

It's hard to tell with the obfuscation, but is your DOMAIN the same as the one handled by the domain controller vm-mapsdc2? You can only have one Kerberos realm named DOMAIN. For example, if you have the Windows domain/Kerb realm MYCOMPANY.COM, you will not be able to have it coexist with an IPA server controlling the realm MYCOMPANY.COM. If it's an old-school NT type domain you should be OK, but if it's Active Directory (which uses Kerberos) you can't do it.

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6