Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?
On Wed, Apr 03, 2013 at 06:25:54PM -0400, Dmitri Pal wrote:

On 04/02/2013 01:57 AM, pekka.pan...@sofor.fi wrote:

From: Dmitri Pal d...@redhat.com

I also want my AD users (from the IPA trust) to log in through ssh, but AFAIK this seems to have an older SSSD version, and the same configuration options that work with the CentOS 6 ipa-client won't work with CentOS 5. So what should I modify so that AD trust users from IPA can log in to my CentOS 5 machine? Is there a newer SSSD daemon available for CentOS 5?

No, it is not, and it would be quite hard to build it, I think. You'd need a pretty recent version of Kerberos to support the PAC responder that handles users coming via trusts, for instance.

Yes, this is quite a problem with the current solution. Are there any guides for RHEL 5.x/CentOS 5.x when using IPA and that same system also needs AD user logins enabled? Should we just enable some PAM module and all works if SSSD/IPA is also used?

You would need to backport 1.9 to RHEL 5/CentOS 5. AFAIR you can still build those for RHEL5 (I mean 1.9 can still be built on RHEL5), but you also need to build all the dependencies (samba, kerberos etc.), and those would be quite a challenge. Ping jhrozek on #sssd on freenode if you need more details, but it is a big endeavor, so be prepared for a tough journey.

You can build the core SSSD with no problems and you'll get the fast cache, AD provider and other improvements, but the PAC responder needed for trusts needs the latest Kerberos (1.10+) and, unless I'm wrong, also samba4. You'd have to compile these yourself.

But we are looking for some ways to mitigate that. Question for you about the older systems: What would you prefer: those systems pointing to IPA and IPA having a way to serve account and authentication, or pointing them directly to AD? Do you require Kerberos authentication and SSO from those machines, or is simple LDAP authentication OK? Do you have a requirement for all the authentications to actually happen in AD for audit purposes, or can they happen in IPA when users come from the old clients and in AD with trusts when users access newer clients?

Thanks for the input!
Dmitri

For me, it would be good if all comes from (through) IPA, but that's not a requirement for me.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] ipa-replica-install errors
Hello,

I'm trying to set up a replica server with ipa-2.2.0-16 on both the Server and the Replica Server. Here are the steps I ran (from the Red Hat 6.3 IdM Administration Guide):

IPA_Server:

  ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
  scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

IPA_Replica:

  ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg

Below is the error I am getting when running ipa-replica-install:

  Directory Manager (existing master) password:
  Run connection check to master
  Check connection from replica to remote master 'IPA_Server.domain.ca':
     Directory Service: Unsecure port (389): OK
     Directory Service: Secure port (636): OK
     Kerberos KDC: TCP (88): OK
     Kerberos Kpasswd: TCP (464): OK
     HTTP Server: Unsecure port (80): OK
     HTTP Server: Secure port (443): OK
     PKI-CA: Directory Service port (7389): OK
  The following list of ports use UDP protocol and would need to be checked manually:
     Kerberos KDC: UDP (88): SKIPPED
     Kerberos Kpasswd: UDP (464): SKIPPED
  Connection from replica to master is OK.
  Start listening on required ports for remote master check
  Get credentials to log in to remote master
  ad...@domain.ca password:
  Execute check on remote master
  Check connection from master to remote replica 'IPA_Replica.domain.ca':
     Directory Service: Unsecure port (389): OK
     Directory Service: Secure port (636): OK
     Kerberos KDC: TCP (88): OK
     Kerberos KDC: UDP (88): OK
     Kerberos Kpasswd: TCP (464): OK
     Kerberos Kpasswd: UDP (464): OK
     HTTP Server: Unsecure port (80): OK
     HTTP Server: Secure port (443): OK
     PKI-CA: Directory Service port (7389): OK
  Connection from master to replica is OK.
  Connection check OK
  Configuring ntpd
    [1/4]: stopping ntpd
    [2/4]: writing configuration
    [3/4]: configuring ntpd to start on boot
    [4/4]: starting ntpd
  done configuring ntpd.
  Configuring directory server for the CA: Estimated time 30 seconds
    [1/3]: creating directory server user
    [2/3]: creating directory server instance
    [3/3]: restarting directory server
  done configuring pkids.
  Configuring certificate server: Estimated time 3 minutes 30 seconds
    [1/13]: creating certificate server user
    [2/13]: creating pki-ca instance
    [3/13]: configuring certificate server instance
    [4/13]: disabling nonces
    [5/13]: creating RA agent certificate database
    [6/13]: importing CA chain to RA certificate database
    [7/13]: fixing RA database permissions
    [8/13]: setting up signing cert profile
    [9/13]: set up CRL publishing
    [10/13]: set certificate subject base
    [11/13]: enabling Subject Key Identifier
    [12/13]: configuring certificate server to start on boot
    [13/13]: Configure HTTP to proxy connections
  done configuring pki-cad.
  Restarting the directory and certificate servers
  Configuring directory server: Estimated time 1 minute
    [1/30]: creating directory server user
    [2/30]: creating directory server instance
    [3/30]: adding default schema
    [4/30]: enabling memberof plugin
    [5/30]: enabling referential integrity plugin
    [6/30]: enabling winsync plugin
    [7/30]: configuring replication version plugin
    [8/30]: enabling IPA enrollment plugin
    [9/30]: enabling ldapi
    [10/30]: configuring uniqueness plugin
    [11/30]: configuring uuid plugin
    [12/30]: configuring modrdn plugin
    [13/30]: enabling entryUSN plugin
    [14/30]: configuring lockout plugin
    [15/30]: creating indices
    [16/30]: configuring ssl for ds instance
    [17/30]: configuring certmap.conf
    [18/30]: configure autobind for root
    [19/30]: configure new location for managed entries
    [20/30]: restarting directory server
    [21/30]: setting up initial replication
  Starting replication, please wait until this has completed.
  [IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
  creation of replica failed: Failed to start replication

Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error:

  NSMMReplicationPlugin - agmt=cn=metoIPA_Server.domain.ca (ipa_server:389): Replica has a different generation ID than the local data.

Any thoughts or ideas on this issue? Searching Google I don't see anyone getting the Status: -11 - System Error.

Thanks,
Matt
[Freeipa-users] Shadow/Unix Password Import/Migrate
Hello,

I am setting up an IPA server for all our Linux machines, mostly CentOS 5/6. As of now all user shadow passwords are managed by puppet. And as part of moving to IPA I could not find a way to import all passwords to IPA without forcing users to reset the password.

Thanks
Chandan
-- 
http://about.me/chandank
[Freeipa-users] NIS Compat Password Issues
Hello,

I'm having issues with trying to log in to our NIS clients that are looking at IPA as a NIS server. The NIS client can view all of the usernames when I do a ypcat passwd, but when I try to log in with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing. I don't see anything NIS related in the error logs on the IPA server.

Can someone point me in the right direction for this?

Thanks,
Matt
Re: [Freeipa-users] Shadow/Unix Password Import/Migrate
Chandan Kumar wrote:
> Hello,
>
> I am setting up an IPA server for all our Linux machines, mostly CentOS 5/6. As of now all user shadow passwords are managed by puppet. And as part of moving to IPA I could not find a way to import all passwords to IPA without forcing users to reset the password.

To close the loop on this, we discussed this in #freeipa and if you enable migration mode and set the password using the hash and {CRYPT} then it should work fine. Something like:

  ipa user-add --first=Tim --last=User --setattr userPassword={CRYPT}hash tim_user

rob
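As an added example that is not from the thread, the following script turns shadow(5) entries into the `ipa user-add --setattr userPassword={CRYPT}...` commands Rob describes, skipping locked and no-login accounts so only real crypt(3) hashes are carried over. It assumes migration mode has been enabled on the server beforehand (`ipa config-mod --enable-migration=TRUE`) and fills the first name, which shadow(5) does not carry, with the login name as a placeholder; the sample entries and their hashes are constructed.

```shell
#!/bin/sh
# Added example, not from the list thread: emit one "ipa user-add" per
# migratable shadow(5) entry so existing crypt(3) hashes move into IPA
# (migration mode) without forcing a password reset.
# Assumes: migration mode already enabled; first name taken from the
# login as a placeholder because shadow(5) has no name fields.

# Constructed sample shadow entries; the hashes are placeholders, not real.
SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERROOTHASH:15800:0:99999:7:::
tim:$6$abcdefgh$PLACEHOLDERTIMHASH:15800:0:99999:7:::
alice:$1$xyz$PLACEHOLDERMD5HASH:15800:0:99999:7:::
locked:!$6$abcdefgh$PLACEHOLDERLOCKEDHASH:15800:0:99999:7:::
svc:*:15800:0:99999:7:::
nopass::15800:0:99999:7:::'

# Read shadow lines on stdin, print one "ipa user-add" per migratable entry.
# Migratable means: a crypt(3) string ($1$, $5$ or $6$), not locked ("!"),
# not a no-login marker ("*", "!!", empty), and not the root account.
shadow_to_ipa() {
  while IFS=: read -r login hash _rest; do
    [ -n "$login" ] || continue
    case "$login" in root) continue ;; esac
    case "$hash" in
      '$'[156]'$'*) ;;      # $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512)
      *) continue ;;        # "*", "!", "!!", "!$6$..." (locked), empty: skip
    esac
    # Single-quote the hash so the shell never expands the $id$salt$ fields
    # when the generated command is pasted or run.
    printf "ipa user-add --first=%s --last=User --setattr userPassword='{CRYPT}%s' %s\n" \
      "$login" "$hash" "$login"
  done
}

# Dry-run helper: how many entries of a shadow file would be migrated.
count_migratable() {
  printf '%s\n' "$1" | shadow_to_ipa | wc -l | tr -d ' '
}

# Usage: review the generated commands before running them against IPA.
# printf '%s\n' "$SAMPLE_SHADOW" | shadow_to_ipa
```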
Re: [Freeipa-users] NIS Compat Password Issues
Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm having issues with trying to log in to our NIS clients that are looking at IPA as a "NIS" server. The NIS client can view all of the usernames when I do a ypcat passwd, but when I try to log in with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing. I don't see anything NIS related in the error logs on the IPA server.
>
> Can someone point me in the right direction for this?

What does your nsswitch.conf look like?

Note that IPA does not provide the shadow map (because it sends hashes in the clear).

rob
[Freeipa-users] Issues after setup
Hi,

I have configured an ipa-server, replica and client. In the GUI I can see that all hosts are in the hosts list. I have created a single user as well and attached that user to the client. When trying to log in as the user to the client, I see this in the secure.log:

  fatal: Access denied for user username by PAM account configuration.

Any suggestions on steps to troubleshoot this?

Thanks
-- 
- Shawn Taaj
[Freeipa-users] Replication Issue
Ok, I have done as Steven Jones requested... here is the output from the replica. I am able to kinit to admin using the password.

Issuing the ipa-replica-manage command on the replica for the replica:

  replcia.mydomain.com: replica
    last init status: None
    last init ended: None
    last update status: -2 - System error
    last update ended: None

Same command but for the master:

  Failed to get data from 'master.example.com': {'info': SASL (-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'}

I can ping, telnet on all the IPA ports and ssh to the main server from the replica. So... I'm confused.

Also on a whim, I was able to add a server to the replica and that host info did make it to the master.

-- 
Brent S. Clark
Re: [Freeipa-users] Issues after setup
I am able to log in to my replica and master with users no problem, just having issues with clients.

On Thu, Apr 4, 2013 at 3:27 PM, Shawn taaj.sh...@gmail.com wrote:
> [...]
> fatal: Access denied for user username by PAM account configuration.
> [...]

-- 
- Shawn Taaj
Re: [Freeipa-users] Replication Issue
Brent Clark wrote:
> Ok, I have done as Steven Jones requested... here is the output from the replica. I am able to kinit to admin using the password.
>
> Issuing the ipa-replica-manage command on the replica for the replica:
>
>   replcia.mydomain.com: replica
>     last init status: None
>     last init ended: None
>     last update status: -2 - System error
>     last update ended: None
>
> Same command but for the master:
>
>   Failed to get data from 'master.example.com': {'info': SASL (-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'}
>
> I can ping, telnet on all the IPA ports and ssh to the main server from the replica. So... I'm confused.
>
> Also on a whim, I was able to add a server to the replica and that host info did make it to the master.

Sounds like a DNS issue. Make sure forward and reverse DNS works for master.example.com.

rob
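The forward/reverse check Rob asks for, as an added example that is not part of the thread: the GSSAPI error above is what Kerberos reports when the peer's address cannot be turned back into a host name, so the script verifies that name -> address -> name round-trips for each end of the agreement. It assumes getent(1) is available; the host names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the list thread: check that a host's forward
# record and the PTR for its address agree, which is what Kerberos/GSSAPI
# needs to build a ldap/<fqdn>@REALM principal instead of failing with
# "Cannot determine realm for numeric host address".
# Assumes getent(1); host names passed in are operator-supplied.

# Forward-resolve a host name; prints the first address or nothing.
forward_lookup() {
  getent hosts "$1" | awk 'NR == 1 { print $1 }'
}

# Reverse-resolve an address; prints the canonical name or nothing.
reverse_lookup() {
  getent hosts "$1" | awk 'NR == 1 { print $2 }'
}

# Lower-case and strip a trailing dot so names compare as DNS does.
normalize_name() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Returns 0 when name -> address -> name is consistent, 1 otherwise,
# printing a one-line verdict for the operator.
check_fwd_rev() {
  name=$1
  addr=$(forward_lookup "$name")
  if [ -z "$addr" ]; then
    echo "FAIL $name: no forward (A/AAAA) record"
    return 1
  fi
  rname=$(reverse_lookup "$addr")
  if [ -z "$rname" ]; then
    echo "FAIL $name -> $addr: no PTR record (Kerberos only sees a numeric host)"
    return 1
  fi
  if [ "$(normalize_name "$name")" != "$(normalize_name "$rname")" ]; then
    echo "FAIL $name -> $addr -> $rname: PTR does not match the forward name"
    return 1
  fi
  echo "OK   $name -> $addr -> $rname"
}

# Usage: run on the replica for both ends of the replication agreement
# (placeholder names):
# check_fwd_rev master.example.com && check_fwd_rev replica.example.com
```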
Re: [Freeipa-users] Issues after setup
Shawn wrote:
> Hi,
>
> I have configured an ipa-server, replica and client. In the GUI I can see that all hosts are in the hosts list. I have created a single user as well and attached that user to the client. When trying to log in as the user to the client, I see this in the secure.log:
>
>   fatal: Access denied for user username by PAM account configuration.

Did you disable or remove the default allow_all HBAC rule?

rob
Re: [Freeipa-users] ipa-replica-install errors
On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm trying to set up a replica server with ipa-2.2.0-16 on both the Server and the Replica Server. Here are the steps I ran (from the Red Hat 6.3 IdM Administration Guide):
>
> IPA_Server:
>
>   ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
>   scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
>
> IPA_Replica:
>
>   ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
>
> Below is the error I am getting when running ipa-replica-install:
> [...]
>     [21/30]: setting up initial replication
>   Starting replication, please wait until this has completed.
>   [IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
>   creation of replica failed: Failed to start replication
>
> Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error:
>
>   NSMMReplicationPlugin - agmt=cn=metoIPA_Server.domain.ca (ipa_server:389): Replica has a different generation ID than the local data.

This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.

> Any thoughts or ideas on this issue? Searching Google I don't see anyone getting the Status: -11 - System Error.

There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as System Error. The -11 is a connection error. Here is how it is defined in /usr/include/ldap.h:

  #define LDAP_CONNECT_ERROR (-11)

It sounds like this connection error is occurring
Re: [Freeipa-users] Issues after setup
On Thu, Apr 04, 2013 at 03:27:37PM -0400, Shawn wrote:
> [...]
> When trying to log in as the user to the client, I see this in the secure.log:
>
>   fatal: Access denied for user username by PAM account configuration.
>
> Any suggestions on steps to troubleshoot this?

Hi Shawn,

I would start with checking the HBAC rules using the ipa hbactest command.

  $ ipa hbactest --help

might get you started.
Re: [Freeipa-users] Issues after setup
Run an hbactest:

  ipa hbactest --user=youruser --host=fqdn.of.host --service=sshd

Make sure that works; if it does, then you can move on to troubleshooting the host itself.

On Thu, Apr 4, 2013 at 2:27 PM, Shawn taaj.sh...@gmail.com wrote:
> [...]
> fatal: Access denied for user username by PAM account configuration.
> [...]