Re: [Freeipa-users] IPA Query Tuning and a Recovery Question
Hi

Update on the errors

kinit charlesd
kinit: Generic error (see e-text) while getting initial credentials

krb5kdc.log - LOOKING_UP_CLIENT: charl...@example.com for krbtg/ example@example.com, Server Error

Starting the IPA service (dirsrv in particular) gives

Failed to read data from Directory Service: Failed to get list of services to probe status!
Configured hostname 'ipa3.example.com' doesn't match any master server in LDAP: No master found because of error: {'matched': dc=example,dc=com', 'desc': 'No such object'}
Shutting down

The errors log has a load of different services (schema-compat-plugin, dna-plugin, ipalockout_preop/postop) all complaining in one way or another about being unable to retrieve entries or no entries being set up.

Cheers,
Charlie

On Fri, Sep 13, 2013 at 2:49 PM, Rich Megginson rmegg...@redhat.com wrote:

On 09/12/2013 08:04 PM, Charlie Derwent wrote:

On Mon, Sep 9, 2013 at 5:32 PM, Rich Megginson rmegg...@redhat.com wrote:

On 09/09/2013 10:20 AM, Charlie Derwent wrote:

Hi,

2 questions, some of our automation accounts are needlessly querying the IPA server every time they call a command via sudo. This is generating a lot of noise in our access logs. Is there any way to ensure certain system accounts don't call out to the IPA server for additional groups or sudo permission when completing tasks?

What are your client platforms? Does sssd or newer versions of sudo cache?

The other question is slightly more embarrassing, one of our guys saw /var filling and noticed that /var/lib/dirsrv/slapd-EXAMPLE-COM/db/ had a load of log files which looked like they weren't being tidied.

They are automatically cleaned up. If you have a lot of updates, it may take longer.

One stupid decision later and I'm now here asking on his behalf if there is any way of restoring the database from a replica or is a complete rebuild required?

Just reinit the replica using ipa-replica-manage.

I just tried to reinit the replica but I'm getting an error about failure to connect to LDAP server. I'm guessing that's because it's impossible for me to kinit on the server now given the state of the DB.

It depends. What error? Can you provide the exact error message and/or excerpts from /var/log/dirsrv/slapd-DOMAIN-COM/errors?

Second question is obviously a little bit more urgent than the first but any advice is greatly appreciated.

Thanks,
Charlie

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Elliptic curves with the CA
Hello all,

Is it possible to set up FreeIPA's CA to use ECC cryptographic methods (ECDSA & co) instead of RSA? That includes generating ECC CA certificates, and so on. I don't think I was given any option towards this in the default installation process. Would appreciate instructions and/or pointers towards this.

Also, can the default generated RSA CA be switched later to ECC/ECDSA?

Why doesn't the CA allow cross-signing (RSA/ECDSA hybrid keychains) certificates? It seems to validate the types, although it is not strictly forbidden as cryptographic practice (mostly just inconvenient, but it's legal). I gave the CA an ECC CSR (generated by OpenSSL on one of the servers), and to my amazement it failed to sign it properly, complaining about the type not being RSA.
Re: [Freeipa-users] Incorrect user information
On Sat, Sep 14, 2013 at 01:11:36PM -0400, Brian Lindblom wrote:

Of course, I would imagine that since the GECOS field is set upon account creation based on the values provided for first and last name, and since GECOS is not a provided field in the UI for user attributes, that GECOS should be updated automatically to reflect those changes. Bug perhaps?

You're right, I didn't realize that the reporter was modifying first and last name separately, I was under the assumption he had modified GECOS. Thanks for pointing that out.
[Freeipa-users] remove me from list
please remove tainswo...@vsi-corp.com from the distro email list.

Thanks,
Tom Ainsworth
Re: [Freeipa-users] remove me from list
On 09/16/2013 12:43 PM, Ainsworth, Thomas wrote:

please remove tainswo...@vsi-corp.com from the distro email list.

Thanks,
Tom Ainsworth

Hello,

This list is managed by Mailman. You can unsubscribe yourself at https://www.redhat.com/mailman/listinfo/freeipa-users (bottom of the page), or by sending an e-mail to freeipa-users-le...@redhat.com

--
Petr³
Re: [Freeipa-users] Date of last access attribute
Dmitri Pal wrote:

On 09/13/2013 01:46 PM, Rob Crittenden wrote:

Simo Sorce wrote:

On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:

Dmitri Pal wrote:

On 09/13/2013 05:16 AM, Marina Moreda wrote:

Hi all,

I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?

Thanks so much.

I think there are some operational, i.e. meta attributes that store information when some attribute was last modified, so if there is a way to associate mail activity with a modification of some user attribute then you can check the time stamp of this modification rather than create a separate attribute. With a new attribute the question comes: who, when and how updates it and whether the software you have is capable of doing it? Maybe software already updates something on every activity for the account and if this is the case then operational attributes would help.

There is no mail-specific activity attribute. I think about the closest you could get is last successful Kerberos authentication (krblastsuccessfulauth), but again this isn't specific to mail activity (unless that is all the users can do). Note too that this attribute is by default not replicated so if you have several IPA masters you'd need to check them all.

This attribute is not updated on LDAP binds. Rob, should we open a ticket to update this for plain text binds too?

Simo.

That's an interesting question. The attribute has krb in it which suggests a kerberos authentication, so I wonder if this would cause other confusion.

Wasn't there an intent not to update data on a successful auth? Only on a failure or first time after a failure to clear the counts?

It certainly seems like an argument I'd make, but I don't recall specifically.

rob
Re: [Freeipa-users] Date of last access attribute
On Mon, 2013-09-16 at 08:44 -0400, Rob Crittenden wrote:

Dmitri Pal wrote:

On 09/13/2013 01:46 PM, Rob Crittenden wrote:

Simo Sorce wrote:

On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:

Dmitri Pal wrote:

On 09/13/2013 05:16 AM, Marina Moreda wrote:

Hi all,

I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?

Thanks so much.

I think there are some operational, i.e. meta attributes that store information when some attribute was last modified, so if there is a way to associate mail activity with a modification of some user attribute then you can check the time stamp of this modification rather than create a separate attribute. With a new attribute the question comes: who, when and how updates it and whether the software you have is capable of doing it? Maybe software already updates something on every activity for the account and if this is the case then operational attributes would help.

There is no mail-specific activity attribute. I think about the closest you could get is last successful Kerberos authentication (krblastsuccessfulauth), but again this isn't specific to mail activity (unless that is all the users can do). Note too that this attribute is by default not replicated so if you have several IPA masters you'd need to check them all.

This attribute is not updated on LDAP binds. Rob, should we open a ticket to update this for plain text binds too?

Simo.

That's an interesting question. The attribute has krb in it which suggests a kerberos authentication, so I wonder if this would cause other confusion.

Wasn't there an intent not to update data on a successful auth? Only on a failure or first time after a failure to clear the counts?

It certainly seems like an argument I'd make, but I don't recall specifically.

No, we need to update as it is used to unlock auto-locked accounts. What we decided on was to not propagate any of these operations via replication to avoid huge churn across all of the enterprise.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
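Rob's caveat above (krbLastSuccessfulAuth is not replicated, so every master has to be checked) and Simo's note that LDAP binds do not update it are the two things a "last seen" report has to account for. The script below is an added example, not code from the thread or from FreeIPA. It takes the LDIF that an ldapsearch for uid and krbLastSuccessfulAuth returns from each master (for instance `ldapsearch -Y GSSAPI -H ldap://ipa1.example.com -b cn=users,cn=accounts,dc=example,dc=com '(objectClass=krbprincipalaux)' uid krbLastSuccessfulAuth`, run once per master), keeps the newest value per user across all masters, and lists the users with no Kerberos authentication anywhere since a cutoff. The master names and the LDIF are constructed for the example; users who only ever authenticate with an LDAP simple bind will show up as never seen, exactly because the attribute is not updated on binds.

```python
"""Reconcile krbLastSuccessfulAuth across IPA masters.

The attribute is not replicated, so each master only records the Kerberos
authentications it served itself; the real "last seen" time for a user is
the newest value across all masters.  Input is one LDIF dump per master.
The master names and the LDIF below are constructed for this example."""
from datetime import datetime, timezone

SAMPLE_LDIF = {
    "ipa1.example.com": """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbLastSuccessfulAuth: 20130910081500Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
krbLastSuccessfulAuth: 20130601120000Z
""",
    "ipa2.example.com": """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbLastSuccessfulAuth: 20130915171203Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbLastSuccessfulAuth: 20130914090000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
""",
}


def parse_generalized_time(value):
    """LDAP GeneralizedTime as IPA writes it (YYYYmmddHHMMSSZ) -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ldif(text):
    """Yield (uid, last_auth_or_None) per entry.  Only single-line, non-base64
    values are handled, which is all ldapsearch emits for these two attributes."""
    uid, last = None, None
    for line in text.splitlines() + [""]:
        if not line.strip():  # a blank line ends an entry
            if uid is not None:
                yield uid, last
            uid, last = None, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "uid":
            uid = value
        elif name == "krblastsuccessfulauth":
            last = parse_generalized_time(value)


def newest_auth(ldif_by_master):
    """{uid: (newest datetime or None, master that recorded it or None)}."""
    result = {}
    for master, text in ldif_by_master.items():
        for uid, last in parse_ldif(text):
            current = result.setdefault(uid, (None, None))
            if last is not None and (current[0] is None or last > current[0]):
                result[uid] = (last, master)
    return result


def inactive_since(ldif_by_master, cutoff_generalized_time):
    """uids with no successful Kerberos auth on any master since the cutoff
    (a GeneralizedTime string), including users never seen anywhere."""
    cutoff = parse_generalized_time(cutoff_generalized_time)
    return sorted(uid for uid, (last, _) in newest_auth(ldif_by_master).items()
                  if last is None or last < cutoff)


if __name__ == "__main__":
    for uid, (last, master) in sorted(newest_auth(SAMPLE_LDIF).items()):
        seen = last.isoformat() if last else "never"
        print(f"{uid:10s} {seen:25s} {master or '-'}")
    print("inactive since 2013-09-01:", inactive_since(SAMPLE_LDIF, "20130901000000Z"))
```

Looking at a single master would report alice as last seen on 10 September and bob as never seen; only the merge across masters gives the right answer for both.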
Re: [Freeipa-users] IPA Query Tuning and a Recovery Question
On 09/16/2013 03:21 AM, Charlie Derwent wrote:

Hi

Update on the errors

kinit charlesd
kinit: Generic error (see e-text) while getting initial credentials

krb5kdc.log - LOOKING_UP_CLIENT: charl...@example.com for krbtg/example@example.com, Server Error

Starting the IPA service (dirsrv in particular) gives

Failed to read data from Directory Service: Failed to get list of services to probe status!
Configured hostname 'ipa3.example.com' doesn't match any master server in LDAP: No master found because of error: {'matched': dc=example,dc=com', 'desc': 'No such object'}
Shutting down

The errors log has a load of different services (schema-compat-plugin, dna-plugin, ipalockout_preop/postop) all complaining in one way or another about being unable to retrieve entries or no entries being set up.

I think you'll have to use the workaround where you change replication to use simple bind in order to initialize the consumer, then switch back to sasl/gssapi. Simo/Rob - which ticket was this? Does freeipa.org have the workaround?

Cheers,
Charlie

On Fri, Sep 13, 2013 at 2:49 PM, Rich Megginson rmegg...@redhat.com wrote:

On 09/12/2013 08:04 PM, Charlie Derwent wrote:

On Mon, Sep 9, 2013 at 5:32 PM, Rich Megginson rmegg...@redhat.com wrote:

On 09/09/2013 10:20 AM, Charlie Derwent wrote:

Hi,

2 questions, some of our automation accounts are needlessly querying the IPA server every time they call a command via sudo. This is generating a lot of noise in our access logs. Is there any way to ensure certain system accounts don't call out to the IPA server for additional groups or sudo permission when completing tasks?

What are your client platforms? Does sssd or newer versions of sudo cache?

The other question is slightly more embarrassing, one of our guys saw /var filling and noticed that /var/lib/dirsrv/slapd-EXAMPLE-COM/db/ had a load of log files which looked like they weren't being tidied.

They are automatically cleaned up. If you have a lot of updates, it may take longer.

One stupid decision later and I'm now here asking on his behalf if there is any way of restoring the database from a replica or is a complete rebuild required?

Just reinit the replica using ipa-replica-manage.

I just tried to reinit the replica but I'm getting an error about failure to connect to LDAP server. I'm guessing that's because it's impossible for me to kinit on the server now given the state of the DB.

It depends. What error? Can you provide the exact error message and/or excerpts from /var/log/dirsrv/slapd-DOMAIN-COM/errors?

Second question is obviously a little bit more urgent than the first but any advice is greatly appreciated.

Thanks,
Charlie
Re: [Freeipa-users] Incorrect user information
Brian, Simo and Jakub,

Thanks so much for your help. I will create a ticket for this problem.

Thanks!

On 09/16/2013 05:31 AM, Jakub Hrozek wrote:

On Sat, Sep 14, 2013 at 01:11:36PM -0400, Brian Lindblom wrote:

Of course, I would imagine that since the GECOS field is set upon account creation based on the values provided for first and last name, and since GECOS is not a provided field in the UI for user attributes, that GECOS should be updated automatically to reflect those changes. Bug perhaps?

You're right, I didn't realize that the reporter was modifying first and last name separately, I was under the assumption he had modified GECOS. Thanks for pointing that out.
Re: [Freeipa-users] IPA Query Tuning and a Recovery Question
Rich Megginson wrote:

On 09/16/2013 03:21 AM, Charlie Derwent wrote:

Hi

Update on the errors

kinit charlesd
kinit: Generic error (see e-text) while getting initial credentials

krb5kdc.log - LOOKING_UP_CLIENT: charl...@example.com for krbtg/example@example.com, Server Error

Starting the IPA service (dirsrv in particular) gives

Failed to read data from Directory Service: Failed to get list of services to probe status!
Configured hostname 'ipa3.example.com' doesn't match any master server in LDAP: No master found because of error: {'matched': dc=example,dc=com', 'desc': 'No such object'}
Shutting down

The errors log has a load of different services (schema-compat-plugin, dna-plugin, ipalockout_preop/postop) all complaining in one way or another about being unable to retrieve entries or no entries being set up.

I think you'll have to use the workaround where you change replication to use simple bind in order to initialize the consumer, then switch back to sasl/gssapi. Simo/Rob - which ticket was this? Does freeipa.org have the workaround?

http://freeipa.org/page/TroubleshootingGuide#Replica_Re-Initialization

rob
[Freeipa-users] Timeout (?) issues
Yet another AIX related problem:

The AIX LDAP client is called secldapclntd (sure, they could make it more awkward, but the budget ran out.) I'm running into the issue detailed here:

http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344

If an LDAP server fails to answer an LDAP query, secldapclntd caches the non-answered query negatively. This may happen if the LDAP server is down for example. After the LDAP server is back again secldapclntd will use the negative cache entry and the application initiating the original query will still fail until the cache entry expires.

IBM is working on porting the fix to our specific TL and SP levels. What I'm concerned with here, though, is *why* is it timing out? I don't know what the current timeout values are (AIX sucks, etc.) I don't see timeout issues on my Linux boxes, which leads me to believe that either the sssd timeouts are longer or that sssd is just more robust when dealing with timeouts.

I believe I'm seeing similar behavior with LDAP sudo on AIX as well, because I occasionally have to re-run sudo commands because they initially fail (and I know I'm using the right passwords.) However, sudo doesn't appear to have a cache (or it handles caching better.)

Does anyone have any troubleshooting suggestions? Any general "speed things up" suggestions on the IPA side?

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
[Freeipa-users] IE or Firefox Apache Kerberos authentication
Hi list,

Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client & server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not).

Many thanks for any hints.

Ondrej
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
Thanks,

Is the article about http principals for apache still relevant? I would guess that with gss-proxy (F19) it is much simpler.

Ondrej

Sent from Samsung Mobile

Original message
From: Christian Horn ch...@fluxcoil.net
Date:
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication

Hi,

On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote:

Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client & server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not)

Not aware of an includes-all guide, but would start here:

- adding the HTTP service principal:
  https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd
  http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry
- when you host multiple kerberized sites on the server (access requires a Red Hat subscription):
  https://access.redhat.com/site/solutions/206623
- apache side config:
  http://modauthkerb.sourceforge.net/configure.html
- firefox client side config:
  http://www.grolmsnet.de/kerbtut/firefox.html

Christian
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
On Mon, 2013-09-16 at 18:35 +, Ondrej Valousek wrote:

Thanks,

I hoped that with gssproxy I could use a single central /etc/krb5.keytab (with all necessary principals) for nfs, apache, dhcpd,... and not worry about file permissions. The beauty would be saved work with copying principals to separate files. Is it true?

Yes, you can keep the principal's keys wherever you want with gssproxy, although I would personally still use separate keytabs for ease of management should you need to change just one set of keys.

Simo.

Ondrej

Sent from Samsung Mobile

Original message
From: Simo Sorce s...@redhat.com
Date:
To: Ondrej Valousek ovalou...@vendavo.com
Cc: ch...@fluxcoil.net, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication

On Mon, 2013-09-16 at 17:04 +, Ondrej Valousek wrote:

Thanks,

Is the article about http principals for apache still relevant? I would guess that with gss-proxy (F19) it is much simpler.

You still need a principal and a keytab, yes. Here are instructions if you want to use it with GSS-Proxy:
https://fedorahosted.org/gss-proxy/wiki/Apache

HTH,
Simo.

Ondrej

Sent from Samsung Mobile

Original message
From: Christian Horn ch...@fluxcoil.net
Date:
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication

Hi,

On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote:

Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client & server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not)

Not aware of an includes-all guide, but would start here:

- adding the HTTP service principal:
  https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd
  http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry
- when you host multiple kerberized sites on the server (access requires a Red Hat subscription):
  https://access.redhat.com/site/solutions/206623
- apache side config:
  http://modauthkerb.sourceforge.net/configure.html
- firefox client side config:
  http://www.grolmsnet.de/kerbtut/firefox.html

Christian

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
Thanks,

I hoped that with gssproxy I could use a single central /etc/krb5.keytab (with all necessary principals) for nfs, apache, dhcpd,... and not worry about file permissions. The beauty would be saved work with copying principals to separate files. Is it true?

Ondrej

Sent from Samsung Mobile

Original message
From: Simo Sorce s...@redhat.com
Date:
To: Ondrej Valousek ovalou...@vendavo.com
Cc: ch...@fluxcoil.net, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication

On Mon, 2013-09-16 at 17:04 +, Ondrej Valousek wrote:

Thanks,

Is the article about http principals for apache still relevant? I would guess that with gss-proxy (F19) it is much simpler.

You still need a principal and a keytab, yes. Here are instructions if you want to use it with GSS-Proxy:
https://fedorahosted.org/gss-proxy/wiki/Apache

HTH,
Simo.

Ondrej

Sent from Samsung Mobile

Original message
From: Christian Horn ch...@fluxcoil.net
Date:
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication

Hi,

On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote:

Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client & server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not)

Not aware of an includes-all guide, but would start here:

- adding the HTTP service principal:
  https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd
  http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry
- when you host multiple kerberized sites on the server (access requires a Red Hat subscription):
  https://access.redhat.com/site/solutions/206623
- apache side config:
  http://modauthkerb.sourceforge.net/configure.html
- firefox client side config:
  http://www.grolmsnet.de/kerbtut/firefox.html

Christian

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
On Mon, 2013-09-16 at 17:04 +, Ondrej Valousek wrote:

Thanks,

Is the article about http principals for apache still relevant? I would guess that with gss-proxy (F19) it is much simpler.

You still need a principal and a keytab, yes. Here are instructions if you want to use it with GSS-Proxy:
https://fedorahosted.org/gss-proxy/wiki/Apache

HTH,
Simo.

Ondrej

Sent from Samsung Mobile

Original message
From: Christian Horn ch...@fluxcoil.net
Date:
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication

Hi,

On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote:

Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client & server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not)

Not aware of an includes-all guide, but would start here:

- adding the HTTP service principal:
  https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd
  http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry
- when you host multiple kerberized sites on the server (access requires a Red Hat subscription):
  https://access.redhat.com/site/solutions/206623
- apache side config:
  http://modauthkerb.sourceforge.net/configure.html
- firefox client side config:
  http://www.grolmsnet.de/kerbtut/firefox.html

Christian

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Elliptic curves with the CA
On Mon, 2013-09-16 at 13:05 +0300, mees virk wrote:

Hello all,

Is it possible to set up FreeIPA's CA to use ECC cryptographic methods (ECDSA & co) instead of RSA? That includes generating ECC CA certificates, and so on.

At the moment our code (dogtag and nss) does not support ECC crypto. I will let Dogtag developers chime in for when they plan to introduce ECC based crypto in the codebase.

Simo.

I don't think I was given any option towards this in the default installation process. Would appreciate instructions and/or pointers towards this.

Also, can the default generated RSA CA be switched later to ECC/ECDSA?

Why doesn't the CA allow cross-signing (RSA/ECDSA hybrid keychains) certificates? It seems to validate the types, although it is not strictly forbidden as cryptographic practice (mostly just inconvenient, but it's legal). I gave the CA an ECC CSR (generated by OpenSSL on one of the servers), and to my amazement it failed to sign it properly, complaining about the type not being RSA.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA integrating samba4 + AD
2013/9/12 Dmitri Pal d...@redhat.com

On 09/11/2013 11:27 PM, Christovam Paynes Silva wrote:

2013/9/11 Dmitri Pal d...@redhat.com

On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:

It is a pity! Thank you!

I did not get a feeling that we understand the whole picture correctly to say that we provided the full answer. What I get from the description:

1) Presence of Windows Clients = 100

Correct!

2) Presence of AD to rule them

Correct!

3) Presence of users (I deduce in AD too, but unclear) = 1000

Correct! Users are wireless. Use windows and linux without domain.

Intent: use open source technologies instead of proprietary solution.

That's right!

What is not clear:

a) Are the users that come through the portal the same users that use Windows Clients or not? Is there an overlap?

Users are via wireless. Authenticate users on a captive portal with Squid. Customers are windows, linux and without domain.

b) Is there any kind of Linux servers/machines in the picture?

This question was not clear to me.

FreeIPA is a domain controller for Linux/UNIX systems. Its main value is to manage the Linux environment inside your enterprise. It can manage users and groups too as any directory can. It can also authenticate users but its value is in creating an integrated Linux environment in terms of identity management. It seems that the setup you have does not actually have such a Linux environment, i.e. Linux machines to join to the IPA domain and manage. The question was: Do you have Linux systems to manage?

I have 5 servers. But that's just me working on them. I believe we do not need the IPA. I appreciate the attention. Thank you.

If you do not have Linux systems and all users can be stored in one place it might be that you do not need FreeIPA. It might be that you can solve the problem by using Samba4 instead of AD, connecting your clients to it, putting your external portal users into a special OU in Samba4, configuring FreeRADIUS to use this OU for authentication. Configure your portal to use RADIUS.

Sorry, I may not have understood the concept of FreeIPA. I would like to continue using the AD, because of Group Policy Objects (GPO).

You need to check whether Samba 4 supports GPO and to what extent.
http://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F

Does it have the ability to authenticate email services, applications, among others directly in Samba4?

Yes, as with any LDAP server, but if you are planning to use AD then you do not need Samba 4 either. You then point your mail service and applications to AD directly. Most modern applications have some sort of LDAP integration for identity lookup and authentication. That means you would be able to point them to pretty much any directory: AD, Samba4, IPA, 389 ...

HTH

Thanks Dmitri

2013/9/11 Simo Sorce s...@redhat.com

On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:

Hello Simo, thanks for the feedback. I would use the Samba4 with AD and authenticate my windows clients in FreeIPA. Is this possible?

It is not possible at this point to combine Samba4 AD and freeIPA.

Simo.

2013/9/11 Simo Sorce s...@redhat.com

On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:

Hello! First I apologize if this topic is redundant. I'm looking at the implementation of FreeIPA. Looking through the forums, there are some comments that authentication does not work with Samba4. Elsewhere they say that that possibility exists. Today we have nearly 200 computers in the domain with Active Directory and one wireless captive portal with 1000+ proxy users. I would like to see if the following scenario is possible:

1 - Integrating Samba4 with Active Directory, to use their GPO and authenticate network users through FreeIPA.
2 - Authenticate proxy servers in FreeIPA.
3 - And if it is possible some integration with FreeRADIUS

Hi Christovam, it is a bit unclear what you mean by integrating here. Is your intent to use Samba4 as an AD domain controller for your Windows clients and IPA for your servers? If that's the case unfortunately this is not possible at the moment as samba4 does not yet support Forest level trusts. A Microsoft AD server can be used this way instead.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
Hi,

On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote:

Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client & server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not)

Not aware of an includes-all guide, but would start here:

- adding the HTTP service principal:
  https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd
  http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry
- when you host multiple kerberized sites on the server (access requires a Red Hat subscription):
  https://access.redhat.com/site/solutions/206623
- apache side config:
  http://modauthkerb.sourceforge.net/configure.html
- firefox client side config:
  http://www.grolmsnet.de/kerbtut/firefox.html

Christian
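The Apache side of the setup Christian's links describe, as an added example that is not from the thread or from any of the linked guides. It is a mod_auth_kerb configuration (the module used on RHEL 6 and Fedora at the time) and assumes: the web server is an IPA-enrolled client named www.example.com in realm EXAMPLE.COM; the service principal was created with `ipa service-add HTTP/www.example.com`; and its key was fetched on the web server with `ipa-getkeytab -s ipa.example.com -p HTTP/www.example.com -k /etc/httpd/conf/http.keytab`, after which the keytab was made readable only by the apache user (`chown apache /etc/httpd/conf/http.keytab; chmod 600 /etc/httpd/conf/http.keytab`). Host names, the keytab path and the protected location are placeholders.

```apache
# /etc/httpd/conf.d/kerberos-example.conf  (added example, not from the thread)
# Requires mod_auth_kerb.  Assumed names: realm EXAMPLE.COM, server
# www.example.com, keytab fetched with ipa-getkeytab for HTTP/www.example.com.
<Location "/secure">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    # Service part of the principal; the host part is taken from the request
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf/http.keytab
    # SPNEGO/Negotiate is what Firefox and IE (and IIS) use
    KrbMethodNegotiate On
    # Never fall back to basic auth: that would send the user's password to
    # the web server instead of proving possession of a ticket
    KrbMethodK5Passwd Off
    # Do not keep delegated credentials on the server unless an app needs them
    KrbSaveCredentials Off
    # Strip @EXAMPLE.COM so REMOTE_USER is the bare uid
    KrbLocalUserMapping On
    Require valid-user
</Location>
```

On the client side Firefox only sends a Negotiate token to hosts matched by `network.negotiate-auth.trusted-uris` in about:config (for example `.example.com`), and IE does the same for sites in its Local intranet zone with Integrated Windows Authentication enabled; both speak the same SPNEGO mechanism as IIS, so the question about IE + IIS compatibility comes down to the browser being able to get a ticket for HTTP/www.example.com from the IPA KDC. Two caveats: `ipa-getkeytab` generates a new key for the principal each time it is run, which invalidates any keytab fetched earlier for that principal (the management concern behind Simo's preference for separate keytabs), and with GSS-Proxy, per the wiki page Simo links, the keytab is read by gssproxy on Apache's behalf rather than via Krb5KeyTab.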
Re: [Freeipa-users] Elliptic curves with the CA
On 09/16/2013 06:05 AM, mees virk wrote:
Hello all,
Is it possible to set up FreeIPA's CA to use ECC cryptographic methods (ECDSA and co.) instead of RSA? That includes generating ECC CA certificates, and so on. I don't think I was given any option towards this in the default installation process. Would appreciate instructions and/or pointers towards this. Also, can the default generated RSA CA be switched later to ECC/ECDSA?

Why doesn't the CA allow cross-signing (RSA/ECDSA hybrid keychains) certificates? It seems to validate the types, although it is not strictly forbidden as cryptographic practice (mostly just inconvenient, but it's legal). I gave the CA an ECC CSR (generated by OpenSSL on one of the servers), and to my amazement it failed to sign it properly, complaining about the type not being RSA.

IPA uses NSS; NSS support of ECC algorithms is very fresh, we have not looked at this area yet. I suspect it would require changes in Dogtag first. Would be best if you can file an RFE ticket, then we would be able to follow up.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Timeout (?) issues
On 09/16/2013 12:02 PM, KodaK wrote:
Yet another AIX related problem: The AIX LDAP client is called secldapclntd (sure, they could make it more awkward, but the budget ran out.) I'm running into the issue detailed here: http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344

If an LDAP server fails to answer an LDAP query, secldapclntd caches the non-answered query negatively. This may happen if the LDAP server is down, for example. After the LDAP server is back again secldapclntd will use the negative cache entry and the application initiating the original query will still fail until the cache entry expires.

IBM is working on porting the fix to our specific TL and SP levels. What I'm concerned with here, though, is *why* is it timing out? I don't know what the current timeout values are (AIX sucks, etc.) I don't see timeout issues on my Linux boxes, which leads me to believe that either the sssd timeouts are longer or that sssd is just more robust when dealing with timeouts. I believe I'm seeing similar behavior with LDAP sudo on AIX as well, because I occasionally have to re-run sudo commands because they initially fail (and I know I'm using the right passwords.) However, sudo doesn't appear to have a cache (or it handles caching better.)

Does anyone have any troubleshooting suggestions? Any general "speed things up" suggestions on the IPA side?

Thanks,
--Jason
-- 
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

Is the server FreeIPA? Can you see in the server logs what is actually happening: is it the server that really takes time, or is there a network connectivity issue, or is a FW dropping packets? I would really start with the server side logs.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
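One way to do the server-side check Dmitri suggests, as an added example that is not part of the thread: the 389 Directory Server behind IPA writes one request line (SRCH, BIND, ...) and one RESULT line per operation to its access log, sharing conn= and op=, and the RESULT line carries etime= (the seconds the server spent on it). Joining the two and listing every operation at or above a threshold separates "the server was slow" from "the client never got an answer". The log path is assumed, the threshold is a parameter, and the log lines in sample_access_log are constructed for the self-check:

```shell
#!/bin/sh
# Added example (not from the original thread): list slow operations from a
# 389-ds / IPA access log so that client-side timeouts (AIX secldapclntd,
# sssd, sudo) can be compared with what the server actually took.
# The log path below is an assumption; adjust it to your instance name.
ACCESS_LOG="${ACCESS_LOG:-/var/log/dirsrv/slapd-EXAMPLE-COM/access}"
SLOW_SECONDS="${SLOW_SECONDS:-1}"

# slow_ops LOGFILE [THRESHOLD]
# Prints "conn=N op=M etime=S :: <request line>" for every RESULT whose
# etime is >= THRESHOLD seconds. Fields after whitespace splitting are:
#   $1 $2 = timestamp, $3 = conn=N, $4 = op=M, $5 = SRCH/BIND/RESULT/...
# Request lines are remembered by conn+op until their RESULT arrives.
slow_ops() {
    awk -v thr="${2:-$SLOW_SECONDS}" '
        $3 ~ /^conn=/ && $4 ~ /^op=/ && $5 != "RESULT" {
            req[$3 " " $4] = $0
        }
        $3 ~ /^conn=/ && $4 ~ /^op=/ && $5 == "RESULT" {
            key = $3 " " $4
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^etime=/) {
                    split($i, kv, "=")
                    if (kv[2] + 0 >= thr) {
                        line = req[key]
                        sub(/^[^ ]+ [^ ]+ /, "", line)   # drop the timestamp
                        print key " " $i " :: " line
                    }
                }
            }
            delete req[key]
        }
    ' "$1"
}

# Constructed sample in 389-ds access log format (not a real capture):
# one fast BIND and SRCH, a 3 s sudo rule search, and a 25 s group search.
sample_access_log() {
    cat <<'EOF'
[16/Sep/2013:12:02:11 -0600] conn=1001 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[16/Sep/2013:12:02:11 -0600] conn=1001 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Sep/2013:12:02:11 -0600] conn=1001 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jason,cn=users,cn=accounts,dc=example,dc=com"
[16/Sep/2013:12:02:11 -0600] conn=1001 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=jason)" attrs="uid uidNumber gidNumber"
[16/Sep/2013:12:02:11 -0600] conn=1001 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[16/Sep/2013:12:02:12 -0600] conn=1001 op=2 SRCH base="ou=sudoers,dc=example,dc=com" scope=2 filter="(sudoUser=jason)" attrs=ALL
[16/Sep/2013:12:02:15 -0600] conn=1001 op=2 RESULT err=0 tag=101 nentries=3 etime=3
[16/Sep/2013:12:02:20 -0600] conn=1002 op=1 SRCH base="cn=groups,cn=accounts,dc=example,dc=com" scope=2 filter="(memberUid=jason)" attrs="cn gidNumber"
[16/Sep/2013:12:02:45 -0600] conn=1002 op=1 RESULT err=0 tag=101 nentries=40 etime=25 notes=U
[16/Sep/2013:12:02:46 -0600] conn=1001 op=3 UNBIND
[16/Sep/2013:12:02:46 -0600] conn=1001 op=3 fd=64 closed - U1
EOF
}

# Typical use against the live log:  slow_ops "$ACCESS_LOG" 2
```

Reading the output: if the client reports a timeout but every etime in the window is small, the time is being lost on the network, in a firewall, or in the client's own (short) timeout, not in the server; if etime is large, look at the matching request. A RESULT line tagged notes=U is an unindexed search, which is the usual reason a directory that is otherwise fast takes many seconds for one filter, and adding the index is the "speed things up" fix on the IPA side. Because secldapclntd negatively caches an unanswered query, a single slow or dropped answer keeps failing until the cache entry expires, so even rare slow operations are worth chasing.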