Re: [Freeipa-users] FreeIPA 3.3 and Solaris 10 Client Integration:

2014-09-25 Thread Traiano Welcome
Hi Martin



On Wed, Sep 24, 2014 at 2:18 PM, Martin Kosek  wrote:

> On 09/24/2014 01:06 PM, Traiano Welcome wrote:
> > Hi List
> >
> > I'm currently running IPA 3.3 on Centos 7, and successfully
> authenticating
> > Linux clients (Centos 6.5).
> >
> > I'd like to setup Solaris 10 as an IPA client, but this seems
> > problematic. I am following this guide:
> >
> >
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
> >
> > I have the following setup:
> >
> > Solaris client:
> >
> > - Solaris 10u11 (SunOS  5.10 Generic_147148-26 i86pc i386 i86pc)
> >
> > IdM Server:
> >
> > - Linux kwtpocipa001.orion.local 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30
> > 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> >
> > Going through the steps in the guide: at step 3 ("Create the
> cn=proxyagent
> > account"), ldapadd fails with the following error:
> >
> >
> >
> > "ldapadd: invalid format (line 6) entry:
> > "cn=proxyagent,ou=profile,dc=orion,dc=local""
> >
> > ---
> >
> > [root@kwtpocipa001 ~]# ldapadd -h 172.16.107.102 -p 389 -D "cn=directory
> > manager" -w Cr4ckM0nk3y
> > dn: cn=proxyagent,ou=profile,dc=orion,dc=local
> > objectClass: top
> > objectClass: person
> > sn: proxyagent
> > cn: proxyagent
> > userPassword::
> > e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
> >
> > ldapadd: invalid format (line 6) entry:
> > "cn=proxyagent,ou=profile,dc=orion,dc=local"
> > ---
> >
> > I've made the assumption that  the extra ":" is a typo in the
> documentation
> > and removed it, so the command runs successfully as follows:
> >
> >
> > ---
> > [root@kwtpocipa001 ~]# ldapadd -h 172.16.107.102 -p 389 -D "cn=directory
> > manager" -w Cr4ckM0nk3y
> >
> > dn: cn=proxyagent,ou=profile,dc=orion,dc=local
> > objectClass: top
> > objectClass: person
> > sn: proxyagent
> > cn: proxyagent
> > userPassword:
> > e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
> > adding new entry "cn=proxyagent,ou=profile,dc=orion,dc=local"
> > ---
> >
> >
> > At step 9 (Configure NFS ), I get an error, seems to indicate the
> > "des-cbc-crc" encryption type is unsupported:
> >
> > ---
> > [root@kwtpocipa001 ~]# ipa-getkeytab -s kwtpocipa001.orion.local -p
> > nfs/kwtpocipasol10u11.orion.local -k /tmp/kwtpocipasol10u11.keytab -e
> > des-cbc-crc
> > Operation failed! All enctypes provided are unsupported
> > [root@kwtpocipa001 ~]#
> > ---
> >
> > (Question: How would I add support for des-cbc-crc encryption  in
> > freeipa?). I've now worked around this by not specifying any encryption
> > type:
> >
> > ---
> > [root@kwtpocipa001 ~]# ipa-getkeytab -s kwtpocipa001.orion.local -p
> > nfs/kwtpocipasol10u11.orion.local -k /tmp/kwtpocipasol10u11.keytab
> > Keytab successfully retrieved and stored in:
> /tmp/kwtpocipasol10u11.keytab
> > [root@kwtpocipa001 ~]#
> > ---
> >
> > Testing that I can see nfs mounts on the centos IPA server from the
> solaris
> > machine:
> >
> > ---
> > bash-3.2# showmount -e kwtpocipa001.orion.local
> > export list for kwtpocipa001.orion.local:
> > /data/centos-repo 172.16.0.0/24
> > bash-3.2#
> > 
> >
> >
> > Checking we can kinit:
> >
> > ---
> > bash-3.2#
> > bash-3.2# kinit admin
> > Password for admin@ORION.LOCAL:
> > bash-3.2#
> > bash-3.2#
> > bash-3.2# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin@ORION.LOCAL
> > Valid starting       Expires            Service principal
> > 09/24/14 11:20:36  09/24/14 12:20:36  krbtgt/ORION.LOCAL@ORION.LOCAL
> > renew until 10/01/14 11:20:36
> > bash-3.2#
> > bash-3.2#
> > bash-3.2#
> > bash-3.2# uname -a
> > SunOS kwtpocipasol10u11 5.10 Generic_147148-26 i86pc i386 i86pc
> > bash-3.2#
> > ---
> >
> > Testing I can mount the remote FS (without Kerberos auth). This is
> > successful (when not using kerberos5 authentication):
> >
> > ---
> > bash-3.2# mount -F nfs 172.16.107.102:/data/centos-repo /remote/
> > bash-3.2# mount |grep remote
> > /remote on 172.16.107.102:/data/centos-repo
> > remote/read/write/setuid/devices/rstchown/xattr/dev=4fa on Wed Sep 24
> > 13:45:32 2014
> > bash-3.2#
> > ---
> >
> > Testing with KRB5:
> >
> > ---
> > bash-3.2# mount -F nfs -o sec=krb5 172.16.107.102:/data/centos-repo
> /remote/
> > nfs mount: mount: /remote: Permission denied
> > bash-3.2#
> > ---
> >
> > Looking at the krbkdc logs on the IPA master server, I get the following
> > error:
> >
> > ---
> > Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2371](info): AS_REQ (6
> > etypes {18 17 16 23 3 1}) 172.16.107.107: NEEDED_PREAUTH:
> > host/kwtpocipasol10u11.orion.local@ORION.LOCAL for
> > krbtgt/ORION.LOCAL@ORION.LOCAL, Additional pre-authentication required
> > Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2373](info): DISPATCH:
> > repeated (retransmitted?) request from 172.16.107.107, resending previous
> > response
> > Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2374](info): DISPATCH:
> > repeated
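
In LDIF (RFC 2849), "attr:: value" means the value is base64-encoded and ldapadd decodes it before sending the entry; the first characters of the guide's userPassword value quoted above decode to "{SSHA}", i.e. a pre-hashed password. The parser below is an added example, not code from the thread, the guide or FreeIPA; it handles the three forms seen above (the double-colon line, the single-colon variant, and a value pasted onto its own line without a leading space), and the DN, hash and entries it feeds itself are constructed.

```python
import base64

def parse_ldif_entry(ldif):
    """Return (dn, {attr: [values]}) for one LDIF entry (RFC 2849 subset).
    "attr: value" is literal, "attr:: value" is base64 (decoded), a leading
    space continues the previous line; anything else raises ValueError
    ("invalid format (line N)"), the diagnostic ldapadd printed above."""
    logical = []  # (line number, unfolded line)
    for lineno, raw in enumerate(ldif.splitlines(), start=1):
        if not raw.strip():
            continue
        if raw.startswith(" ") and logical:
            prev_no, prev = logical[-1]
            logical[-1] = (prev_no, prev + raw[1:])  # fold continuation line
        else:
            logical.append((lineno, raw))
    dn, attrs = None, {}
    for lineno, line in logical:
        sep = line.find(":")
        if sep <= 0:
            raise ValueError("invalid format (line %d)" % lineno)
        name = line[:sep]
        if line.startswith("::", sep):  # base64 value: strict decode, bad padding fails
            value = base64.b64decode(line[sep + 2:].strip(), validate=True).decode()
        else:
            value = line[sep + 1:].strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def ldif_format_error(ldif):
    """Return the ldapadd-style error text for a malformed entry, else None."""
    try:
        parse_ldif_entry(ldif)
    except ValueError as exc:
        return str(exc)
    return None

def password_scheme(value):
    """{SCHEME} prefix of a userPassword value, or None for cleartext."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1]
    return None

FAKE_HASH = "{SSHA}constructed-not-a-real-hash=="  # constructed, not a real hash
FAKE_B64 = base64.b64encode(FAKE_HASH.encode()).decode()
ENTRY_B64 = (  # the guide's form: "::" with the base64 value on the same line
    "dn: cn=proxyagent,ou=profile,dc=example,dc=com\n"
    "objectClass: top\nobjectClass: person\nsn: proxyagent\ncn: proxyagent\n"
    "userPassword:: " + FAKE_B64 + "\n"
)
ENTRY_LITERAL = ENTRY_B64.replace("userPassword:: ", "userPassword: ")  # one ":"
ENTRY_BROKEN = ENTRY_B64.replace("userPassword:: ", "userPassword::\n")  # value on the next line
```

With a single colon the server receives the base64 text itself as the password, not the {SSHA} hash it encodes.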

Re: [Freeipa-users] 3.3.3 - Unable to install remote client

2014-09-25 Thread Nalin Dahyabhai
On Wed, Sep 24, 2014 at 01:02:34PM -0600, ToBeReplaced wrote:
> In details below, the domain name, server host name, and ip address has
> been changed.
> 
> The server is sitting behind a router with ip 12.34.56.78. The server
> was configured with `--enable-dns` and `192.168.1.100 ipa.example.com
> ipa` in /etc/hosts. 
> 
> firewalld has been set to open up ports for ldap, ldaps, kerberos,
> kpasswd, dns, ntp, http, https on both the client and server. Port 7389
> is also open on the server.
> 
> The router has been configured to forward all of the above ports through
> 12.34.56.78 to 192.168.1.100.
> 
> The client is sitting on a different network (say, behind a router with
> ip 98.76.54.32).
> 
> Its /etc/hosts includes `12.34.56.78 ipa.example.com ipa`.
> Its /etc/resolv.conf includes `nameserver 12.34.56.78`
> 
> ipa-client-install fails with:
> 
> Discovery was successful!
> Hostname: laptop-1.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ipa.example.com
> BaseDN: dc=example,dc=com
> Synchronizing time with KDC...
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=EXAMPLE.COM
> Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
> Valid From:  Wed Sep 24 17:44:28 2014 UTC
> Valid Until: Sun Sep 24 17:44:28 2034 UTC
> 
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> trying https://ipa.example.com/ipa/xml
> Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
> Cannot connect to the server due to Kerberos error: Kerberos
> error: ('Unspecified GSS failure.  Minor code may provide more
> information', 851968)/("Cannot contact any KDC for realm
> 'EXAMPLE.COM'", -1765328228). Trying with delegate=True
> trying https://ipa.example.com/ipa/xml
> Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
> Second connect with delegate=True also failed: Kerberos error:
> ('Unspecified GSS failure.  Minor code may provide more
> information', 851968)/("Cannot contact any KDC for realm
> 'EXAMPLE.COM'", -1765328228)
> Cannot connect to the IPA server XML-RPC interface: Kerberos
> error: ('Unspecified GSS failure.  Minor code may provide more
> information', 851968)/("Cannot contact any KDC for realm
> 'EXAMPLE.COM'", -1765328228)
> Installation failed. Rolling back changes.
> Unenrolling client from IPA server
> Unenrolling host failed: Error obtaining initial credentials:
> Cannot contact any KDC for requested realm.
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
> to /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> 
> `cat /var/log/ipaclient-install.log | grep ERROR -C 25 -m 1`
> 2014-09-24T18:11:49Z INFO Configured /etc/krb5.conf for IPA
> realm EXAMPLE.COM
> 2014-09-24T18:11:49Z DEBUG Starting external process
> 2014-09-24T18:11:49Z DEBUG args=keyctl search @s user
> ipa_session_cookie:host/laptop-1.example@example.com
> 2014-09-24T18:11:49Z DEBUG Process finished, return code=1
> 2014-09-24T18:11:49Z DEBUG stdout=
> 2014-09-24T18:11:49Z DEBUG stderr=keyctl_search: Required key
> not available
> 
> 2014-09-24T18:11:49Z DEBUG Starting external process
> 2014-09-24T18:11:49Z DEBUG args=keyctl search @s user
> ipa_session_cookie:host/laptop-1.example@example.com
> 2014-09-24T18:11:49Z DEBUG Process finished, return code=1
> 2014-09-24T18:11:49Z DEBUG stdout=
> 2014-09-24T18:11:49Z DEBUG stderr=keyctl_search: Required key
> not available
> 
> 2014-09-24T18:11:49Z DEBUG failed to find session_cookie in
> persistent storage for principal
> 'host/laptop-1.example@example.com'
> 2014-09-24T18:11:49Z INFO trying https://ipa.example.com/ipa/xml
> 2014-09-24T18:11:49Z DEBUG Created connection context.xmlclient
> 2014-09-24T18:11:49Z DEBUG Try RPC connection
> 2014-09-24T18:11:49Z INFO Forwarding 'ping' to server
> 'https://ipa.example.com/ipa/xml'
> 2014-09-24T18:12:07Z DEBUG Destroyed connection
> context.xmlclient
> 2014-09-24T18:12:07Z INFO Cannot connect to the server due to
> Kerberos error: Kerberos

Re: [Freeipa-users] Virtual DIT view howto

2014-09-25 Thread Alexander Bokovoy

On Thu, 25 Sep 2014, Sandor Juhasz wrote:
> Hello,
>
> I need a bit of help on how to create virtual dit structure on an existing ipa.
> I need it to create separate structure to authenticate users for services which
> don't support ldap search filters.
> I did not find anything in the manual or any howto to start with.

Look into slapi-nis documentation. You can use examples of compat tree
as configured by IPA already.

Note though that slapi-nis has support for authentication in RHEL 7 and
Fedora 20 only. Earlier versions don't have proper support for LDAP BIND
over compat tree.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot [SOLVED]

2014-09-25 Thread Alexander Bokovoy

On Thu, 25 Sep 2014, Genadi Postrilko wrote:
> The NetworkManager service was overriding the /etc/resolv.conf, so kinit
> couldn't resolve with the right DNS server.
>
> After stopping the NetworkManager and canceling its start up on boot, I can
> kinit with no problem.
> Didn't even have to change to forward-policy=only.
>
> Thank you for the help, and sorry I haven't noticed it sooner.

I'd recommend switching NetworkManager to the dnsmasq backend for its
resolver. Then you can define additional parameters and even redefine
where to look for specific zones. I'm using this to get home networks
accessible properly even when there are multiple VPN sessions open and
the number of servers in resolv.conf would otherwise be out of proportion.

# cat /etc/NetworkManager/NetworkManager.conf 
[main]

plugins=ifcfg-rh
dns=dnsmasq
# cat /etc/NetworkManager/dnsmasq.d/interfaces 
interface=lo

except-interface=virbr0,vnet0,vnet1,vnet2,tun0,tun1,tun2
bind-interfaces
# cat /etc/NetworkManager/dnsmasq.d/fixed-servers
server=/ipa.example.com/1.2.3.4
server=/ad.example.com/3.4.2.1


--
/ Alexander Bokovoy



Re: [Freeipa-users] Virtual DIT view howto

2014-09-25 Thread Martin Kosek
On 09/25/2014 01:08 PM, Sandor Juhasz wrote:
> Hello,
>
> I need a bit of help on how to create virtual dit structure on an existing
> ipa.
> I need it to create separate structure to authenticate users for services
> which
> don't support ldap search filters.

Ah, I think you want to do what FreeIPA already does in
cn=compat,dc=example,dc=com, i.e. usage of Schema Compatibility plugin
(slapi-nis package).

> I did not find anything in the manual or any howto to start with. 

I would start here:
https://fedorahosted.org/slapi-nis/
https://git.fedorahosted.org/cgit/slapi-nis.git/plain/doc/sch-getting-started.txt
https://git.fedorahosted.org/cgit/slapi-nis.git/plain/doc/examples/sch-plugin-example.ldif.in

HTH,
Martin



[Freeipa-users] Virtual DIT view howto

2014-09-25 Thread Sandor Juhasz
Hello, 

I need a bit of help on how to create virtual dit structure on an existing ipa.
I need it to create separate structure to authenticate users for services which 
don't support ldap search filters. 
I did not find anything in the manual or any howto to start with. 

Sándor Juhász 
System Administrator 
ChemAxon Ltd . 
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031 
Cell: +36704258964 


Re: [Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot [SOLVED]

2014-09-25 Thread Genadi Postrilko
The NetworkManager service was overriding the /etc/resolv.conf, so kinit
couldn't resolve with the right DNS server.

After stopping the NetworkManager and canceling its start up on boot, I can
kinit with no problem.
Didn't even have to change to forward-policy=only.

Thank you for the help, and sorry I haven't noticed it sooner.


Re: [Freeipa-users] ipa host-del not authorised

2014-09-25 Thread Martin Kosek
On 09/25/2014 04:11 AM, Alex Harvey wrote:
> Hi all
> 
> I'm new to IPA and struggling a bit to automate some tasks.
> 
> I am unable to delete hosts from the command line although have no problem
> doing this using the GUI, e.g.
> 
> [root@myipaserver ~]# ipa host-del myhost.example.com
> 
> ipa: ERROR: Insufficient access: not allowed to perform this command
> 
> I guess I need to somehow pass the admin user's username and password?
> However the man page doesn't seem to provide any option for doing this.
> 
> Thanks
> Alex

Hello Alex,

I assume you created a non-admin user with some permissions allowing deletion
of a host.

This error message is thrown when a virtual operation check fails. This is
raised for example when a user is trying to do an unauthorized operation with
certificates, like if a user having the host deletion permission does not also
have the permission to revoke certificates for deleted users.

Does the privileged user have the "Revoke Certificate" permission assigned
through some privilege/role?

The mismatch of behavior between CLI and UI is strange. They call the same
code; maybe you run it with different users.

Also, what is your FreeIPA version?

Martin



Re: [Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

2014-09-25 Thread Petr Spacek

On 24.9.2014 18:00, Genadi Postrilko wrote:
> 2014-09-22 9:29 GMT+03:00 Petr Spacek :
>
>> 'IPA forwarders' are exactly the same as normal 'BIND forward zone' so
>> they involve normal DNS cache.
>>
>> Which type of forwarder do you have configured? Is your 'forwarding policy'
>> set to 'first' (default) or 'only'?
>
> I have default forwarding policy:
>
> [root@ipaserver1 ~]# ipa dnsconfig-show
>    Global forwarders: 192.168.227.60

Okay, your configuration is using default forwarding policy 'first'.

You can set it to 'only' using command
$ ipa dnsconfig-mod --forward-policy=only

I guess that it will fix the problem.

>> Forwarding policy 'first' (combined with cache) could be the cause of your
>> problem. 'First' policy instructs BIND to contact the configured server and
>> if it fails (because of timeout) BIND will re-try the same query using
>> normal recursion.
>>
>> Depending on your network configuration, the normal DNS recursion can
>> return different results than forwarding(^1). In this case BIND can cache
>> e.g. NXDOMAIN answer from some other server and this answer will stay in
>> cache for TTL value in the given answer.
>>
>> As a result, IPA could get cached NXDOMAIN instead of correct SRV records
>> for AD until the TTL in cache expires.
>>
>> This is of course a wild guess. Detailed logs from named (log level 5 or
>> higher+querylog) could tell us what exactly happened.
>
> This is the named log after I increased the debug level to 5 and enabled
> querylog:
>
> https://gist.github.com/anonymous/89308cbca3b07252674c

Unfortunately the log doesn't contain any information. I guess that you did
not reproduce the problem after changing the debug level ...


--
Petr^2 Spacek
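
Petr's argument (a forwarder timeout under policy 'first' lets normal recursion answer NXDOMAIN for the AD zone, and that negative answer then sits in the cache for its TTL) can be walked through with a toy resolver model. This is an added example, not BIND or FreeIPA code: the AD SRV name and answer are constructed, the fixed TTL is a placeholder, and a real BIND negative cache takes its TTL from the zone's SOA rather than a constant.

```python
AD_NAME = "_ldap._tcp.dc._msdcs.ad.example.com"  # constructed AD SRV name
AD_SRV = "SRV 0 100 389 dc1.ad.example.com"      # constructed forwarder answer
TTL = 300                                         # seconds an answer stays cached

class ForwardingResolver:
    """Toy model of a BIND forward zone with a cache.
    policy 'first': ask the forwarder, fall back to recursion on timeout.
    policy 'only':  ask the forwarder, answer SERVFAIL on timeout."""

    def __init__(self, policy, forwarder, recursion):
        self.policy = policy
        self.forwarder = forwarder  # name -> answer, or None on timeout
        self.recursion = recursion  # name -> answer via normal recursion
        self.cache = {}             # name -> (answer, expires_at)
        self.clock = 0              # logical time in seconds

    def resolve(self, name):
        """Return (answer, source); source is cache/forwarder/recursion/none."""
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock:
            return hit[0], "cache"
        answer, source = self.forwarder(name), "forwarder"
        if answer is None:                    # forwarder did not reply in time
            if self.policy == "only":
                return "SERVFAIL", "none"     # nothing is cached
            answer, source = self.recursion(name), "recursion"
        self.cache[name] = (answer, self.clock + TTL)  # NXDOMAIN is cached too
        return answer, source

def run_scenario(policy):
    """Forwarder unreachable for the first query, reachable afterwards.
    Returns the (answer, source) pairs seen at t=0, t=60 s and t=60 s + TTL."""
    state = {"up": False}

    def forwarder(name):
        return AD_SRV if state["up"] else None

    def recursion(name):  # public recursion knows nothing of the private zone
        return "NXDOMAIN"

    r = ForwardingResolver(policy, forwarder, recursion)
    first = r.resolve(AD_NAME)
    state["up"] = True          # the glitch is over, forwarder answers again
    r.clock += 60
    second = r.resolve(AD_NAME)
    r.clock += TTL              # cached entry has expired by now
    third = r.resolve(AD_NAME)
    return first, second, third
```

Under 'first' the second query is answered from the cached NXDOMAIN even though the forwarder is back; under 'only' the first query fails loudly with SERVFAIL and the second one gets the real SRV record.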
