Re: [Freeipa-users] Where and how are passwords stored?

2015-02-11 Thread Dmitri Pal

On 02/12/2015 01:25 AM, Michael Lasevich wrote:
Ok, after a  few awkward questions from an auditor, I am starting to 
face the uncomfortable truth that my understanding about how FreeIPA 
works is a lot fuzzier than I would like.


Specifically, the question I could not answer - where are the 
passwords stored and how are they encrypted? My understanding is that 
all authentication is handled by Kerberos server, which stores its 
data in LDAP - but where and how is a bit of a mystery to me. Any way 
to dump out the password hashes?


Passwords are stored in LDAP in two different attributes per entry: one 
holds the LDAP password hash and the other the Kerberos password hash, allowing 
authentication with either Kerberos or LDAP. Both follow best practices 
in terms of the hash algorithms used. The attributes themselves are 
protected by access control instructions (ACIs), so only a super 
privileged admin or the user himself can interact with this attribute. 
During normal operations it is not fetched and read. The core of the DS 
processes it behind closed doors, so it is possible to reset but not 
to read.

This is how LDAP works and it is no different from any modern directory server.




Thanks,

-M





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] ad relation with winsync

2015-02-11 Thread Dmitri Pal

On 02/12/2015 12:37 AM, Nicolas Zin wrote:

That was that:

in the logs (/var/log/dirsrv/slapd-HQ-EMIRATES-COM/errors) I got:
slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect 
error) errno 0 (Success)


And when I did "LDAPTLS_CACERTDIR=/etc/dirsrv/... ldapsearch ...", it began to 
be interesting:
ldap_start_tls: Connect error (-11)
  additionnal info: TLS: hostname does not match CN in peer certificate

So I corrected my problem: I put the correct hostname in ipa-replica-manage 
(and not the IP). And it connects!


Next step: getting the replication working. The customer doesn't want to give my sync user the "Replicating directory 
changes", "Account Operator" and "Enterprise Read-Only Domain Controller" attributes and just 
wants a "one-way replication".
For the one-way replication, I followed the documentation.

But I don't see any imported users. Do you have an idea? Are some of the 
Windows attributes necessary even for a one-way (Windows to Linux) 
synchronisation?


Regards,



Nicolas

- Original Message -
From: "Rich Megginson" 
To: freeipa-users@redhat.com
Sent: Wednesday, 11 February 2015 18:57:43
Subject: Re: [Freeipa-users] ad relation with winsync

On 02/11/2015 04:18 AM, Nicolas Zin wrote:

I reply to myself.
This was certainly a Windows configuration issue. I went further:
ipa-replica-manage connect --winsync --binddb 
cn=Administrator,cn=Users,dc=company,dc=com --bindpwd  --passsync 
whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: AD Suffix is: DC=company,DC=com
The user for Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: 
Connect error: start: 0 end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP error: 
Connect error]



So apparently I managed to connect to AD but something went wrong after?
How can I debug it?

You can test it like this:

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H
ldap://fqdn.of.ad.host -s base -b "DC=company,DC=com" -D
"cn=Administrator,cn=Users,dc=company,dc=com" -w "password"




Regards,



Nicolas Zin



- Original Message -
From: "Nicolas Zin" 
To: freeipa-users@redhat.com
Sent: Wednesday, 11 February 2015 12:06:47
Subject: [Freeipa-users] ad relation with winsync

Hi,

I now try to establish a winsync relation with a Windows 2008R2.
I installed IDM 3.3 on RHEL7.

When I try to create the replication:
ipa-replica-manage connect --winsync --binddb 
cn=Administrator,cn=Users,dc=company,dc=com --bindpwd  --passsync 
whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: Failed to connect to AD srever dc.company.com
ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not 
found','desc': 'Connect error'}
Failed to setup winsync replication


Do you have an idea, what's wrong?
Also is it possible to point to port 636 instead?


Notes:
- On the Windows side, SSL has been activated (with pain) and ldp.exe manages to 
connect via SSL on port 636 correctly (so the certificate is in place). I 
don't know how to check it is working properly on port 389, i.e. that START_TLS works
- I checked that the 2 boxes have the same time (ntp)
- I nearly managed to make it work once, but I got another error during 
replication



AD is treated as the ultimate source, so adds should go only from AD 
to IPA, but you need modifies to work both ways, otherwise your account 
state will get out of sync.
Whatever is required by the docs is the minimal privilege you need to have 
to sync users.


However, did you consider a trust?
It is a two-way trust but it acts as a one-way trust.






Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135

Fax: 514-276-5465
7275 Saint Urbain
Suite 200
Montréal, QC, H2R 2Y5






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam ? How to compile ipasam separetely on Centos 7 ?

2015-02-11 Thread Alexander Bokovoy

On Wed, 11 Feb 2015, Israel Miranda wrote:

I did follow 
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
but first I was always getting NT_STATUS_UNSUCCESSFUL
First I thought it was related to a bad parameter in my samba
configuration, because
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
says it is about ipa v4 and I found this ticket
https://fedorahosted.org/freeipa/ticket/3999 I thought the
documentation was incomplete.

Documentation regarding Samba integration is incomplete. We are working
on improving it but nothing is ready for review yet.


I debugged kerberos log file and I realized I was using just username
instead of usern...@realm.com in windows 8 machine. It showed REALM as
a groupname and I thought samba would do the translation but even on
windows share logon you have to use usern...@realm.com otherwise it
doesn't work.

Yes. When you are using cross-forest trust to AD this will happen
automatically. If you are not using cross-forest trust to AD, this use
case is not yet officially supported, so I'm glad that it works for you.


Also what about all those ldap objects I created earlier ?
Are they worthwhile or needed for a kerberized CIFS server?
Because they are not mentioned in
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

You don't need to create any additional LDAP objects.

What you need is basically the following:

1. Run ipa-adtrust-install on all masters that will be serving AD users.
Right now this means effectively all masters but we are working on
separating the heavy parts (running smbd/winbindd on each master) soon.

2. Use 
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
to configure your Fedora 21+ or RHEL7.1beta or later servers to host
Samba.



It is working flawlessly now. Thanks a lot for the tip, now my
smb.conf is just like in the example of the howto and it is working
through sssd-libwbclient accessing the keytab.

I have detailed the steps and commands to create the ldap objects,
there is a typo many places on the internet because it was reproduced
from http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html

Notice that it is against Fedora 17 which is way old now and obsolete.


I also think it should be documented somewhere that ipa-adtrust-install
creates/populates the ipaNTHash, I couldn't find it anywhere, someone
told me this on freenode.

Given that you don't need to know about ipaNTHash to use
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA,
all you need is documented there. I've added a note that IPA masters
have to be configured with ipa-adtrust-install.



And one more doubt.
ipa config-mod --userobjectclasses=aaa,bbb,ccc
or ipa config-mod --groupobjectclasses=aaa,bbb,ccc
doesn't work on IPA 4.
Is there a way of doing this on the command line on ipa 4 ?

Use shell expansion.

ipa object-command --attribute={value1,value2,value3,...}


--
/ Alexander Bokovoy



[Freeipa-users] Where and how are passwords stored?

2015-02-11 Thread Michael Lasevich
Ok, after a  few awkward questions from an auditor, I am starting to face
the uncomfortable truth that my understanding about how FreeIPA works is a
lot fuzzier than I would like.

Specifically, the question I could not answer - where are the passwords
stored and how are they encrypted? My understanding is that all
authentication is handled by Kerberos server, which stores its data in LDAP
- but where and how is a bit of a mystery to me. Any way to dump out the
password hashes?

Thanks,

-M

Re: [Freeipa-users] ad relation with winsync

2015-02-11 Thread Nicolas Zin
That was that:

in the logs (/var/log/dirsrv/slapd-HQ-EMIRATES-COM/errors) I got:
slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect 
error) errno 0 (Success)


And when I did "LDAPTLS_CACERTDIR=/etc/dirsrv/... ldapsearch ...", it began to 
be interesting:
ldap_start_tls: Connect error (-11)
 additionnal info: TLS: hostname does not match CN in peer certificate

So I corrected my problem: I put the correct hostname in ipa-replica-manage 
(and not the IP). And it connects!


Next step: getting the replication working. The customer doesn't want to give my 
sync user the "Replicating directory changes", "Account Operator" and "Enterprise 
Read-Only Domain Controller" attributes and just wants a "one-way replication".
For the one-way replication, I followed the documentation.

But I don't see any imported users. Do you have an idea? Are some of the 
Windows attributes necessary even for a one-way (Windows to Linux) 
synchronisation?


Regards,



Nicolas

- Original Message -
From: "Rich Megginson" 
To: freeipa-users@redhat.com
Sent: Wednesday, 11 February 2015 18:57:43
Subject: Re: [Freeipa-users] ad relation with winsync

On 02/11/2015 04:18 AM, Nicolas Zin wrote:
> I reply to myself.
> This was certainly a Windows configuration issue. I went further:
> ipa-replica-manage connect --winsync --binddb 
> cn=Administrator,cn=Users,dc=company,dc=com --bindpwd  --passsync 
> whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
> Directory Manager password: 
>
> Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate 
> database for srv7idm2.ipa.company.com
> ipa: INFO: AD Suffix is: DC=company,DC=com
> The user for Windows PassSync service is 
> uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
> ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: 
> Connect error: start: 0 end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
>
> [srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP 
> error: Connect error]
>
>
>
> So apparently I managed to connect to AD but something went wrong after?
> How can I debug it?

You can test it like this:

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H 
ldap://fqdn.of.ad.host -s base -b "DC=company,DC=com" -D 
"cn=Administrator,cn=Users,dc=company,dc=com" -w "password"

>
>
>
> Regards,
>
>
>
> Nicolas Zin
>
>
>
> - Original Message -
> From: "Nicolas Zin" 
> To: freeipa-users@redhat.com
> Sent: Wednesday, 11 February 2015 12:06:47
> Subject: [Freeipa-users] ad relation with winsync
>
> Hi,
>
> I now try to establish a winsync relation with a Windows 2008R2.
> I installed IDM 3.3 on RHEL7.
>
> When I try to create the replication:
> ipa-replica-manage connect --winsync --binddb 
> cn=Administrator,cn=Users,dc=company,dc=com --bindpwd  --passsync 
> whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
> Directory Manager password: 
>
> Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate 
> database for srv7idm2.ipa.company.com
> ipa: INFO: Failed to connect to AD srever dc.company.com
> ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not 
> found','desc': 'Connect error'}
> Failed to setup winsync replication
>
>
> Do you have an idea, what's wrong?
> Also is it possible to point to port 636 instead?
>
>
> Notes:
> - On the Windows side, SSL has been activated (with pain) and ldp.exe manages 
> to connect via SSL on port 636 correctly (so the certificate is in 
> place). I don't know how to check it is working properly on port 389, i.e. 
> that START_TLS works
> - I checked that the 2 boxes have the same time (ntp)
> - I nearly managed to make it work once, but I got another error during 
> replication
>
>
>
> Nicolas Zin
> nicolas@savoirfairelinux.com
> Direct line: 514-276-5468 ext. 135
>
> Fax: 514-276-5465
> 7275 Saint Urbain
> Suite 200
> Montréal, QC, H2R 2Y5
>
>
>

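The failure Nicolas diagnosed above (ldapsearch reporting that the hostname does not match the peer certificate, because the agreement pointed at the DC's IP address rather than its name) can be reproduced offline. The following is an added example, not code from this thread or from FreeIPA/389-ds: an RFC 6125-style matcher that compares the name a client connected with against the certificate's dNSName/iPAddress SANs, falling back to the subject CN only when no dNSName SAN exists. Certificates are dicts in the shape `ssl.SSLSocket.getpeercert()` returns; the sample certificate contents are constructed.

```python
"""Check whether a TLS peer certificate is valid for the name a client used.

Added example; not code from the thread or from FreeIPA/389-ds. The
certificate dicts mimic the shape returned by ssl.SSLSocket.getpeercert()
and are constructed for this example.
"""
import ipaddress


def _dns_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, one whole-label wildcard
    allowed only as the leftmost label and only when at least two labels follow."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, host):
    """Return True if `cert` is valid for `host` (a DNS name or an IP literal)."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only ever matched by an iPAddress SAN, never by the CN:
        # this is why connecting to the DC by IP fails against a DNS-name certificate.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        return any(_dns_match(name, host) for name in dns_names)
    # No dNSName SAN at all: older clients fall back to the subject commonName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, host)
    return False


def explain(cert, host):
    """One-line diagnostic in the spirit of the ldapsearch message on the list."""
    if cert_matches_host(cert, host):
        return f"OK: certificate is valid for {host}"
    return f"TLS: hostname {host} does not match CN/SAN in peer certificate"


# Constructed sample: roughly what an AD domain controller's LDAP certificate carries.
AD_DC_CERT = {
    "subject": ((("domainComponent", "com"),), (("domainComponent", "company"),),
                (("commonName", "dc.company.com"),)),
    "subjectAltName": (("DNS", "dc.company.com"), ("DNS", "company.com")),
}

if __name__ == "__main__":
    for target in ("dc.company.com", "DC.COMPANY.COM.", "192.0.2.10", "srv.company.com"):
        print(explain(AD_DC_CERT, target))
```

Run stand-alone it prints one line per target; the IP literal is rejected even though it is the DC's address, which is exactly the situation fixed above by naming the host in ipa-replica-manage instead of its IP.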

Re: [Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam ? How to compile ipasam separetely on Centos 7 ?

2015-02-11 Thread Israel Miranda
I did follow 
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
but first I was always getting NT_STATUS_UNSUCCESSFUL
First I thought it was related to a bad parameter in my samba
configuration, because
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
says it is about ipa v4 and I found this ticket
https://fedorahosted.org/freeipa/ticket/3999 I thought the
documentation was incomplete.

I debugged kerberos log file and I realized I was using just username
instead of usern...@realm.com in windows 8 machine. It showed REALM as
a groupname and I thought samba would do the translation but even on
windows share logon you have to use usern...@realm.com otherwise it
doesn't work.
Also what about all those ldap objects I created earlier ?
Are they worthwhile or needed for a kerberized CIFS server?
Because they are not mentioned in
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

It is working flawlessly now. Thanks a lot for the tip, now my
smb.conf is just like in the example of the howto and it is working
through sssd-libwbclient accessing the keytab.

I have detailed the steps and commands to create the ldap objects,
there is a typo many places on the internet because it was reproduced
from http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html

on the creation of
dn: cn=SambaCoS,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cosTemplateDn: cn=SambaCoS,cn=ipaConfig,dc=etc,dc=example,dc=com
cosAttribute: sambaGrouptType

there is a typo in the cosAttribute: a double tT in sambaGrouptType,
and I wasn't able to create the object because the template was not found.
I found this error in the log:
Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.

I also think it should be documented somewhere that ipa-adtrust-install
creates/populates the ipaNTHash, I couldn't find it anywhere, someone
told me this on freenode.

And one more doubt.
ipa config-mod --userobjectclasses=aaa,bbb,ccc
or ipa config-mod --groupobjectclasses=aaa,bbb,ccc
doesn't work on IPA 4.
Is there a way of doing this on the command line on ipa 4 ?

Thanks a lot, ipa 4 is excellent.


2015-02-11 6:32 GMT-02:00, Alexander Bokovoy :
> On Tue, 10 Feb 2015, Israel Miranda wrote:
>>I have a freeipa installation of v4 on Fedora 21.
>>I have a separate fileserver with freeipa packages installed from
>>mkosek-freeipa-epel-7.repo on centos 7.
>>
>>I have:
>>* created sambaSAMAccount,sambaGroupMapping UserObjects
>>* created an entry for DNA plugin to populate them
>>cn=SambaGroupSid,cn=Distributed Numeric Assignment
>>Plugin,cn=plugins,cn=config
>>* added a CoS template for sambaGroupType
>>* added a CoS definition for sambaGroupType
>>* used ipa-adtrust-install to create and populate ipaNTHash
>>* checked with the creation of these attributes with an ldap browser all
>> ok
>>* put the fileserver machine on the domain
>>* added necessary permissions, privileges and roles
>>* installed kerberos keytab on the fileserver
>>* was able to retrieve ipaNTHash attribute with the keytab from samba
>> server
>>
>>and now the only thing missing is to integrate the fileserver with the
>>ipaserver.
>>I don't mind using ipasam, but to install it on my centos7
>>fileserver, which only has samba installed and nothing else, it also
>>pulls the whole freeipa-server package, and this is overkill just to
>>get ipasam.so. So I'd like some help in compiling it separately.
>>I am using standard samba server distributed with centos 7.
>>
>>So I tried to use  passdb backend = ldapsam:ldap//ipaserver
>>but samba tries to bind using admin user, and doesn't use keytab, even
>>though I put
>>dedicated keytab file = FILE:/etc/samba/samba.keytab
>>kerberos method = dedicated keytab
>>in smb.conf.
> ldapsam currently does not yet support keytab use. With CentOS7/mkosek
> COPR repo you don't need to use any special passdb module anymore, just
> follow
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>
>>
>>So please help me in getting these two things done:
>>
>>1. use samba with freeipa through ldap( I know it is worse than
>>ipasam, but would be nice to know how to integrate freeipa with samba
>>with ldap on systems where ipasam might not be available )
> Don't do that, use sssd-libwbclient integration. It requires pretty
> fresh sssd version (1.12.2+) but systems you mentioned (F21 and CentOS7
> with mkosek COPR repo) have it.
>
>>2. compile an ipasam.so module so we can work on creating an rpm
>>package in the future, since it is necessary to install ipasam.so
>>separately.
> No need to that when using sssd-libwbclient integration.
>
> --
> / Alexander Bokovoy
>


-- 
Free software philosophy :

Information is for free.
People are not.
Contributors are priceless.


Filosofia 

Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread Rob Crittenden
marcin kowalski wrote:
> Edit: I accidentally forgot to send a copy to the list, so resubmitting.
> 
> 
> I tried this command :
> 
> getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey
> -N "cn=mywebserver"
> 
> I've set up the 'dogtag-ipa' CA in certmonger like so:
> 
> id=dogtag-ipa
> ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
> ca_is_default=0
> ca_type=EXTERNAL
> ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> -E https://fedora.box.net:8443/ca/ee/ca -A
> https://fedora.box.net:8443/ca/agent/ca/ -n "CN=BOX.NET 
> admin" -d /var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v
> 
> 
> Since I haven't fully figured out how to set up authentication for
> certmonger yet, I've temporarily reused one from the dogtag's pki
> instance. Hopefully it's not a fatal mistake on my end.

What is your reasoning for setting up your own CA configuration? Why not
just use either ipa-getcert or getcert -c IPA?

rob

> 
> From the certmonger logs i get :
> 
> lut 11 09:52:19 fedora.box.net 
> dogtag-ipa-renew-agent-submit[2887]: GET
> https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-BEGIN+NEW+CERTIFICATE+REQUEST-%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQ!
 K%2B%0A6O7
LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-END+NEW+CERTIFICATE+REQUEST-%0A&xml=true
> lut 11 09:52:19 fedora.box.net 
> dogtag-ipa-renew-agent-submit[2887]:  encoding="UTF-8"
> standalone="no"?>2Request Deferred
> - {0}  49
> 
> 
> And the request #49 is placed in Dogtag's CA Agent services, and can be
> acknowledged/rejected correctly. It's just that certmonger is stuck and
> doesn't notice the successful delivery.
> 
> The machine is in an isolated network, so there is probably no issue wrt using
> box.net as the test domain.
> 
> 2015-02-10 18:40 GMT+01:00 Dmitri Pal  >:
> 
> On 02/10/2015 12:35 PM, marcin kowalski wrote:
>> Hi all, I'm getting dogtag figured out slowly, and I noticed one
>> odd thing.
>>
>> I've setup certmonger to request an arbitrary certificate through
>> dogtag, and while the request seems to go into the dogtag system,
>> certmonger acts as if communication with the CA failed. The
>> certificate is considered in need of user attention because the
>> process got stuck.
>>
>> Request ID ‘20150210125814’:
>> status: NEED_GUIDANCE
>> stuck: yes
>> key pair storage: type=FILE,location=’/etc/pki/testkey’
>> certificate: type=FILE,location=’/etc/pki/testcert’
>> CA: dogtag-ipa
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>>
>> [root@fedora pki]# systemctl status -l certmonger
>> (….)
>> lut 10 13:57:04 fedora.box.net 
>> certmonger[7845]: Request for certificate to be stored in file
>> “/etc/pki/testcert” rejected by CA.
>>
>>
>> The request is present in dogtag and is valid, can be
>> accepted/rejected, etc. Even though certmonger never notices that.
>> I wonder if there is some obvious mistake in my setup, or perhaps
>> there is a known bug in the interaction of both components on F21 (I'm
>> using only standard repositories).
>>
>> When I post the query from certmonger's agent defined in the CA
>> definition through curl, i get no errors.
>>
>> What would be the best way to debug this issue?
>>
>>
> Can you post your certmonger get-cert command?
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 
> 
> 
> 
> 
> 


Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread Nalin Dahyabhai
On Wed, Feb 11, 2015 at 10:04:42AM +0100, marcin kowalski wrote:
> I forgot to add - usually removing the "-v" bit in ca external helper
> definition produces the aforementioned 'rejected by CA' message, instead of
> verbose output.

Ah.  Yes, the verbose output goes to stdout, where it confuses the main
daemon (it's expecting a very specific format from stdout), rather than
stderr, which probably would have been a better idea.

> > Since i haven't fully figured out how to setup authentication for
> > certmonger yet, i've temporarily reused one from the dogtag's pki instance.
> > Hopefully it's not a fatal mistake on my end.

The agent authentication is set up using a combination of the -d, -n,
and optionally the -P or -p flags.  If you leave off all options,
dogtag-ipa-renew-agent-submit more or less assumes:
 -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt

I tried this on my own box, and Dogtag threw a curve ball by putting a
blank line in before the -----END CERTIFICATE----- line at the end of
the issued certificate.  It's something we can work around, but it's not
something the current version knows that it needs to do.

HTH,

Nalin



Re: [Freeipa-users] ad relation with winsync

2015-02-11 Thread Rich Megginson

On 02/11/2015 04:18 AM, Nicolas Zin wrote:

I reply to myself.
This was certainly a Windows configuration issue. I went further:
ipa-replica-manage connect --winsync --binddb 
cn=Administrator,cn=Users,dc=company,dc=com --bindpwd  --passsync 
whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: AD Suffix is: DC=company,DC=com
The user for Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: 
Connect error: start: 0 end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP error: 
Connect error]



So apparently I managed to connect to AD but something went wrong after?
How can I debug it?


You can test it like this:

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H 
ldap://fqdn.of.ad.host -s base -b "DC=company,DC=com" -D 
"cn=Administrator,cn=Users,dc=company,dc=com" -w "password"






Regards,



Nicolas Zin



- Original Message -
From: "Nicolas Zin" 
To: freeipa-users@redhat.com
Sent: Wednesday, 11 February 2015 12:06:47
Subject: [Freeipa-users] ad relation with winsync

Hi,

I now try to establish a winsync relation with a Windows 2008R2.
I installed IDM 3.3 on RHEL7.

When I try to create the replication:
ipa-replica-manage connect --winsync --binddb 
cn=Administrator,cn=Users,dc=company,dc=com --bindpwd  --passsync 
whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: Failed to connect to AD srever dc.company.com
ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not 
found','desc': 'Connect error'}
Failed to setup winsync replication


Do you have an idea, what's wrong?
Also is it possible to point to port 636 instead?


Notes:
- On the Windows side, SSL has been activated (with pain) and ldp.exe manages to 
connect via SSL on port 636 correctly (so the certificate is in place). I 
don't know how to check it is working properly on port 389, i.e. that START_TLS works
- I checked that the 2 boxes have the same time (ntp)
- I nearly managed to make it work once, but I got another error during 
replication



Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135

Fax: 514-276-5465
7275 Saint Urbain
Suite 200
Montréal, QC, H2R 2Y5






Re: [Freeipa-users] ad relation with winsync

2015-02-11 Thread Nicolas Zin
I reply to myself.
This was certainly a Windows configuration issue. I went further:
ipa-replica-manage connect --winsync --binddb 
cn=Administrator,cn=Users,dc=company,dc=com --bindpwd  --passsync 
whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: AD Suffix is: DC=company,DC=com
The user for Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: 
Connect error: start: 0 end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP error: 
Connect error]



So apparently I managed to connect to AD but something went wrong after?
How can I debug it?



Regards,



Nicolas Zin



- Original Message -
From: "Nicolas Zin" 
To: freeipa-users@redhat.com
Sent: Wednesday, 11 February 2015 12:06:47
Subject: [Freeipa-users] ad relation with winsync

Hi,

I now try to establish a winsync relation with a Windows 2008R2.
I installed IDM 3.3 on RHEL7.

When I try to create the replication:
ipa-replica-manage connect --winsync --binddb 
cn=Administrator,cn=Users,dc=company,dc=com --bindpwd  --passsync 
whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: Failed to connect to AD srever dc.company.com
ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not 
found','desc': 'Connect error'}
Failed to setup winsync replication


Do you have an idea, what's wrong?
Also is it possible to point to port 636 instead?


Notes:
- On the Windows side, SSL has been activated (with pain) and ldp.exe manages to 
connect via SSL on port 636 correctly (so the certificate is in place). I 
don't know how to check it is working properly on port 389, i.e. that START_TLS works
- I checked that the 2 boxes have the same time (ntp)
- I nearly managed to make it work once, but I got another error during 
replication



Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135

Fax: 514-276-5465
7275 Saint Urbain
Suite 200
Montréal, QC, H2R 2Y5



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread marcin kowalski
I forgot to add - usually removing the "-v" bit in ca external helper
definition produces the aforementioned 'rejected by CA' message, instead of
verbose output.

2015-02-11 10:00 GMT+01:00 marcin kowalski :

> Edit: I accidentally forgot to send a copy to the list, so resubmitting.
>
>
> I tried this command :
>
> getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N
> "cn=mywebserver"
>
> I've set up the 'dogtag-ipa' CA in certmonger like so:
>
> id=dogtag-ipa
> ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
> ca_is_default=0
> ca_type=EXTERNAL
> ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> -E https://fedora.box.net:8443/ca/ee/ca -A
> https://fedora.box.net:8443/ca/agent/ca/ -n "CN=BOX.NET admin" -d
> /var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v
>
>
> Since I haven't fully figured out how to set up authentication for
> certmonger yet, I've temporarily reused one from Dogtag's PKI instance.
> Hopefully it's not a fatal mistake on my end.
>
> From the certmonger logs I get:
>
> lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET
> https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-BEGIN+NEW+CERTIFICATE+REQUEST-%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-END+NEW+CERTIFICATE+REQUEST-%0A&xml=true
> lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]:  version="1.0" encoding="UTF-8"
> standalone="no"?>2Request Deferred -
> {0}  49
>
>
> And the request #49 is placed in Dogtag's CA Agent services, and can be
> acknowledged/rejected correctly. It's just that certmonger is stuck and
> doesn't notice the successful delivery.
>
> The machine is in an isolated network, so there is probably no issue wrt using
> box.net as a test domain.
>
> 2015-02-10 18:40 GMT+01:00 Dmitri Pal :
>
>>  On 02/10/2015 12:35 PM, marcin kowalski wrote:
>>
>> Hi all, I'm getting dogtag figured out slowly, and I noticed one odd
>> thing.
>>
>> I've set up certmonger to request an arbitrary certificate through dogtag,
>> and while the request seems to go into the dogtag system, certmonger acts
>> as if communication with the CA failed. The certificate is considered in
>> need of user attention because the process got stuck.
>>
>> Request ID '20150210125814':
>> status: NEED_GUIDANCE
>> stuck: yes
>> key pair storage: type=FILE,location='/etc/pki/testkey'
>> certificate: type=FILE,location='/etc/pki/testcert'
>> CA: dogtag-ipa
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>>
>> [root@fedora pki]# systemctl status -l certmonger
>> (...)
>> lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate
>> to be stored in file "/etc/pki/testcert" rejected by CA.
>>
>> The request is present in dogtag and is valid, can be accepted/rejected,
>> etc., even though certmonger never notices that. I wonder if there is some
>> obvious mistake in my setup, or perhaps there is a known bug in the interaction
>> of both components on F21 (I'm using only standard repositories).
>>
>> When I post the query from certmonger's agent defined in the CA definition
>> through curl, I get no errors.
>>
>> What would be the best way to debug this issue?
>>
>>
>> Can you post your certmonger get-cert command?
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread marcin kowalski
Edit: I accidentally forgot to send a copy to the list, so resubmitting.


I tried this command :

getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N
"cn=mywebserver"

I've set up the 'dogtag-ipa' CA in certmonger like so:

id=dogtag-ipa
ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -E
https://fedora.box.net:8443/ca/ee/ca -A
https://fedora.box.net:8443/ca/agent/ca/ -n "CN=BOX.NET admin" -d
/var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v


Since I haven't fully figured out how to set up authentication for
certmonger yet, I've temporarily reused one from Dogtag's PKI instance.
Hopefully it's not a fatal mistake on my end.

From the certmonger logs I get:

lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET
https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-BEGIN+NEW+CERTIFICATE+REQUEST-%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-END+NEW+CERTIFICATE+REQUEST-%0A&xml=true
lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: 2Request Deferred -
{0}  49


And the request #49 is placed in Dogtag's CA Agent services, and can be
acknowledged/rejected correctly. It's just that certmonger is stuck and
doesn't notice the successful delivery.

The machine is in an isolated network, so there is probably no issue wrt using
box.net as a test domain.

2015-02-10 18:40 GMT+01:00 Dmitri Pal :

>  On 02/10/2015 12:35 PM, marcin kowalski wrote:
>
> Hi all, I'm getting dogtag figured out slowly, and I noticed one odd
> thing.
>
> I've set up certmonger to request an arbitrary certificate through dogtag,
> and while the request seems to go into the dogtag system, certmonger acts
> as if communication with the CA failed. The certificate is considered in
> need of user attention because the process got stuck.
>
> Request ID '20150210125814':
> status: NEED_GUIDANCE
> stuck: yes
> key pair storage: type=FILE,location='/etc/pki/testkey'
> certificate: type=FILE,location='/etc/pki/testcert'
> CA: dogtag-ipa
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
>
> [root@fedora pki]# systemctl status -l certmonger
> (...)
> lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate
> to be stored in file "/etc/pki/testcert" rejected by CA.
>
> The request is present in dogtag and is valid, can be accepted/rejected,
> etc., even though certmonger never notices that. I wonder if there is some
> obvious mistake in my setup, or perhaps there is a known bug in the interaction
> of both components on F21 (I'm using only standard repositories).
>
> When I post the query from certmonger's agent defined in the CA definition
> through curl, I get no errors.
>
> What would be the best way to debug this issue?
>
>
> Can you post your certmonger get-cert command?
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
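The helper log in this post (and in the quoted copy earlier in the thread) shows Dogtag answering profileSubmit with Status 2, "Request Deferred" and request id 49, while certmonger reports the request as "rejected by CA". The Python below is an added illustration for this thread, not the source of certmonger's dogtag-ipa-renew-agent-submit helper: it shows how a submit helper should map that XML onto certmonger's documented helper exit statuses (0 issued, 1 wait, 2 rejected, 3 unreachable, 4 unconfigured, 5 wait with cookie) so that a request pending agent approval is polled later rather than abandoned. The element names XMLResponse/Status/Error/RequestId are the ones Dogtag's xml=true reply uses; the sample replies are constructed from the values visible in the thread (the archive stripped the tags), and treating Status 3 as an agent rejection is an assumption.

```python
"""Map a Dogtag profileSubmit XML reply onto certmonger's submit-helper
exit statuses.

Added example for this thread; not the source of certmonger's
dogtag-ipa-renew-agent-submit helper. The sample replies are constructed
from the values visible in the thread (the archive stripped the XML tags).
"""
import xml.etree.ElementTree as ET

# Exit statuses a certmonger submit helper returns (certmonger's helper contract).
CM_SUBMIT_STATUS_ISSUED = 0
CM_SUBMIT_STATUS_WAIT = 1
CM_SUBMIT_STATUS_REJECTED = 2
CM_SUBMIT_STATUS_UNREACHABLE = 3
CM_SUBMIT_STATUS_UNCONFIGURED = 4
CM_SUBMIT_STATUS_WAIT_WITH_COOKIE = 5

# Constructed from the helper log in the thread: Status 2, "Request Deferred", id 49.
DEFERRED_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error>"
    "<RequestId>  49</RequestId></XMLResponse>"
)
# Constructed; using Status 3 for an agent rejection is an assumption.
REJECTED_RESPONSE = (
    "<XMLResponse><Status>3</Status><Error>Request Rejected - {0}</Error>"
    "<RequestId>  50</RequestId></XMLResponse>"
)


def classify_submit_response(xml_text: str):
    """Return (helper_status, detail) for one profileSubmit?xml=true reply.

    Status "0" means the CA issued the certificate (a real helper would then
    print the certificate body, omitted here). Status "2" with a request id
    means the request is queued for agent approval: report WAIT_WITH_COOKIE
    and hand back the id so certmonger polls later instead of flagging the
    request as rejected. Anything else is treated as a rejection carrying the
    CA's error text.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A reply we cannot parse is indistinguishable from a broken CA endpoint.
        return CM_SUBMIT_STATUS_UNREACHABLE, f"unparseable CA reply: {exc}"
    status = (root.findtext("Status") or "").strip()
    error = (root.findtext("Error") or "").strip()
    request_id = (root.findtext("RequestId") or "").strip()
    if status == "0":
        return CM_SUBMIT_STATUS_ISSUED, request_id
    if status == "2" and request_id:
        return CM_SUBMIT_STATUS_WAIT_WITH_COOKIE, request_id
    return CM_SUBMIT_STATUS_REJECTED, error or f"Status {status!r}"


if __name__ == "__main__":
    for name, body in (("deferred", DEFERRED_RESPONSE), ("rejected", REJECTED_RESPONSE)):
        print(name, classify_submit_response(body))
```

With the deferred reply the function returns status 5 and the cookie "49", which is what lets certmonger keep polling the agent queue; collapsing that case into status 2 produces exactly the "rejected by CA" / NEED_GUIDANCE state seen in the getcert output above.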

Re: [Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam? How to compile ipasam separately on Centos 7?

2015-02-11 Thread Alexander Bokovoy

On Tue, 10 Feb 2015, Israel Miranda wrote:

I have a freeipa installation of v4 on Fedora 21.
I have a separate fileserver with freeipa packages installed from
mkosek-freeipa-epel-7.repo on centos 7.

I have:
* created sambaSAMAccount,sambaGroupMapping UserObjects
* created an entry for DNA   plugin to populate them
cn=SambaGroupSid,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
* added a CoS template for sambaGroupType
* added a CoS definition for sambaGroupType
* used ipa-adtrust-install to create and populate ipaNTHash
* checked the creation of these attributes with an ldap browser, all ok
* put the fileserver machine on the domain
* added necessary permissions, privileges and roles
* installed kerberos keytab on the fileserver
* was able to retrieve ipaNTHash attribute with the keytab from samba server

and now the only thing missing is to integrate the fileserver with the
ipaserver.
I don't mind using ipasam, but installing it on my centos7
fileserver, which only has samba installed and nothing else, also
pulls in the whole freeipa-server package, and this is overkill just to
get ipasam.so. So I'd like some help in compiling it separately.
I am using standard samba server distributed with centos 7.

So I tried to use  passdb backend = ldapsam:ldap//ipaserver
but samba tries to bind using admin user, and doesn't use keytab, even
though I put
   dedicated keytab file = FILE:/etc/samba/samba.keytab
   kerberos method = dedicated keytab
in smb.conf.

ldapsam currently does not yet support keytab use. With CentOS7/mkosek
COPR repo you don't need to use any special passdb module anymore, just
follow
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA




So please help me in getting these two things done:

1. use samba with freeipa through ldap (I know it is worse than
ipasam, but it would be nice to know how to integrate freeipa with samba
via ldap on systems where ipasam might not be available)

Don't do that, use sssd-libwbclient integration. It requires a pretty
fresh sssd version (1.12.2+), but the systems you mentioned (F21 and CentOS7
with mkosek COPR repo) have it.


2. compile an ipasam.so module so we can work on creating an rpm
package in the future, since it is necessary to install ipasam.so
separately.

No need for that when using sssd-libwbclient integration.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


[Freeipa-users] ad relation with winsync

2015-02-11 Thread Nicolas Zin
Hi,

I am now trying to establish a winsync relation with a Windows 2008R2.
I installed IDM 3.3 on RHEL7.

When I try to create the replication:
ipa-replica-manage connect --winsync --binddb 
cn=Administrator,cn=Users,dc=company,dc=com --bindpwd  --passsync 
whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: Failed to connect to AD srever dc.company.com
ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not 
found','desc': 'Connect error'}
Failed to setup winsync replication


Do you have an idea what's wrong?
Also, is it possible to point to port 636 instead?


Notes:
- On the Windows side, SSL has been activated (with pain) and ldp.exe manages to 
connect via SSL on port 636 correctly (so the certificate is in place). I 
don't know how to check that it is working properly on port 389, i.e. that START_TLS works
- I checked that the 2 boxes have the same time (ntp)
- I nearly managed to make it work once, but I got another error during 
replication



Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135

Fax : 514-276-5465
7275 Saint Urbain
Suite 200
Montréal, QC, H2R 2Y5



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
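Nicolas's question in this post (how to check that START_TLS actually works on port 389 against the DC) and the "-11 - LDAP error: Connect error" in his follow-up at the top of the thread come down to the same two checks: does the server accept the StartTLS extended operation at all, and does the certificate it then presents validate against the CA file given to --cacert and match the host name being used. The Python below is added as a diagnostic for this thread and is not part of FreeIPA, 389-ds or ipa-replica-manage: it hand-encodes the RFC 4511 StartTLS request, parses the extended response, and then hands the socket to the standard ssl module with hostname checking on, so a chain or SAN/CN mismatch surfaces as a readable ssl.SSLCertVerificationError instead of a bare -11. The host name, the CA path and the sample response bytes are constructed.

```python
"""Diagnose LDAP StartTLS on port 389 against a directory server such as an
AD domain controller used as a winsync peer.

Added example for this thread; not code from FreeIPA, 389-ds or
ipa-replica-manage. Host names, the CA file path and the sample response
bytes are constructed for illustration.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    if not 0 < msg_id < 0x80:
        raise ValueError("msg_id must fit a one-byte positive INTEGER")
    message_id = b"\x02\x01" + bytes([msg_id])
    request_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] LDAPOID
    ext_req = b"\x77" + ber_len(len(request_name)) + request_name        # [APPLICATION 23]
    body = message_id + ext_req
    return b"\x30" + ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos:]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf: bytes):
    """Parse LDAPMessage { messageID, ExtendedResponse } into (resultCode, diagnosticMessage)."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, _msg_id, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x78:  # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, pos = _read_tlv(resp, 0)
    if tag != 0x0A:  # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    _tag, _matched_dn, pos = _read_tlv(resp, pos)   # LDAPDN matchedDN
    _tag, diag, _pos = _read_tlv(resp, pos)         # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def sample_extended_response(code: int, diag: bytes = b"", msg_id: int = 1) -> bytes:
    """Constructed server reply (not captured traffic), used for offline testing."""
    resp = b"\x0a\x01" + bytes([code]) + b"\x04\x00"          # resultCode, empty matchedDN
    resp += b"\x04" + ber_len(len(diag)) + diag                 # diagnosticMessage
    resp += b"\x8a" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [10] responseName
    ext = b"\x78" + ber_len(len(resp)) + resp
    body = b"\x02\x01" + bytes([msg_id]) + ext
    return b"\x30" + ber_len(len(body)) + body


def check_starttls(host: str, cafile: str, port: int = 389, timeout: float = 10.0):
    """Run StartTLS against host:port and verify the certificate it presents.

    Returns the peer certificate subject on success. Raises RuntimeError if the
    server refuses StartTLS, and ssl.SSLCertVerificationError if the chain does
    not validate against cafile or the SAN/CN does not match `host`.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))  # reply is a few dozen bytes
        if code != 0:
            raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = True
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    # Constructed values: use the DC name given to ipa-replica-manage and the
    # CA file passed via --cacert.
    print(check_starttls("dc.company.com", "/etc/openldap/cacerts/adRootCA.crt"))
```

Two details matter for the winsync case: the name passed as `host` must be the same one given to ipa-replica-manage, because that is the name the DC's certificate is checked against, and `cafile` must contain the CA that actually signed the DC's certificate (the adRootCA.crt added to the certificate database above), since a chain that fails to build is reported as the same generic connect error as a name mismatch.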