date:20150326

Hi,

We are getting error while trying to ssh using users created in IPA server.

root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 52.74.84.94 [52.74.84.94] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Incorrect RSA1 identifier
debug3: Could not load /root/.ssh/id_rsa as a RSA1 public key
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c00
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host 52.74.84.94 from file
/root/.ssh/known_hosts
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:89
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-...@openssh.com,
ssh-rsa-cert-...@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha...@libssh.org
,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,
ssh-rsa-cert-...@openssh.com,ssh-rsa,
ecdsa-sha2-nistp256-cert-...@openssh.com,
ecdsa-sha2-nistp384-cert-...@openssh.com,
ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,
ssh-dss-cert-...@openssh.com,ssh-dss-cert-...@openssh.com
,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,
hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,
hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,
hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,
umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,
hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,
hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,
hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,
umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com
,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com
,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-26 Thread Sumit Bose

On Wed, Mar 25, 2015 at 08:01:36PM -0400, Dmitri Pal wrote:
 On 03/25/2015 11:44 AM, Simo Sorce wrote:
 On Wed, 2015-03-25 at 14:46 +, Guertin, David S. wrote:
 Follow-up: today I tried clearing the sssd cache and restarting sssd on all 
 three clients, and all three lost their AD users:
 
 # rm -f /var/lib/sss/db/*
 # service sssd restart
 Stopping sssd: [  OK  ]
 Starting sssd: [  OK  ]
 # id 'MIDD\juser'
 id: MIDD\juser: No such user
 
 David Guertin
 
 This is normal, users are loaded in when they actually try to Log In.
 
 Simo.
 
 Yes. The ability to look up AD users that never authenticated was added in
 7.1 and 6.7 (i.e. SSSD 1.12)

I would like to just clarify tis a bit. The support to lookup up
secondary groups (the group list the id command shows) for user which
never authenticated was added in 7.1/6.7.

The plain user lookup as e.g. done with the 'getent passwd username'
always worked.

David, the IPA clients will connect the IPA server to get the user data.
This means if the server cannot resolve the user the clients cannot
either. So the IPA server should be checked first.

You said that you have three IPA servers (master and replicas). Did you
run ipa-adtrust-install on all server? If not, please do. If you are not
sure, running ipa-adtrust-install multiple times does not so any harm.

 Since you are using RHEL-6 clients I assume your IPA servers are on
RHEL-6 as well. In this case please try if the command

wbinfo -n 'MIDD\juser'

returns the SID of the user on the IPA server.

HTH

bye,
Sumit

 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.
 
 -- 
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] subjectAlternitiveName for webservice

When digging around I see this documentation:

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

I would except that server.example.com is not going to be accepted by
IPA when you visit the webgui like that ?

2015-03-26 1:57 GMT+01:00 Matt . yamakasi@gmail.com:
 OK, quite clear but I think that is not going to help me, if you ask
 me, I might be wrong here as this is what I get:

 # wget https://ldap.mydomain.tld/ipa/json
 --2015-03-26 01:22:51--  https://ldap.mydomain.tld/ipa/json
 Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250
 Connecting to ldap.mydomain.tld
 (ldap.mydomain.tld)|10.100.0.250|:443... connected.
 ERROR: cannot verify ldap.mydomain.tld's certificate, issued by
 '/O=MYDOMAIN.TLD/CN=Certificate Authority':
   Self-signed certificate encountered.
 ERROR: certificate common name 'ldap-01.mydomain.tld' doesn't
 match requested host name 'ldap.mydomain.tld'.
 To connect to ldap.mydomain.tld insecurely, use `--no-check-certificate'.

 (I used the gui that actually worked quite OK following the docs,
 tried your version also but got stuck as I did it on the IPA server,
 need to recheck that)

 I think this happens because I use the ca.crt from /etc/ipa/ca.crt and
 the one I generated in the same file. I need to have them both in my
 curl certificate.

 I might be wrong here, but this is where I'm at.

 Thanks again for your patience.

 Matt



 2015-03-20 15:39 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 The right way to sequest a SAN, this seems to need some extra config file ?

 Like I said before, use certmonger, it makes life easier.

 I'll create a new host balancer.example.com with a HTTP service. I'll
 generate a cert with a SAN for idp.example.com in that service. I'm
 generating the cert on idp.example.com, hence the service-add-host bit.

 On 4.1 (freeipa-server-4.1.3-2.fc22.x86_64)

 # kinit admin
 # ipa host-add balancer.example.com
 # ipa service-add HTTP/balancer.example.com --force
 # ipa service-add-host --hosts=idp.example.com HTTP/balancer.example.com
 # ipa-getcert request -f /etc/pki/tls/certs/balancer.pem -k
 /etc/pki/tls/private/balancer.key -N CN=balancer.example.com -K
 HTTP/balancer.example.com -D idp.example.com
 # getcert list -i id until it goes to MONITORING
 # openssl x509 -text -in /etc/pki/tls/certs/balancer.pem
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 11 (0xb)
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: O=EXAMPLE.COM, CN=Certificate Authority
 Validity
 Not Before: Mar 20 14:29:33 2015 GMT
 Not After : Mar 20 14:29:33 2017 GMT
 Subject: O=EXAMPLE.COM, CN=balancer.example.com
 [SNIP]
 X509v3 extensions:
 [SNIP]
 X509v3 Subject Alternative Name:
 DNS:idp.example.com, othername:unsupported,
 othername:unsupported
 [SNIP]

 SAN was definitely not supported in 3.0. Not sure about 3.3, should work
 in 4.0+.

 rob


 2015-03-19 15:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Isn't this documented well (yet) ?

 Is what documented yet?

 rob


 The RH docs are always very detailed about it, but I'm not sure
 here... I see solutions but not 100% from A to Z to make sure we do it
 the proper way.

 2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
 Not worried, I need to try.

 I think it's not an issue as we use persistance for the connection. We
 only do some user adding/chaging stuff, nothing really fancy but it
 needs to be decent. As persistence comes in I think we don't have to
 worry about it, we discussed that here earlier as I remember.

 Or do I ?

 Something else; did you had a nice PTO ?

 2015-03-12 15:54 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi,

 Security wise I can understand that.

 Yes I have read about that... but that would let me use the
 loadbalancer to connect ? I was not sure if the SAN would connect as
 other host.

 Kerberos through a load balancer can be a problem. Is this what you're
 worried about?

 rob


 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi Guys,

 Is Rob able to look at this ? I hope he has some sparetime as I'm
 kinda stuck with this issue.

 Wildcard certs are not supported.

 You can request a SAN with certmonger using -D FQDN. That will work
 with IPA 4.x for sure, maybe 3.3.5.

 rob


 Thanks!



 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need 
 to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

Re: [Freeipa-users] bind-dyndb-ldap vs DLZ

2015-03-26 Thread Petr Spacek

Hello Jorgen and list,

On 26.3.2015 01:25, Jorgen Lundman wrote:
Thanks for your email, (I have included the ML in this reply)

We run Solaris with bind+DLZ+ldap on the DNS servers, and are looking at
better performance. Which means evaluating bind-dyndb-ldap. I did some
minor tweaks to compile bind-dyndb on Solaris.

Perfect! I can merge your changes upstream if you send me a patch with your
changes. It would make your life easier later when you need to pick new code.

Since we already have large systems running in production, with
provisioning, and support tools, it is unlikely we would change the schema.
It would probably be less work for me to fork bind-dyndb and massage it
into handling DLZ schema directly.

Hmm, that might be a challenge. bind-dyndb-ldap code implicitly assumes that
there is 1:1 mapping between DNS name-LDAP DN. This makes implementation of
dynamic updates much easier.

Anyway, please be so kind and send your patches to us too. It is well possible
that some chunks will be applicable to bind-dyndb-ldap too.

Hopefully this approach would improve code quality upstream and at the same
time allow you to maintain minimal patch set and pull new code from upstream
often and with minimal pain.

BTW there is outstanding patch set which touches record-parsing logic:
https://github.com/pspacek/bind-dyndb-ldap/tree/unknown_record_types

It is not a final version yet but it might be a good idea to base your patches
on that to save some patch rebasing.

But before that, we are just evaluating bind-dyndb to decide if it fits
with our systems.

I loaded the 300k zones we have in DLZ-LDAP, into bind-dyndb schema (Just
SOA records with a single ARecord).

[1]
The first issue is that to start named takes about 50 mins. This is a bit
of an issue as there is no resolving while it is starting. This seems to be

It is expected that bind-dyndb-ldap does not serve anything until whole zone
is loaded:

Basically the driver downloads all data from LDAP and feeds the data into
BIND's RBTDB implementation. This is the reason why it has read performance on
nearly same level as plain BIND but it also adds the same limitations - all
the zone data have to be in memory before the zone can be loaded.

(Also, the driver supports DNSSEC in-line signing and it does not make sense
to sign the zone before it is fully loaded.)

Unfortunately there is no way to detect that one zone is fully loaded because
SyncRepl is running on the whole dns sub-tree so we have to wait until initial
synchronization is done.

the same delay each time I start it. slapd is running on localhost, and is
otherwise idle.

Hmm, that stinks! I would be happy to look into it if you can provide me with
output from a profiler of your choice. (It might be a good idea to profile
bind-dyndb-ldap together with whole named process to see all the interactions.)

It is just a large syncrepl for 300k records, always
starting from epoch...

This is a limitation of current implementation and it can be fixed, see below.

[2]
Is it supposed to be able to use the dump-file on exit for faster loads?

Yes, something like that is planned but not implemented yet.

You are basically interested in resolving following two tickets:
https://fedorahosted.org/bind-dyndb-ldap/ticket/124
https://fedorahosted.org/bind-dyndb-ldap/ticket/125

With these two in place it should be fairly easy to read all data from disk,
start serving the zone and do synchronization with LDAP server in background.

A pre-requisite for this are basically these:
1) Answering questions on
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/RBTDB#Filesystemcachemaintenance
2) Implementation of meta-database for LDAP UUID-DNS node mapping
https://fedorahosted.org/bind-dyndb-ldap/ticket/151

Trac Report #3 shows currently planned work ordered by priority:
https://fedorahosted.org/bind-dyndb-ldap/report/3

As you might see, the necessary meta-database is pretty high on the list (it
should be done in ~ 1 month) but start-up performance has very low priority at
the moment and is very unlikely to be ready in Fedora 22 time frame.

If you want to get better start-up performace earlier I would suggest you to
work with us on it. Patches are more than welcome! :-)

We can provide you guidance but currently we do not have capacity to implement
it ourselves in near future, sorry!

Perhaps I broke something while porting it to Solaris. I see it create

No you did not, it is not implemented yet :-)

directories for each zone, only to create an empty keys directory. In
addition to that, having 300k entries in one directory might need hashing.
ZFS is ok with it, but it tends to slow down.

However, once it is loaded, it is much faster than DLZ+LDAP. Previous
system would see about 300qps. (All zones, plus
/usr/share/dict/words+.com with dnsperf)

bind-dyndb gave the same benchmarking test 18796qps.

Now, interestingly, I can also define a DLZ+LDAP line in named.conf after

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Coy Hile



Quoting Andrew Holway andrew.hol...@gmail.com:



When I look at the SPEC file for freeipa-4.1.3, I see requirements

around Systemd.  Is that really a hard requirement, or is it possible to
run newer FreeIPA (that is to say 4.x) on a host that hasn't been
infested by systemd




From an SELinux standpoint systemd is far superior to initd as it allows

far more graceful domain transitions.

Apart from the binary logging and it being a bit monolithic; I really don't
understand the anit-systemd crowd problems. Its advantages over the now
ancient initd seem to be obvious.


hijack
The binary logging is a big problem. Log to the filesystem usefully, or log to
syslog. Then one can get that data into Splunk or similar.  Aside from that,
systemd feels like the answer to the question no one asked.  It's a bit like
what Oracle has done to bastardize smf(5) in Oracle Solaris 11 over what was
there in Solaris 10 (and the former OpenSolaris, now illumos).  The S10
incarnation was awesome, even though the definition of service  
manifests in xml

makes me want to claw my eyes out. Oracle's Microsoftened embrace and extend?
Yeah, not so much

For full disclosure here, the reason I was enquiring about support on  
CentOS 6 is
because my virtualization platform of choice is SmartOS.  For CentOS 6  
and Ubuntu
14.04, I am able to use a 'Branded zone' natively without having to  
add the KVM

hardware emulation layer in there, implying better network and IO performance.
That said, for this particular case, the KVM overhead really doesn't  
matter since
a box that's only doing LDAP and kerb really needn't be all that  
beefy.  Hell, I
could probably run an authoritative KDC for ATHENA.MIT.EDU on an rpi  
if I were so

inclined.
/hijack

Understanding the reason behind the requirements is quite helpful, so  
thanks to all
who provided that.  I'll work with Joyent to add systemd support to  
the lx brand,
and in the meantime, I'll just deploy on KVM infrastructure and take  
the hit.  I

assume there's no good reason to deploy a net new setup using the 3.x release?

-c
--
Coy Hile
coy.h...@coyhile.com

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Jan Pazdziora

On Thu, Mar 26, 2015 at 10:49:22AM +0100, Andrew Holway wrote:

 From an SELinux standpoint systemd is far superior to initd as it allows
 far more graceful domain transitions.

Have you got a link which would demonstrate how systemd helps
with domain transitions?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

great, thanks.

On a related note: the server still doesn't get a (client) kerberos ticket,
which means I can't kinit as a user and then log into a client machine
without a password. Going the other way works fine, however.

thx
anthony

On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek mko...@redhat.com wrote:

 Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
 the
 keyutils dependency fixed anyway :-)

 Martin

 On 03/25/2015 06:59 PM, Anthony Lanni wrote:
  keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
  reinstalled keyutils and then ran the ipa-server-install again, and this
  time it completed without error.
 
  Thanks very much, Martin and Dmitri!
 
  thx
  anthony
 
  On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com wrote:
 
  On 03/25/2015 04:11 AM, Dmitri Pal wrote:
  On 03/24/2015 09:17 PM, Anthony Lanni wrote:
  While running ipa-server-install, it's failing out at the end with an
  error
  regarding the client install on the server. This happens regardless of
  how I
  input the options, but here's the latest command:
 
  ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
  http://EXAMPLE.COM -n example.com http://example.com -p passwd1
 -a
  passwd2 --hostname=ldap-server-01.example.com
  http://ldap-server-01.example.com --forwarder=10.0.1.20
  --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
 
  Runs through the entire setup and gives me this:
 
  [...]
  ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master
  --unattended --domain example.com http://example.com --server
  ldap-server-01.example.com http://ldap-server-01.example.com
 --realm
  EXAMPLE.COM http://EXAMPLE.COM --hostname
 ldap-server-01.example.com
  http://ldap-server-01.example.com
  ipa : DEBUGstdout=
 
  ipa : DEBUGstderr=Hostname: ldap-server-01.example.com
  http://ldap-server-01.example.com
  Realm: EXAMPLE.COM http://EXAMPLE.COM
  DNS Domain: example.com http://example.com
  IPA Server: ldap-server-01.example.com 
  http://ldap-server-01.example.com
  BaseDN: dc=example,dc=com
  New SSSD config will be created
  Configured /etc/sssd/sssd.conf
  Traceback (most recent call last):
File /usr/sbin/ipa-client-install, line 2377, in module
  sys.exit(main())
File /usr/sbin/ipa-client-install, line 2363, in main
  rval = install(options, env, fstore, statestore)
File /usr/sbin/ipa-client-install, line 2135, in install
  delete_persistent_client_session_data(host_principal)
File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 124, in
  delete_persistent_client_session_data
  kernel_keyring.del_key(keyname)
File /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py,
  line
  99, in del_key
  real_key = get_real_key(key)
File /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py,
  line
  45, in get_real_key
  (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE,
  key],
  raiseonerr=False)
 
  Is keyctl installed? Can you run it manually?
  Any SELinux denials?
 
  You are likely hitting
  https://fedorahosted.org/freeipa/ticket/3808
 
  Please try installing keyutils before running ipa-server-install. It is
  fixed
  in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
  https://bugzilla.redhat.com/show_bug.cgi?id=1205660
 
  Martin
 
  --
  Manage your subscription for the Freeipa-users mailing list:
  https://www.redhat.com/mailman/listinfo/freeipa-users
  Go to http://freeipa.org for more info on the project
 
 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

Anthony Lanni wrote:
 I'm referring to the host certificate; I was looking at the web UI,
 under Identity-Hosts in the server details page. The Host Certificate
 section says 'No Valid Certificate'.
 The server has a /etc/krb5.keytab file, and on the same page the
 Enrollment section says 'Kerberos Key Present, Host Provisioned'.

No, masters never got this certificate issued. It was intended to be an
alternate way to authenticate a host to IPA. The host certificate is not
used by IPA currently, and in 4.1 one isn't issued for clients by
default any more.

rob

 
 thx
 anthony
 
 thx
 anthony
 
 On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek mko...@redhat.com
 mailto:mko...@redhat.com wrote:
 
 On 03/26/2015 05:52 PM, Anthony Lanni wrote:
  kinit USER works perfectly; but I can't ssh into the client machine from
  the server without it requesting a password.
 
  I think this is a DNS issue, actually. The server isn't resolving the 
 name
  of the client, so I'm ssh'ing with the IP address, and that's not going 
 to
  work since it's not in the Kerberos db (Cannot determine realm for 
 numeric
  host address).
 
 So it looks like you have found your problem - Kerberos tends to
 break if DNS
 is not set properly.
 
  Except, of course, that the server did not get its own valid Kerberos 
 host
  certificate. It should, right? during the ipa-client-install --on-master
  step of the server install?
 
 Are you asking about host certificate or a Kerberos keytab
 (/etc/krb5.keytab)?
 They are 2 distinct things.
 
  In fact, the global DNS config is completely empty. But I'm going to 
 have
  to tear down the server and rebuild because it's on the same domain as 
 an
  AD server, and ipa-client-install finds that server rather than the new 
 IPA
  server by default: that won't work because I want LDAP to dynamically
  update the records, and establish a trust with the AD server.
  Also we've got 2 linux DNS root servers that act as forwarders. I 
 pointed
  the IPA server at them, but I don't know enough about FreeIPA or 
 DNS/Bind
  to configure IPA to use them properly. SO I'm sure that's where most of 
 my
  problems lie.
 
  I've got to RTFM a bit more before I really start asking the right
  questions, I think. At that point I'll start a new thread.
 
 Ok :-)
 
 Martin
 
 
 
 
  thx
  anthony
 
  On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek mko...@redhat.com
 mailto:mko...@redhat.com wrote:
 
  I am not sure what you mean. So are you saying that kinit USER
 done on
  server
  fails? With what error?
 
  On 03/26/2015 05:28 PM, Anthony Lanni wrote:
  great, thanks.
 
  On a related note: the server still doesn't get a (client) kerberos
  ticket,
  which means I can't kinit as a user and then log into a client
 machine
  without a password. Going the other way works fine, however.
 
  thx
  anthony
 
  On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek mko...@redhat.com
 mailto:mko...@redhat.com wrote:
 
  Ok, thanks for reaching back. BTW, next RHEL-6 minor release
 should have
  the
  keyutils dependency fixed anyway :-)
 
  Martin
 
  On 03/25/2015 06:59 PM, Anthony Lanni wrote:
  keyutils is already installed but /bin/keyctl was 0 length
 (!). Anyway
  I
  reinstalled keyutils and then ran the ipa-server-install
 again, and
  this
  time it completed without error.
 
  Thanks very much, Martin and Dmitri!
 
  thx
  anthony
 
  On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek
 mko...@redhat.com mailto:mko...@redhat.com
  wrote:
 
  On 03/25/2015 04:11 AM, Dmitri Pal wrote:
  On 03/24/2015 09:17 PM, Anthony Lanni wrote:
  While running ipa-server-install, it's failing out at the
 end with
  an
  error
  regarding the client install on the server. This happens
 regardless
  of
  how I
  input the options, but here's the latest command:
 
  ipa-server-install --setup-dns -N --idstart=1000 -r
 EXAMPLE.COM http://EXAMPLE.COM
  http://EXAMPLE.COM -n example.com http://example.com
 http://example.com -p passwd1
  -a
  passwd2 --hostname=ldap-server-01.example.com
 http://ldap-server-01.example.com
  http://ldap-server-01.example.com --forwarder=10.0.1.20
  --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
 
  Runs through the entire setup and gives me this:
 
  [...]
  ipa : DEBUG  args=/usr/sbin/ipa-client-install
 --on-master
  --unattended --domain example.com http://example.com
 http://example.com --server
  ldap-server-01.example.com
 http://ldap-server-01.example.com http://ldap-server-01.example.com
  --realm
  EXAMPLE.COM

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

On 03/26/2015 05:52 PM, Anthony Lanni wrote:
 kinit USER works perfectly; but I can't ssh into the client machine from
 the server without it requesting a password.
 
 I think this is a DNS issue, actually. The server isn't resolving the name
 of the client, so I'm ssh'ing with the IP address, and that's not going to
 work since it's not in the Kerberos db (Cannot determine realm for numeric
 host address).

So it looks like you have found your problem - Kerberos tends to break if DNS
is not set properly.

 Except, of course, that the server did not get its own valid Kerberos host
 certificate. It should, right? during the ipa-client-install --on-master
 step of the server install?

Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)?
They are 2 distinct things.

 In fact, the global DNS config is completely empty. But I'm going to have
 to tear down the server and rebuild because it's on the same domain as an
 AD server, and ipa-client-install finds that server rather than the new IPA
 server by default: that won't work because I want LDAP to dynamically
 update the records, and establish a trust with the AD server.
 Also we've got 2 linux DNS root servers that act as forwarders. I pointed
 the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
 to configure IPA to use them properly. SO I'm sure that's where most of my
 problems lie.
 
 I've got to RTFM a bit more before I really start asking the right
 questions, I think. At that point I'll start a new thread.

Ok :-)

Martin

 
 
 
 thx
 anthony
 
 On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek mko...@redhat.com wrote:
 
 I am not sure what you mean. So are you saying that kinit USER done on
 server
 fails? With what error?

 On 03/26/2015 05:28 PM, Anthony Lanni wrote:
 great, thanks.

 On a related note: the server still doesn't get a (client) kerberos
 ticket,
 which means I can't kinit as a user and then log into a client machine
 without a password. Going the other way works fine, however.

 thx
 anthony

 On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek mko...@redhat.com wrote:

 Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
 the
 keyutils dependency fixed anyway :-)

 Martin

 On 03/25/2015 06:59 PM, Anthony Lanni wrote:
 keyutils is already installed but /bin/keyctl was 0 length (!). Anyway
 I
 reinstalled keyutils and then ran the ipa-server-install again, and
 this
 time it completed without error.

 Thanks very much, Martin and Dmitri!

 thx
 anthony

 On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com
 wrote:

 On 03/25/2015 04:11 AM, Dmitri Pal wrote:
 On 03/24/2015 09:17 PM, Anthony Lanni wrote:
 While running ipa-server-install, it's failing out at the end with
 an
 error
 regarding the client install on the server. This happens regardless
 of
 how I
 input the options, but here's the latest command:

 ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
 http://EXAMPLE.COM -n example.com http://example.com -p passwd1
 -a
 passwd2 --hostname=ldap-server-01.example.com
 http://ldap-server-01.example.com --forwarder=10.0.1.20
 --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d

 Runs through the entire setup and gives me this:

 [...]
 ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master
 --unattended --domain example.com http://example.com --server
 ldap-server-01.example.com http://ldap-server-01.example.com
 --realm
 EXAMPLE.COM http://EXAMPLE.COM --hostname
 ldap-server-01.example.com
 http://ldap-server-01.example.com
 ipa : DEBUGstdout=

 ipa : DEBUGstderr=Hostname: ldap-server-01.example.com
 http://ldap-server-01.example.com
 Realm: EXAMPLE.COM http://EXAMPLE.COM
 DNS Domain: example.com http://example.com
 IPA Server: ldap-server-01.example.com 
 http://ldap-server-01.example.com
 BaseDN: dc=example,dc=com
 New SSSD config will be created
 Configured /etc/sssd/sssd.conf
 Traceback (most recent call last):
   File /usr/sbin/ipa-client-install, line 2377, in module
 sys.exit(main())
   File /usr/sbin/ipa-client-install, line 2363, in main
 rval = install(options, env, fstore, statestore)
   File /usr/sbin/ipa-client-install, line 2135, in install
 delete_persistent_client_session_data(host_principal)
   File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 124,
 in
 delete_persistent_client_session_data
 kernel_keyring.del_key(keyname)
   File
 /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py,
 line
 99, in del_key
 real_key = get_real_key(key)
   File
 /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py,
 line
 45, in get_real_key
 (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING,
 KEYTYPE,
 key],
 raiseonerr=False)

 Is keyctl installed? Can you run it manually?
 Any SELinux denials?

 You are likely hitting
 https://fedorahosted.org/freeipa/ticket/3808

 Please try installing keyutils before running ipa-server-install. It
 is
 fixed
 in

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

I am not sure what you mean. So are you saying that kinit USER done on server
fails? With what error?

On 03/26/2015 05:28 PM, Anthony Lanni wrote:
 great, thanks.
 
 On a related note: the server still doesn't get a (client) kerberos ticket,
 which means I can't kinit as a user and then log into a client machine
 without a password. Going the other way works fine, however.
 
 thx
 anthony
 
 On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek mko...@redhat.com wrote:
 
 Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
 the
 keyutils dependency fixed anyway :-)

 Martin

 On 03/25/2015 06:59 PM, Anthony Lanni wrote:
 keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
 reinstalled keyutils and then ran the ipa-server-install again, and this
 time it completed without error.

 Thanks very much, Martin and Dmitri!

 thx
 anthony

 On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com wrote:

 On 03/25/2015 04:11 AM, Dmitri Pal wrote:
 On 03/24/2015 09:17 PM, Anthony Lanni wrote:
 While running ipa-server-install, it's failing out at the end with an
 error
 regarding the client install on the server. This happens regardless of
 how I
 input the options, but here's the latest command:

 ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
 http://EXAMPLE.COM -n example.com http://example.com -p passwd1
 -a
 passwd2 --hostname=ldap-server-01.example.com
 http://ldap-server-01.example.com --forwarder=10.0.1.20
 --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d

 Runs through the entire setup and gives me this:

 [...]
 ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master
 --unattended --domain example.com http://example.com --server
 ldap-server-01.example.com http://ldap-server-01.example.com
 --realm
 EXAMPLE.COM http://EXAMPLE.COM --hostname
 ldap-server-01.example.com
 http://ldap-server-01.example.com
 ipa : DEBUGstdout=

 ipa : DEBUGstderr=Hostname: ldap-server-01.example.com
 http://ldap-server-01.example.com
 Realm: EXAMPLE.COM http://EXAMPLE.COM
 DNS Domain: example.com http://example.com
 IPA Server: ldap-server-01.example.com 
 http://ldap-server-01.example.com
 BaseDN: dc=example,dc=com
 New SSSD config will be created
 Configured /etc/sssd/sssd.conf
 Traceback (most recent call last):
   File /usr/sbin/ipa-client-install, line 2377, in module
 sys.exit(main())
   File /usr/sbin/ipa-client-install, line 2363, in main
 rval = install(options, env, fstore, statestore)
   File /usr/sbin/ipa-client-install, line 2135, in install
 delete_persistent_client_session_data(host_principal)
   File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 124, in
 delete_persistent_client_session_data
 kernel_keyring.del_key(keyname)
   File /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py,
 line
 99, in del_key
 real_key = get_real_key(key)
   File /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py,
 line
 45, in get_real_key
 (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE,
 key],
 raiseonerr=False)

 Is keyctl installed? Can you run it manually?
 Any SELinux denials?

 You are likely hitting
 https://fedorahosted.org/freeipa/ticket/3808

 Please try installing keyutils before running ipa-server-install. It is
 fixed
 in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
 https://bugzilla.redhat.com/show_bug.cgi?id=1205660

 Martin

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project




 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

I'm referring to the host certificate; I was looking at the web UI, under
Identity-Hosts in the server details page. The Host Certificate section
says 'No Valid Certificate'.
The server has a /etc/krb5.keytab file, and on the same page the Enrollment
section says 'Kerberos Key Present, Host Provisioned'.

thx
anthony

thx
anthony

On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek mko...@redhat.com wrote:

 On 03/26/2015 05:52 PM, Anthony Lanni wrote:
  kinit USER works perfectly; but I can't ssh into the client machine from
  the server without it requesting a password.
 
  I think this is a DNS issue, actually. The server isn't resolving the
 name
  of the client, so I'm ssh'ing with the IP address, and that's not going
 to
  work since it's not in the Kerberos db (Cannot determine realm for
 numeric
  host address).

 So it looks like you have found your problem - Kerberos tends to break if
 DNS
 is not set properly.

  Except, of course, that the server did not get its own valid Kerberos
 host
  certificate. It should, right? during the ipa-client-install --on-master
  step of the server install?

 Are you asking about host certificate or a Kerberos keytab
 (/etc/krb5.keytab)?
 They are 2 distinct things.

  In fact, the global DNS config is completely empty. But I'm going to have
  to tear down the server and rebuild because it's on the same domain as an
  AD server, and ipa-client-install finds that server rather than the new
 IPA
  server by default: that won't work because I want LDAP to dynamically
  update the records, and establish a trust with the AD server.
  Also we've got 2 linux DNS root servers that act as forwarders. I pointed
  the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
  to configure IPA to use them properly. SO I'm sure that's where most of
 my
  problems lie.
 
  I've got to RTFM a bit more before I really start asking the right
  questions, I think. At that point I'll start a new thread.

 Ok :-)

 Martin

 
 
 
  thx
  anthony
 
  On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek mko...@redhat.com wrote:
 
  I am not sure what you mean. So are you saying that kinit USER done on
  server
  fails? With what error?
 
  On 03/26/2015 05:28 PM, Anthony Lanni wrote:
  great, thanks.
 
  On a related note: the server still doesn't get a (client) kerberos
  ticket,
  which means I can't kinit as a user and then log into a client machine
  without a password. Going the other way works fine, however.
 
  thx
  anthony
 
  On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek mko...@redhat.com
 wrote:
 
  Ok, thanks for reaching back. BTW, next RHEL-6 minor release should
 have
  the
  keyutils dependency fixed anyway :-)
 
  Martin
 
  On 03/25/2015 06:59 PM, Anthony Lanni wrote:
  keyutils is already installed but /bin/keyctl was 0 length (!).
 Anyway
  I
  reinstalled keyutils and then ran the ipa-server-install again, and
  this
  time it completed without error.
 
  Thanks very much, Martin and Dmitri!
 
  thx
  anthony
 
  On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com
  wrote:
 
  On 03/25/2015 04:11 AM, Dmitri Pal wrote:
  On 03/24/2015 09:17 PM, Anthony Lanni wrote:
  While running ipa-server-install, it's failing out at the end with
  an
  error
  regarding the client install on the server. This happens
 regardless
  of
  how I
  input the options, but here's the latest command:
 
  ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
  http://EXAMPLE.COM -n example.com http://example.com -p
 passwd1
  -a
  passwd2 --hostname=ldap-server-01.example.com
  http://ldap-server-01.example.com --forwarder=10.0.1.20
  --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
 
  Runs through the entire setup and gives me this:
 
  [...]
  ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master
  --unattended --domain example.com http://example.com --server
  ldap-server-01.example.com http://ldap-server-01.example.com
  --realm
  EXAMPLE.COM http://EXAMPLE.COM --hostname
  ldap-server-01.example.com
  http://ldap-server-01.example.com
  ipa : DEBUGstdout=
 
  ipa : DEBUGstderr=Hostname:
 ldap-server-01.example.com
  http://ldap-server-01.example.com
  Realm: EXAMPLE.COM http://EXAMPLE.COM
  DNS Domain: example.com http://example.com
  IPA Server: ldap-server-01.example.com 
  http://ldap-server-01.example.com
  BaseDN: dc=example,dc=com
  New SSSD config will be created
  Configured /etc/sssd/sssd.conf
  Traceback (most recent call last):
File /usr/sbin/ipa-client-install, line 2377, in module
  sys.exit(main())
File /usr/sbin/ipa-client-install, line 2363, in main
  rval = install(options, env, fstore, statestore)
File /usr/sbin/ipa-client-install, line 2135, in install
  delete_persistent_client_session_data(host_principal)
File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 124,
  in
  delete_persistent_client_session_data
  kernel_keyring.del_key(keyname)
File

[Freeipa-users] AIX client integration

2015-03-26 Thread David Beck

All,
 
This for anyone using AIX clients with freeipa.  I have the client up and 
running just fine (No KRB5, AIX Bug); however I cannot seem to get the client 
to load the groups attributes properly.  The users primary group shows up in 
the groups attribute from lsuser but not any subsequent groups the user is a 
member of in IPA.  In the outputs below, I do a lookup for IPA user 0016751and 
I would expect the groups= attirbute to match those that are listed in the 
Member of Groups from freeipa.
 
I experiemented with the groups attribute and mapping to the memberOf ldap 
attribute in the IPAuser.map file but that hasn't changed the outcome.  If 
anyone has any pointers or advice it would ge greatly appreciated!
 
AIX Client:
6100-09-04-1441
 
LDAP Client version:
idsldap.clt32bit61.rte6.1.0.57  COMMITTED  Directory Server - 32 bit
idsldap.clt_max_crypto32bit61.rte
idsldap.cltbase61.adt 6.1.0.57  COMMITTED  Directory Server - Base Client
idsldap.cltbase61.rte 6.1.0.57  COMMITTED  Directory Server - Base Client
idsldap.ent61.rte 6.1.0.26  COMMITTED  Directory Server - Entitlement
idsldap.clt32bit61.rte6.1.0.57  COMMITTED  Directory Server - 32 bit
idsldap.cltbase61.rte 6.1.0.57  COMMITTED  Directory Server - Base Client
 
 
IDM Server:
RHEL 6.6 x64
ipa-server-3.0.0-42
 
 
 
AIX Client LDAP Config:
ldapservers:idm1-corp-p1.idm.abc.com,idm2-corp-p1.idm.abc.com
binddn:uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com
bindpwd:password
authtype:ldap_auth
userattrmappath:/etc/security/ldap/IPAuser.map
groupattrmappath:/etc/security/ldap/IPAgroup.map
userbasedn:cn=users,cn=accounts,dc=idm,dc=abc,dc=com
groupbasedn:cn=groups,cn=accounts,dc=idm,dc=abc,dc=com
 
 
 
#IPAuser.map file
keyobjectclass  SEC_CHARposixaccounts na
usernameSEC_CHAR  uid  s na
idSEC_INT   idnumbers na
pgrp   SEC_CHARgidnumber   s na
#groups  SEC_LISTmemberOf m na
homeSEC_CHARhomedirectory   s na
shell   SEC_CHARloginshell  s na
gecos   SEC_CHARgecos   s na
spassword   SEC_CHARuserpasswords na
lastupdate  SEC_INT   shadowlastchange  s  days
 
 
 
 
#IPAgroup.map file
groupname   SEC_CHARcn   s na
idSEC_INT   gidNumber   s na
users SEC_LISTmemberm na
 
 
 
 
LDAP User lookup
root@aix:/home/root  lsuser -f -R LDAP 0016751
0016751:
id=1329001106
pgrp=0016751
groups=0016751
home=/home/0016751
shell=/bin/bash
gecos=David Beck
login=true
su=true
rlogin=true
daemon=true
admin=false
sugroups=ALL
admgroups=
tpath=nosak
ttys=ALL
expires=0
auth1=SYSTEM
auth2=NONE
   umask=77
registry=LDAP
SYSTEM=compat or LDAP
logintimes=
loginretries=3
pwdwarntime=14
account_locked=false

 
 
 
LDAP Group lookup
root@aix:/home/root  lsgroup -R LDAP aix-admins
aix-admins 
id=1329004961users=0016066,0016751,0002885,0016896,0016304,0014269,0015513,0015611,0016721registry=LDAP
 
User Group lookup
root@aix:/home/root  groups 0016751
0016751 : 0016751
 
 
From the IDM server:
[root@idm1-corp-p1 ~]# ipa user-show 0016751
  User login: 0016751
  First name: David
  Last name: Beck
  Home directory: /home/0016751
  Login shell: /bin/bash
  Email address: david.b...@abc.com
  UID: 1329001106
  GID: 1329001106
  Telephone Number: 555-555-
  Job Title: 
  Account disabled: False
  Password: True
  Member of groups: unixss, linux-admins, aix-admins, smb-linfs-linadm, 
tam-admins
  Roles: IPA Administration
  Member of Sudo rule: nmap-intaudit
  Member of HBAC rule: aix-sshd-test
  Indirect Member of group: smb-linfs
  Indirect Member of Sudo rule: serverAdmin
  Indirect Member of HBAC rule: ssh_all, cvs_access
  Kerberos keys available: True
 -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] AIX client integration

2015-03-26 Thread Alexander Bokovoy


On Thu, 26 Mar 2015, David Beck wrote:

All,

This for anyone using AIX clients with freeipa.  I have the client up
and running just fine (No KRB5, AIX Bug); however I cannot seem to get

If you mean inability to use GSSAPI authentication against LDAP, it is not
a bug in AIX. Rather, it is a bug in CyrusSASL which is fixed in
RHEL-6.6.z. We have plans to fix RHEL 7.x too but for your situation an
update is going to help.

https://rhn.redhat.com/errata/RHBA-2015-0721.html


the client to load the groups attributes properly.  The users primary
group shows up in the groups attribute from lsuser but not any
subsequent groups the user is a member of in IPA.  In the outputs
below, I do a lookup for IPA user 0016751and I would expect the groups=
attirbute to match those that are listed in the Member of Groups from
freeipa.

I experiemented with the groups attribute and mapping to the memberOf
ldap attribute in the IPAuser.map file but that hasn't changed the
outcome.  If anyone has any pointers or advice it would ge greatly
appreciated!

Use /var/log/dirsrv/slapd-ABC-COM/access to find out a connection
corresponding to AIX operations around your lookups and show all lines
with the same conn=number element.

Ideally, it would help to get a network trace between AIX and IPA LDAP
server. Given that you are not using SASL GSSAPI and SSL, it should be
easy to see what exactly is requested by AIX and returned by IPA LDAP.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

kinit USER works perfectly; but I can't ssh into the client machine from
the server without it requesting a password.

I think this is a DNS issue, actually. The server isn't resolving the name
of the client, so I'm ssh'ing with the IP address, and that's not going to
work since it's not in the Kerberos db (Cannot determine realm for numeric
host address).

Except, of course, that the server did not get its own valid Kerberos host
certificate. It should, right? during the ipa-client-install --on-master
step of the server install?

In fact, the global DNS config is completely empty. But I'm going to have
to tear down the server and rebuild because it's on the same domain as an
AD server, and ipa-client-install finds that server rather than the new IPA
server by default: that won't work because I want LDAP to dynamically
update the records, and establish a trust with the AD server.
Also we've got 2 linux DNS root servers that act as forwarders. I pointed
the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
to configure IPA to use them properly. SO I'm sure that's where most of my
problems lie.

I've got to RTFM a bit more before I really start asking the right
questions, I think. At that point I'll start a new thread.



thx
anthony

On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek mko...@redhat.com wrote:

 I am not sure what you mean. So are you saying that kinit USER done on
 server
 fails? With what error?

 On 03/26/2015 05:28 PM, Anthony Lanni wrote:
  great, thanks.
 
  On a related note: the server still doesn't get a (client) kerberos
 ticket,
  which means I can't kinit as a user and then log into a client machine
  without a password. Going the other way works fine, however.
 
  thx
  anthony
 
  On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek mko...@redhat.com wrote:
 
  Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
  the
  keyutils dependency fixed anyway :-)
 
  Martin
 
  On 03/25/2015 06:59 PM, Anthony Lanni wrote:
  keyutils is already installed but /bin/keyctl was 0 length (!). Anyway
 I
  reinstalled keyutils and then ran the ipa-server-install again, and
 this
  time it completed without error.
 
  Thanks very much, Martin and Dmitri!
 
  thx
  anthony
 
  On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com
 wrote:
 
  On 03/25/2015 04:11 AM, Dmitri Pal wrote:
  On 03/24/2015 09:17 PM, Anthony Lanni wrote:
  While running ipa-server-install, it's failing out at the end with
 an
  error
  regarding the client install on the server. This happens regardless
 of
  how I
  input the options, but here's the latest command:
 
  ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
  http://EXAMPLE.COM -n example.com http://example.com -p passwd1
  -a
  passwd2 --hostname=ldap-server-01.example.com
  http://ldap-server-01.example.com --forwarder=10.0.1.20
  --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
 
  Runs through the entire setup and gives me this:
 
  [...]
  ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master
  --unattended --domain example.com http://example.com --server
  ldap-server-01.example.com http://ldap-server-01.example.com
  --realm
  EXAMPLE.COM http://EXAMPLE.COM --hostname
  ldap-server-01.example.com
  http://ldap-server-01.example.com
  ipa : DEBUGstdout=
 
  ipa : DEBUGstderr=Hostname: ldap-server-01.example.com
  http://ldap-server-01.example.com
  Realm: EXAMPLE.COM http://EXAMPLE.COM
  DNS Domain: example.com http://example.com
  IPA Server: ldap-server-01.example.com 
  http://ldap-server-01.example.com
  BaseDN: dc=example,dc=com
  New SSSD config will be created
  Configured /etc/sssd/sssd.conf
  Traceback (most recent call last):
File /usr/sbin/ipa-client-install, line 2377, in module
  sys.exit(main())
File /usr/sbin/ipa-client-install, line 2363, in main
  rval = install(options, env, fstore, statestore)
File /usr/sbin/ipa-client-install, line 2135, in install
  delete_persistent_client_session_data(host_principal)
File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 124,
 in
  delete_persistent_client_session_data
  kernel_keyring.del_key(keyname)
File
 /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py,
  line
  99, in del_key
  real_key = get_real_key(key)
File
 /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py,
  line
  45, in get_real_key
  (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING,
 KEYTYPE,
  key],
  raiseonerr=False)
 
  Is keyctl installed? Can you run it manually?
  Any SELinux denials?
 
  You are likely hitting
  https://fedorahosted.org/freeipa/ticket/3808
 
  Please try installing keyutils before running ipa-server-install. It
 is
  fixed
  in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform
 also:
  https://bugzilla.redhat.com/show_bug.cgi?id=1205660
 
  Martin
 
  --
  Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] inserting users via java

2015-03-26 Thread Timothy Worman

On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 03/26/2015 07:37 PM, Timothy Worman wrote:
 Thanks everyone for the input.
 
 I do agree that I don’t like the sound of option 1. I don’t want to be 
 sending CLI commands from a remote host. And option 3 sounds sounds a bit 
 brittle to me.
 
 2 sounds like the most solid option available right now. I like the fact 
 that there’s an existing/working API there. I’ll need to look into 
 converting my objects into json.
 
 This area honestly seems like one of the weakest aspects of freeipa. There 
 really needs to be a way to push known person entities into the directory 
 easily.
 
 There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see 
 as an easy way to manipulate the entries (besides CLI and Web UI). In Python, 
 adding new user is that easy:
 
 ~~~
 from ipalib import api
 from ipalib import errors
 
 api.bootstrap(context='cli')
 api.finalize()
 api.Backend.rpcclient.connect()
 api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
 ~~~
 
 What way would you suggest to make it more conforming to your use case? Are 
 you suggesting REST interface doing the above or something else?

Oh, I think the JSON option is the best one currently available. But I do think 
REST-ful service would be a good idea.

 I would be willing to test option 4 if that is where the future is headed.
 
 Ok, just note that this still means LDAP interface a need to talk in LDAP 
 protocol.

This may not be a bad thing if you’re using an ORM like Webobjects/EOF or 
Cayenne since you can model those ldap entities and simply set their attributes 
and insert. At a lower level JNDI will handle it. I personally prefer this over 
building strings, sending commands, etc.

Tim

 
 Tim
 
 On Mar 24, 2015, at 12:58 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 03/24/2015 01:29 AM, Dmitri Pal wrote:
 On 03/23/2015 05:56 PM, Timothy Worman wrote:
 I have an existing web app built with java/WebObjects that currently 
 handles
 some user/groups tasks with our current directory server (Open 
 Directory). We
 are investigating a move to FreeIPA for our directory services.
 
 Just in mucking around, I’ve found that if I try to insert a new user
 (inetOrgPerson) into into IPA’s implementation, the new user does not 
 inherit
 all the object classes it should. It only inherits the ones leading to
 inetOrgPerson. This does result in a successful inetOrgPerson insertion, 
 but
 that user record does not show up in the Web GUI management tools.
 
 Usually, I have focused on inetOrgPerson because that is where the bulk of
 the info about a user lives.
 
 We have a SQL database that contains people in our organization (used by
 other services), so, we need to be able to leverage that and push users 
 into
 IPA when appropriate and we have an existing app to do this.
 
 Tim W
 
 You have several options:
 1) Call ipa CLI from your application - this is possible right now (but not
 quite nice)
 2) Call ipa JSON API from your application - this is not supported but
 possible. We use python API. You can do it in Java but it will be a lot of 
 work.
 3) Use more elaborate LDAP add commands (with all the object classes 
 needed for
 users). Hard, but doable.
 4) Help us with testing the upcoming feature
 http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
 creating users via simple ldap command in a staging area and them moving 
 them
 to normal users area with automatic creation of missing attributes by 
 means of
 a cron job.
 
 I would vote for 1) as a temp solution and 4) as a longer term one.
 
 I do not fully agree with preferring 1) over 2). Java has libraries for
 JSON-RPC protocol, it should be pretty doable to write a call that calls the
 user_add command.
 
 We are lacking proper documentation for the API, but what you can look in 
 the
 sources or in the Web UI with and see the JSONs sent to the server, if you 
 are
 interested in the real life examples.
 
 Advantage of 2) over 1) is that you get the native objects (strings, arrays,
 numbers) and you do not need to parse it from CLI.
 
 Martin
 
 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Understanding the migration mode

2015-03-26 Thread Prasun Gera

Hello,
I followed
https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords in
order to migrate our NIS installation, and for the most part it worked. The
server responds to ypcat from the NIS clients, and users can log in.
However, I'm seeing a couple of weird issues. Normally, ypcat returns
username:cryptpass:uid:gid:gecos:homedir:shell  for users and
authentication works fine. For new users that were added directly to IPA,
instead of the cryptpass, I see an asterisk(*), which is also
understandable. However, for a couple of migrated users, I'm seeing that
their cyrptpasses have also been replaced with *s (in ypcat's output) over
the course of time. This creates problems for authentication on clients
that haven't been migrated, and they can't log in with their passwords.
These users didn't explicitly call kinit or go to the webui for migration.
Is it normal for the crypt passes to be replaced by *? I migrated a couple
of clients, and these users would have sshed to the migrated clients or
possibly to the server. That didn't seem to affect ypcat's behaviour
directly, and yet that is the only thing I can think of that has any
connection to this.

Regards,
Prasun
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] inserting users via java


On 03/26/2015 07:37 PM, Timothy Worman wrote:

Thanks everyone for the input.

I do agree that I don’t like the sound of option 1. I don’t want to be sending 
CLI commands from a remote host. And option 3 sounds sounds a bit brittle to me.

2 sounds like the most solid option available right now. I like the fact that 
there’s an existing/working API there. I’ll need to look into converting my 
objects into json.

This area honestly seems like one of the weakest aspects of freeipa. There 
really needs to be a way to push known person entities into the directory 
easily.


There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see as 
an easy way to manipulate the entries (besides CLI and Web UI). In Python, 
adding new user is that easy:


~~~
from ipalib import api
from ipalib import errors

api.bootstrap(context='cli')
api.finalize()
api.Backend.rpcclient.connect()
api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
~~~

What way would you suggest to make it more conforming to your use case? Are you 
suggesting REST interface doing the above or something else?



I would be willing to test option 4 if that is where the future is headed.


Ok, just note that this still means LDAP interface a need to talk in LDAP 
protocol.


Tim


On Mar 24, 2015, at 12:58 AM, Martin Kosek mko...@redhat.com wrote:

On 03/24/2015 01:29 AM, Dmitri Pal wrote:

On 03/23/2015 05:56 PM, Timothy Worman wrote:

I have an existing web app built with java/WebObjects that currently handles
some user/groups tasks with our current directory server (Open Directory). We
are investigating a move to FreeIPA for our directory services.

Just in mucking around, I’ve found that if I try to insert a new user
(inetOrgPerson) into into IPA’s implementation, the new user does not inherit
all the object classes it should. It only inherits the ones leading to
inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
that user record does not show up in the Web GUI management tools.

Usually, I have focused on inetOrgPerson because that is where the bulk of
the info about a user lives.

We have a SQL database that contains people in our organization (used by
other services), so, we need to be able to leverage that and push users into
IPA when appropriate and we have an existing app to do this.

Tim W


You have several options:
1) Call ipa CLI from your application - this is possible right now (but not
quite nice)
2) Call ipa JSON API from your application - this is not supported but
possible. We use python API. You can do it in Java but it will be a lot of work.
3) Use more elaborate LDAP add commands (with all the object classes needed for
users). Hard, but doable.
4) Help us with testing the upcoming feature
http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
creating users via simple ldap command in a staging area and them moving them
to normal users area with automatic creation of missing attributes by means of
a cron job.

I would vote for 1) as a temp solution and 4) as a longer term one.


I do not fully agree with preferring 1) over 2). Java has libraries for
JSON-RPC protocol, it should be pretty doable to write a call that calls the
user_add command.

We are lacking proper documentation for the API, but what you can look in the
sources or in the Web UI with and see the JSONs sent to the server, if you are
interested in the real life examples.

Advantage of 2) over 1) is that you get the native objects (strings, arrays,
numbers) and you do not need to parse it from CLI.

Martin




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

Yogesh Sharma wrote:
 Hi,
 
 We are getting error while trying to ssh using users created in IPA server.
 
 root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94

You don't have a Kerberos ticket and you don't have ssh keys for this
user. kinit cm8158 first or get the ssh keys.

You'll need to use the FQDN of the host as well, rather than th IP
address, if using Kerberos.

rob

 mailto:cm8158@52.74.84.94
 OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: /etc/ssh/ssh_config line 19: Applying options for *
 debug2: ssh_connect: needpriv 0
 debug1: Connecting to 52.74.84.94 [52.74.84.94] port 22.
 debug1: Connection established.
 debug1: permanently_set_uid: 0/0
 debug3: Incorrect RSA1 identifier
 debug3: Could not load /root/.ssh/id_rsa as a RSA1 public key
 debug1: identity file /root/.ssh/id_rsa type 1
 debug1: identity file /root/.ssh/id_rsa-cert type -1
 debug1: identity file /root/.ssh/id_dsa type -1
 debug1: identity file /root/.ssh/id_dsa-cert type -1
 debug1: identity file /root/.ssh/id_ecdsa type -1
 debug1: identity file /root/.ssh/id_ecdsa-cert type -1
 debug1: identity file /root/.ssh/id_ed25519 type -1
 debug1: identity file /root/.ssh/id_ed25519-cert type -1
 debug1: Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
 debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c00
 debug2: fd 3 setting O_NONBLOCK
 debug3: load_hostkeys: loading entries for host 52.74.84.94 from file
 /root/.ssh/known_hosts
 debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:89
 debug3: load_hostkeys: loaded 1 keys
 debug3: order_hostkeyalgs: prefer hostkeyalgs:
 ssh-rsa-cert-...@openssh.com
 mailto:ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com
 mailto:ssh-rsa-cert-...@openssh.com,ssh-rsa
 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
 debug2: kex_parse_kexinit: curve25519-sha...@libssh.org
 mailto:curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
 debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com
 mailto:ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com
 mailto:ssh-rsa-cert-...@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-...@openssh.com
 mailto:ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com
 mailto:ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com
 mailto:ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com
 mailto:ssh-ed25519-cert-...@openssh.com,ssh-dss-cert-...@openssh.com
 mailto:ssh-dss-cert-...@openssh.com,ssh-dss-cert-...@openssh.com
 mailto:ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
 debug2: kex_parse_kexinit:
 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com
 mailto:aes128-...@openssh.com,aes256-...@openssh.com
 mailto:aes256-...@openssh.com,chacha20-poly1...@openssh.com
 mailto:chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
 mailto:rijndael-...@lysator.liu.se
 debug2: kex_parse_kexinit:
 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com
 mailto:aes128-...@openssh.com,aes256-...@openssh.com
 mailto:aes256-...@openssh.com,chacha20-poly1...@openssh.com
 mailto:chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
 mailto:rijndael-...@lysator.liu.se
 debug2: kex_parse_kexinit: hmac-md5-...@openssh.com
 mailto:hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com
 mailto:hmac-sha1-...@openssh.com,umac-64-...@openssh.com
 mailto:umac-64-...@openssh.com,umac-128-...@openssh.com
 mailto:umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com
 mailto:hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com
 mailto:hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com
 mailto:hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com
 mailto:hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com
 mailto:hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com
 mailto:umac...@openssh.com,umac-...@openssh.com
 mailto:umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com
 mailto:hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
 debug2: kex_parse_kexinit: hmac-md5-...@openssh.com
 mailto:hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com
 mailto:hmac-sha1-...@openssh.com,umac-64-...@openssh.com
 mailto:umac-64-...@openssh.com,umac-128-...@openssh.com
 mailto:umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Simo Sorce

On Thu, 2015-03-26 at 15:42 +0530, Yogesh Sharma wrote:
 Hi,
 
 We are getting error while trying to ssh using users created in IPA
 server.
 
 root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94

You should use the machine's fully qualified name if you want to login
using GSSAPI/Krb5, an IP address cannot be resolved to a proper key as
keys are registerd into the KDC as
host/machine.fully.qualified.name@REALM.

It's the same thing as with HTTPS, the client need to know the name of
the server in order to be able to properly communicate with it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] subjectAlternitiveName for webservice

Matt . wrote:
 When digging around I see this documentation:
 
 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
 
 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

These are SRV records for the ldap service. Think of it as discovery for
who provides ldap service in the domain. It isn't something used by a
web browser.

I'm no DNS expert (by far) but this example looks a little wonky. I'd
think it should be example.com and not server.example.com. But in any
case it is irrelevant to a browser.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] subjectAlternitiveName for webservice

HI Rob,

Yes something is wrong there I guess.

But still, I actually need to add a SAN to the webserver cert, which
is different I think than the services at least.

So the question there is... how ?

Cheers,

Matt

2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Understanding the migration mode


On 03/26/2015 02:29 PM, Prasun Gera wrote:

Hello,
I followed 
https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords 
in order to migrate our NIS installation, and for the most part it 
worked. The server responds to ypcat from the NIS clients, and users 
can log in. However, I'm seeing a couple of weird issues. Normally, 
ypcat returns username:cryptpass:uid:gid:gecos:homedir:shell  for 
users and authentication works fine. For new users that were added 
directly to IPA, instead of the cryptpass, I see an asterisk(*), which 
is also understandable. However, for a couple of migrated users, I'm 
seeing that their cyrptpasses have also been replaced with *s (in 
ypcat's output) over the course of time. This creates problems for 
authentication on clients that haven't been migrated, and they can't 
log in with their passwords. These users didn't explicitly call kinit 
or go to the webui for migration. Is it normal for the crypt passes to 
be replaced by *? I migrated a couple of clients, and these users 
would have sshed to the migrated clients or possibly to the server. 
That didn't seem to affect ypcat's behaviour directly, and yet that is 
the only thing I can think of that has any connection to this.


Regards,
Prasun




Based on what you describe I assume that you:
- Migrated users to IPA
- Enabled slapi-nis plugin
- Use old clients with slapi-nis as a NIS server and expect to be able 
to authenticate with new and old users against IPA NIS map.


Right?

So the authentication does not work and this is by design since 
passwords in files are insecure and distributing them centrally as NIS 
did is security problem.
The suggestion is to change the authentication method on old clients to 
LDAP or Kerberos first, whatever they support (they usually do even if 
they are quite old), and leave NIS for identity information only since 
some old clients do not support LDAP for that part and only support NIS.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Log filling up a couple of times per day


On 03/26/2015 05:37 PM, Matt . wrote:

Hi Guys,

I'm facing every day a fast filling log of:

/var/log/krb5kdc.log
/var/log/dirsrv/slapd-DOMAIN/access*

I need to remove the files and restart ipa. The kerberos log is
filling up most, the access logs are quite fast on 100MB and a new one
is created.

Now I do some LDAP loging/logout per day, servers that chedck if they
are registered for SSSD so that it logs it is normal, but I want to
get rid of it I guess.

I'm throwing out I think about 6GB per day of logs, all loglevels are low.

Any idea ?

It's 3.x on CentOS 6.6

Any idea ?

Thanks Matt

Do you have some services that are repeatedly doing something kerberos 
related and failing?
I guess getting a snippet of the kerberos log would give some hint on 
what is it logging all the time.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] inserting users via java


On 03/26/2015 03:19 PM, Timothy Worman wrote:

On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote:

On 03/26/2015 07:37 PM, Timothy Worman wrote:

Thanks everyone for the input.

I do agree that I don’t like the sound of option 1. I don’t want to be sending 
CLI commands from a remote host. And option 3 sounds sounds a bit brittle to me.

2 sounds like the most solid option available right now. I like the fact that 
there’s an existing/working API there. I’ll need to look into converting my 
objects into json.

This area honestly seems like one of the weakest aspects of freeipa. There 
really needs to be a way to push known person entities into the directory 
easily.

There may be some disconnect, the JSONRPC/XMLRPC API is the way we still see as 
an easy way to manipulate the entries (besides CLI and Web UI). In Python, 
adding new user is that easy:

~~~
from ipalib import api
from ipalib import errors

api.bootstrap(context='cli')
api.finalize()
api.Backend.rpcclient.connect()
api.Command['user_add'](u'newuser', givenname=u'New', sn=u'User')
~~~

What way would you suggest to make it more conforming to your use case? Are you 
suggesting REST interface doing the above or something else?

Oh, I think the JSON option is the best one currently available. But I do think 
REST-ful service would be a good idea.


I would be willing to test option 4 if that is where the future is headed.

Ok, just note that this still means LDAP interface a need to talk in LDAP 
protocol.

This may not be a bad thing if you’re using an ORM like Webobjects/EOF or 
Cayenne since you can model those ldap entities and simply set their attributes 
and insert. At a lower level JNDI will handle it. I personally prefer this over 
building strings, sending commands, etc.


So this will be ready upstream within several weeks or so. Would you 
test it once it it is available before the official upstream release?



Tim


Tim


On Mar 24, 2015, at 12:58 AM, Martin Kosek mko...@redhat.com wrote:

On 03/24/2015 01:29 AM, Dmitri Pal wrote:

On 03/23/2015 05:56 PM, Timothy Worman wrote:

I have an existing web app built with java/WebObjects that currently handles
some user/groups tasks with our current directory server (Open Directory). We
are investigating a move to FreeIPA for our directory services.

Just in mucking around, I’ve found that if I try to insert a new user
(inetOrgPerson) into into IPA’s implementation, the new user does not inherit
all the object classes it should. It only inherits the ones leading to
inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
that user record does not show up in the Web GUI management tools.

Usually, I have focused on inetOrgPerson because that is where the bulk of
the info about a user lives.

We have a SQL database that contains people in our organization (used by
other services), so, we need to be able to leverage that and push users into
IPA when appropriate and we have an existing app to do this.

Tim W


You have several options:
1) Call ipa CLI from your application - this is possible right now (but not
quite nice)
2) Call ipa JSON API from your application - this is not supported but
possible. We use python API. You can do it in Java but it will be a lot of work.
3) Use more elaborate LDAP add commands (with all the object classes needed for
users). Hard, but doable.
4) Help us with testing the upcoming feature
http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
creating users via simple ldap command in a staging area and them moving them
to normal users area with automatic creation of missing attributes by means of
a cron job.

I would vote for 1) as a temp solution and 4) as a longer term one.

I do not fully agree with preferring 1) over 2). Java has libraries for
JSON-RPC protocol, it should be pretty doable to write a call that calls the
user_add command.

We are lacking proper documentation for the API, but what you can look in the
sources or in the Web UI with and see the JSONs sent to the server, if you are
interested in the real life examples.

Advantage of 2) over 1) is that you get the native objects (strings, arrays,
numbers) and you do not need to parse it from CLI.

Martin



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?


On 03/26/2015 08:18 AM, Coy Hile wrote:


Quoting Andrew Holway andrew.hol...@gmail.com:



When I look at the SPEC file for freeipa-4.1.3, I see requirements
around Systemd.  Is that really a hard requirement, or is it 
possible to

run newer FreeIPA (that is to say 4.x) on a host that hasn't been
infested by systemd



From an SELinux standpoint systemd is far superior to initd as it 
allows

far more graceful domain transitions.

Apart from the binary logging and it being a bit monolithic; I really 
don't

understand the anit-systemd crowd problems. Its advantages over the now
ancient initd seem to be obvious.


hijack
The binary logging is a big problem. Log to the filesystem usefully, 
or log to
syslog. Then one can get that data into Splunk or similar.  Aside from 
that,
systemd feels like the answer to the question no one asked.  It's a 
bit like
what Oracle has done to bastardize smf(5) in Oracle Solaris 11 over 
what was

there in Solaris 10 (and the former OpenSolaris, now illumos). The S10
incarnation was awesome, even though the definition of service 
manifests in xml
makes me want to claw my eyes out. Oracle's Microsoftened embrace and 
extend?

Yeah, not so much

For full disclosure here, the reason I was enquiring about support on 
CentOS 6 is
because my virtualization platform of choice is SmartOS.  For CentOS 6 
and Ubuntu
14.04, I am able to use a 'Branded zone' natively without having to 
add the KVM
hardware emulation layer in there, implying better network and IO 
performance.
That said, for this particular case, the KVM overhead really doesn't 
matter since
a box that's only doing LDAP and kerb really needn't be all that 
beefy.  Hell, I
could probably run an authoritative KDC for ATHENA.MIT.EDU on an rpi 
if I were so

inclined.
/hijack

Understanding the reason behind the requirements is quite helpful, so 
thanks to all
who provided that.  I'll work with Joyent to add systemd support to 
the lx brand,
and in the meantime, I'll just deploy on KVM infrastructure and take 
the hit.  I
assume there's no good reason to deploy a net new setup using the 3.x 
release?


-c

We recommend using latest - 4.1.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] subjectAlternitiveName for webservice

Hi Rob,

Thank you very much!

I think this will work out as it's only https traffic.

I will report back!

Thanks a lot!

Matt

2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Log filling up a couple of times per day

Hi Guys,

I'm facing every day a fast filling log of:

/var/log/krb5kdc.log
/var/log/dirsrv/slapd-DOMAIN/access*

I need to remove the files and restart ipa. The kerberos log is
filling up most, the access logs are quite fast on 100MB and a new one
is created.

Now I do some LDAP loging/logout per day, servers that chedck if they
are registered for SSSD so that it logs it is normal, but I want to
get rid of it I guess.

I'm throwing out I think about 6GB per day of logs, all loglevels are low.

Any idea ?

It's 3.x on CentOS 6.6

Any idea ?

Thanks Matt

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] subjectAlternitiveName for webservice

Hi,

This should be it and worked for generating the cert with the altname
ldap.domain.tld

When I login and I go to services I get the following:

cannot connect to
'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:
requested domain name does not match the server's certificate.

So I'm a little bit confused here as the certificate contains both hostnames.

A simple wget says the ldap-01 doesn't exist also:

 https://ldap-01.domain.tld/ipa/json
Connecting to ldap-01.domain.tld
(ldap-01.domain.tld)|10.100.0.251|:443... connected.
ERROR: no certificate subject alternative name matches
requested host name 'ldap-01.domain.tld'.
To connect to ldap-01.domain.tld insecurely, use `--no-check-certificate'.



2015-03-26 20:43 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi Rob,

 Thank you very much!

 I think this will work out as it's only https traffic.

 I will report back!

 Thanks a lot!

 Matt

 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] subjectAlternitiveName for webservice

OK some new update:

When I do a curl -k https://ldap.domain.tld/ipa/config/ca.crt I get a
301 to https://ldap-01.core.prod.msp.cullie.local/ipa/config/ca.crt

But when I visit the https://ldap.domain.tld/ipa/config/ca.crt with my
browser it just works fine.

2015-03-26 22:11 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 This should be it and worked for generating the cert with the altname
 ldap.domain.tld

 When I login and I go to services I get the following:

 cannot connect to
 'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial':
 (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:
 requested domain name does not match the server's certificate.

 So I'm a little bit confused here as the certificate contains both hostnames.

 A simple wget says the ldap-01 doesn't exist also:

  https://ldap-01.domain.tld/ipa/json
 Connecting to ldap-01.domain.tld
 (ldap-01.domain.tld)|10.100.0.251|:443... connected.
 ERROR: no certificate subject alternative name matches
 requested host name 'ldap-01.domain.tld'.
 To connect to ldap-01.domain.tld insecurely, use `--no-check-certificate'.



 2015-03-26 20:43 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi Rob,

 Thank you very much!

 I think this will work out as it's only https traffic.

 I will report back!

 Thanks a lot!

 Matt

 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

ah, ok. So I'm going to assume the problem with my server not being able to
get a DNS record for any of the clients is why the user can't ssh into the
clients.

Thanks for the help, everyone!

thx
anthony

On Thu, Mar 26, 2015 at 10:44 AM, Rob Crittenden rcrit...@redhat.com
wrote:

 Anthony Lanni wrote:
  I'm referring to the host certificate; I was looking at the web UI,
  under Identity-Hosts in the server details page. The Host Certificate
  section says 'No Valid Certificate'.
  The server has a /etc/krb5.keytab file, and on the same page the
  Enrollment section says 'Kerberos Key Present, Host Provisioned'.

 No, masters never got this certificate issued. It was intended to be an
 alternate way to authenticate a host to IPA. The host certificate is not
 used by IPA currently, and in 4.1 one isn't issued for clients by
 default any more.

 rob

 
  thx
  anthony
 
  thx
  anthony
 
  On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek mko...@redhat.com
  mailto:mko...@redhat.com wrote:
 
  On 03/26/2015 05:52 PM, Anthony Lanni wrote:
   kinit USER works perfectly; but I can't ssh into the client
 machine from
   the server without it requesting a password.
  
   I think this is a DNS issue, actually. The server isn't resolving
 the name
   of the client, so I'm ssh'ing with the IP address, and that's not
 going to
   work since it's not in the Kerberos db (Cannot determine realm
 for numeric
   host address).
 
  So it looks like you have found your problem - Kerberos tends to
  break if DNS
  is not set properly.
 
   Except, of course, that the server did not get its own valid
 Kerberos host
   certificate. It should, right? during the ipa-client-install
 --on-master
   step of the server install?
 
  Are you asking about host certificate or a Kerberos keytab
  (/etc/krb5.keytab)?
  They are 2 distinct things.
 
   In fact, the global DNS config is completely empty. But I'm going
 to have
   to tear down the server and rebuild because it's on the same
 domain as an
   AD server, and ipa-client-install finds that server rather than
 the new IPA
   server by default: that won't work because I want LDAP to
 dynamically
   update the records, and establish a trust with the AD server.
   Also we've got 2 linux DNS root servers that act as forwarders. I
 pointed
   the IPA server at them, but I don't know enough about FreeIPA or
 DNS/Bind
   to configure IPA to use them properly. SO I'm sure that's where
 most of my
   problems lie.
  
   I've got to RTFM a bit more before I really start asking the right
   questions, I think. At that point I'll start a new thread.
 
  Ok :-)
 
  Martin
 
  
  
  
   thx
   anthony
  
   On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek mko...@redhat.com
  mailto:mko...@redhat.com wrote:
  
   I am not sure what you mean. So are you saying that kinit USER
  done on
   server
   fails? With what error?
  
   On 03/26/2015 05:28 PM, Anthony Lanni wrote:
   great, thanks.
  
   On a related note: the server still doesn't get a (client)
 kerberos
   ticket,
   which means I can't kinit as a user and then log into a client
  machine
   without a password. Going the other way works fine, however.
  
   thx
   anthony
  
   On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek mko...@redhat.com
  mailto:mko...@redhat.com wrote:
  
   Ok, thanks for reaching back. BTW, next RHEL-6 minor release
  should have
   the
   keyutils dependency fixed anyway :-)
  
   Martin
  
   On 03/25/2015 06:59 PM, Anthony Lanni wrote:
   keyutils is already installed but /bin/keyctl was 0 length
  (!). Anyway
   I
   reinstalled keyutils and then ran the ipa-server-install
  again, and
   this
   time it completed without error.
  
   Thanks very much, Martin and Dmitri!
  
   thx
   anthony
  
   On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek
  mko...@redhat.com mailto:mko...@redhat.com
   wrote:
  
   On 03/25/2015 04:11 AM, Dmitri Pal wrote:
   On 03/24/2015 09:17 PM, Anthony Lanni wrote:
   While running ipa-server-install, it's failing out at the
  end with
   an
   error
   regarding the client install on the server. This happens
  regardless
   of
   how I
   input the options, but here's the latest command:
  
   ipa-server-install --setup-dns -N --idstart=1000 -r
  EXAMPLE.COM http://EXAMPLE.COM
   http://EXAMPLE.COM -n example.com http://example.com
  http://example.com -p passwd1
   -a
   passwd2 --hostname=ldap-server-01.example.com
  http://ldap-server-01.example.com
   http://ldap-server-01.example.com --forwarder=10.0.1.20
   --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa.

[Freeipa-users] can't specify DNS name or subject in cert request in FreeIPA 3.3

2015-03-26 Thread Steve Neuharth

I'm trying to specify a subject name in a cert request like this:

ipa-getcert request -K HTTP/web.test.org -N *cn=www.test.org
http://www.test.org,o=TEST.ORG http://TEST.ORG* -f /tmp/webserver.crt
-k /tmp/webprivate.key -r

or like this

ipa-getcert request -K HTTP/web.test.org -D www.test.org -f
/tmp/webserver.crt -k /tmp/webprivate.key -r

The resulting certificate, however, just has the hostname of the server
like this:

Request ID '20150326060555':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/tmp/webprivate.key'
certificate: type=FILE,location='/tmp/webserver.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TEST.ORG
subject: *CN=web.test.org http://web.test.org,O=TEST.ORG
http://TEST.ORG*
expires: 2017-03-26 05:46:29 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

Is this a bug or am I doing something wrong in certmonger?

--steve
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] inserting users via java

2015-03-26 Thread Timothy Worman

Thanks everyone for the input.

I do agree that I don’t like the sound of option 1. I don’t want to be sending 
CLI commands from a remote host. And option 3 sounds sounds a bit brittle to 
me. 

2 sounds like the most solid option available right now. I like the fact that 
there’s an existing/working API there. I’ll need to look into converting my 
objects into json.

This area honestly seems like one of the weakest aspects of freeipa. There 
really needs to be a way to push known person entities into the directory 
easily. I would be willing to test option 4 if that is where the future is 
headed.

Tim

 On Mar 24, 2015, at 12:58 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 03/24/2015 01:29 AM, Dmitri Pal wrote:
 On 03/23/2015 05:56 PM, Timothy Worman wrote:
 I have an existing web app built with java/WebObjects that currently handles
 some user/groups tasks with our current directory server (Open Directory). 
 We
 are investigating a move to FreeIPA for our directory services.
 
 Just in mucking around, I’ve found that if I try to insert a new user
 (inetOrgPerson) into into IPA’s implementation, the new user does not 
 inherit
 all the object classes it should. It only inherits the ones leading to
 inetOrgPerson. This does result in a successful inetOrgPerson insertion, but
 that user record does not show up in the Web GUI management tools.
 
 Usually, I have focused on inetOrgPerson because that is where the bulk of
 the info about a user lives.
 
 We have a SQL database that contains people in our organization (used by
 other services), so, we need to be able to leverage that and push users into
 IPA when appropriate and we have an existing app to do this.
 
 Tim W
 
 You have several options:
 1) Call ipa CLI from your application - this is possible right now (but not
 quite nice)
 2) Call ipa JSON API from your application - this is not supported but
 possible. We use python API. You can do it in Java but it will be a lot of 
 work.
 3) Use more elaborate LDAP add commands (with all the object classes needed 
 for
 users). Hard, but doable.
 4) Help us with testing the upcoming feature
 http://www.freeipa.org/page/V4/User_Life-Cycle_Management that would allow
 creating users via simple ldap command in a staging area and them moving them
 to normal users area with automatic creation of missing attributes by means 
 of
 a cron job.
 
 I would vote for 1) as a temp solution and 4) as a longer term one.
 
 I do not fully agree with preferring 1) over 2). Java has libraries for
 JSON-RPC protocol, it should be pretty doable to write a call that calls the
 user_add command.
 
 We are lacking proper documentation for the API, but what you can look in the
 sources or in the Web UI with and see the JSONs sent to the server, if you are
 interested in the real life examples.
 
 Advantage of 2) over 1) is that you get the native objects (strings, arrays,
 numbers) and you do not need to parse it from CLI.
 
 Martin


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Unexpected IPA Crashes

2015-03-26 Thread David Kreuter

We have been using FreeIPA since two years and were more than happy. But since 
two weeks we are facing unexpected crashed and can not really debug the strange 
behaviours. The crashes are definitely not caused by connecting a new system or 
changing the LDAP schema heavily. Following IPA is used: 




Name : ipa-server 
Arch : x86_64 
Version : 3.3.3 
Release : 28.0.1.el7.centos.3 
Size : 4.1 M 


I have followed the troubleshooting guide 
http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting and 
activated logging and activated the core dumping. Unfortunately, I cannot 
provide you any core dump, because it is not created after the ipa servers 
crashes. I'm sure the dirsrv is causing the problem, because when i restart the 
389, then ipa works fine for a while. Currently I have activated the 
replication log level 8192. The error log shows no suspicious error or any 
fatal error. Following 389* versions are used: 


Installed Packages 
389-ds-base.x86_64 1.3.3.1-15.el7_1 @/389-ds-base-1.3.3.1-15.el7_1.x86_64 
389-ds-base-debuginfo.x86_64 1.3.1.6-26.el7_0 @base-debuginfo 

389-ds-base-libs.x86_64 1.3.3.1-15.el7_1 


Can you please provide some hint how I can debug this problem in more detail. 
Btw, the ipa infrastructure consist of one master and one replica. The server 
was also crashing, when the replica server was turned off. Do you thing an 
upgrade would solve the problem as the last resort? 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Log filling up a couple of times per day

Hi Dimitri,

I can do, we already analyzed it once.

There is a loadbalancer checking the ldap protocol which seems to be
seen as fail.

Is there a check I can perform on the ldap ports to see if the service
is available without generating the errors ?

I will post a snippet later on if you have no clue.

Thanks,

Matt

2015-03-26 23:01 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/26/2015 05:37 PM, Matt . wrote:

 Hi Guys,

 I'm facing every day a fast filling log of:

 /var/log/krb5kdc.log
 /var/log/dirsrv/slapd-DOMAIN/access*

 I need to remove the files and restart ipa. The kerberos log is
 filling up most, the access logs are quite fast on 100MB and a new one
 is created.

 Now I do some LDAP loging/logout per day, servers that chedck if they
 are registered for SSSD so that it logs it is normal, but I want to
 get rid of it I guess.

 I'm throwing out I think about 6GB per day of logs, all loglevels are low.

 Any idea ?

 It's 3.x on CentOS 6.6

 Any idea ?

 Thanks Matt

 Do you have some services that are repeatedly doing something kerberos
 related and failing?
 I guess getting a snippet of the kerberos log would give some hint on what
 is it logging all the time.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Understanding the migration mode

2015-03-26 Thread Prasun Gera

Yes, that is right. I added the users with ipa user-add [username]
--setattr userpassword={crypt}yourencryptedpass

Actually, the authentication does work for the users added this way. i.e.
Without making any changes to NIS clients. I just repurposed the NIS server
to be the IPA server, turned off the ypserv  yppasswd service, and enabled
the slapi-nis plugin. So far so good, and the NIS clients continue to
function normally. i.e. The NIS plugin on the IPA server DOES distribute
the cryptpasses. I also didn't expect the old NIS clients to authenticate
any new users added to IPA directly, and that is all right. I just want the
clients to function for the existing users until they are migrated. The
only thing that is slightly puzzling is that a couple of users have been
migrated unintentionally, so to speak.

A user can be explicitly migrated to IPA if (s)he generates the kerberos
keys, at which point the slapi-nis stops distributing the crypt pass for
that user. This is what I have observed so far, and it sounds reasonable.
(This can also be confirmed with ipa user-show, which in case of these old
users shows Kerberos keys available: False, which turns to True once
properly migrated. It can also be confirmed from the webui. The old
password won't work in the webui until migrated, and once migrated, NIS
cryptpasses will stop working).

However, what I'm seeing is that in a couple of cases, the users have been
migrated to IPA automatically. Their status shows Kerberos keys available:
True, and their cryptpasses have changed to * in ypcat passwd's output.





On Thu, Mar 26, 2015 at 5:59 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/26/2015 02:29 PM, Prasun Gera wrote:

 Hello,
 I followed
 https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
 in order to migrate our NIS installation, and for the most part it worked.
 The server responds to ypcat from the NIS clients, and users can log in.
 However, I'm seeing a couple of weird issues. Normally, ypcat returns
 username:cryptpass:uid:gid:gecos:homedir:shell  for users and
 authentication works fine. For new users that were added directly to IPA,
 instead of the cryptpass, I see an asterisk(*), which is also
 understandable. However, for a couple of migrated users, I'm seeing that
 their cyrptpasses have also been replaced with *s (in ypcat's output) over
 the course of time. This creates problems for authentication on clients
 that haven't been migrated, and they can't log in with their passwords.
 These users didn't explicitly call kinit or go to the webui for migration.
 Is it normal for the crypt passes to be replaced by *? I migrated a couple
 of clients, and these users would have sshed to the migrated clients or
 possibly to the server. That didn't seem to affect ypcat's behaviour
 directly, and yet that is the only thing I can think of that has any
 connection to this.

  Regards,
 Prasun



 Based on what you describe I assume that you:
 - Migrated users to IPA
 - Enabled slapi-nis plugin
 - Use old clients with slapi-nis as a NIS server and expect to be able to
 authenticate with new and old users against IPA NIS map.

 Right?

 So the authentication does not work and this is by design since passwords
 in files are insecure and distributing them centrally as NIS did is
 security problem.
 The suggestion is to change the authentication method on old clients to
 LDAP or Kerberos first, whatever they support (they usually do even if they
 are quite old), and leave NIS for identity information only since some old
 clients do not support LDAP for that part and only support NIS.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] bind-dyndb-ldap vs DLZ

2015-03-26 Thread Jorgen Lundman



Petr Spacek wrote:
 
 Perfect! I can merge your changes upstream if you send me a patch with your
 changes. It would make your life easier later when you need to pick new code.

Not a problem, I need to figure out why Solaris mkdir returns -1, with
errno = 0. Goes against the manpage and all logic. Checking for ||errno==0
after mkdir fixes it but it is still odd.

I also compiled without krb5. It basically compiled, but running would fail
to find gss/mech_krb5.so  - no idea how that is supposed to link, but since
it was a quick test, I just took it out.

Otherwise it compiled smoothly, some minor linux-ism with linker flags.




 
 Hmm, that might be a challenge. bind-dyndb-ldap code implicitly assumes that
 there is 1:1 mapping between DNS name-LDAP DN. This makes implementation of
 dynamic updates much easier.

Actually yes, I did mean to ask about this too. DLZ-LDAP is pretty much a
read-only setup (for us), so a quick scan of the sources led me to believe
that simple string replacement of idnsName with DNSZoneName (and of
course, all the others), should get a large chunk of it done. The schemas
are quite close, on a whole..

But I was surprised to see bind-dyndb actually modify the LDAP data, for my
test, just idnsSOAserial. What is the purpose of this? I would guess for
zone xfers? By why update LDAP (and not just internal DNS memory), if you
essentially do not use it on restart (just gets updated again on restart,
from the looks of it?)




 the same delay each time I start it. slapd is running on localhost, and is
 otherwise idle. 
 
 Hmm, that stinks! I would be happy to look into it if you can provide me with
 output from a profiler of your choice. (It might be a good idea to profile
 bind-dyndb-ldap together with whole named process to see all the 
 interactions.)

It is in line with what we experience with LDAP generally. If I blow away
the DNS-ldap tree, a full syncrepl update takes about 1 hour. If I remove
the whole LDAP tree, about 4 hours. It is not something that goes faster
with more threads afaik.



 Is it supposed to be able to use the dump-file on exit for faster loads?
 
 Yes, something like that is planned but not implemented yet.

Ah ok great, good to know it is planned. We could probably live with 50
mins startup time, as there are 28 servers in the DNS cluster. Just needs
some care in case they are restarted, or worse, some bug causes coredump
which affects all of them





 [3]
 However, that has a side-effect that, once bind-dyndb is loaded, it will
 also query DLZ+LDAP on negative entries. Thus decreasing the performance to
 3884qps.  Wonder if there is a way to have bind-dyndb ignore DLZ+LDAP /once
 it has loaded/.
 
 Wow, I'm surprised that this combination actually works! I expect that there
 will be some nasty surprises in there, especially when it comes to dynamic
 updates.

I must admit it would be tempting to see if bind-dyndb could issue a
definitive reply (once loaded) for both positive and negative lookups,
thereby causing DLZ-LDAP to be inert. Or making it a feature of bind-dyndb
to use DLZ-LDAP during load. But only in the case that they both use the
same schema and source tree in LDAP.

Feels a bit hackish but just evaluating possible solutions.



-- 
Jorgen Lundman   | lund...@lundman.net
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo| +81 (0)90-5578-8500  (cell)
Japan| +81 (0)3 -3375-1767  (home)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Unexpected IPA Crashes

2015-03-26 Thread Richard Megginson



- Original Message -
 We have been using FreeIPA since two years and were more than happy. But
 since two weeks we are facing unexpected crashed and can not really debug
 the strange behaviours. The crashes are definitely not caused by connecting
 a new system or changing the LDAP schema heavily. Following IPA is used:
 
 
 
 Name : ipa-server
 
 Arch : x86_64
 
 Version : 3.3.3
 
 Release : 28.0.1.el7.centos.3
 
 Size : 4.1 M
 
 
 
 
 I have followed the troubleshooting guide
 http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting
 and activated logging and activated the core dumping.

Do you see the string segfault in /var/log/messages or in journalctl?

 Unfortunately, I
 cannot provide you any core dump, because it is not created after the ipa
 servers crashes. I'm sure the dirsrv is causing the problem, because when i
 restart the 389, then ipa works fine for a while. Currently I have activated
 the replication log level 8192. The error log shows no suspicious error or
 any fatal error. Following 389* versions are used:
 
 
 
 
 Installed Packages
 
 389-ds-base.x86_64 1.3.3.1-15.el7_1 @/389-ds-base-1.3.3.1-15.el7_1.x86_64
 
 389-ds-base-debuginfo.x86_64 1.3.1.6-26.el7_0 @base-debuginfo
 
 
 
 389-ds-base-libs.x86_64 1.3.3.1-15.el7_1
 
 
 
 
 Can you please provide some hint how I can debug this problem in more detail.
 Btw, the ipa infrastructure consist of one master and one replica. The
 server was also crashing, when the replica server was turned off. Do you
 thing an upgrade would solve the problem as the last resort?
 
 
 
 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Log filling up a couple of times per day

2015-03-26 Thread Richard Megginson



- Original Message -
 Hi Dimitri,
 
 I can do, we already analyzed it once.
 
 There is a loadbalancer checking the ldap protocol which seems to be
 seen as fail.
 
 Is there a check I can perform on the ldap ports to see if the service
 is available without generating the errors ?

If you just need to check ldap i.e. that port 389 is listening:

ldapsearch -xLLL -h ldaphost -s base -b  objectclass=* 1.1

That will still log to the directory server access log.

 
 I will post a snippet later on if you have no clue.
 
 Thanks,
 
 Matt
 
 2015-03-26 23:01 GMT+01:00 Dmitri Pal d...@redhat.com:
  On 03/26/2015 05:37 PM, Matt . wrote:
 
  Hi Guys,
 
  I'm facing every day a fast filling log of:
 
  /var/log/krb5kdc.log
  /var/log/dirsrv/slapd-DOMAIN/access*
 
  I need to remove the files and restart ipa. The kerberos log is
  filling up most, the access logs are quite fast on 100MB and a new one
  is created.
 
  Now I do some LDAP loging/logout per day, servers that chedck if they
  are registered for SSSD so that it logs it is normal, but I want to
  get rid of it I guess.
 
  I'm throwing out I think about 6GB per day of logs, all loglevels are low.
 
  Any idea ?
 
  It's 3.x on CentOS 6.6
 
  Any idea ?
 
  Thanks Matt
 
  Do you have some services that are repeatedly doing something kerberos
  related and failing?
  I guess getting a snippet of the kerberos log would give some hint on what
  is it logging all the time.
 
  --
  Thank you,
  Dmitri Pal
 
  Sr. Engineering Manager IdM portfolio
  Red Hat, Inc.
 
  --
  Manage your subscription for the Freeipa-users mailing list:
  https://www.redhat.com/mailman/listinfo/freeipa-users
  Go to http://freeipa.org for more info on the project
 
 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project
 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Jakub Hrozek

On Thu, Mar 26, 2015 at 07:47:34PM +0530, Yogesh Sharma wrote:
 Once I manually initialize the user Ticket on IPA Server using kinit
 username, I am able to login with and without FQDN.

It's expected that IPA users are created with expired password. But SSSD
should have prompted you for a password change if you logged in the
first time you logged in with the expired password...as seen from the
krb5_child.log, it got the correct response from the KDC..

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Natxo Asenjo

On Thu, Mar 26, 2015 at 3:12 PM, Yogesh Sharma yks0...@gmail.com wrote:

 Thanks, but when I trying to use admin user (default user created by IPA),
 I am able to login. The issue is happening only with new users we are
 trying to create.

 (Thu Mar 26 19:30:52 2015) [[sssd[krb5_child[13625 [get_and_save_tgt]
 (0x0020): 981: [-1765328361][Password has expired]
 (Thu Mar 26 19:30:55 2015) [[sssd[krb5_child[13625 [map_krb5_error]
 (0x0020): 1043: [-1765328360][Preauthentication failed]


password expired?

-- 
regards,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

Hi Jakub,

SSSD prompted to change the password. After changing the password, when we
try to ssh again using the new password, it failed.






*Best Regards,__*

*Yogesh Sharma*
*Email: yks0...@gmail.com yks0...@gmail.com | Web: www.initd.in
http://www.initd.in*

RHCE, VCE-CIA, RackSpace Cloud U
[image: My LinkedIn Profile] http://in.linkedin.com/in/yks


On Thu, Mar 26, 2015 at 7:55 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Thu, Mar 26, 2015 at 07:47:34PM +0530, Yogesh Sharma wrote:
  Once I manually initialize the user Ticket on IPA Server using kinit
  username, I am able to login with and without FQDN.

 It's expected that IPA users are created with expired password. But SSSD
 should have prompted you for a password change if you logged in the
 first time you logged in with the expired password...as seen from the
 krb5_child.log, it got the correct response from the KDC..

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-26 Thread Guertin, David S.

I would like to just clarify tis a bit. The support to lookup up secondary 
groups
(the group list the id command shows) for user which never authenticated
was added in 7.1/6.7.

Thanks. This makes sense, and indeed with Client 1 I can indeed log in, and id 
'MIDD\juser' shows all the groups again.

However, logins to Client 2 (also running RHEL 6.6 and sssd 1.11.6) still fail, 
and id 'MIDD\juser' on that client shows only local IPA groups, not AD groups.

And logins to Client 3 also fail, and id 'MIDD\juser' there shows No such 
user. (This is the RHEL 5 box with sssd 1.5.1.) So we're back to my original 
problem of three clients all behaving differently.

David, the IPA clients will connect the IPA server to get the user data.
This means if the server cannot resolve the user the clients cannot either. So
the IPA server should be checked first.

All three servers can resolve the user. The user can log in to all the servers 
and id 'MIDD\juser' shows the correct AD groups.

You said that you have three IPA servers (master and replicas). Did you run
ipa-adtrust-install on all server? If not, please do. If you are not sure, 
running
ipa-adtrust-install multiple times does not so any harm.

Yes, the trust relationship is set up correctly on all three servers, and ipa 
trust-find --all gives identical results on all three servers, correctly 
showing the trust relationship with our AD domain.

 Since you are using RHEL-6 clients I assume your IPA servers are on
RHEL-6 as well. 

No, the servers are all running RHEL 7.1, so we're not using winbind at all -- 
just sssd.

The clients are a mix of RHEL 6 and RHEL 5 machines.

David Guertin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] subjectAlternitiveName for webservice

Matt . wrote:
 HI Rob,
 
 Yes something is wrong there I guess.

In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.
 
 So the question there is... how ?

What webserver cert? Are you trying to load balance the IPA services via
DNS?

Not knowing what you want, I'm just answering what you are ASKING. That
is not the same as giving a proper answer. I have the feeling you want
to load balance IPA in general which isn't going to work without a ton
of (ongoing) manual effort. Even Microsoft recommends against trying
this in its AD environment: http://support.microsoft.com/en-us/kb/325608

In any case, the instructions I've already provided still apply.

If you want to replace the Apache webserver cert you'll just need to do
a couple of things first which has the potential of completely breaking
IPA, so you'll need to be careful.

Before you do anything, backup *.db in /etc/httpd/alias.

Stop tracking the Apache cert in certmonger:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

Delete the existing cert:

# certutil -D -d /etc/httpd/alias -n Server-Cert

Like I said, destructive.

Finally use certmonger to get a new cert that includes a SAN. The syntax
is slightly different than before, mostly because I'm just guessing in
the dark because you aren't including enough details into what you're
trying.

# ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
-K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

In this case the IPA server is ipa1.example.com and you're creating a
SAN for ipa.example.com.

Restart httpd.

Note that this doesn't solve the Kerberos problem so cli access will
still not work as expected. The UI _might_ work using forms-based
authentication.

I'd strongly urge you to think about the top of this e-mail before
proceeding onto the bottom.

rob

 
 Cheers,
 
 Matt
 
 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

This message is coming as user is trying to login for first time. IPA Admin
has set a password and when user try to login it will prompt to change.
sssd log it as password expired.




*Best Regards,__*

*Yogesh Sharma*
*Email: yks0...@gmail.com yks0...@gmail.com | Web: www.initd.in
http://www.initd.in*

RHCE, VCE-CIA, RackSpace Cloud U
[image: My LinkedIn Profile] http://in.linkedin.com/in/yks


On Thu, Mar 26, 2015 at 7:55 PM, Natxo Asenjo natxo.ase...@gmail.com
wrote:



 On Thu, Mar 26, 2015 at 3:12 PM, Yogesh Sharma yks0...@gmail.com wrote:

 Thanks, but when I trying to use admin user (default user created by
 IPA), I am able to login. The issue is happening only with new users we are
 trying to create.

 (Thu Mar 26 19:30:52 2015) [[sssd[krb5_child[13625 [get_and_save_tgt]
 (0x0020): 981: [-1765328361][Password has expired]
 (Thu Mar 26 19:30:55 2015) [[sssd[krb5_child[13625 [map_krb5_error]
 (0x0020): 1043: [-1765328360][Preauthentication failed]


 password expired?

 --
 regards,
 natxo

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Jakub Hrozek

On Thu, Mar 26, 2015 at 08:05:03PM +0530, Yogesh Sharma wrote:
 Hi Jakub,
 
 SSSD prompted to change the password. After changing the password, when we
 try to ssh again using the new password, it failed.

And what do the logs say then, with the new password?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

I have tried with FQDN of host also as registered, but error remain same:

(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730 [unpack_buffer]
(0x0100): cmd [241] uid [131284] gid [131284] validate [true]
enterprise principal [false] offline [false] UPN [te...@sd.int]
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_131284_XX] keytab:
[/etc/krb5.keytab]
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
dns-inf-stg-sg1-01.sd@sd.int]
(Thu Mar 26 19:43:02 2015) [[sssd[krb5_child[13730 [get_and_save_tgt]
(0x0020): 981: [-1765328361][Password has expired]
(Thu Mar 26 19:43:06 2015) [[sssd[krb5_child[13730 [map_krb5_error]
(0x0020): 1043: [-1765328360][Preauthentication failed]
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [child_sig_handler] (0x0100):
child [13730] finished successfully.
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [ipa_get_migration_flag_done]
(0x0100): Password migration is not enabled.
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 17, NULL) [Success]





Once I manually initialize the user Ticket on IPA Server using kinit
username, I am able to login with and without FQDN.


[root@ldap-inf-stg-sg1-01 lib]# kinit test1
Password for te...@sd.int:
Password expired.  You must change it now.
Enter new password:
Enter it again:
Password change rejected: Password is too short

Password not changed..  Please try again.

Enter new password:
Enter it again:


root@yogesh-ubuntu-pc:/home/yogesh# ssh te...@dns-inf-stg-sg1-01.sd.int
te...@dns-inf-stg-sg1-01.sd.int's password:
Last login: Thu Mar 26 19:45:36 2015 from 125.63.90.34
-sh-4.1$ logout
Connection to dns-inf-stg-sg1-01.sd.int closed.


root@yogesh-ubuntu-pc:/home/yogesh# ssh test1@52.74.84.94
test1@52.74.84.94's password:
Last login: Thu Mar 26 19:45:55 2015 from 125.63.90.34
-sh-4.1$





*Best Regards,__*

*Yogesh Sharma*
*Email: yks0...@gmail.com yks0...@gmail.com | Web: www.initd.in
http://www.initd.in*

RHCE, VCE-CIA, RackSpace Cloud U
[image: My LinkedIn Profile] http://in.linkedin.com/in/yks


On Thu, Mar 26, 2015 at 7:42 PM, Yogesh Sharma yks0...@gmail.com wrote:

 Thanks, but when I trying to use admin user (default user created by IPA),
 I am able to login. The issue is happening only with new users we are
 trying to create.



 ===
 TEST user Login Logs:

 (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
 Requesting info for [t...@sd.int]
 (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [be_get_account_info]
 (0x0100): Got request for [4097][1][name=test]
 (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str]
 (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
 (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
 Requesting info for [t...@sd.int]
 (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
 Requesting info for [test] from [ALL]
 (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
 Requesting info for [t...@sd.int]
 (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
 Requesting info for [test] from [ALL]
 (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
 Requesting info for [t...@sd.int]
 (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
 entering pam_cmd_authenticate
 (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
 PAM_AUTHENTICATE
 (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
 not set
 (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): user:
 test
 (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
 sshd
 (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
 (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
 not set
 (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
 125.63.90.34
 (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
 type: 1
 (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data]

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

Thanks, but when I trying to use admin user (default user created by IPA),
I am able to login. The issue is happening only with new users we are
trying to create.



===
TEST user Login Logs:

(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [t...@sd.int]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [be_get_account_info]
(0x0100): Got request for [4097][1][name=test]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str]
(0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [t...@sd.int]
(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [test] from [ALL]
(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [t...@sd.int]
(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [test] from [ALL]
(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [t...@sd.int]
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
entering pam_cmd_authenticate
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
sshd
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
125.63.90.34
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
13615
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=test]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str]
(0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str]
(0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [t...@sd.int]
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
sd.int
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
sshd
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
125.63.90.34
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
13615
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [be_pam_handler] (0x0100):
Got

Re: [Freeipa-users] ipa-client-install failing on new ipa-server