Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-29 Thread g . fer . ordas


Hey Guys

Not sure if I am missing any bit but this was the thing in the end:


http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html

I managed to have it working and I have documented all those nasty bits
which might save people's time. The whole weekend is gone, but at least it
has been productive.


I am including the SUDO bit, which is usually a pain in my experience.

Thanks




On 2015-03-26 08:31, Jakub Hrozek wrote:

If you have SSSD 1.9.6 or newer all the sudo configuration boils down
to including 'sss' for 'sudoers' in nsswitch.conf and
sudo_provider=ipa in sssd.conf.

You also need a reasonably recent sudo itself. Posting versions of
SSSD and sudo would help.

- Original Message -
From: "Gonzalo Fernandez Ordas" 
To: "Rob Crittenden" , d...@redhat.com
Cc: freeipa-users@redhat.com
Sent: Thursday, 26 March, 2015 6:21:19 AM
Subject: Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD


I have to test a few options to see how I can overcome that issue.
A pity, as I nearly got everything set up in full.
Any findings I will get back to the list, as this might be relevant for
other users.


On 25/03/2015 19:56, Rob Crittenden wrote:

Gonzalo Fernandez Ordas wrote:

Exactly the document I was having a look at.
In simple words, is it possible to work around this, and how?
Otherwise I have to drop FreeIPA and get back to 389-ds, as it still seems
fully LDAP/SSSD compatible.

Have you got any doc clearly stating how to get this done?
I really invested many days in reaching this far, sudo being the last
tiny bit to get sorted, which is hugely frustrating.

How to configure sudo largely depends on the version of SSSD you have in
Ubuntu. I'm not sure how configuring SSSD is going to affect your choice
of server though. If you still use SSSD the same problem will exist
regardless, right?

rob


Thanks for all the support
Sent from Type Mail 

On Mar 25, 2015, at 5:35 PM, Dmitri Pal <d...@redhat.com> wrote:

On 03/25/2015 08:32 PM, g.fer.or...@unicyber.co.uk wrote:

Hi

I am setting up a plain and simple sssd service against my FreeIPA Server.
The FreeIPA Server is a CentOS 7.1 box with IPA version 4.1 and the
client box is Ubuntu 12.04.5 LTS.

The users and credentials are being synced out of an AD server (the
passwords happened to be transferred using the PassSync service).

Now.. I wanted to set up a very simple sssd service (not the FreeIPA
client service), and so far I have succeeded in syncing the users along
with the passwords using SSSD.

Now, trying to get the sudo access sorted, I cannot see that working,
and I came across some documentation mentioning SSSD is NOT currently
supporting the IPA schema for the sudoers.
If that is the case, can anybody point me to the right document or
procedure in terms of also getting the sudoers installed?

Would it be possible, somehow, to have this sorted WITHOUT using the
ipa-client?

Many thanks!



 
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf








--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
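The two conditions Jakub names in the quoted reply (sss listed for sudoers in nsswitch.conf, sudo_provider=ipa in sssd.conf) as a check you can run against a client. This is an added example, not code from the thread or from SSSD; it parses constructed sample files and additionally checks that the sudo responder is enabled in the [sssd] services list, which SSSD releases of that era (1.9.x) need; domain and server names are placeholders.

```python
"""Check that a client is set up to get its sudo rules from FreeIPA through SSSD.

Added example, not code from the thread. It applies the two conditions named in
the thread, 'sss' listed for 'sudoers' in nsswitch.conf and sudo_provider = ipa
in the domain section of sssd.conf, and additionally checks that the sudo
responder is enabled in the [sssd] services list, which SSSD releases of that
era (1.9.x) need before sudo can ask it anything. All file contents below are
constructed samples; domain and server names are placeholders.
"""
import configparser
from typing import Dict, List

# Constructed sample: nsswitch.conf that still sends sudoers lookups to files only.
NSSWITCH_BROKEN = """\
passwd:     files sss
group:      files sss
sudoers:    files
"""

# Constructed sample: the same file with 'sss' added for sudoers.
NSSWITCH_FIXED = """\
passwd:     files sss
group:      files sss
sudoers:    files sss
"""

# Constructed sample sssd.conf for an IPA-enrolled client (placeholder names).
SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
sudo_provider = ipa
ipa_server = ipa.example.test
ipa_domain = example.test
"""


def nsswitch_sources(text: str, database: str) -> List[str]:
    """Lookup sources configured for one nsswitch database, in order."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return sources.split()
    return []


def check_sudo_via_sssd(nsswitch_text: str, sssd_text: str) -> Dict[str, bool]:
    """Return each condition by name so the missing piece is visible, not just a yes/no."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_text)

    def csv(section: str, option: str) -> List[str]:
        raw = cfg.get(section, option, fallback="")
        return [item.strip() for item in raw.split(",") if item.strip()]

    domains = csv("sssd", "domains")
    # Every configured domain must fetch its sudo rules with the ipa provider.
    provider_ok = bool(domains) and all(
        cfg.get(f"domain/{d}", "sudo_provider", fallback="") == "ipa" for d in domains
    )
    return {
        "nsswitch_sudoers_lists_sss": "sss" in nsswitch_sources(nsswitch_text, "sudoers"),
        "sssd_sudo_responder_enabled": "sudo" in csv("sssd", "services"),
        "sudo_provider_is_ipa": provider_ok,
    }


def sudo_ready(nsswitch_text: str, sssd_text: str) -> bool:
    """True only when all three conditions hold."""
    return all(check_sudo_via_sssd(nsswitch_text, sssd_text).values())


if __name__ == "__main__":
    for label, nss in (("broken", NSSWITCH_BROKEN), ("fixed", NSSWITCH_FIXED)):
        result = check_sudo_via_sssd(nss, SSSD_CONF)
        missing = [name for name, ok in result.items() if not ok]
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Jakub's version caveat still applies: the check says nothing about whether the installed sudo is new enough to use the sss backend at all.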


Re: [Freeipa-users] using dogtag outside of freeIPA?

2015-03-29 Thread Fraser Tweedale
On Fri, Mar 27, 2015 at 03:52:12PM -0500, Steve Neuharth wrote:
> Hello,
> 
> Is it possible or perhaps not recommended to use the dogtag API and/or UI
> on a FreeIPA system without using the freeIPA CLI or UI? I have a
> requirement to submit a certificate to a service without kerberos and
> without client software installed using a RESTful API. Dogtag API is very
> well documented and I do not want to associate all my certificates with a
> Kerberos principal because it adds complexity to the cert signing process.
> I just need to sign a cert without the FreeIPA overhead.
> 
> I tried to get to the Dogtag web UI through the url
> http://ipa.example.com/ca/ee/ca but I get an unauthenticated web page (no
> password prompt) and broken image links. This tells me that perhaps the
> Dogtag UI in a FreeIPA installation is not meant to be used without
> FreeIPA. Is that correct?
> 
The page being unauthenticated is normal - anyone can submit a
certificate request; it is then enqueued for a CA admin or agent to
review and approve/reject.  Alternatively, you can configure a
certificate profile to authenticate against the IPA directory for
automatic approval (but the overall interface will still be
unauthenticated).

The certificate and key for admin access to Dogtag (so you can
approve certificate requests) are found in /root/ca-agent.p12 on the
FreeIPA server.

> I know this is a weird use case and not necessarily a FreeIPA problem but
> if someone could advise, I'd greatly appreciate it.
> --steve



Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-29 Thread Matt .
Hi,

I just got home and am typing from my cell, so I'm quite short in words.

Create keytab for ldap-01.domain
Kinit with that to ldap.domain
Curl against ldap.domain
Get a 301 which I manage from curl (goes well)
Get kerberos ticket error

Now I don't kinit anymore, so I re-use my existing ticket and curl against
ldap-01.domain, and I'm accepted and can execute stuff.

My ssl is OK, ticket also it seems.

Thanks M.
On 30 Mar 2015 03:50, "Dmitri Pal" wrote:

> On 03/29/2015 04:47 AM, Matt . wrote:
>
>> Hi Guys,
>>
>> Now my Certification issues are solved for using a loadbalancer in
>> front of my ipa servers I get the following:
>>
>> Unable to verify your Kerberos credentials
>>
>> and in my logs:
>>
>> Additional pre-authentication required.
>>
>> This happens when I connect through my loadbalancers, I see my server
>> coming in with the right IP.
>>
>> When I access my ipa server directly, not using the loadbalancer IP
>> between it, my kerberos Ticket is valid.
>>
>> I get the feeling that when I use my loadbalancers and because of that
>> I get a 301 redirect it needs a preauth. I see some issues on
>> mailinglists but it doesn't fit my situation.
>>
>> Why does it want the preauth when I already have a valid ticket and my
>> redirect is followed by curl and posted the right way?
>>
>
> Can you describe the sequence?
> What do you do?
>
> From the client you try IPA CLI and this is where you see the problem even
> with the valid ticket or is the flow different?
>
>> I hope someone has an idea.
>>
>> Thanks,
>>
>> Matt
>>
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
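One thing to check in the sequence Matt describes: with Negotiate authentication curl asks the KDC for a ticket for HTTP/<host-in-URL>, and only a server whose keytab holds a key for that exact principal can decrypt it, so a balanced name and a node name are two different principals. The example below is added here and is not code from the thread; it parses constructed sample `klist -k` output for one server's keytab and reports, per URL, whether that server could verify the ticket the client would present. Host names and realm are placeholders, and it assumes no DNS canonicalisation of the host name (rdns = false).

```python
"""Which service principal will a Negotiate client ask for, and can this server verify it?

Added example, not code from the thread. With SPNEGO/Negotiate, curl requests a
service ticket for HTTP/<host>@REALM where <host> is the name in the URL it is
talking to (after a redirect, the host in the redirected URL). A ticket for the
load-balancer name can only be decrypted by a server whose keytab holds a key
for that exact principal. The keytab listing is constructed sample `klist -k`
output; host names and realm are placeholders. Assumes rdns = false (no DNS
canonicalisation of the host name before the principal is built).
"""
import re
from typing import List, Set
from urllib.parse import urlsplit

# Constructed sample: `klist -k` output for the HTTP keytab on one IPA server.
# It holds keys for the server's own name only, not for the balanced name.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/ldap-01.domain.test@DOMAIN.TEST
   2 HTTP/ldap-01.domain.test@DOMAIN.TEST
"""

REALM = "DOMAIN.TEST"   # placeholder realm


def keytab_principals(klist_text: str) -> Set[str]:
    """Return the distinct principals listed in `klist -k` output."""
    principals: Set[str] = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)   # "<kvno> <principal>"
        if m:
            principals.add(m.group(1))
    return principals


def spn_for_url(url: str, realm: str) -> str:
    """Principal a Negotiate client asks the KDC for when it talks to `url`."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    # libkrb5 lower-cases the host part when building a host-based principal.
    return f"HTTP/{host.lower()}@{realm}"


def server_can_verify(url: str, realm: str, klist_text: str) -> bool:
    """True if the server's keytab holds a key for the principal the client will use."""
    return spn_for_url(url, realm) in keytab_principals(klist_text)


def trace_sequence(urls: List[str], realm: str, klist_text: str) -> List[str]:
    """One diagnostic line per hop of a client's request sequence."""
    report = []
    for url in urls:
        spn = spn_for_url(url, realm)
        if server_can_verify(url, realm, klist_text):
            verdict = "key present in server keytab"
        else:
            verdict = "NO key in server keytab: ticket cannot be decrypted"
        report.append(f"{url} -> {spn}: {verdict}")
    return report


if __name__ == "__main__":
    # The two hops from the thread: the balanced name first, then the node name.
    hops = ["https://ldap.domain.test/ipa/", "https://ldap-01.domain.test/ipa/"]
    for line in trace_sequence(hops, REALM, KLIST_OUTPUT):
        print(line)
```

For the balanced name to work, every server behind it needs a key for HTTP/<balanced-name> in addition to its own; this only shows where the mismatch is, not how to issue that key in IPA.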

Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-29 Thread Gokulnath
Thanks for getting back.

1. As for security: a Kerberos ticket in memory can be taken, and that session
key can be used to gain access everywhere. Primarily this is because the plan
is to use the solution in the cloud.

2. Can I disable DNS as well? And have IPA run only LDAP, SSH key rotation
and PKI?

3. As during the install, DNS and Kerberos are getting installed and configured.

I would really appreciate it if you could get back to me.

Thank you
Gokul
Sent from iPhone

> On Mar 29, 2015, at 8:44 PM, Dmitri Pal  wrote:
> 
>> On 03/29/2015 11:50 AM, Gokul wrote:
>> Hi,
>> 
>> I am trying to run some of my use cases with FreeIPA.
>> 
>> Have FreeIPA to do only SSH key management in LDAP and PKI management.
>> 
>> I understand that every request is Kerberized and that DNS is a must in the
>> configuration.
>> 
>> Can I have FreeIPA to run only SSH Key management with LDAP and a PKI server 
>> with dogtag?
>> 
>> Thank you
>> Gokul
> You can't turn off Kerberos. You would need Kerberos for administration.
> But other clients can take advantage of LDAP and SSH only.
> However you are significantly limiting your functionality and capabilities.
> Kerberos is really the key of the solution.
> 
> What is the reason you try to avoid using it?
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.


Re: [Freeipa-users] ipa-client-automount problem

2015-03-29 Thread Rob Crittenden
Dmitri Pal wrote:
> On 03/29/2015 06:00 PM, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> My automount is not working correctly?
>>
>> I have a centos 7 with "cr" Update, this is IPA 4.1 and sssd 1.12
>>
>> I have this Error in the logs
>>
>> automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No
>> such file or
>> directory
>>
>> Is this correct with IPA 4.1?
>>
>> /etc/sysconfig/autofs and /etc/autofs_ldap_auth.config were not
>> configured with ipa-client-automount, or do I have to do this manually?
> Do you have libsss_autofs installed?

The default is to configure automount using SSSD so no configuration in
those files is expected.

What isn't working?

rob



Re: [Freeipa-users] Freeipa Server down !!

2015-03-29 Thread Rob Crittenden
Dmitri Pal wrote:
> On 03/29/2015 06:35 AM, Peter Fern wrote:
>> On 29/03/15 05:46, Rob Crittenden wrote:
>>> Should be back up now.
>>>
>>> rob
>>
>> Appears to be dead again.
>>
> It is in fact down again.
> 

The quota is exceeded in the OpenShift gear. I cleaned up a log file
which should buy a bit of time.

rob



Re: [Freeipa-users] Steps for automount

2015-03-29 Thread Dmitri Pal

On 03/28/2015 12:22 PM, Jose Luis Mantilla wrote:

Adding below mail:

[root@server2 home]# ssh jmantilla@desktop2
jmantilla@desktop2's password:
Creating home directory for jmantilla.
Last login: Sat Mar 28 11:05:48 2015 from server2.example.com
Could not chdir to home directory /home/remoteusers/jmantilla: No such file or directory

-sh-4.1$ pwd
/

[root@server2 home]# getent passwd jmantilla
jmantilla:*:6001:6001:Jose Mantilla:/home/remoteusers/jmantilla:/bin/sh

Service nfs is running
Service autofs is stopped

What can I do?



Why are you trying to do it manually?
Steps:
Install the server.
Configure your NFS server. Do you plan to use Kerberos authentication
for automount? If so then you need to issue a keytab for the NFS principal
for the NFS server. The NFS principal/keytab is not needed on the client;
the client uses the host keytab.
So on the client, install the client using ipa-client-install, then you
can configure automount on it.


Freeipa.org is down at the moment but when it is back in the morning
please check the HOWTOs there, I recall there were instructions about NFS.



Ing. José Luis Mantilla G.
Red Hat Certified Instructor / Examiner RHEL 6, 7
RHCE - RHCV - RHCI - RHCX - RHCSA
Developer PHP, Member TeamQA Centos
Cell phone: (1) 832-908-6210
Public GPG Key = FC3B3963

United States - Houston Texas -2015


On Sat, Mar 28, 2015 at 10:19 AM, Jose Luis Mantilla
<joseluismanti...@gmail.com> wrote:


Can someone help me please?

I would like someone to write the steps with only 2 machines
(IPA server with NFS, and IPA client). I executed the guide but it
didn't work; I think it needs some steps!

There are 2 machines, server2.example.com (with ipa server and NFS) and
desktop2.example.com (only with ipa-client)

My steps:
Server
After install ipa-server.
1) Add service with web UI
2) Add automount location with
Location=test
key=/jmantilla
description=-ro,soft,server2.example.com:/home/remoteusers/jmantilla

User=jmantilla
Home directory=/home/remoteusers/jmantilla

Configuring automount on server system
--Auto.master
/home/remoteusers   /etc/auto.ipa
--auto.ipa
jmantilla -rw server2.example.com:/home/remoteusers/jmantilla

After
#kinit admin
I don't need to run:
#ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k /etc/krb5.keytab
#ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k /root/nfs-client.keytab
#(  echo rkt /root/nfs-client.keytab; echo wkt /etc/krb5.keytab) |ktutil
My server and client are in an IPA domain, the keytabs should only
be generated to /etc/krb5.keytab on the IPA server. (IPA domain)

Verifying
[root@server2 ~]# ipa service-show nfs/server2.example.com
  Principal: nfs/server2.example@example.com
  Keytab: True
  Managed by: server2.example.com

Client
#kinit admin
#ipa-client-automount --location=test
#ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k /etc/krb5.keytab
#ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k /tmp/nfs.keytab
#( echo rkt /tmp/nfs.keytab; echo wkt /etc/krb5.keytab) |ktutil
#service rpcgssd start
#/etc/init.d/rpcbind restart
#/etc/init.d/rpcidmapd restart
#authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
#/etc/init.d/sshd restart
#vim /etc/sssd/sssd.conf
...
[domain/EXAMPLE.COM]
...
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600

#/etc/init.d/sssd restart

Testing
[root@server2 ~]# ssh cboyle@desktop2
cboyle@desktop2's password:
Last login: Tue Mar 17 21:13:49 2015 from server2.example.com

-sh-4.1$

And nothing!! (what happened?)
What do I need to do?

Thanks


Ing. José Luis Mantilla G.
Red Hat Certified Instructor / Examiner RHEL 6, 7
RHCE - RHCV - RHCI - RHCX - RHCSA
Developer PHP, Member TeamQA Centos
Cell p

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-29 Thread Dmitri Pal

On 03/29/2015 04:47 AM, Matt . wrote:

Hi Guys,

Now my Certification issues are solved for using a loadbalancer in
front of my ipa servers I get the following:

Unable to verify your Kerberos credentials

and in my logs:

Additional pre-authentication required.

This happens when I connect through my loadbalancers, I see my server
coming in with the right IP.

When I access my ipa server directly, not using the loadbalancer IP
between it, my kerberos Ticket is valid.

I get the feeling that when I use my loadbalancers and because of that
I get a 301 redirect it needs a preauth. I see some issues on
mailinglists but it doesn't fit my situation.

Why does it want the preauth when I already have a valid ticket and my
redirect is followed by curl and posted the right way?


Can you describe the sequence?
What do you do?

From the client you try IPA CLI and this is where you see the problem 
even with the valid ticket or is the flow different?



I hope someone has an idea.

Thanks,

Matt




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Freeipa Server down !!

2015-03-29 Thread Dmitri Pal

On 03/29/2015 06:35 AM, Peter Fern wrote:

On 29/03/15 05:46, Rob Crittenden wrote:

Should be back up now.

rob


Appears to be dead again.


It is in fact down again.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-29 Thread Dmitri Pal

On 03/29/2015 11:50 AM, Gokul wrote:

Hi,

I am trying to run some of my use cases with FreeIPA.

Have FreeIPA to do only SSH key management in LDAP and PKI management.

I understand that every request is Kerberized and that DNS is a must in the
configuration.


Can I have FreeIPA to run only SSH Key management with LDAP and a PKI 
server with dogtag?


Thank you
Gokul



You can't turn off Kerberos. You would need Kerberos for administration.
But other clients can take advantage of LDAP and SSH only.
However you are significantly limiting your functionality and capabilities.
Kerberos is really the key of the solution.

What is the reason you try to avoid using it?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] ipa-client-automount problem

2015-03-29 Thread Dmitri Pal

On 03/29/2015 06:00 PM, Günther J. Niederwimmer wrote:

Hello,

My automount is not working correctly?

I have a centos 7 with "cr" Update, this is IPA 4.1 and sssd 1.12

I have this Error in the logs

automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No such file or
directory

Is this correct with IPA 4.1?

/etc/sysconfig/autofs and /etc/autofs_ldap_auth.config were not configured with
ipa-client-automount, or do I have to do this manually?

Do you have libsss_autofs installed?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] anonymous binds limits?

2015-03-29 Thread Dmitri Pal

On 03/27/2015 08:22 PM, Janelle wrote:

Hello,

Just wondering if there is an easy way to increase anonymous binds on 
the back end for non Kerberos clients?
I have seen some mention of it, and that IPA has limits, but can't
find a lot of detail?


Thank you
~J


I am not sure I understand what you are asking.
What do you mean by "increase anonymous binds" ?
Increase timeout? Or you want to allow anonymous binds?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Steps for automount

2015-03-29 Thread Jose Luis Mantilla
Adding below mail:

[root@server2 home]# ssh jmantilla@desktop2
jmantilla@desktop2's password:
Creating home directory for jmantilla.
Last login: Sat Mar 28 11:05:48 2015 from server2.example.com
Could not chdir to home directory /home/remoteusers/jmantilla: No such file
or directory
-sh-4.1$ pwd
/

[root@server2 home]# getent passwd jmantilla
jmantilla:*:6001:6001:Jose Mantilla:/home/remoteusers/jmantilla:/bin/sh

Service nfs is running
Service autofs is stopped

What can I do?



Ing. José Luis Mantilla G.
Red Hat Certified Instructor / Examiner RHEL 6, 7
RHCE - RHCV - RHCI - RHCX - RHCSA
Developer PHP, Member TeamQA Centos
Cell phone: (1) 832-908-6210
Public GPG Key = FC3B3963

United States - Houston Texas -2015

On Sat, Mar 28, 2015 at 10:19 AM, Jose Luis Mantilla <
joseluismanti...@gmail.com> wrote:

> Can someone help me please?
>
> I would like someone to write the steps with only 2 machines (IPA server
> with NFS, and IPA client). I executed the guide but it didn't work; I think
> it needs some steps!
>
> There are 2 machines, server2.example.com (with ipa server and NFS) and
> desktop2.example.com (only with ipa-client)
>
> My steps:
> Server
> After install ipa-server.
> 1) Add service with web UI
> 2) Add automount location with
> Location=test
> key=/jmantilla  description=-ro,soft,server2.example.com:
> /home/remoteusers/jmantilla
>
> User=jmantilla
> Home directory=/home/remoteusers/jmantilla
>
> Configuring automount on server system
> --Auto.master
> /home/remoteusers   /etc/auto.ipa
> --auto.ipa
> jmantilla -rw   server2.example.com:/home/remoteusers/jmantilla
>
> After
> #kinit admin
> I don't need to run:
> #ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k
> /etc/krb5.keytab
> #ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k
> /root/nfs-client.keytab
> #(  echo rkt /root/nfs-client.keytab; echo wkt /etc/krb5.keytab) |ktutil
> My server and client are in an IPA domain, the keytabs should only be
> generated to /etc/krb5.keytab on the IPA server. (IPA domain)
>
> Verifying
> [root@server2 ~]# ipa service-show nfs/server2.example.com
>   Principal: nfs/server2.example@example.com
>   Keytab: True
>   Managed by: server2.example.com
>
> Client
> #kinit admin
> #ipa-client-automount --location=test
> #ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k
> /etc/krb5.keytab
> #ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k
> /tmp/nfs.keytab
> #( echo rkt /tmp/nfs.keytab; echo wkt /etc/krb5.keytab) |ktutil
> #service rpcgssd start
> #/etc/init.d/rpcbind restart
> #/etc/init.d/rpcidmapd restart
> #authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
> #/etc/init.d/sshd restart
> #vim /etc/sssd/sssd.conf
> ...
> [domain/EXAMPLE.COM]
> ...
> krb5_renewable_lifetime = 50d
> krb5_renew_interval = 3600
>
> #/etc/init.d/sssd restart
>
> Testing
> [root@server2 ~]# ssh cboyle@desktop2
> cboyle@desktop2's password:
> Last login: Tue Mar 17 21:13:49 2015 from server2.example.com
> -sh-4.1$
>
> And nothing!! (what happened)
> What I need to do it?
>
> Thanks
>
>
>
> Ing. José Luis Mantilla G.
> Red Hat Certified Instructor / Examiner RHEL 6, 7
> RHCE - RHCV - RHCI - RHCX - RHCSA
> Developer PHP, Member TeamQA Centos
> Cell phone: (1) 832-908-6210
> Public GPG Key = FC3B3963
>
> United States - Houston Texas -2015
>

Re: [Freeipa-users] passwordStorageScheme

2015-03-29 Thread Andy Thompson
> -Original Message-
> From: Sankar Ramlingam [mailto:sraml...@redhat.com]
> Sent: Sunday, March 29, 2015 4:35 AM
> To: Andy Thompson
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] passwordStorageScheme
> 
> On 03/28/2015 12:32 AM, Andy Thompson wrote:
> >
> >> -Original Message-
> >> From: Sankar Ramlingam [mailto:sraml...@redhat.com]
> >> Sent: Friday, March 27, 2015 2:00 PM
> >> To: Andy Thompson
> >> Subject: Re: [Freeipa-users] passwordStorageScheme
> >>
> >> On 03/27/2015 11:17 PM, Andy Thompson wrote:
> >>>> Can you show me the output for this command?
> >>>> ldapsearch -LLL -x -p $PORT -h localhost -D "cn=Directory Manager"
> >>>> -w x -b "cn=config" |grep -i passwordStorageScheme
> >>> Returns
> >>>
> >>> passwordStorageScheme: SSHA
> >>>
> >>>
> >>>> Also, can you paste me the content of the pw.ldif file? and tell me
> >>>> what
> >>> dn: cn=config
> >>> changetype: modify
> >>> replace: passwordStorageScheme
> >>> passwordStorageScheme: SHA512
> >> It looks like some whitespace characters in your ldif file. Can you
> >> recreate the ldif file with no special/whitespace characters? or can
> >> you run ldapmodify from command line and change the value directly? .
> >>
> >> I copied your ldif file content and it failed for me too. Then, I
> >> tried copying my ldif file and it was a success. Pasting the content 
> >> here...
> >>
> >> dn: cn=config
> >> changetype: modify
> >> replace: passwordStorageScheme
> >> passwordStorageScheme: SHA512
> >> EOF
> >>
> > Thanks much for the assist.  Haven't ever run into that before.
> Hi Andy,
> 
> So, I understand it was a problem with the LDIF file. I hope the problem is
> solved now.
> Please confirm.
> 

Yes the problem is solved.   Was just some extra spaces or something not 
visible to the eye that snuck in when I copied and pasted it from a document 
I've been compiling on all of my setup and testing.

Thanks again

-andy


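Sankar's diagnosis in the thread (whitespace or non-printing characters in the pasted LDIF) as a check you can run before feeding a file to ldapmodify. This is an added example, not code from the thread: lint_ldif() reports, per line, the characters an LDIF parser trips over but the eye does not see, and normalize_ldif() strips them. The LDIF sample is the change record from the thread with constructed defects injected: a non-breaking space after "replace:", a trailing space on the value line, and the "EOF" heredoc terminator pasted along with the text.

```python
"""Find the invisible characters that make an otherwise-correct LDIF fail to apply.

Added example, not code from the thread. The change record is the one from the
thread (replace passwordStorageScheme under cn=config); the defects injected
into BAD_LDIF are constructed: a non-breaking space after 'replace:', a trailing
space on the value line, and the 'EOF' heredoc terminator pasted along with the
text. lint_ldif() reports such defects per line; normalize_ldif() removes them.
"""
import re
import unicodedata
from typing import List, Tuple

BAD_LDIF = (
    "dn: cn=config\n"
    "changetype: modify\n"
    "replace:\u00a0passwordStorageScheme\n"   # U+00A0 looks like a space
    "passwordStorageScheme: SHA512 \n"         # trailing space
    "EOF\n"                                    # not LDIF at all
)

GOOD_LDIF = (
    "dn: cn=config\n"
    "changetype: modify\n"
    "replace: passwordStorageScheme\n"
    "passwordStorageScheme: SHA512\n"
)

# Attribute description per RFC 2849: a name plus optional ;option parts.
ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*")

Finding = Tuple[int, str]   # (1-based line number, what is wrong)


def lint_ldif(text: str) -> List[Finding]:
    """Report per line what an LDIF parser would trip over but the eye does not see."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        if raw.endswith("\r"):
            findings.append((lineno, "CR before LF (Windows line ending)"))
            raw = raw[:-1]
        if raw == "":
            continue                                  # record separator, fine
        if raw != raw.rstrip(" \t"):
            findings.append((lineno, "trailing whitespace"))
        for col, ch in enumerate(raw, start=1):
            if ch == " " or 32 < ord(ch) < 127:
                continue                              # printable ASCII
            name = unicodedata.name(ch, f"U+{ord(ch):04X}")
            findings.append((lineno, f"non-ASCII or control character {name} at column {col}"))
        line = raw.rstrip(" \t")
        if line == "EOF":
            findings.append((lineno, "stray heredoc terminator 'EOF' inside the LDIF"))
            continue
        if line == "-" or line.startswith(" "):
            continue                                  # change separator / continuation
        attr, sep, _ = line.partition(":")
        if not sep:
            findings.append((lineno, "no 'attribute: value' separator"))
        elif not ATTR_RE.fullmatch(attr):
            findings.append((lineno, f"invalid attribute description {attr!r}"))
    return findings


def normalize_ldif(text: str) -> str:
    """Strip the defects lint_ldif() reports. Review the result: it cannot know
    whether an unusual character inside a value was intended."""
    out = []
    for raw in text.split("\n"):
        raw = raw.rstrip("\r")
        if raw.rstrip(" \t") == "EOF":
            continue
        out.append(raw.replace("\u00a0", " ").rstrip(" \t"))
    return "\n".join(out)


if __name__ == "__main__":
    for lineno, problem in lint_ldif(BAD_LDIF):
        print(f"line {lineno}: {problem}")
    print("clean after normalize:", lint_ldif(normalize_ldif(BAD_LDIF)) == [])
```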


[Freeipa-users] Steps for automount

2015-03-29 Thread Jose Luis Mantilla
Can someone help me please?

I would like someone to write the steps with only 2 machines (IPA server
with NFS, and IPA client). I executed the guide but it didn't work; I think
it needs some steps!

There are 2 machines, server2.example.com (with ipa server and NFS) and
desktop2.example.com (only with ipa-client)

My steps:
Server
After install ipa-server.
1) Add service with web UI
2) Add automount location with
Location=test
key=/jmantilla  description=-ro,soft,server2.example.com:
/home/remoteusers/jmantilla

User=jmantilla
Home directory=/home/remoteusers/jmantilla

Configuring automount on server system
--Auto.master
/home/remoteusers   /etc/auto.ipa
--auto.ipa
jmantilla -rw   server2.example.com:/home/remoteusers/jmantilla

After
#kinit admin
I don't need to run:
#ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k
/etc/krb5.keytab
#ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k
/root/nfs-client.keytab
#(  echo rkt /root/nfs-client.keytab; echo wkt /etc/krb5.keytab) |ktutil
My server and client are in an IPA domain, the keytabs should only be
generated to /etc/krb5.keytab on the IPA server. (IPA domain)

Verifying
[root@server2 ~]# ipa service-show nfs/server2.example.com
  Principal: nfs/server2.example@example.com
  Keytab: True
  Managed by: server2.example.com

Client
#kinit admin
#ipa-client-automount --location=test
#ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k
/etc/krb5.keytab
#ipa-getkeytab -s server2.example.com -p nfs/server2.example.com -k
/tmp/nfs.keytab
#( echo rkt /tmp/nfs.keytab; echo wkt /etc/krb5.keytab) |ktutil
#service rpcgssd start
#/etc/init.d/rpcbind restart
#/etc/init.d/rpcidmapd restart
#authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
#/etc/init.d/sshd restart
#vim /etc/sssd/sssd.conf
...
[domain/EXAMPLE.COM]
...
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600

#/etc/init.d/sssd restart

Testing
[root@server2 ~]# ssh cboyle@desktop2
cboyle@desktop2's password:
Last login: Tue Mar 17 21:13:49 2015 from server2.example.com
-sh-4.1$

And nothing!! (what happened)
What I need to do it?

Thanks



Ing. José Luis Mantilla G.
Red Hat Certified Instructor / Examiner RHEL 6, 7
RHCE - RHCV - RHCI - RHCX - RHCSA
Developer PHP, Member TeamQA Centos
Cell phone: (1) 832-908-6210
Public GPG Key = FC3B3963

United States - Houston Texas -2015

[Freeipa-users] ipa-client-automount problem

2015-03-29 Thread Günther J . Niederwimmer
Hello,

My automount is not working correctly?

I have a centos 7 with "cr" Update, this is IPA 4.1 and sssd 1.12

I have this Error in the logs

automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No such file or 
directory

Is this correct with IPA 4.1?

/etc/sysconfig/autofs and /etc/autofs_ldap_auth.config were not configured with
ipa-client-automount, or do I have to do this manually?
-- 
with kind regards / best Regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-29 Thread Gokulnath
Quick question: if you have used Deion for LDAP and sudo, are all connections
through Kerberos? And are all clients and registered hosts in the same
domain?

Gokul

Sent from iPhone

> On Mar 29, 2015, at 12:14 PM, Yogesh Sharma  wrote:
> 
> Thanks Gonzalo. Appreciate your help here, Let me try this.
> 
> 
> Best Regards,
> __
> Yogesh Sharma
> Email: yks0...@gmail.com | Web: www.initd.in
> 
> RHCE, VCE-CIA, RackSpace Cloud U
> 
> 
> 
>> On Sat, Mar 28, 2015 at 11:23 PM, Gonzalo Fernandez Ordas 
>>  wrote:
>> Yogesh
>> 
>> you do not need to explain anything to me. Most people around here are in
>> the same boat and have been working on this stuff already for quite a while.
>> 
>> I forgot to mention this is for a PROPER sssd run; still, you will need all
>> those below, as you will get some issues sorted (especially sudo related).
>> 
>> So... you need the following, if I remember well:
>> 
>> system-arch --> system Architecture
>> 
>> libipa_hbac-1.9.2-129.el6.-system_arch-.rpm
>> sssd-client-1.9.2-129.el6.-system_arch-.rpm
>> sssd-1.9.2-129.el6_5.4.-system_arch-.rpm
>> sudo-1.8.6p3-12.el6.-system_arch-
>> 
>> I haven't installed the FreeIPA client but I have run sssd successfully for
>> a 389-ds server and the above combination worked all right, especially the
>> sudo bit, which was a bit of a hell.
>> To get to that point I spent a number of fun days thanks to the limitations
>> provided by Amazon on their packages.
>> 
>> Do not forget to install EPEL and try to look for either "ipa" or
>> "ipa-server", as I doubt that it will be called freeipa at all. (I haven't
>> tested that though.)
>> 
>> Gonzalo
>> 
>> 
>>> On 27/03/2015 01:03, Yogesh Sharma wrote:
>>> Gonzalo,
>>> 
>>> We have some running servers on Amazon Linux and it would be difficult to
>>> migrate all those to CentOS or RHEL as of now. Hence, if you can provide the
>>> package versions, it would really help us until the time we do the
>>> migration.
>>> 
>>> For sure all our new servers are going to be CentOS or RHEL.
>>> 
>>> 
>>> Best Regards,
>>> __
>>> Yogesh Sharma
>>> Email: yks0...@gmail.com | Web: www.initd.in
>>> 
>>> RHCE, VCE-CIA, RackSpace Cloud U
>>> 
>>> 
>>> 
>>>> On Fri, Mar 27, 2015 at 1:03 PM, Gonzalo Fernandez Ordas
>>>>  wrote:
>>>> Yogesh
>>>>
>>>> My personal experience using AWS Linux and LDAP is not a good one and
>>>> mostly an utter nightmare in relation to packages.
>>>> Personally I would recommend you to keep away from AWS Linux and get
>>>> CentOS, Fedora or Red Hat.
>>>> Still, if you want to go ahead, I can give you the right versions for a
>>>> couple of packages, as the default sudo given by Amazon simply DOES NOT
>>>> work (no idea what they have done to it.)
>>>>
>>>> Thanks
>>>>
> On 27/03/2015 00:03, Yogesh Sharma wrote:
> Hello,
> 
> Is there any repo available for Amazon Linux to install the IPA client, or
> is the below the only way to do it, as found in the freeipa-users mail archive?
> 
> http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html
> 
> 
> Thanks for the help.
> 
> Best Regards,
> __
> Yogesh Sharma
> 

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-29 Thread Yogesh Sharma
Thanks Gonzalo. Appreciate your help here, Let me try this.




*Best Regards,__*
*Yogesh Sharma*
*Email: yks0...@gmail.com | Web: www.initd.in*

RHCE, VCE-CIA, RackSpace Cloud U


On Sat, Mar 28, 2015 at 11:23 PM, Gonzalo Fernandez Ordas <g.fer.or...@unicyber.co.uk> wrote:

> Yogesh
>
> You do not need to explain anything to me. Most people around here are in
> the same boat and have been working on this stuff for quite a while.
>
> I forgot to mention this is for a PROPER sssd run; you will still need all
> those below, as they get some issues sorted (especially sudo related).
>
> So... you need the following, if I remember well:
>
> system-arch --> system Architecture
>
> libipa_hbac-1.9.2-129.el6.-system_arch-.rpm
> sssd-client-1.9.2-129.el6.-system_arch-.rpm
> sssd-1.9.2-129.el6_5.4.-system_arch-.rpm
> sudo-1.8.6p3-12.el6.-system_arch-
>
> I haven't installed the freeIPA client, but I have run sssd successfully
> for a 389-ds server and the above combination worked all right, especially
> the sudo bit, which was a bit of a hell.
> To get to that point I spent a number of fun days thanks to the
> limitations provided by Amazon on their packages.
>
> Do not forget to install EPEL and try to look for either "ipa" or
> "ipa-server", as I doubt it will be called freeipa at all. (I haven't
> tested that though.)
>
> Gonzalo
>
>
> On 27/03/2015 01:03, Yogesh Sharma wrote:
>
> Gonzalo,
>
> We have some running servers on Amazon Linux and it would be difficult
> to migrate all those to CentOS or RHEL as of now. Hence, if you can provide
> the package versions, it would really help us until we do the
> migration.
>
> For sure all our new servers are going to be CentOS or RHEL.
>
>
>
>
> *Best Regards, __*
> *Yogesh Sharma*
> *Email: yks0...@gmail.com | Web: www.initd.in*
>
> RHCE, VCE-CIA, RackSpace Cloud U
>
>
> On Fri, Mar 27, 2015 at 1:03 PM, Gonzalo Fernandez Ordas <g.fer.or...@unicyber.co.uk> wrote:
>
>> Yogesh
>>
>> My personal experience using AWS Linux and LDAP is not a good one and
>> mostly an utter nightmare in relation to packages.
>> Personally I would recommend you to keep away from AWS Linux and get a
>> CentOS, Fedora or Red Hat.
>> Still, if you want to go ahead, I can give you the right versions for a
>> couple of packages, as the default sudo given by Amazon simply DOES NOT work
>> (no idea what they have done to it..)
>>
>> Thanks
>>
>> On 27/03/2015 00:03, Yogesh Sharma wrote:
>>
>> Hello,
>>
>> Is there any repo available for Amazon Linux to install the IPA client, or
>> is the below the only way to do it, as found in the freeipa-users mail archive?
>>
>>  http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html
>>
>>
>>  Thanks for the help.
>>
>>
>>
>> *Best Regards, __*
>> *Yogesh Sharma*
>>
>>
>>
>>
>>
>
>

[Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-29 Thread Gokul
Hi,

I tried to run some of my use cases with FreeIPA.

I want FreeIPA to do only SSH key management in LDAP and PKI management.

I understand that every request is Kerberized and that DNS is a must in the
configuration.

Can I have FreeIPA run only SSH key management with LDAP and a PKI
server with Dogtag?

Thank you
Gokul

Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-29 Thread Ben .T.George
Hi

I have compiled the pam_access module successfully and copied access.conf
to the /etc/security folder.

I included

other   account required        pam_access.so

and added

-:ben b...@infra.com:ALL

but user ben is still able to access the machine.

Has anyone achieved this?


On Tue, Mar 24, 2015 at 9:19 PM, Rob Crittenden  wrote:

> Ben .T.George wrote:
> > Please, can anyone share a bit more information on this, like a real example?
>
> As we've said many times before, we have very little real experience on
> Solaris. We do the best we can and sometimes that is going to be in the
> form of bread crumbs that may be usable to finding your way to a solution.
>
> Access control via PAM is a very-well understood problem on Solaris.
> Once you have users and groups via nss then IPA is largely out of the
> equation. The OS vendor or Solaris-specific groups will know how to do
> this far better than us.
>
> If you find a detailed answer I'd be happy to add it to the freeIPA wiki.
>
> rob
>
> >
> > On Tue, Mar 24, 2015 at 9:03 PM, Rob Crittenden wrote:
> >
> > Dmitri Pal wrote:
> > > On 03/24/2015 01:15 PM, Ben .T.George wrote:
> > >> Hi
> > >>
> > >> The current stage is that AD users are able to log in to the Solaris box. But I
> > >> don't know up to what level I can control the user.
> > >>
> > >> I don't think there are many PAM modules in Solaris. I still cannot
> > >> make the home directory with PAM.
> > >
> > > I think pam_groupdn (if available on Solaris) might help but I
> could not
> > > find a clear example to share with you here.
> >
> > I'd suggest looking at pam_access.
> >
> > rob
> >
> > >
> > >>
> > >>
> > >>
> > >> On Tue, Mar 24, 2015 at 4:42 PM, Dmitri Pal wrote:
> > >>
> > >> On 03/24/2015 07:20 AM, Ben .T.George wrote:
> > >>> Hi
> > >>>
> > >>> I am using IPA 3.3 and my client is Solaris 10.
> > >>>
> > >>> How can I give only a set of users to this client without
> > >>> creating a user group in AD?
> > >>>
> > >>> thanks & Regards,
> > >>> Ben
> > >>>
> > >>>
> > >>
> > >> You can create a group in IPA and make Solaris check that group at
> > >> the access phase of PAM if Solaris is capable of checking groups
> > >> this way.
> > >>
> > >> --
> > >> Thank you,
> > >> Dmitri Pal
> > >>
> > >> Sr. Engineering Manager IdM portfolio
> > >> Red Hat, Inc.
> > >>
> > >>
> > >>
> > >>
> > >
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager IdM portfolio
> > > Red Hat, Inc.
> > >
> > >
> > >
> >
> >
>
>
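The access.conf rules discussed in this thread follow a first-match model: the outcome depends on rule order and on whether the users field names a user or a group, and a login that matches no rule is permitted. The evaluator below is an added example written for this page, not code from the thread, from pam_access or from FreeIPA. It models the documented Linux-PAM access.conf(5) semantics (permission:users:origins, first matching rule wins, no match means permit) for a subset of the syntax, with constructed rule sets and constructed group membership, so a rule file can be checked on a workstation before it goes onto a host. That the pam_access build compiled for Solaris 10 implements exactly these semantics is an assumption.

```python
"""Evaluate pam_access-style access.conf rules (added example, not from the thread).

Models the documented Linux-PAM access.conf(5) semantics: each rule is
"permission:users:origins"; the FIRST rule whose users field and origins
field both match decides; a (user, origin) pair matching no rule is permitted.
Supported subset: user names, (group) entries, ALL, LOCAL, ".domain" suffixes
and plain host names. EXCEPT lists, netgroups and CIDR origins are not handled.
All rule sets and group memberships below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, List[str], List[str]]  # (permission, users, origins)

# Constructed: a deny for one account, an allow for one group, then deny all.
DENY_FIRST_CONF = """\
# order matters: the first matching line wins
-:ben:ALL
+:(solaris-admins):ALL
-:ALL:ALL
"""

# Constructed: the same deny for ben, but placed AFTER a permit-all line,
# so it can never take effect. This is the ordering trap to check for.
PERMIT_FIRST_CONF = """\
+:ALL:ALL
-:ben:ALL
"""

# Constructed group membership, as nss would resolve it on the host.
GROUPS: Dict[str, List[str]] = {"solaris-admins": ["alice", "bob"]}


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf text into (permission, users, origins) rules."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        perm, users, origins = parts
        rules.append((perm, users.split(), origins.split()))
    return rules


def _user_matches(tok: str, user: str, groups: Dict[str, List[str]]) -> bool:
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):  # (group) entry
        return user in groups.get(tok[1:-1], [])
    return tok == user


def _origin_matches(tok: str, origin: str) -> bool:
    if tok == "ALL":
        return True
    if tok == "LOCAL":  # unqualified name: no dot in the origin
        return "." not in origin
    if tok.startswith("."):  # domain suffix, e.g. ".example.com"
        return origin.lower().endswith(tok.lower())
    return tok.lower() == origin.lower()


def is_access_granted(rules: List[Rule], user: str, origin: str,
                      groups: Optional[Dict[str, List[str]]] = None) -> bool:
    """True if pam_access would let `user` in from `origin` under `rules`."""
    groups = groups or {}
    for perm, users, origins in rules:
        if (any(_user_matches(u, user, groups) for u in users)
                and any(_origin_matches(o, origin) for o in origins)):
            return perm == "+"
    return True  # no rule matched: pam_access permits by default


def decide(conf_text: str, user: str, origin: str = "console") -> bool:
    """Convenience wrapper: parse `conf_text` and evaluate one login attempt."""
    return is_access_granted(parse_access_conf(conf_text), user, origin, GROUPS)


if __name__ == "__main__":
    for name, conf in (("deny-first", DENY_FIRST_CONF),
                       ("permit-first", PERMIT_FIRST_CONF)):
        for who in ("ben", "alice", "mallory"):
            verdict = "permit" if decide(conf, who) else "deny"
            print(f"{name:12} {who:8} -> {verdict}")
```

Running it shows ben denied and mallory denied under the deny-first file, while under the permit-first file ben is let in because the `+:ALL:ALL` line matches before the deny is reached. The other thing worth checking independently of rule order is that the PAM stack actually reaches the `account` line that loads pam_access; the evaluator above only answers what the rules would decide once the module runs.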

Re: [Freeipa-users] Freeipa Server down !!

2015-03-29 Thread Peter Fern

On 29/03/15 05:46, Rob Crittenden wrote:

Should be back up now.

rob


Appears to be dead again.



[Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-29 Thread Matt .
Hi Guys,

Now that my certification issues are solved for using a loadbalancer in
front of my ipa servers, I get the following:

Unable to verify your Kerberos credentials

and in my logs:

Additional pre-authentication required.

This happens when I connect through my loadbalancers; I see my server
coming in with the right IP.

When I access my ipa server directly, without the loadbalancer IP in
between, my Kerberos ticket is valid.

I get the feeling that when I use my loadbalancers, and because of that
I get a 301 redirect, it needs a preauth. I see some issues on
mailing lists but they don't fit my situation.

Why does it want the preauth when I already have a valid ticket and my
redirect is followed by curl and posted the right way?

I hope someone has an idea.

Thanks,

Matt



Re: [Freeipa-users] passwordStorageScheme

2015-03-29 Thread Sankar Ramlingam

On 03/28/2015 12:32 AM, Andy Thompson wrote:



-Original Message-
From: Sankar Ramlingam [mailto:sraml...@redhat.com]
Sent: Friday, March 27, 2015 2:00 PM
To: Andy Thompson
Subject: Re: [Freeipa-users] passwordStorageScheme

On 03/27/2015 11:17 PM, Andy Thompson wrote:

Can you show me the output for this command?
ldapsearch -LLL -x -p $PORT -h localhost -D "cn=Directory Manager" -w
x -b "cn=config" |grep -i passwordStorageScheme

Returns

passwordStorageScheme: SSHA



Also, can you paste me the content of pw.ldif file? and tell me what

dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SHA512

It looks like there are some whitespace characters in your ldif file. Can you recreate the
ldif file with no special/whitespace characters? Or can you run ldapmodify
from the command line and change the value directly?

I copied your ldif file content and it failed for me too. Then, I tried copying my
ldif file and it was a success. Pasting the content here...

dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SHA512
EOF


Thanks much for the assist.  Haven't ever run into that before.

Hi Andy,

So, I understand it was a problem with the LDIF file. I hope the problem 
is solved now.

Please confirm.

Thanks,
-Sankar R.


-andy


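The LDIF failure in this thread came down to characters in the file that an editor does not show. The linter below is an added example, not code from the thread, from 389-ds or from FreeIPA; it scans an LDIF change record for CRLF line endings, trailing whitespace, non-ASCII bytes such as a non-breaking space, and leading spaces (which RFC 2849 treats as line folding), and it shows the raw value each attribute would actually receive. Both records are constructed: `GOOD_LDIF` reproduces the `passwordStorageScheme` change from the thread, and `BAD_LDIF` is the same change as a typical bad paste.

```python
"""Lint an LDIF change record for invisible characters (added example).

Not code from the thread or from 389-ds. A copy/pasted LDIF often carries
CRLF line endings, trailing spaces, non-breaking spaces (U+00A0) or leading
spaces that an editor does not show but ldapmodify does not ignore: a leading
space folds the line into the previous one (RFC 2849 line folding), and a
trailing space or NBSP becomes part of the attribute value, so
"passwordStorageScheme: SHA512 " is not the value SHA512. Both records below
are constructed; GOOD_LDIF reproduces the change discussed in the thread.
"""
import re
from typing import Dict, List

# RFC 2849 attrval-spec: AttributeDescription ":" [":" | "<"] [SPACE] value
_ATTR_LINE = re.compile(rb"^([A-Za-z][A-Za-z0-9.;-]*)(::?|:<) ?(.*)$")

GOOD_LDIF = (b"dn: cn=config\n"
             b"changetype: modify\n"
             b"replace: passwordStorageScheme\n"
             b"passwordStorageScheme: SHA512\n")

# Constructed "bad paste": CRLF endings, a trailing space after "modify",
# and a non-breaking space (0xC2 0xA0 in UTF-8) in front of SHA512.
BAD_LDIF = (b"dn: cn=config\r\n"
            b"changetype: modify \r\n"
            b"replace: passwordStorageScheme\r\n"
            b"passwordStorageScheme:\xc2\xa0SHA512\r\n")


def lint_ldif(data: bytes) -> List[str]:
    """Return one finding per problem that changes how ldapmodify reads the record."""
    findings: List[str] = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        if line.endswith(b"\r"):
            findings.append(f"line {lineno}: CRLF line ending")
            line = line[:-1]
        if not line or line.startswith(b"#"):
            continue
        if line != line.rstrip(b" \t"):
            findings.append(f"line {lineno}: trailing whitespace becomes part of the value")
        odd = sorted({b for b in line if b < 0x20 or b > 0x7E})
        if odd:
            findings.append(f"line {lineno}: non-ASCII/control bytes "
                            f"{[hex(b) for b in odd]} (RFC 2849 requires base64 here)")
        if line.startswith(b" "):
            findings.append(f"line {lineno}: leading space folds this line into the previous one")
        elif not _ATTR_LINE.match(line):
            findings.append(f"line {lineno}: not an attribute line: {line!r}")
    return findings


def attribute_values(data: bytes) -> Dict[str, bytes]:
    """Unfold the record and return the raw bytes each attribute would receive."""
    unfolded: List[bytes] = []
    for line in data.replace(b"\r\n", b"\n").split(b"\n"):
        if line.startswith(b" ") and unfolded:
            unfolded[-1] += line[1:]  # RFC 2849 continuation line
        elif line:
            unfolded.append(line)
    values: Dict[str, bytes] = {}
    for line in unfolded:
        m = _ATTR_LINE.match(line)
        if m:
            values[m.group(1).decode("ascii")] = m.group(3)
    return values


if __name__ == "__main__":
    for name, record in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(f"--- {name}: {lint_ldif(record) or ['clean']}")
        for attr, value in attribute_values(record).items():
            print(f"    {attr} = {value!r}")
```

The good record produces no findings and the value `b'SHA512'`; the bad record reports six findings and shows `b'modify '` and `b'\xc2\xa0SHA512'` as the values the server would be asked to store, which is the kind of mismatch that makes a replace of `passwordStorageScheme` fail while the file looks identical to a working one on screen.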