[Freeipa-users] Kerberos realm for different domain

2016-12-09 Thread Stephen Ingram
Can you have a domain that belongs to a Kerberos realm with a completely
different domain? For example, could example.com belong to the
ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
necessary SRV and TXT records to locate it and krb5.conf is configured
properly?

Steve
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-09 Thread Sumit Bose
On Thu, Dec 08, 2016 at 11:37:25AM -0500, Chris Dagdigian wrote:
> 
> Massive thank you; will test ASAP.
> 
> We mainly have to support CentOS/RHEL-6 and CentOS/RHEL-7 clients. Is there
> any established guidance on upgrading SSSD in these environments? Some sort
> of trusted repo where RPMs are built? I can hit the wiki and website but
> figured I'd ask as well. Not sure what other dependencies the SSSD framework
> may have or pull in.

You might want to have a look at
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-14/ . Lukas is
doing a great job here in providing test-builds of the latest versions
released in Fedora for other/older platforms.

But please note those are test-builds. You have to wait until CentOS
releases the 7.3 packages to have an 'official' sssd-1.14 build.

HTH

bye,
Sumit
> 
> Sumit Bose wrote:
> > }
> > 
> > at the very beginning of /etc/krb5.conf before any include or includedir
> > directives should fix it. With the broken configuration libkrb5 thinks
> > that there is a direct trust between NAFTA.COMPANY.ORG and COMPANYIDM.ORG
> > which is not the case, everything has to go via COMPANY.ORG because
> > that's the domain which trusts COMPANYIDM.ORG.
> > 
> > Updating SSSD to a version with the fix might help as well.
> > 
> > HTH
> 


Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-09 Thread Alexander Bokovoy

On pe, 09 joulu 2016, Brian Candler wrote:
> On 08/12/2016 08:50, Pieter Nagel wrote:
> > Concrete scenario, I wonder if this will work:
> >
> > A greenfields deployment, no other kerberos, no Active Directory.
> > Internal DNS to be int.lautus.net and FreeIPA manages that DNS domain
> > and adds internal hosts to it as they enroll. Public-facing servers are
> > manually registered in lautus.net DNS which is hosted elsewhere. But
> > FreeIPA is installed with realm LAUTUS.NET so it adds _kerberos entries
> > for realm LAUTUS.NET to int.lautus.net, and I manually copy those
> > entries to lautus.net, so everyone agrees that they belong to the same
> > realm.
> >
> > The reason I want the realm to be LAUTUS.NET is because it makes more
> > sense to me that the internal desktops in the subdomain int.lautus.net
> > to enroll into a realm related to the parent DNS domain
> I see a red flag with "desktops". Do you mean Windows desktops? Then
> you are talking Active Directory (or the Samba implementation of AD)
> and there are very specific rules for how the hostnames and the realms
> interact.
>
> If you are talking Linux/BSD desktops, then it doesn't matter.
> Personally I would do it the other way round than you propose: let
> machines foo.lautus.net and bar.int.lautus.net use IPA.LAUTUS.NET as
> their kerberos realm, because this gives you the *option* of adding a
> distinct kerberos realm like AD.LAUTUS.NET later.
>
> If you ever introduce Active Directory into your network then you
> don't want it to be either a subdomain or a parent domain of your IPA
> domain, unless you enjoy pain.

This is not a big deal, really. Red Hat customers routinely deploy IPA
as a subdomain or a parent domain to Active Directory deployments.

> Changing your IPA realm later is also extremely painful.

Right now there is no procedure to do so. Partially because the realm name
is part of the salt used by Kerberos hashes.

> > , then it makes sense for the public-facing servers in the parent
> > lautus.net domain to enroll into a realm related to an internal DNS
> > subdomain.
>
> It's not really a problem. In the DNS you create TXT records:
>
> _kerberos.lautus.net.  TXT  "IPA.LAUTUS.NET"
> _kerberos.int.lautus.net  TXT  "IPA.LAUTUS.NET"
>
> and the auto-mapping of hosts to realms just works (in the *nix world
> anyway)

Correct. Windows systems don't request the _kerberos TXT record at all.

> Personally I would have no problem publishing
> _kerberos.lautus.net.  TXT  "IPA.LAUTUS.NET"
> in the public DNS. It's up to you whether you put *.ipa.lautus.net and
> *.int.lautus.net in the public DNS.
>
> > Or am I making an issue of a cosmetic triviality, and it is not at
> > all strange in the kerberos realm to enroll a server into a realm
> > related to a DNS subdomain it is not part of?
>
> In my opinion, not at all strange. You have three things:
>
> 1. The DNS domain of the host
> 2. The Kerberos realm that the host is in
> 3. The DNS domain of the Kerberos realm
>
> 2+3 are bound together, but 1 does not need to relate to 2+3 (unless
> you are Microsoft)

Even in the Microsoft world there are means to add DNS domains to the same
Active Directory domain (they are called name routing suffixes). They
aren't flexible enough though and you are not advised to create many of
them (to the tune of thousands) because they are checked every time a
Kerberos ticket is issued by the AD DC.

--
/ Alexander Bokovoy


Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-09 Thread Brian Candler

On 08/12/2016 08:50, Pieter Nagel wrote:
> Concrete scenario, I wonder if this will work:
>
> A greenfields deployment, no other kerberos, no Active Directory.
> Internal DNS to be int.lautus.net and FreeIPA manages that DNS domain
> and adds internal hosts to it as they enroll. Public-facing servers are
> manually registered in lautus.net DNS which is hosted elsewhere. But
> FreeIPA is installed with realm LAUTUS.NET so it adds _kerberos entries
> for realm LAUTUS.NET to int.lautus.net, and I manually copy those
> entries to lautus.net, so everyone agrees that they belong to the same
> realm.
>
> The reason I want the realm to be LAUTUS.NET is because it makes more
> sense to me that the internal desktops in the subdomain int.lautus.net
> to enroll into a realm related to the parent DNS domain
I see a red flag with "desktops". Do you mean Windows desktops? Then you
are talking Active Directory (or the Samba implementation of AD) and
there are very specific rules for how the hostnames and the realms interact.

If you are talking Linux/BSD desktops, then it doesn't matter.
Personally I would do it the other way round than you propose: let
machines foo.lautus.net and bar.int.lautus.net use IPA.LAUTUS.NET as
their kerberos realm, because this gives you the *option* of adding a
distinct kerberos realm like AD.LAUTUS.NET later.

If you ever introduce Active Directory into your network then you don't
want it to be either a subdomain or a parent domain of your IPA domain,
unless you enjoy pain.

Changing your IPA realm later is also extremely painful.

> , then it makes sense for the public-facing servers in the parent
> lautus.net domain to enroll into a realm related to an internal DNS
> subdomain.

It's not really a problem. In the DNS you create TXT records:

_kerberos.lautus.net.  TXT  "IPA.LAUTUS.NET"
_kerberos.int.lautus.net  TXT  "IPA.LAUTUS.NET"

and the auto-mapping of hosts to realms just works (in the *nix world
anyway)

Personally I would have no problem publishing
_kerberos.lautus.net.  TXT  "IPA.LAUTUS.NET"
in the public DNS. It's up to you whether you put *.ipa.lautus.net and
*.int.lautus.net in the public DNS.

> Or am I making an issue of a cosmetic triviality, and it is not at
> all strange in the kerberos realm to enroll a server into a realm
> related to a DNS subdomain it is not part of?

In my opinion, not at all strange. You have three things:

1. The DNS domain of the host
2. The Kerberos realm that the host is in
3. The DNS domain of the Kerberos realm

2+3 are bound together, but 1 does not need to relate to 2+3 (unless you
are Microsoft)


Regards,

Brian.
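Brian's TXT records and Stephen's question at the top of the page both rest on the same client-side mechanism: libkrb5 maps a host name to a realm through the krb5.conf [domain_realm] section first and, when dns_lookup_realm is enabled, through _kerberos TXT records queried for the full host name and then each parent domain. The block below is an added illustration (not code from either poster or from FreeIPA/MIT krb5) that simulates that lookup over an in-memory DNS table and [domain_realm] section; the lautus.net records are the ones quoted above, while the example.com record and the AD.LAUTUS.NET entries are assumed for illustration.

```python
# Added illustration, not code from the thread or from FreeIPA/MIT krb5.
# Models how a Kerberos client maps a hostname to a realm: explicit
# krb5.conf [domain_realm] entries first, then (only if the client has
# dns_lookup_realm = true in [libdefaults]) _kerberos TXT records,
# querying the full host name and then each parent domain in turn.

# Constructed stand-in for DNS: record name -> TXT strings.
# The two lautus.net records are the ones quoted in the thread; the
# example.com record is an assumed case matching Stephen's question.
DNS_TXT = {
    "_kerberos.lautus.net": ["IPA.LAUTUS.NET"],
    "_kerberos.int.lautus.net": ["IPA.LAUTUS.NET"],
    "_kerberos.example.com": ["ANOTHERDOMAIN.COM"],
}

# Constructed [domain_realm] section. The AD.LAUTUS.NET entries are an
# assumed future AD realm carved out of lautus.net by explicit mapping.
DOMAIN_REALM = {
    "ad.lautus.net": "AD.LAUTUS.NET",
    ".ad.lautus.net": "AD.LAUTUS.NET",
}


def _parents(host):
    """Yield the host name itself, then each parent domain up to the TLD."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def realm_from_domain_realm(host, table=DOMAIN_REALM):
    """[domain_realm]: exact host name, then '.parent' and 'parent' keys."""
    for i, name in enumerate(_parents(host)):
        keys = (name,) if i == 0 else ("." + name, name)
        for key in keys:
            if key in table:
                return table[key]
    return None


def realm_from_dns(host, txt=DNS_TXT):
    """_kerberos TXT lookup walking up the tree; first answer wins."""
    for name in _parents(host):
        answers = txt.get("_kerberos." + name, [])
        if answers:
            return answers[0]
    return None


def host_realm(host):
    """libkrb5 order: config mapping, then DNS; None means no mapping."""
    return realm_from_domain_realm(host) or realm_from_dns(host)
```

With no [domain_realm] entry of its own, an unrelated domain such as example.com lands in whatever realm its _kerberos TXT record names, which is exactly what Stephen's question asks about.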

[Freeipa-users] IPA Server & LDAP Replication Monitoring

2016-12-09 Thread Deepak Dimri
Hi All,


Has anyone worked on IPA server integration with collectd for its and LDAP
replication? I am a newbie to collectd and still exploring its plug-in options.
Would be thankful if someone can share some insight on it.


Thanks,

Deepak

Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-09 Thread Lukas Slebodnik
On (08/12/16 16:10), James Harrison wrote:
>Hi,
>From this URL: https://launchpad.net/~sssd/+archive/ubuntu/updates
>I updated sssd on Trusty and I can now ssh to it using a FreeIPA user's
>credentials. AD still doesn't work.
>Thanks
>
That just means that 1.12.5-1~trusty1 still has some bugs
which are fixed in sssd-1.13.4 (in Ubuntu 16.04).
You mentioned that in a different mail.

I would recommend using the LTS version of sssd-1.13
which is the oldest version maintained by upstream.
You might file bugs to Ubuntu for fixing the old version of sssd in trusty
(1.11) but it will be much simpler to ask for backporting
1.13.4 into launchpad.

Based on the Ubuntu page [1], precise (12.04) will be EOL very soon;
you should really consider using a newer version.
The ideal would be to use Ubuntu 16.04.

LS

[1] https://www.ubuntu.com/info/release-end-of-life


Re: [Freeipa-users] Naming a FreeIPA domain and router differences

2016-12-09 Thread Petr Spacek
On 8.12.2016 22:40, Harry Kashouli wrote:
> Ah, I think I totally misread the DNS page, the first time...
> https://www.freeipa.org/page/DNS
> 
> 
> Looks like I should put the router on int.custom.com as a domain, and I can
> create the freeipa domain as domain.custom.com

It depends on how you want to name the machines. FreeIPA does not care as
long as the requirements in the DNS page are met.

Meeting the requirements is significantly easier when you use actual names you
own as it mitigates the risk of name collisions.

If you have some specific question do not hesitate to ask.
Petr^2 Spacek


> 
> -Harry
> 
> On 8 December 2016 at 13:15, Harry Kashouli wrote:
> 
>> Hi all,
>>
>> I want to make sure I'm understanding how to name my FreeIPA server.
>>
>> (following names are placeholders)
>> On my router, I've set the domain to localdomain, so my server
>> automatically gets the full name as server.localdomain. I want my FreeIPA
>> domain to be domain.custom.com because I own the custom.com domain; so
>> when I'm setting it up, I answer the "server host name" question as
>> pc.domain.custom.com.
>>
>> Is this wrong? Does the domain on my router have to match the FreeIPA
>> domain in any way?
>>
>> Thanks,
>> -Harry
>>
> 
> 
> 


-- 
Petr^2 Spacek
