Re: [Freeipa-users] Accessing IPA servers on non-standard port

2013-09-27 Thread Chandan Kumar
Ticket created : Ticket #3955




--
http://about.me/chandank


On Fri, Sep 27, 2013 at 12:40 AM, Petr Spacek wrote:

> On 27.9.2013 07:23, Chandan Kumar wrote:
>
>> Hi Rob,
>>
>> Thanks for the info. Sure I will create the ticket and will certainly try
>> to pick the low-hanging fruit :-)
>>
>>
>> --
>> http://about.me/chandank
>>
>>
>> On Thu, Sep 26, 2013 at 7:51 PM, Rob Crittenden wrote:
>>
>>  Chandan Kumar wrote:
>>>
>>>  Hello,
>>>>
>>>> I have a basic configuration question; my apologies if it has already been
>>>> discussed.
>>>>
>>>> I have an ipa-server-3 server installed with default parameters with
>>>> replication.
>>>>
>>>> We have Linux machines across different geo locations and I would like to
>>>> integrate them into the IPA server; however, I don't want external clients
>>>> to connect to the server on the standard port.
>>>>
>>>> For example, during ipa-client registration it requires all IPA services
>>>> to be running on the default port.
>>>>
>>>> Such as: trying https://ipa01.my.net/ipa/xml
>>>>
>>>> kdc = ipa01.my.net:88
>>>> master_kdc = ipa01.my.net:88
>>>> admin_server = ipa01.my.net:749
>>>>
>>>>
>>>> Is there any way in ipa-client-install or the sssd file to instruct the IPA
>>>> client to connect to the IPA server on non-standard ports such as
>>>>
>>>> trying https://ipa01.my.net:8080/ipa/xml
>>>>
>>>>
>>>> This way I don't have to allocate a separate IP or an additional web server
>>>> to redirect the requests; a simple NAT at the firewall will do, such as
>>>> external 8080 -> internal 443
>>>>
>>>>
>>> Currently there is no way to do this. I'd have sworn we had a ticket to
>>> add this but a quick search didn't turn it up. If you'd like this
>>> supported feel free to open a ticket at
>>> https://fedorahosted.org/freeipa/newticket
>>>
>>>
>>> I don't think this would be tremendously difficult to do; the trick would
>>> be communicating the port to clients somehow while they are trying to
>>> enroll. A command-line option would probably be the shortest path.
>>>
>>> This may be decent low-hanging fruit if you're interested in being a
>>> contributor to IPA.
>>>
>>
> Speaking specifically about Kerberos, LDAP and NTP - it should be possible
> to change the port number in the SRV records in DNS and that is it. I'm not
> sure if client libraries really support this, but you can try it.
>
> HTTP and HTTPS will be more problematic because there are no SRV
> records for them.
>
> --
> Petr^2 Spacek
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
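Petr's suggestion rests on the port field that every SRV record carries. The following Python is an added illustration for this thread, not code from the thread, FreeIPA or SSSD: it models what an SRV-aware client (MIT Kerberos's DNS KDC lookup behaves this way) does with such records, parsing a constructed zone excerpt for the thread's my.net domain, picking the lowest-priority record with a weighted choice among equals, and returning the host and port from the record itself, so moving the KDC to another port is a zone change only. The zone text, the port numbers and all function names are assumptions. The last lookup in the usage block shows Petr's HTTP caveat: a name with no SRV record gives the client nothing to connect to, which is why the HTTPS enrollment URL cannot be redirected this way.

```python
"""Resolve an IPA service endpoint from SRV records the way an SRV-aware client does (RFC 2782).

Added example for this thread, not FreeIPA or SSSD code. The zone excerpt, the
port numbers and all function names here are constructed for illustration.
"""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Constructed zone-file excerpt for the thread's example domain (my.net):
# the same _kerberos/_ldap/_ntp names as a stock IPA zone, but the port
# column points at non-standard ports. Nothing else in the record changes.
ZONE_TEXT = """
; name                  class type prio weight port target
_kerberos._tcp.my.net.  IN    SRV  0    100    8088 ipa01.my.net.
_kerberos._tcp.my.net.  IN    SRV  0    100    8088 ipa02.my.net.
_kerberos._tcp.my.net.  IN    SRV  10   50     8088 ipa-dr.my.net.
_ldap._tcp.my.net.      IN    SRV  0    100    3389 ipa01.my.net.
_ntp._udp.my.net.       IN    SRV  0    100    1123 ipa01.my.net.
"""


def parse_srv_records(zone_text):
    """Parse 'name [ttl] [class] SRV prio weight port target' lines into SrvRecord tuples."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or zone-file comment
        if "SRV" not in fields:
            continue
        at = fields.index("SRV")
        prio, weight, port = (int(f) for f in fields[at + 1:at + 4])
        records.append(SrvRecord(fields[0].rstrip(".").lower(), prio, weight,
                                 port, fields[at + 4].rstrip(".").lower()))
    return records


def lookup_srv(records, service, proto, domain):
    """All records answering _<service>._<proto>.<domain>; empty if the name has none."""
    qname = "_%s._%s.%s" % (service, proto, domain.rstrip("."))
    return [r for r in records if r.name == qname.lower()]


def _pick(candidates, rng):
    """One RFC 2782 selection step: lowest priority, weighted random within that tier."""
    lowest = min(r.priority for r in candidates)
    tier = [r for r in candidates if r.priority == lowest]
    total = sum(r.weight for r in tier)
    if total == 0:
        return tier[0]
    point = rng.randint(0, total - 1)
    running = 0
    for r in tier:
        running += r.weight
        if point < running:
            return r
    return tier[-1]  # not reached: point < total by construction


def select_srv(candidates, seed=None):
    """(target, port) the client tries first, or None when no SRV record exists.
    `seed` makes the weighted choice reproducible."""
    if not candidates:
        return None
    chosen = _pick(candidates, random.Random(seed))
    return chosen.target, chosen.port


def failover_order(candidates, seed=None):
    """Full list of (target, port) in the order a client should try them."""
    rng = random.Random(seed)
    remaining = list(candidates)
    order = []
    while remaining:
        chosen = _pick(remaining, rng)
        order.append((chosen.target, chosen.port))
        remaining.remove(chosen)
    return order


if __name__ == "__main__":
    recs = parse_srv_records(ZONE_TEXT)
    for svc, proto in (("kerberos", "tcp"), ("ldap", "tcp"), ("ntp", "udp"), ("http", "tcp")):
        print(svc, failover_order(lookup_srv(recs, svc, proto, "my.net"), seed=1) or "no SRV record")
```

Whether a given client honours the port from the record still has to be checked against that client, as Petr says; the model only shows what the DNS side can express.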

Re: [Freeipa-users] Accessing IPA servers on non-standard port

2013-09-26 Thread Chandan Kumar
Hi Rob,

Thanks for the info. Sure I will create the ticket and will certainly try
to pick the low-hanging fruit :-)


--
http://about.me/chandank


On Thu, Sep 26, 2013 at 7:51 PM, Rob Crittenden wrote:

> Chandan Kumar wrote:
>
>> Hello,
>>
>> I have a basic configuration question; my apologies if it has already been
>> discussed.
>>
>> I have an ipa-server-3 server installed with default parameters with
>> replication.
>>
>> We have Linux machines across different geo locations and I would like to
>> integrate them into the IPA server; however, I don't want external clients
>> to connect to the server on the standard port.
>>
>> For example, during ipa-client registration it requires all IPA services
>> to be running on the default port.
>>
>> Such as: trying https://ipa01.my.net/ipa/xml
>>
>> kdc = ipa01.my.net:88
>> master_kdc = ipa01.my.net:88
>> admin_server = ipa01.my.net:749
>>
>>
>> Is there any way in ipa-client-install or the sssd file to instruct the IPA
>> client to connect to the IPA server on non-standard ports such as
>>
>> trying https://ipa01.my.net:8080/ipa/xml
>>
>> This way I don't have to allocate a separate IP or an additional web server
>> to redirect the requests; a simple NAT at the firewall will do, such as
>> external 8080 -> internal 443
>>
>
> Currently there is no way to do this. I'd have sworn we had a ticket to
> add this but a quick search didn't turn it up. If you'd like this supported
> feel free to open a ticket at https://fedorahosted.org/freeipa/newticket
>
> I don't think this would be tremendously difficult to do; the trick would
> be communicating the port to clients somehow while they are trying to
> enroll. A command-line option would probably be the shortest path.
>
> This may be decent low-hanging fruit if you're interested in being a
> contributor to IPA.
>
> rob
>

[Freeipa-users] Accessing IPA servers on non-standard port

2013-09-26 Thread Chandan Kumar
Hello,

I have a basic configuration question; my apologies if it has already been
discussed.

I have an ipa-server-3 server installed with default parameters with
replication.

We have Linux machines across different geo locations and I would like to
integrate them into the IPA server; however, I don't want external clients to
connect to the server on the standard port.

For example, during ipa-client registration it requires all IPA services to
be running on the default port.

Such as: trying https://ipa01.my.net/ipa/xml

kdc = ipa01.my.net:88
master_kdc = ipa01.my.net:88
admin_server = ipa01.my.net:749

Is there any way in ipa-client-install or the sssd file to instruct the IPA
client to connect to the IPA server on non-standard ports such as

trying https://ipa01.my.net:8080/ipa/xml

This way I don't have to allocate a separate IP or an additional web server to
redirect the requests; a simple NAT at the firewall will do, such as external
8080 -> internal 443

Thanks
--
http://about.me/chandank

Re: [Freeipa-users] Limiting Host access by UID/GID

2013-06-05 Thread Chandan Kumar
Sorry for the late reply. Thanks for helping out. Yes, after deleting the sssd
cache from /var/lib it does not allow user groups outside min/max_id.


Thanks
Chandan

On Tuesday, June 4, 2013, Jakub Hrozek wrote:

> On Fri, May 31, 2013 at 08:50:29AM -0700, Chandan Kumar wrote:
> > As far as my understanding goes it does not stop even if I disable cache
> > credentials. I set the following parameters in sssd.conf but still UID 2 is
> > able to login.
> >
>
> Sorry, there was some terminology confusion. I didn't ask for disabling
> cache credentials, but removing the on-disk cache and starting afresh.
>
> The cache is stored in /var/lib/sss/db/cache_$domname.ldb, so you can mv
> or rm it and check again if the IDs are still allowed.
>
> > cache_credentials = False
> > krb5_store_password_if_offline = False
> > min_id=5000
> > max_id=5010
> > enumerate = False
> > entry_cache_timeout=3
> >
> > Package Info:
> > Client;
> > sssd-client-1.9.2-82.7.el6_4.x86_64
> >
> > Server:
> > ipa-server-2.2.0-16.el6.x86_64
> >
> > Thanks
> > Chandan
> >
> > On Friday, May 31, 2013, Jakub Hrozek wrote:
> >
> > > On Fri, May 31, 2013 at 09:26:40AM -0400, Simo Sorce wrote:
> > > > On Fri, 2013-05-31 at 11:55 +0200, Jakub Hrozek wrote:
> > > > > On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:
> > > > > > On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > As part of migration from passwd/shadow to IPA, I want to roll out
> > > > > > > IPA/SSSD based password first for a small number of users and then
> > > > > > > for all (same goes with hosts: first a small number of hosts and
> > > > > > > then all).
> > > > > > >
> > > > > > > I was trying to limit it using the max_id/min_id parameters in sssd
> > > > > > > but it does not seem to work the way I expected.
> > > > > > > ---
> > > > > > > min_id = 5000
> > > > > > > max_id = 5100
> > > > > > > --
> > > > > > > So there is a user "kchandan" with UID/GID 2
> > > > > > > --
> > > > > > > [root@tipa1 ~]# id kchandan
> > > > > > > uid=2(kchandan) gid=2 groups=2
> > > > > > > ---
> > > > > > >
> > > > > > > But it is allowing me to login with that ID, with the only error
> > > > > > > showing GID 2 not found.
> > > > > > > ---
> > > > > > > ssh 10.2.3.105 -l kchandan
> > > > > > > kchandan@10.2.3.105's password:
> > > > > > > id: cannot find name for group ID 2
> > > > > > > -
> > > > > > >
> > > > > > > Is there any way to achieve this?
> > > > > >
> > > > > > So you want to allow only a subset of users with a specific range to
> > > > > > log into the systems controlled by SSSD before you open it to a
> > > > > > broader public?
> > > > > > I would defer to SSSD gurus but the hack that comes to mind is to
> > > > > > configure a simple access provider to limit the access to just the
> > > > > > users you care about (man sssd-simple) or configure ldap access
> > > > > > provider based on a filter (man sssd-ldap).
> > > > >
> > > > > Hi,
> > > > >
> > > > > The user shouldn't be even saved to cache if it's filtered out of
> > > > > range.
> > > > >
> > > > > But looking at the current NSS code, the entry would have been
> > > > > returned if it was saved *before* you changed the min_id/max_id
> > > > > parameters. Could that be the case? Can you check if after removing
> > > > > the cache the entry still shows up?
> > > > >
> > > > > I think that the fact that the entry is returned from cache even if it
> > > > > should be filtered out is a bug:
> > > > > https://fedorahosted.org/sssd/ticket/1954
> > > >
> > > > So far we always maintained that if you consistently change
> > > > configuration (and a change of ranges is a big change) then it's on
> > > > the admin to wipe the cache file.
> > >
> > > Yes, that's why the ticket is minor. But mostly I don't like the
> > > inconsistency where some requests check the ranges even in the
> > > responder and some don't.
> > >



--
http://about.me/chandank
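The resolution of this thread (the out-of-range user only disappeared once the cache file under /var/lib/sss/db was removed) is easy to misread as "min_id/max_id does not work". The following Python is an added example, not SSSD's code: a deliberately small model of the behaviour Jakub describes, where the backend applies the range check on a cache miss but a cache hit is returned as stored, so an entry cached before the range was tightened keeps resolving until the cache is wiped. It also carries the check an admin runs afterwards, parsing one line of `id` output against the configured range. The resolver class, the sample directory and the function names are constructed for illustration.

```python
"""Why a UID outside min_id/max_id can still resolve: a stale SSSD cache entry.

Added example for this thread, not SSSD's code. The resolver below is a
deliberately small model of the behaviour Jakub describes (range check in the
backend on a cache miss, none on a cache hit); all names and the sample
directory are constructed.
"""
import re


class IdRange:
    """min_id/max_id from sssd.conf, inclusive on both ends."""

    def __init__(self, min_id, max_id):
        self.min_id, self.max_id = min_id, max_id

    def contains(self, numeric_id):
        return self.min_id <= numeric_id <= self.max_id


class CachedResolver:
    """Stand-in for the SSSD NSS responder plus its on-disk cache."""

    def __init__(self, directory, id_range):
        self.directory = directory  # name -> (uid, gid); stands in for the IPA LDAP tree
        self.id_range = id_range
        self.cache = {}             # stands in for /var/lib/sss/db/cache_$domname.ldb

    def getpwnam(self, name):
        if name in self.cache:
            return self.cache[name]   # cache hit: returned without a range check
        entry = self.directory.get(name)
        if entry is None or not self.id_range.contains(entry[0]):
            return None               # filtered out by the backend, never cached
        self.cache[name] = entry
        return entry

    def set_range(self, id_range):
        """Edit min_id/max_id in sssd.conf and restart sssd; the cache file survives."""
        self.id_range = id_range

    def wipe_cache(self):
        """What Jakub asked for: mv or rm the cache file and start afresh."""
        self.cache.clear()


# Constructed directory with the thread's kchandan (UID/GID 2) and an in-range user.
DIRECTORY = {"kchandan": (2, 2), "alice": (5001, 5001)}


def stale_cache_scenario():
    """Returns what getpwnam('kchandan') yields before the range change,
    after it (cache still present), and after wiping the cache."""
    resolver = CachedResolver(DIRECTORY, IdRange(1, 60000))  # original permissive range
    before = resolver.getpwnam("kchandan")                   # in range, gets cached
    resolver.set_range(IdRange(5000, 5100))                  # admin tightens the range
    after = resolver.getpwnam("kchandan")                    # still answered from cache
    resolver.wipe_cache()
    wiped = resolver.getpwnam("kchandan")                    # now filtered out
    return before, after, wiped


ID_LINE = re.compile(r"uid=(\d+)\((\w+)\)\s+gid=(\d+)")


def ids_outside_range(id_output, id_range):
    """Parse one line of `id` output and return the IDs that violate the range.
    This is the check to run after the cache is removed; an empty list means the
    user is allowed by min_id/max_id."""
    match = ID_LINE.match(id_output.strip())
    if not match:
        raise ValueError("not an `id` line: %r" % id_output)
    uid, gid = int(match.group(1)), int(match.group(3))
    return [label for label, value in (("uid", uid), ("gid", gid))
            if not id_range.contains(value)]


if __name__ == "__main__":
    print(stale_cache_scenario())
    print(ids_outside_range("uid=2(kchandan) gid=2 groups=2", IdRange(5000, 5100)))
```

The model reproduces the thread's sequence exactly: the same user resolves before and after the range is tightened, and only the wipe makes the filter bite. Simo's point applies to the real system too: a range change is a configuration change after which the admin is expected to remove the cache file.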

[Freeipa-users] Limiting Host access by UID/GID

2013-05-31 Thread Chandan Kumar
As far as my understanding goes it does not stop even if I disable cache
credentials. I set the following parameters in sssd.conf but still UID 2 is
able to login.

cache_credentials = False
krb5_store_password_if_offline = False
min_id=5000
max_id=5010
enumerate = False
entry_cache_timeout=3

Package Info:
Client;
sssd-client-1.9.2-82.7.el6_4.x86_64

Server:
ipa-server-2.2.0-16.el6.x86_64

Thanks
Chandan

On Friday, May 31, 2013, Jakub Hrozek wrote:

> On Fri, May 31, 2013 at 09:26:40AM -0400, Simo Sorce wrote:
> > On Fri, 2013-05-31 at 11:55 +0200, Jakub Hrozek wrote:
> > > On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:
> > > > On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> > > > > Hello,
> > > > >
> > > > > As part of migration from passwd/shadow to IPA, I want to roll out
> > > > > IPA/SSSD based password first for a small number of users and then
> > > > > for all (same goes with hosts: first a small number of hosts and then
> > > > > all).
> > > > >
> > > > > I was trying to limit it using the max_id/min_id parameters in sssd
> > > > > but it does not seem to work the way I expected.
> > > > > ---
> > > > > min_id = 5000
> > > > > max_id = 5100
> > > > > --
> > > > > So there is a user "kchandan" with UID/GID 2
> > > > > --
> > > > > [root@tipa1 ~]# id kchandan
> > > > > uid=2(kchandan) gid=2 groups=2
> > > > > ---
> > > > >
> > > > > But it is allowing me to login with that ID, with the only error showing
> > > > > GID 2 not found.
> > > > > ---
> > > > > ssh 10.2.3.105 -l kchandan
> > > > > kchandan@10.2.3.105's password:
> > > > > id: cannot find name for group ID 2
> > > > > -
> > > > >
> > > > > Is there any way to achieve this?
> > > >
> > > > So you want to allow only a subset of users with a specific range to
> > > > log into the systems controlled by SSSD before you open it to a broader
> > > > public?
> > > > I would defer to SSSD gurus but the hack that comes to mind is to
> > > > configure a simple access provider to limit the access to just the
> > > > users you care about (man sssd-simple) or configure ldap access provider
> > > > based on a filter (man sssd-ldap).
> > >
> > > Hi,
> > >
> > > The user shouldn't be even saved to cache if it's filtered out of
> > > range.
> > >
> > > But looking at the current NSS code, the entry would have been
> > > returned if it was saved *before* you changed the min_id/max_id
> > > parameters. Could that be the case? Can you check if after removing the
> > > cache the entry still shows up?
> > >
> > > I think that the fact that the entry is returned from cache even if it
> > > should be filtered out is a bug:
> > > https://fedorahosted.org/sssd/ticket/1954
> >
> > So far we always maintained that if you consistently change
> > configuration (and a change of ranges is a big change) then it's on the
> > admin to wipe the cache file.
>
> Yes, that's why the ticket is minor. But mostly I don't like the
> inconsistency where some requests check the ranges even in the responder
> and some don't.
>
>


--
http://about.me/chandank

[Freeipa-users] Limiting Host access by UID/GID

2013-05-30 Thread Chandan Kumar
Hello,

As part of migration from passwd/shadow to IPA, I want to roll out IPA/SSSD
based password first for a small number of users and then for all (same
goes with hosts: first a small number of hosts and then all).

I was trying to limit it using the max_id/min_id parameters in sssd but it does
not seem to work the way I expected.
---
min_id = 5000
max_id = 5100
--
So there is a user "kchandan" with UID/GID 2
--
[root@tipa1 ~]# id kchandan
uid=2(kchandan) gid=2 groups=2
---

But it is allowing me to login with that ID, with the only error showing GID
2 not found.
---
ssh 10.2.3.105 -l kchandan
kchandan@10.2.3.105's password:
id: cannot find name for group ID 2
-

Is there any way to achieve this?

Thanks
Chandan


--
http://about.me/chandank

[Freeipa-users] User Roles and access in GUI

2013-04-15 Thread Chandan Kumar
I agree it won't be a security feature, nor are you doing anything wrong by not
adding it. However, it might come as a nice-to-have feature. Let me explain
my situation.

We host a web application where a lot of DNS entries (public and internal) are
created for different kinds of requests and features. Now we already have a
separate DNS server and separate manual Linux user/access control management
by puppet. Linux users' ACLs have no relationship with the web application
users (which are internal to the web app).

So FreeIPA can help me to centralize the Linux user management as well as
(public and internal) DNS. However, the problem is: traditionally the
access levels were different for DNS users (support guys) and user
management (sysadmins). Now, bringing both systems together, everything, even
the host based access control and sudoers rules, becomes visible to the
non-sysadmin group.

You are right that every user could query all entries from the command line and
hence it won't help to secure the system, but not having it in the GUI may
help to avoid "obvious" visibility of the whole directory.

I believe similar GUI "views" could be applied to the discussion at

http://osdir.com/ml/freeipa-users/2013-03/msg00218.html

where geographically separate organization units may share the same
directory with limited visibility of other branches.


Having said that, I am not sure how feasible/logical my view is owing to my
limited knowledge of 389 directory server and IPA.

Thanks
Chandan


On Monday, April 15, 2013, Dmitri Pal wrote:

>  On 04/15/2013 11:11 AM, Chandan Kumar wrote:
>
>
>  I think controlling Visibility of tabs would be the best option, if
> possible, based on Roles as mentioned by Rob. As long as other entries are
> not visible in UI, even though they have read only access with command
> line, should be enough.
>
>
> It would not be a security feature though. Just a convenience because the
> same admin would be able to bind directly to ldap and run a search. This is
> why we did not go this route. Yes we can hide panels but it would not mean
> that the user can't easily get that info. So is there really a value in
> hiding? So far we did not see any this is why we did not do it, but may be
> you have some arguments that might convince us that we are wrong. Can you
> please share these arguments with us?
>
>
> On Monday, April 15, 2013, Alexander Bokovoy wrote:
>
>> On Mon, 15 Apr 2013, Petr Spacek wrote:
>>
>>> On 15.4.2013 15:39, Rob Crittenden wrote:
>>>
>>>> There is no easy way to do this. We start with granting all authenticated
>>>> users read access to the tree with the exception of certain attributes
>>>> (like passwords).
>>>>
>>>> You'd have to start by removing that, then one by one granting read
>>>> access to the various containers based on, well, something.
>>>>
>>>
>>> Would it be possible to create a new role to allow current 'read-all
>>> access' and add this role to all users by default?
>>>
>>> It could be much simpler to change the behaviour with this role, or not?
>>> :-)
>>>
>> It would affect service accounts (include host/fqdn@REALM) since roles
>> cannot be applied to them, if I remember correctly. We would need to
>> make an exclusive ACI that allows all services to gain read only access...
>>
>> --
>> / Alexander Bokovoy
>>
>>
>
>
> --
> http://about.me/chandank
>
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>

--
http://about.me/chandank

[Freeipa-users] User Roles and access in GUI

2013-04-15 Thread Chandan Kumar
I think controlling Visibility of tabs would be the best option, if
possible, based on Roles as mentioned by Rob. As long as other entries are
not visible in UI, even though they have read only access with command
line, should be enough.


On Monday, April 15, 2013, Alexander Bokovoy wrote:

> On Mon, 15 Apr 2013, Petr Spacek wrote:
>
>> On 15.4.2013 15:39, Rob Crittenden wrote:
>>
>>> There is no easy way to do this. We start with granting all authenticated
>>> users read access to the tree with the exception of certain attributes
>>> (like passwords).
>>>
>>> You'd have to start by removing that, then one by one granting read
>>> access to the various containers based on, well, something.
>>>
>>
>> Would it be possible to create a new role to allow current 'read-all
>> access' and add this role to all users by default?
>>
>> It could be much simpler to change the behaviour with this role, or not?
>> :-)
>>
> It would affect service accounts (include host/fqdn@REALM) since roles
> cannot be applied to them, if I remember correctly. We would need to
> make an exclusive ACI that allows all services to gain read only access...
>
> --
> / Alexander Bokovoy
>
>


--
http://about.me/chandank

Re: [Freeipa-users] User Roles and access in GUI

2013-04-12 Thread Chandan Kumar
Thanks for the response.

We can turn off anonymous bind in 389 Server using
"nsslapd-allow-anonymous-access: off".

Is there any way to limit the read access of a user to only the DNS
entries? That way I can create a user who could/will be able to see/edit
DNS entries only.

Thanks,
Chandan

On Friday, April 12, 2013, Dmitri Pal wrote:

> On 04/12/2013 02:23 AM, Martin Kosek wrote:
> > On 04/12/2013 01:07 AM, Chandan Kumar wrote:
> >> Hello,
> >>
> >> I have a question regarding User Roles and Access in GUI. What I have
> >> found is that irrespective of the Role assigned to a user, he gets read
> >> only access across the directory.
> >>
> >> For example, I created one user say "dnsadmin" with only Roles related
> >> to DNS such as DNS Servers, DNS Administrator. Now that user has read
> >> only access to the entire directory. Is there any way of controlling it?
> >>
> >>
> >> Thanks,
> >> Chandan
> >>
> > Hello Chandan,
> >
> > If you create a new role, assign "DNS Administrators" privilege to it,
> > and assign that role to user dnsadmin, that user will have write access to
> > the DNS tree and configuration.
> >
> > Beyond that tree, dnsadmin will have read-only access just like all other
> > non-admin users. If you want dnsadmin to have write access also to other
> > entries, you would need to assign more privileges/roles to it.
> >
> > HTH,
> > Martin
> >
>
>
> If you are worried about the read access: the LDAP data is traditionally
> readable by any authenticated user.
> In the past it was even possible to read the tree as an anonymous user,
> which is a bad security practice and not recommended.
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>


--
http://about.me/chandank

[Freeipa-users] User Roles and access in GUI

2013-04-11 Thread Chandan Kumar
Hello,

I have a question regarding User Roles and Access in GUI. What I have found
is that irrespective of the Role assigned to a user, he gets read only access
across the directory.

For example, I created one user say "dnsadmin" with only Roles related to
DNS such as DNS Servers, DNS Administrator. Now that user has read only
access to the entire directory. Is there any way of controlling it?


Thanks,
Chandan




--
http://about.me/chandank

[Freeipa-users] Shadow/Unix Password Import/Migrate

2013-04-04 Thread Chandan Kumar
Hello,

I am setting up an IPA server for all our Linux machines, mostly CentOS 5/6.
As of now all user shadow passwords are managed by puppet.

As part of moving to IPA I could not find a way to import all passwords
to IPA without forcing users to reset the password.

Thanks
Chandan


--
http://about.me/chandank

Re: [Freeipa-users] Issue while setting up Replication

2013-04-01 Thread Chandan Kumar
Finally it worked. It must have been some configuration issue at my end. I
spun up fresh VMs, followed the steps again and it worked like a cake.

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_IPA_Replicas.html


Thank you so much for all help.


On Monday, April 1, 2013, Chandan Kumar wrote:

> Thanks for the prompt response. I was wrong in mentioning that krb is not
> running on the UDP port; it is running.
>
> Now this time, I did not specify --skip-conncheck and ended up with same
> error. I could see ldap requests are reaching to the Primary IPA server
> from secondary (both from tshark and directory server logs).
>
> #ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa02.ma.net.gpg
>
> (I tried with/without --setup-ca got same result)
>
> I have pasted the directory server (Primary ipa01 machine) logs in the
> below paste bin
>
> http://pastebin.com/HxAwMiDw
>
> And replication logs (on the replica ipa02 machine)
>
> http://pastebin.com/QNNRVw2k.
>
> I am not using IPA server for DNS, I have separate DNS server and both
> host names are getting resolved.
>
> Connection with ldap search command.
>
> It appears that it is not able to connect at the secure port (this could be
> the reason)
>
> #ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://ipa01.ma.net
> Enter LDAP Password:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> -
> Works perfect on non Secure port
>
> # ldapsearch -x -D "cn=Directory Manager" -W -H ldap://ipa01.ma.net
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
> ---------
>
> I was under impression that ipa-replica-install does the SSL stuff, may be
> I am wrong.
>
> Thanks
> Chandan
>
> On Monday, April 1, 2013, Rob Crittenden wrote:
>
>> Chandan Kumar wrote:
>>
>>> Hello,
>>>
>>> I am new to FreeIPA so far I have setup the Server and few test clients,
>>> all went really smooth. However, I am having hard time in setting up the
>>> replication and any help will great!.
>>>
>>> I am using CentOS 6.4. Package Info
>>>
>>> ipa-server-3.0.0-26.el6_4.2.x86_64
>>> 389-ds-base-1.2.11.15-12.el6_4.x86_64
>>>
>>> I followed the steps mentioned in
>>>
>>> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html
>>>
>>
>> FYI, these are very out-of-date.
>>
>>> When I try to set up the replica with the replica prepare file from the
>>> master with --skip-conncheck (because krb is not running on UDP
>>> ports)
>>>
>>
>> I don't understand, you got an error about KRB not running on the UDP
>> ports?
>>
>>> ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg
>>> --skip-conncheck
>>>
>>> At the end I get below error
>>>
>>> -----
>>>   [22/31]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> [ipa01.ma.net] reports: Update failed! Status: [-1  - LDAP error: Can't
>>> contact LDAP server]
>>>
>>
>> Well, something is blocking the connection, or the server on ipa01 isn't
>> running. This is a really low-level networking error.
>>
>>
>>> I also find similar error reported while setting up ipa on Fedora 18 at
>>> https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html
>>>
>>> But could not find its resolution.
>>>
>>
>> We never heard back from the user. You're saying you see the same error?
>>
>>> I am able to connect to the 389/636 port from the slave. Firewall is off
>>> on both ends and hostnames resolve properly.
>>>
>>
>> On ipa02 you might try:
>>
>> $ ldapsearch -x -H ldap://ipa01.ma.net -s base -b '' namingContexts
>>
>> You might also try wireshark to monitor the connection request.
>>
>> rob
>>
>
>
> --
> http://about.me/chandank
>
>

--
http://about.me/chandank

[Freeipa-users] Issue while setting up Replication

2013-04-01 Thread Chandan Kumar
Thanks for the prompt response. I was wrong in mentioning that krb is not
running on the UDP port; it is running.

Now this time, I did not specify --skip-conncheck and ended up with same
error. I could see ldap requests are reaching to the Primary IPA server
from secondary (both from tshark and directory server logs).

#ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa02.ma.net.gpg

(I tried with/without --setup-ca got same result)

I have pasted the directory server (Primary ipa01 machine) logs in the below
paste bin

http://pastebin.com/HxAwMiDw

And replication logs (on the replica ipa02 machine)

http://pastebin.com/QNNRVw2k.

I am not using IPA server for DNS, I have separate DNS server and both host
names are getting resolved.

Connection with ldap search command.

It appears that it is not able to connect at the secure port (this could be the
reason)

#ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://ipa01.ma.net
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

-
Works perfect on non Secure port

# ldapsearch -x -D "cn=Directory Manager" -W -H ldap://ipa01.ma.net
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

-

I was under impression that ipa-replica-install does the SSL stuff, may be
I am wrong.

Thanks
Chandan

On Monday, April 1, 2013, Rob Crittenden wrote:

> Chandan Kumar wrote:
>
>> Hello,
>>
>> I am new to FreeIPA so far I have setup the Server and few test clients,
>> all went really smooth. However, I am having hard time in setting up the
>> replication and any help will great!.
>>
>> I am using CentOS 6.4. Package Info
>>
>> ipa-server-3.0.0-26.el6_4.2.x86_64
>> 389-ds-base-1.2.11.15-12.el6_4.x86_64
>>
>> I followed the steps mentioned in
>>
>> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html
>>
>
> FYI, these are very out-of-date.
>
>> When I try to set up the replica with the replica prepare file from the
>> master with --skip-conncheck (because krb is not running on UDP ports)
>>
>
> I don't understand, you got an error about KRB not running on the UDP
> ports?
>
>> ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg
>> --skip-conncheck
>>
>> At the end I get below error
>>
>> -----
>>   [22/31]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [ipa01.ma.net] reports: Update failed! Status: [-1  - LDAP error: Can't
>> contact LDAP server]
>>
>
> Well, something is blocking the connection, or the server on ipa01 isn't
> running. This is a really low-level networking error.
>
>
>> I also find similar error reported while setting up ipa on Fedora 18 at
>> https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html
>>
>> But could not find its resolution.
>>
>
> We never heard back from the user. You're saying you see the same error?
>
>  I am able to connect to the 389/636 port from the slave. Firewall is off
>> on both ends and hostnames resolve properly.
>>
>
> On ipa02 you might try:
>
> $ ldapsearch -x -H ldap://ipa01.ma.net -s base -b '' namingContexts
>
> You might also try wireshark to monitor the connection request.
>
> rob
>


-- 

--
http://about.me/chandank
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
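A pre-flight reachability check of the kind this thread needs, added here as an example; it is not code from the thread and not FreeIPA's own ipa-replica-conncheck. "Can't contact LDAP server" during ipa-replica-install is a plain connection failure, so before re-running the installer it is worth verifying from the replica that each service port on the master completes a TCP handshake. The port list and the default host name are assumptions.

```python
"""Pre-flight TCP reachability check for a FreeIPA master (added example).

Not code from the thread and not FreeIPA's own ipa-replica-conncheck.
The port list below is an assumption drawn from a default FreeIPA 3.x
master; adjust it to your deployment.
"""
import socket
import sys

# Assumed default FreeIPA 3.x master ports (TCP only; UDP cannot be
# verified with a handshake, which is part of what the installer's own
# conncheck covers).
DEFAULT_TCP_PORTS = {
    389: "LDAP",
    636: "LDAPS",
    88: "Kerberos KDC",
    464: "kpasswd",
    443: "HTTPS (ipa/xml)",
}


def check_tcp_port(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unroutable or unresolvable: all count as blocked.
        return False


def conncheck(host, ports=DEFAULT_TCP_PORTS, timeout=3.0):
    """Probe every port in `ports`; return {port: reachable}."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Sorted list of ports that did not accept a connection."""
    return sorted(port for port, ok in results.items() if not ok)


def report(host, results, ports=DEFAULT_TCP_PORTS):
    """Human-readable lines, one per port, marking unreachable ports BLOCKED."""
    lines = []
    for port, ok in sorted(results.items()):
        state = "open" if ok else "BLOCKED"
        lines.append(f"{host}:{port:<5} {ports.get(port, 'unknown'):<16} {state}")
    return lines


if __name__ == "__main__":
    # Hypothetical master name; pass the real one as the first argument.
    master = sys.argv[1] if len(sys.argv) > 1 else "ipa01.ma.net"
    results = conncheck(master)
    print("\n".join(report(master, results)))
    if blocked_ports(results):
        print("Fix connectivity before running ipa-replica-install", file=sys.stderr)
        sys.exit(1)
```

Run it on the replica against the master's hostname; a BLOCKED line for 389 or 636 reproduces exactly the failure the installer reported, and points at the firewall or the directory server rather than at replication itself.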

[Freeipa-users] Issue while setting up Replication

2013-04-01 Thread Chandan Kumar
Hello,

I am new to FreeIPA. So far I have set up the server and a few test clients,
and all went really smoothly. However, I am having a hard time setting up the
replication, and any help will be great!

I am using CentOS 6.4. Package Info

ipa-server-3.0.0-26.el6_4.2.x86_64
389-ds-base-1.2.11.15-12.el6_4.x86_64

I followed the steps mentioned in

http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html

When I try to set up the replica with the replica prepare file from the
master with --skip-conncheck (because krb is not running on UDP ports)

ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg
--skip-conncheck.

At the end I get the error below

-
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
[ipa01.ma.net] reports: Update failed! Status: [-1  - LDAP error: Can't
contact LDAP server]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Failed to start replication
---
On the log file
---

2013-04-01T16:25:53Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa01.ma.net:636 conn=
2013-04-01T16:25:54Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 473, in main
ds = install_replica_ds(config)

  File "/usr/sbin/ipa-replica-install", line 150, in install_replica_ds
pkcs12_info)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py",
line 300, in create_replica
self.start_creation(runtime=60)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
line 358, in start_creation
method()
:
  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py",
line 313, in __setup_replica
r_bindpw=self.dm_password)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py",
line 865, in setup_replication
raise RuntimeError("Failed to start replication")

2013-04-01T16:25:54Z INFO The ipa-replica-install command failed,
exception: RuntimeError: Failed to start replication



I also found a similar error reported while setting up IPA on Fedora 18 at
https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html

But I could not find its resolution.

I am able to connect to the 389/636 port from the slave. Firewall is off on
both ends and hostnames resolve properly.



Thanks





-- 

--
http://about.me/chandank

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Chandan Kumar
The kinit does show that the keys are there.

[root@ipaserver ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/15/12 09:13:35  05/16/12 09:13:32  krbtgt/example@example.com




Thanks
Chandan





On Tue, May 15, 2012 at 7:35 AM, Chandan Kumar wrote:

> Hi,
> I am running the default Firefox that comes with CentOS 6.2. I guess that
> whatever time I do kinit it just does not work for me, even for a single
> time.
>
> Also it shows that I am logged in as u...@freeipa.org in the main
> background web page. Not sure whether it's relevant to this error.
>
>
> On Monday, 14 May 2012, Steven Jones wrote:
>
>>  Hi,
>>
>>
>>
>> I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't
>> connect but that's a Safari issue I'm sure.
>>
>>
>>
>> After running "kinit admin" I find the Kerberos ticket expires about 24
>> hours later, so you have to renew? What you can do if it simply won't
>> work is get IPA to fall back to asking for a password, which is what I have
>> had to set for Windows 7 Firefox users.
>>
>>
>>
>> It might depend on which version of Firefox; 3 and 10 do work. I
>> think RH say Firefox 10 is the long term supported version for them, so I'd
>> run that at least.
>>
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>   --
>> *From:* freeipa-users-boun...@redhat.com [
>> freeipa-users-boun...@redhat.com] on behalf of Chandan Kumar [
>> chandank.ku...@gmail.com]
>> *Sent:* Tuesday, 15 May 2012 9:25 a.m.
>> *To:* d...@redhat.com
>> *Cc:* freeipa-users@redhat.com
>> *Subject:* Re: [Freeipa-users] Help regarding Basic FreeIPA setup
>>
>>
>> System: Centos 6.2
>> IPA version : ipa-server-2.1.3-9.el6.x86_64
>>
>>
>> Thanks
>> Chandan
>>
>>
>>
>>
>>
>> On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  wrote:
>>
>>>
>>>  On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>>>
>>> I am a newbie in IPA and was experimenting with it on a couple of my VMs before
>>> considering it for production.
>>>
>>> Installation went fine; however, I am getting the Kerberos key
>>> expiration error in Firefox. I am running Firefox on the same machine where
>>> I have installed/configured ipa-server. After googling and some help on IRC I
>>> checked the documentation to troubleshoot it, as this appears to be a known
>>> problem.
>>>
>>> Moreover, I did follow
>>>
>>> http://freeipa.org/page/InstallAndDeploy
>>> http://freeipa.org/page/TroubleshootingGuide
>>>
>>> Firefox logs
>>>
>>> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>>> [rv=80004005]
>>> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
>>> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
>>> -1977841888[7fc789f5b040]:   using negotiate-gss
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
>>> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
>>> [challenge=Negotiate]
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
>>> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified
>>> GSS failure.  Minor code may provide more information
>>> SPNEGO cannot find mechanisms to negotiate
>>> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>>> [rv=80004005]
>>>
>>> [root@ds var]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: ad...@example.com
>>>
>>> Valid starting     Expires            Service principal
>>> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
>>> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/
>>> ipaserver.example@example.com
>>> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/
>>> ipaserver.example@example.com
>>> [root@ds var]#
>>>
>>> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>>>
>>> at http://fpaste.org/9hXX/
>>>
>>> I am not sure what I am missing though. Appreciate any help.
>>>
>>> Thanks
>>> Chandan
>>>
>>>
>>>
>>>
>>>  Are you running FF on Windows?
>>> Which version of IPA are you using?
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
>>>
>>>
>>> ---
>>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>
>>
>
> --
> Sent from my iPad
>

[Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Chandan Kumar
Hi,
I am running the default Firefox that comes with CentOS 6.2. I guess that
whatever time I do kinit it just does not work for me, even for a single
time.

Also it shows that I am logged in as u...@freeipa.org in the main
background web page. Not sure whether it's relevant to this error.

On Monday, 14 May 2012, Steven Jones wrote:

>  Hi,
>
>
>
> I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't
> connect but that's a Safari issue I'm sure.
>
>
>
> After running "kinit admin" I find the Kerberos ticket expires about 24
> hours later, so you have to renew? What you can do if it simply won't
> work is get IPA to fall back to asking for a password, which is what I have
> had to set for Windows 7 Firefox users.
>
>
>
> It might depend on which version of Firefox; 3 and 10 do work. I think
> RH say Firefox 10 is the long term supported version for them, so I'd run
> that at least.
>
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>   ------
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Chandan Kumar [chandank.ku...@gmail.com]
> *Sent:* Tuesday, 15 May 2012 9:25 a.m.
> *To:* d...@redhat.com
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Help regarding Basic FreeIPA setup
>
>
> System: Centos 6.2
> IPA version : ipa-server-2.1.3-9.el6.x86_64
>
>
> Thanks
> Chandan
>
>
>
>
>
> On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  wrote:
>
>>
>>  On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>>
>> I am a newbie in IPA and was experimenting with it on a couple of my VMs before
>> considering it for production.
>>
>> Installation went fine; however, I am getting the Kerberos key expiration
>> error in Firefox. I am running Firefox on the same machine where I have
>> installed/configured ipa-server. After googling and some help on IRC I checked
>> the documentation to troubleshoot it, as this appears to be a known problem.
>>
>> Moreover, I did follow
>>
>> http://freeipa.org/page/InstallAndDeploy
>> http://freeipa.org/page/TroubleshootingGuide
>>
>> Firefox logs
>>
>> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
>> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
>> -1977841888[7fc789f5b040]:   using negotiate-gss
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
>> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
>> [challenge=Negotiate]
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
>> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS
>> failure.  Minor code may provide more information
>> SPNEGO cannot find mechanisms to negotiate
>> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>>
>> [root@ds var]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@example.com
>>
>> Valid starting     Expires            Service principal
>> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
>> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/
>> ipaserver.example@example.com
>> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/
>> ipaserver.example@example.com
>> [root@ds var]#
>>
>> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>>
>> at http://fpaste.org/9hXX/
>>
>> I am not sure what I am missing though. Appreciate any help.
>>
>> Thanks
>> Chandan
>>
>>
>>
>>
>>  Are you running FF on Windows?
>> Which version of IPA are you using?
>>
>>
>>
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> ---
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>
>>
>>
>
>

-- 
Sent from my iPad

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Chandan Kumar
System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  wrote:

>
> On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>
> I am a newbie in IPA and was experimenting with it on a couple of my VMs before
> considering it for production.
>
> Installation went fine; however, I am getting the Kerberos key expiration
> error in Firefox. I am running Firefox on the same machine where I have
> installed/configured ipa-server. After googling and some help on IRC I checked
> the documentation to troubleshoot it, as this appears to be a known problem.
>
> Moreover, I did follow
>
> http://freeipa.org/page/InstallAndDeploy
> http://freeipa.org/page/TroubleshootingGuide
>
> Firefox logs
>
> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
> -1977841888[7fc789f5b040]:   using negotiate-gss
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
> [challenge=Negotiate]
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS
> failure.  Minor code may provide more information
> SPNEGO cannot find mechanisms to negotiate
> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
>
> [root@ds var]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting     Expires            Service principal
> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/
> ipaserver.example@example.com
> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/
> ipaserver.example@example.com
> [root@ds var]#
>
> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>
> at http://fpaste.org/9hXX/
>
> I am not sure what I am missing though. Appreciate any help.
>
> Thanks
> Chandan
>
>
>
>
> Are you running FF on Windows?
> Which version of IPA are you using?
>
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>
>

Re: [Freeipa-users] FreeIPA and others

2012-05-13 Thread Chandan Kumar
Yeah, you are right. Basically our network does not currently have an overall user
authentication module such as OpenLDAP or 389. I was looking around for a
better solution that could work in a Win + Linux environment. At the same
time it should be so painful to set up that I have to invest weeks of my full
efforts to get it to run.

Thanks
Chandan





On Sun, May 13, 2012 at 2:20 PM, Steven Jones wrote:

>  Hi,
>
> From a user perspective such as myself,
>
> If it's mission critical and a complex need today then you need to also look
> at more mature solutions. These however will cost you a lot of time and
> money to deploy. We have been there and the costs are obscene and the
> support worryingly poor in AP. Since you have only mentioned 389 and
> OpenLDAP as options I suspect IPA will suit you; it's the best of the three,
> so take a look.
>
>  regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>   --
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Chandan Kumar [chandank.ku...@gmail.com]
> *Sent:* Saturday, 12 May 2012 6:18 a.m.
> *To:* Freeipa-users@redhat.com
> *Subject:* [Freeipa-users] FreeIPA and others
>
>  Hi All,
>
> I was considering different centralized authentication/authorization
> services such as FreeIPA, 389 and OpenLDAP to deploy into our network in
> order to have a good centralized user authentication/authorization
> mechanism. I was wondering what the key things are that FreeIPA provides as
> compared to other directory services in terms of extra features, ease of
> deployment and use etc.
>
> Thanks
> Chandan
>
>
>
>
>

Re: [Freeipa-users] FreeIPA and others

2012-05-11 Thread Chandan Kumar
Thanks for the info. Now I will start working on to setup FreeIPA,
hopefully it heals rather than aggravating the pains :-)

Thanks
Chandan





On Fri, May 11, 2012 at 1:16 PM, John Dennis  wrote:

> On 05/11/2012 03:51 PM, Chandan Kumar wrote:
>
>> Thanks John for reply.
>>
>> Ok. So basically it integrates the various subsystems required to have a
>> full-fledged AAA system and gives the end user a single controlling interface
>> to control the various components.
>>
>
> Excellent summary.
>
>
>  So will its web GUI enable control of the 389, Krb and RADIUS configurations
>> too?
>>
>
> The web gui controls 389 and KRB configuration and the data those services
> operate on.
>
> We currently do not support RADIUS; however, it's on the roadmap. A
> fundamental problem with RADIUS is that many of the authentication protocols
> used in RADIUS require access to a cleartext password or hash. So far we've
> been assiduous in not storing and exposing this material for security
> reasons. There are possible solutions but we've decided there are more
> important features to address first.
>
>
>  Because if I look at each of these components individually, each needs
>> to be set up separately with a lot of pain.
>>
>
> Absolutely, the pain threshold of setting those component up and getting
> them to play together is high. One of the primary design goals of FreeIPA
> is to eliminate those pain points so you can focus on administrating your
> user base.
>
>
>
> --
> John Dennis 
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

Re: [Freeipa-users] FreeIPA and others

2012-05-11 Thread Chandan Kumar
Thanks John for reply.

Ok. So basically it integrates the various subsystems required to have a
full-fledged AAA system and gives the end user a single controlling interface to
control the various components.

So will its web GUI enable control of the 389, Krb and RADIUS configurations
too? Because if I look at each of these components individually, each needs to
be set up separately with a lot of pain.

Thanks
Chandan





On Fri, May 11, 2012 at 12:23 PM, John Dennis  wrote:

> On 05/11/2012 02:18 PM, Chandan Kumar wrote:
>
>> Hi All,
>>
>> I was considering different centralized authentication/authorization
>> services such as FreeIPA, 389 and OpenLDAP to deploy into our network
>> in order to have a good centralized user authentication/authorization
>> mechanism. I was wondering what the key things are that FreeIPA provides as
>> compared to other directory services in terms of extra features, ease of
>> deployment and use etc.
>>
>
> FreeIPA is an integrated solution that includes DNS, kerberos SSO, host
> management, HBAC, role based authorization, integration with SSSD,
> sophisticated group management, sudo support, certificate management, can
> replace NIS and netgroups, supports replication for redundant servers, etc.
> It supports both a scriptable command line utility set as well as a web
> based GUI. The next version will include support for cross realm trusts
> allowing for powerful integration with Active Directory.
>
> FreeIPA is built on top of 389 DS, MIT Kerberos KDC and the Dogtag
> certificate management system. OpenLDAP is, well, just an LDAP server (some
> assembly required).
>
> The whole idea of FreeIPA is to take the basic primitive services supplied
> by an LDAP server but make it vastly more powerful by layering a lot of
> sophisticated functionality on top of it which is fully integrated and easy to
> use.
>
>
> --
> John Dennis 
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

[Freeipa-users] FreeIPA and others

2012-05-11 Thread Chandan Kumar
Hi All,

I was considering different centralized authentication/authorization
services such as FreeIPA, 389 and OpenLDAP to deploy into our network in
order to have a good centralized user authentication/authorization
mechanism. I was wondering what the key things are that FreeIPA provides as
compared to other directory services in terms of extra features, ease of
deployment and use etc.

Thanks
Chandan