[Freeipa-users] Group Policy-like features in FreeIPA

2015-01-11 Thread Dale Macartney
Morning folks

I am currently working on a little pet project which I think some would
find useful.

I would like to introduce some Group Policy-like functionality into a
FreeIPA domain.

For example:
In an environment running FreeIPA Server with Fedora or RHEL based
workstations, I would like to be able to introduce a few extra features
which initially may be pushed via a login script (maybe even configure a
dbus session as well, who knows?).

My intentions here would be to be able to apply host specific policies as
well as have the option for user specific policies which would be applied
when the user logs in.

Practically speaking, adding an attribute to LDAP to specify a login script
file name is easy enough; however, actually fetching it is where I am
hoping for a bit of brainstorming. My thought is that the local user
would fetch the name of the login script via LDAP, and then perhaps fetch
the file from a shared resource on the FreeIPA masters in order to be
executed locally.

LDAP is obviously replicated; however, to my knowledge, there is no file
synchronization between masters. I am thinking of something similar to the MS
equivalent, the SYSVOL data that replicates between MS Domain
Controllers. One option would be to store all data within LDAP; however,
I've seen many scenarios where admins store CD ISOs in replicated domain
data, so I am not certain this would be the best option.

With this replicated data folder, I would be able to store centrally
managed scripts which would be used for hosts or users, and then configure
the default user template on each workstation (/etc/skel/) to add the login
script file name which would be fetched from the user's LDAP attributes.


Real-world usability for what I am thinking of is a way to manage users who
can have their corporate email mailbox configured on login, automatically
setting the user's session to point to an internal SSO-enabled proxy server,
or perhaps any number of other things which an admin may wish to achieve
without the need to do the work manually themselves.

Has anyone undertaken a similar scenario in their environments or would
perhaps have any suggestions on how to manage the centrally accessible file
stores?

Many thanks

Dale
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Dovecot/Postfix Auth, howto not working ?

2014-05-08 Thread Dale Macartney



On 05/04/2014 10:22 PM, Matt . wrote:
> Hi Guys,
>
> I'm trying to auth Dovecot against FreeIPA using this tut:
>
> http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On
>
> (and also Postfix using this:
> https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
> (as it should be working with dovecot at the end I believe)
>
> I'm having some issues here and get the following errors no matter
> what I do:

Hi Matt

Apologies for the delayed response.

> May  4 23:13:28 mail-01 dovecot: imap-login: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx

This particular log output is consistent with a failed login attempt
when using SSL; however, the Dovecot howto will set up StartTLS and not SSL.

Could you please confirm how you are testing this setup? OS version of
both IPA server and mail server, OS version and also mail client of the
workstation.

I'm setting up a new demo lab with these how-tos at present to verify
the steps on RHEL 6.5 to ensure there are no changes required.


Dale

> May  4 23:13:28 mail-01 postfix/smtpd[2949]: fatal: no SASL authentication mechanisms
> May  4 23:13:29 mail-01 postfix/master[1627]: warning: process /usr/lib/postfix/smtpd pid 2949 exit status 1
> May  4 23:13:29 mail-01 postfix/master[1627]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
> May  4 23:14:18 mail-01 dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
> May  4 23:14:18 mail-01 dovecot: master: Error: service(auth): command startup failed, throttling
> May  4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max connection rate 1/60s for (smtp:xxx.xxx.xxx.xxx) at May  4 23:13:18
> May  4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max connection count 1 for (smtp:xxx.xxx.xxx.xxx) at May  4 23:13:18
> May  4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max cache size 1 at May  4 23:13:18
>
> Outside the issue that it cannot find the aliases db, I'm kinda stuck
> here... the tut should be working "out of the box", but I have the
> feeling I'm missing something here.
>
> I hope someone can help me out!
>
> Thanks!
>
> Matt



Re: [Freeipa-users] Adding Display Pictures/Avatars into FreeIPA

2013-12-08 Thread Dale Macartney



On 07/12/13 19:22, Dmitri Pal wrote:
> On 12/06/2013 08:56 AM, Simo Sorce wrote:
>> Maybe you can open a RFE to let the framework support jpegphoto
>> natively ? Simo.
>
> Yes, that would be really nice.
>
Here you go folks, first trac ticket so be gentle!! :-)

https://fedorahosted.org/freeipa/ticket/4073





Re: [Freeipa-users] Adding Display Pictures/Avatars into FreeIPA

2013-12-06 Thread Dale Macartney



On 05/12/13 22:58, Simo Sorce wrote:
> On Thu, 2013-12-05 at 22:32 +0000, Dale Macartney wrote:
>> Hi folks
>>
>> Just a quick mail from me before I call it a night.
>>
>> Today I've added user display pictures/avatars into FreeIPA, detailed
>> here.
>>
>> https://www.dalemacartney.com/2013/12/05/adding-display-picturesavatars-red-hat-idmfreeipa/
>>
>> As well as pulling those images into a GNOME3 desktop session, detailed
>> here.
>>
>> https://www.dalemacartney.com/2013/12/05/loading-display-picturesavatars-red-hat-idmfreeipa-gnome3/
>>
>> Would love some feedback if anyone is interested in these items.
>>
>> G'night all.
>>
>
> Great stuff Dale, I wonder if ipa user-mod --addattr could be used to
> load the avatar, instead of using ldap commands.
>
> Simo.
G'day Simo

Thanks for the suggestion; however, I haven't been able to do it with an
ipa command for this task.

I've tried the following:

[root@ds01 ~]# ipa user-mod --addattr="objectClass=jpegPhoto"
--addattr="jpegPhoto:< file:///root/hulk.jpg" bbanner
ipa: ERROR: invalid 'addattr': Invalid format. Should be name=value
[root@ds01 ~]#
[root@ds01 ~]#
[root@ds01 ~]# ipa user-mod --addattr="objectClass=jpegPhoto"
--addattr="jpegPhoto:/root/hulk.jpg" bbanner
ipa: ERROR: invalid 'addattr': Invalid format. Should be name=value
[root@ds01 ~]# ipa user-mod --addattr="objectClass=jpegPhoto"
--addattr="jpegPhoto=< file:///root/hulk.jpg" bbanner
ipa: ERROR: unknown object class "jpegPhoto"
[root@ds01 ~]# ipa user-mod --addattr="jpegPhoto=<
file:///root/hulk.jpg" bbanner
- ---
Modified user "bbanner"
- ---
  User login: bbanner
  First name: Bruce
  Last name: Banner
  Home directory: /home/bbanner
  Login shell: /bin/sh
  Email address: bban...@example.com
  UID: 212800012
  GID: 212800012
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@ds01 ~]# ipa user-show --all bbanner
  dn: uid=bbanner,cn=users,cn=accounts,dc=example,dc=com
  User login: bbanner
  First name: Bruce
  Last name: Banner
  Full name: Bruce Banner
  Display name: Bruce Banner
  Initials: BB
  Home directory: /home/bbanner
  GECOS field: Bruce Banner
  Login shell: /bin/sh
  Kerberos principal: bban...@example.com
  Email address: bban...@example.com
  UID: 212800012
  GID: 212800012
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  ipauniqueid: b4009286-5e53-11e3-9d5e-001a4abb
  jpegphoto: PCBmaWxlOi8vL3Jvb3QvaHVsay5qcGc=
  krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  mepmanagedentry: cn=bbanner,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
[root@ds01 ~]#

You can see that the last command, "ipa user-mod
--addattr="jpegPhoto=< file:///root/hulk.jpg" bbanner", is accepted;
however, as the jpegPhoto attribute is encoded with base64, it appears to
be encoding the characters "< file:///root/hulk.jpg" instead of the image
file.

The output above from showing the user after the change only shows the
following text for jpegPhoto:
jpegphoto: PCBmaWxlOi8vL3Jvb3QvaHVsay5qcGc=

When using ldapmodify, that attribute looks like the following

[root@ds01 ~]# ipa user-show --all bbanner
  dn: uid=bbanner,cn=users,cn=accounts,dc=example,dc=com
  User login: bbanner
  First name: Bruce
  Last name: Banner
  Full name: Bruce Banner
  Display name: Bruce Banner
  Initials: BB
  Home directory: /home/bbanner
  GECOS field: Bruce Banner
  Login shell: /bin/sh
  Kerberos principal: bban...@example.com
  Email address: bban...@example.com
  UID: 212800012
  GID: 212800012
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  ipauniqueid: b4009286-5e53-11e3-9d5e-001a4abb
  jpegphoto:
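
As an added example (not from this thread or the FreeIPA project), the Python below decodes the jpegphoto value shown earlier to confirm the CLI stored the literal text "< file:///root/hulk.jpg" rather than image bytes, and builds the base64 ("::") LDIF form that carries the actual file contents the way ldapmodify does. The DN is the one from the user-show output; the image bytes are a constructed stand-in for /root/hulk.jpg.

```python
"""Inspect a jpegPhoto value and build an LDIF that carries real image bytes.

Added example, not part of the original mailing-list post. The entry DN is
taken from the thread; the image bytes are constructed, and no LDAP server
is contacted.
"""
import base64
import re

JPEG_MAGIC = b"\xff\xd8\xff"  # SOI marker every JPEG file starts with

# Value the thread shows after `ipa user-mod --addattr="jpegPhoto=< file:///root/hulk.jpg"`.
OBSERVED_IPA_VALUE = "PCBmaWxlOi8vL3Jvb3QvaHVsay5qcGc="

# Constructed stand-in for /root/hulk.jpg: SOI marker plus filler bytes.
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0" + bytes(range(256)) * 2

ENTRY_DN = "uid=bbanner,cn=users,cn=accounts,dc=example,dc=com"


def classify_jpegphoto(b64_value: str) -> dict:
    """Decode a base64 jpegPhoto value and report whether it is a JPEG or text."""
    raw = base64.b64decode(b64_value, validate=True)
    if raw.startswith(JPEG_MAGIC):
        return {"kind": "jpeg", "size": len(raw)}
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return {"kind": "binary", "size": len(raw)}
    # An LDIF-style "< file://..." literal means the client stored the
    # reference text instead of reading the file it points to.
    if re.match(r"^<\s*file://", text):
        return {"kind": "literal_file_ref", "text": text, "size": len(raw)}
    return {"kind": "text", "text": text, "size": len(raw)}


def _fold_ldif(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; continuation lines begin with one space."""
    if len(line) <= width:
        return line
    head, rest = line[:width], line[width:]
    step = width - 1
    return "\n".join([head] + [" " + rest[i:i + step] for i in range(0, len(rest), step)])


def build_jpegphoto_ldif(dn: str, image: bytes) -> str:
    """Return a `changetype: modify` LDIF adding jpegPhoto from raw image bytes.

    The `jpegPhoto::` form carries base64 of the bytes themselves, which is
    what ldapmodify produces after reading a `jpegPhoto:< file:///path` line.
    """
    if not image.startswith(JPEG_MAGIC):
        raise ValueError("refusing to store non-JPEG bytes in jpegPhoto")
    b64 = base64.b64encode(image).decode("ascii")
    lines = [f"dn: {dn}", "changetype: modify", "add: jpegPhoto",
             _fold_ldif(f"jpegPhoto:: {b64}")]
    return "\n".join(lines) + "\n"


def ldif_jpegphoto_b64(ldif: str) -> str:
    """Unfold the LDIF and return the base64 text of its jpegPhoto value."""
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith("jpegPhoto:: "):
            return line[len("jpegPhoto:: "):]
    raise ValueError("no base64 jpegPhoto in LDIF")


def parse_jpegphoto_from_ldif(ldif: str) -> bytes:
    """Round-trip check: decode the jpegPhoto bytes back out of the LDIF."""
    return base64.b64decode(ldif_jpegphoto_b64(ldif), validate=True)


if __name__ == "__main__":
    print(classify_jpegphoto(OBSERVED_IPA_VALUE))
    ldif = build_jpegphoto_ldif(ENTRY_DN, SAMPLE_JPEG)
    print(ldif.splitlines()[0:4])
    assert parse_jpegphoto_from_ldif(ldif) == SAMPLE_JPEG
```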

[Freeipa-users] Adding Display Pictures/Avatars into FreeIPA

2013-12-05 Thread Dale Macartney


Hi folks

Just a quick mail from me before I call it a night.

Today I've added user display pictures/avatars into FreeIPA, detailed here.

https://www.dalemacartney.com/2013/12/05/adding-display-picturesavatars-red-hat-idmfreeipa/

As well as pulling those images into a GNOME3 desktop session, detailed
here.

https://www.dalemacartney.com/2013/12/05/loading-display-picturesavatars-red-hat-idmfreeipa-gnome3/

Would love some feedback if anyone is interested in these items.

G'night all.

Dale





Re: [Freeipa-users] Trouble verifying domain trust IPA 3.0, AD 2012

2013-03-15 Thread Dale Macartney



On 03/15/2013 10:06 AM, Dale Macartney wrote:
>
>
> On 03/15/2013 10:03 AM, Dale Macartney wrote:
>
>
> > On 03/15/2013 09:52 AM, Sumit Bose wrote:
> > > On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale Macartney wrote:
> > >>
> > > Morning all
>
> > > I have set up the domain trust and have errors when trying
> > > to map groups from AD to IPA
>
> > > Environment is IPA 3.0 on RHEL 6.4 and Windows 2012
>
> > > When adding groups, I get the following.
>
> > > [root@ds01 ~]# ipa group-add --desc='Active Directory Domain Admins
> > > external map' domain_admins_map --external
> > > [root@ds01 ~]# ipa group-add-member domain_admins_map --external
> > > 'NT\Domain Admins'
> > > [member user]:
> > > [member group]:
> > > ipa: ERROR: cannot connect to
> > > u'https://ds01.example.com/ipa/session/xml': Internal Server Error
> > > [root@ds01 ~]#
>
> > > When the above error occurs I see the following in
/var/log/httpd/error_log
>
> > > ==> /var/log/httpd/error_log <==
> > > [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache:
> > > ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME
> > > environment variable (/var/run/ipa_memcached/krbcc_TDN)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi
> > > (pid=5374): Exception occurred processing WSGI script
> > > '/usr/share/ipa/wsgi.py'.
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most
> > > recent call last):
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/share/ipa/wsgi.py", line 49, in application
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > > api.Backend.wsgi_dispatch(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
248, in
> > > __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > > self.route(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
260, in
> > > route
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > > app(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
1193, in
> > > __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > > super(xmlserver_session, self).__call__(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
709, in
> > > __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > > super(xmlserver, self).__call__(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
375, in
> > > __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > > self.wsgi_execute(environ)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
334, in
> > > wsgi_execute
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result =
> > > self.Command[name](*args, **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435,
in __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret =
> > > self.run(*args, **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747,
in run
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > > self.execute(*args, **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line
> > > 1590, in execute
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options)
> > > [Fri Mar 15 09:35:15 

Re: [Freeipa-users] Trouble verifying domain trust IPA 3.0, AD 2012

2013-03-15 Thread Dale Macartney



On 03/15/2013 10:03 AM, Dale Macartney wrote:
>
>
> On 03/15/2013 09:52 AM, Sumit Bose wrote:
> > On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale Macartney wrote:
> >>
> > Morning all
>
> > I have set up the domain trust and have errors when trying to map
> > groups from AD to IPA
>
> > Environment is IPA 3.0 on RHEL 6.4 and Windows 2012
>
> > When adding groups, I get the following.
>
> > [root@ds01 ~]# ipa group-add --desc='Active Directory Domain Admins
> > external map' domain_admins_map --external
> > [root@ds01 ~]# ipa group-add-member domain_admins_map --external
> > 'NT\Domain Admins'
> > [member user]:
> > [member group]:
> > ipa: ERROR: cannot connect to
> > u'https://ds01.example.com/ipa/session/xml': Internal Server Error
> > [root@ds01 ~]#
>
> > When the above error occurs I see the following in
/var/log/httpd/error_log
>
> > ==> /var/log/httpd/error_log <==
> > [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache:
> > ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME
> > environment variable (/var/run/ipa_memcached/krbcc_TDN)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi
> > (pid=5374): Exception occurred processing WSGI script
> > '/usr/share/ipa/wsgi.py'.
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most
> > recent call last):
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/share/ipa/wsgi.py", line 49, in application
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > api.Backend.wsgi_dispatch(environ, start_response)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in
> > __call__
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > self.route(environ, start_response)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in
> > route
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > app(environ, start_response)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in
> > __call__
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > super(xmlserver_session, self).__call__(environ, start_response)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in
> > __call__
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > super(xmlserver, self).__call__(environ, start_response)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in
> > __call__
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > self.wsgi_execute(environ)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
> > wsgi_execute
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result =
> > self.Command[name](*args, **options)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in
__call__
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret =
> > self.run(*args, **options)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > self.execute(*args, **options)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line
> > 1590, in execute
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in
> > post_callback
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] actual_sid =
> > domain_validator.get_sid_trusted_domain_object(sid)
> > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py&qu

Re: [Freeipa-users] Trouble verifying domain trust IPA 3.0, AD 2012

2013-03-15 Thread Dale Macartney



On 03/15/2013 09:52 AM, Sumit Bose wrote:
> On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale Macartney wrote:
>>
> Morning all
>
> I have set up the domain trust and have errors when trying to map
> groups from AD to IPA
>
> Environment is IPA 3.0 on RHEL 6.4 and Windows 2012
>
> When adding groups, I get the following.
>
> [root@ds01 ~]# ipa group-add --desc='Active Directory Domain Admins
> external map' domain_admins_map --external
> [root@ds01 ~]# ipa group-add-member domain_admins_map --external
> 'NT\Domain Admins'
> [member user]:
> [member group]:
> ipa: ERROR: cannot connect to
> u'https://ds01.example.com/ipa/session/xml': Internal Server Error
> [root@ds01 ~]#
>
> When the above error occurs I see the following in
/var/log/httpd/error_log
>
> ==> /var/log/httpd/error_log <==
> [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache:
> ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME
> environment variable (/var/run/ipa_memcached/krbcc_TDN)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi
> (pid=5374): Exception occurred processing WSGI script
> '/usr/share/ipa/wsgi.py'.
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most
> recent call last):
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/share/ipa/wsgi.py", line 49, in application
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> api.Backend.wsgi_dispatch(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> self.route(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in
> route
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> app(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> super(xmlserver_session, self).__call__(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> super(xmlserver, self).__call__(environ, start_response)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in
> __call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> self.wsgi_execute(environ)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
> wsgi_execute
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result =
> self.Command[name](*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in
__call__
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret =
> self.run(*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> self.execute(*args, **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line
> 1590, in execute
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in
> post_callback
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] actual_sid =
> domain_validator.get_sid_trusted_domain_object(sid)
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in
> get_sid_trusted_domain_object
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry =
> self.resolve_against_gc(domain, components['name'])
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in
> resolve_against_gc
> [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry =
> self.__resolve_against_gc

[Freeipa-users] Trouble verifying domain trust IPA 3.0, AD 2012

2013-03-15 Thread Dale Macartney


Morning all

I have set up the domain trust and have errors when trying to map
groups from AD to IPA

Environment is IPA 3.0 on RHEL 6.4 and Windows 2012

When adding groups, I get the following.

[root@ds01 ~]# ipa group-add --desc='Active Directory Domain Admins
external map' domain_admins_map --external
[root@ds01 ~]# ipa group-add-member domain_admins_map --external
'NT\Domain Admins'
[member user]:
[member group]:
ipa: ERROR: cannot connect to
u'https://ds01.example.com/ipa/session/xml': Internal Server Error
[root@ds01 ~]#

When the above error occurs I see the following in /var/log/httpd/error_log

==> /var/log/httpd/error_log <==
[Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache:
ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME
environment variable (/var/run/ipa_memcached/krbcc_TDN)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi
(pid=5374): Exception occurred processing WSGI script
'/usr/share/ipa/wsgi.py'.
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most
recent call last):
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/share/ipa/wsgi.py", line 49, in application
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
api.Backend.wsgi_dispatch(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in
__call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
self.route(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in
route
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
app(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in
__call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
super(xmlserver_session, self).__call__(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in
__call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
super(xmlserver, self).__call__(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in
__call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
self.wsgi_execute(environ)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
wsgi_execute
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result =
self.Command[name](*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret =
self.run(*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
self.execute(*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line
1590, in execute
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in
post_callback
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] actual_sid =
domain_validator.get_sid_trusted_domain_object(sid)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in
get_sid_trusted_domain_object
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry =
self.resolve_against_gc(domain, components['name'])
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in
resolve_against_gc
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry =
self.__resolve_against_gc(info, host, port, name)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in
__resolve_against_gc
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]
conn.sasl_interactive_bind_s(None, sasl_auth)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 566,
in sasl_interactive_bind_s
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls,
sasl_flags)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib64/python2.6/site-pa

Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-14 Thread Dale Macartney



On 03/13/2013 12:48 PM, Anthony Messina wrote:
> On Wednesday, March 13, 2013 12:41:05 PM Dale Macartney wrote:
>> Silly mistake on my part. Simple perms issue with keytab file.
>>
>> Below is a working config of postfix with IPA user lookups and kerberos
>> authenticated sending.
>>
>> ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
>> chown root:mail /etc/postfix/smtp.keytab
>> chmod 644 /etc/postfix/smtp.keytab
>>
>> postconf -e 'inet_interfaces = all'
>> postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
>> postconf -e 'myorigin = $mydomain'
>> postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
>> postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
>> postconf -e 'smtpd_sasl_auth_enable = yes'
>> postconf -e 'smtpd_sasl_security_options = noanonymous'
>> postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
>> postconf -e 'broken_sasl_auth_clients = yes'
>> postconf -e 'smtpd_sasl_authenticated_header = yes'
>> postconf -e 'smtpd_sasl_local_domain = $mydomain'
>>
>>
>> cat >> /etc/postfix/main.cf << EOF
>> virtual_alias_domains = example.com
>> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
>> EOF
>>
>> cat > /etc/postfix/ldap_aliases.cf << EOF
>> server_host = ds01.example.com
>> search_base = cn=accounts,dc=example,dc=com
>> query_filter = (mail=%s)
>> result_attribute = uid
>> bind = no
>> start_tls = yes
>> version = 3
>> EOF
>>
>> postmap /etc/postfix/ldap_aliases.cf
>> restorecon -R /etc/postfix/
>>
>> cat > /etc/sasl2/smtpd.conf << EOF
>> pwcheck_method: saslauthd
>> mech_list: GSSAPI PLAIN LOGIN
>> EOF
>>
>> sed -i 's/MECH=pam/MECH=kerberos5/g' /etc/sysconfig/saslauthd
>
> Glad you got it working. -A
New article published for those interested. Will copy across to wiki also.

https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/

Dale




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Dale Macartney



On 03/14/2013 08:11 AM, Dale Macartney wrote:
>
>
> On 03/14/2013 08:07 AM, Martin Kosek wrote:
> > On 03/13/2013 11:02 PM, Natxo Asenjo wrote:
> >> On Wed, Mar 13, 2013 at 10:45 PM, Dale Macartney wrote:
> >>> I've just deployed a RHEL 6.4 proxy and the guide is still accurate and
> >>> works.. however I agree a config file would be a better place for the
> >>> options. Both work at the end of the day.
> >>
> >> yes, the guide is accurate, but upgrading to meet a bunch of angry
> >> users is not nice ;-)
> >>
> >>> I'm more curious as to why your squid init script was replaced instead
> >>> of the usual scenario of having the new file saved as .rpmsave.
> >>
> >> beats me. Anyway, config stuff should go in /etc/sysconfig, period ;-)
> >> ; we should not be touching the init scripts. The init scripts source
> >> the files in /etc/sysconfig/*
> >>
> >>>> By the way, I came across http://squidkerbauth.sourceforge.net/
> >>>> squid_kerb_ldap to allow/block stuff in the proxy depending on ldap
> >>>> group membership. I have not tested it yet, but will post it if(when)
> >>>> I get it working.
> >>> You can also check out SquidGuard, which is available in EPEL.
> >>
> >> ha, squid_kerb_ldap is not a proxy, it is an authenticator for squid
> >> and what it does is verify the group membership of the users so you
> >> can build ACLs based on that.
> >>
> >> squidguard is nice. I like privoxy too ;-)
> >>
> >>> I've written an article for Active Directory, however it is just as easy
> >>> to use it with IPA.
> >>>
> >>> https://www.dalemacartney.com/2012/07/06/web-proxy-filtering-with-squidguard-using-active-directory-group-memberships/
> >>
> >> cool, thanks.
> >>
>
> > Hi guys,
> >
> > Dale, do you plan to update the howto on FreeIPA wiki to fix the configuration
> > section? If not, I can try to update it myself. I agree with Natxo that having
> > the configuration in /etc/sysconfig/squid is safer than having it hacked in the
> > init script.
> >
> > Thanks both for sharing this info btw :-)
>
> > Martin
> Yes mate,
> I've literally just walked into the office and connected to vpn. Will be
> updating momentarily.
>
> Dale
Article updated
http://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On




Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Dale Macartney



On 03/14/2013 08:07 AM, Martin Kosek wrote:
> On 03/13/2013 11:02 PM, Natxo Asenjo wrote:
>> On Wed, Mar 13, 2013 at 10:45 PM, Dale Macartney wrote:
>>> I've just deployed a RHEL 6.4 proxy and the guide is still accurate and
>>> works.. however I agree a config file would be a better place for the
>>> options. Both work at the end of the day.
>>
>> yes, the guide is accurate, but upgrading to meet a bunch of angry
>> users is not nice ;-)
>>
>>> I'm more curious as to why your squid init script was replaced instead
>>> of the usual scenario of having the new file saved as .rpmsave.
>>
>> beats me. Anyway, config stuff should go in /etc/sysconfig, period ;-)
>> ; we should not be touching the init scripts. The init scripts source
>> the files in /etc/sysconfig/*
>>
>>>> By the way, I came across http://squidkerbauth.sourceforge.net/
>>>> squid_kerb_ldap to allow/block stuff in the proxy depending on ldap
>>>> group membership. I have not tested it yet, but will post it if(when)
>>>> I get it working.
>>> You can also check out SquidGuard, which is available in EPEL.
>>
>> ha, squid_kerb_ldap is not a proxy, it is an authenticator for squid
>> and what it does is verify the group membership of the users so you
>> can build ACLs based on that.
>>
>> squidguard is nice. I like privoxy too ;-)
>>
>>> I've written an article for Active Directory, however it is just as easy
>>> to use it with IPA.
>>> https://www.dalemacartney.com/2012/07/06/web-proxy-filtering-with-squidguard-using-active-directory-group-memberships/
>>
>> cool, thanks.
>>
>
> Hi guys,
>
> Dale, do you plan to update the howto on FreeIPA wiki to fix the configuration
> section? If not, I can try to update it myself. I agree with Natxo that having
> the configuration in /etc/sysconfig/squid is safer than having it hacked in the
> init script.
>
> Thanks both for sharing this info btw :-)
>
> Martin
Yes mate,
I've literally just walked into the office and connected to vpn. Will be
updating momentarily.

Dale





Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-13 Thread Dale Macartney



On 03/13/2013 09:20 PM, Natxo Asenjo wrote:
> hi,
>
> following the howto
> http://freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On
> I had setup squid.
>
> Tonight running the updates the changes to the init script
> http://freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On#Change_the_.2Fetc.2Finit.d.2Fsquid_startup_script_to_read_in_the_keytab_on_service_start.
> were gone and so the internet was not working. Not nice.
>
> The howto should specify that the config must come in
> /etc/sysconfig/squid instead. Then the upgrade has no nasty
> consequences. So /etc/sysconfig/squid should look like this:
>
> # default squid options
> SQUID_OPTS=""
>
> # Time to wait for Squid to shut down when asked. Should not be necessary
> # most of the time.
> SQUID_SHUTDOWN_TIMEOUT=100
>
> # default squid conf file
> SQUID_CONF="/etc/squid/squid.conf"
>
> # kerberos stuff
> KRB5_KTNAME=/etc/squid/krb5.keytab
> export KRB5_KTNAME

Hi Natxo

I've just deployed a RHEL 6.4 proxy and the guide is still accurate and
works.. however I agree a config file would be a better place for the
options. Both work at the end of the day.

I'm more curious as to why your squid init script was replaced instead
of the usual scenario of having the new file saved as .rpmsave.
>
>
> By the way, I came across http://squidkerbauth.sourceforge.net/
> squid_kerb_ldap to allow/block stuff in the proxy depending on ldap
> group membership. I have not tested it yet, but will post it if(when)
> I get it working.
You can also check out SquidGuard, which is available in EPEL.

I've written an article for Active Directory, however it is just as easy
to use it with IPA.
https://www.dalemacartney.com/2012/07/06/web-proxy-filtering-with-squidguard-using-active-directory-group-memberships/


> --
> Greetings,
> natxo




Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-13 Thread Dale Macartney



On 03/13/2013 01:17 PM, Simo Sorce wrote:
> On Wed, 2013-03-13 at 12:41 +0000, Dale Macartney wrote:
>> chown root:mail /etc/postfix/smtp.keytab
>> chmod 644 /etc/postfix/smtp.keytab
>>
> NEVER ever use 644 on a keytab file.
>
> A keytab is like a password, if you make it accessible to everybody on a
> system you gave it up.
>
> Sorry to be harsh but I want to make it very clear for our users that
> keytabs are *secrets* and should *never* be made available to the whole
> system. It is exactly like putting a password in the clear in a file and
> making it accessible to everyone.
>
> In your case I guess you want to use 660 or 640.
Thanks for pointing out the typo. 640 is usual practice as the services
only need read access to the keytab.
> Simo.




Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-13 Thread Dale Macartney



On 03/13/2013 10:47 AM, Dale Macartney wrote:
>
>
> On 03/12/2013 02:05 PM, Anthony Messina wrote:
> > On Tuesday, March 12, 2013 08:53:59 AM Anthony Messina wrote:
> >> On Tuesday, March 12, 2013 01:50:47 PM Dale Macartney wrote:
> >>> > # Import environment for Kerberos v5 GSSAPI
> >>> > import_environment =
> >>> > MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
> >>> > KRB5_KTNAME=/etc/postfix/smtp.keytab
> >>>
> >>>
> >>> Anthony, where were you declaring the above? In Squid, I've added the
> >>> keytab to the service startup script. Presumably it would be somewhere
> >>> similar?
> >>>
> >>>
> >>> Dale
> >>
> >> In /etc/postfix/main.cf
>
> > Sorry, I sent too fast. from man (5) postconf:
>
> > import_environment (default: see postconf -d output)
> > The list of environment parameters that a Postfix process will import
> > from a non-Postfix parent process. Examples of relevant parameters:
>
> > TZ Needed for sane time keeping on most System-V-ish systems.
>
> > DISPLAY
> > Needed for debugging Postfix daemons with an X-windows debugger.
>
> > XAUTHORITY
> > Needed for debugging Postfix daemons with an X-windows debugger.
>
> > MAIL_CONFIG
> > Needed to make "postfix -c" work.
>
> > Specify a list of names and/or name=value pairs, separated by
> > whitespace or comma. The name=value form is supported with Postfix version 2.1
> > and later.
> Things aren't really playing ball here
>
> I've configured postfix from default install with the below changes..
>
> Am I missing something?
>
> ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
> postconf -e 'inet_interfaces = all'
> postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
> postconf -e 'myorigin = $mydomain'
> postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
> postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
> postconf -e 'smtpd_sasl_auth_enable = yes'
> postconf -e 'smtpd_sasl_security_options = noanonymous'
> postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
>
> cat >> /etc/postfix/main.cf << EOF
> virtual_alias_domains = example.com
> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
> EOF
>
> cat > /etc/postfix/ldap_aliases.cf << EOF
> server_host = ds01.example.com
> search_base = cn=accounts,dc=example,dc=com
> query_filter = (mail=%s)
> result_attribute = uid
> bind = no
> start_tls = yes
> version = 3
> EOF
>
> postmap /etc/postfix/ldap_aliases.cf
> restorecon -R /etc/postfix/
>
> cat > /etc/sasl2/smtpd.conf << EOF
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
> EOF
>
>
>
> LDAP lookups work perfectly, however kerberos authentication doesn't
> seem to want to work. I should mention, I am not using SSL (yet). Does
> sasl/gssapi have some form of prereq of SSL by any chance?
>
> Logs from maillog are as follows
>
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: connect from unknown[10.0.1.101]
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: disconnect from unknown[10.0.1.101]
>
> Thanks all
>

Silly mistake on my part. Simple perms issue with keytab file.

Below is a working config of postfix with IPA user lookups and kerberos
authenticated sending.

ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
chown root:mail /etc/postfix/smtp.keytab
chmod 644 /etc/postfix/smtp.keytab

postconf -e 'inet_interfaces = all'
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
postconf -e 'myorigin = $mydomain'
postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, 
permit_mynetworks,  reject_unauth_

Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-13 Thread Dale Macartney



On 03/12/2013 02:05 PM, Anthony Messina wrote:
> On Tuesday, March 12, 2013 08:53:59 AM Anthony Messina wrote:
>> On Tuesday, March 12, 2013 01:50:47 PM Dale Macartney wrote:
>>> > # Import environment for Kerberos v5 GSSAPI
>>> > import_environment =
>>> > MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>>> > KRB5_KTNAME=/etc/postfix/smtp.keytab
>>>
>>>
>>> Anthony, where were you declaring the above? In Squid, I've added the
>>> keytab to the service startup script. Presumably it would be somewhere
>>> similar?
>>>
>>>
>>> Dale
>>
>> In /etc/postfix/main.cf
>
> Sorry, I sent too fast. from man (5) postconf:
>
> import_environment (default: see postconf -d output)
> The list of environment parameters that a Postfix process will import
> from a non-Postfix parent process. Examples of relevant parameters:
>
> TZ Needed for sane time keeping on most System-V-ish systems.
>
> DISPLAY
> Needed for debugging Postfix daemons with an X-windows debugger.
>
> XAUTHORITY
> Needed for debugging Postfix daemons with an X-windows debugger.
>
> MAIL_CONFIG
> Needed to make "postfix -c" work.
>
> Specify a list of names and/or name=value pairs, separated by
> whitespace or comma. The name=value form is supported with Postfix version 2.1
> and later.
Things aren't really playing ball here

I've configured postfix from default install with the below changes..

Am I missing something?

ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
postconf -e 'inet_interfaces = all'
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
postconf -e 'myorigin = $mydomain'
postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'

cat >> /etc/postfix/main.cf << EOF
virtual_alias_domains = example.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
EOF

cat > /etc/postfix/ldap_aliases.cf << EOF
server_host = ds01.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
EOF

postmap /etc/postfix/ldap_aliases.cf
restorecon -R /etc/postfix/

cat > /etc/sasl2/smtpd.conf << EOF
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN
EOF



LDAP lookups work perfectly, however kerberos authentication doesn't
seem to want to work. I should mention, I am not using SSL (yet). Does
sasl/gssapi have some form of prereq of SSL by any chance?

Logs from maillog are as follows

Mar 12 15:51:27 mail01 postfix/smtpd[26240]: connect from unknown[10.0.1.101]
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: disconnect from unknown[10.0.1.101]

Thanks all






Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-12 Thread Dale Macartney



On 03/08/2013 02:34 PM, Anthony Messina wrote:
> On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
>>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
>>> authenticated SSO mail sending
>>
>> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
>> On the mail server you should obtain the keytab with ipa-getkeytab and
>> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>>
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>> broken_sasl_auth_clients = yes
>> smtpd_recipient_restrictions =
>> permit_sasl_authenticated,
>> permit_mynetworks,
>> reject_unauth_destination
>>
>> Lastly, add to /etc/sasl2/smtpd.conf:
>> pwcheck_method: saslauthd
>> mech_list: GSSAPI PLAIN LOGIN
>>
>> Restart postfix and saslauthd and it should work.
>
> You *may* also need to update Postfix's environment:
>
> # Import environment for Kerberos v5 GSSAPI
> import_environment =
> MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
> KRB5_KTNAME=/etc/postfix/smtp.keytab
Anthony, where were you declaring the above? In Squid, I've added the
keytab to the service startup script. Presumably it would be somewhere
similar?

Dale

>
> -A



Re: [Freeipa-users] Discussion: What would be the best way to create service principals via provisioning

2013-03-11 Thread Dale Macartney



On 03/11/2013 11:39 AM, Christian Horn wrote:
>
>
>
> Dale Macartney wrote:
>>
>> On 03/11/2013 11:04 AM, Christian Horn wrote:
>>>
>>> How about having service-add/ipa-getkeytab done on the server,
>>> and having the keytab deployed onto the clientsystem using scp from
>>> the server, or via configmanagement?
>> That definitely gets around security concerns, however still requires
>> some manual intervention... the keytab could be pushed using config
>> management, but generating it in the first place still requires work as
>> a trusted user.
>
> Yes, but this could be automated.
> If you deploy i.e. with cobbler there were IIRC hooks so one can do
> serverside tasks, as soon as a system gets added. So the secret could
> be embedded in a script there.
In my current lab, I just use my own script which pushes api calls to
rhev to deploy machines. I know there is a way to use a user keytab to
auth to IPA. I could do that and have my provisioning script push the
necessary admin commands and leave the client to pull to the client
during %post...

I guess it depends on the provisioning model within the organisation.

>
>
> Christian
>



Re: [Freeipa-users] Discussion: What would be the best way to create service principals via provisioning

2013-03-11 Thread Dale Macartney



On 03/11/2013 11:04 AM, Christian Horn wrote:
> Hi,
>
> Dale Macartney wrote:
>>
>> I'm open to hear some opinions and thoughts on what the best way to
>> auto-provision service principals in an environment with a 100%
>> autonomous build process..
>>
>> Let's say for example, I wanted to provision a mail server and configure
>> dovecot SSO in the same process.
>>
>> Obviously something like this would be terrible in a production
>> environment as having this in the %post of a kickstart gives away the
>> admin password
>>
>> %post
>> echo redhat123 | kinit admin --
>> ipa service-add imap/$(hostname)
>> ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k
>> /etc/dovecot/krb5.keytab
>>
>> Is there a more secure way to perform such a task via kickstart or
>> other provisioning method?
>
> How about having service-add/ipa-getkeytab done on the server,
> and having the keytab deployed onto the clientsystem using scp from
> the server, or via configmanagement?
That definitely gets around security concerns, however still requires
some manual intervention... the keytab could be pushed using config
management, but generating it in the first place still requires work as
a trusted user.

>
>
> Christian
>



[Freeipa-users] Discussion: What would be the best way to create service principals via provisioning

2013-03-11 Thread Dale Macartney


Hi all

I'm open to hear some opinions and thoughts on what the best way to
auto-provision service principals in an environment with a 100%
autonomous build process..

Let's say for example, I wanted to provision a mail server and configure
dovecot SSO in the same process.

Obviously something like this would be terrible in a production
environment as having this in the %post of a kickstart gives away the
admin password

%post
echo redhat123 | kinit admin --
ipa service-add imap/$(hostname)
ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab


Is there a more secure way to perform such a task via kickstart or
other provisioning method?

Thanks all

Dale


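The keytab permission rule Simo spells out in the Postfix thread above and the server-side provisioning flow Christian suggests in this thread, as an added shell example (not code from the thread). The provisioning account, its keytab path and the target host/group values are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread. Two pieces:
#   keytab_perm_ok           - audits a keytab's mode the way Simo describes
#                              (640/660/600 pass, 644 fails)
#   provision_service_keytab - runs on the provisioning host with its own
#                              keytab, so no admin password lands in %post
# Assumptions (not on the page): a provisioning account with the rights to
# add services and fetch keytabs, its keytab path, and the host names used.

IPA_SERVER="${IPA_SERVER:-ds01.example.com}"               # from the thread
PROV_KEYTAB="${PROV_KEYTAB:-/etc/ipa/provisioner.keytab}"  # hypothetical path
PROV_PRINC="${PROV_PRINC:-provisioner@EXAMPLE.COM}"        # hypothetical account

# keytab_perm_ok FILE
# Returns 0 if FILE is a regular file with no permission bits for "other".
keytab_perm_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # GNU stat first, BSD stat as fallback; both print the octal mode
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        *0) return 0 ;;   # last octal digit is "other": must be zero
        *)  return 1 ;;
    esac
}

# provision_service_keytab HOST SERVICE DEST GROUP
# e.g. provision_service_keytab mail01.example.com smtp /etc/postfix/smtp.keytab mail
# The keytab is generated on the provisioning host and copied over, so the
# client being built never needs Kerberos admin credentials.
provision_service_keytab() {
    host=$1; svc=$2; dest=$3; group=$4
    princ="${svc}/${host}"
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"

    # Authenticate as the provisioning account from its keytab, never from
    # a password typed into a script.
    if ! kinit -kt "$PROV_KEYTAB" "$PROV_PRINC"; then
        rm -f "$tmp"; return 1
    fi

    # service-add fails if the principal already exists; that is acceptable
    # here because ipa-getkeytab below fails on its own if it does not exist.
    ipa service-add "$princ" >/dev/null 2>&1 || true

    # NB: ipa-getkeytab generates a fresh key, so any keytab previously
    # retrieved for this principal stops working.
    if ! ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$tmp"; then
        rm -f "$tmp"; kdestroy >/dev/null 2>&1; return 1
    fi

    # Copy to the client and apply the ownership/mode Dale settled on
    # (root:<service group>, 640), then relabel for SELinux.
    scp -q "$tmp" "root@${host}:${dest}" \
        && ssh "root@${host}" "chown root:${group} '${dest}' && chmod 640 '${dest}' && restorecon '${dest}'"
    rc=$?
    rm -f "$tmp"
    kdestroy >/dev/null 2>&1
    return $rc
}
```

Run keytab_perm_ok against /etc/postfix/smtp.keytab or /etc/squid/krb5.keytab after deployment; a non-zero exit means the file is readable by every local account.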


Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-08 Thread Dale Macartney



On 03/08/2013 02:34 PM, Anthony Messina wrote:
> On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
>>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
>>> authenticated SSO mail sending
>>
>> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
>> On the mail server you should obtain the keytab with ipa-getkeytab and
>> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>>
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>> broken_sasl_auth_clients = yes
>> smtpd_recipient_restrictions =
>> permit_sasl_authenticated,
>> permit_mynetworks,
>> reject_unauth_destination
>>
>> Lastly, add to /etc/sasl2/smtpd.conf:
>> pwcheck_method: saslauthd
>> mech_list: GSSAPI PLAIN LOGIN
>>
>> Restart postfix and saslauthd and it should work.
>
> You *may* also need to update Postfix's environment:
>
> # Import environment for Kerberos v5 GSSAPI
> import_environment =
> MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
> KRB5_KTNAME=/etc/postfix/smtp.keytab
>
> -A
Thanks Anthony, that was actually going to be my next question as I
prefer to keep service specific keytabs.

Dale



Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-08 Thread Dale Macartney



On 03/08/2013 12:39 PM, Loris Santamaria wrote:
> I can help you with items #1 and #2:
>
> On Fri, 08-03-2013 at 08:56 +0000, Dale Macartney wrote:
>> Hi all
>>
>> I've been reading through threads and threads of mailing lists and
>> google search results on this but most of the documentation isn't very
>> specific and is just vague enough for me not to make any progress.
>>
>> Would anyone be able to assist with the following setup of Postfix?
>>
>> Criteria is as follows
>>
>> 1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
>> (specific attribute or group membership might be required here as all
>> ipa users now have an email address value.)
>
> There are many ways to solve this, this is using the virtual transport.
> In /etc/postfix/main.cf:
>
> virtual_alias_domains = mydomain.com
> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
>
> In /etc/postfix/ldap_aliases.cf:
>
> server_host = myipa1, myipa2
> search_base = cn=accounts,dc=mydomain,dc=com
> query_filter = (mail=%s)
> result_attribute = uid
> bind = no
>
> After editing /etc/postfix/ldap_aliases.cf you should run
> "postmap /etc/postfix/ldap_aliases.cf". Not using LDAPS here, but you
> should be able to by reading "man 5 ldap_table".
Now that worked like a charm, thanks very much. Will work on ldaps
support and see if it's possible.
>
>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
>> authenticated SSO mail sending
>
> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
> On the mail server you should obtain the keytab with ipa-getkeytab and
> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,
> permit_mynetworks,
> reject_unauth_destination
>
> Lastly, add to /etc/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
>
> Restart postfix and saslauthd and it should work.
Getting the below output in logs when attempting to auth via gssapi on
port 25 (is gssapi supported on port 25? could this be the cause?) Is
there any way to verify sasl auth remotely from a client other than in
postfix?

I am using an ipa workstation and SSO with dovecot works fine so I know
the users' tickets are valid.

==> /var/log/maillog <==
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: connect from unknown[10.0.1.101]
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: disconnect from unknown[10.0.1.101]

>
>
>> 3. Mail sending permission based on an LDAPS group membership, to
>> prevent unauthorised sending of mail from unknown users.
>
> Never done that but there is the definitive documentation:
> http://www.postfix.org/RESTRICTION_CLASS_README.html




Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-08 Thread Dale Macartney



On 03/08/2013 09:38 AM, Petr Spacek wrote:
> On 7.3.2013 18:06, Dale Macartney wrote:
>>
>> I have just updated the article to have dovecot automatically creating a
>> maildir in a custom location.
>>
>>
http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On
>>
>> It's not NFS based in the homedir, but technically if you're using a mail
>> client with offline support, the mail in the homedir would be available if the
>> imap server became unavailable anyway. Just a thought.
>
> Thank you for the nice article!
>
> Please, could you add some notes like "Don't use NFS" etc.? What you
> tried and what failed? It would be beneficial for other users to not
> waste time again :-)
>
> Thank you again!
>
New section added to top of article covering automounted home dirs.






[Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-08 Thread Dale Macartney


Hi all

I've been reading through threads and threads of mailing lists and
google search results on this but most of the documentation isn't very
specific and is just vague enough for me not to make any progress.

Would anyone be able to assist with the following setup of Postfix?

Criteria are as follows:

1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
(specific attribute or group membership might be required here as all
ipa users now have an email address value.)
2. Kerberos / GSSAPI (I heard SASL can be used here as well) for
authenticated SSO mail sending
3. Mail sending permission based on an LDAPS group membership, to
prevent unauthorised sending of mail from unknown users.

I know a few list members have deployments of postfix and IPA already up
and running so if you could share your experience here that would be
fantastic.

Many thanks.

Dale





Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-07 Thread Dale Macartney



On 03/07/2013 02:30 PM, Johan Petersson wrote:
> Thank you for the information, I have come to the same conclusion after
> forcing myself to delve deeper into the mysteries of Kerberos and its limitations.
> Local storage of the users' mail on the mail server seems to be the only
> valid option (or make the NFS server work double as mail server too.)
> I am definitely looking forward to reading your article when it is done.

I have just updated the article to have dovecot automatically creating a
maildir in a custom location.

http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On

It's not NFS based in the homedir, but technically if you're using a mail
client with offline support, the mail in the homedir would be available
if the imap server became unavailable anyway. Just a thought.

Dale

>
> Regards,
> Johan.
>
>
> -
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dale Macartney [d...@themacartneyclan.com]
> *Sent:* Thursday, March 07, 2013 13:35
> *To:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.
>
>
>
> On 03/06/2013 02:33 PM, Johan Petersson wrote:
> > Hi,
> > I hope someone here can shed some light on what is wrong in my test environment.
> > The error seems to be that Dovecot on the mail server wants to access the mail folder in my home directory on the NFS server but can't get credentials for it. rpc.gssd on the mail server tries either to open a cache file in /tmp that is corrupt or expired, or if no cache file exists it just does an error downcall.
> > No attempt to update the key or create a new one.
> > Should not forwardable tickets update the cache or generate a new one?
> > The permission denied error in maillog I believe is because of no valid Kerberos credentials.
>
> > IPA server
> > NFS server for home directory through autofs, IPA client with nfs/share.test.net
> > Mail server IPA client with imap/mail.test.net, smtp/mail.test.net
>
> > Client PCs that are also IPA clients
>
> > Everything is Red Hat 6.4 server and client with default settings for IPA server and client.
>
> > When trying to get mail I get ticket not accepted but I do get an imap ticket that I can see with klist.
>
> > Ticket cache: FILE:/tmp/krb5cc_164483_UsqtSh
> > Default principal: jo...@test.net
>
> > Valid starting Expires Service principal
> > 03/06/13 14:34:28 03/07/13 14:34:28 krbtgt/test@test.net
> > 03/06/13 14:40:41 03/07/13 14:34:28 imap/mail.test@test.net
> > 03/06/13 14:44:43 03/07/13 14:34:28 host/share.test@test.net
>
> > Hopefully relevant logs:
>
> > Mail Server /var/log/messages with rpc.gssapi -vvv:
>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
> > Mar 6 14:43:21 mail rpc.gssd[1143]: handle_gssd_upcall: 'mech=krb5 uid=164483 enctypes=18,17,16,23,3,1,2 '
> > Mar 6 14:43:21 mail rpc.gssd[1143]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
> > Mar 6 14:43:21 mail rpc.gssd[1143]: process_krb5_upcall: service is ''
> > Mar 6 14:43:21 mail rpc.gssd[1143]: getting credentials for client with uid 164483 for server share.test.net
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_machine_TEST.NET' being considered, with preferred realm 'TEST.NET'
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_machine_TEST.NET' owned by 0, not 164483
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_164481_MOFHds' being considered, with preferred realm 'TEST.NET'
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_164481_MOFHds' owned by 0, not 164483
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'TEST.NET'
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' owned by 0, not 164483
> > Mar 6 14:43:21 mail rpc.gssd[1143]: WARNING: Failed to create krb5 context for user with uid 164483 for server share.test.net
> > Mar 6 14:43:21 mail rpc.gssd[1143]: doing error downcall
>
> > Mail Server /var/log/maillog:
>
> > Mar 06 14:43:11 master: Info: Dovecot v2.0.9 starting up (core dumps disabled)
> > Mar 06 14:43:21 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> > Mar 06 14:43:21 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
> > Mar 06 14:43:21 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> > Mar 06 14:43:21 auth: Debug: Module 

Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-07 Thread Dale Macartney



On 03/06/2013 02:33 PM, Johan Petersson wrote:
> Hi,
> I hope someone here can shed some light on what is wrong in my test environment.
> The error seems to be that Dovecot on the mail server wants to access the mail folder in my home directory on the NFS server but can't get credentials for it. rpc.gssd on the mail server tries either to open a cache file in /tmp that is corrupt or expired, or if no cache file exists it just does an error downcall.
> No attempt to update the key or create a new one.
> Should not forwardable tickets update the cache or generate a new one?
> The permission denied error in maillog I believe is because of no valid Kerberos credentials.
>
> IPA server
> NFS server for home directory through autofs, IPA client with nfs/share.test.net
> Mail server IPA client with imap/mail.test.net, smtp/mail.test.net
>
> Client PCs that are also IPA clients
>
> Everything is Red Hat 6.4 server and client with default settings for IPA server and client.
>
> When trying to get mail I get ticket not accepted but I do get an imap ticket that I can see with klist.
>
> Ticket cache: FILE:/tmp/krb5cc_164483_UsqtSh
> Default principal: jo...@test.net
>
> Valid starting Expires Service principal
> 03/06/13 14:34:28 03/07/13 14:34:28 krbtgt/test@test.net
> 03/06/13 14:40:41 03/07/13 14:34:28 imap/mail.test@test.net
> 03/06/13 14:44:43 03/07/13 14:34:28 host/share.test@test.net
>
> Hopefully relevant logs:
>
> Mail Server /var/log/messages with rpc.gssapi -vvv:
>
> Mar 6 14:43:21 mail rpc.gssd[1143]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
> Mar 6 14:43:21 mail rpc.gssd[1143]: handle_gssd_upcall: 'mech=krb5 uid=164483 enctypes=18,17,16,23,3,1,2 '
> Mar 6 14:43:21 mail rpc.gssd[1143]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
> Mar 6 14:43:21 mail rpc.gssd[1143]: process_krb5_upcall: service is ''
> Mar 6 14:43:21 mail rpc.gssd[1143]: getting credentials for client with uid 164483 for server share.test.net
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_machine_TEST.NET' being considered, with preferred realm 'TEST.NET'
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_machine_TEST.NET' owned by 0, not 164483
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_164481_MOFHds' being considered, with preferred realm 'TEST.NET'
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_164481_MOFHds' owned by 0, not 164483
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'TEST.NET'
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' owned by 0, not 164483
> Mar 6 14:43:21 mail rpc.gssd[1143]: WARNING: Failed to create krb5 context for user with uid 164483 for server share.test.net
> Mar 6 14:43:21 mail rpc.gssd[1143]: doing error downcall
>
> Mail Server /var/log/maillog:
>
> Mar 06 14:43:11 master: Info: Dovecot v2.0.9 starting up (core dumps disabled)
> Mar 06 14:43:21 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Mar 06 14:43:21 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Mar 06 14:43:21 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Mar 06 14:43:21 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
> Mar 06 14:43:21 auth: Debug: auth client connected (pid=2183)
> Mar 06 14:43:21 auth: Debug: client in: AUTH 1 GSSAPI service=imap secured lip=192.168.0.33 rip=192.168.0.202 lport=143 rport=36424
> Mar 06 14:43:21 auth: Debug: gssapi(?,192.168.0.202): Using all keytab entries
> Mar 06 14:43:21 auth: Debug: client out: CONT 1
> Mar 06 14:43:21 auth: Debug: client in: CONT
> Mar 06 14:43:21 auth: Debug: gssapi(jo...@test.net,192.168.0.202): security context state completed.
> Mar 06 14:43:21 auth: Debug: client out: CONT 1 YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv1MwL+M8NJprfWznLmhNSKz2ONwOwvw+2nJkIlLZiRLgIfQECmsAnkj6v54ukCkFNkcl0eCKTuHX9/8CTSpBQZL0RpeHHqfqMDDVRtKuiVaK7DzFOf/RC2ZTKmRD4l54p4PF5KA39L3VTNbkKhsIN
> Mar 06 14:43:21 auth: Debug: client in: CONT
> Mar 06 14:43:21 auth: Debug: gssapi(jo...@test.net,192.168.0.202): Negotiated security layer
> Mar 06 14:43:21 auth: Debug: client out: CONT 1 BQQF/wAMN4/a0gH///+o8Mw0PdRlusfHcCo=
> Mar 06 14:43:21 auth: Debug: client in: CONT
> Mar 06 14:43:21 auth: Debug: client out: OK 1 user=johan
> Mar 06 14:43:21 auth: Debug: master in: REQUEST 1818361857 2183 1 2f9e416bebaaac9a0a3f266165753c1b
> Mar 06 14:43:21 auth: Debug: passwd(johan,192.168.0.202): lookup
> Mar 06 14:43:21 auth: Debug: master out: USER 1818361857 johan system_groups_user=johan uid=164483 gid=164483 home=/nethome/johan
> Mar 06 14:43:21 imap-login: Info: Login: user=, method=GSSAPI, rip=192.168.0.202, lip=192.168.0.33, mpid=2186, TLS
> Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan/) failed: Permission denied (euid=164483(johan) egid=164483(johan) missing +x p

[Freeipa-users] Preparing for domain trust breaks IPA services, RHEL 6.4 IPA 3.0

2013-03-07 Thread Dale Macartney


Hi all

I've been trying to document the domain trust process for the past two
days and I am seeing the same results no matter the configuration.

Basically I have nuked and rebuilt my environment several times and all
yields the same results.

Steps to reproduce

1, Clean install of RHEL 6.4
2, yum install ipa-server bind bind-dyndb-ldap
3, ipa-server-install --setup-dns
4, yum install ipa-server-trust-ad
5, kinit admin
6, ipa-adtrust-install

All the above steps work perfectly. I thought the problem was an issue in
running "ipa trust-add", but I have just tried "ipa host-find" and get the
same output.

If someone is able to reproduce the issue, to remove myself from the
equation, that would be fantastic. It's either something I'm doing wrong
or there is a bug here somewhere. (Note: no problems at all with the same
procedure on Fedora 18 and IPA 3.1.)

Output is below from adding "debug=true" to /etc/ipa/default.conf:

[root@ds01 ~]# ipa host-find
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.10.3

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py

Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-06 Thread Dale Macartney



On 03/06/2013 02:46 PM, M.R Niranjan wrote:
> On 03/06/2013 08:03 PM, Johan Petersson wrote:
> > Hi,
> > I hope someone here can shed some light on what is wrong in my test
> > environment.
> > The error seem to be that Dovecot on mail server wants to access mail
> > folder in my home directory on the NFS Server but can't get credentials
> > for it. rpc.gssd on Mail Server try either to open a cachefile in /tmp
> > that is corrupt or expired or if no cache file exists it just do error
> > downcall.
> > No try to update the key or create a new one.
> > Should not forwardable tickets update the cache or generate a new one?
> > The permission denied error in maillog i believe is because of no valid
> > kerberos credentials.
>
> > IPAserver
> > NFS Server for Home Directory through autofs, IPA Client with
> > nfs/share.test.net
> > Mail server IPA Client with imap/mail.test.net,smtp/mail.test.net
>
> > Clients pc's that are also IPA clients
>
> > Everything is Red Hat 6.4 server and Client with default settings for
> > IPA server and client.
>
> > When trying to get mail i get ticket not accepted but i do get a imap
> > ticket that i can see with klist.
>
> > Ticket cache: FILE:/tmp/krb5cc_164483_UsqtSh
> > Default principal: jo...@test.net
>
> > Valid starting Expires Service principal
> > 03/06/13 14:34:28 03/07/13 14:34:28 krbtgt/test@test.net
> > 03/06/13 14:40:41 03/07/13 14:34:28 imap/mail.test@test.net
> > 03/06/13 14:44:43 03/07/13 14:34:28 host/share.test@test.net
>
> > Hopefully relevant logs:
>
> > Mail Server /var/log/messages with rpc.gssapi -vvv:
>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: handling gssd upcall
> > (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
> > Mar 6 14:43:21 mail rpc.gssd[1143]: handle_gssd_upcall: 'mech=krb5
> > uid=164483 enctypes=18,17,16,23,3,1,2 '
> > Mar 6 14:43:21 mail rpc.gssd[1143]: handling krb5 upcall
> > (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
> > Mar 6 14:43:21 mail rpc.gssd[1143]: process_krb5_upcall: service is
> > ''
> > Mar 6 14:43:21 mail rpc.gssd[1143]: getting credentials for client with
> > uid 164483 for server share.test.net
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file
> > '/tmp/krb5cc_machine_TEST.NET' being considered, with preferred realm
> > 'TEST.NET'
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file
> > '/tmp/krb5cc_machine_TEST.NET' owned by 0, not 164483
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file
> > '/tmp/krb5cc_164481_MOFHds' being considered, with preferred realm
> > 'TEST.NET'
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file
> > '/tmp/krb5cc_164481_MOFHds' owned by 0, not 164483
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' being
> > considered, with preferred realm 'TEST.NET'
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' owned by 0,
> > not 164483
> > Mar 6 14:43:21 mail rpc.gssd[1143]: WARNING: Failed to create krb5
> > context for user with uid 164483 for server share.test.net
> > Mar 6 14:43:21 mail rpc.gssd[1143]: doing error downcall
>
> > Mail Server /var/log/maillog:
>
> > Mar 06 14:43:11 master: Info: Dovecot v2.0.9 starting up (core dumps
> > disabled)
> > Mar 06 14:43:21 auth: Debug: Loading modules from directory:
> > /usr/lib64/dovecot/auth
> > Mar 06 14:43:21 auth: Debug: Module loaded:
> > /usr/lib64/dovecot/auth/libauthdb_ldap.so
> > Mar 06 14:43:21 auth: Debug: Module loaded:
> > /usr/lib64/dovecot/auth/libdriver_sqlite.so
> > Mar 06 14:43:21 auth: Debug: Module loaded:
> > /usr/lib64/dovecot/auth/libmech_gssapi.so
> > Mar 06 14:43:21 auth: Debug: auth client connected (pid=2183)
> > Mar 06 14:43:21 auth: Debug: client in: AUTH 1 GSSAPI
> > service=imap secured lip=192.168.0.33 rip=192.168.0.202
> > lport=143 rport=36424
> > Mar 06 14:43:21 auth: Debug: gssapi(?,192.168.0.202): Using all keytab
> > entries
> > Mar 06 14:43:21 auth: Debug: client out: CONT 1
> > Mar 06 14:43:21 auth: Debug: client in: CONT
> > Mar 06 14:43:21 auth: Debug: gssapi(jo...@test.net,192.168.0.202):
> > security context state completed.
> > Mar 06 14:43:21 auth: Debug: client out: CONT 1
> >
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv1MwL+M8NJprfWznLmhNSKz2ONwOwvw+2nJkIlLZiRLgIfQECmsAnkj6v54ukCkFNkcl0eCKTuHX9/8CTSpBQZL0RpeHHqfqMDDVRtKuiVaK7DzFOf/RC2ZTKmRD4l54p4PF5KA39L3VTNbkKhsIN
> > Mar 06 14:43:21 auth: Debug: client in: CONT
> > Mar 06 14:43:21 auth: Debug: gssapi(jo...@test.net,192.168.0.202):
> > Negotiated security layer
> > Mar 06 14:43:21 auth: Debug: client out: CONT 1
> > BQQF/wAMN4/a0gH///+o8Mw0PdRlusfHcCo=
> > Mar 06 14:43:21 auth: Debug: client in: CONT
> > Mar 06 14:43:21 auth: Debug: client out: OK 1 user=johan
> > Mar 06 14:43:21 auth: Debug: master in: REQUEST 1818361857 2183
> > 1 2f9e416bebaaac9a0a3f266165753c1b
> > Mar 06 14:43:21 auth: Debug: passwd(johan,192.168.0.202): lookup
> > Mar 06 14:43:21 auth: Debug: master out: USER 1818361857 johan
> > system_groups_user=johan uid=1644800

Re: [Freeipa-users] Non-Prod instance

2013-02-25 Thread Dale Macartney



On 02/25/2013 02:58 PM, Guy Matz wrote:
> Hello! Does anyone out there run two instances of freeipa, prod & non-prod
> instances? Are there any issues to be wary of in this scenario? Any gotchas?
> Do you use the same realms & domain names between instances?
I've seen in many organizations the common practice of having two
directory server environments: one for testing and development, and the
other for production. It is rare that the same DNS zones are used, as it
would be a nightmare to manage.

In my own environments, I simply run a different domain name on a
different IP range, and set up all my infrastructure that I want to test
against that, before implementing into production.

The important thing to remember is it's for testing of the identity
management solution, not for testing applications to interface with it.

>
> Perhaps the fellow who upgraded his prod server to 6.4 might
> appreciate this . . .
>
> Thanks a lot,
> Guy
>




Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Dale Macartney



On 02/25/2013 11:15 AM, Jakub Hrozek wrote:
> On Mon, Feb 25, 2013 at 11:06:09AM +0000, Dale Macartney wrote:
>>
>>
>>
>> On 02/25/2013 10:58 AM, Jakub Hrozek wrote:
>>> On Mon, Feb 25, 2013 at 10:30:44AM +0000, Dale Macartney wrote:
>>>>>> What state is your SELinux in? Permissive/Enforcing/Disabled ?
>>>> Another fail on my part. Works fine in permissive mode.
>>>>
>>>
>>> No, the SSSD should be working out of the box with SELinux Enforcing.
>>>
>>>> AVC denials listed below..
>>>>
>>>> type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for
>>>> pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
>>>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for
>>>> pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
>>>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for
>>>> pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246
>>>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>
>>> ^ This is SElinux denying access to the fast in-memory cache.
>>>
>>>> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for
>>>> pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788155.330:28318): avc: denied { open } for
>>>> pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for
>>>> pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0
>>>> ino=392854 scontext=system_u:system_r:sssd_t:s0
>>>
>>> Interesting, I'm not aware of any code in the krb5 child process that
>>> would do anything selinux-related. I wonder if libkrb5 might be the
>>> culprit..rpm says it *is* linked against libselinux as well.
>>>
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
>>>> pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
>>>> type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name }
>>>> for pid=1380 comm="sssd_pam" name="adminoTfIUQ"
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
>>>> type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for
>>>> pid=1380 comm="sssd_pam" name="adminoTfIUQ"
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
>>>> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name }
>>>> for pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
>>>> type=AVC msg=audit(1361788156.367:28322): avc: denied { rename } for
>>>> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for
>>>> pid=1380 c

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Dale Macartney



On 02/25/2013 10:58 AM, Jakub Hrozek wrote:
> On Mon, Feb 25, 2013 at 10:30:44AM +0000, Dale Macartney wrote:
>>>> What state is your SELinux in? Permissive/Enforcing/Disabled ?
>> Another fail on my part. Works fine in permissive mode.
>>
>
> No, the SSSD should be working out of the box with SELinux Enforcing.
>
>> AVC denials listed below..
>>
>> type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for
>> pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for
>> pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for
>> pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246
>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>
> ^ This is SElinux denying access to the fast in-memory cache.
>
>> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for
>> pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
>> scontext=system_u:system_r:sssd_t:s0
>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>> type=AVC msg=audit(1361788155.330:28318): avc: denied { open } for
>> pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
>> scontext=system_u:system_r:sssd_t:s0
>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>> type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for
>> pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0
>> ino=392854 scontext=system_u:system_r:sssd_t:s0
>
> Interesting, I'm not aware of any code in the krb5 child process that
> would do anything selinux-related. I wonder if libkrb5 might be the
> culprit..rpm says it *is* linked against libselinux as well.
>
>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
>> pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943
>> scontext=system_u:system_r:sssd_t:s0
>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
>> type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name }
>> for pid=1380 comm="sssd_pam" name="adminoTfIUQ"
>> scontext=system_u:system_r:sssd_t:s0
>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
>> type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for
>> pid=1380 comm="sssd_pam" name="adminoTfIUQ"
>> scontext=system_u:system_r:sssd_t:s0
>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
>> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
>> scontext=system_u:system_r:sssd_t:s0
>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>> type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name }
>> for pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
>> scontext=system_u:system_r:sssd_t:s0
>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
>> type=AVC msg=audit(1361788156.367:28322): avc: denied { rename } for
>> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
>> scontext=system_u:system_r:sssd_t:s0
>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>> type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for
>> pid=1380 comm="sssd_pam" name="admin" dev=dm-0 ino=392951
>> scontext=system_u:system_r:sssd_t:s0
>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>
> This is SSSD trying to write the user login mapping.
>
> What version is your selinux-policy?
>
> Was your system properly labeled?
>
> Does restorecon -Rvv /etc/selinux help?
Interesting, after using restorecon, yes it now allows a successful
login. I am curious how the contexts would have become incorrectly set
as the machine was provisioned with a rather trivial kickstart.

Output of restorecon is below.

[root@workstation01 ~]# restorecon -Rvv /etc/selinux/
restorecon reset /etc/selinux/targeted/logins context
s
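As an added illustration (not part of the thread), the Python below rejoins line-wrapped AVC records like the ones quoted above, groups them by process, source domain, target type and object class, and picks out the sssd_t-to-selinux_config_t write denials that Jakub attributes to SSSD writing its user login mapping. The sample records are taken from this thread; the WRITE_PERMS filter is an assumption of mine, not something the thread states.

```python
"""Group SELinux AVC denials by (process, source domain, target type, class)
and pick out the pattern discussed in this thread: SSSD (sssd_t) being
refused write access to selinux_config_t objects under /etc/selinux.
"""
import re
from collections import defaultdict

# Sample records taken from the denials quoted in this thread. The mail
# client wrapped each record over several lines; join_records() rejoins them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1361788146.020:28315): avc:  denied  { read } for
pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28319): avc:  denied  { getattr } for
pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0
ino=392854 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { write } for
pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { create } for
pid=1380 comm="sssd_pam" name="adminoTfIUQ"
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Permissions that modify the target (my own choice of set). The read-only
# krb5_child denial on /etc/selinux/config is not the write pattern Jakub
# describes, so it is deliberately left out of login_mapping_denials().
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "rename", "unlink"}


def join_records(text):
    """Rejoin line-wrapped audit output into one string per AVC record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=AVC"):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def _type(context):
    """Return the type field of an SELinux context (user:role:type:level)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(record):
    """Extract permissions, process name, object and contexts from one record."""
    match = PERMS_RE.search(record)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(record)}
    return {
        "perms": match.group(1).split(),
        "comm": fields.get("comm", "?"),
        # path= carries the full path when auditd knows it, name= only the basename
        "target": fields.get("path") or fields.get("name", "?"),
        "source_type": _type(fields.get("scontext", "")),
        "target_type": _type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
    }


def summarize(text):
    """Map (comm, source_type, target_type, tclass) -> sorted permissions."""
    summary = defaultdict(set)
    for record in join_records(text):
        avc = parse_avc(record)
        if avc:
            key = (avc["comm"], avc["source_type"], avc["target_type"], avc["tclass"])
            summary[key].update(avc["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


def login_mapping_denials(text):
    """Keys matching the thread's pattern: an SSSD process in sssd_t refused a
    modifying permission on a selinux_config_t object. In the thread these
    went away after restorecon -Rvv /etc/selinux relabelled the directory."""
    return sorted(
        key for key, perms in summarize(text).items()
        if key[1] == "sssd_t" and key[2] == "selinux_config_t"
        and WRITE_PERMS.intersection(perms)
    )


if __name__ == "__main__":
    for key, perms in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(key, perms)
    print("login-mapping denials:", login_mapping_denials(SAMPLE_AUDIT_LOG))
```

Feed it `ausearch -m avc` output instead of the sample to get the same grouping for a real host.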

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Dale Macartney


On 02/25/2013 10:15 AM, Jakub Hrozek wrote:
> On Sat, Feb 23, 2013 at 10:40:03PM +0000, Dale Macartney wrote:
>>
>
> On 02/23/2013 10:36 PM, Rob Crittenden wrote:
> >>> Dale Macartney wrote:
> >>>>
> >>>> Even folks
> >>>>
> >>>> I've verified this both in a kickstart and via manual install to verify any user error on my part.
> >>>>
> >>>> I have a clean installation of RHEL 6.4 for an IPA domain of example.com
> >>>>
> >>>> I also have several clients which are also clean installs of RHEL 6.4 and although I can see IPA users via getent and even acquire a TGT successfully, I am unable to log in with any IPA user on any IPA member server.
> >>>>
> >>>> I see the same results for any type of login attempt, e.g. GNOME desktop or SSH.
> >>>>
> >>>> My client installation is done by this command.
> >>>>
> >>>> ipa-client-install -U -p admin -w redhat123 --mkhomedir --enable-dns-updates
> >>>>
> >>>> IPA client version 3.0.0-25
> >>>> SSSD version 1.9.2-82
> >>>>
> >>>>
> >>>> Logs from client are as follows.
> >>>>
> >>>> ==> /var/log/secure <==
> >>>> Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
> >>>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> >>>> rhost=10.0.1.254 user=admin
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info
> >>>> message: Your password will expire in 89 day(s).
>
> > FTR, this is a known bug that will be fixed in an asynchronous errata
> > Very Soon Now.
>
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
> >>>> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> >>>> rhost=10.0.1.254 user=admin
> >>>>
> >>>> ==> /var/log/btmp <==
> >>>> s ssh:nottyadmin10.0.1.254@>)Q
> >>>> ?
> >>>> ==> /var/log/secure <==
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access
> >>>> denied for user admin: 4 (System error)
>
> > What state is your SELinux in? Permissive/Enforcing/Disabled ?
Another fail on my part. Works fine in permissive mode.

AVC denials listed below.

type=AVC msg=audit(1361788146.020:28315): avc:  denied  { read } for 
pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28315): avc:  denied  { open } for 
pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28316): avc:  denied  { getattr } for 
pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28318): avc:  denied  { read } for 
pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28318): avc:  denied  { open } for 
pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28319): avc:  denied  { getattr } for 
pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0
ino=392854 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { write } for 
pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { add_name }
for  pid=1380 comm="sssd_pam" name="adminoTfIUQ"
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): 

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-23 Thread Dale Macartney


On 02/23/2013 10:36 PM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> Even folks
>>
>> I've verified this both in a kickstart and via manual install to verify
>> any user error on my part.
>>
>> I have a clean installation of RHEL 6.4 for an IPA domain of example.com
>>
>> I also have several clients which are also clean installs of RHEL 6.4
>> and although I can see IPA users via getent and even acquire a TGT
>> successfully, I am unable to log in with any IPA user on any IPA member
>> server.
>>
>> I see the same results for any type of login attempt, e.g. GNOME desktop
>> or SSH.
>>
>> My client installation is done by this command.
>>
>> ipa-client-install -U -p admin -w redhat123 --mkhomedir --enable-dns-updates
>>
>> IPA client version 3.0.0-25
>> SSSD version 1.9.2-82
>>
>>
>> Logs from client are as follows.
>>
>> ==> /var/log/secure <==
>> Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.0.1.254 user=admin
>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info
>> message: Your password will expire in 89 day(s).
>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
>> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.0.1.254 user=admin
>>
>> ==> /var/log/btmp <==
>> s ssh:nottyadmin10.0.1.254@>)Q
>> ?
>> ==> /var/log/secure <==
>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access
>> denied for user admin: 4 (System error)
>> Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from
>> 10.0.1.254 port 4 ssh2
>> Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied for user
>> admin by PAM account configuration
>>
>> ==> /var/log/Xorg.0.log <==
>> [ 604.308] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 connected
>> from local host ( uid=42 gid=42 pid=1958 )
>> Auth name: MIT-MAGIC-COOKIE-1 ID: 284
>> [ 604.312] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 disconnected
>>
>> ==> /var/log/messages <==
>> Feb 23 22:12:45 workstation02 ntpd[2359]: synchronized to LOCAL(0),
>> stratum 5
>> Feb 23 22:13:48 workstation02 ntpd[2359]: synchronized to 10.0.1.12,
>> stratum 11
>>
>>
>> interactive shell output as follows
>>
>> [mac@rhodey ~]$ ssh admin@10.0.1.102
>> admin@10.0.1.102's password:
>> Your password will expire in 89 day(s).
>> Connection closed by 10.0.1.102
>> [mac@rhodey ~]$
>>
>>
>> Am I doing something rather trivially wrong or is there something fishy
>> going on here?
>>
>> Thanks in advance.
>
> I'd check your HBAC configuration.
>
> rob
>
That is actually the very first thing I did, as it is a 100% clean
installation of IPA, plus the addition of one user and one IPA replica.

All users are granted access to all hosts.

[root@ds01 ~]# ipa hbacrule-find
---
1 HBAC rule matched
---
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
---
Number of entries returned 1
---
[root@ds01 ~]#




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-23 Thread Dale Macartney

Even folks

I've verified this both in a kickstart and via manual install to verify
any user error on my part.

I have a clean installation of RHEL 6.4 for an IPA domain of example.com

I also have several clients which are also clean installs of RHEL 6.4
and although I can see IPA users via getent and even acquire a TGT
successfully, I am unable to log in with any IPA user on any IPA member
server.

I see the same results for any type of login attempt, e.g. GNOME desktop
or SSH.

My client installation is done by this command.

ipa-client-install -U -p admin -w redhat123 --mkhomedir --enable-dns-updates

IPA client version 3.0.0-25
SSSD version 1.9.2-82


Logs from client are as follows.

==> /var/log/secure <==
Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.0.1.254  user=admin
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info
message: Your password will expire in 89 day(s).
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.0.1.254 user=admin

==> /var/log/btmp <==
sssh:nottyadmin10.0.1.254@>)Q
?
==> /var/log/secure <==
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access
denied for user admin: 4 (System error)
Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from
10.0.1.254 port 4 ssh2
Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied for user
admin by PAM account configuration

==> /var/log/Xorg.0.log <==
[   604.308] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 connected
from local host ( uid=42 gid=42 pid=1958 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 284
[   604.312] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 disconnected

==> /var/log/messages <==
Feb 23 22:12:45 workstation02 ntpd[2359]: synchronized to LOCAL(0),
stratum 5
Feb 23 22:13:48 workstation02 ntpd[2359]: synchronized to 10.0.1.12,
stratum 11


interactive shell output as follows

[mac@rhodey ~]$ ssh admin@10.0.1.102
admin@10.0.1.102's password:
Your password will expire in 89 day(s).
Connection closed by 10.0.1.102
[mac@rhodey ~]$


Am I doing something rather trivially wrong or is there something fishy
going on here?

Thanks in advance.

Dale




Re: [Freeipa-users] RHEL 6.4 , IPA 3.0 and bind-chroot

2013-02-23 Thread Dale Macartney


On 02/23/2013 09:47 PM, Dmitri Pal wrote:
> On 02/23/2013 12:48 PM, Dale Macartney wrote:
> >
>> Hi all
>>
>> I've just performed a clean IPA installation and noticed that if you're
>> using integrated DNS, you are still unable to use bind in a chrooted
>> environment with a default IPA install.
>>
>> Basically if it's a chrooted environment, named will fail to start.
>>
>> To replicate what I've done, do the following.
>>
>> # yum install ipa-server bind bind-chroot bind-dyndb-ldap -y
>> # ipa-server-install --setup-dns (do your usual thing here)
>>
>> From what I've been testing, there needs to be quite a few libraries
>> located in the chroot environment.
>>
>> I've done the below to get a little further (I should probably use
>> symbolic links, but for now copying the files is a start).
>>
>> mkdir /var/named/chroot/lib64/
>> cp /lib64/libldap-2.4.so.2 /var/named/chroot/lib64/
>> cp /lib64/liblber-2.4.so.2 /var/named/chroot/lib64/
>> cp /lib64/libplds4.so /var/named/chroot/lib64/
>> cp /lib64/libplc4.so /var/named/chroot/lib64/
>> cp /lib64/libnspr4.so /var/named/chroot/lib64/
>> cp /lib64/libcrypt.so.1 /var/named/chroot/lib64/
>> cp /lib64/libfreebl3.so /var/named/chroot/lib64/
>>
>> mkdir /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libssl3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libsmime3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libnss3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libnssutil3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libsasl2.so.2 /var/named/chroot/usr/lib64/
>>
>>
>>
>> Now when I restart named, I get the below error in /var/log/messages.
>>
>> Does anyone have any ideas of the best way to get around this error?
>>
>> Feb 23 17:35:29 ds01 named[2425]: Failed to parse the principal name
>> DNS/ds01.example.com (Configuration file does not specify default realm)
>
> It should be
> DNS/ds01.example.com@YOURREALMNAME.SOMETHING
Oh, of course... what a facepalm moment.

Where does the default ipa installation put the DNS keytab file? I did
notice an /etc/named.keytab was present, but placing that in
/var/named/chroot/etc didn't seem to improve matters.
>
>
> I do not know the exact reason but it might be that bind ldap driver
> can't locate its kerberos configuration.
> I hope it will give you a hint and unblock you before the real masters
> of DNS chime in.
I know this has been a rather long-lasting RFE/bug/however you want to
label it.
https://fedorahosted.org/freeipa/ticket/126

If I make any progress I'll let the team know.

>
>>
>>
>> Thanks folks.
>>
>> Dale
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/


[Freeipa-users] RHEL 6.4 , IPA 3.0 and bind-chroot

2013-02-23 Thread Dale Macartney

Hi all

I've just performed a clean IPA installation and noticed that if you're
using integrated DNS, you are still unable to use bind in a chrooted
environment with a default IPA install.

Basically if it's a chrooted environment, named will fail to start.

To replicate what I've done, do the following.

# yum install ipa-server bind bind-chroot bind-dyndb-ldap -y
# ipa-server-install --setup-dns (do your usual thing here)

From what I've been testing, there needs to be quite a few libraries
located in the chroot environment.

I've done the below to get a little further (I should probably use
symbolic links, but for now copying the files is a start).

mkdir /var/named/chroot/lib64/
cp /lib64/libldap-2.4.so.2 /var/named/chroot/lib64/
cp /lib64/liblber-2.4.so.2 /var/named/chroot/lib64/
cp /lib64/libplds4.so /var/named/chroot/lib64/
cp /lib64/libplc4.so /var/named/chroot/lib64/
cp /lib64/libnspr4.so /var/named/chroot/lib64/
cp /lib64/libcrypt.so.1 /var/named/chroot/lib64/
cp /lib64/libfreebl3.so /var/named/chroot/lib64/

mkdir /var/named/chroot/usr/lib64/
cp /usr/lib64/libssl3.so /var/named/chroot/usr/lib64/
cp /usr/lib64/libsmime3.so /var/named/chroot/usr/lib64/
cp /usr/lib64/libnss3.so /var/named/chroot/usr/lib64/
cp /usr/lib64/libnssutil3.so /var/named/chroot/usr/lib64/
cp /usr/lib64/libsasl2.so.2 /var/named/chroot/usr/lib64/



Now when I restart named, I get the below error in /var/log/messages.

Does anyone have any ideas of the best way to get around this error?

Feb 23 17:35:29 ds01 named[2425]: Failed to parse the principal name
DNS/ds01.example.com (Configuration file does not specify default realm)


Thanks folks.

Dale



Re: [Freeipa-users] User info lookup via LDAP with Jabber +FreeIPA

2013-02-10 Thread Dale Macartney


On 02/10/2013 04:39 PM, Dmitri Pal wrote:
> On 02/10/2013 07:15 AM, Dale Macartney wrote:
> >
>> Hi all
>>
>> So I have started testing more of the end user experience of FreeIPA
>> with my integration docs of different services over the weekend and when
>> I logged in as an IPA test user to Jabber, I noticed that the user
>> details are not being populated.
>>
>> Article is here:
>> https://www.dalemacartney.com/2012/07/05/configuring-ejabberd-to-authenticate-freeipa-users-using-ldap-group-memberships
>>
>> As an admin, these details probably seem pretty trivial and unneeded,
>> but as an end user, this could be useful. Otherwise those fields
>> wouldn't be in the client at all really.
>>
>> I used Empathy on Fedora 18 as the connecting client as it is an
>> authenticated IPA workstation.
>>
>> Does anyone have any ideas/suggestions/experience on pulling those user
>> attributes from IPA into the jabber client?
>>
>> Screenshot attached.
>>
>> Thanks all
>>
>> Dale
>>
>>
> Would be nice to understand which attributes are expected for those.
> I do not think we keep a birthday in IPA.

I did have a chuckle when I noticed that one.
From what I've been reading, it's just an additional section I need in
the ejabberd config.

There seems to be support for display photos as well. Might have to pick
that one up as well when I have a free moment.

I'll keep the list informed on progress.
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/


[Freeipa-users] User info lookup via LDAP with Jabber +FreeIPA

2013-02-10 Thread Dale Macartney

Hi all

So I have started testing more of the end user experience of FreeIPA
with my integration docs of different services over the weekend and when
I logged in as an IPA test user to Jabber, I noticed that the user
details are not being populated.

Article is here:
https://www.dalemacartney.com/2012/07/05/configuring-ejabberd-to-authenticate-freeipa-users-using-ldap-group-memberships

As an admin, these details probably seem pretty trivial and unneeded,
but as an end user, this could be useful. Otherwise those fields
wouldn't be in the client at all really.

I used Empathy on Fedora 18 as the connecting client as it is an
authenticated IPA workstation.

Does anyone have any ideas/suggestions/experience on pulling those user
attributes from IPA into the jabber client?

Screenshot attached.

Thanks all

Dale



Re: [Freeipa-users] Some interrogations about the freeipa deployment

2013-01-22 Thread Dale Macartney


On 01/22/2013 09:51 PM, Steven Jones wrote:
> Hi,
>
> I have all done this, so from what you write I think IPA would be a
> good fit for what you want, except that is the single sign on bit I have
> not looked to see if that can be done. For http restart you control that
> via sudo in IPA so it's centrally managed, I have this working for one
> such server though I use the reload option instead.
To enable SSO with SSH from an IPA workstation, just edit
/etc/ssh/sshd_config and make sure the line below is set to yes:
"GSSAPIAuthentication yes"

If you've just made the change, it won't take effect until SSH is
restarted. So do the usual service sshd restart.

>
> I would also not run one instance of IPA myself but with such a small
> site that's your call.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> -
> *From:* freeipa-users-boun...@redhat.com
> [freeipa-users-boun...@redhat.com] on behalf of Bob Sauvage
> [bob.sauv...@gmx.fr]
> *Sent:* Wednesday, 23 January 2013 9:51 a.m.
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] Some interrogations about the freeipa
> deployment
>
> Hi *,
>
> I plan to review the network architecture of my office. 10
> Windows/Linux desktops and 2 Linux servers will be deployed on the network.
>
> I want to install freeipa on the first server to act like an AD DS. I
> want to authenticate users on the server and control what can be
> done or not by them on the network. 10 other linux web servers should be
> accessible (console) by specific users and without the need to
> authenticate again (single sign on). On these web servers, users can
> issue specific commands like "/etc/init.d/httpd restart".
>
> Is it possible to achieve this with freeipa ? Do you have some articles ?
>
> Thanks in advance,
>
> Bob !

Re: [Freeipa-users] Fedora 18 - FreeIPA + AD

2013-01-19 Thread Dale Macartney


On 01/19/2013 07:16 PM, Dmitri Pal wrote:
> On 01/19/2013 01:25 PM, MaSch wrote:
>> Hello all,
>>
>> I'm trying to setup FreeIPA on Fedora 18 (Final) with AD integration
>> on a test server. However I do not even get past
>> the initial (local) steps described in :
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>> The last step of the section "Install and configure IPA server" gives
>> me the following error :
I am having similar issues, however I only have the problem when
attempting a trust with AD 2012. It works perfectly on AD 2008 R2.

A critical prerequisite is definitely to make sure DNS resolution is
working in advance. It's always a killer.

If you use IPA managed DNS, use the following.

ipa dnszone-add nt.example.com --name-server=dc01.nt.example.com --admin-email="administra...@nt.example.com" --force --forwarder=10.0.2.11 --forward-policy=only

The IP address is the IP of the domain controller dc01.nt.example.com.

>>
>>
>> "Outdated Kerberos credentials. Use kdestroy and kinit to update your
>> ticket"
>>
>> However "kdestroy" followed by a consequent "kinit admin" does not
>> help, I get the error again when trying
>> to "ipa-adtrust-install"
>>
>> The ipaserver-install.log says :
>> 2013-01-19T17:19:56Z DEBUG stderr=
>> 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141
>>
>> 2013-01-19T17:19:56Z DEBUG Starting external process
>> 2013-01-19T17:19:56Z DEBUG args=kinit admin
>> 2013-01-19T17:19:57Z DEBUG Process finished, return code=0
>> 2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:
>>
>> 2013-01-19T17:19:57Z DEBUG stderr=
>> 2013-01-19T17:19:57Z INFO File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 617, in
>> run_script
>> return_value = main_function()
>>
>> File "/usr/sbin/ipa-adtrust-install", line 304, in main
>> sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to
>> update your ticket")
>>
>> 2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed,
>> exception: SystemExit: Outdated Kerberos credentials.
>> Use kdestroy and kinit to update your ticket
>>
>>
>> ______
>>
>>
>> I tried to follow the instructions and stick to the plan - here is
>> the history of commands I executed on a fresh Fedora
>> 18 Installation (after installing vmware tools in the vm) (long
>> output is omitted and replaced by ...) :
>>
>>
>> [root@linux user]# yum update -y
>> ...
>> [root@linux user]# reboot
>> [root@linux user]# yum install -y "*ipa-server"
>> "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind
>> samba4-client bind bind-dyndb-ldap
>> ...
>> [root@linux user]# echo "172.16.135.141 ipa-server.matrix.local
>> ipa-server" >> /etc/hosts
>> [root@linux user]# hostname ipa-server.matrix.local
>> [root@linux user]# hostname
>> ipa-server.matrix.local
>> [root@linux user]# ping ipa-server.matrix.local
>> PING ipa-server.matrix.local (172.16.135.141) 56(84) bytes of data.
>> 64 bytes from ipa-server.matrix.local (172.16.135.141): icmp_seq=1
>> ttl=64 time=0.058 ms
>> [root@linux user]# ipa-server-install -a mypassword1 -p mypassword2
>> --domain=matrix.local --realm=MATRIX.LOCAL
>> --setup-dns --no-forwarders -U
>> ... setup completes without errors
>> [root@linux user]# kinit admin
>> Password for admin@MATRIX.LOCAL:
>> [root@linux user]# klist
>> Ticket cache:
>> DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
>> Default principal: admin@MATRIX.LOCAL
>>
>> Valid starting Expires Service principal
>> 01/19/13 12:19:06 01/20/13 12:19:02 krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
>> [root@linux user]# id admin
>> uid=139640(admin) gid=139640(admins) groups=139640(admins)
>> [root@linux user]# getent passwd admin
>> admin:*:139640:139640:Administrator:/home/admin:/bin/bash
>> [root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a
>> mypassword1
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>>
>> ======
>> This program will setup components needed to establish trust to AD
>> domains for
>> the FreeIPA Server.
>>
>> This includes:
>> * Configure Samba
>> * Add trust related objects to FreeIPA LDAP server
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>>
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Outdated Kerberos credentials. Use kdestroy and kinit to update your
>> ticket
>>
>>
>> ______
>>
>> The freeipa packages installed are :
>>
>> freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
>> freeipa-python-3.1.0-2.fc18.x86_64
>> freeipa-server-selinux-3.1.0-2.fc18.x86_64
>> freeipa-admintools-3.1.0-2.fc18.x86_64
>> freeipa-server-3.1.0-2.fc18.x86_64
>> freeipa-client-3.1.0-2.fc18

[Freeipa-users] FreeIPA + Yubikey conditional login process

2013-01-12 Thread Dale Macartney

Evening all

So, basis of my testing environment is as follows

RHEL 6 running IPA 2.2 or 3.0 (Will be looking to test on both versions)
RHEL 6 and Fedora 18 workstations connected as ipa clients to IPA domain.

I am using this article in place with my testing environment.
https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/

What I would like to achieve is:

Scenario 1:
From IPA client workstation
remote SSH session authenticates using current TGT from workstation
session. No password or yubikey prompt. This should be completely SSO.

Scenario 2:
From Non-IPA client workstation
remote SSH session authenticates via password AND yubikey prompt as no
TGT is available.


What I don't know how to achieve is Scenario 2.

Is this possible? I'm processing it in my mind of pam having a
conditional required option, but I don't know of a way to make it happen.

Thanks all

Dale




Re: [Freeipa-users] Fedora 18 + FreeIPA 3.1

2013-01-02 Thread Dale Macartney


On 01/02/2013 12:42 AM, Rob Crittenden wrote:
> Dale Macartney wrote:
>> On 01/01/2013 11:42 PM, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>> On 12/29/2012 06:38 PM, Rob Crittenden wrote:
>>>>> Dale Macartney wrote:
>>>>>>
>>>>>> Afternoon all
>>>>>>
>>>>>> using Fedora 18 Beta and attempting to install FreeIPA 3.1
>>>>>>
>>>>>> when running through the install of "ipa-server-install --setup-dns" I
>>>>>> end up with a failure with the below output
>>>>>>
>>>>>>
>>>>>> [root@ds01 ~]# ipa-server-install --setup-dns
>>>>>> .
>>>>>> .
>>>>>> Done configuring directory server (dirsrv).
>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>>>>> 30 seconds
>>>>>> [1/20]: creating certificate server user
>>>>>> [2/20]: configuring certificate server instance
>>>>>> [3/20]: disabling nonces
>>>>>> [4/20]: creating RA agent certificate database
>>>>>> [5/20]: importing CA chain to RA certificate database
>>>>>> [6/20]: fixing RA database permissions
>>>>>> [7/20]: setting up signing cert profile
>>>>>> [8/20]: set up CRL publishing
>>>>>> [9/20]: set certificate subject base
>>>>>> [10/20]: enabling Subject Key Identifier
>>>>>> [11/20]: enabling CRL and OCSP extensions for certificates
>>>>>> [12/20]: setting audit signing renewal to 2 years
>>>>>> [13/20]: configuring certificate server to start on boot
>>>>>> [14/20]: restarting certificate server
>>>>>> [15/20]: requesting RA certificate from CA
>>>>>> [16/20]: issuing RA agent certificate
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p
>>>>>>  -d /tmp/tmp-kUFAyN -r /ca/agent/ca/profileReview?requestId=7
>>>>>> ds01.domain.com:8443' returned non-zero exit status 6
>>>>>>
>>>>>>
>>>>>> there is absolutely nothing in any logs at all apart from a few selinux
>>>>>> audit logs (system running in permissive mode).
>>>>>>
>>>>>> Any thoughts?
>>>>>
>>>>> This usually means a problem with DNS.
>>>> Hmm... normally I set a dns forwarder of 10.0.0.254... This time I tried
>>>> it with no forwarder at all... Same error occurs...
>>>
>>> Not really sure. The errors out of sslget are not particularly helpful.
>>>
>>> I'd check /etc/hosts to be sure it is sane, and perhaps dig/host to be
>>> sure that the forward and reverse entries match up.
>> That'll teach me for using non-kickstarted systems...
>>
>> The error is caused by a misconfigured or unconfigured /etc/hosts.
>
> It's hard to programmatically check for some things but I was pretty
> sure we did some /etc/hosts sanity checking. What was the problem, and I
> guess more importantly, is it something we can/should check for prior to
> starting the install?
So.. I've just deployed a new guest to test it..

With no entries in /etc/hosts with the exception of localhost... the
below appears as part of the ipa-server-install process.. (I am using
"ipa-server-install --setup-dns")

Server host name [ds01.domain.com]:

Warning: skipping DNS resolution of host ds01.domain.com
The domain name has been determined based on the host name.

Please confirm the domain name [domain.com]:

The server hostname resolves to more than one address:
  fe80::21a:4aff:fe00:a8%eth0
  10.0.3.11
Please provide the IP address to be used for this host name: 10.0.3.11
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [DOMAIN.COM]:

If I configure the host details in /etc/hosts (10.0.3.11
ds01.domain.com ds01), then the above selection process is not prompted.

So in short, no hosts file
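Rob's question about checking /etc/hosts before the install starts can be answered with a pre-flight check like the following; it is an added example, not FreeIPA's own code, and its hosts text and resolver callables are constructed stand-ins for the real file and for dig/host lookups.

```python
import ipaddress
import socket


def parse_hosts(text):
    """Map each name in /etc/hosts content to the set of addresses it is listed against."""
    names = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *aliases = line.split()
        for name in aliases:
            names.setdefault(name.lower(), set()).add(addr)
    return names


def check_hosts_entry(hosts_text, fqdn):
    """Return the problems with the /etc/hosts mapping for fqdn (empty list means sane).

    Flags the two situations the thread shows: no entry at all (only the localhost
    lines), and more than one candidate address, a link-local IPv6 one among them.
    """
    addrs = parse_hosts(hosts_text).get(fqdn.lower(), set())
    if not addrs:
        return [f"{fqdn}: no /etc/hosts entry"]
    problems, usable = [], []
    for addr in sorted(addrs):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            problems.append(f"{fqdn}: mapped to loopback address {addr}")
        elif ip.is_link_local:
            problems.append(f"{fqdn}: mapped to link-local address {addr}")
        else:
            usable.append(addr)
    if len(usable) > 1:
        problems.append(f"{fqdn}: resolves to more than one address: {', '.join(usable)}")
    return problems


def check_forward_reverse(fqdn, forward=None, reverse=None):
    """Check that every address fqdn resolves to maps back to fqdn (dig/host both ways).

    forward(name) returns a list of address strings and reverse(addr) the canonical
    name; the defaults use the system resolver, the test injects constructed ones.
    """
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    try:
        addrs = forward(fqdn)
    except OSError as exc:
        return [f"{fqdn}: forward lookup failed: {exc}"]
    if not addrs:
        return [f"{fqdn}: forward lookup returned no addresses"]
    problems = []
    want = fqdn.rstrip(".").lower()
    for addr in addrs:
        try:
            name = reverse(addr)
        except OSError as exc:
            problems.append(f"{addr}: reverse lookup failed: {exc}")
            continue
        if name.rstrip(".").lower() != want:
            problems.append(f"{addr}: reverse lookup gives {name!r}, not {fqdn!r}")
    return problems


# Constructed samples modelled on the thread: the loopback-only file that made the
# installer prompt, and the same file with the server line the author added.
HOSTS_LOCALHOST_ONLY = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
"""
HOSTS_WITH_SERVER = HOSTS_LOCALHOST_ONLY + "10.0.3.11   ds01.domain.com ds01\n"

if __name__ == "__main__":
    for label, text in (("localhost only", HOSTS_LOCALHOST_ONLY), ("with server", HOSTS_WITH_SERVER)):
        print(f"{label}: {check_hosts_entry(text, 'ds01.domain.com') or 'OK'}")
    print("forward/reverse:", check_forward_reverse("ds01.domain.com") or "OK")
```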

Re: [Freeipa-users] Fedora 18 + FreeIPA 3.1

2013-01-01 Thread Dale Macartney



On 01/01/2013 11:42 PM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>>
>>
>> On 12/29/2012 06:38 PM, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>>
>>>> Afternoon all
>>>>
>>>> using Fedora 18 Beta and attempting to install FreeIPA 3.1
>>>>
>>>> when running through the install of "ipa-server-install --setup-dns" I
>>>> end up with a failure with the below output
>>>>
>>>>
>>>> [root@ds01 ~]# ipa-server-install --setup-dns
>>>> .
>>>> .
>>>> Done configuring directory server (dirsrv).
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>>> 30 seconds
>>>> [1/20]: creating certificate server user
>>>> [2/20]: configuring certificate server instance
>>>> [3/20]: disabling nonces
>>>> [4/20]: creating RA agent certificate database
>>>> [5/20]: importing CA chain to RA certificate database
>>>> [6/20]: fixing RA database permissions
>>>> [7/20]: setting up signing cert profile
>>>> [8/20]: set up CRL publishing
>>>> [9/20]: set certificate subject base
>>>> [10/20]: enabling Subject Key Identifier
>>>> [11/20]: enabling CRL and OCSP extensions for certificates
>>>> [12/20]: setting audit signing renewal to 2 years
>>>> [13/20]: configuring certificate server to start on boot
>>>> [14/20]: restarting certificate server
>>>> [15/20]: requesting RA certificate from CA
>>>> [16/20]: issuing RA agent certificate
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p
>>>>  -d /tmp/tmp-kUFAyN -r /ca/agent/ca/profileReview?requestId=7
>>>> ds01.domain.com:8443' returned non-zero exit status 6
>>>>
>>>>
>>>> there is absolutely nothing in any logs at all apart from a few selinux
>>>> audit logs (system running in permissive mode).
>>>>
>>>> Any thoughts?
>>>
>>> This usually means a problem with DNS.
>> Hmm... normally I set a dns forwarder of 10.0.0.254... This time I tried
>> it with no forwarder at all... Same error occurs...
>
> Not really sure. The errors out of sslget are not particularly helpful.
>
> I'd check /etc/hosts to be sure it is sane, and perhaps dig/host to be
> sure that the forward and reverse entries match up.
That'll teach me for using non-kickstarted systems...

Error is caused by a mis- or unconfigured /etc/hosts

>
> rob
>

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Fedora 18 + FreeIPA 3.1

2012-12-29 Thread Dale Macartney



On 12/29/2012 06:38 PM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>>
>> Afternoon all
>>
>> using Fedora 18 Beta and attempting to install FreeIPA 3.1
>>
>> when running through the install of "ipa-server-install --setup-dns" I
>> end up with a failure with the below output
>>
>>
>> [root@ds01 ~]# ipa-server-install --setup-dns
>> .
>> .
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>> 30 seconds
>> [1/20]: creating certificate server user
>> [2/20]: configuring certificate server instance
>> [3/20]: disabling nonces
>> [4/20]: creating RA agent certificate database
>> [5/20]: importing CA chain to RA certificate database
>> [6/20]: fixing RA database permissions
>> [7/20]: setting up signing cert profile
>> [8/20]: set up CRL publishing
>> [9/20]: set certificate subject base
>> [10/20]: enabling Subject Key Identifier
>> [11/20]: enabling CRL and OCSP extensions for certificates
>> [12/20]: setting audit signing renewal to 2 years
>> [13/20]: configuring certificate server to start on boot
>> [14/20]: restarting certificate server
>> [15/20]: requesting RA certificate from CA
>> [16/20]: issuing RA agent certificate
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p
>>  -d /tmp/tmp-kUFAyN -r /ca/agent/ca/profileReview?requestId=7
>> ds01.domain.com:8443' returned non-zero exit status 6
>>
>>
>> there is absolutely nothing in any logs at all apart from a few selinux
>> audit logs (system running in permissive mode).
>>
>> Any thoughts?
>
> This usually means a problem with DNS.
Hmm... normally I set a dns forwarder of 10.0.0.254... This time I tried
it with no forwarder at all... Same error occurs...
>
> rob
>
>


[Freeipa-users] Fedora 18 + FreeIPA 3.1

2012-12-29 Thread Dale Macartney


Afternoon all

using Fedora 18 Beta and attempting to install FreeIPA 3.1

when running through the install of "ipa-server-install --setup-dns" I
end up with a failure with the below output


[root@ds01 ~]# ipa-server-install --setup-dns
.
.
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
  [3/20]: disabling nonces
  [4/20]: creating RA agent certificate database
  [5/20]: importing CA chain to RA certificate database
  [6/20]: fixing RA database permissions
  [7/20]: setting up signing cert profile
  [8/20]: set up CRL publishing
  [9/20]: set certificate subject base
  [10/20]: enabling Subject Key Identifier
  [11/20]: enabling CRL and OCSP extensions for certificates
  [12/20]: setting audit signing renewal to 2 years
  [13/20]: configuring certificate server to start on boot
  [14/20]: restarting certificate server
  [15/20]: requesting RA certificate from CA
  [16/20]: issuing RA agent certificate
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p
 -d /tmp/tmp-kUFAyN -r /ca/agent/ca/profileReview?requestId=7
ds01.domain.com:8443' returned non-zero exit status 6


there is absolutely nothing in any logs at all apart from a few selinux
audit logs (system running in permissive mode).

Any thoughts?

Thanks all

Dale



Re: [Freeipa-users] Integrating Yubikey tokens into FreeIPA

2012-12-19 Thread Dale Macartney



On 12/19/2012 01:20 PM, Simo Sorce wrote:
> On Wed, 2012-12-19 at 12:30 +0000, Dale Macartney wrote:
>>
>> Morning all
>>
>> Here's something I was working on last night with Gavin Spurgeon.
>>
>> If anyone would like to comment on better ways to achieve this, I'd love
>> to hear it so I can update my own procedures (and the article of course)
>>
>>
https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
>>
>> I hope some people find it useful.
>
> Hi Dale,
> what problem do you have adding new schema ?
We weren't able to add any objectIdentifier fields... When trying to
search for existing schema entries, we received the below output.

[root@ds01 ~]# ldapsearch -LLL -h localhost -D "cn=Directory Manager" -x
-w redhat123 -b "cn=schema"
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema

[root@ds01 ~]#


We were trying to use this schema, which was created by Michal, however
we never managed to get it imported with the objectIdentifier values there.

dn: cn=yubikey,cn=config
objectClass: SchemaConfig
cn: yubikey
#
# YubiKey LDAP schema
#
# Author: Michal Ludvig 
# Consider a small PayPal donation:
# http://logix.cz/michal/devel/yubikey-ldap/
#
# Common Logix OID structure
# ...<...>
ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2
# YubiKey schema sub-tree
ObjectIdentifier: {4}YkAttribute   YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1
  NAME 'yubiKeyId'
  DESC 'Yubico YubiKey ID'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1
  NAME 'yubiKeyUser'
  DESC 'Yubico YubiKey User'
  SUP top
  AUXILIARY
  MAY ( yubiKeyId ) )

We ended up having to settle for

dn: cn=schema
#
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC
'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26{1
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC
'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )


Are there any security restrictions on the schema, or perhaps something
done differently to normal LDAP? Unless of course I'm doing something silly.

Thoughts?

>
>
> Simo.
>
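The macro form above is OpenLDAP's cn=config dialect, whose ObjectIdentifier macros 389-ds (the directory server under FreeIPA) does not understand; the flat cn=schema form Dale settled for is what it expects. As an added example, not from the thread or from Michal Ludvig's schema, this resolves the macros and emits the cn=schema modify LDIF, assuming the macro lines originally had a space after each name (the constructed input restores it).

```python
import re

# Constructed input: the macro-style YubiKey schema fragment quoted above, in the
# OpenLDAP cn=config form, with the space after each macro name restored.
YUBIKEY_MACRO_SCHEMA = """\
ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2
ObjectIdentifier: {4}YkAttribute   YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1
  NAME 'yubiKeyId'
  DESC 'Yubico YubiKey ID'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1
  NAME 'yubiKeyUser'
  DESC 'Yubico YubiKey User'
  SUP top
  AUXILIARY
  MAY ( yubiKeyId ) )
"""

_ORDER_PREFIX = re.compile(r"^\{\d+\}")  # OpenLDAP's {n} ordering tag, not part of the value
_DOTTED_OID = re.compile(r"\d+(\.\d+)*")
_DEF_KEYS = {"AttributeTypes": "attributeTypes", "ObjectClasses": "objectClasses"}


def expand_ref(ref, macros):
    """Turn 'macro:suffix', a bare macro name, or an already dotted OID into a dotted OID."""
    if _DOTTED_OID.fullmatch(ref):
        return ref
    macro, _, suffix = ref.partition(":")
    if macro not in macros:
        raise ValueError(f"undefined OID macro {macro!r}")
    return macros[macro] + ("." + suffix if suffix else "")


def resolve_macros(text):
    """Build the name -> dotted OID map from the ObjectIdentifier: lines, in file order."""
    macros = {}
    for line in text.splitlines():
        if line.startswith("ObjectIdentifier:"):
            value = _ORDER_PREFIX.sub("", line.split(":", 1)[1].strip())
            name, ref = value.split(None, 1)
            macros[name] = expand_ref(ref.strip(), macros)
    return macros


def flatten_definitions(text):
    """Join each multi-line definition into one line with its OID macro resolved.

    Returns (key, definition) pairs such as ("AttributeTypes", "( 1.3.6... NAME ... )").
    """
    macros = resolve_macros(text)
    defs, key, parts = [], None, []
    for line in text.splitlines() + [""]:  # the sentinel flushes the last definition
        if line.startswith(" "):
            parts.append(line.strip())  # continuation line of the open definition
            continue
        if key is not None:
            head, ref, rest = " ".join(parts).split(None, 2)  # "(", "YkAttribute:1", "NAME ..."
            defs.append((key, f"{head} {expand_ref(ref, macros)} {rest}"))
            key, parts = None, []
        for candidate in _DEF_KEYS:
            if line.startswith(candidate + ":"):
                key = candidate
                parts = [_ORDER_PREFIX.sub("", line.split(":", 1)[1].strip())]
    return defs


def to_389ds_ldif(text):
    """Render the resolved definitions as the cn=schema modify LDIF 389-ds/FreeIPA accepts."""
    out = ["dn: cn=schema", "changetype: modify"]
    for i, (key, definition) in enumerate(flatten_definitions(text)):
        if i:
            out.append("-")
        out.append(f"add: {_DEF_KEYS[key]}")
        out.append(f"{_DEF_KEYS[key]}: {definition}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, oid in resolve_macros(YUBIKEY_MACRO_SCHEMA).items():
        print(f"{name:14} {oid}")
    print(to_389ds_ldif(YUBIKEY_MACRO_SCHEMA))
```

Mechanical expansion places yubiKeyId at 1.3.6.1.4.1.40789.2012.11.1.2.1.1 and yubiKeyUser at 1.3.6.1.4.1.40789.2012.11.1.2.2.1, one arc below the hand-expanded OIDs in the LDIF above; whichever numbering is chosen, every server sharing the schema must load the same one.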


[Freeipa-users] Integrating Yubikey tokens into FreeIPA

2012-12-19 Thread Dale Macartney


Morning all

Here's something I was working on last night with Gavin Spurgeon.

If anyone would like to comment on better ways to achieve this, I'd love
to hear it so I can update my own procedures (and the article of course).

https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/

I hope some people find it useful.


Dale




Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

2012-12-19 Thread Dale Macartney



On 12/19/2012 09:25 AM, Innes, Duncan wrote:
> Are there any results you can even talk about at this stage?
Although not officially supported by Red Hat, here's something I wrote for
my own environments. It is just a scripted tool to tar up what I can see
are the necessary directories.
I've done more backups and restores with this than I'd care to admit,
but if you wish to use it, please test it yourself in your own test
environment before you use it on production.

https://www.dalemacartney.com/2012/09/08/how-to-backup-restore-freeipa-2-2-0-on-red-hat-enterprise-linux-6/

> 
> If not, I'd suggest turning up the heat a notch or two to get it on
the boil :-)
>
> I know this is FreeIPA, but RedHat shipping Identity Management as a
supported feature without any backup/restore mechanism is a pretty big
hole in functionality.
I completely agree with Duncan here.
> 
> D
>
> Duncan Innes | Linux Architect
>
> -
> *From:* freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal
> *Sent:* 18 December 2012 18:42
> *To:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Backup and Restore procedures for IPA
2.2.0?
>
> On 12/18/2012 01:39 PM, David Copperfield wrote:
>> Hi all,
>>
>> Is the backup and restore procedure for IPA available now? It's
rumored months back that some one was working on it but not sure what is
the progress on it. Please shed a light if you have any ideas.
>>
>> I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.
>
>
> Yes there is a simmering effort. But there are unfortunately no
results we can share yet.
>
>>
>> Thanks.
>> David
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>


Re: [Freeipa-users] RHEV-M + service accounts in IPA

2012-09-05 Thread Dale Macartney



On 05/09/12 13:39, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>>
>> Afternoon all
>>
>> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3 (
>> ipa-server-2.2-16)
>>
>> I have an api script that handles all my deployments and I am trying to
>> set up a role account for my script to run within a jenkins environment.
>>
>> I have created an ldap sysaccount, however that doesn't appear in the
>> RHEV users list when I do a search. So it's clear it's looking for
>> specific IPA users.
>>
>> Is there a way (or on the roadmap), to create service/role accounts in
>> IPA where the password doesn't expire?
>>
>> I'm trying to avoid scenarios like this
>>
>> https://access.redhat.com/knowledge/solutions/67562
>>
>> Any comments / suggestions are welcome
>>
>> Thanks everyone
>>
>> Dale
>>
>
> A work-around is to set krbpasswordexpiration of the user somewhere
far in the future to prevent expiration.
That'll work.. Do I need to do anything fancy though? I tried running
the below on a new user called rhev-build but it keeps erroring out. I
know I have a current TGT otherwise I wouldn't be able to add the user
in the first place.

[root@ds01 ~]# ipa user-mod rhev-build
--setattr=krbPasswordExpiration=20131231011529Z
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbPasswordExpiration' attribute of entry
'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
[root@ds01 ~]#

>
> We have a ticket open on this,
https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
3.3.
Good to know it's on its way. This is a demo lab so setting a long
password expiry addresses my needs.
>
> rob




[Freeipa-users] RHEV-M + service accounts in IPA

2012-09-05 Thread Dale Macartney


Afternoon all

I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3 (
ipa-server-2.2-16)

I have an api script that handles all my deployments and I am trying to
set up a role account for my script to run within a jenkins environment.

I have created an ldap sysaccount, however that doesn't appear in the
RHEV users list when I do a search. So it's clear it's looking for
specific IPA users.

Is there a way (or on the roadmap), to create service/role accounts in
IPA where the password doesn't expire?

I'm trying to avoid scenarios like this

https://access.redhat.com/knowledge/solutions/67562

Any comments / suggestions are welcome

Thanks everyone

Dale



Re: [Freeipa-users] whats the recommended way to change OU structures in IPA?

2012-08-06 Thread Dale Macartney



On 06/08/12 16:22, John Dennis wrote:
> On 08/06/2012 11:07 AM, Dale Macartney wrote:
>> Although I can use any ldapmodify capable tool to do this, I was
>> wondering what the "recommended" way that we should be telling customers
>> who want to change OU trees?
>>
>> e.g, say in a high school using IPA, they wished to create a parent OU
>> called cn=school accounts,dc=example,dc=com and inside that OU there are
>> two more OU's. One for staff and one for students?
>>
>> Presumably this is not possible through the webUI.
>>
>> Also what are the implications if I move a user that was created with
>> "ipa user-add" into a non-default OU? Will it break anything? What's the
>> best way to move an existing user into one of the above OU's?
>
> IPA only supports flat name spaces, you cannot partition the default
containers. This was an early IPA design decision.
>
> If you use ldapmodify to move entries it will break your IPA installation.
Oh that sounds fun ;-)
>
> You can however assign users, hosts, etc. to groups. Then use group
membership to control how a particular group of users behaves. It's easy
to automate group membership via automember.
I agree with using Groups instead of OU's for application roles to
be honest. I find it much neater. I was curious for certain software
that does not make it very easy to use groups instead of OU's..
Thanks for giving me more firepower when asking them to raise an RFE ;-).




[Freeipa-users] whats the recommended way to change OU structures in IPA?

2012-08-06 Thread Dale Macartney


Afternoon all

Although I can use any ldapmodify capable tool to do this, I was
wondering what the "recommended" way that we should be telling customers
who want to change OU trees?

e.g, say in a high school using IPA, they wished to create a parent OU
called cn=school accounts,dc=example,dc=com and inside that OU there are
two more OU's. One for staff and one for students?

Presumably this is not possible through the webUI.

Also what are the implications if I move a user that was created with
"ipa user-add" into a non-default OU? Will it break anything? What's the
best way to move an existing user into one of the above OU's?

Any thoughts?

Thanks

Dale



Re: [Freeipa-users] Backup & Restore

2012-07-17 Thread Dale Macartney


Hi Duncan

I spent a substantial amount of time on restorations last week. I was
working towards a "System State Backup" method of backing up IPA.

I managed to get a restoration working on a completely clean system by
doing a file level restore.

What type of restoration are you seeking? complete server rebuild, or
partial restoration?

Dale



On 17/07/12 11:39, Innes, Duncan wrote:
> Hi folks,
>
> Just wondering if there's any specifically designed tools to allow
backups & restores of a FreeIPA design - or if there are any best
practice guidelines at least.
>
> Thanks
>
> Duncan Innes | Linux Architect | Virgin Money | +44 1603 215476 | +44
7801 134507 | _duncan.innes@virginmoney.com_

>



[Freeipa-users] New HowTo Doc: YubiRadius integration with group-validated FreeIPA Users using LDAPS

2012-07-14 Thread Dale Macartney


Morning all

I've just published a walk through on tapping the YubiRadius virtual
appliance into FreeIPA.

Target audience level : Beginner

Link to page is :
http://freeipa.org/page/YubiRadius_integration_with_group-validated_FreeIPA_Users_using_LDAPS


Have a great weekend all.

Dale




Re: [Freeipa-users] strange gss failures in RHEL 6.3

2012-06-28 Thread Dale Macartney



On 28/06/12 06:52, Sumit Bose wrote:
> On Wed, Jun 27, 2012 at 10:35:00PM +0100, Dale Macartney wrote:
>>
> Evening all
>
> I have just updated my local RHEL 6 repositories from 6.2 to 6.3 and
> installed a new ipa server in a test network.
>
> I get the following errors now despite having a valid tgt. This worked
> perfectly a few hours ago (before I updated the repos)
>
> [root@ds01 ~]# date
> Wed Jun 27 22:31:01 BST 2012
> [root@ds01 ~]# kinit admin
> Password for ad...@example.com:
> [root@ds01 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting Expires Service principal
> 06/27/12 22:31:06 06/28/12 22:31:04 krbtgt/example@example.com
> [root@ds01 ~]# date
> Wed Jun 27 22:31:10 BST 2012
> [root@ds01 ~]#
> [root@ds01 ~]#
> [root@ds01 ~]# ipa user-find
> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Ticket not yet valid)
> [root@ds01 ~]#
>
> > Please check if there are some old tickets which might be still used by
> > apache. Run
>
> > find /tmp/systemd-namespace-* -name krb5cc_48
>
> > (assuming your apache user has uid 48), delete the files listed here and
> > try ipa user-find again.
>
> > HTH
>
> > bye,
> > Sumit
>
>
Thanks Sumit,
Despite having this issue for a good while last night. I finished up for
the night and it is no longer present this morning. I'll give your
suggestion a try if the problem comes back.

Dale
>
> Has something changes from 6.2 to 6.3 that would cause this by any chance?
>
> thanks
>
> Dale
>
>
>>
>

Re: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!

2012-06-27 Thread Dale Macartney



On 27/06/12 22:25, Steven Jones wrote:
> Hi,
>
> I have successfully restored IPA servers from an ldif... more times
> than I care to recall in the last 2 months. In fact at one stage I took
> an ldif from the replica and used it to restore the master... so it
> seems pretty robust.

If you're about on irc at all tomorrow I may pick your brains about your
experiences. I kind of ruined my test environment this afternoon. I had
to redeploy about 15 virtualized guests on my tiny microserver at home.
That took quite a while ;-)
>
> In terms of filling with water, depends on how long for but the
> physical parts of the hds ie platters and arms should survive
> that... electronics might as well... in which case swapping one half
> (I assume you have a raid1) to a new box and syncing it might
> work... then drop out the old disk and slot in a new one... same with
> fire / smoke damage. NB One of the recommended ways to put out a fire in
> a server room is water misting using de-mineralised water

I was merely giving a radical scenario in jest. My main purpose is to
produce an IPA 'specific' backup/restore procedure that doesn't rely on
other technologies. Starting with a similar goal to restoring an AD
system state backup for example.

Dale

>
> 1 to 4 looks OK to mesomething I want to fully try.
>
> There are some interesting tech like gluster which give you a
distributed raid1...I'm wondering on using virtualisation and gluster
together...IPA for your scenario would be very small 1 core and
2gb...not much disk use...use kvm and gluster might work well. The
second machine could be a reasonable spec'd desktop...like <$2k should
be good enough
>
> I have a single Esxi machine at home, when I get the chance and buy a
second one then I want to try something along the above lines...the idea
is to avoid having a NAS and that expense...so 2 ESXi boxes running a
gluster node on each and then the rest of the VMware guests inside
gluster's "disk". Another way might be rsyncing the ldif over ssh to a
remote site...maybe even email it to say google...it shouldn't be
very big, ours is 400k at the moment.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ____
> From: freeipa-users-boun...@redhat.com
[freeipa-users-boun...@redhat.com] on behalf of Dale Macartney
[d...@themacartneyclan.com]
> Sent: Wednesday, 27 June 2012 11:27 p.m.
> To: 
> Subject: [Freeipa-users] IPA Backup / Restore - Everyone's favourite
problem child!
>
> Howdy all
>
> We have had quite a lot of discussions on the list about this process but
> I'd like to get some documentation together so we are all speaking the
> same language.
>
> So last night I wrote a script to backup IPA based on the below article.
>
> https://access.redhat.com/knowledge/solutions/67800
>
> This is fine and dandy. I have an easy way where I end up with a config
> tarball, an LDIF export of Dogtag and an LDIF export of LDAP.
>
>
> Now my question is "how on earth am I meant to restore it?
>
>
> My test scenario is as follows. And you'll have to humour me a bit with
> my imagination.
>
> Background: Customer has a very small environment. Single IPA server
> installation on a physical server. Several member servers and clients
> all pointing to that one server for IPA / CA and DNS.
>
> Incident: A very unhappy employee has just been fired for being a
> naughty boy and decided, for revenge to test how water tight the server
> was by filling the chassis with 5 litres of water.
>
> Result: Server is no longer happy either. A new server deployment is
> required to replace old server.
>
> Thoughts for restoration:
>
> My thinking was, to build a replacement server with all dependency
> packages and then:
>
> 1. restore config files in order to start IPA services
> 2. restore LDAP ldif file to ensure LDAP data was correct
> 3. restore Dogtag ldif file to ensure Dogtag data was correct.
> 4. restart IPA services to bring things back online smoothly.
>
> Of course Steps 2-4 didn't happen as they DEFINITELY were not happy to
> co-operate.
>
> I'm trying to get to a stage, where we have a method or procedure for
> simple restoration. Once we have the ability to restore everything, then
> we can move beyond that, and restore individual components. E.g OU /
> User / Group Data.
>
> Any takers for this one? Will be on IRC today if anyone fancies having a
> bun fight for bouncing ideas.
>
> Dale
>
>
>
>

[Freeipa-users] strange gss failures in RHEL 6.3

2012-06-27 Thread Dale Macartney


Evening all

I have just updated my local RHEL 6 repositories from 6.2 to 6.3 and
installed a new ipa server in a test network.

I get the following errors now despite having a valid tgt. This worked
perfectly a few hours ago (before I updated the repos)

[root@ds01 ~]# date
Wed Jun 27 22:31:01 BST 2012
[root@ds01 ~]# kinit admin
Password for ad...@example.com:
[root@ds01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
06/27/12 22:31:06  06/28/12 22:31:04  krbtgt/example@example.com
[root@ds01 ~]# date
Wed Jun 27 22:31:10 BST 2012
[root@ds01 ~]#
[root@ds01 ~]#
[root@ds01 ~]# ipa user-find
ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information
(Ticket not yet valid)
[root@ds01 ~]#


Has something changed from 6.2 to 6.3 that would cause this by any chance?

thanks

Dale


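The error text in the message above, "Ticket not yet valid", is the string for the Kerberos error KRB5KRB_AP_ERR_TKT_NYV: whichever process validated the ticket found its start time ahead of that process's own clock by more than the permitted skew (300 seconds by default in MIT krb5). The following is an added example, not code from the post or from FreeIPA: it parses klist output, flags tickets that a given clock reading would reject as not yet valid, and reports the offset between the KDC-issued start time and a local clock reading taken right after kinit. The klist listing is a constructed copy of the one in the post; the realm EXAMPLE.COM is an assumption, since the archive elided it. Note that in the post's own timestamps the start time (22:31:06) falls between the two `date` readings, so the client's clock alone does not show where the skew is; the reading that matters is the clock of the host or daemon that rejected the ticket.

```python
"""Flag Kerberos tickets whose start time lies in the future.

Added example, not from the original post. The klist listing is a
constructed copy of the post's, realm assumed to be EXAMPLE.COM.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: klist output as MIT krb5 on RHEL 6 prints it.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
06/27/12 22:31:06  06/28/12 22:31:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# A ticket line: two MM/DD/YY HH:MM:SS timestamps, then the service principal.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)
KLIST_TIME = "%m/%d/%y %H:%M:%S"
DEFAULT_CLOCKSKEW = timedelta(seconds=300)   # MIT krb5 default clockskew


def _as_time(value):
    """Accept a datetime or a string in klist's MM/DD/YY HH:MM:SS format."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, KLIST_TIME)


def parse_klist(text):
    """Return [(start, expires, service_principal), ...] from klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append((_as_time(m.group(1)), _as_time(m.group(2)), m.group(3)))
    return tickets


def not_yet_valid(tickets, now, clockskew=DEFAULT_CLOCKSKEW):
    """Service principals of tickets that a verifier whose clock reads `now`
    would reject with KRB5KRB_AP_ERR_TKT_NYV (start time too far ahead).

    `now` must be the clock of the process validating the ticket, which is
    not necessarily the clock of the client that ran kinit.
    """
    now = _as_time(now)
    return [svc for start, _, svc in tickets if start - now > clockskew]


def start_offset(tickets, local_now):
    """Seconds between each ticket's KDC-issued start time and a local clock
    reading taken right after kinit. A positive value of several minutes
    means the KDC's clock is ahead of this host; a few seconds is normal."""
    local_now = _as_time(local_now)
    return {svc: (start - local_now).total_seconds() for start, _, svc in tickets}


if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST)
    print(start_offset(tickets, "06/27/12 22:31:10"))
    print(not_yet_valid(tickets, "06/27/12 22:20:00"))
```

Run it against the real thing with `klist | python3 check_klist.py`-style piping after replacing SAMPLE_KLIST with `sys.stdin.read()`, and take the `now` reading on the KDC or on the server whose log shows the rejection, not only on the client.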

[Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!

2012-06-27 Thread Dale Macartney


Howdy all

We have had quite a lot of discussions on the list about this process but
I'd like to get some documentation together so we are all speaking the
same language.

So last night I wrote a script to backup IPA based on the below article.

https://access.redhat.com/knowledge/solutions/67800

This is fine and dandy. I have an easy way where I end up with a config
tarball, an LDIF export of Dogtag and an LDIF export of LDAP.


Now my question is "how on earth am I meant to restore it?


My test scenario is as follows. And you'll have to humour me a bit with
my imagination.

Background: Customer has a very small environment. Single IPA server
installation on a physical server. Several member servers and clients
all pointing to that one server for IPA / CA and DNS.

Incident: A very unhappy employee has just been fired for being a
naughty boy and decided, for revenge to test how water tight the server
was by filling the chassis with 5 litres of water.

Result: Server is no longer happy either. A new server deployment is
required to replace old server.

Thoughts for restoration:

My thinking was, to build a replacement server with all dependency
packages and then:

1. restore config files in order to start IPA services
2. restore LDAP ldif file to ensure LDAP data was correct
3. restore Dogtag ldif file to ensure Dogtag data was correct.
4. restart IPA services to bring things back online smoothly.

Of course Steps 2-4 didn't happen as they DEFINITELY were not happy to
co-operate.

I'm trying to get to a stage, where we have a method or procedure for
simple restoration. Once we have the ability to restore everything, then
we can move beyond that, and restore individual components. E.g OU /
User / Group Data.

Any takers for this one? Will be on IRC today if anyone fancies having a
bun fight for bouncing ideas.

Dale



Re: [Freeipa-users] unable to add service principal from F17

2012-06-26 Thread Dale Macartney



On 25/06/12 22:37, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>>
>>
>> On 25/06/12 19:53, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>>
>>>> Hi all
>>>>
>>>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>>>> working kickstarts for kerberised squid but instead of using RHEL I'm
>>>> setting it up on Fedora 17.
>>>>
>>>> I get the following error on the fedora system which has
>>>> freeipa-admintools installed
>>>>
>>>> [root@proxy02 ~]# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: ad...@example.com
>>>>
>>>> Valid starting Expires Service principal
>>>> 06/25/12 20:34:33 06/26/12 20:34:31 krbtgt/example@example.com
>>>> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
>>>> ipa: ERROR: did not receive Kerberos credentials
>>>> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>>>> ipa: ERROR: did not receive Kerberos credentials
>>>> [root@proxy02 ~]#
>>>>
>>>>
>>>>
>>>> Nothing appears in the logs apart from
>>>>
>>>> ==> /var/log/messages<==
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1428
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1013
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1230
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>
>>>>
>>>> Any ideas?
>>>>
>>>> This doesn't block me from what I am trying to achieve as I can add the
>>>> service principal from the IPA server. Just thought I might ask the
>>>> question.
>>>
>>> What version of client and server?
>>>
>>> rob
>>
>> Server details
>>
>> [root@ds01 ~]# yum info ipa-server
>> Loaded plugins: product-id, security, subscription-manager
>> Updating certificate-based repositories.
>> Installed Packages
>> Name : ipa-server
>> Arch : x86_64
>> Version : 2.1.3
>> Release : 9.el6
>> Size : 3.2 M
>> Repo : installed
>> - From repo : Red Hat Enterprise Linux
>> Summary : The IPA authentication server
>> URL : http://www.freeipa.org/
>> License : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed
>> Identity (machine,
>> : user, virtual machines, groups, authentication
>> credentials), Policy
>> : (configuration settings, access control information) and
>> Audit (events,
>> : logs, analysis thereof). If you are installing an IPA
>> server you need
>> : to install this package (in other words, most people
>> should NOT install
>> : this package).
>>
>>
>> Client details
>>
>> [root@proxy02 ~]# yum info freeipa-client
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> Name : freeipa-client
>> Arch : x86_64
>> Version : 2.2.0
>> Release : 1.fc17
>> Size : 239 k
>> Repo : installed
>> - From repo : fedora
>> Summary : IPA authentication for use on clients
>> URL : http://www.freeipa.org/
>> Licence : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed
>> Identity (machine,
>> : user, virtual machines, groups, authentication
>> credentials), Policy
>> : (configuration settings, access control information) and
>> Audit (events,
>> : logs, analysis thereof). If your network uses IPA for
>> authentication,
>> : this package should be installed on every client machine.
>>
>> [root@proxy02 ~]# yum info freeipa-admintools
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> Name : freeipa-admintools
>> Arch : x86_64
>> Version : 2.2.0
>> Release : 1.fc17
>> Size : 43 k
>> Repo : installed
>> - From repo : fedora
>> Summary : IPA administrative tools
>> URL : http://www.freeipa.org/
>> Licence : GPLv3+
>> Descr

Re: [Freeipa-users] unable to add service principal from F17

2012-06-25 Thread Dale Macartney



On 25/06/12 19:53, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>>
>> Hi all
>>
>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>> working kickstarts for kerberised squid but instead of using RHEL I'm
>> setting it up on Fedora 17.
>>
>> I get the following error on the fedora system which has
>> freeipa-admintools installed
>>
>> [root@proxy02 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@example.com
>>
>> Valid starting Expires Service principal
>> 06/25/12 20:34:33 06/26/12 20:34:31 krbtgt/example@example.com
>> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
>> ipa: ERROR: did not receive Kerberos credentials
>> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>> ipa: ERROR: did not receive Kerberos credentials
>> [root@proxy02 ~]#
>>
>>
>>
>> Nothing appears in the logs apart from
>>
>> ==> /var/log/messages<==
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1428
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1013
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1230
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>
>>
>> Any ideas?
>>
>> This doesn't block me from what I am trying to achieve as I can add the
>> service principal from the IPA server. Just thought I might ask the
>> question.
>
> What version of client and server?
>
> rob

Server details

[root@ds01 ~]# yum info ipa-server
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Installed Packages
Name: ipa-server
Arch: x86_64
Version : 2.1.3
Release : 9.el6
Size: 3.2 M
Repo: installed
- From repo   : Red Hat Enterprise Linux
Summary : The IPA authentication server
URL : http://www.freeipa.org/
License : GPLv3+
Description : IPA is an integrated solution to provide centrally managed
Identity (machine,
: user, virtual machines, groups, authentication
credentials), Policy
: (configuration settings, access control information) and
Audit (events,
: logs, analysis thereof). If you are installing an IPA
server you need
: to install this package (in other words, most people
should NOT install
: this package).


Client details

[root@proxy02 ~]# yum info freeipa-client
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name: freeipa-client
Arch: x86_64
Version : 2.2.0
Release : 1.fc17
Size: 239 k
Repo: installed
- From repo   : fedora
Summary : IPA authentication for use on clients
URL : http://www.freeipa.org/
Licence : GPLv3+
Description : IPA is an integrated solution to provide centrally managed
Identity (machine,
: user, virtual machines, groups, authentication
credentials), Policy
: (configuration settings, access control information) and
Audit (events,
: logs, analysis thereof). If your network uses IPA for
authentication,
: this package should be installed on every client machine.

[root@proxy02 ~]# yum info freeipa-admintools
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name: freeipa-admintools
Arch: x86_64
Version : 2.2.0
Release : 1.fc17
Size: 43 k
Repo: installed
- From repo   : fedora
Summary : IPA administrative tools
URL : http://www.freeipa.org/
Licence : GPLv3+
Description : IPA is an integrated solution to provide centrally managed
Identity (machine,
: user, virtual machines, groups, authentication
credentials), Policy
: (configuration settings, access control information) and
Audit (events,
: logs, analysis thereof). This package provides
command-line tools for
: IPA administrators.

[root@proxy02 ~]#


[Freeipa-users] unable to add service principal from F17

2012-06-25 Thread Dale Macartney


Hi all

I have a RHEL 6.2 ipa domain and I am running through one of my known
working kickstarts for kerberised squid but instead of using RHEL I'm
setting it up on Fedora 17.

I get the following error on the fedora system which has
freeipa-admintools installed

[root@proxy02 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/example@example.com
[root@proxy02 ~]# ipa service-add HTTP/$(hostname)
ipa: ERROR: did not receive Kerberos credentials
[root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
ipa: ERROR: did not receive Kerberos credentials
[root@proxy02 ~]#



Nothing appears in the logs apart from

==> /var/log/messages <==
Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
Jun 25 20:35:34 proxy02 pcscd[25567]: 1428
winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
Jun 25 20:35:34 proxy02 pcscd[25567]: 1013
winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
Jun 25 20:35:34 proxy02 pcscd[25567]: 1230
winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found


Any ideas?

This doesn't block me from what I am trying to achieve as I can add the
service principal from the IPA server. Just thought I might ask the
question.

Dale


Re: [Freeipa-users] eJabberd authentication with FreeIPA via LDAP with Group member validation

2012-06-14 Thread Dale Macartney



On 14/06/12 18:24, Natxo Asenjo wrote:
> On Thu, Jun 14, 2012 at 12:54 PM, Dale Macartney mailto:d...@themacartneyclan.com>> wrote:
>
>
>
> I've just placed another wiki article for adding Jabber services to IPA.
> This is a work in progress as I'm aiming for SSO ability, but thought
> someone might find it useful in the interim.
>
> The link is as follows
>
>
http://freeipa.org/page/EJabberd_Integration_with_FreeIPA_using_LDAP_Group_memberships
>
>
> hi,
>
> thanks! It looks good.
>
> I am thinking of trying to implement a jabber openfire server, it
supports gssapi apparently. I'll post the howto if I get it working :-).
>
> NIce to see a growing community.
>
> --
> natxo

Give me a buzz if you'd like to bounce any ideas around with your
implementation. I'm quite interested to see other use cases and
variations of deployments. The more technologies we can cover, I think
the better user adoption will be.

Dale

>
>



[Freeipa-users] eJabberd authentication with FreeIPA via LDAP with Group member validation

2012-06-14 Thread Dale Macartney


Morning all

I have to say I am a little disappointed with myself to be honest as I
thought I published this a while ago.

I've just placed another wiki article for adding Jabber services to IPA.
This is a work in progress as I'm aiming for SSO ability, but thought
someone might find it useful in the interim.

The link is as follows

http://freeipa.org/page/EJabberd_Integration_with_FreeIPA_using_LDAP_Group_memberships

Would love some feedback from other ejabberd users as I am not happy,
personally, recommending people to use unencrypted LDAP queries for
authentication purposes. I would appreciate some assistance from others
on this if possible. I wasn't able to get LDAP with TLS or SSL working
in the end.

Best regards
Dale



[Freeipa-users] IPA managed DNS stub-zones

2012-06-09 Thread Dale Macartney


Evening all

I am trying to set up a stub zone from my IPA domain (example.com) to my
Windows domain (nt.example.com).

Network details as follows

example.com
managed by IPA server ds01.example.com 10.0.1.11

nt.example.com
managed by Win server dc01.nt.example.com 10.0.2.11

I have tried adding the stub zone on the IPA server from the cli and now
also from the web UI but results are both the same.

When adding the stub zone, IPA seems to think of it as managing the
entire zone and not pointing it to the remote DNS server. It basically
adds itself as the SOA.



see below output from dig. Queries have been run against ds01.example.com

[root@ds01 ~]# dig -t soa example.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> -t soa example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2632
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.                   IN      SOA

;; ANSWER SECTION:
example.com.            86400   IN      SOA     ds01.example.com.
root.ds01.example.com. 2037 3600 900 1209 3600

;; AUTHORITY SECTION:
example.com.            86400   IN      NS      ds01.example.com.

;; ADDITIONAL SECTION:
ds01.example.com.       86400   IN      A       10.0.1.11

;; Query time: 0 msec
;; SERVER: 10.0.1.11#53(10.0.1.11)
;; WHEN: Sat Jun  9 22:13:51 2012
;; MSG SIZE  rcvd: 105

[root@ds01 ~]# dig -t soa nt.example.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> -t soa nt.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37259
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nt.example.com.                IN      SOA

;; ANSWER SECTION:
nt.example.com.         86400   IN      SOA     ds01.example.com.
root.nt.example.com. 2012090601 3600 900 1209600 3600

;; AUTHORITY SECTION:
nt.example.com.         86400   IN      NS      dc01.nt.example.com.

;; Query time: 2 msec
;; SERVER: 10.0.1.11#53(10.0.1.11)
;; WHEN: Sat Jun  9 22:14:02 2012
;; MSG SIZE  rcvd: 97

[root@ds01 ~]#


from the cli and webUI there is no way of adding an alternative SOA
record. I would prefer to keep all DNS attributes inside of LDAP,
otherwise there isn't much purpose in running both ldap integrated DNS as
well as standard bind servers. These should ideally be working together.

Does anyone have any recommendations for setting an alternative SOA
record for a stub zone in IPA? Has anyone encountered this before?

Many thanks

Dale





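The dig output in the message above shows the symptom concretely: the answer for nt.example.com carries the `aa` flag and an SOA whose MNAME (the primary named in the SOA) is ds01.example.com, while the only NS record for the zone is dc01.nt.example.com. A server that merely held a stub of the zone would not name itself as the primary. The following is an added example, not code from the post or from FreeIPA, that automates that check: it parses dig output, pulls out the header flags, the SOA MNAME and the NS set, and reports when an authoritative answer names a primary that is not one of the zone's name servers. The sample is a constructed copy of the post's second dig run with dig's tab separators restored.

```python
"""Check whether a DNS server answers for a zone as its own primary.

Added example, not from the original post. SAMPLE_DIG is a constructed
copy of the post's `dig -t soa nt.example.com` output against ds01.
"""
import re

SAMPLE_DIG = """\
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> -t soa nt.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37259
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nt.example.com.\t\t\tIN\tSOA

;; ANSWER SECTION:
nt.example.com.\t\t86400\tIN\tSOA\tds01.example.com. root.nt.example.com. 2012090601 3600 900 1209600 3600

;; AUTHORITY SECTION:
nt.example.com.\t\t86400\tIN\tNS\tdc01.nt.example.com.

;; Query time: 2 msec
;; SERVER: 10.0.1.11#53(10.0.1.11)
"""

SECTION_RE = re.compile(r"^;; ([A-Z]+) SECTION:$")


def parse_dig(text):
    """Return (flags, sections). `sections` maps e.g. 'ANSWER' to a list of
    {'name', 'ttl', 'class', 'type', 'rdata'} records."""
    flags, sections, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(";; flags:"):
            # ";; flags: qr aa rd ra; QUERY: 1, ..." -> {"qr", "aa", "rd", "ra"}
            flags = set(line[len(";; flags:"):].split(";", 1)[0].split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[1].isdigit():
            sections[current].append({
                "name": fields[0], "ttl": int(fields[1]), "class": fields[2],
                "type": fields[3], "rdata": fields[4:],
            })
        elif sections[current]:
            # dig wraps long rdata (SOA) onto following lines
            sections[current][-1]["rdata"].extend(fields)
    return flags, sections


def check_stub_zone(text, zone):
    """Summarise who the answering server claims is primary for `zone`."""
    flags, sections = parse_dig(text)
    answers = sections.get("ANSWER", [])
    soa = [r for r in answers if r["type"] == "SOA" and r["name"] == zone]
    ns = sorted(r["rdata"][0]
                for r in answers + sections.get("AUTHORITY", [])
                if r["type"] == "NS" and r["name"] == zone)
    mname = soa[0]["rdata"][0] if soa else None
    return {
        "aa": "aa" in flags,
        "soa_mname": mname,
        "ns": ns,
        "mname_in_ns": mname is not None and mname in ns,
    }


def findings(result, zone):
    """Problems worth acting on: an authoritative answer whose SOA primary is
    not one of the zone's name servers means this server is serving the zone
    itself instead of referring to the delegated servers."""
    out = []
    if result["soa_mname"] is None:
        out.append(f"no SOA for {zone} in the answer section")
        return out
    if result["aa"] and not result["mname_in_ns"]:
        out.append(f"{zone} answered authoritatively with primary {result['soa_mname']}, "
                   f"but the NS set is {', '.join(result['ns']) or 'empty'}")
    return out


if __name__ == "__main__":
    r = check_stub_zone(SAMPLE_DIG, "nt.example.com.")
    for f in findings(r, "nt.example.com."):
        print(f)
```

For a live check, replace SAMPLE_DIG with the output of `dig @10.0.1.11 -t soa nt.example.com` and compare against the same query sent to dc01 directly; a correct delegation gives the same MNAME from both.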

Re: [Freeipa-users] token/swipe pass deployments with IPA

2012-06-06 Thread Dale Macartney




On 05/06/12 23:50, Dmitri Pal wrote:
> On 06/01/2012 03:14 AM, Dale Macartney wrote:
> >
>>
>> On 31/05/12 23:54, Dmitri Pal wrote:
>> > On 05/31/2012 03:03 PM, Dale Macartney wrote:
>> >>
>> >> Evening all
>> >>
>> >> http://www.youtube.com/watch?v=uvfkj8V6ylM
>> >>
>> >> This video was floating around Google plus a few days ago which is
>> >> brilliant to show off RHEV's VDI technologies. I was wondering if anyone
>> >> has a similar business case of vdi deployments with swipe passes or
>> >> token, but using IPA as the backing authentication store?
>> >
>> > I am not quite sure what is used as an authentication source in this case.
>> > I can ask.
>>
>> I was just thinking as I seem to be doing a lot lately, "can it be done
>> with ipa?"
>>
>> is token support on the road map? If some are not already supported.
>>
>
> Define token?
> You mean smart cards or 2FA using tokens like SecurID?
> All on the roadmap.
>
I was thinking anything along the lines of a physical medium which an
end user can use to authenticate themselves with. This can be single
auth or 2FA. I was thinking things like SecurID, smartcards, yubikeys,
RSA keyfobs, Citrix CAG tokens etc.

If it's on the road map that's fine. I'll keep an eager eye open for the
integration in the future ;-)

>> >>
>> >> Has anyone done something similar themselves?
>> >>
>> >> Dale
>> >>
>> > --
>> > Thank you,
>> > Dmitri Pal
>> >
>> > Sr. Engineering Manager IPA project,
>> > Red Hat Inc.
>> >
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>

Re: [Freeipa-users] mail entries not populated for users

2012-06-05 Thread Dale Macartney




On 05/06/12 14:21, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>>
>>
>>
>> On 05/06/12 14:09, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>>
>>>> Hi all
>>>>
>>>> I may be overlooking something here, but from what I can gather, the
>>>> value in the ipa config of "Default e-mail domain for new users" should
>>>> automatically create the mail attribute for said user upon creation?
>>>>
>>>> Do I need to do an additional step or something to activate the mail
>>>> attribute or is it missing?
>>>>
>>>> Any pointers on what I'm missing to mail-enable a user in ldap?
>>>>
>>>>
>>>> Running RHEL 6.2 x86_64 with ipa-server 2.1.3-9.el6
>>>>
>>>> Output from ipa server as follows
>>>>
>>>> [root@ds01 ~]# ipa config-show
>>>> Max. username length: 32
>>>> Home directory base: /home
>>>> Default shell: /bin/bash
>>>> Default users group: ipausers
>>>> Default e-mail domain for new users: example.com
>>>> Search time limit: 2
>>>> Search size limit: 100
>>>> User search fields: uid,givenname,sn,telephonenumber,ou,title
>>>> Group search fields: cn,description
>>>> Enable migration mode: FALSE
>>>> Certificate Subject base: O=EXAMPLE.COM
>>>> Password Expiration Notification (days): 4
>>>> [root@ds01 ~]#
>>>>
>>>>
>>>>
>>>> [root@ds01 ~]# ldapsearch -x -b dc=example,dc=com -P 3 -b
>>>> "uid=testuser,cn=users,cn=accounts,dc=example,dc=com"
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope
>>>> subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # testuser, users, accounts, example.com
>>>> dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
>>>> displayName: testuser 1
>>>> cn: testuser 1
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalperson
>>>> objectClass: inetorgperson
>>>> objectClass: inetuser
>>>> objectClass: posixaccount
>>>> objectClass: krbprincipalaux
>>>> objectClass: krbticketpolicyaux
>>>> objectClass: ipaobject
>>>> objectClass: mepOriginEntry
>>>> loginShell: /bin/bash
>>>> sn: 1
>>>> gecos: testuser 1
>>>> homeDirectory: /home/testuser
>>>> krbPwdPolicyReference:
>>>> cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,
>>>> dc=com
>>>> krbPrincipalName: testu...@example.com
>>>> givenName: testuser
>>>> uid: testuser
>>>> initials: t1
>>>> uidNumber: 166864
>>>> gidNumber: 166864
>>>> ipaUniqueID: 0d620620-acfd-11e1-943c-52540025e829
>>>> mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
>>>> krbPasswordExpiration: 20120831215158Z
>>>> krbLastPwdChange: 20120602215158Z
>>>> krbExtraData:: AAL+ispPdGVzdHVzZXJARVhBTVBMRS5DT00A
>>>> krbExtraData:: AAgBAA==
>>>> krbLastSuccessfulAuth: 20120602215703Z
>>>> krbLoginFailedCount: 0
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>> [root@ds01 ~]#
>>>
>>> It looks like it isn't creating the mail attribute by default. I opened
>> ticket https://fedorahosted.org/freeipa/ticket/2810
>>>
>>> rob
>>
>> Thanks for pointing out it wasn't me doing something silly ;-)
>>
>> On thinking deeper onto the issue, perhaps it is beneficial not to have
>> it done by default? e.g if I have a mail server accepting mail for ldap
>> lookups for mail entries, this would mean EVERYONE has a mailbox whereas
>> that might not be beneficial in many situations..
>>
>> In the AD side of things, a user has to be mail enabled, in order to
>> become valid for mail purposes.
>>
>> In this situation, I can manually add the mail address with "ipa
>&g

Re: [Freeipa-users] mail entries not populated for users

2012-06-05 Thread Dale Macartney




On 05/06/12 14:09, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>>
>> Hi all
>>
>> I may be overlooking something here, but from what I can gather, the
>> value in the ipa config of "Default e-mail domain for new users" should
>> automatically create the mail attribute for said user upon creation?
>>
>> Do I need to do an additional step or something to activate the mail
>> attribute or is it missing?
>>
>> Any pointers on what I'm missing to mail-enable a user in ldap?
>>
>>
>> Running RHEL 6.2 x86_64 with ipa-server 2.1.3-9.el6
>>
>> Output from ipa server as follows
>>
>> [root@ds01 ~]# ipa config-show
>> Max. username length: 32
>> Home directory base: /home
>> Default shell: /bin/bash
>> Default users group: ipausers
>> Default e-mail domain for new users: example.com
>> Search time limit: 2
>> Search size limit: 100
>> User search fields: uid,givenname,sn,telephonenumber,ou,title
>> Group search fields: cn,description
>> Enable migration mode: FALSE
>> Certificate Subject base: O=EXAMPLE.COM
>> Password Expiration Notification (days): 4
>> [root@ds01 ~]#
>>
>>
>>
>> [root@ds01 ~]# ldapsearch -x -b dc=example,dc=com -P 3 -b
>> "uid=testuser,cn=users,cn=accounts,dc=example,dc=com"
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope
>> subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # testuser, users, accounts, example.com
>> dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
>> displayName: testuser 1
>> cn: testuser 1
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: mepOriginEntry
>> loginShell: /bin/bash
>> sn: 1
>> gecos: testuser 1
>> homeDirectory: /home/testuser
>> krbPwdPolicyReference:
>> cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,
>> dc=com
>> krbPrincipalName: testu...@example.com
>> givenName: testuser
>> uid: testuser
>> initials: t1
>> uidNumber: 166864
>> gidNumber: 166864
>> ipaUniqueID: 0d620620-acfd-11e1-943c-52540025e829
>> mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
>> krbPasswordExpiration: 20120831215158Z
>> krbLastPwdChange: 20120602215158Z
>> krbExtraData:: AAL+ispPdGVzdHVzZXJARVhBTVBMRS5DT00A
>> krbExtraData:: AAgBAA==
>> krbLastSuccessfulAuth: 20120602215703Z
>> krbLoginFailedCount: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root@ds01 ~]#
>
> It looks like it isn't creating the mail attribute by default. I opened
> ticket https://fedorahosted.org/freeipa/ticket/2810
>
> rob

Thanks for pointing out it wasn't me doing something silly ;-)

On thinking deeper about the issue, perhaps it is beneficial not to have
it done by default? E.g. if I have a mail server accepting mail for LDAP
lookups for mail entries, this would mean EVERYONE has a mailbox, whereas
that might not be beneficial in many situations.

On the AD side of things, a user has to be mail-enabled in order to
become valid for mail purposes.

In this situation, I can manually add the mail address with "ipa
user-mod --email=testu...@example.com" which does what I was needing.

There are a few reasons for and against having default email access for new
users...

I'm just bouncing some ideas out loud at the moment. Thoughts?

Dale

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] mail entries not populated for users

2012-06-05 Thread Dale Macartney

Hi all

I may be overlooking something here, but from what I can gather, the
value in the ipa config of "Default e-mail domain for new users" should
automatically create the mail attribute for said user upon creation?

Do I need to do an additional step or something to activate the mail
attribute or is it missing?

Any pointers on what I'm missing to mail-enable a user in ldap?


Running RHEL 6.2 x86_64 with ipa-server 2.1.3-9.el6

Output from ipa server as follows

[root@ds01 ~]# ipa config-show
  Max. username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain for new users: example.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=EXAMPLE.COM
  Password Expiration Notification (days): 4
[root@ds01 ~]#



[root@ds01 ~]# ldapsearch -x -b dc=example,dc=com -P 3 -b
"uid=testuser,cn=users,cn=accounts,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base  with scope
subtree
# filter: (objectclass=*)
# requesting: ALL
#

# testuser, users, accounts, example.com
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
displayName: testuser 1
cn: testuser 1
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: mepOriginEntry
loginShell: /bin/bash
sn: 1
gecos: testuser 1
homeDirectory: /home/testuser
krbPwdPolicyReference:
cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,
 dc=com
krbPrincipalName: testu...@example.com
givenName: testuser
uid: testuser
initials: t1
uidNumber: 166864
gidNumber: 166864
ipaUniqueID: 0d620620-acfd-11e1-943c-52540025e829
mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120831215158Z
krbLastPwdChange: 20120602215158Z
krbExtraData:: AAL+ispPdGVzdHVzZXJARVhBTVBMRS5DT00A
krbExtraData:: AAgBAA==
krbLastSuccessfulAuth: 20120602215703Z
krbLoginFailedCount: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ds01 ~]#


Thanks all


Dale




Re: [Freeipa-users] SSH Keys?

2012-06-04 Thread Dale Macartney


On 04/06/12 18:28, Kline, Sara wrote:
>
> Some of my users have expressed concerns about moving to FreeIPA
> because they prefer to use SSH. The main reason behind that is because
> they can use agent forwarding and only have to sign on once. I did find
> information on forwardable Kerberos tickets, kinit -f. Has anyone used
> this in place of SSH keys, or do you have other suggestions? There are a
> few service accounts scripted to work with SSH keys so we may have to
> leave a few local accounts on the servers. I don't particularly like
> that idea.
>
Hi Sara

The big difference here is your users will see this as you taking
something away from them. Yes, Kerberos tickets will work perfectly in
this situation; I do this myself. The issue you need to be aware of is
that they will expire, as they should. An SSH key is nothing more than
bypassing an authentication process.

I would recommend using centralized service accounts in place of more
local accounts, as this way you will always be able to manage them in
the future.

Does this help?

>
>
> Sara Kline
>
> System Administrator
>
> Transaction Network Services, Inc
>
> 4501 Intelco Loop, Lacey WA 98503
>
> Wk: (360) 493-6736
>
> Cell: (360) 280-2495

[Freeipa-users] HOWTO: Zimbra Authentication and GAL lookups with FreeIPA backend

2012-06-02 Thread Dale Macartney

Morning all

Just a quick mail to let everyone know that I have placed a new wiki
page for integrating Zimbra authentication and GAL lookups into IPA.

Link is here
http://freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA

This was my first time using Zimbra to be honest, so this is a
straightforward "get it working" integration document. I'll work on getting SSO
working in the future when I have a greater understanding of the product.

If anyone has access to a dev/test lab or has any experience with Zimbra
who wouldn't mind giving the steps a go, I would love to get some
feedback or comments.

I have screenshots to go with the document as well, however they aren't
uploading correctly at present. I will upload them when I can.

Let me know what you think.

Hoo roo for now.

Dale



Re: [Freeipa-users] IPA Service accounts (Bind accounts)

2012-06-02 Thread Dale Macartney


On 02/06/12 20:31, Alexander Bokovoy wrote:
> On Sat, 02 Jun 2012, Dale Macartney wrote:
>>
>> Evening all
>>
>> What's the recommended method for using service accounts with IPA?
>>
>> For example, using a piece of software that needs to bind to LDAP (e.g.
>> Zimbra, Moodle, Joomla, etc.), having a password expiry on that specific
>> bind user would result in the application constantly needing the
>> password changed.
>>
>> I can see that you can modify the default password policy (I personally
>> don't want to change this as this works for my requirements), and also
>> have the ability to create additional pw policies if needed.
>>
>> What's the best method to create a user, but have the password for
>> the new user never expire? Am I thinking along the right lines of
>> using a different pw policy for the service accounts?
> A recommended way is to use system accounts. See, for example, how it is
> set up for sudo (section 13.4.1):
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
> We have this particular case covered with following sudobind.ldif file
> (available in /usr/share/ipa/sudobind.ldif at IPA server):
> ---
> #SUDO bind user
> dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: sudo
> userPassword: $RANDOM_PASSWORD
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
> ---
>
> As you can see, it has SimpleSecurityObject and Account object classes, and
> password is set to expire at the end of Unix time. You'd need to add
> also appropriate ACIs to limit what such account could perform against
> IPA's LDAP store.
>
> We use this method for passync (AD replication), sudo integration,
> and will use it also for cross-realm trusts with AD in FreeIPAv3,
> albeit a bit differently (by making a container in sysaccounts to
> include all 'AD agents' from IPA servers exposed via CIFS and limiting
> what they can do).
>
> A downside is that you don't see these system accounts through IPA UI/CLI,
> they are only managed manually.
>
Thanks very much Alexander, this worked brilliantly.

Dale


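The pattern Alexander describes, applied to the Zimbra bind user from the question, as an added example that is not from this thread or the IPA project: the sysaccount entry with the end-of-Unix-time expiry from sudobind.ldif, followed by a 389-ds ACI that limits what that DN may read. The suffix dc=example,dc=com, the uid zimbra, the attribute list and the password placeholder are assumptions.

```ldif
# Added example, not from the thread or the IPA project.
# Assumed suffix: dc=example,dc=com. Replace the password placeholder with a
# generated value (for instance from: openssl rand -base64 32) before loading.

# 1. The bind account, modelled on sudobind.ldif. It lives under
#    cn=sysaccounts,cn=etc, so it is not a POSIX user and is not shown by the
#    IPA UI/CLI, and its password is given the end-of-Unix-time expiry.
dn: uid=zimbra,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: zimbra
userPassword: REPLACE_WITH_RANDOM_PASSWORD
# 2038-01-19 03:14:07 UTC: effectively "never expires"
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

# 2. The "appropriate ACI" step: grant this DN read, search and compare on
#    the attributes a GAL lookup needs, on the users container only (assumed
#    location). 389-ds denies whatever no ACI grants, so the account cannot
#    write, and cannot read anything these (or IPA's own) ACIs do not cover.
#    A continuation line starts with one space, which is stripped on join;
#    two leading spaces keep one space in the value.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "uid || cn || givenName || sn || mail || displayName")
 (version 3.0; acl "Zimbra GAL read-only"; allow (read, search, compare)
  userdn = "ldap:///uid=zimbra,cn=sysaccounts,cn=etc,dc=example,dc=com";)
```

Load it as Directory Manager with `ldapmodify -x -D "cn=Directory Manager" -W -f zimbra-bind.ldif`; this ACI grants read, search and compare only, so any further rights would have to come from other ACIs on the tree.
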
[Freeipa-users] IPA Service accounts (Bind accounts)

2012-06-02 Thread Dale Macartney

Evening all

What's the recommended method for using service accounts with IPA?

For example, using a piece of software that needs to bind to LDAP (e.g.
Zimbra, Moodle, Joomla, etc.), having a password expiry on that specific
bind user would result in the application constantly needing the
password changed.

I can see that you can modify the default password policy (I personally
don't want to change this as this works for my requirements), and also
have the ability to create additional pw policies if needed.

What's the best method to create a user, but have the password for
the new user never expire? Am I thinking along the right lines of
using a different pw policy for the service accounts?

Thanks all

Dale


Re: [Freeipa-users] token/swipe pass deployments with IPA

2012-06-01 Thread Dale Macartney


On 31/05/12 23:54, Dmitri Pal wrote:
> On 05/31/2012 03:03 PM, Dale Macartney wrote:
> >
>> Evening all
>>
>> http://www.youtube.com/watch?v=uvfkj8V6ylM
>>
>> This video was floating around Google plus a few days ago which is
>> brilliant to show off RHEV's VDI technologies. I was wondering if anyone
>> has some a similar business case of vdi deployments with swipe passes or
>> token, but using IPA as the backing authentication store?
>
> I am not quite sure what is used as an authentication source in this case.
> I can ask.
>
I was just thinking, as I seem to be doing a lot lately, "can it be done
with ipa?"

Is token support on the roadmap, if some are not already supported?

>>
>> Has anyone done something similar themselves?
>>
>> Dale
>>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

[Freeipa-users] token/swipe pass deployments with IPA

2012-05-31 Thread Dale Macartney

Evening all

http://www.youtube.com/watch?v=uvfkj8V6ylM

This video was floating around Google Plus a few days ago, which is
brilliant for showing off RHEV's VDI technologies. I was wondering if anyone
has a similar business case of VDI deployments with swipe passes or
tokens, but using IPA as the backing authentication store?

Has anyone done something similar themselves?

Dale


Re: [Freeipa-users] RHEL + IPA + Zimbra = ?

2012-05-31 Thread Dale Macartney


On 31/05/12 15:10, Simo Sorce wrote:
> On Thu, 2012-05-31 at 07:55 +0100, Dale Macartney wrote:
>>
>> On 31/05/12 00:13, Dmitri Pal wrote:
>>> On 05/30/2012 06:12 PM, Dale Macartney wrote:
>>>>
>>>> Evening all
>>>>
>>>> Has anyone dabbled with Zimbra integration with IPA as yet? I just
>> had a
>>>> brief brainstorm moment of thinking "Now that would be useful".
>>>>
>>>> I'm curious to see if anyone else has tried it? Otherwise I'll give
>> a go
>>>> and see what docs I can produce from my endeavours. Pointers,
>> requests
>>>> and opinions welcomed.
>>>>
>>>> Night all
>>>>
>>>> Dale
>>>>
>>>
>>> Are you talking about SSO or just using IPA as a back end identity
>> store.
>>> I do not think it was tried but I do not see a lot of issues.
>>> If there are I would like to see tickets.
>>> As for kerberos SSO it might be quite a different situation which
>> needs to be investigated.
>>>
>> I was thinking as a solution in general to be honest. I'll fire it up
>> with IPA as a backend store initially just to see it working. The
>> endgame goal though would be SSO. Like all my projects SSO is what I
>> am aiming for, but in some cases it's not possible.
>>
>> I've requested an eval key for the enterprise supported release. I'll
>> try to get them involved in the process as well if push comes to
>> shove. They will benefit from this as well in the end.
>>
>> I'll feed back to the list with progress.
>
> As far as I know Zimbra supports retrieving users from LDAP and using
> Kerberos for authentication.
> In the very latest code they also fixed using Negotiate auth to login
> using Kerberos against the Web interface even when their proxy is being
> used, so now all components of Zimbra should be usable with krb auth.
> This means a properly configured Browser/MUA should be able to do full
> SSO auth against Zimbra.
>
> If you can test their latest release and report any gotchas in
> configuration that would be awesome!
>
> Simo.
>
I'm definitely up for it. I had a day off today actually, so most of the
day has been spent on my test lab. Will follow up soon. I haven't used
Zimbra before so I'll do it a few times to get things consistent, then I
might ask for some community QA on my steps to be honest.

I'll keep you all posted. I have received a license key and was playing
earlier today with 7.2 (downloaded last night). Hopefully they don't
change that too frequently.

Dale


Re: [Freeipa-users] RHEL + IPA + Zimbra = ?

2012-05-30 Thread Dale Macartney


On 31/05/12 00:13, Dmitri Pal wrote:
> On 05/30/2012 06:12 PM, Dale Macartney wrote:
> >
>> Evening all
>>
>> Has anyone dabbled with Zimbra integration with IPA as yet? I just had a
>> brief brainstorm moment of thinking "Now that would be useful".
>>
>> I'm curious to see if anyone else has tried it? Otherwise I'll give a go
>> and see what docs I can produce from my endeavours. Pointers, requests
>> and opinions welcomed.
>>
>> Night all
>>
>> Dale
>>
>
> Are you talking about SSO or just using IPA as a back end identity store.
> I do not think it was tried but I do not see a lot of issues.
> If there are I would like to see tickets.
> As for kerberos SSO it might be quite a different situation which needs
> to be investigated.
>
I was thinking as a solution in general to be honest. I'll fire it up
with IPA as a backend store initially just to see it working. The
endgame goal though would be SSO. Like all my projects SSO is what I am
aiming for, but in some cases it's not possible.

I've requested an eval key for the enterprise supported release. I'll
try to get them involved in the process as well if push comes to shove.
They will benefit from this as well in the end.

I'll feed back to the list with progress.

Dale

> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

[Freeipa-users] RHEL + IPA + Zimbra = ?

2012-05-30 Thread Dale Macartney

Evening all

Has anyone dabbled with Zimbra integration with IPA as yet? I just had a
brief brainstorm moment of thinking "Now that would be useful".

I'm curious to see if anyone else has tried it? Otherwise I'll give a go
and see what docs I can produce from my endeavours. Pointers, requests
and opinions welcomed.

Night all

Dale


Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-22 Thread Dale Macartney

cc'ing the group list back in for other opinions.

On 05/22/2012 03:38 PM, Rich Megginson wrote:
> On 05/22/2012 08:36 AM, Dmitri Pal wrote:
>> On 05/22/2012 10:10 AM, Rich Megginson wrote:
>>> On 05/22/2012 04:38 AM, Dmitri Pal wrote:
>>>> On 05/22/2012 04:28 AM, Dale Macartney wrote:
>>>>> Dmitri, Rob
>>>>>
>>>>> I thought I might reply to you both directly, just in case others on
>>>>> the list vent frustrations on the ongoing discussion of this topic.
>>>>>
>>>>> I've been reading through the archives of the list for hot backup
>>>>> solutions, and this email thread really stood out. I am seeing a
>>>>> general consensus of backing up everything, and in some cases, even
>>>>> backing up a virtualized guest disk image to maintain a backup. I
>>>>> personally feel this is the wrong message people should be getting
>>>>> into their heads about a DR solution for restoring IPA.
>>>>>
>>>>> I was wondering, and feel free to correct me here if you see fit, if
>>>>> it would be beneficial to have a similar method of backing up IPA (and
>>>>> replicas), in a similar fashion to how Microsoft recommend their
>>>>> Domain Controllers to be backed up. A "system state backup" of sorts.
>>>>> Where a backup is performed on all Domain Controllers (or in our case,
>>>>> IPA servers). Basically, resulting in an individual restore point for
>>>>> each replica. From here, you have an entire backup, which will only
>>>>> ever be used for that ONE server it was intended for. Essentially a
>>>>> complete dump and load approach.
>>>>>
>>>>> It is best practice in a Windows environment to perform these backups
>>>>> several times a week in small non-changing environments. So my
>>>>> thinking is, if we have a "daily backup" solution which could be used
>>>>> to run on each replica or master, then this should suffice in an
>>>>> adequate procedure to give to customers.
>>>>>
>>>>> In short, I'm more than happy to put my hand up on this one to help
>>>>> free up your time. I can easily take this on with a few of the lads
>>>>> here in the UK and get some customer feed back from mates within my
>>>>> former employment who are quite well versed in the realms of IPA.
>>>>>
>>>>> Would this be of any help to you? Do you see this as the right
>>>>> direction to take on this matter? I'd love to hear your thoughts
>>>>>
>>>>> Rhys, Gav, cc'ing you in on this one. I'd like to throw this onto our
>>>>> running list of IPA integration projects.
>>>>>
>>>>> Regards
>>>>>
>>>>> Dale
>>>> First of all thank you for the offer!
>>>>
>>>> It seems that there are two main use cases:
>>>> 1) Catastrophic failure
>>>> 2) Data deletion
>>>>
>>>> In the case of the catastrophic failure you want to have all
>>>> data+configuration+keys backed up to be able to effectively start over
>>>> and re-install/recover from the backup.
Could we not have the ability to restore only specific data, like most
backup solutions?

For example, having a utility where you can run "ipa backup all" could cover the
data+config+keys; however, depending on a catastrophic failure or data
deletion, maybe have something along the lines of "ipa restore data" if
we simply wanted to restore the data element of the backup.

Thoughts? IMO, I think we should look for a KISS method which is
specific to the application stack at hand.
>>>> In this case IMO having a VM approach like the one JR uses is a viable
>>>> solution. Rob, Simo, Rich do you agree?
>>> We would need to test this to make sure VM snapshots don't cause
>>> problems with replication and/or kerberos since those are sensitive to
>>> time. All of the testing we have ever done for RHDS/389 for
>>> backup/restore is based on simple database binary and ldif backups.
>>> We've never had to take into account restoring to a filesystem time in
>>> the past or a VM state that is in the past.
>> Why in the past?
>> If you take snapshots regularly say every other day when you restart a
>> VM it should act as if the connection to it was lost for couple d

[Freeipa-users] Child Domains in IPA?

2012-02-11 Thread Dale Macartney

Evening all

Does IPA currently accommodate for child domains? As in the equivalent
of Active Directory child domains?

I can't seem to find any documentation mentioning this.

Dale





[Freeipa-users] Dovecot SSO Authentication HowTo is now available on Wiki

2012-02-10 Thread Dale Macartney

Hi All

I have added a walkthrough on configuring Dovecot to use IMAPS with SSO
support to the Wiki.

http://freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On

Feedback is more than welcome

Dale


Re: [Freeipa-users] SELinux error during ipa-server-install

2012-02-10 Thread Dale Macartney

Hi Marco

I had a very similar issue trying to do the same thing a while back on
the day RHEL 6.2 went GA.

My situation was:

SELinux enforcing, then run ipa-server-install: it gets halfway
through the process and fails.

Then I tried:

SELinux permissive, and got the exact same issue.

I then completely disabled SELinux in /etc/sysconfig/selinux, rebooted
and ran the setup again, and I was able to install successfully.

In my situation, it was related to the SELinux pki policy. When this was
loaded, it caused the ipa setup to fail. An update was made available
in RHEL which allowed me to move forward with SELinux in enforcing mode.

Have you patched Fedora 16 with the latest updates? My situation was
quite a while ago, so I would imagine that there would be an update
for that issue with Fedora as well, if this is actually the same issue I
encountered.

Do you get the same issue with selinux disabled at all?

Dale



On 02/10/2012 12:30 PM, Marco Pizzoli wrote:
> Hi guys,
> I'm working on Fedora16 and FreeIPA 2.1.4.
> I executed the command ipa-server-install and during the setup, digging
> in the logs, I can find this error, related to SELinux.
> I'm running in Permissive mode, so nothing prevented me from successfully
> completing my setup.
>
> Is this an error in the policy?
>
> Thanks in advance
> Marco
>
> [root@freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
> SELinux is preventing
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from
name_connect access on the None .
>
> * Plugin catchall (100. confidence) suggests
***
>
> If you believe that java should be allowed name_connect access on the
 by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep java /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context system_u:system_r:pki_ca_t:s0
> Target Context system_u:object_r:ephemeral_port_t:s0
> Target Objects [ None ]
> Source java
> Source Path /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
> /bin/java
> Port 59940
> Host freeipa01.unix.mydomain.it 
> Source RPM Packages java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.10.0-75.fc16.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Host Name freeipa01.unix.mydomain.it 
> Platform Linux freeipa01.unix.mydomain.it
 3.2.3-2.fc16.x86_64
> #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
> Alert Count 2
> First Seen Fri 10 Feb 2012 01:16:43 PM CET
> Last Seen Fri 10 Feb 2012 01:17:29 PM CET
> Local ID 885f3218-de29-4254-b095-0439320b3a50
>
> Raw Audit Messages
> type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect }
for pid=2663 comm="java" dest=59940
scontext=system_u:system_r:pki_ca_t:s0
tcontext=system_u:object_r:ephemeral_port_t:s0
tclass=tcp_socketnode=freeipa01.unix.mydomain.it
 type=SYSCALL
msg=audit(1328876249.581:170): arch=c03e syscall=42 success=yes
exit=0 a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1
pid=2663 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993
egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java"
subj=system_u:system_r:pki_ca_t:s0 key=(null)
>
>
> Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect
>
> audit2allow
>
>
> audit2allow -R
>
>
>
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
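The sealert text quoted above suggests `grep java /var/log/audit/audit.log | audit2allow -M mypol`, which turns every audit record that mentions java into allow rules. Before loading such a module it is worth knowing exactly which tuples it would permit. The following is an added example, not something from the thread or from FreeIPA: a POSIX sh/awk filter that reduces raw AVC records to (source type, target type, class, permission) and counts them. The audit records in `SAMPLE_AUDIT` are constructed, modelled on the `pki_ca_t` denial Marco posted; `avc_summary`, `avc_rules` and `count_lines` are names chosen for this example.

```shell
#!/bin/sh
# Added example: triage raw SELinux AVC denials before generating a local policy
# module, so the module covers exactly the denied tuples rather than everything
# that `grep java` happens to match in audit.log.

# Constructed sample, modelled on the denial quoted in the thread; not a capture.
SAMPLE_AUDIT='type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for  pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1328876309.007:171): avc:  denied  { name_connect } for  pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328876322.511:172): avc:  denied  { getattr } for  pid=2701 comm="java" path="/tmp/hsperfdata_pkiuser" dev="dm-0" ino=1234 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir'

# One line per AVC record: source type, target type, class, permission(s), comm.
# Multiple permissions inside { } are joined with commas so the line stays 5 fields.
avc_summary() {
  awk '
    $1 == "type=AVC" {
      perm = $0
      sub(/.*[{] */, "", perm)
      sub(/ *[}].*/, "", perm)
      gsub(/ /, ",", perm)
      split("", kv)                       # clear the key=value map per record
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n > 0) {
          v = substr($i, n + 1)
          gsub(/"/, "", v)                # comm="java" -> java
          kv[substr($i, 1, n - 1)] = v
        }
      }
      split(kv["scontext"], sc, ":")      # user:role:type:level -> take the type
      split(kv["tcontext"], tc, ":")
      printf "%s %s %s %s %s\n", sc[3], tc[3], kv["tclass"], perm, kv["comm"]
    }'
}

# Collapse the summary into the minimal allow rules, most frequent first.
avc_rules() {
  avc_summary \
    | awk '{ p = $4; gsub(/,/, " ", p); printf "allow %s %s:%s { %s };\n", $1, $2, $3, p }' \
    | sort | uniq -c | sort -rn
}

count_lines() { awk 'END { print NR }'; }

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | avc_rules
```

On a real system the same functions read the live log, e.g. `avc_summary < /var/log/audit/audit.log` or `ausearch -m avc --raw | avc_rules`; the counted tuples show what a generated module would grant, so a denial such as `pki_ca_t` connecting to an `ephemeral_port_t` can be weighed on its own before any `semodule -i` is run.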

Re: [Freeipa-users] Jabber services for IPA

2012-02-09 Thread Dale Macartney


Hey Erin

That would be fantastic, thanks very much.

I have to admit, I had a bit of a chuckle re: your comment about Kerberos
acting in the event of no password. I would have *never* thought of that,
haha.

Dale



On 02/09/2012 04:01 PM, Erinn Looney-Triggs wrote:
> On 02/09/2012 06:48 AM, Dale Macartney wrote:
>>
>> Morning all
>>
>> I have a working setup of ejabberd authenticated to pam on an IPA client
>> which works great.. However, unlike my other projects to provide
>> details of integration with IPA, I am struggling with the SSO aspect of
>> it, simply because of a lack of knowledge of jabber packages. (Currently
>> I have used ejabberd and pidgin for testing, and from an end user view
>> point, there doesn't appear to be an option to select kerberos to
>> authenticate with).
>>
>> My goal, like other services is to tap *a* jabber service (can be
>> anything) into ipa for single sign on.
>>
>> What is the general feeling in the community around jabber in the
>> enterprise? (Useful or not? Best practices?)
>> What is your preferred jabber software (server and client would be handy
>> to know for testing) and why?
>> Does it support GSSAPI?
>>
>> Many thanks
>>
>> Dale
>>
>>
>>
>>
>
> Dale,
> I built a setup using openfire (the IM server) that utilized kerberos.
> It is slightly tricky, unfortunately; kerberos has been the realm of
> universities and big business for a long time, so a lot of things are not
> straightforward.
>
> Pidgin does natively support kerberos, so you can use that easily. The
> way to use kerberos in pidgin is simply not to provide it with any
> password info; it will try kerberos in the process. This works both on
> windows (using kfw) and linux systems, probably macs too, but I have
> never tested it on macs.
>
> I will see if I can dig up some notes from configuring openfire.
>
> -Erinn
>

[Freeipa-users] Jabber services for IPA

2012-02-09 Thread Dale Macartney


Morning all

I have a working setup of ejabberd authenticated to PAM on an IPA client,
which works great. However, unlike my other projects to provide
details of integration with IPA, I am struggling with the SSO aspect of
it, simply because of a lack of knowledge of jabber packages. (Currently
I have used ejabberd and pidgin for testing, and from an end user view
point, there doesn't appear to be an option to select kerberos to
authenticate with.)

My goal, as with other services, is to tap *a* jabber service (can be
anything) into IPA for single sign on.

What is the general feeling in the community around jabber in the
enterprise? (Useful or not? Best practices?)
What is your preferred jabber software (server and client would be handy
to know for testing) and why?
Does it support GSSAPI?

Many thanks

Dale

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Dale Macartney


Thanks for the confirmation earlier, Rob; that does make a lot of sense.

Am I right in assuming that running the following would not work with a
host principal? Presumably I'd need admin privileges to create a
service principal for a host.

ipa service-add HTTP/$(hostname)

I will be giving this a go for testing sake tonight.

Dale




On 02/08/2012 04:00 PM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
> Hi JR
>
> I agree with your statement of acceptable risk.. this is my main reason
> for questioning..
>
> The ideal situation would be to run this as a satellite kickstart
> snippet for provisioning with kickstart profiles... That way I can
> utilize the existing provisioning platform for everything.
>
> At the moment everything is in dev using scripted kickstarts for testing.
>
> > A host should be able to get keytabs for its own services so you
should be able to kinit to the host service principal in /etc/keytab and
use ipa-getkeytab.
>
> > rob
>
>
> Dale
>
>
>
> On 02/08/2012 03:33 PM, JR Aquino wrote:
> >>> If you are really trying to go the route of using the password, the
> best way to accomplish that is to procedurally ADD the host ahead of
> time with the --random flag to generate a one-time-pass. Then insert that
> 1 time password dynamically into the kickstart script.
> >>>
> >>> If you want to approach the problem from a technical side and not
> procedural... I don't suppose you have Puppet ?
> >>>
> >>> You can utilize puppet to deploy a 'host provisioning' keytab that you
> then kinit -kt before issuing the other commands that require
> authentication. When it is finished, delete the keytab.
> >>>
> >>> The problem with authentication and complete hands off automation is
> that you always have to whittle it down to an area of acceptable risk
> with lots of compensating controls and logging.
> >>>
> >>>
> >>> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
> >>>
> >>> >
> >>> Hi Simo
> >>>
> >>> ipa-client-install is provided by the ipa-client rpm. Details below
> >>>
> >>> Name : ipa-client
> >>> Arch : x86_64
> >>> Version : 2.1.3
> >>> Release : 9.el6
> >>> Size : 222 k
> >>> Repo : installed
> >>>
> >>>
> >>> What I am trying to achieve is these two commands in a post...
> >>>
> >>> ipa service-add HTTP/$(hostname)
> >>> this definitely requires an authenticated user to add i'm sure
> >>>
> >>>
> >>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
> >>> /etc/squid/krb5.keytab
> >>> this one I suspect might be able to be retrieved using the host/
> >>> principal from the system after running ipa-client-install.
> >>>
> >>>
> >>> Does this help paint a picture?
> >>>
> >>>
> >>> Dale
> >>>
> >>>
> >>> On 02/08/2012 01:49 PM, Simo Sorce wrote:
> >>> >>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
> >>> >>>> -BEGIN PGP SIGNED MESSAGE-
> >>> >>>> Hash: SHA1
> >>> >>>>
> >>> >>>> morning all...
> >>> >>>>
> >>> >>>> i'm dabbling with automated provisioning of ipa client servers,
> and i'm
> >>> >>>> a little perplexed on how to add a keytab to a system during the
> %post
> >>> >>>> section of a kickstart...
> >>> >>>>
> >>> >>>> i've run ipa-client-install -U -p admin -w redhat123 which works
> >>> >>>> perfect, but in order to run ipa-getkeytab i need a tgt, which
> doesn't
> >>> >>>> appear to be generated during the ipa-client-install.
> >>> >>>>
> >>> >>>> any suggestions on doing this during a post?
> >>> >>>
> >>> >>> What version of ipa-client-install are you using ?
> >>> >>>
> >>> >>> Newer versions (2.x) should fetch a keytab for your system (needs
> >>> >>> credentials or OTP password.
> >>> >>>
> >>> >>> Simo.
> >>> >>>
> >>> >
> >>> >

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Dale Macartney


Hi JR

I agree with your statement of acceptable risk.. this is my main reason
for questioning..

The ideal situation would be to run this as a satellite kickstart
snippet for provisioning with kickstart profiles... That way I can
utilize the existing provisioning platform for everything.

At the moment everything is in dev using scripted kickstarts for testing.

Dale



On 02/08/2012 03:33 PM, JR Aquino wrote:
> If you are really trying to go the route of using the password, the
best way to accomplish that is to procedurally ADD the host ahead of
time with the --random flag to generate a one-time-pass. Then insert that
1 time password dynamically into the kickstart script.
>
> If you want to approach the problem from a technical side and not
procedural... I don't suppose you have Puppet ?
>
> You can utilize puppet to deploy a 'host provisioning' keytab that you
then kinit -kt before issuing the other commands that require
authentication. When it is finished, delete the keytab.
>
> The problem with authentication and complete hands off automation is
that you always have to whittle it down to an area of acceptable risk
with lots of compensating controls and logging.
>
>
> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
>
>>
> Hi Simo
>
> ipa-client-install is provided by the ipa-client rpm. Details below
>
> Name : ipa-client
> Arch : x86_64
> Version : 2.1.3
> Release : 9.el6
> Size : 222 k
> Repo : installed
>
>
> What I am trying to achieve is these two commands in a post...
>
> ipa service-add HTTP/$(hostname)
> this definitely requires an authenticated user to add i'm sure
>
>
> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
> /etc/squid/krb5.keytab
> this one I suspect might be able to be retrieved using the host/
> principal from the system after running ipa-client-install.
>
>
> Does this help paint a picture?
>
>
> Dale
>
>
> On 02/08/2012 01:49 PM, Simo Sorce wrote:
> >>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
> >>>> -BEGIN PGP SIGNED MESSAGE-
> >>>> Hash: SHA1
> >>>>
> >>>> morning all...
> >>>>
> >>>> i'm dabbling with automated provisioning of ipa client servers,
and i'm
> >>>> a little perplexed on how to add a keytab to a system during the %post
> >>>> section of a kickstart...
> >>>>
> >>>> i've run ipa-client-install -U -p admin -w redhat123 which works
> >>>> perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
> >>>> appear to be generated during the ipa-client-install.
> >>>>
> >>>> any suggestions on doing this during a post?
> >>>
> >>> What version of ipa-client-install are you using ?
> >>>
> >>> Newer versions (2.x) should fetch a keytab for your system (needs
> >>> credentials or OTP password.
> >>>
> >>> Simo.
> >>>

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Dale Macartney


Hi Simo

ipa-client-install is provided by the ipa-client rpm. Details below

Name: ipa-client
Arch: x86_64
Version : 2.1.3
Release : 9.el6
Size: 222 k
Repo: installed


What I am trying to achieve is these two commands in a post...

ipa service-add HTTP/$(hostname)
this definitely requires an authenticated user to add, I'm sure


ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
/etc/squid/krb5.keytab
this one I suspect might be able to be retrieved using the host/
principal from the system after running ipa-client-install.


Does this help paint a picture?


Dale


On 02/08/2012 01:49 PM, Simo Sorce wrote:
> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Morning all...
>>
>> I'm dabbling with automated provisioning of IPA client servers, and I'm
>> a little perplexed on how to add a keytab to a system during the %post
>> section of a kickstart...
>>
>> I've run ipa-client-install -U -p admin -w redhat123, which works
>> perfectly, but in order to run ipa-getkeytab I need a TGT, which doesn't
>> appear to be generated during the ipa-client-install.
>>
>> Any suggestions on doing this during a post?
>
> What version of ipa-client-install are you using ?
>
> Newer versions (2.x) should fetch a keytab for your system (needs
> credentials or OTP password.
>
> Simo.
>

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Dale Macartney


Thanks Christian

I was thinking the same to be honest..

The issue with having a password in a kickstart is obviously that
someone can read it in clear text. Here I would see the need to use a
specific role account with limited ability, but the issue remains the
same... it's a clear text password and has the ability to read IPA data.

I was pondering the idea of fetching a keytab file; however, as the
system has not yet registered itself into IPA, there is no host data
available to be exported to a key..

Has anyone performed this kind of task in an environment of their own so
far?

Dale



On 02/08/2012 09:28 AM, Christian Horn wrote:
> On Wed, Feb 08, 2012 at 11:13:36AM +0000, Dale Macartney wrote:
>>
>> I'm dabbling with automated provisioning of IPA client servers, and I'm
>> a little perplexed on how to add a keytab to a system during the %post
>> section of a kickstart...
>>
>> I've run ipa-client-install -U -p admin -w redhat123, which works
>> perfectly, but in order to run ipa-getkeytab I need a TGT, which doesn't
>> appear to be generated during the ipa-client-install.
>>
>> Any suggestions on doing this during a post?
>
> The password does not look nice here though..
>
> echo 'redhat123' | kinit admin --
>
> One might also be able to fetch the ticket as a file and deploy
> it on the system for usage.
>
> Christian

[Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Dale Macartney


Morning all...

I'm dabbling with automated provisioning of IPA client servers, and I'm
a little perplexed on how to add a keytab to a system during the %post
section of a kickstart...

I've run ipa-client-install -U -p admin -w redhat123, which works
perfectly, but in order to run ipa-getkeytab I need a TGT, which doesn't
appear to be generated during the ipa-client-install.

Any suggestions on doing this during a post?


Dale


Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-03 Thread Dale Macartney




On 02/03/2012 08:13 AM, Natxo Asenjo wrote:
> On Fri, Feb 3, 2012 at 9:02 AM, Natxo Asenjo 
wrote:
>> On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney
>>  wrote:
>>
>>> I have been experimenting with how best to address this, however I am
>>> constantly being pushed back to the conclusion that the only way of having
>>> a userdir that actually exists would be a homedir which would be created
>>> when a user first logs in.
>>>
>>> Yes, if you ssh to the dovecot server as the user (with oddjobd running
>>> in the background) it will create the homedir with no problems and the
>>> issue is resolved, however users should not *have to* interactively log
>>> into a server just to allow them to access mail.
>>>
>>> my only thinking here is shared homedirs (nfs?) between clients and
>>> servers, however my thoughts on this are "if dovecot is redirecting a
>>> users mail to their homedir, then why do we need dovecot to access it
>>> via imap when the mail will already appear in their homedir?"
>>>
>>> does anyone have any thoughts on this?
>
> Further, you do not need to have the Maildirs in the users' homedirs:
>
> http://wiki.dovecot.org/Authentication/Kerberos
> 
> If you only want to use Kerberos ticket-based authentication:
>
> auth default {
>   mechanisms = gssapi
>   userdb static {
>     args = uid=vmail gid=vmail home=/var/vmail/%u
>   }
> }
> 
>
> I have not tested it, but then you could have all the Maildirs in the
> imap server.
>
Just to clarify, I have just re-tested to verify... without the
mail_location, the below message is present in maillog:

Feb  3 08:32:37 mail04 dovecot: imap(user1): Error: user user1:
Initialization failed: mail_location not set and autodetection failed:
Mail storage autodetection failed with home=/home/user1
Feb  3 08:32:37 mail04 dovecot: imap(user1): Error: Invalid user
settings. Refer to server log for more information.



Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-03 Thread Dale Macartney




On 02/03/2012 08:02 AM, Natxo Asenjo wrote:
> On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney
>  wrote:
>
>> I have been experimenting with how best to address this, however I am
>> constantly being pushed back to the conclusion that the only way of having
>> a userdir that actually exists would be a homedir which would be created
>> when a user first logs in.
>>
>> Yes, if you ssh to the dovecot server as the user (with oddjobd running
>> in the background) it will create the homedir with no problems and the
>> issue is resolved, however users should not *have to* interactively log
>> into a server just to allow them to access mail.
>>
>> my only thinking here is shared homedirs (nfs?) between clients and
>> servers, however my thoughts on this are "if dovecot is redirecting a
>> users mail to their homedir, then why do we need dovecot to access it
>> via imap when the mail will already appear in their homedir?"
>>
>> does anyone have any thoughts on this?
>
> If you have an imap server instead of local mail, people do not have
> to log in to a desktop/text session to check their e-mail. They can access it
> from any imap client, even webmail.
>
Agreed, however the issue at hand is that dovecot is failing to store
the mail anyway in order to make it accessible in the first place.

Does anyone have any thoughts on how to have the homedirs auto created
(with the correct perms and selinux contexts) by a process/service that
is not initiated by the login process? oddjob and pam_mkhomedir do not
get involved here as it is not an interactive login. (I could be wrong,
however this is what I am seeing.)

Dale





Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-02 Thread Dale Macartney


Hi Craig

I am actually working on this very thing at the moment.

There is a very basic config here
(http://freeipa.org/page/Dovecot_Integration), however this is using PAM
for everything.

The end goal of course is SSO, in which I have managed to get GSSAPI for
authentication working and PAM is used for the user lookups..

Here is what I have in a working state on rhel 6.2

#

yum install -y oddjob-mkhomedir
chkconfig oddjobd on
service oddjobd start

ipa-client-install -U -p admin -w redhat123 --mkhomedir

# configure dovecot
chkconfig dovecot on
sed -i 's/#protocols = imap pop3 lmtp/protocols = imap/g' /etc/dovecot/dovecot.conf
sed -i "s-#mail_location =-mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u-g" /etc/dovecot/conf.d/10-mail.conf
echo "userdb {" >> /etc/dovecot/conf.d/10-auth.conf
echo "  driver = static" >> /etc/dovecot/conf.d/10-auth.conf
echo "  args = uid=dovecot gid=dovecot home=/var/spool/mail/%u" >> /etc/dovecot/conf.d/10-auth.conf
echo "}" >> /etc/dovecot/conf.d/10-auth.conf
sed -i 's/auth_mechanisms = plain/auth_mechanisms = gssapi/g' /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_gssapi_hostname =/auth_gssapi_hostname = $(hostname)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s-#auth_krb5_keytab =-auth_krb5_keytab = /etc/dovecot/krb5.keytab-g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_realms =/auth_realms = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_default_realm =/auth_default_realm = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf

kinit admin

ipa service-add imap/$(hostname)
ipa service-add imaps/$(hostname)
ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
ipa-getkeytab -s ds01.example.com -p imaps/$(hostname) -k /etc/dovecot/krb5.keytab
chown dovecot:dovecot /etc/dovecot/krb5.keytab

service dovecot restart



By having the system tapped into the IPA domain, PAM allows dovecot to
pass user lookups successfully. With the GSSAPI changes to
/etc/dovecot/conf.d/10-auth.conf and using a keytab for the service
principals, users can log in successfully without issue (I have only
tested this with GSSAPI at the moment).

Successful authentication appears in /var/log/maillog as follows:

Feb  2 22:50:45 mail04 dovecot: imap-login: Login:
user=, method=GSSAPI, rip=192.168.122.61,
lip=192.168.122.44, mpid=2216, TLS

The only issue I am presently facing is with the mail_location directive
in dovecot..

Unless the user's homedir actually exists, you will get errors like this:

Feb  2 21:52:34 mail04 dovecot: imap(user1): Error: user user1:
Initialization failed: Initializing mail storage from mail_location
setting failed: mkdir(/home/user1/mail) failed: Permission denied
(euid=120163(user1) egid=120163(user1) missing +w perm: /home,
euid is not dir owner)

I have been experimenting with how best to address this, however I am
constantly being pushed back to the conclusion that the only way of having
a userdir that actually exists would be a homedir which would be created
when a user first logs in.

Yes, if you ssh to the dovecot server as the user (with oddjobd running
in the background) it will create the homedir with no problems and the
issue is resolved, however users should not *have to* interactively log
into a server just to allow them to access mail.

My only thinking here is shared homedirs (nfs?) between clients and
servers, however my thoughts on this are "if dovecot is redirecting a
user's mail to their homedir, then why do we need dovecot to access it
via imap when the mail will already appear in their homedir?"

Does anyone have any thoughts on this?

Dale


On 02/03/2012 04:33 AM, Craig T wrote:
> hi,
>
> Has anyone setup Dovecot IMAP to work with IPA 2.x yet?
> I'm thinking the best config would be to use;
> * IMAPS between the mail clients and Dovecot server
> * LDAPS with "Passdb LDAP with authentication binds" to connect to IPA?
> ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
>
> cya
>
> Craig
>
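Two points from these threads fit together in one script: Rob's note in the %post thread that a host can kinit with its own keytab and then fetch keytabs for its own services, and Siggi's advice in the Dovecot thread to keep the imap/imaps keys in a dedicated keytab file rather than in /etc/krb5.keytab. The following is an added example, not the poster's script and not part of FreeIPA. It assumes the host is already enrolled (so /etc/krb5.keytab exists), that an admin has already created the service entry with `ipa service-add` as the poster does (the thread leaves open whether the host principal may do that itself), and that `ds01.example.com` is the IPA server as in the thread. `service_principal`, `host_principal`, `keytab_perms_ok`, `fetch_service_keytab` and the `RUN_FETCH` switch are names chosen here, and GNU `stat` is assumed for the permission check.

```shell
#!/bin/sh
# Added example (not the poster's script, not part of FreeIPA): obtain a service
# keytab as the enrolled host itself, with no admin password in the kickstart, and
# keep it in a dedicated file owned by the service user. Assumes the host is already
# enrolled (so /etc/krb5.keytab exists) and that an admin has already run
# `ipa service-add` for the service.
set -eu

IPA_SERVER="${IPA_SERVER:-ds01.example.com}"   # server name from the thread; override per site
HOST_KEYTAB="${HOST_KEYTAB:-/etc/krb5.keytab}" # written by ipa-client-install at enrolment

# Principal name helpers (names chosen for this example).
service_principal() { printf '%s/%s\n' "$1" "$2"; }
host_principal()    { printf 'host/%s\n' "$1"; }

# A keytab is equivalent to the service's password: it must be owner-readable only.
# GNU stat is assumed.
keytab_perms_ok() {
  [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# Network-dependent part: talks to the IPA server, so it only runs on request (see bottom).
#   $1 service name (imap, imaps, HTTP, ...), $2 keytab path, $3 owning system user
fetch_service_keytab() {
  svc=$1 keytab=$2 owner=$3
  fqdn=$(hostname -f)

  # Authenticate as the host; its own key is the only credential the system needs.
  kinit -kt "$HOST_KEYTAB" "$(host_principal "$fqdn")"

  # Pull the service key into the dedicated keytab (appends if the file exists,
  # so imap and imaps can share /etc/dovecot/krb5.keytab as in the thread).
  ipa-getkeytab -s "$IPA_SERVER" -p "$(service_principal "$svc" "$fqdn")" -k "$keytab"

  # Drop the host ticket as soon as it has done its job.
  kdestroy

  chown "$owner:$owner" "$keytab"
  chmod 600 "$keytab"
  keytab_perms_ok "$keytab"        # aborts (set -e) if something reset the mode
  klist -kt "$keytab"              # show the key entries that were stored
}

# Opt-in entry point so the file can also be sourced for its helpers:
#   RUN_FETCH=1 sh fetch-keytab.sh imap /etc/dovecot/krb5.keytab dovecot
if [ "${RUN_FETCH:-0}" = 1 ]; then
  fetch_service_keytab "$1" "$2" "$3"
fi
```

For the Dovecot case in the thread the call is `RUN_FETCH=1 sh fetch-keytab.sh imap /etc/dovecot/krb5.keytab dovecot`, then the same for `imaps`; both runs point `-k` at the same file, so the result is one keytab holding only the two IMAP keys, owned by `dovecot` and unreadable by anyone else, while the admin password never appears in %post.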
Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Dale Macartney


Hi Simo

I have used oddjob in the past and it works a treat, however this was
with ipa-client-install..

I was just dabbling around with the script over dinner and saw you were
an author...

Whenever I use the flag --mkhomedir with ipa-client-install, I get the
wrong contexts on the home dirs...

I raised a bugzilla ticket just before I left the office. Bug *786223*
<https://bugzilla.redhat.com/show_bug.cgi?id=786223>.

I'll keep playing with it and see what I come across. I'll feed back if
anything useful comes up.

Dale



On 01/31/2012 06:48 PM, Simo Sorce wrote:
> On Tue, 2012-01-31 at 18:22 +0000, Dale Macartney wrote:
>>
> All
>
> I just found the culprit for the selinux error
>
> I had the user's home dir automatically created when I was testing
> that the account was working.
>
> ssh us...@mail02.example.com... etc
>
> For some reason, the selinux context of the user's homedir is set to
> home_root_t instead of user_home_dir_t.
>
> > If you use pam_mkhomedir I suggest changing to use pam_oddjob_mkhomedir
> > The second one can properly deal with SELinux labeling on creation.
>
> once a restorecon was run on /home (restorecon -R /home) the selinux
> errors disappeared when accessing mail via imap.
>
> I'll do a write up of the details for the wiki so it is documented.
>
>
> Dale
>
>
>
> On 01/31/2012 04:40 PM, Dale Macartney wrote:
> >>>
> >>> thanks Siggi,
> >>>
> >>> I was just browsing past those mails from earlier today as well...
> I'll
> >>> make those changes before it goes on the wiki.
> >>>
> >>>
> >>>
> >>> On 01/31/2012 04:37 PM, Sigbjorn Lie wrote:
> >>>> On 01/31/2012 05:07 PM, Dale Macartney wrote:
> >>>>>
> >>>>> sed -i "s-#auth_krb5_keytab =-auth_krb5_keytab = /etc/krb5.keytab-g" /etc/dovecot/conf.d/10-auth.conf
> >>>>>
> >>>
> >>>> Perhaps I could recommend retrieving the imap/imaps keytabs into a
> >>> separate keytab file, and configure the auth_krb5_keytab config file
> >>> option in dovecot.conf to point to this file. This increases the
> >>> security tenfold, as pointed out earlier in this thread.
> >>>
> >>>
> >>>
> >>>> Regards,
> >>>> Siggi
> >>>
>

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Dale Macartney


All

I just found the culprit for the selinux error.

I had the user's home dir automatically created when I was testing that the
account was working.

ssh us...@mail02.example.com... etc

For some reason, the selinux context of the user's homedir is set to
home_root_t instead of user_home_dir_t.

Once a restorecon was run on /home (restorecon -R /home) the selinux
errors disappeared when accessing mail via imap.

I'll do a write-up of the details for the wiki so it is documented.


Dale



On 01/31/2012 04:40 PM, Dale Macartney wrote:
>
> thanks Siggi,
>
> I was just browsing past those mails from earlier today as well... I'll
> make those changes before it goes on the wiki.
>
>
>
> On 01/31/2012 04:37 PM, Sigbjorn Lie wrote:
> > On 01/31/2012 05:07 PM, Dale Macartney wrote:
> >>
> >> sed -i "s-#auth_krb5_keytab =-auth_krb5_keytab = /etc/krb5.keytab-g"
> >> /etc/dovecot/conf.d/10-auth.conf
> >>
>
> > Perhaps I could recommend to retrieve the imap/imaps keytabs into a
> > separate keytab file, and configure the auth_krb5_keytab config file
> > option in dovecot.conf to point to this file. This increases the
> > security by a tenfold as pointed out earlier in this thread.
>
>
>
> > Regards,
> > Siggi
>
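As an added example (not from Dale's write-up or the FreeIPA project), a small shell helper that flags home directories carrying the home_root_t label Dale describes, given `ls -Zd /home/*` output, and checks whether a PAM config file loads pam_oddjob_mkhomedir as Siggi suggested. The `ls -Z` lines it is checked against are constructed; the live `audit_home_labels` function needs SELinux tools and a real /home.

```shell
#!/bin/bash
# Added example, not part of the thread. Detects the mislabel described above
# (user homes labelled home_root_t instead of user_home_dir_t) from `ls -Zd`
# output, and checks whether a PAM stack uses pam_oddjob_mkhomedir.

# find_mislabeled_homes: reads `ls -Zd /home/*` lines on stdin and prints
# the path of every directory whose SELinux type is not user_home_dir_t.
# Expected line shape (RHEL 6): perms user group user:role:type:level path
find_mislabeled_homes() {
    awk '{
        ctx = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+_t:/) ctx = $i
        if (ctx == "") next                       # no context column, skip line
        split(ctx, part, ":")
        if (part[3] != "user_home_dir_t") print $NF
    }'
}

# uses_oddjob_mkhomedir FILE: true when an uncommented session line in the
# PAM config FILE loads pam_oddjob_mkhomedir.so (which labels new homes
# correctly), false if it still relies on pam_mkhomedir or on neither.
uses_oddjob_mkhomedir() {
    grep -Eq '^[[:space:]]*session.*pam_oddjob_mkhomedir\.so' "$1"
}

# audit_home_labels [--fix]: run the live check; relabel only when asked.
# Returns 1 while any home directory is still mislabeled.
audit_home_labels() {
    local bad
    bad=$(ls -Zd /home/* 2>/dev/null | find_mislabeled_homes)
    if [ -z "$bad" ]; then
        echo "all home directories are user_home_dir_t"
        return 0
    fi
    echo "mislabeled home directories:"
    echo "$bad"
    if [ "${1:-}" = "--fix" ]; then
        restorecon -Rv /home              # the same fix Dale applied
    fi
    return 1
}
```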

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Dale Macartney


thanks Siggi,

I was just browsing past those mails from earlier today as well... I'll
make those changes before it goes on the wiki.



On 01/31/2012 04:37 PM, Sigbjorn Lie wrote:
> On 01/31/2012 05:07 PM, Dale Macartney wrote:
>>
>> sed -i "s-#auth_krb5_keytab =-auth_krb5_keytab = /etc/krb5.keytab-g"
>> /etc/dovecot/conf.d/10-auth.conf
>>
>
> Perhaps I could recommend to retrieve the imap/imaps keytabs into a
> separate keytab file, and configure the auth_krb5_keytab config file
> option in dovecot.conf to point to this file. This increases the
> security by a tenfold as pointed out earlier in this thread.
>
>
>
> Regards,
> Siggi
>

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Dale Macartney


Howdy all,

Just another update from me.

I have a workable gssapi setup working with dovecot for imap... (I
didn't test pop yet).
The below setup was tested against rhel6.2.

# enable dovecot on startup
chkconfig dovecot on

# set dovecot to listen on imap
sed -i 's/#protocols = imap pop3 lmtp/protocols = imap/g' /etc/dovecot/dovecot.conf

# set mailbox location
echo "mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u" >> /etc/dovecot/dovecot.conf

# enable user/mailbox lookups
echo "userdb {" >> /etc/dovecot/conf.d/10-auth.conf
echo "  driver = static" >> /etc/dovecot/conf.d/10-auth.conf
echo "  args = uid=dovecot gid=dovecot home=/var/spool/mail/%u" >> /etc/dovecot/conf.d/10-auth.conf
echo "}" >> /etc/dovecot/conf.d/10-auth.conf

# set all gssapi goodies for SSO against IPA
sed -i 's/auth_mechanisms = plain/auth_mechanisms = gssapi/g' /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_gssapi_hostname =/auth_gssapi_hostname = $(hostname)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s-#auth_krb5_keytab =-auth_krb5_keytab = /etc/krb5.keytab-g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_realms =/auth_realms = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_default_realm =/auth_default_realm = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf

# create keytab for service principals.
kinit admin
ipa service-add imap/mail02.example.com
ipa service-add imaps/mail02.example.com
ipa-getkeytab -s ds01.example.com -p imap/mail02.example.com -k /etc/krb5.keytab
ipa-getkeytab -s ds01.example.com -p imaps/mail02.example.com -k /etc/krb5.keytab
setfacl -m u:dovecot:r /etc/krb5.keytab

service dovecot restart


There are 2 things I want to get resolved before I put the details on the
wiki, and that's around selinux and automated deployments (kickstart).

When selinux is enforcing, I receive these messages in /var/log/maillog.
The second line shows the error.

Jan 31 15:54:28 mail02 dovecot: imap-login: Login:
user=, method=GSSAPI, rip=192.168.122.61,
lip=192.168.122.32, mpid=20737, TLS
Jan 31 15:54:28 mail02 dovecot: imap(user1): Error:
open(/home/user1/mail/.imap/INBOX/dovecot.index.log) failed: Permission
denied (euid=120163(user1) egid=120163(user1) missing +r perm:
/home/user1/mail/.imap/INBOX/dovecot.index.log, euid is not dir owner)

The first line shows the successful gssapi authentication (gotta love
not entering passwords).

I am no guru on dovecot, but does anyone have any recommendations for
the second line? I presume it has to do with the format in which I am
setting the mail_location variable.

I reproduced this twice to verify the settings. The only part that I
can't automate via kickstart is the kinit admin section, of course,
because we have to enter a password here.

Any thoughts?


Dale




On 01/31/2012 02:23 PM, Simo Sorce wrote:
> On Tue, 2012-01-31 at 07:32 -0500, Stephen Gallagher wrote:
>> On Tue, 2012-01-31 at 10:22 +0100, Ondrej Valousek wrote:
>>>
> Hey sounds good to me, just glad it is working for you :). The only
> other question/suggestion I have is that it looks like you aren't
> leveraging kerberos in your configuration for SSO, You might want to
> think about doing this as it can be a pretty nice configuration.
>
> Essentially you would just need to add service principals for the host
> in the form of imap and or pop, and change the auth line in your dovecot
> config to allow for gssapi auth, like so:
>
> sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"
>
> Then assuming your user has a ticket, and their client is properly
> configured, they no longer need to do anything upon logging into their
> system, kerb will auth the rest.
>
> If you are on a multihomed system, you will need two additional changes,
> service principals for the other host name, and the following modification:
> sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
>
> I got a little caught up when you referenced the /etc/krb5.keytab file
> as possibly part of the problem so I thought this was more a kerb issue.
>
>>> Exactly, I was confused by this as well - I would like to see this
>>> working, too. But I would say we would need to do something with the
>>> permissions on /etc/krb5.keytab which is now (by default) only
>>> readable by root. We need to address this problem more in general as
>>> when integrating Bind DNS server, you hit the same thing.
>>> I would say something like ACL entry would help.
>>
>>
>> I fail to see why non-root processes should be trying to
>> read /etc/krb5.keytab at all. You should be generating a per-service
>> keytab with only the keys necessary for that service to authenticate
>> itself to the KDC. So you might have /etc/dovecot/dovecot.keytab which
>> is readable only by the dovecot user.
>>
>> The problem with allowing access to /etc/krb5.keytab is that it means
>> that an exploit in another p
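The per-service keytab approach Stephen and Siggi recommend, as an added example rather than Dale's script or FreeIPA project code: the imap/imaps keys go into a dedicated keytab readable only by root and the dovecot group, and the Dovecot options are edited in place (re-runnable, unlike a one-shot sed against the commented default) instead of granting dovecot an ACL on /etc/krb5.keytab. The keytab path, config path, IPA server, mail host and realm are assumptions; `fetch_service_keytab` needs an enrolled IPA client and an admin ticket and is not exercised offline.

```shell
#!/bin/bash
# Added example (not Dale's script). Per-service keytab for Dovecot instead
# of an ACL on /etc/krb5.keytab, plus idempotent edits of the Dovecot options.

DOVECOT_KEYTAB="${DOVECOT_KEYTAB:-/etc/dovecot/dovecot.keytab}"   # assumed path
AUTH_CONF="${AUTH_CONF:-/etc/dovecot/conf.d/10-auth.conf}"

# set_dovecot_option FILE KEY VALUE: replace an existing "key = ..." line,
# commented out or not, with "key = value", or append it when absent.
# KEY and VALUE must not contain sed's "|" delimiter or "&".
set_dovecot_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# keytab_is_private FILE: true when FILE exists and is not world-readable.
# Dovecot only needs group read (root:dovecot 0640); anyone else who can
# read the file holds the service's long-term keys.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# fetch_service_keytab IPA_SERVER MAIL_HOST: pull the imap/ and imaps/ keys
# into the dedicated keytab and lock its permissions down (live only).
fetch_service_keytab() {
    local server="$1" host="$2" svc
    for svc in imap imaps; do
        ipa service-add "$svc/$host" 2>/dev/null || true   # already present is fine
        ipa-getkeytab -s "$server" -p "$svc/$host" -k "$DOVECOT_KEYTAB"
    done
    chown root:dovecot "$DOVECOT_KEYTAB"
    chmod 0640 "$DOVECOT_KEYTAB"
    keytab_is_private "$DOVECOT_KEYTAB"
}

# configure_dovecot_gssapi MAIL_HOST REALM: point Dovecot at the private keytab.
configure_dovecot_gssapi() {
    set_dovecot_option "$AUTH_CONF" auth_mechanisms gssapi
    set_dovecot_option "$AUTH_CONF" auth_gssapi_hostname "$1"
    set_dovecot_option "$AUTH_CONF" auth_krb5_keytab "$DOVECOT_KEYTAB"
    set_dovecot_option "$AUTH_CONF" auth_default_realm "$2"
}

# Live run only when explicitly requested (placeholder names), e.g.:
#   DOVECOT_APPLY=1 ./dovecot-keytab.sh ds01.example.com mail02.example.com EXAMPLE.COM
if [ "${DOVECOT_APPLY:-0}" = 1 ]; then
    fetch_service_keytab "$1" "$2" && configure_dovecot_gssapi "$2" "$3" && service dovecot restart
fi
```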

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney


;-) will do mate. I'm writing a list of items to cover at the moment
actually.


On 01/30/2012 08:02 PM, Dmitri Pal wrote:
> On 01/30/2012 02:50 PM, Dale Macartney wrote:
> >
>> Hey Erinn, funny you mention that actually, I was adding service
>> principals when I was first troubleshooting that.
>>
>> SSO is definitely on the planned cards for me to be honest. I'll send
>> through the details to the list once I have a reproducible
>> configuration :-)
> And to the page, please
>
>>
>> thanks for the positive feedback.
>>
>> Dale
>>
>>
>>
>> On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:
>> > On 01/30/2012 10:20 AM, Dale Macartney wrote:
>> >>
>> >> Hi Erinn
>> >>
>> >> I originally asked the question as I was thinking my auth attempts were
>> >> failing when using ipa, however this was not the case.
>> >>
>> >> On closer inspection, I found that the authentication was successful yet
>> >> dovecot was failing to read a "missing" mailbox.
>> >>
>> >> I found that dovecot was simply missing the mail_location directive,
>> >> detailed below.
>> >>
>> >> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>> >>
>> >> Once I restarted dovecot with this extra line, the authentication was
>> >> again validated. I was then prompted to accept the self-signed
>> >> certificate from dovecot and I was able to retrieve the mail as
intended.
>> >>
>> >> Does this help clear things up?
>> >>
>> >>
>> >> Dale
>>
>> >>> So I am a bit confused here, is this working for you or not? It looked
>> >>> like you were asking a question to begin with, but then at then
end you
>> >>> are saying it is 100% working?
>> >>
>> >>> Just trying to figure out whether you need help,
>> >>> -Erinn
>> >>
>>
>> > Hey sounds good to me, just glad it is working for you :). The only
>> > other question/suggestion I have is that it looks like you aren't
>> > leveraging kerberos in your configuration for SSO, You might want to
>> > think about doing this as it can be a pretty nice configuration.
>>
>> > Essentially you would just need to add service principals for the host
>> > in the form of imap and or pop, and change the auth line in your dovecot
>> > config to allow for gssapi auth, like so:
>>
>> > sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"
>>
>> > Then assuming your user has a ticket, and their client is properly
>> > configured, they no longer need to do anything upon logging into their
>> > system, kerb will auth the rest.
>>
>> > If you are on a multihomed system, you will need two additional changes,
>> > service principals for the other host name, and the following modification:
>> > sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
>>
>> > I got a little caught up when you referenced the /etc/krb5.keytab file
>> > as possibly part of the problem so I thought this was more a kerb issue.
>>
>> > -Erinn
>>
>>
>>
>>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
>

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney


Hey Erinn, funny you mention that actually, I was adding service
principals when I was first troubleshooting that.

SSO is definitely on the planned cards for me to be honest. I'll send
through the details to the list once I have a reproducible configuration :-)

thanks for the positive feedback.

Dale



On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:
> On 01/30/2012 10:20 AM, Dale Macartney wrote:
>>
>> Hi Erinn
>>
>> I originally asked the question as I was thinking my auth attempts were
>> failing when using ipa, however this was not the case.
>>
>> On closer inspection, I found that the authentication was successful yet
>> dovecot was failing to read a "missing" mailbox.
>>
>> I found that dovecot was simply missing the mail_location directive,
>> detailed below.
>>
>> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>>
>> Once I restarted dovecot with this extra line, the authentication was
>> again validated. I was then prompted to accept the self-signed
>> certificate from dovecot and I was able to retrieve the mail as intended.
>>
>> Does this help clear things up?
>>
>>
>> Dale
>
>>> So I am a bit confused here, is this working for you or not? It looked
>>> like you were asking a question to begin with, but then at then end you
>>> are saying it is 100% working?
>>
>>> Just trying to figure out whether you need help,
>>> -Erinn
>>
>
> Hey sounds good to me, just glad it is working for you :). The only
> other question/suggestion I have is that it looks like you aren't
> leveraging kerberos in your configuration for SSO, You might want to
> think about doing this as it can be a pretty nice configuration.
>
> Essentially you would just need to add service principals for the host
> in the form of imap and or pop, and change the auth line in your dovecot
> config to allow for gssapi auth, like so:
>
> sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"
>
> Then assuming your user has a ticket, and their client is properly
> configured, they no longer need to do anything upon logging into their
> system, kerb will auth the rest.
>
> If you are on a multihomed system, you will need two additional changes,
> service principals for the other host name, and the following modification:
> sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
>
> I got a little caught up when you referenced the /etc/krb5.keytab file
> as possibly part of the problem so I thought this was more a kerb issue.
>
> -Erinn
>
>
>
>

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney


Hi Erinn

I originally asked the question as I was thinking my auth attempts were
failing when using ipa, however this was not the case.

On closer inspection, I found that the authentication was successful yet
dovecot was failing to read a "missing" mailbox.

I found that dovecot was simply missing the mail_location directive,
detailed below.

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Once I restarted dovecot with this extra line, the authentication was
again validated. I was then prompted to accept the self-signed
certificate from dovecot and I was able to retrieve the mail as intended.

Does this help clear things up?


Dale



On 01/30/2012 07:11 PM, Erinn Looney-Triggs wrote:
> On 01/30/2012 07:42 AM, Dale Macartney wrote:
>>
>> Of course Dmitri
>>
>> Here you go. I was actually trying to resolve this for an automated
>> kickstart process anyway. The details specific to dovecot are in the
>> middle.
>>
>> # Connect server to IPA domain (ensure DNS is working correctly
>> otherwise this step will fail)
>> ipa-client-install -U -p admin -w mysecretpassword
>>
>> # install postfix if necessary (installed by default in rhel6)
>> yum -y install postfix
>>
>> # set postfix to start on boot
>> chkconfig postfix on
>>
>> # configure postfix with hostname, domain and origin details
>> sed -i 's/#myhostname = host.domain.tld/myhostname = servername.example.com/g' /etc/postfix/main.cf
>> sed -i 's/#mydomain = domain.tld/mydomain = example.com/g' /etc/postfix/main.cf
>> sed -i 's/#myorigin = $mydomain/myorigin = $mydomain/g' /etc/postfix/main.cf
>>
>> # configure postfix to listen on all interfaces
>> sed -i 's/#inet_interfaces = all/inet_interfaces = all/g' /etc/postfix/main.cf
>> sed -i 's/inet_interfaces = localhost/#inet_interfaces = localhost/g' /etc/postfix/main.cf
>>
>> # apply postfix changes
>> service postfix restart
>>
>> # Install dovecot
>> yum -y install dovecot
>>
>> # set dovecot to start on boot
>> chkconfig dovecot on
>>
>> # set dovecot to listen on imap and imaps only
>> sed -i 's/#protocols = imap pop3 lmtp/protocols = imap imaps/g' /etc/dovecot/dovecot.conf
>>
>> # point dovecot to required mailbox directory (this is the section that was previously failing)
>> echo "mail_location = mbox:~/mail:INBOX=/var/mail/%u" >> /etc/dovecot/dovecot.conf
>>
>> # reload dovecot to apply changes
>> service dovecot restart
>>
>> # Apply working IPtables
>> cat > /etc/sysconfig/iptables << EOF
>> # Generated by iptables-save v1.4.7 on Tue Jan 10 12:17:41 2012
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [29:4596]
>> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>> # Completed on Tue Jan 10 12:17:41 2012
>> EOF
>>
>> With the above details, I am able to replicate a 100% working IPA
>> authenticated mail server, allowing IPA users to retrieve mail via
>> imap/imaps.
>>
>> I hope this helps.
>>
>>
>> Dale
>>
>>
>>
>> On 01/30/2012 01:46 PM, Dmitri Pal wrote:
>>> On 01/30/2012 07:16 AM, Dale Macartney wrote:
>>>>
>>>> Hi all
>>>>
>>>> I'm working on a test lab setup at the moment with RHEL 6.2 running IPA
>>>> 2.1 and experimenting with simple mail server setups.
>>>>
>>>> I have mail being received based on pam lookups from IPA. The mail server
>>>> is tapped into IPA via the ipa-client-install.
>>>>
>>>> I am using a default install of the dovecot rpm from RHN, and dovecot is
>>>> listening via imap/imaps, however all authentication requests fail when
>>>> attempting to login via imap..
>>>>
>>>> I added the necessary keytabs for imap/mail.example.com and
>>>> imaps/mail.example.com to /etc/krb5.keytab but this hasn't allowed
>>>> authentication.
>>>>
>>>> has a
