Re: [Freeipa-users] FreeIPA on Debian
Hi guys,

I do not know whether it will reach ALL the lists Dmitri put in, but anyway: I am heavily interested in getting a nice inter-distro product (and if something works both on RH-like and Deb-like distros, that's quite some bases covered...). I'm afraid I'm not able to take the responsibility of building the deb support myself (no skills, no time), but I feel like I do need it and I can spend some considerable time testing builds if they appear (I still have a production NIS around and I would like to test the interoperability when it stops being 'production'...).

I feel like IPA takes the well-established components and builds added value ON them and not AGAINST them, making life easier (and hiding the not-so-beautiful guts under a nice interface, too...): integrating KRB5 and LDAP is something people do every now and then, but it comes with considerable pain: reading contradictory guides not updated for 10 years, dealing with examples using crypto mechanisms that should be long forgotten... ('first, before configuring LDAP, set up KRB5; having a test principal, get back to this LDAP guide' and some two links away: 'first, get your LDAP feet wet; when you're able to do ldapsearch, get back and construct those ldifs to build the krb5 database in ldap', followed by 'make a new realm, but don't use krb5_newrealm'...). FreeIPA gives hope of NOT having to deal with cn=config manually (it's a really nice thing, but ldifs are something that should be hidden from view, and most guides for ldap/krb5 integration require creating LOTS of those 'by hand', which makes for quite a steep learning curve...). The abundance of PAM modules for ldap/krb5 does not make it any easier (shishi? Heimdal? MIT?; libpam-ldap or libpam-ldapd?), nor does the multitude of different caching tools (to mention only nslcd, nsscache, libpam-ccreds, nss_updatedb...).
Having something solid to start with, with today's hordes of products requiring some auth integration thingie, would be really nice. OTOH it would be nice to have some documentation without EXAMPLE.COM inside :>

I think getting FreeIPA working on Debian would be a great 'social' move, sure to be valued among the Linux community (ok, at least the part of the community not centered on their own personal computers...), but the transition to 'FreeIPA is a widely adopted product for ...' would surely need more people than a couple of guys in RH raising the Debian cause and a few Debian users like me. Thanks to work by Alexandre Ellert it's possible to get FreeIPA working with wheezy with relatively no hassle, but I'm afraid the world needs more than him :> Trying that, I haven't seen any obvious 'fedorisms' inside...

As for the 'let's have a dream' part -> I would like to see something similar to nsscache included with the FreeIPA suite for some really lightweight clients, for more than one reason...

Dmitri, thanks for raising the flag!

Michał

PS: Any idea for some advertisement on the Debian side?

On Fri, Aug 30, 2013 at 11:04 PM, Dmitri Pal wrote:
> Hello,
>
> Sorry for cross posting to 4 different lists but it seems that this is
> the best way to include most of the people who might be interested in this
> discussion.
>
> The question of "When will FreeIPA be available on Debian?" has been
> coming up periodically on the list(s) without any resolution. However it
> is clear that it would be beneficial for the community and the project.
>
> Maybe it is time to try again?
> Let us see why it has not happened yet.
>
> 1) Some components need to be ported to Debian, especially Dogtag and a
> slew of its new RESTEasy dependencies. This requires time and quite an
> effort from someone familiar with the domain.
> 2) The code needs to be changed in the installer and potentially in other
> places, as it might have had some Fedorisms blended in.
> 3) Someone needs to own packages in Debian and maintain them, someone
> with good knowledge of the distro and time to take ownership of about 50
> packages.
>
> Can we pull it off together this time?
> Say we plan for some Dogtag and IPA domain experts to work on the port
> during Nov 13 - Feb 14 and address 1) and 2). Would there be any
> interest to join forces with them? Would there be anyone to take on item
> 3) from the list above?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

--
Michal Dwuznik

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] setting up a client on Debian squeeze
Ok, I somehow assumed certs are very much needed for ldaps...

In the meantime, I set up a Debian wheezy machine to try the freeipa-client from debs. I managed to get a working ipa-client (with a few quirks... the default nss database needed to be created) with packages from

deb http://apt.numeezy.fr wheezy main
deb-src http://apt.numeezy.fr wheezy main

So now I have a ready set of Debian-like configs for wheezy; making it work with squeeze seems easier now (it comes with learning, too...). I must admit the ipa-client debug option is lovely as a step-by-step guide for trying by hand :>

Going back to thinking whether to try getting ipa on squeeze or getting the legacy software working with squeeze... (some of the scientists seem to be the happiest if the system is totally unchanged for some 20 years...).

Regards
Michal

PS: I do see hope for rooting out the last instance of NIS on the campus :>
Re: [Freeipa-users] setting up a client on Debian squeeze
Sorry for the quick continuation...

Certificate added to the nss DB in /etc/pki:

certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt

sssd configured according to http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

How do I test now, before changing PAM options, that the pieces fit together?

(Sorry for being a bit too tired...)

M.

On Fri, Aug 30, 2013 at 1:49 AM, Michał Dwużnik wrote:
> Ok, going step by step I did the following on squeeze:
>
> set up ntp, time synced with the ipa server
>
> test setup is done on
> ipa.localdomain (server)
> client.localdomain
> (client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh
> works for test users tester and tester2)
>
> client2.localdomain is the Debian Squeeze client
>
> added host client2.localdomain on the IPA server, added 'managedby', got the
> keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2
>
> most important part of /etc/krb5.conf:
>
> [realms]
> LOCALDOMAIN = {
>  kdc = ipa.localdomain
>  admin_server = ipa.localdomain
> }
>
> [domain_realm]
> .localdomain = LOCALDOMAIN
> localdomain = LOCALDOMAIN
> default_domain = localdomain
>
> [libdefaults]
> default_realm = LOCALDOMAIN
>
> The following lets me think the KRB5 part of the setup is done correctly:
>
> root@client2:/etc# kinit admin
> Password for admin@LOCALDOMAIN:
> root@client2:/etc# kdestroy
> root@client2:/etc# kinit tester
> Password for tester@LOCALDOMAIN:
> root@client2:/etc# klis
> -su: klis: command not found
> root@client2:/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: tester@LOCALDOMAIN
>
> Valid starting     Expires            Service principal
> 08/30/13 00:35:50  08/31/13 00:35:47  krbtgt/LOCALDOMAIN@LOCALDOMAIN
>
> root@client2:/etc# kpasswd tester
> Password for tester@LOCALDOMAIN:
> Enter new password:
> Enter it again:
> Password changed.
>
> I guess that's the point of snapshotting the 'KRB done' state (can I be wrong?)
>
> DNS for all the hosts involved is similar to:
> root@client2:/etc# nslookup ipa
> Server:  192.168.137.29
> Address: 192.168.137.29#53
>
> Name:    ipa.localdomain
> Address: 192.168.137.13
>
> root@client2:/etc# nslookup 192.168.137.13
> Server:  192.168.137.29
> Address: 192.168.137.29#53
>
> 13.137.168.192.in-addr.arpa name = ipa.localdomain.
>
> Now I guess it's time for certificates, where I do have some doubts...
>
> I've added the SSH host keys via the web interface, now the cert part:
>
> having generated the CSR after creating the new database:
>
> certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
>
> (in the /etc/pki dir) I paste the CSR and issue the certificate for the host
>
> (/etc/pki contains the newly created cert8.db key3.db secmod.db)
>
> Which of those should be used to add the cert to?
>
> (like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /path/to/ca.crt)
>
> All of the tries result in:
> root@client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
> root@client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
> root@client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
>
> Could someone show me my mistake?
>
> Regards
> Michal
>
> On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik wrote:
>> As for now I have set up a 'known good' client on a RH based distro, to get
>> a feeling for how the config files look when configured correctly.
>>
>> Thanks for the nice reference
>>
>> M.
>>
>> On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden wrote:
>>> Michał Dwużnik wrote:
>>>> Hi folks,
>>>>
>>>> did anyone succeed in connecting such an old thing recently to a freeipa
>>>> server?
>>>>
>>>> Is there a document (or an archive post) about connecting a 'non ipa
>>>> aware' client step by step?
>>>> I got as far as getting Kerberos working with no issues, hit a wall with the ldap
>>>> part..
>>>
>>> You might try this: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
>>>
>>> rob
>>
>> --
>> Michal Dwuznik
>
> --
> Michal Dwuznik

--
Michal Dwuznik
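The two things the message above settles by trial and error can be checked offline before PAM is touched: that /etc/krb5.conf actually maps the client's hostname to a realm with a KDC (the [domain_realm] longest-suffix rule), and that certutil is pointed at the NSS database directory rather than at cert8.db/key3.db/secmod.db (which is exactly what produces "security library: bad database") with the IPA CA carrying the trust flags an LDAPS client needs. The script below is an added example, not code from the thread or from FreeIPA; the krb5.conf is adapted from the posted fragment, the certutil -L listing is constructed to look like /etc/pki after the import, and all function and constant names are this example's own.

```python
"""Offline pre-flight checks for a hand-configured IPA client.

Added example (not code from the thread or from FreeIPA). All input is
constructed: KRB5_CONF is adapted from the krb5.conf posted in the thread,
CERTUTIL_L is made up to look like `certutil -L -d /etc/pki` after the
CA import. Names below are this example's own.
"""
import os
import re
from collections import defaultdict

KRB5_CONF = """
[libdefaults]
 default_realm = LOCALDOMAIN

[realms]
 LOCALDOMAIN = {
  kdc = ipa.localdomain
  admin_server = ipa.localdomain
 }

[domain_realm]
 .localdomain = LOCALDOMAIN
 localdomain = LOCALDOMAIN
"""


def parse_krb5_conf(text):
    """Minimal parser: [section] headers, key = value pairs, one level of
    NAME = { ... } subsections (enough for [realms]). A repeated key keeps
    only its last value; the real profile library keeps all of them."""
    conf = defaultdict(dict)
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, block = m.group(1), None
            continue
        if line == '}':
            block = None
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            block = m.group(1)
            conf[section][block] = {}
            continue
        key, _, value = line.partition('=')
        target = conf[section][block] if block else conf[section]
        target[key.strip()] = value.strip()
    return conf


def realm_for_host(conf, hostname):
    """[domain_realm] lookup as libkrb5 does it: exact hostname first, then
    each enclosing domain with a leading dot (.localdomain covers both
    client2.localdomain and a.b.localdomain), longest suffix first. With no
    match we fall back to default_realm; real libkrb5 may also try DNS
    before that, which this example omits."""
    mapping = conf.get('domain_realm', {})
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get('libdefaults', {}).get('default_realm')


def kdcs_for_realm(conf, realm):
    """KDCs listed for a realm; empty means kinit would depend on DNS SRV."""
    kdc = conf.get('realms', {}).get(realm, {}).get('kdc')
    return [kdc] if kdc else []


# certutil -d takes the directory holding the database files, never a file.
NSS_DB_FILES = {'cert8.db', 'key3.db', 'secmod.db', 'cert9.db', 'key4.db'}


def nss_db_dir(path):
    """Turn a mistaken -d argument (one of the db files) into the directory."""
    if os.path.basename(path) in NSS_DB_FILES:
        return os.path.dirname(path) or '.'
    return path


CERTUTIL_L = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
client2.localdomain                                          u,u,u
"""


def trust_flags(listing, nickname):
    """The 'SSL,S/MIME,JAR/XPI' trust string certutil -L shows for a nickname."""
    pat = re.compile(r'^' + re.escape(nickname) + r'\s+(\S+)$')
    for line in listing.splitlines():
        m = pat.match(line)
        if m:
            return m.group(1)
    return None


def ca_trusted_for_ssl(listing, nickname):
    """An LDAPS client validating the server cert needs 'C' (trusted CA) in
    the SSL slot. The 'T' in CT,C,C only matters to servers doing
    client-certificate auth and is harmless on a client."""
    flags = trust_flags(listing, nickname)
    return flags is not None and 'C' in flags.split(',')[0]


def preflight(hostname, krb5_text, listing, ca_nickname):
    """Collect what would break before PAM is switched over."""
    conf = parse_krb5_conf(krb5_text)
    problems = []
    realm = realm_for_host(conf, hostname)
    if not realm:
        problems.append('no realm for ' + hostname)
    elif not kdcs_for_realm(conf, realm):
        problems.append('no kdc configured for ' + realm)
    if not ca_trusted_for_ssl(listing, ca_nickname):
        problems.append(ca_nickname + ' lacks SSL CA trust')
    return problems
```

On the real box the same two layers are exercised with `kinit -k` against the host keytab followed by `klist`, and with `certutil -L -d /etc/pki` to confirm the "IPA CA" line reads CT,C,C; only after both pass is it worth checking that sssd resolves users (`getent passwd tester`) and then touching PAM.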
Re: [Freeipa-users] setting up a client on Debian squeeze
Ok, going step by step I did the following on squeeze:

set up ntp, time synced with the ipa server

test setup is done on
ipa.localdomain (server)
client.localdomain
(client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh works for test users tester and tester2)

client2.localdomain is the Debian Squeeze client

added host client2.localdomain on the IPA server, added 'managedby', got the keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2

most important part of /etc/krb5.conf:

[realms]
LOCALDOMAIN = {
 kdc = ipa.localdomain
 admin_server = ipa.localdomain
}

[domain_realm]
.localdomain = LOCALDOMAIN
localdomain = LOCALDOMAIN
default_domain = localdomain

[libdefaults]
default_realm = LOCALDOMAIN

The following lets me think the KRB5 part of the setup is done correctly:

root@client2:/etc# kinit admin
Password for admin@LOCALDOMAIN:
root@client2:/etc# kdestroy
root@client2:/etc# kinit tester
Password for tester@LOCALDOMAIN:
root@client2:/etc# klis
-su: klis: command not found
root@client2:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tester@LOCALDOMAIN

Valid starting     Expires            Service principal
08/30/13 00:35:50  08/31/13 00:35:47  krbtgt/LOCALDOMAIN@LOCALDOMAIN

root@client2:/etc# kpasswd tester
Password for tester@LOCALDOMAIN:
Enter new password:
Enter it again:
Password changed.

I guess that's the point of snapshotting the 'KRB done' state (can I be wrong?)

DNS for all the hosts involved is similar to:
root@client2:/etc# nslookup ipa
Server:  192.168.137.29
Address: 192.168.137.29#53

Name:    ipa.localdomain
Address: 192.168.137.13

root@client2:/etc# nslookup 192.168.137.13
Server:  192.168.137.29
Address: 192.168.137.29#53

13.137.168.192.in-addr.arpa name = ipa.localdomain.

Now I guess it's time for certificates, where I do have some doubts...

I've added the SSH host keys via the web interface, now the cert part:

having generated the CSR after creating the new database:

certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'

(in the /etc/pki dir) I paste the CSR and issue the certificate for the host

(/etc/pki contains the newly created cert8.db key3.db secmod.db)

Which of those should be used to add the cert to?

(like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /path/to/ca.crt)

All of the tries result in:
root@client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
root@client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
root@client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.

Could someone show me my mistake?

Regards
Michal

On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik wrote:
> As for now I have set up a 'known good' client on a RH based distro, to get
> a feeling for how the config files look when configured correctly.
>
> Thanks for the nice reference
>
> M.
>
> On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden wrote:
>> Michał Dwużnik wrote:
>>> Hi folks,
>>>
>>> did anyone succeed in connecting such an old thing recently to a freeipa
>>> server?
>>>
>>> Is there a document (or an archive post) about connecting a 'non ipa
>>> aware' client step by step?
>>> I got as far as getting Kerberos working with no issues, hit a wall with the ldap
>>> part..
>>
>> You might try this: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
>>
>> rob
>
> --
> Michal Dwuznik

--
Michal Dwuznik
Re: [Freeipa-users] setting up a client on Debian squeeze
As for now I have set up a 'known good' client on a RH based distro, to get a feeling for how the config files look when configured correctly.

Thanks for the nice reference

M.

On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden wrote:
> Michał Dwużnik wrote:
>> Hi folks,
>>
>> did anyone succeed in connecting such an old thing recently to a freeipa
>> server?
>>
>> Is there a document (or an archive post) about connecting a 'non ipa
>> aware' client step by step?
>> I got as far as getting Kerberos working with no issues, hit a wall with the ldap part..
>
> You might try this: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
>
> rob

--
Michal Dwuznik
[Freeipa-users] setting up a client on Debian squeeze
Hi folks,

did anyone succeed in connecting such an old thing recently to a freeipa server?

Is there a document (or an archive post) about connecting a 'non ipa aware' client step by step?
I got as far as getting Kerberos working with no issues, hit a wall with the ldap part..

Regards
Michal

--
Michal Dwuznik