[Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-07 Thread Rob Ogilvie
Good Afternoon,

I'm testing FreeIPA for a proof-of-concept replacement of NIS on OEL 6.3
(RHEL 6.3).  I followed the guide to set up the FreeIPA server, and it
seems to be working great on the IPA server itself.  I can ssh in as admin,
type my password, and I'm in.

I then have been struggling with getting it going on client systems.  As
I'm not setting any of this up with DNS (I want this to be as unobtrusive
as possible), I executed the following command:

ipa-client-install --no-dns-sshfp --no-ntp --server=ovm-auth.

It asked me for admin's username and password and threw a warning about
getent passwd admin not returning anything.  Sure enough, it doesn't return
anything on the client (although it does on the server).

From the client, I'm able to kinit admin, type my password, and then
passwordlessly ssh over to the auth server.

I do see these entries in my log file on the client:

Aug  7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Failed to initialize
credentials using keytab [(null)]: Client 'host/ovm-c19-db@'
not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP
Aug  7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Client not found in
Kerberos database

I'm pretty new at Kerberos, so am unsure exactly what this might mean.

Thanks for any pointers!

Freeipa-users mailing list

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-07 Thread Rob Ogilvie
On Tue, Aug 7, 2012 at 1:24 PM, Simo Sorce  wrote:
> Kerberos depends on proper name resolution. If a hostname cannot be
> resolved you cannot acquire tickets for it.
> So if your host ovm-c19-db does not have a DNS entry (either using IPA's
> DNS server or an external DNS server) you can't get tickets.
> also name resolution generally must match the hostname as that is what
> is used to register a client into ipa.

That seems fair.  DNS is well set up, though.  ovm-c19-db.
exists in DNS and ovm-auth is able to resolve it by short hostname and
FQDN.  On the client, hostname returns the FQDN, as well.

Is there anything in my log entries that makes it look like it's a DNS
problem?  Again, I must stress, I'm new with Kerberos.

Thanks for your help!



Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-07 Thread Rob Ogilvie
On Tue, Aug 7, 2012 at 1:59 PM, Simo Sorce  wrote:
> Does klist -kt /etc/krb5.keytab return entries with the right hostname ?

It lists four entries, each with the correct FQDN:

[root@ovm-c19-db ~]# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp Principal
   1 08/07/12 12:51:03 host/ovm-c19-db.@
   1 08/07/12 12:51:03 host/ovm-c19-db.@
   1 08/07/12 12:51:03 host/ovm-c19-db.@
   1 08/07/12 12:51:03 host/ovm-c19-db.@

> If that works does ipa host-find list it ?

It does, but not with a certificate listed (ovm-auth, the server, does
have a certificate listed).




Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-07 Thread Rob Ogilvie
I just found these additional log file entries on my IPA server.  The
vm-mapsdc2 is one of the domain controllers/DNS servers not associated
with IPA other than being one of our authoritative DNS servers.  Is
something misconfigured in IPA on the server side?

Aug 07 14:01:02 ovm-auth. krb5kdc[1180](info): AS_REQ (4
etypes {18 17 16 23}) NEEDED_PREAUTH:
host/ovm-c19-db.@ for krbtgt/@,
Additional pre-authentication required
Aug 07 14:01:02 ovm-auth. krb5kdc[1178](info): AS_REQ (4
etypes {18 17 16 23}) ISSUE: authtime 1344373262, etypes
{rep=18 tkt=18 ses=18}, host/ovm-c19-db.@ for
Aug 07 14:01:02 ovm-auth. krb5kdc[1180](info): TGS_REQ (4
etypes {18 17 16 23}) ISSUE: authtime 1344373262, etypes
{rep=18 tkt=18 ses=18}, host/ovm-c19-db.@ for
Aug 07 14:01:02 ovm-auth. krb5kdc[1178](info): TGS_REQ (4
etypes {18 17 16 23}) UNKNOWN_SERVER: authtime 0,
host/ovm-c19-db.@ for
ldap/vm-13thdc2.@, Server not found in Kerberos
Aug 07 14:01:02 ovm-auth. krb5kdc[1178](info): AS_REQ (4
etypes {18 17 16 23}) NEEDED_PREAUTH:
host/ovm-c19-db.@ for krbtgt/@,
Additional pre-authentication required
Aug 07 14:01:02 ovm-auth. krb5kdc[1180](info): AS_REQ (4
etypes {18 17 16 23}) ISSUE: authtime 1344373262, etypes
{rep=18 tkt=18 ses=18}, host/ovm-c19-db.@ for
Aug 07 14:01:02 ovm-auth. krb5kdc[1178](info): TGS_REQ (4
etypes {18 17 16 23}) ISSUE: authtime 1344373262, etypes
{rep=18 tkt=18 ses=18}, host/ovm-c19-db.@ for
Aug 07 14:01:02 ovm-auth. krb5kdc[1180](info): TGS_REQ (4
etypes {18 17 16 23}) UNKNOWN_SERVER: authtime 0,
host/ovm-c19-db.@ for
ldap/vm-mapsdc2.@, Server not found in Kerberos

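As an added example (not code from the thread or from FreeIPA), the following Python parses krb5kdc.log request lines of the shape quoted above, collects the UNKNOWN_SERVER entries, and flags those whose target host lives in a DNS domain that spells the realm name itself: the pattern you get when an IPA realm carries the same name as the Active Directory domain. The sample lines are constructed, with EXAMPLE.COM / example.com standing in for the redacted realm and domain.

```python
import re
from collections import Counter

# Constructed sample modelled on the quoted krb5kdc.log; EXAMPLE.COM is a placeholder realm.
SAMPLE_LOG = [
    "Aug 07 14:01:02 ovm-auth.example.com krb5kdc[1180](info): AS_REQ (4 etypes {18 17 16 23}) "
    "NEEDED_PREAUTH: host/ovm-c19-db.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
    "Additional pre-authentication required",
    "Aug 07 14:01:02 ovm-auth.example.com krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.example.com@EXAMPLE.COM for "
    "ldap/vm-13thdc2.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "Aug 07 14:01:02 ovm-auth.example.com krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.example.com@EXAMPLE.COM for "
    "ldap/vm-mapsdc2.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "Aug 07 14:01:03 ovm-auth.example.com krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.example.com@EXAMPLE.COM for "
    "ldap/vm-mapsdc2.example.com@EXAMPLE.COM, Server not found in Kerberos database",
]

# One MIT krb5kdc request line: request type, outcome, client and server principal.
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<status>[A-Z_]+):"
    r".*?(?P<client>\S+@\S+) for (?P<server>[^\s,]+)"
)

def parse_kdc_line(line):
    """Return {'req', 'status', 'client', 'server'} for a request line, else None."""
    m = KDC_LINE.search(line)
    return m.groupdict() if m else None

def unknown_servers(lines):
    """Count service principals rejected with UNKNOWN_SERVER: services some client
    believed were in this realm but which are not enrolled in IPA."""
    counts = Counter()
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["status"] == "UNKNOWN_SERVER":
            counts[rec["server"]] += 1
    return counts

def realm_collision_hosts(lines):
    """Unknown hosts whose DNS domain, upper-cased, equals the realm. If that name is
    also an AD realm, the client mapped an AD host into the IPA realm by domain alone."""
    hits = set()
    for server in unknown_servers(lines):
        name, realm = server.rsplit("@", 1)
        host = name.partition("/")[2]
        if host.partition(".")[2].upper() == realm:
            hits.add(host)
    return sorted(hits)
```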

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
On Tue, Aug 7, 2012 at 7:03 PM, KodaK  wrote:
> It's hard to tell with the obfuscation, but is your DOMAIN the same as
> the one handled by the domain controller vm-mapsdc2?

Indeed, it is.

> You can only have one Kerberos realm named DOMAIN.

How do they know about each other?

> For example, if you have the windows domain/Kerb realm MYCOMPANY.COM,
> you will not be able to have it coexist with an IPA server controlling
> the realm MYCOMPANY.COM.

That's quite unfortunate.  How can I work around this?  Can I create
the realm BLAH.MYCOMPANY.COM or maybe even NOTMYCOMPANY.COM without a
DNS domain to match, or will I need to interface with the DNS admins?
Is there a good document that describes the nature of these realms and
their relation to DNS?

> If it's an oldschool NT type domain you should be OK, but if it's
> Active Directory (which uses Kerberos) you can't do it.

It's an Active Directory domain.



Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek  wrote:
> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
> SRV records (or let IPA manage it).

Ugh, I hope this doesn't end up pushing us back to NIS.

If I can get our infrastructure guys to buy off on making a
unix.mycompany.com subdomain in DNS, would I need to move all the
hosts to be under that subdomain in DNS?  I have some services
configured that are difficult to rename the DNS domain of.  Could, for
instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM
realm, given a MYCOMPANY.COM realm also exists?

I could then put some SRV records into the subdomain's zone to point
the kerberos stuff to the IPA server, change the domain on the IPA
server, change the realm on the IPA server, re-register clients, and
everything would be happy?

Ugh... actually... now that I think about this, I don't think I want
half my servers in a unix subdomain in DNS, which means DNS and realm
wouldn't match...

Thoughts?  Aside from rebuilding the infrastructure I've built already?  :-)



Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
So here's my plan, then... let me know if it seems like it'll make sense?

- I'm going to uninstall everything IPA from the IPA server
(ovm-auth.mycompany.com) after I unregister the client machines.

- I'm going to set up the IPA server with a new realm;
UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
up there for that?  If so, what?)

- I'm going to try registering testserver.mycompany.com server as part
of the UNIX.MYCOMPANY.COM realm.

Sound reasonable and/or sane?  :-)



Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce  wrote:
> On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> > -I'm going to set up the IPA server with a new realm;
> > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> > up there for that?  If so, what?)
> If your DNS people want to manually manage DNS for you then they need to
> create the unix.mydomain.com zone and manually create SRV and TXT
> records for kerberos and ldap IPA servers.

Is there a doc that explains what those SRV and TXT records need to look like?

> > -I'm going to try registering testserver.mycompany.com server as part
> > of the UNIX.MYCOMPANY.COM realm.
> >
> > Sound reasonable and/or sane?  :-)
> for the ipa server it should be in the unix.mydomain.com DNS zone to be
> useful.

The IPA server needs to be part of the unix.mycompany.com domain,
then, and the IPA clients do not?



Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
On Wed, Aug 8, 2012 at 12:33 PM, KodaK  wrote:
> If you're not familiar with this document then you need to spend some
> quality time with it:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html

That is, as a matter of fact, the guide I've been using.  I fear it
was written with the assumption readers understood IPA realms couldn't
easily coexist with Active Directory domains.  Reading through the
installation guide, I see no mention of needing a separate realm for
IPA... it's probably assumed we know that already?



Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
On Wed, Aug 8, 2012 at 12:31 PM, Simo Sorce  wrote:
> Unlike AD we do not force all clients to be positioned in the same DNS
> zone, however if you have clients not belonging to the same DNS domain
> you may have to change the krb5.conf file on all members of the realm to
> add additional [domain_realm] mappings so that you can tell that clients
> in zone foo.net are also to be looked for in the UNIX.MYDOMAIN.COM realm
> and its KDC.

I just, as a test, with no DNS set up for this, ran things with DNS
being mycompany.com, and the IPA domain being set up as
ovm.mycompany.com and realm of OVM.MYCOMPANY.COM, and everything
appears to be working great.  The only piece is the ipa-client-install
needs to specify the (non-DNS) domain, realm, and server, but that's
no problem for me at all...

Any thoughts about problems I might see?


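As an added illustration (not code from the thread or from FreeIPA), the following Python models how MIT krb5 walks a krb5.conf [domain_realm] section when deciding which realm owns a host, using the thread's placeholder names: a blanket .mycompany.com mapping of the kind Simo mentions sends the AD domain controllers to the IPA KDC as well, which is exactly the request the KDC log earlier in the thread records as UNKNOWN_SERVER, while exact-host entries take precedence and send those hosts back to the AD realm. The realm names, host names and both mappings are assumptions for the example.

```python
# Blanket mapping of the kind Simo describes (assumed values): every host under
# mycompany.com is looked up in the IPA realm, the AD domain controllers included.
IPA_ONLY_MAPPING = {
    ".mycompany.com": "OVM.MYCOMPANY.COM",
    "mycompany.com": "OVM.MYCOMPANY.COM",
}

# Same map with the AD domain controllers (assumed names) pinned to the AD realm
# by exact host name, so tickets for them are no longer requested from the IPA KDC.
SPLIT_MAPPING = {
    **IPA_ONLY_MAPPING,
    ".ovm.mycompany.com": "OVM.MYCOMPANY.COM",
    "vm-mapsdc2.mycompany.com": "MYCOMPANY.COM",
    "vm-13thdc2.mycompany.com": "MYCOMPANY.COM",
}

def domain_realm_lookup(hostname, mapping):
    """Resolve hostname to (realm, matched_key) the way MIT krb5 consults
    [domain_realm]: the exact host name first, then each parent domain with a
    leading dot, most specific first. (None, None) means no static mapping;
    libkrb5 would then fall back to DNS lookup or KDC referrals."""
    host = hostname.lower().rstrip(".")
    table = {k.lower(): v for k, v in mapping.items()}
    if host in table:
        return table[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix], suffix
    return None, None

def classify_hosts(hosts, mapping):
    """Realm a client with this [domain_realm] section would ask for each host."""
    return {h: domain_realm_lookup(h, mapping)[0] for h in hosts}

def render_domain_realm(mapping):
    """Render the mapping as a krb5.conf [domain_realm] section."""
    return "[domain_realm]\n" + "\n".join(f" {k} = {v}" for k, v in mapping.items())
```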

[Freeipa-users] NFS Ownership Gone

2012-08-10 Thread Rob Ogilvie
Hi All,

Files accessed over NFS with users that are not local (FreeIPA users)
are being squashed to nobody:nobody on my OEL6 box.  My nfs is set to
"defaults" on the client.

I'm thinking this is probably something that happens regularly?



Re: [Freeipa-users] NFS Ownership Gone

2012-08-10 Thread Rob Ogilvie
On Fri, Aug 10, 2012 at 2:54 PM, Rob Ogilvie  wrote:
> Files accessed over NFS with users that are not local (FreeIPA users)
> are being squashed to nobody:nobody on my OEL6 box.  My nfs is set to
> "defaults" on the client.

As an addendum to this: I'm not interested in strong security in my
NFS implementation; simplicity is what we use NFS for.  If there's a
simpler way than copying files across all the clients, I'm game.  :-)



Re: [Freeipa-users] NFS Ownership Gone

2012-08-13 Thread Rob Ogilvie
On Sun, Aug 12, 2012 at 11:49 AM,   wrote:
> Check your idmapper configuration (idmapd.conf) - not quite sure if IPA
> cares about NFSv4 ID mapper configuration

We have a winner!  I had to manually specify the domain and realm,
likely because they don't match my DNS configuration.

