Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, 2011-06-21 at 14:41 -0400, Dan Scott wrote:
> Excellent! Thanks - that makes much more sense. I've been using
> authconfig-tui all this time and had no idea that it was doing things
> incorrectly.
>
> One small issue that I found: if I switch on the "Use DNS to resolve
> hosts to realms" option, then the krb5_realm (in sssd.conf) and
> default_realm (in krb5.conf) are removed and my authentication fails.
> I'm pretty sure that I have DNS correctly configured (_kerberos
> IN TXT EXAMPLE.COM). Does the sssd client look for different
> DNS records for realm discovery?

Actually, we don't currently support *realm* discovery. We only support
KDC discovery (using ._kerberos._tcp IN SRV EXAMPLE.COM)

Feel free to open an RFE at https://fedorahosted.org/sssd (Fedora
Account required to open tickets) for support of detecting the realm by
TXT record.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
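The distinction Stephen draws above (SSSD discovers KDCs from SRV records but never the realm) is easy to see by looking at which DNS names each lookup actually uses. The script below is an added example, not code from the thread, SSSD or MIT krb5. It assumes the standard record names: `_kerberos._tcp.<dnsdomain>` / `_kerberos._udp.<dnsdomain>` SRV for KDC discovery, and `_kerberos.<hostname>` TXT, which MIT libkrb5 queries when `dns_lookup_realm = true`. The SRV answer lines are constructed to look like the answer section of `dig SRV _kerberos._tcp.example.com` (without `+short`); the hostnames are placeholders.

```shell
#!/bin/sh
# Added example: show the DNS names behind Kerberos service discovery and
# turn an SRV answer into a pinned [realms] stanza for krb5.conf.

# Constructed dig-style SRV answer (not a real zone): three KDCs with
# different priority/weight values so the ordering is visible.
SAMPLE_SRV='_kerberos._tcp.example.com. 86400 IN SRV 10 50 88 ipa3.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa1.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 50 88 ipa2.example.com.'

# discovery_names DNSDOMAIN HOSTNAME: print the record names a client consults.
# The SRV names are what SSSD (krb5_server = _srv_) and libkrb5 use to find
# KDCs; the TXT name is what MIT libkrb5 uses for realm discovery, which
# SSSD itself does not perform (so krb5_realm must stay in sssd.conf).
discovery_names() {
    dom=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf 'SRV _kerberos._tcp.%s\n' "$dom"
    printf 'SRV _kerberos._udp.%s\n' "$dom"
    printf 'TXT _kerberos.%s\n' "$2"
}

# srv_to_kdcs: read "name ttl IN SRV prio weight port target" lines on stdin
# and print "kdc = target:port" in the order a client should try them:
# lowest priority first, higher weight first within a priority (RFC 2782
# picks among equal-priority targets randomly by weight; this is the
# deterministic equivalent for a config file).
srv_to_kdcs() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $5, $6, $7, $8 }' |
    sort -k1,1n -k2,2nr |
    awk '{ printf "kdc = %s:%s\n", $4, $3 }'
}

# realm_stanza REALM: emit a krb5.conf fragment that pins the realm and the
# KDCs found in the SRV answer on stdin. DNS answers are unauthenticated
# unless DNSSEC-validated, so pinning the realm (and dns_lookup_realm =
# false) removes DNS from the trust path for choosing the realm.
realm_stanza() {
    printf '[libdefaults]\n  default_realm = %s\n  dns_lookup_realm = false\n\n' "$1"
    printf '[realms]\n  %s = {\n' "$1"
    srv_to_kdcs | sed 's/^/    /'
    printf '  }\n'
}

# Usage: names queried for a client host1.example.com in DNS domain example.com,
# then the pinned stanza built from the constructed SRV answer.
discovery_names EXAMPLE.COM host1.example.com
printf '%s\n' "$SAMPLE_SRV" | realm_stanza EXAMPLE.COM
```

To use it against a live zone, pipe the answer section of `dig SRV _kerberos._tcp.<dnsdomain>` into `realm_stanza <REALM>`; the output is the `[realms]` block you would keep in krb5.conf alongside `krb5_realm` in sssd.conf, so authentication no longer depends on what the resolver hands back.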
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, Jun 21, 2011 at 14:19, Stephen Gallagher wrote:
> On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
>> On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher wrote:
>> > On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
>> >> Hi,
>> >>
>> >> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher
>> >> wrote:
>> >> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
>> >> >> Hi,
>> >> >>
>> >> >> I'm still running a FreeIPA 1.2 server but have started installing
>> >> >> Fedora 15 clients and am trying to figure out how to manually set up
>> >> >> the Krb/LDAP configuration.
>> >> >>
>> >> >> I've run the 'authconfig-tui' command and manually set up Krb
>> >> >> authentication and LDAP authorisation, using DNS discovery for the
>> >> >> servers. The authentication is working correctly, but when I run 'id
>> >> >> $USERNAME' I don't receive the correct groups, so I believe that
>> >> >> Kerberos is working, but the LDAP configuration is wrong. I've turned
>> >> >> the sssd loglevel up to 100, but I can't figure out why I'm not
>> >> >> getting the correct groups.
>> >> >>
>> >> >> My system has a variety of files and I'm not sure which are still in
>> >> >> use:
>> >> >>
>> >> >> /etc/krb5.conf
>> >> >> /etc/pam_ldap.conf
>> >> >> /etc/sssd/sssd.conf
>> >> >>
>> >> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
>> >> >> this is not present on F15.
>> >> >>
>> >> >> Can anyone help me figure out how to get the group lookups working?
>> >> >
>> >> >
>> >> > Probably you need to add ldap_schema=rfc2307bis into the
>> >> > [domain/default] section of /etc/sssd/sssd.conf.
>> >> >
>> >> > If you just set authconfig up as an LDAP server, it defaults to
>> >> > ldap_schema = rfc2307, which uses a different attribute on the server to
>> >> > contain group memberships.
>> >>
>> >> Thanks, but I've tried both of those entries - it doesn't appear to
>> >> make any difference.
>> >>
>> >> Dan
>> >
>> >
>> > Could you attach your
>> > (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
>> > and /etc/pam.d/system-auth?
>>
>> Attached, thanks. The only changes are domain names and 'dc=*' entries.
>>
>> One thing that I just noticed: the system-auth file has pam_krb5.so
>> entries; previously, these were pam_sss.so - I've tried using both,
>> but neither appears to work.
>>
>> Thanks,
>>
>> Dan
>
>
> Your /etc/nsswitch.conf is wrong. I just noticed that you were using
> authconfig-tui which is deprecated upstream and does not properly set up
> SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works
> properly. Feel free to file a bug against authconfig.
>
> /etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD.
> Similarly system-auth needs to use pam_sss.so, not pam_krb5.so.
>
> If you run 'authconfig --enablesssd --enablesssdauth --update' you
> should be fine. This will update the config files with the correct
> SSSD-related settings.

Excellent! Thanks - that makes much more sense. I've been using
authconfig-tui all this time and had no idea that it was doing things
incorrectly.

One small issue that I found: if I switch on the "Use DNS to resolve
hosts to realms" option, then the krb5_realm (in sssd.conf) and
default_realm (in krb5.conf) are removed and my authentication fails.
I'm pretty sure that I have DNS correctly configured (_kerberos
IN TXT EXAMPLE.COM). Does the sssd client look for different
DNS records for realm discovery?

Thanks for your help,

Dan
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
> On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher wrote:
> > On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
> >> Hi,
> >>
> >> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher
> >> wrote:
> >> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> >> >> Hi,
> >> >>
> >> >> I'm still running a FreeIPA 1.2 server but have started installing
> >> >> Fedora 15 clients and am trying to figure out how to manually set up
> >> >> the Krb/LDAP configuration.
> >> >>
> >> >> I've run the 'authconfig-tui' command and manually set up Krb
> >> >> authentication and LDAP authorisation, using DNS discovery for the
> >> >> servers. The authentication is working correctly, but when I run 'id
> >> >> $USERNAME' I don't receive the correct groups, so I believe that
> >> >> Kerberos is working, but the LDAP configuration is wrong. I've turned
> >> >> the sssd loglevel up to 100, but I can't figure out why I'm not
> >> >> getting the correct groups.
> >> >>
> >> >> My system has a variety of files and I'm not sure which are still in
> >> >> use:
> >> >>
> >> >> /etc/krb5.conf
> >> >> /etc/pam_ldap.conf
> >> >> /etc/sssd/sssd.conf
> >> >>
> >> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
> >> >> this is not present on F15.
> >> >>
> >> >> Can anyone help me figure out how to get the group lookups working?
> >> >
> >> >
> >> > Probably you need to add ldap_schema=rfc2307bis into the
> >> > [domain/default] section of /etc/sssd/sssd.conf.
> >> >
> >> > If you just set authconfig up as an LDAP server, it defaults to
> >> > ldap_schema = rfc2307, which uses a different attribute on the server to
> >> > contain group memberships.
> >>
> >> Thanks, but I've tried both of those entries - it doesn't appear to
> >> make any difference.
> >>
> >> Dan
> >
> >
> > Could you attach your
> > (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
> > and /etc/pam.d/system-auth?
>
> Attached, thanks. The only changes are domain names and 'dc=*' entries.
>
> One thing that I just noticed: the system-auth file has pam_krb5.so
> entries; previously, these were pam_sss.so - I've tried using both,
> but neither appears to work.
>
> Thanks,
>
> Dan

Your /etc/nsswitch.conf is wrong. I just noticed that you were using
authconfig-tui which is deprecated upstream and does not properly set up
SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works
properly. Feel free to file a bug against authconfig.

/etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD.
Similarly system-auth needs to use pam_sss.so, not pam_krb5.so.

If you run 'authconfig --enablesssd --enablesssdauth --update' you
should be fine. This will update the config files with the correct
SSSD-related settings.
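The three things Stephen's reply calls out (`sss` rather than `ldap` in nsswitch.conf, `pam_sss.so` rather than `pam_krb5.so` in system-auth, and `ldap_schema = rfc2307bis` plus a pinned `krb5_realm` in the sssd.conf domain section) can be checked mechanically before anyone logs in. The script below is an added example, not code from the thread, SSSD or authconfig. It writes constructed "broken" and "fixed" sample files into a temporary directory (illustrative contents, not Dan's attachments) and audits each; the file paths, sample values and the `EXAMPLE.COM` realm are assumptions.

```shell
#!/bin/sh
# Added example: audit an SSSD/FreeIPA client's NSS, PAM and sssd.conf
# settings for the legacy-stack mistakes discussed in the thread. Paths are
# parameters so the checks can run against copies instead of the live /etc.

# check_nsswitch FILE: passwd and group must resolve through 'sss'
# (not the legacy 'ldap' module) for SSSD to serve users and groups.
check_nsswitch() {
    f=$1; rc=0
    for db in passwd group; do
        line=$(grep -E "^[[:space:]]*$db:" "$f" | head -n 1)
        case " $line " in
            *" sss"*) ;;
            *) echo "nsswitch: '$db' does not use sss: ${line:-<missing>}"; rc=1 ;;
        esac
        case " $line " in
            *" ldap"*) echo "nsswitch: '$db' still lists legacy 'ldap': $line"; rc=1 ;;
        esac
    done
    return $rc
}

# check_pam FILE: authentication must go through pam_sss.so; any
# pam_krb5.so / pam_ldap.so line means the legacy stack is still wired in.
check_pam() {
    f=$1; rc=0
    if grep -qE '^[[:space:]]*(auth|account|password|session)[[:space:]].*pam_(krb5|ldap)\.so' "$f"; then
        echo "pam: legacy pam_krb5.so/pam_ldap.so present in $f"; rc=1
    fi
    if ! grep -qE '^[[:space:]]*auth[[:space:]].*pam_sss\.so' "$f"; then
        echo "pam: no 'auth ... pam_sss.so' line in $f"; rc=1
    fi
    return $rc
}

# check_sssd FILE: the domain section must set ldap_schema = rfc2307bis
# (FreeIPA stores membership in 'member' attributes, which the rfc2307
# default ignores) and must keep krb5_realm, since SSSD does not discover
# the realm from DNS.
check_sssd() {
    f=$1; rc=0
    schema=$(sed -n 's/^[[:space:]]*ldap_schema[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
    if [ "$schema" != "rfc2307bis" ]; then
        echo "sssd: ldap_schema is '${schema:-unset (defaults to rfc2307)}', expected rfc2307bis"; rc=1
    fi
    if ! grep -qE '^[[:space:]]*krb5_realm[[:space:]]*=' "$f"; then
        echo "sssd: krb5_realm not set"; rc=1
    fi
    return $rc
}

# audit_client DIR: run all three checks on DIR/{nsswitch.conf,system-auth,
# sssd.conf}; the return value is the number of failed checks.
audit_client() {
    d=$1; failed=0
    check_nsswitch "$d/nsswitch.conf" || failed=$((failed+1))
    check_pam "$d/system-auth" || failed=$((failed+1))
    check_sssd "$d/sssd.conf" || failed=$((failed+1))
    return $failed
}

# make_sample DIR MODE: write constructed files. "broken" resembles what
# authconfig-tui left behind in the thread; "fixed" resembles the result of
# 'authconfig --enablesssd --enablesssdauth --update' plus ldap_schema.
make_sample() {
    d=$1; mode=$2; mkdir -p "$d"
    if [ "$mode" = broken ]; then
        printf 'passwd:     files ldap\ngroup:      files ldap\n' > "$d/nsswitch.conf"
        printf 'auth        sufficient    pam_krb5.so use_first_pass\naccount     [default=bad success=ok user_unknown=ignore] pam_krb5.so\n' > "$d/system-auth"
        printf '[sssd]\nservices = nss, pam\ndomains = default\n\n[domain/default]\nid_provider = ldap\nauth_provider = krb5\nldap_uri = _srv_\nkrb5_server = _srv_\n' > "$d/sssd.conf"
    else
        printf 'passwd:     files sss\ngroup:      files sss\n' > "$d/nsswitch.conf"
        printf 'auth        sufficient    pam_sss.so use_first_pass\naccount     [default=bad success=ok user_unknown=ignore] pam_sss.so\n' > "$d/system-auth"
        printf '[sssd]\nservices = nss, pam\ndomains = default\n\n[domain/default]\nid_provider = ldap\nauth_provider = krb5\nldap_uri = _srv_\nldap_schema = rfc2307bis\nkrb5_server = _srv_\nkrb5_realm = EXAMPLE.COM\n' > "$d/sssd.conf"
    fi
}

# Usage: audit both constructed samples.
tmp=$(mktemp -d)
make_sample "$tmp/broken" broken
make_sample "$tmp/fixed" fixed
audit_client "$tmp/broken"; echo "broken: $? check(s) failed"
audit_client "$tmp/fixed";  echo "fixed: $? check(s) failed"
rm -rf "$tmp"
```

On a real client, copy /etc/nsswitch.conf, /etc/pam.d/system-auth and /etc/sssd/sssd.conf into one directory and run `audit_client` on it; a non-zero status with the printed findings tells you which of the three files authconfig (or a hand edit) still needs to fix.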
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher wrote:
> On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
>> Hi,
>>
>> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher wrote:
>> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
>> >> Hi,
>> >>
>> >> I'm still running a FreeIPA 1.2 server but have started installing
>> >> Fedora 15 clients and am trying to figure out how to manually set up
>> >> the Krb/LDAP configuration.
>> >>
>> >> I've run the 'authconfig-tui' command and manually set up Krb
>> >> authentication and LDAP authorisation, using DNS discovery for the
>> >> servers. The authentication is working correctly, but when I run 'id
>> >> $USERNAME' I don't receive the correct groups, so I believe that
>> >> Kerberos is working, but the LDAP configuration is wrong. I've turned
>> >> the sssd loglevel up to 100, but I can't figure out why I'm not
>> >> getting the correct groups.
>> >>
>> >> My system has a variety of files and I'm not sure which are still in use:
>> >>
>> >> /etc/krb5.conf
>> >> /etc/pam_ldap.conf
>> >> /etc/sssd/sssd.conf
>> >>
>> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
>> >> this is not present on F15.
>> >>
>> >> Can anyone help me figure out how to get the group lookups working?
>> >
>> >
>> > Probably you need to add ldap_schema=rfc2307bis into the
>> > [domain/default] section of /etc/sssd/sssd.conf.
>> >
>> > If you just set authconfig up as an LDAP server, it defaults to
>> > ldap_schema = rfc2307, which uses a different attribute on the server to
>> > contain group memberships.
>>
>> Thanks, but I've tried both of those entries - it doesn't appear to
>> make any difference.
>>
>> Dan
>
>
> Could you attach your
> (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
> and /etc/pam.d/system-auth?

Attached, thanks. The only changes are domain names and 'dc=*' entries.

One thing that I just noticed: the system-auth file has pam_krb5.so
entries; previously, these were pam_sss.so - I've tried using both,
but neither appears to work.

Thanks,

Dan

[Attachments: nsswitch.conf, system-auth, krb5.conf, sssd.conf]
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
> Hi,
>
> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher wrote:
> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> >> Hi,
> >>
> >> I'm still running a FreeIPA 1.2 server but have started installing
> >> Fedora 15 clients and am trying to figure out how to manually set up
> >> the Krb/LDAP configuration.
> >>
> >> I've run the 'authconfig-tui' command and manually set up Krb
> >> authentication and LDAP authorisation, using DNS discovery for the
> >> servers. The authentication is working correctly, but when I run 'id
> >> $USERNAME' I don't receive the correct groups, so I believe that
> >> Kerberos is working, but the LDAP configuration is wrong. I've turned
> >> the sssd loglevel up to 100, but I can't figure out why I'm not
> >> getting the correct groups.
> >>
> >> My system has a variety of files and I'm not sure which are still in use:
> >>
> >> /etc/krb5.conf
> >> /etc/pam_ldap.conf
> >> /etc/sssd/sssd.conf
> >>
> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
> >> this is not present on F15.
> >>
> >> Can anyone help me figure out how to get the group lookups working?
> >
> >
> > Probably you need to add ldap_schema=rfc2307bis into the
> > [domain/default] section of /etc/sssd/sssd.conf.
> >
> > If you just set authconfig up as an LDAP server, it defaults to
> > ldap_schema = rfc2307, which uses a different attribute on the server to
> > contain group memberships.
>
> Thanks, but I've tried both of those entries - it doesn't appear to
> make any difference.
>
> Dan

Could you attach your
(sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
and /etc/pam.d/system-auth?
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
Hi,

On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher wrote:
> On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
>> Hi,
>>
>> I'm still running a FreeIPA 1.2 server but have started installing
>> Fedora 15 clients and am trying to figure out how to manually set up
>> the Krb/LDAP configuration.
>>
>> I've run the 'authconfig-tui' command and manually set up Krb
>> authentication and LDAP authorisation, using DNS discovery for the
>> servers. The authentication is working correctly, but when I run 'id
>> $USERNAME' I don't receive the correct groups, so I believe that
>> Kerberos is working, but the LDAP configuration is wrong. I've turned
>> the sssd loglevel up to 100, but I can't figure out why I'm not
>> getting the correct groups.
>>
>> My system has a variety of files and I'm not sure which are still in use:
>>
>> /etc/krb5.conf
>> /etc/pam_ldap.conf
>> /etc/sssd/sssd.conf
>>
>> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
>> this is not present on F15.
>>
>> Can anyone help me figure out how to get the group lookups working?
>
>
> Probably you need to add ldap_schema=rfc2307bis into the
> [domain/default] section of /etc/sssd/sssd.conf.
>
> If you just set authconfig up as an LDAP server, it defaults to
> ldap_schema = rfc2307, which uses a different attribute on the server to
> contain group memberships.

Thanks, but I've tried both of those entries - it doesn't appear to
make any difference.

Dan
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> Hi,
>
> I'm still running a FreeIPA 1.2 server but have started installing
> Fedora 15 clients and am trying to figure out how to manually set up
> the Krb/LDAP configuration.
>
> I've run the 'authconfig-tui' command and manually set up Krb
> authentication and LDAP authorisation, using DNS discovery for the
> servers. The authentication is working correctly, but when I run 'id
> $USERNAME' I don't receive the correct groups, so I believe that
> Kerberos is working, but the LDAP configuration is wrong. I've turned
> the sssd loglevel up to 100, but I can't figure out why I'm not
> getting the correct groups.
>
> My system has a variety of files and I'm not sure which are still in use:
>
> /etc/krb5.conf
> /etc/pam_ldap.conf
> /etc/sssd/sssd.conf
>
> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
> this is not present on F15.
>
> Can anyone help me figure out how to get the group lookups working?

Probably you need to add ldap_schema=rfc2307bis into the
[domain/default] section of /etc/sssd/sssd.conf.

If you just set authconfig up as an LDAP server, it defaults to
ldap_schema = rfc2307, which uses a different attribute on the server to
contain group memberships.
[Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
Hi,

I'm still running a FreeIPA 1.2 server but have started installing
Fedora 15 clients and am trying to figure out how to manually set up
the Krb/LDAP configuration.

I've run the 'authconfig-tui' command and manually set up Krb
authentication and LDAP authorisation, using DNS discovery for the
servers. The authentication is working correctly, but when I run 'id
$USERNAME' I don't receive the correct groups, so I believe that
Kerberos is working, but the LDAP configuration is wrong. I've turned
the sssd loglevel up to 100, but I can't figure out why I'm not
getting the correct groups.

My system has a variety of files and I'm not sure which are still in use:

/etc/krb5.conf
/etc/pam_ldap.conf
/etc/sssd/sssd.conf

On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
this is not present on F15.

Can anyone help me figure out how to get the group lookups working?

Thanks,

Dan