Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-30 Thread Jakub Hrozek 
On Fri, Aug 30, 2013 at 03:54:54PM +0200, Michał Dwużnik wrote:
> Ok, I somehow assumed certs are very much needed for ldaps...
> 

Well, for most operations the SSSD uses GSSAPI authentication. Only when
passwords are migrated, we do an LDAP bind with StartTLS.

> In the meantime, I set up a debian wheezy machine to try the freeipa-client
> from debs.
> 
> I managed to get working ipa-client (with a few quirks...- default nss
> database needed to be created) with packages from
> deb http://apt.numeezy.fr wheezy main
> deb-src http://apt.numeezy.fr wheezy main.
> So now I have a ready set of debian-like configs for wheezy, making it work
> with squeeze seems easier now (it comes with learning, too...)
> 
> I must admit ipa-client debug option is lovely as a step-by-step guide for
> trying by hand :>
> 
> Going back to thinking whether to try getting ipa on squeeze or getting the
> legacy software working with squeeze...
> (some of the scientists seem to be the happiest if the system is totally
> unchanged for some 20 years...).
> 
> 
> Regards
> Michal
> 
> PS:I do see hope for rooting out the last instance of NIS on the campus :>

Terminate it with extreme prejudice :-)

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-30 Thread Michał Dwużnik 
Ok, I somehow assumed certs are very much needed for ldaps...

In the meantime, I set up a debian wheezy machine to try the freeipa-client
from debs.

I managed to get working ipa-client (with a few quirks...- default nss
database needed to be created) with packages from
deb http://apt.numeezy.fr wheezy main
deb-src http://apt.numeezy.fr wheezy main.
So now I have a ready set of debian-like configs for wheezy, making it work
with squeeze seems easier now (it comes with learning, too...)

I must admit ipa-client debug option is lovely as a step-by-step guide for
trying by hand :>

Going back to thinking whether to try getting ipa on squeeze or getting the
legacy software working with squeeze...
(some of the scientists seem to be the happiest if the system is totally
unchanged for some 20 years...).


Regards
Michal

PS:I do see hope for rooting out the last instance of NIS on the campus :>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-30 Thread Jakub Hrozek 
On Thu, Aug 29, 2013 at 10:04:43PM -0400, Rob Crittenden wrote:
> Michał Dwużnik wrote:
> >Sorry for quick continuation...
> >
> >Certificate added to nss DB in /etc/pki
> >certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt
> >
> >sssd configured according to
> >http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
> >
> >How do I test now, before changing PAM options that the pieces fit together?
> 
> Perhaps exercise nss with:
> 
> % id admin
> % getent passwd admin
> % getent group admin
> 
> You can substitute admin for any IPA user or group.
> 
> And really you can skip the cert step if you want. Unless you have
> something that will use it we put a cert on the system as a
> convenience right now. There isn't currently anything using it by
> default.
> 
> rob

On the client, one piece of functionality where you need the cert are
password migrations from LDAP to IPA. I don't think that's your case,
though.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-29 Thread Rob Crittenden 

Michał Dwużnik wrote:

Sorry for quick continuation...

Certificate added to nss DB in /etc/pki
certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt

sssd configured according to
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

How do I test now, before changing PAM options that the pieces fit together?


Perhaps exercise nss with:

% id admin
% getent passwd admin
% getent group admin

You can substitute admin for any IPA user or group.

And really you can skip the cert step if you want. Unless you have 
something that will use it we put a cert on the system as a convenience 
right now. There isn't currently anything using it by default.


rob




(Sorry for being a bit too tired...)

M.


On Fri, Aug 30, 2013 at 1:49 AM, Michał Dwużnik
mailto:michal.dwuz...@gmail.com>> wrote:

Ok, going step by step I did the following on squeeze:

set up ntp, time synced with ipa server

test setup is done on
ipa.localdomain (server)
client.localdomain
(client on Scientific Linux 6.4, looks ok after ipa-client-install,
ssh works for test users tester and tester2)

client2.localdomain is the Debian Squeeze client

added host client2.localdomain on IPA server, added 'managedby', got
the keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2

most important part of /etc/krb5.conf:

[realms]
 LOCALDOMAIN = {
 kdc = ipa.localdomain
 admin_server = ipa.localdomain
 }

[domain_realm]
 .localdomain = LOCALDOMAIN
 localdomain = LOCALDOMAIN
 default_domain = localdomain

[libdefaults]
 default_realm = LOCALDOMAIN


The following lets me think the KRB5 part of the setup is done
correctly:

root@client2:/etc# kinit admin
Password for admin@LOCALDOMAIN:
root@client2:/etc# kdestroy
root@client2:/etc# kinit tester
Password for tester@LOCALDOMAIN:
root@client2:/etc# klis
-su: klis: command not found
root@client2:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tester@LOCALDOMAIN

Valid starting ExpiresService principal
08/30/13 00:35:50  08/31/13 00:35:47  krbtgt/LOCALDOMAIN@LOCALDOMAIN


root@client2:/etc# kpasswd tester
Password for tester@LOCALDOMAIN:
Enter new password:
Enter it again:
Password changed.


I guess that's the point of snapshotting 'KRB done' state (can I be
wrong?)

DNS for all the hosts involved is similar to:
root@client2:/etc# nslookup ipa
Server: 192.168.137.29
Address:192.168.137.29#53

Name:   ipa.localdomain
Address: 192.168.137.13

root@client2:/etc# nslookup 192.168.137.13
Server: 192.168.137.29
Address:192.168.137.29#53

13.137.168.192.in-addr.arpa name = ipa.localdomain.

Now I guess it's time for certificates, where I do have some doubts...

I've added the SSH host keys via web interface, now the cert part:

having generated the CSR afte creating the new database:

  certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
(in the /etc/pki dir) I paste the CSR and Issue the certificate for host

(/etc/pi contains newly created   cert8.db   key3.dbsecmod.db )

Which of those should be used to add the cert to?

(like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i
/|/path/to/|/ca.crt)

All of the tries result in:
root@client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA"
-t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
root@client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA"
-t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
root@client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA"
-t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.

Could someone show me my mistake?

Regards
Michal



On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik
mailto:michal.dwuz...@gmail.com>> wrote:

As for now I have set up a 'known good' client on RH based
distro, to get the feeling how the config files
look like when configured correctly.

Thanks for the nice reference

M.


On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden
mailto:rcrit...@redhat.com>> wrote:

Michał Dwużnik wrote:

Hi folks,

did anyone succeed in connecting such an old thing
recently to freeipa
server?

Is there a document (or an archive post) about
connecting a 'non ipa
aware' client step by step?
I got as far as woing Kerberos with no issues, hit a
wall with ldap part..


You might tr

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-29 Thread Michał Dwużnik 
Sorry for quick continuation...

Certificate added to nss DB in /etc/pki
certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt

sssd configured according to
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

How do I test now, before changing PAM options that the pieces fit together?


(Sorry for being a bit too tired...)

M.


On Fri, Aug 30, 2013 at 1:49 AM, Michał Dwużnik wrote:

> Ok, going step by step I did the following on squeeze:
>
> set up ntp, time synced with ipa server
>
> test setup is done on
> ipa.localdomain (server)
> client.localdomain
> (client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh
> works for test users tester and tester2)
>
> client2.localdomain is the Debian Squeeze client
>
> added host client2.localdomain on IPA server, added 'managedby', got the
> keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2
>
> most important part of /etc/krb5.conf:
>
> [realms]
> LOCALDOMAIN = {
> kdc = ipa.localdomain
> admin_server = ipa.localdomain
> }
>
> [domain_realm]
> .localdomain = LOCALDOMAIN
> localdomain = LOCALDOMAIN
> default_domain = localdomain
>
> [libdefaults]
> default_realm = LOCALDOMAIN
>
>
> The following lets me think the KRB5 part of the setup is done correctly:
>
> root@client2:/etc# kinit admin
> Password for admin@LOCALDOMAIN:
> root@client2:/etc# kdestroy
> root@client2:/etc# kinit tester
> Password for tester@LOCALDOMAIN:
> root@client2:/etc# klis
> -su: klis: command not found
> root@client2:/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: tester@LOCALDOMAIN
>
> Valid starting ExpiresService principal
> 08/30/13 00:35:50  08/31/13 00:35:47  krbtgt/LOCALDOMAIN@LOCALDOMAIN
>
>
> root@client2:/etc# kpasswd tester
> Password for tester@LOCALDOMAIN:
> Enter new password:
> Enter it again:
> Password changed.
>
>
> I guess that's the point of snapshotting 'KRB done' state (can I be wrong?)
>
> DNS for all the hosts involved is similar to:
> root@client2:/etc# nslookup ipa
> Server: 192.168.137.29
> Address:192.168.137.29#53
>
> Name:   ipa.localdomain
> Address: 192.168.137.13
>
> root@client2:/etc# nslookup 192.168.137.13
> Server: 192.168.137.29
> Address:192.168.137.29#53
>
> 13.137.168.192.in-addr.arpa name = ipa.localdomain.
>
> Now I guess it's time for certificates, where I do have some doubts...
>
> I've added the SSH host keys via web interface, now the cert part:
>
> having generated the CSR afte creating the new database:
>
>  certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
> (in the /etc/pki dir) I paste the CSR and Issue the certificate for host
>
> (/etc/pi contains newly created   cert8.db   key3.dbsecmod.db )
>
> Which of those should be used to add the cert to?
>
> (like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i */path/to/
> *ca.crt)
>
> All of the tries result in:
> root@client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA" -t
> CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
> root@client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA" -t
> CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
> root@client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA" -t
> CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
>
> Could someone show me my mistake?
>
> Regards
> Michal
>
>
>
> On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik 
> wrote:
>
>> As for now I have set up a 'known good' client on RH based distro, to get
>> the feeling how the config files
>> look like when configured correctly.
>>
>> Thanks for the nice reference
>>
>> M.
>>
>>
>> On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden wrote:
>>
>>> Michał Dwużnik wrote:
>>>
 Hi folks,

 did anyone succeed in connecting such an old thing recently to freeipa
 server?

 Is there a document (or an archive post) about connecting a 'non ipa
 aware' client step by step?
 I got as far as woing Kerberos with no issues, hit a wall with ldap
 part..

>>>
>>> You might try this: http://docs.fedoraproject.org/**
>>> en-US/Fedora/17/html/FreeIPA_**Guide/linux-manual.html
>>>
>>> rob
>>>
>>>
>>
>>
>> --
>> Michal Dwuznik
>>
>
>
>
> --
> Michal Dwuznik
>



-- 
Michal Dwuznik
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-29 Thread Michał Dwużnik 
Ok, going step by step I did the following on squeeze:

set up ntp, time synced with ipa server

test setup is done on
ipa.localdomain (server)
client.localdomain
(client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh
works for test users tester and tester2)

client2.localdomain is the Debian Squeeze client

added host client2.localdomain on IPA server, added 'managedby', got the
keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2

most important part of /etc/krb5.conf:

[realms]
LOCALDOMAIN = {
kdc = ipa.localdomain
admin_server = ipa.localdomain
}

[domain_realm]
.localdomain = LOCALDOMAIN
localdomain = LOCALDOMAIN
default_domain = localdomain

[libdefaults]
default_realm = LOCALDOMAIN


The following lets me think the KRB5 part of the setup is done correctly:

root@client2:/etc# kinit admin
Password for admin@LOCALDOMAIN:
root@client2:/etc# kdestroy
root@client2:/etc# kinit tester
Password for tester@LOCALDOMAIN:
root@client2:/etc# klis
-su: klis: command not found
root@client2:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tester@LOCALDOMAIN

Valid starting ExpiresService principal
08/30/13 00:35:50  08/31/13 00:35:47  krbtgt/LOCALDOMAIN@LOCALDOMAIN


root@client2:/etc# kpasswd tester
Password for tester@LOCALDOMAIN:
Enter new password:
Enter it again:
Password changed.


I guess that's the point of snapshotting 'KRB done' state (can I be wrong?)

DNS for all the hosts involved is similar to:
root@client2:/etc# nslookup ipa
Server: 192.168.137.29
Address:192.168.137.29#53

Name:   ipa.localdomain
Address: 192.168.137.13

root@client2:/etc# nslookup 192.168.137.13
Server: 192.168.137.29
Address:192.168.137.29#53

13.137.168.192.in-addr.arpa name = ipa.localdomain.

Now I guess it's time for certificates, where I do have some doubts...

I've added the SSH host keys via web interface, now the cert part:

having generated the CSR afte creating the new database:

 certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
(in the /etc/pki dir) I paste the CSR and Issue the certificate for host

(/etc/pi contains newly created   cert8.db   key3.dbsecmod.db )

Which of those should be used to add the cert to?

(like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i */path/to/*
ca.crt)

All of the tries result in:
root@client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA" -t
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
root@client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA" -t
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
root@client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA" -t
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.

Could someone show me my mistake?

Regards
Michal



On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik wrote:

> As for now I have set up a 'known good' client on RH based distro, to get
> the feeling how the config files
> look like when configured correctly.
>
> Thanks for the nice reference
>
> M.
>
>
> On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden wrote:
>
>> Michał Dwużnik wrote:
>>
>>> Hi folks,
>>>
>>> did anyone succeed in connecting such an old thing recently to freeipa
>>> server?
>>>
>>> Is there a document (or an archive post) about connecting a 'non ipa
>>> aware' client step by step?
>>> I got as far as woing Kerberos with no issues, hit a wall with ldap
>>> part..
>>>
>>
>> You might try this: http://docs.fedoraproject.org/**
>> en-US/Fedora/17/html/FreeIPA_**Guide/linux-manual.html
>>
>> rob
>>
>>
>
>
> --
> Michal Dwuznik
>



-- 
Michal Dwuznik
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-29 Thread Michał Dwużnik 
As for now I have set up a 'known good' client on RH based distro, to get
the feeling how the config files
look like when configured correctly.

Thanks for the nice reference

M.


On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden  wrote:

> Michał Dwużnik wrote:
>
>> Hi folks,
>>
>> did anyone succeed in connecting such an old thing recently to freeipa
>> server?
>>
>> Is there a document (or an archive post) about connecting a 'non ipa
>> aware' client step by step?
>> I got as far as woing Kerberos with no issues, hit a wall with ldap part..
>>
>
> You might try this: http://docs.fedoraproject.org/**
> en-US/Fedora/17/html/FreeIPA_**Guide/linux-manual.html
>
> rob
>
>


-- 
Michal Dwuznik
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-29 Thread Rob Crittenden 

Michał Dwużnik wrote:

Hi folks,

did anyone succeed in connecting such an old thing recently to freeipa
server?

Is there a document (or an archive post) about connecting a 'non ipa
aware' client step by step?
I got as far as woing Kerberos with no issues, hit a wall with ldap part..


You might try this: 
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] setting up a client on Debian squeeze

2013-08-29 Thread Michał Dwużnik 
Hi folks,

did anyone succeed in connecting such an old thing recently to freeipa
server?

Is there a document (or an archive post) about connecting a 'non ipa aware'
client step by step?
I got as far as woing Kerberos with no issues, hit a wall with ldap part..

Regards
Michal


-- 
Michal Dwuznik
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users