[Fedora-directory-users] New install with Admin Server issues
by Duncan McGreggor
Hey all,
I'm having some trouble with the Admin Server (web). First, some
details:
* This is my first experience with FDS
* I'm running Debian and followed the install instructions here:
http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu
* I created/installed the Debian package from fedora-ds-1.0.4-1.RHEL3.i386.opt.rpm
* I can run the java console application, login, create entries, etc.
* I'm a python coder, not a java one, so I have no idea about the
java stuff.
Here are the issues I am seeing:
1) clicking on the "help" buttons on the java console results in a
download dialog with the following message:
The file "help" is of type application/octet-stream...
2) Clicking the "Restart" button (admin tasks) on the java console
results in a 404
3) Attempting to visit the URL http://myhost:62332/ results in a
download dialog
4) If I download the file, open it and read it, it's a binary file.
The file begins with the following:
ELF
Re: [Fedora-directory-users] Can't connect to admin server as Directory Manager
by Bob Rossi
Could it be uninterruptible sleep? Just think about it.
> On Sat, Dec 23, 2006 at 05:18:42AM -0500, Mike Mueller wrote:
> > I just did a fresh install of FDS 1.0.4 on a Gentoo Linux workstation
> > (built manually, not from RPM). After running the setup script to
> > install it, everything appears to be working, except I can't login to
> > the admin console. I can connect to the server via the web browser on
> > my admin port (9419) and authenticate fine there.
> >
> > However, when I start the console up, I do:
> >
> > User ID: cn=Directory Manager
> > Password: <my password>
> > Administration URL: http://hostname.domain.com:9419/
> >
> > The dialog that I get says:
> >
> > "Cannot logon because of an incorrect User ID,
> > Incorrect password or Directory problem.
> >
> > HttpException
> > Response: HTTP/1.1 401 Authorization Required
> > Status: 401
> > URL: http://hostname.domain.com:9419/admin-serv/authenticate"
> >
> > I made sure that the admin server isn't configured to block any hosts
> > or IP addresses (set them both to '*' in the local.conf file).
> >
> > Here's what the error log says:
> >
> > [Sat Dec 23 05:09:46 2006] [notice] [client 192.168.2.1]
> > admserv_host_ip_check: ap_get_remote_host could not resolve
> > 192.168.2.1
> > [Sat Dec 23 05:09:46 2006] [error] [client 192.168.2.1] user
> > cn=Directory Manager not found: /admin-serv/authenticate
> >
> > How could the "cn=Directory Manager" user be not found? Doesn't it
> > always exist? Yes, I used the default name for this user when I ran
> > setup.
> >
> > Any input would be appreciated!
> >
> > Thanks,
> > Mike
>
[Fedora-directory-users] Re: Kerberos/Samba/LDAP? Was: FDS - using one password for Samba
by Howard Chu
> Date: Wed, 27 Dec 2006 10:01:42 -0800
> From: Jim Hogan <jimh(a)u.washington.edu>
> I have a brand-new Samba 3.x domain working with LDAP/FDS backend; this
> is just for my small (university) department of ~350 users. The
> university operates an overarching Kerberos realm. My best possible
> case would be to use that Kerberos realm for authentication/password but
> continue to maintain department LDAP for actual user/group
> authorization/rights. If I can get everything to use people's existing
> university password, that would be very sweet; failing that, I have to
> give out about 300 passwords in the next month :(
>
> I see the FDS Kerberos Howto, and it seems to make Kerberos integration
> pretty simple, but what is not clear to me is whether it is possible to
> pass this Kerberos authentication through to Samba clients. The few
> references I see to Samba-Kerberos integration modify the smb.conf with
> direct references to kerberos realm and keytab that would seem to result in:
>
> Samba ----> Kerberos
> _____ <---- ________
>
> where what I think I want is more like:
>
> Samba ----> LDAP ----> Kerberos
> _____ <---- ____ <---- ________
>
> (sorry for the awful ASCII!) where I retain "passdb backend =
> ldapsam:ldap://x.x.x.x" as the user/group store, but where LDAP refers
> to Kerberos for authn/passwd.
>
> I was going to pose this question to the Samba users list, but I thought
> there might be more value to ask first whether anyone has worked on this
> in a FDS context. Not to say anything bad about other LDAP servers, but
> I can sometimes find it hard to map integration discussions that use
> OpenLDAP examples to my situation.
>
> So, anyone on the list running a completely integrated
> Samba/FDS/Kerberos setup that references an overarching Kerberos realm?
You're confusing some of these steps. First of all, the direct Samba ->
Kerberos route is only talking about a very special case - an SMB client
with its own TGT, getting a service ticket from Kerberos for talking to
Samba. In this case, Samba uses Kerberos as the actual client
authentication mechanism. And as noted here:
http://www.mail-archive.com/samba@lists.samba.org/msg80208.html
this only works in Samba3 when Samba is talking to a real
Active Directory server.
When Samba is configured to talk directly to LDAP, it only uses it as a
data store, not as an authentication mechanism. In that case, it is
expecting to find sambaNTPassword or sambaLMPassword attributes in the
LDAP store, so that it can validate the authentication itself. As such,
your Samba -> LDAP -> Kerberos picture doesn't apply.
Currently the only way to have all of these things integrated in one
place is to use the OpenLDAP server with smbk5pwd module, with Heimdal
KDC using OpenLDAP as its data store, and Samba using OpenLDAP as its
data store. I've contributed code to the Fedora project to assist them
along these same lines but it's still missing secure ldapi:// support
and a few other things, so AFAIK OpenLDAP is the only solution at the
moment.
The only way you could set things up so that authentication works as you
want is if the clients send plaintext passwords over the wire. That's
obviously a bad idea to begin with, and for recent clients (W2K etc)
it's not even an option.
If your existing Kerberos KDC is not Heimdal, and you don't have the
option of migrating to Heimdal, then I think you're out of luck. I know
that there's preliminary support for LDAP in recent MIT releases, but my
experience with MIT Kerberos has been pretty unsatisfactory over the
years. They only recently took steps to make their library thread-safe,
and their library performance is still several times slower than
Heimdal's, making it unsuitable for busy sites. Even if you decided to
switch to using Heimdal integrated with LDAP, you still need the NTLM
keys, which you cannot derive from the Kerberos keys, so I think you're
looking at regenerating your ~300 passwords regardless.
Of course, there's always the brute force approach of running a password
cracker on the KDC database to try to guess the original plaintext. It's
a self-defeating activity but I've been cajoled into doing it in the
past. (It takes a long time, you may not successfully crack all the
accounts, and succeeding only means that your users have poorly chosen
passwords that they ought to change anyway.)
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
[Fedora-directory-users] Do any one know Solution
by Junaid
Can anyone help me? When I install FDS on FC4 and run startconsole, the following error occurs. Please tell me what to do to start the console.
The error is:
[root@fedorasix fedora-ds]# ./startconsole
GC Warning: Out of Memory! Returning NIL!
GC Warning: Out of Memory! Returning NIL!
Exception in thread "main" GC Warning: Out of Memory! Returning NIL!
java.lang.OutOfMemoryError
GC Warning: Out of Memory! Returning NIL!
*** Catastrophic failure while handling uncaught exception.
GC Warning: Out of Memory! Returning NIL!
[root@fedorasix fedora-ds]#
I am waiting for a reply. Thanks
[Fedora-directory-users] FDS - using one password for Samba and Linux accounts
by Saravana Kumar
Hi List,
I have FDS configured on the server. There are Windows and Linux clients in
our network. Windows users also have Linux.
Linux clients are authenticating to FDS. The Samba server is running on a
different server and refers to the FDS server (LDAP backend). For Windows I
had to create a separate password with smbpasswd -a username for each user,
which means the Samba password can be different from the Linux password. Also the
password policy doesn't apply to the smbpasswd I create.
Is there a way to use one password for both Windows and Linux logins?
TIA,
SK
[Fedora-directory-users] Fwd: Fedora-directory-users Digest, Vol 19, Issue 23
by Linux Kid
Reminder # 01
help me plz
Message: 2
Date: Wed, 20 Dec 2006 14:42:19 +0500
From: "Linux Kid" <khankhn2(a)gmail.com>
Subject: [Fedora-directory-users] help about RedHat Directory Server
To: fedora-directory-users(a)redhat.com
Message-ID:
<6bacfd1c0612200142h24edda9cs156c8c34cd9dd990(a)mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
I need help about how to users in Redhat Directory Server.
1. First add on a system with the command line [useradd] and then add in
RDS
2. First add in RDS and then with useradd, because I am getting this error.
[root@station4 ~]# su - ali
id: cannot find name for group ID 501
[ali@station4 ~]$
where station4 is the client, and the home directory of the RDS server is mounted here,
and that user is added on the server.
So why am I getting this error? Kindly waiting for a fast reply.
Regards
Linux Kid
[Fedora-directory-users] Password lockout and Account inactivation
by Ankur Agarwal
Hi,
In my application I need to implement password lockout (after 3 unsuccessful attempts) and account inactivation by admin. I am using the WebLogic security provider for authenticating my users residing in Red Hat LDAP. I have 2 questions:
1) Using the directory management console I have set the account to lock out after 3 login attempts. The account does get locked out, but I don't know which attribute gets set in the user profile to indicate this.
2) For account inactivation I am setting nsAccountLock=true. Is this correct?
When I am trying to login I always get the same exception, that login failed. Is there a mechanism so that I can identify why login failed, i.e. due to password lockout or account inactivation?
regards,
Ankur
[Fedora-directory-users] Replication multiple suffixes
by Jo De Troy
Hello,
I was wondering what the best way to set up multi-master replication is when
multiple suffixes exist on each supplier.
Should we first set up each supplier with the same root suffix in the
userRoot DB, then set up replication, then create the 2nd suffix in a
separate database and set up replication for this suffix ...
I'm currently trying to use the mmr script to set up replication without success.
I have 2 Fedora DS servers running, each with a different suffix in
their userRoot, and would like to set up replication to each other.
Thanks in advance,
Jo