Newbie - Cannot get FreeIPA client authentication working.
by patrick.mchale@nzx.com
Hi,
I have recently installed a Red Hat Linux client and server arrangement for FreeIPA and I just cannot get the system to work, i.e. the client authenticating with the server. I was wondering if I could get some help as I am struggling to get this system to work. I have done everything I know of to get the centralized authentication to work. When I try to log into the client that has been registered on the server, the system still lets me in. I don't know why the authentication on the client is not being managed by the server. Is there a good step-by-step guide that I could follow, as I really would like to get this working?
Regards
Patrick McHale
6 years, 9 months
IPA for public/private krb (kadmin) - no corresponding DNS A/AAAA record
by Pieter Baele
Hi,
Is there a correct way to set up a public/private design using IPA for Kerberos?
I am currently implementing Kerberos for our Hadoop cluster.
For communication between nodes, I use RFC 1918 addresses
This works properly, but adds a complexity for FreeIPA.
Hosts have a public interface which they use for IPA.
Ex. host/iictyibmls003.nix.infrabel.be@NIX.INFRABEL.BE (a 10.x.x.x IP)
For the private 172.16.x.x IP's, I made DNS zones (+reverse) as well,
Hadoop uses DNS a lot.
(.local, in this case adapted to the location)
Ex, iictyibcls002.nix.infrabel.be.bdmzlocal. resolves to 172.16.2.2
The problem: Hadoop now wants to create Kerberos service principals for the .local domain....
I have searched on the mailinglist and other resources, but I am not sure
what the proper 'IPA way' is.
Adding a principal alias does not work (as I expected) --> STDERR: ipa:
ERROR: The host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not exist to
add a service to.
And if I try to add a host first, using correct DNS records (A and PTR), this still results in
2017-07-11 06:57:27,072 - Failed to create principal, HTTP/iictyibcls002.nix.infrabel.be.bdmzlocal@NIX.INFRABEL.BE - Failed to create service principal for HTTP/iictyibcls002.nix.infrabel.be.bdmzlocal@NIX.INFRABEL.BE
STDOUT:
STDERR: ipa: ERROR: Host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not
have corresponding DNS A/AAAA record
Was there something about a (kadmin) override?
Thx a lot!
Pieter
6 years, 9 months
Re: [SSSD-users] Re: 1.15.3/1.16 release timeframe?
by Timo Aaltonen
On 31.05.2017 10:53, Jakub Hrozek wrote:
> On Wed, May 31, 2017 at 08:19:56AM +1000, Lachlan Musicman wrote:
>> Hi all,
>>
>> I noticed a while ago that 1.15.3 was versioned in the repo but I've not
>> seen anything released? I'm mostly looking on the COPR
>> (
>> https://pagure.io/SSSD/sssd/c/012ee7c3fe24a5e75d9b0465268c1bb8187b8337?br...
>> )
>>
>> This is purely selfish - I love all that you do, and I'm aware that there
>> has been some fairly comprehensive infrastructural change.
>>
>> I'm just waiting on that one fix and have no roadmap visibility :)
>
> Sorry, I agree our roadmap is not entirely clear.
>
> 1.15.3 will be released during June, most fixes planned for that release
> are either in or being reviewed.
FreeIPA 4.5.2 depends on a feature not available in 1.15.2, which feels a bit backwards, as it's a point release which I think should not depend on not-yet-released features..
--
t
6 years, 9 months
Re: krb won't failover to alternative servers
by pgb205
we have 4 servers for redundancy in krb5.conf
  kdc = server1
  kdc = server2
  kdc = server3
  kdc = server4
  master_kdc = server1
  master_kdc = server2
  master_kdc = server3
  master_kdc = server4
  admin_server = server1
  admin_server = server2
  admin_server = server3
  admin_server = server4
servers 1 and 2 are shut down. I am unable to get kinit <userid> to work until I comment their lines out and bounce sssd, however. So the failover isn't working as expected.
Is there anything I need to do to make this happen?
thank you
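Since the failover order depends on the order of the repeated kdc = lines in the realm stanza, a quick way to see what the client will actually try is to parse that stanza and walk the KDC list with a reachability probe. The following is an added example, not code from the post or from MIT Kerberos/SSSD; the krb5.conf text, the server names and the EXAMPLE.COM realm are constructed, and tcp_probe is an assumed helper (a plain TCP connect to port 88, not the full KDC exchange).

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample krb5.conf (not from the original post): four KDCs for one
# realm, listed in the order libkrb5 will try them when dns_lookup_kdc is off.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = false

[realms]
  EXAMPLE.COM = {
    kdc = server1.example.com
    kdc = server2.example.com
    kdc = server3.example.com
    kdc = server4.example.com
    master_kdc = server1.example.com
    admin_server = server1.example.com
  }
"""


def parse_realm_entries(conf_text: str, realm: str) -> Dict[str, List[str]]:
    """Return the repeated keys (kdc, master_kdc, admin_server, ...) of one
    realm stanza, preserving their order. configparser cannot be used here
    because krb5.conf legitimately repeats the same key several times."""
    entries: Dict[str, List[str]] = {}
    in_realms = False
    in_realm = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_realms = line == "[realms]"
            in_realm = False
            continue
        if not in_realms:
            continue
        opener = re.match(r"^(\S+)\s*=\s*\{$", line)
        if opener:
            in_realm = opener.group(1) == realm
            continue
        if line == "}":
            in_realm = False
            continue
        if in_realm and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries.setdefault(key, []).append(value)
    return entries


def tcp_probe(host: str, port: int = 88, timeout: float = 2.0) -> bool:
    """Assumed helper: True if a TCP connection to the KDC port succeeds.
    Only a coarse liveness check; a KDC can accept TCP and still fail."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable_kdc(kdcs: List[str], probe: Callable[[str], bool]) -> Optional[str]:
    """Walk the KDC list in configuration order and return the first host the
    probe reports as reachable, or None when every KDC is down."""
    for host in kdcs:
        if probe(host):
            return host
    return None


if __name__ == "__main__":
    realm = parse_realm_entries(SAMPLE_KRB5_CONF, "EXAMPLE.COM")
    print("configured kdc order:", realm.get("kdc"))
    # Simulated outage of the first two servers, mirroring the post's scenario.
    up = {"server3.example.com", "server4.example.com"}
    print("first usable kdc:", first_reachable_kdc(realm["kdc"], lambda h: h in up))
```

Swapping the simulated probe for tcp_probe turns this into a live check; if the third server answers on port 88 while kinit still fails, the problem is not the order of the kdc lines but something in the client's resolution or caching path.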
6 years, 9 months
FreeIPA and AD Trust - macOS cannot see AD trust users
by Louis Abel
Hello!
I created a FreeIPA domain (ipa.angelsofclockwork.net) and an Active Directory domain (ad.angelsofclockwork.net) and put them into a two-way trust with POSIX. I used these commands:
ipa-adtrust-install --enable-compat --add-agents
ipa trust-add --type=ad ad.angelsofclockwork.net --admin lmabel --password --two-way=true --range-type=ipa-ad-trust-posix
The users in AD have POSIX attributes assigned and those attributes are in the global catalog. My Linux clients can see the AD users when I do a getent passwd user@ad.angelsofclockwork.net. So this is working as intended.
http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12 - I used this guide to add our first Mac to FreeIPA rather than AD. This guide worked for the most part, but I cannot get it to see the users across the trust boundary. I'm sure I'm either missing something or the Mac's Open Directory utility doesn't support trusts like we would think it should.
[root@sani ~]# dscacheutil -q user -a name admin
name: admin
password: ********
uid: 931600000
gid: 931600000
dir: /Users/admin
shell: /bin/bash
gecos: Administrator
[root@sani ~]# dscacheutil -q user -a name louis.abel
[root@sani ~]# dscacheutil -q user -a name louis.abel@ad.angelsofclockwork.net
Anyone have any suggestions? Or will I have to just connect my Mac to AD and work with it that way? I was trying to avoid having to add it to AD, but it seems like I'm going to have to go that route, unless anyone has experience with getting it to work across trusts. From my research it seems others have tried to solve the 'trust' problem when there are two AD domains involved, not an IPA and an AD domain. So it seems like a Mac-specific problem perhaps.
6 years, 9 months
Re: FreeIPA - Active Directory integration and domain names
by Striker Leggette
Well, technically, I don't think IPA needs DNS entries simply for synchronization, so you could technically give it the same domain suffix. However, if you plan on using it for the purpose of clients to connect, it will need to be on its own domain.
The reason it is highly suggested for different domains to have different suffixes within DNS is because clients will 'dig' that domain for Kerberos and LDAP type records when looking for domain servers. Something like the below, for example:
# dig -t SRV _kerberos._tcp.EXAMPLE.COM.
If this returns both AD /and/ IPA servers, your clients will have a bad time.
Sent via carrier pigeons
-------- Original message --------
From: Striker Leggette via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Date: 6/14/17 8:12 PM (GMT-05:00)
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Striker Leggette <striker@terranforge.com>
Subject: [Freeipa-users] Re: FreeIPA - Active Directory integration and domain names
Yes
Sent via carrier pigeons
-------- Original message --------
From: bogusmaster--- via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Date: 6/14/17 6:06 AM (GMT-05:00)
To: freeipa-users@redhat.com
Cc: bogusmaster@o2.pl
Subject: [Freeipa-users] FreeIPA - Active Directory integration and domain names
Hi,
I have a question regarding establishing a one-way trust between FreeIPA and Active Directory. In the documentation it is stated that to use a cross-forest trust it is required for FreeIPA to have a different domain than that of Active Directory. Does it also apply to the synchronization scenario?
Thank you
Bart
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
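The "clients will have a bad time" situation above can be checked mechanically: run the dig query, then confirm that every SRV target for the realm belongs to the intended set of IPA servers. The script below is an added example, not part of the thread or of FreeIPA; the dig answer lines, the example.com names and the IPA_SERVERS inventory are constructed, and the parser accepts both the full answer-section format and the shorter dig +short format.

```python
from typing import Dict, List, NamedTuple, Set


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed dig answer (not a real capture): the realm's _kerberos SRV name
# resolves to two IPA servers and, by mistake, one AD domain controller.
SAMPLE_DIG_ANSWER = """
;; ANSWER SECTION:
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa1.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa2.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
"""

# Constructed dig +short output for a zone that only points at IPA.
SAMPLE_DIG_SHORT_CLEAN = """
0 100 88 ipa1.example.com.
0 100 88 ipa2.example.com.
"""

# Assumed inventory of the hosts that are supposed to serve this realm.
IPA_SERVERS: Set[str] = {"ipa1.example.com", "ipa2.example.com"}


def parse_srv_answer(text: str) -> List[SrvRecord]:
    """Parse SRV records from dig output, in the order a client would prefer
    them (lowest priority first, higher weight first within a priority)."""
    records: List[SrvRecord] = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 8 and fields[3] == "SRV":      # full answer section
            prio, weight, port, target = fields[4:8]
        elif len(fields) == 4 and fields[0].isdigit():   # dig +short form
            prio, weight, port, target = fields
        else:
            continue
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def classify_targets(records: List[SrvRecord], ipa_servers: Set[str]) -> Dict[str, List[str]]:
    """Split SRV targets into the expected IPA servers and anything else."""
    expected = {s.lower() for s in ipa_servers}
    return {
        "ipa": [r.target for r in records if r.target in expected],
        "foreign": [r.target for r in records if r.target not in expected],
    }


def srv_set_is_mixed(text: str, ipa_servers: Set[str]) -> bool:
    """True when the realm's SRV answer points at IPA and non-IPA hosts at once,
    which is exactly the case the post warns about."""
    groups = classify_targets(parse_srv_answer(text), ipa_servers)
    return bool(groups["ipa"]) and bool(groups["foreign"])


if __name__ == "__main__":
    for label, answer in (("mixed", SAMPLE_DIG_ANSWER), ("clean", SAMPLE_DIG_SHORT_CLEAN)):
        groups = classify_targets(parse_srv_answer(answer), IPA_SERVERS)
        print(label, groups, "MIXED" if srv_set_is_mixed(answer, IPA_SERVERS) else "ok")
```

Feeding it the output of dig -t SRV _kerberos._tcp.EXAMPLE.COM. (and the matching _ldap._tcp name) gives a yes/no answer on whether the two directories share an SRV namespace; a non-empty "foreign" list is the finding to act on.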
6 years, 9 months
Failed to retrieve entry 32
by wenxing zheng
Dear all,
I ran into an issue when doing LDAP authentication on Kylin. My FreeIPA works with Ranger very well, but on Kylin, when binding the DN with the admin, it fails to connect to the LDAP server:
[05/Jul/2017:11:16:32 +0800] ipalockout_preop - [file ipa_lockout.c, line
756]: Failed to retrieve entry "uid=admin,cn=users,cn=accounts,dc=dat...":
32
[05/Jul/2017:11:16:32 +0800] ipalockout_preop - [file ipa_lockout.c, line
756]: Failed to retrieve entry "uid=admin,cn=users,cn=accounts,dc=dat...":
32
I'd appreciate any hints.
Regards, Wenxing
6 years, 9 months
FreeIPA Multitenancy
by Winfried de Heiden
Hi all,
There's a nice little article on http://www.freeipa.org/page/V3/Multitenancy:
Multi-tenancy is an aspect of Identity Management (IdM) where multiple parties use the same resource without learning any information about each other. The example is two rival companies who both operate servers hosted in a public cloud. Neither company should be aware of the existence of the other's users' presence in the web using, and they definitely should not be able to enumerate either the users or the hosts of the other company due to information leaks inside the cloud services.
The article is rather old and multitenancy seems not to be possible in FreeIPA 4.x.
Is there any progress on this, or any future plans? Multitenancy for IPA would be a very nice feature!
Kind regards,
Winfried
6 years, 9 months