I’m trying to integrate the “NAS Server” on our Dell EMC Unity with our FreeIPA server so we can secure our NFS shares. Our FreeIPA server is a run-of-the-mill setup; we don’t have any special configuration.
The Dell EMC Unity NAS configuration dialog is asking for the following:
    Realm:
    KDC Servers:
    Port:
    Base DN:
    Custom Principal:
    Custom Principal password:
    Keytab
You can get a better visual from these screenshots. https://imgur.com/a/H6pWemL
Info about the environment (I switched example.com in for our regular domain, but it is a direct replacement). ny.example.com is my main domain/realm (i.e. NY.EXAMPLE.COM). My other domain is la.example.com. My KDCs (IPA servers) are ipa.ny.example.com and ipa.la.example.com; they are replicas. The Dell EMC Unity NAS server I am setting up will be nfssrv.la.example.com.
So this is what I did. In FreeIPA I created a new host manually through the GUI.
Principal alias: nfssrv.la.example.com@NY.EXAMPLE.COM
I then created a new service for that host through the GUI:
nfs/nfssrv.la.example.com@NY.EXAMPLE.COM
I then went onto the FreeIPA server and generated a keytab:
    ipa-getkeytab -s ipa.ny.example.com -p nfs/nfssrv.la.example.com@NY.EXAMPLE.COM -k /tmp/nfssrv.keytab -P <entered passwd>
The principal from the ipa-getkeytab command and the password I supplied to it are what I entered in the Dell EMC Unity dialogs.
However, when I do all of this, I keep getting errors in the Dell EMC Unity log stating:
    “In the NAS server nfssrv.la.example.com, ONE LDAP server for Domain ny.example.com goes back from failure.”
    “LDAP client settings on NAS server nfssrv.la.example.com are not valid within domain ny.example.com”.
So the questions I have are:
1) Am I generating the keytab appropriately?
2) Am I supplying the correct information to the “Specify Custom principal” / “Principal” fields with the principal of the actual server?
3) The last thing I am unsure about is the “Retrieve Current Schema”. This schema was automatically generated. It states it is for the Fedora Directory Service, so I assumed that was correct since I’m using CentOS with FreeIPA. I haven’t changed anything in the schema (at least that I’m aware of). Is there any way to validate this?
If anyone can provide any advice/suggestions I would greatly appreciate it.
The following is the “Current Schema” listed in the LDAP section:

    # -----------------------------------------------------------------------------
    # This template was automatically generated by the EMC Nas server
    # - Adjustments could be required to fit your specific LDAP configuration.
    # - The following setup fits the Fedora Directory service schema.
    # Containers
    nss_base_passwd ou=people,dc=ny,dc=example,dc=com
    nss_base_group ou=group,dc=ny,dc=example,dc=com
    nss_base_hosts ou=hosts, dc=ny,dc=example,dc=com
    nss_base_netgroup ou=netgroup,dc=ny,dc=example,dc=com
    # - The parameter fast_search allows fast search encoding to boost performances with big LDAP repositories.
    # The parameter is set to 1 by default on this configuration,
    # Some issue could occurs on Microsoft Active Directory server.
    # If you encounter some issue on LDAP lookup, set the value of the parameter to 0
    fast_search 1
-Kevin
At first glance, it looks like you're doing 1 and 2 correctly. But I'll leave that up to someone else to point that out.
As for number 3, those settings are incorrect. What it should look like is this:
    nss_base_passwd cn=users,cn=accounts,dc=ny,dc=example,dc=com
    nss_base_group cn=groups,cn=accounts,dc=ny,dc=example,dc=com
    nss_base_hosts cn=computers,cn=accounts,dc=ny,dc=example,dc=com
    nss_base_netgroup cn=ng,cn=alt,dc=ny,dc=example,dc=com
Thanks Louis! Will be trying this as soon as I get in on Monday (no remote access). If I wanted to validate my configuration how do I go about getting this information out of my FreeIPA installation?
Since the EMC by default includes the schema I attached is it old/out of date or is it for something entirely different?
I was under the impression that FreeIPA includes the 389 Directory Service and that Fedora Directory Service, 389 Directory Service, and FreeIPA Directory Service were all synonymous.
I'll post back Monday with results. Thanks again.
-Kevin
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
A lot of products from vendors actually make an assumption about the base layout of an LDAP installation and configuration, since for the most part they get configured the same way over and over. If you were to set up 389ds by itself, yes, ou=people,dc=ny,dc=example,dc=com would likely be valid. While FreeIPA does use 389ds, it sets up its tree in a very specific manner.
Here's an example of what the base layout looks like (while also showing you how to get this information using ldapsearch):
    [label@ipa01 ~]$ kinit label
    Password for label@EXAMPLE.NET:
    [label@ipa01 ~]$ ldapsearch -LLLY GSSAPI -s one dn
    SASL/GSSAPI authentication started
    SASL username: label@EXAMPLE.NET
    SASL SSF: 256
    SASL data security layer installed.
    dn: cn=compat,dc=example,dc=net
    dn: ou=sudoers,dc=example,dc=net
    dn: cn=accounts,dc=example,dc=net
    dn: cn=alt,dc=example,dc=net
    dn: cn=automount,dc=example,dc=net
    dn: cn=hbac,dc=example,dc=net
    dn: cn=sudo,dc=example,dc=net
    dn: cn=etc,dc=example,dc=net
    dn: cn=selinux,dc=example,dc=net
    dn: cn=ca,dc=example,dc=net
    dn: cn=pbac,dc=example,dc=net
    dn: cn=kerberos,dc=example,dc=net
    dn: ou=profile,dc=example,dc=net
    dn: cn=provisioning,dc=example,dc=net
    dn: cn=otp,dc=example,dc=net
    dn: cn=radiusproxy,dc=example,dc=net
    dn: cn=trusts,dc=example,dc=net
    dn: cn=certmap,dc=example,dc=net
    dn: cn=dns,dc=example,dc=net
All accounts live under cn=accounts by default. You'll end up seeing users, groups, host groups, computer accounts down further.
    [label@ipa01 ~]$ ldapsearch -LLLY GSSAPI -s one -b 'cn=accounts,dc=example,dc=net' dn
    SASL/GSSAPI authentication started
    SASL username: label@EXAMPLE.NET
    SASL SSF: 256
    SASL data security layer installed.
    dn: cn=users,cn=accounts,dc=example,dc=net
    dn: cn=groups,cn=accounts,dc=example,dc=net
    dn: cn=services,cn=accounts,dc=example,dc=net
    dn: cn=computers,cn=accounts,dc=example,dc=net
    dn: cn=hostgroups,cn=accounts,dc=example,dc=net
    dn: cn=cosTemplates,cn=accounts,dc=example,dc=net
    dn: cn=roles,cn=accounts,dc=example,dc=net
    dn: cn=views,cn=accounts,dc=example,dc=net
Thanks much! I just tried this and sure enough everything came alive and started working as soon as I changed the scheme to what Louis posted in his first post.
The only other thing that I will note is that the Dell EMC seems to hard-code what is entered for the REALM into the SPN (Service Principal Name). So, for example, I wanted to put this machine in as ds1.la.example.com@NY.EXAMPLE.COM; however, when I typed in the host name it automatically put the machine in as ds1.ny.example.com@NY.EXAMPLE.COM with no way to change it. If I changed what I typed into the REALM, it changed the SPN, but obviously that’s not correct.
I had the host name in my FreeIPA system as I intended, not as the Dell EMC forces on you, so it wouldn’t authenticate correctly. As soon as I changed the machine to what Dell EMC puts as the SPN (it’s a grey box that you can’t change), it started working.
Also thank you Alexander for the information on the differences in the 389 DS deployment variants and the explanation on how to get that information.
This seems to be fixed now! Thanks again.
-Kevin
On Mon, 09 Sep 2019, Kevin Vasko via FreeIPA-users wrote:
> Thanks much! I just tried this and sure enough everything came alive and started working as soon as I changed the schema to what Louis posted in his first post.
> The only other thing that I will note is that the Dell EMC seems to hard-code what is entered for the REALM into the SPN (Service Principal Name). So, for example, I wanted to put this machine in as ds1.la.example.com@NY.EXAMPLE.COM; however, when I typed in the host name it automatically put the machine in as ds1.ny.example.com@NY.EXAMPLE.COM with no way to change it. If I changed what I typed into the REALM, it changed the SPN, but obviously that’s not correct.
It is not an SPN problem. I guess the Dell EMC box assumes you are dealing with an AD-like environment. In AD each machine belongs to exactly one AD domain, and there AD domain = realm. So, if you are in EXAMPLE.COM, your machine is in the .example.com DNS domain (where else could it be? :).
This is what we call the 'primary domain' in FreeIPA.
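As an added example (not code from the thread, from Dell EMC or from FreeIPA), the following Python script turns Alexander's point into a check you can run before touching the appliance: it models the principal an AD-style box derives when it assumes DNS domain == realm (host label plus the realm lower-cased, which is my inference from what Kevin reported, not documented vendor behaviour), parses `klist -kt` output for the keytab produced by ipa-getkeytab, and reports whether the two agree. The klist text is constructed to mirror the thread's keytab; the function names are mine.

```python
import re

# Constructed `klist -kt` output for the keytab from the original post (not a real capture).
KLIST_SAMPLE = """\
Keytab name: FILE:/tmp/nfssrv.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 09/06/2019 22:10:11 nfs/nfssrv.la.example.com@NY.EXAMPLE.COM
   1 09/06/2019 22:10:11 nfs/nfssrv.la.example.com@NY.EXAMPLE.COM
   1 09/06/2019 22:10:11 nfs/nfssrv.la.example.com@NY.EXAMPLE.COM
   1 09/06/2019 22:10:11 nfs/nfssrv.la.example.com@NY.EXAMPLE.COM
"""

# One row per encryption type: kvno first, optional "date time", principal last.
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\S+\s+)?(\S+@\S+)\s*$")


def appliance_principal(service, hostname, realm):
    """Principal an AD-style appliance derives when it assumes DNS domain == realm.

    Assumption modelled on Kevin's report: it keeps only the host label and
    appends the realm, lower-cased, as the DNS domain."""
    label = hostname.split(".")[0]
    return f"{service}/{label}.{realm.lower()}@{realm}"


def parse_klist_keytab(text):
    """Map each principal in `klist -kt` (or `klist -k`) output to the set of KVNOs present."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def diagnose(klist_text, service, hostname, realm):
    """Compare the principal the appliance will present with what the keytab holds."""
    wanted = appliance_principal(service, hostname, realm)
    have = parse_klist_keytab(klist_text)
    return {
        "appliance_presents": wanted,
        "keytab_has_it": wanted in have,
        "keytab_principals": sorted(have),
    }


def getkeytab_command(server, principal, path, password_prompt=False):
    """Build the ipa-getkeytab call; -P keys from a typed password, otherwise random keys."""
    cmd = ["ipa-getkeytab", "-s", server, "-p", principal, "-k", path]
    if password_prompt:
        cmd.append("-P")
    return cmd


if __name__ == "__main__":
    report = diagnose(KLIST_SAMPLE, "nfs", "nfssrv.la.example.com", "NY.EXAMPLE.COM")
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["keytab_has_it"]:
        print("re-key with:", " ".join(getkeytab_command(
            "ipa.ny.example.com", report["appliance_presents"], "/tmp/nfssrv.keytab")))
```

Whatever principal the appliance presents is the one that has to exist as a service in FreeIPA and in the keytab; in the thread that meant renaming the host to the name the grey box showed. Two caveats on ipa-getkeytab itself: `-P` derives the key from a password typed into both sides, whereas omitting it produces random keys, which is the better choice when the appliance accepts a keytab file (the Unity dialog has a Keytab field); and every run without `-r` generates new keys, invalidating any keytab previously issued for that principal.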
To close the loop: Kevin wrote a how-to article on integrating a Dell EMC Unity box with FreeIPA: https://www.freeipa.org/page/Howto/Integrating_Dell_EMC_Unity
Thanks!
On Sat, 07 Sep 2019, Kevin Vasko via FreeIPA-users wrote:
> Thanks Louis! Will be trying this as soon as I get in on Monday (no remote access). If I wanted to validate my configuration, how do I go about getting this information out of my FreeIPA installation?
> Since the EMC by default includes the schema I attached, is it old/out of date or is it for something entirely different?
> I was under the impression that FreeIPA includes the 389 Directory Service and that Fedora Directory Service, 389 Directory Service, and FreeIPA Directory Service were all synonymous.
While the software is the same, the way the LDAP tree is arranged is specific to a particular deployment design. FreeIPA deployments use a tree arrangement that does not use organizational units.
In FreeIPA there is a flat subtree per object type. This means that all objects of that type are placed in the same subtree. All users are in cn=users,cn=accounts, while all groups are in cn=groups,cn=accounts.
In their turn, these subtrees are subtrees of the main tree suffix, which we always call $SUFFIX or $BASEDN (base DN); it is always a sequence of dc=... components from your primary domain/realm:
example.com -> dc=example,dc=com
Louis is correct with the subtrees, please use that arrangement.
If you want to know all subtrees for each object type, you can use IPA command line tool to discover that:
    ipa env basedn
    ipa env | grep container_
You can ask the tool 'ipa env' for a value of a specific variable by its name or just list all of them and grep by some substring like above.
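The layout Louis listed and the `ipa env` discovery Alexander describes can be wired together into one check. This is an added example, not code from the thread or from FreeIPA: it parses `ipa env` output for the base DN and the four containers the NAS template needs, renders the nss_base_* lines, and flags a template that still carries the vendor's generic ou=people layout. The `ipa env` text below is constructed to mirror a default FreeIPA server (container names are FreeIPA's defaults; the values on your own server are authoritative), the template is the one from the original post, and the function names are mine.

```python
import re

# Constructed output of `ipa env basedn container_user container_group container_host container_netgroup`
# on a default FreeIPA server, using the thread's NY.EXAMPLE.COM suffix.
IPA_ENV_SAMPLE = """\
  basedn: dc=ny,dc=example,dc=com
  container_group: cn=groups,cn=accounts
  container_host: cn=computers,cn=accounts
  container_netgroup: cn=ng,cn=alt
  container_user: cn=users,cn=accounts
"""

# Template exactly as the NAS generated it in the original post (wrong for FreeIPA).
VENDOR_TEMPLATE = """\
# - The following setup fits the Fedora Directory service schema.
# Containers
nss_base_passwd ou=people,dc=ny,dc=example,dc=com
nss_base_group ou=group,dc=ny,dc=example,dc=com
nss_base_hosts ou=hosts, dc=ny,dc=example,dc=com
nss_base_netgroup ou=netgroup,dc=ny,dc=example,dc=com
fast_search 1
"""

# Which `ipa env` container feeds which nss_base_* key in the NAS template.
KEY_MAP = {
    "nss_base_passwd": "container_user",
    "nss_base_group": "container_group",
    "nss_base_hosts": "container_host",
    "nss_base_netgroup": "container_netgroup",
}


def parse_ipa_env(text):
    """Parse `name: value` lines from `ipa env` output into a dict."""
    env = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.*)$", line)
        if m:
            env[m.group(1)] = m.group(2).strip()
    return env


def normalize_dn(dn):
    """Lower-case and strip blanks around RDN separators so 'ou=hosts, dc=x' equals 'ou=hosts,dc=x'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def expected_nss_bases(env):
    """nss_base_* -> DN as FreeIPA actually lays it out: container relative to basedn."""
    return {key: normalize_dn(f"{env[container]},{env['basedn']}")
            for key, container in KEY_MAP.items()}


def parse_template(text):
    """Read 'key value' lines from an EMC-style template, skipping comments and blanks."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def check_template(template_text, env_text):
    """Return {key: (found, expected)} for each nss_base_* line that does not match FreeIPA's tree."""
    expected = expected_nss_bases(parse_ipa_env(env_text))
    found = parse_template(template_text)
    return {k: (found.get(k), exp) for k, exp in expected.items()
            if normalize_dn(found.get(k, "")) != exp}


def render_template(env_text):
    """The four nss_base_* lines to paste into the NAS 'Current Schema' box."""
    return "\n".join(f"{k} {v}" for k, v in expected_nss_bases(parse_ipa_env(env_text)).items())


if __name__ == "__main__":
    for key, (got, want) in check_template(VENDOR_TEMPLATE, IPA_ENV_SAMPLE).items():
        print(f"{key}: template has {got!r}, FreeIPA uses {want!r}")
    print("\nCorrected lines:\n" + render_template(IPA_ENV_SAMPLE))
```

Run it against the real `ipa env` output from your server rather than the sample; if your deployment ever overrides a container (the values are FreeIPA configuration, not constants), the rendered lines follow the override, which a hand-copied template would not.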