Access issues with SSH/IPA
by John Bowman
So yesterday we upgraded our older IPA 3.x servers (RHEL 6.8) to the latest
and greatest (RHEL 6.9), and it seemed to be working as expected. Came in
the next day and the older IPA 4.2 server (RHEL 7.2) was having issues, so I
thought it would be a good time to patch it up to the latest (IPA 4.4 and RHEL
7.3). It seemed okay after it came back up, but after a little while hosts
configured to use IPA stopped allowing access via ssh.
I can explicitly put the patched-up 4.4 server in sssd.conf and I seem to be
able to log in via ssh, but when a server is pointing to one of the 3.x
servers it just gives me an access denied. The strange part is that some
accounts (like my test account) can log in to some servers via ssh and can
even sudo to root where available, regardless of which IPA server the host
is using.
Any help would be appreciated because I'm stumped on this one. Just let
me know what logs would be helpful in troubleshooting.
Thanks!
--
John Bowman
replication problem
by Adrian HY
Hi folks, I had a problem with replication and I tried to add the slave
back to the replica. The process stops in the initial replication phase.
The firewall and SELinux are down, and both servers' clocks are
synchronized.
Centos 7.3
Freeipa 4.4.0-14
*Master error log:*
[11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn=
meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication
bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning:
unable to acquire replica for total update, error: 49, retrying in 1
seconds.
[11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn=
meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication
bind with GSSAPI auth resumed
[11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning
total update of replica "agmt="cn=meTousuarios-replica.ipa.server.com"
(usuarios-replica:389)".
[11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn=
meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Failed to send
extended operation: LDAP error -1 (Can't contact LDAP server)
[11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn=
meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Received error
-1 (Can't contact LDAP server): for total update operation
[11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn=
meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Warning:
unable to send endReplication extended operation (Can't contact LDAP server)
[11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update
failed for replica "agmt="cn=meTousuarios-replica.ipa.server.com"
(usuarios-replica:389)", error (-11)
[11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn=
meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication
bind with GSSAPI auth resumed
[11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn=
meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote
replica has a different database generation ID than
the local database. You may have to reinitialize the remote replica, or
the local replica.
[11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn=
meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote
replica has a different database generation ID than
the local database. You may have to reinitialize the remote replica, or
the local replica.
*Client ipareplica-install.log:*
2017-06-11T05:24:24Z DEBUG stderr=
2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2017-06-11T05:24:24Z DEBUG flushing ldap://usuarios.ipa.server.com:389 from
SchemaCache
2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldap://
usuarios.ipa.server.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance
at 0x86909e0>
2017-06-11T05:24:24Z DEBUG Successfully updated nsDS5ReplicaId.
2017-06-11T05:24:24Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket from SchemaCache
2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440>
2017-06-11T05:24:46Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 449, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 439, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 416, in __setup_replica
repl.setup_promote_replication(self.master_fqdn)
File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1643, in setup_promote_replication
raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2017-06-11T05:24:46Z DEBUG [error] RuntimeError: Failed to start
replication
2017-06-11T05:24:46Z DEBUG Destroyed connection context.ldap2_101192976
2017-06-11T05:24:46Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
318, in run
cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
310, in run
self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
332, in execute
for nothing in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
372, in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
362, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
359, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
586, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
372, in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
449, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
446, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
362, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
359, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line
63, in _install
for nothing in self._installer(self.parent):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1722, in main
promote(self)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 372, in decorated
func(installer)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1423, in promote
promote=True, pkcs12_info=dirsrv_pkcs12_info)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 135, in install_replica_ds
api=remote_api,
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 401, in create_replica
self.start_creation(runtime=60)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 449, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 439, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 416, in __setup_replica
repl.setup_promote_replication(self.master_fqdn)
File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1643, in setup_promote_replication
raise RuntimeError("Failed to start replication")
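An added example, not from the original post or from the 389-ds/FreeIPA projects: a small parser that reads supplier-side 389-ds error log lines like the ones quoted above, groups the NSMMReplicationPlugin messages per replication agreement, and reports the event sequence and LDAP error codes together with a one-line diagnosis. The sample log is the post's own lines re-joined (the archive wrapped them); the event phrases are matched literally against the message text, and the diagnosis strings are this example's own summaries, not ns-slapd output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the supplier-side error log lines quoted in the post,
# re-joined onto one line each (the mailing-list archive wrapped them).
SAMPLE_ERROR_LOG = """\
[11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning: unable to acquire replica for total update, error: 49, retrying in 1 seconds.
[11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
[11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)".
[11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)
[11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
[11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
[11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update failed for replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)", error (-11)
[11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
[11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<plugin>\S+)\s+-\s+(?P<msg>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)"\s+\((?P<peer>[^)]+)\)')
ERR_RE = re.compile(r"\berror:?\s*\(?(-?\d+)")   # "error 49", "error: 49", "error (-11)"

# First matching phrase wins, so order matters.
EVENT_PHRASES = [
    ("Replication bind with GSSAPI auth failed", "bind_failed"),
    ("Replication bind with GSSAPI auth resumed", "bind_ok"),
    ("Beginning total update", "total_update_started"),
    ("Total update failed", "total_update_failed"),
    ("different database generation ID", "generation_mismatch"),
    ("Can't contact LDAP server", "peer_unreachable"),
]

def classify(msg):
    for phrase, event in EVENT_PHRASES:
        if phrase in msg:
            return event
    return "other"

def parse_error_log(text):
    """Yield one record per NSMMReplicationPlugin line; other plugins are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("plugin") != "NSMMReplicationPlugin":
            continue
        msg = m.group("msg")
        a = AGMT_RE.search(msg)
        e = ERR_RE.search(msg)
        yield {"ts": m.group("ts"),
               "agmt": a.group("agmt") if a else None,
               "peer": a.group("peer") if a else None,
               "event": classify(msg),
               "error": int(e.group(1)) if e else None}

def diagnose(s):
    """Example's own one-line reading of the per-agreement event counts."""
    ev = s["events"]
    if ev["generation_mismatch"]:
        return ("database generation IDs differ: re-initialize the consumer from this "
                "supplier (or vice versa) before replication can resume")
    if ev["bind_failed"] and not ev["bind_ok"]:
        return ("GSSAPI replication bind rejected (err 49): check the replication "
                "principal's credentials/keytab and clock skew")
    if ev["peer_unreachable"]:
        return "connection to the consumer dropped mid-update (err -1): check whether its ns-slapd restarted"
    return "no replication fault in this window"

def summarize(text):
    """Per agreement: peer, event counts, error codes in order, time window, diagnosis.
    Lines without an agmt="..." tag land under "(unattributed)"."""
    out = defaultdict(lambda: {"peer": None, "events": Counter(), "errors": [],
                               "first": None, "last": None})
    for rec in parse_error_log(text):
        s = out[rec["agmt"] or "(unattributed)"]
        s["peer"] = s["peer"] or rec["peer"]
        s["events"][rec["event"]] += 1
        if rec["error"] is not None:
            s["errors"].append(rec["error"])
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    for s in out.values():
        s["diagnosis"] = diagnose(s)
    return dict(out)

if __name__ == "__main__":
    for agmt, s in summarize(SAMPLE_ERROR_LOG).items():
        print(agmt, s["peer"], dict(s["events"]), s["errors"], "->", s["diagnosis"])
```

Run it over /var/log/dirsrv/slapd-*/errors on the master. For the posted log it reports the bind failure, the lost connection during the total update and, decisively, the generation-ID mismatch: the log itself states the remedy, which is to re-initialize one side from the other, so the re-install has to get through the total update before incremental replication can start.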
Apache authentication with Kerberos to IPA
by Ivars Strazdiņš
Hi,
my question is not directly related to IPA, but since IPA provides the underlying authentication services, I think it almost fits here.
I have an Apache WebDAV server that authenticates via Kerberos to IPA server.
Related configuration in Apache is:
AuthType Kerberos
# Essential for Windows clients to connect
KrbMethodNegotiate Off
KrbMethodK5Passwd On
KrbAuthRealms REALM
Krb5KeyTab /etc/httpd/conf/krb5.keytab
KrbServiceName HTTP
Require valid-user
I can log in with the IPA username (i.e. user) and with user@REALM.
But I also need to log in with the e-mail address, as user@domain, which does not work.
"domain" equals "REALM", but, naturally, domain is lowercase and REALM is uppercase.
I could not find any simple solution so far. I thought I could manipulate the username supplied by the user, and I tried to play with /etc/krb5.conf by adding auth_to_local statements, as below:
[realms]
REALM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
# experimenting to convert to uppercase
auth_to_local = RULE:[1:$1@$0](^.*@domain$)s/@domain/@REALM/
auth_to_local = DEFAULT
}
But this doesn't work, and it seems that it is not even tried by Apache/Kerberos.
Could you suggest any other solution, if this is possible to achieve at all?
One other way that might work is via the Apache module mod_map_user, but I could not compile it on CentOS 7.
Thanks for your time and kind regards,
Ivars
Query about the configuration on the High Availability of the FreeIPA
by wenxing zheng
Dear experts,
I have configured a FreeIPA server + a FreeIPA replica, which work as
expected. But now that I am coming to configure the client, how do I
specify the --server option for ipa-client-install?
Since FreeIPA is working in master + replica mode, I think that when we
are configuring the client we need to specify a "logical" server;
otherwise, how is the failover implemented?
Your hints are appreciated.
Kind Regards, Wenxing
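An added example, not from the original post or from the FreeIPA project: the [domain] section that ipa-client-install writes into /etc/sssd/sssd.conf when --server is given more than once (hostnames are assumed). SSSD itself does the failover: with `_srv_` first it discovers servers from the DNS SRV records of the domain and falls back to the listed names in order, so the client never needs a "logical" server name.

```ini
# Written by (hostnames illustrative):
#   ipa-client-install --domain example.com --server ipa1.example.com --server ipa2.example.com
# Add --fixed-primary to drop the _srv_ entry and pin the primary to the first listed server.
[domain/example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = example.com
ipa_hostname = client.example.com
# Failover list: DNS SRV discovery first, then the explicit servers in order.
ipa_server = _srv_, ipa1.example.com, ipa2.example.com
# Optional: servers SSSD only tries once every primary has failed.
ipa_backup_server = ipa3.example.com
```

Keep the SRV records for both servers correct in DNS; when `_srv_` is present, a stale or missing record is the usual reason a client keeps hammering a dead replica before it fails over.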
Re: FreeIPA - Active Directory integration and domain names
by Striker Leggette
Yes
Sent via carrier pigeons
-------- Original message --------
From: bogusmaster--- via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Date: 6/14/17 6:06 AM (GMT-05:00)
To: freeipa-users(a)redhat.com
Cc: bogusmaster(a)o2.pl
Subject: [Freeipa-users] FreeIPA - Active Directory integration and domain names
Hi,
I have a question regarding establishing one-way trust between FreeIPA
and Active Directory. In the documentation it is stated that to use a
cross-forest trust it is required for FreeIPA to have a different domain
than that of Active Directory. Does it also apply to the synchronization
scenario?
Thank you
Bart
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Re: IPA Compat + ID Views + AIX 7.1
by wouter.hummelink@kpn.com
Is there a way for the compat view to respond to both fully qualified and short uids? IBM seems to require that for the trust to work.
Sent from my Samsung device
-------- Original message --------
From: "Hummelink, Wouter" <wouter.hummelink(a)kpn.com>
Date: 22-05-17 15:46 (GMT+01:00)
To: freeipa-users(a)lists.fedorahosted.org
Subject: RE: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
Hi All,
We have our basic configuration working now; however, AD trusted users cannot log in. The system reports:
Can't retrieve attribute SYSTEM for NOUSER: No such file or directory
In the LDAP access logs we see AIX query user@<ad.domain> and directly after that <user> on slapd.
The same behavior happens with su, and that results in a session with empty HOME and SHELL variables (and an error report that you can't change directory to '').
The lsuser command does, however, return correct information about these users (IPA groups included).
[22/May/2017:15:14:10.074845110 +0200] conn=1046 op=75 SRCH base="cn=users,cn=aixtest,cn=views,cn=compat,dc=ipa,dc=domain" scope=2 filter="(&(objectClass=posixaccount)(uid=aduser@ad.domain))" attrs=ALL
[22/May/2017:15:14:10.076149098 +0200] conn=1046 op=75 RESULT err=0 tag=101 nentries=1 etime=0
[22/May/2017:15:14:10.099789298 +0200] conn=1046 op=76 SRCH base="cn=users,cn=aixtest,cn=views,cn=compat,dc=ipa,dc=domain" scope=2 filter="(&(objectClass=posixaccount)(uid=aduser))" attrs=ALL
[22/May/2017:15:14:10.110271957 +0200] conn=1046 op=76 RESULT err=0 tag=101 nentries=0 etime=0
From: freeipa-users-bounces(a)redhat.com [mailto:freeipa-users-bounces@redhat.com] On Behalf Of Bjarne Blichfeldt
Sent: Wednesday 17 May 2017 07:30
To: Luiz Fernando Vianna da Silva; freeipa-users(a)redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
Thank you for pointing that out.
I should of course have been more specific: native AIX sudo does not support LDAP, and therefore not sudo rules from LDAP, but it is possible
to install a different sudo version with LDAP enabled.
Unfortunately, in our case, using external RPMs is not an option.
Regards
Bjarne Blichfeldt.
From: Luiz Fernando Vianna da Silva [mailto:luiz.vianna@tivit.com.br]
Sent: 16 May 2017 16:43
To: Bjarne Blichfeldt <BJB(a)jndata.dk>; freeipa-users(a)redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
As far as I found out, it is not possible to integrate sudo rules from IPA into AIX. sudo on aix does not support that.
You will have to maintain /etc/sudoers by some other means.
That's where you are mistaken. It is possible to integrate sudo rules into AIX; I've done it and have documented it here: https://www.freeipa.org/page/SUDO_Integration_for_AIX
Give it a try, it's a fairly simple procedure.
P.S.
IBM has recently pimped the AIX toolbox RPMs and even implemented it as a YUM server. I haven't tried using these new RPMs yet to see if they work with the sudo integration.
If you want to keep it safe, use the perzl RPMs as I describe in the documentation. If you want, and I would appreciate it if you would, give the new RPMs from the toolbox a go, and if it works please update the documentation, or send me your notes and I'll update it.
Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
On 15-05-2017 02:53, Bjarne Blichfeldt wrote:
We have a working setup on three AIX servers, and by comparing our config with yours I see the following differences:
LDAP:
/etc/security/ldap/ldap.cfg :
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount
/etc/security/ldap/FreeIPAuser.map:
#FreeIPAuser.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configu...
keyobjectclass SEC_CHAR posixaccount s
# The following attributes are required by AIX to be functional
username SEC_CHAR uid s
id SEC_INT uidnumber s
pgrp SEC_CHAR gidnumber s
home SEC_CHAR homedirectory s
shell SEC_CHAR loginshell s
gecos SEC_CHAR gecos s
spassword SEC_CHAR userpassword s
lastupdate SEC_INT shadowlastchange s
/etc/security/ldap/FreeIPAgroup.map:
#FreeIPAgroup.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configu...
groupname SEC_CHAR cn s
id SEC_INT gidNumber s
users SEC_LIST member m
To test if LDAP is working:
ls-secldapclntd
lsldap -a passwd
lsuser -R LDAP ALL
KERBEROS:
/etc/methods.cfg:
KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
Add Kerberos to authorized authentication entities and verify:
chauthent -k5 -std
#Verify
lsauthent
Kerberos 5
Standard Aix
To test:
lsuser -R KRB5LDAP <someuser>
Configure AIX to create the home dir during login:
/etc/security/login.cfg:
mkhomeatlogin = true
usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd
maxlogins = 32767
logintimeout = 30
maxroles = 8
auth_type = STD_AUTH
mkhomeatlogin = true
Also remember: a user can be locked in AIX, so use smitty to unlock the user and reset login attempts.
As far as I found out, it is not possible to integrate sudo rules from IPA into AIX. sudo on AIX does not support that.
You will have to maintain /etc/sudoers by some other means.
Hope that helps, good luck.
Regards
Bjarne Blichfeldt.
From: wouter.hummelink(a)kpn.com [mailto:wouter.hummelink@kpn.com]
Sent: 12 May 2017 16:03
To: iulian.roman(a)gmail.com
Cc: freeipa-users(a)redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
Yes, kinit works with IPA users. GSSAPI authentication is not keeping it simple, since we want passwords to work before trying TGS-based logins over GSSAPI.
The keytab works, since lsuser is still able to get user data. (The documentation specifies that enabling krb5 in ldap.cfg makes the bind user and password moot; secldapclntd uses krb5 to identify itself to IPA.)
Also, we are able to kinit host/aixlpar.example.org(a)EXAMPLE.ORG -kt /etc/krb5/krb5.keytab
We can try using su from an unprivileged user, but su has some different issues altogether: it doesn't like @ in usernames, which we need at the next stage (integrating the AD trust).
From: Iulian Roman [mailto:iulian.roman@gmail.com]
Sent: Friday 12 May 2017 15:56
To: Hummelink, Wouter
Cc: luiz.vianna(a)tivit.com.br; freeipa-users(a)redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
On Fri, May 12, 2017 at 3:31 PM, <wouter.hummelink(a)kpn.com> wrote:
The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an issue for the ID view.
My advice would be to start simple, prove that your authentication works, and develop a more elaborate setup afterwards. If you combine them all together it will be trial and error, which will eventually work at some point.
Do you have the correct keytabs in /etc/krb5/krb5.keytab? Can you run kinit (with password and with the keytab) from AIX and get a ticket from Kerberos? Can you su to an IPA account? Do you have GSSAPIAuthentication enabled in sshd_config?
From what you've described I would suspect that your keytab is not correct, but that should be confirmed only by answering the questions above.
Sent from my Samsung device
-------- Original message --------
From: Luiz Fernando Vianna da Silva <luiz.vianna(a)tivit.com.br>
Date: 12-05-17 15:03 (GMT+01:00)
To: "Hummelink, Wouter" <wouter.hummelink(a)kpn.com>, freeipa-users(a)redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
Hello Wouter.
It may seem silly, but try installing bash on one AIX server and test authenticating against that one.
It's a single RPM with no dependencies. For me it did the trick, and I ended up doing that on all my AIX servers.
Let me know how it goes or if you have any issues.
Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
On 12-05-2017 09:47, wouter.hummelink(a)kpn.com wrote:
Hi All,
We're running a POC to integrate IPA and AIX using the AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own; however, logging in doesn't work, with SSH on AIX reporting "Failed password for user <xxx>".
We're using ID views to override the user shell and home dirs (since AIX will refuse a login with a nonexistent shell, like bash).
AIX's lsuser command is able to find all of the users it's supposed to, and su to IPA users works.
Also, when a user tries to log in I can see a successful Kerberos conversation with our IPA server.
Tips for troubleshooting would be much appreciated; increasing the SSH log level did not produce any meaningful logging.
=============== Configuration Excerpt ================================================================
/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}<redacted>
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
/etc/security/user default:
SYSTEM = KRB5LDAP or compat
/etc/methods.cfg
LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64
DCE:
program = /usr/lib/security/DCE
KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
KRB5LDAP:
options = auth=KRB5,db=LDAP
Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummelink(a)kpn.com
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
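An added example, not from the original thread or from the FreeIPA project: a correlator for 389-ds access log lines like the two SRCH/RESULT pairs Wouter posted. It pairs each SRCH with its RESULT by conn/op, pulls the uid out of the filter, and tabulates how many entries the compat view returned for the fully qualified and the short form of each name, so the pattern in the post (aduser@ad.domain found, aduser not found) can be confirmed across a whole log rather than by eye. The sample lines are the post's with the archive's "(a)" restored to "@", plus one constructed pair for a native IPA user added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the post's two SRCH/RESULT pairs (with "@" restored) and a
# third, invented pair for a native IPA user looked up by short name.
SAMPLE_ACCESS_LOG = """\
[22/May/2017:15:14:10.074845110 +0200] conn=1046 op=75 SRCH base="cn=users,cn=aixtest,cn=views,cn=compat,dc=ipa,dc=domain" scope=2 filter="(&(objectClass=posixaccount)(uid=aduser@ad.domain))" attrs=ALL
[22/May/2017:15:14:10.076149098 +0200] conn=1046 op=75 RESULT err=0 tag=101 nentries=1 etime=0
[22/May/2017:15:14:10.099789298 +0200] conn=1046 op=76 SRCH base="cn=users,cn=aixtest,cn=views,cn=compat,dc=ipa,dc=domain" scope=2 filter="(&(objectClass=posixaccount)(uid=aduser))" attrs=ALL
[22/May/2017:15:14:10.110271957 +0200] conn=1046 op=76 RESULT err=0 tag=101 nentries=0 etime=0
[22/May/2017:15:14:12.000000000 +0200] conn=1046 op=77 SRCH base="cn=users,cn=aixtest,cn=views,cn=compat,dc=ipa,dc=domain" scope=2 filter="(&(objectClass=posixaccount)(uid=ipauser))" attrs=ALL
[22/May/2017:15:14:12.001000000 +0200] conn=1046 op=77 RESULT err=0 tag=101 nentries=1 etime=0
"""

SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>.*)" attrs=(?P<attrs>\S+)$')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+) etime=(?P<etime>\S+)')
UID_RE = re.compile(r"\(uid=([^)]+)\)")

def correlate(text):
    """Pair each SRCH with its RESULT by (conn, op); one record per completed search.
    RESULT lines for other operations (BIND, MOD, ...) have no pending SRCH and are skipped."""
    pending, records = {}, []
    for line in text.splitlines():
        s = SRCH_RE.match(line)
        if s:
            u = UID_RE.search(s["filter"])
            pending[(s["conn"], s["op"])] = {**s.groupdict(), "uid": u.group(1) if u else None}
            continue
        r = RESULT_RE.match(line)
        if r:
            req = pending.pop((r["conn"], r["op"]), None)
            if req is None:
                continue
            req.update(err=int(r["err"]), nentries=int(r["nentries"]), etime=r["etime"])
            records.append(req)
    return records

def short_vs_qualified(records):
    """For each name looked up by uid, the entry count the compat view returned for
    the fully qualified (user@domain) and the short (user) form."""
    table = defaultdict(dict)
    for rec in records:
        if rec["uid"] is None:
            continue
        name, _, domain = rec["uid"].partition("@")
        table[name]["qualified" if domain else "short"] = rec["nentries"]
    return dict(table)

def unresolved(records):
    """Searches that came back empty: on AIX these are the lookups behind the
    NOUSER error and the empty HOME/SHELL the post describes."""
    return [(r["conn"], r["op"], r["uid"]) for r in records if r["nentries"] == 0]

if __name__ == "__main__":
    recs = correlate(SAMPLE_ACCESS_LOG)
    print(short_vs_qualified(recs))   # {'aduser': {'qualified': 1, 'short': 0}, 'ipauser': {'short': 1}}
    print(unresolved(recs))           # [('1046', '76', 'aduser')]
```

Feed it /var/log/dirsrv/slapd-*/access from the IPA server; a name that shows up with qualified=1 and short=0 is exactly the case AIX then treats as NOUSER, whereas native IPA users resolve on the short form alone.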
Hoping it is something simple - CA install error?
by Kat
Hi all,
Having a problem with a new server install on RHEL 7 -
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
30 seconds
[1/31]: creating certificate server user
[2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command '/usr/sbin/pkispawn -s CA -f
/tmp/tmphCcxuk' returned non-zero exit status 1
I have researched through "the google" with not much luck. Although I
see others who have had the problem, there seems to be no specific fix.
This is RHEL 7.3 in AWS and ipa-server-4.4.0-14.el7_3.7.x86_64
I have an exact duplicate of this in another VPC with no issues, so just
wondering if there are some places to look?
FreeIPA - Active Directory integration and domain names
by bogusmaster@o2.pl
Hi,
I have a question regarding establishing one-way trust between FreeIPA
and Active Directory. In the documentation it is stated that to use a
cross-forest trust it is required for FreeIPA to have a different domain
than that of Active Directory. Does it also apply to the synchronization
scenario?
Thank you
Bart
freeipa cluster. replication ok but "secondary" DNS not recognized as DNS role.
by Tiran Efrat
Hi, I set up a FreeIPA cluster a while ago and all records are replicated. The issue is that I found out the secondary DNS was probably configured as a caching DNS, as it's not recognized as a DNS role on the web GUI. How can I configure it to be a replica DNS role correctly (note that the original conf had listen-on 127.0.0.1, weird...)? Thanks, Tiran.
This is my secondary IPA named.conf:
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
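An added example, not from the original post, BIND or FreeIPA: a small audit of a named.conf like the one above. It strips comments, pulls the options block apart by brace counting, and reports whether the file carries the bind-dyndb-ldap block an IPA-managed DNS server has (dynamic-db or dyndb "ipa"), where named listens, and whether recursion is actually open to the world. The two sample configs are constructed: the first is the post's caching-only options block, the second an IPA-style file with illustrative dyndb arguments and allow-recursion opened deliberately.

```python
import re

# Constructed sample: the options block from the post's secondary named.conf,
# trimmed to the directives that matter here (comments kept as in the post).
SAMPLE_NAMED_CONF = """\
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
allow-query { any; };
/*
 - If you are building a RECURSIVE (caching) DNS server, you need to enable
   recursion.
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." IN {
type hint;
file "named.ca";
};
"""

# Constructed contrast: an IPA-managed file (bind-dyndb-ldap block; the dyndb
# arguments are illustrative only) with recursion opened to everyone.
SAMPLE_IPA_CONF = """\
options {
listen-on port 53 { 10.0.0.5; };
recursion yes;
allow-query { any; };
allow-recursion { any; };
};
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
uri "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
base "cn=dns,dc=example,dc=test";
};
"""

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)        # block comments
    return re.sub(r"^\s*(//|#).*$", "", text, flags=re.M)    # whole-line comments

def block_body(text, keyword):
    """Body of the first `keyword ... { ... }` statement, found by brace counting."""
    m = re.search(r"\b" + re.escape(keyword) + r"\b[^{;]*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None

def acl(body, directive):
    """Address list of `directive [port N] { a; b; };`, or None if the directive is absent."""
    m = re.search(r"\b" + re.escape(directive) + r"(?![\w-])[^{;]*\{([^}]*)\}", body)
    return [v.strip() for v in m.group(1).split(";") if v.strip()] if m else None

def audit_named_conf(conf):
    c = strip_comments(conf)
    opts = block_body(c, "options") or ""
    rec = re.search(r"\brecursion\s+(yes|no)\b", opts)
    # allow-recursion defaults to allow-query-cache, which defaults to
    # localnets;localhost (BIND 9.4+), so "allow-query { any; }" next to
    # "recursion yes" is not by itself an open resolver.
    allow_rec = acl(opts, "allow-recursion")
    if allow_rec is None:
        allow_rec = acl(opts, "allow-query-cache")
    report = {
        "ipa_managed": bool(re.search(r'\b(dynamic-db|dyndb)\s+"ipa"', c)),
        "listen_on": acl(opts, "listen-on"),          # None: all IPv4 interfaces
        "recursion": rec.group(1) if rec else "yes",  # BIND default is yes
        "allow_query": acl(opts, "allow-query"),      # None: any
        "allow_recursion": allow_rec,                 # None: localnets; localhost
    }
    report["open_resolver"] = (report["recursion"] == "yes"
                               and allow_rec is not None and "any" in allow_rec)
    return report

if __name__ == "__main__":
    print(audit_named_conf(SAMPLE_NAMED_CONF))
    print(audit_named_conf(SAMPLE_IPA_CONF))
```

On the post's file the audit reports no IPA dyndb block and listen-on unset (the stock 127.0.0.1 lines are commented out, so named now listens on every interface), which matches what the web UI shows: the host runs the stock caching resolver, not the IPA DNS role. The supported way to give the replica that role is to run ipa-dns-install on it, which writes the IPA named.conf, rather than editing this file by hand.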