Discussion:
[Freeipa-users] ipa-client-install failing on new ipa-server
Anthony Lanni
2015-03-25 01:17:46 UTC
While running ipa-server-install, it's failing out at the end with an error
regarding the client install on the server. This happens regardless of how
I input the options, but here's the latest command:

ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n
example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com
--forwarder=10.0.1.20 --forwarder=10.0.1.21
--reverse-zone=1.0.10.in-addr.arpa. -d

Runs through the entire setup and gives me this:

[...]
ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master
--unattended --domain example.com --server ldap-server-01.example.com
--realm EXAMPLE.COM --hostname ldap-server-01.example.com
ipa : DEBUG stdout=

ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ldap-server-01.example.com
BaseDN: dc=example,dc=com
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 2377, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 2363, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 2135, in install
delete_persistent_client_session_data(host_principal)
File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in
delete_persistent_client_session_data
kernel_keyring.del_key(keyname)
File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line
99, in del_key
real_key = get_real_key(key)
File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line
45, in get_real_key
(stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key],
raiseonerr=False)
File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295,
in run
close_fds=True, env=env, cwd=cwd)
File "/usr/lib64/python2.6/subprocess.py", line 642, in __init__
errread, errwrite)
File "/usr/lib64/python2.6/subprocess.py", line 1234, in _execute_child
raise child_exception
OSError: [Errno 8] Exec format error

ipa : INFO File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line
614, in run_script
return_value = main_function()

File "/usr/sbin/ipa-server-install", line 1103, in main
sys.exit("Configuration of client side components
failed!\nipa-client-install returned: " + str(e))

ipa : INFO The ipa-server-install command failed, exception:
SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install
--on-master --unattended --domain example.com --server
ldap-server-01.example.com --realm EXAMPLE.COM --hostname
ldap-server-01.advdc.com' returned non-zero exit status 1


Same details (without the debug messages, of course) in
/var/log/ipaserver-install.log. From ipaclient-install.log:
[...]
2015-03-24T23:15:26Z DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2015-03-24T23:15:26Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf'
doesn't exist
2015-03-24T23:15:26Z INFO New SSSD config will be created
2015-03-24T23:15:26Z INFO Configured /etc/sssd/sssd.conf
2015-03-24T23:15:26Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n
IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2015-03-24T23:15:26Z DEBUG stdout=
2015-03-24T23:15:26Z DEBUG stderr=
2015-03-24T23:15:26Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/
ldap-server-***@EXAMPLE.COM
2015-03-24T23:15:26Z DEBUG stdout=
2015-03-24T23:15:26Z DEBUG stderr=

I'm running on CentOS 6.5, FreeIPA 3.0.0.37

#> ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

I noticed that there's no host certificate for the server when I look at
the host details in the web interface.

thx
anthony
Dmitri Pal
2015-03-25 03:11:49 UTC
Post by Anthony Lanni
[...]
File "/usr/sbin/ipa-client-install", line 2377, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 2363, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 2135, in install
delete_persistent_client_session_data(host_principal)
File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in
delete_persistent_client_session_data
kernel_keyring.del_key(keyname)
File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py",
line 99, in del_key
real_key = get_real_key(key)
File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py",
line 45, in get_real_key
(stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE,
key], raiseonerr=False)
Is keyctl installed? Can you run it manually?
Any SELinux denials?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Martin Kosek
2015-03-25 12:34:58 UTC
Post by Dmitri Pal
[...]
Is keyctl installed? Can you run it manually?
Any SELinux denials?
You are likely hitting
https://fedorahosted.org/freeipa/ticket/3808

Please try installing keyutils before running ipa-server-install. It is fixed
in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
https://bugzilla.redhat.com/show_bug.cgi?id=1205660

Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Anthony Lanni
2015-03-25 17:59:34 UTC
keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
reinstalled keyutils and then ran the ipa-server-install again, and this
time it completed without error.

Thanks very much, Martin and Dmitri!

thx
anthony
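A pre-flight check for the failure above, added here as an example and not part of the thread or of FreeIPA: it verifies /bin/keyctl the way Dmitri's questions suggest (installed, runnable, no SELinux denial) and catches the zero-length binary Anthony found before ipa-server-install execs it. It assumes an RPM-based host such as the CentOS 6 server in the thread; the KEYCTL override and the function names are mine.

```shell
#!/bin/sh
# Pre-flight check for the keyutils dependency of ipa-client-install.
# The installer runs `keyctl search ...` through subprocess; the kernel
# answers "Exec format error" (errno 8) when the file it is asked to exec is
# zero-length, truncated, or built for another architecture. Checking the
# binary before ipa-server-install avoids a failed, half-configured server.

# check_exec_file PATH
# Returns 0 if PATH is a regular, non-empty, executable file that starts with
# a header the kernel can load (ELF magic or a #! interpreter line).
# Prints a one-line diagnosis and returns a distinct code for each failure.
check_exec_file() {
    f=$1
    [ -e "$f" ] || { echo "missing: $f"; return 1; }
    [ -f "$f" ] || { echo "not a regular file: $f"; return 1; }
    # -s is the test that would have caught the 0-byte /bin/keyctl in the thread
    [ -s "$f" ] || { echo "zero-length file: $f (reinstall the package)"; return 2; }
    [ -x "$f" ] || { echo "not executable: $f"; return 3; }
    # First four bytes as hex: an ELF binary starts 7f454c46, a script 2321 ("#!")
    magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46*|2321*) return 0 ;;
        *) echo "unrecognised executable header in $f: $magic"; return 4 ;;
    esac
}

# preflight_keyutils
# Runs the checks an admin would do by hand before ipa-server-install:
# the binary itself, a harmless invocation, and the package's own manifest.
# KEYCTL may be overridden (assumption for testing); /bin/keyctl is the path
# from the thread.
preflight_keyutils() {
    keyctl=${KEYCTL:-/bin/keyctl}
    check_exec_file "$keyctl" || return $?
    # `keyctl show` only lists the session keyring; running it proves exec works
    # under the current SELinux context, which a static check cannot.
    if ! "$keyctl" show >/dev/null 2>&1; then
        echo "$keyctl exists but cannot run; check SELinux denials with:"
        echo "    ausearch -m AVC -ts recent"
        return 5
    fi
    # rpm -V compares installed files with the package manifest; a truncated
    # keyctl is reported as a size ('S') and digest ('5') mismatch.
    if command -v rpm >/dev/null 2>&1; then
        rpm -V keyutils || { echo "keyutils files differ from the package; reinstall it"; return 6; }
    fi
    echo "keyutils looks healthy: $keyctl"
    return 0
}

# Run the full check only when invoked as `sh preflight.sh --run`.
if [ "${1-}" = "--run" ]; then
    preflight_keyutils
fi
```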
Martin Kosek
2015-03-26 14:14:30 UTC
Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
keyutils dependency fixed anyway :-)

Martin
Anthony Lanni
2015-03-26 16:28:05 UTC
great, thanks.

On a related note: the server still doesn't get a (client) kerberos ticket,
which means I can't kinit as a user and then log into a client machine
without a password. Going the other way works fine, however.

thx
anthony
Martin Kosek
2015-03-26 16:31:50 UTC
I am not sure what you mean. So are you saying that "kinit USER" done on server
fails? With what error?
Anthony Lanni
2015-03-26 16:52:42 UTC
kinit USER works perfectly; but I can't ssh into the client machine from
the server without it requesting a password.

I think this is a DNS issue, actually. The server isn't resolving the name
of the client, so I'm ssh'ing with the IP address, and that's not going to
work since it's not in the Kerberos db ("Cannot determine realm for numeric
host address").

Except, of course, that the server did not get its own valid Kerberos host
certificate. It should, right? During the ipa-client-install --on-master
step of the server install?

In fact, the global DNS config is completely empty. But I'm going to have
to tear down the server and rebuild because it's on the same domain as an
AD server, and ipa-client-install finds that server rather than the new IPA
server by default: that won't work because I want LDAP to dynamically
update the records, and establish a trust with the AD server.
Also we've got 2 Linux DNS root servers that act as forwarders. I pointed
the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
to configure IPA to use them properly. So I'm sure that's where most of my
problems lie.

I've got to RTFM a bit more before I really start asking the right
questions, I think. At that point I'll start a new thread.



thx
anthony
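To show why the password prompt is a DNS problem rather than a keytab or certificate problem, an added example (not from the thread or from FreeIPA): a small check of an ssh target as the Kerberos client library will see it, rejecting numeric addresses and names that do not resolve. The function names are mine; the rdns setting mentioned in the comments is the MIT krb5 [libdefaults] option.

```shell
#!/bin/sh
# Why `ssh 10.0.1.x` from the IPA server prompts for a password even with a
# valid TGT: GSSAPI needs a service principal host/<fqdn>@REALM, and the
# client library refuses to derive one from a numeric address ("Cannot
# determine realm for numeric host address"). These helpers (written for
# this thread, not FreeIPA code) test a target before you blame the keytab.

# is_ip_literal ARG: 0 if ARG is an IPv4 dotted quad or an IPv6 literal
is_ip_literal() {
    case $1 in
        *:*) return 0 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# kerberos_target_check TARGET
# 0: TARGET is a resolvable name, so host/TARGET can be looked up in the KDC
# 1: TARGET is a numeric address (Kerberos will not map it to a principal)
# 2: TARGET does not resolve (the DNS problem described in the thread)
# 3: TARGET resolves but its address has no reverse record; with the MIT krb5
#    default rdns = true the library canonicalises the name via a PTR lookup
kerberos_target_check() {
    t=$1
    if is_ip_literal "$t"; then
        echo "reject: $t is a numeric address; ssh to the host name instead"
        return 1
    fi
    # forward lookup through the same resolver (/etc/hosts, DNS) ssh will use
    addr=$(getent hosts "$t" | awk 'NR == 1 { print $1 }')
    if [ -z "$addr" ]; then
        echo "reject: $t does not resolve; fix DNS before expecting SSO"
        return 2
    fi
    # reverse lookup: getent with an address argument does gethostbyaddr()
    if ! getent hosts "$addr" >/dev/null 2>&1; then
        echo "warn: $t -> $addr has no reverse record; add the PTR or set"
        echo "      rdns = false under [libdefaults] in /etc/krb5.conf"
        return 3
    fi
    echo "ok: $t -> $addr; GSSAPI will request host/$t@<REALM>"
    return 0
}

# Usage: sh target-check.sh client.example.com
if [ -n "${1-}" ]; then
    kerberos_target_check "$1"
fi
```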
Martin Kosek
2015-03-26 17:01:01 UTC
Post by Anthony Lanni
kinit USER works perfectly; but I can't ssh into the client machine from
the server without it requesting a password.
I think this is a DNS issue, actually. The server isn't resolving the name
of the client, so I'm ssh'ing with the IP address, and that's not going to
work since it's not in the Kerberos db ("Cannot determine realm for numeric
host address").
So it looks like you have found your problem - Kerberos tends to break if DNS
is not set properly.
Post by Anthony Lanni
Except, of course, that the server did not get its own valid Kerberos host
certificate. It should, right? During the ipa-client-install --on-master
step of the server install?
Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)?
They are 2 distinct things.
Post by Anthony Lanni
In fact, the global DNS config is completely empty. But I'm going to have
to tear down the server and rebuild because it's on the same domain as an
AD server, and ipa-client-install finds that server rather than the new IPA
server by default: that won't work because I want LDAP to dynamically
update the records, and establish a trust with the AD server.
Also we've got 2 Linux DNS root servers that act as forwarders. I pointed
the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
to configure IPA to use them properly. So I'm sure that's where most of my
problems lie.
I've got to RTFM a bit more before I really start asking the right
questions, I think. At that point I'll start a new thread.
Ok :-)

Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Anthony Lanni
2015-03-26 17:38:54 UTC
I'm referring to the host certificate; I was looking at the web UI, under
Identity->Hosts in the server details page. The Host Certificate section
says 'No Valid Certificate'.
The server has a /etc/krb5.keytab file, and on the same page the Enrollment
section says 'Kerberos Key Present, Host Provisioned'.

thx
anthony

Rob Crittenden
2015-03-26 17:44:09 UTC
Post by Anthony Lanni
I'm referring to the host certificate; I was looking at the web UI,
under Identity->Hosts in the server details page. The Host Certificate
section says 'No Valid Certificate'.
The server has a /etc/krb5.keytab file, and on the same page the
Enrollment section says 'Kerberos Key Present, Host Provisioned'.
No, masters never got this certificate issued. It was intended to be an
alternate way to authenticate a host to IPA. The host certificate is not
used by IPA currently, and in 4.1 one isn't issued for clients by
default any more.

rob
Anthony Lanni
2015-03-26 18:09:19 UTC
ah, ok. So I'm going to assume the problem with my server not being able to
get a DNS record for any of the clients is why the user can't ssh into the
clients.

Thanks for the help, everyone!

thx
anthony
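The failure Anthony hit is a canonicalisation problem: before an ssh client can request a service ticket it has to turn the target into a host principal, and libkrb5 cannot map a bare IP address to a realm. As an added example (not code from this thread or from FreeIPA), the check below reproduces that failure and goes one step further than the thread by also flagging clients whose forward and reverse records disagree, since with rdns = true a stale PTR changes the principal the client asks for. The hostnames, addresses and the domain_realm mapping are constructed sample data; the system-backed resolver is included for real use but is not needed to run the example.

```python
"""Pre-flight check for Kerberos (GSSAPI) single sign-on targets."""
import ipaddress
import socket

# Constructed sample zone data standing in for the IPA-managed DNS zones.
FORWARD = {
    "client01.example.com": "10.0.1.50",        # consistent A/PTR pair
    "client02.example.com": "10.0.1.51",        # PTR still names an old host
    "ldap-server-01.example.com": "10.0.1.10",
}
REVERSE = {
    "10.0.1.50": "client01.example.com",
    "10.0.1.51": "oldname.example.com",         # stale reverse record
    "10.0.1.10": "ldap-server-01.example.com",
}
# krb5.conf [domain_realm] mapping, in the form ipa-client-install writes it.
DOMAIN_REALM = {"example.com": "EXAMPLE.COM", ".example.com": "EXAMPLE.COM"}


class FakeResolver:
    """Dictionary-backed resolver so the check runs offline."""
    def forward(self, name):
        return FORWARD.get(name.lower().rstrip("."))

    def reverse(self, addr):
        return REVERSE.get(addr)


class SystemResolver:
    """Resolver backed by the host's libc for real use (not used by the tests)."""
    def forward(self, name):
        try:
            return socket.gethostbyname(name)
        except socket.gaierror:
            return None

    def reverse(self, addr):
        try:
            return socket.gethostbyaddr(addr)[0]
        except (socket.herror, socket.gaierror):
            return None


def is_numeric(target):
    # True when the ssh target is an address literal rather than a name.
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def realm_for_host(fqdn, domain_realm=DOMAIN_REALM):
    """Mimic libkrb5 realm mapping: longest matching [domain_realm] entry,
    otherwise the upper-cased parent domain (libkrb5's fallback heuristic)."""
    labels = fqdn.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for key in (candidate, "." + candidate):
            if key in domain_realm:
                return domain_realm[key]
    return ".".join(labels[1:]).upper()


def host_principal(target, resolver, rdns=True):
    """Return (principal, problems) for the host service an ssh client using
    GSSAPI would request a ticket for. `problems` is empty when SSO should work."""
    if is_numeric(target):
        # libkrb5 cannot map an address literal to a realm; this is the
        # condition behind the error message quoted in the thread.
        return None, ["Cannot determine realm for numeric host address"]
    addr = resolver.forward(target)
    if addr is None:
        return None, ["no A record for %s" % target]
    canon = target.lower().rstrip(".")
    problems = []
    if rdns:
        # With rdns = true (the default) the client canonicalises the name
        # through the PTR record, so a stale reverse zone changes the principal.
        ptr = resolver.reverse(addr)
        if ptr is None:
            problems.append("no PTR record for %s" % addr)
        elif ptr.lower() != canon:
            problems.append("PTR %s -> %s does not match %s" % (addr, ptr, canon))
            canon = ptr.lower()
    return "host/%s@%s" % (canon, realm_for_host(canon)), problems


def audit(targets, resolver=None):
    """Run host_principal over a list of ssh targets; returns {target: result}."""
    resolver = resolver or FakeResolver()
    return {t: host_principal(t, resolver) for t in targets}


if __name__ == "__main__":
    results = audit(["client01.example.com", "client02.example.com", "10.0.1.50"])
    for target, (principal, problems) in results.items():
        print("%-22s %-40s %s" % (target, principal, "; ".join(problems) or "ok"))
```

Running it against the real zones means passing `SystemResolver()` to `audit`; any target that comes back with a problem is one where `kinit` succeeds but ssh will still prompt for a password.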
g***@unicyber.co.uk
2015-03-26 00:32:04 UTC
Hi

I am setting up a plain and simple sssd service against my FreeIPA
server.
The FreeIPA server is a CentOS 7.1 box with IPA version 4.1 and the
client box is Ubuntu 12.04.5 LTS.

The users and credentials are being synced out of an AD server (the
passwords happened to be transferred using the PassSync service).

Now, I wanted to set up a very simple sssd service (not the FreeIPA
client service), and so far I have succeeded in syncing the users along
with the passwords using SSSD.

Now, trying to get the sudo access sorted, I cannot see that working, and
I came across some documentation mentioning that SSSD is NOT currently
supporting the IPA schema for the sudoers.
If that is the case,

can anybody point me to the right document or procedure in terms of
getting the sudoers installed as well?

Would it be possible, somehow, to have this sorted WITHOUT using the
ipa-client?

many thanks!
Dmitri Pal
2015-03-26 00:35:59 UTC
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Gonzalo Fernandez Ordas
2015-03-26 02:41:23 UTC
Permalink
Exactly the document I was having a look at.
In simple words, is it possible to work around this, and how?
Otherwise I have to drop FreeIPA and get back to 389_ds, as it still seems fully LDAP/SSSD compatible.

Have you got any doc clearly stating how to get this done?
I really invested many days on reaching this far, sudo being the last tiny bit to get sorted, which is hugely frustrating.

Thanks for all the support
Sent from Type Mail
Post by Dmitri Pal
Post by g***@unicyber.co.uk
Hi
I am setting up a plain and simple sssd service against my FreeIPA
Server.
The FreeIPA Server is a CentOS 7.1 box with IPA version 4.1 and the
client box is Ubuntu 12.04.5 LTS.
The users and credentials are being synced out of an AD server (the
passwords happened to be transferred using the PassSync service).
Now, I wanted to set up a very simple sssd service (not the FreeIPA
client service).
And so far I have succeeded in syncing the users along with the passwords
using SSSD.
Now, trying to get the sudo access sorted, I cannot see that working,
and I came across some documentation mentioning SSSD is NOT currently
supporting the IPA schema for sudoers.
If that is the case, can anybody point me to the right document or
procedure for getting the sudoers installed as well?
Would it be possible, somehow, to have this sorted WITHOUT using the
ipa-client?
Many thanks!
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Dmitri Pal
2015-03-26 02:52:06 UTC
Permalink
Post by Gonzalo Fernandez Ordas
Exactly the document I was having a look at.
In simple words, is it possible to work around this, and how?
It is possible.
The doc has guidelines. Are they not clear?
Post by Gonzalo Fernandez Ordas
Otherwise I have to drop FreeIPA and get back to 389_ds, as it still
seems fully LDAP/SSSD compatible.
Have you got any doc clearly stating how to get this done?
I really invested many days on reaching this far, sudo being the last
tiny bit to get sorted, which is hugely frustrating.
Thanks for all the support
Sent from Type Mail <http://r.typeapp.com>
Hi
I am setting up a plain and simple sssd service against my FreeIPA
Server.
The FreeIPA Server is a CentOS 7.1 box with IPA version 4.1 and the
client box is Ubuntu 12.04.5 LTS.
The users and credentials are being synced out of an AD server (the
passwords happened to be transferred using the PassSync service).
Now, I wanted to set up a very simple sssd service (not the FreeIPA
client service).
And so far I have succeeded in syncing the users along with the passwords
using SSSD.
Now, trying to get the sudo access sorted, I cannot see that working,
and I came across some documentation mentioning SSSD is NOT currently
supporting the IPA schema for sudoers.
If that is the case, can anybody point me to the right document or
procedure for getting the sudoers installed as well?
Would it be possible, somehow, to have this sorted WITHOUT using the
ipa-client?
Many thanks!
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Rob Crittenden
2015-03-26 02:56:48 UTC
Permalink
Post by Gonzalo Fernandez Ordas
Exactly the document I was having a look at.
In simple words, is it possible to work around this, and how?
Otherwise I have to drop FreeIPA and get back to 389_ds, as it still
seems fully LDAP/SSSD compatible.
Have you got any doc clearly stating how to get this done?
I really invested many days on reaching this far, sudo being the last
tiny bit to get sorted, which is hugely frustrating.
How to configure sudo largely depends on the version of SSSD you have in
Ubuntu. I'm not sure how configuring SSSD is going to affect your choice
of server though. If you still use SSSD the same problem will exist
regardless, right?

rob
Post by Gonzalo Fernandez Ordas
Thanks for all the support
Sent from Type Mail <http://r.typeapp.com>
Hi
I am setting up a plain and simple sssd service against my FreeIPA
Server.
The FreeIPA Server is a CentOS 7.1 box with IPA version 4.1 and the
client box is Ubuntu 12.04.5 LTS.
The users and credentials are being synced out of an AD server (the
passwords happened to be transferred using the PassSync service).
Now, I wanted to set up a very simple sssd service (not the FreeIPA
client service).
And so far I have succeeded in syncing the users along with the passwords
using SSSD.
Now, trying to get the sudo access sorted, I cannot see that working,
and I came across some documentation mentioning SSSD is NOT currently
supporting the IPA schema for sudoers.
If that is the case, can anybody point me to the right document or
procedure for getting the sudoers installed as well?
Would it be possible, somehow, to have this sorted WITHOUT using the
ipa-client?
Many thanks!
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
Gonzalo Fernandez Ordas
2015-03-26 05:21:19 UTC
Permalink
I have to test a few options to see how I can overcome that issue.
A pity, as I nearly got everything set up in full.
I will get back to the list with any findings, as this might be relevant for
other users.
Post by Rob Crittenden
Post by Gonzalo Fernandez Ordas
Exactly the document I was having a look at.
In simple words, is it possible to work around this, and how?
Otherwise I have to drop FreeIPA and get back to 389_ds, as it still
seems fully LDAP/SSSD compatible.
Have you got any doc clearly stating how to get this done?
I really invested many days on reaching this far, sudo being the last
tiny bit to get sorted, which is hugely frustrating.
How to configure sudo largely depends on the version of SSSD you have in
Ubuntu. I'm not sure how configuring SSSD is going to affect your choice
of server though. If you still use SSSD the same problem will exist
regardless, right?
rob
Post by Gonzalo Fernandez Ordas
Thanks for all the support
Sent from Type Mail <http://r.typeapp.com>
Hi
I am setting up a plain and simple sssd service against my FreeIPA
Server.
The FreeIPA Server is a CentOS 7.1 box with IPA version 4.1 and the
client box is Ubuntu 12.04.5 LTS.
The users and credentials are being synced out of an AD server (the
passwords happened to be transferred using the PassSync service).
Now, I wanted to set up a very simple sssd service (not the FreeIPA
client service).
And so far I have succeeded in syncing the users along with the passwords
using SSSD.
Now, trying to get the sudo access sorted, I cannot see that working,
and I came across some documentation mentioning SSSD is NOT currently
supporting the IPA schema for sudoers.
If that is the case, can anybody point me to the right document or
procedure for getting the sudoers installed as well?
Would it be possible, somehow, to have this sorted WITHOUT using the
ipa-client?
Many thanks!
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
Jakub Hrozek
2015-03-26 08:31:10 UTC
Permalink
If you have SSSD 1.9.6 or newer all the sudo configuration boils down to including 'sss' for 'sudoers' in nsswitch.conf and sudo_provider=ipa in sssd.conf.

You also need a reasonably recent sudo itself. Posting versions of SSSD and sudo would help.

----- Original Message -----
From: "Gonzalo Fernandez Ordas" <***@unicyber.co.uk>
To: "Rob Crittenden" <***@redhat.com>, ***@redhat.com
Cc: freeipa-***@redhat.com
Sent: Thursday, 26 March, 2015 6:21:19 AM
Subject: Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

I have to test a few options to see how I can overcome that issue.
A pity, as I nearly got everything set up in full.
I will get back to the list with any findings, as this might be relevant for
other users.
Post by Rob Crittenden
Post by Gonzalo Fernandez Ordas
Exactly the document I was having a look at.
In simple words, is it possible to work around this, and how?
Otherwise I have to drop FreeIPA and get back to 389_ds, as it still
seems fully LDAP/SSSD compatible.
Have you got any doc clearly stating how to get this done?
I really invested many days on reaching this far, sudo being the last
tiny bit to get sorted, which is hugely frustrating.
How to configure sudo largely depends on the version of SSSD you have in
Ubuntu. I'm not sure how configuring SSSD is going to affect your choice
of server though. If you still use SSSD the same problem will exist
regardless, right?
rob
Post by Gonzalo Fernandez Ordas
Thanks for all the support
Sent from Type Mail <http://r.typeapp.com>
Hi
I am setting up a plain and simple sssd service against my FreeIPA
Server.
The FreeIPA Server is a CentOS 7.1 box with IPA version 4.1 and the
client box is Ubuntu 12.04.5 LTS.
The users and credentials are being synced out of an AD server (the
passwords happened to be transferred using the PassSync service).
Now, I wanted to set up a very simple sssd service (not the FreeIPA
client service).
And so far I have succeeded in syncing the users along with the passwords
using SSSD.
Now, trying to get the sudo access sorted, I cannot see that working,
and I came across some documentation mentioning SSSD is NOT currently
supporting the IPA schema for sudoers.
If that is the case, can anybody point me to the right document or
procedure for getting the sudoers installed as well?
Would it be possible, somehow, to have this sorted WITHOUT using the
ipa-client?
Many thanks!
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
g***@unicyber.co.uk
2015-03-30 04:36:00 UTC
Permalink
Hey Guys

Not sure if I am missing any bit.... but this was the thing in the end:


http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html

I managed to have it working and I have documented all those nasty bits
which might save people's time. The whole weekend gone, but at least it
has been productive.

I am including the SUDO bit, which is usually a pain in my experience..

Thanks
Post by Jakub Hrozek
If you have SSSD 1.9.6 or newer all the sudo configuration boils down
to including 'sss' for 'sudoers' in nsswitch.conf and
sudo_provider=ipa in sssd.conf.
You also need a reasonably recent sudo itself. Posting versions of
SSSD and sudo would help.
----- Original Message -----
Sent: Thursday, 26 March, 2015 6:21:19 AM
Subject: Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD
I have to test a few options to see how I can overcome that issue.
A pity, as I nearly got everything set up in full.
I will get back to the list with any findings, as this might be relevant for
other users.
Post by Rob Crittenden
Post by Gonzalo Fernandez Ordas
Exactly the document I was having a look at.
In simple words, is it possible to work around this, and how?
Otherwise I have to drop FreeIPA and get back to 389_ds, as it still
seems fully LDAP/SSSD compatible.
Have you got any doc clearly stating how to get this done?
I really invested many days on reaching this far, sudo being the last
tiny bit to get sorted, which is hugely frustrating.
How to configure sudo largely depends on the version of SSSD you have in
Ubuntu. I'm not sure how configuring SSSD is going to affect your choice
of server though. If you still use SSSD the same problem will exist
regardless, right?
rob
Post by Gonzalo Fernandez Ordas
Thanks for all the support
Sent from Type Mail <http://r.typeapp.com>
Hi
I am setting up a plain and simple sssd service against my FreeIPA
Server.
The FreeIPA Server is a CentOS 7.1 box with IPA version 4.1 and the
client box is Ubuntu 12.04.5 LTS.
The users and credentials are being synced out of an AD server (the
passwords happened to be transferred using the PassSync service).
Now, I wanted to set up a very simple sssd service (not the FreeIPA
client service).
And so far I have succeeded in syncing the users along with the passwords
using SSSD.
Now, trying to get the sudo access sorted, I cannot see that working,
and I came across some documentation mentioning SSSD is NOT currently
supporting the IPA schema for sudoers.
If that is the case, can anybody point me to the right document or
procedure for getting the sudoers installed as well?
Would it be possible, somehow, to have this sorted WITHOUT using the
ipa-client?
Many thanks!
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
Jakub Hrozek
2015-03-30 08:16:47 UTC
Permalink
Post by g***@unicyber.co.uk
Hey Guys
http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
I managed to have it working and I have documented all those nasty bits
which might save people's time. The whole weekend gone, but at least it has
been productive.
I am including the SUDO bit, which is usually a pain in my experience..
Thanks
Thank you very much for documenting this, but wouldn't it be better to
use id_provider=ipa instead?

Then the configuration would be simpler, less error prone and would
authenticate more securely. You don't need to run ipa-client-install on
the box, you can generate the client keytab elsewhere and transfer it to
the client.
Gonzalo Fernandez Ordas
2015-03-30 14:51:56 UTC
Permalink
Hi Jakub

Yes, I can also include that.
The configuration I was showing was a simple one; mainly I focused on
the library set, as it is usually the most problematic part in old
distributions, but I will also include your comment as it indeed makes more
sense.
As I was suggesting in the post, sssd is flexible enough to admit multiple
configurations; once you get a working one you can work on improving it.
(Also I wanted to write that asap before I forget any important detail.)
Your comment is very much appreciated and I will update accordingly.

Thanks
Post by Jakub Hrozek
Post by g***@unicyber.co.uk
Hey Guys
http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
I managed to have it working and I have documented all those nasty bits
which might save people's time. The whole weekend gone, but at least it has
been productive.
I am including the SUDO bit, which is usually a pain in my experience..
Thanks
Thank you very much for documenting this, but wouldn't it be better to
use id_provider=ipa instead?
Then the configuration would be simpler, less error prone and would
authenticate more securely. You don't need to run ipa-client-install on
the box, you can generate the client keytab elsewhere and transfer it to
the client.
Lukas Slebodnik
2015-03-30 14:21:37 UTC
Permalink
Post by g***@unicyber.co.uk
Hey Guys
http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
I managed to have it working and I have documented all those nasty bits which
might save people's time. The whole weekend gone, but at least it has been
productive.
I am including the SUDO bit, which is usually a pain in my experience..
Do you really have to enable enumeration?
"enumerate = True"

It would be good if you could remove it from the post.

LS
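Pulling together the client-side pieces Jakub and Lukas describe above (put `sss` on the `sudoers:` line of nsswitch.conf, use `sudo_provider = ipa` and `id_provider = ipa` in sssd.conf, generate the host keytab on an enrolled machine and copy it over instead of running ipa-client-install, and leave enumeration off), here is an added example script. It is not code from the thread, from the linked blog post, or from the FreeIPA/SSSD projects. The two functions take the file paths they operate on as arguments, so they can be dry-run against scratch copies before touching /etc; the domain, realm and hostnames (example.com, EXAMPLE.COM, ipa.example.com, client.example.com) and the keytab commands in the comments are assumptions about the deployment, not details from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA/SSSD projects.
# Every path is a parameter so the functions can be exercised on scratch
# copies; the domain, realm and hostnames used below are assumptions.
set -eu

# Jakub's first point: sudo only asks SSSD for rules when "sss" appears on
# the sudoers line of nsswitch.conf. Add it idempotently (running this twice
# must not produce "sss sss") and create the line if it is absent.
enable_sss_sudoers() {
    f="$1"
    tmp="$f.tmp.$$"
    awk '
        /^sudoers:/ {
            seen = 1
            if ($0 !~ /(^|[ \t])sss([ \t]|$)/) $0 = $0 " sss"
        }
        { print }
        END { if (!seen) print "sudoers: files sss" }
    ' "$f" > "$tmp"
    mv "$tmp" "$f"
}

# Jakub's second point: with id_provider=ipa the client binds to the
# directory with its own host keytab (GSSAPI) rather than an anonymous or
# password LDAP bind, and sudo_provider=ipa fetches the IPA sudo rules
# directly. Lukas's point: enumeration stays off; lookups and sudo do not
# need it and it is expensive for the server. On SSSD of this vintage
# (1.9 to 1.11) the sudo responder must also be listed under "services".
write_sssd_conf() {
    out="$1" domain="$2" realm="$3" server="$4" host="$5"
    cat > "$out" <<EOF
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = $domain

[domain/$domain]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ipa
ipa_domain = $domain
ipa_server = $server
ipa_hostname = $host
krb5_realm = $realm
krb5_keytab = /etc/krb5.keytab
cache_credentials = True
enumerate = False
EOF
    # sssd refuses to start on a config that is not root-owned and 0600
    chmod 600 "$out"
}

# Keytab without ipa-client-install (assumed hostnames). On a host that is
# already enrolled, e.g. the IPA server itself, as an admin:
#   kinit admin
#   ipa host-add client.example.com        # add --force if not yet in DNS
#   ipa-getkeytab -s ipa.example.com -p host/client.example.com@EXAMPLE.COM \
#       -k client.keytab
# Copy client.keytab to the client over an authenticated channel (scp) as
# /etc/krb5.keytab, root-owned, mode 0600, then check it and restart sssd:
#   klist -k /etc/krb5.keytab
#   service sssd restart
# Jakub's caveat still applies: "sssd --version" should report 1.9.6 or
# newer, and sudo needs its SSSD plugin (libsss_sudo; the package name and
# path vary by distribution). Verify the rules as the user with "sudo -l".

# Dry run on scratch files: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    # constructed sample nsswitch.conf with no sss entry yet
    printf 'passwd: compat\nsudoers: files\n' > "$d/nsswitch.conf"
    enable_sss_sudoers "$d/nsswitch.conf"
    write_sssd_conf "$d/sssd.conf" example.com EXAMPLE.COM \
        ipa.example.com client.example.com
    cat "$d/nsswitch.conf" "$d/sssd.conf"
fi
```

Running it with `--demo` prints the patched nsswitch.conf and the generated sssd.conf from a temporary directory; point the functions at /etc/nsswitch.conf and /etc/sssd/sssd.conf as root only once the keytab is in place, since a domain with `id_provider = ipa` will not come online without it.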
Gonzalo Fernandez Ordas
2015-03-30 14:58:27 UTC
Permalink
Yes, you are right.
I was using enumerate in my testing.
I forgot to disable enumerate when I was templating the configuration.
Post by Lukas Slebodnik
Post by g***@unicyber.co.uk
Hey Guys
http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
I managed to have it working and I have documented all those nasty bits which
might save people's time. The whole weekend gone, but at least it has been
productive.
I am including the SUDO bit, which is usually a pain in my experience..
Do you really have to enable enumeration?
"enumerate = True"
It would be good if you could remove it from the post.
LS