freeipa client


Vince Forgetta

Nov 23, 2015, 4:16:00 PM
to Warewulf
Hi all,

I have set up a freeIPA server and can access the web interface to add users etc.

The freeIPA server is on wwmaster.

I install the freeIPA client like so:

yum --tolerant --installroot /var/chroots/hydrars-centos-7 install ipa-client

Then:

$ chroot  /var/chroots/hydrars-centos-7
# ipa-client-install --server d1p-hydrafs01.ldi.lan --domain ldi.lan --hostname d1p-hydrars01.ldi.lan

Where d1p-hydrafs01.ldi.lan is wwmaster and d1p-hydrars01.ldi.lan is the node that I want to configure. I get the following error:

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: d1p-hydrars01.ldi.lan
Realm: LDI.LAN
DNS Domain: ldi.lan
IPA Server: d1p-hydrafs01.ldi.lan
BaseDN: dc=ldi,dc=lan

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@LDI.LAN:
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed
kinit: Cryptosystem internal error while getting initial credentials

Anyone have tips on how to configure freeIPA client in a chroot environment?

Thanks,

Vince

Gregory M. Kurtzer

Nov 23, 2015, 6:37:49 PM
to Warewulf
Heya Vince,

I wish I could help, but I have no experience with FreeIPA. With that said, this would be a fantastic topic for a recipe to post on the website or documentation.

Thanks!

--
You received this message because you are subscribed to the Google Groups "Warewulf" group.
To unsubscribe from this group and stop receiving emails from it, send an email to warewulf+u...@lbl.gov.
To post to this group, send email to ware...@lbl.gov.
To view this discussion on the web visit https://groups.google.com/a/lbl.gov/d/msgid/warewulf/5260ea48-301c-4d32-a38a-20272179b6c1%40lbl.gov.
For more options, visit https://groups.google.com/a/lbl.gov/d/optout.



--
Gregory M. Kurtzer
Technical Lead and HPC Systems Architect
High Performance Computing Services (HPCS)
University of California
Lawrence Berkeley National Laboratory
One Cyclotron Road, Berkeley, CA 94720

Vince Forgetta

Nov 24, 2015, 8:55:19 AM
to ware...@lbl.gov
Hi Greg, thanks for the feedback. I will try the manual install of the client as documented by Fedora:

https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/linux-manual.html

Vince

Nathaniel Everett Garver-Daniels

Nov 24, 2015, 9:59:58 AM
to ware...@lbl.gov
Vince,
I'll look through my notes and see if I did something clever for
this. I think, though, that I manually added the machines to IPA, then
exported the appropriate Kerberos information, added them as files in
Warewulf and provisioned them to the nodes. Then a manual config in the
chroot took care of the rest.

-Nate

Vince Forgetta

Nov 24, 2015, 10:11:30 AM
to ware...@lbl.gov
Thanks Nate. I am working my way through the manual install now. So far so good. I am basically doing as you have done. I just hope that the Fedora documentation is accurate.

Vince Forgetta

Nov 24, 2015, 1:40:48 PM
to ware...@lbl.gov
Hi Nate,

I have arrived at step 11, part 2, where it states to issue the following command:

[root@client ~]# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'

How did you do this within the chroot, but keep it node-specific? Did you make a separate "nssdb" for each node and provision based on node hostname?

Thanks,

Vince





Nathan Garver-Daniels

Nov 24, 2015, 1:59:03 PM
to ware...@lbl.gov

I'll check, but I don't think I bothered with this part. 
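The per-node approach Nate describes (host added in IPA, keytab exported, shipped to each node as a Warewulf file) only works if every node ends up with its own host keytab and nothing else, which is also the answer to Vince's question about keeping things node-specific: the keytab is not baked into the chroot at all, it is a provisioned file. The script below is an added example, not code from this thread, FreeIPA or Warewulf. It parses the MIT keytab file format and checks that a keytab holds exactly host/<fqdn>@REALM for the node it is meant for. The keytab bytes are constructed in-line so it runs offline; d1p-hydrars02.ldi.lan is an assumed second node name and the key material is a dummy.

```python
"""Check a node's Kerberos keytab before provisioning it as a Warewulf file.

Added example, not code from the thread, FreeIPA or Warewulf. Each node
must carry only its own host/<fqdn>@REALM key; a keytab left in the shared
chroot image lets any node, or anyone who can read the image, act as every
other node's host identity. The keytab bytes are built in-line with
build_keytab() so this runs offline; on a real node read /etc/krb5.keytab
(mode 0600, root only). d1p-hydrars02.ldi.lan is an assumed second node and
DUMMY_KEY is placeholder key material.

MIT keytab layout (version 0x0502, big-endian): magic 05 02, then per entry
int32 size, uint16 n_components, counted realm, n_components counted
strings, uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype,
uint16 key_len, key, optional uint32 vno32. A counted string is uint16
length + bytes; a negative size marks a deleted slot of that many bytes.
"""
import struct

NT_SRV_HST = 3                 # name type for host-based service principals
AES256_CTS_HMAC_SHA1_96 = 18   # enctype number used in the sample entries
DUMMY_KEY = b"\x00" * 32       # placeholder, never a real key
TS = 1448388000                # arbitrary sample timestamp (2015-11-24)


def _counted(b):
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key, timestamp)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", NT_SRV_HST, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)         # 32-bit kvno trailer, as libkrb5 writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Yield (principal, kvno, enctype) per live entry; raise ValueError on malformed data."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                            # deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry at offset %d" % pos)
        (n_comp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(n_comp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                         # key bytes are not needed for this check
        kvno = vno8
        if end - pos >= 4:                      # a non-zero 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        yield "/".join(comps) + "@" + realm, kvno, enctype


def keytab_principals(data):
    return sorted({p for p, _, _ in parse_keytab(data)})


def check_node_keytab(data, fqdn, realm):
    """ok only if the keytab holds host/<fqdn>@REALM and no other principal."""
    expected = "host/%s@%s" % (fqdn, realm)
    found = keytab_principals(data)
    problems = [] if expected in found else ["missing %s" % expected]
    problems += ["foreign principal %s (shared keytab?)" % p for p in found if p != expected]
    return (not problems, problems)


NODE_KEYTAB = build_keytab([
    ("host/d1p-hydrars01.ldi.lan@LDI.LAN", 3, AES256_CTS_HMAC_SHA1_96, DUMMY_KEY, TS),
])
SHARED_KEYTAB = build_keytab([  # what a keytab left behind in the chroot looks like
    ("host/d1p-hydrars01.ldi.lan@LDI.LAN", 3, AES256_CTS_HMAC_SHA1_96, DUMMY_KEY, TS),
    ("host/d1p-hydrars02.ldi.lan@LDI.LAN", 1, AES256_CTS_HMAC_SHA1_96, DUMMY_KEY, TS),
])

if __name__ == "__main__":
    for label, kt in (("node", NODE_KEYTAB), ("shared", SHARED_KEYTAB)):
        ok, problems = check_node_keytab(kt, "d1p-hydrars01.ldi.lan", "LDI.LAN")
        print(label, "OK" if ok else "FAIL", problems)
```

In the flow Nate outlines, the keytab for each node would come from ipa-getkeytab on the IPA server (one run per host principal), pass this check, and then be imported with wwsh file import and attached to that node's provision file list (Warewulf 3 syntax; check wwsh help for the exact options on your version) with owner root and mode 0600, so the chroot image itself never contains a keytab. The same parser is what you would run against /etc/krb5.keytab on a booted node to confirm the provisioned file is the one you expect.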

Vince Forgetta

Nov 24, 2015, 2:02:30 PM
to ware...@lbl.gov
Thanks. I assumed this may have been the issue, as I have done all the steps but still get the following error in /var/log/secure on the client when I try to log in with a freeIPA user:

Nov 24 13:31:58 d1p-hydrars01 sshd[5198]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d1p-hydrafs01.ldi.lan  user=test.user
Nov 24 13:31:58 d1p-hydrars01 sshd[5198]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d1p-hydrafs01.ldi.lan user=test.user
Nov 24 13:31:58 d1p-hydrars01 sshd[5198]: pam_sss(sshd:auth): received for user test.user: 12 (Authentication token is no longer valid; new one required)
Nov 24 13:31:59 d1p-hydrars01 sshd[5198]: Failed password for test.user from 172.21.13.10 port 55862 ssh2
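The useful line in that excerpt is the pam_sss one with the numeric status: 12 is PAM_NEW_AUTHTOK_REQD in Linux-PAM, a different failure from a bad password (PAM_AUTH_ERR, 7) or an unreachable server (PAM_AUTHINFO_UNAVAIL, 9), and the generic "Failed password" line that follows hides that distinction. The script below is an added example, not code from this thread, that groups the sshd lines for one attempt by PID and decodes that status. The sample log is constructed: the first attempt is the one quoted above, the other PIDs, hosts and outcomes are made up, and the HINTS table is this example's own suggested next checks.

```python
"""Triage sshd/PAM authentication failures in /var/log/secure.

Added example, not code from the thread. It groups the lines sshd logs for
one login attempt (same PID) and decodes the numeric status in the
pam_sss "received for user X: N (...)" line with the Linux-PAM return codes
from security/_pam_types.h, so the verdict is the PAM meaning rather than
the generic "Failed password". HINTS are this example's suggested next
checks for an sssd/IPA client. SAMPLE_LOG is constructed: the first attempt
is the one quoted in the thread, the others are made up.
"""
import re
from collections import defaultdict

PAM_CODES = {                      # Linux-PAM return values pam_sss reports
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
    27: "PAM_AUTHTOK_EXPIRED",
}
HINTS = {                          # operator hints (this example's suggestions)
    "PAM_NEW_AUTHTOK_REQD": "password accepted but must be changed (expired or admin-set initial password); not a keytab or host problem",
    "PAM_AUTHINFO_UNAVAIL": "sssd could not reach the IPA server: check DNS, ports 88/389/464 and time skew",
    "PAM_USER_UNKNOWN": "user not resolvable through sssd: check getent passwd and the sssd domain",
    "PAM_AUTH_ERR": "wrong password, or the KDC rejected pre-authentication",
    "PAM_PERM_DENIED": "HBAC rule or access_provider denied the login",
}

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
MODULE_FAIL = re.compile(r"^(?P<mod>pam_\w+)\(sshd:auth\): authentication failure;.*?\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)")
PAM_SSS_CODE = re.compile(r"^pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
FAILED_PW = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+)\s*from (?P<ip>\S+) port \d+")


def _new_attempt():
    return {"ts": None, "user": None, "rhost": None, "ip": None,
            "modules": [], "pam_code": None, "pam_text": None, "failed": False}


def parse_attempts(log_text):
    """Group log lines by sshd PID into one record per login attempt."""
    attempts = defaultdict(_new_attempt)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        a = attempts[m["pid"]]
        a["ts"] = a["ts"] or m["ts"]
        msg = m["msg"]
        mf = MODULE_FAIL.match(msg)
        mc = PAM_SSS_CODE.match(msg)
        mp = FAILED_PW.match(msg)
        if mf:
            a["modules"].append(mf["mod"])
            a["user"], a["rhost"] = mf["user"], mf["rhost"]
        elif mc:
            a["pam_code"], a["pam_text"] = int(mc["code"]), mc["text"]
            a["user"] = a["user"] or mc["user"]
        elif mp:
            a["failed"], a["ip"] = True, mp["ip"]
            a["user"] = a["user"] or mp["user"]
    return dict(attempts)


def triage(log_text):
    """Return (pid, user, source, verdict, hint) for every failed attempt, lowest PID first."""
    rows = []
    for pid, a in sorted(parse_attempts(log_text).items(), key=lambda kv: int(kv[0])):
        if not a["failed"] and not a["modules"]:
            continue                           # successful logins and unrelated lines
        name = None
        if a["pam_code"] is not None:
            name = PAM_CODES.get(a["pam_code"], "PAM_UNKNOWN_%d" % a["pam_code"])
            verdict = "%s: %s" % (name, a["pam_text"])
        elif "pam_sss" in a["modules"]:
            verdict = "pam_sss failed without a status line"
        else:
            verdict = "rejected by %s only (no sssd involvement)" % ", ".join(a["modules"])
        rows.append((pid, a["user"], a["ip"] or a["rhost"] or "?", verdict, HINTS.get(name, "")))
    return rows


SAMPLE_LOG = """\
Nov 24 13:31:58 d1p-hydrars01 sshd[5198]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d1p-hydrafs01.ldi.lan  user=test.user
Nov 24 13:31:58 d1p-hydrars01 sshd[5198]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d1p-hydrafs01.ldi.lan user=test.user
Nov 24 13:31:58 d1p-hydrars01 sshd[5198]: pam_sss(sshd:auth): received for user test.user: 12 (Authentication token is no longer valid; new one required)
Nov 24 13:31:59 d1p-hydrars01 sshd[5198]: Failed password for test.user from 172.21.13.10 port 55862 ssh2
Nov 24 13:35:02 d1p-hydrars01 sshd[5203]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d1p-hydrafs01.ldi.lan user=test.user
Nov 24 13:35:02 d1p-hydrars01 sshd[5203]: pam_sss(sshd:auth): received for user test.user: 9 (Authentication service cannot retrieve authentication info)
Nov 24 13:35:03 d1p-hydrars01 sshd[5203]: Failed password for test.user from 172.21.13.10 port 55870 ssh2
Nov 24 13:40:11 d1p-hydrars01 sshd[5210]: Accepted publickey for root from 172.21.13.10 port 55901 ssh2: RSA SHA256:constructed
Nov 24 13:41:20 d1p-hydrars01 sshd[5220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.13.30  user=root
Nov 24 13:41:22 d1p-hydrars01 sshd[5220]: Failed password for root from 172.21.13.30 port 40122 ssh2
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row, sep=" | ")
```

Run it against a real /var/log/secure (read as root) instead of SAMPLE_LOG to get one row per failed attempt; an attempt that never reaches pam_sss at all, like the root one in the sample, points at sshd or local PAM configuration rather than the IPA side.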


Jason Stover

Nov 24, 2015, 2:04:13 PM
to ware...@lbl.gov
Silly question ... are the times sync'd? Ran into a similar stupid issue
previously where the clocks were off by 30 sec and that was enough
to cause a failure.

-J

Vince Forgetta

Nov 24, 2015, 2:08:38 PM
to ware...@lbl.gov
No such thing as silly questions in IT!

Date/time is same:

# on wwmaster, check date, and check on single node.
[root@d1p-hydrafs01 ~]# date; pdsh -w d1p-hydrars01 "date"
Tue Nov 24 14:06:56 EST 2015
d1p-hydrars01: Tue Nov 24 14:06:56 EST 2015


Nathaniel Everett Garver-Daniels

Nov 24, 2015, 2:10:30 PM
to ware...@lbl.gov
Time sync issue would have been my first guess. Next thing I would do
is up the log level for sssd and see if anything pertinent pops up.

Vince Forgetta

Nov 24, 2015, 2:45:36 PM
to ware...@lbl.gov
Using debug_level = 3 on ipa_server, I restart the service and get the following error:

(Tue Nov 24 14:44:23 2015) [sssd[be[ldi.lan]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Tue Nov 24 14:44:23 2015) [sssd[be[ldi.lan]]] [sysdb_range_create] (0x0040): Invalid range, skipping. Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them.
(Tue Nov 24 14:44:23 2015) [sssd[be[ldi.lan]]] [ipa_subdomains_handler_master_done] (0x0020): Master domain record not found!
(Tue Nov 24 14:44:23 2015) [sssd[be[ldi.lan]]] [sysdb_range_create] (0x0040): Invalid range, skipping. Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them.
(Tue Nov 24 14:44:23 2015) [sssd[be[ldi.lan]]] [ipa_subdomains_handler_master_done] (0x0020): Master domain record not found!



Nathan Garver-Daniels

Nov 24, 2015, 2:49:24 PM
to ware...@lbl.gov

Does forward and reverse dns work for your server machine on the server and the client?

Vince Forgetta

Nov 24, 2015, 2:56:19 PM
to ware...@lbl.gov
On the client I can resolve the server:

# on client
[root@d1p-hydrars01 sssd]# dig +short d1p-hydrafs01.ldi.lan
172.21.13.10
[root@d1p-hydrars01 sssd]# dig +short -x 172.21.13.10
d1p-hydrafs01.ldi.lan.

On the server I can resolve the client:

[root@d1p-hydrafs01 sssd]# dig +short d1p-hydrars01.ldi.lan
172.21.13.20
[root@d1p-hydrafs01 sssd]# dig +short -x 172.21.13.20
d1p-hydrars01.ldi.lan.

Not sure if the trailing '.' is normal.
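The trailing dot is normal: dig prints names in DNS presentation form, where the dot marks the root. What matters for an IPA client is that the A record, the PTR record and the principal in the keytab all name the same host, because libkrb5 (with its default dns_canonicalize_hostname) uses DNS to decide which host/<fqdn> it is talking about. The script below is an added example, not code from this thread, that parses `dig +short` output for exactly that consistency check. The dig outputs it contains are constructed: the first case mirrors the thread, while login.ldi.lan, d1p-hydrars02.ldi.lan and 172.21.13.21 are made-up names and addresses used to show the failure modes.

```python
"""Forward/reverse DNS consistency check for an IPA client from dig +short output.

Added example, not code from the thread. Kerberos host principals are
host/<fqdn>, and with the default dns_canonicalize_hostname libkrb5 follows
DNS to decide which name that is, so a node whose A record, PTR record and
keytab principal disagree authenticates under a different name than the one
it was enrolled with. This parses `dig +short NAME` and `dig +short -x IP`
output (the trailing dot dig prints is normal presentation form) and reports
mismatches. All dig outputs below are constructed; login.ldi.lan,
d1p-hydrars02.ldi.lan and 172.21.13.21 are made-up names and addresses.
"""
import ipaddress
import subprocess


def canon(name):
    """DNS names are case-insensitive and dig prints them with a trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_forward(short_output):
    """Return (cname_chain, addresses) from `dig +short NAME`.
    For a CNAME, dig +short prints the target name(s) before the addresses."""
    chain, addrs = [], []
    for line in short_output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(str(ipaddress.ip_address(line)))
        except ValueError:
            chain.append(canon(line))
    return chain, addrs


def parse_reverse(short_output):
    """Return the PTR target names from `dig +short -x IP`."""
    return [canon(l) for l in short_output.splitlines() if l.strip()]


def check_host(fqdn, forward_out, reverse_outs):
    """reverse_outs maps each address to its `dig +short -x` output. Returns (ok, findings)."""
    findings = []
    chain, addrs = parse_forward(forward_out)
    if chain:
        findings.append("%s is a CNAME for %s; Kerberos will canonicalise to it, so the keytab must be host/%s"
                        % (fqdn, chain[-1], chain[-1]))
    if not addrs:
        findings.append("no A/AAAA record for %s" % fqdn)
    expected = canon(chain[-1] if chain else fqdn)
    for ip in addrs:
        ptrs = parse_reverse(reverse_outs.get(ip, ""))
        if not ptrs:
            findings.append("no PTR for %s" % ip)
        elif expected not in ptrs:
            findings.append("PTR for %s is %s, expected %s" % (ip, ", ".join(ptrs), expected))
        elif len(ptrs) > 1:
            findings.append("multiple PTRs for %s (%s): reverse lookup is ambiguous" % (ip, ", ".join(ptrs)))
    return (not findings, findings)


def run_dig(*args):
    """Live lookup: run_dig("d1p-hydrars01.ldi.lan") or run_dig("-x", "172.21.13.20")."""
    return subprocess.run(["dig", "+short", *args], capture_output=True, text=True, check=False).stdout


# Constructed dig outputs: the first pair mirrors the thread, the rest are invented failure modes.
CASES = {
    "d1p-hydrars01.ldi.lan": ("172.21.13.20\n", {"172.21.13.20": "d1p-hydrars01.ldi.lan.\n"}),
    "d1p-hydrars02.ldi.lan": ("172.21.13.21\n", {"172.21.13.21": "hydrars02.ldi.lan.\n"}),
    "login.ldi.lan": ("d1p-hydrars01.ldi.lan.\n172.21.13.20\n", {"172.21.13.20": "d1p-hydrars01.ldi.lan.\n"}),
}

if __name__ == "__main__":
    for fqdn, (fwd, rev) in CASES.items():
        ok, findings = check_host(fqdn, fwd, rev)
        print(fqdn, "OK" if ok else "FAIL", findings)
```

To check a live node, feed run_dig(fqdn) and run_dig("-x", ip) for each returned address into check_host, and run it on both the client and the server, since the thread's symptom only shows up if the two resolvers disagree.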






Vince Forgetta

Nov 24, 2015, 3:12:41 PM
to ware...@lbl.gov
More info: on the client I can perform "getent passwd <user>" and "getent group <group>".

Vince Forgetta

Nov 25, 2015, 2:02:42 PM
to ware...@lbl.gov
Solved. Stupid mistake on my part. I did not run the last two steps:

# authconfig --nisdomain=example.org --update
# systemctl restart rhel-domainname.service



