On Mon, 09 Sep 2019, Kevin Vasko via FreeIPA-users wrote:
Thanks much! I just tried this and sure enough everything came alive
and started working as soon as I changed the scheme to what Louis
posted in his first post.

The only other thing that I will note is that the Dell EMC seems to
hard-code what is entered for the REALM as the SPN (Service Principal
Name). So for example I wanted to put this machine as
[email protected], however when I type in the host name
it automatically put the machine as [email protected]
with no way to change it. If I changed what I typed into the REALM, it
changed the SPN, but obviously that’s not correct.
It is not an SPN problem. I guess Dell EMC box assumes you are dealing
with AD-like environment. In AD each machine belongs to exactly one AD
domain and there AD domain = realm. So, if you are in EXAMPLE.COM, your
machine is in .example.com DNS domain (where else could it be? :)

This is what we call 'primary domain' in FreeIPA.


I had the host's name in my FreeIPA system as I intended, not as the
Dell EMC forces on you, so it wouldn’t authenticate correctly. As soon as
I changed the machine to what Dell EMC puts as the SPN (it’s a grey box
that you can’t change), it started working.

Also thank you Alexander for the information on the differences in the 389 DS 
deployment variants and the explanation on how to get that information.

This seems to be fixed now! Thanks again.

-Kevin

On Sep 7, 2019, at 12:20 AM, Louis Abel via FreeIPA-users 
<[email protected]> wrote:

A lot of products from vendors actually try to make an assumption on the base 
layout of an LDAP installation and configuration since they for the most part 
get configured the same way over and over. If you were to set up 389ds by 
itself, yes, ou=people,dc=ny,dc=example,dc=com would likely be valid. While 
FreeIPA does use 389ds, it sets up its tree in a very specific manner.

Here's an example of what the base layout looks like (while also showing you 
how to get this information using ldapsearch):

[label@ipa01 ~]$ kinit label
Password for [email protected]:
[label@ipa01 ~]$ ldapsearch -LLLY GSSAPI -s one dn
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
dn: cn=compat,dc=example,dc=net
dn: ou=sudoers,dc=example,dc=net
dn: cn=accounts,dc=example,dc=net
dn: cn=alt,dc=example,dc=net
dn: cn=automount,dc=example,dc=net
dn: cn=hbac,dc=example,dc=net
dn: cn=sudo,dc=example,dc=net
dn: cn=etc,dc=example,dc=net
dn: cn=selinux,dc=example,dc=net
dn: cn=ca,dc=example,dc=net
dn: cn=pbac,dc=example,dc=net
dn: cn=kerberos,dc=example,dc=net
dn: ou=profile,dc=example,dc=net
dn: cn=provisioning,dc=example,dc=net
dn: cn=otp,dc=example,dc=net
dn: cn=radiusproxy,dc=example,dc=net
dn: cn=trusts,dc=example,dc=net
dn: cn=certmap,dc=example,dc=net
dn: cn=dns,dc=example,dc=net

All accounts live under cn=accounts by default. You'll end up seeing users, 
groups, host groups, computer accounts down further.

[label@ipa01 ~]$ ldapsearch -LLLY GSSAPI -s one -b 
'cn=accounts,dc=example,dc=net' dn
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
dn: cn=users,cn=accounts,dc=example,dc=net
dn: cn=groups,cn=accounts,dc=example,dc=net
dn: cn=services,cn=accounts,dc=example,dc=net
dn: cn=computers,cn=accounts,dc=example,dc=net
dn: cn=hostgroups,cn=accounts,dc=example,dc=net
dn: cn=cosTemplates,cn=accounts,dc=example,dc=net
dn: cn=roles,cn=accounts,dc=example,dc=net
dn: cn=views,cn=accounts,dc=example,dc=net
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
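The two points made in this thread (FreeIPA keeps hosts under cn=computers,cn=accounts,<suffix>, and an AD-style appliance will only ever ask for host/<short name>.<realm lowercased>@REALM) can be turned into a pre-flight check. The script below is an added example, not code from the thread, from Dell EMC or from FreeIPA itself. It assumes the default tree Louis showed (suffix derived from the realm, host entries with an fqdn= RDN), models the appliance's SPN rule from Kevin's description rather than from any vendor documentation, and uses a constructed LDIF entry for a hypothetical host emc01.storage.example.net in realm EXAMPLE.NET so that it runs offline; fetch_entry() shows the live ldapsearch equivalent, matching the -LLLY GSSAPI form used in the thread.

```python
"""Check whether a FreeIPA host entry carries the Kerberos principal an
AD-style appliance will insist on (host/<short>.<realm lowercased>@REALM).

Added example, not code from the thread or from FreeIPA. Assumptions:
the default FreeIPA tree (hosts under cn=computers,cn=accounts,<suffix>,
fqdn= RDN), a suffix derived from the realm (EXAMPLE.NET -> dc=example,dc=net),
and an appliance that derives the DNS domain from the realm name, as
described in the thread.
"""
import shlex
import subprocess
from typing import Dict, List, Optional


def suffix_for_realm(realm: str) -> str:
    """EXAMPLE.NET -> dc=example,dc=net (FreeIPA's default suffix layout)."""
    return ",".join(f"dc={label.lower()}" for label in realm.split("."))


def host_dn(fqdn: str, suffix: str) -> str:
    """DN of a host entry in the default FreeIPA tree."""
    return f"fqdn={fqdn.lower()},cn=computers,cn=accounts,{suffix}"


def appliance_spn(short_name: str, realm: str) -> str:
    """Principal an AD-style appliance derives on its own: the host's DNS
    domain is taken to be the realm lowercased (assumption from the thread)."""
    return f"host/{short_name.lower()}.{realm.lower()}@{realm.upper()}"


def ldapsearch_argv(fqdn: str, suffix: str) -> List[str]:
    """Same ldapsearch form as in the thread, narrowed to one host entry."""
    return ["ldapsearch", "-LLLY", "GSSAPI", "-s", "base",
            "-b", host_dn(fqdn, suffix), "krbPrincipalName", "fqdn"]


def fetch_entry(fqdn: str, suffix: str) -> str:
    """Run the real query (needs a Kerberos ticket: kinit first, as in the
    thread). Not called by the offline demo below."""
    return subprocess.run(ldapsearch_argv(fqdn, suffix),
                          check=True, capture_output=True, text=True).stdout


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF parser for a single entry: joins folded continuation
    lines and keeps multi-valued attributes (krbPrincipalName may have
    several values). Base64 ('::') values are not decoded."""
    attrs: Dict[str, List[str]] = {}
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def spn_mismatch(ldif: str, short_name: str, realm: str) -> Optional[str]:
    """None if the entry already carries the principal the appliance will
    request; otherwise the principal that is missing."""
    wanted = appliance_spn(short_name, realm)
    have = parse_ldif(ldif).get("krbPrincipalName", [])
    return None if wanted in have else wanted


# Constructed sample: the host was enrolled under a sub-domain the
# appliance cannot be told about (the situation described in the thread).
SAMPLE_LDIF = """\
dn: fqdn=emc01.storage.example.net,cn=computers,cn=accounts,dc=example,dc=net
fqdn: emc01.storage.example.net
krbPrincipalName: host/emc01.storage.example.net@EXAMPLE.NET
krbCanonicalName: host/emc01.storage.example.net@EXAMPLE.NET
"""

if __name__ == "__main__":
    realm = "EXAMPLE.NET"
    suffix = suffix_for_realm(realm)
    argv = ldapsearch_argv("emc01.storage.example.net", suffix)
    print("Live query would be:", " ".join(shlex.quote(a) for a in argv))
    missing = spn_mismatch(SAMPLE_LDIF, "emc01", realm)
    print("OK" if missing is None
          else f"appliance will request {missing}; host entry lacks it")
```

With the constructed entry the check reports that host/emc01.example.net@EXAMPLE.NET is absent, which is exactly the mismatch that made the appliance fail until the host was re-registered under the name the appliance derives. Running it against a live server means calling fetch_entry() after kinit and feeding its output to spn_mismatch().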