Who doesn't have the data from yesterday can grab a USB stick. Also, you can ask questions to get some prizes, and I would like to encourage you to let us know your opinion about DevConf on Twitter and in some blog articles and stuff. Also, you can vote and suggest lightning talks in the big glass building section, please do that. And I would like to remind you that it's Sunday, there will be contests for good prizes. So yeah, then good morning everybody again.

Welcome to the second part of the IPA workshop. Which of you haven't been here yesterday in the first part? Okay, so quite a few. The thing is, what we did yesterday in the first part is to set up the whole environment, which is actually required to go through all the modules that are covered in the workshop. And since this is a real workshop where you guys are supposed to work instead of us, you actually have to have the environment available, as I said, in order to go through all the modules. If you don't have it available you can't do this kind of stuff.

So what I propose now for those who haven't been here yesterday: we have some USB sticks available, and if you want, you have a machine with you, okay. What you can do is to mount the USB stick on your local box, and you find a workshop folder on the USB stick, and underneath there is another folder called FreeIPA, and this folder contains all the workshop-related content. You will also find there this workshop HTML file, which is actually an overview of the workshop. What we did yesterday is, as I said, we went through module one and module two, but in order to finish the two modules you have to set up a Vagrant environment. Everything is completely based on Vagrant. What does it mean? There is actually a section available here in the document as well called preparation, and here it's described how to set up the Vagrant environment on your box. In
order to do that, ideally you have a Fedora machine with libvirt installed on it, and then you have to install Vagrant and the vagrant-libvirt plugin. It's described here in the document. In the next step, what is described here is that you have to clone a git repository, but actually that's not necessary because the content is already available in the folder from the USB stick, so you do not have to clone this, because as I said it's part of the USB stick. Then you have to prepare your environment so that the local user you use to manage the Vagrant environment is actually able to manage it. In order to do that you have to install a PolicyKit rule, and you have to put your local user, whatever it is, into the vagrant user group, and then restart the necessary services, and finally fetch the Vagrant box. The original idea was that you download the Vagrant box from my machine here in the front, but this is not working because of network restrictions. What you can also do is to just add the box from the USB stick, because the box, so the image file, is available on the USB stick. It's also part of the workshop folder. The image file is like 400-something megabytes in size and it's called libvirt.box. So then just run vagrant box add with the box name and then the path to the libvirt.box file, and then you are almost good to go. Then some minor additional steps are required, for example to put the virtual machine names here into your /etc/hosts file so that you can later on also SSH into the virtual machine boxes and so on. What you have at that point in time is a Vagrant box that has been imported into your machine, and when you then fire up the Vagrant environment with vagrant up, you will find a server machine, a replica machine and a client machine available on your local box. That's actually the environment we are working with in this
workshop. The people who were here already yesterday, hopefully most of them completed these steps. Yeah, that's what the environment looks like. So when you have the environment up and running you can go to the first module, that is installing the server, which is described here: ipa-server-install with the necessary options. Make sure you run this command on the server, so you connect to the server by running vagrant ssh server. You have to answer some questions from the installer and then it goes through the whole installation, which takes, how long was it yesterday, 10 minutes maybe, no, maybe less than 10 minutes. Then the server is up and running, hopefully after a few minutes.

Then in the second module you are supposed to install the client machine, which is then enrolled into the FreeIPA domain. So you just connect to the client again by running vagrant ssh client and then execute the client installation program called ipa-client-install with the --mkhomedir option. Again, it ensures that when somebody logs in who doesn't have a home directory available, the home directory is created on the fly automatically. You don't need to do anything else, that's the option. So the ipa-client-install program, if the server has been configured properly already, receives all the necessary information from DNS. It does DNS discovery and then it finds out which Kerberos realm the client has to use, which IPA server the client has to use, and so on and so forth. So there is no need to add all those options to the client install program, it's all done automatically by DNS discovery. You can of course pass those options to the client program, but it has some downsides. That's why I would really recommend to properly set up your DNS on the server, which happens automatically if you do it correctly, and then
you can just run the client install without any additional options. Okay, and that's where we stopped yesterday. So before we continue now with the third module, which is about user management and user authentication based on Kerberos, for those who have been here yesterday: any questions regarding what we did yesterday? Or were there bad dreams about IPA last night, or Vagrant even? Nobody, that's good. Okay.

So what we are going to talk about now: we finished installation yesterday, and what I've showed you is that, so this is the server, the installation finished successfully, and you were able to authenticate as the admin user, for example. That's where I stopped yesterday. So when I run kinit admin, admin is the user that has been created yesterday as part of the installation process, you are asking for a Kerberos TGT. This is a ticket which is usually used when you initially log in into a system, and then you can use this ticket to request other service-related tickets later on in order to do real single sign-on, so that you can authenticate against different hosts and services without the need to type in your password again. It's all done transparently for you in the background, and the TGT which is requested here, that's the ticket which is actually used for all this magic that happens automatically. So here we stopped yesterday.

What you can do now to create your first users or groups, or put users into the groups you just created: you can either log into the web interface, I told you yesterday part of the installation is also the setup of a web interface, so you can point your browser to this address here, https://server.ipa.demo.local, and then you can log in with the admin account. That's one option. Or you can of course also use the command line tool. I told you yesterday the command line tool is called ipa. It's completely based on modules, and if you call ipa with
the user module you can create a user account, for example, or a group. Just to give you an idea, that's the web interface. As you can see I pointed my browser to server.ipa.demo.local, the machine we set up yesterday. I can log in as admin. Since my local workstation where I have the browser running is not part of the IPA domain, I have to type in my password. If it were part of the domain and if I had configured my browser for Kerberos authentication, there would be no need to authenticate with the password. So that's the web interface. If you want you can go through it a bit now and explore it. You can create users here, that's part of module 3 you are supposed to go through in a few minutes, let's say, you can create user groups here, and yeah, just take a look at the web interface.

On the other side you can also use, as I just said, the command line tool. If you run ipa user, for example, and make use of the bash completion, then you see there are a lot of different modules available. In order to set up a new user you can just call ipa user-add and then either you pass the necessary options to the ipa tool, username, first name, last name and things like that, or you just press enter and then the tool asks you for the necessary options.

One remark at that point in time: I saw there was one mistake in the setup instructions we used yesterday, let me point you to that. Okay, yeah, yesterday I asked you to install vagrant and vagrant-libvirt on your workstation machine, on your physical workstation machine, and in addition to that also to install bash completion. But that's of course wrong. You don't need bash completion on your physical box, you need the bash completion package inside of the VMs, not on the physical box. So probably you can't install this package now anymore from your virtual machines because you don't have external network access
from the VMs. But what you can do in order to use the bash completion, which is quite convenient because the ipa command line tool has, as I said, a lot of sub-modules, and it's really helpful to have bash completion available: just manually source the bash completion file here in the VM, source it from the command line, and then bash completion is available as I have just shown, and so on and so forth. You can do that on the replica machine later on as well, and on the client too. Okay, so that was just a side note.

Okay, so I would say now go through module three just like we did yesterday. You have plenty of time to go through the module. Try to set up a user account. Part of the module now is that you set up two user accounts, Alice and Bob I think, and then you are asked to put one of those accounts into a group which is called sysadmin. I leave it up to you if you use the command line or if you use the web interface, it's up to you. Okay, good, give it a try, and if you have problems with the setup let us know.

One more question: is everybody able to connect to the web interface, or do you have any problems to connect to it? It's working? Or it's not? It works for me. So when you use the command line, let's say you authenticate as admin, type in your password, then run ipa user, and you also see an issue? Okay, seems to be fixed.

Okay, so let me just quickly show you what you have been supposed to do. I use the command line, so ipa user-add. Oh, first make sure you have a valid Kerberos ticket. ipa user-add, first name Bob, last name Bob-last, and the actual login name is bob, actually it's called just last. Now as you can see the user account is created. It uses some defaults, for example for the login shell. You can define another one if you want. If you're curious where all the default settings are defined, you can run for example ipa config-show and
then you see the default shell that is used for every user, and if you want to change it to a different one then you can define it there. A user ID has been created on the fly, a group ID has also been created, and the user is automatically part of the ipausers group, which is kind of the default group that is available by default after the installation. Yeah, that's basically it. So at this point in time, as you can see, a Kerberos principal for this user has been created as well, but it does not have a password so far. The password flag is set to false. So if you want to set a password for the user as admin, for example run ipa passwd bob, give a password, and then the user has a password set. If you run ipa user-show bob you can now see that the user has a password configured. You can authenticate as Bob, type in the password, and then you are forced to change it with the first login. So you have changed it, you received a TGT for the user Bob, and you can now log in to a different machine. I should have used the fully qualified domain name of course. So it took a while, but finally it finished to connect to the client machine, and as you have probably seen I did not type in a password, so the authentication was now done based on Kerberos. If you log out again and check your Kerberos credential cache, you can see that at this point in time you not just have a Kerberos TGT but also a service ticket for the host you have been connecting to, and that all happened automatically in the background. So that's an example for single sign-on with a user you just created. The same can be done with the web UI, of course, as well.

There was one note here in the setup, actually in the module instruction, you have probably seen that users are always forced to change their password with the initial login. Well, that is a different kind of setup now if you use AD users. Let's say you have set up a trust to an AD domain or a complete AD forest, then you
don't use the accounts from the IdM side, because the accounts live on the AD side and you use the accounts stored there. Then that's a completely different behavior. Okay, so I just wanted to mention that.

If you connect to the web interface for the first time you've probably seen a warning that the certificate is not trusted by your web browser. That's simply because yesterday, when we set up the server, we used the default setup option regarding the certificate authority, which is part of the whole setup. The default option is that IPA creates an internal certificate authority as a root CA. What does it mean? It means that the CA certificate is self-signed, so it's not signed by another certificate authority. And that's the reason why you got this warning message, because of course the Dogtag CA which you set up yesterday, the certificate of the CA is not part of your web browser, so it's not trusted, and that's why you receive the warning. There are different other setup options available as well. You could also say that Dogtag should be subordinated to another CA, an internal or external one, or you can completely leave out the CA setup, and then you have the requirement to always go to another CA in order to receive certificates. But what I would recommend, and I would say the most common setup, is to set up Dogtag and have the Dogtag CA certificate signed by another certificate authority which is already trusted in your enterprise environment. That's the most common setup. Okay, so this was module two, sweet.

So the next module is about host-based access control. I already briefly explained what host-based access control means in the context of IPA. By default, access is allowed for everybody to every host and to every service running on the
different hosts. That's what you have seen in the last module as well: if you SSH from the server as Bob to the client, that was working out of the box without the need to configure anything, and the reason for that is that there is a default host-based access control rule available which is called allow_all, and probably everybody can guess what it does. It's the rule that is responsible that every access is allowed for every user to every host, to every service running on the host. If you would disable this rule, no access would be possible at all, and that's what you are actually supposed to do in the next module. The idea here is that you disable the allow_all rule. That's easily possible, you can just run ipa hbacrule-disable allow_all, and now it's disabled, so no access would be possible to any host for any user now. And I enable it again.

In such a case, what you have to do in order to, let's say, SSH from one host to another host is to set up a proper host-based access rule, and that's what you are supposed to do here. You set up a rule called sysadmin_webservers and you assign a host group to the rule. The host group is also something that has to be created. A host group is just a group of hosts, so you can take hosts and put those hosts into a group, and instead of referring to a single host you can then just refer to the group, and then it's much easier instead of referring to various hosts. Then you create a user group called sysadmin, you put Alice into this group, and you assign this group also to the host-based access control rule. And then finally, in the next step, you have to define which services are assigned to this sysadmin_webservers rule. You could specify a specific service here, for instance sshd, if you just want to allow the access to the sshd
service. In our case we just say access to every single service is allowed for the users which are part of the sysadmin group and for the hosts which are part of the webservers group. Okay, that's what you are supposed to do. There is a testing mechanism available here as well. As you can see, ipa hbactest, that tool, or actually this command, can be used to test if the rule is working. Just to give you an idea: if I disable the default rule again, and now as I told you earlier no access is possible from any user to any host, let's say I test if I can connect as user bob to the client machine via SSH. That should not work because of the disabled allow_all. If I enable the rule again and run the same command again, this time it should work: access granted, true. The same command can also be used later on if you have your proper rule to only allow access to the sysadmin group. This command can be used then. Okay, so I would say give it a try, go through the module, and make sure all the necessary groups are in place before you set up the rule. Make sure you have the host group available and make sure you have the user group available, and then set up the whole set.

Okay, let me check if the other stick is working. No, it's not working, but we had the same problem yesterday as well, so some of those sticks were completely damaged. Marios, it's here, so it's in the FreeIPA subfolder. This is the slide deck, this is the Vagrant box, and this is the, as I said again, okay. Oh wow, it takes some time to switch. No, to do what? Why should I connect? No, no, I wanted to switch to the USB stick. Okay, so this one should work. Should I copy the file on your stick as well? Okay.

The test rule, it's also part of the document here if you scroll down. So you don't have access probably because, in the last module, if you created Alice for example and you put Alice in there, but you don't want
that, so then you would have access. Let me give you an example how it should look like. The first task was to set up a host group called webservers, right, so ipa hostgroup-add webservers. The host group has been created. The second task was to add a member. If you don't know which option is necessary in order to add a member to the group, just run it with --help and then you see the option is called --hosts. Can you see that or should I scroll up? It's okay. Okay, so we wanted to add the client.ipa.demo.local host to the group, that is the necessary option. So first create the group and then add the member to the group. You could also add multiple hosts at the same time, but since we only wanted to add the client host I just used this one. Okay, so this was the first task.

Then in the next task you were asked to disable the default host-based access control rule: hbacrule-disable allow_all. It's disabled now. Then the task was to set up a new host-based access control rule which is called sysadmin_webservers. The rule is now in place, and now the thing is that you have to assign a host group to this rule set, a user group to this rule set, and also services to this rule set, and that's what you have been asked to do in the next step. So the host group webservers, that's the one we just created, so that should work. Okay, one member has been added to the group. The next command is to assign the sysadmin group to the sysadmin_webservers rule set. This will probably not work on my box because I don't have the sysadmin group available, so that means I have to create the group first. sysadmin, sysadmin, so now it's there. I want to add a member to the group, I want to add Alice to the sysadmin group. I don't have the user account there, so I have to create it. Now the user account is there, I give a password to the account, and now I can add Alice to the group. Okay, so now, that was the main idea, I have to assign the sysadmin
group to the rule set, which is working okay now. At this point in time we have the webservers group assigned to the rule set, we have the user group assigned. What is missing? The services, exactly. And here we said we want to allow all services, which worked as well. As I said earlier, you could limit this to specific services. In this case I just say access is allowed to all services as long as the user who tries to connect is part of the sysadmin group and tries to connect to a host which is a member of the webservers group. Okay, at this point in time it's only the client host. So this should theoretically work now, let's give it a try.

First of all let's use the test program I used earlier as well. Oh, maybe first of all make sure the default HBAC rule is indeed disabled. Yeah, it's disabled, and you can see we now have a second rule set available here as well, the one we just created. Which one? So the default rule is disabled, this one should be enabled. And now let's do the test. We test the connection to the client.ipa.demo.local box via SSH for the user bob. This should not work because bob is not a member of the group. When we try for Alice this should work: access granted. We can give it a try. Let's say we authenticate as bob in the first step and try to connect as bob to the client: does not work. Now let's authenticate as Alice. Oh, I have to change the password, so let's try again as Alice after I changed the password. This should work. Why is it taking so long? Something seems to be wrong. Now it's connected, okay. It took a while for some reason. It might be worth investigating why it took so long, but I think here we don't have the time for it. But as you can see Alice is now connected to the box automatically via Kerberos, and this worked. Okay, so just to be sure I am not running into any other
problems during the workshop I just enable the default rule again, as admin of course. So this was module, which one was it, module 4. Any questions? It's pretty straightforward. If you are used to the environment and have an idea how the commands should look like, then it's really easy. At the moment it might look a little bit complex, but as I said, if you get used to it then it's really easy, and of course make sure you have command line completion enabled, that definitely helps.

What do you mean exactly? So the user now has to meet both conditions that you set, the user group and the host group? Yeah, both have to apply, that's true. You have to be a member of the group and you have to connect to one of the hosts specified in the host group, otherwise the access won't work. Yeah, that's correct.

Okay, so then, oh by the way, do we have a break? No? Okay, yesterday we had one. Do you guys want to have a break? Okay, then we just continue with module 5. Module 5 now is about setting up a web server and creating a service principal for this web server. In IPA it's mostly about Kerberos, right, and when we talk about Kerberos we also have to talk about Kerberos principals. Kerberos principals are stored in a principal database, and as you have seen earlier, when I created a user account, a Kerberos principal has been created automatically for the user account I created. This is different when we talk about services. If you want to configure Kerberos-based authentication on a specific service, in this case it's a web server, you have to create a principal for the service manually. That means you have to tell IPA you now want to run a web server, you want to enable Kerberos-based authentication on this web server, and in order to make that work you have to set up a Kerberos principal for the web server, and
yeah, that's what is described in this module. Basically you first have to set up the principal just by running ipa service-add and then the service name, or actually not the service name, it's the principal name, so you specify the service, a slash, and then the host name where the service actually runs on. This is the service, that is the host where the service runs. It's important to understand that you can only create a Kerberos principal for a service which exists on a host which is part of the FreeIPA domain. This host has to be part of the IPA domain, so it has to have a Kerberos principal, otherwise it would not work to add a service principal for a service which is supposed to run on the specific host. Okay, and then of course, if you've created the service principal, let me rephrase: the service principal is part of the IPA framework. In order to make use of it on the host where the Apache service runs, you have to retrieve the principal from the IPA server to the machine where the service runs. In our case that's the client machine. There is also a quite convenient command available to do that, it's called ipa-getkeytab. You specify the IPA server, the name of the Kerberos principal and the name of the local file where you want to store the principal in. This file is usually called a keytab file. Then the client talks to the server, retrieves the service principal and stores it in this file, and that's basically it from the IPA point of view. The next steps are just the configuration of Apache. You have to make sure the keytab file is available in a location Apache has access to, you have to make sure that the Apache service can actually access the file, so you have to assign the proper user and group permissions, and in case you have SELinux enabled, which is of course always the case, then you have to make sure
the file also has a proper SELinux context. Then you have to configure Apache. On your client box Apache is already installed. There is also a little application available on this box called app.py, and if you execute this application on the Apache host, so actually if you call the URL to execute the application, it requires a valid login. You have to log in as some user, Alice or Bob, and when you then execute the application in the web browser you see as which user you are actually logged in. That's the purpose of the application. If you are not logged in via Kerberos the application won't work, so you do not have access to the application when you do not have a valid Kerberos ticket available. The whole configuration is done in a config file called app.conf, which is also already available on your client box. You only have to add this part here: you have to point the web server to the keytab file which has been downloaded earlier, or actually created earlier based on the Kerberos principal. Here you define what I just said, that you have to have a valid Kerberos ticket in order to access the application, and that's actually the file that is being executed, but that's already part of the configuration file. So the only thing you have to add is this part here. Then you can restart the server, you can authenticate as some user you created earlier, Bob or Alice, it doesn't matter, and then you can use a command line tool like curl, for example, to execute the application, and then you should see something like this: you should see that you are actually logged in as bob. There's a request variable which is set, the request user variable, it's actually called, sorry, the REMOTE_USER variable, and that's the one that is used by the application to show which user is currently talking to the service. Yeah, that's what you're supposed
to do in this module: create the service, retrieve, just a second, retrieve a keytab file from the server to the client, customize the existing Apache configuration, restart Apache and run curl to execute that.

You had a question? Yeah, okay, let's have a look. So yeah, it says there was no, so did you execute, to use a server. So, I think, can you just try to find the real world, the real world, because it's okay, but it should be pretty automatic, you're in the environment. Okay, that's fine too. I just want IPA. Now I have to cancel all the orders, all the dance, all the dance, all the sales, all the stuff. I'm eating from here on, I don't know. Yeah, we just looked at it, because the IPA server should do the DNS for the whole environment, the client should have set it up. Okay, so probably something is going on.

So we have only 15 minutes left, yeah. I would say we continue with module six, and I will also talk briefly about module seven and module eight, and then I'll leave it up to you which exercises you want to complete here in the workshop, okay? So just that you have an idea about the topics which are discussed in the different modules. So the last module, was that working okay for you? For most of you? Okay, good.

So module six is about certificate management. This is also quite important and interesting, because I mentioned a couple of times already that IPA comes with an internal certificate authority system which is able to issue certificates for hosts, for services and also for users with the last releases. So in the last releases we added the feature of certificate profiles, and with the profiles you are now able to issue certificates for various kinds of setups. Okay, so the idea in this module here is that you request a service certificate for the web server you set up in the last module. So this was, actually this is the service principal, this was the Kerberos service principal you configured in the last module.
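Before moving on to certificates, here is a small model of the host-based access control evaluation from module 4 above (the default allow_all rule, the sysadmin_webservers rule, and what ipa hbactest reports for Alice and Bob). It is an added example, not part of the workshop materials or FreeIPA's own code; the users, groups and host-group memberships are constructed to match the workshop setup, and the rule semantics (access is granted when any enabled rule matches user, host and service; there are no deny rules) follow FreeIPA's HBAC model.

```python
"""Offline model of FreeIPA host-based access control (HBAC) evaluation.

Added example for the workshop's module 4; not FreeIPA's own code.
Directory contents below are constructed to mirror the workshop setup.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALL = "all"  # mirrors the "all" category of ipa hbacrule-add --usercat/--hostcat/--servicecat


@dataclass
class HBACRule:
    """One HBAC rule as FreeIPA stores it: categories or explicit members."""
    name: str
    enabled: bool = True
    usercat: Optional[str] = None       # "all" or None (explicit users/groups only)
    hostcat: Optional[str] = None       # "all" or None (explicit hosts/hostgroups only)
    servicecat: Optional[str] = None    # "all" or None (explicit services only)
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)       # user groups
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)


@dataclass
class Directory:
    """Constructed stand-in for the memberships the server keeps in LDAP."""
    user_groups: Dict[str, Set[str]]    # user -> user groups
    host_groups: Dict[str, Set[str]]    # host -> host groups
    rules: Dict[str, HBACRule]

    def hbacrule_disable(self, name: str) -> None:
        self.rules[name].enabled = False

    def hbacrule_enable(self, name: str) -> None:
        self.rules[name].enabled = True

    def rule_matches(self, rule: HBACRule, user: str, host: str, service: str) -> bool:
        """All three dimensions must match for a rule to apply (as the speaker says)."""
        user_ok = (rule.usercat == ALL or user in rule.users
                   or bool(rule.groups & self.user_groups.get(user, set())))
        host_ok = (rule.hostcat == ALL or host in rule.hosts
                   or bool(rule.hostgroups & self.host_groups.get(host, set())))
        svc_ok = rule.servicecat == ALL or service in rule.services
        return user_ok and host_ok and svc_ok

    def hbactest(self, user: str, host: str, service: str) -> Tuple[bool, List[str]]:
        """Return (access granted, names of enabled rules that matched), like ipa hbactest."""
        matched = [r.name for r in self.rules.values()
                   if r.enabled and self.rule_matches(r, user, host, service)]
        return bool(matched), matched


def workshop_directory() -> Directory:
    """Memberships and rules as created in modules 3 and 4 (constructed data)."""
    d = Directory(
        user_groups={"alice": {"ipausers", "sysadmin"}, "bob": {"ipausers"}},
        host_groups={"client.ipa.demo.local": {"webservers"},
                     "server.ipa.demo.local": set()},
        rules={},
    )
    # Default rule shipped with a fresh server: every user, every host, every service.
    d.rules["allow_all"] = HBACRule("allow_all", usercat=ALL, hostcat=ALL, servicecat=ALL)
    # Rule built in module 4: sysadmin group -> webservers host group, all services.
    d.rules["sysadmin_webservers"] = HBACRule(
        "sysadmin_webservers", groups={"sysadmin"}, hostgroups={"webservers"}, servicecat=ALL)
    return d


def workshop_checks() -> Dict[str, Tuple[bool, List[str]]]:
    """Replay the hbactest runs from the workshop, before and after disabling allow_all."""
    d = workshop_directory()
    client, server = "client.ipa.demo.local", "server.ipa.demo.local"
    out = {"bob_with_allow_all": d.hbactest("bob", client, "sshd")}
    d.hbacrule_disable("allow_all")           # ipa hbacrule-disable allow_all
    out["bob_without_allow_all"] = d.hbactest("bob", client, "sshd")   # not in sysadmin
    out["alice_client_sshd"] = d.hbactest("alice", client, "sshd")     # group + hostgroup
    out["alice_client_httpd"] = d.hbactest("alice", client, "HTTP")    # servicecat=all
    out["alice_server_sshd"] = d.hbactest("alice", server, "sshd")     # host not in webservers
    return out


if __name__ == "__main__":
    for case, (granted, rules) in workshop_checks().items():
        print(f"{case}: Access granted: {granted}  matched: {rules}")
```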
It should have a keytab. It's running on the client.ipa.demo.local system, and in the next step you are enabling certmonger. Certmonger is actually a client application which helps to make sure that if a certificate which has been issued is going to expire, this certificate is renewed automatically before it expires, and it can also be used to request the actual certificate. So there is no need for you to do the request manually, because it can all be done with the help of certmonger. Okay, should we do that later on?

So, as I just said, you can use certmonger for that, and this is the command line which can be used: ipa-getcert request, the NSS database where you want to store the certificate key and the actual certificate, a name for the certificate, that is just a nickname, and for which service principal you want to request the actual certificate. Maybe one more note about this: when it comes to certificate management you can either set up PEM-based certificates, those certificates are usually stored in plain text files which are base64 encoded, or you can say you want to use an NSS database and store the certificate and the key which belongs to the certificate in the NSS database, and that's the case here in the example. Instead of using plain text files I just say Apache is already using the NSS database, so why not just store the new certificate in this NSS database, and that's what I say here: this is the location where the database is stored, this is the nickname, and I want to have a certificate for this service principal. Then the request is issued, and if everything worked well you should receive a certificate back from the Dogtag instance which is part of the IPA framework. So it says that's the location where the certificate is stored, it has been issued by this certificate authority, and here is the expiration date when the certificate expires. Just to give you an idea how it might look like, so this is, I
think I did not create a service, so this is the actual service. I enable certmonger, so it's running, and now what I do is I just request a certificate for the service. A signing request has been issued. What? I'm logged in as a waitress, that's why it failed. So this is a signing request but it failed because my web server is not configured properly. If I would have done that you would see a request like this. If you do that on your machines it will definitely work. If you want to look at the certificate that has been issued, it might look like this: you can use the certutil command, which is part of NSS, you specify the folder where the NSS database is stored, and then you say -L. Without any further options it would show you a list of all the certificates which are stored in the database, and if you pass the -n option and the nickname then you only see this specific certificate. You see the serial number with which the CA has issued the certificate, the expiration date, and then you have the certificate available and you can reconfigure Apache to use the certificate. So it's really convenient to use certmonger for this. Of course here we just use a very basic example, we just specified for which service you want to have a certificate. You could also add a lot of different options as well, you could specify for example which extensions you want to use in the X.509 certificate, you can set up additional DNS names, all the things that can be stored inside of an X.509 certificate, for all those things an option is available with certmonger. So this is really just a very basic example, and it's definitely worth spending some more time on this if you're interested in it later on.

So replica installation, that is module 7. Replica installation means that you just replicate your existing FreeIPA server onto another box, and in practice it means that you have a second IPA server available. This is good for example for load
balancing, if you have a lot of load then it makes sense to distribute the load across different machines, or for high availability, so if one server goes down then you still have another one which is available. It definitely makes sense to have different replicas available, especially if you have multiple geos, for example, as well. Then it makes sense to have a replica available, and every geo might have some offices and so on and so forth. The installation again is really easy. What you have to do on the main server: you have to prepare the replica just by running ipa-replica-prepare with the IP address of the replica and the name of the replica. Then you are asked for the Directory Manager password, it retrieves some information out of the LDAP tree and then it creates a replica file, this one, and this one is actually required on the replica system, so you have to copy it over from the master to the replica. You run ipa-replica-install and pass the file name you just created on the master to the tool, and then it's more or less the same like on the master server. The installation starts and it sets up all the necessary services, and after a while the replica has been set up, and you already have replication configured at this point in time between the master and the replica system. Actually all the data is stored in LDAP, a replication between the two LDAP servers on the master and on the replica has been configured, and the replication is running right away. That's the replica.

So the last module here is SSH keys. That's also a quite interesting feature. When you have SSH keys available for users, for hosts, they are usually stored in local files. For users you have an authorized keys file, for hosts you have a known hosts file, and it's always a mess if you have a large environment and you have to copy those files around. It is really easy to store those files in IPA, so IPA can be used as a kind of backend store for public user keys and host keys. To give you an idea, if you create a key pair
for a user, in this case it's Alice, you can just modify the user entry for Alice and add the key that has been stored in the local file to the user entry. So you can just copy and paste the key from the local file, run ipa user-mod for Alice and pass the option --sshpubkey with the content of the key, and then the key is stored in IPA.

So during the setup of a client, the SSH server already has been configured to look up the IPA SSH key when an SSH key is used for authentication. So the SSH daemon is not checking the local authorized keys file anymore; instead it's asking IPA if the user who is currently trying to log in has a valid key available, and it talks to IPA. So this is actually done by a little proxy application which is part of the IPA, sorry, of the OpenSSH server configuration. So if you look it up, there's a little script here at the end of the configuration; the option which is used is called AuthorizedKeysCommand, and this is a script which comes with the framework and which tells the SSH server to please talk to the IPA server in order to look up the key instead of looking into the local authorized keys file. And that's quite convenient.

So if you want to verify this, if you've uploaded the key, just make sure that you disable Kerberos authentication, because if you have a valid Kerberos ticket already when you test it, it first tries to log in via Kerberos. Disable Kerberos during the SSH login; this is a necessary command-line option, actually. And then you can log in to a different server, and to verify that the public key has really been used you can look up the log file, and you should see something like this in the log: that the authentication is based on a public key and it's not based on GSSAPI.

And the same is actually true for host keys as well. So instead of only uploading user keys you can also upload host keys, and then the SSH client is also automatically configured to look up IPA instead of looking into the known hosts file to verify if a host is known and trusted or if it's not trusted.

Okay, that's basically it. I think we are already out of time, at least for a minute. Questions? Do we still have a few minutes for questions? Maybe one question, if there is any. No questions? Okay, good. Okay, then thank you very much and have fun with IPA.

Yeah, also please keep in mind that you can rate this workshop on the pages of the conference, or we have the mobile application. And we are also... for your... I will copy it over for the existing one. Thank you. Yeah, and we would like to kindly ask you for the returning of those USB sticks if you have them. Okay, just give me a second so that I can start the copy.

Okay, I have a small environment with no Active Directory. There's no Active Directory but I use Samba with OpenLDAP, like a Samba domain. Do you have any recommendation how to solve this with IPA? To do what? To make some kind of Active Directory for Windows. At this point in time, so, it's in the works. So what is actually missing, so that you can kind of build up an Active Directory server with IPA: you need a component which is actually called a global catalog server, right? So this global catalog server component is always available in an AD domain, and this one is actually not available at the moment on the IdM side, and that's why you cannot set up something like this with IPA. But it's in the works, as I said, so it's coming, it's coming. Okay, cool.

So it's still thinking, it takes a while. Okay, can I keep it because, uh, a prize? Yeah, okay, because it will be used for other workshops, but yeah, yeah, yeah. Also really slow, so when you copy like a 500 MB file it takes like 10 minutes. Yeah, actually I was a bit cold. Okay, yeah, and eventually the .box file, it's also blocking. What is blocking? The .box file, some box file, it's also broken so you cannot add it actually. So I will copy directly. Yeah, you can download it from my laptop, I currently use B6 somehow, I can give you the file. Okay, it's still thinking. What?

Maybe you can just take the stick with you and pass it back later on. Well, yeah, one... the bow now... so what was working then? So you have just restarted, and... yeah, yeah, now I have restarted httpd, okay, because we have... And afterwards it was working, after restarting httpd. Okay, here it is. I think it was very short. Yeah, me too, but it was actually the way it was. I want to go. Okay, I think I'm going to... No. Are you coming to Alexander's presentation? Yeah, but that's one way. Yeah. Okay, stars is a reward when you answer some of your questions. We also have a Raspberry Pi to give. Are you the new photographer? No, I just take the stuff. Okay, should I connect on a hedge? Do you need anything? Should I connect to the networks? Are there two cables available? There's only one. I only need the cable, I just need the output. Okay, I'll get the network. Is there a reduction? Do you need it? No, I just need it. Do you need it? Hey, how are you? Are you attending the fourth lab? Yeah. Okay, cool. Awesome. Okay, awesome. Yeah, we need it. Yeah.