Re: [Freeipa-users] About AllowGroups with sshd
Hi Jakub,

Thanks for your response. It's an option, but I will not add my backup servers to the FreeIPA server. Then I cannot use the HBAC option, because I want my backup server to be able to connect as root to some client servers of my FreeIPA server.

If I'm doing something wrong, please let me know.

Thanks, Regards
Jose Alvarez R.

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Tuesday, 13 September 2016 02:22 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] About AllowGroups with sshd

On Mon, Sep 12, 2016 at 10:00:57AM -0600, Jose Alvarez R. wrote:
> Hello
>
> I have a question.
>
> I have a FreeIPA 3.0 server (CentOS 6) with some client servers (CentOS 6).
> I want to enable root on two of these servers, because they are backup servers.
>
> I added these lines in /etc/ssh/sshd_config of a client server:
>
> AllowUsers root@192.168.20.2
> AllowUsers root@192.168.20.90
> PermitRootLogin yes
>
> This works, but when I try to log in with my IPA user, I can't log in.
>
> I added the line "AllowGroups" with my group of IPA users:
>
> AllowGroups
>
> But it is not working. Can you help me?
>
> Thanks, Regards
>
> Jose Alvarez.

I know I'm not answering your question directly, but isn't it better to use HBAC with IPA and centralize the access control rather than edit config files on the clients?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] About AllowGroups with sshd
Hello,

I have a question.

I have a FreeIPA 3.0 server (CentOS 6) with some client servers (CentOS 6). I want to enable root on two of these servers, because they are backup servers.

I added these lines in /etc/ssh/sshd_config of a client server:

AllowUsers root@192.168.20.2
AllowUsers root@192.168.20.90
PermitRootLogin yes

This works, but when I try to log in with my IPA user, I can't log in.

I added the line "AllowGroups" with my group of IPA users:

AllowGroups

But it is not working. Can you help me?

Thanks, Regards
Jose Alvarez.
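To show why the configuration in this post locks the IPA user out, here is an added Python model (not from the thread or from the FreeIPA project) of the order in which sshd applies DenyUsers, AllowUsers, DenyGroups, AllowGroups and PermitRootLogin, run against the posted directives and against a corrected configuration that restricts root with a Match Address block instead of AllowUsers. The group name users_ipa, the user jose and the client address 10.0.0.5 are assumptions; CIDR and negated patterns are not modelled.

```python
from fnmatch import fnmatchcase

# Simplified model of sshd's access checks: shell wildcards only (no CIDR), and
# the host part of a USER@HOST pattern is compared with the client IP address.
KEYS = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")

def parse_sshd_config(text):
    """Return (global options, list of Match Address blocks); Allow*/Deny* accumulate."""
    glob = {k: [] for k in KEYS}
    glob["PermitRootLogin"] = "yes"          # default in CentOS 6's OpenSSH 5.3
    blocks, target = [], glob                # blocks: (address patterns, options)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "Match":                   # only "Match Address a,b,..." is modelled
            target = {}
            blocks.append((rest.split(None, 1)[1].split(","), target))
        elif key in KEYS:
            target.setdefault(key, []).extend(rest.split())
        else:
            target[key] = rest.strip()
    return glob, blocks

def _match_user(user, addr, pattern):
    upat, _, hpat = pattern.partition("@")
    return fnmatchcase(user, upat) and (not hpat or fnmatchcase(addr, hpat))

def login_allowed(config, user, groups, addr):
    """sshd's order: DenyUsers, AllowUsers, DenyGroups, AllowGroups, then PermitRootLogin."""
    glob, blocks = parse_sshd_config(config)
    if any(_match_user(user, addr, p) for p in glob["DenyUsers"]):
        return False, "rejected by DenyUsers"
    if glob["AllowUsers"] and not any(_match_user(user, addr, p) for p in glob["AllowUsers"]):
        return False, "not matched by AllowUsers"
    if any(fnmatchcase(g, p) for g in groups for p in glob["DenyGroups"]):
        return False, "rejected by DenyGroups"
    if glob["AllowGroups"] and not any(fnmatchcase(g, p) for g in groups for p in glob["AllowGroups"]):
        return False, "no group matched by AllowGroups"
    permit_root = glob["PermitRootLogin"]
    for patterns, opts in blocks:            # a matching Match block overrides the global value
        if any(fnmatchcase(addr, p) for p in patterns):
            permit_root = opts.get("PermitRootLogin", permit_root)
    if user == "root" and permit_root == "no":
        return False, "PermitRootLogin is no for this address"
    return True, "allowed"

# The post's configuration, constructed from its lines (group name assumed).
POSTED = """AllowUsers root@192.168.20.2
AllowUsers root@192.168.20.90
PermitRootLogin yes
AllowGroups users_ipa"""

# Corrected configuration (this example's suggestion): restrict root by client address with Match, drop AllowUsers.
FIXED = """PermitRootLogin no
AllowGroups users_ipa root
Match Address 192.168.20.2,192.168.20.90
    PermitRootLogin yes"""
```

With the posted configuration the model rejects the IPA user at AllowUsers and also rejects root once AllowGroups names only users_ipa; the corrected one admits group members from anywhere and root only from the two backup addresses.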
Re: [Freeipa-users] HTTP response code is 401, not 200
Hi Rob,

Thanks for your response.

The PPA is hosting the control panel of the company Odin (https://www.plesk.com/?_ga=1.159107642.1001081217.1436214087). Several packages were installed by this software, because they use their own repositories.

Regards
Jose Alvarez

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, 2 May 2016 01:15 p.m.
To: Jose Alvarez R.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
> Hi, Rob
>
> I did what you indicated to me, but it still gives the same problem.
>
> Can you help me?

The problem is client side, not server side, so you need to install the updated bits on the client. I don't know what the reference to PPA is.

If that doesn't fix things then it's hard to say. There are only a couple of moving parts and you just ruled out the server since another client can enroll ok.

The non-working log shows the server sending WWW-Authenticate: Negotiate and the client just gives up. In the working version the client correctly responds with an Authorization header and things proceed so I think the problem is in either libcurl or xmlrpc-c.

rob

> Thanks, Regards
>
> Jose Alvarez
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jose Alvarez R.
> Sent: Friday, 29 April 2016 02:53 p.m.
> To: 'Rob Crittenden'
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>
> Hi, Rob
>
> Thanks for your response.
>
> I do not have access to the link https://bugzilla.redhat.com/show_bug.cgi?id=719945.
>
> I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm on the PPA server (IPA client), but it still shows the same error.
>
> A moment ago I added another client server with the same xmlrpc version and it installed correctly.
>
> Thanks, Regards.
>
> [root@bk1 ~]# ipa-client-install --debug
> /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=None, servers=None, hostname=bk1.cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.cyberfuel.com.
> DNS record found:
> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> [LDAP server check]
> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> Search LDAP server for IPA base DN
> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
> Validated servers: freeipa.cyberfuel.com
> will use discovered domain: cyberfuel.
Re: [Freeipa-users] HTTP response code is 401, not 200
...'), rights=False, updatedns=False, all=False, raw=False, no_members=False)
Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml'
NSSConnection init freeipa.cyberfuel.com
Connecting: 192.168.20.90:0
handshake complete, peer = 192.168.20.90:443
Protocol: TLS1.2
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35 GMT; Secure; HttpOnly'
storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35 GMT; Secure; HttpOnly' for prin
args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel@cyberfuel.com
stdout=640092261
stderr=
args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel@cyberfuel.com
stdout=640092261
stderr=
args=keyctl pupdate 640092261
stdout=
stderr=
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone cyberfuel.com.
update delete bk1.cyberfuel.com. IN SSHFP
send
update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1 B40F0F3FF14223B021F206C3E3276AC48F6EEAF0
update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1 30D2331BC69452EFE65445B5C990773EA41A2FE8
send
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns1.cyberfuel@cyberfuel.com no
nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
Could not update DNS SSHFP records.
args=/sbin/service nscd status
stdout=
stderr=nscd: unrecognized service
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
stdout=
stderr=
SSSD enabled
Configuring cyberfuel.com as NIS domain
args=/bin/nisdomainname
stdout=(none)
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com
stdout=
stderr=
args=/bin/nisdomainname cyberfuel.com
stdout=
stderr=
args=/sbin/service sssd restart
stdout=Stopping sssd: [FAILED]
Starting sssd: [ OK ]
stderr=cat: /var/run/sssd.pid: No such file or directory
args=/sbin/service sssd status
stdout=sssd (pid 42071) is running...
stderr=
args=/sbin/chkconfig sssd on
stdout=
stderr=
Backing up system configuration file '/etc/openldap/ldap.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/openldap/ldap.conf
args=getent passwd admin
stdout=admin:*:104540:104540:Administrator:/home/admin:/bin/bash
stderr=
Backing up system configuration file '/etc/ntp/step-tickers'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/chkconfig ntpd
stdout=
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Backing up system configuration file '/etc/ntp.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
Backing up system configuration file '/etc/sysconfig/ntpd'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/chkconfig ntpd on
stdout=
stderr=
args=/sbin/service ntpd restart
stdout=Shutting down ntpd: [ OK ]
Starting ntpd: [ OK ]
stderr=
args=/sbin/service ntpd status
stdout=ntpd (pid 42133) is running...
stderr=
NTP enabled
Backing up system configuration file '/etc/ssh/ssh_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/ssh/ssh_config
Backing up system configuration file '/etc/ssh/sshd_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
stdout=
stderr=
Configured /etc/ssh/sshd_config
args=/sbin/service sshd status
stdout=openssh-daemon (pid 46497) is running...
stderr=
args=/sbin/service sshd restart
stdout=Stopping sshd: [ OK ]
Starting sshd:
Re: [Freeipa-users] HTTP response code is 401, not 200
Hi Rob,

Thanks!!

The xmlrpc-c version on my IPA server:
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64

The xmlrpc-c version on my IPA client:
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64

The versions are the same, but the libcurl is different.

This is the curl version on the IPA server:
[root@freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[root@freeipa log]#

This is the curl version on the PPA server (IPA client):
[root@ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

Sorry, my English is not very good.

Regards.

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, 29 April 2016 11:14 a.m.
To: Jose Alvarez R.; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
> Hi Rob, Thanks for your response
>
> Yes, it's with admin.

I assume this is a problem with your version of xmlrpc-c. We use standard xmlrpc-c calls to set up authentication and IIRC that links against libcurl which provides the Kerberos/GSSAPI support.

On EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2

I'm confused about the versions. You mention PPA but include what look like RPM versions that seem to point to RHEL 6.

rob

> I execute the command "ipa-client-install --debug"
> ---
>
> [root@ppa named]# ipa-client-install --debug
> /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.cyberfuel.com.
> DNS record found:
> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> [LDAP server check]
> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> Search LDAP server for IPA base DN
> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
> Validated servers: freeipa.cyberfuel.com
> will use discovered domain: cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
Re: [Freeipa-users] HTTP response code is 401, not 200
...est result: 0/Success
[18097] 1461937028.669156: Received creds for desired service ldap/freeipa.cyberfuel@cyberfuel.com
[18097] 1461937028.669167: Removing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel@cyberfuel.com from FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669176: Storing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel@cyberfuel.com in FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669304: Creating authenticator for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel@cyberfuel.com, seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel@cyberfuel.com
[18097] 1461937028.676470: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey aes256-cts/26C4, seqnum 864174069
---

Regards
Jose Alvarez

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, 29 April 2016 09:34 a.m.
To: Jose Alvarez R.; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
> Hi Users
>
> Can you help me?
>
> I have a problem joining a client to my FreeIPA server. The IPA server version is 3.0 and the IPA client is 3.0.
>
> When I join my client to the IPA server, it shows these errors:
>
> [root@ppa ~]# tail -f /var/log/ipaclient-install.log
>
> 2016-04-28T17:26:41Z DEBUG stderr=
>
> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
>
> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
>
> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>
> 2016-04-28T17:26:41Z DEBUG stdout=
>
> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>
> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200
>
> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>
> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.

I'd look in the 389-ds access and error logs on the IPA server to see if there are any more details. Look for the BIND from the client and see what happens.

More context from the log file might be helpful.

I believe if you run the client installer with --debug then additional flags are passed to ipa-join to include the XML-RPC conversation and that might be useful too.

What account are you using to enroll with, admin?

rob
[Freeipa-users] HTTP response code is 401, not 200
Hi Users,

Can you help me?

I have a problem joining a client to my FreeIPA server. The IPA server version is 3.0 and the IPA client is 3.0.

When I join my client to the IPA server, it shows these errors:

[root@ppa ~]# tail -f /var/log/ipaclient-install.log
2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.

My client has a PPA installed (http://www.odin.com/es/products/plesk-automation/) and the curl version is:
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

The curl version on my FreeIPA server is:
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64

Can you help me?

Thanks, Regards
Jose Alvarez R.