[Freeipa-users] Re: How to deal with 'su root'

2017-12-19 Thread Gordon Messmer via FreeIPA-users

On 12/19/2017 02:54 AM, Ronald Wimmer via FreeIPA-users wrote:
We have some users that have ALL sudo permissions. What is the best 
way of keeping track of all actions they do after having switched to 
the root user? Or would it be better to completely prevent switching 
to the root user? (if yes, what would be the recommended way of doing 
that?) 



If you're doing this for auditing purposes, you need to use auditd. On a 
CentOS system, you can simply edit /etc/audit/rules.d/audit.rules and 
add two lines to the end of the file:


-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve

Run "/sbin/augenrules --load" to reload the rules.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
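The two execve rules record every command, and the detail that matters for the original question is that the audit subsystem carries the login uid (auid, set by pam_loginuid) across su and sudo, so commands run as root can still be tied to the user who became root. The following is an added example, not code from the thread: it parses constructed audit.log records and lists the root commands executed by a logged-in non-root user.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the thread): auid=1000 runs
# 'su -', then as root runs 'cat /etc/shadow'; a cron job (auid unset) runs 'ls'.
# Real SYSCALL records carry more fields (hex a0..a3 etc.); they are omitted here.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1513700000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=0 comm="su" exe="/usr/bin/su" key=(null)
type=EXECVE msg=audit(1513700000.100:101): argc=2 a0="su" a1="-"
type=SYSCALL msg=audit(1513700010.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2010 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key=(null)
type=EXECVE msg=audit(1513700010.200:102): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1513700020.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3000 auid=4294967295 uid=0 gid=0 euid=0 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1513700020.300:103): argc=1 a0="ls"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AUID_UNSET = 4294967295  # auid of processes with no login session (boot daemons, cron)

def parse_events(text):
    """Group records by event serial, merging SYSCALL and EXECVE fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[m.group(2)]
        ev["time"] = m.group(1)
        ev.update(fields)  # EXECVE comes after SYSCALL, so its a0.. argv strings win
    return events

def root_actions_by_user(text):
    """Return (auid, argv) for each execve run as uid 0 by a logged-in non-root user."""
    hits = []
    for _, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        if ev.get("uid") != "0" or ev.get("auid") in (None, "0", str(AUID_UNSET)):
            continue
        argc = int(ev.get("argc", "0"))
        argv = [ev[f"a{i}"] for i in range(argc)]
        hits.append((ev["auid"], argv))
    return hits
```

On a live system the same filtering is available as `ausearch -sc execve -ua <uid>` over the real log; the parser above only shows what that query relies on.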


[Freeipa-users] Replica setup options

2017-12-14 Thread Gordon Messmer via FreeIPA-users
I've set up a replica in an IPA domain, and was surprised that it did 
not have DNS configured the same way that the first IPA server does.  Of 
the following options that I specified on the first install, which do I 
need to provide to a replica in order to get identical functionality, 
and where is that documented?


    --mkhomedir --setup-dns --forwarder --reverse-zone 
--allow-zone-overlap --setup-adtrust



[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Gordon Messmer via FreeIPA-users

On 12/11/2017 01:46 PM, Aaron Hicks via FreeIPA-users wrote:
When the hosts behind the NAT process a job, it starts a burst of 
activity and initiating a large number of LDAP connections (multiple 
connections per host, about a hundred hosts)


That seems like a relatively small number of connections, well within 
the default configuration's capabilities.


Performance tuning for the directory server for Linux is documented here:

http://directory.fedoraproject.org/docs/389ds/FAQ/performance-tuning.html

http://directory.fedoraproject.org/docs/389ds/howto/howto-systemd.html 
(see the last section of this page)


...but be aware that some of these settings are already higher on 
CentOS/RHEL 7 than the documentation suggests.  Check the settings on 
your system before making any changes so that you don't actually impose 
a smaller limit than is currently in place.


[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Gordon Messmer via FreeIPA-users

On 12/10/2017 01:08 PM, Aaron Hicks via FreeIPA-users wrote:


We’ve got a number (hundreds) of hosts inside a private network, these 
all query the FreeIPA server for user and group information using NAT 
and a gateway server.


However we’re having issues with the LDAP queries timing out or 
becoming unresponsive.


Is there a limit on the number of concurrent connections from a single 
host (e.g. the NAT gateway)?




I'm not aware of such a limit in 389-ds, but if there were one, I'd 
expect you to see a fast lookup failure, rather than a timeout.


Instead, you might want to investigate the NAT gateway.  The common case 
with NAT gateways is a fairly short TCP timeout which causes long-lived 
but infrequently-used connections to time out, producing the kind of 
unresponsive behavior you're describing.  In that case, you might need 
to increase the NAT timeout on the gateway.  If that's not an option, 
you should migrate to sssd instead of nscd. sssd has a configurable idle 
timeout, so that you can configure the systems to disconnect after an 
idle period that matches whatever limit is imposed by your NAT gateway.


Is there a way of increasing the number of simultaneous connections to 
FreeIPA/dirsrv?




Determine whether or not that's the problem, first.  Maybe monitor your 
FreeIPA server connections.  Once a minute, record the output of "ss -ta 
| grep :389 | grep ESTAB".  If you're seeing clients hang when there are 
different numbers of active connections at the server, it's less likely 
to be a FreeIPA problem, and more likely to be a NAT problem.

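The reply suggests sampling `ss` once a minute; the script below is an added example (not from the thread) that parses that output and counts established sockets on the LDAP port per peer address, so you can see whether a single address such as the NAT gateway accounts for the connections and how the count relates to the hangs. The sample output is constructed and the hostnames and addresses are placeholders.

```python
import re
import subprocess
from collections import Counter

# Constructed 'ss -tan' output (not from the thread): three client sockets from
# 10.0.0.1 (the NAT gateway), one from 10.0.0.7, plus unrelated/non-ESTAB rows.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:389                *:*
ESTAB      0      0      10.0.0.5:389         10.0.0.1:51234
ESTAB      0      0      10.0.0.5:389         10.0.0.1:51235
ESTAB      0      0      10.0.0.5:636         10.0.0.1:51240
ESTAB      0      0      10.0.0.5:389         10.0.0.1:51236
TIME-WAIT  0      0      10.0.0.5:389         10.0.0.7:40001
ESTAB      0      0      10.0.0.5:22          10.0.0.9:55000
ESTAB      0      0      10.0.0.5:389         10.0.0.7:40002
"""

def established_by_peer(ss_output, port=389):
    """Count ESTAB sockets on the given local port, keyed by peer IP."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        local, peer = parts[3], parts[4]
        # rsplit on the last ':' so IPv6 forms such as [::1]:389 still work
        if local.rsplit(":", 1)[1] != str(port):
            continue
        counts[peer.rsplit(":", 1)[0]] += 1
    return dict(counts)

def snapshot(port=389):
    """Run ss once and return (total, per-peer) counts; needs iproute2's ss."""
    out = subprocess.run(["ss", "-tan"], capture_output=True, text=True, check=True).stdout
    per_peer = established_by_peer(out, port)
    return sum(per_peer.values()), per_peer

if __name__ == "__main__":
    import time
    while True:  # one sample per minute, as suggested in the reply
        total, per_peer = snapshot()
        print(time.strftime("%Y-%m-%dT%H:%M:%S"), total, per_peer)
        time.sleep(60)
```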


[Freeipa-users] Re: Accessing KRB5 NFS from local system accounts

2017-12-01 Thread Gordon Messmer via FreeIPA-users

On 12/01/2017 09:52 AM, Simo Sorce via FreeIPA-users wrote:

gssproxy does not use libidmapd because it is not thread safe (among
other issues), it is also not needed, because you can control mapping
in auth_to_local in krb5.conf and that place is the correct place to
deal with identity mapping when kerberos is involved.



Not sure if I'm doing this right, but that doesn't work for me, either:

[realms]
  EXAMPLE.NET = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    auth_to_local = RULE:[2:$1](daemon)s/^.*$/daemon/
    auth_to_local = DEFAULT
  }


Client's default principal is 
daemon/application-2017111901.example@example.net

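To show how the RULE line in the posted krb5.conf is evaluated against the client's principal, here is an added example, not from the thread: a minimal evaluator of the MIT krb5 auth_to_local RULE and DEFAULT syntax. It assumes MIT's behaviour that the [n:string] selector applies only to n-component principals and that the regexp must match the whole selected string, and it approximates sed regexes with Python's re module.

```python
import re

# Parses RULE:[n:string](regexp)s/pattern/replacement/[g]; regexp and sed parts optional.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/(.*?)/(.*?)/(g?))?$")

def split_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm

def apply_rule(rule, principal, default_realm):
    """Return the local name this rule yields, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    ncomp, fmt, regexp, pat, rep, gflag = m.groups()
    if len(comps) != int(ncomp):  # [n:...] applies only to n-component principals
        return None
    selected = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the components
    for i, comp in enumerate(comps, 1):
        selected = selected.replace(f"${i}", comp)
    if regexp is not None and re.fullmatch(regexp, selected) is None:
        return None  # MIT requires the regexp to match the entire selected string
    if pat is not None:
        # sed-style substitution; Python re stands in for POSIX regex here
        selected = re.sub(pat, rep, selected, count=0 if gflag else 1)
    return selected

def map_principal(rules, principal, default_realm):
    """First applicable rule wins, as with multiple auth_to_local lines in krb5.conf."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None  # no mapping: the server treats the principal as unknown
```

With the posted rule, `daemon/<host>@REALM` selects `$1` = "daemon", the regexp matches, and the substitution yields the local name "daemon"; a two-component principal whose first component is not "daemon" falls through all rules and gets no local identity.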


[Freeipa-users] Re: Accessing KRB5 NFS from local system accounts

2017-12-01 Thread Gordon Messmer via FreeIPA-users

On 11/30/2017 03:11 PM, Simo Sorce wrote:

The reason why NFS wants to authenticate you, is to know what uid/gid
it should assign to your user (on the server) to access files. So
creating a user is not necessarily a bad idea...


Naturally.  I think I understand the "why" part of krb5 NFS 
authentication, but I'm trying to figure out how to allow access from 
system accounts, where creating a new user and changing the UID for an 
existing process would mean changing permissions on the local 
filesystems in addition to the NFS filesystems.



However in some NFS servers you may be able to create mappings from
principals to local users. In that case you can use a SPN (Service
Principal Name) and associated keytab to gain access.

In freeipa only users can have a 1 component principal such as "daemon@
DOMAIN" normally. If you really just want to use a service I would
first explore the possibility of mapping "daemon/hosts.f.q.d.n@REALM"
to a user on the NFS server and then just create a normal service and
get a keytab for it in IPA.



That looks like it's probably what I'm after, though I can't get it to 
actually work.  On the NFS server, I've set '[Translation] Method = 
nsswitch,static' and set '[Static] daemon/f.q.d.n@REALM = daemon'.  With 
verbosity set to an arbitrary large value, I see what appears to be 
activity mapping numeric UID and GIDs to names, but never the reverse.  
There is no logged activity mapping a name to a UID, and the process 
which has the 'daemon/f.q.d.n@REALM' ticket gets access as the nfsnobody 
account.  (It had no permission of any kind with no ticket.)  It may be 
good enough to provide a ticket and no mapping, since I want it to 
access globally readable files, and the nfsnobody user can do that, but 
I would like to understand the mapping feature better than I do. I'm 
doing something wrong, but I'm not sure what.  That seems like a 
question better suited for another list, though.



[Freeipa-users] Accessing KRB5 NFS from local system accounts

2017-11-30 Thread Gordon Messmer via FreeIPA-users
I'm troubleshooting a problem: A local system account (daemon) needs to 
access a file on an NFS4 filesystem with sec=krb5.  My understanding is 
that only processes which have a Kerberos ticket are able to access 
files on such a filesystem, and that seems to be the case on the system 
I'm troubleshooting.


Suppose I need a keytab to identify the "daemon" user.  I don't think I 
want to create a new user in FreeIPA, since it would have a uid/gid that 
conflict with the locally defined account. However, I think I do need a 
keytab for "daemon@DOMAIN".  The ipa command doesn't seem to provide a 
means of creating such a principal.


Should I work directly in kadmin to create the principal and export the 
keytab?  Am I even on the right track?



[Freeipa-users] Re: mysql and freeipa

2017-11-01 Thread Gordon Messmer via FreeIPA-users

On 11/01/2017 09:46 AM, Robbie Harwood wrote:

None of that is particularly relevant unless you're specifically
supporting MSCHAPv2 authentication.

... which you shouldn't do because it's broken:
https://www.schneier.com/blog/archives/2012/08/breaking_micros.html


...and also not supported by MySQL, as far as I know.  I suppose I could 
have said that, but I thought it was obvious.  :)


[Freeipa-users] Re: mysql and freeipa

2017-10-31 Thread Gordon Messmer via FreeIPA-users

On 10/31/2017 03:44 PM, Andrew Meyer via FreeIPA-users wrote:


I've been following this website:
FreeIPA: Giving permissions to service accounts. — Firstyear's 
blog-a-log 




None of that is particularly relevant unless you're specifically 
supporting MSCHAPv2 authentication.


The easiest solution for authenticating MySQL using FreeIPA is probably 
to join the MySQL server to the IPA domain and then use PAM authentication:


https://dev.mysql.com/doc/refman/5.5/en/pam-pluggable-authentication.html




[Freeipa-users] Re: LDAP connection issue - ipa replica fails at replication task

2017-10-28 Thread Gordon Messmer via FreeIPA-users

On 10/27/2017 06:41 PM, Bhavin Vaidya via FreeIPA-users wrote:
ldapsearch from client works, on same host which we are trying to 
create replica. (ran ipa-client to test and then uninstall).
[root@ds04 certs]# ldapsearch -x -v -H ldaps://ds01.example.com -s 
base -b '' namingContexts -d 1

...
TLS: certificate [CN=Certificate Authority,O=EXAMPLE.COM] is not valid 
- error -8172:Peer's certificate issuer has been marked as not trusted 
by the user..

...
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


It doesn't look like ldapsearch is working.  Why do you say that it works?


[root@ds01 openldap]# certutil -d /etc/openldap/cacerts -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The 
certificate/key database is in an old, unsupported format.


I'm not sure that's relevant to the problem you're having on ds04, since 
that directory isn't used by the FreeIPA LDAP server (as far as I 
know).  But now it looks like ds04 doesn't have the CA cert for FreeIPA, 
and therefore does not trust its TLS certificates.  Without that trust, 
it naturally follows that both ldapsearch fails and replication does not 
start.


It also looks like your FreeIPA installation on ds01 is somehow 
inconsistent, with /etc/openldap/certs being out of date or corrupt.  
That may or may not be related.


If this problem only affects one host, I'd suggest wiping it clean and 
starting over.  If you can't add any new host, then it would probably be 
helpful to see the logs from the ipa server setup on a brand new host 
which you try to add to the cluster.


[Freeipa-users] Re: Samba utilizing FreeIPA as Auth

2017-10-10 Thread Gordon Messmer via FreeIPA-users

On 10/04/2017 05:43 AM, Patrick No via FreeIPA-users wrote:

~~/etc/samba/smb.conf~~
security = ads



I'm working on Samba integration, as well.  I think you might need to 
use "security = USER".



[Freeipa-users] Re: server setup in existing DNS zone

2017-09-21 Thread Gordon Messmer via FreeIPA-users
That's embarrassing.  I noticed --allow-zone-overlap right after I
sent that.  I swear I looked for an option beforehand.

Sorry for the noise.


[Freeipa-users] server setup in existing DNS zone

2017-09-21 Thread Gordon Messmer via FreeIPA-users
I'd like to set up a new FreeIPA instance with DNS, and I'd like to
use a zone that already exists.  My intention is to configure the ipa
server, then delete the existing DNS zone and point NS records for
that zone toward the ipa server.

ipa-server-install fails when the domain given by --domain already
exists.  Can I instruct the setup process to skip that check?

If not, then presumably the hostname of the ipa server must not be a
member of the zone given by --domain?  I'd prefer for its hostname to
be a member of that zone, but the hostname must resolve during setup.
That's not possible if the hostname is a child of the domain given by
--domain, and that domain can't already exist.