Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread Martin Kosek
On 02/07/2013 08:46 PM, Steven Jones wrote:
> Hi,
> 
> I have had little to do with permissions until now so bear with me if the Qs 
> are obviously stupid, probably not really IPA but a linux blind spot I 
> have anyway,
> 
> So I have a service account with its group this runs a database.
> 
> So oracle with uid 2000 and gid 2000.  I have some other users that need to 
> be in the oracle user's group but I can't do that in IPA? 
> 
> So how do I get around that?
> 
> Or am I approaching it totally wrong?
> 
> I created a user group called oragrp gid 2001 but the user oracle is creating 
> files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume 
> would fix it?
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 

Hello Steven,

I assume you want to change the oracle user's primary GID, i.e. something like this:

# ipa group-add oragrp --desc "Oracle Group" --gid 2001

Added group "oragrp"

  Group name: oragrp
  Description: Oracle Group
  GID: 2001

# ipa user-add --first Oracle --last User oracle --noprivate --uid 2000 --gidnumber 2001
---
Added user "oracle"
---
  User login: oracle
  First name: Oracle
  Last name: User
  Full name: Oracle User
  Display name: Oracle User
  Initials: OU
  Home directory: /home/oracle
  GECOS field: Oracle User
  Login shell: /bin/sh
  Kerberos principal: ora...@example.com
  Email address: ora...@example.com
  UID: 2000
  GID: 2001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

# su oracle
sh-4.2$ id
uid=2000(oracle) gid=2001(oragrp) groups=2001(oragrp)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ touch /tmp/foo
$ ls -la /tmp/foo
-rw-r--r--. 1 oracle oragrp 0 Feb  8 02:28 /tmp/foo

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] User Migrated from LDAP not able to change the password

2013-02-07 Thread Martin Kosek
On 02/08/2013 07:43 AM, Rajnesh Kumar Siwal wrote:
> We migrated the users from openldap to IPA.
> We are getting the following error after the User has been migrated
> (after he changes the password through https://ipa1/ipa/migration/)
> and he tries to change passwd:
> Account is not locked and Kerberos credentials seem to be present
> (created by ipa/migration)
> 
> $ ssh siwal@1.1.1.1
> siwal@172.31.254.204's password:
> Warning: Your password will expire in less than one hour.
> Password expired. Change your password now.
> Last login: Fri Feb  8 09:28:41 2013 from 1.1.1.2
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user siwal
> Current Password:
> passwd: Authentication token manipulation error
> Connection to 1.1.1.1 closed.
> 
> # ipa user-status siwal
> ---
> Account disabled: False
> ---
>   Server: ipa1.xyz.dmz
>   Failed logins: 0
>   Last successful authentication: 2013-02-08T03:59:29Z
>   Last failed authentication: N/A
>   Time now: 2013-02-08T06:40:18Z
> 
>   Server: ipa2.xyz.dmz
>   Failed logins: 1
>   Last successful authentication: 2013-02-08T03:59:20Z
>   Last failed authentication: 2013-02-08T03:59:33Z
>   Time now: 2013-02-08T06:40:18Z
> 
> Number of entries returned 2
> 
> # ipa user-show vinay
>   User login: siwal
>   Home directory: /home/siwal
>   Login shell: /bin/bash
>   UID: 522
>   GID: 522
>   Account disabled: False
>   Password: True
>   Kerberos keys available: True
> 

Hello Rajnesh,

Can you show your user password policy?

# ipa pwpolicy-show

I would also be interested to see the full user record after the authentication
failure:

# ipa user-show siwal --all --raw

The krb* attributes and others may give us some hint about what's wrong.

Martin



Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-07 Thread James James
My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is
Scientific Linux 6.3.  I have used ipa-server-certinstall to replace the
default IPA certs.




2013/2/8 Rob Crittenden 

> James James wrote:
>
>> Hi,
>> today I wanted to install an ipa replica. When I used the
>> ipa-replica-prepare command, I got this error:
>>
>> [root@ipa ~]# ipa-replica-prepare ipa2-example.com
>>
>> Directory Manager (existing master) password:
>>
>> Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
>> 
>>
>> Creating SSL certificate for the Directory Server
>> certutil: could not find certificate named "CN=EXAMPLE.COM
>>  Certificate Authority": security library: bad
>> database.
>>
>> certutil: unable to create cert (security library: bad database.)
>> preparation of replica failed: Command '/usr/bin/certutil -d
>> /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i
>> /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>> /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit
>> status 255
>> Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n
>> Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>> /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit
>> status 255
>>   File "/usr/sbin/ipa-replica-prepare", line 459, in 
>>  main()
>>
>>   File "/usr/sbin/ipa-replica-prepare", line 345, in main
>>  export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
>> replica_fqdn, subject_base)
>>
>>   File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>>  raise e
>>
>>
>> I have a certificate generated by a custom certificate authority in the
>> ipa server.
>>
>
> Need more information on your installation. What version of IPA, what
> distro?
>
> Did you use ipa-server-certinstall to replace the default IPA certs?
>
> rob
>
>

[Freeipa-users] User Migrated from LDAP not able to change the password

2013-02-07 Thread Rajnesh Kumar Siwal
We migrated the users from openldap to IPA.
We are getting the following error after the User has been migrated
(after he changes the password through https://ipa1/ipa/migration/)
and he tries to change passwd:
Account is not locked and Kerberos credentials seem to be present
(created by ipa/migration)

$ ssh siwal@1.1.1.1
siwal@172.31.254.204's password:
Warning: Your password will expire in less than one hour.
Password expired. Change your password now.
Last login: Fri Feb  8 09:28:41 2013 from 1.1.1.2
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user siwal
Current Password:
passwd: Authentication token manipulation error
Connection to 1.1.1.1 closed.

# ipa user-status siwal
---
Account disabled: False
---
  Server: ipa1.xyz.dmz
  Failed logins: 0
  Last successful authentication: 2013-02-08T03:59:29Z
  Last failed authentication: N/A
  Time now: 2013-02-08T06:40:18Z

  Server: ipa2.xyz.dmz
  Failed logins: 1
  Last successful authentication: 2013-02-08T03:59:20Z
  Last failed authentication: 2013-02-08T03:59:33Z
  Time now: 2013-02-08T06:40:18Z

Number of entries returned 2

# ipa user-show vinay
  User login: siwal
  Home directory: /home/siwal
  Login shell: /bin/bash
  UID: 522
  GID: 522
  Account disabled: False
  Password: True
  Kerberos keys available: True

-- 
Regards,
Rajnesh Kumar Siwal



[Freeipa-users] SOLVED: Re: Does disabling IPA User disables his LDAP Account Also

2013-02-07 Thread Rajnesh Kumar Siwal
Thanks for the quick update.

On Fri, Feb 8, 2013 at 9:31 AM, Rob Crittenden  wrote:
> Rajnesh Kumar Siwal wrote:
>>
>> We are planning to use the IPA Server in the application that may not
>> support Kerberos.
>> So, we may have to interact with the LDAP Server (389-ds) directly for
>> some applications.
>> I would like to confirm whether disabling the IPA User (I believe it
>> locks Kerberos Account) also disables his LDAP Account / Password.
>>
>
> It does.
>
> rob



-- 
Regards,
Rajnesh Kumar Siwal



Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-07 Thread Rob Crittenden

James James wrote:

Hi,
today I wanted to install an ipa replica. When I used the
ipa-replica-prepare command, I got this error:

[root@ipa ~]# ipa-replica-prepare ipa2-example.com 
Directory Manager (existing master) password:

Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM

Creating SSL certificate for the Directory Server
certutil: could not find certificate named "CN=EXAMPLE.COM
 Certificate Authority": security library: bad database.
certutil: unable to create cert (security library: bad database.)
preparation of replica failed: Command '/usr/bin/certutil -d
/tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i
/var/lib/ipa/ipa-6qKbha/tmpcert.der -f
/tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n
Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
/tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
   File "/usr/sbin/ipa-replica-prepare", line 459, in 
 main()

   File "/usr/sbin/ipa-replica-prepare", line 345, in main
 export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)

   File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
 raise e


I have a certificate generated by a custom certificate authority in the
ipa server.


Need more information on your installation. What version of IPA, what 
distro?


Did you use ipa-server-certinstall to replace the default IPA certs?

rob



Re: [Freeipa-users] Does disabling IPA User disables his LDAP Account Also

2013-02-07 Thread Rob Crittenden

Rajnesh Kumar Siwal wrote:

We are planning to use the IPA Server in the application that may not
support Kerberos.
So, we may have to interact with the LDAP Server (389-ds) directly for
some applications.
I would like to confirm whether disabling the IPA User (I believe it
locks Kerberos Account) also disables his LDAP Account / Password.



It does.

rob



[Freeipa-users] Does disabling IPA User disables his LDAP Account Also

2013-02-07 Thread Rajnesh Kumar Siwal
We are planning to use the IPA Server in the application that may not
support Kerberos.
So, we may have to interact with the LDAP Server (389-ds) directly for
some applications.
I would like to confirm whether disabling the IPA User (I believe it
locks Kerberos Account) also disables his LDAP Account / Password.

-- 
Regards,
Rajnesh Kumar Siwal



[Freeipa-users] SOLVED: Re: Adding an ipa-client behind NAT

2013-02-07 Thread Rajnesh Kumar Siwal
Thanks, Simo.


On Fri, Feb 8, 2013 at 1:30 AM, Simo Sorce  wrote:
> On Fri, 2013-02-08 at 00:57 +0530, Rajnesh Kumar Siwal wrote:
>> Does IPA server 2.2 support ipa client authentication behind NAT?
>
> Authentication works, password changes using kpasswd protocol do not.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>



-- 
Regards,
Rajnesh Kumar Siwal



Re: [Freeipa-users] creating group via CLI

2013-02-07 Thread John Dennis

On 02/07/2013 08:42 PM, Umarzuki Mochlis wrote:

Hi,

Is it possible to create groups and add users to that group via CLI?
So far, I could not find any sample command on doing that.


The ipa CLI has help:

% ipa help user
% ipa help group
% ipa help user-add

etc.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



[Freeipa-users] creating group via CLI

2013-02-07 Thread Umarzuki Mochlis
Hi,

Is it possible to create groups and add users to that group via CLI?
So far, I could not find any sample command on doing that.

I'm using FreeIPA 3.1.0-2 on fc18

-- 
Regards,

Umarzuki Mochlis
http://debmal.my



Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread Steven Jones
All users are IPA only

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of KodaK [sako...@gmail.com]
Sent: Friday, 8 February 2013 11:22 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Service accounts and groups

On Thu, Feb 7, 2013 at 1:46 PM, Steven Jones  wrote:
> Hi,
>
> I have had little to do with permissions until now so bear with me if the Qs 
> are obviously stupid, probably not really IPA but a linux blind spot I 
> have anyway,
>
> So I have a service account with its group this runs a database.
>
> So oracle with uid 2000 and gid 2000.  I have some other users that need to 
> be in the oracle user's group but I can't do that in IPA?
>

Is oracle an IPA user and group or a local user and group?

Assuming a Linux host and a local oracle user and group:  you can add
the IPA users to a local group and it will work.  I have no idea if
that's the "right" way to do it, though.


> I created a user group called oragrp gid 2001 but the user oracle is creating 
> files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume 
> would fix it?

Again, if oracle is a local user, you can change his primary group
using "usermod -G 2001 oracle" -- but you might as well just add the
IPA users to the local oracle group.

--Jason



Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread KodaK
On Thu, Feb 7, 2013 at 1:46 PM, Steven Jones  wrote:
> Hi,
>
> I have had little to do with permissions until now so bear with me if the Qs 
> are obviously stupid, probably not really IPA but a linux blind spot I 
> have anyway,
>
> So I have a service account with its group this runs a database.
>
> So oracle with uid 2000 and gid 2000.  I have some other users that need to 
> be in the oracle user's group but I can't do that in IPA?
>

Is oracle an IPA user and group or a local user and group?

Assuming a Linux host and a local oracle user and group:  you can add
the IPA users to a local group and it will work.  I have no idea if
that's the "right" way to do it, though.


> I created a user group called oragrp gid 2001 but the user oracle is creating 
> files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume 
> would fix it?

Again, if oracle is a local user, you can change his primary group
using "usermod -G 2001 oracle" -- but you might as well just add the
IPA users to the local oracle group.

--Jason



[Freeipa-users] sync / trusts with multiple AD domains

2013-02-07 Thread Brian Cook
I know that syncing w/ AD has a limitation to one domain, or multiple but only 
if there are no overlapping accounts in the AD domains.

Does the current AD trust implementation allow multiple domains, and does it 
have the same overlapping account issues?

Thanks,
Brian




Re: [Freeipa-users] Adding an ipa-client behind NAT

2013-02-07 Thread Simo Sorce
On Fri, 2013-02-08 at 00:57 +0530, Rajnesh Kumar Siwal wrote:
> Does IPA server 2.2 support ipa client authentication behind NAT?

Authentication works, password changes using kpasswd protocol do not.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] Service accounts and groups

2013-02-07 Thread Steven Jones
Hi,

I have had little to do with permissions until now so bear with me if the Qs 
are obviously stupid, probably not really IPA but a linux blind spot I 
have anyway,

So I have a service account with its group this runs a database.

So oracle with uid 2000 and gid 2000.  I have some other users that need to be 
in the oracle user's group but I can't do that in IPA? 

So how do I get around that?

Or am I approaching it totally wrong?

I created a user group called oragrp gid 2001 but the user oracle is creating 
files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume 
would fix it?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] Account Expiration

2013-02-07 Thread James James
ok thanks.



2013/2/7 Petr Vobornik 

> On 02/07/2013 08:45 AM, Martin Kosek wrote:
>
>> On 02/07/2013 08:31 AM, James James wrote:
>>
>>> Thanks Rob. I have one more question. Is it possible to add a field in
>>> the ui,
>>> and get the field's value in a custom add user hook script  ?
>>>
>>> James
>>>
>>
> Theoretically it's possible but it requires quite good knowledge of Web UI
> code. It's easier to modify user page source codes. For simple edit (just
> textbox, no calendar widget) it may be just one line of code (in WebUI,
> server plugin will require more work).
>
>
>
>> I know that Petr Vobornik is already working in better extensibility of
>> the UI,
>> but that would be available in future releases. Petr, do you have any
>> advice
>> for James for current release?
>>
>>
>>>
>>> 2013/2/7 Rob Crittenden <rcrit...@redhat.com>
>>>
>>>  James James wrote:
>>>
>>>  Can somebody give me some help to set krbPrincipalExpiration
>>> from the
>>>  freeipa ui ?
>>>
>>>
>>>  You can't set this in the web UI.
>>>
>>
>> Note: You will be able to set it in the CLI/UI when ticket
>> https://fedorahosted.org/freeipa/ticket/3306
>> is fixed.
>>
>>
>>>  You can do it from the command line using ldapmodify with:
>>>
>>>  $ ldapmodify -x -D 'cn=Directory Manager' -W
>>>  Enter LDAP Password:
>>>  dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
>>>  changetype: modify
>>>  replace: krbPasswordExpiration
>>>  krbPasswordExpiration: 20200508032114Z
>>>
>>>  ^D
>>>
>>
>> This would change the password expiration attribute. So for account
>> expiration, you
>> would just need to replace krbPasswordExpiration modification above with
>> krbPrincipalExpiration.
>>
>> Martin
>>
>>
> --
> Petr Vobornik
>

Re: [Freeipa-users] Account Expiration

2013-02-07 Thread Petr Vobornik

On 02/07/2013 08:45 AM, Martin Kosek wrote:

On 02/07/2013 08:31 AM, James James wrote:

Thanks Rob. I have one more question. Is it possible to add a field in the ui,
and get the field's value in a custom add user hook script  ?

James


Theoretically it's possible but it requires quite good knowledge of Web 
UI code. It's easier to modify user page source codes. For simple edit 
(just textbox, no calendar widget) it may be just one line of code (in 
WebUI, server plugin will require more work).




I know that Petr Vobornik is already working in better extensibility of the UI,
but that would be available in future releases. Petr, do you have any advice
for James for current release?




2013/2/7 Rob Crittenden <rcrit...@redhat.com>

 James James wrote:

 Can somebody give me some help to set krbPrincipalExpiration from the
 freeipa ui ?


 You can't set this in the web UI.


Note: You will be able to set it in the CLI/UI when ticket
https://fedorahosted.org/freeipa/ticket/3306
is fixed.



 You can do it from the command line using ldapmodify with:

 $ ldapmodify -x -D 'cn=Directory Manager' -W
 Enter LDAP Password:
 dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
 changetype: modify
 replace: krbPasswordExpiration
 krbPasswordExpiration: 20200508032114Z

 ^D


This would change the password expiration attribute. So for account expiration, you
would just need to replace krbPasswordExpiration modification above with
krbPrincipalExpiration.

Martin



--
Petr Vobornik



Re: [Freeipa-users] Account Expiration

2013-02-07 Thread Simo Sorce
On Thu, 2013-02-07 at 08:31 +0100, James James wrote:
> Thanks Rob. I have one more question. Is it possible to add a field in
> the ui, and get the field's value in a custom add user hook script  ?
> 

It wouldn't be useful as you would not have permission to change it
anyways.

If you want to consistently have a different expiration time you should
change the password policy.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
