Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-17 Thread Rob Verduijn
2014-09-16 20:57 GMT+02:00 Nordgren, Bryce L -FS :

>
> > Also opened https://fedorahosted.org/freeipa/ticket/4544
>
> Tried to summarize this thread on that ticket.
>
> Back to the OP's concern, whenever I use NFS as a documentroot for apache
> (even a WebDAV server), I make a separate mountpoint, fall back to sec=sys,
> set "all-squash", and specify the webserver's IP. It's not like individual
> user accounts need a presence on the filesystem. Do you need encryption for
> your application or is apache just going to spray the content out across
> the commodity internet via un-encrypted http?
>
> Bryce
>
> This electronic message contains information generated by the USDA solely
> for the intended recipients. Any unauthorized interception of this message
> or the use or disclosure of the information it contains may violate the law
> and subject the violator to civil or criminal penalties. If you believe you
> have received this message in error, please notify the sender and delete
> the email immediately.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>


Hello,

I've already implemented the share as 1.2.3.4(ro,sync,all-squash,sec=sys)
It's not sensitive data and it's also internal, so it will do fine for now
as a workaround.
But there is going to be a situation that apache requires access to a
document root containing sensitive data, in that case I would prefer a more
secure method.

I've been reading up a little on gss-proxy, which would be the preferred
way of obtaining the credentials from a keytab.
Have gss-proxy do it, or have gss-proxy use s4u2proxy to fetch the keytab?
(Which might also solve some of my ssh annoyances, but that's a bit off topic.)

Rob Verduijn
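As an added example, not part of Rob's or Bryce's messages, here is a small shell audit of an /etc/exports file. It reports each export's security flavour and squash setting so that exports still relying on sec=sys (the server trusting whatever UID/GID the client asserts) can be found before sensitive data is served from them. The exports lines used to exercise it are constructed; the script assumes exports(5) syntax and the kernel nfsd default of sec=sys when no sec= option is present. It also flags a mistyped all-squash, since exports(5) spells the option all_squash and exportfs rejects unknown options.

```shell
#!/bin/sh
# Added example (not from the thread): audit an /etc/exports-style file and
# report, per export entry, which security flavour(s) it accepts and how it
# squashes UIDs.  Entries with no sec= option default to sec=sys, i.e. the
# server trusts the UID/GID the client asserts, which is only acceptable for
# read-only, non-sensitive data served to a pinned client address.
# exports(5) spells the squash option all_squash (underscore); a mistyped
# all-squash is reported as invalid rather than silently ignored.

# audit_exports FILE
# Prints one line per export entry: PATH CLIENT FLAVOURS SQUASH
audit_exports() {
    set -f                                  # no globbing of "*" client specs
    sed -e 's/#.*//' "$1" | awk 'NF > 0' | while read -r path rest; do
        for spec in $rest; do
            case $spec in
                *\(*) client=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)    client=$spec; opts= ;;
            esac
            flavours=sys                    # kernel nfsd default when sec= is absent
            squash=none
            old_ifs=$IFS; IFS=,
            for o in $opts; do
                case $o in
                    sec=*)          flavours=${o#sec=} ;;
                    all_squash)     squash=all ;;
                    root_squash)    [ "$squash" = all ] || squash=root ;;
                    no_root_squash) squash=none ;;
                    *-squash)       squash="invalid:$o" ;;   # typo: exportfs rejects it
                esac
            done
            IFS=$old_ifs
            printf '%s %s %s %s\n' "$path" "$client" "$flavours" "$squash"
        done
    done
    set +f
}

# weak_exports FILE
# Lists the entries that still accept AUTH_SYS (sec=sys, or a krb5:sys fallback).
weak_exports() {
    audit_exports "$1" | awk '$3 ~ /(^|:)sys(:|$)/'
}
```

Run it as "weak_exports /etc/exports" on the NFS server; anything it lists that is not read-only, all-squashed and pinned to one client address is a candidate for sec=krb5p before sensitive content goes there.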

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-17 Thread Tevfik Ceydeliler


Hi Lukas,
After you warned me, I reinstall IPA server and client, and replica.
After that I did your directives shown below.
Everything looked ok.
I got output like you tell.
But a couple of hours later I tried to connect to the client host using 
ssh and tested again.

And surprise! The client again can't use sudo.

What happened??

On 01-09-2014 19:05, Lukas Slebodnik wrote:

On (01/09/14 17:52), Tevfik Ceydeliler wrote:

1. I think I configure instead of this document

Sorry you didn't.


2. I can login with ordinary user

login and sudo are not the same thing.

My FreeIPA server is already properly configured with sudo rules.
I tried to install freeipa-client on ubuntu 14.04 and it worked without any
problem.


Step 0: Install freeipa-client on ubuntu 14.04 and configure sudo integration

root@ubuntu1404:/# ipa-client-install --no-ntp
root@ubuntu1404:/# echo "sudoers: files sss" >> /etc/nsswitch.conf

root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam
root@ubuntu1404:/# sed -i -e 's/\(services.*\)/\1, sudo/' /etc/sssd/sssd.conf
root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam, sudo


Step 1: configure sudo rules for ordinary user
 Please follow the instructions from FreeIPA documentation.
 http://www.freeipa.org/docs/master/html-desktop/index.html#sudo


   This step was skipped, because it was already done a few months ago :-)


Step 2: login to machine as ordinary user, which is allowed to use sudo.

$ su usersssd01
Password:
$ id
uid=325600011(usersssd01) gid=325600011(usersssd01) 
groups=325600011(usersssd01),30011(biggroup1)


Step 3: run command
 sudo -l
 // this command should show you which commands can be executed as root
 // with sudo

$ sudo -l
sudo: unable to resolve host ubuntu1404.example.test
[sudo] password for usersssd01:
Matching Defaults entries for usersssd01 on ubuntu1404:
 env_reset, mail_badpass,
 
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User usersssd01 may run the following commands on ubuntu1404:
 (root) /usr/bin/less, /usr/bin/vim


Step 4: If there weren't any problems then user will be able to run command.
 sudo some_command_listed_in_step3

$ sudo /usr/bin/less /etc/shadow | wc -l
21
$ echo $?
0

$ sudo apt-get install mc
Sorry, user usersssd01 is not allowed to execute '/usr/bin/apt-get install mc' 
as root on ubuntu.example.test.
$ echo $?
1

LS


--



The information contained in this e-mail and any files transmitted with it are
intended solely for the use of the individual or entity to whom they are
addressed and Yasar Group Companies do not accept legal responsibility for the
contents. If you are not the intended recipient, please immediately notify the
sender and delete it from your system.

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-17 Thread Lukas Slebodnik
On (17/09/14 13:57), Tevfik Ceydeliler wrote:
>
>Hi Lukas,
>After you warned me, I reinstall IPA server and client, and replica.
>After that I did your directives shown below.
>Everything looked ok.
>I got output like you tell.
>But a couple of hours later I tried to connect to the client host using ssh
>and tested again.
>And surprise! The client again can't use sudo.
>
>What happened??
I don't know.

Please put "debug_level = 7" into sssd.conf  (sections: sudo and domain)
* restart sssd
* login as the sssd user who should be allowed to run sudo command(s)
* execute command "truncate -s 0 /var/log/sssd/*"
* call sudo -l
* and provide log files from /var/log/sssd/* and also output from "sudo -l"
I can take a look at the log files and identify the problem.

LS



Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-17 Thread Tevfik Ceydeliler


OK :)
No panic for myself :)
I found what was wrong; now it's OK.
Thanks so much
On 17-09-2014 14:53, Lukas Slebodnik wrote:

On (17/09/14 13:57), Tevfik Ceydeliler wrote:

Hi Lukas,
After you warned me, I reinstall IPA server and client, and replica.
After that I did your directives shown below.
Everything looked ok.
I got output like you tell.
But a couple of hours later I tried to connect to the client host using ssh
and tested again.
And surprise! The client again can't use sudo.

What happened??

I don't know.

Please put "debug_level = 7" into sssd.conf  (sections: sudo and domain)
* restart sssd
* login as the sssd user who should be allowed to run sudo command(s)
* execute command "truncate -s 0 /var/log/sssd/*"
* call sudo -l
* and provide log files from /var/log/sssd/* and also output from "sudo -l"
I can take a look at the log files and identify the problem.

LS



[Freeipa-users] sudo setup in Ubuntu

2014-09-17 Thread Sanju A
Dear All,

I am able to configure the sudo settings in CentOS clients by 
adding/modifying the entries in /etc/nsswitch.conf and 
/etc/sudo-ldap.conf. What are the exact steps for the configuration in 
Ubuntu, as I am not able to find the configuration file sudo-ldap.conf in 
Ubuntu?


Regards
Sanju Abraham
IS - Network/System Administrator
Tata Consultancy Services
TCS Centre SEZ Unit,
Infopark PO,
Kochi - 682042,Kerala
India
Ph:-   +91 484 6187490
Mailto: sanj...@tcs.com
Website: http://www.tcs.com

Experience certainty.   IT Services
Business Solutions
Consulting

=-=-=
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you



Re: [Freeipa-users] sudo setup in Ubuntu

2014-09-17 Thread Tevfik Ceydeliler


Thanks to Lukas:

Step 0: Install freeipa-client on ubuntu 14.04 and configure sudo integration

root@ubuntu1404:/# ipa-client-install --no-ntp
root@ubuntu1404:/# echo "sudoers: files sss" >> /etc/nsswitch.conf

root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam
root@ubuntu1404:/# sed -i -e 's/\(services.*\)/\1, sudo/' /etc/sssd/sssd.conf
root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam, sudo


Step 1: configure sudo rules for ordinary user
 Please follow the instructions from FreeIPA documentation.
 http://www.freeipa.org/docs/master/html-desktop/index.html#sudo


  This step was skipped, because it was already done a few months ago


Step 2: login to machine as ordinary user, which is allowed to use sudo.


$ su usersssd01
Password:
$ id
uid=325600011(usersssd01) gid=325600011(usersssd01) 
groups=325600011(usersssd01),30011(biggroup1)


Step 3: run command
 sudo -l
 // this command should show you which commands can be executed as root
 // with sudo


$ sudo -l
sudo: unable to resolve host ubuntu1404.example.test
[sudo] password for usersssd01:
Matching Defaults entries for usersssd01 on ubuntu1404:
env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User usersssd01 may run the following commands on ubuntu1404:
(root) /usr/bin/less, /usr/bin/vim


Step 4: If there weren't any problems then user will be able to run command.
 sudo some_command_listed_in_step3


$ sudo /usr/bin/less /etc/shadow | wc -l
21
$ echo $?
0

$ sudo apt-get install mc
Sorry, user usersssd01 is not allowed to execute '/usr/bin/apt-get install mc' 
as root on ubuntu.example.test.
$ echo $?
1


On 17-09-2014 16:54, Sanju A wrote:

Dear All,

I am able to configure the sudo settings in CentOS clients by 
adding/modifying the entries in /etc/nsswitch.conf and 
/etc/sudo-ldap.conf. What are the exact steps for the configuration in 
Ubuntu, as I am not able to find the configuration file sudo-ldap.conf in 
Ubuntu?




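Both copies of Lukas's recipe in this thread (the one quoted just above and the one in his earlier reply) enable sudo integration with one echo into nsswitch.conf and one sed on sssd.conf. As an added example, not part of either message, here is an idempotent shell version of those two edits plus a check that they took, and a helper for his later request to put debug_level = 7 into the [sudo] and [domain/...] sections of sssd.conf. It assumes the file layouts shown in the recipe (a "sudoers:" line in nsswitch.conf, a "services =" line in sssd.conf) and takes the file paths as arguments so it can be tried on copies first; sssd still has to be restarted afterwards, as in the recipe.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent form of the two edits in
# Lukas's recipe, a check for them, and a debug_level setter for sssd.conf.
# The recipe's 'echo "sudoers: files sss" >> /etc/nsswitch.conf' and
# "sed -i 's/\(services.*\)/\1, sudo/'" both append again on every re-run,
# leaving a duplicate sudoers: line and "services = nss, pam, sudo, sudo".
# File paths are parameters so the functions can be exercised on copies.

# edit_inplace SED_EXPR FILE: rewrite FILE through sed, keeping its inode and mode
edit_inplace() {
    t=$(mktemp) && sed -e "$1" "$2" > "$t" && cat "$t" > "$2" && rm -f "$t"
}

# check_services_sudo SSSD_CONF: succeed if "sudo" is already in services=
check_services_sudo() {
    grep -qE '^services[[:space:]]*=(.*[[:space:],])?sudo([[:space:],]|$)' "$1"
}

# check_sss_sudo NSSWITCH SSSD_CONF: succeed only when both settings are present
check_sss_sudo() {
    grep -qE '^sudoers:.*[[:space:]]sss([[:space:]]|$)' "$1" && check_services_sudo "$2"
}

# enable_sss_sudo NSSWITCH SSSD_CONF: apply both edits, each at most once
enable_sss_sudo() {
    nss=$1; cfg=$2
    # nsswitch: add sss to an existing sudoers: line, or create the line
    if grep -q '^sudoers:' "$nss"; then
        grep -qE '^sudoers:.*[[:space:]]sss([[:space:]]|$)' "$nss" ||
            edit_inplace 's/^sudoers:.*/& sss/' "$nss"
    else
        printf 'sudoers: files sss\n' >> "$nss"
    fi
    # sssd.conf: add sudo to the services= list exactly once
    check_services_sudo "$cfg" ||
        edit_inplace 's/^\(services[[:space:]]*=.*\)$/\1, sudo/' "$cfg"
}

# set_debug_level SSSD_CONF SECTION LEVEL: set debug_level in [SECTION],
# replacing an existing line, adding one to the section, or appending the
# whole section when it does not exist yet (sssd.conf need not have a [sudo]
# section at all)
set_debug_level() {
    t=$(mktemp) && awk -v sec="[$2]" -v lvl="$3" '
        /^\[/ {
            if (insec && !done) print "debug_level = " lvl
            insec = ($0 == sec); if (insec) seen = 1; done = 0
        }
        insec && /^[[:space:]]*debug_level[[:space:]]*=/ {
            if (!done) print "debug_level = " lvl
            done = 1; next
        }
        { print }
        END {
            if (insec && !done) print "debug_level = " lvl
            if (!seen) { print ""; print sec; print "debug_level = " lvl }
        }
    ' "$1" > "$t" && cat "$t" > "$1" && rm -f "$t"
}
```

On a real client: enable_sss_sudo /etc/nsswitch.conf /etc/sssd/sssd.conf, then for the debugging Lukas asks for, set_debug_level /etc/sssd/sssd.conf sudo 7 and set_debug_level /etc/sssd/sssd.conf domain/example.test 7, restart sssd, truncate the logs and run sudo -l as the test user.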

Re: [Freeipa-users] unhappy replication?

2014-09-17 Thread thierry bordaz

On 09/09/2014 04:39 PM, Kat wrote:

Anyone seen this before -- 2 freshly kicked CentOS 7 installs:

On the replica from the ipa-replica-install :

reports: Update failed! Status: [10 Total update abortedLDAP error: 
Referral]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

and then the errors file for 389-ds

"The remote replica has a different database generation ID than the 
local database.  You may have to reinitialize the remote replica, or 
the local replica."


~K


Hello,

   Investigating a similar issue, we suspected the logged RC to be
   invalid. Instead of Referral it could actually be CONN_TIMEOUT.

   If you are still able to reproduce, would you verify the value of
   'nsds5ReplicaTimeout' on the replica agreement on the master.
   If it is set to a "low" value like 120, there is a possible
   workaround by removing it (or setting it to a higher value), so it will
   wait for 10m (default) before ending with a failure.
   Then retry the full init.

   regards
   thierry

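As an added example, not from Thierry's message, a shell helper that finds replication agreements carrying a low explicit nsds5ReplicaTimeout in LDIF output and emits the ldapmodify input to delete the attribute so the server default applies again. The LDIF used to exercise it is constructed; the ldapsearch command in the comment is the usual way to obtain the real agreements on the master, and the 600-second cutoff is an assumption matching the 10-minute default Thierry mentions. Base64-encoded or folded LDIF lines are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: find replication agreements with a low
# explicit nsds5ReplicaTimeout and produce the ldapmodify input that removes
# the attribute so the 389-ds default (10 minutes) applies again.
# On the master the agreements can be dumped with something like
#   ldapsearch -LLL -D 'cn=Directory Manager' -W -b 'cn=mapping tree,cn=config' \
#       '(objectClass=nsds5ReplicationAgreement)' nsds5ReplicaTimeout
# Base64-encoded (dn::) or folded LDIF lines are not handled here.

# low_timeout_agreements [THRESHOLD]: stdin = LDIF; prints "DN TIMEOUT" for
# each agreement whose timeout is set and below THRESHOLD seconds (default
# 600, the 10-minute default cited in the thread; an assumption, adjust to taste)
low_timeout_agreements() {
    awk -v thr="${1:-600}" '
        /^dn: / { dn = substr($0, 5) }
        tolower($1) == "nsds5replicatimeout:" {
            t = $2 + 0
            if (t > 0 && t < thr) print dn " " t
        }
    '
}

# remove_timeout_ldif: stdin = lines from low_timeout_agreements; prints the
# ldapmodify input (one change record per agreement) deleting the attribute
remove_timeout_ldif() {
    while read -r line; do
        printf 'dn: %s\nchangetype: modify\ndelete: nsds5ReplicaTimeout\n\n' "${line% *}"
    done
}

# Typical use on the master, before retrying the full re-initialisation:
#   ldapsearch ... | low_timeout_agreements | remove_timeout_ldif \
#       | ldapmodify -D 'cn=Directory Manager' -W
```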

[Freeipa-users] users in groups but user entry does not show groups

2014-09-17 Thread Ron
I have created user groups and entered users.

When I view the groups under the "User Groups" heading, I see the group
members.

When I go to the "Users" heading, and click the "User Groups"
sub-heading, IPA does not show any groups (says no entries at bottom).

See attached png screenshots.

Any ideas as to what is going on?

This does not happen for all members of the group.  For some users,
there *are* entries for groups under "Users -> User groups"

Thank you.

-- 
Ron Parachoniak
Systems Manager, Department of Physics & Astronomy
University of British Columbia, Vancouver, B.C.  V6T 1Z1
Phone: (604) 838-6437


Re: [Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

2014-09-17 Thread Genadi Postrilko
I have configured the DNS with the AD as a forwarder (ipa-server-install
--forwarder), just as explained in the RHEL 7 Windows Integration Guide, 5.3.1
Setting up Trust with IdM as a DNS Subdomain of Active Directory.

To use KRB5_TRACE I'll need to recreate the issue.

2014-09-16 10:28 GMT+03:00 Sumit Bose :

> On Tue, Sep 16, 2014 at 01:39:41AM +0300, Genadi Postrilko wrote:
> > Hello all !
> >
> > I have deployed test environment for AD trust feature, the environment
> > contains :
> > Windows Server 2008 - AD Server.
> > RHEL 7 - IPA 3.3 Server.
> > RHEL  6.2 - IPA Client.
> >
> > I have established the trust as IPA in the sub domain of AD.
> > AD DNS domain - blue.com
> > IPA DNS domain - linux.blue.com
> >
> > All was working fine as I was able to kinit with AD users:
> >
> > [root@ipaserver1 ~]# kinit y...@blue.com
> > Password for y...@blue.com:
> >
> > [root@ipaserver1 ~]# klist
> > Ticket cache: KEYRING:persistent:0:krb_ccache_oi15FrE
> > Default principal: y...@blue.com
> >
> > Valid starting   Expires  Service principal
> > 09/16/2014 01:00:25  09/16/2014 11:00:25  krbtgt/blue@blue.com
> > renew until 09/17/2014 01:00:20
> >
> > But after I rebooted the Windows Server machine, I could not kinit with AD
> > users anymore:
> > [root@ipaserver1 ~]# kinit y...@blue.com
> > kinit:  Cannot resolve servers for KDC in realm "BLUE.COM" while getting
> > initial
>
> The only IPA component used for kinit is the DNS server. How did you
> configure DNS (glue records? forwarder?). To get more details about what
> is failing you can call:
>
> KRB5_TRACE=/dev/stdout kinit y...@blue.com
>
> HTH
>
> bye,
> Sumit
>
> >
> > I have checked if all the IPA services were up:
> >
> > [root@ipaserver1 ~]# ipactl status
> > Directory Service: RUNNING
> > krb5kdc Service: RUNNING
> > kadmin Service: RUNNING
> > named Service: RUNNING
> > ipa_memcached Service: RUNNING
> > httpd Service: RUNNING
> > pki-tomcatd Service: RUNNING
> > smb Service: RUNNING
> > winbind Service: RUNNING
> > ipa-otpd Service: RUNNING
> > ipa: INFO: The ipactl command was successful
> >
> > After I restarted IPA services (ipactl restart), I was able to kinit
> > again.
> > Restarting the smb service would do the job as well (?).
> >
> > Just wanted to know if it is a known issue, or whether the AD should be
> > rediscovered if it reboots.
> > I think I've seen an issue about it in the mailing list some time ago (not
> > sure).
> >
> > I did not increase the debug level and get the logs.
> > But I can share the ipa and sssd versions:
> >
> > rpm -qa | grep ipa
> > ipa-server-3.3.3-28.el7_0.1.x86_64
> > python-iniparse-0.4-9.el7.noarch
> > libipa_hbac-1.11.2-68.el7_0.5.x86_64
> > ipa-admintools-3.3.3-28.el7_0.1.x86_64
> > ipa-server-trust-ad-3.3.3-28.el7_0.1.x86_64
> > ipa-python-3.3.3-28.el7_0.1.x86_64
> > sssd-ipa-1.11.2-68.el7_0.5.x86_64
> > iniparser-3.1-5.el7.x86_64
> > libipa_hbac-python-1.11.2-68.el7_0.5.x86_64
> > ipa-client-3.3.3-28.el7_0.1.x86_64
> >
> > rpm -qa | grep sssd
> > sssd-krb5-common-1.11.2-68.el7_0.5.x86_64
> > sssd-ldap-1.11.2-68.el7_0.5.x86_64
> > sssd-common-1.11.2-68.el7_0.5.x86_64
> > sssd-common-pac-1.11.2-68.el7_0.5.x86_64
> > sssd-ad-1.11.2-68.el7_0.5.x86_64
> > sssd-krb5-1.11.2-68.el7_0.5.x86_64
> > sssd-1.11.2-68.el7_0.5.x86_64
> > python-sssdconfig-1.11.2-68.el7_0.5.noarch
> > sssd-ipa-1.11.2-68.el7_0.5.x86_64
> > sssd-proxy-1.11.2-68.el7_0.5.x86_64
> > sssd-client-1.11.2-68.el7_0.5.x86_64
> >
> >  Thanks for all the helpers.

Re: [Freeipa-users] users in groups but user entry does not show groups

2014-09-17 Thread Ron
More information that I should have included before is below.  Note that
I use a perl script to add users to the IPA server using perl->LDAP
commands (see below).  Could this be the source of the problem?


snippet from perl createid script:

  # Net::LDAP add of the new user entry; the object class list comes from
  # the script's own configuration ($CONF{"obj_class"})
  $mesg = $ldap->add("uid=$me,".$CONF{"dn_suffix"},
attrs => [
"objectclass"   => $CONF{"obj_class"},
"uidNumber" => $uid,
"gidNumber" => $gid,
"cn"=> $gecos,
"gecos" => $gecos,
"sn"=> $lastname,
"givenName" => $firstname,
"homeDirectory" => $homedir,
"loginShell"=> $shell,
"mail"  => $mail,
"userPassword"  => $pass
]);

=
This user does not show the memberof entries even though user brog is in
the p309-mm group.

[root@ipa ~]# ipa user-show --raw --all brog
  dn: uid=brog,cn=users,cn=accounts,dc=abc,dc=def,dc=gh
  uid: brog
  givenname: Bir
  sn: Roga
  cn: Bir Roga
  homedirectory: /home2/brog
  gecos: Bir Roga
  loginshell: /bin/bash
  mail: b...@xyz.gh
  uidnumber: 15520
  gidnumber: 15520
  nsaccountlock: False
  has_password: True
  has_keytab: False
  mepmanagedentry: cn=brog,cn=groups,cn=accounts,dc=abc,dc=def,dc=gh
  objectclass: posixAccount
  objectclass: top
  objectclass: person
  objectclass: organizationalPerson
  objectclass: inetOrgPerson
  objectclass: shadowAccount
  objectclass: mepOriginEntry

==
this user shows the "memberof" entries as expected.

[root@ipa ~]# ipa user-show --raw --all dwth
  dn: uid=dwth,cn=users,cn=accounts,dc=abc,dc=def,dc=gh
  uid: dwth
  givenname: Dev
  sn: Tho
  cn: Dev  Tho
  homedirectory: /home2/dwth
  gecos: Devin  Tho
  loginshell: /bin/bash
  krbprincipalname: d...@abc.def.gh
  mail: d...@xyz.gh
  uidnumber: 15424
  gidnumber: 400
  nsaccountlock: False
  has_password: True
  has_keytab: True
  ipauniqueid: 44f17786-f95c-11e2-b3be-64700200e138
  krbextradata: AAJP6ihScm9vdC9hZG1pbkBQSEFTLlVCQy5DQQA=
  krblastpwdchange: 20130905203215Z
  krbpasswordexpiration: 20131204203215Z
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=abc,dc=def,dc=gh
  memberof: cn=p309-mm,cn=groups,cn=accounts,dc=abc,dc=def,dc=gh
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: organizationalperson
  objectclass: top
  objectclass: ipasshuser
  objectclass: inetorgperson
  objectclass: person
  objectclass: inetuser
  objectclass: krbprincipalaux
  objectclass: shadowaccount
  objectclass: posixaccount
  objectclass: ipaSshGroupOfPubKeys

==
[root@ipa ~]# ipa group-show --all p309-mm
  dn: cn=p309-mm,cn=groups,cn=accounts,dc=abc,dc=def,dc=gh
  Group name: p309-mm
  Description: p309 lab group mm
  GID: 462
  Member users: halp, jfc, tpr, dwth, brog
  ipauniqueid: b4d0f16e-3a95-11e4-81df-64700200e138
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject,
posixgroup

==




Re: [Freeipa-users] users in groups but user entry does not show groups

2014-09-17 Thread Alexander Bokovoy

On Wed, 17 Sep 2014, Ron wrote:

More information that I should have included before is below.  Note that
I use a perl script to add users to the IPA server using perl->LDAP
commands (see below).  Could this be the source of the problem?

Yes. If you are creating users without using IPA commands, you need to make
sure you are adding the required object classes. Your user below misses
ipaObject and a few more.




snippet from perl createid script:

 $mesg = $ldap->add("uid=$me,".$CONF{"dn_suffix"},
   attrs => [
   "objectclass"   => $CONF{"obj_class"},
   "uidNumber" => $uid,
   "gidNumber" => $gid,
   "cn"=> $gecos,
   "gecos" => $gecos,
   "sn"=> $lastname,
   "givenName" => $firstname,
   "homeDirectory" => $homedir,
   "loginShell"=> $shell,
   "mail"  => $mail,
   "userPassword"  => $pass
   ]);

=
This user does not show the memberof entries even though user brog is in
the p309-mm group.

[root@ipa ~]# ipa user-show --raw --all brog
 dn: uid=brog,cn=users,cn=accounts,dc=abc,dc=def,dc=gh
 uid: brog
 givenname: Bir
 sn: Roga
 cn: Bir Roga
 homedirectory: /home2/brog
 gecos: Bir Roga
 loginshell: /bin/bash
 mail: b...@xyz.gh
 uidnumber: 15520
 gidnumber: 15520
 nsaccountlock: False
 has_password: True
 has_keytab: False
 mepmanagedentry: cn=brog,cn=groups,cn=accounts,dc=abc,dc=def,dc=gh
 objectclass: posixAccount
 objectclass: top
 objectclass: person
 objectclass: organizationalPerson
 objectclass: inetOrgPerson
 objectclass: shadowAccount
 objectclass: mepOriginEntry

==
this user shows the "memberof" entries as expected.

[root@ipa ~]# ipa user-show --raw --all dwth
 dn: uid=dwth,cn=users,cn=accounts,dc=abc,dc=def,dc=gh
 uid: dwth
 givenname: Dev
 sn: Tho
 cn: Dev  Tho
 homedirectory: /home2/dwth
 gecos: Devin  Tho
 loginshell: /bin/bash
 krbprincipalname: d...@abc.def.gh
 mail: d...@xyz.gh
 uidnumber: 15424
 gidnumber: 400
 nsaccountlock: False
 has_password: True
 has_keytab: True
 ipauniqueid: 44f17786-f95c-11e2-b3be-64700200e138
 krbextradata: AAJP6ihScm9vdC9hZG1pbkBQSEFTLlVCQy5DQQA=
 krblastpwdchange: 20130905203215Z
 krbpasswordexpiration: 20131204203215Z
 memberof: cn=ipausers,cn=groups,cn=accounts,dc=abc,dc=def,dc=gh
 memberof: cn=p309-mm,cn=groups,cn=accounts,dc=abc,dc=def,dc=gh
 objectclass: krbticketpolicyaux
 objectclass: ipaobject
 objectclass: organizationalperson
 objectclass: top
 objectclass: ipasshuser
 objectclass: inetorgperson
 objectclass: person
 objectclass: inetuser
 objectclass: krbprincipalaux
 objectclass: shadowaccount
 objectclass: posixaccount
 objectclass: ipaSshGroupOfPubKeys

==
[root@ipa ~]# ipa group-show --all p309-mm
 dn: cn=p309-mm,cn=groups,cn=accounts,dc=abc,dc=def,dc=gh
 Group name: p309-mm
 Description: p309 lab group mm
 GID: 462
 Member users: halp, jfc, tpr, dwth, brog
 ipauniqueid: b4d0f16e-3a95-11e4-81df-64700200e138
 objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject,
posixgroup

==




--
/ Alexander Bokovoy

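An added check, not from Alexander's or Ron's messages, that turns the comparison above into a script: feed it the output of ipa user-show --raw --all for one entry and it lists which of the object classes carried by the IPA-created user dwth are absent. The reference list is taken from the dwth entry printed in this thread rather than from the IPA schema, so it is a starting point, not an authoritative MUST list; the input used to exercise it is the brog entry as posted. The remedy Alexander points to still stands: create users through ipa user-add, or have the script add the missing classes, rather than treating this list as complete.

```shell
#!/bin/sh
# Added example, not from the thread: list the object classes an IPA-created
# user carries that a given entry lacks.  Input is "ipa user-show --raw --all"
# output on stdin.  The reference set is the objectclass list of the dwth
# entry shown in this thread, not the IPA schema, so treat it as a starting
# point.  LDAP object class names are case-insensitive, so all are lowercased.

IPA_USER_OBJECTCLASSES='top person organizationalperson inetorgperson inetuser
posixaccount shadowaccount krbprincipalaux krbticketpolicyaux ipaobject
ipasshuser ipasshgroupofpubkeys'

# entry_objectclasses: stdin = user-show output; prints lowercase class names
entry_objectclasses() {
    awk '$1 == "objectclass:" { print tolower($2) }'
}

# missing_objectclasses: stdin = user-show output; prints each reference class
# the entry lacks, one per line; prints nothing for a complete entry
missing_objectclasses() {
    have=$(entry_objectclasses)
    for oc in $IPA_USER_OBJECTCLASSES; do
        printf '%s\n' "$have" | grep -qx "$oc" || printf '%s\n' "$oc"
    done
}

# Usage on a live server, one user at a time:
#   ipa user-show --raw --all brog | missing_objectclasses
```

Running it over every uid that the perl script created gives the list of entries to fix; a non-empty result for an entry also explains why memberOf is not maintained on it, since the plugins only act on entries with the IPA object classes.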


Re: [Freeipa-users] Certs.

2014-09-17 Thread Rob Crittenden

Walid wrote:

Hi Rob,

Self signed IPA certificate i saw it is 20 years, however how about the
client nodes renewal, i see here it is automated, how, and when


For renewed CA certificate distribution, we are working on it in ticket 
https://fedorahosted.org/freeipa/ticket/4322


For any server certificates on a client then certmonger is the way to 
go, and is our recommended mechanism. It will monitor and automatically 
renew any certificates installed (well, any it has permission to renew).


rob



On 16 September 2014 20:13, Rob Crittenden wrote:

Walid wrote:

Hi Dmitri,

I am interested in the renewal process, how would that happen for
clients, and when would it happen?


It depends on what scenario you're talking about (self-signed IPA
cert, IPA as subordinate, user-provided certificates), and what
certs you mean.

rob


On 11 September 2014 03:01, Dmitri Pal wrote:

 On 09/10/2014 07:57 PM, William Graboyes wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 Hi Dmitri,

 Production Environment is going to be RH 6.5,  We are still
 evaluating
 the usage of systemd. More like we are taking a wait
and see
 approach
 to to systemd, while actively testing it.

 The command line options for chaining are there from day one.
 So you would need to chain your production environment when you
 deploy it.
 In future when you migrate to later versions (in couple of
years or
 so) you will be able to change the chaining using the new
tools.
 Right now it is a very hard multi step manual procedure.
This is why
 we developed the tool.
 But you should be all set for now. You would not need to change
 anything for several years.

 Thanks
 Dmitri



 Thanks,
 Bill

 On Wed Sep 10 16:49:24 2014, Dmitri Pal wrote:

 On 09/10/2014 07:26 PM, William Graboyes wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 Hi Chris,

 Thank you for the suggestion. Looking at

http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html

 Installing a new, third party cert requires a
reinstall
 of IPA?  IPA
 Devs, that is a bit silly don't you think?  A
year or
 two in the cert
 expires, now you have to start from scratch?  I
will
 wait for some form
 of response before I attempt at eating crow in
front of
 management.

 I forgot to mention, free-ipa version
 ipa-server-3.0.0-37.el6.x86_64.

 Since 3.0 internal certs are issued for 2 years and
are renewed
 automatically. The root cert is valid for more than two
 years (AFAIR
 it is 20).





 On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:

 Search the list for a post by me and certs...
 Basically there is a
 install
 flag that will do all the work for you once
you have
 it the cert in the
 right format.
 On Sep 10, 2014 5:53 PM, "William Graboyes" wrote:


 Hello list,

 I have been fruitlessly searching for some
 information, especially
 related to Certs, namely how to replace the
self
 signed certs with
 certs from a trusted CA?  As we are moving
forward into
 productionizing of our free-ipa install, I am
 finding in

[Freeipa-users] Suggested Upgrade Path

2014-09-17 Thread Dan Mossor

Good day, folks.

I am curious what the suggested upgrade path is for FreeIPA. Currently, 
I am running freeipa-server-3.3.5-1.fc20.x86_64 on a virtual Fedora 20 
server and am planning my upgrade to FreeIPA 4.0.3 on Fedora 21 Server.


My current thought is to just build the F21 server and set it up as a 
replication server, then destroy the F20 VM. Will that be a seamless 
migration, or am I missing something?

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



Re: [Freeipa-users] Suggested Upgrade Path

2014-09-17 Thread Dmitri Pal

On 09/17/2014 10:56 PM, Dan Mossor wrote:

Good day, folks.

I am curious what the suggested upgrade path is for FreeIPA. 
Currently, I am running freeipa-server-3.3.5-1.fc20.x86_64 on a 
virtual Fedora 20 server and am planning my upgrade to FreeIPA 4.0.3 
on Fedora 21 Server.


My current thought is to just build the F21 server and set it up as a 
replication server, then destroy the F20 VM. Will that be a seamless 
migration, or am I missing something?
Make sure you install the replica with full CA and reconfigure this 
replica to be the CRL publisher and cert renewal tracker. Search this 
list archives and wiki on how to do it.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Two way A/D trust versus one way trust

2014-09-17 Thread Dmitri Pal

On 09/17/2014 12:38 AM, Greg Scott wrote:

Thanks everyone for the advice.  Here's a sanitized version of what I put 
together for my end user customer.  Feel free to use any of this text as you 
see fit.



Here's the scoop with IdM and AD trusts.  It's an "official" 2-way trust with 
the currently shipping IdM version - I think it's 3.3.5 right now.  It's an official 
2-way trust, but de-facto it's only one way because IdM doesn't have all the pieces it 
needs yet to allow AD to trust IdM.   So IdM can trust AD but right now AD cannot trust 
IdM.  Red Hat Support told us that in the support case and I confirmed it with the 
upstream community.  So even though it says it's a 2-way trust, it's really only one way.

Somewhere in the future, around version 4.3 or so, so it's a long way away, the plan is 
for IdM to have the pieces it needs for AD to trust IdM.  When that time comes, there are 
a number of options for ***?.  One is to stick with today's current version. "If it 
ain't broke, don't fix it."  Another is to continue upgrading to the current 
versions as they become available and redo the trust to be an official one way trust when 
the time comes.   Another option - just leave it as a 2-way trust.

The decision doesn't come up for a long time - if I had to guess, I'd put it 
sometime after 2015.  That's just my guess because the people doing the 
development don't know themselves and they're the ones building this stuff.  
It's a long time out.  And even then, it's not a huge decision.  Let's say ***? 
decides to leave it as a 2-way trust.  What are the consequences?  Are there 
now suddenly 2 sources of truth?  Is there a security hole?  Is AD suddenly 
vulnerable?

My answer would be no, no, and no.

On sources of truth - There will always be a few unique users in the Linux IdM 
domain.  User root, for example, and probably a few others.  This is true 
whether there is no trust, a one-way trust, or a 2-way trust.  IdM is like a 
Windows forest with one domain.  And AD is a forest with at least one domain.  
By definition, both forests have their own individual entities.

On security holes - with a 2-way trust, the AD Administrator now has the 
ability to regulate access to AD resources from IdM users and groups.  If the 
AD Admin takes no action, then nobody on the IdM side can access anything on 
the AD side.   Just because the AD administrator has this ability does not 
imply that he will use it.  If he doesn't use it - the default action - nothing 
happens.

Is AD suddenly vulnerable?  No.  Even with a 2-way trust, the AD Admin has to 
take specific actions in cooperation with others to allow anyone from IdM to 
access anything inside AD.

My opinion isn't worth the disk space to store this text and free opinions are 
worth what you pay for them.   So test it yourself.  ***? has the tools right 
now.  Build a Windows forest - independent of your Dev forest - and do some 
experiments with 2-way cross forest trusts.   Set up and destroy a few trust 
relationships with your existing Dev domain/forest and my proposed test forest 
and grant permissions to a few groups from one side into the other side.  You 
can do it with one Windows VM.  Now substitute IdM for that test Windows forest 
when the time comes and the issues are exactly the same.

One more point on vulnerability.  I know the choice to copy AD users into IdM 
is well-known, safe, and comfortable at ***?.  That's the way they did it last 
time.  But this choice requires non Microsoft software on the ***? AD domain 
controllers.  So thinking it through - which represents the most risk?  Setting 
up a cross forest trust where the AD administrator retains total control over 
everything, or putting foreign software on the Windows domain controllers to 
copy user passwords to an untrusted entity?

-   Greg


Bravo!
This deserves a wiki page, blog and a keynote at a couple conferences.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



[Freeipa-users] Kerberized NFS and automount

2014-09-17 Thread Dan Mossor
I have been fighting with getting my NFS servers kerberized since I 
first installed FreeIPA back in April - I still cannot create a secured 
NFS mount, and have exhausted all my resources in troubleshooting, so I 
am reaching out to the list since I see many of you have it working.


The next step in the puzzle will be to make this work with automount - 
which, again, I can't get working either. I am missing one key step 
here, but I can't find it. The documentation for both issues is 
confusing, especially to someone new to FreeIPA.


So first, let's tackle the Kerberized NFS mounts. On the server doing 
the exporting, here are the pertinent files.

/etc/sysconfig/nfs:
RPCNFSDARGS=""
RPCNFSDCOUNT=8
RPCMOUNTDOPTS="--debug all"
STATDARG=""
RPCIDMAPDARGS=""
RPCGSSDARGS="--debug all"
GSS_USE_PROXY="no"
RPCSVCGSSDARGS=""

My last attempt at an /etc/exports file before I gave up:
/home/repo gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)

What other information do y'all need to help me get this working?
--
Dan Mossor
Systems Engineer at Large
Fedora QA Team | Fedora KDE SIG | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



Re: [Freeipa-users] sudo setup in Ubuntu

2014-09-17 Thread Sanju A
Dear All,

I have tried with the settings as mentioned here. But still the issue 
persists.




Regards
Sanju Abraham
IS - Network/System Administrator
Tata Consultancy Services
TCS Centre SEZ Unit,
Infopark PO,
Kochi - 682042,Kerala
India
Ph:-   +91 484 6187490
Mailto: sanj...@tcs.com
Website: http://www.tcs.com

Experience certainty.   IT Services
Business Solutions
Consulting




From:   Tevfik Ceydeliler 
To: 
Date:   17-09-2014 19:46
Subject:Re: [Freeipa-users] sudo setup in Ubuntu
Sent by:freeipa-users-boun...@redhat.com



Thanks to Lukas:
Step 0: Install freeipa-client on ubuntu 14.04 and configure sudo 
integration

root@ubuntu1404:/# ipa-client-install --no-ntp
root@ubuntu1404:/# echo "sudoers: files sss" >> /etc/nsswitch.conf

root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam
root@ubuntu1404:/# sed -i -e 's/\(services.*\)/\1, sudo/' /etc/sssd/sssd.conf
root@ubuntu1404:/# grep services /etc/sssd/sssd.conf
services = nss, pam, sudo


Step 1: configure sudo rules for ordinary user
Please follow the instructions from FreeIPA documentation.
http://www.freeipa.org/docs/master/html-desktop/index.html#sudo


  This step was skipped, because it was already done a few months ago 


Step 2: login to machine as ordinary user, which is allowed to use sudo.

$ su usersssd01
Password:
$ id
uid=325600011(usersssd01) gid=325600011(usersssd01) 
groups=325600011(usersssd01),30011(biggroup1)


Step 3: run command
sudo -l
// this command should show you which commands can be executed as root
// with sudo

$ sudo -l
sudo: unable to resolve host ubuntu1404.example.test
[sudo] password for usersssd01:
Matching Defaults entries for usersssd01 on ubuntu1404:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User usersssd01 may run the following commands on ubuntu1404:
(root) /usr/bin/less, /usr/bin/vim


Step 4: If there weren't any problems then user will be able to run 
command.
sudo some_command_listed_in_step3

$ sudo /usr/bin/less /etc/shadow | wc -l
21
$ echo $?
0

$ sudo apt-get install mc
Sorry, user usersssd01 is not allowed to execute '/usr/bin/apt-get install 
mc' as root on ubuntu.example.test.
$ echo $?
1

On 17-09-2014 16:54, Sanju A wrote:
Dear All, 

I am able to configure the sudo settings in Centos clients by 
adding/modifying the entries in /etc/nsswitch.conf and 
/etc/sudo-ldap.conf. What are the exact steps for the configuration in 
Ubuntu, as I am not able to find the configuration file sudo-ldap.conf in 
Ubuntu? 


Regards
Sanju Abraham
IS - Network/System Administrator
Tata Consultancy Services
TCS Centre SEZ Unit,
Infopark PO,
Kochi - 682042,Kerala
India
Ph:-   +91 484 6187490
Mailto: sanj...@tcs.com
Website: http://www.tcs.com

Experience certainty.IT Services
   Business Solutions
   Consulting
 
=-=-=
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you



-- 

The information contained in this e-mail and any files transmitted with it are 
intended solely for the use of the individual or entity to whom they are 
addressed and Yasar Group Companies do not accept legal responsibility for 
the contents. If you are not the intended recipient, please immediately 
notify the sender and delete it from your system.
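Step 0 above edits sssd.conf with `sed` and nsswitch.conf with `echo >>`; both edits are appended again every time they are rerun. The functions below are an added example of doing the same two edits idempotently on the file text (not the thread's or SSSD's own code; the file contents are constructed samples), so they can be tried on a copy before touching /etc:

```shell
#!/bin/sh
# Idempotent versions of the two Step 0 edits. Added example, not code from
# the thread or from SSSD. Each function takes the file text as $1 and prints
# the updated text; the samples below are constructed.

# The Step 0 sed appends ", sudo" on every run; this only adds the sudo
# responder when the [sssd] services line does not already list it.
enable_sssd_sudo() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*services[[:space:]]*=/ && !done {
      if ($0 !~ /(^|[ ,])sudo([ ,]|$)/) $0 = $0 ", sudo"
      done = 1
    }
    { print }'
}

# "echo ... >> /etc/nsswitch.conf" leaves a second sudoers: line when one
# already exists. This appends sss to the existing sudoers: line instead,
# and only adds "sudoers: files sss" when the file has no sudoers: line.
enable_nss_sudoers_sss() {
  printf '%s\n' "$1" | awk '
    /^sudoers:/ { if ($0 !~ /(^|[ \t])sss([ \t]|$)/) $0 = $0 " sss"; seen = 1 }
    { print }
    END { if (!seen) print "sudoers: files sss" }'
}

# Constructed samples modelled on the grep output shown in Step 0.
SAMPLE_SSSD='[sssd]
services = nss, pam
domains = example.test'
SAMPLE_NSSWITCH='passwd: compat sss
group: compat sss
sudoers: files'

# Demonstration: the edited text, and the same text edited a second time,
# are identical, so the functions are safe to run from a config tool repeatedly.
enable_sssd_sudo "$SAMPLE_SSSD"
enable_sssd_sudo "$(enable_sssd_sudo "$SAMPLE_SSSD")"
enable_nss_sudoers_sss "$SAMPLE_NSSWITCH"
```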

Re: [Freeipa-users] sudo setup in Ubuntu

2014-09-17 Thread Tevfik Ceydeliler


Hi,
Did you add this user to the sudo rule/users?

On 18-09-2014 08:02, Sanju A wrote:

Dear All,

I have tried with the settings as mentioned here. But still the issue 
persists.






Re: [Freeipa-users] Kerberized NFS and automount

2014-09-17 Thread Johan Petersson
I do not know what OS you are using but if it is RHEL 6 or CentOS 6 you would 
need to do the following:

In /etc/idmapd.conf:

Domain = your.domain

Add this to /etc/sysconfig/nfs

SECURE_NFS="yes"

In /etc/exports:

/home/repo *(rw,sync,sec=krb5p) 

Make sure that you use NTP for every server/client and that the time is synced.

Add the server to the IPA Domain

Create an NFS service for the server in IPA:

ipa service-add nfs/your.server.name 

Generate a key using:

ipa-getkeytab -s ipa.server -p nfs/your.nfs.server -k /tmp/nfsserver.keytab

# Do this on the nfs server and you can add the key directly to /etc/krb5.keytab.

Add a firewall rule for tcp 2049.

iptables -I INPUT 5 -p tcp -m state --state NEW,ESTABLISHED --dport 2049 -j ACCEPT

Save and restart firewall + the other services and it should work.

For RHEL 7 or Fedora it is essentially the same except that you do not add the 
line to /etc/sysconfig/nfs.

Instead you need to enable and start nfs-server and nfs-secure-server using 
systemctl.

For autofs you just need to add a proper direct or indirect map in IPA and on 
the IPA client run ipa-client-automount.

Make sure that the nfs 4 kerberos share is working first before starting with 
autofs config.

mount -t nfs4 -v -o sec=krb5p nfs.server:/home/repo /mnt

Hope this could help you get it working. :-)

Regards,
Johan


This e-mail is private and confidential between the sender and the addressee.
In the event of misdirection, the recipient is prohibited from using, copying 
or disseminating it or any information in it. Please notify the above if any 
misdirection.
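A preflight script for the checklist in Johan's reply: it classifies the /etc/exports line, confirms the nfs/ principal is in the keytab, and checks the RHEL 6 SECURE_NFS switch. This is an added example, not code from the thread or from FreeIPA; the klist and sysconfig contents are constructed samples and the host/realm names are placeholders:

```shell
#!/bin/sh
# Preflight checks for a Kerberized NFSv4 export. Added example, not code from
# the thread or from FreeIPA; every sample input below is constructed.

# Classify one /etc/exports line: "kerberized" (sec=krb5, krb5i or krb5p),
# "old-gss-form" (the gss/krb5* client-name spelling from the original post,
# which carries no sec= option) or "plaintext" (anything else, e.g. sec=sys).
# Returns 0 only for the kerberized case.
exports_line_status() {
  case "$1" in
    *sec=*krb5*)   echo "kerberized";   return 0 ;;
    *' gss/krb5'*) echo "old-gss-form"; return 1 ;;
    *)             echo "plaintext";    return 1 ;;
  esac
}

# 0 if "klist -k" output ($1) lists an nfs/<host>@<REALM> entry for host $2.
# A host/ principal alone is not enough; the server needs the nfs/ service key.
# (Dots in $2 match any character, which is fine for a preflight check.)
keytab_has_nfs_principal() {
  printf '%s\n' "$1" | grep -q "[[:space:]]nfs/$2@"
}

# 0 if RHEL 6 / CentOS 6 /etc/sysconfig/nfs content ($1) sets SECURE_NFS="yes",
# the line the reply says to add there (quotes optional).
secure_nfs_enabled() {
  printf '%s\n' "$1" | grep -Eq '^SECURE_NFS="?yes"?$'
}

# Run all three checks and print the number of failures (0 = ready to export).
preflight() {
  fails=0
  exports_line_status "$1" >/dev/null || fails=$((fails + 1))
  keytab_has_nfs_principal "$2" "$3"  || fails=$((fails + 1))
  secure_nfs_enabled "$4"             || fails=$((fails + 1))
  echo "$fails"
}

# Constructed samples: the export line from the reply, a klist -k listing,
# and a sysconfig file with and without the secure NFS switch.
SAMPLE_EXPORT='/home/repo *(rw,sync,sec=krb5p)'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 host/nfs.example.test@EXAMPLE.TEST
   2 nfs/nfs.example.test@EXAMPLE.TEST'
SAMPLE_SYSCONFIG_OK='RPCGSSDARGS=""
SECURE_NFS="yes"
RPCSVCGSSDARGS=""'
SAMPLE_SYSCONFIG_BAD='RPCGSSDARGS="--debug all"
GSS_USE_PROXY="no"
RPCSVCGSSDARGS=""'

# Demonstration on the constructed samples.
echo "export line: $(exports_line_status "$SAMPLE_EXPORT")"
echo "failures, secure NFS on:  $(preflight "$SAMPLE_EXPORT" "$SAMPLE_KLIST" nfs.example.test "$SAMPLE_SYSCONFIG_OK")"
echo "failures, secure NFS off: $(preflight "$SAMPLE_EXPORT" "$SAMPLE_KLIST" nfs.example.test "$SAMPLE_SYSCONFIG_BAD")"
```

On a real server, feed `keytab_has_nfs_principal` the output of `klist -k` and the other two functions the contents of the files they name.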

