Re: [Freeipa-users] Centos 7 No permission to /home/..

2015-02-23 Thread Jakub Hrozek
On Mon, Feb 23, 2015 at 05:29:32PM +0100, Günther J. Niederwimmer wrote:
> I tested everything (?). I have configured an NFS mount for /home, created a 
> /home/user directory only on the ipa-server, nothing is working, I always get 
> permission denied?
> 
> I found a bug report for oddjob-mkhomedir, to change the permission from 
> 0002 to 0077, but now I am at my wits' end?

Which bug report? IIRC there was one by Stef Walter, which I can't find
right now, that described the default permissions, but it should still be
configurable.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Centos 7 No permission to /home/..

2015-02-23 Thread Craig White
-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Günther J. Niederwimmer
Sent: Monday, February 23, 2015 9:30 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Centos 7 No permission to /home/..

Hello,

On Monday, 23 February 2015, 09:55:06 Jakub Hrozek wrote:
> On Sun, Feb 22, 2015 at 10:19:32PM +0100, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > I have installed CentOS 7 and an ipa-server, and on another system a 
> > second ipa-server.
> > 
> > But I can't create a user home directory, neither on the server nor on an 
> > ipa-client with autocreate?
> > 
> > Does anyone have a hint on where I can search for this problem?
> > 
> > sssd ipa-server / client 
> > 
> > If you would like info, please tell me what?
> 
> The first step is verifying that "getent passwd $user" actually 
> reports the home dir you'd like it to. It's especially important to 
> check with users from trusted AD domains.

This is working, it tells me "/home/".
 
> Do you intend to auto-create the home directories on the clients or 
> have them mounted from a central location? In the former case, you 
> should check configuration of oddjob-mkhomedir, in the latter, you 
> should check the automounter configuration.

I tested everything (?). I have configured an NFS mount for /home, created a /home/user 
directory only on the ipa-server, nothing is working, I always get permission 
denied?

I found a bug report for oddjob-mkhomedir, to change the permission from
0002 to 0077, but now I am at my wits' end?

But on an ipa-client I can't do chown -R :ipausers to change the permission.

The ipausers group is not found on a client?

Is this a sssd problem? 

Now I uninstall everything and start again?

On my setup, group 'ipausers' is not a POSIX group and thus isn't relevant to 
any of the servers.

If indeed oddjob_mkhomedir is creating users' $HOME with 755 permissions, then 
you might want to have a root cron script running on the NFS server itself to 
set the permissions on a regular basis, i.e.:
0 * * * * chmod 0700 /home/* > /dev/null 2>&1 # Every hour on the hour, set /home/* to users only.

Not an SSSD problem.

Craig



Re: [Freeipa-users] Centos 7 No permission to /home/..

2015-02-23 Thread Günther J. Niederwimmer
Hello,

On Monday, 23 February 2015, 09:55:06 Jakub Hrozek wrote:
> On Sun, Feb 22, 2015 at 10:19:32PM +0100, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > I have installed CentOS 7 and an ipa-server, and on another system a second
> > ipa-server.
> > 
> > But I can't create a user home directory, neither on the server nor on an
> > ipa-client with autocreate?
> > 
> > Does anyone have a hint on where I can search for this problem?
> > 
> > sssd ipa-server / client 
> > 
> > If you would like info, please tell me what?
> 
> The first step is verifying that "getent passwd $user" actually reports
> the home dir you'd like it to. It's especially important to check with
> users from trusted AD domains.

This is working, it tells me "/home/".
 
> Do you intend to auto-create the home directories on the clients or have
> them mounted from a central location? In the former case, you should
> check configuration of oddjob-mkhomedir, in the latter, you should check
> the automounter configuration.

I tested everything (?). I have configured an NFS mount for /home, created a /home/user 
directory only on the ipa-server, nothing is working, I always get permission 
denied?

I found a bug report for oddjob-mkhomedir, to change the permission from 
0002 to 0077, but now I am at my wits' end?

But on an ipa-client I can't do chown -R :ipausers to change the 
permission.

The ipausers group is not found on a client?

Is this a sssd problem? 

Now I uninstall everything and start again?

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] ipa-getcert list fails to report correctly

2015-02-23 Thread Les Stott


> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> Sent: Monday, 23 February 2015 12:18 PM
> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata;
> Jan Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
> 
> 
> 
> > -Original Message-
> > From: Rob Crittenden [mailto:rcrit...@redhat.com]
> > Sent: Saturday, 21 February 2015 1:39 AM
> > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata;
> > Jan Cholasta
> > Subject: Re: [Freeipa-users] ipa-getcert list fails to report
> > correctly
> >
> > Martin Kosek wrote:
> > > On 02/20/2015 06:56 AM, Les Stott wrote:
> > >> Hi all,
> > >>
> > >> The following is blocking the ability for me to install a CA replica.
> > >>
> > >> Environment:
> > >>
> > >> RHEL 6.6
> > >>
> > >> IPA 3.0.0-42
> > >>
> > >> PKI 9.0.3-38
> > >>
> > >> On the master the following is happening:
> > >>
> > >> ipa-getcert list
> > >>
> > >> Number of certificates and requests being tracked: 5.
> > >>
> > >> (but it shows no certificate details in the output)
> > >>
> > >> Running "getcert list" shows complete output.
> > >>
> > >> Also, when trying to browse
> > >> https://master.mydomain.com/ca/ee/ca/getCertChain i get a failed
> > >> response. The apache error logs on the master show
> > >>
> > >> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
> > >> client cannot verify your certificate
> > >>
> > >> The reason I am trying to browse that address is because that's
> > >> what the ipa-ca-install setup is failing at (it complains that the
> > >> CA certificate is not in proper format, in fact it's not able to
> > >> get it at all).
> > >>
> > >> I know from another working ipa setup that browsing to the above address
> > >> provides valid XML content and ipa-getcert list shows certificate details
> > >> and not just the number of tracked certificates.
> > >>
> > >> Been trying for a long time to figure out the issues without luck.
> > >>
> > >> I would greatly appreciate any help to troubleshoot and resolve the
> > >> above issues.
> > >>
> > >> Regards,
> > >>
> > >> Les
> > >
> > > Endi or JanC, would you have any advice for Les? To me, it looks
> > > like the Apache does not have a proper certificate installed.
> > >
> > > My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it
> > > 8 certs tracked in total:
> > >
> > > # ipa-getcert list
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '201402':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
> > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > > expires: 2016-11-11 00:00:01 UTC
> > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '201447':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > > expires: 2016-11-11 00:00:46 UTC
> > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '2014000302':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > > expires: 2016-11-11 00:03:02 UTC
> > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-

Re: [Freeipa-users] Centos 7 No permission to /home/..

2015-02-23 Thread Jakub Hrozek
On Sun, Feb 22, 2015 at 10:19:32PM +0100, Günther J. Niederwimmer wrote:
> Hello,
> 
> I have installed CentOS 7 and an ipa-server, and on another system a second
> ipa-server.
> 
> But I can't create a user home directory, neither on the server nor on an
> ipa-client with autocreate?
> 
> Does anyone have a hint on where I can search for this problem?
> 
> sssd ipa-server / client 
> 
> If you would like info, please tell me what?

The first step is verifying that "getent passwd $user" actually reports
the home dir you'd like it to. It's especially important to check with
users from trusted AD domains.

Do you intend to auto-create the home directories on the clients or have
them mounted from a central location? In the former case, you should
check configuration of oddjob-mkhomedir, in the latter, you should check
the automounter configuration.


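Jakub's two checks (what "getent passwd" reports as the home directory, and how oddjob-mkhomedir is configured) and Craig's hourly chmod from earlier in this thread, put together as one added shell example. This is not code from the thread, from FreeIPA or from oddjob. It assumes the oddjob-mkhomedir helper line lives in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf with its umask passed as "-u NNNN" inside the exec="..." attribute, and that a new home directory gets mode 0777 & ~umask; the passwd line and config line used for testing are constructed.

```shell
#!/bin/sh
# Added diagnostic for the /home permission thread; not code from the list,
# FreeIPA or oddjob. Assumed: config path /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf,
# umask passed as "-u NNNN" in exec="...", new dirs get mode 0777 & ~umask.

# Home directory field (6th) of a passwd(5) line, as "getent passwd $user" prints it.
home_from_passwd_line() {
    printf '%s\n' "$1" | awk -F: '{ print $6 }'
}

# Umask given to the mkhomedir helper in oddjobd config file $1 (assumed format).
# Prints nothing if the helper line carries no "-u" argument.
mkhomedir_umask() {
    sed -n 's/.*exec="[^"]*mkhomedir[^"]*-u \([0-7][0-7]*\)".*/\1/p' "$1" | head -n 1
}

# Directory mode produced by umask $1, as four octal digits (0077 -> 0700, 0002 -> 0775).
dir_mode_from_umask() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Succeeds when octal mode $1 (as stat prints it, e.g. 755) grants nothing to group/other.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Report on one real home directory: missing (1), group/world-accessible (2), private (0).
check_home_dir() {
    [ -d "$1" ] || { echo "MISSING $1"; return 1; }
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U' "$1")
    if mode_is_private "$mode"; then
        echo "OK   $1 owner=$owner mode=$mode"
    else
        echo "OPEN $1 owner=$owner mode=$mode"
        return 2
    fi
}

# Safer form of the hourly "chmod 0700 /home/*": only real directories (no files,
# no symlinks) and only the group/other bits are removed, so setgid survives.
fix_home_perms() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        chmod g-rwx,o-rwx "$d"
    done
}

# On a real client:  sh check_home.sh <user>
report_user() {
    home=$(home_from_passwd_line "$(getent passwd "$1")")
    um=$(mkhomedir_umask /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf)
    echo "getent home dir : ${home:-<none>}"
    echo "mkhomedir umask : ${um:-<not set>}${um:+ -> new dirs get $(dir_mode_from_umask "$um")}"
    check_home_dir "$home"
}
if [ -n "${1-}" ]; then
    report_user "$1"
fi
```

Run it as root on the client with the user name as its only argument. Compared with the cron one-liner, fix_home_perms skips files and symlinks under /home and strips only the group/other bits, so a setgid shared directory keeps its bit; an hourly chmod still leaves a window in which a freshly created 0755 home is readable by everyone, so the umask in the oddjobd config is the setting to fix.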

Re: [Freeipa-users] Identifying current CA master

2015-02-23 Thread Martin Kosek
On 02/21/2015 02:05 PM, Thomas Raehalme wrote:
> Hi!
> 
> I am in the process of migrating FreeIPA master to another server following
> the instructions on page
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master.
> 
> In the instructions 'post-save command' should have one of two given
> values, but when I execute the script on the current IPA master there is no
> value at all:
> 
> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
> post-save command:
> 
> Is this a problem?

Good question. You are most likely hitting bug
https://bugzilla.redhat.com/show_bug.cgi?id=1178190
that is planned to be fixed in RHEL-6.7.

It should only affect the display of the values; the actual storage and
execution should be OK. As indicated in the bug, you can verify the values are
set up correctly in /var/lib/certmonger/requests.

Does that help?

> We are using ipa-server-3.0.0-42 on CentOS 6.6. According to yum the
> original version which we installed is ipa-server-3.0.0-26.
> 
> Best regards,
> Thomas

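The on-disk check Martin points to, as an added shell example that is not code from the thread, from certmonger or from FreeIPA. It assumes certmonger keeps one flat key=value file per tracked request under /var/lib/certmonger/requests, with cert_nickname= and cert_postsave_command= among the keys; the request files used for testing are constructed and the hook path in them is a placeholder, not the value the howto expects.

```shell
#!/bin/sh
# Added example for checking post-save hooks in the certmonger request store.
# Not code from the list, certmonger or FreeIPA. Assumed: one "key=value" file per
# request under /var/lib/certmonger/requests, keys cert_nickname and
# cert_postsave_command.

# Value of key $1 in request file $2 (text after the first '='); empty if absent.
request_field() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# For each request in directory $1 that tracks nickname $2, print
# "<file>: <post-save command>", writing <none> for an empty command so a
# missing hook is visible rather than a blank field. Succeeds only when at
# least one matching request has a non-empty post-save command.
postsave_for_nickname() {
    found=1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(request_field cert_nickname "$f")" = "$2" ] || continue
        cmd=$(request_field cert_postsave_command "$f")
        [ -n "$cmd" ] && found=0
        printf '%s: %s\n' "$f" "${cmd:-<none>}"
    done
    return $found
}

# On the IPA master:  sh check_postsave.sh "subsystemCert cert-pki-ca"
if [ -n "${1-}" ]; then
    postsave_for_nickname /var/lib/certmonger/requests "$1"
fi
```

Because the exit status says whether any matching request actually carries a hook, the script can sit in a monitoring check and fail when a CA certificate is tracked with no post-save command at all, which is what the display bug above makes hard to see from "getcert list" alone.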