Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Martin Basti

Hi,
can you check journalctl -u named(-pkcs11) on the server? There might be
errors explaining why the PTR record has not been added.


Do you have enabled dynamic updates for the reverse zone?

Martin

On 09/12/2015 10:42 PM, Youenn PIOLET wrote:

> Hi,
>
> I've seen the same issue recently on various clients using ipa 3.3 and
> ipa 4.* during the first join on a clean OS. Can't confirm it was
> working before. Is it normal behavior?
>
> Allow PTR sync is enabled.
>
> Cheers,
>
> On 12 Sep 2015 7:44 AM, "Nathan Peters" wrote:
>
>> On 9/11/2015 10:32 AM, Simo Sorce wrote:
>>
>>> On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
>>>
>>>> I have been trying to figure this out for a while now, but when I join a
>>>> machine to FreeIPA, the installer properly creates forward DNS entries
>>>> and DNS SSHFP entries, but does not create reverse entries.
>>>> Without the PTR records, kerberos logins are always failing on these
>>>> machines.
>>>
>>> I am interested in understanding what fails exactly; stuff should not
>>> depend on reverse resolution. Can you give me an example of a failure?
>>>
>>> For the PTR creation anyway, have you enabled the option to allow setting
>>> PTR records?
>>> There is a global DNS option (as well as a per-zone setting) called
>>> "Allow PTR Sync" you may want to enable.
>>
>> When we attempt to login using kerberos on a machine that has no
>> reverse DNS entry defined, we are instead prompted with a password
>> prompt. The password authentication still works but the ticket
>> does not.
>>
>> From what I read, the Allow PTR Sync option is only used in
>> conjunction with DNS IP address changes and does not apply to the
>> initial join of the domain.
>>
>> Is the joining process supposed to create reverse DNS entries for
>> the clients or just forward entries and SSHFP entries?
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project






Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
The Pro edition.

I've solved my connection problem: I have to specify the username manually
(name.surname@ad_domain.com) with Microsoft SSPI.
In this mode it is OK, but using PuTTY's "Use system username" does not work
for me.

I don't know why :)
Bye, Morgan

2015-09-11 22:24 GMT+02:00 Alexander Bokovoy :

> On Fri, 11 Sep 2015, Morgan Marodin wrote:
>
>> Hi everyone.
>>
>> I've seen these guides:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html
>>
>> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html
>>
>> https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/
>>
>> But I've not been able to access via ssh to a freeipa client with kerberos
>> tickets.
>> I've also tried to install MIT kerberos to my windows 8.1, but doesn't
>> works too.
>>
> This is not required.
>
> What Windows 8.1 version you have? Is it a Pro edition (the other
> editions don't join AD)?
>
>> The target freeipa client is a RHEL 6.7 like distribution.
>>
>> Naturally trying with AD username (name.surn...@mydomain.com) and
>> password
>> is ok.
>>
>> Do you have any suggestions for this problem?
>>
> Enable DEBUG3 level logging in sshd_config for SSH server, attempt to
> login from Windows client and show the logs around 'userok' in the
> resulting debug output.
>
> --
> / Alexander Bokovoy
>



-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Sumit Bose
On Mon, Sep 14, 2015 at 09:24:15AM +0200, Morgan Marodin wrote:
> The Pro edition.
> 
> I've solved my connection problem, I have to specify manually the username (
> name.surname@ad_domain.com) with Microsoft SSPI.
> In this mode is ok, but using Putty "Use system username" do not works for
> me.

iirc putty strips the domain part '@ad_domain.com' here and only uses
'name.surname' to log into a client. Since by default we require a
fully-qualified name which includes the domain part to avoid ambiguity, the
login fails.

HTH

bye,
Sumit




Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Alexander Bokovoy

On Mon, 14 Sep 2015, Morgan Marodin wrote:

> The Pro edition.
>
> I've solved my connection problem, I have to specify manually the username (
> name.surname@ad_domain.com) with Microsoft SSPI.
> In this mode is ok, but using Putty "Use system username" do not works for
> me.
>
> I don't know why :)

A problem is in the fact that when you use PuTTY's 'use system
username', it only provides an unqualified name there, e.g.
Administrator, not AD\Administrator or administra...@ad.test. On IPA
client side AD users are fully qualified and thus the user you are trying
to login as (Administrator) is not the same as the user you are
(administra...@ad.test).
--
/ Alexander Bokovoy



Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-14 Thread Jan Pazdziora
On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote:
> On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo 
> wrote:
> 
> > on a centos 7.1 host when enrolling it with (among other) the switch
> > --request-cert it does not create a host certificate for it. The host is
> > properly joined but no certificate is present.
> >
> > In the ipaclient-install.log file I see this:
> >
> > 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed
> 
> it's not working when joining a centos 6.7 realm either, same error.

Also reproduced on RHEL 7.1 and RHEL 7.2 (to be). I've filed

https://bugzilla.redhat.com/show_bug.cgi?id=1262718

now.

Thank you for bringing this to our attention.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] Search 'hosts'

2015-09-14 Thread thierry bordaz

On 09/14/2015 08:18 AM, Martin Kosek wrote:

> On 09/12/2015 01:12 AM, Craig White wrote:
>
>> ipa-server-4.1.0-18.el7_1.4.x86_64
>>
>> Maybe I was spoiled but from the web ui, I can't seem to search for hosts or
>> DNS names - all searches seem to return nothing at all
>>
>> User searches work (thankfully)
>>
>> Previous version 3.0.0 from RHEL6 I could just put in ipa and get the hosts
>> listed that had ipa in them.
>>
>> Is it just me?
>>
>> Craig White
>> System Administrator
>> O 623-201-8179   M 602-377-9752
>>
>> SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
>
> Hello Craig,
>
> I think you are hitting
> https://fedorahosted.org/freeipa/ticket/5167
> This particular host-find search should be fixed in RHEL-7.2.
>
> There was an overly strict fix of a CVE, resulting in non-ideal general
> searches that are used in Web UI, causing 0 returned results. The general case
> is tracked in
> https://fedorahosted.org/freeipa/ticket/5168
>
> We plan to fix this on the 389-DS level, Thierry (CCed) will file the DS
> ticket. However, if you are interested in having this update in RHEL as
> asynchronous update and you have a subscription, please file a customer case :-)

Hello Craig,

The 389-ds ticket is https://fedorahosted.org/389/ticket/48275.

It will be triaged soon. So far, it still needs some investigation.

thanks
thierry


Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
Ok, but now I have another problem :)

If I disable the default allow_all HBAC rule, creating one custom HBAC rule
that enables ad_admins to access any host and any service, kerberos ticket
authentication via ssh does not work.
Username/password authentication with the same custom HBAC rules works.

SSH logs with kerberos authentication:
Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to
administra...@mydomain.com, krb5 principal administra...@mydomain.com
(krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access
denied for user administra...@mydomain.com: 6 (Permission denied)
Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user
administra...@mydomain.com by PAM account configuration

SSH logs with username/password authentication:
Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.0.252  user=administra...@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=
administra...@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for
administra...@mydomain.com from 192.168.0.252 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session
opened for user administra...@mydomain.com by (uid=0)

If I enable the allow_all HBAC rule, kerberos authentication works.
Maybe there is something else to configure?

Thanks, Morgan




-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069
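The two sshd excerpts above show the same user passing authentication both times and failing only in the PAM account phase of the kerberos attempt, which is where pam_sss applies HBAC. As an added example (not part of the thread), this script parses those lines, groups them by sshd PID and names the phase each attempt reached; the sample log is constructed from the lines Morgan posted, re-joined one event per line.

```python
import re

# Constructed sample: the two sshd excerpts from the post, one event per line.
SAMPLE_LOG = """\
Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to administra...@mydomain.com, krb5 principal administra...@mydomain.com (krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access denied for user administra...@mydomain.com: 6 (Permission denied)
Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user administra...@mydomain.com by PAM account configuration
Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252  user=administra...@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=administra...@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for administra...@mydomain.com from 192.168.0.252 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session opened for user administra...@mydomain.com by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# One pattern per event we care about, named after the PAM phase it belongs to.
# " user=" (with the leading space) avoids matching the "ruser=" field.
PATTERNS = {
    "krb5_authorized": re.compile(r"^Authorized to (?P<user>\S+), krb5 principal \S+ \(krb5_kuserok\)"),
    "unix_auth_failure": re.compile(r"^pam_unix\(sshd:auth\): authentication failure;.* user=(?P<user>\S*)"),
    "sss_auth_success": re.compile(r"^pam_sss\(sshd:auth\): authentication success;.* user=(?P<user>\S*)"),
    "accepted": re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+)"),
    "account_denied": re.compile(r"^pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): (?P<code>\d+)"),
    "account_fatal": re.compile(r"^fatal: Access denied for user (?P<user>\S+) by PAM account configuration"),
    "session_opened": re.compile(r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"),
}


def parse_events(text):
    """Return (pid, event_name, fields) for every recognised sshd line."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        for name, pat in PATTERNS.items():
            em = pat.match(m.group("msg"))
            if em:
                events.append((m.group("pid"), name, em.groupdict()))
                break
    return events


def classify(events):
    """Summarise the events of one sshd process: how the user authenticated and how far they got."""
    names = [n for n, _ in events]
    user = next((f["user"] for _, f in events if f.get("user")), None)
    if "krb5_authorized" in names:
        auth = "kerberos (krb5_kuserok)"
    elif "accepted" in names:
        auth = next(f["method"] for n, f in events if n == "accepted")
    elif "sss_auth_success" in names:
        auth = "password"
    else:
        auth = None
    if "session_opened" in names:
        outcome = "session_opened"
    elif "account_denied" in names or "account_fatal" in names:
        # The account phase runs after authentication; pam_sss evaluates HBAC
        # here, so "authenticated but account denied" means the credentials were
        # fine and no HBAC rule allows this user on this host/service.
        outcome = "authenticated_but_pam_account_denied" if auth else "pam_account_denied"
    elif auth:
        outcome = "authenticated"
    elif "unix_auth_failure" in names:
        outcome = "auth_failed"
    else:
        outcome = "unknown"
    return {
        "user": user,
        "auth": auth,
        "outcome": outcome,
        # pam_unix rejecting a user it does not know, then pam_sss accepting, is the
        # normal stack fall-through for IPA/AD users, not a failed login attempt.
        "unix_fallthrough": "unix_auth_failure" in names and "sss_auth_success" in names,
    }


def triage(text):
    """Group events by sshd PID in first-seen order and classify each process."""
    by_pid = {}
    for pid, name, fields in parse_events(text):
        by_pid.setdefault(pid, []).append((name, fields))
    return [dict(pid=pid, **classify(evs)) for pid, evs in by_pid.items()]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Note that the `fatal:` line comes from a different sshd PID (1729) than the one that logged the denial (1728), so correlating strictly by PID leaves it as a separate "pam_account_denied" record.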

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Sumit Bose
On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote:
> Ok, but now I've an other problem :)
> 
> If I disable the default allow_all HBAC rule creating one custom HBAC rule
> that enable ad_admins to access any host any service, kerberos ticket via
> ssh does not works.
> Username/password authentication with the same custom HBAC rules works.
> 
> SSH logs with kerberos authentication:
> Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to
> administra...@mydomain.com, krb5 principal administra...@mydomain.com
> (krb5_kuserok)
> Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access
> denied for user administra...@mydomain.com: 6 (Permission denied)
> Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user
> administra...@mydomain.com by PAM account configuration
> 
> SSH logs with username/password authentication:
> Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=192.168.0.252  user=administra...@mydomain.com
> Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication
> success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=
> administra...@mydomain.com
> Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for
> administra...@mydomain.com from 192.168.0.252 port 49590 ssh2
> Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session
> opened for user administra...@mydomain.com by (uid=0)
> 
> If I enable allow_all HBAC rule kerberos authentication works.
> Maybe is there something else to configure?

no, HBAC result should not change depending on the authentication
method. Can you send me the SSSD logs with a high debug level (10) for
both cases? If you prefer you can send them to me directly.

bye,
Sumit



Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-14 Thread Brian J. Murrell
On Mon, 2015-09-14 at 08:28 +0200, Martin Kosek wrote:
> Hello,

Hi,

> It is the right way to do it AFAIK,

Indeed, no.  It's a hack around the lack of SNI support in mod_nss.

>  however it would only work with FreeIPA 4.0
> or older:
> 
> https://fedorahosted.org/freeipa/ticket/3977

That's right.  I don't even know what the workaround would be for older
than FreeIPA 4.0.  Probably the only choice left there is to run the
additional virtual hosts on a port other than 443.  But that's an even
uglier hack as it's user-facing.

> Speaking in RHEL/CentOS versions, this is 7.1 or older.

My 7.1 has FreeIPA 4.1.

Cheers,
b.



Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
Now it is working, with the same configuration ...
Could there possibly be some delay on the trust if the AD group was a new one?

Thanks, Morgan



-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-14 Thread Pavel Březina

On 09/11/2015 02:40 PM, Molnár Domokos wrote:

> Full log attached.
>
> "Molnár Domokos" wrote:
>
>> "Pavel Březina" wrote:
>>
>>> On 09/09/2015 09:31 PM, Molnár Domokos wrote:
>>>
>>>> I have a working IPA server and a working client config on an OpenSuse
>>>> 13.2 with the following versions:
>>>> nappali:~ # rpm -qa |grep sssd
>>>> sssd-tools-1.12.2-3.4.1.i586
>>>> sssd-krb5-1.12.2-3.4.1.i586
>>>> python-sssd-config-1.12.2-3.4.1.i586
>>>> sssd-ipa-1.12.2-3.4.1.i586
>>>> sssd-1.12.2-3.4.1.i586
>>>> sssd-dbus-1.12.2-3.4.1.i586
>>>> sssd-krb5-common-1.12.2-3.4.1.i586
>>>> sssd-ldap-1.12.2-3.4.1.i586
>>>> sssd is configured for nss, pam, sudo
>>>> There is a test sudo rule defined in the ipa server, which applies to
>>>> user "doma". However when the user tries to use sudo the rule does not
>>>> work.
>>>> doma@nappali:/home/doma> sudo ls
>>>> doma's password:
>>>> doma is not allowed to run sudo on nappali.  This incident will be reported.
>>>> The corresponding log in the sssd_sudo.log is this:
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>>>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
>>>> (Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>>>> This seems perfectly OK with one exception. The query against the sysdb
>>>> does not find the entry. This is strange because the entry is there.
>>>> Log in sssd.log:
>>>> (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
>>>> So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
>>>> Running the exact same query seen above in the sssd_sudo.log against the
>>>> db returns:
>>>> ldbsearch -H /var/lib/sss/db/cache_szilva.ldb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
>>>> asq: Unable to register control with rootdse!
>>>> # record 1
>>>> dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>>>> cn: Doma_ls
>>>> dataExpireTimestamp: 1441830262
>>>> entryUSN: 20521
>>>> name: Doma_ls
>>>> objectClass: sudoRule
>>>> originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
>>>> sudoCommand: ls
>>>> sudoHost: nappali.szilva
>>>> sudoRunAsGroup: ALL

Re: [Freeipa-users] AD Trust Issues

2015-09-14 Thread Matt Wells
Is the fix in CentOS or RHEL yet?

On Fri, Sep 11, 2015 at 1:34 PM, Alexander Bokovoy wrote:

> On Fri, 11 Sep 2015, Matt Wells wrote:
>
>> I've been working on an AD trust with our freeipa servers but have run
>> into
>> some of the same issues others have had.
>> It's well documented here however I feel I've mitigated these -
>> https://bugzilla.redhat.com/show_bug.cgi?id=1219832
>>
>> Freeipa Servers are Fedora 22 / freeipa-server-4.2.0
>> The Samba version i'm on is well past the patched version.  It seems the
>> patch is in samba-4.2.1-7.fc22 and I'm on samba-4.2.3-0 (assuming the
>> patch
>> is in this version).
>>
>> I run
>> # echo Password123 | ipa trust-add --type=ad ad.example.com
>> --trust-secret
>> ipa: ERROR: CIFS server configuration does not allow access to
>> \\pipe\lsarpc
>>
> This was looking like a partial fix. The full fix is in Fedora 23 with
> FreeIPA 4.2.1 release (we didn't yet officially announced it).
>
> We were all busy at FreeIPA/SSSD gathering in Brno this week so there
> wasn't really time to do Fedora 22 backport of the fixes yet.
>
> --
> / Alexander Bokovoy
>



-- 
Matt Wells
Chief Systems Architect
RHCA, RHCVA - #110-000-353
(702) 808-0424
matt.we...@mosaic451.com

Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-14 Thread Pawel Fiuto
Hi Gustavo,

Using settings from  'ipa-advise config-redhat-sssd-before-1-9' with below 
modifications seems to work quite well:

- on ipa server add permission to read ipaSshPubKey anonymously:

[ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user 
--attrs=ipaSshPubKey --bindtype=anonymous --permissions=read

[ipa-client]# diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
2c2
< services = nss, pam, ssh
---
> services = nss, pam
12c12
< ldap_search_base = cn=accounts,dc=example,dc=org
---
> ldap_search_base = cn=compat,dc=example,dc=org
14d13
< ldap_user_ssh_public_key = ipaSshPubKey




From: freeipa-users-boun...@redhat.com  on 
behalf of Gustavo Mateus 
Sent: 11 September 2015 00:30
To: freeipa-users@redhat.com
Subject: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

Hi,

I'm trying to setup my Amazon Linux instances to be able to fetch the IPA users 
public ssh key.

Do I have to setup a binddn and bindpw in the ldap.conf file and use 
/usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?

Thanks,
Gustavo

[Freeipa-users] freeIPA or just SSSD?

2015-09-14 Thread Milam, Tyler S
My organization is evaluating new methods of user account provisioning in 
Linux. What advantages does freeIPA offer over just SSSD?

Some background - we use Active Directory for everything but have a small linux 
footprint (25 servers). However, many services are going to be migrated from 
AIX to Linux, and this will increase the number of Linux servers to well over 
100.

I've been testing FreeIPA 4.1.0, but having a hard time determining if sssd by 
itself is 'enough' or if the additional complexity of setting up FreeIPA with a 
new DNS zone and a 2-way trust with active directory can be justified.

Thanks,
Tyler



Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-14 Thread Gustavo Mateus
I did not try that setup because the config-redhat-sssd-before-1-9 description
says it works with versions 1.5 - 1.8, and Amazon Linux has 1.2:

    config-redhat-sssd-before-1-9: Instructions for configuring a system
    with an old version of SSSD (1.5-1.8) as a IPA client. This set of
    instructions is targeted for platforms that include the authconfig
    utility, which are all Red Hat based platforms.


It is good to know that it works. I'll give it a try.


Thanks,
Gustavo


[Freeipa-users] PHP example of authenticating to Freeipa api

2015-09-14 Thread Marc van de Geijn
Hi,

I've been searching for a PHP example that authenticates to the Freeipa API.

Does somebody have working PHP code? I've been trying to get PHP code working
with bits I could find, but it does not work.

I want to communicate with Freeipa to add users, change passwords, etc from our 
administration panel.

Kind regards,
Marc van de Geijn





Re: [Freeipa-users] V6 and v4

2015-09-14 Thread Janelle

On 9/13/15 11:46 PM, Alexander Bokovoy wrote:

On Sun, 13 Sep 2015, Janelle wrote:

Hello,

I read something recently that if IPv6 is disabled on a server this
hurts performance in some way? Is there more info on this or did I
misread it?

Do not disable the IPv6 stack on your machines. By disabling IPv6 you are
not doing any good. On the contrary, many contemporary software projects are
using IPv6-enabled network calls by default, because both IPv6 and IPv4
share the same name space on the machine, so you only need to listen on an
IPv6 port to accept both IPv4 and IPv6. This has been the recommended approach
for networking application developers for years already.

Note that this means only that support for IPv6 stack is enabled in the
kernel. You are not required to go with IPv6 networking addresses, this
is not really needed if you don't want to. But allowing applications to
be IPv6 aware is required.

FreeIPA has several components which are programmed in such a way that
they expect the IPv6 stack to be enabled, for the reasons outlined above. If you
disable the IPv6 stack, FreeIPA will partially malfunction and will not
really be in a supported state, especially when we are talking about
trusts to Active Directory (and, in future, IPA-to-IPA trust).

Currently no AD trusts and none planned ever, but based on your 
suggestions, I will re-enable the v6 stack.


thank you
~J

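The dual-stack behaviour Alexander describes (one IPv6 listener, both address families) can be observed directly. The probe below is an added example, not from the list post; it binds an AF_INET6 socket on the wildcard address of the loopback interface, connects over plain IPv4, and reports what the server side saw. On Linux `IPV6_V6ONLY` defaults to off (`net.ipv6.bindv6only = 0`), which is what makes the single socket serve both; the same probe with the option on shows the IPv4 client being refused, and a kernel booted with `ipv6.disable=1` shows the failure mode the thread warns about, where the AF_INET6 socket cannot even be created.

```python
#!/usr/bin/env python3
"""Why one IPv6 listener serves IPv4 clients too, and what the failure modes
look like. Added example, not from the list post; uses only loopback and an
ephemeral port."""
import socket
import threading


def probe_dual_stack(v6only=False):
    """Bind an AF_INET6 socket on '::', connect to it over IPv4 and report.

    v6only=False (the Linux default) clears IPV6_V6ONLY, so the IPv4 client is
    accepted and shows up as the v4-mapped address ::ffff:127.0.0.1.
    v6only=True restricts the socket to IPv6 and the IPv4 connect is refused.
    """
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:
        # Kernel booted with ipv6.disable=1: AF_INET6 sockets cannot be created
        # at all, so software that opens only IPv6 sockets fails outright.
        return {"stack": "ipv4-only", "peer": None, "error": str(exc)}

    with srv:
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        try:
            srv.bind(("::", 0))                  # wildcard address, ephemeral port
        except OSError as exc:
            return {"stack": "ipv4-only", "peer": None, "error": str(exc)}
        srv.settimeout(2)                        # do not hang if nobody connects
        srv.listen(1)
        port = srv.getsockname()[1]

        seen = {}

        def accept_one():
            try:
                conn, peer = srv.accept()
            except OSError:
                return                           # timed out: no client arrived
            seen["peer"] = peer[0]
            conn.close()

        worker = threading.Thread(target=accept_one, daemon=True)
        worker.start()

        error = None
        try:
            # An IPv4-only client: it talks to 127.0.0.1, never to an IPv6 address.
            with socket.create_connection(("127.0.0.1", port), timeout=5):
                pass
        except OSError as exc:
            error = str(exc)                     # ECONNREFUSED when v6only=True
        worker.join(3)

    return {"stack": "dual", "port": port, "peer": seen.get("peer"), "error": error}


if __name__ == "__main__":
    print("IPV6_V6ONLY=0:", probe_dual_stack())
    print("IPV6_V6ONLY=1:", probe_dual_stack(v6only=True))
```

The first call prints a peer of `::ffff:127.0.0.1`; the second prints no peer and a connection-refused error. Disabling IPv6 with the `disable_ipv6` sysctl removes addresses but not the address family, which is why a box can look "IPv6-off" yet still run dual-stack daemons, while `ipv6.disable=1` on the kernel command line breaks them.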


Re: [Freeipa-users] PHP example of authenticating to Freeipa api

2015-09-14 Thread Alexander Bokovoy

On Mon, 14 Sep 2015, Marc van de Geijn wrote:

Hi,

I've been searching for a PHP example that authenticates to the Freeipa
API.

Does somebody have working PHP code? I've been trying to get PHP code
working with bits I could find, but it does not work.

I want to communicate with Freeipa to add users, change passwords, etc
from our administration panel.

Look at session-based authentication that I described at
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/

It should work for any programming language as long as you are capable
of processing cookies and keeping the session somewhere.

--
/ Alexander Bokovoy

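The session flow from the linked post, written out as an added example (not code from the list, the post or FreeIPA) in Python rather than the requested PHP, since the two HTTP calls are the whole of it and port over directly: a form POST to `/ipa/session/login_password` returns an `ipa_session` cookie, and that cookie then authorizes JSON-RPC POSTs to `/ipa/session/json`, which insist on a `Referer` header. Server name, credentials, CA path and the API version string are assumptions to replace with your own.

```python
#!/usr/bin/env python3
"""Session-based login to the FreeIPA JSON-RPC API followed by one user_add.

Added example, not from the list post or FreeIPA. IPA_HOST, the admin
credentials in main(), the CA file and API_VERSION are placeholders."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

IPA_HOST = "ipa.example.org"   # assumption: your IPA server
API_VERSION = "2.156"          # assumption: pin to what `ipa ping` on your server reports


def login_request(host, user, password):
    """Step 1: form-encoded POST; the server answers with a Set-Cookie header."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    return urllib.request.Request(
        f"https://{host}/ipa/session/login_password", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "text/plain", "Referer": f"https://{host}/ipa"})


def session_cookie(set_cookie_header):
    """Pull the ipa_session value out of a Set-Cookie header; None if absent."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get("ipa_session")
    return morsel.value if morsel else None


def rpc_payload(method, args, options, version=API_VERSION):
    """JSON-RPC body as IPA expects it: params = [positional list, named dict]."""
    named = dict(options)
    named["version"] = version          # server refuses calls without a version
    return {"method": method, "params": [list(args), named], "id": 0}


def rpc_request(host, cookie, payload):
    """Step 2: JSON POST authorized by the session cookie; Referer is mandatory."""
    return urllib.request.Request(
        f"https://{host}/ipa/session/json", data=json.dumps(payload).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Referer": f"https://{host}/ipa",
                 "Cookie": f"ipa_session={cookie}"})


def rpc_result(response_text):
    """Raise on an API-level error; HTTP 200 alone does not mean success."""
    doc = json.loads(response_text)
    if doc.get("error"):
        raise RuntimeError(f"IPA error {doc['error'].get('code')}: "
                           f"{doc['error'].get('message')}")
    return doc["result"]


def main():
    ctx = ssl.create_default_context(cafile="/etc/ipa/ca.crt")  # assumption: IPA CA
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(login_request(IPA_HOST, "admin", "Secret123")) as resp:
            cookie = session_cookie(resp.headers.get("Set-Cookie", ""))
    except urllib.error.HTTPError as exc:
        # 401 carries the reason (invalid-password, password-expired, ...)
        raise SystemExit(f"login rejected: {exc.headers.get('X-IPA-Rejection-Reason', exc.code)}")
    if not cookie:
        raise SystemExit("login succeeded but no ipa_session cookie was returned")
    payload = rpc_payload("user_add", ["jdoe"], {"givenname": "John", "sn": "Doe"})
    with opener.open(rpc_request(IPA_HOST, cookie, payload)) as resp:
        print(rpc_result(resp.read().decode())["summary"])


if __name__ == "__main__":
    main()
```

Keep the cookie and reuse it for further calls until the server expires it instead of logging in per request, and give the panel its own IPA account with a role limited to the operations it performs (user management, password reset) rather than the admin credentials shown here.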


Re: [Freeipa-users] freeIPA or just SSSD?

2015-09-14 Thread Jakub Hrozek
On Mon, Sep 14, 2015 at 12:38:00PM -0400, Mark Heslin wrote:
> Hi Tyler,
> 
> Some comments below...I'm sure others will chime in :-)
> 
> On 09/14/2015 10:33 AM, Milam, Tyler S wrote:
> >
> >My organization is evaluating new methods of user account provisioning in
> >Linux. What advantages does freeIPA offer over just SSSD?
> >
> 
> Just to be clear, SSSD is the client that can work directly with an existing AD domain, or
> indirectly with an AD domain via IdM/FreeIPA and a cross-realm Kerberos trust.
> When you configure an IdM/FreeIPA client, SSSD is configured (via
> ipa-client-install or realmd). In short:
> 
>   SSSD -> AD (Direct AD Integration)
>   SSSD -> IdM/FreeIPA (standard configuration)
>   SSSD -> IdM/FreeIPA <--- cross-realm Kerberos trust ---> AD (Indirect
> AD integration)
> 
> In general, direct AD integration is recommended for small environments with
> few Linux clients.
> For larger numbers of clients, indirect AD integration is preferred as it
> will give you more control and granularity to manage users, hosts, services,
> certs, keytabs, etc.
> 
> There are some details that come into play - particularly around which
> versions of RHEL (or non-RHEL) your clients are on.
> Attached is a tech brief we put out for Summit that can help.

Also, there were some blog posts Dmitri wrote up not too long ago that
compare direct and indirect integration:

http://rhelblog.redhat.com/2015/05/27/direct-or-indirect-that-is-the-question/



Re: [Freeipa-users] vsftpd PAM setup problem

2015-09-14 Thread jcnt
> Is there anything for /var/log/secure for vsftpd ? I would look for
> messages from pam_sss.so

Sep 14 19:50:11 fds vsftpd[27097]: pam_unix(vsftpd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=::1  user=admin

Nothing from pam_sss.so

Found a temporary workaround - turn off selinux, pam_sss now shows up in log 
files and admin login succeeds.
Seems like problem is not related to freeipa itself.

--
Josh.



Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Nathan Peters
I think it was not having dynamic updates enabled for the reverse zone.  
I enabled those and PTR sync on both the forward and reverse and now it 
seems to be working for a new client that I joined.


What I'm not clear on at this point is why that is not a default 
setting.  I know at some point I deleted a /24 reverse zone and made a 
/16 instead because we have too many /24s to manage efficiently.


Also, due to the issues that can arise from not having valid PTR 
entries, you would think that this would be defaulted to on.


On 9/14/2015 12:03 AM, Martin Basti wrote:

Hi,
can you check the journalctl -u named(-pkcs11) on server, they might 
be errors why PTR record has not been added.


Do you have enabled dynamic updates for the reverse zone?

Martin

On 09/12/2015 10:42 PM, Youenn PIOLET wrote:


Hi,

I've seen the same issue recently on various clients using ipa 3.3 
and ipa 4.* during the first join on a clean OS. Can't confirm it was 
working before. Is it normal behavior?


Allow PTR sync is enabled.

Cheers,

On 12 Sep 2015 at 7:44 AM, "Nathan Peters" wrote:



On 9/11/2015 10:32 AM, Simo Sorce wrote:

On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:

I have been trying to figure this out for a while now but
when I join
machine to FreeIPA, the installer properly creates
forward DNS
entries,and DNSSSHFP entries, but does not create reverse
entries.
Without the PTR records, kerberos logins are always
failing on these
machines.

I am interested in understanding what fails exactly, stuff
should not
depend on reverse resolution can you give me an example of a
failure ?

For the PTR creation anyway have you enabled the option to
allow setting
PTR records ?
There is a global DNS option (as well as a per-zone setting) called
"Allow PTR Sync" you may want to enable.


When we attempt to login using kerberos on a machine that has no
reverse DNS entry defined, we are instead prompted with a
password prompt.  The password authentication still works but the
ticket does not.

From what I read, the Allow PTR Sync option is only used in
conjunction with DNS IP address changes and does not apply to the
initial join of the domain.

Is the joining process supposed to create reverse DNS entries for
the clients or just forward entries and SSHFP entries?


Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-14 Thread Molnár Domokos
On 09/14/2015 03:08 PM, Pavel Březina wrote:
>On 09/11/2015 02:40 PM, Molnár Domokos wrote:

>>Full log attached.
>>"Molnár Domokos" wrote:
>>
>>
>>"Pavel Březina" wrote:
>>
>>On 09/09/2015 09:31 PM, Molnár Domokos wrote:
>> > I have a working IPA server and a working client config on an 
>> OpenSuse
>> > 13.2 with the following versions:
>> > nappali:~ # rpm -qa |grep sssd
>> > sssd-tools-1.12.2-3.4.1.i586
>> > sssd-krb5-1.12.2-3.4.1.i586
>> > python-sssd-config-1.12.2-3.4.1.i586
>> > sssd-ipa-1.12.2-3.4.1.i586
>> > sssd-1.12.2-3.4.1.i586
>> > sssd-dbus-1.12.2-3.4.1.i586
>> > sssd-krb5-common-1.12.2-3.4.1.i586
>> > sssd-ldap-1.12.2-3.4.1.i586
>> > sssd is configured for nss, pam, sudo
>> > There is a test sudo rule defined in the ipa server, which applies 
>> to
>> > user "doma".  However when the user tries to use sudo the rule 
>> does not
>> > work.
>> > doma@nappali:/home/doma> sudo ls
>> > doma's password:
>> > doma is not allowed to run sudo on nappali.  This incident will be 
>> reported.
>> > The corresponding log in the sssd_sudo.log is this:
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] 
>> (0x0200):
>> > Received client version [1].
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] 
>> (0x0200):
>> > Offered version [1].
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sss_parse_name_for_domains]
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sss_parse_name_for_domains]
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sudosrv_cmd_parse_query_done]
>> > (0x0200): Requesting default options for [doma] from []
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] 
>> (0x0200):
>> > Requesting info about [doma@szilva]
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> > 
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> > [(&(objectClass=sudoRule)(|(name=defaults)))]
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sss_parse_name_for_domains]
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sss_parse_name_for_domains]
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sudosrv_cmd_parse_query_done]
>> > (0x0200): Requesting rules for [doma] from []
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] 
>> (0x0200):
>> > Requesting info about [doma@szilva]
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> > 
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> > 
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
>> > (Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): 
>> Client
>> > disconnected!
>> > This seems perfectly OK with one exception. The query against the 
>> sysdb
>> > does not find the entry. This is strange because the entry is 
>> there.
>> > Log in sssd.log:
>> > (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] 
>> (0x0200):
>> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
>> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
>> > Running the exact same query seen above in the sssd_sudo.log 
>> against the
>> > db returns:
>> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
>> > 
>> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
>> > asq: Unable to register control with rootdse!
>> > # record 1
>> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>> > cn: Doma_ls
>> >

Re: [Freeipa-users] vsftpd PAM setup problem

2015-09-14 Thread Jakub Hrozek
On Mon, Sep 14, 2015 at 08:04:09PM -0400, j...@use.startmail.com wrote:
> > Is there anything for /var/log/secure for vsftpd ? I would look for
> > messages from pam_sss.so
> 
> Sep 14 19:50:11 fds vsftpd[27097]: pam_unix(vsftpd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=::1  user=admin
> 
> Nothing from pam_sss.so
> 
> Found a temporary workaround - turn off selinux, pam_sss now shows up in log 
> files and admin login succeeds.
> Seems like problem is not related to freeipa itself.

Posting the AVC might be helpful here -- chances are just some files are
mislabeled.

I tried a quick:
# getsebool -a | grep ftp
but didn't find anything relevant that would need toggling to make
non-unix auth work.

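Turning SELinux off is the workaround Josh found; Jakub's reply points at the real next step, which is reading the denials. The script below is an added example, not from the list or from FreeIPA: it parses `ausearch -m avc` output and sorts each denial into "label problem, run restorecon" or "policy problem, look at sesearch/booleans". The AVC records embedded in it are constructed for illustration, so the `ftpd_t`, `sssd_t` and `user_home_t` contexts in them are assumptions, not a diagnosis of the poster's box, whose actual denials were never posted.

```python
#!/usr/bin/env python3
"""Triage SELinux AVC denials: label problem (restorecon) or policy problem
(boolean / custom module)? Added example, not from the list post.

Feed it:  ausearch -m avc -ts recent -c vsftpd | ./avc_triage.py
The SAMPLE_AVC records are constructed for illustration, not real denials."""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}

SAMPLE_AVC = [
    # constructed: vsftpd talking to the sssd pam pipe, a policy decision, not a label
    'type=AVC msg=audit(1442274611.123:4567): avc:  denied  { connectto } for  pid=27097 '
    'comm="vsftpd" path="/var/lib/sss/pipes/pam" '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sssd_t:s0 '
    'tclass=unix_stream_socket permissive=0',
    # constructed: a PAM file copied in from a home directory and never relabeled
    'type=AVC msg=audit(1442274611.456:4568): avc:  denied  { read open } for  pid=27097 '
    'comm="vsftpd" path="/etc/pam.d/vsftpd" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
    # a non-AVC record from the same ausearch output, which must be ignored
    'type=SYSCALL msg=audit(1442274611.456:4568): arch=c000003e syscall=2 success=no exit=-13',
]


def parse_avc(line):
    """Return the AVC's fields as a dict (perms as a list, plus the bare SELinux
    type of source and target), or None for records that are not AVCs."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    for ctx in ("scontext", "tcontext"):
        # context is user:role:type[:range]; the type is what policy rules name
        rec[ctx + "_type"] = rec.get(ctx, "?:?:?").split(":")[2]
    return rec


def triage(rec):
    """A file-class denial with a path is first checked against the label the
    policy expects for that path; sockets, processes and capabilities are
    policy questions (boolean or custom module), never fixed by relabeling."""
    if rec.get("tclass") in FILE_CLASSES and rec.get("path"):
        return "label", f"matchpathcon -V {rec['path']}   # then: restorecon -v {rec['path']}"
    return "policy", (f"sesearch -A -s {rec['scontext_type']} -t {rec['tcontext_type']} "
                      f"-c {rec['tclass']} -p {','.join(rec['perms'])}")


def summarize(lines):
    """Group denials by (source type, target type, class, triage) -> sorted perms."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass"), triage(rec)[0])
        groups[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


if __name__ == "__main__":
    import sys
    lines = SAMPLE_AVC if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for (src, tgt, cls, kind), perms in summarize(lines).items():
        print(f"{kind:6} {src} -> {tgt} [{cls}] {{ {' '.join(perms)} }}")
    for rec in filter(None, map(parse_avc, lines)):
        print("  next:", triage(rec)[1])
```

If the "label" bucket is empty and the denial is the process-to-process kind, `getsebool -a` and `sesearch` are the right tools, and `audit2allow -a -M local` produces a module you can read before loading; `setenforce 0` should stay a diagnostic step, not the fix.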


Re: [Freeipa-users] AD Trust Issues

2015-09-14 Thread Martin Kosek
Rough FreeIPA 4.2.1 equivalent should be in RHEL-7.2 - Beta is already out:

https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-72-beta-now-available

On 09/14/2015 04:13 PM, Matt Wells wrote:
> Is the fix in CentOS or RHEL yet?
> 
> On Fri, Sep 11, 2015 at 1:34 PM, Alexander Bokovoy 
> wrote:
> 
>> On Fri, 11 Sep 2015, Matt Wells wrote:
>>
>>> I've been working on an AD trust with our freeipa servers but have run into
>>> some of the same issues others have had.
>>> It's well documented here however I feel I've mitigated these -
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1219832
>>>
>>> Freeipa Servers are Fedora 22 / freeipa-server-4.2.0
>>> The Samba version I'm on is well past the patched version.  It seems the
>>> patch is in samba-4.2.1-7.fc22 and I'm on samba-4.2.3-0 (assuming the patch
>>> is in this version).
>>>
>>> I run
>>> # echo Password123 | ipa trust-add --type=ad ad.example.com --trust-secret
>>> ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc
>>>
>> This was looking like a partial fix. The full fix is in Fedora 23 with the
>> FreeIPA 4.2.1 release (we haven't officially announced it yet).
>>
>> We were all busy at FreeIPA/SSSD gathering in Brno this week so there
>> wasn't really time to do Fedora 22 backport of the fixes yet.
>>
>> --
>> / Alexander Bokovoy
>>



Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-14 Thread Jakub Hrozek
On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote:
> On 09/14/2015 03:08 PM, Pavel Březina wrote:
> >On 09/11/2015 02:40 PM, Molnár Domokos wrote:
> 
> >>Full log attached.
> >>"Molnár Domokos" wrote:
> >>
> >>
> >>"Pavel Březina" wrote:
> >>
> >>On 09/09/2015 09:31 PM, Molnár Domokos wrote:
> >> > I have a working IPA server and a working client config on an 
> >> OpenSuse
> >> > 13.2 with the following versions:
> >> > nappali:~ # rpm -qa |grep sssd
> >> > sssd-tools-1.12.2-3.4.1.i586
> >> > sssd-krb5-1.12.2-3.4.1.i586
> >> > python-sssd-config-1.12.2-3.4.1.i586
> >> > sssd-ipa-1.12.2-3.4.1.i586
> >> > sssd-1.12.2-3.4.1.i586
> >> > sssd-dbus-1.12.2-3.4.1.i586
> >> > sssd-krb5-common-1.12.2-3.4.1.i586
> >> > sssd-ldap-1.12.2-3.4.1.i586
> >> > sssd is configured for nss, pam, sudo
> >> > There is a test sudo rule defined in the ipa server, which 
> >> applies to
> >> > user "doma".  However when the user tries to use sudo the rule 
> >> does not
> >> > work.
> >> > doma@nappali:/home/doma> sudo ls
> >> > doma's password:
> >> > doma is not allowed to run sudo on nappali.  This incident will 
> >> be reported.
> >> > The corresponding log in the sssd_sudo.log is this:
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] 
> >> (0x0200):
> >> > Received client version [1].
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] 
> >> (0x0200):
> >> > Offered version [1].
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
> >> [sss_parse_name_for_domains]
> >> > (0x0200): name 'doma' matched without domain, user is 
> >> doma
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
> >> [sss_parse_name_for_domains]
> >> > (0x0200): name 'doma' matched without domain, user is 
> >> doma
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
> >> [sudosrv_cmd_parse_query_done]
> >> > (0x0200): Requesting default options for [doma] from []
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] 
> >> (0x0200):
> >> > Requesting info about [doma@szilva]
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb 
> >> with
> >> > 
> >> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb 
> >> with
> >> > [(&(objectClass=sudoRule)(|(name=defaults)))]
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
> >> [sss_parse_name_for_domains]
> >> > (0x0200): name 'doma' matched without domain, user is 
> >> doma
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
> >> [sss_parse_name_for_domains]
> >> > (0x0200): name 'doma' matched without domain, user is 
> >> doma
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
> >> [sudosrv_cmd_parse_query_done]
> >> > (0x0200): Requesting rules for [doma] from []
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] 
> >> (0x0200):
> >> > Requesting info about [doma@szilva]
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb 
> >> with
> >> > 
> >> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
> >> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb 
> >> with
> >> > 
> >> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
> >> > (Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): 
> >> Client
> >> > disconnected!
> >> > This seems perfectly OK with one exception. The query against 
> >> the sysdb
> >> > does not find the entry. This is strange because the entry is 
> >> there.
> >> > Log in sssd.log:
> >> > (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] 
> >> (0x0200):
> >> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
> >> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
> >> > Running the exact same query seen above in the sssd_sudo.log 
> >> against the
> >> > db returns:
> >> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
> >> > 
> >> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sud