Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-25 Thread Martin Basti

Thank you,

I found the root cause of why the "System: Read Replication Agreements" ACI is not 
on the replica.


https://fedorahosted.org/freeipa/ticket/5631

I have to figure out why this permission is added on CentOS 7.2, because 
IMO this bug has been there since 4.0.



On 24.01.2016 03:22, Nathan Peters wrote:

I can now confirm that this is a 100% reproducible bug, and a pretty severe one 
at that.  You should be able to reproduce this issue at will if you follow 
these steps.  It may actually be possible with fewer servers and fewer steps, but 
here is what I did in a test lab today:

1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0 with 3 
servers, dc1, dc2, dc3, replicating any way you want.
2. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete the server 
/ VM / whatever you have it running on.
3. Install Fedora 23 on the same IP address and hostname 
(dc2.ipatestdomain.net).  Install FreeIPA server 4.2.3 from the replica file 
created on the CA master (dc1).

Check the ACI on dc2.  You will notice it's now missing a bunch of stuff.  So 
basically, all it takes to lose that ACL is to create a Fedora FreeIPA server 
and join it to a CentOS domain.
After I had upgraded all 3 to Fedora, that ACL was lost permanently as it no 
longer existed on any server because there were no CentOS servers left.

I'm assuming since this is so easy to reproduce, that you don't actually need 
my log files.

ACL comparisons below for reference:
1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists 
of only CentOS servers
2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now a 
Fedora 23 FreeIPA 4.2.3 server in the domain (for reference that the CentOS ACL 
hasn't changed yet)
3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server created from a 
replica file made from dc1, the CentOS 7.2 CA master (missing some stuff)
4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some 
stuff)


1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists 
of only CentOS servers

[root@dc1 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" 
aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 
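The ACL comparison the post does by eye can be done mechanically. The script below is an added example, not code from the thread or from FreeIPA: it parses two ldapsearch dumps of the aci attribute, unfolds LDIF continuation lines and decodes base64 (aci::) values so that folding differences do not show up as changes, keys every ACI on its acl "..." name (the "permission:" prefix FreeIPA uses is stripped), and reports what the replica is missing, what it has extra, and which ACIs exist on both with a different body. The two LDIF dumps embedded here are constructed stand-ins with shortened ACI bodies; dc2 lacks the "System: Read Replication Agreements" ACI, as in the post. Run it with the two saved dump files as arguments to compare real servers.

```python
import base64
import re
import sys

# Constructed, abbreviated stand-in for the output of
#   ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
# on the CentOS CA master (dc1).  The ACI bodies are shortened placeholders,
# not FreeIPA's real definitions; values are folded with a leading space on
# continuation lines, the way ldapsearch folds long values.
DC1_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr = "cn || description")(version 3.0;acl "permission:System: Re
 ad Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=
 System: Read Replication Agreements,cn=permissions,cn=pbac,dc=example,dc=com"
 ;)
aci: (target = "ldap:///cn=*,cn=config")(version 3.0;acl "permission:System: R
 ead Config";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Co
 nfig,cn=permissions,cn=pbac,dc=example,dc=com";)

# search result
search: 2
result: 0 Success
"""

# Same dump taken on the Fedora replica (dc2), also constructed: the
# replication-agreement ACI is absent, and the remaining one happens to be
# unfolded, which must not register as a difference.
DC2_LDIF = """\
dn: cn=config
aci: (target = "ldap:///cn=*,cn=config")(version 3.0;acl "permission:System: Read Config";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Config,cn=permissions,cn=pbac,dc=example,dc=com";)

search: 2
result: 0 Success
"""

ACL_NAME_RE = re.compile(r'acl\s+"(?:permission:)?([^"]+)"')


def ldif_entries(text):
    """Split LDIF into entries, each a list of (attribute, value) pairs.

    Continuation lines (one leading space) are unfolded and 'attr:: base64'
    values are decoded, so values longer than one line compare correctly.
    """
    entries, cur = [], []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line:
            if cur:
                entries.append(cur)
                cur = []
        elif line.startswith(" ") and cur:
            cur[-1] += line[1:]          # LDIF folding: drop the single leading space
        else:
            cur.append(line)
    if cur:
        entries.append(cur)

    parsed = []
    for lines in entries:
        attrs = []
        for raw in lines:
            name, _, rest = raw.partition(":")
            if rest.startswith(":"):     # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            attrs.append((name.strip(), value))
        parsed.append(attrs)
    return parsed


def aci_names(ldif_text):
    """Map each ACI's acl "..." name to its full text (unnamed ACIs are keyed on the text)."""
    names = {}
    for attrs in ldif_entries(ldif_text):
        for attr, value in attrs:
            if attr.lower() != "aci":
                continue
            m = ACL_NAME_RE.search(value)
            names[m.group(1) if m else value] = value
    return names


def diff_acis(reference_ldif, replica_ldif):
    """Return (missing on replica, only on replica, present on both but different)."""
    ref, rep = aci_names(reference_ldif), aci_names(replica_ldif)
    missing = set(ref) - set(rep)
    extra = set(rep) - set(ref)
    changed = {n for n in set(ref) & set(rep) if ref[n] != rep[n]}
    return missing, extra, changed


if __name__ == "__main__":
    # Usage: aci_diff.py reference.ldif replica.ldif  (no arguments: the samples above)
    if len(sys.argv) == 3:
        ref_text, rep_text = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        ref_text, rep_text = DC1_LDIF, DC2_LDIF
    for label, names in zip(("missing on replica", "only on replica", "body differs"),
                            diff_acis(ref_text, rep_text)):
        for name in sorted(names):
            print(f"{label}: {name}")
```

Running it on dumps taken from every replica against the CA master's dump turns the "missing some stuff" observation into a concrete list of permission names to restore; an ACI that is present but whose body differs is worth the same attention as a missing one, since a loosened target or bind rule is as much a policy drift as an absent entry.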

Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread Martin Kosek
On 01/25/2016 01:34 PM, thierry bordaz wrote:
> On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have
>> on all two masters a Error.
>>
>> NSMMReplicationPlugin - replication keep alive entry 

Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Rob Verduijn
Cool

Thanx
Rob Verduijn

2016-01-25 12:59 GMT+01:00 Alexander Bokovoy :
> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>
>> Since the first option has less impact, that one sounds the most
>> interesting.
>> However, does this also remain functional when the first ipa server is
>> taken offline ?
>
> Yes. What this option enables is to allow IPA master to become 'trust
> agent' which means SSSD on that master will be able to use cross-forest
> trust credentials to talk to AD for user/group information and
> authentication purposes. It does not allow that master to *manage* the
> trust itself.
>
>>
>> Rob Verduijn
>>
>> 2016-01-25 12:41 GMT+01:00 Alexander Bokovoy :
>>>
>>> On Mon, 25 Jan 2016, Rob Verduijn wrote:


 Hi all,

 When you have an ipa 4.2 server with an one way trust to the ad.
 What steps are needed to install a second ipa master that also has a
 one way trust to the ad ?
>>>
>>>
>>> Depends on what you want to achieve.
>>>
>>> If you want the second IPA master to be able to resolve AD users, just
>>> install the master and run 'ipa-adtrust-install --add-agents' on the
>>> *first* master. This will prompt you to add the second
>>> master to the list of hosts allowed to use cross-forest trust
>>> credentials.
>>>
>>> If you want to use the second IPA master to *manage* the trust, you'd need
>>> to run 'ipa-adtrust-install' on it. No need to specify
>>> '--add-agents' because the master where 'ipa-adtrust-install' is being
>>> run will be automatically added to the list.
>>> --
>>> / Alexander Bokovoy
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
>
> --
> / Alexander Bokovoy



Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread thierry bordaz

On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote:

Hello,

I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have
on all two masters a Error.

NSMMReplicationPlugin - replication keep alive entry 

[Freeipa-users] Authentication Issues

2016-01-25 Thread Vang Pha
Hello All,

Installation Notes:

-  ipa-server-4.2.0-15.el7.centos.3.x86_64

-  ipa-server-trust-ad-4.2.0-15.el7.centos.3.x86_64

Configured it as a non-DNS server install with a trust to server.dev, but after 
I established the trust and rebooted the machine, it's looking for 
krbtgt/server.dev now and I can't kinit admin. I'm not understanding why it's 
going elsewhere to kinit now after the trust and not to itself. Any help would be 
appreciated! Thanks!

Jan 22 11:02:45 l-freeipa101.server.dev smbd[3126]: GSSAPI client step 1
Jan 22 11:02:45 l-freeipa101.server.dev smbd[3126]: GSSAPI client step 1
Jan 22 11:02:45 l-freeipa101.server.dev smbd[3126]: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Server 
krbtgt/server@ipa.server.dev not fo...os database)
Jan 22 11:02:45 l-freeipa101.server.dev smbd[3126]: GSSAPI client step 1
Jan 22 11:02:45 l-freeipa101.server.dev smbd[3126]: GSSAPI client step 1
Jan 22 11:02:45 l-freeipa101.server.dev smbd[3126]: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Server 
krbtgt/server@ipa.server.dev not fo...os database)
Jan 22 11:02:46 l-freeipa101.server.dev systemd[1]: smb.service: main process 
exited, code=exited, status=1/FAILURE
Jan 22 11:02:46 l-freeipa101.server.dev systemd[1]: Failed to start Samba SMB 
Daemon.
Jan 22 11:02:46 l-freeipa101.server.dev systemd[1]: Unit smb.service entered 
failed state.
Jan 22 11:02:46 l-freeipa101.server.dev systemd[1]: smb.service failed.



Vang Pha
Systems Administrator - Web Operations - Lititz, PA
717-381-4842 x2006


Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread Ludwig Krispenz


On 01/25/2016 01:43 PM, Martin Kosek wrote:

On 01/25/2016 01:34 PM, thierry bordaz wrote:

On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote:

Hello,

I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have
on all two masters a Error.

NSMMReplicationPlugin - replication keep alive entry 

Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread Ludwig Krispenz


On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote:

Hello,

I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have
on all two masters a Error.

NSMMReplicationPlugin - replication keep alive entry 

[Freeipa-users] Active Directory and IPA Client

2016-01-25 Thread Cameron Christensen
Hello,

I have a trust established between Windows Active Directory and IPA.
From the IPA server I can get details about AD users but not from a
server configured as an IPA client.

[root@ipa_server ~]# getent passwd ad_user@ad_domain
ad_user@ad_domain:*:1869402973:1869402973:ADUser
Name:/home/ad_domain/ad_user:

Trying to access details about AD users from a server configured as an
IPA client, no results.

[root@ipa_client server ~]# getent passwd ad_user@ad_domain
[root@ipa_client server ~]#

I've enabled debugging of sssd. I believe this is the relevant
information from /var/log/sssd/sssd_.log

(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sbus_handler_got_caller_id] (0x4000): Received SBUS method
[getAccountInfo]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_get_account_info]
(0x0200): Got request for [0x1001][1][name=ad_user]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_req_set_domain]
(0x0400): Changing request domain from [ipa_domain] to [ad_domain]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in
view [Default Trust View] with filter
[(&(objectClass=ipaUserOverride)(uid=ad_user))].
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_print_server]
(0x2000): Searching 
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaUserOverride)(uid=ad_user))][cn=Default Trust
View,cn=views,cn=accounts,d
c=sub_domain,dc=domain].
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa957b0],
ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[ipa_get_ad_override_done] (0x4000): No override found with filter
[(&(objectClass=ipaUserOverride)(uid=ad_user))].
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_destroy]
(0x4000): releasing operation connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send]
(0x2000): ldap_extended_operation sent, msgid = 10
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa9d0c0],
ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa9d0c0],
ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_done]
(0x4000): releasing operation connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_destroy]
(0x4000): releasing operation connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: sh[0xa88e70], connected[1], ops[(nil)], ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!

I see two issues, " ldap_extended_operation result: No such object(32),
(null)" and "ldap_result found nothing!"

Using ldapsearch to execute the query from the ipa_server or the
ipa_client_server produces no results:

[root@ipa_client_server sssd]# ldapsearch -Y GSSAPI
"(&(objectClass=ipaUserOverride)(uid=ad_user))"
SASL/GSSAPI authentication started
SASL username: admin@
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] Active Directory and IPA Client

2016-01-25 Thread Sumit Bose
On Mon, Jan 25, 2016 at 10:15:42AM -0700, Cameron Christensen wrote:
> Hello,
> 
> I have a trust established between Windows Active Directory and IPA.
> From the IPA server I can get details about AD users but not from a
> server configured as an IPA client.
> 
> [root@ipa_server ~]# getent passwd ad_user@ad_domain
> ad_user@ad_domain:*:1869402973:1869402973:ADUser
> Name:/home/ad_domain/ad_user:
> 
> Trying to access details about AD users from a server configured as an
> IPA client, no results.
> 
> [root@ipa_client server ~]# getent passwd ad_user@ad_domain
> [root@ipa_client server ~]#
> 
> I've enabled debugging of sssd. I believe this is the relevant
> information from /var/log/sssd/sssd_.log
> 
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
> [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
> [sbus_handler_got_caller_id] (0x4000): Received SBUS method
> [getAccountInfo]
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_get_account_info]
> (0x0200): Got request for [0x1001][1][name=ad_user]
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_req_set_domain]
> (0x0400): Changing request domain from [ipa_domain] to [ad_domain]
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
> [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in
> view [Default Trust View] with filter
> [(&(objectClass=ipaUserOverride)(uid=ad_user))].
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_print_server]
> (0x2000): Searching 
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectClass=ipaUserOverride)(uid=ad_user))][cn=Default Trust
> View,cn=views,cn=accounts,d
> c=sub_domain,dc=domain].
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
> (0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa957b0],
> ldap[0xa8a650]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
> [ipa_get_ad_override_done] (0x4000): No override found with filter
> [(&(objectClass=ipaUserOverride)(uid=ad_user))].
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_destroy]
> (0x4000): releasing operation connection
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send]
> (0x0400): Executing extended operation
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send]
> (0x2000): ldap_extended_operation sent, msgid = 10
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
> (0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa9d0c0],
> ldap[0xa8a650]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
> (0x2000): Trace: ldap_result found nothing!
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
> (0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa9d0c0],
> ldap[0xa8a650]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_done]
> (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
> [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_done]
> (0x4000): releasing operation connection
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_destroy]
> (0x4000): releasing operation connection
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 0,0,Success
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
> (0x2000): Trace: sh[0xa88e70], connected[1], ops[(nil)], ldap[0xa8a650]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
> (0x2000): Trace: ldap_result found nothing!
> 
> I see two issues, " ldap_extended_operation result: No such object(32),
> (null)" and "ldap_result found nothing!"

The IPA client cannot talk to AD directly to look up the user data, but
requests the data from the IPA server with an 
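The debug log Cameron posted is the client-side half of exactly that exchange: the IPA backend re-routes the request to the trusted domain, looks for an ID override in the Default Trust View, and then asks the IPA server for the user through the s2n extended operation, which is the step that fails. The parser below is an added example (not SSSD code) for reading that log shape: it undoes the mailer's line wrapping, splits each record into timestamp, process, domain, function, level and message, and pulls out the three facts a troubleshooter wants first: where the request was routed, whether an override was found, and the result code of the s2n exop. The sample lines are constructed from the post above; the failure-level mask follows the debug_level bits documented in sssd.conf(5).

```python
import re

# Constructed sample: the client-side sssd_<domain>.log lines from the post,
# kept with the mailer's line wrapping so the unwrap step has work to do.
SAMPLE_LOG = """\
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_get_account_info]
(0x0200): Got request for [0x1001][1][name=ad_user]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_req_set_domain]
(0x0400): Changing request domain from [ipa_domain] to [ad_domain]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in
view [Default Trust View] with filter
[(&(objectClass=ipaUserOverride)(uid=ad_user))].
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[ipa_get_ad_override_done] (0x4000): No override found with filter
[(&(objectClass=ipaUserOverride)(uid=ad_user))].
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
"""

# A record starts with a "(Mon Jan 25 09:37:39 2016)" timestamp; any other
# line is a wrapped continuation of the previous record.
RECORD_START = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}\)")
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>[^\[\]]+)(?:\[(?P<domain>[^\]]+)\])?\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


def unwrap(text):
    """Re-join records that a mail client wrapped onto several lines."""
    lines = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_sssd_log(text):
    """Parse debug records into dicts with ts, proc, domain, func, level (int) and msg."""
    records = []
    for line in unwrap(text):
        m = RECORD.match(line)
        if m:                        # other line shapes (libldap traces, etc.) are skipped
            rec = m.groupdict()
            rec["level"] = int(rec["level"], 16)
            records.append(rec)
    return records


def failures(records):
    """Records logged at the failure levels (0x0010 to 0x0080 in sssd.conf(5) debug_level)."""
    return [r for r in records if r["level"] & 0x00F0]


def domain_switches(records):
    """(from, to) pairs where the IPA backend re-routed a request to a trusted domain."""
    pairs = []
    for r in records:
        m = re.search(r"Changing request domain from \[([^\]]+)\] to \[([^\]]+)\]", r["msg"])
        if m:
            pairs.append(m.groups())
    return pairs


def s2n_failures(records):
    """(LDAP result code, text) for each failed s2n extended operation to the IPA server."""
    out = []
    for r in records:
        if r["func"] != "ipa_s2n_exop_done":
            continue
        m = re.search(r"ldap_extended_operation result: (.+?)\((\d+)\)", r["msg"])
        if m and int(m.group(2)) != 0:
            out.append((int(m.group(2)), m.group(1).strip()))
    return out


def lookup_summary(records):
    """Condense one lookup into the facts worth reading before anything else."""
    requested = None
    for r in records:
        m = re.search(r"name=([^\]]+)", r["msg"]) if r["func"] == "be_get_account_info" else None
        if m:
            requested = m.group(1)
            break
    switches = domain_switches(records)
    override_found = any(r["func"] == "ipa_get_ad_override_done" and "No override" not in r["msg"]
                         for r in records)
    return {
        "requested": requested,
        "served_by_domain": switches[-1][1] if switches else None,
        "override_found": override_found,
        "s2n_errors": s2n_failures(records),
    }


if __name__ == "__main__":
    recs = parse_sssd_log(SAMPLE_LOG)
    print(lookup_summary(recs))
    for r in failures(recs):
        print(f"{r['ts']} {r['func']}: {r['msg']}")
```

Result code 32 is LDAP noSuchObject, returned here by the IPA server's extdom plugin rather than by a search, so the next log to read is the one on the IPA server the client is connected to (its own sssd_<domain>.log and the 389-ds errors log), not the client's again.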

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-25 Thread Birnbaum, Warren (ETW)
My system-auth-ac file looks like:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so



___
Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697






On 1/25/16, 1:26 PM, "Birnbaum, Warren (ETW)" 
wrote:

>Thanks Alexander.  Is there a place where there are example pam stacks
>that work with active directory and hbac?
> 
>___
>Warren Birnbaum : Infrastructure Services
>Web Automation Engineer
>Europe CDT Techn. Operations
>Nike Inc. : Mobile +31 6 23902697
>
>
>
>
>
>
>On 1/22/16, 2:44 PM, "Alexander Bokovoy"  wrote:
>
>>On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>>Thanks for your reply.  I understand what you are saying but don't see
>>>how this would work because Allow_All is my current situation (even with
>>>this rule disabled).  My understanding is you can't restrict through a rule,
>>>only limit.  Am I missing something?
>>Yes.
>>
>>First, lack of an HBAC rule that allows access to a service means pam_sss
>>will deny access to this service. HBAC rules only give you means to
>>_allow_ access, not to limit it, as when no rules are in place,
>>everything is disallowed.  The 'allow_all' HBAC rule is provided exactly to
>>allow starting with a fresh working ground -- you would then remove the
>>'allow_all' rule after creating specific allow rules.
>>
>>Second, while pam_sss evaluates HBAC rules, it is only one module in a
>>PAM stack. There might be other PAM modules that could make their own
>>decisions to allow access to a specific service. You need to see what is
>>in your configuration.
>>
>>On RHEL and Fedora we configure the PAM stack in such a way that, apart from
>>root and the wheel group, the rest is managed by SSSD via pam_sss. If your
>>configuration is different, it is up to you to ensure everything is
>>tightened up.
>>
>>>
>>>
>>>
>>>
>>>On 1/22/16, 1:51 PM, "freeipa-users-boun...@redhat.com on behalf of
>>>Jakub
>>>Hrozek" >>jhro...@redhat.com>
>>>wrote:
>>>
On Fri, Jan 22, 2016 at 09:27:40AM +, Birnbaum, Warren (ETW) wrote:
> Hi.
>
> I have been successful using FreeIPA 4.1 configuring Active Directory
>users and sudo.  The problem I am having is that the HBAC rules
>are not applying to my Active Directory users.  They have access to all
>systems even if I disable my Allow_ALL rule.  Is there something
>special I should be doing to the domain?

Normally HBAC for AD users should be done through an external group you
add the AD users or groups to, then add the external group to a regular
IPA group and reference this IPA group from HBAC rules.

There have been bugs related to external groups resolution, so please
update to the latest IPA and SSSD packages also.

>>>
>>>
>>
>>-- 
>>/ Alexander Bokovoy
>


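Alexander's second point, that pam_sss is only one module and something earlier in the stack may be granting access on its own, is mechanical enough to check with a script. The one below is an added example, not code from the thread, from SSSD or from authconfig: it parses pam.d-style lines (including the bracketed [value=action ...] control syntax and the leading "-" that marks a module as optional if absent) and, for the account phase where HBAC is evaluated, reports whether pam_sss.so is present at all and which modules before it can end the stack with success. On the stack Warren posted the only such modules are pam_localuser (users listed in /etc/passwd) and pam_succeed_if uid < 1000, which is the root/wheel exemption Alexander describes and which an AD user with a large generated UID does not match. The second stack is a constructed counter-example showing what a real bypass looks like. When running it on a client, check password-auth(-ac) as well, since sshd includes that file rather than system-auth.

```python
import re

# Stack copied from the post above (system-auth-ac), column spacing restored.
POSTED_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""

# Constructed counter-example, not from the thread: pam_permit slipped in as
# 'sufficient' accepts every account before pam_sss (and HBAC) gets a say.
BROKEN_STACK = """\
account     required      pam_unix.so
account     sufficient    pam_permit.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
"""

# "-" prefix, phase, control (single word or [value=action ...]), module, args.
PAM_LINE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_stack(text):
    """Parse pam.d lines into dicts; entries prefixed with '-' are marked optional."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        dash, phase, control, module, args = m.groups()
        entries.append({"phase": phase, "control": control, "module": module,
                        "args": args, "optional": dash == "-"})
    return entries


def grants_on_success(control):
    """True if a success from this module can end the stack with 'allow' on its own."""
    if control == "sufficient":          # shorthand for [success=done new_authtok_reqd=done default=ignore]
        return True
    if control.startswith("["):
        actions = dict(tok.partition("=")[::2] for tok in control[1:-1].split())
        return actions.get("success") == "done"
    return False


def hbac_consulted(entries):
    """HBAC is only evaluated if pam_sss.so sits in the account phase."""
    return any(e["phase"] == "account" and e["module"] == "pam_sss.so" for e in entries)


def account_bypasses(entries):
    """Account-phase modules that can grant access before pam_sss runs."""
    bypass = []
    for e in entries:
        if e["phase"] != "account":
            continue
        if e["module"] == "pam_sss.so":
            break
        if grants_on_success(e["control"]):
            bypass.append((e["module"], e["args"]))
    return bypass


def audit(text):
    """Human-readable findings for one PAM file."""
    entries = parse_pam_stack(text)
    findings = []
    if not hbac_consulted(entries):
        findings.append("pam_sss.so missing from account phase: HBAC never evaluated")
    for module, args in account_bypasses(entries):
        findings.append(f"{module} {args}".strip() + " can grant access before pam_sss")
    return findings


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_STACK), ("broken", BROKEN_STACK)):
        print(name, audit(stack) or ["no findings"])
```

The output for the posted stack lists only the two local-user exemptions; if a client shows anything else before pam_sss in the account phase, or no pam_sss there at all, that client is not asking IPA for an HBAC decision no matter what rules exist on the server.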

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-25 Thread Alexander Bokovoy

On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:

Thanks Alexander.  Is there a place where there are example pam stacks
that work with active directory and hbac?

Defaults in RHEL/Fedora should be enough:
- install RHEL/Fedora,
- apply ipa-client-install,

then you get proper setup. That's what is tested and supported.

ipa-client-install would run authconfig utility with correct parameters
to set PAM stack properly.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-25 Thread Birnbaum, Warren (ETW)
OK.  I have done this and am using the pam stack that is the result of
what you describe here.

A few threads back you mentioned that this could be a reason why my HBAC
rules are not restricting access.  I have no HBAC rules currently and any Active
Directory user can access any host.  Is there something else I could look
at to see why this is happening?

Thanks.
___
Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697






On 1/25/16, 2:11 PM, "Alexander Bokovoy"  wrote:

>On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>Thanks Alexander.  Is there a place where there are example pam stacks
>>that work with active directory and hbac?
>Defaults in RHEL/Fedora should be enough:
> - install RHEL/Fedora,
> - apply ipa-client-install,
>
>then you get proper setup. That's what is tested and supported.
>
>ipa-client-install would run authconfig utility with correct parameters
>to set PAM stack properly.
>
>-- 
>/ Alexander Bokovoy




Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-25 Thread Alexander Bokovoy

On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:

OK.  I have done this and am using the pam stack that is the result of
what you describe here.

A few threads back you mentioned that this could be a reason why my HBAC
rules are not restricting access.  I have no HBAC rules currently and any Active
Directory user can access any host.  Is there something else I could look
at to see why this is happening?

https://fedorahosted.org/sssd/wiki/Troubleshooting is your friend.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-25 Thread Jakub Hrozek
On Sun, Jan 24, 2016 at 08:03:09PM +0100, Rob Verduijn wrote:
> Hi,
> 
> H microsoft removes the UI, but leaves the schema extension.
> Does not really make sense, but after some googling this does seem to
> be the case.
> 
> Your comment made me check google with some different keywords and I
> found that there was this irritation that was solved by somebody. (at
> microsoft)
> 
> http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx
> 
> That explains why modifying the loginShell attribute did not work.
> 
> I put the 'ldap_user_shell=msSFU30LoginShell' in the
> [domain/ipadomain] section from sssd.conf.
> This is required I guess on all ipa-clients that AD-accounts get access to.

Hmm, is this really required? The thing is that the IPA clients get
their information through an extended operation and it's the SSSD on the
IPA server that does the heavy lifting and just passes the info to the
clients.

I'll try to find some time later to test this..

> 
> And now all users seem to get the /bin/bash that can be set in the
> AD-user attribute loginShell
> 
> ( glad to see they keep their camel case in sync everywhere in the AD )
> 
> Thanks for thinking along on this one.
> Rob Verduijn
> 
> 2016-01-24 16:02 GMT+01:00 Jakub Hrozek :
> >
> >> On 24 Jan 2016, at 12:00, Rob Verduijn  wrote:
> >>
> >> Hello,
> >>
> >> I'm trying to get an ipa server to trust a microsoft AD-domain.
> >>
> >> So far I've managed to get the trust to work and I can login with an
> >> active directory user on the ipa clients.
> >>
> >> Now I see the default shell is set to /bin/sh.
> >> Since the preferred shell is bash for me, I wish to change this.
> >> It doesn't help to set this in the ipa server config since these
> >> accounts are external MS accounts.
> >>
> >> In the good old days we used to have POSIX attribute schemas in the
> >> AD, one of them being the shell.
> >>
> >> Sadly this is a thing of the past.
> >   
> >
> > Are you referring to IMU being deprecated? IIRC the attributes should 
> > work..even though MS is deprecating the UI..
> >
> > Alternatively, since the clients read the ID info via the server, 
> > overriding the shell in IPA server's sssd.conf should work as well.
> >
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
> >>
> >> How do I define a new default shell for all ms-AD accounts in ipa ?
> >>
> >> Cheers
> >> Rob Verduijn
> >>
> >



Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-25 Thread Rob Verduijn
Maybe the difference was that I used a fresh demo installation of
Windows 2012 R2 server.
I only added the AD controller, DNS and NTP functionality for testing.
(and all the patches... which literally takes a day to complete on a
system with 4 cores and 4G RAM)

I also found out that DNSSEC is not default, so I disabled DNSSEC
validation on the ipa server in the named.conf.
Because this already cost me a day's work debugging, not to mention
lack of knowledge on how to do this in AD.

Minor side note,
according to: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
In the DNS verification checks it tells you to verify the kerberos UDP record
dig +short -t SRV _kerberos._udp.dc._msdcs.ad.example.com.
This yields no response.

There is no UDP record in the AD, but there is a TCP record.
dig +short -t SRV _kerberos._tcp.dc._msdcs.ad.example.com.
This gives a response.

I also validated the trust on the AD side; I'm not sure this is needed.

After doing this I can issue the command 'id AD.DOMAIN\\ADUSER' and
I get a response telling me the uid/gid/ad-id/ad-group etc.

Rob Verduijn

2016-01-25 9:24 GMT+01:00 Jakub Hrozek :
> On Sun, Jan 24, 2016 at 08:03:09PM +0100, Rob Verduijn wrote:
>> Hi,
>>
>> H microsoft removes the UI, but leaves the schema extension.
>> Does not really make sense, but after some googling this does seem to
>> be the case.
>>
>> Your comment made me check google with some different keywords and I
>> found that there was this irritation that was solved by somebody. (at
>> microsoft)
>>
>> http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx
>>
>> That explains why modifying the loginShell attribute did not work.
>>
>> I put the 'ldap_user_shell=msSFU30LoginShell' in the
>> [domain/ipadomain] section from sssd.conf.
>> This is required I guess on all ipa-clients that AD-accounts get access to.
>
> Hmm, is this really required? The thing is that the IPA clients get
> their information through an extended operation and it's the SSSD on the
> IPA server that does the heavy lifting and just passes the info to the
> clients.
>
> I'll try to find some time later to test this..
>
>>
>> And now all users seem to get the /bin/bash that can be set in the
>> AD-user attribute loginShell
>>
>> ( glad to see they keep their camel case in sync everywhere in the AD )
>>
>> Thanks for thinking along on this one.
>> Rob Verduijn
>>
>> 2016-01-24 16:02 GMT+01:00 Jakub Hrozek :
>> >
>> >> On 24 Jan 2016, at 12:00, Rob Verduijn  wrote:
>> >>
>> >> Hello,
>> >>
>> >> I'm trying to get an ipa server to trust a microsoft AD-domain.
>> >>
>> >> So far I've managed to get the trust to work and I can login with an
>> >> active directory user on the ipa clients.
>> >>
>> >> Now I see the default shell is set to /bin/sh.
>> >> Since the preferred shell is bash for me, I wish to change this.
>> >> It doesn't help to set this in the ipa server config since these
>> >> accounts are external MS accounts.
>> >>
>> >> In the good old days we used to have POSIX attribute schemas in the
>> >> AD, one of them being the shell.
>> >>
>> >> Sadly this is a thing of the past.
>> >   
>> >
>> > Are you referring to IMU being deprecated? IIRC the attributes should 
>> > work..even though MS is deprecating the UI..
>> >
>> > Alternatively, since the clients read the ID info via the server, 
>> > overriding the shell in IPA server's sssd.conf should work as well.
>> >
>> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>> >>
>> >> How do I define a new default shell for all ms-AD accounts in ipa ?
>> >>
>> >> Cheers
>> >> Rob Verduijn
>> >>
>> >

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread Zeal Vora
Hi

I have setup a multi-master IPA and it seems to be working fine.

The clients ( laptops and servers ) are not using the DNS of IPA.

I was wondering, while configuring ipa-client, which server do I reference
to when it asks the ipa-server hostname ?

Both master servers have different hostnames.

master1.example.com  ( Master 1 )
master2.example.com  ( Master 2 )

Any help will be appreciated


Thanks
Zeal

Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Christian Heimes
On 2016-01-25 08:17, Winfried de Heiden wrote:
> Great,
> 
> Changing
> 
> /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = false
> 
> to
> 
> # cat /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = true
> 
> along with adding the windows realm to krb5.conf on the clients did the
> trick; I am able to obtain an AD TGT ticket by using the KDC proxy
> 
> Is there a special reason why "use_dns = false" was used in kdcproxy.conf?

The current implementation of the DNS configuration feature is slow and
reduces performance of KDC proxy requests. Every request has to fetch
multiple SRV records and then resolve each entry in each record again.
There is neither caching nor async DNS support, either.

A co-worker has written an RFC to address the problem. The RFC hasn't
been approved yet.
https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00

Do you need dynamic configuration or can you get by with static
configuration in krb5.conf?

Christian




Re: [Freeipa-users] Freeipa deployment request

2016-01-25 Thread Petr Spacek
On 22.1.2016 16:22, Visakh MV wrote:
> Hi team,
> 
> We plan to integrate Windows AD and OpenShift Origin with FreeIPA. We
> have doubts about the DNS working between those, and also need
> configuration details for replication between those. If you provide any
> kind of information on the above, I would really like to go with Red Hat
> 7. Your kind responses as soon as possible would be good for us.

Please see official documentation.

DNS configuration required for FreeIPA:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#dns-reqs

DNS requirements for AD trusts:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings

This guide includes a procedure to verify that FreeIPA can see AD's DNS and the
other way around.

-- 
Petr^2 Spacek



Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Winfried de Heiden

  
  
OK clear, many thanks!

Winny

On 25-01-16 at 09:45, Christian Heimes wrote:

On 2016-01-25 08:17, Winfried de Heiden wrote:

  
Great,

Changing

/etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false

to

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = true

along with adding the windows realm to krb5.conf on the clients did the
trick; I am able to obtain an AD TGT ticket by using the KDC proxy

Is there a special reason why "use_dns = false" was used in kdcproxy.conf?

  
  
The current implementation of the DNS configuration feature is slow and
reduces performance of KDC proxy requests. Every request has to fetch
multiple SRV records and then resolve each entry in each record again.
There is neither caching nor async DNS support, either.

A co-worker has written an RFC to address the problem. The RFC hasn't
been approved yet.
https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00

Do you need dynamic configuration or can you get by with static
configuration in krb5.conf?

Christian




  



Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Winfried de Heiden

  
  
"RHEL 6.x libkrb5 has no support for KDC proxy"

Too bad, I was afraid of that.

Winny

On 25-01-16 at 08:36, Alexander Bokovoy wrote:

RHEL 6.x libkrb5 has no support for KDC proxy


  



[Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Rob Verduijn
Hi all,

When you have an IPA 4.2 server with a one-way trust to AD, what steps
are needed to install a second IPA master that also has a one-way trust
to AD?

Rob Verduijn



Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread Petr Spacek
On 25.1.2016 10:47, Zeal Vora wrote:
> Hi
> 
> I have setup a multi-master IPA and it seems to be working fine.
> 
> The clients ( laptops and servers ) are not using the DNS of IPA.
> 
> I was wondering, while configuring ipa-client, which server do I reference
> to when it asks the ipa-server hostname ?
> 
> Both master servers have different hostnames.
> 
> master1.example.com  ( Master 1 )
> master2.example.com  ( Master 2 )

Specify only the --domain option and do not use the --server option at all. It will
enable server auto-detection using DNS SRV records, and you will not need to
worry about adding/removing servers because all clients will automatically
pick the new list up.

-- 
Petr^2 Spacek



Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread Zeal Vora
Thanks Petr.

So if the domain is example.com, in DNS, what would be the IP associated
with it ?

As there are 2 master servers, each of them will have different IP address.

On Mon, Jan 25, 2016 at 4:34 PM, Petr Spacek  wrote:

> On 25.1.2016 10:47, Zeal Vora wrote:
> > Hi
> >
> > I have setup a multi-master IPA and it seems to be working fine.
> >
> > The clients ( laptops and servers ) are not using the DNS of IPA.
> >
> > I was wondering, while configuring ipa-client, which server do I
> reference
> > to when it asks the ipa-server hostname ?
> >
> > Both master servers have different hostnames.
> >
> > master1.example.com  ( Master 1 )
> > master2.example.com  ( Master 2 )
>
> Specify only the --domain option and do not use the --server option at all. It will
> enable server auto-detection using DNS SRV records, and you will not need to
> worry about adding/removing servers because all clients will automatically
> pick the new list up.
>
> --
> Petr^2 Spacek
>

[Freeipa-users] Incremental update failed and requires administrator action

2016-01-25 Thread bahan w
Hello !

I recently installed a replica (master2) in addition to my master (master1)
with IPA 3.0.0-47 on RHEL 6.6.
I don't know since when exactly, but the dirsrv (and the whole IPA service)
on master1 crashes regularly with the following logs.

###
[22/Jan/2016:15:38:20 +0100] - 389-Directory/1.2.11.15 B2015.279.183
starting up
[22/Jan/2016:15:38:20 +0100] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=
[22/Jan/2016:15:38:21 +0100] schema-compat-plugin - warning: no entries set
up under cn=ng, cn=compat,dc=
[22/Jan/2016:15:38:21 +0100] schema-compat-plugin - warning: no entries set
up under ou=sudoers,dc=
[22/Jan/2016:15:38:21 +0100] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[22/Jan/2016:15:38:21 +0100] - Listening on All Interfaces port 636 for
LDAPS requests
[22/Jan/2016:15:38:21 +0100] - Listening on /var/run/slapd-.socket
for LDAPI requests
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - changelog program -
_cl5WriteOperationTxn: retry (49) the transaction
(csn=56a252ef0004) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker
killed to resolve a deadlock))
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - changelog program -
_cl5WriteOperationTxn: failed to write entry with csn
(56a252ef0004); db error - -30994 DB_LOCK_DEADLOCK: Locker killed
to resolve a deadlock
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin -
write_changelog_and_ruv: can't add a change for
uid=,cn=users,cn=accounts,dc= (uniqid:
a7ebd403-c12111e5-9c84c092-9a5deb81, optype: 16) to changelog csn
56a252ef0004
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin -
agmt="cn=meTo" (:389): Missing data encountered
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin -
agmt="cn=meTo" (:389): Incremental update
failed and requires administrator action
###

Then the dirsrv, I mean the whole IPA server, is down.
When I restart the service, here is what I see:

###
[22/Jan/2016:17:06:18 +0100] - 389-Directory/1.2.11.15 B2015.279.183
starting up
[22/Jan/2016:17:06:18 +0100] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[22/Jan/2016:17:06:18 +0100] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=
[22/Jan/2016:17:06:19 +0100] schema-compat-plugin - warning: no entries set
up under cn=ng, cn=compat,dc=
[22/Jan/2016:17:06:19 +0100] schema-compat-plugin - warning: no entries set
up under ou=sudoers,dc=
[22/Jan/2016:17:06:20 +0100] set_krb5_creds - Could not get initial
credentials for principal [ldap/@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[22/Jan/2016:17:06:20 +0100] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[22/Jan/2016:17:06:20 +0100] - Listening on All Interfaces port 636 for
LDAPS requests
[22/Jan/2016:17:06:20 +0100] - Listening on /var/run/slapd-.socket
for LDAPI requests
[22/Jan/2016:17:06:20 +0100] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_244' not found)) errno 0 (Success)
[22/Jan/2016:17:06:20 +0100] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[22/Jan/2016:17:06:20 +0100] NSMMReplicationPlugin -
agmt="cn=meTo" (:389): Replication bind with
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_244' not found))
[22/Jan/2016:17:06:23 +0100] NSMMReplicationPlugin -
agmt="cn=meTo" (:389): Replication bind with
GSSAPI auth resumed
###

It seems that there is a problem writing an entry in the DB? Do you know
how I can solve this problem, please?

Furthermore, it seems that there is a second problem with the keytab
/etc/dirsrv/ds.keytab.

The keytab is good for me :
###
#ls -l /etc/dirsrv/ds.keytab
-rw--- 1 dirsrv dirsrv 362 Jan 21 14:12 /etc/dirsrv/ds.keytab
# kinit -kt /etc/dirsrv/ds.keytab ldap/@
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/@

Valid starting     Expires            Service principal
01/25/16 11:54:23  01/26/16 11:54:23  krbtgt/@
###

I wonder if this second problem comes from the user dirsrv not being
able to use this keytab.
I cannot test this because the user dirsrv has been created with nologin.
###
# su - dirsrv -c "kinit -kt /etc/dirsrv/ds.keytab ldap/@"
This account is currently not available.

# grep dirsrv /etc/passwd
dirsrv:x:244:497::/var/lib/dirsrv:/sbin/nologin
pkisrv:x:246:497::/var/lib/dirsrv:/sbin/nologin
###

Just for my information, is it normal that these users are created with
nologin?

Best regards.

Bahan
-- 
Manage your subscription for the Freeipa-users mailing list:
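The entries above are the 389-ds errors log as the mail client wrapped it. Below is an added example, not FreeIPA or 389-ds code, of a small triage script that re-joins the wrapped entries and flags the replication halt, the changelog deadlock and the keytab/ccache errors; the sample log is constructed from the messages in this post, with placeholder names (replica.example.com, master1.example.com, EXAMPLE.COM) where the post elides them.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Set

# Constructed from the messages in the post; hostnames and realm are placeholders.
SAMPLE_LOG = """\
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - changelog program -
_cl5WriteOperationTxn: retry (49) the transaction
(csn=56a252ef0004) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker
killed to resolve a deadlock))
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin -
agmt="cn=meToreplica.example.com" (replica.example.com:389): Incremental update
failed and requires administrator action
[22/Jan/2016:17:06:20 +0100] set_krb5_creds - Could not get initial
credentials for principal [ldap/master1.example.com@EXAMPLE.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[22/Jan/2016:17:06:20 +0100] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
(Credentials cache file '/tmp/krb5cc_244' not found)
[22/Jan/2016:17:06:23 +0100] NSMMReplicationPlugin -
agmt="cn=meToreplica.example.com" (replica.example.com:389): Replication bind with
GSSAPI auth resumed
"""

TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$")
AGMT_RE = re.compile(r'agmt="([^"]+)"')

# (kind, severity, regex); the first matching rule wins
RULES = [
    ("replication_halted", "critical",
     r"Incremental update failed and requires administrator action"),
    ("changelog_deadlock", "warning", r"DB_LOCK_DEADLOCK"),
    ("keytab_init_failed", "error", r"Could not get initial credentials"),
    ("ccache_missing", "error", r"Credentials cache file '[^']+' not found"),
    ("replication_resumed", "info", r"Replication bind with GSSAPI auth resumed"),
]

class Finding(NamedTuple):
    when: datetime
    kind: str
    severity: str
    agreement: str  # "" when the entry is not tied to a replication agreement
    message: str

def join_wrapped(lines) -> List[str]:
    """Re-join entries the mail client wrapped: only a line starting with a
    timestamp opens a new entry ('[FILE:...' above is a continuation)."""
    entries: List[str] = []
    for line in lines:
        text = line.strip()
        if not text or text.startswith("#"):  # blanks and the '###' separators
            continue
        if TS_RE.match(text) or not entries:
            entries.append(text)
        else:
            entries[-1] += " " + text
    return entries

def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for entry in join_wrapped(log_text.splitlines()):
        m = TS_RE.match(entry)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        msg = m.group(2)
        for kind, severity, pattern in RULES:
            if re.search(pattern, msg):
                agmt = AGMT_RE.search(msg)
                findings.append(Finding(when, kind, severity,
                                        agmt.group(1) if agmt else "", msg))
                break
    return findings

def halted_agreements(findings: List[Finding]) -> Set[str]:
    """Agreements that reported 'requires administrator action'. A later
    'auth resumed' entry only shows the GSSAPI bind works again, not that
    incremental replication recovered, so it does not clear this state."""
    return {f.agreement for f in findings if f.kind == "replication_halted"}
```

Running `triage(SAMPLE_LOG)` yields one finding per entry in order; `halted_agreements` names the agreement that still needs attention regardless of the later bind recovery.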

Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Alexander Bokovoy

On Mon, 25 Jan 2016, Rob Verduijn wrote:

Hi all,

When you have an IPA 4.2 server with a one-way trust to AD, what steps
are needed to install a second IPA master that also has a one-way trust
to AD?

Depends on what you want to achieve.

If you want the second IPA master to be able to resolve AD users, just
install the master and run 'ipa-adtrust-install --add-agents' on the
*first* master. This will prompt you about adding the second
master to the list of hosts allowed to use cross-forest trust
credentials.

If you want to use the second IPA master to *manage* the trust, you'd need
to run 'ipa-adtrust-install' on it. No need to specify
'--add-agents' because the master where 'ipa-adtrust-install' is being
run will be automatically added to the list.
--
/ Alexander Bokovoy



Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread Petr Spacek
On 25.1.2016 12:08, Zeal Vora wrote:
> Thanks Petr.
> 
> So if the domain is example.com, in DNS, what would be the IP associated
> with it ?
> 
> As there are 2 master servers, each of them will have different IP address.

Please see the following text about DNS SRV records:
https://en.wikipedia.org/wiki/SRV_record

I hope it helps.

Petr^2 Spacek

> 
> On Mon, Jan 25, 2016 at 4:34 PM, Petr Spacek  wrote:
> 
>> On 25.1.2016 10:47, Zeal Vora wrote:
>>> Hi
>>>
>>> I have setup a multi-master IPA and it seems to be working fine.
>>>
>>> The clients ( laptops and servers ) are not using the DNS of IPA.
>>>
>>> I was wondering, while configuring ipa-client, which server do I
>> reference
>>> to when it asks the ipa-server hostname ?
>>>
>>> Both master servers have different hostnames.
>>>
>>> master1.example.com  ( Master 1 )
>>> master2.example.com  ( Master 2 )
>>
>> Specify only the --domain option and do not use the --server option at all. It will
>> enable server auto-detection using DNS SRV records, and you will not need to
>> worry about adding/removing servers because all clients will automatically
>> pick the new list up.
>>
>> --
>> Petr^2 Spacek



Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread David Kupka

On 25/01/16 12:08, Zeal Vora wrote:

Thanks Petr.

So if the domain is example.com, in DNS, what would be the IP associated
with it ?

As there are 2 master servers, each of them will have different IP address.

On Mon, Jan 25, 2016 at 4:34 PM, Petr Spacek  wrote:


On 25.1.2016 10:47, Zeal Vora wrote:

Hi

I have setup a multi-master IPA and it seems to be working fine.

The clients ( laptops and servers ) are not using the DNS of IPA.

I was wondering, while configuring ipa-client, which server do I

reference

to when it asks the ipa-server hostname ?

Both master servers have different hostnames.

master1.example.com  ( Master 1 )
master2.example.com  ( Master 2 )


Specify only the --domain option and do not use the --server option at all. It will
enable server auto-detection using DNS SRV records, and you will not need to
worry about adding/removing servers because all clients will automatically
pick the new list up.

--
Petr^2 Spacek








The '--domain' parameter is used by the client installer to form a DNS request.
The request that is sent is the same as the one sent by this command:
dig -t SRV _ldap._tcp.

It then receives a list of records similar to this one:
100 0 389 
100 0 389 

The installer then goes through the list and checks whether each one is really a
FreeIPA server; the first one that passes is used. When an IP address is needed,
it can be resolved from the name included in the SRV response.


HTH,
--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
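Petr's and David's replies above describe the --domain-only path: the client queries SRV records for _ldap._tcp.<domain>, orders the answers, and probes each candidate until one passes. The following is an added illustration of that client-side logic, not ipa-client-install's own code; the sample answer, the backup.example.com host and the probe callback are constructed, and the ordering follows RFC 2782 rather than whatever the installer itself implements.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample in 'dig +short -t SRV _ldap._tcp.example.com' form
# (priority weight port target); master1/master2 follow the thread.
SAMPLE_ANSWER = """
0 100 389 master1.example.com.
0 100 389 master2.example.com.
10 0 389 backup.example.com.
"""

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def parse_srv_answer(lines: Iterable[str]) -> List[SrvRecord]:
    """Parse 'priority weight port target' lines; blank lines and ';'
    comments (as dig prints them) are skipped, anything else malformed raises."""
    records: List[SrvRecord] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed SRV record: {line!r}")
        prio, weight, port, target = fields
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".")))
    return records

def order_srv(records: Iterable[SrvRecord],
              seed: Optional[int] = None) -> List[SrvRecord]:
    """RFC 2782 client ordering: lowest priority value first; within one
    priority a weighted random draw, weight-0 entries placed first so they
    are picked only when the draw is 0 (i.e. almost always tried last)."""
    rng = random.Random(seed)
    by_priority: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered: List[SrvRecord] = []
    for priority in sorted(by_priority):
        pool = sorted(by_priority[priority], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]
            if total > 0:
                point = rng.randint(0, total)
                running = 0
                for rec in pool:
                    running += rec.weight
                    if running >= point:
                        pick = rec
                        break
            else:
                pick = rng.choice(pool)
            ordered.append(pick)
            pool.remove(pick)
    return ordered

Probe = Callable[[str, int], bool]

def discover_server(records: Iterable[SrvRecord], probe: Probe,
                    seed: Optional[int] = None) -> Optional[SrvRecord]:
    """Walk the ordered candidates and return the first one the probe accepts
    (the installer's 'is this really a FreeIPA server' check, modelled as a
    caller-supplied callback so this runs offline), or None if none passes."""
    for rec in order_srv(records, seed):
        if probe(rec.target, rec.port):
            return rec
    return None

if __name__ == "__main__":
    recs = parse_srv_answer(SAMPLE_ANSWER.splitlines())
    # Offline stand-in for the probe: pretend master1 is unreachable.
    print(discover_server(recs, lambda host, port: host != "master1.example.com"))
```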


Re: [Freeipa-users] Incremental update failed and requires administrator action

2016-01-25 Thread Ludwig Krispenz

Could you get a core dump from the crash:
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes

Ludwig

On 01/25/2016 12:08 PM, bahan w wrote:

Hello !

I recently installed a replica (master2) in addition to my master 
(master1) with IPA 3.0.0-47 on RHEL 6.6.
I don't know since when exactly, but the dirsrv (and the whole IPA 
service) on master1 crashes regularly with the following logs.


###
[22/Jan/2016:15:38:20 +0100] - 389-Directory/1.2.11.15 
 B2015.279.183 starting up
[22/Jan/2016:15:38:20 +0100] schema-compat-plugin - warning: no 
entries set up under cn=computers, cn=compat,dc=
[22/Jan/2016:15:38:21 +0100] schema-compat-plugin - warning: no 
entries set up under cn=ng, cn=compat,dc=
[22/Jan/2016:15:38:21 +0100] schema-compat-plugin - warning: no 
entries set up under ou=sudoers,dc=
[22/Jan/2016:15:38:21 +0100] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[22/Jan/2016:15:38:21 +0100] - Listening on All Interfaces port 636 
for LDAPS requests
[22/Jan/2016:15:38:21 +0100] - Listening on 
/var/run/slapd-.socket for LDAPI requests
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - changelog program 
- _cl5WriteOperationTxn: retry (49) the transaction 
(csn=56a252ef0004) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker 
killed to resolve a deadlock))
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - changelog program 
- _cl5WriteOperationTxn: failed to write entry with csn 
(56a252ef0004); db error - -30994 DB_LOCK_DEADLOCK: Locker 
killed to resolve a deadlock
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - 
write_changelog_and_ruv: can't add a change for 
uid=,cn=users,cn=accounts,dc= (uniqid: 
a7ebd403-c12111e5-9c84c092-9a5deb81, optype: 16) to changelog csn 
56a252ef0004
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - 
agmt="cn=meTo" (:389): Missing data 
encountered
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - 
agmt="cn=meTo" (:389): Incremental update 
failed and requires administrator action

###

Then the dirsrv, I mean the whole IPA server, is down.
When I restart the service, here is what I see:

###
[22/Jan/2016:17:06:18 +0100] - 389-Directory/1.2.11.15 
 B2015.279.183 starting up
[22/Jan/2016:17:06:18 +0100] - Detected Disorderly Shutdown last time 
Directory Server was running, recovering database.
[22/Jan/2016:17:06:18 +0100] schema-compat-plugin - warning: no 
entries set up under cn=computers, cn=compat,dc=
[22/Jan/2016:17:06:19 +0100] schema-compat-plugin - warning: no 
entries set up under cn=ng, cn=compat,dc=
[22/Jan/2016:17:06:19 +0100] schema-compat-plugin - warning: no 
entries set up under ou=sudoers,dc=
[22/Jan/2016:17:06:20 +0100] set_krb5_creds - Could not get initial 
credentials for principal [ldap/@] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[22/Jan/2016:17:06:20 +0100] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[22/Jan/2016:17:06:20 +0100] - Listening on All Interfaces port 636 
for LDAPS requests
[22/Jan/2016:17:06:20 +0100] - Listening on 
/var/run/slapd-.socket for LDAPI requests
[22/Jan/2016:17:06:20 +0100] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Credentials 
cache file '/tmp/krb5cc_244' not found)) errno 0 (Success)
[22/Jan/2016:17:06:20 +0100] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[22/Jan/2016:17:06:20 +0100] NSMMReplicationPlugin - 
agmt="cn=meTo" (:389): Replication bind 
with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): 
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code 
may provide more information (Credentials cache file '/tmp/krb5cc_244' 
not found))
[22/Jan/2016:17:06:23 +0100] NSMMReplicationPlugin - 
agmt="cn=meTo" (:389): Replication bind 
with GSSAPI auth resumed

###

It seems that there is a problem writing an entry in the DB? Do you 
know how I can solve this problem, please?


Furthermore, it seems that there is a second problem with the keytab 
/etc/dirsrv/ds.keytab.


The keytab is good for me :
###
#ls -l /etc/dirsrv/ds.keytab
-rw--- 1 dirsrv dirsrv 362 Jan 21 14:12 /etc/dirsrv/ds.keytab
# kinit -kt /etc/dirsrv/ds.keytab ldap/@
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/@

Valid starting     Expires            Service principal
01/25/16 11:54:23  01/26/16 11:54:23  krbtgt/@
###

I wonder if this second problem comes from the user dirsrv not being 
able to use this keytab.

I cannot test this because the user dirsrv has been created with nologin.
###
# su - dirsrv -c "kinit -kt /etc/dirsrv/ds.keytab 
ldap/@"

This account is currently not available.

# grep dirsrv /etc/passwd

Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Alexander Bokovoy

On Mon, 25 Jan 2016, Rob Verduijn wrote:

Since the first option has less impact, that one sounds the most interesting.
However, does this also remain functional when the first IPA server is
taken offline?

Yes. What this option enables is allowing an IPA master to become a 'trust
agent', which means SSSD on that master will be able to use cross-forest
trust credentials to talk to AD for user/group information and
authentication purposes. It does not allow that master to *manage* the
trust itself.



Rob Verduijn

2016-01-25 12:41 GMT+01:00 Alexander Bokovoy :

On Mon, 25 Jan 2016, Rob Verduijn wrote:


Hi all,

When you have an IPA 4.2 server with a one-way trust to AD, what steps
are needed to install a second IPA master that also has a one-way trust
to AD?


Depends on what you want to achieve.

If you want the second IPA master to be able to resolve AD users, just
install the master and run 'ipa-adtrust-install --add-agents' on the
*first* master. This will prompt you about adding the second
master to the list of hosts allowed to use cross-forest trust
credentials.

If you want to use the second IPA master to *manage* the trust, you'd need
to run 'ipa-adtrust-install' on it. No need to specify
'--add-agents' because the master where 'ipa-adtrust-install' is being
run will be automatically added to the list.
--
/ Alexander Bokovoy




--
/ Alexander Bokovoy
