Re: [Freeipa-users] sudo users

2016-03-10 Thread Teik Hooi Beh
Cool.  That solved the problem. Thanks

On Thu, Mar 10, 2016 at 9:37 PM, Jakub Hrozek  wrote:

> On Thu, Mar 10, 2016 at 03:50:08PM +1300, Teik Hooi Beh wrote:
> > Hi,
> >
> > I am trying to deploy sudo rules in FreeIPA 4.2 on Centos 7.2. I have
> > created 2 sudo rules, one with sudo options=!authenticate (NOPASSWD) and
> > the other sudo options=authenticate (PASSWD) (which I assume requires the
> > user to key in the password to run).
> >
> > The NOPASSWD works but the one with PASSWD kept denying even though password
> > seems authenticated (from /var/log/secure) -
> >
> > Mar 10 02:38:31 node1 sudo: pam_sss(sudo:auth): authentication success;
> > logname=ttester uid=5001 euid=0 tty=/dev/pts/1 ruser=ttester rhost=
> > user=ttester
> > Mar 10 02:38:31 node1 sudo: pam_sss(sudo:account): Access denied for user
> > ttester: 6 (Permission denied)
> >
> > I have followed instructions from here -
> >
> http://blog.delouw.ch/2013/07/25/centrally-manage-sudoers-rules-with-ipa-part-i-preparation/
>
> Looks like HBAC is denying access, please make sure the user is allowed
> to access the sudo/sudo-i service.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Lock screen when Smart Card is removed.

2016-03-10 Thread Michael Rainey (Contractor)

Greetings,

I have been adding systems to my new domain and utilizing the smart card 
login feature.  To date the smart card login feature is working very 
well.  However, my group has been trying to implement locking the screen 
when the smart card is removed, but have not been successful at making 
it work.  Does anyone have any suggestions as to what it would take to 
enable locking the screen when the smart card is removed?


Thank you in advance.
--
*Michael Rainey*

Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread wouter.hummelink
As an administrator I would like to get notified when anyone 
successfully/unsuccessfully authenticates to predefined services (n times).

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] 
On behalf of Anon Lister
Sent: Thursday 10 March 2016 17:20
To: Petr Spacek
CC: freeipa-users
Subject: Re: [Freeipa-users] [requirements gathering] Notification system / 
hooks


I would like an alert when my IPA servers successfully establish a 
bidirectional trust with mutual authentication with our AD server. Actually 
I could even skip the alert ;)
On Mar 9, 2016 11:27 AM, "Petr Spacek" <pspa...@redhat.com> wrote:
Dear users,

FreeIPA team is thinking about adding notification system (or 'hooks') to
various parts of FreeIPA.

If you happen to know about a use-case for hook or an event you want to react
to please let us know.

Example:
- As admin, I want to call my custom script when a host is deleted. (E.g. to
to do cleanup in our other internal systems.)
- As user, I want to get a notification when ...

Be creative and let us know as soon as you find the use-case.

Thank you very much!


BTW design page is on:
http://www.freeipa.org/page/V4/Notification_system
(but it is mostly empty at the moment).

--
Petr^2 Spacek


Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread Anon Lister
Well... I suppose that's problem #2. Problem #1 would be implementing the
bidirectional authentication in the first place. :p
On Mar 10, 2016 11:22 AM, "Petr Spacek"  wrote:

> On 10.3.2016 17:20, Anon Lister wrote:
> > I would like an alert when my IPA servers successfully establish a
> > bidirectional trust with mutual authentication with our AD server
> > Actually I could even skip the alert ;)
> > On Mar 9, 2016 11:27 AM, "Petr Spacek"  wrote:
>
> Heh, I'm confused. How would you establish the trust without using admin's
> credentials or pre-shared secret in the first place?
>
> I.e. how could this be done without admin's consent?
>
> Petr^2 Spacek
>
> >> Dear users,
> >>
> >> FreeIPA team is thinking about adding notification system (or 'hooks')
> to
> >> various parts of FreeIPA.
> >>
> >> If you happen to know about a use-case for hook or an event you want to
> >> react
> >> to please let us know.
> >>
> >> Example:
> >> - As admin, I want to call my custom script when a host is deleted.
> (E.g.
> >> to
> >> to do cleanup in our other internal systems.)
> >> - As user, I want to get a notification when ...
> >>
> >> Be creative and let us know as soon as you find the use-case.
> >>
> >> Thank you very much!
> >>
> >>
> >> BTW design page is on:
> >> http://www.freeipa.org/page/V4/Notification_system
> >> (but it is mostly empty at the moment).
> >>
> >> --
> >> Petr^2 Spacek
>

Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread Anon Lister
I would like an alert when my IPA servers successfully establish a
bidirectional trust with mutual authentication with our AD server.
Actually I could even skip the alert ;)
On Mar 9, 2016 11:27 AM, "Petr Spacek"  wrote:

> Dear users,
>
> FreeIPA team is thinking about adding notification system (or 'hooks') to
> various parts of FreeIPA.
>
> If you happen to know about a use-case for hook or an event you want to
> react
> to please let us know.
>
> Example:
> - As admin, I want to call my custom script when a host is deleted. (E.g.
> to
> to do cleanup in our other internal systems.)
> - As user, I want to get a notification when ...
>
> Be creative and let us know as soon as you find the use-case.
>
> Thank you very much!
>
>
> BTW design page is on:
> http://www.freeipa.org/page/V4/Notification_system
> (but it is mostly empty at the moment).
>
> --
> Petr^2 Spacek
>

Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread Petr Spacek
On 10.3.2016 17:20, Anon Lister wrote:
> I would like an alert when my IPA servers successfully establish a
> bidirectional trust with mutual authentication with our AD server
> Actually I could even skip the alert ;)
> On Mar 9, 2016 11:27 AM, "Petr Spacek"  wrote:

Heh, I'm confused. How would you establish the trust without using admin's
credentials or pre-shared secret in the first place?

I.e. how could this be done without admin's consent?

Petr^2 Spacek

>> Dear users,
>>
>> FreeIPA team is thinking about adding notification system (or 'hooks') to
>> various parts of FreeIPA.
>>
>> If you happen to know about a use-case for hook or an event you want to
>> react
>> to please let us know.
>>
>> Example:
>> - As admin, I want to call my custom script when a host is deleted. (E.g.
>> to
>> to do cleanup in our other internal systems.)
>> - As user, I want to get a notification when ...
>>
>> Be creative and let us know as soon as you find the use-case.
>>
>> Thank you very much!
>>
>>
>> BTW design page is on:
>> http://www.freeipa.org/page/V4/Notification_system
>> (but it is mostly empty at the moment).
>>
>> --
>> Petr^2 Spacek



Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread Petr Spacek
On 10.3.2016 05:06, Mike Kelly wrote:
> As an admin, I want to get a notification when a user's password is reset,
> or when they update their password, so that I can disable a user who does
> not change their password a certain amount of time after it was reset.
> 
> Basically, the goal is to have a way to implement a policy like "if we
> reset your password, and you don't change it to a new one after 2 days,
> we'll lock your account" so that, say, some old email with their password
> in it is unlikely to be valid anymore.

This sounds sensible, thank you.

(re-posting to ipa-users)
For the record and other interested parties:
Please keep in mind that this is NOT intended as an audit mechanism. We
already have audit in LDAP server and audit is explicitly out of scope of this
work.

This should provide hooks so vanilla IPA as shipped in packages can be easily
integrated with third-party systems which are present all over the place.

Jan Cholasta identified a few object types which he thinks are interesting from
the hook(s) perspective:
user, group, host, hostgroup, service

Current line of thinking was about adding hooks into IPA framework so we are
not risking destabilizing or slowing down the DS.

If we want to monitor generic LDAP we could use syncrepl to stay outside of
DS. As far as I understood Honza this has interesting problems because the
consumer of the notifications from LDAP would have to understand the relations
between IPA LDAP objects etc., which can be quite complicated.

For this reason we were thinking about a kind of limited approach where hooks
are called when using CLI/WebUI/API but not when direct LDAP modifications are
done.


Would that work for you?

Petr^2 Spacek

> 
> On Wed, Mar 9, 2016 at 11:23 AM Petr Spacek  wrote:
> 
>> Dear users,
>>
>> FreeIPA team is thinking about adding notification system (or 'hooks') to
>> various parts of FreeIPA.
>>
>> If you happen to know about a use-case for hook or an event you want to
>> react
>> to please let us know.
>>
>> Example:
>> - As admin, I want to call my custom script when a host is deleted. (E.g.
>> to
>> to do cleanup in our other internal systems.)
>> - As user, I want to get a notification when ...
>>
>> Be creative and let us know as soon as you find the use-case.
>>
>> Thank you very much!
>>
>>
>> BTW design page is on:
>> http://www.freeipa.org/page/V4/Notification_system
>> (but it is mostly empty at the moment).
>>
>> --
>> Petr^2 Spacek

-- 
Petr^2 Spacek



Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Petr Spacek
On 10.3.2016 16:06, Rob Verduijn wrote:
> Howdy,
> 
> out of curiosity, any targeted release for UPN?

Currently 4.4, see https://fedorahosted.org/freeipa/ticket/5354 .

This might change, of course.

Petr^2 Spacek

> 
> Cheers
> Rob
> 
> 2016-03-10 15:15 GMT+01:00 Petr Spacek :
>> On 10.3.2016 13:34, Giulio Casella wrote:
>>> I've seen that howto, but it's not my case. I cannot establish a trust 
>>> between
>>> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
>>> another.mydomain.com) in addition to main domain foobar.local. This scenario
>>> is not supported by current version of FreeIPA (maybe in future releases).
>>> So: FreeIPA domain and AD domain have to be different.
>>
>> For the record, UPN support is soonish.
>>
>> Petr^2 Spacek
>>
>>>
>>> Giulio
>>>
>>> On 10/03/2016 13:23, Justin Stephenson wrote:
>>>> Hello,
>>>>
>>>> Are you looking for this? This leverages the AD trust to allow samba
>>>> within IPA to resolve AD users from a trusted AD domain/forest
>>>>
>>>> *Howto/Integrating a Samba File Server With IPA*
>>>>
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>
>>>> -Justin
>>>>
>>>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>>>> Hi guys,
>>>>> I've got a FreeIPA domain up and running, with an nfs server, joined to
>>>>> IPA domain, offering user's home directories.
>>>>>
>>>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>>>> the ability to mount those home directories via samba (entering
>>>>> credentials, not kerberos, being different domains).
>>>>>
>>>>> How can I configure samba to use IPA kerberos authentication
>>>>> to offer access to home directories?
>>>>>
>>>>> I know this could be configured more as a samba question, but I hope
>>>>> someone in this list already faced my scenario.
>>>>>
>>>>> Thanks in advance,
>>>>> Giulio
>>>>>
>>>>
>>>
>>
>>
>> --
>> Petr^2 Spacek
>>
> 


-- 
Petr^2 Spacek



Re: [Freeipa-users] Cannot add password policy SOLVED

2016-03-10 Thread Bob Hinton
On 09/03/2016 22:14, Rob Crittenden wrote:
> Bob Hinton wrote:
>> Hi,
>>
>> I've been trying to add a password policy for an existing user group
>> called "services" in IPA version 4.2.0.
>>
>> ipa pwpolicy-add services
>> ipa: ERROR: entry with name "services" already exists
>>
>> ipa pwpolicy-show services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-del services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-mod services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-find
>> doesn't list it.
>>
>> As an experiment I've tried to add additional pwpolicy entries. If these
>> fail due to insufficient privileges then I get the same symptoms, so
>> it's possible that this is what happened with the services pwpolicy.
>>
>> How do I correct this situation?
>>
>> Many thanks
> I'd use ldapsearch to narrow things down. A group-based password policy
> consists of two entries so I'd look in both:
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=costemplates,cn=accounts,dc=example,dc=com
> $ ldapsearch -Y GSSAPI -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
> '(objectclass=krbPwdPolicy)'
>
> There could, for example, be a replication conflict entry.
>
> rob
> .
>
Hi Rob,

The culprit turned out to be a "cn=costemplates,cn=accounts,..." record.
Attempting to create a pwpolicy that failed with a permissions error
created a costemplates record, but not the corresponding
"cn=DOMAIN,cn=kerberos,..." record.

After removing the offending record with ldapdelete I could create the
pwpolicy entry.

Many thanks

Bob Hinton
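A check for the half-created state Bob describes, as an added example that is not from the thread: it takes the output of the two ldapsearch queries Rob suggested and lists template names under cn=costemplates that have no matching policy entry under cn=REALM,cn=kerberos. The dc=example,dc=com suffix, the EXAMPLE.COM realm and the entries in the constructed LDIF are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find cos template entries under
# cn=costemplates,cn=accounts that have no matching krbPwdPolicy entry under
# cn=<REALM>,cn=kerberos. That is the state Bob hit: a failed pwpolicy-add
# left the costemplate behind but not the policy, so pwpolicy-show says
# "not found" while pwpolicy-add says "already exists".
#
# Live usage on an IPA server after kinit admin (suffix/realm are assumptions;
# "1.1" asks ldapsearch to return dn only):
#   find_orphaned_pwpolicies \
#     "$(ldapsearch -Y GSSAPI -LLL -b cn=costemplates,cn=accounts,dc=example,dc=com 1.1)" \
#     "$(ldapsearch -Y GSSAPI -LLL -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com \
#          '(objectclass=krbPwdPolicy)' 1.1)"

# find_orphaned_pwpolicies COS_LDIF KRB_LDIF -> prints one orphan name per line.
# Only the dn: lines are inspected, so abridged LDIF is enough. A replication
# conflict entry (cn=NAME+nsuniqueid=...) is reported too, because its RDN
# does not equal any policy name.
find_orphaned_pwpolicies() {
    cos_names=$(printf '%s\n' "$1" \
        | sed -n 's/^dn: cn=\([^,]*\),cn=costemplates,.*/\1/p' | sort -u)
    krb_names=$(printf '%s\n' "$2" \
        | sed -n 's/^dn: cn=\([^,]*\),cn=[^,]*,cn=kerberos,.*/\1/p' | sort -u)
    printf '%s\n' "$cos_names" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$krb_names" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed, abridged LDIF modelled on Bob's situation: "admins" has both
# entries, "services" only has the costemplate.
COS_LDIF='dn: cn=costemplates,cn=accounts,dc=example,dc=com

dn: cn=admins,cn=costemplates,cn=accounts,dc=example,dc=com

dn: cn=services,cn=costemplates,cn=accounts,dc=example,dc=com
'
KRB_LDIF='dn: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

dn: cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
'

find_orphaned_pwpolicies "$COS_LDIF" "$KRB_LDIF"   # prints: services
```

Each name printed is a candidate for the ldapdelete Bob used; check the entry first, since a conflict entry needs the usual replication-conflict cleanup rather than a plain delete.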



Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Rob Verduijn
Howdy,

out of curiosity, any targeted release for UPN?

Cheers
Rob

2016-03-10 15:15 GMT+01:00 Petr Spacek :
> On 10.3.2016 13:34, Giulio Casella wrote:
>> I've seen that howto, but it's not my case. I cannot establish a trust 
>> between
>> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
>> another.mydomain.com) in addition to main domain foobar.local. This scenario
>> is not supported by current version of FreeIPA (maybe in future releases).
>> So: FreeIPA domain and AD domain have to be different.
>
> For the record, UPN support is soonish.
>
> Petr^2 Spacek
>
>>
>> Giulio
>>
>> On 10/03/2016 13:23, Justin Stephenson wrote:
>>> Hello,
>>>
>>> Are you looking for this? This leverages the AD trust to allow samba
>>> within IPA to resolve AD users from a trusted AD domain/forest
>>>
>>> *Howto/Integrating a Samba File Server With IPA*
>>>
>>>
>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>
>>>
>>> -Justin
>>>
>>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>>> Hi guys,
>>>> I've got a FreeIPA domain up and running, with an nfs server, joined to
>>>> IPA domain, offering user's home directories.
>>>>
>>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>>> the ability to mount those home directories via samba (entering
>>>> credentials, not kerberos, being different domains).
>>>>
>>>> How can I configure samba to use IPA kerberos authentication
>>>> to offer access to home directories?
>>>>
>>>> I know this could be configured more as a samba question, but I hope
>>>> someone in this list already faced my scenario.
>>>>
>>>> Thanks in advance,
>>>> Giulio
>>>>
>>>
>>
>
>
> --
> Petr^2 Spacek
>


Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Petr Spacek
On 10.3.2016 13:34, Giulio Casella wrote:
> I've seen that howto, but it's not my case. I cannot establish a trust between
> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
> another.mydomain.com) in addition to main domain foobar.local. This scenario
> is not supported by current version of FreeIPA (maybe in future releases).
> So: FreeIPA domain and AD domain have to be different.

For the record, UPN support is soonish.

Petr^2 Spacek

> 
> Giulio
> 
> On 10/03/2016 13:23, Justin Stephenson wrote:
>> Hello,
>>
>> Are you looking for this? This leverages the AD trust to allow samba
>> within IPA to resolve AD users from a trusted AD domain/forest
>>
>> *Howto/Integrating a Samba File Server With IPA*
>>
>>
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
>>
>> -Justin
>>
>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>> Hi guys,
>>> I've got a FreeIPA domain up and running, with a nfs server, joined to
>>> IPA domain, offering user's home directories.
>>>
>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>> the ability to mount those home directories via samba (entering
>>> credentials, not kerberos, being different domains).
>>>
>>> How can I configure samba to use IPA kerberos authentication
>>> to offer access to home directories?
>>>
>>> I know this could be configured more as a samba question, but I hope
>>> someone in this list already faced my scenario.
>>>
>>> Thanks in advance,
>>> Giulio
>>>
>>
> 


-- 
Petr^2 Spacek



Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Giulio Casella
I've seen that howto, but it's not my case. I cannot establish a trust 
between IPA and AD, because AD domain involves additional UPNs 
(mydomain.com and another.mydomain.com) in addition to main domain 
foobar.local. This scenario is not supported by current version of 
FreeIPA (maybe in future releases).

So: FreeIPA domain and AD domain have to be different.

Giulio

On 10/03/2016 13:23, Justin Stephenson wrote:
> Hello,
>
> Are you looking for this? This leverages the AD trust to allow samba
> within IPA to resolve AD users from a trusted AD domain/forest
>
> *Howto/Integrating a Samba File Server With IPA*
>
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> -Justin
>
> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>> Hi guys,
>> I've got a FreeIPA domain up and running, with an nfs server, joined to
>> IPA domain, offering user's home directories.
>>
>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>> the ability to mount those home directories via samba (entering
>> credentials, not kerberos, being different domains).
>>
>> How can I configure samba to use IPA kerberos authentication
>> to offer access to home directories?
>>
>> I know this could be configured more as a samba question, but I hope
>> someone in this list already faced my scenario.
>>
>> Thanks in advance,
>> Giulio

--
Giulio Casella                giulio at di.unimi.it
System and network manager
Computer Science Dept. - University of Milano



Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Justin Stephenson

Hello,

Are you looking for this? This leverages the AD trust to allow samba 
within IPA to resolve AD users from a trusted AD domain/forest


   *Howto/Integrating a Samba File Server With IPA*

   
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


-Justin

On 03/10/2016 06:29 AM, Giulio Casella wrote:
> Hi guys,
> I've got a FreeIPA domain up and running, with an nfs server, joined to 
> IPA domain, offering user's home directories.
>
> I'd like to give users on Windows 7 PC (not joined to the same domain) 
> the ability to mount those home directories via samba (entering 
> credentials, not kerberos, being different domains).
>
> How can I configure samba to use IPA kerberos authentication 
> to offer access to home directories?
>
> I know this could be configured more as a samba question, but I hope 
> someone in this list already faced my scenario.
>
> Thanks in advance,
> Giulio


[Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Giulio Casella

Hi guys,
I've got a FreeIPA domain up and running, with a nfs server, joined to 
IPA domain, offering user's home directories.


I'd like to give users on Windows 7 PC (not joined to the same domain) 
the ability to mount those home directories via samba (entering 
credentials, not kerberos, being different domains).


How can I configure samba to use IPA kerberos authentication 
to offer access to home directories?


I know this could be configured more as a samba question, but I hope 
someone in this list already faced my scenario.


Thanks in advance,
Giulio



Re: [Freeipa-users] sudo users

2016-03-10 Thread Jakub Hrozek
On Thu, Mar 10, 2016 at 03:50:08PM +1300, Teik Hooi Beh wrote:
> Hi,
> 
> I am trying to deploy sudo rules in FreeIPA 4.2 on Centos 7.2. I have
> created 2 sudo rules, one with sudo options=!authenticate (NOPASSWD) and
> the other sudo options=authenticate (PASSWD) (which I assume requires the
> user to key in the password to run).
> 
> The NOPASSWD works but the one with PASSWD kept denying even though password
> seems authenticated (from /var/log/secure) -
> 
> Mar 10 02:38:31 node1 sudo: pam_sss(sudo:auth): authentication success;
> logname=ttester uid=5001 euid=0 tty=/dev/pts/1 ruser=ttester rhost=
> user=ttester
> Mar 10 02:38:31 node1 sudo: pam_sss(sudo:account): Access denied for user
> ttester: 6 (Permission denied)
> 
> I have followed instructions from here -
> http://blog.delouw.ch/2013/07/25/centrally-manage-sudoers-rules-with-ipa-part-i-preparation/

Looks like HBAC is denying access, please make sure the user is allowed
to access the sudo/sudo-i service.
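A check for the symptom in the quoted log, as an added example that is not from the thread: the pam_sss auth step succeeds and the account step is denied, and the account step is where SSSD applies HBAC for the sudo service, so the password itself is not the problem. The host name node1.example.com and the rule name allow_sudo in the comments are placeholders; the ipa commands are the standard HBAC commands, not something from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies pam_sss sudo entries from
# /var/log/secure for one user: "sudo:auth ... authentication success"
# together with "sudo:account ... Access denied" means the password was
# accepted and the account phase (SSSD evaluating HBAC for the "sudo" or
# "sudo-i" service) refused access, which is what Jakub points at.

# classify_sudo_denials USER LOGTEXT -> prints exactly one of:
#   hbac-denied   password accepted, account phase denied -> fix HBAC
#   auth-failed   password rejected by pam_sss
#   no-denial     no matching pam_sss sudo entries for USER
classify_sudo_denials() {
    user="$1"
    log="$2"
    auth_ok=$(printf '%s\n' "$log" \
        | grep -c "pam_sss(sudo:auth): authentication success;.* user=$user\$" || true)
    acct_denied=$(printf '%s\n' "$log" \
        | grep -c "pam_sss(sudo:account): Access denied for user $user:" || true)
    auth_fail=$(printf '%s\n' "$log" \
        | grep -c "pam_sss(sudo:auth): authentication failure;.* user=$user\$" || true)
    if [ "$auth_ok" -gt 0 ] && [ "$acct_denied" -gt 0 ]; then
        echo hbac-denied
    elif [ "$auth_fail" -gt 0 ]; then
        echo auth-failed
    else
        echo no-denial
    fi
}

# Constructed sample modelled on the two lines quoted in the thread (the auth
# line is a single line in the real log), plus a plain bad-password entry.
SAMPLE_LOG='Mar 10 02:38:31 node1 sudo: pam_sss(sudo:auth): authentication success; logname=ttester uid=5001 euid=0 tty=/dev/pts/1 ruser=ttester rhost= user=ttester
Mar 10 02:38:31 node1 sudo: pam_sss(sudo:account): Access denied for user ttester: 6 (Permission denied)
Mar 10 02:40:02 node1 sudo: pam_sss(sudo:auth): authentication failure; logname=bob uid=5002 euid=0 tty=/dev/pts/2 ruser=bob rhost= user=bob'

classify_sudo_denials ttester "$SAMPLE_LOG"   # prints: hbac-denied

# When the result is hbac-denied, confirm the decision and allow the service
# on the IPA server (host and rule names are placeholders; "sudo" covers
# sudo and "sudo-i" covers sudo -i):
#   ipa hbactest --user=ttester --host=node1.example.com --service=sudo
#   ipa hbacrule-add allow_sudo
#   ipa hbacrule-add-service allow_sudo --hbacsvcs=sudo --hbacsvcs=sudo-i
#   ipa hbacrule-add-user allow_sudo --users=ttester
#   ipa hbacrule-add-host allow_sudo --hosts=node1.example.com
```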
