Re: [Freeipa-users] DNSSEC NSEC3 Parameter
On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> Thanks for the answer,
>
> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
>>> Hello,
>>> I have the problem of finding the correct way for NSEC3PARAM?
>>>
>>> With your help I have found this
>>>
>>> ipa dnszone-mod example.com. --nsec3param-rec " "
>>>
>>> But it does not work correctly?
>>>
>>> Now the question is, is this the correct way
>>>
>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>>
>>> to insert the NSEC3PARAMETER??
>>
>> This should be right, there were related fixes by
>> https://fedorahosted.org/freeipa/ticket/4413
>>
>> Your second command works in my test environment:
>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>> # dig -t nsec3param example.com. +short
>> 1 7 100 F9BA6264232B7283
>
> The question is now, I mean the parameter is wrong?
>
> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9)
>
> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
>
> and a
>
> dig -t nsec3param example.com. +short
>
> the result is
>
> 1 0 10
>
> 1 is SHA-1
> so I mean (?) "0" is the correct parameter?
> "10" is the default for BIND
>
> so I hope this is working correctly now
>
> Thanks for testing and answering

Ahh, now I understand what you were asking about. The validators we have in DNS records are only limited, mostly to check that you are entering the right number of fields or that the data type is OK. They usually do not do any more complex evaluation. I would let Petr Spacek say if we need to change anything in FreeIPA in this case.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
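The thread above turns on what the four NSEC3PARAM fields mean and on the fact that FreeIPA's record validator only checks field count and type. The following is an added example, not code from the thread or from FreeIPA: a stricter validator for the presentation format defined in RFC 5155 (hash algorithm, flags, iterations, salt), alongside the RFC 5155 owner-name hash so the effect of the parameters is visible. It rejects the "1 7 100 ..." record from the thread because only bit 0 of the Flags field is defined (Opt-Out, which is only meaningful on NSEC3 RRs) and undefined bits must be zero, so 0 is the value to publish. The RFC 5155 Appendix A zone (salt aabbccdd, 12 iterations) is used as the test vector. One caveat that post-dates the thread: RFC 9276 recommends 0 iterations and an empty salt, and some validating resolvers now treat zones with high iteration counts as insecure.

```python
"""Added example: NSEC3PARAM validation and the RFC 5155 NSEC3 owner-name hash."""
import base64
import hashlib
import re

B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"  # RFC 4648 "extended hex" alphabet


def validate_nsec3param(text):
    """Return a list of problems for an NSEC3PARAM record in presentation format.

    Fields (RFC 5155 section 4.3): hash-algorithm flags iterations salt.
    An empty list means the record is well-formed.
    """
    problems = []
    fields = text.split()
    if len(fields) != 4:
        return ["expected 4 fields (alg flags iterations salt), got %d" % len(fields)]
    alg, flags, iterations, salt = fields
    for name, value in (("algorithm", alg), ("flags", flags), ("iterations", iterations)):
        if not value.isdigit():
            problems.append("%s must be an unsigned decimal integer" % name)
    if problems:
        return problems
    alg, flags, iterations = int(alg), int(flags), int(iterations)
    if alg != 1:
        problems.append("hash algorithm %d is not defined; only 1 (SHA-1) is" % alg)
    # Flags is one octet; only bit 0 (Opt-Out) is defined and it is only meaningful
    # on NSEC3 RRs. All undefined bits MUST be zero, so 0 is the value to publish.
    if flags > 255:
        problems.append("flags must fit in one octet")
    elif flags & 0xFE:
        problems.append("flags %d sets undefined bits; use 0" % flags)
    if iterations > 65535:
        problems.append("iterations must fit in 16 bits")
    if salt != "-":  # "-" is the presentation form of the empty salt
        if len(salt) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", salt):
            problems.append("salt must be '-' or an even-length hex string")
        elif len(salt) // 2 > 255:
            problems.append("salt longer than 255 octets")
    return problems


def nsec3_hash(owner, salt_hex, iterations):
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied iterations+1 times to
    the canonical (lower-case) wire form of the owner name. The digest is returned
    as lower-case base32hex, the form used for NSEC3 owner names."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # A 20-byte digest encodes to exactly 32 base32 characters, so no '=' padding.
    table = bytes.maketrans(B32_STD, B32_HEX)
    return base64.b32encode(digest).translate(table).decode("ascii").lower()


if __name__ == "__main__":
    for record in ("1 7 100 f9ba6264232b7283", "1 0 10 -", "1 0 10"):
        print(record, "->", validate_nsec3param(record) or "ok")
    print("H(example) =", nsec3_hash("example", "aabbccdd", 12))
```

Run it as a script to see the thread's record flagged for its Flags value and the RFC 5155 zone apex hash to `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`; the validator can also be dropped in front of any tool that accepts NSEC3PARAM text before it reaches the zone.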
Re: [Freeipa-users] How RBAC defined.
Hi Marc,

Thanks for the explanation. Can you please share some kind of implementation guide for this?

On Mon, May 16, 2016 at 3:45 AM, Marc Boorshtein <marc.boorsht...@tremolosecurity.com> wrote:
>> I would like to know more about RBAC. Like what is RBAC and what can be
>> achieved with RBAC.
>>
>> Anyone please share some good topics about this as I am getting so many
>> and the information mentioned in those is different.
>
> I can imagine. RBAC (Role Based Access Control) was created on the
> idea that what systems, applications and entitlements you need should
> be based on your job function. It's a way of mapping business policies
> to technical authorizations. An example would be that someone in
> accounts payable shouldn't have access to the same systems as someone
> from accounts receivable. So in RBAC terms you would have a "Role"
> called "Accounts Payable" that might map to groups in a directory for
> "access to check system" and "access to vendor system" but another
> "Role" called "Accounts Receivable" that has access to other groups.
> Then you have something to audit against: "Why does someone with Role X
> have groups that aren't tied to that role?"
>
> In practice, this rarely works. Few enterprises do a good enough job of
> defining the roles and responsibilities for their employees at an HR
> level, so trying to enforce those roles in technology is hopeless.
> Also, RBAC models are very rigid and hard to change, so if you need to
> grant someone access to a system that's "one off" to get something done
> it breaks the entire model (unless your technology can handle it).
> What often happens is you get into a situation where every user could
> have their own role, completely breaking the RBAC model.
>
> In my decade plus of identity management implementations across pretty
> much every vendor and several industries I can't think of any RBAC
> based models that were successful, but several that were complete
> failures. I was told going into a meeting at one large customer
> "Don't even mention RBAC or the meeting will be ended and we'll be
> out."
>
> Hope that helps
>
> Thanks
> Marc
Re: [Freeipa-users] After successful ipa-client-install, sssd not used?
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Monday, 16 May 2016 1:32 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] After successful ipa-client-install, sssd not used?
>
> SSSD doesn't log anything except critical failures by default. Please follow
> https://fedorahosted.org/sssd/wiki/Troubleshooting to see what's going on on the
> client.

Thanks. Turns out the AD DNS had some bad entries that were poisoning our results. They have been solved now.

Cheers
L.
[Freeipa-users] AD Primary Groups are ignored in FreeIPA?
Hola,

We have an interesting scenario that is hard to find any information on.

Due to permission restrictions on a NAS that is mounted and visible by both AD and 'nix clients, every user belongs to a particular primary group. When we try doing idoverrides on the groups, it fails with the primary group. In some cases, the primary group doesn't even appear in a getent or id request. Sometimes it appears with an incorrect name or GID.

We have found it hard to get repeatable "failures", but here are two:

1. getent group groupname (where groupname is any group, but is a primary group for a subset of members) does not return any member that has groupname as a primary group in AD.

2. Overriding a group if the user has that group as a primary group (in AD): it will override the name, but not the GID. Otherwise, the override works.

There were a number of other unusual results that are hard to explain how to reproduce because it was all so seemingly random.

I feel like it would be an obvious need, to translate or override AD primary groups to FreeIPA groups, but this doesn't seem possible. Have we set IPA up incorrectly, or are we hitting on something else?

I found this AD support problem for Win2003, but I feel like it's old and would surely have been solved?

https://support.microsoft.com/en-us/kb/275523

Also, their solution ("hack AD, then hack your other LDAP software") is, for some reason, funny to me.

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper
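Background for the first "failure" listed above, as an added example that is not part of the post and makes no claim about what SSSD or FreeIPA do internally: Active Directory does not record primary-group membership in the group's `member` attribute at all. The user carries a `primaryGroupID` attribute holding only the RID of the group, and the group's SID is the user's domain SID with that RID appended. Any enumeration that walks `member` (or the user's `memberOf`) therefore misses exactly the users for whom the group is primary, which matches the symptom described. The directory entries below are constructed for the demonstration (hypothetical domain SID, DNs and RIDs); the code shows the RID-to-SID reconstruction and the membership union a correct enumerator has to perform.

```python
"""Added example: how AD primary-group membership is stored and why `member`-only
enumeration misses it. All directory data here is constructed, not real."""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Constructed groups. 513 is the well-known RID of "Domain Users"; 1105 is a
# hypothetical RID for the NAS group from the post.
GROUPS = {
    "nas-users": {
        "dn": "CN=nas-users,OU=Groups,DC=ad,DC=example",
        "objectSid": DOMAIN_SID + "-1105",
        "member": ["CN=carol,OU=Users,DC=ad,DC=example"],
    },
    "Domain Users": {
        "dn": "CN=Domain Users,CN=Users,DC=ad,DC=example",
        "objectSid": DOMAIN_SID + "-513",
        "member": [],
    },
}

# Constructed users. alice's primary group is nas-users, so she is NOT listed
# in its `member` attribute; carol is an ordinary member of nas-users.
USERS = [
    {"dn": "CN=alice,OU=Users,DC=ad,DC=example", "objectSid": DOMAIN_SID + "-1201", "primaryGroupID": 1105},
    {"dn": "CN=bob,OU=Users,DC=ad,DC=example", "objectSid": DOMAIN_SID + "-1202", "primaryGroupID": 513},
    {"dn": "CN=carol,OU=Users,DC=ad,DC=example", "objectSid": DOMAIN_SID + "-1203", "primaryGroupID": 513},
]


def rid_of(sid):
    """Last sub-authority of a SID string, e.g. S-1-5-21-...-1105 -> 1105."""
    return int(sid.rsplit("-", 1)[1])


def group_sid_from_primary(user_sid, primary_group_id):
    """primaryGroupID stores only a RID; the group lives in the user's own domain,
    so its SID is the user's domain SID prefix plus that RID."""
    prefix = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (prefix, primary_group_id)


def members_from_member_attribute(group):
    """What a naive enumerator returns: only the DNs in `member`."""
    return sorted(group.get("member", []))


def effective_members(group, users):
    """Explicit `member` DNs plus every user whose primaryGroupID resolves to
    this group's SID. The SID comparison (not just the RID) keeps a user from
    another domain with the same RID out of the result."""
    explicit = set(group.get("member", []))
    implicit = {
        u["dn"]
        for u in users
        if group_sid_from_primary(u["objectSid"], u["primaryGroupID"]) == group["objectSid"]
    }
    return sorted(explicit | implicit)


def primary_group_sid(user):
    """Convenience: the SID of a user's primary group, from the user entry alone."""
    return group_sid_from_primary(user["objectSid"], user["primaryGroupID"])


if __name__ == "__main__":
    g = GROUPS["nas-users"]
    print("member attribute only:", members_from_member_attribute(g))
    print("effective members:    ", effective_members(g, USERS))
```

Running the script shows `nas-users` with only carol when read from `member`, and with alice and carol once `primaryGroupID` is taken into account; the same gap is what a `getent group` that is fed only explicit memberships would show.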
[Freeipa-users] revise back cert of freeipa
Hi:

Before, I used a GoDaddy cert and everything worked fine for a year. Now the cert has expired and broke the mutual agreement. Whatever command I type, it shows "can't contact LDAP server". Can I just fall back to the IPA self-signed cert if I have a backup? Please advise the detailed procedure.

Regards,
Barry
Re: [Freeipa-users] How RBAC defined.
> I would like to know more about RBAC. Like what is RBAC and what can be
> achieved with RBAC.
>
> Anyone please share some good topics about this as I am getting so many and
> the information mentioned in those is different.

I can imagine. RBAC (Role Based Access Control) was created on the idea that what systems, applications and entitlements you need should be based on your job function. It's a way of mapping business policies to technical authorizations. An example would be that someone in accounts payable shouldn't have access to the same systems as someone from accounts receivable. So in RBAC terms you would have a "Role" called "Accounts Payable" that might map to groups in a directory for "access to check system" and "access to vendor system" but another "Role" called "Accounts Receivable" that has access to other groups. Then you have something to audit against: "Why does someone with Role X have groups that aren't tied to that role?"

In practice, this rarely works. Few enterprises do a good enough job of defining the roles and responsibilities for their employees at an HR level, so trying to enforce those roles in technology is hopeless. Also, RBAC models are very rigid and hard to change, so if you need to grant someone access to a system that's "one off" to get something done it breaks the entire model (unless your technology can handle it). What often happens is you get into a situation where every user could have their own role, completely breaking the RBAC model.

In my decade plus of identity management implementations across pretty much every vendor and several industries I can't think of any RBAC based models that were successful, but several that were complete failures. I was told going into a meeting at one large customer "Don't even mention RBAC or the meeting will be ended and we'll be out."

Hope that helps

Thanks
Marc
Re: [Freeipa-users] How RBAC defined.
Hi List,

Anyone please help me by sending some updated documents.

On Sat, May 14, 2016 at 1:25 AM, Ben .T.George wrote:
> Hi List,
>
> I have one working setup with HBAC and sudo rules.
>
> I would like to know more about RBAC. Like what is RBAC and what can be
> achieved with RBAC.
>
> Anyone please share some good topics about this as I am getting so many
> and the information mentioned in those is different.
>
> Thanks & Regards,
> Ben
Re: [Freeipa-users] After successful ipa-client-install, sssd not used?
On Sun, May 15, 2016 at 11:11:27AM +1000, Lachlan Musicman wrote:
> Hola,
>
> We successfully installed ipa-server, and then successfully joined an AD in
> a one way trust.
> All in IPA are CentOS 7.2 latest updates.
>
> I can successfully get info from AD by using: $ id username on the server.
>
> I can successfully *join* the new ipa server with a client using
> ipa-client-install. (both stdout and /var/log/ipaclient-install look
> good).
>
> I have followed these instructions to add an external mapped group, an
> internal group and a HBAC.
>
> http://www.freeipa.org/page/Active_Directory_trust_setup
>
> But, for some reason I can't then login to that client using AD
> credentials.
>
> In fact, on the client in question, all indicators are that the username
> being used is "unknown". I see little to nothing in /var/log/sssd/*, a few
> lines, late, in /var/log/dirsrv/slapd/. Most of the live logging of
> auth seems to be in /var/log/secure.

SSSD doesn't log anything except critical failures by default. Please follow
https://fedorahosted.org/sssd/wiki/Troubleshooting to see what's going on on the
client.

> My feeling is that the client successfully joins, but then isn't using sssd
> as its authentication system.
>
> Where should I start looking? The logs aren't showing me anything of note.
> What should I test? How can I test?
>
> I have had this working previously on a test domain, but it's hard to know
> what I've done differently due to time and how long it took to get it
> working last time.
>
> Cheers
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper