Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread John Meyers
Even if you get that to work, you are still stuck with same issue
discussed earlier in this thread -- you need to have a Windows account,
either local or AD, to be able to login and grant rights against.  pGina
just handles the authentication part.  The only way to do either a 1-way
Kerberos trust (AD->IPA) or pGina is to somehow sync native IPA users to
AD (or Samba AD) to create the "shadow account"?  Winsync will not do this.



On 5/18/16 7:49 PM, Michael ORourke wrote:
> What about using the pGina project on the Windows side?
>
> Reference:
> http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/
>
> -Mike
>
> -Original Message-
>> From: John Meyers 
>> Sent: May 18, 2016 5:19 PM
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>>
>> All,
>>
>> FreeIPA as we've discovered has some wonderful Windows integration
>> capability, but it is all predicated on Windows AD being the
>> authoritative source of user information.  2-Way trusts are great, but
>> they only work for kerberized applications, not native Windows rights
>> (that would require FreeIPA to act as global catalog as I learned from
>> Alexander).  The winsync capability does not, as it turns out, sync
>> native IPA users to AD.
>>
>> The million dollar question is if you are a 90% Linux shop and FreeIPA is
>> your authoritative user repository (AD is a blank slate), how do you
>> perform local Windows login authentication for the 10% of Windows
>> machines against FreeIPA?
>>
>> Thank you all!
>>
>> John
>>
>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project





[Freeipa-users] AD group membership

2016-05-18 Thread Lachlan Musicman
Hi,

We seem to have some progress, after reading this blog post about sssd
performance tuning.

https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

So now we see that on the FreeIPA server, everything is stable and always
produces the results we expect with regard to users and group membership.
It's also a bit speedier, which is nice.

Unfortunately, on the clients, we are still seeing groups "disappearing"
occasionally.

We found this thread from late last year that seemed to state exactly what
we are seeing, although our sssd_pac.log is empty. I have just added
debug_level = 7 to [pac] in sssd.conf on server and client.

https://www.redhat.com/archives/freeipa-users/2015-December/msg00180.html

Did anything come of this?

Cheers
L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Michael ORourke
Ben,

First, you will need to create the automount map in FreeIPA.

Example of adding automount maps from the CLI on the IPA server:

1). Get TGT for admin user (or equivalent)

kinit admin

2). Create automount map

ipa automountmap-add default auto.home

3). Add auto.home to auto.master

ipa automountkey-add default --key "/home/domain.org" --info auto.home auto.master

4). Add key for user accounts

ipa automountkey-add default --key "*" --info "-fstype=nfs3,rw filer.domain.org:/exports/home/&" auto.home

Note: the above command assumes that you have a filer with a FQDN of "filer.domain.org" and NFS exported directory "/exports/home/".

5). Then on the filer, you will need to create directories for each user under /exports/home/ and set the ownership and perms.

mkdir /exports/home/username
cp /etc/skel/.* /exports/home/username
chown -R username:username /exports/home/username
chmod 770 /exports/home/username

Note: if you can't login to the filer and run commands, then you might have to manually mount the /exports/home onto a box with "root nosquash" option turned on so that you can create the directories and permissions manually.

6). On the client machines, turn off the mkhomedir option (this doesn't work with automounted home dirs).

authconfig --disablemkhomedir --update

7). Create mount point for home dir on client machines.

mkdir /home/domain.org

8). On the client machines, turn on the automount option.

ipa-client-automount --location=default

9). On the client machines, make sure the autofs service is enabled and running.

systemctl enable autofs
systemctl start autofs

10). Test automount by logging into the client.

That should do it!

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 18, 2016 10:03 AM
To: Michael ORourke 
Cc: freeipa-users 
Subject: Re: [Freeipa-users] AD users home directory automount

Hi,

Thanks for the reply.

Actually I don't want to share from my trusted AD. My SAN has CIFS and NFS capability.

In this case how can I proceed? Usually while installing the client, I used to give the options below:

ipa-client-install --server global.ipa.local --domain ipa.local --mkhomedir --fixed-primary

so whenever a user logs in, it creates the home directory automatically under /home/DOMAIN/user.

Regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke wrote:

Yes, because you can point the automount maps to whatever device you want. NFSv4 might be more tricky to set up on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setting that up. I've used Openfiler on a white-box SAN with home dirs and automount maps which is working fine for us.

I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA? Seems like this would be feasible.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 18, 2016 7:38 AM
To: freeipa-users 
Subject: [Freeipa-users] AD users home directory automount

Hi List,

Is it possible to mount home directories of AD-authenticated users from an external source (like a SAN or file share)?

Regards,
Ben




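As an added example for this archive (not Michael's code, nor the FreeIPA project's), the Python below emulates the lookup an autofs client performs against the two maps created in steps 2 to 4 above, so you can see what a login as a given user will actually try to mount: the auto.master key supplies the mount root, the next path component is the key looked up in auto.home, the "*" entry matches any key, and "&" in the location is replaced by that key. A second helper lists the export directories step 5 has to create for a set of users. The map contents mirror the commands above; the user names and the path /home/other/bob are constructed sample input. One thing the wildcard makes visible: any name under /home/domain.org resolves to a mount attempt, so the per-user directory and the 770 mode set on the filer in step 5 are what decide who ends up with a usable home.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the two maps the steps above create in location
# "default". Keys and infos are the values passed to `ipa automountkey-add`;
# "domain.org" and "filer.domain.org" are the placeholder names from the post.
MAPS: Dict[str, Dict[str, str]] = {
    "auto.master": {"/home/domain.org": "auto.home"},
    "auto.home": {"*": "-fstype=nfs3,rw filer.domain.org:/exports/home/&"},
}


@dataclass
class Mount:
    mountpoint: str     # directory autofs creates and mounts on
    options: List[str]  # mount options from the leading "-opt,opt" token
    source: str         # host:/export after "&" expansion


def resolve(path: str, maps: Dict[str, Dict[str, str]]) -> Optional[Mount]:
    """Emulate the indirect-map lookup autofs does when `path` is accessed.

    auto.master: mount-root -> map name (here "auto.home").
    auto.home:   key -> "[-options] location"; "*" matches any key and "&"
                 in the location is replaced by the key that matched.
    Returns None when no map covers the path (autofs: no such file).
    """
    for mount_root, map_name in maps["auto.master"].items():
        root = mount_root.rstrip("/")
        if not path.startswith(root + "/"):
            continue
        # First component below the mount root is the map key (the user name).
        key = path[len(root) + 1:].split("/", 1)[0]
        if not key:
            return None
        entries = maps.get(map_name, {})
        info = entries.get(key, entries.get("*"))
        if info is None:
            return None
        tokens = info.split()
        options: List[str] = []
        if tokens and tokens[0].startswith("-"):
            options = tokens[0][1:].split(",")
            tokens = tokens[1:]
        if len(tokens) != 1:
            raise ValueError(f"unsupported map entry: {info!r}")
        source = tokens[0].replace("&", key)
        return Mount(mountpoint=f"{root}/{key}", options=options, source=source)
    return None


def filer_directories(users: List[str], maps: Dict[str, Dict[str, str]],
                      mount_root: str = "/home/domain.org") -> List[str]:
    """Export directories step 5 must create on the filer, one per user."""
    dirs = []
    for user in users:
        m = resolve(f"{mount_root}/{user}", maps)
        if m is not None:
            dirs.append(m.source.split(":", 1)[1])
    return dirs


if __name__ == "__main__":
    # "alice" and "bob" are constructed sample user names.
    print(resolve("/home/domain.org/alice", MAPS))
    print(filer_directories(["alice", "bob"], MAPS))
```

Run it directly to print what a login as alice resolves to and which filer directories the two sample users need; the same functions are what a test would exercise.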

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread Michael ORourke
What about using the pGina project on the Windows side?

Reference:
http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/

-Mike

-Original Message-
>From: John Meyers 
>Sent: May 18, 2016 5:19 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>
>All,
>
>FreeIPA as we've discovered has some wonderful Windows integration
>capability, but it is all predicated on Windows AD being the
>authoritative source of user information.  2-Way trusts are great, but
>they only work for kerberized applications, not native Windows rights
>(that would require FreeIPA to act as global catalog as I learned from
>Alexander).  The winsync capability does not, as it turns out, sync
>native IPA users to AD.
>
>The million dollar question is if you are a 90% Linux shop and FreeIPA is
>your authoritative user repository (AD is a blank slate), how do you
>perform local Windows login authentication for the 10% of Windows
>machines against FreeIPA?
>
>Thank you all!
>
>John
>
>



Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Simpson Lachlan
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Wednesday, 18 May 2016 5:40 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] HBAC access denied, all AD groups not detected
> 
> On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote:
> > Hmmm, I also now see
> >
> > https://fedorahosted.org/sssd/ticket/2642
> > and
> > https://bugzilla.redhat.com/show_bug.cgi?id=1217127
> >
> > Versions being run:
> >
> > sssd-client-1.13.0-40.el7_2.4.x86_64
> > sssd-ad-1.13.0-40.el7_2.4.x86_64
> > sssd-proxy-1.13.0-40.el7_2.4.x86_64
> > sssd-1.13.0-40.el7_2.4.x86_64
> > sssd-common-1.13.0-40.el7_2.4.x86_64
> > sssd-common-pac-1.13.0-40.el7_2.4.x86_64
> > sssd-ipa-1.13.0-40.el7_2.4.x86_64
> > sssd-ldap-1.13.0-40.el7_2.4.x86_64
> > python-sssdconfig-1.13.0-40.el7_2.4.noarch
> > sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
> > sssd-krb5-1.13.0-40.el7_2.4.x86_64
> >
> > ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
> 
> The reason I asked about the server versions is
> https://bugzilla.redhat.com/show_bug.cgi?id=1304333
> 
> I'm not too familiar with how the centos versioning works, can you check if 
> that
> bug is mentioned in the rpm changelog?


"You are not authorized to access bug #1304333." :(




Re: [Freeipa-users] want to make new replicas but cert expire

2016-05-18 Thread barrykfl
I already changed to a new cert; no error is prompted when starting the server. But using
ipa-replica-install, the same error comes out. So I should have missed some folder not yet
replaced.
On 2016-05-19 at 02:01, "Rob Crittenden" wrote:

> barry...@gmail.com wrote:
>
>> Hi:
>>
>> I typed ipa-replica-install server --ip 192.168.1.3
>>
>> It shows my cert expired. Where is the location I should input the cert?
>>
>> trusted by the user.)
>> preparation of replica failed: cannot connect to
>> 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
>> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked
>>
>
> You need to sort out your expired certs before you can create a new master.
>
> Why not just renew the GoDaddy certs?
>
> rob
>
>

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread John Meyers
Thanks.  I've experimented with that as well with vanilla MIT kerberos
(prior to using FreeIPA) and I agree it works just fine.  However, the
limitation I always found was that it is not practical to manually
create the "shadow objects" and then keep them in sync.  I was hoping
the "winsync" feature would actually be able to handle that part of it,
but it only seems to be able to deal with accounts that come from AD
initially.

On 5/18/16 6:03 PM, Coy Hile wrote:
> When I've done this in the past, I used mit directly, not IPA. I set up a one 
> way trust, then used "shadow objects" for users mapped using 
> alternateSecurityID. I've set up the same one way trust testing with freeipa, 
> but unfortunately I had to use kadmin.local to do it. I don't know that 
> that's actually supported. Simo?
>
> -c
>
> Sent from my iPad
>
>> On May 18, 2016, at 17:19, John Meyers  wrote:
>>
>> All,
>>
>> FreeIPA as we've discovered has some wonderful Windows integration
>> capability, but it is all predicated on Windows AD being the
>> authoritative source of user information.  2-Way trusts are great, but
>> they only work for kerberized applications, not native Windows rights
>> (that would require FreeIPA to act as global catalog as I learned from
>> Alexander).  The winsync capability does not, as it turns out, sync
>> native IPA users to AD.
>>
>> The million dollar question is if you are a 90% Linux shop and FreeIPA is
>> your authoritative user repository (AD is a blank slate), how do you
>> perform local Windows login authentication for the 10% of Windows
>> machines against FreeIPA?
>>
>> Thank you all!
>>
>> John
>>
>>



Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread Coy Hile
When I've done this in the past, I used mit directly, not IPA. I set up a one 
way trust, then used "shadow objects" for users mapped using 
alternateSecurityID. I've set up the same one way trust testing with freeipa, 
but unfortunately I had to use kadmin.local to do it. I don't know that that's 
actually supported. Simo?

-c

Sent from my iPad

> On May 18, 2016, at 17:19, John Meyers  wrote:
> 
> All,
> 
> FreeIPA as we've discovered has some wonderful Windows integration
> capability, but it is all predicated on Windows AD being the
> authoritative source of user information.  2-Way trusts are great, but
> they only work for kerberized applications, not native Windows rights
> (that would require FreeIPA to act as global catalog as I learned from
> Alexander).  The winsync capability does not, as it turns out, sync
> native IPA users to AD.
> 
> The million dollar question is if you are a 90% Linux shop and FreeIPA is
> your authoritative user repository (AD is a blank slate), how do you
> perform local Windows login authentication for the 10% of Windows
> machines against FreeIPA?
> 
> Thank you all!
> 
> John
> 
> 



[Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread John Meyers
All,

FreeIPA as we've discovered has some wonderful Windows integration
capability, but it is all predicated on Windows AD being the
authoritative source of user information.  2-Way trusts are great, but
they only work for kerberized applications, not native Windows rights
(that would require FreeIPA to act as global catalog as I learned from
Alexander).  The winsync capability does not, as it turns out, sync
native IPA users to AD.

The million dollar question is if you are a 90% Linux shop and FreeIPA is
your authoritative user repository (AD is a blank slate), how do you
perform local Windows login authentication for the 10% of Windows
machines against FreeIPA?

Thank you all!

John




Re: [Freeipa-users] want to make new replicas but cert expire

2016-05-18 Thread Rob Crittenden

barry...@gmail.com wrote:

Hi:

I typed ipa-replica-install server --ip 192.168.1.3

It shows my cert expired. Where is the location I should input the cert?

trusted by the user.)
preparation of replica failed: cannot connect to
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
-8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
marked


You need to sort out your expired certs before you can create a new master.

Why not just renew the GoDaddy certs?

rob



Re: [Freeipa-users] LDAP access for user authentication?

2016-05-18 Thread Rob Crittenden

Alexander Skwar wrote:

Hello Rob

2016-05-18 16:21 GMT+02:00 Rob Crittenden :

Alexander Skwar wrote:


Hello Rob

2016-05-12 0:06 GMT+02:00 Rob Crittenden :



Alexander Skwar wrote:



Important parts here:

- [USER_AUTH_FAILED_TECH]
- javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]

I suppose, the "tech" user doesn't have the sufficient rights.



Is your user "tech?" It doesn't appear to be though this logging leaves much
to be desired.



Well, according to the howto, I created a user with "DN:
uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern". That's also
what I configured as the „Technical user DN“ in my appliance (→
uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern).

The password is correct. I double checked. On the IPA server, I can do:

local@bbva-auth01-prod ~ % ldapsearch -x -D
uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern -W | head
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] LDAP access for user authentication?

2016-05-18 Thread Alexander Skwar
Hello Rob

2016-05-18 16:21 GMT+02:00 Rob Crittenden :
> Alexander Skwar wrote:
>>
>> Hello Rob
>>
>> 2016-05-12 0:06 GMT+02:00 Rob Crittenden :
>>>
>>>
>>> Alexander Skwar wrote:

>> Important parts here:
>>
>> - [USER_AUTH_FAILED_TECH]
>> - javax.naming.AuthenticationNotSupportedException: [LDAP: error code
>> 48 - Inappropriate Authentication]
>>
>> I suppose, the "tech" user doesn't have the sufficient rights.
>
>
> Is your user "tech?" It doesn't appear to be though this logging leaves much
> to be desired.


Well, according to the howto, I created a user with "DN:
uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern". That's also
what I configured as the „Technical user DN“ in my appliance (→
uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern).

The password is correct. I double checked. On the IPA server, I can do:

local@bbva-auth01-prod ~ % ldapsearch -x -D
uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern -W | head
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] LDAP access for user authentication?

2016-05-18 Thread Rob Crittenden

Alexander Skwar wrote:

Hello Rob

2016-05-12 0:06 GMT+02:00 Rob Crittenden :


Alexander Skwar wrote:



The WAF would then send username and password to FreeIPA (using LDAP)
and would need to get back, whether the combination was good or not.

Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even
know of some good howtos or links? Any gotchas, that we'd need to be
aware of?



Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP



I created the user uid=system as shown in the howto. But my appliance
is having issues (so to say). I'm getting errors like this one:

[…]
2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$]
[RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT]
[USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due
to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid
internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
/ cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636
/ javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]'"
2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$]
[RC:7f0100-4094-2016.05.18_1255.33.733-001]
exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE]
Invalid internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE]
Invalid internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
 at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(LdapUtil.java:410)
 at 
com.usp.sls.ldap.service.LDAPServiceWrapper.openContext(LDAPServiceWrapper.java:203)
[…]


Important parts here:

- [USER_AUTH_FAILED_TECH]
- javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]

I suppose, the "tech" user doesn't have the sufficient rights.


Is your user "tech?" It doesn't appear to be though this logging leaves 
much to be desired.


LDAP err 48 means a bind was tried using a bad mechanism, like trying to 
do a simple bind when stronger auth is required, for example. Or you try 
to bind with a user that has no password.


What is confusing to me is that the DN doesn't include uid=system, so it 
may be a configuration error on your part.




In the Howto, it says:

Note: IPA 4.0 is going to change the default stance on data from
nearly everything is readable to nothing is readable, by default. You
will eventually need to add some Access Control Instructions (ACI's)
to grant read access to the parts of the LDAP tree you will need.



What would be good ACIs to grant read access to
cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?


This is not the problem.

rob



Thanks again,


Alexander



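As an added example (code written for this archive, not from Rob, Alexander or the appliance vendor), the check Rob is doing by eye above can be mechanized: pull the bind DN, LDAP URL and result code out of the appliance's log line and compare the DN against the technical user that was meant to bind, so his observation that the logged DN lacks uid=system becomes a deterministic finding. The log line is the one quoted in the message above; the expected DN uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern is the one Alexander says he configured. The result-code meanings are those of RFC 4511.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Copy of the appliance log line quoted in the message above (sample input).
SAMPLE_LOG = (
    "2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$] "
    "[RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT] "
    "[USER_AUTH_FAILED_TECH] user=\"ask\" logmsg=\"Authentication failed due "
    "to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid "
    "internal state! Reason: "
    "'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636' "
    "/ cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636 "
    "/ javax.naming.AuthenticationNotSupportedException: [LDAP: error code "
    "48 - Inappropriate Authentication]'\""
)

# The DN the appliance was configured to bind with (from Alexander's message).
EXPECTED_BIND_DN = "uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern"

# 'dn@ldap(s)://host:port' as the appliance writes it, and the JNDI error text.
_DN_URL_RE = re.compile(r"'((?:[A-Za-z]+=[^,'@]+,?)+)@(ldaps?://[^']+)'")
_LDAP_ERR_RE = re.compile(r"\[LDAP: error code (\d+) - ([^\]]+)\]")


@dataclass
class BindFailure:
    bind_dn: str
    server: str
    code: int
    message: str


def parse_bind_failure(line: str) -> Optional[BindFailure]:
    """Extract bind DN, server URL and LDAP result code from one log line."""
    m_dn = _DN_URL_RE.search(line)
    m_err = _LDAP_ERR_RE.search(line)
    if not (m_dn and m_err):
        return None
    return BindFailure(
        bind_dn=m_dn.group(1),
        server=m_dn.group(2),
        code=int(m_err.group(1)),
        message=m_err.group(2).strip(),
    )


def diagnose(failure: BindFailure, expected_dn: str = EXPECTED_BIND_DN) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    # Case-insensitive comparison is enough for a fixed, known DN string.
    if failure.bind_dn.lower() != expected_dn.lower():
        findings.append(
            f"logged DN {failure.bind_dn!r} is not the technical user "
            f"{expected_dn!r}: check the appliance's bind/technical-user settings"
        )
    # Bind-related result codes, RFC 4511 section 4.1.9.
    if failure.code == 48:
        findings.append(
            "LDAP 48 inappropriateAuthentication: the bind mechanism is not "
            "accepted for this entry, e.g. a simple bind where stronger auth is "
            "required, or a bind as an entry that has no password"
        )
    elif failure.code == 49:
        findings.append("LDAP 49 invalidCredentials: the DN exists, the password is wrong")
    elif failure.code == 50:
        findings.append(
            "LDAP 50 insufficientAccessRights: the bind itself succeeded; an ACI "
            "for the data being read is what is missing"
        )
    return findings


if __name__ == "__main__":
    failure = parse_bind_failure(SAMPLE_LOG)
    print(failure)
    for finding in diagnose(failure):
        print(" -", finding)
```

Running it against the quoted line yields two findings: the DN mismatch and the meaning of result code 48. Only the third case (code 50) would point at ACIs, which is why the ACI question is a separate matter from this failure.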

Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Baird, Josh
I would start by reading the documentation [1].

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/automount.html

Josh

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ben .T.George
Sent: Wednesday, May 18, 2016 10:04 AM
To: Michael ORourke 
Cc: freeipa-users 
Subject: Re: [Freeipa-users] AD users home directory automount

Hi,

Thanks for the reply.

Actually I don't want to share from my trusted AD. My SAN has CIFS and NFS 
capability.

In this case how can I proceed? Usually while installing the client, I used to give 
the options below:

ipa-client-install --server global.ipa.local  --domain ipa.local --mkhomedir 
--fixed-primary

so whenever a user logs in, it creates the home directory automatically under 
/home/DOMAIN/user.

Regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke 
> wrote:
Yes, because you can point the automount maps to whatever device you want.  
NFSv4 might be more tricky to set up on a SAN device and may or may not work 
depending on the software/firmware of the device.  NFSv3 is a well supported 
protocol across SAN vendors and you should not have any problems setting that 
up.  I've used Openfiler on a white-box SAN with home dirs and automount maps 
which is working fine for us.
I wonder if you could do some sort of CIFS home dir automount with a SAN that 
is joined to an AD domain which is trusted by FreeIPA?  Seems like this would 
be feasible.

-Mike
-Original Message-
From: "Ben .T.George"
Sent: May 18, 2016 7:38 AM
To: freeipa-users
Subject: [Freeipa-users] AD users home directory automount
Hi List,

Is it possible to mount home directories of AD-authenticated users from an 
external source (like a SAN or file share)?

Regards,
Ben



Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Ben .T.George
Hi,

Thanks for the reply.

Actually I don't want to share from my trusted AD. My SAN has CIFS and NFS
capability.

In this case how can I proceed? Usually while installing the client, I used to
give the options below:

ipa-client-install --server global.ipa.local  --domain ipa.local
--mkhomedir --fixed-primary

so whenever a user logs in, it creates the home directory automatically under
/home/DOMAIN/user.

Regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke 
wrote:

> Yes, because you can point the automount maps to whatever device you
> want.  NFSv4 might be more tricky to set up on a SAN device and may or may
> not work depending on the software/firmware of the device.  NFSv3 is a well
> supported protocol across SAN vendors and you should not have any problems
> setting that up.  I've used Openfiler on a white-box SAN with home dirs and
> automount maps which is working fine for us.
> I wonder if you could do some sort of CIFS home dir automount with a SAN
> that is joined to an AD domain which is trusted by FreeIPA?  Seems like
> this would be feasible.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 18, 2016 7:38 AM
> To: freeipa-users
> Subject: [Freeipa-users] AD users home directory automount
>
> Hi List,
>
> Is it possible to mount home directories of AD-authenticated users from an
> external source (like a SAN or file share)?
>
> Regards,
> Ben
>
>
>

Re: [Freeipa-users] LDAP access for user authentication?

2016-05-18 Thread Alexander Skwar
Hello Rob

2016-05-12 0:06 GMT+02:00 Rob Crittenden :
>
> Alexander Skwar wrote:

>> The WAF would then send username and password to FreeIPA (using LDAP)
>> and would need to get back, whether the combination was good or not.
>>
>> Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even
>> know of some good howtos or links? Any gotchas, that we'd need to be
>> aware of?
>
>
> Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP
>

I created the user uid=system as shown in the howto. But my appliance
is having issues (so to say). I'm getting errors like this one:

[…]
2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$]
[RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT]
[USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due
to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid
internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
/ cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636
/ javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]'"
2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$]
[RC:7f0100-4094-2016.05.18_1255.33.733-001]
exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE]
Invalid internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE]
Invalid internal state! Reason:
'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(LdapUtil.java:410)
at 
com.usp.sls.ldap.service.LDAPServiceWrapper.openContext(LDAPServiceWrapper.java:203)
[…]


Important parts here:

- [USER_AUTH_FAILED_TECH]
- javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - Inappropriate Authentication]

I suppose, the "tech" user doesn't have the sufficient rights.

In the Howto, it says:

Note: IPA 4.0 is going to change the default stance on data from
nearly everything is readable to nothing is readable, by default. You
will eventually need to add some Access Control Instructions (ACI's)
to grant read access to the parts of the LDAP tree you will need.



What would be good ACIs to grant read access to
cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?

Thanks again,


Alexander
-- 
=>Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.sk...@gmail.com <==


Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Michael ORourke
Yes, because you can point the automount maps to whatever device you want. NFSv4 might be more tricky to set up on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setting that up. I've used Openfiler on a white-box SAN with home dirs and automount maps which is working fine for us.

I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA? Seems like this would be feasible.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 18, 2016 7:38 AM
To: freeipa-users 
Subject: [Freeipa-users] AD users home directory automount

Hi List,

Is it possible to mount home directories of AD-authenticated users from an external source (like a SAN or file share)?

Regards,
Ben



Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-18 Thread Sumit Bose
On Mon, May 16, 2016 at 09:34:28AM +0100, lejeczek wrote:
> 
> 
> On 13/05/16 14:14, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but in such a
> > > way that I tap my IPA into a specific OU within that AD.
> > I'm not exactly sure what you mean here. Do you want to join a computer
> > which is already a client in an IPA domain to AD as well? If this is the
> > case I would recommend to consider the IPA trust feature. Joining 2
> > domains is in general possible with SSSD but has to be done with very
> > great care, e.g. by using different keytabs for each domain.
> > 
> > > The thing is - I'm thinking it would make user access control ideal
> > > from the start as I need only users from that OU, but also because I'm
> > > only granted access to the user/group who has control over that OU.
> > > I'm trying that but I see:
> > > 
> > > ! The computer account RIDER already exists, but is not in the desired
> > > organizational unit.
> > > adcli: joining domain ccc.bb.aa failed: The computer account RIDER
> > > already exists,
> > Computer account names in AD must be unique even if they are added to
> > different OUs. So if there is already a computer called RIDER joined to
> > AD and it is not your computer you have to rename your computer to join.
> > If it is your computer and you want to create it in a different OU you
> > have to delete the old computer object first and then do a fresh join.
> Hi Sumit, for me it did not work because of this bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1258488

You might want to have a look at the test build at
http://koji.fedoraproject.org/koji/taskinfo?taskID=14148923 which
includes a patch which should fix bz1258488.

bye,
Sumit

> > HTH
> > 
> > bye,
> > Sumit
> > 
> > >   ! Failed to join the domain
> > > 
> > > I'm doing this:
> > > $ realm join ccc.bb.aa --user=private-user --computer-ou=private
> > > 
> > > and computer is in OU=private of ccc.bb.aa
> > > so is the user private-user
> > > 
> > > many thanks.
> 



[Freeipa-users] AD users home directory automount

2016-05-18 Thread Ben .T.George
Hi List,

Is it possible to mount home directories of AD-authenticated users from an
external source (like a SAN or file share)?

Regards,
Ben

Re: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version

2016-05-18 Thread Ben .T.George
Hi All,

again the repo is down.

Regards,
Ben

On Mon, May 2, 2016 at 2:04 PM, Alexander Bokovoy 
wrote:

> On Mon, 02 May 2016, Ben .T.George wrote:
>
>> HI
>>
>> thanks
>>
>> yes now it's working and yesterday it was not.
>>
> COPR service SLA is weaker than primary Fedora repositories. Basically,
> we have no promise COPR would be available all the time.
>
> --
> / Alexander Bokovoy
>

[Freeipa-users] want to make new replicas but cert expire

2016-05-18 Thread barrykfl
Hi:

I typed ipa-replica-install server --ip 192.168.1.3

It shows my cert expired. Where should I input the cert?

preparation of replica failed: cannot connect to
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
-8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
marked as not trusted by the user.)

thkx

Re: [Freeipa-users] Reverse DNS

2016-05-18 Thread Martin Basti



On 18.05.2016 11:13, Andrew Holway wrote:

Hello,

I see that our default installation of IdM is working quite well 
without rdns configured (it's on AWS). We're not doing anything 
complicated with it yet but is there anything that definitely will not 
work?


Cheers,

Andrew



Hello,

IPA services and clients are able to work without reverse DNS.

If you are using something else in your environment, you must find out if 
reverse records are needed :)


Martin

[Freeipa-users] Advice sought on monitoring freeipa status

2016-05-18 Thread Roderick Johnstone

Hi

I'm trying to set up some monitoring of our freeipa installation. To 
start with, I'd like to know eg:


1) If replication stopped

2) Whether the ldap databases on replicas are inconsistent with each other.

We have RHEL7 freeipa servers and RHEL6 and RHEL7 clients, all with 
latest distribution packages.


I see a number of pages at www.ipa.org about monitoring freeipa in 
various ways, but I'm not sure any were actually implemented yet.


Then I found this: https://github.com/peterpakos/ipa_check_consistency
which looks useful but seems to require a plain text password for a 
privileged ldap account to be embedded in a file, which is less than ideal.


So, I was wondering, as a stop gap, whether it's possible to control the 
server that the ipa commands talk to at the command line?


One could then run a cron job to iterate through the servers and compare 
various outputs from ipa commands. However, the ipa man page suggests 
the ipa command will go for either the server explicitly set in 
/etc/ipa/default.conf or if unavailable use those set in the DNS _SRV_ 
records.


Maybe there is a better way to do this that I missed altogether?

Roderick Johnstone

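The stop gap described above (query each server in turn from cron and diff the answers) can be scripted without storing any password: a Kerberos ticket from a keytab is enough. The following is an added example, not code from the thread or from the FreeIPA project. It assumes that `ipa -e xmlrpc_uri=https://<server>/ipa/xml` makes the client talk to that server instead of the one in /etc/ipa/default.conf (an assumption; check `ipa --help` on your version). It also drops the krbLastSuccessfulAuth, krbLastFailedAuth and krbLoginFailedCount attributes, which FreeIPA excludes from replication and which therefore differ between replicas without anything being wrong.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): pull the same
# query from every IPA server and diff the normalised results.
# Assumptions: a valid admin Kerberos ticket is held (kinit, or a keytab
# from cron), and `ipa -e xmlrpc_uri=...` selects the server (assumed).

# Attributes deliberately excluded from IPA replication; comparing them
# would raise false alarms.
VOLATILE_ATTRS='krbLastSuccessfulAuth|krbLastFailedAuth|krbLoginFailedCount'

# Normalise one `ipa user-find --all --raw` dump read from stdin: drop the
# summary lines and volatile attributes, then sort so attribute order does
# not matter.
normalize_output() {
    grep -v -e '^-' -e 'user[s]* matched' -e 'Number of entries returned' \
            -e '^[[:space:]]*$' \
        | grep -viE "^[[:space:]]*($VOLATILE_ATTRS):" \
        | sort
}

# Query each server named on the command line and store a normalised dump
# under OUTDIR/<server>.txt.
collect_from_servers() {
    outdir=$1; shift
    mkdir -p "$outdir"
    for srv in "$@"; do
        ipa -e "xmlrpc_uri=https://$srv/ipa/xml" user-find --all --raw \
            | normalize_output > "$outdir/$srv.txt"
    done
}

# Compare every dump in DIR against the first one (alphabetically).
# Prints the names of dumps that differ; returns 0 only if all agree.
compare_outputs() {
    dir=$1
    ref=""
    rc=0
    for f in "$dir"/*.txt; do
        if [ -z "$ref" ]; then
            ref=$f
            continue
        fi
        if ! cmp -s "$ref" "$f"; then
            echo "DIFFERS: $(basename "$f") vs $(basename "$ref")"
            rc=1
        fi
    done
    return $rc
}

# Usage from cron, after obtaining a ticket (e.g. kinit -kt /etc/ipa-check.keytab):
#   collect_from_servers /var/tmp/ipa-check ipa1.example.com ipa2.example.com
#   compare_outputs /var/tmp/ipa-check || logger -t ipa-check "replicas differ"
```

The server names, the output directory and the keytab path in the usage comment are placeholders. The comparison only detects divergence, not its cause; a hit should be followed by inspecting the replication agreements on the servers that disagree.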


Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-18 Thread Alexander Bokovoy

On Wed, 18 May 2016, lejeczek wrote:

On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:

On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but in
> > > such a way so I tap my IPA into specific OU within that AD.
> >
> > I'm not exactly sure what you mean here. Do you want to join a
> > computer which is already a client in an IPA domain to AD as well? If
> > this is the case I would recommend to consider the IPA trust feature.
> > Joining 2 domains is in general possible with SSSD but has to be done
> > with very great care, e.g. by using different keytabs for each domain.
> Can IPA domain establish a trust between win AD if IPA admin only
> has
> admin control over an OU in win AD ?

No, you need to be a Domain Admin with full privileges.

many thanks Simo,
when I try user who only has delegated admin/management over a OU I
see:
Active Directory domain administrator's password: 
ipa: ERROR: Insufficient access: CIFS server denied your credentials.

That's correct. You need to be a member of Domain Admins group of the
forest root domain or a member of Enterprise Admins group in the forest.


Would joining an IPA server to winAD with realmd be kind of one way
trust?

No, not at all.

Trust != joining a machine to AD domain.


Is it even possible (with no reasons against doing so) to join IPA
server/domain to AD?

No. A machine in Active Directory can only be a member of a single
domain. It cannot be a servant of two masters.


I mean I did that and I could get AD users IDs but there was some
problem with krb5, config got messed up and daemon would not start.

If you like to enjoy broken configurations, it is up to you. There is
probably a reason why obvious things don't work. If you want to know
more about Active Directory, feel free to read specs at MSDN. Start with
MS-ADTS: https://msdn.microsoft.com/en-us/library/cc223122.aspx

--
/ Alexander Bokovoy



Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-18 Thread lejeczek
On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:
> On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > > .. if possible, would you know?
> > > > hi everybody,
> > > > I'm trying, and hoping it is possible to realm join an AD but in
> > > > such a way so I tap my IPA into specific OU within that AD.
> > > 
> > > I'm not exactly sure what you mean here. Do you want to join a
> > > computer which is already a client in an IPA domain to AD as well? If
> > > this is the case I would recommend to consider the IPA trust feature.
> > > Joining 2 domains is in general possible with SSSD but has to be done
> > > with very great care, e.g. by using different keytabs for each domain.
> > Can IPA domain establish a trust between win AD if IPA admin only
> > has
> > admin control over an OU in win AD ?
> 
> No, you need to be a Domain Admin with full privileges.
many thanks Simo,
when I try user who only has delegated admin/management over a OU I
see:
Active Directory domain administrator's password: 
ipa: ERROR: Insufficient access: CIFS server denied your credentials.
Would joining an IPA server to winAD with realmd be kind of one way
trust?
Is it even possible (with no reasons against doing so) to join IPA
server/domain to AD?
I mean I did that and I could get AD users IDs but there was some
problem with krb5, config got messed up and daemon would not start.
> > 
> > I know very little about AD and only started with IPA - I don't suppose
> > control of OU delegated to a user makes that user AD admin.
> > 

> 
> 
> It doesn't.
> 
> 
> > 
> > I guess what I'm thinking, asking, is - what would be the correct
> > possible way to plug in, connect IPA domain to win AD when one has
> > admin control only over a OU in win AD?
> > 

> 
> 
> Not sure you can even do sync, there isn't really much you can do with
> those privileges, you are basically just allowed to administer a
> "group".
> 
> Simo.
> 
> 
> 

[Freeipa-users] Reverse DNS

2016-05-18 Thread Andrew Holway
Hello,

I see that our default installation of IdM is working quite well without
rdns configured (it's on AWS). We're not doing anything complicated with it
yet but is there anything that definitely will not work?

Cheers,

Andrew

Re: [Freeipa-users] Limiting directory listing for all users in self service

2016-05-18 Thread Petr Spacek
On 18.5.2016 10:27, Marc Peiser wrote:
> Hi all,
> 
> We're busy rolling out freeipa internally and one thing we would like to
> limit is the ability for normal users to view all users in the directory
> via the self service portal. We only want the user to see their particular
> details. Is this possible?

This could theoretically be done using ACI in LDAP but please see
https://www.redhat.com/archives/freeipa-users/2016-March/msg00071.html
for elaborate discussion.

It would have significant consequences.

-- 
Petr^2 Spacek



[Freeipa-users] Limiting directory listing for all users in self service

2016-05-18 Thread Marc Peiser
Hi all,

We're busy rolling out freeipa internally and one thing we would like to
limit is the ability for normal users to view all users in the directory
via the self service portal. We only want the user to see their particular
details. Is this possible?

Thanks,
Marc

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Alexander Bokovoy

On Wed, 18 May 2016, Jakub Hrozek wrote:

On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote:

Hmmm, I also now see

https://fedorahosted.org/sssd/ticket/2642
and
https://bugzilla.redhat.com/show_bug.cgi?id=1217127

Versions being run:

sssd-client-1.13.0-40.el7_2.4.x86_64
sssd-ad-1.13.0-40.el7_2.4.x86_64
sssd-proxy-1.13.0-40.el7_2.4.x86_64
sssd-1.13.0-40.el7_2.4.x86_64
sssd-common-1.13.0-40.el7_2.4.x86_64
sssd-common-pac-1.13.0-40.el7_2.4.x86_64
sssd-ipa-1.13.0-40.el7_2.4.x86_64
sssd-ldap-1.13.0-40.el7_2.4.x86_64
python-sssdconfig-1.13.0-40.el7_2.4.noarch
sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
sssd-krb5-1.13.0-40.el7_2.4.x86_64

ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64


The reason I asked about the server versions is
https://bugzilla.redhat.com/show_bug.cgi?id=1304333

I'm not too familiar with how the centos versioning works, can you check
if that bug is mentioned in the rpm changelog?

No, these packages are not at the level where all known membership bugs
were fixed.

RHEL 7.2 build should be ipa-4.2.0-15.el7_2.15. A corresponding CentOS
build is already available in updates and it is ipa-4.2.0-15.el7.centos.15

--
/ Alexander Bokovoy



Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Jakub Hrozek
On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote:
> Hmmm, I also now see
> 
> https://fedorahosted.org/sssd/ticket/2642
> and
> https://bugzilla.redhat.com/show_bug.cgi?id=1217127
> 
> Versions being run:
> 
> sssd-client-1.13.0-40.el7_2.4.x86_64
> sssd-ad-1.13.0-40.el7_2.4.x86_64
> sssd-proxy-1.13.0-40.el7_2.4.x86_64
> sssd-1.13.0-40.el7_2.4.x86_64
> sssd-common-1.13.0-40.el7_2.4.x86_64
> sssd-common-pac-1.13.0-40.el7_2.4.x86_64
> sssd-ipa-1.13.0-40.el7_2.4.x86_64
> sssd-ldap-1.13.0-40.el7_2.4.x86_64
> python-sssdconfig-1.13.0-40.el7_2.4.noarch
> sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
> sssd-krb5-1.13.0-40.el7_2.4.x86_64
> 
> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64

The reason I asked about the server versions is
https://bugzilla.redhat.com/show_bug.cgi?id=1304333

I'm not too familiar with how the centos versioning works, can you check
if that bug is mentioned in the rpm changelog?



Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Jakub Hrozek
On Wed, May 18, 2016 at 09:46:49AM +1000, Lachlan Musicman wrote:
> It's worth noting that, in difference to the bug report:
> 
> 1. We aren't making changes to the overrides. The overrides exist, they
> just aren't propagating evenly or consistently.
> 2. We are seeing these errors in the various logs:
> 
> 
> sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]]
> [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
> sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> 
> 
> krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8929
> [k5c_send_data] (0x0200): Received error code 0
> krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8931
> [k5c_send_data] (0x0200): Received error code 1432158214
> 
> sssd_nss.log:Error: 3, 0, Account info lookup failed
> sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply]
> (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error
> message: Account info lookup failed
> sssd_nss.log:Error: 3, 22, Account info lookup failed
> sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply]
> (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error
> message: Account info lookup failed

You need to look into the failures in the domain log that happened at
the same time as these. Some failures are recoverable, in some other
cases we're just reporting failure even if we just didn't match any
entry (yes, that's a subtle bug we should fix).

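Jakub's advice is to read the domain (backend) log at the same timestamps as the responder failures. As an added example, not code from the thread or from SSSD, here is a small parser that does that correlation over grep-style lines like the ones quoted above. The sample input is constructed: the `ipa_s2n_get_user_done` entry at 09:01:04 is made up so that a match exists, and the truncated `krb5_child` component bracket is completed. The script also separates the real failure debug levels (0x0010 fatal, 0x0020 critical, 0x0040 operation failure, 0x0080 minor failure) from the trace-level (0x0400) `Error: 2` lines, which are debug output from a function that found no entry rather than failures.

```python
"""Correlate SSSD responder failures with backend log entries close in time.

Added example, not from the freeipa-users thread or the SSSD project.
"""
import re
from datetime import datetime, timedelta

# SSSD debug levels that denote an actual failure. Higher bits
# (0x0100 and up, e.g. 0x0400 trace-function) are informational even
# when the message text contains the word "Error".
FAILURE_LEVELS = {0x0010, 0x0020, 0x0040, 0x0080}

LINE_RE = re.compile(
    r"^(?:(?P<file>[^:\s]+\.log):)?"      # optional grep-style "file.log:" prefix
    r"\((?P<ts>[^)]+)\) "                  # (Wed May 18 09:00:01 2016)
    r"\[(?P<comp>.+?)\] "                  # [sssd[be[DOMAIN]]]
    r"\[(?P<func>[^\]]+)\] "               # [sysdb_delete_group]
    r"\((?P<level>0x[0-9a-fA-F]+)\): "     # (0x0400):
    r"(?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: lines from the thread plus one made-up backend failure
# (ipa_s2n_get_user_done at 09:01:04) so that the correlation has a hit.
SAMPLE_LINES = [
    "sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] "
    "[sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)",
    "sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] "
    "[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)",
    "sssd_DOMAIN.log:(Wed May 18 09:01:04 2016) [sssd[be[DOMAIN]]] "
    "[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.",
    "krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8929]]]] "
    "[k5c_send_data] (0x0200): Received error code 0",
    "sssd_nss.log:Error: 3, 0, Account info lookup failed",
    "sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] "
    "(0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 "
    "error message: Account info lookup failed",
    "sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] "
    "(0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 "
    "error message: Account info lookup failed",
]


def parse_line(line):
    """Return a dict for a well-formed SSSD log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["level"] = int(entry["level"], 16)
    return entry


def is_backend(entry):
    """True for lines written by the domain backend (sssd_<domain>.log)."""
    return entry["comp"].startswith("sssd[be[")


def correlate(lines, window_seconds=2):
    """For each NSS 'Account info lookup failed' reply, collect backend
    entries within +/- window_seconds, split into real failures and noise."""
    entries = [e for e in map(parse_line, lines) if e]
    symptoms = [e for e in entries if "Account info lookup failed" in e["msg"]]
    backend = [e for e in entries if is_backend(e)]
    window = timedelta(seconds=window_seconds)
    results = []
    for s in symptoms:
        near = [b for b in backend if abs(b["ts"] - s["ts"]) <= window]
        results.append({
            "symptom": s,
            "failures": [b for b in near if b["level"] in FAILURE_LEVELS],
            "noise": [b for b in near if b["level"] not in FAILURE_LEVELS],
        })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LINES):
        print(r["symptom"]["ts"], r["symptom"]["msg"])
        for f in r["failures"]:
            print("  backend failure:", f["func"], hex(f["level"]), f["msg"])
        for n in r["noise"]:
            print("  trace only:", n["func"], hex(n["level"]), n["msg"])
```

Run it against real files with something like `grep -h . /var/log/sssd/sssd_DOMAIN.log /var/log/sssd/sssd_nss.log | python3 correlate.py` after replacing SAMPLE_LINES with `sys.stdin`; the two `sysdb_*` lines at 09:00:01 fall outside the window and are ignored, while the 0x0040 entry at 09:01:04 is reported as the candidate cause.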