Re: [Freeipa-users] sssd 1.14.1, HBAC still not working?

2016-10-10 Thread Lachlan Musicman
After further testing, I've discovered that the dev system wasn't working
as well as I thought it was: HBAC and sshd don't seem to be playing well
together on one server, but fine on the other?

i.e., I can run the same commands from both ipa-server and ipa-client:

ipa hbactest --user=user1 --host=ipa-server.unixdev.petermac.org.au --service=sshd
ipa hbactest --user=user1 --host=ipa-client.unixdev.petermac.org.au --service=sshd


and every response is:

to the ipa-client

Access granted: True

  Matched rules: Admin Users (w sudo)
  Matched rules: Users

to the ipa-server

Access granted: True

  Matched rules: Cluster Admin Users (sudo)
  Not matched rules: Cluster Users


but when I try to log in to the ipa-server, I get an instant disconnect? I
can log in happily to the ipa-client, no problems.

Is there a special rule about sshd and the ipa-server?

cheers
L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 11 October 2016 at 14:06, Lachlan Musicman  wrote:

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] sssd 1.14.1, HBAC still not working?

2016-10-10 Thread Lachlan Musicman
Hola,

I've set up a test domain that's as much as possible the same as the prod
domain, and successfully got a one way trust against the AD: CentOS 7.2,
ipa 4.2.0-15/api2.156, sssd (copr) 1.14.1-3

On that test domain I believe I have HBAC working successfully.

Once I could show that it was working successfully on the test domain we
updated all the clients in the prod domain to sssd 1.14.1-3, updated the
IPA server, ran ipa-server-upgrade and we disabled "allow all" in the HBAC.

And it doesn't work? Two users could log in, but none of the others could,
and the sudo rules weren't applied, inasmuch as the one user who could
log in but shouldn't have had sudo, did.

I tried stopping sssd/clearing cache/start sssd/waiting; and stopping
sssd/deleting /var/lib/sss/db/* /start sssd/waiting.

Neither of those worked, so I enabled allow all again.

Now I have a bunch of log files to look through, but no clear indication of
what might have gone wrong from a quick read.

I can see in the logs where one person is ok'd by HBAC for sshd and another
two are denied - when they should have all been ok'd. And I can infer that
the reasoning is that HBAC has declared person2 + person3 to not be in a
group they most definitely are in from the error messages. But there is no
indication of why sssd hasn't properly picked up that person2 is in the
correct group?

I guess the question is, where do I start fixing this? Which logs should I
be reading?

What can I compare between the two set ups (dev and prod) that might give
me insight, given that they are largely set up identically?

Cheers
L.



--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
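Added example (not from the thread, and not FreeIPA's or sssd's own code): a small Python model of FreeIPA HBAC evaluation, run once against the fresh group data the IPA server sees (the `ipa hbactest` view) and once against the group memberships a client's sssd cache holds, which is why the two messages above can see "Access granted: True" from hbactest while the client still denies the login. The rule names are the ones mentioned in the thread; the memberships, host groups and users are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class HbacRule:
    """Simplified FreeIPA HBAC allow rule (service groups are left out)."""
    name: str
    enabled: bool = True
    user_cat_all: bool = False      # usercategory=all
    host_cat_all: bool = False      # hostcategory=all
    service_cat_all: bool = False   # servicecategory=all
    users: frozenset = frozenset()
    user_groups: frozenset = frozenset()
    hosts: frozenset = frozenset()
    host_groups: frozenset = frozenset()
    services: frozenset = frozenset()  # PAM service names such as sshd, sudo

def rule_matches(rule, user, user_groups, host, host_groups, service):
    """A rule matches only when its user, host AND service parts all match."""
    if not rule.enabled:
        return False
    user_ok = rule.user_cat_all or user in rule.users or bool(user_groups & rule.user_groups)
    host_ok = rule.host_cat_all or host in rule.hosts or bool(host_groups & rule.host_groups)
    svc_ok = rule.service_cat_all or service in rule.services
    return user_ok and host_ok and svc_ok

def hbac_evaluate(rules, user, user_groups, host, host_groups, service):
    """HBAC is allow-only: access is granted if any enabled rule matches."""
    ug, hg = frozenset(user_groups), frozenset(host_groups)
    matched = [r.name for r in rules if rule_matches(r, user, ug, host, hg, service)]
    return bool(matched), matched

# Constructed rules: the names are from the thread, the memberships are hypothetical.
RULES = [
    HbacRule("Cluster Admin Users (sudo)", user_groups=frozenset({"cluster-admins"}),
             host_groups=frozenset({"cluster"}), services=frozenset({"sshd", "sudo"})),
    HbacRule("Cluster Users", user_groups=frozenset({"cluster-users"}),
             host_groups=frozenset({"cluster"}), services=frozenset({"sshd"})),
]

def server_vs_client_view(user, host, service, fresh_groups, cached_groups, host_groups):
    """Same request evaluated with the server's fresh groups (ipa hbactest) and
    with the groups a client's sssd cache holds; a stale cache flips the answer."""
    return {"server": hbac_evaluate(RULES, user, fresh_groups, host, host_groups, service),
            "client": hbac_evaluate(RULES, user, cached_groups, host, host_groups, service)}

if __name__ == "__main__":
    # user1 is in cluster-admins on the server; the client's cache has lost that membership
    print(server_vs_client_view("user1", "ipa-server", "sshd",
                                {"cluster-admins"}, set(), {"cluster"}))
```

Comparing the client-side view with the `ipa hbactest` output is the quickest way to tell a rule problem from a cache problem: if only the client view denies, look at the group memberships sssd has cached rather than at the rules.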

[Freeipa-users] Replication attrlist_replace nsslapd-referral failed

2016-10-10 Thread Fil Di Noto
After an IPA server is re-initialized it immediately begins failing
incremental updates. I checked the kerberos logs and things appear to
be ok there; I can manually test LDAP from all servers against all
other servers.

There is a DS5ReplicaBindDN entry in "dn:
cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for
an IPA server that no longer exists. But all living IPA servers have
an entry for all other living servers.
There is the correct number of cn=master and cn=ca entries, and the
caRenewalMaster is set on the correct master.

 "ipa-replica-manage del --force --clean " does not remove the entry.

There were some RUVs from the old servers also and I cleaned them. The
man page says if a clean is run on the wrong ID then the server should
be re-initialized, so I just did that on purpose and re-initialized
one of the servers, and that has cleared the NSMMReplicationPlugin
error (so far) but I am still getting the attrlist_replace error.

I'm getting no indication of kerberos problems. Could it be the
NSACLPlugin? It precedes the other error every time but that is
probably just regular startup procedure, and having an ACL for
something that doesn't exist doesn't feel like a fatal error to me. I
didn't do the KRA install.

[root@ipa05 slapd-example-com]# tail -f errors
[10/Oct/2016:23:27:57 +] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +] NSACLPlugin - The ACL target
cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not
exist
[10/Oct/2016:23:27:57 +] agmt="cn=meToipa07.example.com"
(ipa07:389) - Can't locate CSN 57fc2e7f000a000d in the changelog
(DB rc=-30988). If replication stops, the consumer may need to be
reinitialized.
[10/Oct/2016:23:27:57 +] NSMMReplicationPlugin - changelog program
- agmt="cn=meToipa07.example.com" (ipa07:389): CSN
57fc2e7f000a000d not found, we aren't as up to date, or we purged
[10/Oct/2016:23:27:57 +] NSMMReplicationPlugin -
agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update
replica has been purged. The replica must be reinitialized.
[10/Oct/2016:23:27:57 +] NSMMReplicationPlugin -
agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed
and requires administrator action
[10/Oct/2016:23:29:09 +] attrlist_replace - attr_replace
(nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.

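Added example (not from the message, and not 389-ds or FreeIPA code): a Python scan of the errors log quoted above that groups replication failures per replication agreement (missing CSNs, the server's own "must be reinitialized" verdict, "requires administrator action") and records attrlist_replace failures separately, so the two symptoms can be told apart. The sample lines are constructed in the shape of the quoted log, with the timezone written out as +0000.

```python
import re

# Constructed sample in the shape of the errors log quoted above (timezone written out as +0000).
SAMPLE_LOG = """\
[10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +0000] agmt="cn=meToipa07.example.com" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed and requires administrator action
[10/Oct/2016:23:29:09 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.
"""

TS_RE = re.compile(r"^\[([^\]]+)\]")
AGMT_RE = re.compile(r'agmt="cn=([^"]+)" \(([^)]+)\)')
CSN_RE = re.compile(r"Can't locate CSN ([0-9a-f]+)")
ATTR_RE = re.compile(r"attr_replace \(([^,]+), ([^)]+)\) failed")

def scan_errors_log(text):
    """Return (agreements, attr_failures): per-agreement replication state keyed by the
    agreement cn, and the attrlist_replace failures, which are a separate problem."""
    agreements, attr_failures = {}, []
    for line in text.splitlines():
        ts = TS_RE.match(line)
        ts = ts.group(1) if ts else None
        m = AGMT_RE.search(line)
        if m:
            a = agreements.setdefault(m.group(1), {
                "peer": m.group(2), "missing_csns": set(),
                "needs_reinit": False, "admin_action": False, "last_seen": ts})
            a["last_seen"] = ts
            c = CSN_RE.search(line)
            if c:
                a["missing_csns"].add(c.group(1))
            if "must be reinitialized" in line:   # 389-ds's own verdict, not a guess
                a["needs_reinit"] = True
            if "requires administrator action" in line:
                a["admin_action"] = True
        m = ATTR_RE.search(line)
        if m:
            attr_failures.append({"time": ts, "attr": m.group(1), "value": m.group(2)})
    return agreements, attr_failures

def agreements_needing_reinit(agreements):
    """Agreement names for which the consumer must be re-initialised."""
    return sorted(n for n, a in agreements.items() if a["needs_reinit"])

if __name__ == "__main__":
    agmts, attrs = scan_errors_log(SAMPLE_LOG)
    print(agreements_needing_reinit(agmts), attrs)
```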


Re: [Freeipa-users] FreeIPA and Samba

2016-10-10 Thread Alan Latteri
Nice, I think that page may also solve my problem.  Going to try it soon.

> On Oct 10, 2016, at 1:35 PM, Степаненко Алексей  
> wrote:


[Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-10 Thread John Popowitch
Hello FreeIPA community.
I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2.
I had to reboot one of the servers and now IPA won't run saying, "Upgrade 
required: please run ipa-server-upgrade command."
But when I run ipa-server-upgrade I get an error:
ipa: ERROR: Upgrade failed with This entry already exists
When I run it in debug mode the last action before the error is:
ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile
It appears that several of the other managed permissions are processed 
successfully.
When I look in the UI on one of the other servers it appears that this 
permission exists under IPA Server -> Role Based Access Control -> Permissions.
I'm not familiar with FreeIPA so any help would be greatly appreciated.
Thanks in advance.
-John


Re: [Freeipa-users] FreeIPA and Samba

2016-10-10 Thread Степаненко Алексей
I read the topic again:
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP

It works exactly as I wanted.

ipa-adtrust-install created the following configuration:

$ net conf list
[global]
workgroup = WORKGROUP
netbios name = SMB
realm = GW.SPB.RU
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 10
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=gw,dc=spb,dc=ru
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork

But I don't understand why it wasn't put into smb.conf directly.

The second problem is 'passdb backend'. I didn't find any documentation
about this module. An attempt to replace the file socket with a network
connection failed, and I had to set up LDAP replication. It was easy, but
"ipa-replica-prepare" installed a whole IPA server (tomcat, java, ldap),
not only the LDAP server. I need to continue reading the documentation.
However, the problem was solved.


06.10.2016 23:51, Степаненко Алексей wrote:

> Thank you for your reply.
>
> I've got a Samba server for a company; accounts are created by hand.
> Clients are different Windows or Linux desktops.
>
> I want to install FreeIPA and have one place for managing accounts
> (SMB, SSH access for other servers). Now I am preparing a clean samba
> installation for testing. It would be great to use FreeIPA as the
> authorization server for samba.
>
> I was looking for information about samba + freeIPA, but I found only
> this document. Maybe I am missing obvious things.
>
> 06.10.2016 20:31, Loris Santamaria wrote:
>
>> The document you are linking to explains how to configure a samba file
>> server in a freeipa domain, which is one of many ways you can configure
>> and use a samba server.
>>
>> What do you want to achieve with samba, and what is your current setup?
>>
>> On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote:
>>
>>> Hello.
>>>
>>> I've read the topic about FreeIPA and SAMBA
>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>
>>> If I understand correctly, samba's client must be present in
>>> FreeIPA  AD.
>>> Unfortunately, it does not work for me. I can't join some work
>>> desktops to AD. Is it possible to make Samba auth through LDAP IPA?
>>> Samba has ldap support:
>>>
>>>   ldap admin dn
>>>   ldap group suffix
>>>   ldap idmap suffix
>>>   ldap machine suffix
>>>   ldap passwd sync
>>>   ldap suffix
>>>   ldap user suffix
>>>
>>> Does it work with IPA?
>>>
>>> Thanks.







