Re: [Freeipa-users] FreeIPA 4.3.1 ipa-replica-install wrong exit code?

2017-02-22 Thread Martin Basti



On 23.02.2017 00:17, Diogenes S. Jesus wrote:
We are ansible-playbooking FreeIPA and we don't want to care about whether
FreeIPA is installed; we just want to ignore errors if it already is, but
for that the exit code is relevant.
Either the return code is wrong in the code or in the manual: according to
the manual it should be 3, but it's currently 1.



ubuntu@ipa02:~$ sudo -i
root@ipa02:~# http_proxy='' https_proxy='' ipa-replica-install 
--dirsrv-cert-file=/etc/ssl/private/ipa02.dev.pfx 
--http-cert-file=/etc/ssl/private/ipa02.dev.pfx --dirsrv-pin=export 
--http-pin=export
ipa.ipapython.install.cli.install_tool(Replica): ERROR  IPA server is 
already configured on this system.
If you want to reinstall the IPA server, please uninstall it first 
using 'ipa-server-install --uninstall'.
ipa.ipapython.install.cli.install_tool(Replica): ERROR  The 
ipa-replica-install command failed. See 
/var/log/ipareplica-install.log for more information


root@ipa02:~# echo $?
1

root@ipa02:~# cat /var/log/ipareplica-install.log
2017-02-22T22:49:45Z DEBUG Logging to /var/log/ipareplica-install.log
2017-02-22T22:49:45Z DEBUG ipa-replica-install was invoked with 
arguments [] and options: {'no_dns_sshfp': None, 'skip_schema_check': 
None, 'setup_kra': None, 'ip_addresses': None, 'mkhomedir': None, 
'no_pkinit': None, 'http_cert_files': 
['/etc/ssl/private/ipa02.dev.pfx'], 'no_ntp': None, 'verbose': False, 
'no_forwarders': None, 'keytab': None, 'ssh_trust_dns': None, 
'domain_name': None, 'http_cert_name': None, 'dirsrv_cert_files': 
['/etc/ssl/private/ipa02.dev.pfx'], 'no_dnssec_validation': None, 
'no_reverse': None, 'pkinit_cert_files': None, 'unattended': False, 
'auto_reverse': None, 'auto_forwarders': None, 'no_host_dns': None, 
'no_sshd': None, 'no_ui_redirect': None, 'dirsrv_config_file': None, 
'forwarders': None, 'pkinit_cert_name': None, 'setup_ca': None, 
'realm_name': None, 'skip_conncheck': None, 'no_ssh': None, 
'dirsrv_cert_name': None, 'quiet': False, 'server': None, 'setup_dns': 
None, 'host_name': None, 'log_file': None, 'reverse_zones': None, 
'allow_zone_overlap': None}

2017-02-22T22:49:45Z DEBUG IPA version 4.3.1
2017-02-22T22:49:45Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-02-22T22:49:45Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'

2017-02-22T22:49:45Z DEBUG httpd is configured
2017-02-22T22:49:45Z DEBUG kadmin is configured
2017-02-22T22:49:45Z DEBUG dirsrv is configured
2017-02-22T22:49:45Z DEBUG pki-tomcatd is not configured
2017-02-22T22:49:45Z DEBUG install is not configured
2017-02-22T22:49:45Z DEBUG krb5kdc is configured
2017-02-22T22:49:45Z DEBUG ntpd is configured
2017-02-22T22:49:45Z DEBUG named is not configured
2017-02-22T22:49:45Z DEBUG ipa_memcached is configured
2017-02-22T22:49:45Z DEBUG filestore has files
2017-02-22T22:49:45Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 308, in run
    self.validate()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 317, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 564, in _configure
    next(validator)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 36

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy

On Wed, 22 Feb 2017, Jason B. Nance wrote:

For example, for a user that would be (&(objectClass=posixAccount)(uid=%s))
where %s is ad_u...@server.com according to your example.

This is what would be intercepted and queried through SSSD.

For example:

$ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
'(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
SASL/GSSAPI authentication started
SASL username: ad...@xs.ipa.cool
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
# requesting: ALL
#

# u...@ad.ipa.cool, users, compat, xs.ipa.cool
dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: YO!
gidNumber: 967001113
gecos: YO!
ipaAnchorUUID:: 
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: u...@ad.ipa.cool

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1


I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage
status" says "Plugin Enabled", but searches for AD users yield no
results:

Sorry, I forgot to mention yesterday that if you didn't use
'ipa-adtrust-install --enable-compat' then one thing is missing from the
compat tree configuration to allow resolution of AD users. Luckily, it
is a simple ldapadd that can fix it. You can use ipa-ldap-updater:


# cat 80-enable-compat-nsswitch.update
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: user

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: group
# ipa-ldap-updater ./80-enable-compat-nsswitch.update


and then restart 389-ds.


As a side note, I'm also not able to use GSSAPI auth as you did:

$ kinit
Password for jna...@lab.gen.zone:
$ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone 
'(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

I used IPA user, not AD user to bind with GSSAPI.

In FreeIPA 4.4 it should work with an AD user as well, but only if the
user has an ID override entry, even an empty one:

# ipa idoverrideuser-add 'Default Trust View' administra...@ad.ipa.cool

and now administra...@ad.ipa.cool will be able to issue ldap searches
against IPA LDAP server from Linux machines. Note that ldp.exe will
still be unable to perform searches against IPA LDAP until
https://github.com/cyrusimap/cyrus-sasl/pull/424 is released in a
distribution.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
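An added example, not code from the thread or from FreeIPA: it parses the ldapsearch LDIF output shown in this thread and reports whether the compat tree actually returned the user, covering the empty-result case (ldapsearch prints no numEntries line at all) and the folded base64 ipaAnchorUUID value. The sample LDIF is constructed, modelled on the searches quoted above; the ':SID:' anchor form mentioned for trusted-domain users is an assumption, not something the thread shows.

```python
"""Parse ldapsearch LDIF output from the compat tree and check that the user
resolved (added example; not part of the thread or of FreeIPA).

Handles the shapes seen in the thread: '#' comment lines, a missing
'# numEntries' line when nothing matched, base64 ('::') attributes, and folded
values continued on a line that starts with one space.
"""
import base64
import re

# Constructed: a hit for an IPA-native user, shaped like the working search above.
SAMPLE_FOUND = """\
# extended LDIF
#
# LDAPv3
# filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
# requesting: ALL
#

# jnance-ipa, users, compat, ipa.lab.gen.zone
dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
cn: Jason Nance
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 10008
ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOmQxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
 AwNTA1NjkxMGE0NA==
uidNumber: 10008
loginShell: /bin/bash
homeDirectory: /home/jnance-ipa
uid: jnance-ipa

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed: the empty result the AD-user search returned (no numEntries line).
SAMPLE_EMPTY = """\
# extended LDIF
#
# LDAPv3
# filter: (&(objectClass=posixAccount)(uid=aduser@ad.example.test))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
"""

NUM_ENTRIES = re.compile(r"^# numEntries: (\d+)$", re.M)


def num_entries(text):
    """ldapsearch omits '# numEntries' entirely when nothing matched, so absent means 0."""
    m = NUM_ENTRIES.search(text)
    return int(m.group(1)) if m else 0


def parse_ldif(text):
    """Return entries as dicts attr -> [values]; only records with a dn count as entries."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes the last record
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue                              # ldapsearch comment line
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                  # '::' marks a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return entries


def compat_user_entry(text, uid):
    """The compat posixAccount entry for uid, or None (the empty-result case above)."""
    for entry in parse_ldif(text):
        if uid in entry.get("uid", []) and "posixAccount" in entry.get("objectClass", []):
            return entry
    return None


def anchor_of(entry):
    """Decoded ipaAnchorUUID: ':IPA:<domain>:<uuid>' for IPA users; trusted-domain
    users carry a ':SID:<sid>' anchor instead (assumption, not shown in the thread)."""
    values = entry.get("ipaAnchorUUID", [])
    return values[0] if values else None
```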


Re: [Freeipa-users] Dogtag certs did not auto-renew, very stuck!

2017-02-22 Thread Peter Fern
On 23/02/17 05:26, Rob Crittenden wrote:
> It's been many moons since I worked on nss-pem but from what I can tell
> it should be buildable outside of NSS so can ship as a separate package.
> You might try building it locally to see if it resolves the issues for
> you. It resides at https://github.com/kdudka/nss-pem

I had to modify an include path, and it links against some static libs
(libfreebl.a, libnssb.a, libnssckfw.a) that are not included in the
current Debian libnss3 packages, so a non-trivial packaging effort.  And
because certmonger appears to use nss directly, linking against a
different libcurl variant is also probably not an option.

There are other issues too - the default cert store path of
/etc/httpd/alias is still used in the deb package, however the correct
path is /etc/apache2/nssdb.



[Freeipa-users] Recommended approach to VM snapshot prior to upgrade

2017-02-22 Thread Brian Mathis
I have a 3-node cluster running FreeIPA 4.2 on RHEL 7.2.  I would like to
upgrade to RHEL 7.3 / IPA 4.4, and I want to make VM snapshots that I can
roll back to in case there are issues.  What is the recommended approach to
this?

Should services already be started when running the yum update?

Can I shut down each IPA service one by one, snapshot, then upgrade?  How
would replication be affected if I had to roll back to the older snapshot
after other nodes had been upgraded?

Or is it better to shut down all ipa services on all nodes, make snapshots,
then perform the upgrade?  Obviously that would bring down the domain
during the upgrade, but it would better ensure integrity.

Thanks,

~ Brian Mathis
@orev

[Freeipa-users] FreeIPA 4.3.1 ipa-replica-install wrong exit code?

2017-02-22 Thread Diogenes S. Jesus
We are ansible-playbooking FreeIPA and we don't want to care about whether
FreeIPA is installed; we just want to ignore errors if it already is, but
for that the exit code is relevant.
Either the return code is wrong in the code or in the manual: according to
the manual it should be 3, but it's currently 1.


ubuntu@ipa02:~$ sudo -i
root@ipa02:~# http_proxy='' https_proxy='' ipa-replica-install
--dirsrv-cert-file=/etc/ssl/private/ipa02.dev.pfx
--http-cert-file=/etc/ssl/private/ipa02.dev.pfx --dirsrv-pin=export
--http-pin=export
ipa.ipapython.install.cli.install_tool(Replica): ERROR  IPA server is
already configured on this system.
If you want to reinstall the IPA server, please uninstall it first using
'ipa-server-install --uninstall'.
ipa.ipapython.install.cli.install_tool(Replica): ERROR  The
ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information

root@ipa02:~# echo $?
1

root@ipa02:~# cat /var/log/ipareplica-install.log
2017-02-22T22:49:45Z DEBUG Logging to /var/log/ipareplica-install.log
2017-02-22T22:49:45Z DEBUG ipa-replica-install was invoked with arguments
[] and options: {'no_dns_sshfp': None, 'skip_schema_check': None,
'setup_kra': None, 'ip_addresses': None, 'mkhomedir': None, 'no_pkinit':
None, 'http_cert_files': ['/etc/ssl/private/ipa02.dev.pfx'], 'no_ntp':
None, 'verbose': False, 'no_forwarders': None, 'keytab': None,
'ssh_trust_dns': None, 'domain_name': None, 'http_cert_name': None,
'dirsrv_cert_files': ['/etc/ssl/private/ipa02.dev.pfx'],
'no_dnssec_validation': None, 'no_reverse': None, 'pkinit_cert_files':
None, 'unattended': False, 'auto_reverse': None, 'auto_forwarders': None,
'no_host_dns': None, 'no_sshd': None, 'no_ui_redirect': None,
'dirsrv_config_file': None, 'forwarders': None, 'pkinit_cert_name': None,
'setup_ca': None, 'realm_name': None, 'skip_conncheck': None, 'no_ssh':
None, 'dirsrv_cert_name': None, 'quiet': False, 'server': None,
'setup_dns': None, 'host_name': None, 'log_file': None, 'reverse_zones':
None, 'allow_zone_overlap': None}
2017-02-22T22:49:45Z DEBUG IPA version 4.3.1
2017-02-22T22:49:45Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-02-22T22:49:45Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-02-22T22:49:45Z DEBUG httpd is configured
2017-02-22T22:49:45Z DEBUG kadmin is configured
2017-02-22T22:49:45Z DEBUG dirsrv is configured
2017-02-22T22:49:45Z DEBUG pki-tomcatd is not configured
2017-02-22T22:49:45Z DEBUG install is not configured
2017-02-22T22:49:45Z DEBUG krb5kdc is configured
2017-02-22T22:49:45Z DEBUG ntpd is configured
2017-02-22T22:49:45Z DEBUG named is not configured
2017-02-22T22:49:45Z DEBUG ipa_memcached is configured
2017-02-22T22:49:45Z DEBUG filestore has files
2017-02-22T22:49:45Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 308, in run
    self.validate()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 317, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 564, in _configure
    next(validator)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in 
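An added example, not code from the thread or from FreeIPA: a small Python wrapper a playbook could call so that the 4.3.1 behaviour (exit code 1 plus the "already configured" message) is treated the same way as the exit code 3 the manual documents, and so the install is skipped up front when the state file already lists configured components. It assumes /var/lib/ipa/sysrestore/sysrestore.state (the file the log above loads) is INI-style with one section per configured component; the sample state file and stderr text are constructed.

```python
"""Idempotent ipa-replica-install wrapper (added example, not FreeIPA code).

Assumptions: /var/lib/ipa/sysrestore/sysrestore.state is an INI-style file with
one section per configured component such as [dirsrv] or [httpd]; the
"already configured" message is the one shown in the thread.
"""
import configparser
import subprocess
from pathlib import Path

ALREADY_CONFIGURED_MSG = "IPA server is already configured on this system"
RC_ALREADY_CONFIGURED = 3   # exit code the manual documents, per the thread
RC_GENERIC_ERROR = 1        # exit code 4.3.1 actually returns in this case

# Constructed sample of the state file, in the assumed format.
SAMPLE_STATE = """\
[dirsrv]
enabled = True
running = True

[httpd]
enabled = True
running = True

[krb5kdc]
enabled = True
running = True
"""

# Constructed stderr, copied from the failure shown in the thread.
SAMPLE_OUTPUT = """\
ipa.ipapython.install.cli.install_tool(Replica): ERROR  IPA server is already configured on this system.
If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
ipa.ipapython.install.cli.install_tool(Replica): ERROR  The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
"""


def configured_components_from_text(text):
    """Sorted section names of a sysrestore.state body; empty if nothing is configured."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return sorted(parser.sections())


def configured_components(state_path="/var/lib/ipa/sysrestore/sysrestore.state"):
    """Same, read from disk; a missing file means no component was ever configured."""
    path = Path(state_path)
    if not path.is_file():
        return []
    return configured_components_from_text(path.read_text())


def classify_result(returncode, output):
    """Map exit code plus captured output to 'installed', 'already-configured' or 'failed'.
    Exit code 1 is ambiguous on 4.3.1, so the message text decides that case."""
    if returncode == 0:
        return "installed"
    if returncode == RC_ALREADY_CONFIGURED:
        return "already-configured"
    if returncode == RC_GENERIC_ERROR and ALREADY_CONFIGURED_MSG in output:
        return "already-configured"
    return "failed"


def ensure_replica(install_args, state_path="/var/lib/ipa/sysrestore/sysrestore.state",
                   run=subprocess.run):
    """Skip the install when the state file already lists components; otherwise run
    ipa-replica-install and classify what happened. Returns (status, components)."""
    components = configured_components(state_path)
    if components:
        return "already-configured", components
    proc = run(["ipa-replica-install", *install_args], capture_output=True, text=True)
    return classify_result(proc.returncode, proc.stdout + proc.stderr), []
```

A playbook task can then treat "already-configured" as unchanged and only "failed" as an error, independent of which exit code the installed version returns.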
 

[Freeipa-users] authenticating with dns

2017-02-22 Thread Aaron Young
Hello Everyone

I recently lost the master master IPA server set up by the previous
administrator.
As it stands now, if I try to add a new client in order to stand up a new
replica, I get errors while trying to set up DNS. This led me to look at how
authentication worked (I'm new to IPA), and I learned about the Kerberos
tools.

I don't know if I'm familiar enough with the terminology to adequately
describe what I'm experiencing, so I'll give you some of the commands and
their results.

but first, a bit on the design

before I got to this, we had

a <-> b <-> c <-> d

b was the master master

a, happened to point to two test servers nyc02ipa01 and nyc02ipa02 (not
pictured, I discovered them later when c and d started having problems)

a - nyc01ipa02
b - nyc01ipa01
c - ld4ipa01
d - ld4ipa02

currently, I have nyc02ipa02 <-> nyc01ipa02

the reason I have it limited like this is because all the other servers
stopped replicating for one reason or another (mainly that they can't
authenticate or in one case, there was a database record corruption)

Anyway, here are some activities and logs from the latest round of fixes
and information activities I've been engaging in

22:54:32 root@nyc01ipa02:~# kinit admin
kinit: Clients credentials have been revoked while getting initial
credentials

Reading through this tells me that

# kadmin: modprinc -unlock PRINCNAME

will unlock an account...but if I can't get in

22:54:37 root@nyc01ipa02:~# kadmin
Authenticating as principal root/admin@MF with password.
kadmin: Client 'root/admin@MF' not found in Kerberos database while
initializing kadmin interface

on ld4ipa02, did a

# ipa-client-install --uninstall

then

# ipa-client-install --force-join --enable-dns-updates --permit -f
--ssh-trust-dns --request-cert --automount-location=LD4 --enable-dns-updates

DNS did not update, here is the relevant portion from
/var/log/ipaclient-install.log

2017-02-20T18:46:49Z DEBUG Writing nsupdate commands to
/etc/ipa/.dns_update.txt:
2017-02-20T18:46:49Z DEBUG debug

update delete ld4ipa02.mf. IN A
show
send

update delete ld4ipa02.mf. IN 
show
send

update add ld4ipa02.mf. 1200 IN A 10.102.100.140
show
send

2017-02-20T18:46:49Z DEBUG Starting external process
2017-02-20T18:46:49Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2017-02-20T18:46:49Z DEBUG Process finished, return code=1
2017-02-20T18:46:49Z DEBUG stdout=Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ld4ipa02.mf. 0 ANY A

2017-02-20T18:46:49Z DEBUG stderr=Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34702
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ld4ipa02.mf. IN SOA

;; AUTHORITY SECTION:
mf. 1800 IN SOA ld4ipa01.mf. hostmaster.mf. 1487615509 3600 900 1209600 3600

Found zone name: mf
The master is: ld4ipa01.mf
start_gssrequest
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server
DNS/ld4ipa01.mf@MF not found in Kerberos database.

2017-02-20T18:46:49Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2017-02-20T18:46:49Z ERROR Failed to update DNS records.
2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN A
2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN 
2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
2017-02-20T18:46:49Z DEBUG DNS resolver: Query:
140.100.102.10.in-addr.arpa. IN PTR
2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
2017-02-20T18:46:49Z WARNING Missing A/ record(s) for host
ld4ipa02.mf: 10.102.100.140.
2017-02-20T18:46:49Z WARNING Missing reverse record(s) for
address(es): 10.102.100.140.

Why isn't there an entry for "DNS/ld4ipa01.mf@MF" in the Kerberos database?

klist -ktK /etc/dirsrv/ds.keytab on ld4ipa01 returns

Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
(0x696a502bc73d209acdd36c42242f7f8aff9dbba1073b34ea018ed3bd9cdfd970)
2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
(0xe031464b6948ea34f4291d40fca7a21e)
2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
(0xe94a1c98fe79b6317901435d9e9e0257cefe438ff2ec527f)
2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
(0x6aaf4c7fa6b51b9de032b7c6428307b5)
2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
(0x5e0702f44aef9e0633e09eede7ca8041)
2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
(0x6e3a9d29ee3f129a156ae6228ab7728df8ce5de923a61eba6a2e7802b8d230b6)


Tried to test connectivity using ldapsearch; found that I could connect to
other hosts on 389 but not 636.

# ldapsearch -H ldap://nyc02ipa02:389 -D "cn=directory manager" -W -b "" -s base
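An added example, not from the thread: Python that pulls the service principal out of the nsupdate -g failure quoted above and checks it against a klist -kt listing, so the question "why is there no entry for DNS/ld4ipa01.mf@MF" is split into what the KDC was asked for and what the inspected keytab actually holds. The inputs are constructed in the shape of the quoted output (key bytes omitted); it does not contact a KDC.

```python
"""Cross-check the principal nsupdate -g could not get a ticket for against a
keytab listing (added example, not part of the thread or of FreeIPA).

The TKEY negotiation asks the KDC for a ticket to DNS/<zone master>@REALM;
'not found in Kerberos database' is the KDC's answer, so the lookup that failed
is on the KDC, not in any keytab on the client. The keytab check only shows
whether the file that was inspected is the one that would hold that service.
"""
import re

GSS_NOT_FOUND = re.compile(r"Server\s+(?P<princ>\S+@\S+)\s+not found in Kerberos database")
SOA_MASTER = re.compile(r"^The master is:\s+(?P<master>\S+)\s*$", re.M)
KLIST_LINE = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+@\S+)", re.M)

# Constructed from the nsupdate failure in the thread (log prefixes removed).
SAMPLE_NSUPDATE = """\
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34702
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
mf. 1800 IN SOA ld4ipa01.mf. hostmaster.mf. 1487615509 3600 900 1209600 3600

Found zone name: mf
The master is: ld4ipa01.mf
start_gssrequest
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server
DNS/ld4ipa01.mf@MF not found in Kerberos database.
"""

# Constructed: klist -kt /etc/dirsrv/ds.keytab, one line per enctype, keys omitted.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
   2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
   2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
"""


def missing_principal(nsupdate_stderr):
    """Principal named in the 'not found in Kerberos database' minor status, or None.
    The message may wrap, so whitespace between 'Server' and the name is tolerated."""
    m = GSS_NOT_FOUND.search(nsupdate_stderr)
    return m.group("princ") if m else None


def soa_master(nsupdate_stderr):
    """Zone master nsupdate chose from the SOA reply (the host whose DNS/ key is needed)."""
    m = SOA_MASTER.search(nsupdate_stderr)
    return m.group("master") if m else None


def keytab_principals(klist_output):
    """{principal: highest kvno}; klist repeats a principal once per enctype."""
    found = {}
    for m in KLIST_LINE.finditer(klist_output):
        princ, kvno = m.group("princ"), int(m.group("kvno"))
        found[princ] = max(found.get(princ, 0), kvno)
    return found


def diagnose(nsupdate_stderr, klist_output):
    """Combine both outputs into one structured finding."""
    princ = missing_principal(nsupdate_stderr)
    if princ is None:
        return {"principal": None}
    service, _, rest = princ.partition("/")
    host, _, realm = rest.partition("@")
    have = keytab_principals(klist_output)
    return {
        "principal": princ,
        "service": service,
        "host": host,
        "realm": realm,
        "master": soa_master(nsupdate_stderr),
        "in_keytab": princ in have,
        # which services the inspected keytab serves at all (ds.keytab: ldap only)
        "keytab_services": sorted({p.split("/")[0] for p in have if "/" in p}),
    }
```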

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason,

I am not sure about that. I just rebuilt my IPA server since its only
purpose is to authenticate users with the AD. As for the clients, I removed
them from the FreeIPA server using ipa-client-install --uninstall and
rebooted. Once they rebooted my saltstack state added them back to the
server. Sorry, I can't help you much there.

Regards,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 2:19 PM, Jason B. Nance  wrote:

>
> I realized I had made one more change. I setup the FreeIPA server again
> and this time I added the --enable-compat with my
> /usr/sbin/ipa-adtrust-install command.
>
> Is it safe to re-run ipa-adtrust-install?  I have existing trusts in place.
>
> Thanks,
>
> j
>
>

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> I realized I had made one more change. I setup the FreeIPA server again and 
> this
> time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install 
> command.

Is it safe to re-run ipa-adtrust-install? I have existing trusts in place. 

Thanks, 

j 

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason,

Also, my bind DN is a native FreeIPA user and doesn't exist on the Active
Directory.

Regards,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 2:07 PM, Hanoz Elavia 
wrote:

> Hey Jason,
>
> I realized I had made one more change. I setup the FreeIPA server again
> and this time I added the --enable-compat with my
> /usr/sbin/ipa-adtrust-install command.
>
> Yes, I cannot use GSSAPI either. I use a simple bind to run an LDAP query.
> On IPA clients I don't need to authenticate as IPA takes care of that. Hope
> this helps.
>
> Regards,
>
> Hanoz
>
>
> Hanoz Elavia | IT Manager
> O: 604-734-2866 | www.atomiccartoons.com
> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>
> On Wed, Feb 22, 2017 at 1:50 PM, Jason B. Nance 
> wrote:
>
>> > For example, for user that would be (&(objectClass=posixAccount)(u
>> id=%s))
>> > where %s is ad_u...@server.com according to your example.
>> >
>> > This is what would be intercepted and queried through SSSD.
>> >
>> > For example:
>> >
>> > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
>> > '(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
>> > SASL/GSSAPI authentication started
>> > SASL username: ad...@xs.ipa.cool
>> > SASL SSF: 56
>> > SASL data security layer installed.
>> > # extended LDIF
>> > #
>> > # LDAPv3
>> > # base  with scope subtree
>> > # filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
>> > # requesting: ALL
>> > #
>> >
>> > # u...@ad.ipa.cool, users, compat, xs.ipa.cool
>> > dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
>> > objectClass: ipaOverrideTarget
>> > objectClass: posixAccount
>> > objectClass: top
>> > cn: YO!
>> > gidNumber: 967001113
>> > gecos: YO!
>> > ipaAnchorUUID:: 
>> > uidNumber: 967001113
>> > loginShell: /bin/bash
>> > homeDirectory: /home/ad.ipa.cool/user
>> > uid: u...@ad.ipa.cool
>> >
>> > # search result
>> > search: 4
>> > result: 0 Success
>> >
>> > # numResponses: 2
>> > # numEntries: 1
>>
>> I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage
>> status" says "Plugin Enabled", but searches for AD users yield no results:
>>
>> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))' -W -x -D
>> 'cn=Directory Manager'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: (&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>>
>> I'm currently logged into the machine with an AD account from a trust:
>>
>> [jna...@lab.gen.zone@sl2aospljmp0001 ~]$ whoami
>> jna...@lab.gen.zone
>> [jna...@lab.gen.zone@sl2aospljmp0001 ~]$ id
>> uid=21104(jna...@lab.gen.zone) gid=21104(jna...@lab.gen.zone)
>> groups=21104(jna...@lab.gen.zone),10009(lgz-lxusers),10011(lxeng),20512(domain
>> adm...@lab.gen.zone),20513(domain us...@lab.gen.zone),21112(lxus
>> e...@lab.gen.zone),21117(lab_adm...@lab.gen.zone)
>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>>
>> If I search for a user that is local to IPA it works:
>>
>> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)(uid=jnance-ipa))' -W -x -D 'cn=Directory
>> Manager' -H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
>> # requesting: ALL
>> #
>>
>> # jnance-ipa, users, compat, ipa.lab.gen.zone
>> dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> cn: Jason Nance
>> objectClass: posixAccount
>> objectClass: ipaOverrideTarget
>> objectClass: top
>> gidNumber: 10008
>> gecos: Jason Nance
>> ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOm
>> QxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
>>  AwNTA1NjkxMGE0NA==
>> uidNumber: 10008
>> loginShell: /bin/bash
>> homeDirectory: /home/jnance-ipa
>> uid: jnance-ipa
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>> As a side note, I'm also not able to use GSSAPI auth as you did:
>>
>> $ kinit
>> Password for jna...@lab.gen.zone:
>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
>> '(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>
>
>

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason,

I realized I had made one more change. I setup the FreeIPA server again and
this time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install
command.

Yes, I cannot use GSSAPI either. I use a simple bind to run an LDAP query. On
IPA clients I don't need to authenticate as IPA takes care of that. Hope
this helps.

Regards,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 1:50 PM, Jason B. Nance  wrote:

> > For example, for user that would be (&(objectClass=posixAccount)(
> uid=%s))
> > where %s is ad_u...@server.com according to your example.
> >
> > This is what would be intercepted and queried through SSSD.
> >
> > For example:
> >
> > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
> > '(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
> > SASL/GSSAPI authentication started
> > SASL username: ad...@xs.ipa.cool
> > SASL SSF: 56
> > SASL data security layer installed.
> > # extended LDIF
> > #
> > # LDAPv3
> > # base  with scope subtree
> > # filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
> > # requesting: ALL
> > #
> >
> > # u...@ad.ipa.cool, users, compat, xs.ipa.cool
> > dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
> > objectClass: ipaOverrideTarget
> > objectClass: posixAccount
> > objectClass: top
> > cn: YO!
> > gidNumber: 967001113
> > gecos: YO!
> > ipaAnchorUUID:: 
> > uidNumber: 967001113
> > loginShell: /bin/bash
> > homeDirectory: /home/ad.ipa.cool/user
> > uid: u...@ad.ipa.cool
> >
> > # search result
> > search: 4
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
>
> I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage
> status" says "Plugin Enabled", but searches for AD users yield no results:
>
> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
> '(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))' -W -x -D
> 'cn=Directory Manager'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
>
> I'm currently logged into the machine with an AD account from a trust:
>
> [jna...@lab.gen.zone@sl2aospljmp0001 ~]$ whoami
> jna...@lab.gen.zone
> [jna...@lab.gen.zone@sl2aospljmp0001 ~]$ id
> uid=21104(jna...@lab.gen.zone) gid=21104(jna...@lab.gen.zone)
> groups=21104(jna...@lab.gen.zone),10009(lgz-lxusers),10011(lxeng),20512(domain
> adm...@lab.gen.zone),20513(domain us...@lab.gen.zone),21112(
> lxus...@lab.gen.zone),21117(lab_adm...@lab.gen.zone) context=unconfined_u:
> unconfined_r:unconfined_t:s0-s0:c0.c1023
>
>
> If I search for a user that is local to IPA it works:
>
> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
> '(&(objectClass=posixAccount)(uid=jnance-ipa))' -W -x -D 'cn=Directory
> Manager' -H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
> # requesting: ALL
> #
>
> # jnance-ipa, users, compat, ipa.lab.gen.zone
> dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
> cn: Jason Nance
> objectClass: posixAccount
> objectClass: ipaOverrideTarget
> objectClass: top
> gidNumber: 10008
> gecos: Jason Nance
> ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOm
> QxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
>  AwNTA1NjkxMGE0NA==
> uidNumber: 10008
> loginShell: /bin/bash
> homeDirectory: /home/jnance-ipa
> uid: jnance-ipa
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> As a side note, I'm also not able to use GSSAPI auth as you did:
>
> $ kinit
> Password for jna...@lab.gen.zone:
> $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
> '(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>

Re: [Freeipa-users] lost master master and soa

2017-02-22 Thread Aaron Young
Sorry for the late response; yes, this was helpful.

I ended up realizing that each IPA server is a kind of SOA and that I
needed to get rid of the old master, and much of it resolved itself...until
the next problem surfaced that is keeping me from creating a new master (at
least, with my limited knowledge).

I'll start a new message about this to help the web searchers in the future.


On Tue, Feb 14, 2017 at 2:18 AM, Martin Babinsky 
wrote:

> On 02/13/2017 10:12 PM, Aaron Young wrote:
>
>> hello
>>
>> So, I recently took over this site and a couple days into it, the first
>> ipa server died because of disk corruption.
>>
>> Right now, I've built another ipa server to step into the topology as a
>> replica, but I keep getting strange dns errors during update
>>
>> Looking at it closer, it appears that when nsupdate runs, it fails
>> updating
>>
>> looking closer, I notice that the SOA comes back with the name of the
>> missing server
>>
>> So, it seems like I should change that. So far I've been unable to
>>
>> I get messages back from nsupdate like
>>
>> "response to SOA query was unsuccessful"
>>
>> I'm not sure what information I should send to help with this
>>
>> My main question is, is there a way to force the change of the SOA?
>>
>> aaron
>> --
>> Aaron Young
>> MarketFactory, Manager of Site Reliability Engineering
>> 425 Broadway, 3FL
>> New  York, NY 10013
>> Office: +1 212 625 9988
>> Direct +1 646 779 3710
>> US Support: +1 (212) 625-0688  | UK
>> Support: +44 (0) 203 695-7997 
>>
>>
>>
> Hi Aaron,
>
> There may be a stale NS record on other IPA masters which serve your
> DNS zone. You can verify this by running:
>
> # ipa dnsrecord-show  @
>
> and check the list of nameservers returned.
>
> To remove the record of the old master run
>
> # ipa dnsrecord-del   @ --ns-rec 
>
> Also, make sure you cleaned up old agreements, services, etc. of the old
> master by running `ipa-replica-manage del --force --cleanup `
> on some other IPA master.
>
> You will also probably have to stand up a new CA renewal/CRL master[1] on
> one of the remaining replicas if the first server died and you have CA
> configured.
>
> [1] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>
> Hope this helps
>
> --
> Martin^3 Babinsky
>



-- 
Aaron Young
MarketFactory, Manager of Site Reliability Engineering
425 Broadway, 3FL
New  York, NY 10013
Office: +1 212 625 9988
Direct +1 646 779 3710
US Support: +1 (212) 625-0688 | UK Support: +44 (0) 203 695-7997

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
> where %s is ad_u...@server.com according to your example.
> 
> This is what would be intercepted and queried through SSSD.
> 
> For example:
> 
> $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
> '(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
> SASL/GSSAPI authentication started
> SASL username: ad...@xs.ipa.cool
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
> # requesting: ALL
> #
> 
> # u...@ad.ipa.cool, users, compat, xs.ipa.cool
> dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
> objectClass: ipaOverrideTarget
> objectClass: posixAccount
> objectClass: top
> cn: YO!
> gidNumber: 967001113
> gecos: YO!
> ipaAnchorUUID:: 
> uidNumber: 967001113
> loginShell: /bin/bash
> homeDirectory: /home/ad.ipa.cool/user
> uid: u...@ad.ipa.cool
> 
> # search result
> search: 4
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1

I'm not able to recreate this (on FreeIPA 4.4.0).  "ipa-compat-manage status" 
says "Plugin Enabled", but searches for AD users yield no results:

$ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone 
'(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))' -W -x -D 'cn=Directory 
Manager'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


I'm currently logged into the machine with an AD account from a trust:

[jna...@lab.gen.zone@sl2aospljmp0001 ~]$ whoami
jna...@lab.gen.zone
[jna...@lab.gen.zone@sl2aospljmp0001 ~]$ id
uid=21104(jna...@lab.gen.zone) gid=21104(jna...@lab.gen.zone) 
groups=21104(jna...@lab.gen.zone),10009(lgz-lxusers),10011(lxeng),20512(domain 
adm...@lab.gen.zone),20513(domain 
us...@lab.gen.zone),21112(lxus...@lab.gen.zone),21117(lab_adm...@lab.gen.zone) 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


If I search for a user that is local to IPA it works:

$ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone 
'(&(objectClass=posixAccount)(uid=jnance-ipa))' -W -x -D 'cn=Directory Manager' 
-H 'ldaps://sl2mmgplidm0001.ipa.lab.gen.zone'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=posixAccount)(uid=jnance-ipa))
# requesting: ALL
#

# jnance-ipa, users, compat, ipa.lab.gen.zone
dn: uid=jnance-ipa,cn=users,cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone
cn: Jason Nance
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 10008
gecos: Jason Nance
ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOmQxYzU0NGI2LWU5YjktMTFlNi1iNWM1LT
 AwNTA1NjkxMGE0NA==
uidNumber: 10008
loginShell: /bin/bash
homeDirectory: /home/jnance-ipa
uid: jnance-ipa

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


As a side note, I'm also not able to use GSSAPI auth as you did:

$ kinit
Password for jna...@lab.gen.zone:
$ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone 
'(&(objectClass=posixAccount)(uid=jna...@lab.gen.zone))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)



Re: [Freeipa-users] Debian client installation

2017-02-22 Thread Lukas Slebodnik
On (22/02/17 17:35), Per Qvindesland wrote:
>Hi 
>
>Thanks for the answer.
>
>Is there any workaround for this that anyone can suggest?
>
There are two versions of sudo packages in Debian:
sudo and sudo-ldap. IIRC the 1st one is compiled with sssd support
and the 2nd one just with ldap support.

Which one do you use?
You can check the output of sudo --version | grep sss.

If neither of the packages is compiled with sssd by default in wheezy
then you can try to install packages from wheezy-backports.

And then I would recommend following the instructions in the manual page
sssd-sudo.

LS



Re: [Freeipa-users] FreeIPA Fedora 25 and IPA CentOS 7.3

2017-02-22 Thread Lukas Slebodnik
On (22/02/17 12:59), Alexander Bokovoy wrote:
>On ke, 22 helmi 2017, Ente Trompete wrote:
>> The next question which I have is: can I install a Fedora 25 and use
>> the included FreeIPA v4.4.1-3 to create a replica of the existing
>> 4.4.0-14? My problem is that I will use an ARM32 computer as replica
>> and Centos 7.3 runs properly on it but the repositories includes only
>> ipa-client packages. No ipa-server* package (BTW also for ARM64 is only
>> ipa-server-common available). But in the repositories of Fedora 25
>> ARM32 I can found all.
>Packages in Fedora are 'freeipa-*', packages in RHEL/CentOS are 'ipa-*'.
>
There is no problem installing ipa-server on Fedora.
There are Provides for it.

sh# cat /etc/os-release
NAME=Fedora
VERSION="26 (Server Edition)"
ID=fedora
VERSION_ID=26
PRETTY_NAME="Fedora 26 (Server Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:26"
HOME_URL="https://fedoraproject.org/";
BUG_REPORT_URL="https://bugzilla.redhat.com/";
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=rawhide
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Server Edition"
VARIANT_ID=server

sh# dnf install ipa-server
Last metadata expiration check: 1:48:26 ago on Wed Feb 22 19:33:40 2017 CET.
Dependencies resolved.

 Package          Arch    Version       Repository  Size

Installing:
 freeipa-server   x86_64  4.4.3-4.fc26  rawhide     380 k
Installing dependencies:

LS



Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Michael Ströder
Iulian Roman wrote:
> On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder wrote:
> 
> Iulian Roman wrote:
> > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:
> >
> > Iulian Roman wrote:
> > > Does anybody know if the rfc2307aix schema is supported in IPA server
> >
> > No, it isn't supported (it's the first I've ever heard of it). Looking
> > at the schema I doubt it is something that would ever be fully supported.
> >
> > is there any possibility to extend the existing schema with additional
> > attributes/object
> 
> Do you really use this specific AIX schema?
> If yes, which attributes for which purpose?
> 
> I do need the aixAuxAccount and aixAuxGroup object classes. They implement some
> password restrictions needed for security/compliance

Password policy is something best enforced centrally in the authentication
server and password management system. So IMHO this serves as a perfect
example of proprietary attributes you won't need.

How is authentication done? SSH keys, Kerberos, LDAP simple bind?

> + some other security related attributes.
> Personally I do not consider them a must - they are rather some nice-to-have
> features - but I have to migrate an environment which does use them. And I
> would like as well to make the migration as transparent as possible
> (therefore without "missing features").

Is the existing environment also an LDAP server with this particular AIX schema?
Or are you trying to follow a migration path to LDAP suggested by IBM docs?

Being in your position I'd first compile a list of functional and security
requirements and then ask whether these requirements can be implemented with
FreeIPA. I'm curious to learn whether "some other security related attributes"
are still needed after all.

Ciao, Michael.




Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy

On ke, 22 helmi 2017, Hanoz Elavia wrote:
> Hey Alexander,
>
> So based on the RFC 2307 documentation, I built a test server and ran the
> following command:
>
> ldapsearch -x -W -H 'ldap://ipa.server.com' -b
> 'cn=compat,dc=ipa,dc=server,dc=com' -D
> 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' -s sub 'uid=
> ad_u...@server.com'
>
> It worked as expected. Then once I rebooted the test server it stopped
> working. Any idea which service might be failing ?

As I said, these are dynamic entries. You should use proper queries.
I mentioned RFC2307, use section 5.2 to get proper queries.

For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
where %s is ad_u...@server.com according to your example.

This is what would be intercepted and queried through SSSD.

For example:

$ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool 
'(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
SASL/GSSAPI authentication started
SASL username: ad...@xs.ipa.cool
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))
# requesting: ALL
#

# u...@ad.ipa.cool, users, compat, xs.ipa.cool
dn: uid=u...@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: YO!
gidNumber: 967001113
gecos: YO!
ipaAnchorUUID:: 
uidNumber: 967001113
loginShell: /bin/bash
homeDirectory: /home/ad.ipa.cool/user
uid: u...@ad.ipa.cool

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

> Regards,
>
> Hanoz
>
> On Wed, Feb 22, 2017 at 8:40 AM, Hanoz Elavia wrote:
>
>> Hey Alex,
>>
>> Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll
>> have a look at the link and see if we can change the query to obtain the
>> info required.
>>
>> Regards,
>>
>> Hanoz
>>
>> *Hanoz Elavia |*  IT Manager
>> *O:* 604-734-2866 *|*  *www.atomiccartoons.com*
>> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>>
>> On Wed, Feb 22, 2017 at 8:34 AM, Alexander Bokovoy wrote:
>>
>>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>>
>>>> Thanks Alex,
>>>>
>>>> Does it also means that I'll have to install the FreeIPA server with
>>>> --enable-compat ? I didn't do that.
>>>
>>> check ipa-compat-manage tool.
>>>
>>>> Regards,
>>>>
>>>> Hanoz
>>>>
>>>> *Hanoz Elavia |*  IT Manager
>>>> *O:* 604-734-2866 *|*  *www.atomiccartoons.com*
>>>> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>>>>
>>>> On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy wrote:
>>>>
>>>>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>>>>
>>>>>> Hey Alex,
>>>>>>
>>>>>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>>>>>> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>>>>>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>>>>>> version of the Windows Server, SFU seems to have been discontinued.
>>>>>
>>>>> I think you are confused by the names. What Compat tree provides is an
>>>>> interface on IPA side to look up identities of AD users and groups over
>>>>> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
>>>>> we don't depend on how Windows side provides or does not provide
>>>>> attributes.
>>>>> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
>>>>> generated by SSSD, or stored in ID overrides in IPA.
>>>>>
>>>>> But the query format is the one described in RFC 2307 because this is
>>>>> what all nss implementations like nss_ldap or similar ones use in
>>>>> UNIX-like environments. Windows Server is merely implementing the same
>>>>> LDAP schema to allow interoperability with the same clients. Think of
>>>>> Compat Tree in IPA as doing the same, just dynamically.
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>
>>> --
>>> / Alexander Bokovoy

--
/ Alexander Bokovoy

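Building the "proper queries" Alexander points to above: an added Python example (not code from this thread, from FreeIPA or from SSSD) that produces the RFC 2307 section 5.2 lookup filters against the compat tree, escapes the assertion value per RFC 4515 so a caller-supplied name cannot alter the filter structure, and checks whether a given filter has one of those shapes at all, which a bare `uid=name` search does not. The base DN dc=xs,dc=ipa,dc=cool and the name user@ad.ipa.cool are taken from the sample search in the thread; the function names are my own.

```python
"""RFC 2307 lookup filters for the FreeIPA compat tree.

Added example, not code from this thread or from FreeIPA/SSSD. The base DN
dc=xs,dc=ipa,dc=cool and the name user@ad.ipa.cool come from Alexander's
sample search; the function names are my own.
"""
import re

# RFC 4515: these characters must be escaped inside an assertion value,
# otherwise a caller-supplied name can change the structure of the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe embedding in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# The first four are the getpw*/getgr* filters from RFC 2307 section 5.2;
# the memberUid one is the classic nss_ldap initgroups query. These are the
# shapes the compat tree answers by asking SSSD on the caller's behalf.
_TEMPLATES = {
    "user_by_name": ("posixAccount", "uid"),
    "user_by_uid": ("posixAccount", "uidNumber"),
    "group_by_name": ("posixGroup", "cn"),
    "group_by_gid": ("posixGroup", "gidNumber"),
    "groups_of_user": ("posixGroup", "memberUid"),
}

_LOOKUP_RE = re.compile(
    r"^\(&\(objectClass=(posixAccount|posixGroup)\)"
    r"\((uid|uidNumber|cn|gidNumber|memberUid)=([^()]+)\)\)$"
)


def rfc2307_filter(lookup: str, value) -> str:
    """Return the RFC 2307 filter for one nss lookup kind, value escaped."""
    if lookup not in _TEMPLATES:
        raise ValueError(f"unknown lookup kind: {lookup}")
    object_class, attr = _TEMPLATES[lookup]
    if attr.endswith("Number"):
        # Numeric ids must be integers; anything else is rejected outright.
        value = int(value)
    escaped = escape_filter_value(str(value))
    return f"(&(objectClass={object_class})({attr}={escaped}))"


def is_rfc2307_lookup(ldap_filter: str) -> bool:
    """True if the filter has one of the RFC 2307 lookup shapes above.

    A bare 'uid=name' (the query in the thread that stopped working after a
    reboot) is not one of them, so it is not a lookup the compat tree
    resolves through SSSD.
    """
    m = _LOOKUP_RE.match(ldap_filter)
    return bool(m) and (m.group(1), m.group(2)) in _TEMPLATES.values()


def compat_base(container: str, base_dn: str) -> str:
    """Search base for users or groups under the compat tree."""
    if container not in ("users", "groups"):
        raise ValueError("container must be 'users' or 'groups'")
    return f"cn={container},cn=compat,{base_dn}"


def ldapsearch_argv(base_dn: str, lookup: str, value) -> list:
    """Build the GSSAPI-bound ldapsearch command line used in the thread."""
    container = "users" if lookup.startswith("user") else "groups"
    return ["ldapsearch", "-Y", "GSSAPI",
            "-b", compat_base(container, base_dn),
            rfc2307_filter(lookup, value)]


if __name__ == "__main__":
    # Constructed demonstration input: the user from Alexander's example.
    argv = ldapsearch_argv("dc=xs,dc=ipa,dc=cool", "user_by_name", "user@ad.ipa.cool")
    print(" ".join(argv))
```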


Re: [Freeipa-users] Dogtag certs did not auto-renew, very stuck!

2017-02-22 Thread Rob Crittenden
Peter Fern wrote:
> Okay, with much debugging and hoop-jumping, I can say that certmonger on
> Debian/Ubuntu is currently in a rather broken state, at least in a
> server role.
> 
> It links against libcurl3-nss, however on Debian/-derivs there is no
> build of nss-pem, so anything built against libcurl3-nss cannot parse
> PEM formatted certs.  This results in a failure to process the IPA CA
> from the filesystem, causing the certmonger agent to fail verification
> of the server cert, producing the curl 'Error 77 connecting to: Problem
> with the SSL CA cert (path? access rights?)' return, which makes it
> impossible to renew certificates, and resulted in wedging my deployment
> as described.
> 
> Does the FreeIPA issue tracker accept distro-specific reports, or is
> there somewhere more appropriate I should be sending this?  As it
> stands, operating a CA on Debian/Ubuntu will break in painful and
> unexpected fashion, and should be avoided.

Very nice job in tracking this down.

You can certainly open a ticket against freeipa or certmonger but I
think this is more a packaging issue in Debian, et al (although granted
a very non-obvious one).

It's been many moons since I worked on nss-pem but from what I can tell
it should be buildable outside of NSS so can ship as a separate package.
You might try building it locally to see if it resolves the issues for
you. It resides at https://github.com/kdudka/nss-pem

I don't know who does the certmonger packaging, is that you Timo?

rob

> 
> On 21/02/17 23:36, Peter Fern wrote:
>> I don't know why the certs did not auto-renew originally, but now I am
>> very stuck trying to get my CA functional again.  I've tried setting the
>> clock back to a week or two before the certs were due to expire, but I'm
>> still having no luck getting the CA functional.
>>
>> This is a Ubuntu server, so some paths are different to what may be
>> found on RPM-based distros.  Any urgent help would be greatly
>> appreciated - I've been bashing against this for a couple of hours now
>> with no luck, and the hour is getting late.
>>
>> Below is my current (anonymized) `getcert list` of the problem certs,
>> where you will see my current ca-error:
>>
>> Request ID '20160616123036':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=IPA RA,O=EXAMPLE.COM
>> expires: 2017-02-11 05:52:26 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20160616123427':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=CA Audit,O=EXAMPLE.COM
>> expires: 2017-02-11 05:52:03 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20160616123428':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>> expires: 2017-02-1

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alexander,

So based on the RFC 2307 documentation, I built a test server and ran the
following command:

 ldapsearch -x -W -H 'ldap://ipa.server.com' -b
'cn=compat,dc=ipa,dc=server,dc=com' -D
'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' -s sub 'uid=
ad_u...@server.com'

It worked as expected. Then once I rebooted the test server it stopped
working. Any idea which service might be failing ?

Regards,

Hanoz



On Wed, Feb 22, 2017 at 8:40 AM, Hanoz Elavia 
wrote:

> Hey Alex,
>
> Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll
> have a look at the link and see if we can change the query to obtain the
> info required.
>
> Regards,
>
> Hanoz
>
>
> *Hanoz Elavia |*  IT Manager
> *O:* 604-734-2866 *|*  *www.atomiccartoons.com*
> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>
> On Wed, Feb 22, 2017 at 8:34 AM, Alexander Bokovoy 
> wrote:
>
>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>
>>> Thanks Alex,
>>>
>>> Does it also means that I'll have to install the FreeIPA server with
>>> --enable-compat ? I didn't do that.
>>>
>>
>> check ipa-compat-manage tool.
>>
>>
>>> Regards,
>>>
>>> Hanoz
>>>
>>>
>>> *Hanoz Elavia |*  IT Manager
>>> *O:* 604-734-2866 *|*  *www.atomiccartoons.com*
>>> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>>>
>>> On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy 
>>> wrote:
>>>
>>>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>>>
>>>>> Hey Alex,
>>>>>
>>>>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>>>>> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>>>>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>>>>> version of the Windows Server, SFU seems to have been discontinued.
>>>>
>>>> I think you are confused by the names. What Compat tree provides is an
>>>> interface on IPA side to look up identities of AD users and groups over
>>>> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
>>>> we don't depend on how Windows side provides or does not provide
>>>> attributes.
>>>> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
>>>> generated by SSSD, or stored in ID overrides in IPA.
>>>>
>>>> But the query format is the one described in RFC 2307 because this is
>>>> what all nss implementations like nss_ldap or similar ones use in
>>>> UNIX-like environments. Windows Server is merely implementing the same
>>>> LDAP schema to allow interoperability with the same clients. Think of
>>>> Compat Tree in IPA as doing the same, just dynamically.
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>

>> --
>> / Alexander Bokovoy
>>
>
>

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Iulian Roman
On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder 
wrote:

> Iulian Roman wrote:
> > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:
> >
> > Iulian Roman wrote:
> > > Hello,
> > >
> > > Does anybody know if the rfc2307aix schema is supported in IPA server (i
> > > use red hat IDM version) ? If yes, is there any documentation available
> > > ? Was it tested ?
> >
> > No, it isn't supported (it's the first I've ever heard of it). Looking
> > at the schema I doubt it is something that would ever be fully supported.
> >
> > is there any possibility to extend the existing schema with additional
> > attributes/object
>
> Do you really use this specific AIX schema?
> If yes, which attributes for which purpose?
>
I do need the aixAuxAccount and aixAuxGroup object classes. They
implement some password restrictions needed for security/compliance + some
other security related attributes.
Personally I do not consider them a must - they are rather some nice-to-have
features - but I have to migrate an environment which does use them.
And I would like as well to make the migration as transparent as possible
(therefore without "missing features").


> Last time I've checked this schema when integrating AIX clients my
> conclusion was that
> this schema is rather useless and proprietary bloat.
>
> Ciao, Michael.
>
>

Re: [Freeipa-users] Debian client installation

2017-02-22 Thread Per Qvindesland
Hi 

Thanks for the answer.

Is there any workaround for this that anyone can suggest?

Regards
Per 

Sent from my Commodore 64

> On 18 Feb 2017, at 05:34, Timo Aaltonen  wrote:
> 
>> On 17.02.2017 17:37, Per Qvindesland wrote:
>> Hi All
>> 
>> I have installed free ipa client by using 
>> http://www.pakjiddat.pk/articles/all/installing-freeipa-client-on-debian 
>> which works, but I am unable to get the sudo to work, on debian 7.11 
>> machines,  sssd installed version is 1.9.6 which I think is pretty old.
>> 
>> Does anyone have any suggestions on how to get sudo to work on debian 7? 
>> perhaps another more updated how to?
> 
> you need sudo built with sssd support, which that repo is lacking.
> 
> 
> -- 
> t



Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Michael Ströder
Iulian Roman wrote:
> On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:
> 
> Iulian Roman wrote:
> > Hello,
> >
> > Does anybody know if the rfc2307aix schema is supported in IPA server (i
> > use red hat IDM version) ? If yes, is there any documentation available
> > ? Was it tested ?
> 
> No, it isn't supported (it's the first I've ever heard of it). Looking
> at the schema I doubt it is something that would ever be fully supported.
> 
> is there any possibility to extend the existing schema with additional 
> attributes/object

Do you really use this specific AIX schema?
If yes, which attributes for which purpose?

Last time I've checked this schema when integrating AIX clients my conclusion
was that this schema is rather useless and proprietary bloat.

Ciao, Michael.




Re: [Freeipa-users] sudo NOPASSWD for a single command

2017-02-22 Thread Jason B. Nance
> We have a script stored on a particular server in our realm that executes a
> number of non-privileged commands and are wanting to add /sbin/vgs command. The
> script uses SSH to then execute the same set of commands on all the servers in
> the realm.

> The owner of the script is in the administrator group and there are sudoer
> commands for the administrator group in general. We need to place a rule for
> this one command for either this group or the script owner to run NOPASSWD.

> Where and how would I specify that in the IPA admin console?

Have you tried creating your command in IPA as "NOPASSWD: /sbin/vgs" (Policy -> 
Sudo -> Sudo Commands)? 

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alex,

Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll
have a look at the link and see if we can change the query to obtain the
info required.

Regards,

Hanoz


*Hanoz Elavia |*  IT Manager
*O:* 604-734-2866 *|*  *www.atomiccartoons.com*
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 8:34 AM, Alexander Bokovoy 
wrote:

> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>
>> Thanks Alex,
>>
>> Does it also means that I'll have to install the FreeIPA server with
>> --enable-compat ? I didn't do that.
>>
>
> check ipa-compat-manage tool.
>
>
>> Regards,
>>
>> Hanoz
>>
>>
>> *Hanoz Elavia |*  IT Manager
>> *O:* 604-734-2866 *|*  *www.atomiccartoons.com*
>> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>>
>> On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy 
>> wrote:
>>
>>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>>
>>>> Hey Alex,
>>>>
>>>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>>>> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>>>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>>>> version of the Windows Server, SFU seems to have been discontinued.
>>>
>>> I think you are confused by the names. What Compat tree provides is an
>>> interface on IPA side to look up identities of AD users and groups over
>>> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
>>> we don't depend on how Windows side provides or does not provide
>>> attributes.
>>> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
>>> generated by SSSD, or stored in ID overrides in IPA.
>>>
>>> But the query format is the one described in RFC 2307 because this is
>>> what all nss implementations like nss_ldap or similar ones use in
>>> UNIX-like environments. Windows Server is merely implementing the same
>>> LDAP schema to allow interoperability with the same clients. Think of
>>> Compat Tree in IPA as doing the same, just dynamically.
>>>
>>> --
>>> / Alexander Bokovoy
>>>
> --
> / Alexander Bokovoy
>

[Freeipa-users] sudo NOPASSWD for a single command

2017-02-22 Thread Auerbach, Steven
We have a script stored on a particular server in our realm that executes a 
number of non-privileged commands and are wanting to add /sbin/vgs command. The 
script uses SSH to then execute the same set of commands on all the servers in 
the realm.

The owner of the script is in the administrator group and there are sudoer 
commands for the administrator group in general.  We need to place a rule for 
this one command for either this group or the script owner to run NOPASSWD.

Where and how would I specify that in the IPA admin console?

Steven Auerbach
Systems Administrator

State University System of Florida
Board of Governors
325 W. Gaines Street, Suite 1625
Tallahassee, Florida 32399
(850) 245-9592
steven.auerb...@flbog.edu | 
www.flbog.edu

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy

On ke, 22 helmi 2017, Hanoz Elavia wrote:
> Thanks Alex,
>
> Does it also means that I'll have to install the FreeIPA server with
> --enable-compat ? I didn't do that.

check ipa-compat-manage tool.

> Regards,
>
> Hanoz
>
> *Hanoz Elavia |*  IT Manager
> *O:* 604-734-2866 *|*  *www.atomiccartoons.com*
> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>
> On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy wrote:
>
>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>
>>> Hey Alex,
>>>
>>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>>> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>>> version of the Windows Server, SFU seems to have been discontinued.
>>
>> I think you are confused by the names. What Compat tree provides is an
>> interface on IPA side to look up identities of AD users and groups over
>> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
>> we don't depend on how Windows side provides or does not provide
>> attributes.
>> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
>> generated by SSSD, or stored in ID overrides in IPA.
>>
>> But the query format is the one described in RFC 2307 because this is
>> what all nss implementations like nss_ldap or similar ones use in
>> UNIX-like environments. Windows Server is merely implementing the same
>> LDAP schema to allow interoperability with the same clients. Think of
>> Compat Tree in IPA as doing the same, just dynamically.
>>
>> --
>> / Alexander Bokovoy

--
/ Alexander Bokovoy



Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-22 Thread Brendan Kearney

On 02/22/2017 10:26 AM, Kees Bakker wrote:

On 22-02-17 14:05, Brendan Kearney wrote:

On 02/22/2017 05:23 AM, Kees Bakker wrote:

On 21-02-17 19:49, Brendan Kearney wrote:

On 02/21/2017 10:57 AM, Kees Bakker wrote:

Hey,

Maybe one of the NFS users on this list could give me a hint what
could be wrong. I'm not sure if it has any relation with FreeIPA/Kerberos.

I've set up an NFS server and I can mount the NFS directory on my client. So, 
I'm
guessing that setting up Kerberos principal was done correctly.

However, only root can actually access the mounted contents. Any other user
only sees question marks as shown below.

The mount command is simple.
$ sudo mount -v -t nfs srv1.example.com:/home /nfshome
mount.nfs: timeout set for Tue Feb 21 16:36:39 2017
mount.nfs: trying text-based options 
'vers=4,addr=172.16.16.45,clientaddr=172.16.16.30'

On the server side /etc/exports looks like this.
/home*(rw,sync,sec=krb5i,no_subtree_check)

$ sudo mount |grep nfs
srv1.example.com:/home on /nfshome type nfs4 
(rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=172.16.16.30,local_lock=none,addr=172.16.16.45)

$ sudo ls -ld /nfshome
drwxr-xr-x 1 root root 72 feb 21 04:22 /nfshome
$ sudo ls -l /nfshome
total 0
drwxr-xr-x 1 keesb  keesb  116 jan 27 12:56 keesb

$ ls -l /nfshome
ls: cannot access '/nfshome': Permission denied
$ ls -l / | grep nfshome
ls: cannot access '/nfshome': Permission denied
d?   ? ??   ?? nfshome


sec=krb* means that the user accessing the mount has to authenticate with a 
kerberos ticket, and has to be the user or in the group granted access to the 
share.  from the looks of things, the user did not authenticate, and that is 
why the permissions are question marks.  check the kerberos tickets that the 
user has (klist output).  Otherwise, the ownership might be user and group that 
the client machine does not recognize (think posix user/group that is not in 
sync between the NFS server and the client)

Thanks for the reply.

In this case the user _is_ authenticated.
keesb@client1:~$ klist
Ticket cache: KEYRING:persistent:60001:60001
Default principal: ke...@example.com

Valid starting       Expires              Service principal
22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/example@example.com

no, the user has a TGT.  a nfs/host.domain.tld@REALM ticket is needed to 
authenticate.

(( I'm trying to catch up on the acronyms. TGT. Reading wikipedia now. ))


What other grants could be needed? HBAC Rules?

Do I need an nfs principal for the client? (I didn't think so, but many HOWTO's 
say so [2]. Anyway, it
doesn't help to get access for the user.)

there are principals to create and keytabs to be updated on the NFS server, if 
not done already.

I did create a principal for the NFS server (using ipa service-add) and
add to the keytab on the NFS server (using ipa-getkeytab) ...
root@srv1# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
1 host/srv1.example@example.com (aes256-cts-hmac-sha1-96)
1 host/srv1.example@example.com (aes128-cts-hmac-sha1-96)
1 nfs/srv1.example@example.com (aes256-cts-hmac-sha1-96)
1 nfs/srv1.example@example.com (aes128-cts-hmac-sha1-96)

Is this what you mean?
yes, if that is done, the server side components should be done for 
kerberos.  have you set things up in /etc/idmapd.conf so your domain, 
REALM, etc are setup?



   then the user should be able to pull the ticket for auth.

Sorry to ask, but how do I do that? On the client, I suppose, and by the user ??

keesb@client1$ kinit nfs/srv1.example@example.com
Password for nfs/srv1.example@example.com:

But I don't have a password for that. Hmm.
there is no need to init on the client side, as long as the TGT is 
obtained.  you should never need to init the nfs/blah.. on the client side.



Furthermore, I'm guessing that the host principal which I got after 
ipa-client-install is
good enough. (This [1] wiki suggests that I need to do a ipa-getkeytab for it, 
which I
did not do.)
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
 1 host/client1.example@example.com (aes256-cts-hmac-sha1-96)
 1 host/client1.example@example.com (aes128-cts-hmac-sha1-96)

[1] http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
[2] https://www.lisenet.com/2016/kerberised-nfs-server-on-rhel-7/

http://www.itp.uzh.ch/~dpotter/howto/kerberos



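The checks Brendan walks through above (the server keytab holds nfs/<fqdn>@REALM, the user has a TGT, the nfs/ service ticket is fetched for the user rather than kinit'ed by hand), as an added example that is not code from the thread, nfs-utils or MIT Kerberos. It works on pasted `klist -ke` and `klist` output; the realm, server name and sample listings are constructed placeholders, the real values are whatever `hostname -f` and your IPA realm say.

```python
"""Sanity-check a sec=krb5* NFSv4 setup from `klist -ke` (server keytab) and
`klist` (user credential cache) output.  Names and samples are constructed."""
import re

REALM = "EXAMPLE.COM"            # assumption: your IPA realm
NFS_SERVER = "srv1.example.com"  # assumption: the name clients mount by

# "   1 nfs/srv1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((\S+)\)\s*$")
# "22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM"
TICKET_LINE = re.compile(r"^\s*(\S+ \S+)\s+(\S+ \S+)\s+(\S+@\S+)\s*$")
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}


def parse_keytab_listing(text):
    """`klist -ke` -> {principal: {"kvno": {...}, "enctypes": {...}}}"""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if not m:
            continue
        kvno, principal, enctype = m.groups()
        slot = keys.setdefault(principal, {"kvno": set(), "enctypes": set()})
        slot["kvno"].add(int(kvno))
        slot["enctypes"].add(enctype)
    return keys


def check_server_keytab(text, fqdn=NFS_SERVER, realm=REALM):
    """Problems with /etc/krb5.keytab on the NFS server: the kernel server and
    rpc.svcgssd need nfs/<fqdn>@REALM, and the keys should be AES, not legacy."""
    keys = parse_keytab_listing(text)
    problems = []
    for svc in ("host", "nfs"):
        principal = f"{svc}/{fqdn}@{realm}"
        if principal not in keys:
            problems.append(f"missing {principal}")
            continue
        weak = keys[principal]["enctypes"] & WEAK_ENCTYPES
        if weak:
            problems.append(f"{principal} carries weak enctypes {sorted(weak)}")
        if not any(e.startswith("aes") for e in keys[principal]["enctypes"]):
            problems.append(f"{principal} has no AES key")
    return problems


def service_tickets(text):
    """`klist` -> service principals currently in the user's cache."""
    return [m.group(3) for m in map(TICKET_LINE.match, text.splitlines()) if m]


def check_user_cache(text, fqdn=NFS_SERVER, realm=REALM):
    """The user's cache needs a TGT before the first access; afterwards it
    should also hold nfs/<fqdn>, which rpc.gssd on the client fetches with that
    TGT.  Nobody runs kinit for nfs/...: that principal has a keytab, not a
    password."""
    have = set(service_tickets(text))
    problems = []
    if f"krbtgt/{realm}@{realm}" not in have:
        problems.append("no TGT in cache: log in through SSSD or run kinit")
    if f"nfs/{fqdn}@{realm}" not in have:
        problems.append(f"no nfs/{fqdn} ticket yet: touch the mount as this "
                        "user, then re-check; if it never appears, check "
                        "rpc-gssd on the client and Domain in /etc/idmapd.conf")
    return problems


# Constructed sample listings (same shape as the ones posted in the thread).
SERVER_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 host/srv1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 host/srv1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 nfs/srv1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 nfs/srv1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""
USER_CACHE_BEFORE = """\
Ticket cache: KEYRING:persistent:60001:60001
Default principal: keesb@EXAMPLE.COM

Valid starting       Expires              Service principal
22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
USER_CACHE_AFTER = USER_CACHE_BEFORE + \
    "22-02-17 09:31:02  23-02-17 09:20:25  nfs/srv1.example.com@EXAMPLE.COM\n"

if __name__ == "__main__":
    print("server keytab:", check_server_keytab(SERVER_KEYTAB) or "ok")
    print("user cache (before access):", check_user_cache(USER_CACHE_BEFORE))
    print("user cache (after access):", check_user_cache(USER_CACHE_AFTER) or "ok")
```

Paste your own `klist -ke` from the server and the user's `klist` from the client into the two strings to run it against real output. A clean server keytab plus a user cache that never gains the nfs/ ticket points at the client side (rpc.gssd not running, or not finding the user's cache) or at ID mapping, which is what the question marks in `ls` usually mean once Kerberos itself is fine.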


Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Thanks Alex,

Does it also means that I'll have to install the FreeIPA server with
--enable-compat ? I didn't do that.

Regards,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy 
wrote:

> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>
>> Hey Alex,
>>
>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>> version of the Windows Server, SFU seems to have been discontinued.
>>
> I think you are confused by the names. What Compat tree provides is an
> interface on IPA side to look up identities of AD users and groups over
> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
> we don't depend on how Windows side provides or does not provide
> attributes.
> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
> generated by SSSD, or stored in ID overrides in IPA.
>
> But the query format is the one described in RFC 2307 because this is
> what all nss implementations like nss_ldap or similar ones use in
> UNIX-like environments. Windows Server is merely implementing the same
> LDAP schema to allow interoperability with the same clients. Think of
> Compat Tree in IPA as doing the same, just dynamically.
>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-22 Thread Kees Bakker
On 22-02-17 14:05, Brendan Kearney wrote:
> On 02/22/2017 05:23 AM, Kees Bakker wrote:
>> On 21-02-17 19:49, Brendan Kearney wrote:
>>> On 02/21/2017 10:57 AM, Kees Bakker wrote:
 Hey,

 Maybe one of the NFS users on this list could give me a hint what
 could be wrong. I'm not sure if it has any relation with FreeIPA/Kerberos.

 I've set up an NFS server and I can mount the NFS directory on my client. 
 So, I'm
 guessing that setting up Kerberos principal was done correctly.

 However, only root can actually access the mounted contents. Any other user
 only sees question marks as shown below.

 The mount command is simple.
 $ sudo mount -v -t nfs srv1.example.com:/home /nfshome
 mount.nfs: timeout set for Tue Feb 21 16:36:39 2017
 mount.nfs: trying text-based options 
 'vers=4,addr=172.16.16.45,clientaddr=172.16.16.30'

 On the server side /etc/exports looks like this.
 /home *(rw,sync,sec=krb5i,no_subtree_check)

 $ sudo mount |grep nfs
 srv1.example.com:/home on /nfshome type nfs4 
 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=172.16.16.30,local_lock=none,addr=172.16.16.45)

 $ sudo ls -ld /nfshome
 drwxr-xr-x 1 root root 72 feb 21 04:22 /nfshome
 $ sudo ls -l /nfshome
 total 0
 drwxr-xr-x 1 keesb  keesb  116 jan 27 12:56 keesb

 $ ls -l /nfshome
 ls: cannot access '/nfshome': Permission denied
 $ ls -l / | grep nfshome
 ls: cannot access '/nfshome': Permission denied
 d?   ? ??   ?? nfshome

>>> sec=krb* means that the user accessing the mount has to authenticate with a 
>>> kerberos ticket, and has to be the user or in the group granted access to 
>>> the share.  from the looks of things, the user did not authenticate, and 
>>> that is why the permissions are question marks.  check the kerberos tickets 
>>> that the user has (klist output).  Otherwise, the ownership might be user 
>>> and group that the client machine does not recognize (think posix 
>>> user/group that is not in sync between the NFS server and the client)
>> Thanks for the reply.
>>
>> In this case the user _is_ authenticated.
>> keesb@client1:~$ klist
>> Ticket cache: KEYRING:persistent:60001:60001
>> Default principal: ke...@example.com
>>
>> Valid starting       Expires              Service principal
>> 22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/example@example.com
> no, the user has a TGT.  a nfs/host.domain.tld@REALM ticket is needed to 
> authenticate.

(( I'm trying to catch up on the acronyms. TGT. Reading wikipedia now. ))

>>
>> What other grants could be needed? HBAC Rules?
>>
>> Do I need an nfs principal for the client? (I didn't think so, but many 
>> HOWTO's say so [2]. Anyway, it
>> doesn't help to get access for the user.)
> there are principals to create and keytabs to be updated on the NFS server, if 
> not done already.

I did create a principal for the NFS server (using ipa service-add) and
add to the keytab on the NFS server (using ipa-getkeytab) ...
root@srv1# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
   1 host/srv1.example@example.com (aes256-cts-hmac-sha1-96)
   1 host/srv1.example@example.com (aes128-cts-hmac-sha1-96)
   1 nfs/srv1.example@example.com (aes256-cts-hmac-sha1-96)
   1 nfs/srv1.example@example.com (aes128-cts-hmac-sha1-96)

Is this what you mean?

>   then the user should be able to pull the ticket for auth.

Sorry to ask, but how do I do that? On the client, I suppose, and by the user ??

keesb@client1$ kinit nfs/srv1.example@example.com
Password for nfs/srv1.example@example.com:

But I don't have a password for that. Hmm.

>>
>> Furthermore, I'm guessing that the host principal which I got after 
>> ipa-client-install is
>> good enough. (This [1] wiki suggests that I need to do a ipa-getkeytab for 
>> it, which I
>> did not do.)
>> # klist -ke
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>>  
>> --
>> 1 host/client1.example@example.com (aes256-cts-hmac-sha1-96)
>> 1 host/client1.example@example.com (aes128-cts-hmac-sha1-96)
>>
>> [1] http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>> [2] https://www.lisenet.com/2016/kerberised-nfs-server-on-rhel-7/
>
> http://www.itp.uzh.ch/~dpotter/howto/kerberos
>



Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy

On ke, 22 helmi 2017, Hanoz Elavia wrote:

Hey Alex,

Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
enabled that mainly because SSSD now maps the IDs. Also, in the newer
version of the Windows Server, SFU seems to have been discontinued.

I think you are confused by the names. What Compat tree provides is an
interface on IPA side to look up identities of AD users and groups over
LDAP. Compat tree will do lookup through SSSD on your behalf. This means
we don't depend on how Windows side provides or does not provide attributes.
Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
generated by SSSD, or stored in ID overrides in IPA.

But the query format is the one described in RFC 2307 because this is
what all nss implementations like nss_ldap or similar ones use in
UNIX-like environments. Windows Server is merely implementing the same
LDAP schema to allow interoperability with the same clients. Think of
Compat Tree in IPA as doing the same, just dynamically.


--
/ Alexander Bokovoy

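What "the query format is the one described in RFC 2307" looks like in practice, as an added example (not FreeIPA or slapi-nis code): the getpwnam()-style filter an nss_ldap-style client sends to the compat tree, built with proper escaping, and a parser for the posixAccount entry that comes back. The suffix, the server name and the sample entry are constructed placeholders; the compat containers `cn=users,cn=compat,$SUFFIX` and `cn=groups,cn=compat,$SUFFIX` are the standard ones.

```python
"""RFC 2307 lookups against the FreeIPA compat tree: filter construction with
RFC 4515 escaping, an LDIF parser and a passwd-line renderer.  Suffix, server
name and sample entry are constructed."""
import re
import shlex

SUFFIX = "dc=example,dc=test"                  # assumption: your IPA base DN
COMPAT_USERS = f"cn=users,cn=compat,{SUFFIX}"
COMPAT_GROUPS = f"cn=groups,cn=compat,{SUFFIX}"


def ldap_escape(value):
    """RFC 4515 escaping: a name taken from a login form or an appliance's ACL
    must not be able to rewrite the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def passwd_filter(name):
    """The getpwnam()-style query slapi-nis reacts to.  A trusted-domain user is
    asked for by its fully qualified name, e.g. jdoe@ad.test."""
    return f"(&(objectClass=posixAccount)(uid={ldap_escape(name)}))"


def group_filter(name):
    return f"(&(objectClass=posixGroup)(cn={ldap_escape(name)}))"


def ldapsearch_argv(server, name, kind="user"):
    """argv for a hand test with the OpenLDAP client, bound with the caller's
    Kerberos ticket rather than anonymously."""
    base, flt = ((COMPAT_USERS, passwd_filter(name)) if kind == "user"
                 else (COMPAT_GROUPS, group_filter(name)))
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", f"ldap://{server}",
            "-b", base, flt]


def parse_ldif(text):
    """Single-entry LDIF -> {attr_lower: [values]}.  Folded lines are joined;
    base64 (::) values are rejected rather than silently mis-read."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            raise ValueError(f"base64 value for {attr} not handled here")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def to_passwd_line(entry):
    """Render the compat entry the way a getpwnam() consumer sees it, refusing
    anything that is not a well-formed, non-root posixAccount."""
    classes = {v.lower() for v in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        raise ValueError("not a posixAccount entry")

    def one(attr):
        vals = entry.get(attr.lower(), [])
        if len(vals) != 1:
            raise ValueError(f"{attr}: expected exactly one value, got {vals}")
        return vals[0]

    uid_num, gid_num = int(one("uidNumber")), int(one("gidNumber"))
    if uid_num == 0 or gid_num == 0:
        raise ValueError("refusing to map a directory entry onto uid/gid 0")
    gecos = entry.get("gecos", [""])[0]
    return ":".join([one("uid"), "x", str(uid_num), str(gid_num), gecos,
                     one("homeDirectory"), one("loginShell")])


# Constructed: roughly what the compat tree materialises for an AD user once
# SSSD has resolved it (the ID numbers come from ID mapping or an ID override).
SAMPLE_ENTRY = """\
dn: uid=jdoe@ad.test,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
objectClass: top
uid: jdoe@ad.test
cn: John Doe
uidNumber: 1234567890
gidNumber: 1234567890
gecos: John Doe
homeDirectory: /home/ad.test/jdoe
loginShell: /bin/sh
"""

if __name__ == "__main__":
    print(shlex.join(ldapsearch_argv("ipa.example.test", "jdoe@ad.test")))
    print(to_passwd_line(parse_ldif(SAMPLE_ENTRY)))
```

The point of the escaping helper is the same one Alexander makes about filters: the compat tree only answers a filter of this exact shape, so an appliance that sends something else gets nothing, and a client that interpolates names raw gets a filter an attacker can rewrite.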


Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alex,

Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
enabled that mainly because SSSD now maps the IDs. Also, in the newer
version of the Windows Server, SFU seems to have been discontinued.

Since there is a possibility of us having to upgrade in the future, I tried
to keep SFU out of the picture. Please let me know your thoughts. Here's
some additional info regarding the environment:

Windows ADs: Windows Server 2008 R2
FreeIPA Server: CentOS 7.2 x86_64
FreeIPA Server Version: 4.4.0.14
FreeIPA Client Version: 4.4.0.14
SSSD Version: 1.14.0-43

Thanks,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 7:05 AM, Hanoz Elavia 
wrote:

> Thanks guys,
>
> I think there might be a way to modify the LDAP query. I'm speaking to the
> EMC /  Dell support personnel today to see what can be done.
>
> Regards,
>
> Hanoz
>
>
> Hanoz Elavia | IT Manager
> O: 604-734-2866 | www.atomiccartoons.com
> 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6
>
> On Wed, Feb 22, 2017 at 6:50 AM, Alexander Bokovoy 
> wrote:
>
>> On ke, 22 helmi 2017, Jason B. Nance wrote:
>>
>>> There is none. Compat tree is built with RFC2307 queries in mind.
 RFC2307 clients issue a request with a specific user or group name and
 that triggers lookup of AD user/group through SSSD and insertion into
 the compat tree. A part of the trigger is how LDAP filter is built (see
 RFC for those). If your software does not use the same filter, you
 wouldn't get a response.

>>>
>>> Are you saying that there is an LDAP query you can use to retrieve the
>>> UID/GID of a user/group that is known via an AD trust as long as the
>>> filter is correct?  I ran into this same situation (with a storage
>>> appliance) and thought that the problem was that the UIDs/GIDs were
>>> calculated but never stored, but I hadn't stopped to think about
>>> whether sssd (on the local machine) retrieves them from FreeIPA or does
>>> the calculation.
>>>
>> Read https://pagure.io/slapi-nis/blob/master/f/doc/ipa/sch-ipa.txt
>>
>>
>>
>> --
>> / Alexander Bokovoy
>>
>
>

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Thanks guys,

I think there might be a way to modify the LDAP query. I'm speaking to the
EMC /  Dell support personnel today to see what can be done.

Regards,

Hanoz


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Wed, Feb 22, 2017 at 6:50 AM, Alexander Bokovoy 
wrote:

> On ke, 22 helmi 2017, Jason B. Nance wrote:
>
>> There is none. Compat tree is built with RFC2307 queries in mind.
>>> RFC2307 clients issue a request with a specific user or group name and
>>> that triggers lookup of AD user/group through SSSD and insertion into
>>> the compat tree. A part of the trigger is how LDAP filter is built (see
>>> RFC for those). If your software does not use the same filter, you
>>> wouldn't get a response.
>>>
>>
>> Are you saying that there is an LDAP query you can use to retrieve the
>> UID/GID of a user/group that is known via an AD trust as long as the
>> filter is correct?  I ran into this same situation (with a storage
>> appliance) and thought that the problem was that the UIDs/GIDs were
>> calculated but never stored, but I hadn't stopped to think about
>> whether sssd (on the local machine) retrieves them from FreeIPA or does
>> the calculation.
>>
> Read https://pagure.io/slapi-nis/blob/master/f/doc/ipa/sch-ipa.txt
>
>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy

On ke, 22 helmi 2017, Jason B. Nance wrote:

There is none. Compat tree is built with RFC2307 queries in mind.
RFC2307 clients issue a request with a specific user or group name and
that triggers lookup of AD user/group through SSSD and insertion into
the compat tree. A part of the trigger is how LDAP filter is built (see
RFC for those). If your software does not use the same filter, you
wouldn't get a response.


Are you saying that there is an LDAP query you can use to retrieve the
UID/GID of a user/group that is known via an AD trust as long as the
filter is correct?  I ran into this same situation (with a storage
appliance) and thought that the problem was that the UIDs/GIDs were
calculated but never stored, but I hadn't stopped to think about
whether sssd (on the local machine) retrieves them from FreeIPA or does
the calculation.

Read https://pagure.io/slapi-nis/blob/master/f/doc/ipa/sch-ipa.txt



--
/ Alexander Bokovoy



Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> There is none. Compat tree is built with RFC2307 queries in mind.
> RFC2307 clients issue a request with a specific user or group name and
> that triggers lookup of AD user/group through SSSD and insertion into
> the compat tree. A part of the trigger is how LDAP filter is built (see
> RFC for those). If your software does not use the same filter, you
> wouldn't get a response.

Are you saying that there is an LDAP query you can use to retrieve the UID/GID 
of a user/group that is known via an AD trust as long as the filter is correct? 
 I ran into this same situation (with a storage appliance) and thought that the 
problem was that the UIDs/GIDs were calculated but never stored, but I hadn't 
stopped to think about whether sssd (on the local machine) retrieves them 
from FreeIPA or does the calculation.



Re: [Freeipa-users] Client for CoreOS

2017-02-22 Thread Igor Leão
Thanks, Lukas.
Hope it works.

2017-02-20 13:22 GMT-03:00 Lukas Slebodnik :

> On (20/02/17 12:44), Igor Leão wrote:
> >Is it possible to run a FreeIPA client on CoreOS?
> >The OS misses some libraries and I didn't succeed in installing them.
> >
> >Has anyone faced this scenario?
> >
> You need to run everything in container even installer.
>
> You might take inspiration from the docker version of the container.
> https://hub.docker.com/r/fedora/sssd/
>
> I am not sure whether it's possible to run with rocket.
>
> LS
>



-- 
Igor Leão  Site Reliability Engineer

Mobile: +55 81 99727-1083 
Skype: igorvpcleao
Office: +55 81 4042-9757 
Website: inlocomedia.com 


Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-22 Thread Brendan Kearney

On 02/22/2017 05:23 AM, Kees Bakker wrote:

On 21-02-17 19:49, Brendan Kearney wrote:

On 02/21/2017 10:57 AM, Kees Bakker wrote:

Hey,

Maybe one of the NFS users on this list could give me a hint what
could be wrong. I'm not sure if it has any relation with FreeIPA/Kerberos.

I've set up an NFS server and I can mount the NFS directory on my client. So, 
I'm
guessing that setting up Kerberos principal was done correctly.

However, only root can actually access the mounted contents. Any other user
only sees question marks as shown below.

The mount command is simple.
$ sudo mount -v -t nfs srv1.example.com:/home /nfshome
mount.nfs: timeout set for Tue Feb 21 16:36:39 2017
mount.nfs: trying text-based options 
'vers=4,addr=172.16.16.45,clientaddr=172.16.16.30'

On the server side /etc/exports looks like this.
/home *(rw,sync,sec=krb5i,no_subtree_check)

$ sudo mount |grep nfs
srv1.example.com:/home on /nfshome type nfs4 
(rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=172.16.16.30,local_lock=none,addr=172.16.16.45)

$ sudo ls -ld /nfshome
drwxr-xr-x 1 root root 72 feb 21 04:22 /nfshome
$ sudo ls -l /nfshome
total 0
drwxr-xr-x 1 keesb  keesb  116 jan 27 12:56 keesb

$ ls -l /nfshome
ls: cannot access '/nfshome': Permission denied
$ ls -l / | grep nfshome
ls: cannot access '/nfshome': Permission denied
d?   ? ??   ?? nfshome


sec=krb* means that the user accessing the mount has to authenticate with a 
kerberos ticket, and has to be the user or in the group granted access to the 
share.  from the looks of things, the user did not authenticate, and that is 
why the permissions are question marks.  check the kerberos tickets that the 
user has (klist output).  Otherwise, the ownership might be user and group that 
the client machine does not recognize (think posix user/group that is not in 
sync between the NFS server and the client)

Thanks for the reply.

In this case the user _is_ authenticated.
keesb@client1:~$ klist
Ticket cache: KEYRING:persistent:60001:60001
Default principal: ke...@example.com

Valid starting       Expires              Service principal
22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/example@example.com
no, the user has a TGT.  a nfs/host.domain.tld@REALM ticket is needed to 
authenticate.


What other grants could be needed? HBAC Rules?

Do I need an nfs principal for the client? (I didn't think so, but many HOWTO's 
say so [2]. Anyway, it
doesn't help to get access for the user.)
there are principals to create and keytabs to be updated on the NFS 
server, if not done already.  then the user should be able to pull the 
ticket for auth.


Furthermore, I'm guessing that the host principal which I got after 
ipa-client-install is
good enough. (This [1] wiki suggests that I need to do a ipa-getkeytab for it, 
which I
did not do.)
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
1 host/client1.example@example.com (aes256-cts-hmac-sha1-96)
1 host/client1.example@example.com (aes128-cts-hmac-sha1-96)

[1] http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
[2] https://www.lisenet.com/2016/kerberised-nfs-server-on-rhel-7/


http://www.itp.uzh.ch/~dpotter/howto/kerberos



Re: [Freeipa-users] Katello IPA auth and Cross realm trust.

2017-02-22 Thread Sumit Bose
On Wed, Feb 22, 2017 at 12:03:58PM +, wouter.hummel...@kpn.com wrote:
> Hello all,
> 
> I'm trying to get IPA auth on Katello to work properly, however the infopipe 
> is unable to access the right information without additional configuration.
> With these changes I got the infopipe to work, but then user logins started 
> to fail due to invalid user errors.
> 
> I've added the following to the domain/xxx section on the katello server
> 
> [domain/XXX]
> ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

Current versions of SSSD already read the email attribute from the server
(check ldap_user_email in man sssd-ldap). So you can either remove email
from your ldap_user_extra_attrs or set 'ldap_user_email = noSuchAttr' to
avoid the collision.

HTH

bye,
Sumit

> 
> [ifp]
> 
> allowed_uids=apache, root
> user_attributes=+email, +firstname, +lastname
> 
> 
> And on the ipa server:
> [nss]
> user_attributes=+mail, +sn, +givenname
> 
> [domain/XXX]
> ldap_user_extra_attrs=mail, sn, givenname
> 
> However, the suggested change on the IPA server (from the satellite 
> installation guide) results in user lookup failures on client systems (not 
> exclusive to the katello host)
> 
> # id user@TRUSTED.DOMAIN
> id: user@TRUSTED.DOMAIN: no such user
> 
> SSSD logs do reveal a hint about whats going on:
> [filtered for brevity, modified for privacy]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] 
> (0x0400): calling ldap_search_ext with 
> [(&(|(krbPrincipalName=user@TRUSTED.DOMAIN)(mail=user@TRUSTED.DOMAIN)(krbPrincipalName=user\\@TRUSTED.DOMAIN@IPA.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0][cn=accounts,dc=linux,dc=infra,dc=local].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] 
> (0x1000): Requesting attrs: [mail]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] 
> (0x4000): Email [sander.lambrec...@kpn.com] is not from domain 
> [TRUSTED.DOMAIN].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] 
> (0x4000): Email [sander.lambrec...@kpn.com] is not from domain 
> [TRUSTED.DOMAIN].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] 
> [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value 
> exists](20)[attribute 'mail': value #1 on 
> 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more 
> than once]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] 
> [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value 
> exists](20)[attribute 'mail': value #1 on 
> 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more 
> than once]
> 
> Am I running into a bug or have I misconfigured this somewhere?
> 
> Met vriendelijke groet,
> Wouter Hummelink
> Technical Consultant - Enterprise Webhosting
> T: +31-6-12882447
> E: wouter.hummel...@kpn.com
> 


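The collision Sumit describes, as an added example that is not SSSD or Katello code: a small lint that reads an sssd.conf, flags every `ldap_user_extra_attrs` entry that re-fetches the attribute already mapped by `ldap_user_email` (default `mail`, per man sssd-ldap), and writes out the config with either of his two fixes applied. The two sssd.conf fragments are constructed from the settings posted in the thread; `domain/XXX` is the poster's placeholder.

```python
"""Detect and fix the ldap_user_extra_attrs / ldap_user_email collision in
sssd.conf.  The config fragments are constructed from the thread."""
import configparser
import io

DEFAULT_USER_EMAIL_ATTR = "mail"   # SSSD's built-in default for ldap_user_email


def _load(conf_text):
    # sssd.conf uses "key = value" only; do not let ':' act as a delimiter,
    # otherwise "email:mail" would be split in the wrong place
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    return cp


def parse_extra_attrs(value):
    """'email:mail, lastname:sn, givenname' ->
    [('email','mail'), ('lastname','sn'), ('givenname','givenname')]"""
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, attr = item.partition(":")
        pairs.append((name.strip(), (attr if sep else name).strip()))
    return pairs


def find_email_collisions(conf_text):
    """[(section, alias, ldap_attr)] for every domain where an extra attribute
    fetches the attribute already mapped to the user's email.  Both writes hit
    the same sysdb attribute, which is the 'provided more than once'
    ldb_modify failure in the posted log."""
    cp = _load(conf_text)
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        email_attr = cp.get(section, "ldap_user_email",
                            fallback=DEFAULT_USER_EMAIL_ATTR)
        extra = cp.get(section, "ldap_user_extra_attrs", fallback="")
        for alias, attr in parse_extra_attrs(extra):
            if attr.lower() == email_attr.lower():
                hits.append((section, alias, attr))
    return hits


def fixed_config(conf_text, strategy="drop"):
    """'drop': remove the colliding extra attribute (the email keeps arriving
    through ldap_user_email).  'disable': keep the extra attribute and point
    ldap_user_email at an attribute that does not exist (Sumit's 2nd option)."""
    cp = _load(conf_text)
    for section, alias, attr in find_email_collisions(conf_text):
        if strategy == "drop":
            kept = [f"{n}:{a}" if n != a else n
                    for n, a in parse_extra_attrs(
                        cp.get(section, "ldap_user_extra_attrs"))
                    if n != alias]
            cp.set(section, "ldap_user_extra_attrs", ", ".join(kept))
        elif strategy == "disable":
            cp.set(section, "ldap_user_email", "noSuchAttr")
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


# Constructed from the settings posted in the thread.
KATELLO_CONF = """\
[sssd]
domains = XXX
services = nss, pam, ifp

[domain/XXX]
id_provider = ipa
ldap_user_extra_attrs = email:mail, lastname:sn, firstname:givenname

[ifp]
allowed_uids = apache, root
user_attributes = +email, +firstname, +lastname
"""

IPA_SERVER_CONF = """\
[domain/XXX]
id_provider = ipa
ldap_user_extra_attrs = mail, sn, givenname

[nss]
user_attributes = +mail, +sn, +givenname
"""

if __name__ == "__main__":
    for name, conf in (("katello", KATELLO_CONF), ("ipa server", IPA_SERVER_CONF)):
        print(name, "collisions:", find_email_collisions(conf))
    print(fixed_config(KATELLO_CONF, "drop"))
    print(fixed_config(IPA_SERVER_CONF, "disable"))
```

Note that the bare `mail` on the IPA server collides just as much as the aliased `email:mail` on the Katello host; the alias name is irrelevant, only the LDAP attribute being fetched twice matters. With the 'drop' fix, whatever consumes the attribute over the InfoPipe has to ask for it under the name SSSD stores for the email, so check that side too after changing the domain section.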


Re: [Freeipa-users] How to check if ldap was updated?

2017-02-22 Thread Martin Basti



On 22.02.2017 13:13, Sandor Juhasz wrote:

Hi,

i would like to know if there is any endpoint, command, plugin, api or 
other way to check if ldap was modified.
I would like to trigger jobs, if user/group attributes are updated and 
polling ldap continuously is not the best
way i guess.

Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964




Hello,

we don't have any command/api to detect if LDAP was changed.
for this you can use syncrepl or persistent ldapsearch attached to 
users/groups subtree.


Martin^2
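Martin's suggestion (a syncrepl search attached to the users/groups subtree, instead of polling) as an added example that is not FreeIPA code: a change classifier and job dispatcher that are testable offline, plus a refreshAndPersist consumer built on python-ldap's `SyncreplConsumer` API (python-ldap is assumed to be installed; the class and method names follow that library's documented consumer interface, verify them against the version you install). The LDAP URL, suffix and job callables are placeholders.

```python
"""React to user/group changes in FreeIPA's cn=accounts subtree via syncrepl
(RFC 4533) rather than polling.  Offline-testable classifier/dispatcher plus a
python-ldap based live loop.  URL, suffix and job hooks are placeholders."""
import re

SUFFIX = "dc=example,dc=test"           # assumption: your IPA base DN
LDAP_URL = "ldaps://ipa.example.test"   # assumption

_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.*)$")


def dn_components(dn):
    """Split a DN on unescaped commas: [('uid','jdoe'), ('cn','users'), ...]"""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    out = []
    for part in parts:
        m = _RDN.match(part.strip())
        if not m:
            raise ValueError(f"bad RDN {part!r} in {dn!r}")
        out.append((m.group(1).lower(), m.group(2)))
    return out


def classify(dn, suffix=SUFFIX):
    """('user', uid) for cn=users,cn=accounts entries, ('group', cn) for
    cn=groups,cn=accounts entries, None for anything else (compat tree,
    sudo rules, cn=etc, ...)."""
    comps, base = dn_components(dn), dn_components(suffix)
    if len(comps) != len(base) + 3 or comps[-len(base):] != base:
        return None
    rdn, container, accounts = comps[0], comps[1], comps[2]
    if accounts != ("cn", "accounts"):
        return None
    if container == ("cn", "users") and rdn[0] == "uid":
        return ("user", rdn[1])
    if container == ("cn", "groups") and rdn[0] == "cn":
        return ("group", rdn[1])
    return None


class Dispatcher:
    """Turns syncrepl notifications into job invocations.  jobs maps 'user',
    'group' and optionally 'user_deleted'/'group_deleted' to callables taking
    (name, attrs).  Deletes arrive as entryUUIDs only, so DNs are remembered."""

    def __init__(self, jobs):
        self.jobs = jobs
        self.seen = {}          # entryUUID -> dn

    def entry_changed(self, dn, attrs, uuid):
        self.seen[uuid] = dn
        kind = classify(dn)
        if kind:
            self.jobs[kind[0]](kind[1], attrs)
        return kind

    def entries_deleted(self, uuids):
        gone = []
        for uuid in uuids:
            dn = self.seen.pop(uuid, None)
            kind = classify(dn) if dn else None
            if kind:
                self.jobs.get(kind[0] + "_deleted", lambda n, a: None)(kind[1], {})
                gone.append(kind)
        return gone


def watch(dispatcher, url=LDAP_URL, suffix=SUFFIX, cookie=None):
    """Live loop (needs python-ldap).  Bind with a Kerberos ticket from a
    dedicated service keytab so the watcher runs as a least-privilege identity;
    persist the cookie so a restart resumes instead of re-reading everything."""
    import ldap
    import ldap.sasl
    from ldap.ldapobject import ReconnectLDAPObject
    from ldap.syncrepl import SyncreplConsumer

    class Consumer(ReconnectLDAPObject, SyncreplConsumer):
        def __init__(self, *args, **kwargs):
            self.cookie = cookie
            ReconnectLDAPObject.__init__(self, *args, **kwargs)

        def syncrepl_get_cookie(self):
            return self.cookie

        def syncrepl_set_cookie(self, new_cookie):
            self.cookie = new_cookie            # store this somewhere durable

        def syncrepl_entry(self, dn, attrs, uuid):
            dispatcher.entry_changed(dn, attrs, uuid)

        def syncrepl_delete(self, uuids):
            dispatcher.entries_deleted(uuids)

        def syncrepl_present(self, uuids, refreshDeletes=False):
            pass

        def syncrepl_refreshdone(self):
            pass

    conn = Consumer(url)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    msgid = conn.syncrepl_search(
        f"cn=accounts,{suffix}", ldap.SCOPE_SUBTREE, mode="refreshAndPersist",
        cookie=cookie,
        filterstr="(|(objectClass=posixAccount)(objectClass=posixGroup))",
        attrlist=["uid", "cn", "memberOf", "modifyTimestamp"])
    while conn.syncrepl_poll(all=1, msgid=msgid):
        pass
```

On 389-ds, syncrepl is served by the Content Synchronization plugin, which in turn needs the Retro Changelog plugin; confirm both are enabled under cn=config on the replica you attach to before relying on this (a deployment detail to verify, not something the thread states). The initial refresh phase delivers every matching entry once, so make the jobs idempotent.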

[Freeipa-users] How to check if ldap was updated?

2017-02-22 Thread Sandor Juhasz
Hi, 

i would like to know if there is any endpoint, command, plugin, api or other 
way to check if ldap was modified. 
I would like to trigger jobs, if user/group attributes are updated and polling 
ldap continuously is not the best 
way i guess. 

Sándor Juhász 
System Administrator 
ChemAxon Ltd . 
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031 
Cell: +36704258964 

[Freeipa-users] Katello IPA auth and Cross realm trust.

2017-02-22 Thread wouter.hummelink
Hello all,

I'm trying to get IPA auth on Katello to work properly, however the infopipe is 
unable to access the right information without additional configuration.
With these changes I got the infopipe to work, but then user logins started to 
fail due to invalid user errors.

I've added the following to the domain/xxx section on the katello server

[domain/XXX]
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

[ifp]

allowed_uids=apache, root
user_attributes=+email, +firstname, +lastname


And on the ipa server:
[nss]
user_attributes=+mail, +sn, +givenname

[domain/XXX]
ldap_user_extra_attrs=mail, sn, givenname

However, the suggested change on the IPA server (from the satellite 
installation guide) results in user lookup failures on client systems (not 
exclusive to the katello host)

# id user@TRUSTED.DOMAIN
id: user@TRUSTED.DOMAIN: no such user

SSSD logs do reveal a hint about whats going on:
[filtered for brevity, modified for privacy]
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] 
(0x0400): calling ldap_search_ext with 
[(&(|(krbPrincipalName=user@TRUSTED.DOMAIN)(mail=user@TRUSTED.DOMAIN)(krbPrincipalName=user\\@TRUSTED.DOMAIN@IPA.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0][cn=accounts,dc=linux,dc=infra,dc=local].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] 
(0x1000): Requesting attrs: [mail]
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] 
(0x4000): Email [sander.lambrec...@kpn.com] is not from domain [TRUSTED.DOMAIN].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] 
(0x4000): Email [sander.lambrec...@kpn.com] is not from domain [TRUSTED.DOMAIN].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sysdb_set_cache_entry_attr] 
(0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'mail': 
value #1 on 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' 
provided more than once]
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sysdb_set_cache_entry_attr] 
(0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'mail': 
value #1 on 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' 
provided more than once]

Am I running into a bug or have I misconfigured this somewhere?

Met vriendelijke groet,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting
T: +31-6-12882447
E: wouter.hummel...@kpn.com


Re: [Freeipa-users] FreeIPA Fedora 25 and IPA CentOS 7.3

2017-02-22 Thread Alexander Bokovoy

On ke, 22 helmi 2017, Ente Trompete wrote:

Hi,


I have currently running one IdM Server (package version 4.4.0-14) on
CentOS 7.3 (x86_64). The first thing I must ask is: which FreeIPA
version is the basis of this package version, because on
https://www.freeipa.org/page/Main_Page under News only v4.4.1 – v4.4.3
are listed.

Read this: 
https://www.redhat.com/archives/freeipa-users/2016-February/msg00429.html
I hope it will help you in understanding how package versions in RHEL and
CentOS relate to upstream FreeIPA versions.




The next question which I have is: can I install a Fedora 25 and use
the included FreeIPA v4.4.1-3 to create a replica of the existing
4.4.0-14? My problem is that I will use an ARM32 computer as replica
and CentOS 7.3 runs properly on it but the repositories include only
ipa-client packages. No ipa-server* package (BTW also for ARM64 only
ipa-server-common is available). But in the repositories of Fedora 25
ARM32 I can find them all.

Packages in Fedora are 'freeipa-*', packages in RHEL/CentOS are 'ipa-*'.

CentOS uses whatever corresponding RHEL version provides. I don't think
RHEL has ARM build for ipa-server packages. I think RHEL officially supports
ipa-server only on x86-64.

--
/ Alexander Bokovoy


[Freeipa-users] FreeIPA Fedora 25 and IPA CentOS 7.3

2017-02-22 Thread Ente Trompete
Hi,


I currently have one IdM Server (package version 4.4.0-14) running on CentOS
7.3 (x86_64). The first thing I must ask is: which FreeIPA version is the basis of
this version? On https://www.freeipa.org/page/Main_Page under News only
v4.4.1 – v4.4.3 are listed.


The next question I have is: can I install Fedora 25 and use the
included FreeIPA v4.4.1-3 to create a replica of the existing 4.4.0-14? My
problem is that I will use an ARM32 computer as the replica. CentOS 7.3 runs
properly on it, but the repositories include only ipa-client packages, no
ipa-server* package (BTW, for ARM64 only ipa-server-common is available).
But in the Fedora 25 ARM32 repositories I can find all of them.


TIA,
Silvio




Sent with [ProtonMail](https://protonmail.com) Secure Email.

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-22 Thread Kees Bakker
On 21-02-17 19:49, Brendan Kearney wrote:
> On 02/21/2017 10:57 AM, Kees Bakker wrote:
>> Hey,
>>
>> Maybe one of the NFS users on this list could give me a hint what
>> could be wrong. I'm not sure if it has any relation with FreeIPA/Kerberos.
>>
>> I've set up an NFS server and I can mount the NFS directory on my client.
>> So, I'm guessing that setting up the Kerberos principal was done correctly.
>>
>> However, only root can actually access the mounted contents. Any other user
>> only sees question marks as shown below.
>>
>> The mount command is simple.
>> $ sudo mount -v -t nfs srv1.example.com:/home /nfshome
>> mount.nfs: timeout set for Tue Feb 21 16:36:39 2017
>> mount.nfs: trying text-based options 
>> 'vers=4,addr=172.16.16.45,clientaddr=172.16.16.30'
>>
>> On the server side /etc/exports looks like this.
>> /home *(rw,sync,sec=krb5i,no_subtree_check)
>>
>> $ sudo mount |grep nfs
>> srv1.example.com:/home on /nfshome type nfs4 
>> (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=172.16.16.30,local_lock=none,addr=172.16.16.45)
>>
>> $ sudo ls -ld /nfshome
>> drwxr-xr-x 1 root root 72 feb 21 04:22 /nfshome
>> $ sudo ls -l /nfshome
>> total 0
>> drwxr-xr-x 1 keesb  keesb  116 jan 27 12:56 keesb
>>
>> $ ls -l /nfshome
>> ls: cannot access '/nfshome': Permission denied
>> $ ls -l / | grep nfshome
>> ls: cannot access '/nfshome': Permission denied
>> d?   ? ??   ?? nfshome
>>
> sec=krb* means that the user accessing the mount has to authenticate with a 
> Kerberos ticket, and has to be the user or in the group granted access to the 
> share. From the looks of things, the user did not authenticate, and that is 
> why the permissions are question marks. Check the Kerberos tickets that the 
> user has (klist output). Otherwise, the ownership might be a user and group 
> that the client machine does not recognize (think POSIX user/group that is 
> not in sync between the NFS server and the client).

Thanks for the reply.

In this case the user _is_ authenticated.
keesb@client1:~$ klist
Ticket cache: KEYRING:persistent:60001:60001
Default principal: ke...@example.com

Valid starting       Expires              Service principal
22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/example@example.com

What other grants could be needed? HBAC Rules?

Do I need an nfs principal for the client? (I didn't think so, but many HOWTOs
say so [2]. Anyway, it doesn't help to get access for the user.)

Furthermore, I'm guessing that the host principal which I got after
ipa-client-install is good enough. (This [1] wiki suggests that I need to do an
ipa-getkeytab for it, which I did not do.)
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   1 host/client1.example@example.com (aes256-cts-hmac-sha1-96)
   1 host/client1.example@example.com (aes128-cts-hmac-sha1-96)



[1] http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
[2] https://www.lisenet.com/2016/kerberised-nfs-server-on-rhel-7/
-- 
Kees

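The reply above ties the question marks to a missing user ticket (a sec=krb5* export needs one), and Kees then checks klist and the host keytab. The following is an added example, not code from either poster, that turns those checks into a preflight script fed with the outputs of /etc/exports, klist, klist -ke and ls -l. The sample outputs are constructed to match the formats shown in the thread; the klist date format (dd-mm-yy, as printed in Kees's locale), the EXAMPLE.COM realm and the function names are assumptions.

```python
"""Preflight checks for a Kerberized NFS mount (added example, see lead-in).

Feeds the outputs of /etc/exports, klist, klist -ke and ls -l through the
checks raised in the thread: a sec=krb5* export needs an unexpired user
ticket, the client keytab needs a host/ principal, and '?' fields in ls
output mean the user could not stat() the entry.
"""
import re
from datetime import datetime

# Security flavours that need a Kerberos ticket on the client side.
KRB_FLAVOURS = {"krb5", "krb5i", "krb5p"}
# Ticket line as printed by klist in the thread: start, expiry, service principal.
TICKET_RE = re.compile(
    r"^(\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
KLIST_DATE = "%d-%m-%y %H:%M:%S"  # assumed from Kees's locale; other locales differ


def export_flavours(exports_text, path):
    """Return the sec= flavours exported for `path`, or None if it is not exported."""
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != path:
            continue
        flavours = set()
        for client in fields[1:]:
            match = re.search(r"\((.*)\)", client)
            for opt in (match.group(1).split(",") if match else []):
                if opt.startswith("sec="):
                    flavours.update(opt[4:].split(":"))
        return flavours or {"sys"}  # exportfs defaults to AUTH_SYS
    return None


def has_valid_tgt(klist_text, now_text):
    """True if the credential cache holds a krbtgt ticket that has not expired at `now_text`."""
    now = datetime.strptime(now_text, KLIST_DATE)
    for line in klist_text.splitlines():
        match = TICKET_RE.match(line.strip())
        if match and match.group(3).startswith("krbtgt/"):
            if datetime.strptime(match.group(2), KLIST_DATE) > now:
                return True
    return False


def has_host_key(keytab_listing, fqdn):
    """True if `klist -ke` output lists a host/<fqdn>@REALM entry."""
    pattern = re.compile(r"\bhost/" + re.escape(fqdn) + r"@")
    return any(pattern.search(line) for line in keytab_listing.splitlines())


def unresolved_entries(ls_text):
    """Names whose metadata ls could not stat (mode and owner printed as '?')."""
    names = []
    for line in ls_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].endswith("?") and fields[1] == "?":
            names.append(fields[-1])
    return names


def diagnose(exports_text, path, klist_text, keytab_listing, fqdn, ls_text, now_text):
    """Return a list of findings; an empty list means the prerequisites look satisfied."""
    flavours = export_flavours(exports_text, path)
    if flavours is None:
        return [f"{path} is not exported"]
    findings = []
    if flavours & KRB_FLAVOURS and not has_valid_tgt(klist_text, now_text):
        findings.append(f"export uses sec={sorted(flavours)} but the user has no valid krbtgt ticket")
    if not has_host_key(keytab_listing, fqdn):
        findings.append(f"no host/{fqdn} key in the client keytab")
    for name in unresolved_entries(ls_text):
        findings.append(f"'{name}' could not be stat()ed by this user (shown as '?')")
    return findings


# Constructed samples in the formats shown in the thread (realm assumed).
EXPORTS = "/home *(rw,sync,sec=krb5i,no_subtree_check)\n"
KLIST = (
    "Ticket cache: KEYRING:persistent:60001:60001\n"
    "Default principal: keesb@EXAMPLE.COM\n\n"
    "Valid starting       Expires              Service principal\n"
    "22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n")
KEYTAB = (
    "Keytab name: FILE:/etc/krb5.keytab\n"
    "KVNO Principal\n"
    "---- ----------------------------------------------------------\n"
    "   1 host/client1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)\n")
LS = "d?   ? ??   ?? nfshome\n"
NOW = "22-02-17 12:00:00"

if __name__ == "__main__":
    for finding in diagnose(EXPORTS, "/home", KLIST, KEYTAB, "client1.example.com", LS, NOW):
        print(finding)
```

Run against the constructed samples it reports only the unstat-able nfshome entry, which matches the thread: the ticket and host key checks pass, so those two are ruled out and the remaining cause has to be looked for elsewhere (idmapping, or the server-side export). Feed it real command output by replacing the constants.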


Re: [Freeipa-users] FreeIPA Help

2017-02-22 Thread Florence Blanc-Renaud

On 02/22/2017 04:41 AM, Daniel Schimpfoessl wrote:

Is there a way for me to export my data (users, groups, ...), rebuild
the server and import the data again?

Daniel


Hi Daniel,

please keep the mailing list in CC as the content may also benefit other 
users with similar issues.


Does anyone have suggestions in order to fix the broken CA?
Thanks,
Flo


2017-02-09 12:33 GMT-06:00 Florence Renaud <fren...@redhat.com>:

Hi Daniel,

You can try to contact the mailing list for Dogtag (the certificate
system): pki-us...@redhat.com 

If possible, state which certificates were renewed (the CA cert, or
the one used by Dogtag server/http server/ldap server), and how
(automatically by certmonger when approaching the expiration or
manually, then provide the command used).

A customer recently hit an issue when renewing the CA cert, where
the subject name in the renewed cert was encoded differently and
thus not recognised as the same identity even though using the same
private key.
https://fedorahosted.org/pki/ticket/2587


Flo.



Sent from my iPad
On 8 Feb 2017 at 19:48, Daniel Schimpfoessl
<dan...@schimpfoessl.com> wrote:


Flo,

can you help me understand how to best get further help?
https://www.redhat.com/archives/freeipa-users/2017-January/msg00422.html


Thanks,

Daniel





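Flo's last point, a renewed CA certificate whose subject is encoded differently while the private key is unchanged, is worth checking before a renewed certificate is deployed. The following is an added example, not code from the thread, from Dogtag or from FreeIPA: it compares the subject bytes and the SubjectPublicKeyInfo of two certificates with a minimal DER walker, so no third-party module is needed. The thread does not say which encoding changed; PrintableString versus UTF8String is assumed here as the illustration, and the two certificates are constructed stand-ins with the tbsCertificate layout and a placeholder key and signature, not real FreeIPA certificates. Function names are this example's own.

```python
"""Does a renewed certificate still match its predecessor byte-for-byte?

Added example (see lead-in): minimal DER walker plus constructed certificates
with a placeholder key and signature.  Same key and same printed subject but
different subject DER is the renewal trap described in the thread.
"""

PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C
OID_CN, OID_O = bytes.fromhex("550403"), bytes.fromhex("55040a")
OID_NAMES = {OID_CN: "CN", OID_O: "O"}
RSA_OID = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
PLACEHOLDER_KEY = b"\x00" + bytes(range(1, 33))       # constructed, not a real key
SUBJECT = [(OID_O, "EXAMPLE.COM"), (OID_CN, "Certificate Authority")]

def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, body, raw_tlv, end_offset)."""
    start = pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def tbs_fields(cert_der):
    """Raw subject and subjectPublicKeyInfo TLVs of a certificate."""
    _, cert_body, _, _ = read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs, _, _ = read_tlv(cert_body, 0)        # tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, raw, pos = read_tlv(tbs, pos)
        fields.append((tag, raw))
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return {"subject_raw": fields[4][1], "spki_raw": fields[5][1]}

def name_to_text(name_der):
    """Render a Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'O=...,CN=...'."""
    parts = []
    _, rdns, _, _ = read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, _, pos = read_tlv(rdns, pos)
        p = 0
        while p < len(rdn):
            _, atv, _, p = read_tlv(rdn, p)
            _, oid, _, q = read_tlv(atv, 0)
            _, value, _, _ = read_tlv(atv, q)  # string type tag is ignored here on purpose
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8')}")
    return ",".join(parts)

def compare_renewal(old_der, new_der):
    """Classify a renewal by key, printed subject and raw subject bytes."""
    old, new = tbs_fields(old_der), tbs_fields(new_der)
    same_key = old["spki_raw"] == new["spki_raw"]
    same_text = name_to_text(old["subject_raw"]) == name_to_text(new["subject_raw"])
    same_der = old["subject_raw"] == new["subject_raw"]
    if same_key and same_text and not same_der:
        verdict = "subject re-encoded: same key and printed name, different DER"
    elif same_key and same_der:
        verdict = "subject and key unchanged"
    else:
        verdict = "different identity or key"
    return {"same_key": same_key, "same_subject_text": same_text,
            "same_subject_der": same_der, "verdict": verdict}

def encode_name(string_tag, attrs=SUBJECT):
    """Constructed Name with every value in the given string type (0x13 or 0x0C)."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, value.encode("utf-8"))))
        for oid, value in attrs))

def fake_cert(subject_tag):
    """Constructed self-signed-looking certificate; only the subject encoding varies."""
    alg = tlv(0x30, tlv(0x06, SHA256_RSA_OID) + tlv(0x05, b""))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, PLACEHOLDER_KEY))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                                   # version v3
              + tlv(0x02, b"\x01")                                           # serialNumber
              + alg
              + encode_name(subject_tag)                                     # issuer
              + tlv(0x30, tlv(0x17, b"170101000000Z") + tlv(0x17, b"270101000000Z"))
              + encode_name(subject_tag)                                     # subject
              + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(8)))              # placeholder signature

if __name__ == "__main__":
    print(compare_renewal(fake_cert(PRINTABLE_STRING), fake_cert(UTF8_STRING))["verdict"])
```

With real certificates, convert PEM to DER (`openssl x509 -in cert.pem -outform DER -out cert.der`), read both files as bytes and pass them to compare_renewal; a "subject re-encoded" verdict is the condition Flo describes, and the fix is to renew with the original encoding rather than to patch consumers one by one.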