[Freeipa-users] A new Quick Start Guide for FreeIPA software
Hello, FreeIPA list!

About a month ago I promised to write a detailed tutorial about FreeIPA domain setup, including both Linux and Unix (FreeBSD) clients, and now it's ready! Use this link to download the tutorial: https://cloud.mail.ru/public/c3209284323e/FreeIPA%20-%20FreeBSD.docx

I would highly appreciate it if you find time to read the tutorial completely from the beginning to the end, follow all instructions and post your comments regarding:
1) errors in wording / spelling (I'm not a native English speaker);
2) unnecessary actions (maybe the system will work perfectly well without performing some steps);
3) insufficient comments on some instructions (maybe you can give a better BRIEF description for some steps).

The only thing I would ask anyone willing to collaborate is to read the tutorial completely before commenting on anything! If you collaborate on this subject, we'll be able to prepare a new and up-to-date Quick Start Guide for FreeIPA software.

Thanks for your attention, time and efforts!
Orkhan Gasymov.

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] Radius schema addition to default user objectclasses in FreeIPA 4.1
New task: I want to add an additional schema (radius schema) to the default user object classes. I prepared the ldif file for the schema: https://cloud.mail.ru/public/40edc9a6c9bb%2Fradiusschema.ldif , then followed the instructions in https://www.redhat.com/archives/freeipa-users/2014-February/msg00050.html

At step #2 of the instructions, the ldapmodify command was run; as I'm using FreeIPA 4.1 in a multi-master replication scenario with 2 servers, the command was run on both servers and produced this output on both:

modifying entry cn=schema

Then I switched to the GUI and added the radiusprofile objectclass. After hitting the Update button I got the message:

IPA Error 4001: NotFound objectclass radiusprofile not found

Restarting ipactl didn't help. The command ldapsearch -Y GSSAPI | grep schema gives no output besides informational SASL messages. There is a MUST cn part in the objectclass definition in the ldif file, but even after removing it the situation doesn't change.

Please help me to understand where the problem is, and is it generally possible to use radius.schema with FreeIPA? The original schema was taken from: http://open.rhx.it/phamm/schema/radius.schema

Thanks in advance!
-- Орхан Касумов
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
+1. And even if talking about installation of the necessary software and not about the configuration, then why this?

"The commands to enable the custom repository and install the required packages on a FreeBSD host appear below. Note that these are Bourne shell commands; this script will not work in the FreeBSD default shell csh."

After having baked ONE SET OF DEFAULTS into a custom package (to make our lives easier), you leave readers to mess with ANOTHER SET OF DEFAULTS, i.e. to change FreeBSD's shells? Aren't there some discrepancies? It may be simple / useful / interesting to change shells, but why not make a self-sufficient article?

Please update your article to provide a full picture of what a user should do to install all necessary software, and also which parts should be installed from your repo and which parts should be installed from ports (+ the correct order). You've already done a lot of work, but with this refinement your help will be even more valuable. I'm not asking for myself personally (I've already accomplished all necessary tasks) - just IMHO everyone writing instructions, tutorials and HowTos for the *nix world should stick to the rule: articles should be self-sufficient. I.e. if they rely on techniques not detailed in them, they should at least include links to other WORKING articles to ensure that a reader will be able to COMPLETE a task.

Thanks for your contribution, Fraser.

Thu, 23 Oct 2014 09:58:33 +0200 from Lukas Slebodnik lsleb...@redhat.com:
> On (23/10/14 11:27), Outback Dingo wrote:
>> On Thu, Oct 23, 2014 at 11:20 AM, Fraser Tweedale ftwee...@redhat.com wrote:
>>> On Wed, Oct 22, 2014 at 03:23:56PM +0200, Lukas Slebodnik wrote:
>>>> On (22/10/14 17:10), Fraser Tweedale wrote:
>>>>> Further to my earlier email, I have written a blog post about all these matters, with a particular focus on the custom package repo. I will update it tomorrow with a bit more about the package flavours topic.
>>>>> For now, all the details for enabling and using the custom repo are in the post. Check it out and let me know if you spot any issues.
>>>>> http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/
>>>> The disadvantage of this approach is that users need to rely on updating of a non-standard repo. https://frase.id.au/pkg/${ABI}_FreeIPA
>>>> In my opinion, it's better to write a howto (script) which will configure all necessary ports/files and portmaster will take care of updating ports. https://www.freebsd.org/doc/handbook/ports-using.html#portmaster
>>>> LS
>>> Each has its advantages and disadvantages; people can choose what works for them. Hopefully - not too far in the future - people won't have to choose, when binary package flavours are implemented. When that happens, a small effort will be needed to define the FreeIPA flavour and ensure it gets included in the official package repos.
> Fraser, you missed one main point of this thread. The most problematic was to *configure* all files and not install sssd. I don't want to say that installing is super easy, but configuration is much more complicated.
>> Actually I would be inclined to assist with a ports build, so it could be done correctly from the ports tree and work towards having it adopted into mainline.
> +1
> LS
Re: [Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.
Alright then, thanks for the info! Tomorrow is the deadline for my research on FreeIPA. Then I have to start deploying a centralized management solution in our production environment.

Please help me to make a final decision on which version of FreeIPA to choose - 3.3 or 4.1? I'd like to have all the benefits of the latest version, but all our production servers are FreeBSD. With all information sources at my disposal right now I tend to choose FreeIPA 3.3. The cause is that otherwise I can't use host groups with sudo commands - the cron script proposed at the FreeBSD forums works with the old way of storing host group information in the LDAP directory of FreeIPA. Is there any workaround for this?

(P.S. Here's what I'm talking about:

"The tricky part was getting sudo to work with host groups. FreeIPA keeps host groups in netgroups, and FreeBSD's support for netgroups is limited. One solution would have been to enable NIS services on the FreeIPA server so that we could use proper netgroups on FreeBSD clients. We didn't like that solution, so instead we wrote a script that pulls all netgroup data from FreeIPA and stores it in /etc/netgroup. We run the script every hour via cron."

The script looks for host groups in 'cn=hostgroups,cn=accounts,dc=domain', and that works with FreeIPA 3.3. But in FreeIPA v4 host groups get into 'cn=ng,cn=compat,dc=domain'. So the script needs modification. But I don't know how to modify the script; simply changing the string passed to the ldapsearch command doesn't work.)

Thu, 23 Oct 2014 16:41:55 +0300 from Alexander Bokovoy aboko...@redhat.com:
> On Thu, 23 Oct 2014, Orkhan Gasimov wrote:
>> And another interesting behaviour. Say a user netuser is a member of a user group netstaff, and a host bsd.example.com is a member of a host group nethosts.
>> We then create an HBAC rule netstaff_to_nethosts:
>> Who: User Groups - netstaff -- Accessing: Host Groups - nethosts -- Via Service: Specified Services and Groups - sshd
> Here you are allowing only the sshd service for use.
>> And we create a SUDO rule test:
>> Who: Specified Users and Groups - netuser -- Access this host: bsd.example.com -- Run Commands: Any Command
>> Expected result is this: user netuser should be able to SSH to host bsd.example.com and successfully issue the command sudo shutdown -r now.
>> What happens instead: user netuser is able to SSH to host bsd.example.com, but issuing the command sudo shutdown -r now produces this output (password is entered correctly):
>> $ shutdown -r now
>> Password: Ying Tong Iddle I Po
>> Password: Do you think like you type?
>> Password: Have you considered trying to match wits with a rutabaga?
>> This is funny, and you can continue trying sudo and getting funny outputs; but the only way for the command to work properly is to change the HBAC rule:
>> Who: User Groups - netstaff -- Accessing: Host Groups - nethosts -- Via Service: Specified Services and Groups - ANY SERVICE
>> Is this the correct behavior? I don't remember anything like this in FreeIPA 3.3.
> Yes. The behaviour did not change since maybe FreeIPA 2.0. sudo does authenticate and authorize the user first via the PAM stack and then applies its own ruleset. So HBAC rules get applied here, and since you don't have an allow_all rule that would allow any user to access any service on any host, you get a denial.
> Instead of using only the sshd service in the HBAC rule, make a service group and add both sshd and sudo there. Alternatively you can add multiple HBAC rules, one for sshd, one for sudo.
> -- / Alexander Bokovoy
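An added example, written for this page and not taken from the thread or any poster's script, of what a netgroup-export script has to do differently against the v4 compat tree. It assumes (as the slapi-nis compat plugin does) that entries under cn=ng,cn=compat are nisNetgroup objects carrying nisNetgroupTriple and memberNisNetgroup attributes, which is why only swapping the search base of a script written for ipahostgroup entries under cn=hostgroups,cn=accounts is not enough; the sample LDIF, hostnames and domain are constructed.

```python
import re

# Constructed sample of `ldapsearch -LLL -b cn=ng,cn=compat,dc=example,dc=com`
# output in LDIF form, written for this example rather than captured from a server.
SAMPLE_LDIF = """\
dn: cn=nethosts,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
cn: nethosts
nisNetgroupTriple: (bsd.example.com,-,example.com)
nisNetgroupTriple: (bsd2.example.com,-,
 example.com)
memberNisNetgroup: dbhosts

dn: cn=dbhosts,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
cn: dbhosts
nisNetgroupTriple: (db1.example.com,-,example.com)
"""
TRIPLE = re.compile(r"\([^,()]*,[^,()]*,[^,()]*\)")  # (host,user,domain)

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry; folded lines are joined."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]       # LDIF continuation line
            continue
        if not raw.strip():                    # blank line ends the entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last = attr
    if current:
        entries.append(current)
    return entries

def netgroup_lines(entries):
    """Build /etc/netgroup lines: '<name> <(host,user,domain) | nested netgroup> ...'."""
    lines = []
    for e in entries:
        if "nisNetgroup" not in e.get("objectClass", []):
            continue                           # skip non-netgroup entries
        # keep only well-formed triples so a bad value never lands in the file
        triples = [t for t in e.get("nisNetgroupTriple", []) if TRIPLE.fullmatch(t)]
        lines.append(" ".join([e["cn"][0]] + triples + e.get("memberNisNetgroup", [])))
    return lines
```

Feeding real ldapsearch output through parse_ldif and writing netgroup_lines to /etc/netgroup is the piece a cron job would replace the old hostgroup query with.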
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
1. Yes, being able to find simple typos is what distinguishes a good troubleshooter from a bad one. The problem really was between the chair and the keyboard.

2. Not only were you right in this aspect, but also regarding the idea that comments in the sssd.conf file shouldn't be on the same line as directives. Putting a comment on a separate line allows sssd to start normally instead of giving error messages.

3. I already updated my post at the FreeBSD forums and included your comments there. Thanks for taking the time to find the cause of the problems.

4. I consider this thread closed, but still plan to write a detailed HowTo about FreeBSD - FreeIPA integration, i.e. about the full setup of 5 VMs:
a) a DNS server;
b) the first IPA server;
c) the second IPA server for multi-master replication;
d) a Linux IPA client (for changing LDAP users' passwords on behalf of FreeBSD);
e) a FreeBSD client
- detailed steps, including many things that the current post at the FreeBSD forums misses. I will then send my HowTo to both the FreeBSD forums and the FreeIPA team, and it's up to them to decide if the HowTo is worth publishing or not. If the HowTo is OK, I'll translate it into another two languages: Russian and Azeri.

Tue, 21 Oct 2014 20:31:17 +0200 from Lukas Slebodnik lsleb...@redhat.com:
> On (20/10/14 15:06), Orkhan Gasimov wrote:
>> OK, Lukas, I did as you say:
>> 1) reset my pam.d - login to its default state
>> 2) added to my pam.d - system: account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail;
>> 3) commented out enumerate = True in my /usr/local/etc/sssd/sssd.conf.
>> Now I cannot locally login as either root or IPA user. Seems like we built our SSSDs differently or from different ports. Would you be so kind to share info about your choices when building SSSD?
>> You're right, I'm a newbie in FreeIPA setups. But I've worked with the pam stack before, when configuring OpenLDAP on servers. That knowledge of pam let me solve the problem of local logins with sssd by adding the appropriate line in pam.d - login instead of pam.d - system. This setup works fine for me; another setup, which you and the FreeBSD forums suppose, doesn't work. Did you check everything on a blank FreeBSD 10 setup?
> Basically, you should do all (ipa-client-install) steps manually. I would recommend you to look into the log file from a linux machine, /var/log/ipaclient-install.log. The main difference between linux and FreeBSD will be the location of configuration files (/etc vs /usr/local/etc)
>> There are indeed nuances that the post at the FreeBSD forums didn't address:
> I would say that post was more focused on integrating sssd with sudo and expected a more experienced user with better knowledge of FreeIPA. It is the most difficult part.
>> 1) what choices should be made when building SSSD and other ports - VERY IMPORTANT, but missing information;
> I am used to installing packages with the utility pkg. Just some packages need to be built from source. (they are listed in the beginning of the post)
>> 2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to work;
> I don't have a configured ldap.conf. On the other hand, it can be useful for troubleshooting with the utility ldapsearch.
>> 3) how krb5.conf should be configured on a FreeBSD client;
> The same as on linux. (sssd is linked with MIT kerberos)
>> 4) how SSH files should be configured on a FreeBSD client for single sign-on to behave properly (GSS-API part);
> Linux and FreeBSD use openssh. You can take inspiration from the changes done by the script ipa-client-install
>> 5) how the cron script file's executability, IPA user's shell and automatic creation of home directories should be considered - there are some caveats for newbies;
> why do you need cron? User shell can be changed on the FreeIPA server or you can change the sssd configuration, man sssd.conf (see *shell*)
> Do you mean admin newbies or FreeIPA newbies? An admin should know how to configure automatic creation of directories. (another pam module) ipa-client-install just simplifies it on linux.
>> 6) why a user can't initially SSH or locally login to a FreeBSD client even with correct configuration files (password change problem);
> FreeBSD admins should already have experience with ldap configuration on FreeBSD (or at least read the FreeBSD documentation). Official documentation is very good (ldap client configuration with nss-pam-ldapd) https://www.freebsd.org/doc/en/articles/ldap-auth/client.html
>> 7) how to setup SSSD so that it doesn't cache information too long (this is not what we always want, right?).
> sssd uses cache by design. If you don't want to cache LDAP users, you can use nss-pam-ldapd. BTW this point is not related to FreeBSD
> Summary: Feel free to write a detailed howto for newbies. We will be very glad to help with reviewing and fixing problematic parts.
> LS
[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Good day to everybody.

There's a post on how to make a FreeBSD client work with a FreeIPA server: https://forums.freebsd.org/viewtopic.php?f=39t=46526p=260146#p260146

For some reason the instructions in that post don't lead to a working solution. Getent passwd/group return no data from the IPA server, although ldapsearch works fine. I followed the instructions exactly (+ configured ldap.conf, started sssd) and didn't get errors anywhere; all steps completed successfully.

My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a FreeBSD client (on FreeBSD 10.0). The IPA server is configured as written in the IPA Quick Start Guide; it has no integrated DNS server. Both VMs have an identical /etc/hosts file:

::1 localhost
127.0.0.1 localhost
192.168.1.10 ipa1.mydomain.com ipa1
192.168.1.30 bsd1.mydomain.com bsd1

Seems like some instructions in the /etc/nsswitch.conf file, like group: files sss and passwd: files sss, have no effect. Has anybody tried this setup, what could be wrong with it? I can provide outputs of any commands if necessary. If I shouldn't have asked this question here, please advise me where to ask. Any hint on what to do will be highly appreciated!