Re: [Freeipa-users] oneWaySync affecting Password sync?
Hello,

The goal was that I wanted to just have passwords in sync, leaving attributes and whatnot to Windows, but mostly to protect from accidental deletes in IPA being carried out in the Active Directory. I've removed the oneWaySync attribute and worked around it by limiting the permissions for the user handling the replication.

Thanks!
Andreas

On 29 Apr 2016 5:49 p.m., Rich Megginson <rmegg...@redhat.com> wrote:
>
> On 04/29/2016 09:44 AM, Rob Crittenden wrote:
> > Andreas Calminder wrote:
> >> Hello,
> >>
> >> I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting
> >> oneWaySync to fromWindows will affect password synchronization from IPA
> >> to AD, i.e. password changes from IPA will not be replicated to Windows?
> >>
> >
> > Hmm, interesting question, I'm not sure. What is your goal here? Do
> > you want to disallow attribute changes in IPA to be replicated but you
> > DO want passwords, or you don't want anything?
> >
> > ccing Rich to see what he thinks.
>
> AFAIK, there is no way to sync only passwords from IPA to AD. So if you
> set oneWaySync: fromWindows, you will not sync password changes from IPA
> to AD.
>
> >
> > rob
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] oneWaySync affecting Password sync?
Hello,

I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting oneWaySync to fromWindows will affect password synchronization from IPA to AD, i.e. password changes from IPA will not be replicated to Windows?

Best regards,
Andreas
Re: [Freeipa-users] Winsync agreement password sync failing for specific user on the IPA side
Sorry for the noise, I did some backtracking in the mailing list archives and found a conversation from December 2015 regarding the same issue, with a nice bugzilla attached: https://bugzilla.redhat.com/show_bug.cgi?id=1287092. I'll try to work around the issue with group nesting.

/andreas

On 04/12/2016 02:41 PM, Andreas Calminder wrote:
> Hello,
> I've got a pretty strange problem with FreeIPA 4.2.0-15.el7 running on RHEL 7.2 and wondering if anyone can shed some light on it.
>
> I've set up a winsync agreement and it seems to be working fine, stuff gets synced from the AD to IPA. I've also got the PassSync application installed on all Windows domain controllers and it's behaving a bit unexpectedly. It would seem that password changes initiated on the Windows side do not work for my user, however a change for another user passes just fine.
>
> From the passsync.log from the same Windows DC:
>
> User:
> 04/08/16 16:29:12: Attempting to sync password for user1
> 04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
> 04/08/16 16:29:12: Password modified for remote entry: uid=user1,cn=users,cn=accounts,dc=linux,dc=se
> 04/08/16 16:29:12: Removing password change from list
>
> Me:
> 04/08/16 16:31:45: Searching for (ntuserdomainid=me)
> 04/08/16 16:31:45: Ldap error in ModifyPassword 50: Insufficient access
> 04/08/16 16:31:45: Modify password failed for remote entry: uid=me,cn=users,cn=accounts,dc=linux,dc=se
> 04/08/16 16:31:45: Deferring password change for me
> 04/08/16 16:31:45: Backing off for 2000ms
>
> Are there different permissions per user, or does the passsync user on the IPA side need to update its permissions (the user "me" is an IPA administrator)? I'm currently running an older ipa version 3.0.0-37.el6 against the same DCs, same passsync user and password, where this works. It also works fine in my test environment (4.2.0).
>
> Am I missing something obvious or am I doing something wrong?
>
> Best regards,
> Andreas
[Freeipa-users] Winsync agreement password sync failing for specific user on the IPA side
Hello,
I've got a pretty strange problem with FreeIPA 4.2.0-15.el7 running on RHEL 7.2 and wondering if anyone can shed some light on it.

I've set up a winsync agreement and it seems to be working fine, stuff gets synced from the AD to IPA. I've also got the PassSync application installed on all Windows domain controllers and it's behaving a bit unexpectedly. It would seem that password changes initiated on the Windows side do not work for my user, however a change for another user passes just fine.

From the passsync.log from the same Windows DC:

User:
04/08/16 16:29:12: Attempting to sync password for user1
04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
04/08/16 16:29:12: Password modified for remote entry: uid=user1,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:29:12: Removing password change from list

Me:
04/08/16 16:31:45: Searching for (ntuserdomainid=me)
04/08/16 16:31:45: Ldap error in ModifyPassword 50: Insufficient access
04/08/16 16:31:45: Modify password failed for remote entry: uid=me,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:31:45: Deferring password change for me
04/08/16 16:31:45: Backing off for 2000ms

Are there different permissions per user, or does the passsync user on the IPA side need to update its permissions (the user "me" is an IPA administrator)? I'm currently running an older ipa version 3.0.0-37.el6 against the same DCs, same passsync user and password, where this works. It also works fine in my test environment (4.2.0).

Am I missing something obvious or am I doing something wrong?

Best regards,
Andreas
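The passsync.log excerpt in the post above is the kind of evidence a defender wants to scan across every domain controller: which users' password changes landed in IPA, and which ones the directory server rejected and PassSync keeps deferring. The following is an added example, not code from the thread or from the PassSync project. It folds passsync.log lines into one result per ntuserdomainid and flags LDAP result code 50 (insufficientAccessRights) separately, since that code means the bind identity PassSync uses was denied the modify rather than the user being absent. The sample lines are a constructed file built from the lines quoted in the post; the line formats the regexes expect are taken from those lines and are assumed to hold for the rest of the log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the passsync.log lines quoted in the post above, one per line.
SAMPLE_LOG = """\
04/08/16 16:29:12: Attempting to sync password for user1
04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
04/08/16 16:29:12: Password modified for remote entry: uid=user1,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:29:12: Removing password change from list
04/08/16 16:31:45: Searching for (ntuserdomainid=me)
04/08/16 16:31:45: Ldap error in ModifyPassword 50: Insufficient access
04/08/16 16:31:45: Modify password failed for remote entry: uid=me,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:31:45: Deferring password change for me
04/08/16 16:31:45: Backing off for 2000ms
"""

# Each log line is "MM/DD/YY HH:MM:SS: message" (format assumed from the quoted lines).
LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (?P<msg>.*)$")
SEARCH_RE = re.compile(r"^Searching for \(ntuserdomainid=(?P<user>[^)]+)\)$")
OK_RE = re.compile(r"^Password modified for remote entry: (?P<dn>.+)$")
LDAPERR_RE = re.compile(r"^Ldap error in (?P<op>\w+) (?P<code>\d+): (?P<text>.*)$")
FAIL_RE = re.compile(r"^Modify password failed for remote entry: (?P<dn>.+)$")
DEFER_RE = re.compile(r"^Deferring password change for (?P<user>\S+)$")

# LDAP result code 50 is insufficientAccessRights: the DS denied the modify to the bind identity.
LDAP_INSUFFICIENT_ACCESS = 50


@dataclass
class SyncResult:
    user: str
    status: str = "unknown"          # "ok", "failed" or "unknown"
    dn: Optional[str] = None         # IPA entry PassSync tried to modify
    ldap_code: Optional[int] = None  # LDAP result code from the failed modify
    ldap_text: Optional[str] = None
    last_seen: Optional[str] = None  # timestamp of the last line about this user
    deferrals: int = 0               # how often PassSync postponed the change


def parse_passsync_log(text: str) -> Dict[str, SyncResult]:
    """Fold passsync.log lines into one SyncResult per ntuserdomainid.

    PassSync logs 'Searching for (ntuserdomainid=...)' before it acts on a
    user, so that line opens a per-user context; the outcome lines that follow
    are attributed to that user until the next search line.
    """
    results: Dict[str, SyncResult] = {}
    current: Optional[SyncResult] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped PassSync line; ignore it
        ts, msg = m.group("ts"), m.group("msg")
        s = SEARCH_RE.match(msg)
        if s:
            current = results.setdefault(s.group("user"), SyncResult(user=s.group("user")))
            current.last_seen = ts
            continue
        if current is None:
            continue  # outcome line before any search line; nothing to attach it to
        current.last_seen = ts
        o, e, f, d = OK_RE.match(msg), LDAPERR_RE.match(msg), FAIL_RE.match(msg), DEFER_RE.match(msg)
        if o:
            current.status, current.dn = "ok", o.group("dn")
        elif e:
            current.ldap_code, current.ldap_text = int(e.group("code")), e.group("text")
        elif f:
            current.status, current.dn = "failed", f.group("dn")
        elif d:
            current.deferrals += 1
    return results


def failed_syncs(results: Dict[str, SyncResult]) -> List[SyncResult]:
    """Users whose password change was rejected by the IPA directory server."""
    return [r for r in results.values() if r.status == "failed"]


def report(results: Dict[str, SyncResult]) -> List[str]:
    """One human-readable line per user, naming permission failures explicitly."""
    out = []
    for r in results.values():
        if r.status != "failed":
            out.append(f"{r.user}: {r.status} ({r.dn}) at {r.last_seen}")
            continue
        why = ("insufficient access for the PassSync bind user"
               if r.ldap_code == LDAP_INSUFFICIENT_ACCESS else f"LDAP error {r.ldap_code}")
        out.append(f"{r.user}: FAILED, {why}: {r.ldap_text!r}; deferred {r.deferrals}x ({r.dn})")
    return out


if __name__ == "__main__":
    for line in report(parse_passsync_log(SAMPLE_LOG)):
        print(line)
```

Run it over the passsync.log of each DC to get the list of accounts whose changes are being deferred; a growing deferral count for the same user is the signal that the change is being retried against a permission problem rather than a transient outage, and the affected accounts can then be compared against group membership, which is where the follow-up in this thread (the bugzilla and the group-nesting workaround) points.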
[Freeipa-users] FreeIPA 4.1 -> 4.2 replica upgrade process
Hello!

This might be trivial but I want to double check the preferred way of upgrading my ipa environment. I have 3 servers (running RHEL 7.1, ipa 4.1): 1 acting as master with a CA (external certificate); the replicas are also CAs, they're only syncing to and from the master, unaware of each other. The replicas handle all client requests. The master also runs a one-way winsync agreement with one of our Active Directory servers.

For some reason I think that I should start by upgrading the replicas and upgrade the master last, but I don't know why, I might have read it somewhere, long ago. Is this the preferred way, does order even matter? The documentation just says /yum update ipa-server/ which seems easy enough, but I'd rather double check.

Best regards,
Andreas
Re: [Freeipa-users] FreeIPA 4.1 -> 4.2 replica upgrade process
Great, thanks! I'll just go ahead and yum update then :).

/andreas

On 11/30/2015 11:58 AM, Martin Basti wrote:
> On 30.11.2015 10:12, Andreas Calminder wrote:
> > Hello!
> >
> > This might be trivial but I want to double check the preferred way of upgrading my ipa environment. I have 3 servers (running RHEL 7.1, ipa 4.1): 1 acting as master with a CA (external certificate); the replicas are also CAs, they're only syncing to and from the master, unaware of each other. The replicas handle all client requests. The master also runs a one-way winsync agreement with one of our Active Directory servers.
> >
> > For some reason I think that I should start by upgrading the replicas and upgrade the master last, but I don't know why, I might have read it somewhere, long ago. Is this the preferred way, does order even matter? The documentation just says /yum update ipa-server/ which seems easy enough, but I'd rather double check.
> >
> > Best regards,
> > Andreas
>
> Hello,
> replicas and master are equal, so it should not matter which is upgraded first.
>
> Martin
Re: [Freeipa-users] Sudo default options
All right, thanks a million!

/andreas

On 10/05/2015 11:29 AM, Pavel Březina wrote:
> On 10/05/2015 10:58 AM, Andreas Calminder wrote:
> > Hi,
> > guessing this is a quite frequent question, but I can't find any solid information about the topic. I want to specify a set of default sudo options so I don't have to specify these options for every other sudo rule I create. There's supposed to be a magic "defaults" rule. This old document (https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf) suggests it's cn=defaults,ou=sudorules,dc=example,dc=com, which doesn't exist in my ipa 4.1 installation; others suggest it's under ou=sudoers,dc=example,dc=com. When poking around in LDAP it looks like it could also be cn=sudorules,cn=sudo,dc=example,dc=com, but there is no way to be sure.
> >
> > Also, might it be as simple as creating a defaults rule in the web UI or CLI with the default options set, or is this an ldapmodify action?
>
> Hi,
> just create a sudo rule named "defaults" through ipa cli or wui.
Re: [Freeipa-users] ipa-server-install and ipactl fails after reboot
Solved this on my own. In case anyone else hits this on RHEL 7 with ipa-server 4.1.0-18, just start the dirsrv and tomcat instances by hand:

# systemctl start dir...@realm.name
# systemctl start pki-tomcatd@pki-tomcat.service

and then run your installer again:

# ipa-server-install --external-cert-file=ca_chain_and_ipa_cert.pem

Sorry for the noise!
/andreas

On 09/28/2015 12:27 PM, Andreas Calminder wrote:
> Hello,
> I have a really strange problem while installing the ipa-server. I've installed the server like this:
>
> # ipa-server-install --idstart=7640 -N --realm=DOMAIN.TLD --hostname=idm1.sub.domain.tld -n domain.tld --external-ca --external-ca-type=ms-cs
>
> I get the CSR and send it off to our AD admin, I power off the machine and take a snapshot, because you know, if anything goes wrong I want a clean snapshot. I start up the machine and try to run the installer a second time, like suggested by the installer:
>
> # ipa-server-install --external-cert-file=/tmp/ipa.crt --external-cert-file=/tmp/ca_chain.crt
>
> It fails with "Unable to access directory server: Can't contact ldap server". Ok, fine, because it wasn't started after reboot.
>
> # ipactl start
> Starting Directory Service
> Failed to read data from service file: Failed to get list of services to probe status!
> Configured hostname 'idm1.sub.domain.tld' does not match any master server in LDAP:
> idm1.sub.domain.tld
> Shutting down
>
> I reverted back to my snapshot, I still get the same error message. I can start the dirsrv without problem with systemctl start dirsrv@DOMAIN-TLD.
>
> Running ipactl -d:
>
> ipactl -d status
> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='klist' '-V'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=Kerberos 5 version 1.12.2
[Freeipa-users] ipa-server-install and ipactl fails after reboot
Hello,
I have a really strange problem while installing the ipa-server. I've installed the server like this:

# ipa-server-install --idstart=7640 -N --realm=DOMAIN.TLD --hostname=idm1.sub.domain.tld -n domain.tld --external-ca --external-ca-type=ms-cs

I get the CSR and send it off to our AD admin, I power off the machine and take a snapshot, because you know, if anything goes wrong I want a clean snapshot. I start up the machine and try to run the installer a second time, like suggested by the installer:

# ipa-server-install --external-cert-file=/tmp/ipa.crt --external-cert-file=/tmp/ca_chain.crt

It fails with "Unable to access directory server: Can't contact ldap server". Ok, fine, because it wasn't started after reboot.

# ipactl start
Starting Directory Service
Failed to read data from service file: Failed to get list of services to probe status!
Configured hostname 'idm1.sub.domain.tld' does not match any master server in LDAP:
idm1.sub.domain.tld
Shutting down

I reverted back to my snapshot, I still get the same error message. I can start the dirsrv without problem with systemctl start dirsrv@DOMAIN-TLD.

Running ipactl -d:

ipactl -d status
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='klist' '-V'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.12.2
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module