Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Cory Carlton
I feel this is a user ssh file issue, not an sssd issue, when sshing.
The client is seeing a different key exchange from the same IP it once
knew about; the known_hosts file on the client machine (and user) in the
.ssh folder needs to be updated or wiped clean.

If you edit /home/USER/.ssh/known_hosts on the client machine, delete the IP
line.

On Wed, Jun 10, 2015 at 5:33 AM, Bob Hinton wrote:

> Hello,
>
> If I uninstall the ipa client with "ipa-client-install --uninstall" and
> then reinstall it to the same ipa master, most functions work fine.
> However, if I attempt to ssh from the client to the master, I get:
>
> @@@
> @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
> Please contact your system administrator.
> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
> message.
> Offending key in /var/lib/sss/pubconf/known_hosts:1
> RSA host key for ipa004.jackland.co.uk has changed and you have
> requested strict checking.
> Host key verification failed.
>
> I've tried stopping the sssd service on the client, removing
> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
> sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
> and I get the same error (it seems odd that it's reporting that the host
> key of the master has changed when it's the client that has been
> reinstalled). How do I clear out the client's knowledge of the old host
> keys?
>
> In this case I'm using ipa-client v3.0.0 on RHEL6.6.
>
> Thanks
>
> Bob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
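An added check, written for this page and not taken from the thread or from sssd: it computes, for every entry in a known_hosts file, the MD5 colon fingerprint that an OpenSSH 5.x client (RHEL 6) prints in the HOST IDENTIFICATION HAS CHANGED warning, so the reported fingerprint can be traced to the exact line (the warning above points at /var/lib/sss/pubconf/known_hosts:1) and compared with what the master itself reports from ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub before any entry is deleted. Hostnames, IPs and key blobs below are constructed samples, not real keys.

```python
# Added example (not from the thread or sssd): legacy MD5 colon fingerprints for each
# known_hosts entry, so the fingerprint in the ssh warning can be traced to its line.
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH 'string' (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' for a positive integer: big-endian, zero-padded if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def rsa_blob(e: int, n: int) -> str:
    """Base64 'ssh-rsa' blob as stored in known_hosts (used here only to build sample keys)."""
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)).decode()

def md5_fingerprint(b64_blob: str) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the decoded blob as colon-separated hex pairs."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_known_hosts(text: str):
    """Yield (line_no, hosts, keytype, fingerprint) per entry; skips comments and @markers."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker precedes the hosts
            fields = fields[1:]
        hosts, keytype, blob = fields[:3]
        yield line_no, hosts, keytype, md5_fingerprint(blob)

def find_fingerprint(text: str, fingerprint: str):
    """Locate the entry whose key matches the fingerprint from the warning: (line_no, hosts) or None."""
    for line_no, hosts, _keytype, fp in parse_known_hosts(text):
        if fp == fingerprint.lower():
            return line_no, hosts
    return None

# Constructed sample (toy moduli, not real keys) in the layout sssd writes to pubconf/known_hosts.
OLD_KEY = rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
NEW_KEY = rsa_blob(65537, 0xDEADBEEF0123456789ABCDEF)
SAMPLE_KNOWN_HOSTS = (
    "ipa-master.example.test,192.0.2.10 ssh-rsa " + OLD_KEY + "\n"
    "# stale copy a user may still carry in ~/.ssh/known_hosts\n"
    "ipa-master.example.test,192.0.2.10 ssh-rsa " + NEW_KEY + "\n"
)
```

Run find_fingerprint() over the real file contents with the fingerprint from the warning; a match in the sssd-generated file means the key recorded for the host in IPA differs from the one the master presents, which is worth confirming on the master before trusting either copy.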

Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain

2015-06-04 Thread Cory Carlton
I would check for DNS resolution from the machine executing the sudo, to
the IPA server.

On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi wrote:

> Hi
>
> I recently had to remove and reinstall a fresh IPA server. I am
> currently re-enrolling all the ipa clients to the recently refreshed
> domain (same name as the previous realm and domain). The new IPA
> master is RHEL7.1 with IPA 4.1.3.
>
> All client servers are running RHEL6.6.
>
> I also have a sudo rule that allows a group to run all
> commands on all servers:
>
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   User Groups: superusers
>   Sudo Option: !authenticate
> 
>
> I noticed that trying to run sudo on a few of the servers makes the
> command hang indefinitely.
> I am not sure what the cause is or where to look. Please, what can I
> do to troubleshoot and fix this?
>

[Freeipa-users] DNS lookups after replica(master) added

2015-04-22 Thread Cory Carlton
Hey all,

For some reason I never get responses to DNS lookups against my
new servers, which have been stood up and replicated as masters with the CA and
DNS options entered at the command line.

Is there any trick or configuration to allow anonymous access, so that my servers
without the IPA client installed can talk to these?

It does not allow lookups.
iptables has even been turned off for testing.
Telnet to the server on port 53 works.
Stand-alone IPA server: LDAP, DNS, Kerberos usages.


 [root@DOMAIN ~]# ipa dnsconfig-show --rights --all --raw
-
Global DNS configuration is empty
-
  dn: cn=dns,dc=int,dc=DOMAIN,dc=com
  aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow
(read,search,compare) groupdn = "ldap:///cn=Read DNS
Entries,cn=permissions,cn=pbac,dc=int,dc=DOMAIN,dc=com" or userattr =
"parent[0,1].managedby#GROUPDN";)
  aci: (target =
"ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com";)(version 3.0;acl "Add
DNS entries in a zone";allow (add) userattr =
"parent[1].managedby#GROUPDN";)
  aci: (target =
"ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com";)(version 3.0;acl
"Remove DNS entries from a zone";allow (delete) userattr =
"parent[1].managedby#GROUPDN";)
  aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl ||
dnsclass || arecord || record || a6record || nsrecord || cnamerecord ||
ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord
|| minforecord || afsdbrecord || sigrecord || keyrecord || locrecord ||
nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord ||
dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname ||
idnszoneactive || idnssoamname || idnssoarname || idnssoaserial ||
idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum ||
idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr
|| idnsforwardpolicy || idnsforwarders")(target =
"ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com";)(version 3.0;acl
"Update DNS entries in a zone";allow (write) userattr =
"parent[0,1].managedby#GROUPDN";)
  attributelevelrights: {'cn': u'rscwo', 'idnsforwardpolicy': u'rscwo',
'objectclass': u'rscwo', 'idnsallowsyncptr': u'rscwo', 'idnsforwarders':
u'rscwo', 'idnspersistentsearch': u'rscwo', 'idnszonerefresh': u'rscwo',
'aci': u'rscwo', 'nsaccountlock': u'rscwo'}
  cn: dns
  objectclass: idnsConfigObject
  objectclass: nsContainer
  objectclass: top

Re: [Freeipa-users] New Replacing Master server help

2015-02-18 Thread Cory Carlton
Thank you very much for the straightforward items.

I will continue to use these archives (I'm impressed with this group).
I am also improving my use of https://fedorahosted.org/freeipa/wiki

On Wed, Feb 18, 2015 at 12:46 PM, Dmitri Pal wrote:

> On 02/18/2015 12:17 PM, Cory Carlton wrote:
>
> Hey all.
>
> We are in the process of essentially moving data centers while
> additionally changing to a new OS (RHEL from CentOS), so we are building
> replica (with master option) servers on the new networks. Version 3.0; it's
> up and is working like any of our instances.
>
> The question is how or what I need to bring over to the new install
> (replica master(s)) to ensure we have all the original master server
> information, keys, crts, CA, etc. before we can shut it down forever (plus a
> snapshot ;) ).
>
> We have struggled to understand exactly what to back up, since the 3.0
> version is lacking backup scripts.
>
>
> A thought, though not timely at present, would be to upgrade everything in
> place and then migrate; again, the timing isn't right for us.
>
>  Thanks in advance.
>
>  Cory
>
> You need to make sure that at least one of the new replicas (better two)
> acts as an IPA CA.
> You need to move CRL generation to one of the new replicas that are CAs.
> You need to move the certificate tracking from the old master to the new
> replica with CA.
>
> After that you can decommission old master.
>
> All these procedures are documented on the wiki and RHEL docs. You can
> also find some hints in these archives.
>
> Martin, do you think we need a combined wiki page that covers this use
> case, or do we already have something like this?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>

[Freeipa-users] New Replacing Master server help

2015-02-18 Thread Cory Carlton
Hey all.

We are in the process of essentially moving data centers while
additionally changing to a new OS (RHEL from CentOS), so we are building
replica (with master option) servers on the new networks. Version 3.0; it's
up and is working like any of our instances.

The question is how or what I need to bring over to the new install (replica
master(s)) to ensure we have all the original master server information,
keys, crts, CA, etc. before we can shut it down forever (plus a snapshot ;) ).

We have struggled to understand exactly what to back up, since the 3.0
version is lacking backup scripts.


A thought, though not timely at present, would be to upgrade everything in place
and then migrate; again, the timing isn't right for us.

Thanks in advance.

Cory