Re: [Freeipa-users] Services and Keytabs for load-balanced hostnames
Thanks Alexander. Reviewing the proxy requirements now.

On Tue, Nov 25, 2014 at 3:32 PM, Alexander Bokovoy wrote:
> On Tue, 25 Nov 2014, Dimitar Georgievski wrote:
>> My case for HTTP load balancing is a little different. Ideally I would like
>> to use a real load balancer (A10 in this case) for balancing HTTP and HTTPS
>> services. Would that be possible?
>>
>> Based on the info in this thread, and the Apache configuration for IPA
>> (ipa.conf), the following steps were performed:
>> - Added host for sso.example.com
>> - Added service for HTTP/sso.example.com
>> - Added a new entry for HTTP/sso.example.com to /etc/httpd/conf/ipa.keytab.
>>   This keytab is listed in conf.d/ipa.conf under the Location '/ipa'
>>   group of directives:
>>     ipa-getkeytab -s `hostname` -p HTTP/sso.example.com -k /etc/httpd/conf/ipa.keytab
>> - Modified conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect
>>   requests to sso.example.com
>>
>> The login page loads but unfortunately authentication is failing with an
>> HTTP 401 (unauthorized) response from the server. I wonder what I am doing
>> wrong.
>>
> Can you show your /var/log/krb5kdc.log, lines concerning
> HTTP/sso.example.com principal at the time you are trying to access IPA
> UI.
>
> FreeIPA limits service principals' ability to impersonate user
> principals (or any other principals). FreeIPA UI runs as HTTP/ principal
> and is given permission to impersonate user principal when talking to
> ldap/ service. This setup is explicit and requires additional
> configuration for those Kerberos principals which ask for additional
> access.
>
> For more detailed description read my article at
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>
> --
> / Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Services and Keytabs for load-balanced hostnames
My case for HTTP load balancing is a little different. Ideally I would like to use a real load balancer (A10 in this case) for balancing HTTP and HTTPS services. Would that be possible?

Based on the info in this thread, and the Apache configuration for IPA (ipa.conf), the following steps were performed:
- Added host for sso.example.com
- Added service for HTTP/sso.example.com
- Added a new entry for HTTP/sso.example.com to /etc/httpd/conf/ipa.keytab. This keytab is listed in conf.d/ipa.conf under the Location '/ipa' group of directives:
    ipa-getkeytab -s `hostname` -p HTTP/sso.example.com -k /etc/httpd/conf/ipa.keytab
- Modified conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect requests to sso.example.com

The login page loads but unfortunately authentication is failing with an HTTP 401 (unauthorized) response from the server. I wonder what I am doing wrong.

IPA ver is 3.0 running on CentOS 6.5, 64bit

Thanks

Dimitar

On Tue, Sep 30, 2014 at 3:01 AM, Petr Spacek wrote:
> On 29.9.2014 23:12, Simo Sorce wrote:
>> On Mon, 29 Sep 2014 23:25:08 +0300
>> Alexander Bokovoy wrote:
>>> On Mon, 29 Sep 2014, Mark Heslin wrote:
>>>> Folks,
>>>>
>>>> I'm looking for the best approach to take for configuring IdM clients to
>>>> access web services (HTTP) with keytabs when a front-end load-balanced
>>>> hostname is in place.
>>>>
>>>> I have a distributed OpenShift Enterprise configuration with three broker
>>>> hosts (broker1, broker2, broker3) with all three configured as IdM clients.
>>>> IdM is configured with one server (idm-srv1.example.com), one replica
>>>> (idm-srv2.example.com); an HTTP service has been created for each broker host:
>>>>
>>>>   # ipa service-add HTTP/broker1.example.com
>>>>   # ipa service-add HTTP/broker2.example.com
>>>>   # ipa service-add HTTP/broker3.example.com
>>>>
>>>> A DNS round-robin hostname called 'broker.example.com' has also been
>>>> configured to distribute broker requests across the three brokers:
>>>>
>>>>   # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.11
>>>>   # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.12
>>>>   # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.13
>>>>
>>>> Effectively, this creates a DNS A record that acts as a pseudo DNS
>>>> load-balancer.
>>>>
>>>> To access the HTTP services, we have been creating keytabs for the first
>>>> broker host:
>>>>
>>>>   # ipa-getkeytab -s idm-srv1.example.com -p HTTP/broker1.example@example.com -k /var/www/openshift/broker/httpd/conf.d/http.keytab
>>>>
>>>> and copying the keytab over to the other two OpenShift broker hosts. This
>>>> all works fine but in the event that broker1 should go down, the other
>>>> broker hosts will lose access to the web service.
>>>>
>>>> Ideally, we would like to have web services use the more generic, "load
>>>> balanced" hostname (broker.example.com) and in turn have the keytabs use
>>>> this name as well.
>>>>
>>>> I tried creating an HTTP service using the "load balanced" hostname
>>>> (broker.example.com) but that appears to fail due to broker.example.com
>>>> not being a valid host within IdM:
>>>>
>>>>   # ipa service-add HTTP/broker.example.com
>>>>   ipa: ERROR: The host 'broker.example.com' does not exist to add a service to.
>>>>
>>>> In the F18 FreeIPA guide it discusses creating a combined keytab file
>>>> (Section 6.5.4) using ktutil:
>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#Using_the_Same_Service_Principal_for_Multiple_Services
>>>> but would that still work as intended should a broker host go down?
>>>>
>>>> The next section (6.5.5) mentions creating a keytab to create a service
>>>> principal that can be used across multiple hosts:
>>>>
>>>>   # ipa-getkeytab -s kdc.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e des-cbc-crc
>>>>
>>>> Which seems more in line with my thinking and exactly what we've been
>>>> doing but again, if I try to do that using the "load balanced" hostname
>>>> (broker.example.com) it fails since it's not a valid host within IdM.
>>>>
>>>> What is the best method of doing this?
>>>
>>> Make a host named broker.example.com
>>>
>>>   ipa host-add broker.example.com --force
>>>
>>> --force will make sure to create the host object even if there is no
>>> such name in the DNS.
>>>
>>> Then create services for this host.
>>>
>>> You'll need to set up your balancer hosts to use the proper service
>>> principal instead of allowing them to construct the principal
>>> themselves based on the hostname.
>>
>> Even better tell them to not assume any name: if the server name is NULL
>> GSSAPI will try every key in the keytab. You can even force that
>> behavior with a krb5 config hack even if the app insists on setting a name,
>> by adding "ignore_acceptor_hostname true" in [libdefaults]
>
> I co
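Two checks come up in this thread: confirming that the keytab the web server uses actually contains a key for the balanced name (Alexander's host-add/service-add/ipa-getkeytab procedure), and pulling the krb5kdc.log lines for that principal (what Alexander asks Dimitar for in the later reply). The script below is an added example, not code from the thread or from FreeIPA; both sample texts are constructed, the `klist -kt` layout and the MIT `krb5kdc.log` line layout are assumed from memory, and the refused-request line is an assumed rendering of a KDC rejecting a ticket request, not a captured one.

```python
"""Check a keytab listing for a service principal and pull the KDC log lines
that mention it.  Added example, not from the list thread; sample outputs are
constructed and the denied-request line is an assumed MIT krb5kdc format."""
import re

# Constructed `klist -kt /etc/httpd/conf/ipa.keytab` output (assumed format).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/25/14 15:00:00 HTTP/ipa.example.com@EXAMPLE.COM
   2 11/25/14 15:00:00 HTTP/ipa.example.com@EXAMPLE.COM
   1 11/25/14 15:10:00 HTTP/sso.example.com@EXAMPLE.COM
"""

# Constructed /var/log/krb5kdc.log excerpt (assumed MIT krb5 format): a user
# obtaining a ticket for the balanced name, then the web principal being
# refused a ticket to ldap/ on the user's behalf.
SAMPLE_KDC_LOG = """\
Nov 25 15:30:01 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1416927001, etypes {rep=18 tkt=18 ses=18}, dimitar@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Nov 25 15:30:02 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1416927001, etypes {rep=18 tkt=18 ses=18}, dimitar@EXAMPLE.COM for HTTP/sso.example.com@EXAMPLE.COM
Nov 25 15:30:03 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.11: KDC can't fulfill requested option: authtime 0,  HTTP/sso.example.com@EXAMPLE.COM for ldap/ipa.example.com@EXAMPLE.COM, KDC can't fulfill requested option
"""

KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")
KDC_RE = re.compile(
    r"\((?:info|error)\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): "
    r"(?P<status>[^:]+): authtime \d+,\s*(?:etypes \{[^}]*\},\s*)?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<reason>.*))?$"
)


def keytab_principals(klist_output):
    """Map each principal in `klist -kt` output to the set of KVNOs present."""
    found = {}
    for line in klist_output.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found


def keytab_has_principal(klist_output, principal):
    """True when the keytab holds at least one key for `principal`."""
    return principal in keytab_principals(klist_output)


def kdc_events_for(log_text, principal):
    """Return parsed KDC requests where `principal` is the client or the server."""
    events = []
    for line in log_text.splitlines():
        m = KDC_RE.search(line)
        if m and principal in (m.group("client"), m.group("server")):
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count issued tickets versus refused requests."""
    issued = sum(1 for e in events if e["status"] == "ISSUE")
    return {"issued": issued, "failed": len(events) - issued}


if __name__ == "__main__":
    principal = "HTTP/sso.example.com@EXAMPLE.COM"
    print("keytab has %s: %s" % (principal, keytab_has_principal(SAMPLE_KLIST, principal)))
    for ev in kdc_events_for(SAMPLE_KDC_LOG, principal):
        print("%s %s -> %s: %s %s" % (ev["req"], ev["client"], ev["server"],
                                      ev["status"], ev["reason"] or ""))
```

On a real host, feed `keytab_has_principal` the output of `klist -kt` on the keytab Apache is configured with, and feed `kdc_events_for` the KDC log from the IPA server: a ticket for the balanced name being issued to the user while the HTTP/ principal's own request toward ldap/ is refused is the pattern that points at the S4U2Proxy delegation setup Alexander describes rather than at the keytab.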
Re: [Freeipa-users] Monitoring FreeIPA with SNMP
Problem resolved. I completely forgot to check the access privileges in /etc/snmp/snmpd.conf. By default NET-SNMP configures the agent to provide access to the .iso.org.dod.internet.mgmt sub-tree only. The redhat sub-tree is under .iso.org.dod.internet.private.enterprises. I had to add a view on this tree and the appropriate security privileges to access the new community.

The sub-tree could be traversed now with:

    snmpwalk -v 2c -c mycommunity -mALL localhost rhds

> RHDS-MIB::dsAnonymousBinds.389 = Counter64: 1187
> RHDS-MIB::dsUnAuthBinds.389 = Counter64: 1187
> RHDS-MIB::dsSimpleAuthBinds.389 = Counter64: 1213
> RHDS-MIB::dsStrongAuthBinds.389 = Counter64: 227103
> RHDS-MIB::dsBindSecurityErrors.389 = Counter64: 5
> RHDS-MIB::dsInOps.389 = Counter64: 6590347
> RHDS-MIB::dsReadOps.389 = Counter64: 0
> RHDS-MIB::dsCompareOps.389 = Counter64: 6
> RHDS-MIB::dsAddEntryOps.389 = Counter64: 17
> RHDS-MIB::dsRemoveEntryOps.389 = Counter64: 203
> RHDS-MIB::dsModifyEntryOps.389 = Counter64: 70101
> RHDS-MIB::dsModifyRDNOps.389 = Counter64: 0
> RHDS-MIB::dsListOps.389 = Counter64: 0
> RHDS-MIB::dsSearchOps.389 = Counter64: 5959375
> RHDS-MIB::dsOneLevelSearchOps.389 = Counter64: 39
> RHDS-MIB::dsWholeSubtreeSearchOps.389 = Counter64: 5342418
> RHDS-MIB::dsReferrals.389 = Counter64: 0
> RHDS-MIB::dsChainings.389 = Counter64: 0
> RHDS-MIB::dsSecurityErrors.389 = Counter64: 7
> RHDS-MIB::dsErrors.389 = Counter64: 240831
> RHDS-MIB::dsMasterEntries.389 = Counter64: 0
> RHDS-MIB::dsCopyEntries.389 = Counter64: 0
> RHDS-MIB::dsCacheEntries.389 = Counter64: 0
> RHDS-MIB::dsCacheHits.389 = Counter64: 0
> RHDS-MIB::dsSlaveHits.389 = Counter64: 0
> RHDS-MIB::dsEntityDescr.389 = STRING:
> RHDS-MIB::dsEntityVers.389 = STRING: 389-Directory/1.2.11.15
> RHDS-MIB::dsEntityOrg.389 = STRING:
> RHDS-MIB::dsEntityLocation.389 = STRING:
> RHDS-MIB::dsEntityContact.389 = STRING:
> RHDS-MIB::dsEntityName.389 = STRING:

On Tue, Aug 26, 2014 at 12:43 PM, Dimitar Georgievski wrote:
> I have successfully enabled SNMP monitoring of FreeIPA server following
> the instructions available at RedHat's portal:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Monitoring_DS_Using_SNMP.html
>
> The problem is I cannot retrieve any metrics from the monitored server:
>
> Examples:
> Try to walk the whole rhds sub-tree
>
>> snmpwalk -v 2c -c public -mALL localhost rhds
>> RHDS-MIB::rhds = No more variables left in this MIB View (It is past the
>> end of the MIB tree)
>
> I was expecting the redhat sub-tree would be instantiated under
> private/enterprises(2312)
>
> Judging from the snmpwalk output the RHDS sub-tree is missing in the MIB
> view. My understanding is that besides configuring the SNMP agents for
> monitoring I don't need to configure the LDAP/FreeIPA server for
> monitoring. Is there anything else I need to configure, that is maybe not
> mentioned in the documentation?
>
> We are using
> - FreeIPA 3.0.0
> - CentOS release 6.5 x86_64
> - NET-SNMP version 5.5
>
> dirsrv-snmp agent configuration
> /etc/dirsrv/config/ldap-agent.conf
>
>> agentx-master /var/agentx/master
>> agent-logdir /var/log/dirsrv
>> server slapd-EXAMPLE-COM
>
> and log output
>
>> 2014-08-26 10:58:48 Starting ldap-agent...
>> 2014-08-26 10:58:48 Started ldap-agent as pid 27008
>
> snmpd AgentX log output
>
>> Aug 26 10:43:48 106 snmpd[26607]: Turning on AgentX master support.
>> Aug 26 10:43:48 106 snmpd[26609]: NET-SNMP version 5.5
>
> Thanks
>
> Dimitar
[Freeipa-users] Monitoring FreeIPA with SNMP
I have successfully enabled SNMP monitoring of FreeIPA server following the instructions available at RedHat's portal:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Monitoring_DS_Using_SNMP.html

The problem is I cannot retrieve any metrics from the monitored server:

Examples:
Try to walk the whole rhds sub-tree

> snmpwalk -v 2c -c public -mALL localhost rhds
> RHDS-MIB::rhds = No more variables left in this MIB View (It is past the
> end of the MIB tree)

I was expecting the redhat sub-tree would be instantiated under private/enterprises(2312)

Judging from the snmpwalk output the RHDS sub-tree is missing in the MIB view. My understanding is that besides configuring the SNMP agents for monitoring I don't need to configure the LDAP/FreeIPA server for monitoring. Is there anything else I need to configure, that is maybe not mentioned in the documentation?

We are using
- FreeIPA 3.0.0
- CentOS release 6.5 x86_64
- NET-SNMP version 5.5

dirsrv-snmp agent configuration
/etc/dirsrv/config/ldap-agent.conf

> agentx-master /var/agentx/master
> agent-logdir /var/log/dirsrv
> server slapd-EXAMPLE-COM

and log output

> 2014-08-26 10:58:48 Starting ldap-agent...
> 2014-08-26 10:58:48 Started ldap-agent as pid 27008

snmpd AgentX log output

> Aug 26 10:43:48 106 snmpd[26607]: Turning on AgentX master support.
> Aug 26 10:43:48 106 snmpd[26609]: NET-SNMP version 5.5

Thanks

Dimitar
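Once the snmpd view covers the enterprises sub-tree, the walk output in this thread is what a monitoring job has to consume. The script below is an added example, not part of the thread or of the 389-ds SNMP agent: it parses `snmpwalk -mALL` rows into typed values, recognises the "No more variables left in this MIB View" response as an empty view rather than as a server with zero activity, and picks out the security-error counters that are worth alerting on between two polls. The two sample texts are constructed from lines shown in the thread.

```python
"""Parse `snmpwalk -mALL ... rhds` output into named counters and flag an empty
MIB view.  Added example, not from the thread; the sample text below is a
constructed subset of the walk output shown in the thread."""
import re

# Constructed subset of the RHDS-MIB walk shown in the thread.
WALK_OK = """\
RHDS-MIB::dsAnonymousBinds.389 = Counter64: 1187
RHDS-MIB::dsSimpleAuthBinds.389 = Counter64: 1213
RHDS-MIB::dsBindSecurityErrors.389 = Counter64: 5
RHDS-MIB::dsSecurityErrors.389 = Counter64: 7
RHDS-MIB::dsErrors.389 = Counter64: 240831
RHDS-MIB::dsEntityVers.389 = STRING: 389-Directory/1.2.11.15
RHDS-MIB::dsEntityDescr.389 = STRING:
"""

# Constructed: what the same walk looks like when snmpd's view does not cover
# the enterprises sub-tree (the symptom at the start of the thread).
WALK_EMPTY = """\
RHDS-MIB::rhds = No more variables left in this MIB View (It is past the end of the MIB tree)
"""

ROW_RE = re.compile(
    r"^(?:[\w-]+::)?(?P<name>\w+)\.(?P<port>\d+) = (?P<type>\w+): ?(?P<value>.*)$")


def parse_walk(text):
    """Return {(name, port): value}; Counter/Gauge/INTEGER values become ints."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        if m.group("type").startswith(("Counter", "Gauge", "INTEGER")):
            value = int(value)
        rows[(m.group("name"), int(m.group("port")))] = value
    return rows


def walk_is_empty(text):
    """True when the walk returned nothing, i.e. the OID is outside the agent's view."""
    return "No more variables left in this MIB View" in text and not parse_walk(text)


def security_counters(rows, port=389):
    """Pick out the counters a monitor would alert on (names from RHDS-MIB)."""
    names = ("dsBindSecurityErrors", "dsSecurityErrors", "dsErrors")
    return {n: rows.get((n, port), 0) for n in names}


def counter_delta(before, after):
    """Per-counter increase between two polls (Counter64 values only grow)."""
    return {k: after[k] - before[k] for k in after if k in before}


if __name__ == "__main__":
    rows = parse_walk(WALK_OK)
    print(security_counters(rows))
    print("empty view:", walk_is_empty(WALK_EMPTY))
```

Polling `security_counters` on an interval and feeding consecutive results to `counter_delta` turns the raw Counter64 totals into a rate of failed binds per interval, which is the figure to threshold on; the `walk_is_empty` check keeps a misconfigured view from being reported as a healthy, idle directory.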
[Freeipa-users] Automembership not working
Hi,

I am trying to create rules to place users in given user groups based on the value of the ou (Organization Unit) field in their profiles. For some reason it is not working, and I am trying to understand why.

The rule is very simple and looks like this:

> ipa automember-find engineering
> Grouping Type: group
> ---
> 1 rules matched
> ---
>   Description: Add automatically Engineering users to engineering User Group
>   Automember Rule: engineering
>   Inclusive Regex: ou=^Engineering

With this rule in place I would expect all the new users with ou=Engineering to be automatically placed in the engineering user group.

I am using FreeIPA v3.0.0 on CentOS 6.5

Thanks

Dimitar

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
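One way to see what a rule such as `ou=^Engineering` would and would not match before relying on it: the script below is an added illustration, not FreeIPA's or the 389-ds automember plugin's code. It assumes the plugin's documented semantics (each rule is `attribute=regex`, the regex is searched against every value of that attribute, any exclusive match overrides the inclusive ones) and assumes the match is case-sensitive; the user entries are constructed.

```python
"""Evaluate FreeIPA automember inclusive/exclusive regex rules against a user
entry locally.  Added illustration, not FreeIPA's code: it assumes the
semantics of the 389-ds automember plugin (rule form "attr=regex", regex
searched against each value of attr, an exclusive match overrides inclusive)
and a case-sensitive match."""
import re


def parse_rule(rule):
    """Split 'ou=^Engineering' into ('ou', compiled regex)."""
    attr, _, pattern = rule.partition("=")
    if not pattern:
        raise ValueError("rule must look like attr=regex: %r" % rule)
    return attr.lower(), re.compile(pattern)


def _matches(entry, rule):
    attr, regex = parse_rule(rule)
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(regex.search(v) for v in values)


def rule_applies(entry, inclusive=(), exclusive=()):
    """True when at least one inclusive regex matches and no exclusive regex does."""
    if any(_matches(entry, r) for r in exclusive):
        return False
    return any(_matches(entry, r) for r in inclusive)


# Constructed entries in the shape `ipa user-show --all --raw` would give
# (attribute values are lists).
USERS = {
    "jsmith": {"uid": ["jsmith"], "ou": ["Engineering"]},
    "akumar": {"uid": ["akumar"], "ou": ["engineering"]},        # case differs
    "bwong":  {"uid": ["bwong"],  "ou": ["Sales Engineering"]},  # not at start of value
    "ctran":  {"uid": ["ctran"]},                                # no ou set
}

# The rule from the thread, as automember-find displays it.
ENGINEERING_RULE = {"inclusive": ["ou=^Engineering"], "exclusive": []}


def members_for(rule, users=USERS):
    """Which users the rule would place in the group."""
    return sorted(uid for uid, entry in users.items()
                  if rule_applies(entry, rule["inclusive"], rule["exclusive"]))


if __name__ == "__main__":
    print(members_for(ENGINEERING_RULE))
```

The `^` anchor is what keeps "Sales Engineering" out and an unset `ou` matches nothing; an `exclusive` rule such as `uid=^svc-` would then carve service accounts back out even when their `ou` matches.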
Re: [Freeipa-users] Export data
In my case DNS is not an issue, FreeIPA is integrated with existing DNS servers.

The above procedure would work for migrating the users' data to a new IPA server that has a new host name. What if I would like to restore the original IPA server? Could I repeat the above steps with the exception of #4, in which I would restore backed-up certificates and keytab files. This should avoid the need to regenerate them, no?

In short, how would you perform a full back-up and restore of the Primary IPA server? I understand this is not a trivial task for the IPA server and from what I've learned it is probably not fully supported in the current ver 3.x

Thanks,

Dimitar

On Thu, Jan 23, 2014 at 1:32 AM, Martin Kosek wrote:
> On 01/22/2014 06:57 PM, Petr Viktorin wrote:
>> On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
>>> Would you use ldapmodify -f file-name-with-exported-data to import the
>>> data back to a new copy of FreeIPA?
>>
>> No, that generally won't work. There's more to IPA than the data in LDAP.
>> Instead of copying data you should install the new server as a replica of the
>> old one.
>
> That would give you FreeIPA with the same domain, realm or certificate subject
> name.
>
> If you want to start with different settings, I would recommend:
>
> 1) Installing new IPA server
> 2) Using "ipa migrate-ds" command to migrate users and groups
> 3) Use the ldapsearch&ldapmodify to migrate DNS (you may need to change the DN
>    in the LDIF file to use correct SUFFIX if the realm changed)
> 4) For all hosts - unenroll and enroll again against the new IPA. This is
>    needed to regenerate the new certificates or host keytab
>
> HTH,
> Martin
Re: [Freeipa-users] Export data
Would you use ldapmodify -f file-name-with-exported-data to import the data back to a new copy of FreeIPA?

Thanks

Dimitar

On Wed, Jan 22, 2014 at 8:52 AM, Petr Spacek wrote:
> On 22.1.2014 14:40, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
>>>> Hi guys,
>>>>
>>>> I'm trying to get a dump of all users, hosts and DNS entries from IPA so we
>>>> can run scripts/Puppet against them.
>>>>
>>>> Tried searching for it but cannot find anything, so was hoping someone can
>>>> give some hints on how best to do this please.
>>>
>>> You can either export them via ldapsearch:
>>>
>>> $ kinit admin
>>> $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>>>
>>> ... or write a Python script to do what you want. Very simple example:
>>>
>>> $ kinit admin
>>> $ python
>>> from ipalib import api
>>> api.bootstrap()
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>> users = api.Command.user_find()
>>> for user in users['result']:
>>>     print "%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0])
>>>
>>> admin:191360:191360
>>> tuser:191361:191361
>>
>> Be aware that there are some search limits too, both in size and time.
>> Some of this is configurable from the client side, some on the server.
>
> You can use standard zone transfer for DNS:
>
> See
> https://www.redhat.com/archives/freeipa-users/2013-September/msg00022.html
> https://www.redhat.com/archives/freeipa-users/2013-September/msg00047.html
>
> --
> Petr^2 Spacek
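Rob's warning about search limits is the part of Martin's snippet that bites in practice: a `user_find` that hit the server's size or time limit still returns a `result` list, just a shorter one, and a Puppet run fed from it would quietly drop accounts. The script below is an added example, not the thread's snippet or FreeIPA's code: it keeps the same `ipalib` bootstrap calls as the snippet (IPA 3.x, `xmlclient`), passes `sizelimit=0` to lift the client-side cap, and refuses to format a result whose `truncated` flag is set. The formatting helpers work on saved results without `ipalib`; the fetch functions need an enrolled IPA host and a valid ticket from `kinit`. The sample results are constructed.

```python
"""Export users and hosts from FreeIPA as passwd-style lines while refusing to
silently accept a truncated search result.  Added example in the spirit of the
snippet in the thread; formatting helpers work on saved results without
ipalib, the fetch functions need an enrolled IPA host with a valid ticket."""
try:
    from ipalib import api  # present on IPA servers and clients
except ImportError:         # elsewhere: only the offline helpers are usable
    api = None


class TruncatedResult(Exception):
    """Raised when the server's size/time limit cut the result short."""


def _check_complete(result):
    # ipa *-find results carry a 'truncated' flag when a search limit was hit.
    if result.get("truncated"):
        raise TruncatedResult("got %d entries but the search was truncated; "
                              "raise sizelimit/timelimit on the client or the "
                              "server-side limits" % result.get("count", 0))


def passwd_lines(result):
    """uid:uidNumber:gidNumber for every user in a user_find result."""
    _check_complete(result)
    return ["%s:%s:%s" % (u["uid"][0], u["uidnumber"][0], u["gidnumber"][0])
            for u in result["result"]]


def host_fqdns(result):
    """fqdn for every host in a host_find result."""
    _check_complete(result)
    return [h["fqdn"][0] for h in result["result"]]


def connect():
    """Bootstrap ipalib the way the thread's snippet does (IPA 3.x client)."""
    api.bootstrap()
    api.finalize()
    api.Backend.xmlclient.connect()


def fetch_users():
    # sizelimit=0 asks for no client-side cap; the server limit still applies
    # and shows up as truncated=True, which passwd_lines turns into an error.
    return passwd_lines(api.Command.user_find(sizelimit=0))


def fetch_hosts():
    return host_fqdns(api.Command.host_find(sizelimit=0))


# Constructed results in the shape api.Command.user_find / host_find return
# (attribute values are lists, as in the thread's snippet).
SAMPLE_USERS = {
    "count": 2, "truncated": False,
    "result": [
        {"uid": ["admin"], "uidnumber": ["191360"], "gidnumber": ["191360"]},
        {"uid": ["tuser"], "uidnumber": ["191361"], "gidnumber": ["191361"]},
    ],
}
SAMPLE_TRUNCATED = {
    "count": 1, "truncated": True,
    "result": [{"uid": ["admin"], "uidnumber": ["191360"], "gidnumber": ["191360"]}],
}
SAMPLE_HOSTS = {"count": 1, "truncated": False,
                "result": [{"fqdn": ["broker1.example.com"]}]}

if __name__ == "__main__":
    for line in passwd_lines(SAMPLE_USERS):
        print(line)
    if api is not None:
        connect()
        print("\n".join(fetch_users() + fetch_hosts()))
```

Failing loudly on `truncated` is the point: a configuration-management run should stop rather than converge on a partial list of accounts and hosts.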
Re: [Freeipa-users] Sudo policy not working with group of servers
Setting the nis domain resolved the issue with the host groups.

Thanks

Dimitar

On Tue, Jan 14, 2014 at 10:41 AM, Martin Kosek wrote:
> On 01/14/2014 04:27 PM, Dimitar Georgievski wrote:
>> Hi,
>>
>> I've been trying to create a simple sudo policy, that would grant certain
>> privileges to a group of users on a group of hosts. The policy would not
>> work unless I specify the hosts individually in the Sudo Rule definition
>> page under the "Access this host" section.
>>
>> I am using FreeIPA v3.0 and SSSD v1.9.2 on CentOS 6.5
>>
>> Thanks,
>>
>> Dimitar
>
> Hello Dimitar,
>
> I would recommend starting investigation by following this article:
>
> http://www.freeipa.org/page/Troubleshooting#sudo_does_not_work_for_hostgroups
>
> Martin
[Freeipa-users] Sudo policy not working with group of servers
Hi,

I've been trying to create a simple sudo policy, that would grant certain privileges to a group of users on a group of hosts. The policy would not work unless I specify the hosts individually in the Sudo Rule definition page under the "Access this host" section.

I am using FreeIPA v3.0 and SSSD v1.9.2 on CentOS 6.5

Thanks,

Dimitar
Re: [Freeipa-users] Manage records while primary IPA is down
I was referring to user accounts, and I believe they require certificates. With the Primary IPA being down I was not able to create new user entries on the replica servers.

Hopefully the CA fail-over requirement is addressed in a new release of FreeIPA.

Thanks,

Dimitar

On Mon, Jan 13, 2014 at 1:36 PM, Dmitri Pal wrote:
> On 01/13/2014 01:33 PM, Rob Crittenden wrote:
>> Dimitar Georgievski wrote:
>>> This question is really about HA of FreeIPA. I've noticed that new
>>> records cannot be added on the replica server while the primary is down.
>>>
>>> Ideally these services should be always available even when the Primary
>>> server is down (for maintenance or other reasons).
>>>
>>> Is it possible to have another Primary server replicating with the first
>>> Primary or to use one of the Replica servers to manage records while the
>>> Primary server is down.
>>
>> All servers in IPA are equal masters, the only difference may be the
>> services running on any given server (DNS and a CA).
>>
>> The exception is if a master runs out of DNA values or has never been
>> used to add an entry that requires one and the original IPA master is
>> down. An IPA server will request a DNA range the first time it needs
>> one but doesn't get one until then. I'm guessing that is what happened.
>>
>> I believe IPA 3.3 added some options to ipa-replica-manage to be able
>> to control the DNA configuration.
>
> We might be talking about the entries that have certificates. Is this
> the case?
> If so the certificate operations are proxied to the server that has full
> CA but AFAIR there is no failover there and I vaguely recall that there
> was a ticket filed to address this scenario.
>
> So which entries are we talking about?
>
>> rob
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
[Freeipa-users] Manage records while primary IPA is down
This question is really about HA of FreeIPA. I've noticed that new records cannot be added on the replica server while the primary is down.

Ideally these services should be always available even when the Primary server is down (for maintenance or other reasons).

Is it possible to have another Primary server replicating with the first Primary or to use one of the Replica servers to manage records while the Primary server is down.

Thanks

Dimitar
Re: [Freeipa-users] Sudo issues with FreeIPA
Hi Lukas,

Does the LDAP entry need to be removed or just modified? Could the LDAP entry be a sudo policy assigned to the user?

In my tests with modified sudo policies the cache entries would persist even after they were invalidated and the user re-authenticated with the LDAP server. Unless I wanted to wait for a smart refresh of the cache I had to delete the entry from the cache with ldbdel and then restart the SSSD daemon.

I wonder if there is a better way to refresh the cache on demand.

Thanks,

Dimitar

On Sat, Dec 21, 2013 at 3:28 PM, Lukas Slebodnik wrote:
> On (20/12/13 18:42), Dimitar Georgievski wrote:
>> Hi Dmitri,
>>
>> One follow up question about the management of the SSSD local cache. I've
>> tried to clean cache entries with the sss_cache utility, but it looks like
>> this utility is not working. I was able to confirm with ldbsearch that
>> records for specific entries were not removed from the cache.
>>
>> This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon,
>> but just wanted to confirm with you. I suspect you would know more about
>> this problem. Unfortunately I wasn't able to find any info yet about this
>> potential bug.
>>
>> thanks
>>
>> Dimitar
>>
> sss_cache does not remove users from cache (sss_cache -U)
> This utility sets expiration of account to the past (unix time with value 1),
> because user needs to be able to authenticate offline.
> Entry will be removed from cache if user tries to
> authenticate online and entry is removed from LDAP.
>
> LS
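Lukas's explanation means that `ldbsearch` is the right tool to confirm what `sss_cache` did: the entry is still there, but its expiry timestamp has been set to 1. The script below is an added example, not from the thread or from SSSD; it reads an `ldbsearch` dump of the sysdb cache and classifies each entry as invalidated by `sss_cache`, expired on its own, or still fresh. The LDIF is constructed, the cache path in the comment is the conventional one, and the attribute names `dataExpireTimestamp` and `lastUpdate` are assumed to be SSSD's sysdb attributes.

```python
"""Inspect SSSD's sysdb cache (as dumped by ldbsearch) and report which
entries sss_cache has invalidated versus which are still fresh.  Added
example, not part of the thread; the LDIF below is constructed, and the
attribute names (dataExpireTimestamp, lastUpdate) are assumed to be those of
SSSD's sysdb."""

# Constructed output of (path assumed):
#   ldbsearch -H /var/lib/sss/db/cache_example.net.ldb dataExpireTimestamp lastUpdate
SAMPLE_LDB = """\
# record 1
dn: name=jsmith,cn=users,cn=example.net,cn=sysdb
objectClass: user
name: jsmith
lastUpdate: 1387659000
dataExpireTimestamp: 1

# record 2
dn: name=tuser,cn=users,cn=example.net,cn=sysdb
objectClass: user
name: tuser
lastUpdate: 1387659000
dataExpireTimestamp: 1387670000

# record 3
dn: name=allow_vim,cn=sudorules,cn=custom,cn=example.net,cn=sysdb
objectClass: sudoRule
name: allow_vim
lastUpdate: 1387590000
dataExpireTimestamp: 1387600000

# returned 3 records
"""

INVALIDATED = 1  # sss_cache writes this value to force a refresh on next lookup


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} dicts, one per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def cache_state(entries, now):
    """Classify each entry: 'invalidated' (sss_cache), 'expired', or 'fresh'."""
    state = {}
    for e in entries:
        name = e["name"][0]
        exp_values = e.get("dataExpireTimestamp")
        if not exp_values:
            state[name] = "fresh"  # no expiry recorded; assumed not to expire
            continue
        exp = int(exp_values[0])
        if exp == INVALIDATED:
            state[name] = "invalidated"
        elif exp <= now:
            state[name] = "expired"
        else:
            state[name] = "fresh"
    return state


def needs_refresh(entries, now):
    """Names that SSSD will refetch from LDAP on the next online lookup."""
    return sorted(n for n, s in cache_state(entries, now).items() if s != "fresh")


if __name__ == "__main__":
    now = 1387663680  # constructed "current" time (2013-12-21)
    for name, s in sorted(cache_state(parse_ldif(SAMPLE_LDB), now).items()):
        print("%-10s %s" % (name, s))
```

An "invalidated" entry that is still listed is therefore the expected state after `sss_cache`, not a failure: the cached copy survives for offline logins and is replaced, or dropped if LDAP no longer has it, the next time that name is looked up online.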
Re: [Freeipa-users] Sudo issues with FreeIPA
Hi Dmitri,

One follow up question about the management of the SSSD local cache. I've tried to clean cache entries with the sss_cache utility, but it looks like this utility is not working. I was able to confirm with ldbsearch that records for specific entries were not removed from the cache.

This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon, but just wanted to confirm with you. I suspect you would know more about this problem. Unfortunately I wasn't able to find any info yet about this potential bug.

thanks

Dimitar

On Tue, Dec 17, 2013 at 10:40 PM, Dimitar Georgievski wrote:
> Thanks Dmitri. Those settings for ldap in sssd.conf fixed the issue.
>
> Dimitar
>
> On Tue, Dec 17, 2013 at 6:47 PM, Dmitri Pal wrote:
>> On 12/17/2013 06:34 PM, Dimitar Georgievski wrote:
>>> Hi,
>>>
>>> I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works fine except
>>> that I have a problem enforcing sudo policies on the hosts that are part of
>>> the managed domain.
>>>
>>> When trying to run the following simple command as a user managed by
>>> FreeIPA I got the following response:
>>>
>>>   > sudo /usr/bin/vim test.txt
>>>   jsmith is not allowed to run sudo on myhost. This incident will be reported.
>>>
>>> I might have missed something in the configuration of the server or SSSD
>>> on the client host.
>>>
>>> Is there any guideline for sudo integration with FreeIPA?
>>>
>>> The following is the SSSD configuration on the client host:
>>>
>>> [domain/example.net]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = example.net
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> sudo_provider = ldap
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> ipa_hostname = ipaserver.example.net
>>> chpass_provider = ipa
>>> ipa_server = _srv_
>>> ipa_backup_server = replica.example.net
>>> dns_discovery_domain = example.net
>>>
>>> [sssd]
>>> services = nss, pam, ssh, sudo
>>> config_file_version = 2
>>> domains = example.net
>>>
>>> [nss]
>>>
>>> [pam]
>>>
>>> [sudo]
>>> debug_level = 0x3ff0
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>>
>>> Thanks,
>>>
>>> Dimitar
>>
>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
Re: [Freeipa-users] Sudo issues with FreeIPA
Thanks Dmitri. Those settings for ldap in sssd.conf fixed the issue.

Dimitar

On Tue, Dec 17, 2013 at 6:47 PM, Dmitri Pal wrote:
> On 12/17/2013 06:34 PM, Dimitar Georgievski wrote:
>> Hi,
>>
>> I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works fine except
>> that I have a problem enforcing sudo policies on the hosts that are part of
>> the managed domain.
>>
>> When trying to run the following simple command as a user managed by
>> FreeIPA I got the following response:
>>
>>   > sudo /usr/bin/vim test.txt
>>   jsmith is not allowed to run sudo on myhost. This incident will be reported.
>>
>> I might have missed something in the configuration of the server or SSSD
>> on the client host.
>>
>> Is there any guideline for sudo integration with FreeIPA?
>>
>> The following is the SSSD configuration on the client host:
>>
>> [domain/example.net]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = example.net
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> sudo_provider = ldap
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = ipaserver.example.net
>> chpass_provider = ipa
>> ipa_server = _srv_
>> ipa_backup_server = replica.example.net
>> dns_discovery_domain = example.net
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>> domains = example.net
>>
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>> debug_level = 0x3ff0
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> Thanks,
>>
>> Dimitar
>
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
[Freeipa-users] Sudo issues with FreeIPA
Hi,

I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works fine except that I have a problem enforcing sudo policies on the hosts that are part of the managed domain.

When trying to run the following simple command as a user managed by FreeIPA I got the following response:

    > sudo /usr/bin/vim test.txt
    jsmith is not allowed to run sudo on myhost. This incident will be reported.

I might have missed something in the configuration of the server or SSSD on the client host.

Is there any guideline for sudo integration with FreeIPA?

The following is the SSSD configuration on the client host:

    [domain/example.net]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = example.net
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    sudo_provider = ldap
    ldap_tls_cacert = /etc/ipa/ca.crt
    ipa_hostname = ipaserver.example.net
    chpass_provider = ipa
    ipa_server = _srv_
    ipa_backup_server = replica.example.net
    dns_discovery_domain = example.net

    [sssd]
    services = nss, pam, ssh, sudo
    config_file_version = 2
    domains = example.net

    [nss]

    [pam]

    [sudo]
    debug_level = 0x3ff0

    [autofs]

    [ssh]

    [pac]

Thanks,

Dimitar
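The configuration above declares `sudo_provider = ldap` but gives that provider nothing to work with: with SSSD 1.9 the ldap sudo provider does not take its server, search base or SASL settings from the `ipa` id provider, which is what Dimitar's follow-up ("those settings for ldap in sssd.conf fixed the issue") refers to. The script below is an added example, not from the thread or from SSSD: it lints an `sssd.conf` for the sudo wiring and reports which `ldap_*` options the ldap sudo provider is missing. The configuration text is a copy of the one posted; the option names it checks for (`ldap_uri`, `ldap_sudo_search_base`, `ldap_sasl_mech`) are real sssd-ldap options, but treating exactly those three as required is this example's assumption.

```python
"""Lint an sssd.conf for the sudo integration this thread is about.  Added
example, not from the thread or the SSSD project; the config text is a copy
of the one posted, and the ldap_* option names below are real sssd-ldap
options that this example assumes an ldap sudo provider needs when it is not
inheriting them from the ipa id provider."""
import configparser

# The client configuration posted in the thread.
POSTED_SSSD_CONF = """\
[domain/example.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ldap
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipaserver.example.net
chpass_provider = ipa
ipa_server = _srv_
ipa_backup_server = replica.example.net
dns_discovery_domain = example.net

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.net

[nss]
[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
"""

# Options an ldap sudo provider needs explicitly (assumption, see above).
LDAP_SUDO_REQUIRED = ("ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech")


def load(text):
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return cp


def lint_sudo(text):
    """Return a list of findings; an empty list means the sudo wiring looks complete."""
    cp = load(text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services does not include sudo")
    for domain in (d.strip() for d in cp.get("sssd", "domains").split(",")):
        section = "domain/" + domain
        if not cp.has_option(section, "sudo_provider"):
            findings.append("%s: no sudo_provider set" % section)
            continue
        if cp.get(section, "sudo_provider") == "ldap":
            for opt in LDAP_SUDO_REQUIRED:
                if not cp.has_option(section, opt):
                    findings.append("%s: sudo_provider=ldap but %s is missing"
                                    % (section, opt))
    return findings


if __name__ == "__main__":
    for finding in lint_sudo(POSTED_SSSD_CONF) or ["no findings"]:
        print(finding)
```

Run against the posted file it reports the three missing `ldap_*` options for `domain/example.net`; a domain that sets `sudo_provider` to something other than `ldap`, or that supplies all three, produces no findings.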
Re: [Freeipa-users] Install FreeIPA on CentOS 6.4
Christian/Dmitri,

Thank you both for the links. I found that I could follow RedHat's guide for installing and configuring FreeIPA on CentOS 6.4. My biggest worry was the installation part, which has a long list of dependencies.

Thanks

Dimitar

On Wed, Dec 4, 2013 at 11:04 AM, Dmitri Pal wrote:
> On 12/04/2013 10:52 AM, Dimitar Georgievski wrote:
>> hi,
>>
>> I plan to install FreeIPA on CentOS 6.4. Initially FreeIPA should
>> provide secure authentication and authorization for system (shell) accounts
>> (users and groups) by integration with SSSD.
>> There is already a DNS server and FreeIPA should integrate with it.
>>
>> I am looking for some guidelines for installing FreeIPA on CentOS 6.x,
>> possibly from packages, and selectively enabling FreeIPA components. If
>> these questions sound trivial that's because I am new to FreeIPA :-)
>>
>> Thanks,
>>
>> Dimitar
>
> Here are some good references:
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/index.html
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
[Freeipa-users] Install FreeIPA on CentOS 6.4
hi,

I plan to install FreeIPA on CentOS 6.4. Initially FreeIPA should provide secure authentication and authorization for system (shell) accounts (users and groups) by integration with SSSD. There is already a DNS server and FreeIPA should integrate with it.

I am looking for some guidelines for installing FreeIPA on CentOS 6.x, possibly from packages, and selectively enabling FreeIPA components. If these questions sound trivial that's because I am new to FreeIPA :-)

Thanks,

Dimitar