Re: [Freeipa-users] Automembership not working

2014-05-01 Thread JR Aquino
I don't believe that the attribute is an OU.

try performing a:

ipa group-show engineering --all --raw

I believe that your automember rule wants to be cn=^Engineering

"You cannot hope to secure that which you do not first understand"
~~~~~~~
Jr Aquino
Manager Operation Services, Infrastructure and Application Security
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Systems, Inc | 7408 Hollister Avenue | Goleta, CA 93117
SaaS Division
T:  +1 805.690.3478
jr.aqu...@citrix.com
http://www.citrix.com

On Apr 30, 2014, at 2:10 PM, Dimitar Georgievski  wrote:

> Hi,
> 
> I am trying to create rules to place users in given user groups based on the 
> value of their ou (Organization Unit) field in their profiles. For some 
> reason it is not working, and I am trying to understand why. 
> 
> The rule is very simple and looks like this
>  ipa automember-find engineering
> Grouping Type: group
> ---
> 1 rules matched
> ---
>   Description: Add automatically  Engineering users to engineering User Group
>   Automember Rule: engineering
>   Inclusive Regex: ou=^Engineering
> 
> With this rule in place I would expect all the new users with ou=Engineering 
> to be automatically placed in the engineering user group.
> 
> I am using FreeIPA v3.0.0 on CentOS 6.5 
> 
> Thanks
> 
> Dimitar 
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
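The condition syntax in this thread, attribute=regex, is what the 389-ds automember plugin behind `ipa automember` evaluates: the regex is tried against every value of the named attribute, an exclusive hit vetoes the rule, and attribute names are case-insensitive. The following is an added example, not code from the thread or from FreeIPA: a Python evaluator that parses `ipa user-show --all --raw` style output into an entry, applies inclusive/exclusive conditions with those semantics, and lists which attributes actually carry a value, which is the check to run on the `--all --raw` output when a rule silently matches nothing. The users, attribute values and the `svc-` naming convention below are constructed.

```python
import base64
import re

# An automember regex condition is "attribute=regex"; the regex is applied to
# each value of that attribute. LDAP attribute names are case-insensitive.
CONDITION_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)=(.+)$")


def parse_raw_entry(text):
    """Turn `ipa ... --all --raw` output ("attr: value" per line) into
    {attr_lowercase: [values]}; "attr:: <base64>" lines are decoded."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def parse_condition(condition):
    """'ou=^Engineering' -> ('ou', compiled regex); reject anything else."""
    m = CONDITION_RE.match(condition.strip())
    if not m:
        raise ValueError("condition must be attr=regex, got %r" % condition)
    return m.group(1).lower(), re.compile(m.group(2))


def condition_matches(entry, condition):
    """True when any value of the named attribute matches the regex
    (unanchored search, so write ^...$ when you mean the whole value)."""
    attr, regex = parse_condition(condition)
    return any(regex.search(v) for v in entry.get(attr, []))


def rule_matches(entry, inclusive=(), exclusive=()):
    """Plugin semantics: an exclusive hit vetoes the rule, otherwise any
    inclusive hit adds the entry to the group."""
    if any(condition_matches(entry, c) for c in exclusive):
        return False
    return any(condition_matches(entry, c) for c in inclusive)


def attrs_holding(entry, pattern):
    """Attributes that carry a value matching `pattern`: tells you whether the
    rule is pointed at the attribute the data is really in."""
    regex = re.compile(pattern)
    return sorted(a for a, vals in entry.items() if any(regex.search(v) for v in vals))


# Constructed sample entries, shaped like `ipa user-show --all --raw` output.
ENGINEER = parse_raw_entry("""
  dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
  uid: jdoe
  cn: John Doe
  ou: Engineering
  title: Software Engineer
""")
BUILD_SVC = parse_raw_entry("""
  uid: svc-build
  cn: Build Service
  ou: Engineering
""")
SALES = parse_raw_entry("""
  uid: asmith
  cn: Alice Smith
  ou: Sales
  title: Engineering liaison
""")

if __name__ == "__main__":
    for name, entry in (("jdoe", ENGINEER), ("svc-build", BUILD_SVC), ("asmith", SALES)):
        hit = rule_matches(entry, inclusive=["ou=^Engineering$"], exclusive=["uid=^svc-"])
        print("%-10s -> %s (attrs holding 'Engineering': %s)"
              % (name, hit, attrs_holding(entry, "Engineering")))
```

Run `attrs_holding` over the real `--all --raw` output of a user you expect to match: if the value you are keying on shows up under a different attribute than the one named in the rule, the rule will never fire, which is the failure mode this thread is about.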

Re: [Freeipa-users] scripting ipa commands

2014-03-06 Thread JR Aquino
If you don't find an answer for doing it -minus- a ticket, here is what I would 
suggest.

Create a service user who's only role permissions give them the ability to 
delete users.

Then perform a getkeytab for the user:
ipa-getkeytab -s ipa.example.com -p @EXAMPLE.COM -k /path/to/username.keytab

Then associate the following along with your cron.  I would also recommend a 
kdestroy -after- the task is run.
#!/bin/bash

###
# Auto Kinit: run from cron ahead of the ipa commands. Obtains a ticket from
# the service user's keytab only when no valid ticket is already cached.
###

# klist -s is silent and exits non-zero when there is no valid (unexpired) ticket
/usr/kerberos/bin/klist -s
EXITCODE=$?
if [ "$EXITCODE" != "0" ] ; then
    # throw away any stale cache, then authenticate with the keytab
    # (-k -t); -F asks for a non-forwardable TGT
    /usr/kerberos/bin/kdestroy >> /dev/null 2>&1
    /usr/kerberos/bin/kinit -F usern...@example.com -k -t /path/to/username.keytab
fi


On Mar 6, 2014, at 8:48 AM, KodaK  wrote:

> Once again, I'm probably missing something that's well documented.  I promise 
> I searched.
> 
> We have a daily termination list that needs to be enforced at 5:00 PM every 
> day.  I can script it up just fine, but sometimes I like to sneak out early.
> 
> I tried to use "at," but since I'm logged out when the job runs there's no 
> ticket and the ipa commands fail.
> 
> ex:
> 
> echo "sh terminate" | at 5:00 PM Friday
> 
> works if I'm logged in with a ticket ("terminate" contains the ipa command to 
> disable / delete users.)
> 
> Is there some way to automate this?  I can leave a terminal open on a VM as a 
> work-around, but I'd like to be cleaner if I can.
> 
> --Jason




Re: [Freeipa-users] local root can su to any IPA user

2014-02-28 Thread JR Aquino
Some further reading material about operating in a security model where you 
accept that things are already compromised:

* CISecurity did a good job on the Kerberos benchmark that was written:
http://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=mitkerberos110.100

* Two Factor should be employed on any system you consider critical: As far as 
Identities go, The Password is Dead... 
YubiKey is a pretty good, low overhead starting point, 
http://wiki.yubico.com/wiki/index.php/Main_Page

* Long Live POSIX, the owner,group,everyone model has been broken for quite 
some time.  I suggest checking out Capsicum in addition to any further reading 
about trusted computing or SElinux, etc.
http://www.cl.cam.ac.uk/research/security/capsicum/
https://github.com/google/capsicum-linux

On Feb 28, 2014, at 9:27 AM, Nordgren, Bryce L -FS  wrote:

> 
>>> Offline password caching is also optional and a different method.
>>> In this case the actual password is maintained in the kernel keyring
>>> in locked memory until the machine goes online and can acquire a TGT.
>>> On success it is deleted.
>>> 
>>> however it doesn't really matter from an evil-root scenario, because
>>> evil-root will have already snatched the password from the PAM stack
>>> at authentication time.
> 
> Ah. My evil root scenario was that my AS exchange happened on my trusted 
> machine and I used SSO to sign in to Evil root's machine. No password in 
> Evil's pam stack. Evil can log into an Evil-compromised machine all he wants. 
> Can't steal a password from yourself.
> 
> Please shoot holes in this design for me: :)
> 
> A domain uses Kerberos for authentication. The domain does not allow LDAP or 
> other forms of authentication.
> 
> A domain has trusted, domain-administrated machines for initial sign on. 
> Users are not given root access on these machines. Alternatively, users who 
> have been given root access to a machine can initiate an AS exchange from 
> machines they control, but others cannot and/or are strongly discouraged from 
> doing so. Hence, a user can be granted control over their own 
> workstation/laptop.
> 
> Users are given permissions on machines as needed to configure whatever it is 
> that they need to do. Say there is some sort of project with specialized 
> requirements which affects ~10-50 participants or so. Someone in the project 
> stands up a machine to address the project's needs, but this person is not 
> part of the Organization, so he could be Evil.
> 
> Users would be expected to perform their initial sign on using their own 
> workstation/terminal, then connect to the project resource. Ideally, the 
> project resource is a website of some type, so only a Kerberos service ticket 
> is needed. In the case that project members need command line access, but no 
> access to domain-wide services (like NFS server), they can just get a service 
> ticket for host/evil.example@example.org.
> 
> So far, Evil is boxed in. Evil has not been given credentials which allow him 
> to impersonate another user to the domain. Evil's box is a black hole. 
> Identities go in, but they can't get out.
> 
> A problem occurs when users need to access domain-wide services from Evil's 
> machine. The user (Innocent) can forward their TGT to Evil's machine, giving 
> Evil full use of Innocent's identity, or Innocent can use their own, trusted 
> workstation to individually request proxy tickets for the services Innocent 
> intends to access.
> 
> Evil can now impersonate Innocent. In the case where Evil received proxy 
> tickets, it can only impersonate Innocent to specific services on specific 
> hosts. In the case where Evil received a TGT, Evil can impersonate innocent 
> at will to any domain service.
> 
> This suggests that it should be a security requirement for 
> non-organization-wide projects to provide their own services. This permits 
> encouraging/mandating the use of service tickets with project resources. For 
> instance, if the project needs file storage, they should provide file 
> storage. Alternatively, if the organization wishes to provide storage, they 
> may want to allocate servers (and Kerberos principals) individually for each 
> project.
> 
> This seems to me to be a way to compartmentalize groups of cooperating users 
> in a way that tends to prevent Evil in one group from spreading to another 
> group, while allowing users to leverage the organization's identity 
> store...It seems to me that this is even more effective at stopping the 
> spread of Evil than establishing hierarchical cross-realm trusts underneath 
> the main organization...
> 
> Am I overlooking something, or is this likely to be an effective means of 
> delegating small project support while sideboarding potential Evil?
> 
> Bryce
> 

[Freeipa-users] How to restore an IPA Replica when the CSN number generator has moved impossibly far into the future or past

2014-02-03 Thread JR Aquino
If you are seeing clock skew errors in /var/log/dirsrv/slapd-EXAMPLE-COM/errors that look like this, then you will need to verify the time/date of the server to make sure NTP isn't freaked out. If the system date is correct, it is possible that the change number generator has skewed.

[01/Feb/2014:14:42:06 -0800] NSMMReplicationPlugin - conn=12949 op=7 repl="dc=example,dc=com": Excessive clock skew from supplier RUV
[01/Feb/2014:14:42:06 -0800] - csngen_adjust_time: adjustment limit exceeded; value - 1448518, limit - 86400
[01/Feb/2014:14:42:06 -0800] - CSN generator's state:
[01/Feb/2014:14:42:06 -0800] -  replica id: 115
[01/Feb/2014:14:42:06 -0800] -  sampled time: 1391294526
[01/Feb/2014:14:42:06 -0800] -  local offset: 0
[01/Feb/2014:14:42:06 -0800] -  remote offset: 0
[01/Feb/2014:14:42:06 -0800] -  sequence number: 55067

The following NsState_Script should be used to determine whether the change number generator has jumped significantly from the real time/date.
https://github.com/richm/scripts/blob/master/readNsState.py

The usage for the script works like this:

[r...@ipaserver.ops jaquino]# ./readNsState.py /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
nsState is cwBGPfBSAQACAA==
Little Endian
For replica cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
  fmtstr=[H6x3QH6x]
  size=40
  len of nsstate is 40
  CSN generator state:
    Replica ID    : 115
    Sampled Time  : 1391476038
    Gen as csn    : 52f03d4600020115
    Time as str   : Mon Feb  3 17:07:18 2014
    Local Offset  : 0
    Remote Offset : 1
    Seq. num      : 2
    System time   : Mon Feb  3 17:09:11 2014
    Diff in sec.  : 113
    Day:sec diff  : 0:113

If the output from the above command is over a day or more out of sync, then the reason is because the CSN generator has become grossly skewed. It will be necessary to perform the following steps to recover.

How to resolve this issue

• 1: Select an ipa server to be authoritative and write the contents of its database to an ldif file
   On the master supplier:
   /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif.pl -D 'cn=Directory Manager' -w - -n userRoot -a /tmp/master-389.ldif
   Note that without the -r option it is deliberately omitting the tainted replication data which contains the bad CSNs

• 2: On the ipa server, shut its dirsrv daemon down so that you can reset the attribute responsible for the serial generation, and so that you can re-initialize its db from the known good ldif
   On the master supplier:
   ipactl stop

• 3: Sanitize the dse.ldif Configuration File
   On the master supplier:
   edit the /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file and remove the nsState attribute from the replica config entry
   You DO NOT want to remove the nsState from: dn: cn=uniqueid generator,cn=config
   The stanza you want to remove the value from is: dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
   The attribute will look like this: nsState:: cwA3QPBSAQABAA==
   Delete the entire line

• 3.1: Remove traces of stale CSN tracking in the Replica Agreements themselves
   File location: /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
   cat dse.ldif | sed -n '1 {h; $ !d}; $ {x; s/\n //g; p}; /^ / {H; d}; /^ /! {x; s/\n //g; p}' | grep -v nsds50ruv > new.dse.ldif
   backup the old dse.ldif and replace it with the new one:
   # mv dse.ldif dse.saved.ldif
   # mv new.dse.ldif dse.ldif

• 4: Import the data from the known good ldif. This will mark all the changes with CSNs that match the current time/date stamps
   On the master supplier:
   chmod 644 /tmp/master-389.ldif
   /var/lib/dirsrv/scripts-EXAMPLE-COM/ldif2db -n userRoot -i /tmp/master-389.ldif

• 5: Restart the ipa daemons on the master supplier
   # ipactl start

• 6: When the daemon starts, it will see that it does not have an nsState and will write new CSN's to -all- of the newly imported good data with today's timestamp; we need to take that data and write -it- out to an ldif file
   On the master supplier:
   /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif.pl -D 'cn=Directory Manager' -w - -n userRoot -r -a /tmp/replication-master-389.ldif
   ^ the -r tells it to include all replica data which includes the newly blessed CSN data
   transfer the file to all of the ipa servers in the fleet

• 7: Now we must re-initialize _every other_ ipa consumer server in the fleet with the new good data.
   Steps 7-10 need to be done 1 at a time on each ipa consumer server
   ipactl stop

• 8: Sanitize the dse.ldif Configuration File
   On the ipa server:
   edit the /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file and remove the nsState attribute from the replica config entry
   You DO NOT want to remove the nsState from: dn: cn=uniqueid generator,cn=config
   The stanza you want to remove the value from is: dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
   The attribute will look like this: nsState:: cwA3QPBSAQABAA==
   Delete the entire line
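A CSN as it appears in the errors log and in the "Gen as csn" field above is a fixed-width hex string: 8 hex digits of generation time (seconds since the epoch), 4 of sequence number, 4 of replica ID, and in builds that print 20-character CSNs a further 4 of sub-sequence. The block below is an added example, not code from the post or from 389-ds: a Python helper that splits a CSN, renders its time in UTC, and applies the same 86400-second limit that csngen_adjust_time reports, so you can compare a supplier's newest RUV CSN against the local sampled time and tell whether the generator state needs the reset described in the steps above. The supplier CSN and the limit constant's use here are constructed; the field widths are 389-ds's. Note that a local generator that has jumped into the future shows up as this error on the other replicas, since to them this server is the supplier that is too far ahead.

```python
from datetime import datetime, timezone

# Width of each CSN field in hex digits: time, sequence number, replica ID,
# and (20-character form only) sub-sequence number.
CSN_FIELDS = (("time", 8), ("seq", 4), ("rid", 4), ("subseq", 4))
# The limit csngen_adjust_time enforces ("limit - 86400" in the errors log).
CSNGEN_SKEW_LIMIT = 86400
HEX_DIGITS = set("0123456789abcdef")


def parse_csn(csn):
    """Split a 16- or 20-character CSN into its integer fields."""
    s = csn.strip().lower()
    if len(s) not in (16, 20) or not set(s) <= HEX_DIGITS:
        raise ValueError("not a CSN: %r" % csn)
    fields, pos = {"subseq": 0}, 0
    for name, width in CSN_FIELDS:
        if pos >= len(s):
            break
        fields[name] = int(s[pos:pos + width], 16)
        pos += width
    return fields


def format_csn(t, seq, rid, subseq=None):
    """Inverse of parse_csn; pass subseq to get the 20-character form."""
    s = "%08x%04x%04x" % (t, seq, rid)
    return s if subseq is None else s + "%04x" % subseq


def csn_utc(csn):
    """Generation time of the CSN as a UTC string (the log prints local time)."""
    t = parse_csn(csn)["time"]
    return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def csngen_adjustment(local_sampled_time, supplier_csn):
    """Seconds the local generator would have to jump forward to catch up with
    the supplier's newest CSN (positive means the supplier is ahead)."""
    return parse_csn(supplier_csn)["time"] - int(local_sampled_time)


def exceeds_skew_limit(local_sampled_time, supplier_csn, limit=CSNGEN_SKEW_LIMIT):
    """True when the server would log 'adjustment limit exceeded' and refuse
    the update, i.e. when the nsState reset in the steps above is needed."""
    return csngen_adjustment(local_sampled_time, supplier_csn) > limit


if __name__ == "__main__":
    # Sampled time from the "CSN generator's state" block in the log above and
    # a constructed supplier CSN sitting 1448518 s ahead of it (the logged value).
    local = 1391294526
    supplier = format_csn(local + 1448518, 0, 115)
    print(supplier, csn_utc(supplier), csngen_adjustment(local, supplier),
          exceeds_skew_limit(local, supplier))
    print(csn_utc("52f03d4600020115"))
```

The replica ID field is hex: the CSN `51ad2c5500090066` quoted later on this page belongs to replica 0x66 (102), which is how the dbscan key in that thread is derived.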

Re: [Freeipa-users] slapi-nis bypass Password Policies

2013-09-20 Thread JR Aquino
Is your client simply using LDAP to bind and authenticate your service?

If so, you may be able to create a special dedicated sysaccount in: 
cn=sysaccounts,cn=etc,dc=domain,dc=com

This account could be used to bind your service without having it be a member 
of the standard users database subjected to Password Policy expirations etc.

"You cannot hope to secure that which you do not first understand"
~~~~~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Online | 7408 Hollister Avenue | Goleta, CA 
93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Sep 18, 2013, at 10:00 AM, cbul...@gmail.com wrote:

Hi,

We have a client server connected to the IPA server using NIS. It's
working well but we have a service running at client server that doesn't
handle the password expiration properly.
Is it possible to bypass the Password Policies from this client server?

Thanks!


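An added example of the entry the reply above describes, not taken from the thread: a bind-only system account under cn=sysaccounts,cn=etc, created with ldapmodify as Directory Manager. The uid, the base DN and the password placeholder are assumptions; the objectclasses and the far-future passwordExpirationTime follow the usual FreeIPA system-account recipe so the account sits outside cn=users and the user password policy.

```ldif
dn: uid=nis-client-svc,cn=sysaccounts,cn=etc,dc=domain,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: nis-client-svc
userPassword: REPLACE-WITH-A-LONG-RANDOM-SECRET
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
```

Load it with `ldapmodify -x -D 'cn=Directory Manager' -W -f sysaccount.ldif`, then point the service at bind DN `uid=nis-client-svc,cn=sysaccounts,cn=etc,dc=domain,dc=com` and verify with `ldapsearch -x -D '<that DN>' -W -b dc=domain,dc=com -s base`. Keep the account to the read access the service actually needs; it is a plain LDAP simple bind, so it should only ever be used over LDAPS or STARTTLS.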


Re: [Freeipa-users] Replication woes

2013-08-20 Thread JR Aquino
On Aug 20, 2013, at 6:46 AM, Rich Megginson wrote:

On 08/20/2013 05:55 AM, Bret Wortman wrote:
Okay, now I'm thinking I need to dump all my replicas and start them fresh. My 
/var/log/slapd-FOO-COM/errors is filled with messages like this:

NSMMReplicationPlugin - changelog program - agmt="cn=meTogood1.foo.com" (good1:389): CSN 520a4964001d not found, we aren't as up to date, or we purged
agmt="cn=meTogood1.foo.com" (good1:389) - Can't locate CSN 520a4964001d in the changelog (DB rc=-30988). The consumer may need to be reinitialized.

I assume the "consumer" is the replica, right? At present, I have two replicas 
known to my master that are simply gone. Another is there but they can't talk. 
Three more have good communication but I'm getting errors like these. Is there 
a good, clean way to just clobber all the replicas and start over without 
trashing the DNS and other identity data that is inside my master and which is 
working? Deleting them from the master hasn't been working; it tends to hang 
the master's DNS and other services until I Ctrl-C out and "ipactl restart" it.

I'm afraid to venture out without a net here and make things worse

This looks like https://fedorahosted.org/389/ticket/47386

We've never been able to reproduce this in a "controlled" environment.

The original reporter has been able to get this to work in some cases by 
restarting ipa (ipactl restart).

Before you do that, would you be able to provide some information for me?

On the supplier and consumer:
ldapsearch -xLLL -D "cn=directory manager" -W -b "dc=FOO,dc=COM" '(&(objectclass=nstombstone)(nsuniqueid=---))' > ruv.ldif

ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=config" '(objectclass=nsds5replicationagreement)' > agmt.ldif

dbscan -f /var/lib/dirsrv/slapd-FOO-COM/cldb/*.db4 | head -200 > cldb.txt

Be sure to obscure any sensitive data in ruv.ldif, agmt.ldif, and cldb.txt - 
you can either attach to https://fedorahosted.org/389/ticket/47386 or email to 
me directly.


Any help you could provide in capturing the fail-state would be hugely 
appreciated.

I've found that if you work through the issue and fix the problem, it doesn't 
appear to be deliberately reproducible.

If you can get the debugging data that Rich needs, I can work on drafting  you 
a basic howto on how to diagnose and fix your replication issue.


Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret


On Mon, Aug 19, 2013 at 2:21 PM, Bret Wortman wrote:
On my master (where this error is occurring), I've got, in /etc/hosts:

127.0.0.1 localhost localhost.localdomain
::1  localhost localhost.localdomain
1.2.3.4  ipamaster.foo.net ipamaster

So that should be okay, right?

# host ipamaster.foo.net
ipamaster.foo.net has address 1.2.3.4
# host ipamaster
ipamaster.foo.net has address 1.2.3.4
# host localhost
localhost has address 127.0.0.1
localhost has IPv6 address ::1
#

I checked the other system (the one I can't connect to) to be safe, and its 
/etc/hosts is similarly configured. It even has the master listed with its 
correct IP address.




Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret


On Mon, Aug 19, 2013 at 2:02 PM, Simo Sorce wrote:
On Mon, 2013-08-19 at 13:51 -0400, Bret Wortman wrote:
> So, any idea how to fix the Kerberos problem?
>

If your server is trying to get a tgt for ldap/localhost it probably
means your /etc/hosts file is broken and has a line like this:

1.2.3.4 localhost my.real.name

When GSSAPI tries to resolve my.real.name it gets back 
that 'localhost'
is the canonical name so it tries to get a TGT with that name and it
fails.

If /etc/hosts is fine then the DNS server may be returning an IP address
that later resolves to localhost again.

To unbreak make sure that if you have your fully qualified name
in /etc/hosts that it is on its own line pointing at the right IP
address and where the FQDN name is the first in line:
eg:

this is ok:
1.2.3.4 server.full.name server

this is not:
1.2.3.4 server server.full.name

Simo.
>
> Bret Wortman
>
>
> http://damascusgrp.com/
>
> http://about.me/wortmanbret
>
>
>
> On Mon, Aug 19, 2013 at 12:19 PM, Bret Wortman wrote:
> ...and I got the web UI, authentication and sudo back via:
>
>
> # ipactl stop
> # ipactl start
>
>
> Not sure why that worked, but it did. I was grasping at
> straws, honestly.
>
>
>
>
>
> Bret Wortman
>
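Simo's point in the quoted thread is that the files backend returns the first name on the matching /etc/hosts line as the canonical name, so a line such as `1.2.3.4 localhost my.real.name` or `1.2.3.4 server server.full.name` makes GSSAPI ask for `ldap/localhost@REALM` or `ldap/server@REALM` instead of the FQDN's principal. The following is an added example, not code from the thread: a Python checker that parses an /etc/hosts text, reports the canonical name the lookup would yield, derives the service principal GSSAPI will request, and flags both mistakes. The hosts files, the realm and the `FULL.NAME` names are constructed.

```python
LOOPBACK_PREFIXES = ("127.", "::1")


def parse_hosts(text):
    """Parse /etc/hosts text into (line_number, address, [names]) tuples,
    ignoring comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries.append((lineno, fields[0], fields[1:]))
    return entries


def canonical_name(entries, name):
    """What the files backend reports as the canonical name (h_name) for
    `name`: the FIRST name on the first line that lists it, or None."""
    for _, _, names in entries:
        if name.lower() in (n.lower() for n in names):
            return names[0]
    return None


def expected_service_principal(entries, fqdn, realm, service="ldap"):
    """Principal GSSAPI will ask for after canonicalising `fqdn` via /etc/hosts
    (falls back to the FQDN itself when /etc/hosts does not list it)."""
    canon = canonical_name(entries, fqdn) or fqdn
    return "%s/%s@%s" % (service, canon, realm)


def check_hosts(text, fqdn):
    """Findings for the two layouts the thread warns about: the FQDN listed
    after its short name, and the FQDN sharing a line with localhost."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        lowered = [n.lower() for n in names]
        if fqdn.lower() not in lowered:
            continue
        if lowered[0] != fqdn.lower():
            findings.append("line %d: '%s' is the canonical name for %s, not %s; "
                            "list the FQDN first" % (lineno, names[0], addr, fqdn))
        if "localhost" in lowered or addr.startswith(LOOPBACK_PREFIXES):
            findings.append("line %d: %s shares a line with localhost/%s; give it "
                            "its own line with its real address" % (lineno, fqdn, addr))
    return findings


# Constructed files: the good and the bad layouts from the thread.
GOOD_HOSTS = """\
127.0.0.1 localhost localhost.localdomain
::1       localhost localhost.localdomain
1.2.3.4   server.full.name server
"""
SHORT_NAME_FIRST = "1.2.3.4 server server.full.name\n"
ON_LOCALHOST_LINE = "127.0.0.1 localhost server.full.name\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_HOSTS), ("short-first", SHORT_NAME_FIRST),
                        ("localhost", ON_LOCALHOST_LINE)):
        entries = parse_hosts(text)
        print(label, expected_service_principal(entries, "server.full.name", "FULL.NAME"),
              check_hosts(text, "server.full.name"))
```

Run `check_hosts` against the file with the hostname the server was enrolled under; an empty list plus a principal of the form `ldap/<fqdn>@REALM` is what you want before you start chasing replication agreements.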

Re: [Freeipa-users] Configure IPA 3.1.5 client for sudo?

2013-06-25 Thread JR Aquino
On Jun 25, 2013, at 2:52 AM, Martin Kosek wrote:

> On 06/24/2013 03:36 PM, Rob Crittenden wrote:
>> Dean Hunter wrote:
>>> On Mon, 2013-06-24 at 09:07 +0300, Alexander Bokovoy wrote:
 On Sun, 23 Jun 2013, Dean Hunter wrote:
> Section 14.4. Applying the Configured sudo Policies to Hosts of the
> FreeIPA Guide, Edition 3.1.5 in the Fedora 18 documentation contains
> only an example of configuring sudo for use with FreeIPA 2.2. It differs
> in many regards from QA:Testcase freeipav3 sudo sssd in the Wiki at
> fedoraproject.org.
> 
> What instructions should I use to configure an IPA 3.1.5-1 client with
> sudo?
 This thread should clear it up:
 https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
 
 This presentation covers current state:
 http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
 
>>> Thank you for the prompt response!  I really appreciate how helpful
>>> y'all are on this list.  The slide presentation is especially useful
>>> because of all the explanation.  Have you identified a target release for:
>>> 
>>>1) SSSD doesn't support FreeIPA as SUDO provider yet
>> 
>> To clarify, this is just to make SSSD use the native IPA schema instead of
>> ou=sudoers. https://fedorahosted.org/sssd/ticket/1108
> 
> Right. When talking about SUDO being able to select SSSD as a source database
> (instead of the native LDAP connection), this works already - SSSD reads
> ou=sudoers. There is an RFE ticket targeted to 3.4 already (it also contains
> steps how to configure it manually):

Is there a specific version of Sudo that supports nsswitch.conf having: sudo 
sss?

Is that version of Sudo available on RHEL?

> 
> https://fedorahosted.org/freeipa/ticket/3358
> 
>> 
>>>2) A command line tool to preform the client configuration
>> 
>> https://fedorahosted.org/freeipa/ticket/3358
>> 
>> rob
>> 


Re: [Freeipa-users] sudo rules user and host group bugs?

2013-06-05 Thread JR Aquino
On Jun 5, 2013, at 1:47 PM, KodaK wrote:

Sorry, for some reason gmail makes me forget about "reply all."

On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal wrote:
On 06/05/2013 11:20 AM, KodaK wrote:
I know this has been discussed before, but I didn't see anything with a cursory 
search.

There are bugs when using user and host groups with sudo rules.  I have to 
split out my users and hosts into individual entries.  I'm running ipa 3.0.0-26 
on RHEL.

All I really want to know is if this is fixed upstream.


I am not sure I recall a bug you are referring to. A quick scan against the 
open tickets does not reveal anything like what you describe.
Can you provide the description of the issue or point to the earlier thread on 
the matter?


I'm going off of memory on seeing the previous bug.  It very well could be a 
false memory.

I have a rule like this:

[jebalicki@mo0033802 ~]$ ipa sudorule-show esolutions-sandbox-root-access
  Rule name: esolutions-sandbox-root-access
  Enabled: TRUE
  Users: slfries, awellard
  Hosts: slnessbxl01.unix.magellanhealth.com
  Sudo Allow Commands: /bin/su -

This works.  However, if I change the rule to use hostgroups instead of listing 
the hosts individually the rule will not work.

The groups still exist and look like this:

[jebalicki@mo0033802 ~]$ ipa hostgroup-show esolutions-sandbox-hosts
  Host-group: esolutions-sandbox-hosts
  Description: esolutions sandbox hosts
  Member hosts: slnessbxl01.unix.magellanhealth.com
  Member of HBAC rule: esolutions-sandbox-access

[jebalicki@mo0033802 ~]$ ipa group-show esolutions
  Group name: esolutions
  Description: esolutions group
  GID: 1115600250
  Member users: awellard, slfries
  Member of HBAC rule: esolutions-sandbox-access

Client machine is pretty much default-out-of-the-box IRT IPA configuration, 
here's the installer output (installs during kickstart):

[root@slnessbxl01 ~]# cat ks-post.log
Discovery was successful!
Hostname: slnessbxl01.unix.magellanhealth.com
Realm: UNIX.MAGELLANHEALTH.COM
DNS Domain: UNIX.MAGELLANHEALTH.COM
IPA Server: slpidml01.unix.magellanhealth.com
BaseDN: dc=unix,dc=magellanhealth,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm UNIX.MAGELLANHEALTH.COM
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.MAGELLANHEALTH.COM
Warning: Hostname (slnessbxl01.unix.magellanhealth.com) not found in DNS
DNS server record set to: slnessbxl01.unix.magellanhealth.com -> 10.200.12.104
SSSD enabled
NTP enabled
Client configuration complete.

[root@slnessbxl01 ~]# rpm -qa | grep ipa
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
[root@slnessbxl01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[root@slnessbxl01 ~]#

Troubleshooting:

Can you confirm the output of the following commands:
1. $ domainname
* does it match your domain?
2. $ hostname
* does it match your fqdn?
3. $ getent netgroup esolutions-sandbox-hosts
* does this list your host?
4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?


Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or 
/etc/ldap.conf, depending on what version of RHEL/Sudo you're running):

At the top, add the line: sudoers_debug 2

Then try another sudo command. sudo -l for example.

This should result in a long list of search criteria and status.  The last few 
lines should indicate where any matches occurred.

"Keeping your head in the cloud"
~
JR Aquino

Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Exploit Researcher and Advanced Penetration Tester |
GIAC WebApplication Penetration Tester | GIAC Certified Incident Handler
jr.aqu...@citrix.com

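The four checks in the list above (domainname, hostname, `getent netgroup`, and the netgroup line in nsswitch.conf) all feed one question: will innetgr(3) match this host in the netgroup that the IPA compat tree exposes for the hostgroup? The block below is an added example, not code from the thread or from sudo: Python that parses a `getent netgroup` line and an nsswitch.conf snippet and applies the innetgr matching rules (an empty field is a wildcard, a `-` field never matches, a field the caller does not supply is ignored). It assumes sudo passes the host names it knows itself by (long and short) with no user, and passes the `domainname` value as the domain argument, or no domain at all when that is unset or `(none)`; that last behaviour is an assumption about the caller, not something the thread states. The netgroup line and host names are constructed.

```python
import re

# One "(host,user,domain)" triple as printed by `getent netgroup NAME`.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_getent_netgroup(line):
    """Split `getent netgroup` output into (name, [(host, user, domain), ...])."""
    name, _, rest = line.strip().partition(" ")
    triples = [tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(rest)]
    return name, triples


def field_matches(field, value):
    """innetgr(3) rules for one field: an empty field is a wildcard, '-' is a
    field with no valid value and never matches, and value=None means the
    caller is not checking this field at all."""
    if value is None or field == "":
        return True
    if field == "-":
        return False
    return field.lower() == value.lower()


def innetgr(triples, host=None, user=None, domain=None):
    """True when any triple matches every field the caller supplied."""
    return any(field_matches(h, host) and field_matches(u, user) and field_matches(d, domain)
               for h, u, d in triples)


def host_in_netgroup(getent_line, host_names, nis_domain):
    """Would sudo's netgroup host match succeed on this box?
    host_names: names the client knows itself by (`hostname`, long and short);
    nis_domain: output of `domainname`. Assumption (not from the thread): an
    unset domain or "(none)" is passed as no domain, so that field is ignored."""
    _, triples = parse_getent_netgroup(getent_line)
    domain = None if nis_domain in (None, "", "(none)") else nis_domain
    return any(innetgr(triples, host=h, domain=domain) for h in host_names)


def parse_nsswitch(text):
    """/etc/nsswitch.conf -> {database: [sources and action tokens]}."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, sources = line.partition(":")
        db[name.strip()] = sources.split()
    return db


def netgroup_uses_sss(nsswitch_text):
    """Check 4 from the list: is sss consulted for the netgroup database?"""
    return "sss" in parse_nsswitch(nsswitch_text).get("netgroup", [])


# Constructed data, shaped like a hostgroup exposed through the compat tree:
# one triple carrying the IPA domain, one with the domain field left empty.
GETENT_LINE = ("esolutions-sandbox-hosts "
               "(slnessbxl01.unix.magellanhealth.com,-,unix.magellanhealth.com) "
               "(slnessbxl02.unix.magellanhealth.com,-,)")
NSSWITCH_OK = "passwd:     files sss\nnetgroup:   files sss\n"
NSSWITCH_BAD = "passwd:     files sss\nnetgroup:   files\n"

if __name__ == "__main__":
    names = ["slnessbxl01.unix.magellanhealth.com", "slnessbxl01"]
    for dom in ("unix.magellanhealth.com", "(none)", "corp.example.com"):
        print("domainname=%-24s match=%s" % (dom, host_in_netgroup(GETENT_LINE, names, dom)))
    print("nsswitch netgroup via sss:", netgroup_uses_sss(NSSWITCH_OK), netgroup_uses_sss(NSSWITCH_BAD))
```

Feed it the real `getent netgroup` line, the real `hostname` output and the real `domainname` output: a mismatch in the domain field or a short hostname where the triple carries the FQDN explains a rule that works with individual hosts but not with the hostgroup, before you turn on `sudoers_debug`.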

Re: [Freeipa-users] IPA Replica Issue

2013-06-05 Thread JR Aquino
On Jun 5, 2013, at 6:48 PM, Rich Megginson wrote:

> On 06/05/2013 07:20 PM, JR Aquino wrote:
>> On Jun 5, 2013, at 5:26 PM, Rich Megginson wrote:
>> 
>>> On 06/05/2013 05:49 PM, JR Aquino wrote:
>>>> I have been having replication issues since the update to RHEL6.4 and 
>>>> 389-ds-base-1.2.11.15-12.
>>>> 
>>>> It is entirely possible that we have more than just 1 problem.
>>>> 
>>>> Frequently we are seeing errors in our replication monitoring indicating: -1 
>>>> Incremental update has failed and requires administrator action. LDAP error: 
>>>> Can't contact LDAP server
>>>> 
>>>> This problem cannot be solved via ipa-replication-managment force-sync and 
>>>> it does not get permanently solved with a re-initialization or a dirsrv 
>>>> restart either (the problem eventually comes back or appears on a 
>>>> different server)
>>>> 
>>>> Have any of you also seen this error when you could verify that the 
>>>> servers can communicate over ldap?
>>>> 
>>>> When checking with Rich today in IRC, we turned on debugging for 
>>>> replication and did not see a smoking gun.
>>>> 
>>>> We -did- see log messages showing things like: (auth1:389): CSN 
>>>> 51ad2c5500090066 not found, we aren't as up to date, or we purged
>>> On replicaID 0x66 - I think dbscan -f 
>>> /var/lib/dirsrv/slapd-INST/cldb/xx.db4 will tell you what are the purge 
>>> and max CSNs, somewhere near the beginning - what are they?
>> I've looked up and down the dbscan output and there is no sign of the word 
>> 'purge' or 'max'
> ok - try this
> dbscan -k 00de -f /var/lib/dirsrv/slapd-INST/cldb/xx.db4
> and
> dbscan -k 014d -f /var/lib/dirsrv/slapd-INST/cldb/xx.db4
> 
> If that gives you nothing, then just tell me what the first and last csns are.

It looks like -none- of my 42 servers seem to have that key present or a 'max' 
or a 'purge' csn.

The first CSN is:
dbid: 514543d200060077
replgen: 1363737222 Tue Mar 19 16:53:42 2013
csn: 514543d200060077
uniqueid: ---
dn: cn=start iteration
operation: delete

the last CSN is:
dbid: 51afe52a00090038
replgen: 1370480270 Wed Jun  5 17:57:50 2013
csn: 51afe52a00090038
uniqueid: 34b69984-244d11e2-9c3ddd59-5d298bd5
dn: uid=user,cn=users,cn=accounts,dc=example,dc=com
operation: modify
ntUserLastLogon: 130149214165556521
manager: uid=manager,cn=users,cn=accounts,dc=example,dc=com
manager: uid=manager,cn=users,cn=accounts,dc=example,dc=com
modifiersName: cn=Multimaster Replication 
Plugin,cn=plugins,cn=config
modifyTimestamp: 20130606005748Z


>> 
>>> Also, what is the database RUV on 0x66?  that is, do
>>> 
>>> ldapsearch -xLLL -h 0x66hostname -D "cn=directory manager" -w password -b dc=expertcity,dc=com '(&(objectclass=nsTombstone)(nsuniqueid=---))'
>> I've sent you a private email with the above output
>> 
>>>> When looking for this change, it was determined that the originating IPA 
>>>> server who was responsible for the change show that this was a 
>>>> modification by the MemberOf plugin associating a host with a hostgroup or 
>>>> vice versa.
>>>> 
>>>> This change was -not- found on the IPA server who is reporting the 
>>>> replication troubles.
>>>> 
>>>> IPA deliberately excludes memberof changes during incremental updates for 
>>>> performance reasons.  This is because each server does replicate the 
>>>> 'member' info, where by the local MemberOf plugin will fire off and 
>>>> perform its respective fixups accordingly.
>>>> 
>>>> Rich asked me to bring this issue up to the attention of the mailing list 
>>>> so that we could continue to track the root cause of the issue(s) and 
>>>> hopefully come to a conclusion about how to fix them.
>>>> 
>>>> 


Re: [Freeipa-users] IPA Replica Issue

2013-06-05 Thread JR Aquino
On Jun 5, 2013, at 5:26 PM, Rich Megginson wrote:

> On 06/05/2013 05:49 PM, JR Aquino wrote:
>> I have been having replication issues since the update to RHEL6.4 and 
>> 389-ds-base-1.2.11.15-12.
>> 
>> It is entirely possible that we have more than just 1 problem.
>> 
>> Frequently we are seeing errors in our replication monitoring indicating: -1 
>> Incremental update has failed and requires administrator action. LDAP error: 
>> Can't contact LDAP server
>> 
>> This problem cannot be solved via ipa-replication-managment force-sync and 
>> it does not get permanently solved with a re-initialization or a dirsrv 
>> restart either (the problem eventually comes back or appears on a different 
>> server)
>> 
>> Have any of you also seen this error when you could verify that the servers 
>> can communicate over ldap?
>> 
>> When checking with Rich today in IRC, we turned on debugging for replication 
>> and did not see a smoking gun.
>> 
>> We -did- see log messages showing things like: (auth1:389): CSN 
>> 51ad2c5500090066 not found, we aren't as up to date, or we purged
> 
> On replicaID 0x66 - I think dbscan -f 
> /var/lib/dirsrv/slapd-INST/cldb/xx.db4 will tell you what are the purge 
> and max CSNs, somewhere near the beginning - what are they?

I've looked up and down the dbscan output and there is no sign of the word 
'purge' or 'max'

> Also, what is the database RUV on 0x66?  that is, do
> 
> ldapsearch -xLLL -h 0x66hostname -D "cn=directory manager" -w password -b 
> dc=expertcity,dc=com 
> '(&(objectclass=nsTombstone)(nsuniqueid=---))'

I've sent you a private email with the above output

> 
>> 
>> When looking for this change, it was determined that the originating IPA 
>> server who was responsible for the change show that this was a modification 
>> by the MemberOf plugin associating a host with a hostgroup or vice versa.
>> 
>> This change was -not- found on the IPA server who is reporting the 
>> replication troubles.
>> 
>> IPA deliberately excludes memberof changes during incremental updates for 
>> performance reasons.  This is because each server does replicate the 
>> 'member' info, whereby the local MemberOf plugin will fire off and perform 
>> its respective fixups accordingly.
>> 
>> Rich asked me to bring this issue up to the attention of the mailing list so 
>> that we could continue to track the root cause of the issue(s) and hopefully 
>> come to a conclusion about how to fix them.
>> 
>> 
>> "Keeping your head in the cloud"
>> ~
>> Jr Aquino | Sr. Information Security Specialist
>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
>> GCIH | GIAC Certified Incident Handler
>> GWAPT | GIAC WebApp Penetration Tester
>> 
>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>> T:  +1 805.690.3478
>> C: +1 805.717.0365
>> jr.aqu...@citrix.com
>> http://www.citrixonline.com
>> 
>> 
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
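Rich's question about the purge and max CSNs on replica 0x66 is easier to act on once the CSN in the log line is decoded. The following is an added example, not code from the thread or from 389 Directory Server: it splits a 389-ds CSN into its timestamp, sequence number and replica id fields (the page's CSN 51ad2c5500090066 carries replica id 0x66, which is where Rich's remark comes from) and classifies a CSN a consumer reports as "not found" against that consumer's purge and max CSNs for the same replica. The purge and max values used below are constructed for illustration, not taken from the page.

```python
import re
import time
from typing import Dict, Tuple

# 389-ds CSN layout: 8 hex digits of Unix time, 4 hex digits of sequence
# number, 4 hex digits of replica id, and an optional 4 hex digits of
# sub-sequence number (16 or 20 characters in total).
_CSN_RE = re.compile(
    r"^([0-9a-fA-F]{8})([0-9a-fA-F]{4})([0-9a-fA-F]{4})([0-9a-fA-F]{4})?$"
)


def parse_csn(csn: str) -> Dict[str, int]:
    """Split a CSN string into its numeric fields."""
    m = _CSN_RE.match(csn.strip())
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    ts, seq, rid, subseq = m.groups()
    return {
        "timestamp": int(ts, 16),
        "seq": int(seq, 16),
        "rid": int(rid, 16),
        "subseq": int(subseq, 16) if subseq else 0,
    }


def csn_key(csn: str) -> Tuple[int, int, int, int]:
    """Ordering key in the order CSNs are compared: time, seq, rid, subseq."""
    f = parse_csn(csn)
    return (f["timestamp"], f["seq"], f["rid"], f["subseq"])


def describe_csn(csn: str) -> str:
    """Human-readable summary of a CSN, e.g. for annotating a replication log line."""
    f = parse_csn(csn)
    when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(f["timestamp"]))
    return f"{csn}: replica id 0x{f['rid']:x}, seq {f['seq']}, generated {when}"


def classify_missing_csn(missing: str, purge_csn: str, max_csn: str) -> str:
    """Explain 'CSN ... not found, we aren't as up to date, or we purged'.

    Given the consumer's own changelog bounds for the same replica id, a CSN it
    cannot find is either newer than anything it holds (the consumer is behind),
    older than its purge point (the change was trimmed), or in between (a gap).
    """
    m, p, x = (parse_csn(c) for c in (missing, purge_csn, max_csn))
    if not (m["rid"] == p["rid"] == x["rid"]):
        return "replica ids differ: compare against the RUV element for the CSN's own replica"
    if csn_key(missing) > csn_key(max_csn):
        return "newer than our max CSN: we are not as up to date as the supplier"
    if csn_key(missing) < csn_key(purge_csn):
        return "older than our purge CSN: the change has been purged here"
    return "inside our retained range but absent: a gap worth investigating"


if __name__ == "__main__":
    # The CSN from the page's log line, against constructed purge/max bounds.
    logged = "51ad2c5500090066"
    print(describe_csn(logged))
    print(classify_missing_csn(logged, "51a0000000000066", "51ad2c2000120066"))
```

Running the block prints the decoded fields of the page's CSN and the classification against the constructed bounds; swap in the purge and max CSNs that dbscan or the RUV entry reports for the replica in question to apply it to a real incident.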


[Freeipa-users] IPA Replica Issue

2013-06-05 Thread JR Aquino
I have been having replication issues since the update to RHEL6.4 and 
389-ds-base-1.2.11.15-12.

It is entirely possible that we have more than just 1 problem.

Frequently we are seeing errors in our replication monitoring indicating:
-1 Incremental update has failed and requires administrator action
LDAP error: Can't contact LDAP server

This problem cannot be solved via ipa-replication-managment force-sync and it 
does not get permanently solved with a re-initialization or a dirsrv restart 
either (the problem eventually comes back or appears on a different server)

Have any of you also seen this error when you could verify that the servers can 
communicate over ldap?

When checking with Rich today in IRC, we turned on debugging for replication 
and did not see a smoking gun.

We -did- see log messages showing things like: (auth1:389): CSN 
51ad2c5500090066 not found, we aren't as up to date, or we purged

When looking for this change, it was determined that the originating IPA server 
who was responsible for the change show that this was a modification by the 
MemberOf plugin associating a host with a hostgroup or vice versa.

This change was -not- found on the IPA server who is reporting the replication 
troubles.

IPA deliberately excludes memberof changes during incremental updates for 
performance reasons.  This is because each server does replicate the 'member' 
info, whereby the local MemberOf plugin will fire off and perform its 
respective fixups accordingly.

Rich asked me to bring this issue up to the attention of the mailing list so 
that we could continue to track the root cause of the issue(s) and hopefully 
come to a conclusion about how to fix them.


"Keeping your head in the cloud"
~~~~~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] automember issues

2013-04-30 Thread JR Aquino
I've got about 30mins before I get into my next meeting.

Are you able to hop into IRC in Freenode to work in realtime on #freeipa?

"Keeping your head in the cloud"
~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Apr 30, 2013, at 12:23 PM, John Moyer <john.mo...@digitalreasoning.com> wrote:

So I must have looked at the wrong server name, I just tried to add 4 more 
servers and none of them worked.   Anymore ideas?   The target is specified by 
the rule name test-group is the target.

Thanks,
_
John Moyer


On Apr 30, 2013, at 2:25 PM, Dmitri Pal <d...@redhat.com> wrote:

On 04/30/2013 02:17 PM, JR Aquino wrote:
On Apr 30, 2013, at 11:12 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

I tried adding it in addition to the current rule and that didn't work.  I then 
deleted the old rule to only leave the rule with the full name 
(uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either.

This is the new output of that command you had me run earlier:

ipa automember-find --type=hostgroup
---
1 rules matched
---
Automember Rule: test-group
Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com

Number of entries returned 1


Interesting.

What about if you just do something silly like: ".*build.*"

Nathan... I believe the plugin is set to expect string values... how does it 
handle a DN such as the enrolled by above?


Don't you need to specify target group?
It might be that the filter is working but it is not placing it anywhere
because nothing is specifying where to place it.




Thanks,
_________
John Moyer


On Apr 30, 2013, at 2:07 PM, JR Aquino <jr.aqu...@citrix.com> wrote:

On Apr 30, 2013, at 11:02 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

It comes back with a ton of stuff the row you are probably interested in is 
this one:

enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
Bingo!

Ok, try to adjust your automember rule.

Delete your previous inclusive regex, and replace it with 
uid=build,cn=users,cn=accounts,dc=example,dc=com

See if that does the trick

Thanks,
_________
John Moyer


On Apr 30, 2013, at 1:57 PM, JR Aquino <jr.aqu...@citrix.com> wrote:

On Apr 30, 2013, at 10:52 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

Not a problem, here is the output

ipa automember-find --type=hostgroup
---
1 rules matched
---
Automember Rule: test-group
Inclusive Regex: enrolledby=build

Number of entries returned 1


interesting.

When you do an: ipa host-show test-hostname.example.com --all --raw

Does it clearly show that enrolledby=build?


Thanks,
_
John Moyer


On Apr 30, 2013, at 1:48 PM, JR Aquino <jr.aqu...@citrix.com> wrote:

On Apr 30, 2013, at 10:43 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

One thing to add is that this build user only has the following access:

Host Administrators
Host enrollment

Would he need more access to do the membership?  My original thought was that 
technically the user is not doing the addition to the group it's the system 
technically doing it so there shouldn't be a permissions issue.

The user's roles shouldn't really matter to the best of my knowledge (Nathan 
Kinder may need to refresh my memory), but the 389 plugin should be catching 
the insertion of the new object, then match the watched attribute, and execute 
the hostgroup assignment based upon the rights of the plugin rather than those 
of the user.

Would it be possible to ask you to do an automember-find --type=hostgroup on 
the CLI and send it back to the thread?

If we are missing something or if we have any bugs in there, we need to get 
them identified and fixed.


Thanks,
_
John Moyer
On Apr 30, 2013, at 1:21 PM, JR Aquino <jr.aqu...@citrix.com> wrote:

On Apr 30, 2013, at 9:30 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

Anyone have any suggestions to using the auto member function 

Re: [Freeipa-users] automember issues

2013-04-30 Thread JR Aquino
On Apr 30, 2013, at 11:23 AM, John Moyer wrote:

> Ha!  I tried .*build and build.* before contacting you guys, I didn't try 
> .*build.* 
> 
> That worked, it automatically added the machine to the group! 
> 
> Thanks!  That will save me so much time! 
> 

Not a problem John, thanks for your patience!

Glad to be of help!

I'm very happy to see that some of the stuff that I use daily saves other folks 
time and headaches too!

-JR

> 
> Thanks, 
> _
> John Moyer
> 
> 
> On Apr 30, 2013, at 2:17 PM, JR Aquino  wrote:
> 
>> On Apr 30, 2013, at 11:12 AM, John Moyer 
>> wrote:
>> 
>>> I tried adding it in addition to the current rule and that didn't work.  I 
>>> then deleted the old rule to only leave the rule with the full name 
>>> (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work 
>>> either.
>>> 
>>> This is the new output of that command you had me run earlier: 
>>> 
>>> ipa automember-find --type=hostgroup
>>> ---
>>> 1 rules matched
>>> ---
>>> Automember Rule: test-group
>>> Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
>>> 
>>> Number of entries returned 1
>>> 
>>> 
>> 
>> Interesting.
>> 
>> What about if you just do something silly like: ".*build.*"
>> 
>> Nathan... I believe the plugin is set to expect string values... how does it 
>> handle a DN such as the enrolled by above?
>> 
>>> 
>>> 
>>> Thanks, 
>>> _
>>> John Moyer
>>> 
>>> 
>>> On Apr 30, 2013, at 2:07 PM, JR Aquino  wrote:
>>> 
>>>> On Apr 30, 2013, at 11:02 AM, John Moyer 
>>>> wrote:
>>>> 
>>>>> It comes back with a ton of stuff the row you are probably interested in 
>>>>> is this one: 
>>>>> 
>>>>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
>>>> 
>>>> Bingo!
>>>> 
>>>> Ok, try to adjust your automember rule.
>>>> 
>>>> Delete your previous inclusive regex, and replace it with 
>>>> uid=build,cn=users,cn=accounts,dc=example,dc=com
>>>> 
>>>> See if that does the trick
>>>> 
>>>>> Thanks, 
>>>>> _
>>>>> John Moyer
>>>>> 
>>>>> 
>>>>> On Apr 30, 2013, at 1:57 PM, JR Aquino  wrote:
>>>>> 
>>>>>> On Apr 30, 2013, at 10:52 AM, John Moyer 
>>>>>> 
>>>>>> wrote:
>>>>>> 
>>>>>>> Not a problem, here is the output
>>>>>>> 
>>>>>>> ipa automember-find --type=hostgroup
>>>>>>> ---
>>>>>>> 1 rules matched
>>>>>>> ---
>>>>>>> Automember Rule: test-group
>>>>>>> Inclusive Regex: enrolledby=build
>>>>>>> 
>>>>>>> Number of entries returned 1
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> interesting.
>>>>>> 
>>>>>> When you do an: ipa host-show test-hostname.example.com --all --raw
>>>>>> 
>>>>>> Does it clearly show that enrolledby=build?
>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Thanks, 
>>>>>>> _
>>>>>>> John Moyer
>>>>>>> 
>>>>>>> 
>>>>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino  wrote:
>>>>>>> 
>>>>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer 
>>>>>>>> 
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>>> One thing to add is that this build user only has the following 
>>>>>>>>> access: 
>>>>>>>>> 
>>>>>>>>> Host Administrators
>>>>>>>>> Host enrollment 

Re: [Freeipa-users] automember issues

2013-04-30 Thread JR Aquino
On Apr 30, 2013, at 11:12 AM, John Moyer wrote:

> I tried adding it in addition to the current rule and that didn't work.  I 
> then deleted the old rule to only leave the rule with the full name 
> (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work 
> either.
> 
> This is the new output of that command you had me run earlier: 
> 
> ipa automember-find --type=hostgroup
> ---
> 1 rules matched
> ---
>  Automember Rule: test-group
>  Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
> 
> Number of entries returned 1
> 
> 

Interesting.

What about if you just do something silly like: ".*build.*"

Nathan... I believe the plugin is set to expect string values... how does it 
handle a DN such as the enrolled by above?

> 
> 
> Thanks, 
> _________
> John Moyer
> 
> 
> On Apr 30, 2013, at 2:07 PM, JR Aquino  wrote:
> 
>> On Apr 30, 2013, at 11:02 AM, John Moyer 
>> wrote:
>> 
>>> It comes back with a ton of stuff the row you are probably interested in is 
>>> this one: 
>>> 
>>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
>> 
>> Bingo!
>> 
>> Ok, try to adjust your automember rule.
>> 
>> Delete your previous inclusive regex, and replace it with 
>> uid=build,cn=users,cn=accounts,dc=example,dc=com
>> 
>> See if that does the trick
>> 
>>> Thanks, 
>>> _
>>> John Moyer
>>> 
>>> 
>>> On Apr 30, 2013, at 1:57 PM, JR Aquino  wrote:
>>> 
>>>> On Apr 30, 2013, at 10:52 AM, John Moyer 
>>>> wrote:
>>>> 
>>>>> Not a problem, here is the output
>>>>> 
>>>>> ipa automember-find --type=hostgroup
>>>>> ---
>>>>> 1 rules matched
>>>>> ---
>>>>> Automember Rule: test-group
>>>>> Inclusive Regex: enrolledby=build
>>>>> 
>>>>> Number of entries returned 1
>>>>> 
>>>>> 
>>>> 
>>>> interesting.
>>>> 
>>>> When you do an: ipa host-show test-hostname.example.com --all --raw
>>>> 
>>>> Does it clearly show that enrolledby=build?
>>>> 
>>>>> 
>>>>> 
>>>>> Thanks, 
>>>>> _
>>>>> John Moyer
>>>>> 
>>>>> 
>>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino  wrote:
>>>>> 
>>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer 
>>>>>> 
>>>>>> wrote:
>>>>>> 
>>>>>>> One thing to add is that this build user only has the following access: 
>>>>>>> 
>>>>>>> Host Administrators
>>>>>>> Host enrollment 
>>>>>>> 
>>>>>>> Would he need more access to do the membership?  My original thought 
>>>>>>> was that technically the user is not doing the addition to the group 
>>>>>>> it's the system technically doing it so there shouldn't be a 
>>>>>>> permissions issue. 
>>>>>>> 
>>>>>> 
>>>>>> The user's roles shouldn't really matter to the best of my knowledge 
>>>>>> (Nathan Kinder may need to refresh my memory), but the 389 plugin, 
>>>>>> should be catching the insertion of the new object, then match the 
>>>>>> watched-attribute, and execute the hostgroup assignment based upon the 
>>>>>> rights of the plugin rather than that of the user.
>>>>>> 
>>>>>> Would it be possible to ask you to do an automember-find 
>>>>>> --type=hostgroup on the CLI and send it back to the thread?
>>>>>> 
>>>>>> If we are missing something or if we have any bugs in there, we need to 
>>>>>> get them identified and fixed.
>>>>>> 
>>>>>> 
>>>>>>> Thanks, 
>>>>>>> _
>>>>>>> John Moyer
>>>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino  wrote:

Re: [Freeipa-users] automember issues

2013-04-30 Thread JR Aquino
On Apr 30, 2013, at 11:02 AM, John Moyer wrote:

> It comes back with a ton of stuff the row you are probably interested in is 
> this one: 
> 
> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com

Bingo!

Ok, try to adjust your automember rule.

Delete your previous inclusive regex, and replace it with 
uid=build,cn=users,cn=accounts,dc=example,dc=com

See if that does the trick

> Thanks, 
> _
> John Moyer
> 
> 
> On Apr 30, 2013, at 1:57 PM, JR Aquino  wrote:
> 
>> On Apr 30, 2013, at 10:52 AM, John Moyer 
>> wrote:
>> 
>>> Not a problem, here is the output
>>> 
>>> ipa automember-find --type=hostgroup
>>> ---
>>> 1 rules matched
>>> ---
>>> Automember Rule: test-group
>>> Inclusive Regex: enrolledby=build
>>> 
>>> Number of entries returned 1
>>> 
>>> 
>> 
>> interesting.
>> 
>> When you do an: ipa host-show test-hostname.example.com --all --raw
>> 
>> Does it clearly show that enrolledby=build?
>> 
>>> 
>>> 
>>> Thanks, 
>>> _
>>> John Moyer
>>> 
>>> 
>>> On Apr 30, 2013, at 1:48 PM, JR Aquino  wrote:
>>> 
>>>> On Apr 30, 2013, at 10:43 AM, John Moyer 
>>>> wrote:
>>>> 
>>>>> One thing to add is that this build user only has the following access: 
>>>>> 
>>>>> Host Administrators
>>>>> Host enrollment 
>>>>> 
>>>>> Would he need more access to do the membership?  My original thought was 
>>>>> that technically the user is not doing the addition to the group it's the 
>>>>> system technically doing it so there shouldn't be a permissions issue. 
>>>>> 
>>>> 
>>>> The user's roles shouldn't really matter to the best of my knowledge 
>>>> (Nathan Kinder may need to refresh my memory), but the 389 plugin, should 
>>>> be catching the insertion of the new object, then match the 
>>>> watched-attribute, and execute the hostgroup assignment based upon the 
>>>> rights of the plugin rather than that of the user.
>>>> 
>>>> Would it be possible to ask you to do an automember-find --type=hostgroup 
>>>> on the CLI and send it back to the thread?
>>>> 
>>>> If we are missing something or if we have any bugs in there, we need to 
>>>> get them identified and fixed.
>>>> 
>>>> 
>>>>> Thanks, 
>>>>> _
>>>>> John Moyer
>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino  wrote:
>>>>> 
>>>>>> 
>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:
>>>>>> 
>>>>>> Anyone have any suggestions to using the auto member function in IPA?  
>>>>>> I've tried to set it up so if a server is enrolled by a user called 
>>>>>> "build" then it should add it to a specific server group.   I put in an 
>>>>>> inclusive rule and the expression is just "build", but it doesn't work.  
>>>>>> Do I need to specify more than just build in the expression area?
>>>>>> 
>>>>>> 
>>>>>> That -should- be enough to catch new hosts that are built by the 'build' 
>>>>>> user.
>>>>>> 
>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ?
>>>>>> 
>>>>>> 
>>>>>> "Keeping your head in the cloud"
>>>>>> ~
>>>>>> Jr Aquino | Sr. Information Security Specialist
>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
>>>>>> GCIH | GIAC Certified Incident Handler
>>>>>> GWAPT | GIAC WebApp Penetration Tester
>>>>>> 
>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>>>>>> T:  +1 805.690.3478
>>>>>> C: +1 805.717.0365
>>>>>> jr.aqu...@citrix.com
>>>>>> http://www.citrixonline.com
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Thanks,
>>>>>> _
>>>>>> John Moyer
>>>>>> 
>>>>>> 
>>>>>> ___
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
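The back-and-forth in this thread turns on what the inclusive regex is matched against: the enrolledby value is a full DN, so a rule written as a bare word behaves differently depending on whether the plugin anchors the expression to the whole value or searches within it, and the thread does not settle which the plugin does. The added example below is mine, not code from the thread or from FreeIPA/389-ds. It parses a rule string in the form the CLI prints it (attribute name, then the regex, split on the first "=" only, because the DN itself contains "="), evaluates a candidate expression under both anchored and unanchored semantics, and previews which of a few constructed host entries a rule would select. The host entries, including the "rebuild-bot" user, are constructed for illustration and show why a loose `.*build.*` rule can pull in more hosts than intended.

```python
import re
from typing import Dict, List, Tuple

# Constructed host entries in the shape 'ipa host-show --all --raw' prints the
# attribute discussed in the thread (fqdn -> enrolledby DN). Not from a real server.
HOSTS: Dict[str, str] = {
    "test-hostname.example.com": "uid=build,cn=users,cn=accounts,dc=example,dc=com",
    "web01.example.com": "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
    "ci-runner.example.com": "uid=rebuild-bot,cn=users,cn=accounts,dc=example,dc=com",
}


def parse_inclusive_regex(rule: str) -> Tuple[str, str]:
    """Split 'enrolledby=uid=build,cn=users,...' into (attribute, regex).

    Only the first '=' separates the attribute from the expression; every
    later '=' belongs to the DN the expression is supposed to match.
    """
    attr, sep, regex = rule.partition("=")
    if not sep or not attr.strip() or not regex:
        raise ValueError(f"rule must look like attr=regex, got {rule!r}")
    return attr.strip(), regex


def match_modes(regex: str, value: str) -> Dict[str, bool]:
    """Report whether the expression matches under both plausible semantics."""
    compiled = re.compile(regex)
    return {
        "search": compiled.search(value) is not None,        # anywhere in the value
        "fullmatch": compiled.fullmatch(value) is not None,  # whole value, anchored
    }


def is_robust(regex: str, value: str) -> bool:
    """True when the rule matches regardless of how the plugin anchors it."""
    return all(match_modes(regex, value).values())


def preview_rule(rule: str, hosts: Dict[str, str], anchored: bool) -> List[str]:
    """List the hosts a rule would select under the chosen matching mode."""
    attr, regex = parse_inclusive_regex(rule)
    if attr.lower() != "enrolledby":
        raise ValueError(f"this preview only knows the enrolledby attribute, got {attr!r}")
    mode = "fullmatch" if anchored else "search"
    return sorted(fqdn for fqdn, dn in hosts.items() if match_modes(regex, dn)[mode])


if __name__ == "__main__":
    dn = HOSTS["test-hostname.example.com"]
    # The forms tried in the thread, plus the literal DN escaped for regex use.
    for candidate in ("build", ".*build", "build.*", ".*build.*", re.escape(dn)):
        print(f"{candidate!r:60} {match_modes(candidate, dn)}")
    # The loose form also catches the rebuild-bot host; pinning the uid does not.
    print(preview_rule("enrolledby=.*build.*", HOSTS, anchored=True))
    print(preview_rule("enrolledby=uid=build,.*", HOSTS, anchored=True))
```

Previewing a rule this way before adding it is a cheap guard against unintended host group membership, since the group is what HBAC and sudo rules key on. A form such as `uid=build,.*` matches under both semantics and only the intended account, where `.*build.*` is robust to anchoring but matches any enrolling user whose DN contains that substring.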


Re: [Freeipa-users] automember issues

2013-04-30 Thread JR Aquino
On Apr 30, 2013, at 10:52 AM, John Moyer wrote:

> Not a problem, here is the output
> 
> ipa automember-find --type=hostgroup
> ---
> 1 rules matched
> ---
>  Automember Rule: test-group
>  Inclusive Regex: enrolledby=build
> 
> Number of entries returned 1
> 
> 

interesting.

When you do an: ipa host-show test-hostname.example.com --all --raw

Does it clearly show that enrolledby=build?

> 
> 
> Thanks, 
> _
> John Moyer
> 
> 
> On Apr 30, 2013, at 1:48 PM, JR Aquino  wrote:
> 
>> On Apr 30, 2013, at 10:43 AM, John Moyer 
>> wrote:
>> 
>>> One thing to add is that this build user only has the following access: 
>>> 
>>> Host Administrators
>>> Host enrollment 
>>> 
>>> Would he need more access to do the membership?  My original thought was 
>>> that technically the user is not doing the addition to the group it's the 
>>> system technically doing it so there shouldn't be a permissions issue. 
>>> 
>> 
>> The user's roles shouldn't really matter to the best of my knowledge (Nathan 
>> Kinder may need to refresh my memory), but the 389 plugin, should be 
>> catching the insertion of the new object, then match the watched-attribute, 
>> and execute the hostgroup assignment based upon the rights of the plugin 
>> rather than that of the user.
>> 
>> Would it be possible to ask you to do an automember-find --type=hostgroup on 
>> the CLI and send it back to the thread?
>> 
>> If we are missing something or if we have any bugs in there, we need to get 
>> them identified and fixed.
>> 
>> 
>>> Thanks, 
>>> _
>>> John Moyer
>>> On Apr 30, 2013, at 1:21 PM, JR Aquino  wrote:
>>> 
>>>> 
>>>> On Apr 30, 2013, at 9:30 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:
>>>> 
>>>> Anyone have any suggestions to using the auto member function in IPA?  
>>>> I've tried to set it up so if a server is enrolled by a user called 
>>>> "build" then it should add it to a specific server group.   I put in an 
>>>> inclusive rule and the expression is just "build", but it doesn't work.  
>>>> Do I need to specify more than just build in the expression area?
>>>> 
>>>> 
>>>> That -should- be enough to catch new hosts that are built by the 'build' 
>>>> user.
>>>> 
>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ?
>>>> 
>>>> 
>>>> "Keeping your head in the cloud"
>>>> ~
>>>> Jr Aquino | Sr. Information Security Specialist
>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
>>>> GCIH | GIAC Certified Incident Handler
>>>> GWAPT | GIAC WebApp Penetration Tester
>>>> 
>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>>>> T:  +1 805.690.3478
>>>> C: +1 805.717.0365
>>>> jr.aqu...@citrix.com
>>>> http://www.citrixonline.com
>>>> 
>>>> 
>>>> 
>>>> Thanks,
>>>> _
>>>> John Moyer
>>>> 
>>>> 
>>>> ___
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> 
>>> 
>> 
> 


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] automember issues

2013-04-30 Thread JR Aquino
On Apr 30, 2013, at 10:43 AM, John Moyer wrote:

> One thing to add is that this build user only has the following access: 
> 
> Host Administrators
> Host enrollment 
> 
> Would he need more access to do the membership?  My original thought was that 
> technically the user is not doing the addition to the group it's the system 
> technically doing it so there shouldn't be a permissions issue. 
> 

The user's roles shouldn't really matter to the best of my knowledge (Nathan 
Kinder may need to refresh my memory), but the 389 plugin should be catching 
the insertion of the new object, then match the watched attribute, and execute 
the hostgroup assignment based upon the rights of the plugin rather than those 
of the user.

Would it be possible to ask you to do an automember-find --type=hostgroup on 
the CLI and send it back to the thread?

If we are missing something or if we have any bugs in there, we need to get 
them identified and fixed.


> Thanks, 
> _____
> John Moyer
> On Apr 30, 2013, at 1:21 PM, JR Aquino  wrote:
> 
>> 
>> On Apr 30, 2013, at 9:30 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:
>> 
>> Anyone have any suggestions to using the auto member function in IPA?  I've 
>> tried to set it up so if a server is enrolled by a user called "build" then 
>> it should add it to a specific server group.   I put in an inclusive rule 
>> and the expression is just "build", but it doesn't work.  Do I need to 
>> specify more than just build in the expression area?
>> 
>> 
>> That -should- be enough to catch new hosts that are built by the 'build' 
>> user.
>> 
>> Can you verify that the Attribute you are matching on is: "enrolledby" ?
>> 
>> 
>> "Keeping your head in the cloud"
>> ~
>> Jr Aquino | Sr. Information Security Specialist
>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
>> GCIH | GIAC Certified Incident Handler
>> GWAPT | GIAC WebApp Penetration Tester
>> 
>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>> T:  +1 805.690.3478
>> C: +1 805.717.0365
>> jr.aqu...@citrix.com
>> http://www.citrixonline.com
>> 
>> 
>> 
>> Thanks,
>> _
>> John Moyer
>> 
>> 
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> 
> 


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] automember issues

2013-04-30 Thread JR Aquino

On Apr 30, 2013, at 9:30 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

Anyone have any suggestions to using the auto member function in IPA?  I've 
tried to set it up so if a server is enrolled by a user called "build" then it 
should add it to a specific server group.   I put in an inclusive rule and the 
expression is just "build", but it doesn't work.  Do I need to specify more 
than just build in the expression area?


That -should- be enough to catch new hosts that are built by the 'build' user.

Can you verify that the Attribute you are matching on is: "enrolledby" ?


"Keeping your head in the cloud"
~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com



Thanks,
_
John Moyer


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] openldap to ipa

2013-01-11 Thread JR Aquino
Try editing /etc/openldap/ldap.conf:

TLS_CACERT  /etc/ipa/ca.crt
TLS_REQCERT allow


See if that helps

"Keeping your head in the cloud"
~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Exploit Researcher and Advanced Penetration Tester |
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Jan 11, 2013, at 8:05 AM, Johnathan Phan <j...@ox-consulting.com> wrote:

Hi There,

This is driving me up the wall.

I have two servers. One is a live OpenLDAP/Kerberos AAA server running on RHEL6. 
The LDAP service has SSL/TLS support. The second server is a test environment 
running on Fedora and has 3.1 IPA installed.

As a last step of my POC I need to migrate the users and passwords from the 
LDAP server to IPA server.

I ran this command perfectly fine.

ipa config-mod --enable-migration=TRUE

However the next step was where my issues began.

In the end after a lot of IRC communication and troubleshooting I now run the 
following command.

ipa migrate-ds --bind-dn="cn=admin,dc=example,dc=com" 
--user-container="ou=users,ou=live,dc=example,dc=com" 
--group-container="ou=groups,ou=live,dc=example,dc=com" 
ldaps://ldap1.live.example.com

I get the following error.

ipa: DEBUG: Caught fault 4203 from server 
http://fedoraipaserver.test.example.com/ipa/xml: Can't contact LDAP server: TLS 
error -8179:Peer's Certificate issuer is not recognized.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's Certificate 
issuer is not recognized.

I have summarized that the IPA server does not trust the cert served by the 
openldap or the other way around. Does anyone know how to get around this? Or 
allow me to finish the migration of user data.

Regards

John

--
Johnathan Phan

T: +44 (0)784 118 7080



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
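The -8179 in Johnathan's error is NSS SEC_ERROR_UNKNOWN_ISSUER: the client could not chain the OpenLDAP server's certificate to a trusted CA. Setting TLS_REQCERT to allow, as suggested above, makes the connection proceed despite that, so the migration works but the bind DN's password travels to a server whose identity was never verified. The alternative that keeps verification on is to point TLS_CACERT at the CA that issued the OpenLDAP server's certificate and leave TLS_REQCERT at demand. The added example below is mine, not from the thread or from OpenLDAP: it parses an ldap.conf body, reports the effective peer-certificate checking level using the value meanings from ldap.conf(5), and places the snippet from this thread beside a hardened variant. The CA file path in the hardened variant is a placeholder.

```python
from typing import Dict, Optional

# Meaning of each TLS_REQCERT value, per ldap.conf(5):
#   never  - no certificate is requested or checked
#   allow  - a missing or bad certificate is accepted; the session proceeds
#   try    - a missing certificate is accepted, a bad one ends the session
#   demand - a certificate is required and must verify ('hard' is a synonym;
#            this is also the default when the option is absent)
_REQCERT_LEVELS = {
    "never": "weak",
    "allow": "weak",
    "try": "partial",
    "demand": "strong",
    "hard": "strong",
}

# The configuration suggested in the thread, reproduced as constructed input.
SUGGESTED_CONF = """\
TLS_CACERT  /etc/ipa/ca.crt
TLS_REQCERT allow
"""

# Hardened variant: keep verification on and trust the CA that actually issued
# the OpenLDAP server's certificate. The path is a placeholder, not from the page.
HARDENED_CONF = """\
# CA that issued ldap1.live.example.com's certificate (placeholder path)
TLS_CACERT  /etc/openldap/certs/openldap-ca.crt
TLS_REQCERT demand
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ldap.conf into {OPTION: value}; option names are case-insensitive."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed ldap.conf line: {raw!r}")
        options[parts[0].upper()] = parts[1].strip()
    return options


def audit_tls(text: str) -> Dict[str, Optional[str]]:
    """Classify how strictly an ldap.conf body checks the peer certificate."""
    options = parse_ldap_conf(text)
    reqcert = options.get("TLS_REQCERT", "demand").lower()  # absent means demand
    level = _REQCERT_LEVELS.get(reqcert)
    if level is None:
        raise ValueError(f"unknown TLS_REQCERT value: {reqcert!r}")
    # With 'demand', the issuer of the peer certificate must be in this trust
    # store, otherwise the connection fails with the unknown-issuer error.
    cacert = options.get("TLS_CACERT") or options.get("TLS_CACERTDIR")
    return {"level": level, "reason": f"TLS_REQCERT {reqcert}", "cacert": cacert}


if __name__ == "__main__":
    for name, conf in (("suggested", SUGGESTED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_tls(conf)}")
```

Running the audit over a host's /etc/openldap/ldap.conf (or over the LDAPTLS_REQCERT environment equivalent) is a quick way to catch a weakening that was added during troubleshooting and never reverted once the migration finished.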


[Freeipa-users] RHEL6.3 Install Problem with IPA

2012-11-29 Thread JR Aquino
I have a weird ipa-replica-install problem that I have not been able to work 
around.

I have managed to successfully reproduce and identify the root cause of my 
pain, but I don't understand why it's coming up...

My install fails with:
Starting httpd: (98)Address already in use: make_sock: could not bind to 
address 0.0.0.0:80


After much head scratching, I finally was able to reproduce the problem:

If you start httpd as the install script does, it gives the following:

service httpd start
Starting httpd: Please enter password for "internal" token:

This process doesn't create the pidfile and essentially hangs httpd on 80 and 
443

When the restart process is later called, you get the message that the 
installer is throwing:

service httpd restart
Stopping httpd:[FAILED]
Starting httpd: (98)Address already in use: make_sock: could not bind to 
address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
[FAILED]


I've verified that the content of /etc/httpd/conf/password.conf is valid and 
will 'authenticate' if passed to that internal token prompt...

mod_nss is clearly the piece that is causing the prompting but I'm not sure 
what is breaking here or how I can work around it.

Can someone help?

"Keeping your head in the cloud"
~
Jr Aquino | Sr. Information Security Specialist
GIAC Exploit Researcher and Advanced Penetration Tester |
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Managing Sudo through FreeIPA

2012-11-08 Thread JR Aquino
If you go to the CLI on the FreeIPA server and type: ipa sudorule 

It will give you some useful info.  I believe you asked about the sudo user 
(which your log shows as currently unset, and configured as anonymous)

Here is a snippet:

-=-=-=-=-=-
...
FreeIPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

To enable the binddn run the following command to set the password:
LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

For more information, see the FreeIPA Documentation to Sudo.
-=-=-=-=-=-

The resulting user needs to be configured in your sudo-ldap.conf with:
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw 



"Keeping your head in the cloud"
~~~~~
Jr Aquino | Sr. Information Security Specialist

GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Nov 8, 2012, at 9:11 AM, William Muriithi wrote:

Steven,

Thanks for the pointers. I remember finding a post on this, but having
problem finding it now

I assume rhel6.3 by the el6 in the rpm

1) Make sure the host and IPA server are fully patched/updated.
I am current already

2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may or 
may not be there.

Done

3) add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for 
that file to "appear"  I'm not at work so I don't have a pastable set
Yes, the file was there already.  Wonder if you can paste it now.
Mine was like this

uri ldap://ipa1-yyz-int.example.loc

sudoers_base ou=SUDOers,dc=example,dc=loc

ssl  start_tls
tls_checkpeer(yes)
tls_cacertfile   /etc/ipa/ca.crt


4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.
Done
5) Add or enable the sudo "connection" user in IPA with a password.
?  Lost me here, mind explaining a bit please if you have a chance?
6) reboot the host

If it doesn't work set the debug level in sudo-ldap.conf to 2 and re-try to see 
the output..restart sssd.

sh-4.1$ sudo less /var/log/secure
LDAP Config Summary
===
uri  ldap://ipa1-yyz-int.example.loc
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=loc
binddn   (anonymous)
bindpw   (anonymous)
ssl  start_tls
tls_checkpeer(no)
tls_cacertfile   /etc/ipa/ca.crt
===
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=example,dc=loc
sudo: ldap search
'(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x60
[sudo] password for williamm:
williamm is not in the sudoers file.  This incident will be reported.


Thank you again for your help

Regards,

William
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272




From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of William Muriithi [william.murii...@gmail.com]
Sent: Thursday, 8 November 2012 10:28 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Managing Sudo through FreeIPA

Hello

I have been trying to setup user access through sudo file managed by
FreeIPA and it doesn't seem to be working.  I am not sure how to go
about fixing it, but I guess the best place to start is to ask what I
should expect the IPA installation script to set up and what
should be done manually.

[root@demo2 wmuriithi]# rpm -qa | grep sssd
sssd-client-1.8.0-32.el6.x86_64
sssd-1.8.0-32.el6.x86_64
[root@demo2 wmuriithi]#



[root@demo2 wmuriithi]# rpm -qa | grep sudo
sudo-1.7.4p5-13.el6_3.x86_64

The only errors related to sudo that I can find is on apache error logs

[Wed Nov 07 13:16:18 2012] [error] ipa: INFO: 
ad...@example.loc:
sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
version=u'2.34'

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-16 Thread JR Aquino
If you look closely, the reason that your admin works is because it appears to 
be matching a sudo rule that has the "ALL" hosts value set.

When you run the non working user, it is attempting to match the 
hostname/hostgroup to the rule and fails to do so.

Try this. Type: getent netgroup hostgroupname <- your host's hostgroup goes 
there.

^ that command should return all of the hosts in your hostgroup. If it does 
not, then check /etc/nsswitch.conf and make sure that netgroup is set to use 
sss.

You will also need to make sure that the output of: domainname or nisdomainname 
matches your expected domain.

Let me know how things look after trying that.

~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On Oct 16, 2012, at 8:34 AM, "Macklin, Jason" wrote:

Working user:

[jmacklin@dbduwdu062 log]$ sudo -l
LDAP Config Summary
===
uri  ldap://dbduvdu145.dbr.roche.com
ldap_version 3
sudoers_base ou=SUDOers,dc=dbr,dc=roche,dc=com
binddn   uid=sudo,cn=sysaccounts,cn=etc,dc=dbr,dc=roche,dc=com
bindpw   Roche454
bind_timelimit   5000
timelimit15
ssl  start_tls
tls_checkpeer(yes)
tls_cacertfile   /etc/ipa/ca.crt
===
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://dbduvdu145.dbr.roche.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=dbr,dc=roche,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x82
Matching Defaults entries for jmacklin on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS 
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE 
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL 
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

sudo: ldap search 
'(|(sudoUser=jmacklin)(sudoUser=%jmacklin)(sudoUser=%dbr)(sudoUser=%admins)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
User jmacklin may run the following commands on this host:
(root) ALL

Non-working user:

  Rule name: test4
  Enabled: TRUE
  Command category: all
  Users: asteinfeld
  Hosts: dbduwdu062.some.domain.com

LDAP Config Summary
===
uri  ldap://dbduvdu145.dbr.roche.com
ldap_version 3
sudoers_base ou=SUDOers,dc=dbr,dc=roche,dc=com
binddn   uid=sudo,cn=sysaccounts,cn=etc,dc=dbr,dc=roche,dc=com
bindpw   Roche454
bind_timelimit   5000
timelimit15
ssl  start_tls
tls_checkpeer(yes)
tls_cacertfile   /etc/ipa/ca.crt
===
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://dbduvdu145.dbr.roche.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=dbr,dc=roche,dc=com
sudo: ldap sudoHost 'dbduwdu062.dbr.roche.com' ... not
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x84
[sudo] password for asteinfeld:
Sorry, user asteinfeld may not run sudo on dbduwdu062.

Cheers,
Jason
From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Tuesday, October 16, 2012 11:22 AM
To: Macklin, Jason {DASB~Branford}
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per 
command or host level.

On 10/16/2012 11:09 AM, Macklin, Jason wrote:
Dmitri,

I will give you everything I’ve got.  If I can provide something else, let me 
know!

Working User:

Sudo debug output:

[jmacklin@dbduwdu062 log]$ sudo -l
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_op
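
An added example, not code from the thread: a small POSIX sh routine that reads the sudoers_debug 2 output pasted above and names the likely cause of a denial the way JR reads it (anonymous binddn, unverified TLS peer, user or host mismatch). The three sample outputs are constructed from the thread's pastes, trimmed to the relevant lines; the hostnames and DNs in them are placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: triage "sudo -l" output captured with
# sudoers_debug 2. It extracts the fields JR reads by eye (binddn,
# tls_checkpeer, user_matches, host_matches) and names the likely cause.
# The samples are constructed from the thread's pastes; names are placeholders.

# sudo_debug_triage < debug-output
# Prints one finding per line. Returns 0 when the lookup would have granted
# access (user and host both matched a rule), 1 otherwise.
sudo_debug_triage() {
    binddn=""; checkpeer=""; user_m=""; host_m=""; rc=1
    while IFS= read -r line; do
        case "$line" in
            binddn*)
                binddn=${line##* } ;;                  # "(anonymous)" or a DN
            tls_checkpeer*)
                checkpeer=${line##*\(}                 # "tls_checkpeer(yes)" -> "yes)"
                checkpeer=${checkpeer%\)} ;;
            "sudo: user_matches="*) user_m=${line#*=} ;;
            "sudo: host_matches="*) host_m=${line#*=} ;;
        esac
    done

    if [ "$binddn" = "(anonymous)" ]; then
        echo "CAUSE: binddn is anonymous, so sudo cannot read the rules;" \
             "set binddn/bindpw in sudo-ldap.conf to the uid=sudo system account."
    fi
    if [ "$checkpeer" = "no" ]; then
        echo "WARN: tls_checkpeer is off, the IPA server certificate is not verified;" \
             "set 'tls_checkpeer yes' with 'tls_cacertfile /etc/ipa/ca.crt'."
    fi
    if [ "$user_m" = "1" ] && [ "$host_m" = "1" ]; then
        echo "OK: user and host both matched a rule."
        rc=0
    elif [ "$user_m" = "0" ]; then
        echo "CAUSE: no rule matched the user (check sudoUser and group membership)."
    elif [ "$host_m" = "0" ]; then
        echo "CAUSE: user matched but host did not; check 'getent netgroup <hostgroup>'," \
             "'netgroup: sss' in /etc/nsswitch.conf, and that 'domainname' is set."
    else
        echo "CAUSE: no match summary found; was sudoers_debug set to 2?"
    fi
    return $rc
}

# Constructed from the thread's working user: bound as the sudo account, peer
# verified, user and host both matched.
SAMPLE_WORKING=$(cat <<'EOF'
LDAP Config Summary
binddn   uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
tls_checkpeer    (yes)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1
EOF
)

# Constructed from the non-working user: rule found, but the host-group check
# failed (the case the netgroup/domainname advice addresses).
SAMPLE_HOST_MISMATCH=$(cat <<'EOF'
binddn   uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
tls_checkpeer    (yes)
sudo: ldap sudoHost 'host1.example.com' ... not
sudo: user_matches=1
sudo: host_matches=0
EOF
)

# Constructed from the earlier "Managing Sudo" paste: anonymous bind and no
# peer verification; nothing can match because the rules are unreadable.
SAMPLE_ANON=$(cat <<'EOF'
binddn   (anonymous)
bindpw   (anonymous)
tls_checkpeer    (no)
sudo: user_matches=0
sudo: host_matches=0
EOF
)

printf '%s\n' "$SAMPLE_WORKING" | sudo_debug_triage
printf '%s\n' "$SAMPLE_HOST_MISMATCH" | sudo_debug_triage || true
printf '%s\n' "$SAMPLE_ANON" | sudo_debug_triage || true
```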

Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-16 Thread JR Aquino
On the host in question Run the command: domainname

That wants to match whatever your domain is. If it doesn't it will fail even if 
you have all the server rules configured correctly. This is a sudo + 
netgroups/hostgroups 'feature'

~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On Oct 16, 2012, at 2:26 PM, "Toasted Penguin"  
wrote:

> I have the server setup to manage sudo and I configured a target client to 
> use the IPA server for sudo.  When a user tries to use sudo (in this case 
> "sudo su -") it fails and they get the error "user is not allowed to run sudo 
> on client-host.  This incident will be reported." I verified via the log 
> files that the client is making requests to the IPA server when the user is 
> attempting to use sudo and it fails.  I temporarily disabled using the IPA 
> server for sudo and I get the standard "User not in the sudoers file".
>  
> It's starting to look like the server rules may be the issue but I believe I 
> have the sudo rule setup correctly.  I created a sudo command "/bin/su", 
> created a sudo rule "Sudo to root", added the group the user in question is 
> a part of to the WHO-->User Groups; Added the Host Group the target client 
> host is part of to Access This Host-->Host Groups and added the sudo command 
> to the sudo rule via Allow-->Sudo Allow Commands.  When I delete the sudo 
> rule I get the same result as I did when I temporarily disabled the client 
> host using the IPA server for sudo verification.
>  
> Any ideas why or where to look to figure out this issue?
>  
> Thanks,
> David 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Password requirements too stringent

2012-09-17 Thread JR Aquino

On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:

> JR
> 
> I had that line. I commented it out. Thank you.
> 
> Now, what do I have to restart?

I believe it should take effect in real time, but you may need to test to be 
sure.  If it is still happening, you may need to double check that some other 
pam cfg doesn't also have it present: $ cd /etc/pam.d/ && grep pam_cracklib *

If you have removed it from everything and it is still giving you the same 
error, then I would try a reboot... perhaps getty needs to reinitialize or 
something.  But I'd try those steps before a reboot!

;)

> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
> 
> - Original Message -
>> From: "JR Aquino" 
>> To: "Tim Hildred" 
>> Cc: "freeipa-users" 
>> Sent: Tuesday, September 18, 2012 12:37:48 PM
>> Subject: Re: [Freeipa-users] Password requirements too stringent
>> 
>> Tim, please check your /etc/pam.d/system-auth with the password
>> block.  If you see "password requisite pam_cracklib.so", then
>> this is why you are having a problem.
>> 
>> $ man pam_cracklib
>> 
>> It is a local security library for enforcing strong password
>> practices from the unix cli.
>> 
>> ProTip:
>> If you don't need this, you can remove it from pam
>> If you want to work around this, set your password from the IPA webui
>> or via the cli: "ipa passwd username"
>> 
>> Hope this info helps!
>> 
>> "Keeping your head in the cloud"
>> ~
>> JR Aquino
>> 
>> Senior Information Security Specialist, Technical Operations
>> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
>> GIAC Certified Incident Handler | GIAC WebApplication Penetration
>> Tester
>> jr.aqu...@citrix.com<mailto:jr.aqu...@citrix.com>
>> 
>> 
>> 
>> Powering mobile workstyles and cloud services
>> 
>> 
>> 
>> 
>> 
>> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
>> 
>> Hey all;
>> 
>> I'm running IPA internally to control access to our cloud
>> environment.
>> 
>> I must admit, I do not understand the password requirements. I have
>> had them set to the defaults. I read this:
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
>> 
>> I have the minimum character classes set to 0. When people use SSH to
>> change their passwords, they get "Based on a dictionary word" for
>> passwords that have nothing to do with dictionary words.
>> 
>> I can't find anywhere in the documentation a break down of what makes
>> an unacceptable versus acceptable password.
>> 
>> Can anyone help me figure out what to tell my users? I think people
>> would get a lot less frustrated if they knew why "C679V375" was "too
>> simple" when the password policy has 0 required classes.
>> 
>> Tim Hildred, RHCE
>> Content Author II - Engineering Content Services, Red Hat, Inc.
>> Brisbane, Australia
>> Email: thild...@redhat.com
>> Internal: 8588287
>> Mobile: +61 4 666 25242
>> IRC: thildred
>> 
>> ps: funny exchange with user:
>> Jul 12 14:12:33  i feel like im being punked
>> Jul 12 14:12:40  it is based on a dictionary word
>> Jul 12 14:12:43  it is too short
>> Jul 12 14:12:49  is does not have enough unique letters
>> Jul 12 14:12:51  etc
>> 
>> 
>> 


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Password requirements too stringent

2012-09-17 Thread JR Aquino
Tim, please check your /etc/pam.d/system-auth with the password block.  If you 
see "password requisite pam_cracklib.so", then this is why you are having 
a problem.

$ man pam_cracklib

It is a local security library for enforcing strong password practices from the 
unix cli.

ProTip:
If you don't need this, you can remove it from pam
If you want to work around this, set your password from the IPA webui or via 
the cli: "ipa passwd username"

Hope this info helps!

"Keeping your head in the cloud"
~~~~~~~~~
JR Aquino

Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Incident Handler | GIAC WebApplication Penetration Tester
jr.aqu...@citrix.com<mailto:jr.aqu...@citrix.com>



Powering mobile workstyles and cloud services





On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:

Hey all;

I'm running IPA internally to control access to our cloud environment.

I must admit, I do not understand the password requirements. I have had them 
set to the defaults. I read this:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html

I have the minimum character classes set to 0. When people use SSH to change 
their passwords, they get "Based on a dictionary word" for passwords that have 
nothing to do with dictionary words.

I can't find anywhere in the documentation a break down of what makes an 
unacceptable versus acceptable password.

Can anyone help me figure out what to tell my users? I think people would get a 
lot less frustrated if they knew why "C679V375" was "too simple" when the 
password policy has 0 required classes.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

ps: funny exchange with user:
Jul 12 14:12:33  i feel like im being punked
Jul 12 14:12:40  it is based on a dictionary word
Jul 12 14:12:43  it is too short
Jul 12 14:12:49  is does not have enough unique letters
Jul 12 14:12:51  etc

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] hostgroups not working for Sudo commands

2012-08-05 Thread JR Aquino
On Aug 5, 2012, at 1:54 PM, "Steven Jones"  wrote:

> Hi,
> 
> I have setup a sudo command but no matter what I do I cannot get a host-group 
> to work, but I can specify a specific host without issue. I assume this is 
> a problem with the sssd daemon on the RHEL6.3 client?  So what info/logs are 
> needed to fault find this please?
> 
> 
> 

Set sudoers_debug 2 in your sudo-ldap.conf.

Run the sudo command. You should see it scroll a list of hostgroups etc.

If you do not have your domainname set, your sudo commands will fail on the 
hostgroup because they expect to see the nis domain match.

> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] self service password reset

2012-07-11 Thread JR Aquino
On Jul 11, 2012, at 3:23 PM, Dmitri Pal wrote:

On 07/11/2012 06:15 PM, JR Aquino wrote:
Note that this is also a future feature planned for 3.x

https://fedorahosted.org/freeipa/ticket/2276


Slightly different issue. This ticket is about allowing you to change
your password when it is expired when one logs into the web UI.
It is a more narrow use case than the mentioned utility.



Hrm. While the pwm tool DOES offer a great deal of other really cool looking 
features, it looks like it was only cited as an example in the BZ, and that the 
core problem described was "self password reset without ssh/kerb/etc".  The 
corresponding fix also seems to implement only that one feature.

I am interested in the other features that pwm advertises though!  Perhaps I 
will get a free moment to test it out and report back on compatibility.


Benjamin Reed 2011-09-30 14:06:31 EDT

Not a bug per se, but an enhancement request.

While it's possible for a user to reset their own password, it currently 
requires being hooked into some level of "real" account access, like SSH'ing in 
or providing kerberos credentials.  We are using FreeIPA to provide a 
user-management backend for web-based services we are providing to our 
customers, and don't want them to have to configure Kerberos, or SSH into an 
account, just to set their password.

It would be nice to have a "password reset" tool that is accessible securely 
(like over HTTPS) which doesn't require special credentials other than 
knowledge of the existing username and password.  One such example I'll be 
evaluating since there is no built-in facility for this is PWM:



^ That sounds like needing an HTTPS interface to perform self password resets 
on accounts that are expired :)

The detailed notes in the corresponding FreeIPA ticket seem to be in parallel 
as well:

https://fedorahosted.org/freeipa/ticket/1907


~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On Jul 11, 2012, at 11:59 AM, KodaK wrote:

Has anyone rolled out a self-service password reset utility for IPA?
If so did you use something off the shelf that speaks LDAP or roll
your own?

I'm looking at this:

http://code.google.com/p/pwm/

But I'm just starting down this path.

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] self service password reset

2012-07-11 Thread JR Aquino
Note that this is also a future feature planned for 3.x

https://fedorahosted.org/freeipa/ticket/2276

~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On Jul 11, 2012, at 11:59 AM, KodaK wrote:

Has anyone rolled out a self-service password reset utility for IPA?
If so did you use something off the shelf that speaks LDAP or roll
your own?

I'm looking at this:

http://code.google.com/p/pwm/

But I'm just starting down this path.

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread JR Aquino

On Jul 10, 2012, at 12:28 PM, KodaK wrote:

> Further information:
> 
> I do have:
> 
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

Go ahead and remove this line.  Previous legacy versions of sssd required it.  
I believe it just gets in the way now.

You also want to run: $ domainname

Make sure it comes back with your domain, if not, please set your domainname.  
(/etc/rc.local is currently the place recommended to set this value)

Netgroups will come back as a tuple like: (testhost.domain.com, -, domain.com)  

Sudo will do the netgroup look up and wants to see that the hostname matches 
the hostname of the server, and that the domain also matches.

You can double-check this by doing: getent netgroup 

It should return a tuple like the one above.

If you are still having difficulty, you can add sudoers_debug 2 in your 
/etc/sudo-ldap.conf file then re-run your sudo command.  It should show the 
various tests it performs and the output of the FreeIPA server.  It wants to 
match user, host, and command.


> In /etc/sssd/sssd.conf
> 
> Is cn=ng,cn=compat correct?
> 
> --Jason
> 
> On Tue, Jul 10, 2012 at 2:15 PM, KodaK  wrote:
>> I'm running IPA 2.2.0 on RHEL6
>> 
>> Server:
>> 
>> [root@validserver ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> 
>> Client:
>> 
>> [root@validhost ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> 
>> My sudo-ldap.conf file:
>> 
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
>> bindpw validpassword
>> 
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>> 
>> bind_timelimit 5
>> timelimit 15
>> 
>> uri ldap://validserver ldap://validserver2
>> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
>> 
>> What I'm trying to do:  I have a group of users that I'd like to have
>> restart apache on a group of hosts.
>> 
>> What I've done:  created a user group, created a group of hosts (in a
>> grouplist.)
>> 
>> I can successfully run sudo in any configuration, *except* when using
>> a host group.  When I try I get:
>> 
>> Sorry, user validuser is not allowed to execute
>> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>> 
>> I can edit the same rule, change the host group (that only contains
>> two hosts) and specify the two hosts directly and it works fine.
>> 
>> Can someone else just try this and see if I've hit a bug?  I'm certain
>> I couldn't have messed up creating the host group, but I suppose it's
>> possible.
>> 
>> I get the same behavior when I try a simple "/bin/cat" command through
>> sudo, too.
>> 
>> Is there a special config for using host groups?  I suspect I may have
>> missed some obvious documentation.
>> 
>> --
>> The government is going to read our mail anyway, might as well make it
>> tough for them.  GPG Public key ID:  B6A1A7C6
> 
> 
> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
> 


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
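
An added example, not code from the post: a POSIX sh reproduction of the netgroup match sudo performs for a host-group rule, run against a captured getent netgroup line, so the domainname problem JR describes here and in the earlier hostgroup threads can be shown offline. It assumes glibc's getent output format and FreeIPA's compat netgroup triples ("-" user field, NIS domain in the domain field); the sample line and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the list post: reproduce the netgroup match that
# sudo performs for a host-group rule, against a captured "getent netgroup"
# line, so the domainname mismatch JR describes can be shown offline.
#
# Assumptions (constructed for this example):
#  - the netgroup line is in glibc's getent format,
#    "name (host,user,domain) (host,user,domain) ...";
#  - FreeIPA compat netgroups carry "-" in the user field and the NIS domain
#    in the domain field, like the post's "(testhost.domain.com, -, domain.com)".

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# field_matches TRIPLE_FIELD LOCAL_VALUE
# An empty field is a wildcard, "-" never matches, anything else must be equal
# (case-insensitively, since hostnames are).
field_matches() {
    case "$1" in
        "")  return 0 ;;
        "-") return 1 ;;
    esac
    if [ "$(lc "$1")" = "$(lc "$2")" ]; then
        return 0
    fi
    return 1
}

# netgroup_host_matches NETGROUP_LINE HOSTNAME NISDOMAIN
# Succeeds if any (host,user,domain) triple matches both the local hostname
# and the local NIS domain, which is what sudo's innetgr() lookup requires.
netgroup_host_matches() {
    line=$1; host=$2; domain=$3
    case "$line" in
        *" "*) ;;
        *) return 1 ;;              # netgroup has no members
    esac
    # drop the netgroup name, then normalise spacing so "for" splits on triples
    triples=$(printf '%s' "${line#* }" | tr -d ' ' | sed 's/)(/) (/g')
    for t in $triples; do
        t=${t#\(}; t=${t%\)}
        h=${t%%,*}
        rest=${t#*,}
        d=${rest#*,}
        if field_matches "$h" "$host" && field_matches "$d" "$domain"; then
            return 0
        fi
    done
    return 1
}

# domainname_is_set DOMAINNAME_OUTPUT
# "domainname" prints "(none)" when the NIS domain was never set; the post's
# fix is to set it (e.g. from /etc/rc.local) so the domain field can match.
domainname_is_set() {
    case "$1" in
        ""|"(none)") return 1 ;;
        *) return 0 ;;
    esac
}

# sudo_hostgroup_check NETGROUP_LINE HOSTNAME DOMAINNAME_OUTPUT
# Walks JR's checklist and says why sudo would reject the host.
# Returns 0 on a match, 2 when domainname is unset, 1 when the host is absent.
sudo_hostgroup_check() {
    if ! domainname_is_set "$3"; then
        echo "FAIL: domainname is unset; no netgroup domain field can match"
        return 2
    fi
    if netgroup_host_matches "$1" "$2" "$3"; then
        echo "OK: $2 is in netgroup '${1%% *}' for domain $3"
        return 0
    fi
    echo "FAIL: $2 is not in netgroup '${1%% *}'; check 'getent netgroup' and 'netgroup: sss' in nsswitch.conf"
    return 1
}

# Constructed sample line, shaped like the tuple quoted in the post.
SAMPLE_NETGROUP='webservers (testhost.domain.com,-,domain.com) (validhost1.fqdn.com,-,domain.com)'

sudo_hostgroup_check "$SAMPLE_NETGROUP" testhost.domain.com domain.com
sudo_hostgroup_check "$SAMPLE_NETGROUP" testhost.domain.com "(none)" || true
sudo_hostgroup_check "$SAMPLE_NETGROUP" otherhost.domain.com domain.com || true
```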


Re: [Freeipa-users] 389-ds memory usage

2012-06-06 Thread JR Aquino
On Jun 6, 2012, at 12:30 AM, "Sigbjorn Lie"  wrote:

> On Wed, June 6, 2012 00:54, JR Aquino wrote:
>> On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote:
>> 
>> 
>>> On 06/06/2012 12:26 AM, JR Aquino wrote:
>>> 
>>>> On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:
>>>> 
>>>> 
>>>>> On 06/05/2012 11:44 PM, JR Aquino wrote:
>>>>> 
>>>>>> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
>>>>>> 
>>>>>> 
>>>>>>> On 06/05/2012 10:42 PM, Steven Jones wrote:
>>>>>>> 
>>>>>>>> Hi
>>>>>>>> 
>>>>>>>> 
>>>>>>>> This bug has pretty much destroyed my IPA deployment... I had a 
>>>>>>>> pretty bad memory leak, had to reboot every 36 hours... made worse by 
>>>>>>>> trying later 6.3? rpms... didn't fix the leak and it went split 
>>>>>>>> brain... 2 months and no fix... boy did that open up a can of worms.
>>>>>>>> 
>>>>>>>> :/
>>>>>>>> 
>>>>>>>> 
>>>>>>>> In my case I can't see how it's churn as I have so few entries (<50) and 
>>>>>>>> I'm adding no more items at present... unless a part of ipa is 
>>>>>>>> "replicating and diffing" in the background to check consistency?
>>>>>>>> 
>>>>>>>> I also have only one way replication now at most,  master to replica 
>>>>>>>> and no memory
>>>>>>>> leak shows in Munin at present.
>>>>>>>> 
>>>>>>>> but I seem to be faced with a rebuild from scratch...
>>>>>>> Did you do the "max entry cache size" tuning? If you did, what did you 
>>>>>>> set it to?
>>>>>>> 
>>>>>>> 
>>>>>>> Did you do any other tuning from the 389-ds tuning guide?
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Rgds,
>>>>>>> Siggi
>>>>>>> 
>>>>>> When I had similar problems using Fedora (Not Redhat or CentOS) my 
>>>>>> underlying issues
>>>>>> were: managed entries firing off any time an object was updated (every 
>>>>>> time someone
>>>>>> successfully authenticates, kerberos updates the user object, which in 
>>>>>> turn would touch
>>>>>> the mepmanaged entry for the user's private group)  Similar things 
>>>>>> happened when
>>>>>> hostgroups were modified...
>>>>>> 
>>>>>> This was further complicated by inefficiencies in the way that slapi-nis 
>>>>>> was processing
>>>>>> the compat pieces for the sudo rules and the netgroups (which are 
>>>>>> automatically create
>>>>>> from every hostgroup)
>>>>>> 
>>>>>> Thus, when memberof fired off, slapi-nis recomputed a great deal of its 
>>>>>> chunk...
>>>>>> 
>>>>>> 
>>>>>> After getting those issues resolved, I tuned the max entry cache size.  
>>>>>> But it took all
>>>>>> the fixes to finally resolve the memory creep problem.
>>>>>> 
>>>>>> It is not at all clear to me whether or not the bug fixes for my problem 
>>>>>> have made it up
>>>>>> into Redhat / CentOS though...  The slapi-nis versions definitely don't 
>>>>>> line up between
>>>>>> fedora and redhat/centos...
>>>>>> 
>>>>>> Perhaps Nalin Or Rich can speak to some of that.
>>>>>> 
>>>>>> 
>>>>>> The bug itself was easiest to replicate with _big_ changes like deleting 
>>>>>> a group that had a great number of members for example, but the symptoms 
>>>>>> were similar for me for day to day operation resulting in consumption 
>>>>>> that never freed.

Re: [Freeipa-users] 389-ds memory usage

2012-06-05 Thread JR Aquino
On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote:

> On 06/06/2012 12:26 AM, JR Aquino wrote:
>> On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:
>> 
>>> On 06/05/2012 11:44 PM, JR Aquino wrote:
>>>> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
>>>> 
>>>>> On 06/05/2012 10:42 PM, Steven Jones wrote:
>>>>>> Hi
>>>>>> 
>>>>>> This bug has pretty much destroyed my IPA deployment... I had a 
>>>>>> pretty bad memory leak, had to reboot every 36 hours... made worse by 
>>>>>> trying later 6.3? rpms... didn't fix the leak and it went split 
>>>>>> brain... 2 months and no fix... boy did that open up a can of 
>>>>>> worms.
>>>>>> 
>>>>>> :/
>>>>>> 
>>>>>> In my case I can't see how it's churn as I have so few entries (<50) and 
>>>>>> I'm adding no more items at present... unless a part of ipa is 
>>>>>> "replicating and diffing" in the background to check consistency?
>>>>>> 
>>>>>> I also have only one way replication now at most,  master to replica and 
>>>>>> no memory leak shows in Munin at present.
>>>>>> 
>>>>>> but I seem to be faced with a rebuild from scratch...
>>>>> Did you do the "max entry cache size" tuning? If you did, what did you 
>>>>> set it to?
>>>>> 
>>>>> Did you do any other tuning from the 389-ds tuning guide?
>>>>> 
>>>>> 
>>>>> 
>>>>> Rgds,
>>>>> Siggi
>>>> When I had similar problems using Fedora (Not Redhat or CentOS) my 
>>>> underlying issues were: managed entries firing off any time an object was 
>>>> updated (every time someone successfully authenticates, kerberos updates 
>>>> the user object, which in turn would touch the mepmanaged entry for the 
>>>> user's private group)  Similar things happened when hostgroups were 
>>>> modified...
>>>> 
>>>> This was further complicated by inefficiencies in the way that slapi-nis 
>>>> was processing the compat pieces for the sudo rules and the netgroups 
>>>> (which are automatically created from every hostgroup)
>>>> 
>>>> Thus, when memberof fired off, slapi-nis recomputed a great deal of its 
>>>> chunk...
>>>> 
>>>> After getting those issues resolved, I tuned the max entry cache size.  
>>>> But it took all the fixes to finally resolve the memory creep problem.
>>>> 
>>>> It is not at all clear to me whether or not the bug fixes for my problem 
>>>> have made it up into Redhat / CentOS though...  The slapi-nis versions 
>>>> definitely don't line up between fedora and redhat/centos...
>>>> 
>>>> Perhaps Nalin Or Rich can speak to some of that.
>>>> 
>>>> The bug itself was easiest to replicate with _big_ changes like deleting a 
>>>> group that had a great number of members for example, but the symptoms 
>>>> were similar for me for day to day operation resulting in 
>>>> consumption that never freed.
>>>> 
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=771493
>>>> 
>>>> Are either of you currently utilizing sudo?
>>>> 
>>> I read your bug report a while back, and made sure that slapi-nis was 
>>> disabled.
>>> 
>>> I have tuned my cache size to 256MB. I believe that should be OK as my 
>>> cache hit ratio sits at 97-99% ?
>>> 
>>> I understand you have a fairly large deployment, what cache size are you 
>>> using? Are you using Fedora or Red Hat / CentOS as your production 
>>> environment?
>>> 
>>> I do not use sudo with IPA yet, I am planning for doing that later. Is 
>>> there any issues I should be aware of with sudo integration?
>>> 
>>> Rich/Nalin,
>>> Was there a bug in managed entries that's been fixed in the current 389-ds 
>>> versions available in Red Hat / CentOS  6?
>>> 
>>> 
>>> Regards,
>>> Siggi
>>> 
>> Ya it is true that I do have a large environment, but some of the hurdles 
>> that I had to jump appeared to be ones that weren't related so much to the 
>> number of hosts I had, but rather their amount of activity.  I.e. automated 
>>

Re: [Freeipa-users] 389-ds memory usage

2012-06-05 Thread JR Aquino
On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:

> On 06/05/2012 11:44 PM, JR Aquino wrote:
>> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
>> 
>>> On 06/05/2012 10:42 PM, Steven Jones wrote:
>>>> Hi
>>>> 
>>>> This bug has pretty much destroyed my IPA deployment...I had a 
>>>> pretty bad memory leak had to reboot every 36 hours...made worse by trying 
>>>> later 6.3? rpms didnt fix the leak and it went split brain...2 months 
>>>> and no fix...boy did that open up a can of worms.
>>>> 
>>>> :/
>>>> 
>>>> In my case I cant see how its churn as I have so few entries (<50) and Im 
>>>> adding no more items at present...unless a part of ipa is "replicating 
>>>> and diffing" in the background to check consistency?
>>>> 
>>>> I also have only one way replication now at most,  master to replica and 
>>>> no memory leak shows in Munin at present.
>>>> 
>>>> but I seem to be faced with a rebuild from scratch...
>>> 
>>> Did you do the "max entry cache size" tuning? If you did, what did you set 
>>> it to?
>>> 
>>> Did you do any other tuning from the 389-ds tuning guide?
>>> 
>>> 
>>> 
>>> Rgds,
>>> Siggi
>> When I had similar problems using Fedora (Not Redhat or CentOS) my 
>> underlying issues were: managed entries firing off any time an object was 
>> updated (every time someone successfully authenticates, kerberos updates the 
>> user object, which in turn would touch the mepmanaged entry for the user's 
>> private group)  Similar things happened when hostgroups were modified...
>> 
>> This was further complicated by inefficiencies in the way that slapi-nis was 
>> processing the compat pieces for the sudo rules and the netgroups (which are 
>> automatically created from every hostgroup)
>> 
>> Thus, when memberof fired off, slapi-nis recomputed a great deal of its 
>> chunk...
>> 
>> After getting those issues resolved, I tuned the max entry cache size.  But 
>> it took all the fixes to finally resolve the memory creep problem.
>> 
>> It is not at all clear to me whether or not the bug fixes for my problem 
>> have made it up into Redhat / CentOS though...  The slapi-nis versions 
>> definitely don't line up between fedora and redhat/centos...
>> 
>> Perhaps Nalin Or Rich can speak to some of that.
>> 
>> The bug itself was easiest to replicate with _big_ changes like deleting a 
>> group that had a great number of members for example, but the symptoms were 
>> similar for me for day to day operation resulting in 
>> consumption that never freed.
>> 
>> https://bugzilla.redhat.com/show_bug.cgi?id=771493
>> 
>> Are either of you currently utilizing sudo?
>> 
> I read your bug report a while back, and made sure that slapi-nis was 
> disabled.
> 
> I have tuned my cache size to 256MB. I believe that should be OK as my cache 
> hit ratio sits at 97-99% ?
> 
> I understand you have a fairly large deployment, what cache size are you 
> using? Are you using Fedora or Red Hat / CentOS as your production 
> environment?
> 
> I do not use sudo with IPA yet, I am planning for doing that later. Is there 
> any issues I should be aware of with sudo integration?
> 
> Rich/Nalin,
> Was there a bug in managed entries that's been fixed in the current 389-ds 
> versions available in Red Hat / CentOS  6?
> 
> 
> Regards,
> Siggi
> 

Ya it is true that I do have a large environment, but some of the hurdles that 
I had to jump appeared to be ones that weren't related so much to the number of 
hosts I had, but rather their amount of activity.  I.e. automated single-sign 
on scripts, people authenticating, general binds taking place all over...

I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA 2.2

My measurements... ;)

dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: monitor
database: ldbm database
readonly: 0
entrycachehits: 904077
entrycachetries: 923802
entrycachehitratio: 97
currententrycachesize: 79607895
maxentrycachesize: 104857600
currententrycachecount: 10301
maxentrycachecount: -1
dncachehits: 3
dncachetries: 10302
dncachehitratio: 0
currentdncachesize: 1861653
maxdncachesize: 10485760
currentdncachecount: 10301
maxdncachecount: -1



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
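A small check in the spirit of "closely monitor your entry cache usage", added here as an example and not part of the thread: it reads the attributes of the cn=monitor entry posted above (the values are copied from that entry; the excerpt itself is constructed) and warns when the entry cache approaches maxentrycachesize or the hit ratio falls below a floor you choose.

```shell
#!/bin/sh
# The cn=monitor entry posted above, reduced to the attributes this check reads
# (values copied from the thread; the entry itself is a constructed excerpt).
SAMPLE_MONITOR='dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
entrycachehits: 904077
entrycachetries: 923802
entrycachehitratio: 97
currententrycachesize: 79607895
maxentrycachesize: 104857600
currententrycachecount: 10301
maxentrycachecount: -1'

# monitor_attr TEXT ATTR -> prints the value of ATTR from an LDIF-style entry
monitor_attr() {
  printf '%s\n' "$1" | awk -v a="$2:" '$1 == a { print $2; exit }'
}

# entry_cache_usage_pct TEXT -> integer percentage of maxentrycachesize currently in use
entry_cache_usage_pct() {
  cur=$(monitor_attr "$1" currententrycachesize)
  max=$(monitor_attr "$1" maxentrycachesize)
  echo $(( cur * 100 / max ))
}

# entry_cache_status TEXT USAGE_WARN_PCT HITRATIO_WARN_PCT
# Prints "ok", or "warn: ..." when the cache is close to its ceiling (the condition
# that preceded the leak described in the thread) or the hit ratio has dropped
# below the floor given.
entry_cache_status() {
  usage=$(entry_cache_usage_pct "$1")
  ratio=$(monitor_attr "$1" entrycachehitratio)
  msg=""
  if [ "$usage" -ge "$2" ]; then
    msg="${msg}entry cache at ${usage}% of maxentrycachesize; "
  fi
  if [ "$ratio" -lt "$3" ]; then
    msg="${msg}hit ratio ${ratio}% below ${3}%; "
  fi
  if [ -z "$msg" ]; then echo ok; else echo "warn: $msg"; fi
}

# Usage: warn at 90% cache usage or a hit ratio under 95%.
entry_cache_status "$SAMPLE_MONITOR" 90 95
```

On a live server, feed the functions the output of an ldapsearch against the same base DN, cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config.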


Re: [Freeipa-users] 389-ds memory usage

2012-06-05 Thread JR Aquino
On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:

> On 06/05/2012 10:42 PM, Steven Jones wrote:
>> Hi
>> 
>> This bug has pretty much destroyed my IPA deployment...I had a 
>> pretty bad memory leak had to reboot every 36 hours...made worse by trying 
>> later 6.3? rpms didnt fix the leak and it went split brain...2 months 
>> and no fix...boy did that open up a can of worms.
>> 
>> :/
>> 
>> In my case I cant see how its churn as I have so few entries (<50) and Im 
>> adding no more items at present...unless a part of ipa is "replicating and 
>> diffing" in the background to check consistency?
>> 
>> I also have only one way replication now at most,  master to replica and no 
>> memory leak shows in Munin at present.
>> 
>> but I seem to be faced with a rebuild from scratch...
> 
> 
> Did you do the "max entry cache size" tuning? If you did, what did you set it 
> to?
> 
> Did you do any other tuning from the 389-ds tuning guide?
> 
> 
> 
> Rgds,
> Siggi

When I had similar problems using Fedora (Not Redhat or CentOS) my underlying 
issues were: managed entries firing off any time an object was updated (every 
time someone successfully authenticates, kerberos updates the user object, 
which in turn would touch the mepmanaged entry for the user's private group)  
Similar things happened when hostgroups were modified...

This was further complicated by inefficiencies in the way that slapi-nis was 
processing the compat pieces for the sudo rules and the netgroups (which are 
automatically created from every hostgroup)

Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk...

After getting those issues resolved, I tuned the max entry cache size.  But it 
took all the fixes to finally resolve the memory creep problem.

It is not at all clear to me whether or not the bug fixes for my problem have 
made it up into Redhat / CentOS though...  The slapi-nis versions definitely 
don't line up between fedora and redhat/centos...

Perhaps Nalin Or Rich can speak to some of that.

The bug itself was easiest to replicate with _big_ changes like deleting a 
group that had a great number of members for example, but the symptoms were 
similar for me for day to day operation resulting in consumption 
that never freed.

https://bugzilla.redhat.com/show_bug.cgi?id=771493

Are either of you currently utilizing sudo?




Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-06-05 Thread JR Aquino
On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:

> A couple days ago my (apache) certificates expired.  Users are able to kinit 
> but tools such as sudo fail because of the expired certificates. Lots of 
> reading/Google'ing later I found this script (steps) to renew these certs:

I'm just curious, but, isn't certmonger supposed to automatically renew these?  
Is certmonger failing in this case?



Re: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake

2012-05-16 Thread JR Aquino
Whew, glad to hear you got through it!

The 389 ds crew is working on making the cleanruv into an internal automated 
process. I empathize completely.

The gssapi errors are generally benign. They come up because ldap starts before 
the kdc.

"Keeping your head in the cloud"
~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu...@citrix.com
http://www.citrixonline.com

On May 16, 2012, at 4:29 PM, "David Copperfield" <cao2...@yahoo.com> wrote:

Could that be because of removing ghost entries in CA database?

Another possible place could be the deleting/clearing option itself. One 
annoying thing that I've found is:

I cleared the RUV records from IPA servers one by one, then I restart IPA 
services on the servers one by one again, ldapsearch showed that the RUV ghost 
entries popped up again. :(

I had to kill it again and again across the IPA server farms, then restart IPA 
servers one by one, check again, until the ghost RUV entries disappeared from 
all and didn't come back -- It is very, VERY exhausting and annoying.

After that I still need to stop IPA replica first, then restart IPA master and 
until now it worked -- ipa commands and kinit worked.  At last I brought up the 
valid replica and it worked this time as well.

Now it was time to reinstall the failed IPA replica and it was installed and up 
and running well.

After I tested with 'ipa user-add', 'ipa-user-delete' and found that the 
replication did work across the IPA master and IPA replicas. I tested the last 
time and found the following messages in the error log file on IPA master, it 
maybe harmless but I am not sure:

[16/May/2012:16:18:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[16/May/2012:16:18:36 -0700] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=jigsaw,dc=com
[16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be 
added before the CoS Definition.
[16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be 
added before the CoS Definition.
[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[16/May/2012:16:18:36 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[16/May/2012:16:18:36 -0700] - Listening on All Interfaces port 636 for LDAPS requests
[16/May/2012:16:18:36 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket 
for LDAPI requests
[16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) 
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code 
may provide more information (Credentials cache file '/tmp/krb5cc_496' not 
found))
[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - 
agmt="cn=meToipareplica02.example.com" (ipareplica02:389): Replication bind 
with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) 
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code 
may provide more information (Credentials cache file '/tmp/krb5cc_496' not 
found))
[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugi

Re: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake

2012-05-16 Thread JR Aquino
Try: ipactl stop then ipactl start

Doesn't look like dirsrv is running on 389 and 636

~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On May 16, 2012, at 2:54 PM, David Copperfield wrote:

Sorry to declare success too quick, :( In fact, it is worse now, the IPA master 
fail after performing the above steps including the RUV cleaning.  I've only 
one working replica and I'm afraid to do anything on it.

On The IPA master, after I ran 'service ipa restart' it reported OK, but  'ipa 
user-find' failed. so I cleared my Kerberos TGT ticket, ran 'kinit admin' to 
try my luck, the IPA master  failed with the following message, it showed that 
389 port listening disappeared for unknown reasons.

[root@ipamaster slapd-EXAMPLE-COM]# kinit admin

kinit: Generic error (see e-text) while getting initial credentials
[root@ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i LISTEN | grep ns
tcp        0      0 :::7389                     :::*                        LISTEN      6550/ns-slapd
tcp        0      0 :::7390                     :::*                        LISTEN      6550/ns-slapd
[root@ipamaster slapd-EXAMPLE-COM]#

The error logs are pasted here too.

[16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[16/May/2012:14:41:43 -0700] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests
[16/May/2012:14:41:43 -0700] - Listening on All Interfaces port 636 for LDAPS 
requests
[16/May/2012:14:41:43 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket 
for LDAPI requests
[16/May/2012:14:41:43 -0700] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) 
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code 
may provide more information (Credentials cache file '/tmp/krb5cc_496' not 
found))
[16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:14:41:43 -0700] NSMMReplicationPlugin - 
agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind 
with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:46 -0700] NSMMReplicationPlugin - 
agmt="cn=meToipareplica01.example.com" (ipareplica01:389): Replication bind 
with GSSAPI auth resumed

Thanks.

--David


From: David Copperfield <cao2...@yahoo.com>
To: JR Aquino <jr.aqu...@citrix.com>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Wednesday, May 16, 2012 1:23 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is 
removed on web UI by mistake

Hi JR,

Thanks a lot! It works perfectly.

The only extra thing probably goes with 2.1.3 only: I need to find and clear 
ghost RUV records for CA database, and remove it from master and all other live 
replicas as well.

BTW, on 2.2.0 the two database backends still are separate, or merged into one?

Thanks.

--David


From: JR Aquino <jr.aqu...@citrix.com>
To: David Copperfield <cao2...@yahoo.com>
Cc: FreeIPAUsers <freeipa-users@redhat.com>
Sent: Wednesday, May 16, 2012 12:57 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is 
removed on web UI by mistake

On May 16, 2012, at 12:23 PM, David Copperfield wrote:

> Hi all,
>
>  I accidentally removed one of my IPA replica host on IPA web UI by mistake, 
> on the host list I planned to remove ipaclient02.example.com, but accidentally 
> the mouse moved to ipareplica02.example.com and the latter got removed 
> without a prompt.
>
> I realized the mistake and tried to recover from this disaster but it was 
> already too late, the change propagated to all the replicas and the poor 
> ipareplica02 now stops functioning.
>
> [root@ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/i

Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

2012-05-16 Thread JR Aquino
On May 16, 2012, at 12:23 PM, David Copperfield wrote:

> Hi all,
> 
>  I accidentally removed one of my IPA replica host on IPA web UI by mistake, 
> on the host list I planned to remove ipaclient02.example.com, but accidentally 
> the mouse moved to ipareplica02.example.com and the latter got removed 
> without a prompt.
> 
> I realized the mistake and tried to recover from this disaster but it was 
> already too late, the change propagated to all the replicas and the poor 
> ipareplica02 now stops functioning.
> 
> [root@ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': 
> Internal Server Error
> [root@ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': 
> Internal Server Error
> [root@ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': 
> Internal Server Error
> [root@ipareplica02 slapd-EXAMPLE-COM]# 
> 
> On the IPA master, It was found that ipareplica02 didn't show up in 
> 'host-find' list or 'service-find' list. Though it still showed in the master 
> list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real 
> command 'ipa-replica-manage list ipareplica02' fails with LDAP couldn't reach 
> error.
> 
> What should I do now? Is there are any other ways to recover besides 
> uninstall and reinstall of IPA replica ipareplica02?
> 
>  BTW, it will be more than appreciated if the web UI could pop up a warning 
> prompt when removing host/services entries associated with IPA masters and 
> IPA replicas. 

Been there... Done that... The bug is fixed in 2.2... It will prompt and 
prevent you from deleting a replica host if there is an agreement.

To clean up...

0. On the master replica: ipa-replica-manage del ipareplica02.example.com 
--force
-This will delete the replica agreement for the host.

1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
 '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'

Look for your nsds50ruv that matches your ghost replica.

2. Create an ldif following the directions here: 
http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
Something like:

$ cat cleanup.ldif
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV## <- ## == The ReplicaID number for the ghost replica.

3. Run on all of the remaining replicas: ldapmodify -x -D "cn=directory 
manager" -W -f cleanup.ldif
- This removes the ghost entry.

4. on the broken replica: ipa-server-install --uninstall

5. Follow the normal directions for 'installing a replica'
- on master: ipa-replica-prepare ipareplica02.example.com
- scp /path/to/ipareplica02.example.com.gpg ipareplica02.example.com:ipareplica02.example.com.gpg
- on replica: ipa-replica-install ipareplica02.example.com --whatever_options_you_used_previously

6. Check to make sure the server was built correctly and commands work as 
expected: kinit admin, ipa user-find, ipa host-find, id admin, etc etc

7. Sigh and drink coffee

> Thanks.
> 
> --David
> From: Rich Megginson 
> To: Ben Ho  
> Cc: freeipa-users@redhat.com 
> Sent: Tuesday, May 15, 2012 5:33 PM
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
> 
> On 05/15/2012 02:49 PM, Ben Ho wrote:
>> This is the information I retrieved about my server.
>> 
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> CentOS release 6.2
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>> 
>> Thanks again.
> 
> Is replication otherwise working?
> 
>> 
>> -Ben
>> 
>> Date: Tue, 15 May 2012 13:15:46 -0600
>> From: rmegg...@redhat.com
>> To: ben1...@hotmail.com
>> CC: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>> 
>> On 05/15/2012 01:00 PM, Ben Ho wrote:
>> Hello,
>>   I am pretty new to IPA.  Right now I have three servers that are running 
>> IPA.  I am trying to replicate one server to two other servers.  I use this 
>> command:
>> 
>> ipa-replica-manage re-initialize --from example2.edu
>> 
>>   On the first server I need to replicate, it works fine.  However, on the 
>> second server I get this message in my log files.  The errors get printed 
>> out once every 1 to 5 minutes.
>> 
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - 
>> agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: 
>> Type or value exists
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - 
>> agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate 
>> schema: rc=1
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - 
>> agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: 
>> Type or value exists
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - 
>> agmt="cn=meToexample2.edu" (example2:389): Warning: u
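A helper for steps 1 to 3 of the clean-up above, added here as an example and not code from the thread or from the 389-ds project: it pulls the ReplicaID for a named ghost replica out of the nsds50ruv values returned by the tombstone search, generates the CLEANRUV LDIF for the suffix, and confirms afterwards that the host no longer appears. The RUV text is a constructed sample; the host names follow the ones used in the thread.

```shell
#!/bin/sh
# Constructed sample of what the tombstone search in step 1 returns (not real data);
# each nsds50ruv value is "{replica <ReplicaID> ldap://host:port} <min csn> <max csn>".
SAMPLE_RUV='dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fb2a0c1000000040000
nsds50ruv: {replica 4 ldap://ipamaster.example.com:389} 4fb2a0c5000000040000 4fb3c1e9000000040000
nsds50ruv: {replica 5 ldap://ipareplica01.example.com:389} 4fb2a1d0000000050000 4fb3c1f2000000050000
nsds50ruv: {replica 6 ldap://ipareplica02.example.com:389} 4fb2a2e4000000060000 4fb2f7a1000000060000'

# ruv_replica_id RUV_TEXT HOSTNAME
# Prints the ReplicaID recorded for HOSTNAME; exit status 1 if the host is not in the RUV.
ruv_replica_id() {
  printf '%s\n' "$1" | awk -v host="$2" '
    $1 == "nsds50ruv:" && $2 == "{replica" {
      url = $4                        # ldap://host:port}
      sub(/^ldap:\/\//, "", url)
      sub(/:[0-9]+}$/, "", url)
      if (url == host) { print $3; found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }'
}

# cleanruv_ldif SUFFIX REPLICA_ID
# Prints the step-2 LDIF; "=" and "," in the suffix are escaped as \3D and \2C
# inside the mapping-tree cn, as in the thread's cleanup.ldif.
cleanruv_ldif() {
  esc=$(printf '%s' "$1" | sed 's/=/\\3D/g; s/,/\\2C/g')
  printf 'dn: cn=replica,cn=%s,cn=mapping tree,cn=config\n' "$esc"
  printf 'changetype: modify\nreplace: nsds5task\nnsds5task: CLEANRUV%s\n' "$2"
}

# ruv_is_clean RUV_TEXT HOSTNAME
# Exit status 0 once the ghost host no longer appears in the RUV: re-run the
# step-1 search on every remaining replica after ldapmodify and feed its output here.
ruv_is_clean() {
  if ruv_replica_id "$1" "$2" >/dev/null; then return 1; fi
  return 0
}

# Usage: generate the LDIF for the ghost replica from the thread.
if rid=$(ruv_replica_id "$SAMPLE_RUV" ipareplica02.example.com); then
  cleanruv_ldif dc=example,dc=com "$rid"
else
  echo "ipareplica02.example.com is not in the RUV" >&2
fi
```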

Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-15 Thread JR Aquino
I have successfully utilized a similar procedure.  The restoration process is 
the same for both though.

I would be willing to accept the tickets and document the various backup and 
recovery methods.

Though, I'd like Dmitri's feedback on whether or not the team approves of 
making the "official" method of recovery from catastrophic failure be the use 
of frozen vm images.

"Keeping your head in the cloud"
~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu...@citrix.com
http://www.citrixonline.com

On May 15, 2012, at 2:16 AM, "Petr Spacek"  wrote:

> Hello,
> 
> IMHO it *must* be documented very well. Thank for scenario proposal!
> 
> There is a new documentation ticket: 
> https://fedorahosted.org/freeipa/ticket/2758
> 
> Another ticket exists for CA master recovery procedure: 
> https://fedorahosted.org/freeipa/ticket/2749
> 
> Petr^2 Spacek
> 
> On 05/15/2012 01:19 AM, Gelen James wrote:
>> Hi Dimitri,
>> 
>> thanks a lot for your offer. It will be more than appreciated if Rob, or some
>> other talented genius could wiki the steps. The more details, the sooner, and
>> the better. It will help IPA projects and its users dramatically, especially
>> for newbies like me. :)
>> 
>> Thanks again for you, Rob and others for the coming documentation work.
>> 
>> 
>> --Gelen.
>> 
>> --
>> *From:* Dmitri Pal 
>> *To:* Robinson Tiemuqinke 
>> *Cc:* "Freeipa-users@redhat.com" ; Rich Megginson
>> 
>> *Sent:* Monday, May 14, 2012 1:20 PM
>> *Subject:* Re: Please help: How to restore IPA Master/Replicas from daily IPA
>> Replica setup???
>> 
>> On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote:
>>> Hi Dmitri, Rich and all,
>>> 
>>> I am a newbie to Redhat IPA, It looks like pretty cool compared with other
>>> solutions I've tried before. Thanks a lot for this great product! :)
>>> 
>>> But there are still some things I need your help with. My main question is: How
>>> to restore the IPA setup with a daily machine-level IPA Replica backup?
>>> 
>>> Please let me explain my IPA setup background and backup/restore goals
>>> trying to reach:
>>> 
>>> I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is setup with
>>> Dogtag CA system. It is installed first. Then two IPA replicas are installed
>>> -- with '--setup-ca' options -- for load balancing and failover purposes.
>>> 
>>> To describe my problems/objectives, I'll name the IPA Master as machine A,
>>> IPA replicas as B and C. and now I've one more extra IPA replica 'D'
>>> (virtual machine) setup ONLY for backup purposes.
>>> The setup looks like the following, A is the configuration Hub. B,C,D are
>>> siblings.
>>> 
>>> A
>>> / | \
>>> B C D
>>> 
>>> The following are the steps I backup IPA setups and LDAP backends daily --
>>> it is a whole machine-level backup (through virtual machine D).
>>> 
>>> 1, First, IPA replica D is backed up daily. The backup happens like this:
>>> 
>>> 1.1 on IP replica D, run 'service IPA stop'. Then run 'shutdown -h '. On
>>> the Hypervisor which holds virtual machine D, do a daily backup of the whole
>>> virtual disk that D is on.
>>> 1.2 turn on the IP replica D again.
>>> 1.3 after virtual machine D is up, on D optionally run a 'ipa-replica-manage
>>> --force-sync --from ' to sync the IPA databases forcibly.
>>> 
>>> Now comes to restore part, which is pretty confusing to me. I've tried
>>> several times, and every times it comes this or that kinds of issues and so
>>> I am wondering that correct steps/interaction of IPA Master/replicas are the
>>> king :(
>>> 
>>> 2, case #1, A is broken, like disc failure, and then re-imaged after several
>>> days.
>>> 
>>> 2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the daily
>>> backup from IPA replica D?
>>> 2.2 do I have to check some files on A into subversion immediately after A
>>> was initially installed?
>>> 2.3 Please describe the steps. I'll follow exactly and report the results.
>>> 
>>> 3, case #2, A is working, but either B, or C is broken.
>>> 
>

Re: [Freeipa-users] dead in the water IPA server

2012-05-14 Thread JR Aquino
On May 13, 2012, at 2:39 PM, "Steven Jones" 
mailto:steven.jo...@vuw.ac.nz>> wrote:

Hi,

I have what I'm told are 6.3 rpms on ipa2 and no its not fixed, the memory leak 
kills a server in 48 hours.  I also find I have a problem with rebooting, IPA 
doesnt survive a reboot, so I cant even cron a reboot nightly.

Right now both are in a bad way and I need to reboot them..

:(

The interesting thing is I have a test setup that is stable, yet has the same 
rpms...so Im flumixt'd, maybe its something Ive done, but I cant think 
what...its bog standard as far as I know

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


When I was having similar problems, it turned out to be due to a few different 
factors...

* my cache was too low, was being exceeded and triggering a leak in 389
* I discovered a bug in managed entries that caused the plugin to fire if _any_ 
change occurred to a managed object. As opposed to firing only when relevant 
attributes changed.
* I also had a great deal of churning happening from slapi-nis in competition 
with the MemberOf plugin...

Here is my bug, it was fixed in Fedora, but perhaps it is still a problem in 
RHEL: https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=771493



From: freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Saturday, 12 May 2012 9:29 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] dead in the water IPA server

On 05/07/2012 05:05 PM, Rich Megginson wrote:
On 05/07/2012 02:55 PM, Steven Jones wrote:

Hi,

Yes I have a memory leak see attached graphs

Yes looks like the killer killed slapd...dont know what caused this 
yet...if its the "killer" looks like its decided to kill slapd or slapd 
was going to kill the system anyway so it may have done the right thing.

Looks like I have 3 days between reboots if i dont IPA losses the plot big 
time...very bad news..I will I think slow IPA deployment here at this 
time...this cant be deployed for us as it is, I cant even test as if 
something doesn't work I don't know if its my configuring error or an 
inconsistent IPA.

:/

Thanks for this info I will pursue this through RH support for a perm fix, 
adding more memory doesn't strike me as the solution, 4gb of ram for 3~4 users 
and about 6 client machines seems a lot.

Right.  See https://fedorahosted.org/389/ticket/51 and especially all of the 
comments to https://bugzilla.redhat.com/show_bug.cgi?id=697701

You will need to closely monitor your entry cache usage.


As far as I see the ticket is fixed upstream and is in testing for 6.3.
Is this the correct understanding?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Monday, 7 May 2012 9:45 p.m.
To: Steven Jones
Cc: Jan Cholasta; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] dead in the water IPA server

This sound very much the same as the issue I've been having. Did you check to 
see if it was the
directory server that consumed all of your memory too?

https://www.redhat.com/archives/freeipa-users/2012-April/msg00139.html


Regards,
Siggi




On Mon, May 7, 2012 11:32, Jan Cholasta wrote:


Hi,


It seems that your system ate all the available memory and the kernel
decided to kill a directory server instance to free some. The kernel agent 
responsible for this is
called the out-of-memory killer, you can read more about it and how to 
configure it not to kill
important processes here: http://lwn.net/Articles/317814/

On 7.5.2012 02:22, Steven Jones wrote:



Interesting memory message... as attached


I take it it isn't good?  Can't login, that is for sure, so whatever is behind the 
web gui is dead
if nothing else...


regards

Steven Jones


Technical Specialist - Linux RHCE


Victoria University, Wellington, NZ


0064 4 463 6272




--
Jan Cholasta


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users












--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.



Re: [Freeipa-users] FreeIPA and others

2012-05-14 Thread JR Aquino

On May 14, 2012, at 9:50 PM, "Steven Jones"  wrote:

> 8><-
> 
> Mileage may vary.
> 
> I for one have found no suitable scalable substitute for FreeIPA.
> 
> 8><--
> 
> Sure but depends on capability and experience, I for one am 
> struggling... while significantly easier than say 389 (which I gave up on), 
> it's still a huge step up...
> 

I agree that it doesn't solve /all/ problems (yet) ;)

However, I have looked for a very very long time to find a scalable LDAP 
implementation with integrated Kerberos and RBAC/HBAC.  I've had numerous 
personal discussions with the creators /maintainers of openldap, pam_ldap, 
sudo, and some of the MIT-Kerb folk along my way.

Because no one else had solved those problems, I was actually in the middle of 
writing my own solution when I stumbled onto FreeIPA... 

For example, pam_ldap expect(s/ed) that every user object contain an attribute 
entry for every single host they are allowed to log into... Doesn't quite 
scale when you have to manage complex mixtures of thousands of users to 
thousands of hosts...

What do you feel is the biggest struggle?

Is it the base core features, or is it external integration pains for 
features that don't exist yet?

"Keeping your head in the cloud"
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu...@citrixonline.com
http://www.citrixonline.com



Re: [Freeipa-users] FreeIPA and others

2012-05-14 Thread JR Aquino
On May 13, 2012, at 11:13 PM, Jan-Frode Myklebust wrote:

> On Mon, May 14, 2012 at 03:53:34AM +0000, JR Aquino wrote:
>> 
>> I currently run over 21 (soon to be 42) Production FreeIPA servers. These 
>> are globally dispersed in every major continent.
>> They support over 5,000 servers (Mostly RHEL with some Fedora, and Ubuntu 
>> mixed in), 1,000 Networking devices (Cisco and Juniper) and around 2,000 
>> users.
> 
> Could you please say something about how you're connecting the Cisco's and
> Juniper's to IPA ? LDAP backend for radius/ACS, or something else ?

Yes, there is a Cisco ACS acting as a middle man between providing Tacacs / 
Radius where appropriate.




Re: [Freeipa-users] FreeIPA and others

2012-05-13 Thread JR Aquino
On May 13, 2012, at 2:23 PM, "Steven Jones" <steven.jo...@vuw.ac.nz> wrote:

Hi,

From a user perspective such as myself,

If it's a mission critical and complex need today then you need to also look at 
more mature solutions.

Mileage may vary.

I for one have found no suitable scalable substitute for FreeIPA.

I currently run over 21 (soon to be 42) Production FreeIPA servers. These are 
globally dispersed in every major continent.

They support over 5,000 servers (Mostly RHEL with some Fedora, and Ubuntu mixed 
in), 1,000 Networking devices (Cisco and Juniper) and around 2,000 users.

I heavily utilize centralized authentication, SSO, hbac, sudo, and automember 
(with sometimes as many as 100 new hosts a week being built and automatically 
assigned to their respective hostgroups.).

My use case tends to be the most complex that I've heard of.

The important bugs that I find and report have patches sometimes within a few 
days.

My advice is to stage thoroughly so you  know what you need to have in order to 
run effectively in production.

There is no real end all be all for all things relating to authentication.  I 
suggest that if you find an important delta, don't give up, experiment with 
integrating whatever protocol you need. Document the success or the challenges 
for others to benefit or contribute.

-JR

These however will cost you a lot of time and money to deploy. We have been 
there and the costs are obscene and the support worryingly poor in AP.  Since 
you have only mentioned 389 and OpenLDAP as options I suspect IPA will suit you; 
it's the best of the three, so take a look.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on 
behalf of Chandan Kumar 
[chandank.ku...@gmail.com]
Sent: Saturday, 12 May 2012 6:18 a.m.
To: Freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA and others

Hi All,

I was considering different centralized authentication/authorization services 
such as FreeIPA, 389 and OpenLDAP to deploy into our network in order to have 
a good centralized user authentication/authorization mechanism. I was wondering 
what are the key things that FreeIPA provides as compared to other directory 
services in terms of extra features, ease of deployment and use etc.

Thanks
Chandan





Re: [Freeipa-users] Replication status

2012-05-03 Thread JR Aquino
Also See: 
http://directory.fedoraproject.org/wiki/Howto:CN%3DMonitor_LDAP_Monitoring

;)

On May 3, 2012, at 9:26 AM, JR Aquino wrote:

> I have been considering looking into using this: 
> http://cnmonitor.sourceforge.net/
> 
> ~~~~~
> Jr Aquino | Sr. Information Security Specialist
> GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T:  +1 805.690.3478
> C: +1 805.717.0365
> jr.aqu...@citrixonline.com
> http://www.citrixonline.com
> 
> On May 2, 2012, at 2:46 PM, Ian Levesque wrote:
> 
> Hi,
> 
> I'm curious how members of this list are monitoring their IPA servers' 
> replication status. `ipa-replica-manage list` doesn't actually tell you if 
> your replica is working. I just realized that our replica's IPA processes 
> were hung (likely as a result of suspending & resuming the VM it's running 
> on). It would be great if our nagios could monitor the replica status - 
> anyone here have any ideas?
> 
> Cheers,
> Ian
> 




Re: [Freeipa-users] Replication status

2012-05-03 Thread JR Aquino
I have been considering looking into using this: 
http://cnmonitor.sourceforge.net/

~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On May 2, 2012, at 2:46 PM, Ian Levesque wrote:

Hi,

I'm curious how members of this list are monitoring their IPA servers' 
replication status. `ipa-replica-manage list` doesn't actually tell you if your 
replica is working. I just realized that our replica's IPA processes were hung 
(likely as a result of suspending & resuming the VM it's running on). It would 
be great if our nagios could monitor the replica status - anyone here have any 
ideas?

Cheers,
Ian


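The question in this thread is how a monitoring system such as nagios can tell whether a replica is actually replicating, which `ipa-replica-manage list` does not. The following is an added example, not code from the thread, from cn=monitor or from FreeIPA: a small Nagios-style check built on the replication agreement attributes 389 Directory Server keeps under cn=config (nsDS5ReplicaHost, nsds5replicaLastUpdateEnd, nsds5replicaLastUpdateStatus). It parses the LDIF that an ldapsearch for the agreements returns and maps the result to Nagios exit codes. The LDIF below is constructed sample data, the one-hour staleness threshold is an assumption, and running the actual search (with a read-only monitoring bind rather than Directory Manager) is left to the caller.

```python
"""Nagios-style check of 389-ds replication agreement status.

Added example: parses replication agreement entries (as LDIF) and returns
Nagios exit codes. Sample LDIF is constructed; the staleness threshold is an
assumption, not a 389-ds or FreeIPA default."""
import re
import sys
from datetime import datetime, timedelta, timezone

NAGIOS_OK, NAGIOS_WARNING, NAGIOS_CRITICAL, NAGIOS_UNKNOWN = 0, 1, 2, 3

# Constructed: what a search for objectClass=nsds5replicationagreement might
# return for one healthy and one failing agreement.
SAMPLE_LDIF = """\
dn: cn=meToipa2.example.test,cn=replica,cn=suffix,cn=mapping tree,cn=config
cn: meToipa2.example.test
nsDS5ReplicaHost: ipa2.example.test
nsds5replicaLastUpdateStart: 20120503160000Z
nsds5replicaLastUpdateEnd: 20120503160002Z
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

dn: cn=meToipa3.example.test,cn=replica,cn=suffix,cn=mapping tree,cn=config
cn: meToipa3.example.test
nsDS5ReplicaHost: ipa3.example.test
nsds5replicaLastUpdateStart: 20120501020000Z
nsds5replicaLastUpdateEnd: 20120501020000Z
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: transient error: can't contact LDAP server
"""

# Both the older "0 Replica acquired ..." and the newer "Error (0) Replica ..."
# spellings of the status value start with the numeric result code.
STATUS_CODE_RE = re.compile(r"^(?:Error \()?(-?\d+)\)?")


def parse_status_code(status):
    """Numeric code at the front of nsds5replicaLastUpdateStatus, or None."""
    m = STATUS_CODE_RE.match(status.strip())
    return int(m.group(1)) if m else None


def parse_agreements(ldif_text):
    """One dict per agreement entry, attribute names lower-cased."""
    agreements = []
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()] = value.strip()
        if "nsds5replicahost" in entry:
            agreements.append(entry)
    return agreements


def parse_gentime(value):
    """LDAP GeneralizedTime as 389 writes it (YYYYMMDDHHMMSSZ) to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate(agreements, now=None, max_age=timedelta(hours=1)):
    """Map agreement state to a (nagios_code, message) pair.

    A non-zero status code is CRITICAL; a healthy agreement whose last update
    finished more than max_age ago is WARNING; no agreements at all is UNKNOWN."""
    now = now or datetime.now(timezone.utc)
    if not agreements:
        return NAGIOS_UNKNOWN, "UNKNOWN - no replication agreements found"
    failed, stale = [], []
    for ag in agreements:
        host = ag["nsds5replicahost"]
        status = ag.get("nsds5replicalastupdatestatus", "")
        if parse_status_code(status) != 0:
            failed.append(f"{host}: {status or 'no status recorded'}")
            continue
        try:
            age = now - parse_gentime(ag["nsds5replicalastupdateend"])
        except (KeyError, ValueError):
            age = None
        if age is None or age > max_age:
            last = ag.get("nsds5replicalastupdateend", "unknown")
            stale.append(f"{host}: last successful update {last}")
    if failed:
        return NAGIOS_CRITICAL, "CRITICAL - " + "; ".join(failed)
    if stale:
        return NAGIOS_WARNING, "WARNING - " + "; ".join(stale)
    return NAGIOS_OK, f"OK - {len(agreements)} agreement(s) replicating"


if __name__ == "__main__":
    # Pass a file of ldapsearch output as the first argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    code, message = evaluate(parse_agreements(text))
    print(message)
    sys.exit(code)
```

The status value is checked before the timestamp on purpose: a failing agreement keeps its old nsds5replicaLastUpdateEnd, so a check that only looked at the age of the last update would report a replica that cannot be contacted as merely stale for the first hour.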

Re: [Freeipa-users] A couple of quick questions about FreeIPA

2012-04-26 Thread JR Aquino
On Apr 26, 2012, at 9:57 AM, Paul Robert Marino wrote:

> Hello
> I'm trying to figure out if free IPA is a good solution for my
> environment or if i should just construct a custom infrastructure with
> 389 server and i just have a couple of quick questions. I have a long
> history working with LDAPv3 and I'm currently planing a new
> infrastructure for my current employer. I've worked with OpenLDAP 389
> server and even 389 servers original incarnation when Netscape was
> still around
> 
> 1) Can the Kerberos server be on an other box.
> I'm not a python programer so I haven't been able to test it my self
> but many of the Kerberos calls look like wrappers to the C libraries.
> if so than it might be possible

Currently FreeIPA integrates Kerberos directly and it's not something that can 
be removed or set up on a separate box AFAIK


> 2) Can I configure it not to store the Kerberos data in the LDAP
> server. I don't like the chicken  and the egg authentication conundrum
> this can cause, and I have no intention of allowing users to use
> LDAPv2 so I actually don't want the password field in the database or
> at least blocked by an ACL so it cant be used. I personally find the
> fact that applications still use this field for authentication
> appalling because it essentially turned back the clock to before
> shadow password files.

^ Same answer

> 
> 
> 3) This is the most important question, there has been a lot of talk
> about fixing the issues with MIT Kerberos. Is there someplace I can
> look To see what the status of these fixes are other than pouring
> through the change logs for MIT Kerberos.
> I don't want to get in to a Kerberos holy war but most of these are
> really old bugs in MIT Kerberos that made me abandon the Idea of ever
> using the MIT server in production over a decade ago. I know exactly
> the issues that lead to the Samba group choose to code only to Heimdal
> all too well because I first remember hitting them and reporting them
> back 2001 to the Samba group via usenet.
> The big thing for me is the thread safety because this often caused
> the MIT Kerberos server to crash then Samba was running in domain mode
> on the same box, Honestly I still don't trust MIT's implementation in
> a mission critical environment,

A great deal of things have changed since 2001, but I guess the real thing to 
do here is to answer a question with a question.

What specific 'bugs' are you concerned with regarding MIT Kerberos?

I maintain a very large global FreeIPA deployment with heavy Kerberos SSO, 
Sudo, and LDAP Usage. 

Things are quite stable.

"Keeping your head in the cloud"
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aqu...@citrix.com
http://www.citrixonline.com



Re: [Freeipa-users] compat plug-in and replication

2012-03-16 Thread JR Aquino
On Mar 16, 2012, at 1:06 PM, Stephen Ingram wrote:

> On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino  wrote:
>> On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
>> 
>> I've seen mention about the compat plug-in causing issues with
>> replication. In my 2.1.4 installation I notice that the plug-in is
>> turned on by default. Is compat only required for those supporting NIS
>> or does it serve another purpose. As I don't use NIS, I'm just
>> wondering if it's safe to turn off.
>> 
>> To complement what Rob mentioned...
>> 
>> Compat is also generally necessary for any user who wishes to utilize Sudo 
>> with FreeIPA.
>> 
>> Sudo does not natively understand what a 'hostgroup' is, so it can only 
>> utilize NIS netgroups for this.  Care was taken when designing the FreeIPA 
>> hostgroup and nis compatibility system such that any hostgroup that is 
>> created has a mirrored (and semi hidden) NIS netgroup created.
>> 
>> This way when you build Sudo rules and reference 'hostgroups', 
>> transparently, it is really referencing NIS netgroups stored inside of ldap 
>> and provided by the compat / nis plugins.
>> 
>> Hope this helps clear some stuff up about why one would want compat and nis 
>> turned on in FreeIPA.
> 
> Glad you mentioned this. I would have turned it off just to save
> space, but I do need sudo. This makes more sense as to why its enabled
> by default. Very clever design too to hide the complexity from the
> user.

Glad to know the info helps!

We did such a good job at keeping that stuff in the background that it 
sometimes gets overlooked :)

To be completely fair... The SSSD team is actively working toward the goal of 
eventually supporting FreeIPA natively via the Sudo plugin system.

In the future it will not be necessary to use compat or nis for Sudo.

-JR



Re: [Freeipa-users] compat plug-in and replication

2012-03-16 Thread JR Aquino
On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:

I've seen mention about the compat plug-in causing issues with
replication. In my 2.1.4 installation I notice that the plug-in is
turned on by default. Is compat only required for those supporting NIS
or does it serve another purpose. As I don't use NIS, I'm just
wondering if it's safe to turn off.

To complement what Rob mentioned...

Compat is also generally necessary for any user who wishes to utilize Sudo with 
FreeIPA.

Sudo does not natively understand what a 'hostgroup' is, so it can only utilize 
NIS netgroups for this.  Care was taken when designing the FreeIPA hostgroup 
and nis compatibility system such that any hostgroup that is created has a 
mirrored (and semi hidden) NIS netgroup created.

This way when you build Sudo rules and reference 'hostgroups', transparently, 
it is really referencing NIS netgroups stored inside of ldap and provided by 
the compat / nis plugins.

Hope this helps clear some stuff up about why one would want compat and nis 
turned on in FreeIPA.


~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com





Re: [Freeipa-users] A way to rename a host and/or a host group?

2012-02-22 Thread JR Aquino
On Feb 22, 2012, at 1:24 PM, Marco Pizzoli wrote:

> Hi guys,
> I see that there's no way to rename a host once created. Same issue with host 
> groups.
> Could you confirm that it is by design and so I never will be able to do that?
> 
> Thanks
> Marco (wanting to rename everything :-( )

Hi Marco.  Yes, you do need to fully delete and uninstall a host from FreeIPA 
before readding it with a new name.

http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/renaming-machines.html

What may make this easier for you is a feature in 389 DS called Automember:

http://directory.fedoraproject.org/wiki/Auto_Membership_Design

Automember is a way to use regular expressions to tie a given fqdn pattern to a 
given hostgroup, so that when you 'add' a host with a matching name, say 
webserver2.example.com, the host automatically ends up in the 'webservers' host 
group.

If you wish for a bunch of hosts to be "renamed"/re-provisioned, and 
automatically assigned to a new hostgroup, you can predefine the regex mapping 
and make this process a little easier.

FreeIPA provides a CLI (and in 2.1.90, a WebUI) for managing these entries.



Here is the help doc from the cli tool:

Auto Membership Rule.

Bring clarity to the membership of hosts and users by configuring inclusive
or exclusive regex patterns; you can automatically assign new entries into
a group or hostgroup based upon attribute information.

A rule is directly associated with a group by name, so you cannot create
a rule without an accompanying group or hostgroup

A condition is a regular expression used by 389-ds to match a new incoming
entry with an automember rule. If it matches an inclusive rule then the
entry is added to the appropriate group or hostgroup.

EXAMPLES:

 Create the initial group or hostgroup:
   ipa hostgroup-add --desc="Web Servers" webservers
   ipa group-add --desc="Developers" devel

 Create the initial rule:
   ipa automember-add --type=hostgroup webservers
   ipa automember-add --type=group devel

 Add a condition to the rule:
   ipa automember-add-condition --key=fqdn --type=hostgroup 
--inclusive-regex=^web[1-9]+\.example\.com webservers
   ipa automember-add-condition --key=manager --type=group 
--inclusive-regex=^uid=mscott devel

 Add an exclusive condition to the rule to prevent auto assignment:
   ipa automember-add-condition --key=fqdn --type=hostgroup 
--exclusive-regex=^web5\.example\.com webservers

 Add a host:
ipa host-add web1.example.com

 Add a user:
ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott

 Verify automembership:
ipa hostgroup-show webservers
  Host-group: webservers
  Description: Web Servers
  Member hosts: web1.example.com

ipa group-show devel
  Group name: devel
  Description: Developers
  GID: 100420
  Member users: tuser

 Remove a condition from the rule:
   ipa automember-remove-condition --key=fqdn --type=hostgroup 
--inclusive-regex=^web[1-9]+\.example\.com webservers

 Modify the automember rule:
ipa automember-mod

 Set the default target group:
ipa automember-default-group-set --default-group=webservers --type=hostgroup
ipa automember-default-group-set --default-group=ipausers --type=group

 Remove the default target group:
ipa automember-default-group-remove --type=hostgroup
ipa automember-default-group-remove --type=group

 Show the default target group:
ipa automember-default-group-show --type=hostgroup
ipa automember-default-group-show --type=group

 Find all of the automember rules:
ipa automember-find

 Display a automember rule:
ipa automember-show --type=hostgroup webservers
ipa automember-show --type=group devel

 Delete an automember rule:
ipa automember-del --type=hostgroup webservers
ipa automember-del --type=group devel

Topic commands:
  automember-add                   Add an automember rule.
  automember-add-condition         Add conditions to an automember rule.
  automember-default-group-remove  Remove default group for all unmatched entries.
  automember-default-group-set     Set default group for all unmatched entries.
  automember-default-group-show    Display information about the default automember groups.
  automember-del                   Delete an automember rule.
  automember-find                  Search for automember rules.
  automember-mod                   Modify an automember rule.
  automember-remove-condition      Remove conditions from an automember rule.
  automember-show                  Display information about an automember rule.



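The help text above describes the matching semantics but does not show how a given entry ends up in a given group. The following is an added example, not the 389-ds Auto Membership plugin's own code and not part of the thread: a simulation of the rule evaluation the help text describes, where each condition's regex is tested against one attribute of a new entry (the --key), an entry joins a rule's group when an inclusive regex matches and no exclusive regex does, and an entry matched by no rule falls back to the default group if one is set. The rules are the webservers/devel examples from the help text; the entries and the DN-shaped manager value (the form the ^uid=mscott regex expects) are constructed.

```python
"""Simulation of 389-ds Auto Membership rule evaluation (added example).

Semantics follow the ipa automember help text: regex conditions are tested
against one attribute of a new entry; an exclusive match vetoes the rule,
otherwise one inclusive match is enough; unmatched entries go to the default
group. Rules/entries are constructed from the help text's examples."""
import re
from dataclasses import dataclass, field


@dataclass
class Condition:
    key: str            # attribute the regex is tested against (fqdn, manager, ...)
    regex: str
    exclusive: bool = False


@dataclass
class Rule:
    name: str           # an automember rule is named after its target group
    rule_type: str      # "hostgroup" or "group"
    conditions: list = field(default_factory=list)


def rule_matches(rule, entry):
    """True when the entry should be added to rule.name.

    An exclusive match wins outright; otherwise at least one inclusive
    condition must match. Multi-valued attributes match on any value."""
    inclusive_hit = False
    for cond in rule.conditions:
        values = entry.get(cond.key, [])
        if isinstance(values, str):
            values = [values]
        # regexec-style: unanchored search unless the pattern anchors itself
        hit = any(re.search(cond.regex, v) for v in values)
        if hit and cond.exclusive:
            return False
        if hit:
            inclusive_hit = True
    return inclusive_hit


def assign(entry, rules, default_group=None):
    """Groups a newly added entry lands in; entry['type'] is 'host' or 'user'."""
    entry_type = "hostgroup" if entry["type"] == "host" else "group"
    groups = [r.name for r in rules
              if r.rule_type == entry_type and rule_matches(r, entry)]
    if not groups and default_group:
        groups = [default_group]
    return groups


def sample_rules():
    """The webservers / devel rules from the help text, including the
    exclusive ^web5 condition."""
    return [
        Rule("webservers", "hostgroup", [
            Condition("fqdn", r"^web[1-9]+\.example\.com"),
            Condition("fqdn", r"^web5\.example\.com", exclusive=True),
        ]),
        Rule("devel", "group", [Condition("manager", r"^uid=mscott")]),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    for host in ("web1.example.com", "web5.example.com", "web10.example.com"):
        print(host, "->", assign({"type": "host", "fqdn": host}, rules, "unassigned"))
    user = {"type": "user", "uid": "tuser",
            "manager": "uid=mscott,cn=users,cn=accounts,dc=example,dc=com"}
    print("tuser ->", assign(user, rules))
```

Two things the simulation makes visible that are easy to miss when reading the regexes: the help text's inclusive pattern `^web[1-9]+\.example\.com` does not match web10.example.com, because `[1-9]` excludes zero, and it is not anchored at the end, so a wider pattern like `^web[0-9]+\.example\.com$` is usually what is intended. Since the plugin acts on new incoming entries, a rule whose regex was wrong when hosts were added has to be corrected before those hosts are re-added.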

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread JR Aquino
If you are really trying to go the route of using the password, the best way to 
accomplish that is to procedurally ADD the host ahead of time with the -random 
flag to generate a one-time-pass.  Then insert that 1 time password dynamically 
into the kickstart script.

If you want to approach the problem from a technical side and not procedural... 
I don't suppose you have Puppet ?

You can utilize puppet to deploy a 'host provisioning' keytab that you then 
kinit -kt before issuing the other commands that require authentication. When 
it is finished, delete the keytab.

The problem with authentication and complete hands off automation is that you 
always have to whittle it down to an area of acceptable risk with lots of 
compensating controls and logging.


On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:

> 
> 
> Hi Simo
> 
> ipa-client-install is provided by the ipa-client rpm. Details below
> 
> Name: ipa-client
> Arch: x86_64
> Version : 2.1.3
> Release : 9.el6
> Size: 222 k
> Repo: installed
> 
> 
> What I am trying to achieve is these two commands in a post...
> 
> ipa service-add HTTP/$(hostname)
> this definitely requires an authenticated user to add i'm sure
> 
> 
> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
> /etc/squid/krb5.keytab
> this one I suspect might be able to be retrieved using the host/
> principle from the system after running ipa-client-install.
> 
> 
> Does this help paint a picture?
> 
> 
> Dale
> 
> 
> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>> On Wed, 2012-02-08 at 11:13 +, Dale Macartney wrote:
>>> 
>>> morning all...
>>> 
>>> i'm dabbling with automated provisioning of ipa client servers, and i'm
>>> a little perplexed on how to add a keytab to a system during the %post
>>> section of a kickstart...
>>> 
>>> i've run ipa-client-install -U -p admin -w redhat123 which works
>>> perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
>>> appear to be generated during the ipa-client-install.
>>> 
>>> any suggestions on doing this during a post?
>> 
>> What version of ipa-client-install are you using ?
>> 
>> Newer versions (2.x) should fetch a keytab for your system (needs
>> credentials or OTP password.
>> 
>> Simo.
>> 




Re: [Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos

2012-01-30 Thread JR Aquino
On Jan 30, 2012, at 6:12 PM, Adam Young wrote:

On 01/28/2012 01:53 PM, Erinn Looney-Triggs wrote:

On 1/27/2012 4:53 PM, JR Aquino wrote:


On Jan 27, 2012, at 5:31 PM, Jr Aquino wrote:

Has anyone successfully gotten firefox in windows with firefox and mit kerberos?

I've followed several how to's, but i cant get firefox to take/pass my tgt.


The Key to success:

network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll

I had been previously using lib\i386/gssapi32.lib and that's what was breaking 
it.

The rest of the documentation on the FreeIPA site is sound.

We could probably stand to add that 1 line to the doc at 
http://freeipa.com/page/ClientConfigurationGuide



The only other thing I would add here, at least for me, was on an x86_64
install of windows I needed to use: C:\Program Files
(x86)\MIT\Kerberos\bin\gssapi32.dll

-Erinn


OOPS!  One other line I needed to change for firefox to work in windows:

network.auth.use-sspi: false


^ This tells firefox  to use the built-in AD based Kerberos/SSO.

I didn't realize I had missed this until I went back through from scratch to 
retest.



Re: [Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos

2012-01-27 Thread JR Aquino

On Jan 27, 2012, at 5:31 PM, Jr Aquino wrote:

Has anyone successfully gotten firefox in windows with firefox and mit kerberos?

I've followed several how to's, but i cant get firefox to take/pass my tgt.


The Key to success:

network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll

I had been previously using lib\i386/gssapi32.lib and that's what was breaking 
it.

The rest of the documentation on the FreeIPA site is sound.

We could probably stand to add that 1 line to the doc at 
http://freeipa.com/page/ClientConfigurationGuide



[Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos

2012-01-27 Thread JR Aquino
Has anyone successfully gotten firefox in windows with firefox and mit kerberos?

I've followed several how to's, but i cant get firefox to take/pass my tgt.

-Jr



Re: [Freeipa-users] Sudo options

2012-01-18 Thread JR Aquino
On Jan 18, 2012, at 1:24 PM, Erinn Looney-Triggs wrote:

On 01/18/2012 11:50 AM, JR Aquino wrote:
On Jan 18, 2012, at 11:47 AM, Erinn Looney-Triggs wrote:

I can't really figure out what the proper syntax is for the sudo rules
in IPA. I have a number of options that I would like included by
default, I have put them in place, from ipa sudorule-show:

Sudo Option: env_keep = "LESSSECURE", env_reset, mail_badpass,
mail_no_host, mail_no_perms, syslog = local2

It looks to be getting confused by the whitespace.

Remove the whitespace for env_keep = "LESSSECURE" & syslog = local2 to:
env_keep="LESSSECURE"
syslog=local2

Let me know if that helps.

Also, can you post a compare against:

ipa sudorule-show defaults

vs

 $ sudo -l



This doesn't appear to work, when sudo is run:

sudo: unknown defaults entry `env_keep '
sudo: unknown defaults entry `mail_badpass, mail_no_host, mail_no_perms,
syslog '

One thing that jumps out at me is that the '= whatever' portion is not
being maintained.

The directions in the IDM guide are less than clear, simply referencing
the sudoers page for options. These are all valid sudo options, this is
basically a straight port over from a sudoers file.

So anyone have any experience doing this bit?

-Erinn



It looks like this was actually two problems, one the quoting, and the
second that via the web ui, I had put multiple options on a single line
separated by a comma, so initially one rule was:
mail_badpass, mail_no_host, mail_no_perms, syslog = local2

After fixing the spacing issue, as well as putting each into its own
statement everything worked just fine.

There should probably either be better documentation, or better
validation of input for those options, or ideally both :). I reckon I
will open a bug up.


Thanks! I agree with you. Might even help to do some level of input validation 
as well.

Thanks again!

~
Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aqu...@citrixonline.com<mailto:jr.aqu...@citrixonline.com>
http://www.citrixonline.com







Thanks for the help,

-Erinn



Re: [Freeipa-users] Sudo options

2012-01-18 Thread JR Aquino
On Jan 18, 2012, at 11:47 AM, Erinn Looney-Triggs wrote:

> I can't really figure out what the proper syntax is for the sudo rules
> in IPA. I have a number of options that I would like included by
> default, I have put them in place, from ipa sudorule-show:
> 
> Sudo Option: env_keep = "LESSSECURE", env_reset, mail_badpass,
> mail_no_host, mail_no_perms, syslog = local2

It looks to be getting confused by the whitespace.

Remove the whitespace for env_keep = "LESSSECURE" & syslog = local2 to: 
env_keep="LESSSECURE"
syslog=local2

Let me know if that helps.

Also, can you post a compare against:

ipa sudorule-show defaults

vs

 $ sudo -l


> 
> This doesn't appear to work, when sudo is run:
> 
> sudo: unknown defaults entry `env_keep '
> sudo: unknown defaults entry `mail_badpass, mail_no_host, mail_no_perms,
> syslog '
> 
> One thing that jumps out at me is that the '= whatever' portion is not
> being maintained.
> 
> The directions in the IDM guide are less than clear, simply referencing
> the sudoers page for options. These are all valid sudo options, this is
> basically a straight port over from a sudoers file.
> 
> So anyone have any experience doing this bit?
> 
> -Erinn
> 



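The two messages above pin the failure down to two things: whitespace around `=` in a sudoOption value, and several options joined by commas into one value where IPA expects one option per sudoOption value. Erinn suggests input validation; the following is an added example of what that validation could look like, not IPA's own code: it splits a comma-joined value into separate options (commas inside double quotes are kept), strips the whitespace around `=`, and checks each result against the sudoers Defaults syntax (flag, !flag, name=value, name+=value, name-=value). The first input is the value quoted in the thread; the other inputs are constructed.

```python
"""Normalizer for sudoOption values stored on an IPA sudo rule (added example,
not IPA's own validation). Splits comma-joined values, removes whitespace
around '=', and rejects anything that is not valid sudoers Defaults syntax."""
import re

# name=value, name+=value, name-=value, with optional whitespace around the operator
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*([+-]?=)\s*(.*?)\s*$")
# boolean flags, optionally negated: env_reset, !authenticate
FLAG_RE = re.compile(r"^!?[A-Za-z_]\w*$")


def split_options(value):
    """Split on commas that are not inside double quotes."""
    parts, current, in_quote = [], [], False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def normalize_option(option):
    """Canonical spelling of one option, or ValueError when it is not one."""
    m = ASSIGN_RE.match(option)
    if m:
        name, op, value = m.groups()
        if not value:
            raise ValueError(f"option {name!r} has no value")
        if value.count('"') % 2:
            raise ValueError(f"unbalanced quotes in {option!r}")
        return f"{name}{op}{value}"
    if FLAG_RE.match(option.strip()):
        return option.strip()
    raise ValueError(f"not a valid sudoers option: {option!r}")


def normalize_sudo_options(value):
    """One (possibly comma-joined) sudoOption value -> list of options, each
    suitable for storing as its own sudoOption attribute value."""
    return [normalize_option(opt) for opt in split_options(value)]


if __name__ == "__main__":
    # The value from the thread, as it was entered in one sudoOption field.
    raw = ('env_keep = "LESSSECURE", env_reset, mail_badpass, '
           'mail_no_host, mail_no_perms, syslog = local2')
    for opt in normalize_sudo_options(raw):
        print("sudoOption:", opt)
```

The split step matters as much as the whitespace fix: sudo's LDAP backend reads each sudoOption value as one option, so `mail_badpass, mail_no_host, ...` stored as a single value is what produced the "unknown defaults entry" message with the whole comma list in it.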

Re: [Freeipa-users] HBAC issues

2012-01-05 Thread JR Aquino
On Jan 5, 2012, at 3:14 PM, "Stephen Gallagher"  wrote:

> 
> 
> On Jan 5, 2012, at 5:48 PM, Erinn Looney-Triggs 
>  wrote:
> 
>> On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
>>> On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
>>>> Yes that looks about right, not able to confirm 100%, but that is
>>>> probably the issue.
>>> 
>>> 
>>> We're looking into it. However, I should point out that using srchost is
>>> a very unreliable means of restricting access. There are numerous
>>> problems with it, most notably because we have to rely on what PAM sends
>>> us in the srchost field, which is not defined in the spec, so different
>>> applications such as 'login' and 'sshd' sometimes put different values
>>> in those fields.
>>> 
>>> In SSSD upstream, we're defaulting to ignoring srchost rules because
>>> they're 1) unreliable and 2) cause significant performance impact on
>>> networks with lots of host entries.
>>> 
>>> Our general recommendation is that if you want to restrict access from
>>> specific hosts, it's usually a better idea to do this at the firewall
>>> level, rather than the HBAC level.
>> 
>> Well that kind of puts that whole HBAC thing on the skids doesn't it?
> 
> Well, target host works fine. The real problem is with accurately identifying 
> the remote host that the connection originated from.
> 
> So you can still write rules that say "only these users can log onto these 
> hosts".

If you absolutely must use it, I have found that access.conf works well enough 
to limit srchost ssh access:
 
http://linux.die.net/man/5/access.

> 
>> Unfortunate that it works that way, and yes firewalling is always a good
>> option.
>> 
>> Thanks for the info,
>> -Erinn
>> 
>> 
> 



Re: [Freeipa-users] Host Based Access Control and Solaris?

2012-01-04 Thread JR Aquino
On Jan 4, 2012, at 2:39 AM, "Craig T"  wrote:

> Hi,
> 
> Server: RHEL6.2
> Spec: ipa-server-2.1.3-9
> 
> 1) After reading the IPA documentation, it seems that HBAC is only available 
> to SSSD clients. This would suggest that I'm not going to be able to 
> configure it for Solaris hosts? 
> "Using host-based access control requires SSSD to be installed and configured 
> on the IPA client
> machine."

I have written a custom Python PAM module that fully supports HBAC in Linux; 
however, it utilizes http://ace-host.stuart.id.au/russell/files/pam_python/, 
which is currently not OpenPAM compatible.  I've been seeking help to find 
someone to port it to OpenPAM since that is what the BSDs, Solaris, and Mac OS X 
use, but I haven't had any luck so far.

> 
> 2) Does this mean that I won't be able to control "who" can log onto our 
> solaris servers? Perhaps I'll have to configure a custom /etc/hosts.deny 
> entry?
> 
> cya
> 
> Craig
> 



Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-03 Thread JR Aquino
On Jan 3, 2012, at 8:37 AM, nasir nasir wrote:

> 
> 
> --- On Tue, 1/3/12, Rich Megginson  wrote:
> 
> From: Rich Megginson 
> Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
> To: "nasir nasir" 
> Cc: freeipa-users@redhat.com, fasilk...@gmail.com
> Date: Tuesday, January 3, 2012, 7:41 AM
> 
> On 01/03/2012 12:52 AM, nasir nasir wrote:
>> Hi,
>> 
>> I am facing a serious issue with my production IPA server. When I try to 
>> access IPA web interface using Firefox, it hangs and doesn't allow me to get 
>> in. It seems to be due to expired SSL certificate as seen in the apache log 
>> file, 
>> 
>> 
>> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
>> [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has 
>> expired
>> [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 
>> 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can 
>> start until the problem can be resolved.
>> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
>> 
>> 
>> Also, when I try to use the command line (ipa user-mod or user-show 
>> commands) it too just hangs and doesn't give any output or allow me for any 
>> input. I can see the following in krb5kdc.log ,
>> 
>> Jan 03 10:29:16 xx.xx.com krb5kdc[2426](info): preauth (timestamp) 
>> verify failure: Decrypt integrity check failed
>> Jan 03 10:29:16 xx.xx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 
>> 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/x.x@xx.com for 
>> krbtgt/xx@xx.com, Decrypt integrity check failed
>> Jan 03 10:29:16 xx.xx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 
>> 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/.x@x.com for 
>> krbtgt/xx@xx.com, Additional pre-authentication required
>> 
>> 
>> The output of "certutil -L -d /etc/httpd/alias -n Server-Cert" confirms that 
>> certificate is expired as given below.
>> 
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 10 (0xa)
>> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>> Issuer: "CN=Certificate Authority,O=XX.COM"
>> Validity:
>> Not Before: Sun Jun 19 11:27:20 2011
>> Not After : Fri Dec 16 11:27:20 2011
>> 
>> 
>> Relevant info
>> 
>> OS: RHEL 6.1
>> 
>> 
>> Output of rpm -qa | grep ipa
>> 
>> ipa-client-2.0.0-23.el6.i686
>> ipa-pki-ca-theme-9.0.3-6.el6.noarch
>> ipa-pki-common-theme-9.0.3-6.el6.noarch
>> device-mapper-multipath-libs-0.4.9-41.el6.i686
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.0.0-23.el6.i686
>> ipa-server-selinux-2.0.0-23.el6.i686
>> ipa-server-2.0.0-23.el6.i686
>> device-mapper-multipath-0.4.9-41.el6.i686
>> ipa-admintools-2.0.0-23.el6.i686
>> 
>> 
>> I went through the documentations to check how to renew the expired certs 
>> but it seems to be confusing and different across versions. Could someone 
>> please help me out by suggesting which is the best way to achieve this ? Any 
>> help would be greatly appreciated as I am unable to perform any task on the 
>> IPA server now because of this.
> I suggest following the mod_nss suggestion to allow it to start and use the 
> expired cert while you attempt to figure this out.
> 
> Thanks indeed for the suggestion. I will consider this. But can anyone point 
> me the steps to renew certificate from the expired one ?
> 
> Thanks and regards,
> Nidal

Wasn't certmonger supposed to be designed to automatically handle this 
situation?

> 


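An added check, not IPA or certmonger code, that parses certutil -L output like the one quoted above and classifies the certificate as expired, close to expiry or fine; the sample output is constructed from the thread, and on an IPA host certmonger's getcert list remains the normal place to see renewal state, so this is an independent read-only check of the kind a monitoring job can run.

```python
"""Parse `certutil -L -d <dbdir> -n <nickname>` output and report how
close the certificate is to expiry.

Added example for the expired Server-Cert thread; it is not IPA or
certmonger code. The sample below is constructed from the certutil
output quoted in the thread.
"""
import re
import subprocess
from datetime import datetime, timedelta

# certutil prints validity as e.g. "Not After : Fri Dec 16 11:27:20 2011"
_VALID_RE = re.compile(r'Not (Before|After)\s*:\s*(.+)')
_DATE_FMT = '%a %b %d %H:%M:%S %Y'


def parse_validity(certutil_text):
    """Return (not_before, not_after) as naive datetimes."""
    found = {}
    for m in _VALID_RE.finditer(certutil_text):
        found[m.group(1)] = datetime.strptime(m.group(2).strip(), _DATE_FMT)
    if 'Before' not in found or 'After' not in found:
        raise ValueError('no Validity section in certutil output')
    return found['Before'], found['After']


def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now) // timedelta(days=1)


def check_expiry(certutil_text, now=None, warn_days=30):
    """Classify as 'expired', 'not_yet_valid', 'warning' or 'ok'.

    `now` may be a datetime or an ISO 8601 string; defaults to the
    current local time, matching certutil's local-time output."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    not_before, not_after = parse_validity(certutil_text)
    days = days_remaining(not_after, now)
    if now < not_before:
        status = 'not_yet_valid'
    elif now >= not_after:
        status = 'expired'
    elif days < warn_days:
        status = 'warning'
    else:
        status = 'ok'
    return status, days


def check_nss_cert(dbdir, nickname, **kw):
    """Run certutil against a live NSS database (e.g. /etc/httpd/alias and
    'Server-Cert', as in the thread) and classify the result."""
    out = subprocess.run(['certutil', '-L', '-d', dbdir, '-n', nickname],
                         check=True, capture_output=True, text=True).stdout
    return check_expiry(out, **kw)


# Constructed sample, copied from the thread's certutil output.
SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=XX.COM"
        Validity:
            Not Before: Sun Jun 19 11:27:20 2011
            Not After : Fri Dec 16 11:27:20 2011
"""

if __name__ == '__main__':
    # Evaluated at the time of the apache error quoted in the thread.
    print(check_expiry(SAMPLE, now='2012-01-03T10:34:08'))
```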


Re: [Freeipa-users] Large slow down when using IPA

2011-12-30 Thread JR Aquino

On Dec 30, 2011, at 5:45 PM, Erinn Looney-Triggs wrote:

> I have been slowly rolling out FreeIPA to my systems, trying to track
> differences/changes. One of the most noticeable has been a large slow
> down in file access times.
> 
> Let me explain as best as I can. I use AIDE to track the file system
> (think tripwire) and it runs checks once a day. During these checks it
> is scanning (almost) the entire file system and comparing it to a stored
> database. On a moderately powered system with ~151k files, an AIDE run
> will usually take ~30 minutes. After the system becomes an IPA client
> the same run will generally take ~90-120 minutes. Un-install the
> ipa-client, back to ~30 minutes for an AIDE run.
> 
> Now clearly a lot of lookups are being done for user names and group
> names, and this will have a performance hit that is dependent on the
> network. However, the odd thing is that even when running on the IPA
> server itself the slowdown is still the same.
> 
> Not sure if this is an IPA problem, an SSSD problem, a bit of both, or
> neither, perhaps it is just the way it is, but a slowdown of 3-4x seems
> a bit much to me. Clearly the results are not scientific, however, they
> have been generally reproducible since I started rolling IPA out.
> 
> As a side note this slowdown has also broken bacula backups, as the
> bacula client is scanning the filesystem for change (using accurate
> backups) the director times out.
> 
> Any thoughts, or opinions? Workarounds etc? I have checked to make sure
> that SSSD caching is enabled, and functional.
> 
> Thanks,
> 
> -Erinn

I am assuming that these are all running as local users.

From the sssd.conf man page in the nss section:

filter_users, filter_groups (string)
   Exclude certain users from being fetched from the sss NSS database. 
This is particularly useful for system accounts. This option can also be set 
per-domain or include fully-qualified names to filter only users from the
   particular domain.

   Default: root


Try adding this to your sssd.conf:

[nss]
   filter_groups = root,bacula,aide,otherdaemonuser <-as needed
   filter_users = root,bacula,aide,otherdaemonuser <- as needed

Let me know if that solves your issue.


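An added script (not SSSD or FreeIPA code) that compares the local system accounts in passwd and group against the filter_users / filter_groups already present in sssd.conf and produces the merged [nss] section the reply above suggests; the uid/gid cut-off of 500 is an assumption (the RHEL 6 default), and the passwd, group and sssd.conf samples are constructed.

```python
"""Find local system accounts that are not yet listed in sssd.conf's
[nss] filter_users / filter_groups, and print a merged section.

Added example for the AIDE/bacula slowdown thread; it is not SSSD or
FreeIPA code. uid_min/gid_min default to 500 (RHEL 6 default, an
assumption here). Per-domain filter settings and 'user@domain'
qualified names from the man page excerpt are not handled.
"""
import configparser


def parse_passwd_like(text, id_max):
    """Return names from passwd/group style lines ('name:x:id:...')
    whose numeric id is below id_max, in file order."""
    names = []
    for line in text.splitlines():
        if line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) < 3:
            continue
        try:
            if int(fields[2]) < id_max:
                names.append(fields[0])
        except ValueError:          # malformed id field, skip the line
            continue
    return names


def parse_nss_filters(sssd_conf_text):
    """Return (filter_users, filter_groups) lists from the [nss] section;
    empty lists when the section or key is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)

    def _split(key):
        raw = cp.get('nss', key, fallback='')
        return [n.strip() for n in raw.split(',') if n.strip()]

    return _split('filter_users'), _split('filter_groups')


def missing_filters(passwd_text, group_text, sssd_conf_text,
                    uid_min=500, gid_min=500):
    """Return (users, groups): local system accounts that the [nss]
    filters do not yet name, so sss would still be consulted for them."""
    fu, fg = parse_nss_filters(sssd_conf_text)
    users = [u for u in parse_passwd_like(passwd_text, uid_min) if u not in fu]
    groups = [g for g in parse_passwd_like(group_text, gid_min) if g not in fg]
    return users, groups


def suggested_nss_section(passwd_text, group_text, sssd_conf_text, **kw):
    """Return an [nss] fragment that extends the existing filters."""
    fu, fg = parse_nss_filters(sssd_conf_text)
    mu, mg = missing_filters(passwd_text, group_text, sssd_conf_text, **kw)
    return ('[nss]\n'
            'filter_users = %s\n'
            'filter_groups = %s\n' % (','.join(fu + mu), ','.join(fg + mg)))


# Constructed samples (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
bacula:x:133:133:Bacula:/var/spool/bacula:/sbin/nologin
aide:x:134:134::/var/lib/aide:/sbin/nologin
jdoe:x:1001:1001::/home/jdoe:/bin/bash
"""
GROUP = """\
root:x:0:
bin:x:1:
bacula:x:133:
aide:x:134:
jdoe:x:1001:
"""
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[nss]
filter_users = root,bacula

[domain/example.com]
id_provider = ipa
"""

if __name__ == '__main__':
    print(suggested_nss_section(PASSWD, GROUP, SSSD_CONF))
```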


[Freeipa-users] FreeIPA Replica Manage Reinitialize causes ALL Servers to rerun memberof fixup

2011-12-23 Thread JR Aquino
I have a multimaster infrastructure with 3 core FreeIPA servers and 10 
supporting (procedurally read-only) FreeIPA servers.

I notice that occasionally 1 of the systems starts producing errors filling up 
/var/log/dirsrv/slapd-DOMAIN-COM/errors:
Replica has a different generation ID than the local data
(I suspect this is due to ntp problems that I am trying to work out)

http://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Troubleshooting_Replication_Related_Problems.html

^ This document suggests that I should re-initialize the problematic system 
from one of the core master servers.

Upon so doing, I am finding that all 13 servers' CPUs spike to 100% of one core 
while they re-process memberof data... Even though there are many, many cores in 
these systems, the intense and single-threaded nature of this process causes a 
performance hit in all 13 data centers for all clients.

Am I reading the documentation wrong? Shouldn't a re-initialization of the 
problematic host only cause a replication: master -> slave + slave memberof 
fixup?

This seems like a fairly severe performance-affecting bug.

-JR



Re: [Freeipa-users] [Freeipa-devel] Announcing FreeIPA 2.1.4

2011-12-06 Thread JR Aquino
On Dec 6, 2011, at 1:09 PM, Simo Sorce wrote:

> Thanks Rob for all the great work!
> 
> 
> I want to add just one warning that may escape users attention.
> 
> Due to the need to address the CSRF attack, our command line tools
> (including ipa-client-install) will not work on newer servers until you
> upgrade those clients. The reason is that the old tools never sent the
> Referer header.

How do you upgrade your clients if they are RHEL and the Server is Fedora?

> 
> The newer tools should work w/o any issue against an old server.
> 
> Unfortunately although CSRF attacks are a concern only when using the
> Web UI, we had to break compatibility because a browser could be
> subverted to use the xml-rpc interface used by the CLI tools, and we
> couldn't leave that hole open even though this means we are breaking
> backwards compatibility.
> 
> So if you need to have a gradual upgrade you should start from clients
> (and install images) before upgrading the server.
> 
> Keep in mind though that the flaw will not be fixed until you upgrade
> the server. So, although the flaw is not really critical (IMO), you
> should not delay upgrades too long in production environments and be
> careful on administrative clients where you use admin credentials.
> 
> HTH,
> Simo.

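Added example, not FreeIPA's implementation, of the kind of Referer-based check the announcement describes, showing why a client that sends no Referer at all is refused while a page served from the server's own origin passes; the host name ipa.example.com and the 403 status are assumptions.

```python
"""Same-origin Referer check in front of an XML-RPC dispatcher.

Added example for the 2.1.4 announcement thread; it is not FreeIPA's
code. It assumes the server is reached only over HTTPS under one host
name. A request with no Referer (the old CLI tools, per the thread) or
with a Referer from another origin (a browser page elsewhere trying to
drive the XML-RPC interface) is refused before the call is dispatched.
"""
from urllib.parse import urlsplit


def referer_allowed(headers, server_host):
    """Return (allowed, reason) for a request's headers.

    headers: mapping of header names to values (names in any case).
    server_host: the host[:port] clients reach the server under.
    """
    referer = None
    for name, value in headers.items():
        if name.lower() == 'referer':
            referer = value
            break
    if not referer:
        return False, 'missing Referer header'
    parts = urlsplit(referer)
    if parts.scheme != 'https':
        return False, 'Referer is not https: %r' % parts.scheme
    # Compare the whole netloc, never a prefix, so that a host name that
    # merely starts with or embeds the server name does not pass.
    if parts.netloc.lower() != server_host.lower():
        return False, 'Referer host %r is not %r' % (parts.netloc, server_host)
    return True, 'ok'


def dispatch_xmlrpc(headers, server_host, handler):
    """Gate an XML-RPC handler behind the check. Returns (status, body);
    403 (an assumed status) when the Referer check fails."""
    ok, reason = referer_allowed(headers, server_host)
    if not ok:
        return 403, reason
    return 200, handler()


if __name__ == '__main__':
    host = 'ipa.example.com'            # assumed server name
    old_cli = {'Content-Type': 'text/xml'}                # no Referer
    web_ui = {'Referer': 'https://ipa.example.com/ipa/ui/'}
    print(dispatch_xmlrpc(old_cli, host, lambda: 'ok'))   # refused
    print(dispatch_xmlrpc(web_ui, host, lambda: 'ok'))    # dispatched
```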


Re: [Freeipa-users] HBAC rules not working

2011-11-23 Thread JR Aquino
On Nov 23, 2011, at 5:41 PM, Steven Jones wrote:
> Hi,
> 
> Even a reboot doesn't fix the ghost host group issue...
> 
> Can it be done via the CLI?

ipa hbacrule-add-host --hostgroups=hostgroup_name hbacrule_name

Also you may be running into a problem with source hosts... You do need to 
specify from which hosts you are allowing ssh if I recall correctly.  Assuming 
that you want to permit _from_ any source host:

ipa hbacrule-mod --srchostcat=all hbacrule_name





[Freeipa-users] Firefox on Windows + FreeIPA WebUI

2011-11-21 Thread JR Aquino
Has anyone got this working?

I've installed MIT Kerb on my windows system and configured Firefox, but I've 
yet to get them all to play nicely together...

If someone else has managed to figure this out, could you please hit me with 
the clue stick?

I'd prefer to fix Kerb SSO rather than adventure down the path of enabling 
Basic Auth on my FreeIPA Server.

Thanks!
~~~~~~~~~
Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aqu...@citrixonline.com
http://www.citrixonline.com







[Freeipa-users] FreeIPA 2.1.3 Replication Install Failure

2011-11-09 Thread JR Aquino
~
Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aqu...@citrixonline.com
http://www.citrixonline.com







Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread JR Aquino
1) Create an HBAC Rule or rules: choose allow or deny
2) add users/usergroups to the rule
3) add hosts/hostgroups to the rule
4) disable the default 'allow all' rule

Now any system that has SSSD 1.5 will enforce those HBAC rules.

For systems that do not support sssd, I have been working on a proof of concept 
authorization module for HBAC written in python.

-JR

On Jun 13, 2011, at 5:32 PM, Steven Jones wrote:

> Hi,
> 
> I've seen/read it, and I have a hard copy on my desk in front of me right 
> now.
> 
> I find it typical of such documents: it has lots of sections in great detail 
> but it doesn't tell you how to achieve anything end to end, and often it 
> gives you written instructions on visual tasks, so if you are not in the right 
> bit of the GUI you go nowhere. So it needs far more screenshots and 
> wizards.
> 
> regards
> ________
> From: JR Aquino [jr.aqu...@citrix.com]
> Sent: Tuesday, 14 June 2011 11:53 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop 
> users logging into hosts?
> 
> On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
> 
>> I have put 3 clients into a netgroup and added a user, however when I remove 
>> the user from the netgroup the user can still log in! Even if the user wasn't 
>> ever in the netgroup they can log in
>> 
>> So how do I stop that?
>> 
>> When will we see some documentation on doing user admin tasks like this?
> 
> Have a look at this:
> 
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies
> 




Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread JR Aquino

On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:

> I have put 3 clients into a netgroup and added a user, however when I remove 
> the user from the netgroup the user can still log in! Even if the user wasn't 
> ever in the netgroup they can log in
> 
> So how do I stop that?
> 
> When will we see some documentation on doing user admin tasks like this?

Have a look at this:

http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies



Re: [Freeipa-users] RHEL client to IPA

2011-05-18 Thread JR Aquino
Can you try both of those commands with sudo?

sudo service dirsrv status

?

~~
Jr Aquino
Info. Security Specialist
Citrix Online
jr.aqu...@citrixonline.com
805.690.3478
GCIH, CCNA

On May 18, 2011, at 1:38 PM, "Steven Jones"  wrote:

> [jonesst1@vuwunicoipamt01 ipa]$ service dirsrv status
> /etc/sysconfig/dirsrv: line 50: ulimit: open files: cannot modify limit: 
> Operation not permitted
> dirsrv UNIX-VUW-AC-NZ is stopped
> [jonesst1@vuwunicoipamt01 ipa]$ service krb5kdc status
> krb5kdc (pid  4686) is running...
> [jonesst1@vuwunicoipamt01 ipa]$ grep file-max /etc/sysctl.conf 
> [jonesst1@vuwunicoipamt01 ipa]$ grep nofile /etc/security/limits.conf 
> #- nofile - max number of open files
> dirsrv    -    nofile    8192
> [jonesst1@vuwunicoipamt01 ipa]$ cat /proc/sys/fs/file-max 
> 97190
> [jonesst1@vuwunicoipamt01 ipa]$ 
> 
> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Thursday, 19 May 2011 1:22 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] RHEL client to IPA
> 
> On 05/17/2011 09:36 PM, Steven Jones wrote:
>> the dirsrv isn't running...
>> 
>> it's giving me " line 50: ulimit: open files: cannot modify limit: operation 
>> not permitted  dirsrv unix-vuw-ac-nz is stopped...
> What is the number of files that ulimit is attempting to use?
> What does
> grep file-max /etc/sysctl.conf
> say?
> what about
> grep nofile /etc/security/limits.conf
> ?
> what about
> cat /proc/sys/fs/file-max
> ?
>> krb5kdc is running.
>> 
>> regards
>> 
>> From: JR Aquino [jr.aqu...@citrix.com]
>> Sent: Wednesday, 18 May 2011 3:31 p.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] RHEL client to IPA
>> 
>> Is ns-ldap / kdc running on vuwunicoipamt01.unix.vuw.ac.nz?
>> service dirsrv status
>> service krb5kdc status
>> 
>> 
>> And are you running the command on vuwunicoipamt01.unix.vuw.ac.nz?
>> 
>> On May 17, 2011, at 8:23 PM, "Steven Jones" wrote:
>> 
>> I'm getting,
>> 
>> "SASL bind failed!"
>> 
>> 8><
>> 
>> Steven Jones wrote:
>> So what should the command be?
>> 
>> # kinit admin
>> # ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p
>> host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz
>> 
>> 
>> 
> 
> 



Re: [Freeipa-users] RHEL client to IPA

2011-05-17 Thread JR Aquino
Is ns-ldap / kdc running on vuwunicoipamt01.unix.vuw.ac.nz?
service dirsrv status
service krb5kdc status


And are you running the command on vuwunicoipamt01.unix.vuw.ac.nz?

On May 17, 2011, at 8:23 PM, "Steven Jones" wrote:

I'm getting,

"SASL bind failed!"

8><

Steven Jones wrote:
So what should the command be?

# kinit admin
# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p
host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz





Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread JR Aquino
On May 11, 2011, at 12:25 PM, JR Aquino wrote:
>> 
>> These are all workarounds, I assume having the functionality available 
>> through the native sssd
>> would be of an advantage. But this way you would get the mentioned extra 
>> functionality of SSSD without
>> having to do the work of supporting your competitors' operating systems. :)
> 
> There have been _some_ discussions surrounding a PAM module that could be 
> used as a very base level of HBAC support, since there are a lot of 
> pre-required dependencies for SSSD.
> 
> The advantage would be theoretical portability, and the loss would be caching.
> 
> I have personally written such a PAM plugin prototype in Python, and it 
> functions just fine in Linux installations.  The C code that calls the Python 
> script is not compatible with OpenPAM,
> so there is still work to be done to support the BSD / Mac solutions, but I 
> believe it's just a matter of some syntax changes...

After closer inspection, it appears that OpenPAM tries to remain compatible 
with Solaris, so a method for providing a non-caching, bare-bones 
OpenPAM-compatible module would likely satisfy Solaris, Mac OS X and the BSDs.




Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread JR Aquino
On May 11, 2011, at 10:51 AM, Sigbjorn Lie wrote:

> On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:
>> On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
>> 
>>> Hi,
>>> 
>>> 
>>> I would like to see the ipa client scripts and possibly the admin tools
>>> in a nice Solaris package. This would make my job a lot easier as we have a 
>>> lot of customers
>>> running Solaris. :)
>>> 
>>> For the server part I agree with you, keep it at RHEL.
>>> 
>>> 
>>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the
>>> UNIX vendors selling their iron as client machines anymore. And I don't
>>> see a considerable benefit in adding SSSD to servers, who will be well 
>>> connected to the network
>>> anyway.
>> 
>> 
>> Actually, SSSD is still valuable on server systems (and is used very
>> often in datacenters). The reason is that it can allow a server to ride out 
>> an outage in the LDAP
>> and/or Kerberos server and still handle authentication and identity requests 
>> from its cache.
>> 
>> We've expressed interest several times in working WITH other platforms
>> to help them port the SSSD, but we've received no real commitment to 
>> assisting with it. We have a
>> lot on our plates already, so it is difficult for us to justify spending 
>> time improving our
>> competitors' offerings :)
>> 
>> Also, SSSD has additional features with FreeIPA integration that
>> nss_ldap and pam_krb5 do not. Specifically, it has support for managing 
>> access-control using
>> FreeIPA's host-based access control model. This is
>> a very valuable piece of the puzzle and should not be ignored.
> 
> 
> 
> I see you're having a valid point about the outage support. This could be 
> worked around using the
> "High Availability Add-on" in RHEL, sharing an IP address between your IPA 
> servers, which you
> would switch to the currently active IPA server.

Not only is there a question of high availability with regard to lookups into 
ldap.  But there is also a problem of scale and overhead.

nss_ldap and pam_ldap perform a lookup per iteration in many cases.

Consider, for example, 4 data centers with 100 servers each, all tied back to 
ldap for uid/gid mappings and pam_ldap for authentication and authorization.

If you have a task that logs into each of these 400 servers and performs a 
'sudo ls -la /home' for example, 
your ldap servers are going to incur the cost of looking up each file on each 
server, the cost of each authentication, and the cost of performing several 
ldap lookups from the sudo binary.

SSSD is not only beneficial during periods of network inaccessibility, but also 
crucial with regard to scale.
 
> 
> With regards to IPA's host-based access control: What about doing access 
> control through using
> netgroups via the tcp wrappers?
> 
> You could still be configuring host based access control in IPA as it's 
> creating transparent
> netgroups for the host groups.

Host based access control is currently a mess in the Linux Community.

There are currently a few ways to go about it.

netgroups with
TCP Wrappers
Access.conf

^ This method implies that the changes in your central database must eventually 
be pushed to flatfile configs on the end hosts.
While this works pretty well in small environments, it can fall apart and have 
serious scale issues when dealing with hundreds or thousands of hosts.
(Yes, even when using something like Satellite or Puppet)
Consider the case of Active Directory where you scratch your head and go: "Gee, 
I'm SURE that i pushed that GPO, but for some reason, this set of hosts didn't 
get the memo"

pam_ldap + pam_check_host_attr

^ This issue has a sheer drop off problem with scale.  In this approach, you 
need to fill the user objects with every host that the user is permitted to 
login to.
When the number of users/administrators grow along with the number of hosts you 
have, you get: n^users * n^hosts and the administrative overhead becomes 
overwhelming.

> 
> These are all workarounds, I assume having the functionality available through 
> the native sssd
> would be of an advantage. But this way you would get the mentioned extra 
> functionality of SSSD without
> having to do the work of supporting your competitors' operating systems. :)

There have been _some_ discussions surrounding a PAM module that could be used 
as a very base level of HBAC support, since there are a lot of pre-required 
dependencies for SSSD.

The advantage would be theoretical portability, and the loss would be caching.

I have personally written such a PAM plugin prototype in Python, and it 
functions just fine in Linux installations.  The C code that calls the Python 
script is not compatible with OpenPAM,
so there is still work to be done to support the BSD / Mac solutions, but I 
believe it's just a matter of some syntax changes...

I hope this information helps clarify these points.

> 
> 
> Rgds,
> Siggi
> 
> 
> 

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-04-30 Thread JR Aquino
On Apr 29, 2011, at 11:45 PM, "nasir nasir" wrote:

Hi All,

First of all, many thanks indeed to the developers and community for making 
some great strides in the open source IPA world !

I am planning for a Linux deployment with the following requirements.

   -- About 50 Linux clients running Kubuntu (can change this to ubuntu if 
necessary)
   -- Centralized authentication
   -- Centralized storage with iSCSI for /home folder for each user by means of 
a dedicated storage
   -- NO Windows or other users
   -- Admin should be able to create and modify the accounts of all the users
   -- Admin should be able to set password policies
   -- Allocate /home folder for each user from the storage through iSCSI
   -- Server can be CentOS/RHEL (or even Fedora if absolutely required)
   -- Any other administration of users if possible !

I was wondering whether FreeIPA makes sense to me in this scenario ? can it 
satisfy all these or at least some of these ? if not, can anyone suggest me 
some alternative solutions which are open source ? I am flexible on the 
requirements and can make modifications if that is required.

I would really appreciate any feedback on this.

Thanks in advance and regards,
Nidal

__

Yes Nidal, you will find that FreeIPA satisfies almost all of these 
requirements.  iSCSI management is not a feature of FreeIPA.

If you are looking to begin now, I would recommend that you start with Fedora 
as your base server distro.

IPA will be available for RHEL as a Feature preview in 6.1 with plans to be 
fully supported and integrated by 6.2.

-JR



Re: [Freeipa-users] allowing anonymous access to ipa directory

2011-04-13 Thread JR Aquino

On Apr 13, 2011, at 5:26 PM, Stephen Ingram wrote:

> This question might be better posed on a general directory server
> list, however, as ipa obviously contains very sensitive data, I'm
> curious as to what ipa users think. Although ipa uses extensive acl's
> to shield the most important directory attributes from general view,
> it does allow anonymous access to many of the general entries. I
> notice that many directories do this to allow outside firms to view
> addressbook-type information of the company from their directories and
> referrals also depend on this functionality. I'm wondering though, if
> you have users from multiple domains in your directory with say name
> and email address information available, wouldn't this just be a
> free-for-all for some enterprising spammer or such? Or, if hosting dns
> from ipa, host records available to aid potential attackers to map
> network systems? Shouldn't this be controlled further in some
> instances and perhaps require at least a user bind (if not a TLS/SSL
> layer) to access this information?
> 
> Steve

This question has come up before Stephen.

A conscious effort has been made to provide FreeIPA with a balance of security 
minded and usable defaults.   

There are circumstances with other Distributions/OS's and nss_ldap situations 
which require anonymous binds.  It is for this reason that the default for 
FreeIPA permits read access to a limited scope of the LDAP directory.  You will 
note that areas of the directory responsible for mapping security authorization 
controls have been deliberately protected with ACLs.

That being said, there has been an ongoing effort to verify that the FreeIPA 
framework all functions correctly with ldap security features turned on: 
Always Encrypt/Disable Anonymous or Unauthenticated Binds.

To turn on these features:

You will want to look to: /etc/dirsrv/slapd-DOMAIN-COM/dse.ldif:

nsslapd-allow-anonymous-access: on/off
(This toggles anonymous / unauthenticated binds)

and

nsslapd-minssf: 56 
(This enforces the encryption minimum security strength factor and prevents 
unencrypted communications)

service dirsrv restart will be required for the features to take effect.

-JR


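An added example, not part of JR's reply and not FreeIPA's own tooling: a Python
audit of the two settings he names. It reads a dse.ldif-style cn=config entry,
applies the 389-ds defaults for absent attributes (anonymous access on, minssf 0),
flags the weak values, and emits the LDIF that makes the same change with
ldapmodify against cn=config as Directory Manager. That is the route to take on a
running instance: 389-ds rewrites dse.ldif itself, so hand edits belong only to a
stopped server. The sample dse.ldif excerpt and the 128-bit threshold are
constructed for the example; 56, the value in the reply, is single-DES strength,
and a current deployment would require more. Either change applies to every
connection, replication agreements included, so test a client bind before relying
on it.

```python
"""Audit nsslapd-allow-anonymous-access and nsslapd-minssf in a dse.ldif.
Added example, not 389-ds or FreeIPA code. Sample data is constructed."""
import base64

# 389-ds defaults when the attribute is absent from cn=config.
DEFAULT_ALLOW_ANONYMOUS = "on"
DEFAULT_MINSSF = 0
# Assumed local policy: at least 128-bit strength (AES-128 class), not 56.
REQUIRED_MINSSF = 128


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), skips
    comments, splits entries on blank lines, decodes base64 (::) values.
    Returns a list of dicts mapping lowercase attribute -> list of values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def config_entry(entries):
    """The cn=config entry, or None if the file has none."""
    for entry in entries:
        if any(dn.lower() == "cn=config" for dn in entry.get("dn", [])):
            return entry
    return None


def audit(text, required_minssf=REQUIRED_MINSSF):
    """Return a list of (severity, message) findings for the two settings."""
    cfg = config_entry(parse_ldif(text))
    if cfg is None:
        return [("error", "no cn=config entry found")]
    findings = []
    anon = cfg.get("nsslapd-allow-anonymous-access", [DEFAULT_ALLOW_ANONYMOUS])[0].lower()
    if anon == "on":
        findings.append(("high", "nsslapd-allow-anonymous-access is on: anonymous "
                                 "binds can read whatever the ACIs leave open"))
    elif anon == "rootdse":  # value accepted by 389-ds: anonymous reads of the root DSE only
        findings.append(("info", "anonymous access limited to the root DSE"))
    elif anon != "off":
        findings.append(("error", f"unrecognised nsslapd-allow-anonymous-access value {anon!r}"))
    raw_ssf = cfg.get("nsslapd-minssf", [str(DEFAULT_MINSSF)])[0]
    try:
        minssf = int(raw_ssf)
    except ValueError:
        return findings + [("error", f"nsslapd-minssf is not an integer: {raw_ssf!r}")]
    if minssf == 0:
        findings.append(("high", "nsslapd-minssf is 0: cleartext LDAP operations are accepted"))
    elif minssf < required_minssf:
        findings.append(("medium", f"nsslapd-minssf {minssf} is below the required {required_minssf}"))
    return findings


def hardening_ldif(minssf=REQUIRED_MINSSF, allow_anonymous="off"):
    """LDIF to feed ldapmodify (Directory Manager bind) against cn=config."""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: nsslapd-allow-anonymous-access\n"
            f"nsslapd-allow-anonymous-access: {allow_anonymous}\n"
            "-\n"
            "replace: nsslapd-minssf\n"
            f"nsslapd-minssf: {minssf}\n")


# Constructed dse.ldif excerpt (not from a real server), with one folded line.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
objectClass: nsslapdConfig
nsslapd-rootdn: cn=Direct
 ory Manager
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 56
nsslapd-port: 389

dn: cn=monitor
cn: monitor
objectClass: top
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_DSE_LDIF):
        print(f"[{severity}] {message}")
    print(hardening_ldif())
```

Run it against a copy of /etc/dirsrv/slapd-DOMAIN-COM/dse.ldif; the sample above
produces one high finding (anonymous on) and one medium finding (minssf 56 below
128), and an entry with neither attribute produces two high findings, because the
defaults are the weak values.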

Re: [Freeipa-users] Auto membership plugin

2011-04-08 Thread JR Aquino
Is there any way to capture a description associated with the regex -> group 
mapping?

I was thinking that after time, it would be important to look back on rules and 
know why they were put there.

Particularly in the case of regex, since it may not be completely obvious by 
looking back at alphabet soup.



Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-04 Thread JR Aquino
On 1/4/11 1:04 AM, "Roland Kaeser" wrote:

>>We return to this discussion once in a while...
>>
>>Samba 4 tries to do it and still struggles after many years
>>of development. We definitely would look at Samba 4 again when we see it
>>Sufficiently ready but this is not a priority for 2011.
>
>Maybe this is the reason why freeipa has so few users and nearly no
>echo in the linux community.

I disagree Roland.  The Linux community at large is generally living in
the dark ages of authorization management.

There are no comparative comprehensive linux solutions in the community
thus far which actually address scalable authentication and authorization
from linux systems by a linux solution.

My observation of the quiet in the community is due to lack of solutions
out there.

/etc/access.conf, pam_ldap, Certify, hosts.allow are very primitive means
to control access to a Linux client.

Regardless of how complex you make your authentication database, to this
day, you are still limited to: pam_ldap, access.conf, Certify,
hosts.allow... These are very primitive means to control access to a
Linux client.

With FreeIPA and SSSD, the first means of providing real RBAC/HBAC is
available to the Open Source community.

We cannot and should not attempt to explain the quiet with answers of
disinterest or lack of Microsoft support.

The fact is, there has not yet been a competent linux solution and as a
result the utilization of pure Linux environments has been stunted with
people settling for things like, /etc/passwd, /etc/access.conf, pam_ldap,
and NIS...

What you are describing is the reinventing of the wheel.  Which has
previously been answered: If the goal is to provide an alternative linux
authentication/authorization method for Microsoft Windows, then there are
already existing solutions out there: Samba4, Novell eDirectory +
Directory Services for Windows...

FreeIPA serves to facilitate some of the most basic
authentication/authorization interactions that other OS's have taken for
granted for years.
 
>
>>Samba 4 is intended to be a duplicate of AD this is how it is designed
>>and implemented.
>The problem here is that samba 4 is still alpha.
>
>>I would like to be able to use Linux as the IT backbone without having
>>to resort to Microsoft.
>This is also our most implemented scenario. Only in the last year we migrated
>half a dozen companies away from Microsoft and AD (on the server side).
>This year a lot of companies are already planned for migration. Especially
>with the knowledge in mind that (based on the change of Microsoft's
>licensing model for hosters) around 1000 companies only in Switzerland
>will switch their abacus (www.abacus.ch, large erp for Switzerland)
>platform to linux so its REALLY, REALLY (I cannot write how much I would
>like to accentuate this) important to have a network wide authentication
>and identity management software to build up large linux server
>environments with windows frontends.
>So, having windows clients in the network is the reality; we cannot close
>our eyes to this only because it's a challenge to implement it.

Microsoft has designed a complete ecosystem to surround its client,
server, email, and productivity solutions.

It's not just a challenge to implement a successful means of replacing the
backend, it is directly opposed to the goals of its creator: Microsoft.

The various components within Microsoft's (and most commercial) solutions
are designed at their core to be proprietary with the effort of drawing in
consumers to more pieces of their puzzle.

It is entirely likely that it will be necessary to have both solutions in
place and working together, rather than attempting to circumvent
Microsoft's solution.

>
>>Linux is lacking a complete solution that acts as a "central
>>authentication and identity >management platform"
>I think also this is the only huge area in linux which is really missing.
> Just think about the huge potential of users and implementations if
>freeipa acts also as authentication instance for windows environments.
>Just we only (as a small company with 8 persons) would have the
>possibility for around 20 migrations this year. It just wage to dream a
>bit but from my point of view the authentication lack is the only
>remaining one which prevents the rest of the world (or even Europe and
>Switzerland) to massively migrate to linux and opensource (at least on the
>server side).

While I agree that a truly unified solution which answers all clients
authentication needs is a worthwhile concept, in practice, throughout my
entire career, I've learned that the commercial design of this ecosystem
conflicts with this ambitious ideal.

I have had a great deal of experience in highly dense and distributed
(world wide) native Linux installations which serv