[Freeipa-users] CANT LOGIN INTO centos 6.6 2.6.32-504.23.4.el6.i686
I have the following configuration below and I'm able to login via SSH into a 32-bit server. With the same username I'm able to login on other servers.

[root@alvin ~]# cat /etc/sssd/sssd.conf
[domain/xx.co.zw]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xx.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = alvin.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, .ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xx.co.zw
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[root@alvin ~]#

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
[root@nimbus sssd]# ls -l sssd.conf
-rw------- 1 root root 809 Jun 26 11:20 sssd.conf
[root@nimbus sssd]#

And the permissions are 0600 and SELINUX IS DISABLED

-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Friday, June 26, 2015 11:42 AM
To: Martin Chamambo
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT

On Fri, Jun 26, 2015 at 09:32:43AM +, Martin Chamambo wrote:
> This is my sssd.conf file and I have that config_file_version = 2

Is the config file owned by root.root and does it have 0600 permissions?
Are there any AVC denials?

> [root@server sssd]# vim sssd.conf
> [domain/ai.co.zw]
> debug_level = 10
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = nimbus.ai.co.zw
> chpass_provider = ipa
> ipa_server = _srv_, ipaserver.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
> domains = default, ai.co.zw
> [nss]
> homedir_substring = /home
> [pam]
> [sudo]
> sssd.conf 46L, 809C
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Friday, June 26, 2015 11:28 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
>
> On Fri, Jun 26, 2015 at 09:18:17AM +, Martin Chamambo wrote:
> > I installed ipa-client on centos 6.6 32 bit and it installed correctly but there was no /etc/sssd/sssd.conf file. I read through forums that you can copy another sssd.conf file from another machine, but this is what I'm getting when I try to start sssd:
> >
> > (Fri Jun 26 10:55:12:934690 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> > (Fri Jun 26 10:55:12:934810 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> > (Fri Jun 26 10:55:14:352106 2015) [sssd] [confdb_init_db] (0x0010): Config file is an old version. Please run configuration upgrade script. Add: config_file_version = 2 to the [sssd] section.
> > (Fri Jun 26 10:55:14:352276 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> > (Fri Jun 26 10:55:14:352342 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> > (Fri Jun 26 10:56:39 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 10:58:11 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 11:01:03 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 11:03:56 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> > (Fri Jun 26 11:10:28 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
Re: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT
This is my sssd.conf file and I have that config_file_version = 2

[root@server sssd]# vim sssd.conf
[domain/ai.co.zw]
debug_level = 10
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = nimbus.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, ipaserver.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = default, ai.co.zw
[nss]
homedir_substring = /home
[pam]
[sudo]
sssd.conf 46L, 809C

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Friday, June 26, 2015 11:28 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSSD FAILING TO START ON CENTOS 6.6 32BIT

On Fri, Jun 26, 2015 at 09:18:17AM +, Martin Chamambo wrote:
> I installed ipa-client on centos 6.6 32 bit and it installed correctly but there was no /etc/sssd/sssd.conf file. I read through forums that you can copy another sssd.conf file from another machine, but this is what I'm getting when I try to start sssd:
>
> (Fri Jun 26 10:55:12:934690 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> (Fri Jun 26 10:55:12:934810 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> (Fri Jun 26 10:55:14:352106 2015) [sssd] [confdb_init_db] (0x0010): Config file is an old version. Please run configuration upgrade script. Add: config_file_version = 2 to the [sssd] section.
> (Fri Jun 26 10:55:14:352276 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Invalid argument]
> (Fri Jun 26 10:55:14:352342 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
> (Fri Jun 26 10:56:39 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 10:58:11 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 11:01:03 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 11:03:56 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
> (Fri Jun 26 11:10:28 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [ai.co.zw], definitely stopped!
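An added check script for the "SSSD failing to start" thread above; it is not from any message in the thread. It covers the two things Jakub asked about (config_file_version = 2 in [sssd], and the file being root:root with mode 0600) and additionally flags a name in domains = that has no matching [domain/...] section, which is the case for "default" in the pasted config. The sample config is constructed from the one pasted above, and the function names are my own.

```python
import configparser
import stat

# Constructed sample modelled on the sssd.conf pasted in the thread above:
# "default" is listed in domains = but has no [domain/default] section.
SAMPLE_CONF = """\
[domain/ai.co.zw]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipaserver.ai.co.zw
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = default, ai.co.zw
[nss]
homedir_substring = /home
"""

def check_sssd_conf(text):
    """Return a list of problems in an sssd.conf body (empty list means OK)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    problems = []
    # sssd 1.x refuses to start without this (see the "old version" log line).
    if cp.get("sssd", "config_file_version", fallback=None) != "2":
        problems.append("config_file_version = 2 missing from [sssd]")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    domains = [d for d in domains if d]
    if not domains:
        problems.append("[sssd] has no domains = line")
    for dom in domains:
        if not cp.has_section("domain/" + dom):
            problems.append("domain %r listed but no [domain/%s] section" % (dom, dom))
    return problems

def perm_problems(uid, gid, mode):
    """sssd expects root:root and 0600; pass os.stat() fields (st_uid, st_gid, st_mode)."""
    problems = []
    if uid != 0 or gid != 0:
        problems.append("not owned by root:root (uid=%d gid=%d)" % (uid, gid))
    if stat.S_IMODE(mode) != 0o600:
        problems.append("mode is %04o, expected 0600" % stat.S_IMODE(mode))
    return problems
```

Run perm_problems() on the fields of os.stat("/etc/sssd/sssd.conf") and check_sssd_conf() on the file body to get both lists for a real host.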
Re: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS
Thanks for the feedback.

So if the replica is similar to the primary, if the primary gets completely fried, without automatic failover, I can reconfigure my clients to point to the new replica server without issues???

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Nathan Kinder [nkin...@redhat.com]
Sent: Saturday, April 11, 2015 4:57 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS

On 04/10/2015 06:54 PM, Martin Chamambo wrote:
> Good day
>
> I have a freeipa primary server working as I wanted, no complex stuff has been set up yet except the basic service and sudo controls, which is fine by me. I have also set up a replica from the primary. The DNS server is running from a different platform, so basically the 2 servers query a DNS server on another server to resolve their names.
>
> My question is as follows: when the primary server fails, does the replica automatically assume the position of the primary [and please note that replication is also working as expected]?

The replica is no different from the primary master, aside from being responsible for CRL generation. Failover really depends on how your clients are configured. If you are using SSSD, you should look at the 'FAILOVER' section in the 'sssd-ipa' man page for details on how it works and how it is configured.
[Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS
Good day

I have a freeipa primary server working as I wanted, no complex stuff has been set up yet except the basic service and sudo controls, which is fine by me. I have also set up a replica from the primary. The DNS server is running from a different platform, so basically the 2 servers query a DNS server on another server to resolve their names.

My question is as follows: when the primary server fails, does the replica automatically assume the position of the primary [and please note that replication is also working as expected]?
Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
From: Jakub Hrozek [jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 2:01 PM
To: Martin Chamambo
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote:
> Sudo seems to be configured correctly but somehow it's not working.
> Even if I do a sudo -l under the admin user:
>
> [admin@ironhide tmp]$ sudo -l
> [sudo] password for admin:
> Matching Defaults entries for admin on this host:
>     requiretty, !visiblepw, always_set_home, env_reset,
>     env_keep=COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS,
>     env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE,
>     env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES,
>     env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE,
>     env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY,
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User admin may run the following commands on this host:
>     (admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic, matangiraa, nyahumap, pedzisail, tayengwaj : ALL) /usr/bin/vim,
>     /usr/bin/less

According to this output, admin can run both vim and less... ??
Re: [Freeipa-users] granular sudo commands
For all my sudo commands I do: sudo command_name_here

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Craig White [cwh...@skytouchtechnology.com]
Sent: Thursday, April 09, 2015 1:52 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] granular sudo commands

rpm -q sssd
sssd-1.11.6-30.el6_6.4.x86_64
rpm -q ipa-client
ipa-client-3.0.0-42.el6.x86_64

[test2.user@app001 ~]$ sudo su - weblogic
[sudo] password for test2.user:
Sorry, user test2.user is not allowed to execute '/bin/su - weblogic' as root on app001.stt.local.

[test2.user@app001 ~]$ sudo -l
[sudo] password for test2.user:
Matching Defaults entries for test2.user on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep=COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS,
    env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE,
    env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES,
    env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE,
    env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY,
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty

User test2.user may run the following commands on this host:
    (ALL) sudo su - tomcat, sudo su – weblogic

How should the actual command be entered? I have tried…

Su – weblogic (ignore autocapitalization)
/bin/su – weblogic
Sudo su – weblogic
Sudo /bin/su – weblogic

But none seem to actually work.

Craig White
Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
Good day

I managed to configure sudo and it's working for all my CentOS 6.6 and RHEL 6.6 clients. Somehow I managed to change the sudo rules, sudo commands and sudo groups to be less restrictive; that's when I managed to access root-owned files using sudo. Thanks for your help.

My advice when configuring sudo: when configuring your sudo rules, start with a less restrictive access control, e.g. where they say "Access this host" say any, where they say "Run Commands" say any command, and when it's working, that's when you can then fine-tune your access policies.

From: Jakub Hrozek [jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 2:01 PM
To: Martin Chamambo
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote:
> Sudo seems to be configured correctly but somehow it's not working.
> Even if I do a sudo -l under the admin user:
>
> [admin@ironhide tmp]$ sudo -l
> [sudo] password for admin:
> Matching Defaults entries for admin on this host:
>     requiretty, !visiblepw, always_set_home, env_reset,
>     env_keep=COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS,
>     env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE,
>     env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES,
>     env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE,
>     env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY,
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User admin may run the following commands on this host:
>     (admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic, matangiraa, nyahumap, pedzisail, tayengwaj : ALL) /usr/bin/vim,
>     /usr/bin/less

According to this output, admin can run both vim and less... ??