[Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating
Hi,

IPA has really been a great project. But I was really concerned about the security of IPA. I have been testing it on RHEL 7 Beta for some time. ldapsearch is able to fetch the details from the IPA Server without authentication.

I would appreciate it if the IPA team could work on securing the IPA Server, as it is the most critical server if installed in an infrastructure. It exposes the details of all the users/admins in the environment.

There should be a user that IPA should use to fetch the details from the IPA Servers. Without authentication, no one should be able to fetch any information from the IPA Server.

--
Regards,
Rajnesh Kumar Siwal

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration of password (Kerberos Tickets) fails when users initially imported from AD
[root@ipasvr slapd-LABS-LOCAL]# ipa user-show rsiwal
  User login: rsiwal
  First name: Rajnesh Kumar
  Last name: Siwal
  Home directory: /home/rsiwal
  Login shell: /bin/bash
  UID: 1201200050
  GID: 1201200050
  Account disabled: False
  Password: False
  Kerberos keys available: False

On Sat, Mar 2, 2013 at 7:42 PM, Rajnesh Kumar Siwal wrote:
> We just set up synchronization between the IPA Server and AD Server
> and setup password.
> But we cannot see kerberos tickets corresponding to the users fetched
> from Windows AD Server.
>
> --
> Regards,
> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] Transferring "mastership" to a new server
Is it still required if the replica is created using the following command:

# ipa-replica-install --setup-ca --setup-dns

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com
Please guide us about the LDAP user "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com". Does it have read-only access or read-write access to "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com"? Because the file /etc/ldap.conf is readable by all the users, I am concerned about the security.

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] SOLVED: Re: Logging of Who does What on IPA Server
Thanks, Simo. It solves my concern.

On Thu, Feb 14, 2013 at 7:21 PM, Simo Sorce wrote:
> On Thu, 2013-02-14 at 12:50 +0530, Rajnesh Kumar Siwal wrote:
>> IPA is going to be very critical Server for any environment.
>> Do we have proper logging of who has locked whom, who has created a
>> sudo policy, who has allowed access to whom etc ?
>
> You can see this information by querying LDAP directly.
>
> The 'creatorsName' attribute holds the identity of the user that created
> the object.
>
> The 'createTimestamp' attribute holds the time at which the object was
> created.
>
> The 'modifiersName' attribute holds the identity of the user that last
> modified the object.
>
> The 'modifyTimestamp' attribute holds the time at which the object was
> modified.
>
> All these attributes are operational, so you normally do not see them
> unless you explicitly ask for them during an ldap search. Some LDAP
> browsers allow you to add a list of attributes to ask for explicitly.
>
> To see these attributes for a user named foo for example you can run
> this query: "ldapsearch -Y GSSAPI uid=foo creatorsName createTimestamp
> modifiersName modifyTimestamp"
>
> add a '*' at the end if you also want to fetch regular attributes.
> This command assumes you have kerberos credentials (-Y GSSAPI tells
> ldapsearch to use them to auth to the server).
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Regards,
Rajnesh Kumar Siwal
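The ldapsearch query in Simo's reply answers the "who did what" question one object at a time; the script below, an added example that is not code from this thread or from FreeIPA, turns the LDIF that such a query prints into a small audit list. The LDIF it parses is constructed (all DNs, names and timestamps are made up) and deliberately contains a folded line and a base64-encoded value, two things real ldapsearch output can contain.

```python
"""Audit report built from the operational attributes listed in the reply
above: creatorsName, createTimestamp, modifiersName, modifyTimestamp.
Added example, not code from the thread or from FreeIPA. SAMPLE_LDIF is
constructed to resemble ldapsearch output requesting those four attributes;
every DN, name and timestamp in it is made up."""
import base64
from datetime import datetime, timezone

# Constructed sample. It includes two things real ldapsearch output can
# contain: a folded line (continuation starts with a space) and a base64
# value ("attr:: ...").
_ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
_ADMIN_B64 = base64.b64encode(_ADMIN_DN.encode()).decode()
SAMPLE_LDIF = f"""\
# LDAPv3
# requesting: creatorsName createTimestamp modifiersName modifyTimestamp

# foo, users, accounts, example.com
dn: uid=foo,cn=users,cn=accounts,dc=example,dc=com
creatorsName: {_ADMIN_DN}
createTimestamp: 20130214071500Z
modifiersName: uid=helpdesk,cn=users,cn=accounts,dc=example,dc=c
 om
modifyTimestamp: 20130214120000Z

# allow_ops, sudorules, sudo, example.com
dn: cn=allow_ops,cn=sudorules,cn=sudo,dc=example,dc=com
creatorsName:: {_ADMIN_B64}
createTimestamp: 20130213100000Z
modifiersName: {_ADMIN_DN}
modifyTimestamp: 20130213100000Z

# search result
search: 3
result: 0 Success
"""

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} dicts."""
    # Join folded lines first: a line starting with one space continues the previous one.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():            # a blank line ends the current entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):        # ldapsearch comments
            continue
        if line.startswith("dn:"):      # every entry starts with its DN
            current = {}
        if current is None:             # search:/result: lines after the last entry
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):        # "attr:: value" means base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def parse_generalized_time(value):
    """LDAP GeneralizedTime as ldapsearch prints it, e.g. 20130214071500Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit_records(entries):
    """One record per object: who created it, who last changed it, and when."""
    records = []
    for e in entries:
        created_by = e.get("creatorsName", ["<unknown>"])[0]
        modified_by = e.get("modifiersName", ["<unknown>"])[0]
        created_at = parse_generalized_time(e["createTimestamp"][0])
        modified_at = parse_generalized_time(e["modifyTimestamp"][0])
        records.append({
            "dn": e["dn"][0],
            "created_by": created_by, "created_at": created_at,
            "modified_by": modified_by, "modified_at": modified_at,
            # Flag objects that someone other than their creator changed later.
            "changed_by_other": modified_at > created_at and modified_by != created_by,
        })
    return records

if __name__ == "__main__":
    for r in audit_records(parse_ldif(SAMPLE_LDIF)):
        flag = "*" if r["changed_by_other"] else " "
        print(f"{flag} {r['dn']}: created by {r['created_by']} at {r['created_at']:%Y-%m-%d %H:%M}Z,"
              f" last modified by {r['modified_by']} at {r['modified_at']:%Y-%m-%d %H:%M}Z")
```

Feed it the real output of the query from the reply (run with credentials, as the reply says) instead of SAMPLE_LDIF to get the same report for the objects in your own directory.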
[Freeipa-users] Logging of Who does What on IPA Server
IPA is going to be very critical Server for any environment.
Do we have proper logging of who has locked whom, who has created a sudo policy, who has allowed access to whom etc ?

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] Restricting other User's Details to be visible to a user
Yes. We would still like to restrict the visibility of the users. We could implement the ACLs in 389-ds. However, I was concerned whether it breaks the IPA.

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] Restricting other User's Details to be visible to a user
It has been found that any user can see the details of other users through the IPA Web Interface (even ldapsearch with anonymous user). It would be great if we could hide the details of the other users from the current user (including email, phone number, Licence Number). Additionally, anonymous access to the information should not be available.

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] User Migrated from LDAP not able to change the password
We migrated the users from OpenLDAP, where we were using the objectClass 'ShadowAccount' for the password expiration and warning, so it has been added by the IPA migration part.

[root@ipa1 ~]# ipa pwpolicy-show --user=siwal
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 12
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] The htaccess login pop-up window appears but login never succeeds
Thanks, Petr. I would like to confirm that I did not manually install any other application on it. I will dig further on it, if I could fetch out the reason.

On Mon, Feb 11, 2013 at 9:23 AM, Petr Vobornik wrote:
> On 02/10/2013 06:30 PM, Rajnesh Kumar Siwal wrote:
>>
>> Hi All,
>>
>> As I try to login into the IPA through https, it displays me a popup
>> window to login.
>> But login fails through it every time. I don't understand what this
>> popup window is for.
>> Screenshot of pop-up window attached.
>>
>> In the next screen, I login through Form-Based authentication and that
>> works fine.
>>
>> Why does this POP-up window appear and why does my login fail every time
>> (I try to login through admin user)
>> Please suggest
>>
>> Thanks in advance.
>>
>
> Hi,
>
> it looks like a HTTP basic authentication dialog. FreeIPA doesn't use this
> method. Is it possible, that you, or some other application on the machine
> modified apache configuration and enabled it?
>
> HTH
> --
> Petr Vobornik

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] The htaccess login pop-up window appears but login never succeeds
> Did you follow the instructions on how to import IPA cert into your browser ?

Not yet. Will follow the instructions, test that part also and let you know.
But I need to understand what this htaccess page is trying to do.

On Mon, Feb 11, 2013 at 4:10 AM, Rajnesh Kumar Siwal wrote:
> Versions:
> OS: CentOS 6.3
> IPA: 2.2
>
> On Sun, Feb 10, 2013 at 5:30 PM, Rajnesh Kumar Siwal wrote:
>> Hi All,
>>
>> As I try to login into the IPA through https, it displays me a popup
>> window to login.
>> But login fails through it every time. I don't understand what this
>> popup window is for.
>> Screenshot of pop-up window attached.
>>
>> In the next screen, I login through Form-Based authentication and that
>> works fine.
>>
>> Why does this POP-up window appear and why does my login fail every time
>> (I try to login through admin user)
>> Please suggest
>>
>> Thanks in advance.
>> --
>> Regards,
>> Rajnesh Kumar Siwal
>
> --
> Regards,
> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] The htaccess login pop-up window appears but login never succeeds
Versions:
OS: CentOS 6.3
IPA: 2.2

On Sun, Feb 10, 2013 at 5:30 PM, Rajnesh Kumar Siwal wrote:
> Hi All,
>
> As I try to login into the IPA through https, it displays me a popup
> window to login.
> But login fails through it every time. I don't understand what this
> popup window is for.
> Screenshot of pop-up window attached.
>
> In the next screen, I login through Form-Based authentication and that
> works fine.
>
> Why does this POP-up window appear and why does my login fail every time
> (I try to login through admin user)
> Please suggest
>
> Thanks in advance.
> --
> Regards,
> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] SOLVED: Re: How to failover to IPA replica server
It started working after a few minutes.

On Sat, Feb 9, 2013 at 9:34 PM, Rajnesh Kumar Siwal wrote:
> We have setup an IPA replica server on the environment using the
> following command:-
> #ipa-replica-install --setup-dns --setup-ca --forwarder=192.168.1.204
> /var/lib/ipa/replica-info-ipa2.labs.local.gpg
>
> There is a client authenticating against it.
> If I shutdown the ipa1 (Master server), the client does not fall back
> and authenticate against ipa2 (the replica)
>
> Logs that can be seen at IPA2 :-
> [09/Feb/2013:15:52:50 +] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't
> contact LDAP server)
> [09/Feb/2013:15:56:02 +] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint
> is not connected)
> [09/Feb/2013:15:56:02 +] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't
> contact LDAP server)
>
> nslookup from the IPA client :-
> [root@testvm ~]# nslookup -type=srv _kerberos._tcp.labs.local
> Server: 192.168.1.207
> Address: 192.168.1.207#53
>
> _kerberos._tcp.labs.local service = 0 100 88 ipa2.labs.local.
> _kerberos._tcp.labs.local service = 0 100 88 ipa.labs.local.
> -----------
>
> Please suggest how to use ipa2 for authentication purpose.
>
> --
> Regards,
> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] How to failover to IPA replica server
We have setup an IPA replica server on the environment using the following command:-
#ipa-replica-install --setup-dns --setup-ca --forwarder=192.168.1.204 /var/lib/ipa/replica-info-ipa2.labs.local.gpg

There is a client authenticating against it.
If I shutdown the ipa1 (Master server), the client does not fall back and authenticate against ipa2 (the replica)

Logs that can be seen at IPA2 :-
[09/Feb/2013:15:52:50 +] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)
[09/Feb/2013:15:56:02 +] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[09/Feb/2013:15:56:02 +] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)

nslookup from the IPA client :-
[root@testvm ~]# nslookup -type=srv _kerberos._tcp.labs.local
Server: 192.168.1.207
Address: 192.168.1.207#53

_kerberos._tcp.labs.local service = 0 100 88 ipa2.labs.local.
_kerberos._tcp.labs.local service = 0 100 88 ipa.labs.local.
---

Please suggest how to use ipa2 for authentication purpose.

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] Testing out FreeIPA
#yum install ipa-server

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] User Migrated from LDAP not able to change the password
We migrated the users from openldap to IPA. We are getting the following error after the user has been migrated (after he changes the password through https://ipa1/ipa/migration/) and he tries to change passwd :-
Account is not locked and Kerberos credentials seem to be present (created by ipa/migration)

$ ssh siwal@1.1.1.1
siwal@172.31.254.204's password:
Warning: Your password will expire in less than one hour.
Password expired. Change your password now.
Last login: Fri Feb 8 09:28:41 2013 from 1.1.1.2
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user siwal
Current Password:
passwd: Authentication token manipulation error
Connection to 1.1.1.1 closed.

# ipa user-status siwal
---
  Account disabled: False
  ---
  Server: ipa1.xyz.dmz
  Failed logins: 0
  Last successful authentication: 2013-02-08T03:59:29Z
  Last failed authentication: N/A
  Time now: 2013-02-08T06:40:18Z

  Server: ipa2.xyz.dmz
  Failed logins: 1
  Last successful authentication: 2013-02-08T03:59:20Z
  Last failed authentication: 2013-02-08T03:59:33Z
  Time now: 2013-02-08T06:40:18Z
Number of entries returned 2

# ipa user-show vinay
  User login: siwal
  Home directory: /home/siwal
  Login shell: /bin/bash
  UID: 522
  GID: 522
  Account disabled: False
  Password: True
  Kerberos keys available: True

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] SOLVED: Re: Does disabling IPA User disables his LDAP Account Also
Thanks for the quick update.

On Fri, Feb 8, 2013 at 9:31 AM, Rob Crittenden wrote:
> Rajnesh Kumar Siwal wrote:
>>
>> We are planning to use the IPA Server in the application that may not
>> support Kerberos.
>> So, we may have to interact with the LDAP Server (389-ds) directly for
>> some applications.
>> I would like to confirm whether disabling the IPA User (I believe it
>> locks Kerberos Account) also disables his LDAP Account / Password.
>>
>
> It does.
>
> rob

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] Does disabling IPA User disables his LDAP Account Also
We are planning to use the IPA Server in the application that may not support Kerberos.
So, we may have to interact with the LDAP Server (389-ds) directly for some applications.
I would like to confirm whether disabling the IPA User (I believe it locks Kerberos Account) also disables his LDAP Account / Password.

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] SOLVED: Re: Adding an ipa-client behind NAT
Thanks, Simo.

On Fri, Feb 8, 2013 at 1:30 AM, Simo Sorce wrote:
> On Fri, 2013-02-08 at 00:57 +0530, Rajnesh Kumar Siwal wrote:
>> Does IPA server 2.2 support the ipa clients authentication behind the NAT ?
>
> Authentication works, password changes using kpasswd protocol do not.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] ipa replica install fails
I am missing these two entries in ipa1 (The Master that was installed first):-
HTTP/ipa2.xyz@xyz.dmz
DNS/ipa2.xyz@xyz.dmz
The above entries are present only in ipa2.
Re: [Freeipa-users] ipa replica install fails
Two more issues:-
1. I am still not able to login into the WebUI of ipa2 (Replica Server). It displays "Internal Server Error"
2. Are there any logs to make sure that the Replication is working fine ?
Re: [Freeipa-users] ipa replica install fails
As a workaround I modified named.conf to use simple authentication and was able to start bind. However, I am looking for a better resolution.
--
dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-XYZ-DMZ.socket";
        arg "base cn=dns, dc=xyz,dc=dmz";
        arg "fake_mname ipa2.xyz.dmz.";
        arg "auth_method simple";
        arg "bind_dn cn=Directory Manager";
        arg "password xxx";
        #arg "auth_method sasl";
        #arg "sasl_mech GSSAPI";
        #arg "sasl_user DNS/ipa2.xyz.dmz";
        arg "zone_refresh 30";
};

[root@ipa2 ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
-
Re: [Freeipa-users] ipa replica install fails
Still unable to start bind :-

[root@ipa2 ~]# ipa-replica-conncheck --replica ipa1.xyz.dmz
Check connection from master to remote replica 'ipa1.xyz.dmz':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.
Connection from master to replica is OK.

[root@ipa2 ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: STOPPED
MEMCACHE Service: STOPPED
HTTP Service: RUNNING
CA Service: STOPPED

[root@ipa2 ~]# /etc/init.d/named restart
Stopping named: [ OK ]
Starting named: [FAILED]

LOG:==
Feb 5 23:53:34 ipa2 named[22084]: sizing zone task pool based on 6 zones
Feb 5 23:53:34 ipa2 named[22084]: set up managed keys zone for view _default, file 'dynamic/managed-keys.bind'
Feb 5 23:53:34 ipa2 named[22084]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Mutual authentication failed)
Feb 5 23:53:34 ipa2 named[22084]: bind to LDAP server failed: Local error
Feb 5 23:53:34 ipa2 named[22084]: loading configuration: failure
Feb 5 23:53:34 ipa2 named[22084]: exiting (due to fatal error)
Feb 5 23:53:35 ipa2 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Mutual authentication failed)
-
[root@ipa1 ~]# ipa-replica-conncheck --replica ipa2.xyz.dmz
Check connection from master to remote replica 'ipa2.xyz.dmz':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.
Connection from master to replica is OK.
[root@ipa1 ~]#
Re: [Freeipa-users] ipa replica install fails
When I am trying to restart ipa, it fails to start the services, so I manually started LDAP and krb5kdc; now kinit admin is fine :-
How shall I proceed now ?
-
[root@ipa2 ~]# /etc/init.d/ipa status
Directory Service: STOPPED
Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused
[root@ipa2 ~]# ipactl status
Directory Service: STOPPED
Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused
[root@ipa2 ~]# /etc/init.d/dirsrv status
dirsrv XYZ-DMZ is stopped
dirsrv PKI-IPA is stopped
[root@ipa2 ~]# /etc/init.d/dirsrv start
Starting dirsrv:
    XYZ-DMZ... [ OK ]
    PKI-IPA... [ OK ]
[root@ipa2 ~]# /etc/init.d/krb5kdc start
Starting Kerberos 5 KDC: [ OK ]
[root@ipa2 ~]# kinit admin
Password for ad...@xyx.dmz:

On Tue, Feb 5, 2013 at 10:29 PM, Rob Crittenden wrote:
> Rajnesh Kumar Siwal wrote:
>>
>> Both of these replica are in the same network.
>> I have disabled the iptables on both
>> Selinux disable.
>> still the output of kinit admin is the same
>> kinit: Cannot contact any KDC for realm
>>
>> strace output attached.
>
>
> strace isn't really helpful in this case.
>
> Is the KDC running? You might want to check /var/log/krb5kdc.log to see what
> it says.
>
> rob
>
>
>>
>>
>> On Tue, Feb 5, 2013 at 9:45 PM, Rajnesh Kumar Siwal
>> wrote:
>>>
>>> Last time the installation of replica failed. So this is second time I
>>> did it (The logs in the mail are from the second time after I
>>> uninstalled the ipa2).
>>>
>>> After installing the replica, I restarted IPA and failed to start the KDC
>>> too.
>>> So, kinit admin is now failing.
>>> -
>>>
>>> [root@ipa2 log]# klist -ket /etc/named.keytab
>>> Keytab name: WRFILE:/etc/named.keytab
>>> KVNO Timestamp Principal
>>> -
>>>
>>> 2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (aes256-cts-hmac-sha1-96)
>>> 2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (aes128-cts-hmac-sha1-96)
>>> 2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (des3-cbc-sha1)
>>> 2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (arcfour-hmac)
>>> [root@ipa2 log]# kinit -kt DNS/ipa2.xyz@xyz.dmz
>>> kinit: Cannot contact any KDC for realm 'XYZ.DMZ' while getting
>>> initial credentials
>>>
>>> ---
>>>
>>> On Tue, Feb 5, 2013 at 8:15 PM, Rajnesh Kumar Siwal
>>> wrote:
>>>>
>>>> Finally , I installed it with "--skip-conncheck":-
>>>> Now DNS fails to start.
>>>> I tried ipa-dns-install too:-
>>>>
>>>> [root@ipa2 log]# ipa-dns-install
>>>> The log file for this installation can be found in
>>>> /var/log/ipaserver-install.log
>>>>
>>>> ==
>>>> This program will setup DNS for the IPA Server.
>>>>
>>>> This includes:
>>>>   * Configure DNS (bind)
>>>>
>>>> To accept the default shown in brackets, press the Enter key.
>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>> DNS is already configured in this IPA server.
>>>> [root@ipa2 log]# /etc/init.d/ipa status
>>>> Directory Service: RUNNING
>>>> KDC Service: RUNNING
>>>> KPASSWD Service: RUNNING
>>>> DNS Service: STOPPED
>>>> MEMCACHE Service: RUNNING
>>>> HTTP Service: RUNNING
>>>> CA Service: RUNNING
>>>> [root@ipa2 log]# /etc/init.d/named restart
>>>> Stopping named: [ OK ]
>>>> Starting named: [FAILED]
>>>>
>>>>
>>>> -
>>>> DNS logs :-
>>>> Feb 5 09:40:19 ipa2 named[19873]:
>>>>
>>>> Feb 5 09:40:19 ipa2 named[19873]: BIND 9 is maintained by Internet
>>>> Systems Consortium,
Re: [Freeipa-users] ipa replica install fails
Both of these replica are in the same network.
I have disabled the iptables on both
Selinux disable.
still the output of kinit admin is the same
kinit: Cannot contact any KDC for realm

strace output attached.

On Tue, Feb 5, 2013 at 9:45 PM, Rajnesh Kumar Siwal wrote:
> Last time the installation of replica failed. So this is second time I
> did it (The logs in the mail are from the second time after I
> uninstalled the ipa2).
>
> After installing the replica, I restarted IPA and failed to start the KDC too.
> So, kinit admin is now failing.
> -
>
> [root@ipa2 log]# klist -ket /etc/named.keytab
> Keytab name: WRFILE:/etc/named.keytab
> KVNO Timestamp Principal
> -
>
>    2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (aes256-cts-hmac-sha1-96)
>    2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (aes128-cts-hmac-sha1-96)
>    2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (des3-cbc-sha1)
>    2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (arcfour-hmac)
> [root@ipa2 log]# kinit -kt DNS/ipa2.xyz@xyz.dmz
> kinit: Cannot contact any KDC for realm 'XYZ.DMZ' while getting
> initial credentials
> -----------
>
> On Tue, Feb 5, 2013 at 8:15 PM, Rajnesh Kumar Siwal
> wrote:
>> Finally , I installed it with "--skip-conncheck":-
>> Now DNS fails to start.
>> I tried ipa-dns-install too:-
>>
>> [root@ipa2 log]# ipa-dns-install
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>> ==
>> This program will setup DNS for the IPA Server.
>>
>> This includes:
>>   * Configure DNS (bind)
>>
>> To accept the default shown in brackets, press the Enter key.
>> Existing BIND configuration detected, overwrite? [no]: yes
>> DNS is already configured in this IPA server.
>> [root@ipa2 log]# /etc/init.d/ipa status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> DNS Service: STOPPED
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>> [root@ipa2 log]# /etc/init.d/named restart
>> Stopping named: [ OK ]
>> Starting named: [FAILED]
>>
>> -
>> DNS logs :-
>> Feb 5 09:40:19 ipa2 named[19873]:
>>
>> Feb 5 09:40:19 ipa2 named[19873]: BIND 9 is maintained by Internet
>> Systems Consortium,
>> Feb 5 09:40:19 ipa2 named[19873]: Inc. (ISC), a non-profit 501(c)(3)
>> public-benefit
>> Feb 5 09:40:19 ipa2 named[19873]: corporation. Support and training
>> for BIND 9 are
>> Feb 5 09:40:19 ipa2 named[19873]: available at https://www.isc.org/support
>> Feb 5 09:40:19 ipa2 named[19873]:
>>
>> Feb 5 09:40:19 ipa2 named[19873]: adjusted limit on open files from
>> 102400 to 1048576
>> Feb 5 09:40:19 ipa2 named[19873]: found 2 CPUs, using 2 worker threads
>> Feb 5 09:40:19 ipa2 named[19873]: using up to 4096 sockets
>> Feb 5 09:40:19 ipa2 named[19873]: loading configuration from
>> '/etc/named.conf'
>> Feb 5 09:40:19 ipa2 named[19873]: using default UDP/IPv4 port range:
>> [1024, 65535]
>> Feb 5 09:40:19 ipa2 named[19873]: using default UDP/IPv6 port range:
>> [1024, 65535]
>> Feb 5 09:40:19 ipa2 named[19873]: listening on IPv6 interfaces, port 53
>> Feb 5 09:40:19 ipa2 named[19873]: listening on IPv4 interface lo,
>> 127.0.0.1#53
>> Feb 5 09:40:19 ipa2 named[19873]: listening on IPv4 interface eth0,
>> 172.31.254.205#53
>> Feb 5 09:40:19 ipa2 named[19873]: generating session key for dynamic DNS
>> Feb 5 09:40:19 ipa2 named[19873]: sizing zone task pool based on 6 zones
>> Feb 5 09:40:19 ipa2 named[19873]: set up managed keys zone for view
>> _default, file 'dynamic/managed-keys.bind'
>> Feb 5 09:40:19 ipa2 named[19873]: GSSAPI Error: Unspecified GSS
>> failure. Minor code may provide more information (Mutual
>> authentication failed)
>> Feb 5 09:40:19 ipa2 named[19873]: bind to LDAP server failed: Local error
>> Feb 5 09:40:19 ipa2 named[19873]: loading configuration: failure
>> Feb 5 09:40:19 ipa2 named[19873]: exiting (du
Re: [Freeipa-users] ipa replica install fails
Last time the installation of replica failed. So this is second time I did it (The logs in the mail are from the second time after I uninstalled the ipa2).

After installing the replica, I restarted IPA and failed to start the KDC too.
So, kinit admin is now failing.
-
[root@ipa2 log]# klist -ket /etc/named.keytab
Keytab name: WRFILE:/etc/named.keytab
KVNO Timestamp Principal
-
   2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (aes256-cts-hmac-sha1-96)
   2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (aes128-cts-hmac-sha1-96)
   2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (des3-cbc-sha1)
   2 02/05/13 14:30:26 DNS/ipa2.xyz@xyz.dmz (arcfour-hmac)
[root@ipa2 log]# kinit -kt DNS/ipa2.xyz@xyz.dmz
kinit: Cannot contact any KDC for realm 'XYZ.DMZ' while getting initial credentials
---

On Tue, Feb 5, 2013 at 8:15 PM, Rajnesh Kumar Siwal wrote:
> Finally , I installed it with "--skip-conncheck":-
> Now DNS fails to start.
> I tried ipa-dns-install too:-
>
> [root@ipa2 log]# ipa-dns-install
> The log file for this installation can be found in
> /var/log/ipaserver-install.log
> ==
> This program will setup DNS for the IPA Server.
>
> This includes:
>   * Configure DNS (bind)
>
> To accept the default shown in brackets, press the Enter key.
> Existing BIND configuration detected, overwrite? [no]: yes
> DNS is already configured in this IPA server.
> [root@ipa2 log]# /etc/init.d/ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: STOPPED
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [root@ipa2 log]# /etc/init.d/named restart
> Stopping named: [ OK ]
> Starting named: [FAILED]
>
> -
> DNS logs :-
> Feb 5 09:40:19 ipa2 named[19873]:
>
> Feb 5 09:40:19 ipa2 named[19873]: BIND 9 is maintained by Internet
> Systems Consortium,
> Feb 5 09:40:19 ipa2 named[19873]: Inc. (ISC), a non-profit 501(c)(3)
> public-benefit
> Feb 5 09:40:19 ipa2 named[19873]: corporation. Support and training
> for BIND 9 are
> Feb 5 09:40:19 ipa2 named[19873]: available at https://www.isc.org/support
> Feb 5 09:40:19 ipa2 named[19873]:
>
> Feb 5 09:40:19 ipa2 named[19873]: adjusted limit on open files from
> 102400 to 1048576
> Feb 5 09:40:19 ipa2 named[19873]: found 2 CPUs, using 2 worker threads
> Feb 5 09:40:19 ipa2 named[19873]: using up to 4096 sockets
> Feb 5 09:40:19 ipa2 named[19873]: loading configuration from
> '/etc/named.conf'
> Feb 5 09:40:19 ipa2 named[19873]: using default UDP/IPv4 port range:
> [1024, 65535]
> Feb 5 09:40:19 ipa2 named[19873]: using default UDP/IPv6 port range:
> [1024, 65535]
> Feb 5 09:40:19 ipa2 named[19873]: listening on IPv6 interfaces, port 53
> Feb 5 09:40:19 ipa2 named[19873]: listening on IPv4 interface lo,
> 127.0.0.1#53
> Feb 5 09:40:19 ipa2 named[19873]: listening on IPv4 interface eth0,
> 172.31.254.205#53
> Feb 5 09:40:19 ipa2 named[19873]: generating session key for dynamic DNS
> Feb 5 09:40:19 ipa2 named[19873]: sizing zone task pool based on 6 zones
> Feb 5 09:40:19 ipa2 named[19873]: set up managed keys zone for view
> _default, file 'dynamic/managed-keys.bind'
> Feb 5 09:40:19 ipa2 named[19873]: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Mutual
> authentication failed)
> Feb 5 09:40:19 ipa2 named[19873]: bind to LDAP server failed: Local error
> Feb 5 09:40:19 ipa2 named[19873]: loading configuration: failure
> Feb 5 09:40:19 ipa2 named[19873]: exiting (due to fatal error)
> Feb 5 09:40:28 ipa2 kernel: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:22:6b:12:99:bc:08:00 SRC=0.0.0.0
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=UDP
> SPT=68 DPT=67 LEN=308
> [root@ipa2 log]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@xyz.dmz
> Valid starting     Expires            Service principal
> 02/05/13 14:32:56  02/06/13 14:32:24  krbtgt/xyz@xyz.dmz
> 02/05/13 14:33:16  02/06/13 14:31:34  ldap/ipa2.xyz@xyz.dmz
>
>
>
> On Tue, Feb 5, 2013 at 7:45 PM, Rajnesh Kumar Siwal
> wrote:
>> Hi Rob,
>>
>>
Re: [Freeipa-users] SOLVED: Re: sudo rule working even after the user has been removed from the sudo rule
Thanks, Rob/Simo.

On Tue, Feb 5, 2013 at 8:24 PM, Rob Crittenden wrote:
> Simo Sorce wrote:
>>
>> On Mon, 2013-02-04 at 09:21 -0500, Rob Crittenden wrote:
>>>
>>> Rajnesh Kumar Siwal wrote:
>>>>
>>>> Looking into the sssd logs, I came to know that there was one more
>>>> rule allowing access:-
>>>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>>> [hbac_get_category] (5): Category is set to 'all'.
>>>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>>> [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
>>>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>>> [be_pam_handler_callback] (4): Backend returned: (0, 0, )
>>>> [Success]
>>>>
>>>> I disabled that allow_all rule, now it is fine.
>>>
>>>
>>> I don't know why that would make any difference. HBAC != sudo.
>>
>>
>> sudo uses pam so HBAC may be involved during auth
>>
>> Simo.
>>
>
> That's true but it isn't going to grant sudo access to users that aren't in
> the rule.
>
> rob

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] ipa replica install fails
Finally, I installed it with "--skip-conncheck":-
Now DNS fails to start. I tried ipa-dns-install too:-

[root@ipa2 log]# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will setup DNS for the IPA Server.

This includes:
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
DNS is already configured in this IPA server.

[root@ipa2 log]# /etc/init.d/ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: STOPPED
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

[root@ipa2 log]# /etc/init.d/named restart
Stopping named: [ OK ]
Starting named: [FAILED]

- DNS logs :-
Feb 5 09:40:19 ipa2 named[19873]:
Feb 5 09:40:19 ipa2 named[19873]: BIND 9 is maintained by Internet Systems Consortium,
Feb 5 09:40:19 ipa2 named[19873]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Feb 5 09:40:19 ipa2 named[19873]: corporation. Support and training for BIND 9 are
Feb 5 09:40:19 ipa2 named[19873]: available at https://www.isc.org/support
Feb 5 09:40:19 ipa2 named[19873]:
Feb 5 09:40:19 ipa2 named[19873]: adjusted limit on open files from 102400 to 1048576
Feb 5 09:40:19 ipa2 named[19873]: found 2 CPUs, using 2 worker threads
Feb 5 09:40:19 ipa2 named[19873]: using up to 4096 sockets
Feb 5 09:40:19 ipa2 named[19873]: loading configuration from '/etc/named.conf'
Feb 5 09:40:19 ipa2 named[19873]: using default UDP/IPv4 port range: [1024, 65535]
Feb 5 09:40:19 ipa2 named[19873]: using default UDP/IPv6 port range: [1024, 65535]
Feb 5 09:40:19 ipa2 named[19873]: listening on IPv6 interfaces, port 53
Feb 5 09:40:19 ipa2 named[19873]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 5 09:40:19 ipa2 named[19873]: listening on IPv4 interface eth0, 172.31.254.205#53
Feb 5 09:40:19 ipa2 named[19873]: generating session key for dynamic DNS
Feb 5 09:40:19 ipa2 named[19873]: sizing zone task pool based on 6 zones
Feb 5 09:40:19 ipa2 named[19873]: set up managed keys zone for view _default, file 'dynamic/managed-keys.bind'
Feb 5 09:40:19 ipa2 named[19873]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Mutual authentication failed)
Feb 5 09:40:19 ipa2 named[19873]: bind to LDAP server failed: Local error
Feb 5 09:40:19 ipa2 named[19873]: loading configuration: failure
Feb 5 09:40:19 ipa2 named[19873]: exiting (due to fatal error)
Feb 5 09:40:28 ipa2 kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:22:6b:12:99:bc:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308

[root@ipa2 log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@xyz.dmz
Valid starting     Expires            Service principal
02/05/13 14:32:56  02/06/13 14:32:24  krbtgt/xyz@xyz.dmz
02/05/13 14:33:16  02/06/13 14:31:34  ldap/ipa2.xyz@xyz.dmz

On Tue, Feb 5, 2013 at 7:45 PM, Rajnesh Kumar Siwal wrote:
> Hi Rob,
>
> Thanks for the quick reply.
> I tried logging iptables in the replica also, but no log for dropped packet :-
> I would appreciate if you could please let me know what these logins actually
> do.
> 1. Looks to me as getting tgt for admin
> 2. Is it trying to log in through ssh to ipa1 server ?
> --
> Get credentials to log in to remote master
> ad...@xyz.dmz password:
>
> Execute check on remote master
> ad...@ipa1.xyz.dmz's password:
> --
>
> SELINUX is disabled at both the ends.
>
> Is there any other log file that may suggest something.
> It would be great if we could figure out what's the cause of the error.
> -------
>
> On Tue, Feb 5, 2013 at 7:35 PM, Rob Crittenden wrote:
>> Rajnesh Kumar Siwal wrote:
>>> We are trying to setup the IPA replication but it says "Connection
>>> check failed!".
>>> We disabled the firewall and found the same result.
>>>
>>> ---
>>> [root@ipa2 /]# ipa-replica-install -d --setup-ca --setup-dns --forwarder 64.71.0.60 /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>>>
Re: [Freeipa-users] ipa replica install fails
Hi Rob,

Thanks for the quick reply.
I tried logging iptables in the replica also, but no log for dropped packet :-
I would appreciate if you could please let me know what these logins actually do.
1. Looks to me as getting tgt for admin
2. Is it trying to log in through ssh to ipa1 server ?
--
Get credentials to log in to remote master
ad...@xyz.dmz password:

Execute check on remote master
ad...@ipa1.xyz.dmz's password:
--

SELINUX is disabled at both the ends.

Is there any other log file that may suggest something.
It would be great if we could figure out what's the cause of the error.
---

On Tue, Feb 5, 2013 at 7:35 PM, Rob Crittenden wrote:
> Rajnesh Kumar Siwal wrote:
>> We are trying to setup the IPA replication but it says "Connection
>> check failed!".
>> We disabled the firewall and found the same result.
>>
>> ---
>> [root@ipa2 /]# ipa-replica-install -d --setup-ca --setup-dns --forwarder 64.71.0.60 /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>> ipa : DEBUG /usr/sbin/ipa-replica-install was invoked with argument "/var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg" and options: {'no_forwarders': False, 'conf_ssh': False, 'conf_sshd': False, 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False, 'unattended': False, 'no_host_dns': False, 'ip_address': None, 'no_reverse': False, 'setup_dns': True, 'create_sshfp': True, 'setup_ca': True, 'forwarders': [CheckedIPAddress('64.71.0.60')], 'debug': True, 'conf_ntp': True, 'skip_conncheck': False}
>> ipa : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>> Directory Manager (existing master) password:
>>
>> ipa : DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpRGaqDpipa/files.tar -d /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>> ipa : DEBUG stdout=
>> ipa : DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg'
>> gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/secring.gpg' created
>> gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/pubring.gpg' created
>> gpg: 3DES encrypted data
>> gpg: encrypted with 1 passphrase
>> gpg: WARNING: message was not integrity protected
>>
>> ipa : DEBUG args=tar xf /tmp/tmpRGaqDpipa/files.tar -C /tmp/tmpRGaqDpipa
>> ipa : DEBUG stdout=
>> ipa : DEBUG stderr=
>> Run connection check to master
>> Check connection from replica to remote master 'ipa1.xyz.dmz':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>    PKI-CA: Directory Service port (7389): OK
>>
>> The following list of ports use UDP protocol and would need to be checked manually:
>>    Kerberos KDC: UDP (88): SKIPPED
>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> ad...@xyz.dmz password:
>>
>> Execute check on remote master
>> ad...@ipa1.xyz.dmz's password:
>>
>> Remote master check failed with following error message(s):
>>
>> ipa : DEBUG args=/usr/sbin/ipa-replica-conncheck --master ipa1.xyz.dmz --auto-master-check --realm XYZ.DMZ --principal admin --hostname ipa2.xyz.dmz --check-ca
>> Connection check failed!
>> Please fix your network settings according to error messages above.
>> If the check results are not valid it can be skipped with --skip-c
Re: [Freeipa-users] Backup and Restoration of IPA Server
Thanks Christian. I am still looking for some workaround till then.

On Mon, Feb 4, 2013 at 10:16 PM, Christian Hernandez wrote:
> Looks like a "backup/restore" procedure is in the roadmap
>
> http://www.freeipa.org/page/Roadmap
>
> Thank you,
>
> Christian Hernandez
> 1225 Los Angeles Street
> Glendale, CA 91204
> Phone: 877-782-2737 ext. 4566
> Fax: 818-265-3152
> christi...@4over.com
> www.4over.com
>
> On Mon, Feb 4, 2013 at 2:54 AM, Rajnesh Kumar Siwal wrote:
>> Does it mean that we don't have any backup / restoration process as
>> of now for IPA 2.2 ?
>> I am really concerned about such a critical application.
>>
>> It would be great if you could please specify the set of manual
>> commands in case they can be used for Backup / Restoration purpose.
>>
>> --
>> Regards,
>> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] RHEL 6.3 identity manual - IPA
IPA client details are :-
[rsiwal@gw1-test ~]$ rpm -qa|grep -i -w ipa
ipa-client-2.1.3-5.el5_9.2
[rsiwal@gw1-test ~]$ cat /etc/redhat-release
CentOS release 5.6 (Final)
[rsiwal@gw1-test ~]$ uname -a
Linux gw1-test 2.6.18-238.el5 #1 SMP Thu Jan 13 15:51:15 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

On Mon, Feb 4, 2013 at 9:37 PM, Rob Crittenden wrote:
> Rajnesh Kumar Siwal wrote:
>> Hi Rob,
>>
>> This is the way I configured it:-
>> 1. Added the details in /etc/ldap.conf :-
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=chargepoint,dc=dmz
>> bindpw
>>
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>>
>> bind_timelimit 5
>> timelimit 15
>>
>> uri ldap://ipa1.chargepoint.dmz
>> sudoers_base ou=SUDOers,dc=chargepoint,dc=dmz
>> sudoers_debug 1
>>
>> 2. Modified /etc/nsswitch.conf to fetch sudo details from ldap:-
>> sudoers: files ldap
>>
>> 3. So what I can understand from the above steps is that I am
>> interacting directly with the LDAP (389-ds) Server (because I
>> am not using sss (instead ldap is being used)).
>
> What distribution and release number is the client?
>
> Can you include what you see when you execute a sudo?
>
> rob
>
>> On Mon, Feb 4, 2013 at 7:50 PM, Rob Crittenden wrote:
>>> Fred van Zwieten wrote:
>>>> Hi,
>>>>
>>>> ipa-client-install should take care of setting up sudo on the client to
>>>> use IPA, afaik.
>>>
>>> Not yet, https://fedorahosted.org/freeipa/ticket/3358
>>>
>>>> Essential line in nsswitch.conf:
>>>> sudoers: files ldap
>>>>
>>>> Please read here
>>>> <https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#sudo>
>>>
>>> Note that the configuration file name is wrong for RHEL 6. You need to
>>> use /etc/sudo-ldap.conf.
>>>
>>> rob
>>>
>>>> As for the second question. dc=example,dc=com is, well, an example.
>>>> example.com is used throughout the documentation
>>>> for documentation purposes where a domain name is needed. Please replace
>>>> it with your domain, e.g. dc=yourcompanyname,dc=com
>>>>
>>>> Kind regards,
>>>> Fred
>>>>
>>>> On Mon, Feb 4, 2013 at 7:29 AM, Rajnesh Kumar Siwal wrote:
>>>>
>>>>     I am planning to use the sudo feature on IPA 2.2. By default the IPA
>>>>     client that I configured does not seem to fetch the sudo user
>>>>     details.
>>>>
>>>>     It looks that we need to modify nsswitch.conf and ldap.conf to
>>>>     support it.
>>>>
>>>>     Can sssd take care of fetching the sudo user details ?
>>>>
>>>>     Secondly, I am not able to find the password for
>>>>     uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com . How do I find it ?
>>>>     Will it be safe to change password of this sudo user or it may impact
>>>>     the IPA Server ?
>>>>
>>>>     Please suggest.
>>>>
>>>>     --
>>>>     Regards,
>>>>     Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] RHEL 6.3 identity manual - IPA
Hi Rob,

This is the way I configured it:-
1. Added the details in /etc/ldap.conf :-
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=chargepoint,dc=dmz
bindpw

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://ipa1.chargepoint.dmz
sudoers_base ou=SUDOers,dc=chargepoint,dc=dmz
sudoers_debug 1

2. Modified /etc/nsswitch.conf to fetch sudo details from ldap:-
sudoers: files ldap

3. So what I can understand from the above steps is that I am
interacting directly with the LDAP (389-ds) Server (because I
am not using sss (instead ldap is being used)).

On Mon, Feb 4, 2013 at 7:50 PM, Rob Crittenden wrote:
> Fred van Zwieten wrote:
>> Hi,
>>
>> ipa-client-install should take care of setting up sudo on the client to
>> use IPA, afaik.
>
> Not yet, https://fedorahosted.org/freeipa/ticket/3358
>
>> Essential line in nsswitch.conf:
>> sudoers: files ldap
>>
>> Please read here
>> <https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#sudo>
>
> Note that the configuration file name is wrong for RHEL 6. You need to use
> /etc/sudo-ldap.conf.
>
> rob
>
>> As for the second question. dc=example,dc=com is, well, an example.
>> example.com is used throughout the documentation
>> for documentation purposes where a domain name is needed. Please replace
>> it with your domain, e.g. dc=yourcompanyname,dc=com
>>
>> Kind regards,
>> Fred
>>
>> On Mon, Feb 4, 2013 at 7:29 AM, Rajnesh Kumar Siwal wrote:
>>
>>     I am planning to use the sudo feature on IPA 2.2. By default the IPA
>>     client that I configured does not seem to fetch the sudo user
>>     details.
>>
>>     It looks that we need to modify nsswitch.conf and ldap.conf to
>>     support it.
>>
>>     Can sssd take care of fetching the sudo user details ?
>>
>>     Secondly, I am not able to find the password for
>>     uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com . How do I find it ?
>>     Will it be safe to change password of this sudo user or it may impact
>>     the IPA Server ?
>>
>>     Please suggest.
>>
>>     --
>>     Regards,
>>     Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] SOLVED: Re: sudo rule working even after the user has been removed from the sudo rule
Not sure but this is what resolved it.

On Mon, Feb 4, 2013 at 7:51 PM, Rob Crittenden wrote:
> Rajnesh Kumar Siwal wrote:
>> Looking into the sssd logs, I came to know that there was one more
>> rule allowing access:-
>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, ) [Success]
>>
>> I disabled that allow_all rule, now it is fine.
>
> I don't know why that would make any difference. HBAC != sudo.
>
> rob
>
>> On Mon, Feb 4, 2013 at 2:02 PM, Rajnesh Kumar Siwal wrote:
>>> Here is the output of ldapsearch :-
>>> dn: cn=Admins,ou=sudoers,dc=example,dc=com
>>> objectClass: sudoRole
>>> sudoUser: %ctsadmin
>>> sudoHost: ALL
>>> sudoCommand: ALL
>>> sudoRunAsUser: ALL
>>> cn: Admins
>>>
>>> The rule still says that the group ctsadmin is allowed (Which should
>>> not happen after I remove the ctsadmin group from sudo access)
>>> On the IPA Web Interface there is no sudo role attached to the User
>>> "rsiwal" (Neither Direct nor Indirect).
>>> Maybe there is some bug.
>>>
>>> On Mon, Feb 4, 2013 at 1:22 PM, Rajnesh Kumar Siwal wrote:
>>>> Hi all,
>>>>
>>>> I have just created a setup for sudo on the IPA Server 2.2.
>>>> I modified nsswitch.conf to use ldap.
>>>> ldap.conf has been modified to fetch sudo users from the IPA Server.
>>>>
>>>> Now, the user in group "admin" can do sudo.
>>>> 1. rsiwal being a user of group sudo can run all commands as sudo
>>>> (FINE)
>>>> 2. If I disable the rule "Admins" (that I admin group access to
>>>> sudo), the sudo still works for the user rsiwal (Which should not work
>>>> logically).
>>>> 3. Removed the group "Admins" (including rsiwal) from the Sudo
>>>> rule. The rule is still allowing user rsiwal to run "sudo su -". (It
>>>> should Fail)
>>>>
>>>> Is there some kind of caching at the Server / client end ?
>>>>
>>>> --
>>>> Regards,
>>>> Rajnesh Kumar Siwal
>>>
>>> --
>>> Regards,
>>> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] sudo rule working even after the user has been removed from the sudo rule
The details are as follows :-
[root@ipa1 ~]# cat /etc/redhat-release
CentOS release 6.3 (Final)
[root@ipa1 ~]# rpm -qa|grep -i ipa
ipa-server-2.2.0-17.el6_3.1.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-17.el6_3.1.x86_64
device-mapper-multipath-libs-0.4.9-56.el6_3.1.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-2.2.0-17.el6_3.1.x86_64
ipa-server-selinux-2.2.0-17.el6_3.1.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-admintools-2.2.0-17.el6_3.1.x86_64
device-mapper-multipath-0.4.9-56.el6_3.1.x86_64
[root@ipa1 ~]# uname -a
Linux ipa1.chargepoint.dmz 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec 19 07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

As of now this is a standalone server being run (No replication till now)
We have been interacting with the Web Interface only.
One thing, the Server is in "Migration Mode". The users have yet to login into the Migration Page and get their credentials created.

[root@ipa1 ~]# ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: chargepoint.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=MYCOMPANY.DMZ
  Password Expiration Notification (days): 15
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: guest_u:s0

We have migrated the Users/Groups from the OpenLDAP Server (after disabling compat-mode) using schema RFC 2307.
I am not yet able to migrate sudo roles so will be creating them manually.

On Mon, Feb 4, 2013 at 7:59 PM, Rob Crittenden wrote:
> Rajnesh Kumar Siwal wrote:
>> I deleted the following entry from the IPA WebUI "All Except Shell"
>> (Sudo Role) but ldapsearch still fetches it (Effectively sudo works
>> after the deletion of the rule) :-
>>
>> dn: cn=All Except Shell,ou=sudoers,dc=example,dc=com
>> objectClass: sudoRole
>> sudoUser: %ctsadmin
>> sudoHost: ALL
>> sudoCommand: ALL
>> sudoRunAsUser: ALL
>> sudoOption: !authenticate
>> cn: All Except Shell
>>
>> Is it present in cache somewhere ?
>
> I think we need more information on your configuration, distribution, exact
> package version(s) and what you've done.
>
> rob
>
>> On Mon, Feb 4, 2013 at 2:18 PM, Rajnesh Kumar Siwal wrote:
>>> Looking into the sssd logs, I came to know that there was one more
>>> rule allowing access:-
>>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
>>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
>>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, ) [Success]
>>>
>>> I disabled that allow_all rule, now it is fine.
>>>
>>> On Mon, Feb 4, 2013 at 2:02 PM, Rajnesh Kumar Siwal wrote:
>>>> Here is the output of ldapsearch :-
>>>> dn: cn=Admins,ou=sudoers,dc=example,dc=com
>>>> objectClass: sudoRole
>>>> sudoUser: %ctsadmin
>>>> sudoHost: ALL
>>>> sudoCommand: ALL
>>>> sudoRunAsUser: ALL
>>>> cn: Admins
>>>>
>>>> The rule still says that the group ctsadmin is allowed (Which should
>>>> not happen after I remove the ctsadmin group from sudo access)
>>>> On the IPA Web Interface there is no sudo role attached to the User
>>>> "rsiwal" (Neither Direct nor Indirect).
>>>> Maybe there is some bug.
>>>>
>>>> On Mon, Feb 4, 2013 at 1:22 PM, Rajnesh Kumar Siwal wrote:
>>>>> Hi all,
>>>>>
>>>>> I have just created a setup for sudo on the IPA Server 2.2.
>>>>> I modified nsswitch.conf to use ldap.
>>>>> ldap.conf has been modified to fetch sudo users from the IPA Server.
>>>>>
>>>>> Now, the user in group "admin" can do sudo.
>>>>> 1. rsiwal being a user of group sudo can run all commands as
>>>>> sudo (FINE)
>>>>> 2. If I disable the rule "Admins" (that I admin group access to
>>>>> sudo), the sudo still works for the user rsiwal (Which should not work
>>>>> logically).
>>>>> 3. Removed the group "Admins" (including rsiwal) from the Sudo
>>>>> rule. The rule is still allowing user rsiwal to run "sudo su -". (It
>>>>> should Fail)
>>>>>
>>>>> Is there some kind of caching at the Server / client end ?
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Rajnesh Kumar Siwal
>>>>
>>>> --
>>>> Regards,
>>>> Rajnesh Kumar Siwal
>>>
>>> --
>>> Regards,
>>> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] sudo rule working even after the user has been removed from the sudo rule
Restarting IPA removed the rule that was deleted manually through the GUI.
It looks like a bug: the IPA WebUI was not able to delete the sudo rule "cn: All Except Shell"

On Mon, Feb 4, 2013 at 3:54 PM, Rajnesh Kumar Siwal wrote:
> I deleted the following entry from the IPA WebUI "All Except Shell"
> (Sudo Role) but ldapsearch still fetches it (Effectively sudo works
> after the deletion of the rule) :-
>
> dn: cn=All Except Shell,ou=sudoers,dc=example,dc=com
> objectClass: sudoRole
> sudoUser: %ctsadmin
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAsUser: ALL
> sudoOption: !authenticate
> cn: All Except Shell
>
> Is it present in cache somewhere ?
>
> On Mon, Feb 4, 2013 at 2:18 PM, Rajnesh Kumar Siwal wrote:
>> Looking into the sssd logs, I came to know that there was one more
>> rule allowing access:-
>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, ) [Success]
>>
>> I disabled that allow_all rule, now it is fine.
>>
>> On Mon, Feb 4, 2013 at 2:02 PM, Rajnesh Kumar Siwal wrote:
>>> Here is the output of ldapsearch :-
>>> dn: cn=Admins,ou=sudoers,dc=example,dc=com
>>> objectClass: sudoRole
>>> sudoUser: %ctsadmin
>>> sudoHost: ALL
>>> sudoCommand: ALL
>>> sudoRunAsUser: ALL
>>> cn: Admins
>>>
>>> The rule still says that the group ctsadmin is allowed (Which should
>>> not happen after I remove the ctsadmin group from sudo access)
>>> On the IPA Web Interface there is no sudo role attached to the User
>>> "rsiwal" (Neither Direct nor Indirect).
>>> Maybe there is some bug.
>>>
>>> On Mon, Feb 4, 2013 at 1:22 PM, Rajnesh Kumar Siwal wrote:
>>>> Hi all,
>>>>
>>>> I have just created a setup for sudo on the IPA Server 2.2.
>>>> I modified nsswitch.conf to use ldap.
>>>> ldap.conf has been modified to fetch sudo users from the IPA Server.
>>>>
>>>> Now, the user in group "admin" can do sudo.
>>>> 1. rsiwal being a user of group sudo can run all commands as sudo
>>>> (FINE)
>>>> 2. If I disable the rule "Admins" (that I admin group access to
>>>> sudo), the sudo still works for the user rsiwal (Which should not work
>>>> logically).
>>>> 3. Removed the group "Admins" (including rsiwal) from the Sudo
>>>> rule. The rule is still allowing user rsiwal to run "sudo su -". (It
>>>> should Fail)
>>>>
>>>> Is there some kind of caching at the Server / client end ?
>>>>
>>>> --
>>>> Regards,
>>>> Rajnesh Kumar Siwal
>>>
>>> --
>>> Regards,
>>> Rajnesh Kumar Siwal
>>
>> --
>> Regards,
>> Rajnesh Kumar Siwal
>
> --
> Regards,
> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] sudo rule working even after the user has been removed from the sudo rule
I deleted the following entry from the IPA WebUI "All Except Shell"
(Sudo Role) but ldapsearch still fetches it (Effectively sudo works
after the deletion of the rule) :-

dn: cn=All Except Shell,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: All Except Shell

Is it present in cache somewhere ?

On Mon, Feb 4, 2013 at 2:18 PM, Rajnesh Kumar Siwal wrote:
> Looking into the sssd logs, I came to know that there was one more
> rule allowing access:-
> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, ) [Success]
>
> I disabled that allow_all rule, now it is fine.
>
> On Mon, Feb 4, 2013 at 2:02 PM, Rajnesh Kumar Siwal wrote:
>> Here is the output of ldapsearch :-
>> dn: cn=Admins,ou=sudoers,dc=example,dc=com
>> objectClass: sudoRole
>> sudoUser: %ctsadmin
>> sudoHost: ALL
>> sudoCommand: ALL
>> sudoRunAsUser: ALL
>> cn: Admins
>>
>> The rule still says that the group ctsadmin is allowed (Which should
>> not happen after I remove the ctsadmin group from sudo access)
>> On the IPA Web Interface there is no sudo role attached to the User
>> "rsiwal" (Neither Direct nor Indirect).
>> Maybe there is some bug.
>>
>> On Mon, Feb 4, 2013 at 1:22 PM, Rajnesh Kumar Siwal wrote:
>>> Hi all,
>>>
>>> I have just created a setup for sudo on the IPA Server 2.2.
>>> I modified nsswitch.conf to use ldap.
>>> ldap.conf has been modified to fetch sudo users from the IPA Server.
>>>
>>> Now, the user in group "admin" can do sudo.
>>> 1. rsiwal being a user of group sudo can run all commands as sudo
>>> (FINE)
>>> 2. If I disable the rule "Admins" (that I admin group access to
>>> sudo), the sudo still works for the user rsiwal (Which should not work
>>> logically).
>>> 3. Removed the group "Admins" (including rsiwal) from the Sudo
>>> rule. The rule is still allowing user rsiwal to run "sudo su -". (It
>>> should Fail)
>>>
>>> Is there some kind of caching at the Server / client end ?
>>>
>>> --
>>> Regards,
>>> Rajnesh Kumar Siwal
>>
>> --
>> Regards,
>> Rajnesh Kumar Siwal
>
> --
> Regards,
> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] SOLVED: Re: sudo rule working even after the user has been removed from the sudo rule
Looking into the sssd logs, I came to know that there was one more
rule allowing access:-
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, ) [Success]

I disabled that allow_all rule, now it is fine.

On Mon, Feb 4, 2013 at 2:02 PM, Rajnesh Kumar Siwal wrote:
> Here is the output of ldapsearch :-
> dn: cn=Admins,ou=sudoers,dc=example,dc=com
> objectClass: sudoRole
> sudoUser: %ctsadmin
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAsUser: ALL
> cn: Admins
>
> The rule still says that the group ctsadmin is allowed (Which should
> not happen after I remove the ctsadmin group from sudo access)
> On the IPA Web Interface there is no sudo role attached to the User
> "rsiwal" (Neither Direct nor Indirect).
> Maybe there is some bug.
>
> On Mon, Feb 4, 2013 at 1:22 PM, Rajnesh Kumar Siwal wrote:
>> Hi all,
>>
>> I have just created a setup for sudo on the IPA Server 2.2.
>> I modified nsswitch.conf to use ldap.
>> ldap.conf has been modified to fetch sudo users from the IPA Server.
>>
>> Now, the user in group "admin" can do sudo.
>> 1. rsiwal being a user of group sudo can run all commands as sudo
>> (FINE)
>> 2. If I disable the rule "Admins" (that I admin group access to
>> sudo), the sudo still works for the user rsiwal (Which should not work
>> logically).
>> 3. Removed the group "Admins" (including rsiwal) from the Sudo
>> rule. The rule is still allowing user rsiwal to run "sudo su -". (It
>> should Fail)
>>
>> Is there some kind of caching at the Server / client end ?
>>
>> --
>> Regards,
>> Rajnesh Kumar Siwal
>
> --
> Regards,
> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
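The sssd lines quoted in the post above are the only evidence of which HBAC rule decided the access. The script below is an added example, not something from the thread or from sssd itself: it parses lines in that exact format and reports every grant made by a catch-all rule (the `allow_all` rule FreeIPA creates at install time is the one in the post; any other names are an assumption you would add for your site). The sample lines are constructed to match the quoted format; the `admins_ssh` line is made up to show a grant that is not flagged.

```python
"""Flag HBAC grants decided by catch-all rules in sssd backend logs.

Added example for this thread. The log format is the one quoted in the
post: "(timestamp) [sssd[be[domain]]] [function] (level): message".
"""
import re

# Constructed sample: the three lines quoted in the thread plus one extra
# grant line (rule name "admins_ssh" is made up) that must not be flagged.
SAMPLE_LOG = """\
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, ) [Success]
(Mon Feb 4 14:20:45 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [admins_ssh]
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)
GRANT_RE = re.compile(r"Access granted by HBAC rule \[(?P<rule>[^\]]+)\]")

# "allow_all" is the default rule FreeIPA creates at install time; any
# further names here are a site-specific assumption.
CATCH_ALL_RULES = {"allow_all"}


def parse_line(line):
    """Split one sssd backend log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hbac_grants(log_text):
    """Return (timestamp, domain, rule) for every HBAC grant found in the log."""
    grants = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["func"] != "ipa_hbac_evaluate_rules":
            continue
        g = GRANT_RE.search(rec["msg"])
        if g:
            grants.append((rec["ts"], rec["domain"], g.group("rule")))
    return grants


def catch_all_grants(log_text, catch_all=CATCH_ALL_RULES):
    """Grants decided by a catch-all rule; while such a rule is enabled, no
    narrower HBAC rule is ever the deciding factor, so these are worth alerting on."""
    return [g for g in hbac_grants(log_text) if g[2] in catch_all]


if __name__ == "__main__":
    for ts, domain, rule in catch_all_grants(SAMPLE_LOG):
        print(f"{ts} {domain}: access granted by catch-all rule {rule}")
```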
Re: [Freeipa-users] RHEL 6.3 identity manual - IPA
IPA client on CentOS 5.6 was not able to take care of it.)

On Mon, Feb 4, 2013 at 1:54 PM, Fred van Zwieten wrote:
> Hi,
>
> ipa-client-install should take care of setting up sudo on the client to use
> IPA, afaik.
>
> Essential line in nsswitch.conf:
> sudoers: files ldap
>
> Please read here
>
> As for the second question. dc=example,dc=com is, well, an example.
> example.com is used throughout the documentation for documentation purposes
> where a domain name is needed. Please replace it with your domain, e.g.
> dc=yourcompanyname,dc=com
>
> Kind regards,
>
> Fred
>
> On Mon, Feb 4, 2013 at 7:29 AM, Rajnesh Kumar Siwal wrote:
>> I am planning to use the sudo feature on IPA 2.2. By default the IPA
>> client that I configured does not seem to fetch the sudo user
>> details.
>>
>> It looks that we need to modify nsswitch.conf and ldap.conf to support it.
>>
>> Can sssd take care of fetching the sudo user details ?
>>
>> Secondly, I am not able to find the password for
>> uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com . How do I find it ?
>> Will it be safe to change password of this sudo user or it may impact
>> the IPA Server ?
>>
>> Please suggest.
>>
>> --
>> Regards,
>> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] sudo rule working even after the user has been removed from the sudo rule
Here is the output of ldapsearch:

dn: cn=Admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
cn: Admins

The rule still says that the group ctsadmin is allowed (which should not happen after I remove the ctsadmin group from sudo access). On the IPA Web Interface there is no sudo role attached to the user "rsiwal" (neither direct nor indirect). Maybe there is some bug.

On Mon, Feb 4, 2013 at 1:22 PM, Rajnesh Kumar Siwal wrote:
> Hi all,
>
> I have just created a setup for sudo on the IPA Server 2.2.
> I modified nsswitch.conf to use ldap.
> ldap.conf has been modified to fetch sudo users from the IPA Server.
>
> Now, the user in group "admin" can do sudo.
> 1. rsiwal being a user of group sudo can run all commands as sudo (FINE)
> 2. If I disable the rule "Admins" (that gives the admin group access to
> sudo), sudo still works for the user rsiwal (which should not work
> logically).
> 3. Removed the group "Admins" (including rsiwal) from the sudo
> rule. The rule is still allowing user rsiwal to run "sudo su -". (It
> should fail.)
>
> Is there some kind of caching at the server / client end?

--
Regards,
Rajnesh Kumar Siwal
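The ldapsearch output above is what sudo on the client actually evaluates, so the decisive check is to feed that LDIF through sudoers-ldap matching rules rather than to read the web UI. The code below is an added example (not FreeIPA or sudo project code) that parses ldapsearch-style LDIF and answers "would this user, with these groups, be allowed to run this command on this host?" using the subset of sudoers-ldap semantics that matters for the entry shown: ALL, an exact user name, a %group, and a leading "!" for exclusion. It does not implement netgroups, wildcards, sudoOption or base64-encoded (::) attributes; that is an assumption of the example. The first LDIF entry is the one quoted above; the second (cn=Operators, group ops, host db01.example.com) is constructed to exercise the host, command and "!" cases.

```python
"""Evaluate sudoRole entries from ou=sudoers the way sudo-ldap would.

Added example, not FreeIPA or sudo code. Covers sudoUser (ALL, user,
%group, !exclusion), sudoHost (ALL, exact host) and sudoCommand (ALL,
exact path). Netgroups, wildcards, sudoOption and base64 LDIF values are
out of scope by assumption.
"""
from collections import defaultdict


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Split ldapsearch output into entries; every attribute is a list."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):          # ldapsearch comment lines
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def _matches_user(spec: str, user: str, groups: set[str]) -> bool:
    if spec == "ALL":
        return True
    if spec.startswith("%"):              # %group: member of that group
        return spec[1:] in groups
    return spec == user


def _matches_simple(spec: str, value: str) -> bool:
    return spec == "ALL" or spec == value


def _allowed_by(values: list[str], pred) -> bool:
    """sudoers style: a matching '!' value vetoes, otherwise any positive match."""
    if any(v.startswith("!") and pred(v[1:]) for v in values):
        return False
    return any(not v.startswith("!") and pred(v) for v in values)


def matching_roles(entries, user, groups, host, command) -> list[str]:
    """Names (cn) of sudoRole entries that grant user@host the command."""
    groups = set(groups)
    hits = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        if not _allowed_by(e.get("sudoUser", []), lambda s: _matches_user(s, user, groups)):
            continue
        if not _allowed_by(e.get("sudoHost", []), lambda s: _matches_simple(s, host)):
            continue
        if not _allowed_by(e.get("sudoCommand", []), lambda s: _matches_simple(s, command)):
            continue
        hits.append(e["cn"][0])
    return hits


def sudo_allowed(entries, user, groups, host, command) -> bool:
    return bool(matching_roles(entries, user, groups, host, command))


# First entry: the ldapsearch output quoted in the message.
# Second entry: constructed, to exercise host, command and "!" matching.
LDIF = """\
dn: cn=Admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
cn: Admins

dn: cn=Operators,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoUser: !rsiwal
sudoHost: db01.example.com
sudoCommand: /bin/systemctl
cn: Operators
"""

if __name__ == "__main__":
    roles = parse_ldif(LDIF)
    # While rsiwal is still in ctsadmin, the Admins entry grants everything.
    print(matching_roles(roles, "rsiwal", {"ctsadmin"}, "web01", "/bin/su"))
    # Once the group membership is gone, nothing in ou=sudoers matches.
    print(sudo_allowed(roles, "rsiwal", set(), "web01", "/bin/su"))
```

To test a live server the same way the message did, run ldapsearch against ou=sudoers with the bind the clients use and pass its output to parse_ldif; the groups argument should be the user's groups as the client resolves them, since that, not the IPA UI's "indirect role" view, is what %ctsadmin is matched against.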
[Freeipa-users] sudo rule working even after the user has been removed from the sudo rule
Hi all,

I have just created a setup for sudo on the IPA Server 2.2.
I modified nsswitch.conf to use ldap.
ldap.conf has been modified to fetch sudo users from the IPA Server.

Now, the user in group "admin" can do sudo.
1. rsiwal being a user of group sudo can run all commands as sudo (FINE)
2. If I disable the rule "Admins" (that gives the admin group access to sudo), sudo still works for the user rsiwal (which should not work logically).
3. Removed the group "Admins" (including rsiwal) from the sudo rule. The rule is still allowing user rsiwal to run "sudo su -". (It should fail.)

Is there some kind of caching at the server / client end?

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] RHEL 6.3 identity manual - IPA
I am planning to use the sudo feature on IPA 2.2. By default the IPA client that I configured does not seem to fetch the sudo user details.

It looks like we need to modify nsswitch.conf and ldap.conf to support it.

Can sssd take care of fetching the sudo user details?

Secondly, I am not able to find the password for uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com. How do I find it? Will it be safe to change the password of this sudo user, or may it impact the IPA Server?

Please suggest.

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] Bug: FreeIPA 2.2.0 on CentOS 6.3 Any User can see the details of all the Users through GUI
The Change Password link is not greyed out (it is enabled). However, when I tried to change the password, it failed because of insufficient privileges (looks good). Thanks for the quick reply.

--
Regards,
Rajnesh Kumar Siwal
[Freeipa-users] Bug: FreeIPA 2.2.0 on CentOS 6.3 Any User can see the details of all the Users through GUI
Any user through the IPA GUI can see the details of all the other users. He should be able to see only his own details. Additionally, the Change Passwords link is enabled corresponding to all users (appears to any regular user). I am in Migration Mode.

--
Regards,
Rajnesh Kumar Siwal