Re: [Freeipa-users] Unable to establish trust with FreeIPA and Active Directory

2014-04-03 Thread Redmond, Stacy
I have this same exact issue.  I have not only verified that DNS is
functioning properly, I have also added the AD server to the local hosts
file as is the reported fix for this issue and it still persists.

[root@linuxtest1 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@linuxtest1 ~]# uname -a
Linux linuxtest1.sbx.local 2.6.32-431.11.2.el6.x86_64 #1 SMP Mon Mar 3
13:32:45 EST 2014 x86_64 x86_64 x86_64 GNU/Linux


[root@linuxtest1 ~]# nslookup wdir901sbx.sbx.local
Server: 10.130.82.20
Address:10.130.82.20#53

Name:   wdir901sbx.sbx.local
Address: 10.130.82.20

[root@linuxtest1 ~]# nslookup 10.130.82.20
Server: 10.130.82.20
Address:10.130.82.20#53

20.82.130.10.in-addr.arpa   name = wdir901sbx.sbx.local.


[root@linuxtest1 ~]# dig SRV _ldap._tcp.ad.sbx.local

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV
_ldap._tcp.ad.sbx.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50435
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.ad.sbx.local.   IN  SRV

;; AUTHORITY SECTION:
sbx.local.  3600IN  SOA wdir901sbx.sbx.local.
hostmaster. 4715 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 10.130.82.20#53(10.130.82.20)
;; WHEN: Thu Apr  3 10:34:02 2014
;; MSG SIZE  rcvd: 107


[root@linuxtest1 ~]# ipa trust-add --type=ad ad.sbx.local --admin
'admsredmo01' --password
Active directory domain administrator's password: 
ipa: ERROR: Cannot find specified domain or server name
[root@linuxtest1 ~]#


[root@linuxtest1 ~]# ipa trust-add --type=ad sbx.local --admin
'admsredmo01' --password
Active directory domain administrator's password: 
ipa: ERROR: Cannot find specified domain or server name
[root@linuxtest1 ~]#

Any and all help would be appreciated.

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of
freeipa-users-requ...@redhat.com
Sent: Thursday, April 03, 2014 9:00 AM
To: freeipa-users@redhat.com
Subject: Freeipa-users Digest, Vol 69, Issue 20

Message: 1
Date: Thu, 3 Apr 2014 16:53:31 +0200
From: Sumit Bose 
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to establish trust with FreeIPA
and Active Directory
Message-ID: <20140403145331.GN11404@localhost.localdomain>
Content-Type: text/plain; charset=us-ascii

On Thu, Apr 03, 2014 at 02:31:55PM +, Matthew W Hanley wrote:
> I'm in the midst of setting up a trust with FreeIPA and Active
Directory and am receiving the following error:
> 
> # ipa trust-add --type=ad ad.example.com --admin 'mwhanley' --password

> Active directory domain administrator's password:
> 
> ipa: ERROR: Cannot find specified domain or server name

looks like a DNS issue. Can you check if

dig SRV _ldap._tcp.ad.example.com

returns a list of IP addresses for your AD DCs? If not you might want to
have a look at
www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#DNS_configuration .

HTH

bye,
Sumit

> 
> The FreeIPA server is running Fedora release 20, version 3.3.3-4 of
FreeIPA and I have turned on debugging and get the following:
> 
> ps [Wed Apr 02 10:20:53.766064 2014] [:error] [pid 32522] ipa: INFO: 
> ad...@ipaexample.com: trust_add(u'ad.example.com', trust_type=u'ad', 
> realm_admin=u'mwhanley', realm_passwd=u'', all=False, 
> raw=False, version=u'2.65'): NotFound [Wed Apr 02 10:21:29.635077 
> 2014] [:error] [pid 32521] ipa: INFO: ad...@ipaexample.com: 
> idrange_find(None, all=False, raw=False, version=u'2.65', 
> pkey_only=False): SUCCESS
> INFO: Current debug levels:
>   all: 11
>   tdb: 11
>   printdrivers: 11
>   lanman: 11
>   smb: 11
>   rpc_parse: 11
>   rpc_srv: 11
>   rpc_cli: 11
>   passdb: 11
>   sam: 11
>   auth: 11
>   winbind: 11
>   vfs: 11
>   idmap: 11
>   quota: 11
>   acls: 11
>   locking: 11
>   msdfs: 11
>   dmapi: 11
>   registry: 11
>   scavenger: 11
>   dns: 11
>   ldb: 11
> pm_process() returned Yes
> Using binding ncacn_np:host.ipaexample.com[,] Mapped to DCERPC 
> endpoint \pipe\lsarpc added interface eth0 ip=xxx.xxx.xxx.xxx 
> bcast=xxx.xxx.xxx.xxx netmask=255.255.255.0 added interface eth0 
> ip=xxx.xxx.xxx.xxx bcast=xxx.xxx.xxx.xxx netmask=255.255.255.0 Sock
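As an added example (not from the thread and not FreeIPA's own tooling), a POSIX shell script that automates the check Sumit's reply describes: it runs `dig SRV` for the AD domain's service records and parses the ANSWER section instead of eyeballing it. The function names, the `_kerberos` SRV names (the reply only names `_ldap._tcp`) and the sample domain are my assumptions, and it assumes dig is installed.

```shell
#!/bin/sh
# Added example: verify the SRV records a FreeIPA AD trust looks up.
# Not from the thread; function names and the _kerberos names are assumptions.

# parse_srv_answer: read `dig SRV` output on stdin and print "target port"
# for every SRV record in the ANSWER section. Exit 1 when there is none,
# which covers both NXDOMAIN (as in the thread) and an empty NOERROR answer.
parse_srv_answer() {
  awk '
    /^;; ANSWER SECTION:/ { inans = 1; next }        # answer section begins
    /^;;/                 { inans = 0 }              # any other ;; line ends it
    inans && $4 == "SRV"  { found++; print $8, $7 }  # fields: target, port
    END { exit (found ? 0 : 1) }
  '
}

# check_trust_dns AD_DOMAIN [DNS_SERVER]: query each SRV name the trust
# setup depends on and report which ones the resolver cannot see. A MISSING
# line is the DNS state behind "Cannot find specified domain or server name".
check_trust_dns() {
  domain=$1; server=${2:+@$2}; rc=0
  for svc in _ldap._tcp _kerberos._tcp _kerberos._udp; do
    name="$svc.$domain"
    if out=$(dig $server SRV "$name" | parse_srv_answer); then
      printf '%-40s OK\n' "$name"
      printf '%s\n' "$out" | sed 's/^/    /'
    else
      printf '%-40s MISSING (trust-add would fail with NotFound)\n' "$name"
      rc=1
    fi
  done
  return $rc
}

# Usage: sh check_trust_dns.sh sbx.local [10.130.82.20]
# (assumed domain and resolver from the thread; nothing runs without arguments)
[ $# -eq 0 ] || check_trust_dns "$@"
```

Run it against the AD domain itself (sbx.local in this thread), not a subdomain like ad.sbx.local that the AD DNS server has never heard of; the NXDOMAIN answer in the post above is exactly what the second query produces.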

Re: [Freeipa-users] Unable to establish trust with FreeIPA and Active Directory

2014-04-03 Thread Redmond, Stacy
Yes, I did that, here is the log

[Thu Apr 03 13:21:52 2014] [error] [client 10.130.82.68] Credentials for
HTTP/linuxtest1.sbx.local@UNIX have expired or will soon expire - now
1396556512 endtime 1396551629, referer:
https://linuxtest1.sbx.local/ipa/xml
[Thu Apr 03 13:21:52 2014] [error] [client 10.130.82.68] Credentials for
HTTP/linuxtest1.sbx.local@UNIX have expired or will soon expire - now
1396556512 endtime 1396551629, referer:
https://linuxtest1.sbx.local/ipa/xml
[Thu Apr 03 13:21:52 2014] [error] ipa: INFO: admin@UNIX: ping():
SUCCESS
[Thu Apr 03 13:21:55 2014] [error] ipa: INFO: admin@UNIX:
trust_add(u'sbx.local', trust_type=u'ad', realm_admin=u'admsredmo01',
realm_passwd=u'', range_size=20, all=False, raw=False,
version=u'2.49'): NotFound

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Thursday, April 03, 2014 12:12 PM
To: Redmond, Stacy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to establish trust with FreeIPA and
Active Directory

On Thu, 03 Apr 2014, Redmond, Stacy wrote:
>I have this same exact issue.  I have not only verified that DNS is 
>functioning properly, I have also added the AD server to the local 
>hosts file as is the reported fix for this issue and it still persists.
add 

log level = 100

to [global] section in /usr/share/ipa/smb.conf.empty

and try 'ipa trust-add' again.

You'll get debug output in httpd's error_log.

I'd like to see level 100 logs, they give a bit more details in case of
SMB Python bindings.

--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Unable to establish trust with FreeIPA and Active Directory

2014-04-04 Thread Redmond, Stacy
You are absolutely right, I had rebuilt the server, and had forgotten
to put the log level back in, here it is.

[root@linuxtest1 ~]# cat /var/log/httpd/error_log
/dev/null
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
params.c:pm_process() - Processing configuration file
"/usr/share/ipa/smb.conf.empty"
Processing section "[global]"
INFO: Current debug levels:
  all: 100
  tdb: 100
  printdrivers: 100
  lanman: 100
  smb: 100
  rpc_parse: 100
  rpc_srv: 100
  rpc_cli: 100
  passdb: 100
  sam: 100
  auth: 100
  winbind: 100
  vfs: 100
  idmap: 100
  quota: 100
  acls: 100
  locking: 100
  msdfs: 100
  dmapi: 100
  registry: 100
pm_process() returned Yes
Using binding ncacn_np:linuxtest1.unix.sbx.local[,]
tevent: Added timed event "dcerpc_connect_timeout_handler":
0x7facb82d32b0
tevent: Added timed event "composite_trigger": 0x7facb8091400
tevent: Added timed event "composite_trigger": 0x7facb8091d30
tevent: Running timer event 0x7facb8091400 "composite_trigger"
tevent: Destroying timer event 0x7facb8091d30 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=10.130.82.68 bcast=10.130.82.255
netmask=255.255.255.0
added interface eth0 ip=10.130.82.68 bcast=10.130.82.255
netmask=255.255.255.0
tevent: Ending timer event 0x7facb8091400 "composite_trigger"
tevent: Added timed event "connect_multi_timer": 0x7facb80a1e70
tevent: Schedule immediate event "tevent_req_trigger": 0x7facb813fe80
tevent: Run immediate event "tevent_req_trigger": 0x7facb813fe80
tevent: Destroying timer event 0x7facb80a1e70 "connect_multi_timer"
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 169160
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
tevent: Added timed event "tevent_req_timedout": 0x7facb815c6c0
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Destroying timer event 0x7facb815c6c0 "tevent_req_timedout"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for admin@UNIX will expire in 36642 secs
tevent: Added timed event "tevent_req_timedout": 0x7facb815ddc0
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Destroying timer event 0x7facb815ddc0 "tevent_req_timedout"
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
tevent: Added timed event "tevent_req_timedout": 0x7facb815d5a0
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Destroying timer event 0x7facb815d5a0 "tevent_req_timedout"
tevent: Added timed event "tevent_req_timedout": 0x7facb8292850
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb832cd60
tevent: Destroying timer event 0x7facb8292850 "tevent_req_timedout"
tevent: Destroying timer event 0x7facb82d32b0
"dcerpc_connect_timeout_handler"
[Fri Apr 04 06:59:43 2014] [error] ipa: INFO: admin@UNIX:
trust_add(u'unix.sbx.local', trust_type=u'ad',
realm_admin=u'Administrator', realm_passwd=u'',
range_size=20, all=False, raw=False, version=u'2.49'): NotFound
[root@linuxtest1 ~]#

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Thursday, April 03, 2014 9:34 PM
To: Redmond, Stacy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to establish trust with FreeIPA and
Active Directory

On Thu, 03 Apr 2014, Redmond, Stacy wrote:
>Yes, I did that, here is the log
>
>[Thu Apr 03 13:21:52 2014] [error] [client 10.130.82.68] Credentials 
>for HTTP/linuxtest1.sbx.local@UNIX have expired or will soon expire - 
>now
>1396556512 endtime 1396551629, referer:
>https://linuxtest1.sbx.local/ipa/xml
>[Thu Apr 03 13:21:52 2014] [error] [client 10.130.82.68] Credentials 
>for HTTP/linuxtest1.sbx.local@UNIX have expired or will soon expire - 
>now
>1396556512 endtime 1396551629, referer:
>https://linuxtest1.sbx.local/ipa/xml
>[Thu Apr 03 13:21:52 

Re: [Freeipa-users] Unable to establish trust with FreeIPA and Active Directory

2014-04-04 Thread Redmond, Stacy
We will be using unix as the Kerberos realm and unix.sbx.local as the
domain so we can use srv records for the unix hosts to point at ipa.
The AD domain is sbx.local, here is the output using the AD domain

[root@linuxtest1 ~]# ipa trust-add --type=ad sbx.local --admin
Administrator --password
Active directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
[root@linuxtest1 ~]# cat /var/log/httpd/error_log
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
params.c:pm_process() - Processing configuration file
"/usr/share/ipa/smb.conf.empty"
Processing section "[global]"
INFO: Current debug levels:
  all: 100
  tdb: 100
  printdrivers: 100
  lanman: 100
  smb: 100
  rpc_parse: 100
  rpc_srv: 100
  rpc_cli: 100
  passdb: 100
  sam: 100
  auth: 100
  winbind: 100
  vfs: 100
  idmap: 100
  quota: 100
  acls: 100
  locking: 100
  msdfs: 100
  dmapi: 100
  registry: 100
pm_process() returned Yes
Using binding ncacn_np:linuxtest1.unix.sbx.local[,]
tevent: Added timed event "dcerpc_connect_timeout_handler":
0x7facb82e9d30
tevent: Added timed event "composite_trigger": 0x7facb80a8de0
tevent: Added timed event "composite_trigger": 0x7facb80a9710
tevent: Running timer event 0x7facb80a8de0 "composite_trigger"
tevent: Destroying timer event 0x7facb80a9710 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=10.130.82.68 bcast=10.130.82.255
netmask=255.255.255.0
added interface eth0 ip=10.130.82.68 bcast=10.130.82.255
netmask=255.255.255.0
tevent: Ending timer event 0x7facb80a8de0 "composite_trigger"
tevent: Added timed event "connect_multi_timer": 0x7facb81bf0e0
tevent: Schedule immediate event "tevent_req_trigger": 0x7facb81bfa10
tevent: Run immediate event "tevent_req_trigger": 0x7facb81bfa10
tevent: Destroying timer event 0x7facb81bf0e0 "connect_multi_timer"
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 169160
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
tevent: Added timed event "tevent_req_timedout": 0x7facb814b930
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Destroying timer event 0x7facb814b930 "tevent_req_timedout"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for admin@UNIX will expire in 31325 secs
tevent: Added timed event "tevent_req_timedout": 0x7facb82715b0
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Destroying timer event 0x7facb82715b0 "tevent_req_timedout"
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
tevent: Added timed event "tevent_req_timedout": 0x7facb814c340
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Destroying timer event 0x7facb814c340 "tevent_req_timedout"
tevent: Added timed event "tevent_req_timedout": 0x7facb814c340
tevent: Schedule immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Run immediate event "tevent_queue_immediate_trigger":
0x7facb8156ab0
tevent: Destroying timer event 0x7facb814c340 "tevent_req_timedout"
tevent: Destroying timer event 0x7facb82e9d30
"dcerpc_connect_timeout_handler"
[Fri Apr 04 08:28:21 2014] [error] ipa: INFO: admin@UNIX:
trust_add(u'sbx.local', trust_type=u'ad', realm_admin=u'Administrator',
realm_passwd=u'', range_size=20, all=False, raw=False,
version=u'2.49'): NotFound
[root@linuxtest1 ~]#

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Friday, April 04, 2014 8:25 AM
To: Redmond, Stacy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to establish trust with FreeIPA and
Active Directory

On Fri, 04 Apr 2014, Redmond, Stacy wrote:
>You are absolutely right, I had rebuilt the server, and had forgotten 
>to put the log level back in, here it is.
>
>[root@linuxtest1 ~]# cat /var/log/httpd/error_log /dev/null
>lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>params.c:p

[Freeipa-users] Enabling ntp if not done during ipa-server-install

2014-08-15 Thread Redmond, Stacy
I installed my ipa server with --no-ntp but find that I want to enable it
on my server, and all my replicas.  Is it possible to do post install?

 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] Service Accounts via IPA

2015-12-10 Thread Redmond, Stacy
Generally I will lock a service account on linux so that the account cannot 
login, but users can sudo su - to that user.  As I don't have access to the 
password field in free ipa, what are my options to set this up as a default for 
service accounts, or how can I modify individual accounts that need access to a 
system, but should not be able to login to the system.  Any help is appreciated.

Re: [Freeipa-users] Service Accounts via IPA

2015-12-11 Thread Redmond, Stacy
No, that does not even allow su - unless you add the -s /bin/bash or some valid 
shell.  I did try a few of these, generally I just put a ! in front of the 
password locally, but since these exist in ldap now instead, not sure that is 
an option.

From: Nicola Canepa [mailto:canep...@mmfg.it]
Sent: Thursday, December 10, 2015 11:55 PM
To: Redmond, Stacy; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Service Accounts via IPA

Maybe you can use /usr/sbin/nologin as the shell?

Nicola
On 10/12/15 19:24, Redmond, Stacy wrote:
Generally I will lock a service account on linux so that the account cannot 
login, but users can sudo su - to that user.  As I don't have access to the 
password field in free ipa, what are my options to set this up as a default for 
service accounts, or how can I modify individual accounts that need access to a 
system, but should not be able to login to the system.  Any help is appreciated.






Re: [Freeipa-users] Service Accounts via IPA

2015-12-11 Thread Redmond, Stacy
That is probably what I will end up doing, thanks for all the input so far.

From: Marc Boorshtein [mailto:marc.boorsht...@tremolosecurity.com]
Sent: Friday, December 11, 2015 9:49 AM
To: Redmond, Stacy
Cc: freeipa-users; Nicola Canepa
Subject: Re: [Freeipa-users] Service Accounts via IPA


I do the same thing on most deployments.  I usually just assign a large random 
password to the service account.

Marc Boorshtein
CTO, Tremolo Security, Inc.
On Dec 11, 2015 12:15 PM, "Redmond, Stacy" <stacy.redm...@blueshieldca.com> wrote:
No, that does not even allow su - unless you add the -s /bin/bash or some valid 
shell.  I did try a few of these, generally I just put a ! in front of the 
password locally, but since these exist in ldap now instead, not sure that is 
an option.


[Freeipa-users] Removing the requirement to add domain to users login

2016-03-22 Thread Redmond, Stacy
I have been tasked with setting up an IPA AD trust.  I have my ipa server 
set up, the trust is set up, and it appears to be working for the most part.  I have 
two problems.  I would like for users to login with userid only.  Right now I 
can only login using userid@ad_domain.  I am hoping there is some way to just 
have it search that domain as well as the default ipa domain.

I will add my other problem, but am willing to send a second email to the group 
if needed.  When I login to my linux client and type id, I see lots of groups 
but they don't all match the member of list I pull using an ldap search of AD.

IPA Server:  RHEL 7.2  ipa 4.2
Client:  RHEL 7.2

[Freeipa-users] AD replication and password passthrough

2016-05-23 Thread Redmond, Stacy
Is there a way to set up replication from AD, and just use passthrough to AD for 
passwords, vs. having to synchronize passwords?  I am getting a lot of pushback 
from the AD team on installing the password sync software due to issues in the 
past.  I would like to set up replication, but still use AD to authenticate 
passwords.

[Freeipa-users] Removing REALM requirement and home directory location

2015-05-04 Thread Redmond, Stacy
I am running a RHEL7 IPA Server ipa-server 3.3.3-28
RHEL6 clients running IPA Client 3.0.0-42

I have set up an AD trust which works great; however, I want to make it so the 
users don't have to use @realm to login and that their home directory does not 
default to /home/realm/username.

AD   sbx.local
IPA   unix.sbx.local


Works great
User login:  ssh username@realm@hostname

$ ssh aduser1@s...@linuxtest1.sbx.local
aduser1@s...@linuxtest1.sbx.local's password:
Last login: Fri May  1 09:36:53 2015 from xxx.xxx.xxx.xxx

Could not chdir to home directory /home/sbx.local/aduser1: No such file or 
directory
$

Any and all help is appreciated.

Re: [Freeipa-users] Removing REALM requirement and home directory location

2015-05-06 Thread Redmond, Stacy
That's great, I got it all working.  Perhaps you can answer one last question, 
although I'm not sure whether this is going to be fixable or not.

Any way to get rid of the realm when using id?  As you can see below, kinda messy.

[root@linuxtest1 home]# su - aduser1
-sh-4.1$ id
uid=1989603105(aduser1@sbx.local) gid=1989603105(aduser1@sbx.local) groups=1989603105(aduser1@sbx.local)
-sh-4.1$ pwd
/home/aduser1
-sh-4.1$ ls -l /home/
total 4
drwxr-xr-x 2 aduser1@sbx.local aduser1@sbx.local 4096 May  5 09:38 aduser1
-sh-4.1$


From: Tomas Babej [mailto:tba...@redhat.com]
Sent: Tuesday, May 05, 2015 1:31 AM
To: Redmond, Stacy; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Removing REALM requirement and home directory 
location


On 05/04/2015 08:50 PM, Redmond, Stacy wrote:
I am running a RHEL7 IPA Server ipa-server 3.3.3-28
RHEL6 clients running IPA Client 3.0.0-42

I have setup an AD trust which works great, however I want to make it so the 
users don't have to use @realm to login and that their home directory does not 
default to /home/realm/username


Also note that you can override the home directory location using the 
override_homedir directive. See man sssd.conf for more details.


AD   sbx.local
IPA   unix.sbx.local


Works great
User login:  ssh username@realm@hostname

$ ssh aduser1@s...@linuxtest1.sbx.local
aduser1@s...@linuxtest1.sbx.local's password:
Last login: Fri May  1 09:36:53 2015 from xxx.xxx.xxx.xxx

Could not chdir to home directory /home/sbx.local/aduser1: No such file or 
directory
$

Any and all help is appreciated.


Tomas
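An added sssd.conf fragment for the two questions this thread and the earlier "Removing the requirement to add domain to users login" post raise (logging in without @realm, and home directories under /home/username); it is not from the thread or from Tomas. The domain names follow the thread; override_homedir is the option Tomas names, and default_domain_suffix is an sssd.conf option I am assuming here, on the client's sssd.conf.

```ini
# /etc/sssd/sssd.conf on the IPA client (added example, not from the thread).
# Domain names are the thread's; the option values are assumptions.
[sssd]
domains = unix.sbx.local
services = nss, pam, ssh
# Names typed without a domain are completed with the trusted AD domain, so
# "ssh aduser1@linuxtest1" resolves the same user as "aduser1@sbx.local".
default_domain_suffix = sbx.local

[domain/unix.sbx.local]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = unix.sbx.local
ipa_server = _srv_
# Build home directories as /home/<user> instead of /home/<domain>/<user>
# for the AD users that arrive through the trust (see sssd.conf(5) for the
# %u and %d substitutions); the directory must still exist or be created
# by pam_mkhomedir/oddjob.
override_homedir = /home/%u
```

default_domain_suffix applies to every unqualified name, so once it is set, users of the IPA domain itself have to log in as user@unix.sbx.local; after editing the file, restart sssd and clear its cache (`sss_cache -E`) so the old /home/sbx.local/aduser1 entry is not served from cache.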