Re: [Freeipa-users] [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.

2017-01-08 Thread TomK

On 1/8/2017 12:22 AM, TomK wrote:

Hey All,

Wanted to tap your experience a bit.  Do you recall under which
conditions this error can be triggered?

(Sun Jan  8 00:15:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
received: [6 (Permission denied)][mds.xyz]
(Sun Jan  8 00:15:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [6]: Permission denied.

Pass is OK (tested) and UNIX Login for AD users works on the servers but
not the clients.

Resolved.  It was multiple domains being listed in sssd.conf that caused 
this.


--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
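The resolution above is a configuration shape rather than one setting, so here is an added example (not code from the thread, from SSSD or from FreeIPA) that lints an sssd.conf for it: an IPA client whose [sssd] domains line lists more than one domain, with an id_provider = ad section sitting next to the id_provider = ipa one, which is the layout that `ipa-client-install` followed by `realm join` produces and that Alexander Bokovoy warns against further down this page. Both config texts are constructed for the example; the server names, and the assumption that realm join writes an `ad` domain section, are mine.

```python
"""Lint an sssd.conf for an IPA client that also carries a second,
AD-provider domain (the 'joined to IPA and AD at once' layout).
Added example; both config texts below are constructed."""
import configparser
import io

# Constructed: what /etc/sssd/sssd.conf can look like after
# `ipa-client-install` followed by `realm join mds.xyz` (assumption).
BAD_SSSD_CONF = """\
[sssd]
domains = nix.mds.xyz, mds.xyz
services = nss, pam, ssh, sudo
config_file_version = 2

[domain/nix.mds.xyz]
id_provider = ipa
ipa_domain = nix.mds.xyz
ipa_server = _srv_, idmipa01.nix.mds.xyz, idmipa02.nix.mds.xyz
cache_credentials = True

[domain/mds.xyz]
id_provider = ad
ad_domain = mds.xyz
access_provider = ad
"""

# Constructed: the same client with only the IPA domain; AD users are
# then reached through the trust, as subdomains of nix.mds.xyz.
GOOD_SSSD_CONF = """\
[sssd]
domains = nix.mds.xyz
services = nss, pam, ssh, sudo
config_file_version = 2

[domain/nix.mds.xyz]
id_provider = ipa
ipa_domain = nix.mds.xyz
ipa_server = _srv_, idmipa01.nix.mds.xyz, idmipa02.nix.mds.xyz
cache_credentials = True
"""


def parse_sssd_conf(text):
    """Return (active_domains, {domain: id_provider}) from sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # sssd option names are case-sensitive; keep them
    cp.read_file(io.StringIO(text))
    active = []
    if cp.has_option("sssd", "domains"):
        active = [d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()]
    providers = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            providers[section[len("domain/"):]] = cp.get(section, "id_provider", fallback="")
    return active, providers


def lint_sssd_conf(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    active, providers = parse_sssd_conf(text)
    findings = []
    for name in active:
        if name not in providers:
            findings.append("[sssd] domains lists '%s' but there is no [domain/%s] section"
                            % (name, name))
    ipa_domains = [n for n in active if providers.get(n) == "ipa"]
    ad_domains = [n for n in active if providers.get(n) == "ad"]
    if ipa_domains and ad_domains:
        findings.append(
            "IPA domain(s) %s and AD domain(s) %s are active at the same time; an IPA "
            "client reaches trusted AD users through the IPA domain, so drop the AD "
            "section(s) from [sssd] domains" % (", ".join(ipa_domains), ", ".join(ad_domains)))
    if ipa_domains and len(active) > 1:
        findings.append("more than one active domain on an IPA client: %s" % ", ".join(active))
    return findings


if __name__ == "__main__":
    for label, conf in (("bad", BAD_SSSD_CONF), ("good", GOOD_SSSD_CONF)):
        print(label, lint_sssd_conf(conf) or "clean")
```

For a live host, feed open('/etc/sssd/sssd.conf').read() to lint_sssd_conf; after removing the extra domain, restart sssd and clear its cache (sss_cache -E) before retrying the login, otherwise a cached lookup can mask the change.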


[Freeipa-users] [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.

2017-01-07 Thread TomK

Hey All,

Wanted to tap your experience a bit.  Do you recall under which 
conditions this error can be triggered?


(Sun Jan  8 00:15:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [6 (Permission denied)][mds.xyz]
(Sun Jan  8 00:15:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply 
called with result [6]: Permission denied.


Pass is OK (tested) and UNIX Login for AD users works on the servers but 
not the clients.


--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.



Re: [Freeipa-users] FreeIPA + /etc/named.conf

2017-01-06 Thread TomK

On 1/5/2017 2:17 PM, Martin Basti wrote:



On 05.01.2017 20:03, TomK wrote:

Hey All,

QQ.

Should the DNS forwarders be updated in /etc/named.conf?  Until I
manually change /etc/named.conf, can't ping the windows AD cluster:
mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV
_ldap._tcp.mds.xyz).

sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64

IPA command below indicates that it's set to 'first' but that's not
what's in /etc/named.conf file when I check.  Again, it works if I
change /etc/named.conf manually.



Forwarder settings have priority:

named.conf < global forwarders (ipa dnsconfig-mod) < local dns server
config (ipa dnsserver-*) < forwardzones (applied per query, not as
global forwarder)

so what is in named.conf is usually always overwritten


How did you edit the named.conf?

Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
Do you have any errors in journalctl -u named-pkcs11 ??

Martin


Thanks Martin.

Yes, with the manual update of /etc/named.conf this command works, as I 
posted earlier (it doesn't work without the manual update of 
/etc/named.conf to 'forward first;'):


dig @192.168.0.224 SRV _ldap._tcp.mds.xyz.

;; ANSWER SECTION:
_ldap._tcp.mds.xyz.     3600    IN      SRV     0 100 389 winad02.mds.xyz.
_ldap._tcp.mds.xyz.     600     IN      SRV     0 100 389 winad01.mds.xyz.

Yes I stumbled on the journalctl command but really haven't seen 
anything applicable to my scenario AFAICT.  Nonetheless, logs available 
below:


http://microdevsys.com/freeipa/named-pkcs11-working.log
http://microdevsys.com/freeipa/named-pkcs11-non-working.log
http://microdevsys.com/freeipa/named-pkcs11-working-again.log

I'm still going over them.  The only message that seemed to make sense was:

ignoring inherited 'forward first;' for zone '.' - did you want 'forward 
only;' to override automatic empty zone


but it appears in both the working and non-working situations so isn't 
looking significant ATM and nothing I found applied to this scenario.  Btw:


[root@idmipa01 log]# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
nameserver 127.0.0.1
You have new mail in /var/spool/mail/root
[root@idmipa01 log]#

And based on earlier chats, that's how it should stay.  Resolution of AD 
ID's does work from clients though (When I have forward first; in 
/etc/named.conf)




--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.




[Freeipa-users] FreeIPA + /etc/named.conf

2017-01-05 Thread TomK

Hey All,

QQ.

Should the DNS forwarders be updated in /etc/named.conf?  Until I 
manually change /etc/named.conf, can't ping the windows AD cluster: 
mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV 
_ldap._tcp.mds.xyz).


sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64

IPA command below indicates that it's set to 'first' but that's not 
what's in /etc/named.conf file when I check.  Again, it works if I 
change /etc/named.conf manually.


--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.



[root@idmipa02 network-scripts]# ipa dnsforwardzone-find mds.xyz
  Zone name: mds.xyz.
  Active zone: TRUE
  Zone forwarders: 192.168.0.224
  Forward policy: first

Number of entries returned 1

[root@idmipa02 network-scripts]# grep -i forward /etc/named.conf
forward only;
forwarders {
[root@idmipa02 network-scripts]# vi /etc/named.conf
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]# ping mds.xyz
PING mds.xyz (192.168.0.224) 56(84) bytes of data.
64 bytes from 192.168.0.224: icmp_seq=1 ttl=128 time=0.515 ms
64 bytes from 192.168.0.224: icmp_seq=2 ttl=128 time=0.447 ms
^C
--- mds.xyz ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 
1000ms

rtt min/avg/max/mdev = 0.447/83.695/333.339/144.132 ms
[root@idmipa02 network-scripts]# grep -i forward /etc/named.conf
forward first;
forwarders {
[root@idmipa02 network-scripts]# dig SRV _ldap._tcp.mds.xyz

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> SRV _ldap._tcp.mds.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5407
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.mds.xyz.            IN      SRV

;; ANSWER SECTION:
_ldap._tcp.mds.xyz. 600 IN  SRV 0 100 389 winad01.mds.xyz.
_ldap._tcp.mds.xyz. 600 IN  SRV 0 100 389 winad02.mds.xyz.

;; AUTHORITY SECTION:
xyz.                    10876   IN      NS      generationxyz.nic.xyz.
xyz.                    10876   IN      NS      z.nic.xyz.
xyz.                    10876   IN      NS      y.nic.xyz.
xyz.                    10876   IN      NS      x.nic.xyz.

;; ADDITIONAL SECTION:
winad02.mds.xyz.        497     IN      A       192.168.0.221
winad02.mds.xyz.        497     IN      A       192.168.0.223
winad01.mds.xyz.        2902    IN      A       192.168.0.224
winad01.mds.xyz.        2902    IN      A       192.168.0.220
winad01.mds.xyz.        2902    IN      A       192.168.0.222

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 05 13:55:51 EST 2017
;; MSG SIZE  rcvd: 277

[root@idmipa02 network-scripts]#



Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-08 Thread TomK

On 12/6/2016 3:37 PM, Alexander Bokovoy wrote:

On ti, 06 joulu 2016, TomK wrote:

On 12/5/2016 2:02 AM, Alexander Bokovoy wrote:

On su, 04 joulu 2016, TomK wrote:

Could not get much from logs and decided to start fresh.  When I run
this:

ipa trust-add --type=ad mds.xyz --admin Administrator --password

Trust works fine and id t...@mds.xyz returns a valid result.

However when I run the following on both masters on a fresh new setup:

ipa-adtrust-install --netbios-name=NIX -a ""
ipa trust-add --type=ad "mds.xyz" --trust-secret

and created a trust object in AD DC with the name of NIX and a
non-transitive trust, the above did NOT work.  I didn't get anything
by typing id t...@mds.xyz.  (I do not get an option for a Forest Trust
as the gif on this page suggests:
https://www.freeipa.org/page/Active_Directory_trust_setup .  Possibly
it's Server 2012 hence the difference in what's presented to me but
another reason is that the name I type for the trust can't resolve to
an IP for now: nix.mds.xyz . So I use NIX to match the bios name used
on the ipa-adtrust-install command above.  )

The shared secret case for one-way trust is known to be broken. When a
shared half is created on AD side first, it is marked as not yet valid
by Windows and currently we cannot perform validation of it from IPA
side. Validating it from AD side is not possible as well as we don't
provide all interfaces Windows would like to use.

And the fact you cannot see 'Forest Trust' type of the trust says also
that you have problems with reaching IPA masters from AD DC side for
probing purposes over CLDAP ping (389/UDP) and then SMB (445/TCP and
UDP).

Nothing I tried in AD Trust creation allowed me to make one with type
Forest.  Just realm.  I recall I had a trust type of Forest but in
trying various options I lost how I did that.  Or perhaps I hadn't
paid attention and it got created indirectly as part of another
action I took.  The domain functional level I'm using is Windows
Server 2008. Using a lower value for testing.

This (inability to choose Forest trust type) simply means AD DC is unable
to probe IPA DC. You said below that SMB port towards IPA DC was closed.

Also make sure to remove incorrect trust from Windows side. While we are
removing a trust object named as our NetBIOS name, it only works for the
proper trusted domain/forests, not for wrong 'realm trust' type.

Removed the incorrect trust and recreated per your online pages.  This 
time forest was visible.




My IPA version is 4.2 right now.  It came with the CentOS 7.2.
Looking forward to 4.4.  Not sure when you plan to include it as part
of the latest CentOS base.  Indeed some ports were not open (445).
I've adjusted the firewall command accordingly for RHEL 7 / CentOS 7:

for KEY in 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 135/tcp \
   138/tcp 139/tcp 445/tcp 1024-1300/tcp 88/udp 464/udp 53/udp 123/udp \
   138/udp 139/udp 389/udp 445/udp; do
   firewall-cmd --zone=public --permanent --add-port=$KEY
done

[root@idmipa01 ~]# firewall-cmd --zone=public --list-all
public (default)
 interfaces:
 sources:
 services: dhcpv6-client ntp ssh
 ports: 443/tcp 80/tcp 464/tcp 138/tcp 88/udp 464/udp 445/tcp 88/tcp
135/tcp 123/udp 139/tcp 389/tcp 53/tcp 389/udp 1024-1300/tcp 445/udp
139/udp 138/udp 53/udp 636/tcp
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:

[root@idmipa01 ~]#

On Windows Side (The nslookup results were the same before the
firewall change however.):

Firewall changes cannot affect DNS as you already had DNS port open.


On the AD side, I added the SRV records for the second AD DC,
manually, since earlier there were no results printed on the AD DC
command line for the second AD DC, when I typed the command
_ldap._tcp.mds.xyz.

One additional question I had with the setup is in regards to the
failover.  I see the ipa_server entry in /etc/sssd/sssd.conf pointing
to two of the master IPA nodes.  Where can I find the additional
settings that control priority of the listed server or order they are
checked?

You need to look at SSSD manual pages: sssd-ipa and sssd-ldap, sections
FAILOVER and SERVICE DISCOVERY.


What I ran to get the above is:

1) ipa-client-install --force-join -p admin -w ""
--fixed-primary --server=idmipa01.nix.mds.xyz
--server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz --realm=NIX.MDS.XYZ -U
2) realm join mds.xyz

This is wrong. You have effectively joined this IPA client to AD and IPA
at the same time. It should not be done this way (read
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
for details).

Instead, you need to identify why the trust does not work properly.
Use tcpdump to intercept the traffic between your AD DCs and IPA DCs
while establishing the trust.

You can send the trace to me off-list.




Sending you a document with the details.

--
Cheers,
Tom K.
---
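Alexander's pointer to the FAILOVER and SERVICE DISCOVERY sections covers how SSSD walks the ipa_server list: entries are tried in the order written, and the _srv_ entry (which ipa-client-install --fixed-primary leaves out) expands at its position into a DNS SRV lookup whose targets are ordered by priority and weight. The same SRV mechanics decide which DC an AD side probes when it validates a trust, which is why the _msdcs names come up elsewhere in this thread. The following is an added example, not SSSD or FreeIPA code: it parses the answer lines posted in the named.conf thread above for `dig SRV _ldap._tcp.mds.xyz`, orders the targets the way RFC 2782 prescribes, and lists the AD DC locator SRV names a trust peer must be able to resolve. The site name Default-First-Site-Name is AD's default and the _kerberos names are the standard companions of the _ldap ones named in the thread; the mixed-priority records in the usage note are constructed.

```python
"""Service discovery the way SSSD's `_srv_` entry (and an AD DC probing a
trust peer) does it: resolve the SRV name, then try targets in RFC 2782
order (lowest priority first, weighted random draw within a priority).
Added example, not SSSD/FreeIPA code; DIG_ANSWER is copied from the thread."""
import random
import re
from collections import namedtuple

SRV = namedtuple("SRV", "name ttl priority weight port target")

# One dig answer line, e.g.
#   _ldap._tcp.mds.xyz. 600 IN SRV 0 100 389 winad01.mds.xyz.
_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)

# Answer section as posted in the thread (copied, not constructed).
DIG_ANSWER = """\
;; ANSWER SECTION:
_ldap._tcp.mds.xyz. 600 IN  SRV 0 100 389 winad01.mds.xyz.
_ldap._tcp.mds.xyz. 600 IN  SRV 0 100 389 winad02.mds.xyz.
"""


def parse_srv_lines(text):
    """Parse dig-style SRV answer lines; ';' comment lines and blanks are
    skipped.  Trailing dots on targets are dropped so they compare equal
    to plain hostnames."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _SRV_LINE.match(line)
        if m is None:
            raise ValueError("not an SRV record: %r" % line)
        d = m.groupdict()
        records.append(SRV(d["name"], int(d["ttl"]), int(d["priority"]),
                           int(d["weight"]), int(d["port"]), d["target"].rstrip(".")))
    return records


def order_srv(records, rng=None):
    """Return the records in the order a client should try them (RFC 2782):
    ascending priority; within one priority a weighted random draw, where
    weight-0 targets are only taken once nothing with weight remains.
    `rng` is injectable so the draw can be made deterministic in tests."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)          # only weight-0 targets left
            else:
                point = rng.randint(1, total)    # 1..total: weight 0 never wins here
                running = 0
                for r in pool:
                    running += r.weight
                    if running >= point:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def ad_locator_names(domain, site="Default-First-Site-Name"):
    """SRV names the AD DC locator publishes for `domain`, which a trust
    peer (IPA here) must be able to resolve.  The two _msdcs names are the
    ones named in the thread; the _kerberos entries are the records AD
    registers alongside them."""
    d = domain.rstrip(".")
    return [
        "_ldap._tcp.%s" % d,
        "_kerberos._tcp.%s" % d,
        "_ldap._tcp.dc._msdcs.%s" % d,
        "_kerberos._tcp.dc._msdcs.%s" % d,
        "_ldap._tcp.%s._sites.dc._msdcs.%s" % (site, d),
    ]


if __name__ == "__main__":
    for rec in order_srv(parse_srv_lines(DIG_ANSWER)):
        print("try %s:%d (priority %d, weight %d)" % (rec.target, rec.port, rec.priority, rec.weight))
    for n in ad_locator_names("nix.mds.xyz"):
        print("expect SRV:", n)
```

With the two posted records (same priority, same weight) the order is a coin toss on every lookup, which is what makes an ipa_server list without _srv_ deterministic and a list with it load-balanced. Feed order_srv a constructed set such as priority 20/weight 0, priority 10/weight 0 and priority 10/weight 5 and the priority-10 weight-5 target is always first, the weight-0 sibling second, and the priority-20 one last.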

Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-07 Thread TomK

On 12/6/2016 11:32 PM, TomK wrote:

On 12/6/2016 3:37 PM, Alexander Bokovoy wrote:

On ti, 06 joulu 2016, TomK wrote:

On 12/5/2016 2:02 AM, Alexander Bokovoy wrote:

On su, 04 joulu 2016, TomK wrote:

Could not get much from logs and decided to start fresh.  When I run
this:

ipa trust-add --type=ad mds.xyz --admin Administrator --password

Trust works fine and id t...@mds.xyz returns a valid result.

However when I run the following on both masters on a fresh new setup:

ipa-adtrust-install --netbios-name=NIX -a ""
ipa trust-add --type=ad "mds.xyz" --trust-secret

and created a trust object in AD DC with the name of NIX and a
non-transitive trust, the above did NOT work.  I didn't get anything
by typing id t...@mds.xyz.  (I do not get an option for a Forest Trust
as the gif on this page suggests:
https://www.freeipa.org/page/Active_Directory_trust_setup .  Possibly
it's Server 2012 hence the difference in what's presented to me but
another reason is that the name I type for the trust can't resolve to
an IP for now: nix.mds.xyz . So I use NIX to match the bios name used
on the ipa-adtrust-install command above.  )

The shared secret case for one-way trust is known to be broken. When a
shared half is created on AD side first, it is marked as not yet valid
by Windows and currently we cannot perform validation of it from IPA
side. Validating it from AD side is not possible as well as we don't
provide all interfaces Windows would like to use.

And the fact you cannot see 'Forest Trust' type of the trust says also
that you have problems with reaching IPA masters from AD DC side for
probing purposes over CLDAP ping (389/UDP) and then SMB (445/TCP and
UDP).

Nothing I tried in AD Trust creation allowed me to make one with type
Forest.  Just realm.  I recall I had a trust type of Forest but in
trying various options I lost how I did that.  Or perhaps I hadn't
paid attention and it got created indirectly as part of another
action I took.  The domain functional level I'm using is Windows
Server 2008. Using a lower value for testing.

This (inability to choose Forest trust type) simply means AD DC is unable
to probe IPA DC. You said below that SMB port towards IPA DC was closed.

Also make sure to remove incorrect trust from Windows side. While we are
removing a trust object named as our NetBIOS name, it only works for the
proper trusted domain/forests, not for wrong 'realm trust' type.



My IPA version is 4.2 right now.  It came with the CentOS 7.2.
Looking forward to 4.4.  Not sure when you plan to include it as part
of the latest CentOS base.  Indeed some ports were not open (445).
I've adjusted the firewall command accordingly for RHEL 7 / CentOS 7:

for KEY in 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 135/tcp \
   138/tcp 139/tcp 445/tcp 1024-1300/tcp 88/udp 464/udp 53/udp 123/udp \
   138/udp 139/udp 389/udp 445/udp; do
   firewall-cmd --zone=public --permanent --add-port=$KEY
done

[root@idmipa01 ~]# firewall-cmd --zone=public --list-all
public (default)
 interfaces:
 sources:
 services: dhcpv6-client ntp ssh
 ports: 443/tcp 80/tcp 464/tcp 138/tcp 88/udp 464/udp 445/tcp 88/tcp
135/tcp 123/udp 139/tcp 389/tcp 53/tcp 389/udp 1024-1300/tcp 445/udp
139/udp 138/udp 53/udp 636/tcp
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:

[root@idmipa01 ~]#

On Windows Side (The nslookup results were the same before the
firewall change however.):

Firewall changes cannot affect DNS as you already had DNS port open.


On the AD side, I added the SRV records for the second AD DC,
manually, since earlier there were no results printed on the AD DC
command line for the second AD DC, when I typed the command
_ldap._tcp.mds.xyz.

One additional question I had with the setup is in regards to the
failover.  I see the ipa_server entry in /etc/sssd/sssd.conf pointing
to two of the master IPA nodes.  Where can I find the additional
settings that control priority of the listed server or order they are
checked?

You need to look at SSSD manual pages: sssd-ipa and sssd-ldap, sections
FAILOVER and SERVICE DISCOVERY.


What I ran to get the above is:

1) ipa-client-install --force-join -p admin -w ""
--fixed-primary --server=idmipa01.nix.mds.xyz
--server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz
--realm=NIX.MDS.XYZ -U
2) realm join mds.xyz

This is wrong. You have effectively joined this IPA client to AD and IPA
at the same time. It should not be done this way (read
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
for details).

Instead, you need to identify why the trust does not work properly.
Use tcpdump to intercept the traffic between your AD DCs and IPA DCs
while establishing the trust.

You can send the trace to me off-list.





Ok, let me take these away and get back to you.  ( On realm, thank you.
Hadn't reviewed the changes it did fully before logging off. )



Removed the direct md

Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-05 Thread TomK

On 12/5/2016 2:02 AM, Alexander Bokovoy wrote:

On su, 04 joulu 2016, TomK wrote:

Could not get much from logs and decided to start fresh.  When I run
this:

ipa trust-add --type=ad mds.xyz --admin Administrator --password

Trust works fine and id t...@mds.xyz returns a valid result.

However when I run the following on both masters on a fresh new setup:

ipa-adtrust-install --netbios-name=NIX -a ""
ipa trust-add --type=ad "mds.xyz" --trust-secret

and created a trust object in AD DC with the name of NIX and a
non-transitive trust, the above did NOT work.  I didn't get anything
by typing id t...@mds.xyz.  (I do not get an option for a Forest Trust
as the gif on this page suggests:
https://www.freeipa.org/page/Active_Directory_trust_setup .  Possibly
it's Server 2012 hence the difference in what's presented to me but
another reason is that the name I type for the trust can't resolve to
an IP for now: nix.mds.xyz . So I use NIX to match the bios name used
on the ipa-adtrust-install command above.  )

The shared secret case for one-way trust is known to be broken. When a
shared half is created on AD side first, it is marked as not yet valid
by Windows and currently we cannot perform validation of it from IPA
side. Validating it from AD side is not possible as well as we don't
provide all interfaces Windows would like to use.

And the fact you cannot see 'Forest Trust' type of the trust says also
that you have problems with reaching IPA masters from AD DC side for
probing purposes over CLDAP ping (389/UDP) and then SMB (445/TCP and
UDP).

Nothing I tried in AD Trust creation allowed me to make one with type 
Forest.  Just realm.  I recall I had a trust type of Forest but in 
trying various options I lost how I did that.  Or perhaps I hadn't paid 
attention and it got created indirectly as part of another action I 
took.  The domain functional level I'm using is Windows Server 2008. 
Using a lower value for testing.





I went back to the trust object in AD and set it to Transitive from
Non-transitive.  And all of a sudden I can resolve the AD ID's on the
IPA servers and all is working fine.  Great!

I could not follow the section within the online document above for
setting up forwarders.  I had to delegate nix.mds.xyz from the two AD
/ DNS Clustered Windows Server 2012 servers to the two FreeIPA servers
(idmipa01, idmipa02) .  I found that the forwarding section doesn't
quite jibe well with delegation in Windows Server 2012.

Whatever you do to forward DNS in a DNS-compliant way should be enough.
The documentation typically tries to explain that there are multiple
ways to achieve this, from hackish to standards-compliant.


The remaining questions I need to ask is does the NetBIOS name used on
the ipa-adtrust-install command above have to match the AD DC Trust
object name?  Any ties between the naming of the two?  ( Thinking no
tie in but not 100% . Seems AD expects a domain that resolves to an IP )

100% tied, this is AD requirement.

Each domain has domain name in NetBIOS, domain name in DNS, and SID. The
first two must be matching and on DNS level AD expects both to resolve
properly. It is a legacy from NT times that _all_ trusted domain objects
are named as NetBIOS$, as well as _all_ computer objects have the same
style names COMPUTER$. This is enforced on multiple levels, from SMB to
Kerberos.

What 'resolve' means here is that DNS searches for different types of
SRV records should succeed, and then CLDAP ping to the servers which are
mentioned in the
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.$DOMAIN
or _ldap._tcp.dc._msdcs.$DOMAIN should succeed too.



Also, given this setup I have:

1) The two windows servers, winad01, winad02 are both DNS, AD servers
and are clustered (NLB)

2) Have DNS delegation on nix.mds.xyz so FreeIPA servers will be
authoritative for that subdomain.

3) AD Trust objects look for a resolvable domain (ie nix.mds.xyz) and
current version of FreeIPA does not yet resolve nix.mds.xyz to any IP

No, this is not required. What is required is that the trust object is
correctly set, and it involves a lot more than what you are outlining.
As you can see above, resolving nix.mds.xyz to IP is not required, but
DNS SRV records like _ldap._tcp.dc._msdcs.nix.mds.xyz should be
resolvable.


4) IPA ipa-adtrust-install only accepts NetBIOS names.

ipa-adtrust-install configures what is missing from the base setup
related to the trust to AD. NetBIOS name is missing, thus is added.



Is it at all possible to setup a non-transitive trust with all that?
( I might just not be seeing the forest through the trees  :) - Pun
Intended. )   Still new to quite a bit of this so thank you for your
patience and feedback.

Non-transitive trust is called 'external trust' in AD jargon. It can be
established to any domain in a forest. We support it from FreeIPA 4.4
with --external=true option to

Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-04 Thread TomK

On 12/3/2016 12:57 PM, TomK wrote:

On 12/3/2016 12:33 AM, TomK wrote:

On 12/2/2016 8:43 AM, Sumit Bose wrote:

On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:

Hey All,

I've successfully mapped the nixadmins to the external group
nixadmins_external.  However no users in that group make it over to
Free IPA
that I can see.

ipa group-add-member nixadmins_external --external "nixadmins"

Windows AD users, 3 of them, are in the windows AD group nixadmins.
However
I can't port them over.

These accounts have UNIX attributes assigned to them.

Question that I have and can't find, should I be seeing these users
in the
mapped groups above?  ( ie within the GUI should I see any users
listed from
AD DC in nixadmins or nixadmins_external? )


no, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain'
should show that nixadmins_external is a member of that group. With
recent version of SSSD 'getent group nixadmins_external' should list the
users from nixadmins as well, older versions might miss them.

HTH

bye,
Sumit



If there is an issue and I'm just not picking it out from the debug
logs,
what to look for?  Is there anything more I need to do on the Windows
side
that I haven't found on the existing pages?


# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
  Group name: nixadmins_external
  Description: NIX Admins External map
  External member: S-1-5-21-3418825849-1633701630-2291579631-1006
  Member groups: nixadmins
  Member of groups: nixadmins
  Indirect Member groups: nixadmins_external
-
Number of members added 1
-
#


# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1

#


[realms]
 DOM.ABC.XYZ = {
.
.
.
  auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
  auth_to_local = DEFAULT
}


# ipa trust-fetch-domains abc.xyz



List of trust domains successfully refreshed. Use trustdomain-find
command
to list them.




Number of entries returned 0

[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1



# ipa trust-fetch-domains abc.xyz



List of trust domains successfully refreshed. Use trustdomain-find
command
to list them.




Number of entries returned 0

#


The following command successfully returns all AD objects under the
Users
cn.

# ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b
"cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn


--
Cheers,
Tom K.
-



Living on earth is expensive, but it includes a free trip around the
sun.





Nothing:

# id t...@abc.xyz
id: t...@abc.xyz: no such user
# getent group nixadmins_external
# getent group nixadmins
nixadmins:*:1746600012:
#

I'll enable debug logging to determine further.



I'm getting the following in the logs. Not sure why it cannot assign a
GID (possibly a range mismatch) but my dnaRemainingValues: 99498 and so
is fine:

[2016/12/03 10:45:44.232656,  3, pid=4792, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_allocate_gid.c:45(winbindd_allocate_gid_send)
  allocate_gid
[2016/12/03 10:45:44.232689,  1, pid=4792, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:439(ndr_print_function_debug)
   wbint_AllocateGid: struct wbint_AllocateGid
  in: struct wbint_AllocateGid
[2016/12/03 10:45:44.233134,  1, pid=4792, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:439(ndr_print_function_debug)
   wbint_AllocateGid: struct wbint_AllocateGid
  out: struct wbint_AllocateGid
  gid  : *
  gid  : 0x (0)
  result   : NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233192,  5, pid=4792, effective(0, 0), real(0, 0),
clas

Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-03 Thread TomK

On 12/3/2016 12:33 AM, TomK wrote:

On 12/2/2016 8:43 AM, Sumit Bose wrote:

On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:

Hey All,

I've successfully mapped the nixadmins to the external group
nixadmins_external.  However no users in that group make it over to
Free IPA
that I can see.

ipa group-add-member nixadmins_external --external "nixadmins"

Windows AD users, 3 of them, are in the windows AD group nixadmins.
However
I can't port them over.

These accounts have UNIX attributes assigned to them.

Question that I have and can't find, should I be seeing these users
in the
mapped groups above?  ( ie within the GUI should I see any users
listed from
AD DC in nixadmins or nixadmins_external? )


no, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain'
should show that nixadmins_external is a member of that group. With
recent version of SSSD 'getent group nixadmins_external' should list the
users from nixadmins as well, older versions might miss them.

HTH

bye,
Sumit



If there is an issue and I'm just not picking it out from the debug
logs,
what to look for?  Is there anything more I need to do on the Windows
side
that I haven't found on the existing pages?


# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
  Group name: nixadmins_external
  Description: NIX Admins External map
  External member: S-1-5-21-3418825849-1633701630-2291579631-1006
  Member groups: nixadmins
  Member of groups: nixadmins
  Indirect Member groups: nixadmins_external
-
Number of members added 1
-
#


# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1

#


[realms]
 DOM.ABC.XYZ = {
.
.
.
  auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
  auth_to_local = DEFAULT
}


# ipa trust-fetch-domains abc.xyz


List of trust domains successfully refreshed. Use trustdomain-find
command
to list them.



Number of entries returned 0

[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1



# ipa trust-fetch-domains abc.xyz


List of trust domains successfully refreshed. Use trustdomain-find
command
to list them.



Number of entries returned 0

#


The following command successfully returns all AD objects under the
Users
cn.

# ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b
"cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn


--
Cheers,
Tom K.
-


Living on earth is expensive, but it includes a free trip around the
sun.





Nothing:

# id t...@abc.xyz
id: t...@abc.xyz: no such user
# getent group nixadmins_external
# getent group nixadmins
nixadmins:*:1746600012:
#

I'll enable debug logging to determine further.



I'm getting the following in the logs. Not sure why it cannot assign a 
GID (possibly a range mismatch) but my dnaRemainingValues: 99498 and so 
is fine:


[2016/12/03 10:45:44.232656,  3, pid=4792, effective(0, 0), real(0, 0), 
class=winbind] 
../source3/winbindd/winbindd_allocate_gid.c:45(winbindd_allocate_gid_send)

  allocate_gid
[2016/12/03 10:45:44.232689,  1, pid=4792, effective(0, 0), real(0, 0)] 
../librpc/ndr/ndr.c:439(ndr_print_function_debug)

   wbint_AllocateGid: struct wbint_AllocateGid
  in: struct wbint_AllocateGid
[2016/12/03 10:45:44.233134,  1, pid=4792, effective(0, 0), real(0, 0)] 
../librpc/ndr/ndr.c:439(ndr_print_function_debug)

   wbint_AllocateGid: struct wbint_AllocateGid
  out: struct wbint_AllocateGid
  gid  : *
  gid  : 0x (0)
  result   : NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233192,  5, pid=4792, effective(0, 0), real(0, 0), 
class=winbind] 
../source3/winbindd/winbindd_

Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-02 Thread TomK

On 12/2/2016 8:43 AM, Sumit Bose wrote:

On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:

Hey All,

I've successfully mapped the nixadmins to the external group
nixadmins_external.  However no users in that group make it over to Free IPA
that I can see.

ipa group-add-member nixadmins_external --external "nixadmins"

Windows AD users, 3 of them, are in the windows AD group nixadmins. However
I can't port them over.

These accounts have UNIX attributes assigned to them.

Question that I have and can't find, should I be seeing these users in the
mapped groups above?  ( ie within the GUI should I see any users listed from
AD DC in nixadmins or nixadmins_external? )


no, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain'
should show that nixadmins_external is a member of that group. With
recent version of SSSD 'getent group nixadmins_external' should list the
users from nixadmins as well, older versions might miss them.

HTH

bye,
Sumit



If there is an issue and I'm just not picking it out from the debug logs,
what to look for?  Is there anything more I need to do on the Windows side
that I haven't found on the existing pages?


# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
  Group name: nixadmins_external
  Description: NIX Admins External map
  External member: S-1-5-21-3418825849-1633701630-2291579631-1006
  Member groups: nixadmins
  Member of groups: nixadmins
  Indirect Member groups: nixadmins_external
-
Number of members added 1
-
#


# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1

#


[realms]
 DOM.ABC.XYZ = {
.
.
.
  auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
  auth_to_local = DEFAULT
}


# ipa trust-fetch-domains abc.xyz

List of trust domains successfully refreshed. Use trustdomain-find command
to list them.


Number of entries returned 0

[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1



# ipa trust-fetch-domains abc.xyz

List of trust domains successfully refreshed. Use trustdomain-find command
to list them.


Number of entries returned 0

#


The following command successfully returns all AD objects under the Users
cn.

# ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b
"cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn


--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.





Nothing:

# id t...@abc.xyz
id: t...@abc.xyz: no such user
# getent group nixadmins_external
# getent group nixadmins
nixadmins:*:1746600012:
#

I'll enable debug logging to determine further.

--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.



[Freeipa-users] Mapping users from AD to IPA KDC

2016-12-02 Thread TomK

Hey All,

I've successfully mapped the nixadmins to the external group 
nixadmins_external.  However no users in that group make it over to Free 
IPA that I can see.


ipa group-add-member nixadmins_external --external "nixadmins"

Windows AD users, 3 of them, are in the windows AD group nixadmins. 
However I can't port them over.


These accounts have UNIX attributes assigned to them.

Question that I have and can't find, should I be seeing these users in 
the mapped groups above?  ( ie within the GUI should I see any users 
listed from AD DC in nixadmins or nixadmins_external? )


If there is an issue and I'm just not picking it out from the debug 
logs, what to look for?  Is there anything more I need to do on the 
Windows side that I haven't found on the existing pages?



# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
  Group name: nixadmins_external
  Description: NIX Admins External map
  External member: S-1-5-21-3418825849-1633701630-2291579631-1006
  Member groups: nixadmins
  Member of groups: nixadmins
  Indirect Member groups: nixadmins_external
-
Number of members added 1
-
#


# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1

#


[realms]
 DOM.ABC.XYZ = {
.
.
.
  auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
  auth_to_local = DEFAULT
}


# ipa trust-fetch-domains abc.xyz

List of trust domains successfully refreshed. Use trustdomain-find 
command to list them.



Number of entries returned 0

[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1



# ipa trust-fetch-domains abc.xyz

List of trust domains successfully refreshed. Use trustdomain-find 
command to list them.



Number of entries returned 0

#


The following command successfully returns all AD objects under the 
Users cn.


# ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b 
"cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn



--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.

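The two auth_to_local rules in the krb5.conf fragment above can be checked offline with a small evaluator of MIT's RULE syntax. This is an added example, not code from the post or from FreeIPA or MIT krb5; the default realm DOM.ABC.XYZ and the sample principals are assumptions, and the evaluator covers only the [n:string](regexp)s/a/b/ form plus DEFAULT.

```python
import re

# Assumption: the IPA realm of the setup in the post (consulted by the DEFAULT rule).
DEFAULT_REALM = "DOM.ABC.XYZ"

# The rules exactly as they appear in the krb5.conf fragment in the post, in order.
RULES = [
    "RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/",
    "DEFAULT",
]

# RULE:[n:string](selector)s/pattern/replacement/[g]...  (selector and subs are optional)
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(((?:\\.|[^)])*)\))?(.*)$")
_SUB_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("malformed principal: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the local name this one rule produces, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # MIT's DEFAULT: a single-component principal in the default realm maps
        # to that component; any other realm or a service principal fails.
        if realm == DEFAULT_REALM and len(comps) == 1:
            return comps[0]
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    ncomp, fmt, selector, subs = m.groups()
    # The rule applies only to principals with exactly n components.
    if len(comps) != int(ncomp):
        return None
    # $0 is the realm, $1..$n are the components in order.
    parts = [realm] + comps

    def expand(mm):
        idx = int(mm.group(1))
        return parts[idx] if idx < len(parts) else ""

    formed = re.sub(r"\$(\d+)", expand, fmt)
    # The selector must match the whole formed string, otherwise the rule fails.
    if selector is not None and re.fullmatch(selector, formed) is None:
        return None
    # Apply each s/pattern/replacement/ in turn ('g' replaces every occurrence).
    for pat, rep, g in _SUB_RE.findall(subs):
        formed = re.sub(pat, rep, formed, count=0 if g else 1)
    return formed


def auth_to_local(principal, rules=RULES):
    """The first rule that applies wins; None means the principal gets no local name."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Sample principals (assumed): an AD user, an IPA admin, a host principal, a foreign realm.
    for p in ("tom@ABC.XYZ", "admin@DOM.ABC.XYZ",
              "host/ipa01.dom.abc.xyz@DOM.ABC.XYZ", "tom@OTHER.XYZ"):
        print("%-40s -> %s" % (p, auth_to_local(p)))
```

The first rule turns tom@ABC.XYZ into the lower-case tom@abc.xyz that SSSD resolves for the trusted domain, while a principal from a realm neither rule covers maps to nothing, which is the safe outcome.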


Re: [Freeipa-users] Ping forwarded domain name.

2016-11-25 Thread TomK

On 11/25/2016 9:09 AM, Petr Spacek wrote:

On 25.11.2016 14:48, TomK wrote:

On 11/25/2016 4:00 AM, Petr Spacek wrote:

On 25.11.2016 05:57, TomK wrote:

On 11/24/2016 4:49 AM, Petr Spacek wrote:

On 24.11.2016 06:08, TomK wrote:

On 11/23/2016 3:28 AM, Martin Basti wrote:



On 23.11.2016 03:48, TomK wrote:

On 11/22/2016 10:22 AM, Martin Basti wrote:



On 22.11.2016 13:57, TomK wrote:

On 11/22/2016 2:59 AM, Martin Basti wrote:

Hey,


On 22.11.2016 06:33, TomK wrote:

Hey Guys,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
over to
my dual Free IPA server.  The Free IPA servers are authoritative for
this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
and forwards dom.abc.xyz.

Have you configured proper zone delegation for subdomain
dom.abc.xyz?
Proper NS and glue records
http://www.zytrax.com/books/dns/ch9/delegate.html



I cannot ping dom.abc.xyz.  Everything else, including client
registrations, work fine.  If Free IPA is authoritative on
dom.abc.xyz, should it not create DNS entries so the sub domain
can be
pinged as well?


What do you mean by "ping"?



/etc/resolv.conf also gets regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where can I permanently adjust the search to add
dom.abc.xyz
to the already present abc.xyz .  I wasn't able to locate what I
needed in my searches.

I'm using the latest v4.


It depends on what you are using; probably you have NetworkManager
there
that is editing /etc/resolv.conf

https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/







Martin



I uninstalled NetworkManager.  Still changes.
ping dom.abc.com results in "ping: unknown host"

I'll have a look at the first link, ty.



ping (ICMP protocol) and the DNS system are different things. Do you have
a hostname dom.abc.com with an A record, or is it a zone?

With the ping command, the hostname "dom.abc.com" is resolved to an IP address
first. Do you have an A record set for dom.abc.com at the zone apex, or what are
you trying to achieve with the ping command?

For testing DNS, try the commands dig, host and nslookup.

Martin



Apologize for the long reply but it should give some background on
what it is that I'm doing.

1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
in his comment as well.  What should it really point to? ( I kind of
answer this question below so please read on. )  Where I'm getting
this from is that in Windows Server 2012 abc.com returns the IP of any
of the participating AD / DNS servers within the cluster (The two
Windows Server 2012 are a combined clustered AD + DNS servers.).
Being able to resolve abc.xyz is handy.  During a lookup, I can get a
list of all the IP's associated with that domain which would indicate
all the DNS + AD servers online under that domain or serving that domain:


# nslookup abc.xyz
Server: 192.168.0.3
Address:192.168.0.3#53

Name:   abc.xyz
Address: 192.168.0.3
Name:   abc.xyz
Address: 192.168.0.1
Name:   abc.xyz
Address: 192.168.0.2
#

Again, where this is handy is when configuring sssd.conf for example
or other apps for that matter.  I can just point the app to
authenticate against the domain and I have my redundancy solved.
Windows Server 2012 does it, but FreeIPA didn't, so I threw the
question out there.


IPA uses SRV records heavily: all IPA-related services have SRV records,
SSSD uses IPA's SRV records, and a client should use the SRV record to
connect to the right service (or a URI record, which will be in the next
IPA). SRV records are what the IPA locations mechanism works with; we
cannot achieve this with pure A records.



Delegation from this Windows DNS works as expected.  Any lookup from
dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested
this out. No issue with this.

I did see earlier that there is no A record for dom.abc.xyz in
FreeIPA. My reasons for asking if there was an IP on the subdomain in
FreeIPA were above but the missing IP on the subdomain isn't a major
issue for me.  Things are working without dom.abc.xyz resolving to an
IP.  What I was hoping for is to have a VIP for the IPA servers and
one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
have the VIP for the windows server).  One forwarding to the other for
a given domain.  This is all for testing a) redundancy, b) forwarding,
a) authentication .

IE:

# cat /etc/resolv.conf
search dom.abc.xyz abc.xyz
nameserver 192.168.0.3< Win Cluster DNS VIP
nameserver 192.168.0.4< IPA Cluster DNS VIP

* Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on
my cluster yet.  I'm looking to integrate ucarp with the above IPA
servers.


2) More to the topic of my second question however, is that
/etc/resolv.conf

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-25 Thread TomK

On 11/25/2016 4:00 AM, Petr Spacek wrote:

On 25.11.2016 05:57, TomK wrote:

On 11/24/2016 4:49 AM, Petr Spacek wrote:

On 24.11.2016 06:08, TomK wrote:

On 11/23/2016 3:28 AM, Martin Basti wrote:



On 23.11.2016 03:48, TomK wrote:

On 11/22/2016 10:22 AM, Martin Basti wrote:



On 22.11.2016 13:57, TomK wrote:

On 11/22/2016 2:59 AM, Martin Basti wrote:

Hey,


On 22.11.2016 06:33, TomK wrote:

Hey Guys,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
over to
my dual Free IPA server.  The Free IPA servers are authoritative for
this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
and forwards dom.abc.xyz.

Have you configured proper zone delegation for subdomain
dom.abc.xyz?
Proper NS and glue records
http://www.zytrax.com/books/dns/ch9/delegate.html



I cannot ping dom.abc.xyz.  Everything else, including client
registrations, work fine.  If Free IPA is authoritative on
dom.abc.xyz, should it not create DNS entries so the sub domain
can be
pinged as well?


What do you mean by "ping"?



/etc/resolv.conf also gets regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where can I permanently adjust the search to add
dom.abc.xyz
to the already present abc.xyz .  I wasn't able to locate what I
needed in my searches.

I'm using the latest v4.


It depends on what you are using; probably you have NetworkManager
there
that is editing /etc/resolv.conf

https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/






Martin



I uninstalled NetworkManager.  Still changes.
ping dom.abc.com results in "ping: unknown host"

I'll have a look at the first link, ty.



ping (ICMP protocol) and the DNS system are different things. Do you have
a hostname dom.abc.com with an A record, or is it a zone?

With the ping command, the hostname "dom.abc.com" is resolved to an IP address
first. Do you have an A record set for dom.abc.com at the zone apex, or what are
you trying to achieve with the ping command?

For testing DNS, try the commands dig, host and nslookup.

Martin



Apologize for the long reply but it should give some background on
what it is that I'm doing.

1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
in his comment as well.  What should it really point to? ( I kind of
answer this question below so please read on. )  Where I'm getting
this from is that in Windows Server 2012 abc.com returns the IP of any
of the participating AD / DNS servers within the cluster (The two
Windows Server 2012 are a combined clustered AD + DNS servers.).
Being able to resolve abc.xyz is handy.  During a lookup, I can get a
list of all the IP's associated with that domain which would indicate
all the DNS + AD servers online under that domain or serving that domain:


# nslookup abc.xyz
Server: 192.168.0.3
Address:192.168.0.3#53

Name:   abc.xyz
Address: 192.168.0.3
Name:   abc.xyz
Address: 192.168.0.1
Name:   abc.xyz
Address: 192.168.0.2
#

Again, where this is handy is when configuring sssd.conf for example
or other apps for that matter.  I can just point the app to
authenticate against the domain and I have my redundancy solved.
Windows Server 2012 does it, but FreeIPA didn't, so I threw the
question out there.


IPA uses SRV records heavily: all IPA-related services have SRV records,
SSSD uses IPA's SRV records, and a client should use the SRV record to
connect to the right service (or a URI record, which will be in the next
IPA). SRV records are what the IPA locations mechanism works with; we
cannot achieve this with pure A records.



Delegation from this Windows DNS works as expected.  Any lookup from
dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested
this out. No issue with this.

I did see earlier that there is no A record for dom.abc.xyz in
FreeIPA. My reasons for asking if there was an IP on the subdomain in
FreeIPA were above but the missing IP on the subdomain isn't a major
issue for me.  Things are working without dom.abc.xyz resolving to an
IP.  What I was hoping for is to have a VIP for the IPA servers and
one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
have the VIP for the windows server).  One forwarding to the other for
a given domain.  This is all for testing a) redundancy, b) forwarding,
a) authentication .

IE:

# cat /etc/resolv.conf
search dom.abc.xyz abc.xyz
nameserver 192.168.0.3< Win Cluster DNS VIP
nameserver 192.168.0.4< IPA Cluster DNS VIP

* Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on
my cluster yet.  I'm looking to integrate ucarp with the above IPA
servers.


2) More to the topic of my second question however, is that
/etc/resolv.conf, on the IPA servers themselves, gets rewritten on
restart.  Would like to

Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-24 Thread TomK

On 11/16/2016 11:23 AM, Sean Hogan wrote:

Yes... just got 2 of them from same address.. kimi rachel





Sean Hogan








From: Tony Brian Albers 
To: "freeipa-users@redhat.com" 
Date: 11/15/2016 11:54 PM
Subject: Re: [Freeipa-users] anyone else getting porn spam pretending to
be replies to freeipa-users threads?
Sent by: freeipa-users-boun...@redhat.com





Hehe, just you wait Lachlan ;)

/tony

On 11/16/2016 01:56 AM, Lachlan Musicman wrote:

Gah, just happened to me. Wasn't porn, but was someone called Kimi and
the only content was "Heeey Lachlan, how's it going?"

L.

--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 16 November 2016 at 04:02, Martin Basti <mba...@redhat.com> wrote:



On 15.11.2016 17:32, Chris Dagdigian wrote:



Got a porn spam today that had a subject header of:

Re: [Freeipa-users] URL is changing on the browser


Have to admit that got through my spam filter and got me to open
the email.

It's clear that it was not a list message; looks like something
may be mining the public list archives to pull email addresses
and plausible sounding subject lines.

Mildly interested if anyone else got an email like this?

-Chris


 We are receiving those emails as well (different subjects, domains,
but the same content)








--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316









Getting the same.  The header is as follows.

I've blocked the two for now, to see how effective this would be but 
previous IP changed again.



Mellowhost NET-148-163-124-128-25 (NET-148-163-124-128-1) 
148.163.124.128 - 148.163.124.255
Input Output Flood LLC IOFLOOD (NET-148-163-0-0-1) 148.163.0.0 - 
148.163.127.255





Return-Path: 
Received: from m40.bytekeys.com ([148.163.124.181]) by mx.perfora.net
 (mxeueus003 [74.208.5.3]) with ESMTP (Nemesis) id 0MhTU4-1cMSKS0KOo-00McNU
 for ; Thu, 24 Nov 2016 11:36:22 +0100
Received: from localhost (unknown [107.178.101.40])
by m40.bytekeys.com (Postfix) with ESMTPSA id BBE4D22E71
for ; Thu, 24 Nov 2016 10:35:33 + (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.1 m40.bytekeys.com BBE4D22E71
Date: Thu, 24 Nov 2016 16:35:18 +0600
To: t...@mdevsys.com
From: Kimi Rachel 
Reply-To: Kimi Rachel 
Subject: Re: Re: [Freeipa-users] Ping forwarded domain name.
Message-ID: <62e8e8f685dbfb70eec33b944d962877@localhost>
In-Reply-To: <731bb495-e534-8581-9da4-ae57f9f6b...@mdevsys.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="b1_62e8e8f685dbfb70eec33b944d962877"
Content-Transfer-Encoding: 7bit
Envelope-To: 

--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.

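Detection logic for the thread-hijacking spam discussed above, as an added example that is not part of the post: it parses a header block modelled on the one Tom quoted, pulls the relay addresses out of the Received chain, checks them against the two ranges he blocked, and flags a mail that claims to be a list reply while carrying no List-Id header. The example.invalid placeholders, the In-Reply-To value and the assumption that genuine list copies carry a Mailman List-Id header are all assumptions.

```python
import ipaddress
import re
from email import message_from_string

# The two ranges named in the post (whois output for the sending relay's address).
BLOCKED_RANGES = [
    ipaddress.ip_network("148.163.124.128/25"),  # Mellowhost NET-148-163-124-128-25
    ipaddress.ip_network("148.163.0.0/17"),      # Input Output Flood LLC IOFLOOD
]

# Constructed sample modelled on the header block in the post; addresses the
# archive elided are replaced with example.invalid placeholders.
SAMPLE_HEADERS = """\
Return-Path: <bounce@example.invalid>
Received: from m40.bytekeys.com ([148.163.124.181]) by mx.perfora.net
 (mxeueus003 [74.208.5.3]) with ESMTP (Nemesis) id 0MhTU4-1cMSKS0KOo-00McNU
 for <recipient@example.invalid>; Thu, 24 Nov 2016 11:36:22 +0100
Received: from localhost (unknown [107.178.101.40])
 by m40.bytekeys.com (Postfix) with ESMTPSA id BBE4D22E71
 for <recipient@example.invalid>; Thu, 24 Nov 2016 10:35:33 +0000 (UTC)
Date: Thu, 24 Nov 2016 16:35:18 +0600
To: recipient@example.invalid
From: Kimi Rachel <sender@example.invalid>
Reply-To: Kimi Rachel <sender@example.invalid>
Subject: Re: Re: [Freeipa-users] Ping forwarded domain name.
Message-ID: <62e8e8f685dbfb70eec33b944d962877@localhost>
In-Reply-To: <quoted-list-message-id@example.invalid>
MIME-Version: 1.0

"""

_BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw):
    """IPv4 addresses written in [brackets] across all Received headers, top to bottom."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(_BRACKET_IP_RE.findall(hdr))
    return ips


def blocked_relays(ips):
    """(ip, network) pairs for every relay address inside a blocked range."""
    hits = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for net in BLOCKED_RANGES:
            if addr in net:
                hits.append((ip, str(net)))
    return hits


def assess(raw, list_tag="[Freeipa-users]"):
    """Collect the indicators visible in the headers plus a combined verdict."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    # "Re:" plus the list tag plus In-Reply-To is what makes the mail look like a reply.
    claims_list_reply = (subject.lower().startswith("re:")
                         and list_tag.lower() in subject.lower()
                         and msg.get("In-Reply-To") is not None)
    # Assumption: mail that really passed through the Mailman list carries List-Id.
    list_headers_missing = msg.get("List-Id") is None
    m = re.search(r"@([^>\s]+)>", msg.get("Message-ID", ""))
    message_id_host = m.group(1) if m else ""
    ips = relay_ips(raw)
    hits = blocked_relays(ips)
    return {
        "claims_list_reply": claims_list_reply,
        "list_headers_missing": list_headers_missing,
        "message_id_host": message_id_host,
        "relay_ips": ips,
        "blocked_relays": hits,
        "suspicious": claims_list_reply and (list_headers_missing or bool(hits)),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_HEADERS).items():
        print("%-22s %s" % (key, value))
```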


Re: [Freeipa-users] Ping forwarded domain name.

2016-11-24 Thread TomK

On 11/24/2016 4:49 AM, Petr Spacek wrote:

On 24.11.2016 06:08, TomK wrote:

On 11/23/2016 3:28 AM, Martin Basti wrote:



On 23.11.2016 03:48, TomK wrote:

On 11/22/2016 10:22 AM, Martin Basti wrote:



On 22.11.2016 13:57, TomK wrote:

On 11/22/2016 2:59 AM, Martin Basti wrote:

Hey,


On 22.11.2016 06:33, TomK wrote:

Hey Guys,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
over to
my dual Free IPA server.  The Free IPA servers are authoritative for
this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
and forwards dom.abc.xyz.

Have you configured proper zone delegation for subdomain
dom.abc.xyz?
Proper NS and glue records
http://www.zytrax.com/books/dns/ch9/delegate.html



I cannot ping dom.abc.xyz.  Everything else, including client
registrations, work fine.  If Free IPA is authoritative on
dom.abc.xyz, should it not create DNS entries so the sub domain
can be
pinged as well?


What do you mean by "ping"?



/etc/resolv.conf also gets regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where can I permanently adjust the search to add
dom.abc.xyz
to the already present abc.xyz .  I wasn't able to locate what I
needed in my searches.

I'm using the latest v4.


It depends on what you are using; probably you have NetworkManager
there
that is editing /etc/resolv.conf

https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/





Martin



I uninstalled NetworkManager.  Still changes.
ping dom.abc.com results in "ping: unknown host"

I'll have a look at the first link, ty.



ping (ICMP protocol) and the DNS system are different things. Do you have
a hostname dom.abc.com with an A record, or is it a zone?

With the ping command, the hostname "dom.abc.com" is resolved to an IP address
first. Do you have an A record set for dom.abc.com at the zone apex, or what are
you trying to achieve with the ping command?

For testing DNS, try the commands dig, host and nslookup.

Martin



Apologize for the long reply but it should give some background on
what it is that I'm doing.

1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
in his comment as well.  What should it really point to? ( I kind of
answer this question below so please read on. )  Where I'm getting
this from is that in Windows Server 2012 abc.com returns the IP of any
of the participating AD / DNS servers within the cluster (The two
Windows Server 2012 are a combined clustered AD + DNS servers.).
Being able to resolve abc.xyz is handy.  During a lookup, I can get a
list of all the IP's associated with that domain which would indicate
all the DNS + AD servers online under that domain or serving that domain:


# nslookup abc.xyz
Server: 192.168.0.3
Address:192.168.0.3#53

Name:   abc.xyz
Address: 192.168.0.3
Name:   abc.xyz
Address: 192.168.0.1
Name:   abc.xyz
Address: 192.168.0.2
#

Again, where this is handy is when configuring sssd.conf for example
or other apps for that matter.  I can just point the app to
authenticate against the domain and I have my redundancy solved.
Windows Server 2012 does it, but FreeIPA didn't, so I threw the
question out there.


IPA uses SRV records heavily: all IPA-related services have SRV records,
SSSD uses IPA's SRV records, and a client should use the SRV record to
connect to the right service (or a URI record, which will be in the next
IPA). SRV records are what the IPA locations mechanism works with; we
cannot achieve this with pure A records.



Delegation from this Windows DNS works as expected.  Any lookup from
dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested
this out. No issue with this.

I did see earlier that there is no A record for dom.abc.xyz in
FreeIPA. My reasons for asking if there was an IP on the subdomain in
FreeIPA were above but the missing IP on the subdomain isn't a major
issue for me.  Things are working without dom.abc.xyz resolving to an
IP.  What I was hoping for is to have a VIP for the IPA servers and
one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
have the VIP for the windows server).  One forwarding to the other for
a given domain.  This is all for testing a) redundancy, b) forwarding,
a) authentication .

IE:

# cat /etc/resolv.conf
search dom.abc.xyz abc.xyz
nameserver 192.168.0.3< Win Cluster DNS VIP
nameserver 192.168.0.4< IPA Cluster DNS VIP

* Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on
my cluster yet.  I'm looking to integrate ucarp with the above IPA
servers.


2) More to the topic of my second question however, is that
/etc/resolv.conf, on the IPA servers themselves, gets rewritten on
restart.  Would like to know by what if I already uninstalled
NetworkManager?  When I configured th

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-23 Thread TomK

On 11/23/2016 3:28 AM, Martin Basti wrote:



On 23.11.2016 03:48, TomK wrote:

On 11/22/2016 10:22 AM, Martin Basti wrote:



On 22.11.2016 13:57, TomK wrote:

On 11/22/2016 2:59 AM, Martin Basti wrote:

Hey,


On 22.11.2016 06:33, TomK wrote:

Hey Guys,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
over to
my dual Free IPA server.  The Free IPA servers are authoritative for
this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
and forwards dom.abc.xyz.

Have you configured proper zone delegation for subdomain
dom.abc.xyz?
Proper NS and glue records
http://www.zytrax.com/books/dns/ch9/delegate.html



I cannot ping dom.abc.xyz.  Everything else, including client
registrations, work fine.  If Free IPA is authoritative on
dom.abc.xyz, should it not create DNS entries so the sub domain
can be
pinged as well?


What do you mean by "ping"?



/etc/resolv.conf also gets regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where can I permanently adjust the search to add
dom.abc.xyz
to the already present abc.xyz .  I wasn't able to locate what I
needed in my searches.

I'm using the latest v4.


It depends on what you are using; probably you have NetworkManager
there
that is editing /etc/resolv.conf

https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/




Martin



I uninstalled NetworkManager.  Still changes.
ping dom.abc.com results in "ping: unknown host"

I'll have a look at the first link, ty.



ping (ICMP protocol) and the DNS system are different things. Do you have
a hostname dom.abc.com with an A record, or is it a zone?

With the ping command, the hostname "dom.abc.com" is resolved to an IP address
first. Do you have an A record set for dom.abc.com at the zone apex, or what are
you trying to achieve with the ping command?

For testing DNS, try the commands dig, host and nslookup.

Martin



Apologize for the long reply but it should give some background on
what it is that I'm doing.

1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
in his comment as well.  What should it really point to? ( I kind of
answer this question below so please read on. )  Where I'm getting
this from is that in Windows Server 2012 abc.com returns the IP of any
of the participating AD / DNS servers within the cluster (The two
Windows Server 2012 are a combined clustered AD + DNS servers.).
Being able to resolve abc.xyz is handy.  During a lookup, I can get a
list of all the IP's associated with that domain which would indicate
all the DNS + AD servers online under that domain or serving that domain:


# nslookup abc.xyz
Server: 192.168.0.3
Address:192.168.0.3#53

Name:   abc.xyz
Address: 192.168.0.3
Name:   abc.xyz
Address: 192.168.0.1
Name:   abc.xyz
Address: 192.168.0.2
#

Again, where this is handy is when configuring sssd.conf for example
or other apps for that matter.  I can just point the app to
authenticate against the domain and I have my redundancy solved.
Windows Server 2012 does it, but FreeIPA didn't, so I threw the
question out there.


IPA uses SRV records heavily: all IPA-related services have SRV records,
SSSD uses IPA's SRV records, and a client should use the SRV record to
connect to the right service (or a URI record, which will be in the next
IPA). SRV records are what the IPA locations mechanism works with; we
cannot achieve this with pure A records.



Delegation from this Windows DNS works as expected.  Any lookup from
dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested
this out. No issue with this.

I did see earlier that there is no A record for dom.abc.xyz in
FreeIPA. My reasons for asking if there was an IP on the subdomain in
FreeIPA were above but the missing IP on the subdomain isn't a major
issue for me.  Things are working without dom.abc.xyz resolving to an
IP.  What I was hoping for is to have a VIP for the IPA servers and
one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
have the VIP for the windows server).  One forwarding to the other for
a given domain.  This is all for testing a) redundancy, b) forwarding,
a) authentication .

IE:

# cat /etc/resolv.conf
search dom.abc.xyz abc.xyz
nameserver 192.168.0.3< Win Cluster DNS VIP
nameserver 192.168.0.4< IPA Cluster DNS VIP

* Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on
my cluster yet.  I'm looking to integrate ucarp with the above IPA
servers.


2) More to the topic of my second question however, is that
/etc/resolv.conf, on the IPA servers themselves, gets rewritten on
restart.  Would like to know by what if I already uninstalled
NetworkManager?  When I configured the FreeIPA server, I used:

ipa-server-install --setup-dns --forwarder=192.168.0.3 -p &

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-22 Thread TomK

On 11/22/2016 10:22 AM, Martin Basti wrote:



On 22.11.2016 13:57, TomK wrote:

On 11/22/2016 2:59 AM, Martin Basti wrote:

Hey,


On 22.11.2016 06:33, TomK wrote:

Hey Guys,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012 over to
my dual Free IPA server.  The Free IPA servers are authoritative for
this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
and forwards dom.abc.xyz.

Have you configured proper zone delegation for subdomain dom.abc.xyz?
Proper NS and glue records
http://www.zytrax.com/books/dns/ch9/delegate.html



I cannot ping dom.abc.xyz.  Everything else, including client
registrations, work fine.  If Free IPA is authoritative  on
dom.abc.xyz, should it not create DNS entries so the sub domain can be
pinged as well?


What do you mean by "ping"?



/etc/resolv.conf also gets regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where can I permanently adjust the search to add dom.abc.xyz
to the already present abc.xyz .  I wasn't able to locate what I
needed in my searches.

I'm using the latest v4.


It depends on what you are using; probably you have NetworkManager there
that is editing /etc/resolv.conf

https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/



Martin



I uninstalled NetworkManager.  Still changes.
ping dom.abc.com results in "ping: unknown host"

I'll have a look at the first link, ty.



ping (ICMP protocol) and the DNS system are different things. Do you have
a hostname dom.abc.com with an A record, or is it a zone?

With the ping command, the hostname "dom.abc.com" is resolved to an IP address
first. Do you have an A record set for dom.abc.com at the zone apex, or what are
you trying to achieve with the ping command?

For testing DNS, try the commands dig, host and nslookup.

Martin



Apologize for the long reply but it should give some background on what 
it is that I'm doing.


1) dom.abc.com is a zone.  There is no A record for dom.abc.com in 
FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out in 
his comment as well.  What should it really point to? ( I kind of 
answer this question below so please read on. )  Where I'm getting this 
from is that in Windows Server 2012 abc.com returns the IP of any of the 
participating AD / DNS servers within the cluster (The two Windows 
Server 2012 are a combined clustered AD + DNS servers.).  Being able to 
resolve abc.xyz is handy.  During a lookup, I can get a list of all the 
IP's associated with that domain which would indicate all the DNS + AD 
servers online under that domain or serving that domain:



# nslookup abc.xyz
Server: 192.168.0.3
Address:192.168.0.3#53

Name:   abc.xyz
Address: 192.168.0.3
Name:   abc.xyz
Address: 192.168.0.1
Name:   abc.xyz
Address: 192.168.0.2
#

Again, where this is handy is when configuring sssd.conf for example or 
other apps for that matter.  I can just point the app to authenticate 
against the domain and I have my redundancy solved.  Windows Server 2012 
does it, but FreeIPA didn't, so I threw the question out there.


Delegation from this Windows DNS works as expected.  Any lookup from 
dom.abc.xyz is forwarded to and handled by FreeIPA servers.  Tested 
this out. No issue with this.


I did see earlier that there is no A record for dom.abc.xyz in FreeIPA. 
My reasons for asking if there was an IP on the subdomain in FreeIPA 
were above but the missing IP on the subdomain isn't a major issue for 
me.  Things are working without dom.abc.xyz resolving to an IP.  What I 
was hoping for is to have a VIP for the IPA servers and one for the 
Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I have the VIP 
for the windows server).  One forwarding to the other for a given 
domain.  This is all for testing a) redundancy, b) forwarding, c) 
authentication.


IE:

# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
nameserver 192.168.0.3< Win Cluster DNS VIP
nameserver 192.168.0.4< IPA Cluster DNS VIP

* Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on 
my cluster yet.  I'm looking to integrate ucarp with the above IPA 
servers.



2) More to the topic of my second question however, is that 
/etc/resolv.conf, on the IPA servers themselves, gets rewritten on 
restart.  Would like to know by what if I already uninstalled 
NetworkManager?  When I configured the FreeIPA server, I used:


ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a 
"Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz


Notice I used the VIP of the Windows Server 2012 Cluster when installing 
FreeIPA.  This is nice for redundancy.  So the resolv.conf ends up being:


# cat /etc/resolv.conf
# Generated by NetworkManager
search abc.xyz
nameserver 192.168

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-22 Thread TomK

On 11/22/2016 2:59 AM, Martin Basti wrote:

Hey,


On 22.11.2016 06:33, TomK wrote:

Hey Guy's,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012 over to
my dual Free IPA server.  The Free IPA servers are authoritative for
this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
and forwards dom.abc.xyz.

Do you have configured proper zone delegation for subdomain dom.abc.xyz?
Proper NS and glue records
http://www.zytrax.com/books/dns/ch9/delegate.html



I cannot ping dom.abc.xyz.  Everything else, including client
registrations, work fine.  If Free IPA is authoritative  on
dom.abc.xyz, should it not create DNS entries so the sub domain can be
pinged as well?


What do you mean by "ping"?



/etc/resolv.conf also gets regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where can I permanently adjust the search to add dom.abc.xyz
to the already present abc.xyz .  I wasn't able to locate what I
needed in my searches.

I'm using the latest v4.


It depends on what you are using, probably you have NetworkManager there
that is editing /etc/resolv.conf

https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/


Martin



I uninstalled NetworkManager.  Still changes.
ping dom.abc.com results in "ping: unknown host"

I'll have a look at the first link, ty.

--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
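Both the question and the follow-up above turn on the same thing: something keeps regenerating /etc/resolv.conf on the IPA servers even with NetworkManager removed. On RHEL/CentOS 7 style hosts the remaining writers are the ifcfg network scripts (dhclient when BOOTPROTO=dhcp, ifup-post when DNS1/DNS2 are set, in both cases unless PEERDNS=no) and, on newer systems, systemd-resolved owning the file through a symlink. The Python below is an added example for this thread, not code from the posts or from the FreeIPA project: it inspects those configuration files and names each writer together with the setting that silences it. collect_config() reads a live system; resolvconf_writers() takes a plain path-to-contents mapping so the logic can be exercised against constructed inputs. Path names and the set of files checked are assumptions about a RHEL 7 style layout.

```python
"""Which subsystem keeps rewriting /etc/resolv.conf?  Added illustration,
not from the original posts: inspects the usual suspects on a RHEL/CentOS 7
style host.  resolvconf_writers() works on a path -> contents mapping so it
can be checked offline; collect_config() builds that mapping from the live
filesystem.  File locations are assumptions about that layout."""

import glob
import os
import re

CONFIG_GLOBS = (
    "etc/NetworkManager/NetworkManager.conf",
    "etc/sysconfig/network-scripts/ifcfg-*",
    "etc/dhcp/dhclient.conf",
    "etc/dhcp/dhclient-*.conf",
)


def collect_config(root="/"):
    """Read the candidate config files under root.  Returns (files, target)
    where target is what etc/resolv.conf links to, or None if it is a file."""
    files = {}
    for pattern in CONFIG_GLOBS:
        for path in glob.glob(os.path.join(root, pattern)):
            try:
                with open(path) as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    resolv = os.path.join(root, "etc/resolv.conf")
    target = os.readlink(resolv) if os.path.islink(resolv) else None
    return files, target


def _ini_value(text, section, key):
    """Value of key inside [section] of an ini-style file, or None."""
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            continue
        if current == section and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == key:
                return v
    return None


def _shell_var(text, name):
    """Value of NAME=value (optionally quoted) in an ifcfg file, or None."""
    m = re.search(r'''^\s*%s=["']?([^"'\n]*)''' % re.escape(name), text, re.M)
    return m.group(1).strip() if m else None


def resolvconf_writers(files, resolv_symlink_target=None):
    """Return (writers, advice).  writers lists every component that will
    overwrite /etc/resolv.conf on boot or lease renewal given this config;
    advice lists the matching setting that stops it."""
    writers, advice = [], []
    if resolv_symlink_target and "systemd/resolve" in resolv_symlink_target:
        writers.append("systemd-resolved")
        advice.append("resolv.conf is a symlink into /run/systemd/resolve: "
                      "configure DNS=/Domains= in /etc/systemd/resolved.conf")
    for path, text in files.items():
        base = os.path.basename(path)
        if base == "NetworkManager.conf":
            dns = _ini_value(text, "main", "dns")
            rc_manager = _ini_value(text, "main", "rc-manager")
            if dns != "none" and rc_manager != "unmanaged":
                writers.append("NetworkManager")
                advice.append("set dns=none (or rc-manager=unmanaged) under "
                              "[main] in NetworkManager.conf")
        elif base.startswith("ifcfg-") and base != "ifcfg-lo":
            peerdns = (_shell_var(text, "PEERDNS") or "yes").lower()
            dhcp = (_shell_var(text, "BOOTPROTO") or "none").lower() in ("dhcp", "bootp")
            static_dns = _shell_var(text, "DNS1") is not None
            if peerdns != "no" and (dhcp or static_dns):
                who = "dhclient" if dhcp else "ifup-post"
                writers.append("%s via %s" % (who, base))
                advice.append("set PEERDNS=no in %s, or put the wanted servers in "
                              "DNS1=/DNS2=/DOMAIN= so ifup writes them" % base)
        elif base.startswith("dhclient") and base.endswith(".conf"):
            if re.search(r"^\s*supersede\s+domain-name-servers", text, re.M):
                advice.append("%s supersedes domain-name-servers; dhclient still "
                              "rewrites the file, but with those values" % base)
    return writers, advice


if __name__ == "__main__":
    found, link = collect_config("/")
    found_writers, found_advice = resolvconf_writers(found, link)
    print("writers:", found_writers or "none found")
    for line in found_advice:
        print(" -", line)
```

Run it as root on the IPA server; an empty writer list with a file that still changes points at something outside these files (a configuration-management run, or a custom dhclient exit hook), which is where to look next.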


[Freeipa-users] Ping forwarded domain name.

2016-11-21 Thread TomK

Hey Guy's,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012 over to 
my dual Free IPA server.  The Free IPA servers are authoritative for 
this subdomain.  The Windows Server 2012 DNS resolves abc.xyz and 
forwards dom.abc.xyz.


I cannot ping dom.abc.xyz.  Everything else, including client 
registrations, work fine.  If Free IPA is authoritative  on dom.abc.xyz, 
should it not create DNS entries so the sub domain can be pinged as well?


/etc/resolv.conf also gets regenerated on reboot on the IPA Servers and 
wanted to ask if you can point me to some materials online to determine 
where can I permanently adjust the search to add dom.abc.xyz to the 
already present abc.xyz .  I wasn't able to locate what I needed in my 
searches.


I'm using the latest v4.

--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.

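Two things in this thread can be checked mechanically rather than by pinging: whether the Windows parent zone delegates dom.abc.xyz correctly (NS records at the parent, glue for in-bailiwick name servers, the same NS set answered by the IPA servers themselves), and whether a zone apex has any A record at all, which is what `ping dom.abc.xyz` needs and a delegation never requires. The Python below is an added example for this thread, not code from the posts or from FreeIPA: it parses `dig +noall +answer` text captured from the parent and child servers and reports the delegation problems it finds. The zone names follow the thread; the server names ipa01/ipa02 and every address in the sample answers are constructed.

```python
"""Offline sanity check of a parent -> child DNS delegation of the kind in
this thread (Windows DNS for abc.xyz delegating dom.abc.xyz to the IPA
servers).  Records are fed in as `dig +noall +answer` text; the sample data
below is constructed for illustration and is not from the original post."""

from collections import defaultdict


def fqdn(name):
    """Normalise an owner/target name: lower-case, single trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_dig_answer(text):
    """Parse `dig +noall +answer` lines (owner ttl class type rdata) into
    (owner, type, rdata) tuples.  Comments and short lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, rtype, rdata = parts[0], parts[3].upper(), " ".join(parts[4:])
        if rtype in ("NS", "CNAME"):      # name-valued types get normalised too
            rdata = fqdn(rdata)
        records.append((fqdn(owner), rtype, rdata))
    return records


def _rrset(records, rtype):
    """owner -> set(rdata) for one record type."""
    out = defaultdict(set)
    for owner, t, rdata in records:
        if t == rtype:
            out[owner].add(rdata)
    return out


def check_delegation(parent_records, child_records, child_zone):
    """Compare what the parent's servers say about child_zone with what the
    child's own servers say.  Returns a list of problems; [] means the
    delegation is consistent (NS sets agree, in-bailiwick NS have glue that
    matches the child's own A records)."""
    zone = fqdn(child_zone)
    parent_ns = _rrset(parent_records, "NS").get(zone, set())
    child_ns = _rrset(child_records, "NS").get(zone, set())
    parent_a = _rrset(parent_records, "A")
    child_a = _rrset(child_records, "A")
    problems = []
    if not parent_ns:
        problems.append("parent has no NS records for %s: zone is not delegated" % zone)
    if not child_ns:
        problems.append("child answers with no NS records at its apex %s" % zone)
    if parent_ns and child_ns and parent_ns != child_ns:
        problems.append("NS set differs: parent %s, child %s"
                        % (sorted(parent_ns), sorted(child_ns)))
    for ns in sorted(parent_ns):
        if ns == zone or ns.endswith("." + zone):     # in-bailiwick: glue needed
            if ns not in parent_a:
                problems.append("no glue A record at parent for in-bailiwick NS %s" % ns)
            elif ns in child_a and child_a[ns] != parent_a[ns]:
                problems.append("glue for %s at parent %s != child's A %s"
                                % (ns, sorted(parent_a[ns]), sorted(child_a[ns])))
    return problems


def apex_addresses(records, zone):
    """A records owned by the zone name itself.  `ping dom.abc.xyz` needs
    one of these; a delegation does not, which is why the child zone here
    works for clients yet reports 'unknown host'."""
    return sorted(_rrset(records, "A").get(fqdn(zone), set()))


# Constructed sample answers (what `dig @<server> ... +noall +answer` might
# show).  Server names and addresses are illustrative only.
PARENT_ANSWERS = """
abc.xyz.                600 IN A  192.168.0.1
abc.xyz.                600 IN A  192.168.0.2
abc.xyz.                600 IN A  192.168.0.3
dom.abc.xyz.           3600 IN NS ipa01.dom.abc.xyz.
dom.abc.xyz.           3600 IN NS ipa02.dom.abc.xyz.
ipa01.dom.abc.xyz.     3600 IN A  192.168.0.5
ipa02.dom.abc.xyz.     3600 IN A  192.168.0.6
"""

CHILD_ANSWERS = """
dom.abc.xyz.          86400 IN NS ipa01.dom.abc.xyz.
dom.abc.xyz.          86400 IN NS ipa02.dom.abc.xyz.
ipa01.dom.abc.xyz.     1200 IN A  192.168.0.5
ipa02.dom.abc.xyz.     1200 IN A  192.168.0.6
"""

if __name__ == "__main__":
    parent, child = parse_dig_answer(PARENT_ANSWERS), parse_dig_answer(CHILD_ANSWERS)
    print("problems:", check_delegation(parent, child, "dom.abc.xyz") or "none")
    print("abc.xyz A records:", apex_addresses(parent, "abc.xyz"))
    print("dom.abc.xyz A records:", apex_addresses(child, "dom.abc.xyz"))
```

To use it against real servers, capture `dig @<windows-dns> dom.abc.xyz NS +noall +answer +additional` for the parent side and `dig @ipa01.dom.abc.xyz dom.abc.xyz NS +noall +answer +additional` for the child side and feed the two texts to parse_dig_answer(). The apex_addresses() result on the parent side is exactly the multi-A behaviour of the Windows zone described earlier in the thread; an IPA zone gets the same only if an A record is added at the zone name.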


Re: [Freeipa-users] HBAC

2015-10-01 Thread TomK



On 10/1/2015 12:04 PM, Simo Sorce wrote:

On 30/09/15 21:22, TomK wrote:



On 9/30/2015 8:12 AM, Martin Kosek wrote:

On 09/30/2015 07:50 AM, Alexander Bokovoy wrote:

On Tue, 29 Sep 2015, TomK wrote:

Hey Guys,

(Sending this again as I didn't have this email included in the
freeipa-users mailing list so not sure if the other message will get
posted.)

Before I post a ticket to RH Support for an RFE, I'll post the request
here to get some feedback on options and what ideas folks have.  I've a
situation as follows.  I have the following setup in WS 2012 AD DC:

TomK (user)
TomK Groups:
unixg
windowsg

unixg has the 'host' attribute defined 'lab01,lab02,lab03,lab04'
windowsg has the 'host' attribute defined 'lab06,lab07,lab08,lab09'

TomK(user) also has the 'host' attribute defined as per the proper RFC for
LDAP.  With SSSD rules I can define the rules to read the user 'host'
attribute but not the group 'host' attribute:

access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host

Essentially TomK to be given access to hosts listed in the 'host'
attribute but denied entry into lab05 for example (not listed in any group
'host' attribute above) to the server.  If I have a new user that has
joined that particular team at our organization, I can simply add her/him
to the above groups and this user would get access only to the listed
servers in 'host' attribute by default.  I don't need to specify new
groups in customized sssd.conf or ldap.conf files or in sshd config files.
Hence less to update with Salt or any other CM suite.  I've managed to set
up SUDO rules and with the openssh-ldap.diff schema SSH public keys could
be stored in AD as well and be read by OpenSSH.  So aside from the HBAC
capability on groups, virtually all our needs are handled by the WS2012 AD
DC as it has to follow the OpenLDAP standard anyway.  Now to get this we
considered and are still considering FreeIPA.  However this idea poses a
set of challenges:

1) In large organizations where the AD support department are only
trained in Windows AD setup and configuration (Only Windows guys) this
would require a minimum of 3 bodies to support that know LDAP/Linux.  This
is a large cost.

2) The additional server requires the same hardening as the Windows AD DC
servers meaning a new procedure has to be carved out for the 2+ FreeIPA
servers to be supported, hardened and maintained (upgraded).

Now I probably sound somewhat anti-FreeIPA, however the challenges of
implementing it in large organizations surface after some deliberation,
so probably better to list them as it may help direct development of the
product to contend with the challenges (Like having a document fully
dedicated to hardening a FreeIPA server with selinux and other
technologies in easy to maintain configuration).  I could be mistaken but
some folks mention that it's 'better' to implement this sort of HBAC
through other means (?? iptables ??) but never tried the alternatives yet.

So, cutting to the end, would it be possible to add an attribute like:

ldap_user_authorized_host

but perhaps called 'ldap_group_authorized_host' to the SSSD code to
enable reading the 'host' attribute on AD/LDAP defined groups?

In FreeIPA we support HBAC rules for AD users and groups. What exactly
is wrong with that?

See 'ipa help trust' for details how to map AD groups to IPA groups and
then 'ipa help hbacrule' for how to limit access of those groups to
specific hosts and services on them.

This is all covered well in the guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html

More reading on External groups used for AD access control:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html#trust-win-groups

I would also suggest a video with HBAC and Trust in action:

https://www.youtube.com/watch?v=sQnNFJOzwa8

HTH,
Martin


We already defined HBAC rules in the manner that all the links you
pointed out indicate as an early implementation.  As a product, there is
no issue in IDM from that perspective.  This is all great and the
product is fine from that perspective.

It would be good to have a dual option of either allowing SSSD or IDM /
FreeIPA have full HBAC capability not just FreeIPA / IDM as in our
organization that would be a huge cost savings vs implementing IDM as a
separate Linux DC to be managed by a separate team.  So for those
customers that wish to go directly to AD or have already invested in AD
can choose SSSD only (If MS bundles AD with certain purchases, for
example, that is an actual cost savings for a company).  Other customers
who wish to ke

Re: [Freeipa-users] HBAC

2015-09-30 Thread TomK



On 9/30/2015 8:12 AM, Martin Kosek wrote:

On 09/30/2015 07:50 AM, Alexander Bokovoy wrote:

On Tue, 29 Sep 2015, TomK wrote:

Hey Guys,

(Sending this again as I didn't have this email included in the freeipa-users
mailing list so not sure if the other message will get posted.)

Before I post a ticket to RH Support for an RFE, I'll post the request here
to get some feedback on options and what ideas folks have.  I've a situation
as follows.  I have the following setup in WS 2012 AD DC:

TomK (user)
TomK Groups:
unixg
windowsg

unixg has the 'host' attribute defined 'lab01,lab02,lab03,lab04'
windowsg has the 'host' attribute defined 'lab06,lab07,lab08,lab09'

TomK(user) also has the 'host' attribute defined as per the proper RFC for
LDAP.  With SSSD rules I can define the rules to read the user 'host'
attribute but not the group 'host' attribute:


access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host


Essentially TomK to be given access to hosts listed in the 'host' attribute
but denied entry into lab05 for example (not listed in any group 'host'
attribute above) to the server.   If I have a new user that has joined that
particular team at our organization, I can simply add her/him to the above
groups and this user would get access only to the listed servers in 'host'
attribute by default. I don't need to specify new groups in customized
sssd.conf or ldap.conf files or in sshd config files.  Hence less to update
with Salt or any other CM suite.  I've managed to set up SUDO rules and with
the openssh-ldap.diff schema SSH public keys could be stored in AD as well
and be read by OpenSSH.  So aside from the HBAC capability on groups,
virtually all our needs are handled by the WS2012 AD DC as it has to follow
the OpenLDAP standard anyway.  Now to get this we considered and are still
considering FreeIPA.  However this idea poses a set of challenges:

1) In large organizations where the AD support department are only trained in
Windows AD setup and configuration (Only Windows guys) this would require a
minimum of 3 bodies to support that know LDAP/Linux.  This is a large cost.

2) The additional server requires the same hardening as the Windows AD DC
servers meaning a new procedure has to be carved out for the 2+ FreeIPA
servers to be supported, hardened and maintained (upgraded).

Now I probably sound somewhat anti-FreeIPA, however the challenges of
implementing it in large organizations surface after some deliberation, so
probably better to list them as it may help direct development of the product
to contend with the challenges (Like having a document fully dedicated to
hardening a FreeIPA server with selinux and other technologies in easy to
maintain configuration).   I could be mistaken but some folks mention that
it's 'better' to implement this sort of HBAC through other means (?? iptables
??) but never tried the alternatives yet.

So, cutting to the end, would it be possible to add an attribute like:

ldap_user_authorized_host

but perhaps called 'ldap_group_authorized_host' to the SSSD code to enable
reading the 'host' attribute on AD/LDAP defined groups?

In FreeIPA we support HBAC rules for AD users and groups. What exactly
is wrong with that?

See 'ipa help trust' for details how to map AD groups to IPA groups and
then 'ipa help hbacrule' for how to limit access of those groups to
specific hosts and services on them.

This is all covered well in the guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html

More reading on External groups used for AD access control:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html#trust-win-groups

I would also suggest a video with HBAC and Trust in action:

https://www.youtube.com/watch?v=sQnNFJOzwa8

HTH,
Martin


We already defined HBAC rules in the manner that all the links you 
pointed out indicate as an early implementation.  As a product, there is 
no issue in IDM from that perspective.  This is all great and the 
product is fine from that perspective.


It would be good to have a dual option of either allowing SSSD or IDM / 
FreeIPA have full HBAC capability not just FreeIPA / IDM as in our 
organization that would be a huge cost savings vs implementing IDM as a 
separate Linux DC to be managed by a separate team.  So for those 
customers that wish to go directly to AD or have already invested in AD 
can choose SSSD only (If MS bundles AD with certain purchases, for 
example, that is an actual cost savings for a company).  Other customers 
who wish to keep the two separate so they do not flood AD DC's with non 
Windows AD setti

[Freeipa-users] HBAC

2015-09-29 Thread TomK

Hey Guys,

(Sending this again as I didn't have this email included in the 
freeipa-users mailing list so not sure if the other message will get 
posted.)


Before I post a ticket to RH Support for an RFE, I'll post the request 
here to get some feedback on options and what ideas folks have.  I've a 
situation as follows.  I have the following setup in WS 2012 AD DC:


TomK (user)
TomK Groups:
unixg
windowsg

unixg has the 'host' attribute defined 'lab01,lab02,lab03,lab04'
windowsg has the 'host' attribute defined 'lab06,lab07,lab08,lab09'

TomK(user) also has the 'host' attribute defined as per the proper RFC 
for LDAP.  With SSSD rules I can define the rules to read the user 
'host' attribute but not the group 'host' attribute:



access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host



Essentially TomK to be given access to hosts listed in the 'host' 
attribute but denied entry into lab05 for example (not listed in any 
group 'host' attribute above) to the server.   If I have a new user that 
has joined that particular team at our organization, I can simply add 
her/him to the above groups and this user would get access only to the 
listed servers in 'host' attribute by default. I don't need to specify 
new groups in customized sssd.conf or ldap.conf files or in sshd config 
files.  Hence less to update with Salt or any other CM suite.  I've 
managed to set up SUDO rules and with the openssh-ldap.diff schema SSH 
public keys could be stored in AD as well and be read by OpenSSH.  So 
aside from the HBAC capability on groups, virtually all our needs are 
handled by the WS2012 AD DC as it has to follow the OpenLDAP standard 
anyway.  Now to get this we considered and are still considering 
FreeIPA.  However this idea poses a set of challenges:


1) In large organizations where the AD support department are only 
trained in Windows AD setup and configuration (Only Windows guys) this 
would require a minimum of 3 bodies to support that know LDAP/Linux.  
This is a large cost.


2) The additional server requires the same hardening as the Windows AD 
DC servers meaning a new procedure has to be carved out for the 2+ 
FreeIPA servers to be supported, hardened and maintained (upgraded).


Now I probably sound somewhat anti-FreeIPA, however the challenges of 
implementing it in large organizations surface after some deliberation, 
so probably better to list them as it may help direct development of the 
product to contend with the challenges (Like having a document fully 
dedicated to hardening a FreeIPA server with selinux and other 
technologies in easy to maintain configuration).   I could be mistaken 
but some folks mention that it's 'better' to implement this sort of HBAC 
through other means (?? iptables ??) but never tried the alternatives yet.


So, cutting to the end, would it be possible to add an attribute like:

ldap_user_authorized_host

but perhaps called 'ldap_group_authorized_host' to the SSSD code to 
enable reading the 'host' attribute on AD/LDAP defined groups?


Cheers,
Tom



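The behaviour the post asks for, a group-level 'host' attribute honoured alongside the user's own, is easy to state as a decision function, and stating it makes the edge cases visible: nested AD groups, membership loops, and users with no 'host' value of their own. The Python below is an added illustration of that proposed ldap_group_authorized_host semantics; it is not SSSD code and not how SSSD's ldap_access_order = host behaves today (that path reads the user entry only, which the use_groups=False calls reproduce). The directory entries are constructed after the lab01..lab09 example in the post, with a nested group linux-all and a second user added to show transitive membership; treating '*' as an any-host wildcard is an assumption borrowed from pam_ldap's handling of the same attribute.

```python
"""Model of the access decision the post asks for: a login is allowed when
the target host is named in the user's own 'host' attribute or in the 'host'
attribute of any group (including nested groups) the user belongs to.  This
is an added illustration, not SSSD code: SSSD's ldap_access_order=host only
consults the user entry, which the use_groups=False path reproduces.  The
directory below is constructed after the lab01..lab09 example in the post;
the '*' wildcard handling is an assumption borrowed from pam_ldap."""

# Constructed directory: DN -> attribute map.  AD keeps membership on both
# sides (member/memberOf); memberOf alone is enough for this walk.
DIRECTORY = {
    "CN=TomK,OU=Users,DC=abc,DC=xyz": {
        "sAMAccountName": ["tomk"],
        "host": ["lab10"],                       # user-level entry
        "memberOf": ["CN=unixg,OU=Groups,DC=abc,DC=xyz",
                     "CN=windowsg,OU=Groups,DC=abc,DC=xyz"],
    },
    "CN=Alice,OU=Users,DC=abc,DC=xyz": {
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=unixg,OU=Groups,DC=abc,DC=xyz"],   # no own 'host'
    },
    "CN=unixg,OU=Groups,DC=abc,DC=xyz": {
        "host": ["lab01", "lab02", "lab03", "lab04"],
        "memberOf": ["CN=linux-all,OU=Groups,DC=abc,DC=xyz"],  # nested group
    },
    "CN=windowsg,OU=Groups,DC=abc,DC=xyz": {
        "host": ["lab06", "lab07", "lab08", "lab09"],
    },
    "CN=linux-all,OU=Groups,DC=abc,DC=xyz": {
        "host": ["jump01"],
    },
}


def _short(hostname):
    """Compare on the unqualified name, as the post's 'lab01' values imply."""
    return hostname.strip().lower().split(".")[0]


def groups_of(directory, dn):
    """All groups dn belongs to, following memberOf transitively.  The seen
    set guards against membership loops, which AD does permit."""
    seen, stack = set(), list(directory.get(dn, {}).get("memberOf", []))
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(directory.get(g, {}).get("memberOf", []))
    return seen


def authorized_hosts(directory, user_dn, use_groups=True):
    """Set of host values granting user_dn access.  use_groups=False is the
    user-only behaviour of ldap_user_authorized_host today."""
    hosts = set(directory.get(user_dn, {}).get("host", []))
    if use_groups:
        for g in groups_of(directory, user_dn):
            hosts.update(directory.get(g, {}).get("host", []))
    return hosts


def access_allowed(directory, user_dn, hostname, use_groups=True):
    """Access decision for a login attempt by user_dn on hostname."""
    allowed = {_short(h) for h in authorized_hosts(directory, user_dn, use_groups)}
    if "*" in allowed:            # assumption: pam_ldap-style 'any host' wildcard
        return True
    return _short(hostname) in allowed


if __name__ == "__main__":
    tomk = "CN=TomK,OU=Users,DC=abc,DC=xyz"
    for host in ("lab01.abc.xyz", "lab05", "lab07", "jump01", "lab10"):
        print("%-14s user-only=%-5s with-groups=%s" % (
            host, access_allowed(DIRECTORY, tomk, host, use_groups=False),
            access_allowed(DIRECTORY, tomk, host)))
```

The nested-group walk is the part worth noticing: once group attributes carry authorization, a change to any group up the chain (linux-all here) silently widens access for every member below it, so the group tree needs the same change control as the user entries. The same policy in FreeIPA terms is what Martin points to in his reply: an external group mapped to the AD group, a POSIX group containing it, and an HBAC rule naming that group, the lab hosts and the sshd service.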