[Freeipa-users] How to clean out(reset) FreeIPA,

2017-01-25 Thread Tony Brian Albers
Hi guys,

Is there a way to expunge everything except admin account from IPA?

We have a supercomputer test installation here that needs it, and a 
reset is preferable over a complete reinstall.

TIA

Tony
-- 
Best regards,

Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-15 Thread Tony Brian Albers
Hehe, just you wait Lachlan ;)

/tony

On 11/16/2016 01:56 AM, Lachlan Musicman wrote:
> Gah, just happened to me. Wasn't porn, but was someone called Kimi and
> the only content was "Heeey Lachlan, how's it going?"
>
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
> On 16 November 2016 at 04:02, Martin Basti wrote:
>
>
>
> On 15.11.2016 17:32, Chris Dagdigian wrote:
>
>
>
> Got a porn spam today that had a subject header of:
>
> Re: [Freeipa-users] URL is changing on the browser
>
>
> Have to admit that got through my spam filter and got me to open
> the email.
>
> It's clear that it was not a list message; looks like something
> may be mining the public list archives to pull email addresses
> and plausible sounding subject lines.
>
> Mildly interested if anyone else got an email like this?
>
> -Chris
>
>
>  We are receiving those emails as well (different subjects, domains,
> but the same content)
>
>
>
>
>
>

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316



[Freeipa-users] krb5 and nfsv4 not working right

2016-11-15 Thread Tony Brian Albers
Hi guys,

I've followed every guide I can find on this subject. What I'm trying to 
do is to get our home directories which are shared via NFS from the FreeIPA 
server mounted via autofs on the clients.

The client is kact-man-001 and the FreeIPA server is kact-adm-001

/etc/exports:


I've done the ipa-client-install and the ipa-client-automount

However, when I log in, my homedir is mounted as expected but what I get 
in the messages log is:

Nov 15 12:52:25 kact-man-001 gssproxy: gssproxy[770]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

A lot!

/etc/krb5.conf is default from the FreeIPA installation:

   default_ccache_name = KEYRING:persistent:%{uid}


The autofs setup looks like this:

-

[root@kact-adm-001 log]# ipa automountmap-find
Location: default

3 automount maps matched

   Map: auto.direct

   Map: auto.home

   Map: auto.master

Number of entries returned 3

[root@kact-adm-001 log]#



[root@kact-adm-001 log]# ipa automountkey-find
Location: default
Map: auto.home
---
1 automount key matched
---
   Key: *
   Mount information: -fstype=nfs4,rw,sec=krb5,rsize=8192,wsize=8192 kact-adm-001.kact.sblokalnet:/data/home/&

Number of entries returned 1

[root@kact-adm-001 log]#

-

Now, the BAD thing is, trying to copy a large file to the automounted 
dir on the client just hangs:

[tba@pc588 images]$ scp NAS4Free-x64-LiveUSB-10.3.0.3.2987.img.gz tba...@kact-man-001.kact.sblokalnet:.
tba...@kact-man-001.kact.sblokalnet's password:
NAS4Free-x64-LiveUSB-10.3.0.3.2987.img.gz    100%  281MB  93.6MB/s   00:03
[hangs]

And my logged in session on the client hangs if I try to do ls in my 
homedir:
[tba@pc588 ~]$ ssh tba...@kact-man-001.kact.sblokalnet
tba...@kact-man-001.kact.sblokalnet's password:
Last login: Tue Nov 15 13:07:12 2016 from pc588.sb.statsbiblioteket.dk
-sh-4.2$
-sh-4.2$
-sh-4.2$ pwd
/home/tba-sb
-sh-4.2$ hostname
kact-man-001
-sh-4.2$
-sh-4.2$ ls
[hangs]


And I see a huge amount of the GSS failures in the messages file on the 
client.


Any suggestions?

TIA




-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316



Re: [Freeipa-users] can't get sudo to work.

2016-08-24 Thread Tony Brian Albers
And indeed the compat tree was disabled.

Guess I forgot to reenable it after copying the db to a testing
environment.

Thanks guys, sudo is working fine now.

/tony

On Tue, 2016-08-23 at 10:13 -0400, Rob Crittenden wrote:
> Pavel Březina wrote:
> > On 08/23/2016 01:55 PM, Tony Brian Albers wrote:
> >> Here you are:
> >>
> >>
> >> [root ~]# ldapsearch -Y GSSAPI -b $dc
> >> '(ou=*)' -s onelevel
> >
> >> # profile, $domain
> >> dn: ou=profile,$dc
> >> objectClass: top
> >> objectClass: organizationalUnit
> >> ou: profiles
> >> ou: profile
> >>
> >> # search result
> >> search: 4
> >> result: 0 Success
> >>
> >> # numResponses: 2
> >> # numEntries: 1
> >
> >
> > Sudo rules are not downloaded by SSSD because ou=sudoers is missing on
> > the IPA server, or it may have incorrect ACL. Does someone from IPA team
> > know why?
> 
> Perhaps the compat tree is disabled:
> 
> $ ipa-compat-manage status
> 
> rob
> 
> 

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316





Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Tony Brian Albers
Thanks Jakub,

I've attached a file with the output from looking in the log files
mentioned in the link you gave me.

I'm not sure exactly what is wrong, I don't know how to interpret
messages like: name 'tba-sadm' matched without domain, user is
tba-sadm   (is that good or bad?)

Any advice is appreciated.

/tony


On Tue, 2016-08-23 at 09:17 +0200, Jakub Hrozek wrote:
> On Tue, Aug 23, 2016 at 07:11:44AM +, Tony Brian Albers wrote:
> > Thanks Simon,
> > 
> > Is this a known issue?  We're on Centos 7.2 and yes, the sssd version is
> > 1.13
> > 
> > /tony
> 
> IIRC Simpson's issue was related to using AD trusts and
> default_domain_suffix. I would recommend looking at logs first before
> jumping to conclusions.
> 

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316




Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Tony Brian Albers
Thanks Simon,

Is this a known issue?  We're on Centos 7.2 and yes, the sssd version is
1.13

/tony

On Tue, 2016-08-23 at 06:49 +, Simpson Lachlan wrote:
> What version of sssd are you using?
> 
> We found that it wouldn't work w sssd<1.14
> 
> On the IPA server, it would say "yep rule applies", but then on any 
> particular machine it wouldn't (well, it would - but only intermittently).
> 
> There's a COPR repo for Centos7 if you aren't on Fedora/RedHat.
> 
> Cheers
> L.
> 
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Tony Brian Albers
> Sent: Tuesday, 23 August 2016 4:24 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] can't get sudo to work.
> 
> Hi guys,
> 
> I've been trying to get sudo to work for our day-to-day admin who have their 
> own usergroup in IPA called subadmin.
> 
> For some reason I can't really get sudo to work, I suspect I am missing 
> something simple, but I can't really figure out what it is.
> 
> This is my config:
> 
> # ipa sudorule-find
> ---
> 1 Sudo Rule matched
> ---
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   User Groups: subadmin
> 
> Number of entries returned 1
> 
> #
> 
> 
> 
> 
> # ipa group-find subadmin
> ---
> 1 group matched
> ---
>   Group name: subadmin
>   Description: For daily administration of users and hosts
>   GID: 10003
>   Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
>   Roles: Sub-admins
>   Member of Sudo rule: All
> 
> Number of entries returned 1
> 
> #
> 
> 
> 
> 
> 
> And on a client:
> 
> # cat /etc/sssd/sssd.conf
> [domain/kac.lokalnet]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = kac.sblokalnet
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kac-man-001.kac.lokalnet
> chpass_provider = ipa
> ipa_server = _srv_, kac-adm-001.kac.lokalnet
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> krb5_renewable_lifetime = 50d
> krb5_renew_interval = 3600
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
> 
> domains = kac.lokalnet
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> 
> 
> 
> 
> 
> nsswitch.conf:
> 
> passwd: files sss
> shadow: files sss
> group:  files sss
> #initgroups: files
> 
> #hosts: db files nisplus nis dns
> hosts:  files dns myhostname
> 
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files 
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers: files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:files
> services:   files sss
> 
> netgroup:   files sss
> 
> publickey:  nisplus
> 
> automount:  sss files
> aliases:files nisplus
> sudoers:files sss
> 
> 
> 
> 
> And for a subadmin account:
> 
> -sh-4.2$ sudo -l
> [sudo] password for tba-sadm: 
> Your password will expire in 6 day(s).
> User tba-sadm is not allowed to run sudo on kac-man-001.
> -sh-4.2$
> 
> 
> 
> Any suggestions?  Help is much appreciated.
> 
> TIA
> 
> /tony
> 
> --
> Best regards,
> 
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
> 
> 
> 
> 

[Freeipa-users] can't get sudo to work.

2016-08-22 Thread Tony Brian Albers
Hi guys,

I've been trying to get sudo to work for our day-to-day admin who have
their own usergroup in IPA called subadmin.

For some reason I can't really get sudo to work, I suspect I am missing
something simple, but I can't really figure out what it is.

This is my config:

# ipa sudorule-find
---
1 Sudo Rule matched
---
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: subadmin

Number of entries returned 1

#




# ipa group-find subadmin
---
1 group matched
---
  Group name: subadmin
  Description: For daily administration of users and hosts
  GID: 10003
  Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
  Roles: Sub-admins
  Member of Sudo rule: All

Number of entries returned 1

#





And on a client:

# cat /etc/sssd/sssd.conf 
[domain/kac.lokalnet]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = kac.sblokalnet
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kac-man-001.kac.lokalnet
chpass_provider = ipa
ipa_server = _srv_, kac-adm-001.kac.lokalnet
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = kac.lokalnet
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]






nsswitch.conf:

passwd: files sss
shadow: files sss
group:  files sss
#initgroups: files

#hosts: db files nisplus nis dns
hosts:  files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files 

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  sss files
aliases:files nisplus
sudoers:files sss




And for a subadmin account:

-sh-4.2$ sudo -l
[sudo] password for tba-sadm: 
Your password will expire in 6 day(s).
User tba-sadm is not allowed to run sudo on kac-man-001.
-sh-4.2$



Any suggestions?  Help is much appreciated.

TIA

/tony

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316
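
A client-side check for the configuration posted above, written as an added example (not code from the thread or from the FreeIPA or SSSD projects). It parses excerpts of the posted sssd.conf and nsswitch.conf and reports anything that would stop SSSD from serving sudo rules; the posted files pass, which is consistent with the replies tracing the failure to the server side (ou=sudoers missing because the compat tree was disabled).

```python
import configparser

# Excerpts of the two client files posted in the message above.
SSSD_CONF = """\
[domain/kac.lokalnet]
ipa_domain = kac.sblokalnet
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kac-man-001.kac.lokalnet
ipa_server = _srv_, kac-adm-001.kac.lokalnet
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = kac.lokalnet
[sudo]
"""
NSSWITCH_CONF = """\
passwd: files sss
group:  files sss
automount:  sss files
sudoers:files sss
"""


def nss_sources(nss_text, database):
    """Return the sources nsswitch.conf lists for one database, comments ignored."""
    for raw in nss_text.splitlines():
        name, sep, rest = raw.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []


def check_sudo_client(sssd_text, nss_text):
    """Return the client-side problems that would stop SSSD from serving sudo rules."""
    problems = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_text)

    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        problems.append("sssd.conf: sudo is not listed in [sssd] services")

    domains = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",")]
    for dom in filter(None, domains):
        section = "domain/" + dom
        if not cfg.has_section(section):
            problems.append(f"sssd.conf: [{section}] is missing")
            continue
        # sudo_provider falls back to id_provider when it is not set.
        id_provider = cfg.get(section, "id_provider", fallback="")
        if cfg.get(section, "sudo_provider", fallback=id_provider) in ("", "none"):
            problems.append(f"sssd.conf: no sudo provider in [{section}]")

    if "sss" not in nss_sources(nss_text, "sudoers"):
        problems.append("nsswitch.conf: sudoers does not list sss")
    return problems


if __name__ == "__main__":
    print(check_sudo_client(SSSD_CONF, NSSWITCH_CONF) or "client side is consistent")
```
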






Re: [Freeipa-users] sudo Cmnd_Alias ?

2016-08-09 Thread Tony Brian Albers
On Tue, 2016-08-09 at 10:16 +0200, Jakub Hrozek wrote:
> On Tue, Aug 09, 2016 at 07:12:30AM +0000, Tony Brian Albers wrote:
> > Hi guys,
> > 
> > I'm working on getting ambari from IBM BigInsights working using sudo in
> > FreeIPA, and I've come across the following(there are a few of these):
> > 
> > Cmnd_Alias BIGSQL_SERVICE_AGNT=
> > 
> > /var/lib/ambari-agent/cache/stacks/BigInsights/*/services/BIGSQL/package/scripts/*
> > 
> > Does anyone know how to implement a cmnd_alias in FreeIPA's sudo? I can't 
> > find anything about it in the docs.
> 
> Would sudo command group work the way you want?
> 


It might, I'm trying it now.

Thanks for the suggestion.

/tony
-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316
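
One way to turn the Cmnd_Alias quoted above into the sudo command group suggested in the reply, as an added example (not code from the thread or from FreeIPA). It parses the alias and emits the corresponding `ipa sudocmd-add`, `ipa sudocmdgroup-add`, `ipa sudocmdgroup-add-member` and `ipa sudorule-add-allow-command` lines, and lists wildcard entries for review; the rule name `ambari-agent` and the lower-cased group name are assumptions.

```python
import re
import shlex

# The alias from the post above, joined onto one line.
SUDOERS = (
    "Cmnd_Alias BIGSQL_SERVICE_AGNT="
    "/var/lib/ambari-agent/cache/stacks/BigInsights/*/services/BIGSQL/package/scripts/*\n"
)


def parse_cmnd_aliases(text):
    """Return {alias: [command, ...]}; assumes one alias definition per line."""
    aliases = {}
    for line in text.replace("\\\n", " ").splitlines():  # join backslash continuations
        match = re.match(r"\s*Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)", line)
        if match:
            # Commands are comma separated; "\," is a literal comma in an argument.
            parts = re.split(r"(?<!\\),", match.group(2))
            aliases[match.group(1)] = [p.strip() for p in parts if p.strip()]
    return aliases


def wildcard_commands(aliases):
    """Return the commands whose path or arguments contain shell-style wildcards."""
    return [c for cmds in aliases.values() for c in cmds if re.search(r"[*?\[]", c)]


def to_ipa_commands(aliases, rule):
    """Return ipa CLI lines that recreate each alias as a sudo command group on `rule`."""
    lines = []
    for name, commands in aliases.items():
        group = name.lower()
        desc = shlex.quote("from Cmnd_Alias " + name)
        lines.append(f"ipa sudocmdgroup-add {group} --desc={desc}")
        for cmd in commands:
            quoted = shlex.quote(cmd)  # keeps the shell from expanding the wildcards
            lines.append(f"ipa sudocmd-add {quoted}")
            lines.append(f"ipa sudocmdgroup-add-member {group} --sudocmds={quoted}")
        lines.append(
            f"ipa sudorule-add-allow-command {shlex.quote(rule)} --sudocmdgroups={group}"
        )
    return lines


if __name__ == "__main__":
    parsed = parse_cmnd_aliases(SUDOERS)
    print("\n".join(to_ipa_commands(parsed, "ambari-agent")))  # rule name is hypothetical
    print("review wildcard entries:", wildcard_commands(parsed))
```

Wildcard entries are listed separately because every file matching the pattern becomes runnable through sudo, so write access to those directories is worth checking before the rule is enabled.
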






[Freeipa-users] sudo Cmnd_Alias ?

2016-08-09 Thread Tony Brian Albers
Hi guys,

I'm working on getting ambari from IBM BigInsights working using sudo in
FreeIPA, and I've come across the following(there are a few of these):

Cmnd_Alias BIGSQL_SERVICE_AGNT=

/var/lib/ambari-agent/cache/stacks/BigInsights/*/services/BIGSQL/package/scripts/*

Does anyone know how to implement a cmnd_alias in FreeIPA's sudo? I can't find 
anything about it in the docs.

TIA

/tony
-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316






Re: [Freeipa-users] copying through intermediate host. SOLVED

2016-07-08 Thread Tony Brian Albers
Ok, so I managed to get this fixed. It turned out that I ssh
port-forwarded in the wrong direction.  So the solution is as follows:

[workstation1]# ssh -L 9000:localhost:389 root@server1
[server1]# 

[workstation1]# ssh -R 9100:localhost:9000 root@server2
[server2]# echo password | ipa migrate-ds --bind-dn="cn=Directory Manager" \
    --user-container=cn=users,cn=accounts \
    --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup \
    --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
    --user-ignore-objectclass=mepOriginEntry --with-compat ldap://localhost:9100
---
migrate-ds:
---
Migrated: 

--
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.



The main thing I missed was that I thought that the ldap:// URI in ipa
migrate-ds should point to the receiving server, since the documentation
explains that migrate-ds exports data. In reality, migrate-ds imports
data from the mentioned ldap uri and into the locally running ipa
server. So it should be run on the receiving host.

/tony





-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316
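
The direction of the two tunnel setups, modelled as an added example (not code from the thread). It follows each chain of `ssh -L` / `ssh -R` forwards to the directory that `ipa migrate-ds ldap://localhost:9100` actually reads from, for the working setup above and for the first attempt quoted further down the page; the function names are hypothetical and `localhost` is the only target host handled specially.

```python
def forward(kind, spec, client, server):
    """Map one `ssh -L/-R port:host:hostport` option to (listener, target) endpoints.

    -L listens on the ssh client and connects out from the ssh server;
    -R listens on the ssh server and connects out from the ssh client.
    """
    port, host, hostport = spec.split(":")
    listen_on, connect_from = (client, server) if kind == "L" else (server, client)
    target = connect_from if host == "localhost" else host
    return (listen_on, int(port)), (target, int(hostport))


def resolve(endpoint, forwards):
    """Follow forwarded ports until reaching an endpoint that is not a tunnel listener."""
    seen = set()
    while endpoint in forwards and endpoint not in seen:
        seen.add(endpoint)
        endpoint = forwards[endpoint]
    return endpoint


def migration_direction(run_on, uri_port, forwards):
    """Return (source, destination) for migrate-ds run on `run_on` against localhost:uri_port."""
    host, port = resolve((run_on, uri_port), forwards)
    # migrate-ds imports from the LDAP URI into the IPA server it is run on.
    return f"{host}:{port}", run_on


# Both ssh sessions are opened from workstation1, as in the posts.
SOLVED = dict([
    forward("L", "9000:localhost:389", "workstation1", "server1"),
    forward("R", "9100:localhost:9000", "workstation1", "server2"),
])
FIRST_ATTEMPT = dict([
    forward("L", "9000:localhost:389", "workstation1", "server2"),
    forward("R", "9100:localhost:9000", "workstation1", "server1"),
])

if __name__ == "__main__":
    print(migration_direction("server2", 9100, SOLVED))
    print(migration_direction("server1", 9100, FIRST_ATTEMPT))
```
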






Re: [Freeipa-users] copying through intermediate host.

2016-07-08 Thread Tony Brian Albers
Replying to myself here, I do that sometimes when I feel alone ;)

I actually tried ssh port forwarding and relaying through workstation1,
like so:

ssh -L 9000:localhost:389 root@server2  (in one terminal)

ssh -R 9100:localhost:9000 root@server1 (in another terminal)

And then, on server1:

echo password | ipa migrate-ds --bind-dn="cn=Directory Manager" \
    --user-container=cn=users,cn=accounts \
    --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup \
    --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
    --user-ignore-objectclass=mepOriginEntry --with-compat ldap://localhost:9100

But I get:
ipa: ERROR: Insufficient access:  Invalid credentials

Even though the password _is_ correct and port 9100 is connected to ipa
on server2:

[server1]# ldapsearch -x -h localhost:9100  -b dc=server2,dc=server2net
uid=admin
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, users, compat, server2.server2net
dn: uid=admin,cn=users,cn=compat,dc=server2,dc=server2net
cn: Administrator
objectClass: posixAccount
objectClass: ipaOverrideTarget



So, I can connect to server2 on server1's port 9100 but I can't get ipa
migrate-ds to use it.

And I did a kinit admin on server1 first ;)

Any suggestions are appreciated.

/tony


On Fri, 2016-07-08 at 08:50 +0000, Tony Brian Albers wrote:
> Hi Guys,
> 
> I'm trying to copy relevant users and groups from one IPA
> server(server1) to another(server2). This is they can't talk to one
> another, they can't even establish connections to something outside
> their own networks. SSH into the servers from where I am(workstation1)
> works fine for both of them.
> 
> Is there a way to use ipa migrate-ds and get it to dump to a file that I
> can import on server2?
> 
> The network layout is like this
> server1<>firewall2>>server2
> 
> So, the firewalls allow connections from workstation1 to server 1 and
> server2, but not from server1 to server2 or from either server1 or
> server2 to workstation1.
> 
> The easy solution would be dumping the necessary info from the IPA
> server to a file and then import it on the other server.
> 
> Any suggestions?  I've looked a bit at ssh port forwarding, but I can't
> really get an idea as how to relay the two connections to the servers to
> one another.
> 
> Thanks,
> 
> Tony
> 
> -- 
> Best regards,
> 
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
> 
> 
> 
> 

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316






[Freeipa-users] copying through intermediate host.

2016-07-08 Thread Tony Brian Albers
Hi Guys,

I'm trying to copy relevant users and groups from one IPA
server(server1) to another(server2). This is they can't talk to one
another, they can't even establish connections to something outside
their own networks. SSH into the servers from where I am(workstation1)
works fine for both of them.

Is there a way to use ipa migrate-ds and get it to dump to a file that I
can import on server2?

The network layout is like this
server1<>firewall2>>server2

So, the firewalls allow connections from workstation1 to server 1 and
server2, but not from server1 to server2 or from either server1 or
server2 to workstation1.

The easy solution would be dumping the necessary info from the IPA
server to a file and then import it on the other server.

Any suggestions?  I've looked a bit at ssh port forwarding, but I can't
really get an idea as how to relay the two connections to the servers to
one another.

Thanks,

Tony

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316






[Freeipa-users] Apache Knox and FreeIPA

2016-06-02 Thread Tony Brian Albers
Hi guys,

Do any of you have this setup working? And if so, how did you do it?

Thanks,

Tony
-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316






[Freeipa-users] Sudo ALL rule

2016-05-31 Thread Tony Brian Albers
Hi guys,

I'm implementing FreeIPA to authenticate users on a small HPC cluster
here. For a few of these I need a sudo rule that in essence does the
same as the standard ALL(ALL) rule. How do I implement that in FreeIPA?

I've found some links/guides on the net, but they don't seem appropriate
for our version, 4.2.0

Any help is appreciated.

/tony
-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316



