Re: [Freeipa-users] getent passwd returns usern...@domain.com for username
Tuned out to be the default_domain_suffix setting. It appears our RHEL 6.5 installs ignore it but RHEL 6.8 doesn't. Now that the setting actually does something I've discovered my setting was wrong. Thanks! Dan -Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: May 12, 2016 12:09 AM To: Watson, Dan Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] getent passwd returns usern...@domain.com for username On (11/05/16 17:17), Watson, Dan wrote: >Hi All, > >I've run into some strangeness and I just haven't been able to find a solution >online. > >On my existing RHEL 6.5 servers everything runs fine. I do not use the IPA >client install but rather manually setup SSSD, LDAP and Kerberos. We've got a >RHEL 6.8 machine that just was added to IPA and it's showing some strangeness. > >RHEL 6.5: >getent passwd >... >username:*:12345678:12345678:User Name:/home/username:/bin/bash >... > The output looks like with disabled option use_fully_qualified_names. >RHEL 6.8: >getent passwd >... >usern...@domain.com:*:12345678:12345678:User Name:/home/username:/bin/bash >... > The output looks like with enabled option use_fully_qualified_names. By default it should be false. However, if you use default_domain_suffix then the default value is true. https://fedorahosted.org/sssd/ticket/2569 This bug fix was introduced in 1.13.0 LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] getent passwd returns usern...@domain.com for username
Hi All, I've run into some strangeness and I just haven't been able to find a solution online. On my existing RHEL 6.5 servers everything runs fine. I do not use the IPA client install but rather manually setup SSSD, LDAP and Kerberos. We've got a RHEL 6.8 machine that just was added to IPA and it's showing some strangeness. RHEL 6.5: getent passwd ... username:*:12345678:12345678:User Name:/home/username:/bin/bash ... RHEL 6.8: getent passwd ... usern...@domain.com:*:12345678:12345678:User Name:/home/username:/bin/bash ... They have the same sssd.conf, the same krb5.conf and all the same LDAP config files. Has anyone seen this before? Thanks! Dan -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Scripting reports from ipa?
Hi all, Can anyone tell me how to script calls from the ipa server? I would like to be able to do something like "ipa group-show unix_admin" in a script, but I don't know how to pass Kerberos credentials that don't expire. I'd appreciate some help, thanks! Dan -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Integration with Solaris 10
I finally got it working, the default setup of "ldapclient init" missed the special mapping for netgroups, so I had to do a manual setup that included the mapping. ldapclient manual \ -a credentialLevel=anonymous \ -a authenticationMethod=none \ -a defaultSearchBase=dn=domain,dn=name \ -a domainName=domain.name \ -a defaultServerList=server.domain.name \ -a objectClassMap=shadow:shadowAccount=posixaccount \ -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \ -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp \ -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp \ -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp It's the last line that forces the OS level ldap client to look in the rich location for the netgroup information. I hope this helps the next person. Thanks for all the help! Dan -Original Message- From: Watson, Dan Sent: January 02, 2015 11:41 AM To: 'Rob Crittenden'; freeipa-users@redhat.com Subject: RE: [Freeipa-users] Integration with Solaris 10 Hi Rob, Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't seem to like the netgroup option: -bash-3.2# getent netgroup test1 Unknown database: netgroup usage: getent database [ key ... ] -bash-3.2# uname -a SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120 -bash-3.2# cat /etc/release Solaris 10 10/09 s10s_u8wos_08a SPARC Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. Use is subject to license terms. Assembled 16 September 2009 -bash-3.2# Thanks! Dan -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: January 02, 2015 10:15 AM To: Watson, Dan; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Integration with Solaris 10 Watson, Dan wrote: > Hi All, > > I've lurked in the list history and cannot find anyone saying they have > gotten login restrictions working with Solaris 10 u8. Has anyone on here > successfully configured login restrictions on Solaris 10 u8 through u11? I'm > looking for specific instructions from someone who has gotten this to work > before. > > The two main routes to login restrictions I could find online are Netgroups > or conditional ldap queries in ldapclient > > I initially tried netgroups but wasn't sure how to trouble shoot when it > didn't work. There don't seem to be any user-land tools to query netgroups > and further investigation turned up an issue with OpenLDAP. It seems the > built-in Solaris 10 ldap client expects schema RFC2307bis and not the > OpenLDAP standard RFC2307 (explanation here > http://www.openldap.org/lists/openldap-software/200501/msg00309.html). does > anyone know if this issue applies to IPA? Or how I check? > > The alternative of passing a restrictive query to ldapclient seems like a > good route but doesn't seem to work. The common solution when using the old > SunOne directory server was to pass the ldapclient (command line ldap > configuration tool) an option like > "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" > (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) > which is supposed to restrict account checking to only people in > ou=people,p=myorg,c=de who are also members of > cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work > in IPA, first of all because there is no "isMemberof" attribute to a user, > but also doesn't work on other attributes like uid or uidNumber. One possible > explanation I've found is that these attributes are not indexed, but I have > no idea if this is correct or how to add them to be indexed. > > Has anyone else solved this? I just need to be able to allow only a specific > user group to log in to the host, unfortunately the ssh directive > "AllowGroups" is not good enough, this has to be system wide as we also have > samba and some other services that rely on system authentication. > > Can anyone be of some help? > > Thanks! > Dan > You can use getent netgroup to get a specific netgroup. Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Integration with Solaris 10
Hi Rob, Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't seem to like the netgroup option: -bash-3.2# getent netgroup test1 Unknown database: netgroup usage: getent database [ key ... ] -bash-3.2# uname -a SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120 -bash-3.2# cat /etc/release Solaris 10 10/09 s10s_u8wos_08a SPARC Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. Use is subject to license terms. Assembled 16 September 2009 -bash-3.2# Thanks! Dan -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: January 02, 2015 10:15 AM To: Watson, Dan; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Integration with Solaris 10 Watson, Dan wrote: > Hi All, > > I've lurked in the list history and cannot find anyone saying they have > gotten login restrictions working with Solaris 10 u8. Has anyone on here > successfully configured login restrictions on Solaris 10 u8 through u11? I'm > looking for specific instructions from someone who has gotten this to work > before. > > The two main routes to login restrictions I could find online are Netgroups > or conditional ldap queries in ldapclient > > I initially tried netgroups but wasn't sure how to trouble shoot when it > didn't work. There don't seem to be any user-land tools to query netgroups > and further investigation turned up an issue with OpenLDAP. It seems the > built-in Solaris 10 ldap client expects schema RFC2307bis and not the > OpenLDAP standard RFC2307 (explanation here > http://www.openldap.org/lists/openldap-software/200501/msg00309.html). does > anyone know if this issue applies to IPA? Or how I check? > > The alternative of passing a restrictive query to ldapclient seems like a > good route but doesn't seem to work. The common solution when using the old > SunOne directory server was to pass the ldapclient (command line ldap > configuration tool) an option like > "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" > (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) > which is supposed to restrict account checking to only people in > ou=people,p=myorg,c=de who are also members of > cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work > in IPA, first of all because there is no "isMemberof" attribute to a user, > but also doesn't work on other attributes like uid or uidNumber. One possible > explanation I've found is that these attributes are not indexed, but I have > no idea if this is correct or how to add them to be indexed. > > Has anyone else solved this? I just need to be able to allow only a specific > user group to log in to the host, unfortunately the ssh directive > "AllowGroups" is not good enough, this has to be system wide as we also have > samba and some other services that rely on system authentication. > > Can anyone be of some help? > > Thanks! > Dan > You can use getent netgroup to get a specific netgroup. Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Integration with Solaris 10
On 12/29/2014 4:22 PM, Pal, Dmitri wrote: >On 12/29/2014 03:40 PM, Watson, Dan wrote: >> Hi All, >> >> I've lurked in the list history and cannot find anyone saying they have >> gotten login restrictions working with Solaris 10 u8. Has anyone on here >> successfully configured login restrictions on Solaris 10 u8 through u11? I'm >> looking for specific instructions from someone who has gotten this to work >> before. >> >> The two main routes to login restrictions I could find online are Netgroups >> or conditional ldap queries in ldapclient >> >> I initially tried netgroups but wasn't sure how to trouble shoot when it >> didn't work. There don't seem to be any user-land tools to query netgroups >> and further investigation turned up an issue with OpenLDAP. It seems the >> built-in Solaris 10 ldap client expects schema RFC2307bis and not the >> OpenLDAP standard RFC2307 (explanation here >> http://www.openldap.org/lists/openldap-software/200501/msg00309.html). does >> anyone know if this issue applies to IPA? Or how I check? >> >> The alternative of passing a restrictive query to ldapclient seems like a >> good route but doesn't seem to work. The common solution when using the old >> SunOne directory server was to pass the ldapclient (command line ldap >> configuration tool) an option like >> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" >> (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) >> which is supposed to restrict account checking to only people in >> ou=people,p=myorg,c=de who are also members of >> cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to >> work in IPA, first of all because there is no "isMemberof" attribute to a >> user, but also doesn't work on other attributes like uid or uidNumber. One >> possible explanation I've found is that these attributes are not indexed, >> but I have no idea if this is correct or how to add them to be indexed. >> >> Has anyone else solved this? I just need to be able to allow only a specific >> user group to log in to the host, unfortunately the ssh directive >> "AllowGroups" is not good enough, this has to be system wide as we also have >> samba and some other services that rely on system authentication. >> >> Can anyone be of some help? >> >> Thanks! >> Dan >> >Did you try this? >https://fedorahosted.org/freeipa/ticket/4633 That ticket and all the ones referenced in it are all about setting up basic connectivity to IPA, including secure connections. They do not deal with login restrictions at all. I am already logging in and authenticating fine, but I am lacking any way to restrict logins to a subset of all user accounts in IPA. > >-- >Thank you, >Dmitri Pal > >Sr. Engineering Manager IdM portfolio >Red Hat, Inc. Can you direct me to finding out if the schema matches RFC2307bis? Or how to modify it to work with RFC2307bis? Has anyone gotten LDAP restrictions working? Or netgroups? Thanks! Dan -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] Integration with Solaris 10
Hi All, I've lurked in the list history and cannot find anyone saying they have gotten login restrictions working with Solaris 10 u8. Has anyone on here successfully configured login restrictions on Solaris 10 u8 through u11? I'm looking for specific instructions from someone who has gotten this to work before. The two main routes to login restrictions I could find online are Netgroups or conditional ldap queries in ldapclient I initially tried netgroups but wasn't sure how to trouble shoot when it didn't work. There don't seem to be any user-land tools to query netgroups and further investigation turned up an issue with OpenLDAP. It seems the built-in Solaris 10 ldap client expects schema RFC2307bis and not the OpenLDAP standard RFC2307 (explanation here http://www.openldap.org/lists/openldap-software/200501/msg00309.html). does anyone know if this issue applies to IPA? Or how I check? The alternative of passing a restrictive query to ldapclient seems like a good route but doesn't seem to work. The common solution when using the old SunOne directory server was to pass the ldapclient (command line ldap configuration tool) an option like "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" (from here https://community.oracle.com/thread/2014224?start=0&tstart=0) which is supposed to restrict account checking to only people in ou=people,p=myorg,c=de who are also members of cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work in IPA, first of all because there is no "isMemberof" attribute to a user, but also doesn't work on other attributes like uid or uidNumber. One possible explanation I've found is that these attributes are not indexed, but I have no idea if this is correct or how to add them to be indexed. Has anyone else solved this? I just need to be able to allow only a specific user group to log in to the host, unfortunately the ssh directive "AllowGroups" is not good enough, this has to be system wide as we also have samba and some other services that rely on system authentication. Can anyone be of some help? Thanks! Dan -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project