[Freeipa-users] DNS forwarding issue
Hello,

I have a problem with a Samba setup that I haven't been able to overcome for months. I am trying to set up Samba on RHEL 7 using SSSD instead of winbind.

Currently, I have a one-way trust between the production Active Directory and the production IPA. I have users on IPA and Active Directory. For example, I have an account called will...@activedirectory.example.com and will...@ipa.example.com. To get sharing working, I have created a POSIX group that now has the above users. The intent is that I should be able to write to my Linux home directory irrespective of which account I log in with.

[homes]
comment = Home Directories
path = /home/william
browseable = yes
writeable = yes
valid users = @william_posix_group

From any of the IPA clients, Samba seems to work fine. I can log in with the Samba client, delete, list and do anything. With klist, I do see both the CIFS and Linux host tickets.

From Windows though, it doesn't work. I see that the Windows system did actually get the host ticket for the server running Samba and the Windows host ticket, but the CIFS ticket is missing.

With that background, I have set up a dummy Active Directory called test.local. Essentially, I intend to destroy it once I verify that the behaviour is consistent with the production Active Directory. I am however stuck with the DNS setup, and can't therefore establish trust between the production IPA and the dummy Active Directory. Would you know what I could be doing wrong from the logs below?

[root@lithium ~]# ipa dnsforwardzone-add test.local. --forwarder=192.168.11.56 --forward-policy=first
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNSSEC validation failed: record 'test.local. SOA' failed DNSSEC validation on server 192.168.20.1.
Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA servers.
  Zone name: test.local.
  Active zone: TRUE
  Zone forwarders: 192.168.11.56
  Forward policy: first
[root@lithium ~]# dig +short -t SRV _kerberos._udp.dc._msdcs.test.local
[root@lithium ~]# dig @192.168.11.56 +short -t SRV _kerberos._udp.dc._msdcs.test.local
0 100 88 server.test.local.
[root@lithium ~]#

Regards,
William

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Creating trust relationship that survive password rotation
Good evening,

I am looking through the IPA documentation and it looks like I will need a password that doesn't expire on the Active Directory side. These are the two documented ways.

ipa trust-add --type=ad ad.example.com --admin Administrator --password
ipa trust-add --type=ad ad.example.com --trust-secret

I had initially used the first method, but we recently started rotating the admin password. I suspect this has broken the trust and I am looking for a more durable solution.

On closely reading through the trust secret section of the documentation, it looks like it also involves using a password. I thought I had read somewhere that trust can be done without a permanent password, but this doesn't seem like the case now.

Is there a way of creating trust without putting a non-expiry exception on the Active Directory trust account?

Regards,
William
Re: [Freeipa-users] LDAP based autofs map redundancy
Hello,

To add to the previous mail, I have noticed this:

I had two IPA servers, hydrogen and lithium. lithium died and I will be setting up another soon after I find why the setup isn't redundant with one IPA. But this line seems to be a lead:

Working: ipa_server = _srv_, hydrogen.eng.example.com
Failing: ipa_server = _srv_, lithium.eng.example.com

I have read up on that format and it seems fine from the reading. To add to that, the DNS records seem to be fine too.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> SRV _ldap._tcp.eng.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.eng.example.com.	IN	SRV

;; ANSWER SECTION:
_ldap._tcp.eng.example.com. 86400 IN SRV 0 100 389 hydrogen.eng.example.com.
_ldap._tcp.eng.example.com. 86400 IN SRV 0 100 389 lithium.eng.example.com.

;; AUTHORITY SECTION:
eng.example.com. 86400 IN NS hydrogen.eng.example.com.
eng.example.com. 86400 IN NS lithium.eng.example.com.

;; ADDITIONAL SECTION:
lithium.eng.example.com. 1200 IN A 192.168.20.3
hydrogen.eng.example.com. 1200 IN A 192.168.20.1

;; Query time: 1 msec
;; SERVER: 192.168.20.1#53(192.168.20.1)
;; WHEN: Tue Mar 14 18:32:44 2017
;; MSG SIZE rcvd: 200

What could I be missing?

Regards,
William

On 5 March 2017 at 14:59, William Muriithi wrote:
> Jakub,
>
>>> It does look though like kerberos is not affected as all systems can
>>> authenticate fine, so looks like its autofs issue alone
>>>
>>> This is the error I am noticing on the logs.
>>>
>>> Mar 2 14:18:29 platinum automount[2887]: key "brad" not found in map source(s).
>>> Mar 2 14:19:18 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
>>> Mar 2 14:19:21 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
>>
>> I guess /etc/nsswitch.conf uses ldap for automount and not sssd?
>>
> Actually no. We are using SSSD
>
> Just checked to confirm and looks like below:
>
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: sss files
> aliases: files nisplus
> sudoers: files sss
>
> Regards,
> William
Re: [Freeipa-users] LDAP based autofs map redundancy
Jakub,

>> It does look though like kerberos is not affected as all systems can
>> authenticate fine, so looks like its autofs issue alone
>>
>> This is the error I am noticing on the logs.
>>
>> Mar 2 14:18:29 platinum automount[2887]: key "brad" not found in map source(s).
>> Mar 2 14:19:18 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
>> Mar 2 14:19:21 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
>
> I guess /etc/nsswitch.conf uses ldap for automount and not sssd?
>
Actually no. We are using SSSD.

Just checked to confirm and it looks like below:

services: files sss
netgroup: files sss
publickey: nisplus
automount: sss files
aliases: files nisplus
sudoers: files sss

Regards,
William
[Freeipa-users] Can kerberos SSSD provider be used against IPA
Hello,

I just came across this document.

https://www.susecon.com/doc/2015/sessions/TUT19343.pdf

If you look at page 8, that diagram implies that the kerberos provider can only be used against an Active Directory back end. However, the Red Hat article below recommended the solution above for an IPA setup. See the third page from the bottom.

http://people.redhat.com/steved/Summits/Summit13/Summit_Handout13.pdf

Would anyone be able to comment about the inconsistency? Both articles come from a reliable source, so I am not sure what to make of it.

Regards,
William
[Freeipa-users] Push authentication policy using IPA
Hello,

Is there currently any way one can force IPA clients (Gnome and KDE) to authenticate users before one can have Gnome based services like the browser and such? I am looking for something similar to a Windows GPO that one can publish to force password authentication after restart or after a certain time expires without any user activity.

If not, would anyone have a way of controlling RHEL based system policies in a central way? Any pointer would be appreciated.

Regards,
William
[Freeipa-users] LDAP based autofs map redundancy
Afternoon,

I have noticed that even when a network has two IPA servers for redundancy, autofs doesn't seem to be able to take advantage of the remaining IPA should one of them go down. Is this a known issue with LDAP based maps or is it a configuration that needs to be adjusted?

By the way, only about half of the systems are affected and I have noticed they have this in sssd.conf:

ipa_server = _srv_, hydrogen.eng.example.com

It does look though like kerberos is not affected as all systems can authenticate fine, so it looks like it's an autofs issue alone.

This is the error I am noticing in the logs.

Mar 2 14:18:29 platinum automount[2887]: key "brad" not found in map source(s).
Mar 2 14:19:18 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
Mar 2 14:19:21 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server

Regards,
William
[Freeipa-users] Kerberos authenticated NFS issue
Afternoon.

I have noticed the errors below on a RHEL 6.8 NFS client that is using IPA 4.4 for authentication. On some systems, this error shows up a lot. The connection is fine according to nmap, but the logs imply there is an issue with the connection. What are some of the reasons that can trigger this particular error on an NFS system?

Mar 2 11:50:51 manganese rpc.gssd[8336]: WARNING: can't create tcp rpc_clnt to server plutonium.eng.example.com for user with uid 0: RPC: Remote system error - No route to host
Mar 2 11:50:51 manganese rpc.gssd[8336]: WARNING: can't create tcp rpc_clnt to server plutonium.eng.example.com for user with uid 0: RPC: Remote system error - No route to host
Mar 2 11:52:23 manganese rpc.gssd[8336]: WARNING: can't create tcp rpc_clnt to server bromine.eng.example.com for user with uid 0: RPC: Remote system error - No route to host
Mar 2 11:52:23 manganese rpc.gssd[8336]: WARNING: can't create tcp rpc_clnt to server bromine.eng.example.com for user with uid 0: RPC: Remote system error - No route to host
Mar 2 11:52:26 manganese rpc.gssd[8336]: WARNING: can't create tcp rpc_clnt to server iodine.eng.example.com for user with uid 0: RPC: Remote system error - No route to host

Regards,
William
Re: [Freeipa-users] How to change kerberos key lifetime?
Hello David/Lukas,

Thank you for your assistance so far. I still have the problem and am not even sure what to look at next. We are still seeing the key expiry error from NFS even after the proposed changes.

[william@silicon ~]$ ssh iron
Last login: Wed Mar 1 19:26:56 2017 from silicon.eng.example.com
Could not chdir to home directory /home/william: Key has expired
[william@iron /]$

[rtdamgr@silicon ~]$ ssh manganese
Last login: Wed Mar 1 19:26:57 2017 from silicon.eng.example.com
Could not chdir to home directory /home/william: Permission denied
[william@manganese /]$

[william@silicon ~]$ ssh iron
Last login: Wed Mar 1 19:58:36 2017 from manganese.eng.example.com
DISPLAY is manganese:2
[william@iron ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_800

These are the changes that I currently have in my sssd.conf:

[domain/eng.example.com]
krb5_realm = ENG.EXAMPLE.COM
krb5_server = hydrogen.eng.example.com
auth_provider = krb5
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
cache_credentials = True
krb5_store_password_if_offline = True

According to this article, this change would ensure that the system auto-renews the keys for the next 50 days. Why would this key expiry still show up?

http://people.redhat.com/steved/Summits/Summit13/Summit_Handout13.pdf

One side question, what is the difference between "auth_provider = krb5" and "auth_provider = ipa"? In other words, what is the expected difference between the two as far as IPA usage is concerned and what would make one choose one over the other?

Regards,
William

On 17 February 2017 at 09:56, Lukas Slebodnik wrote:
> On (16/02/17 18:05), William Muriithi wrote:
>>> The fact that your desktops are using SSSD changes the situation
>>> dramatically.
>>>
>>> SSSD (with ipa or krb5 provider) obtains ticket for user when he is
>>> logging-in.
>>> And can be configured to renew the ticket for the user until the ticket
>>> renew life time expires.
>>>
>>> Given this you can keep ticket life time reasonable short (~1 day) set
>>> ticket renewable life time to longer period (~2 weeks) and maintain reasonable
>>> security level without negative impact on user's daily work.
>>>
>>> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
>>> in sssd-krb5 man page.
>>>
>> Thanks a lot. I did actually end up using this. Will wait for a
>> couple of days and see if the situation is better and
>> update you.
>>
>> Curious though, why isn't renewal interval set up by default? Is there
>> a negative consequence of having SSSD renewing tickets by default? I
>> can't think of any and hence a bit lost on explaining the default
>> setup
>
> Desktop/laptop user usually does not need automatic renewal.
> They authenticate/login/unlock screen quite often and for each
> action sssd authenticates against IPA server which automatically gets/renews
> krb5 ticket. Unless machine is offline.
>
> LS
Re: [Freeipa-users] How to change kerberos key lifetime?
David,

> The fact that your desktops are using SSSD changes the situation dramatically.
>
> SSSD (with ipa or krb5 provider) obtains ticket for user when he is
> logging-in.
> And can be configured to renew the ticket for the user until the ticket renew
> life time expires.
>
> Given this you can keep ticket life time reasonable short (~1 day) set ticket
> renewable life time to longer period (~2 weeks) and maintain reasonable
> security level without negative impact on user's daily work.
>
> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
> in sssd-krb5 man page.
>

Thanks a lot. I did actually end up using this. Will wait for a couple of days and see if the situation is better and update you.

Curious though, why isn't renewal interval set up by default? Is there a negative consequence of having SSSD renewing tickets by default? I can't think of any and hence am a bit lost on explaining the default setup.

Regards,
William
Re: [Freeipa-users] How to change kerberos key lifetime?
Morning David,

Thank you very much for your help.

> first you're mentioning "key expiry" but if I understand correctly you're
> interested in "ticket lifetime".

Yes, I want to increase ticket lifetime.

>
> As mentioned here [1] the ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
>
> You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
> [libdefaults] in /etc/krb5.conf on client).
>
> To increase 2) you need to change maxlife for krbtgt service. There're two
> ways this can be done:
> a) modifying krbMaxTicketLife attribute in
> krbPrincipalName=krbtgt/example@example.org,cn=EXAMPLE.ORG,cn=kerberos,dc=example,dc=org
> b) using kadmin.local:
> # kadmin.local
> Authenticating as principal admin/ad...@example.org
> : modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
> Principal "krbtgt/example@example.org" modified.
> : exit

Will try 2 b) and see how it goes.

>
> To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf
> and restart krb5kdc service.
>

Okay, I wasn't actually aware of this. Will look at it.

> But generally I don't think it's a good idea to have such long tickets. Would
> it make sense in your use case to deploy SSSD on user systems to handle
> Kerberos tickets for them?
>

I am actually using SSSD on all the systems, even the desktops. I agree the changes above aren't ideal and would prefer to get SSSD working well. I would like to avoid this error showing up around every 12 hours.

antimony: Could not chdir to home directory /home/william: Key has expired

Regards,
William
[Freeipa-users] How to change kerberos key lifetime?
Hello,

We are currently mostly using RHEL 6 on the clients but IPA is on RHEL 7.3. I am using Kerberos to authenticate NFS mounts and it's working fine. However, there are a lot of users who are complaining that it's causing too many problems. They are all related to key expiry.

I have looked at how to rectify this and noticed that the only solution with RHEL 6 is to increase the time the key is valid. However, it hasn't worked; the key lifetime remains a day and maximum lifetime of 7 days.

These are the changes I have made so far:

Changed the policy on IPA:

[root@lithium ~]# ipa krbtpolicy-show
  Max life: 15552000
  Max renew: 25552000
[root@lithium ~]#

Changed kerberos configuration:

[libdefaults]
default_realm = ENG.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 4320h
forwardable = yes
udp_preference_limit = 0

Changed sssd configuration:

[domain/eng.example.com]
krb5_renewable_lifetime = 180d
krb5_renew_interval = 3600
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = eng.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = platinum.eng.example.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, lithium.eng.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default

[sssd]
services = nss, sudo, pam, autofs, ssh
domains = eng.example.com

[nss]
homedir_substring = /home

None have led to any difference, as seen below. What would I be missing?

Ticket cache: FILE:/tmp/krb5cc_782_L8aH9N
Default principal: will...@eng.example.com

Valid starting     Expires            Service principal
02/15/17 13:17:11  02/22/17 13:17:11  krbtgt/eng.example@eng.example.com
	renew until 03/01/17 13:17:11

Regards,
William
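Added example, not code from the thread: a small Python diagnostic that parses the klist output format quoted above and compares the observed krbtgt lifetime with the four limits listed in David's reply further up (user principal maxlife, krbtgt service maxlife, kdc.conf max_life, requested lifetime). The user policy and requested lifetime values are the ones from the post; the krbtgt and kdc.conf values are constructed placeholders chosen to match the 7-day ticket observed.

```python
"""Which Kerberos limit actually bounds the ticket lifetime you observe?

Added example, not code from the mailing list thread. It parses the
'Valid starting / Expires / renew until' block that MIT klist prints (the
format quoted in the thread) and compares the observed krbtgt lifetime
with the four limits the reply lists: maxlife of the user principal,
maxlife of the krbtgt service principal, max_life in kdc.conf, and the
lifetime the client requested (ticket_lifetime in krb5.conf).
"""
import re
from datetime import datetime

# Two-digit-year timestamp format that klist printed in the thread.
KLIST_TIME = "%m/%d/%y %H:%M:%S"

# Constructed klist output shaped like the one quoted in the thread
# (7-day ticket, renewable for 14 days).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_782_L8aH9N
Default principal: william@ENG.EXAMPLE.COM

Valid starting     Expires            Service principal
02/15/17 13:17:11  02/22/17 13:17:11  krbtgt/ENG.EXAMPLE.COM@ENG.EXAMPLE.COM
\trenew until 03/01/17 13:17:11
"""

# Limits in seconds. The first two are the values from the thread's
# original post (ipa krbtpolicy-show and ticket_lifetime = 4320h); the
# last two are constructed placeholders chosen to match the 7-day ticket
# it observed, since the post had not yet inspected them.
SAMPLE_LIMITS = {
    "user_principal_maxlife": 15552000,
    "requested_ticket_lifetime": 4320 * 3600,
    "krbtgt_service_maxlife": 7 * 86400,   # constructed
    "kdc_conf_max_life": 7 * 86400,        # constructed
}

TIMESTAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TIMESTAMP})\s+({TIMESTAMP})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s*renew until ({TIMESTAMP})$")


def parse_klist(text):
    """Return one dict per ticket: service, lifetime_s, renewable_s (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), KLIST_TIME)
            end = datetime.strptime(m.group(2), KLIST_TIME)
            tickets.append({
                "service": m.group(3),
                "start": start,
                "lifetime_s": int((end - start).total_seconds()),
                "renewable_s": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # klist prints 'renew until' right after the ticket it belongs to.
            until = datetime.strptime(m.group(1), KLIST_TIME)
            last = tickets[-1]
            last["renewable_s"] = int((until - last["start"]).total_seconds())
    return tickets


def effective_lifetime(limits):
    """The KDC grants the minimum of the limits; return it with the knobs at that minimum."""
    floor = min(limits.values())
    return floor, sorted(name for name, value in limits.items() if value == floor)


def diagnose(klist_text, limits):
    """Explain the observed krbtgt lifetime in terms of the configured limits.

    Returns the observed lifetime and renewable window, the lifetime the
    limits predict, which knobs are binding, and which knobs already exceed
    the observed lifetime (raising those further cannot help).
    """
    tgt = next(t for t in parse_klist(klist_text) if t["service"].startswith("krbtgt/"))
    expected, binding = effective_lifetime(limits)
    return {
        "observed_s": tgt["lifetime_s"],
        "renewable_s": tgt["renewable_s"],
        "expected_s": expected,
        "binding": binding,
        "already_large_enough": sorted(
            name for name, value in limits.items() if value > tgt["lifetime_s"]
        ),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_KLIST, SAMPLE_LIMITS)
    print("observed lifetime: %d days" % (report["observed_s"] // 86400))
    print("limits that bind it: %s" % ", ".join(report["binding"]))
    print("limits already above it: %s" % ", ".join(report["already_large_enough"]))
```

Feed it the real `klist` output and the four real values for a deployment, and the `already_large_enough` list tells you which of the knobs you have already raised cannot be the cause.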
[Freeipa-users] (no subject)
Hello,

I have been attempting to set up a samba server on RHEL 7 and I haven't had luck so far. I am hoping to get some guidance on what I could be missing. I am using the link below as a guide.

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

My setup is made up of two IPA version 4.4 servers (master-master) with a trust relationship to Windows AD. Samba is running on a separate system (RHEL 7.3) and is fully up to date. The Windows domain would be ad.example.com and the IPA domain is eng.example.com.

Below is my samba config at present. There is an AD group called eng that is mapped to an external group called eng_external on IPA. eng_external is a member of the ipausers group.

[global]
workgroup = ENG
realm = ENG.EXAMPLE.COM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
log level = 5
max log size = 50
security = ads
passdb backend = tdbsam
strict locking = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

[homes]
comment = Home Directories
path = /home
browseable = yes
writable = yes
valid users = @ipausers

[projects]
comment = Projects
path = /projects
browseable = yes
writable = yes
valid users = @ipausers

After restarting samba, an attempt to connect to samba from Windows results in the following samba logs. Do you notice any problem from the information that I have shared please? Would appreciate any pointer at this point.

[2017/01/17 10:17:55.905941, 5] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2017/01/17 10:17:55.905980, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/01/17 10:17:55.906751, 5] ../source3/smbd/share_access.c:120(token_contains_name)
  lookup_name ipausers failed
[2017/01/17 10:17:55.906789, 2] ../source3/smbd/service.c:427(create_connection_session_info)
  user 'will...@ad.example.com' (from session setup) not permitted to access this share (will...@ad.example.com)
[2017/01/17 10:17:55.906818, 1] ../source3/smbd/service.c:560(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/01/17 10:17:55.906838, 5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for /var/lib/samba/lock/smbXsrv_tcon_global.tdb
[2017/01/17 10:17:55.906871, 5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/lib/samba/lock/smbXsrv_tcon_global.tdb
[2017/01/17 10:17:55.906895, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:135
[2017/01/17 10:18:02.815184, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/01/17 10:18:02.815224, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2017/01/17 10:18:02.815242, 5] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2017/01/17 10:18:02.815270, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/01/17 10:18:02.815304, 5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for /var/lib/samba/lock/smbXsrv_tcon_global.tdb
[2017/01/17 10:18:02.815347, 5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/lib/samba/lock/smbXsrv_tcon_global.tdb
[2017/01/17 10:18:02.815375, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.15.41 (192.168.15.41)
[2017/01/17 10:18:02.815402, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID @ipausers is not in a valid format
[2017/01/17 10:18:02.815421, 5] ../source3/auth/user_util.c:151(user_in_netgroup)
  looking for user will...@ad.example.com of domain eng.example.com in netgroup ipausers
[2017/01/17 10:18:02.815774, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2017/01/17 10:18:02.815814, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2017/01/17 10:18:02.815835, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/01/17 10:18:02.815852, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2017/01/17 10:18:02.815868, 5] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0
[Freeipa-users] Effect of reversing trust relationship
Hello,

Curious, two weeks ago we established a two-way trust between AD and FreeIPA. This has been working fine till yesterday, when AD started having DNS issues. I am 99% certain the trust had nothing to do with the DNS issue, but I want to reverse the trust and see if we could fare better.

My question is, if I run "ipa trustdomain-del", what does it do behind the scenes?

- Will there be a change in the AD systems, or does it just remove the association on the IPA side without reversing changes on the AD side?
- What's the implication for the IPA clients? Any possibility of an outage?
- What's the difference between "ipa trustdomain-del" and restoring from "ipa-backup", and which would be more recommended if one has both options?

Regards,
William
[Freeipa-users] Assistance with Samba share integration with IPA
Hello,

I am trying to set up a samba share - actually replace winbind on a current samba server - and I am basing my change on these instructions.

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

The IPA server is version ipa-server-4.4.0-14.el7 and I have trust established between AD and IPA. The Samba server is on RHEL 6.8.

Ideally, I would prefer to leave samba on RHEL 6, and it looks like RHEL 6 is currently using sssd-1.13.3-22.el6_8.4.x86_64. According to the above link, you need sssd v1.12.2 and above. Would the version on RHEL 6 above be bundling sssd-libwbclient by any chance? If not, is it possible to install sssd-libwbclient on RHEL 6?

Also, in smb.conf, it's a bit ambiguous what REALM needs to be used. Does one need to use the IPA REALM or the Active Directory REALM on these two lines below?

workgroup = MY
realm = MY.REALM

Lastly, when I followed the above article to set up samba, I got the following errors when I attempted to connect to samba from Windows. What would be potential places to check for misconfiguration?

Dec 28 17:49:41 manganese smbd[30221]: [2016/12/28 17:49:41.503322, 0] libads/kerberos_verify.c:75(ads_dedicated_keytab_verify_ticket)
Dec 28 17:49:41 manganese smbd[30221]:   krb5_rd_req failed (Wrong principal in request)
Dec 28 17:49:41 manganese smbd[30221]: [2016/12/28 17:49:41.507090, 0] libads/kerberos_verify.c:75(ads_dedicated_keytab_verify_ticket)
Dec 28 17:49:41 manganese smbd[30221]:   krb5_rd_req failed (Wrong principal in request)

Regards,
William
Re: [Freeipa-users] (no subject)
Hi Rob,

>>> automount --dumpmaps sss auto.projects
>>>
>> Thanks, this indeed is working. Thanks for clarifying the man page.
>> It's however not listing any keys on a map created as child to master
>> using the flag below.
>>
>> --parentmap=auto.master
>>
>> This seems like a bug. Could this be a corner case that was missed?
>
> Hard to say without seeing your maps and keys.
>
> You could run `ipa automountlocation-tofiles default` to see what IPA
> thinks things look like.
>

I had checked with the above command two weeks ago and indeed have a better result that way. Also, though I added the maps using a script (CLI interface), I do see them displayed correctly and nicely in the FreeIPA GUI.

Finally, they do seem to work fine as I haven't heard of issues with the maps for the last 4 weeks we have been using this setup. We had them initially in a file and only migrated them to LDAP recently. It's after this migration that I noticed that some scripts that used to parse the auto maps as files are now broken, and I have been attempting to fix them since.

Regards,
William
Re: [Freeipa-users] Kerberos realm for different domain
Stephen,

> Can you have a domain that belongs to a Kerberos realm with a completely
> different domain? For example, could example.com belong to the
> ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
> necessary SRV and TXT records to locate it and krb5.conf is configured
> properly?

This will indeed work. It's however highly discouraged by FreeIPA. For example, if you do go this way, you will never be able to establish a trust relationship with Active Directory, as Active Directory will not accept this setup.

Also, you will be in untested territory. I don't think many people use this setup, so the code may not be well exercised in such a setup. On the positive side, you could help the FreeIPA project flush out any bugs that such a setup may expose.

Regards,
William
Re: [Freeipa-users] (no subject)
Hello Rob,

Thanks

>> After reading the above map page, I was hoping the below command would
>> list keys on one of the projects map. It doesn't work though.
>>
>> automount --dumpmaps map autofs map tercel
>>
>> The info page isn't also any better. I wonder if someone can explain
>> the use of these keys by an example. Would be very grateful
>>
>> " "
>
> You don't include "map" in the name of the thing. I think you want:
>
> automount --dumpmaps sss auto.projects
>

Thanks, this indeed is working. Thanks for clarifying the man page. It's however not listing any keys on a map created as a child to master using the flag below.

--parentmap=auto.master

This seems like a bug. Could this be a corner case that was missed?

Thanks again

Regards,
William
[Freeipa-users] (no subject)
Hello,

I have an indirect map whose keys I would like to list from the command line. I am able to see every key on the home directories map, but it displays just names for the rest of the maps.

Looking at the man page, I believe this would be my solution.

-m, --dumpmaps [ ]
With no parameters, list information about the configured automounter maps, then exit. If the dumpmaps option is given and is followed by two parameters, " " then simple "" pairs that would be read in by a map read are printed to stdout if the given map type and map name are found in the map configuration.

My maps look like this:

Mount point: /projects

source(s):
lookup_nss_read_map: reading map sss auto.projects
do_init: parse(sun): init gathered global options: (null)
lookup_nss_read_map: reading map files auto.projects

  instance type(s): sss
  map: auto.projects

  quetzal | -fstype=autofs ldap:auto.projects-quetzal
  tercel | -fstype=autofs ldap:auto.projects-tercel

After reading the above man page, I was hoping the below command would list keys on one of the projects maps. It doesn't work though.

automount --dumpmaps map autofs map tercel

The info page isn't any better either. I wonder if someone can explain the use of these keys by an example. Would be very grateful.

" "

Regards,
William
[Freeipa-users] Integrating vino or krfb to IPA server
Hello,

I am trying to see if either of the two desktop managers may be able to work with FreeIPA and I haven't had much luck. It seems like, for example, vino should be able to do so - see link below, but I haven't been able to do it or find an article from those who have attempted it before.

https://fedoraproject.org/wiki/Features/VirtVNCAuth

Would be great if anybody on this list who has gone through such an experience could share their experience. It doesn't need to be with vino or krfb specifically, but any VNC implementation that supports the physical console would be a great start.

Regards,
William
[Freeipa-users] mailing list SPAM
Hello,

This is just an FYI. Whenever I post an email here, I get a lot of emails from this address - kimirachel4...@cczaa.com. I think there is someone on the list who is harvesting email addresses. That wouldn't be too bad, because if he tried to send a fresh mail, the spam system at Google would filter it out, but since he is leveraging the mailing list and a current thread, it just passes through.

Regards,

William
Re: [Freeipa-users] mount lookup failure getautomntent_r
Jakub,

Thanks for the response.

On 27 November 2016 at 15:43, Jakub Hrozek wrote:
>
>> I have noticed an error that pops up as the final line after running
>> lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
>>
>> failed to read map
>>
>> Has anyone found a way to clean up that error?
>
> No idea without more context, sorry. Does auto mounter actually work for you
> or are some maps missing?

The mounts work fine actually. I only noticed the error because I have a script that is consuming the standard output from the "automount -m" command. I thought instead of filtering away the error, it would be more prudent to fix the root issue.

> The message can really be harmless, because the client (=automounter)
> iterates over the maps returned by the server (=sssd in this context) until
> the server returns ENOENT. I agree though the message is confusing and we'll
> be (most probably) looking at some autofs enhancements in the next sssd
> version..

Now that I have shared some context, is there any way I can track down what might be causing it? Or better, what are some of the candidate mistakes that can trigger it?

Regards,

William
[Freeipa-users] mount lookup failure getautomntent_r
Hello,

I have noticed an error that pops up as the final line after running this command: "automount -m". I suspect it's related to SELinux, but I haven't seen how to fix it from the Google search this morning. I have autofs maps on IPA and am using SSSD to read the maps.

Mount point: /-

source(s):

lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
failed to read map

Has anyone found a way to clean up that error?

Regards,

William
[Freeipa-users] Would fixing hosts file break kerberos
Afternoon,

I just noticed that I used an inappropriate way of setting up my hosts files and I am planning to make a fix. I am however worried this may break Kerberos. Should this change be of concern, and has anyone made the change before?

My current /etc/hosts is as follows:

192.168.20.2 ipa ipa.example.com

I am planning to change it so that the above line looks like this:

192.168.20.2 ipa.example.com ipa

Regards,

William
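What the change above actually alters is which name is canonical for the address. By the hosts(5) format the first name after the address is the canonical hostname and the following names are aliases; that first name is what file-based reverse lookups (getent hosts, gethostbyaddr) and getaddrinfo's canonical-name lookups return. The following shell check is an added example, not from the post: it reads hosts-format text and reports the canonical name for an address, using the two lines from the post as input.

```shell
#!/bin/sh
# Added example (not from the post): which name in an /etc/hosts line is
# the canonical hostname? Per hosts(5) the first name after the address
# is canonical and the rest are aliases; that first name is what
# file-based reverse lookups (getent hosts <ip>, gethostbyaddr) return.
HOSTS_BEFORE='192.168.20.2 ipa ipa.example.com'        # line as it is now
HOSTS_AFTER='192.168.20.2 ipa.example.com ipa'         # planned change

# hosts_canonical IP: read hosts-format text on stdin, print the
# canonical name for IP (empty if the address is not listed).
hosts_canonical() {
    awk -v ip="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }   # comments and blank lines
        $1 == ip { print $2; exit }           # first name = canonical
    '
}

# hosts_canonical_status IP: "ok" when the canonical name is fully
# qualified, "short" when it is a bare label, "missing" when absent.
hosts_canonical_status() {
    name=$(hosts_canonical "$1")
    case "$name" in
        "")  echo missing ;;
        *.*) echo ok ;;
        *)   echo short ;;
    esac
}

for line in "$HOSTS_BEFORE" "$HOSTS_AFTER"; do
    printf '%-35s canonical=%s (%s)\n' "$line" \
        "$(printf '%s\n' "$line" | hosts_canonical 192.168.20.2)" \
        "$(printf '%s\n' "$line" | hosts_canonical_status 192.168.20.2)"
done
```

On the host itself, "getent hosts 192.168.20.2" shows the same ordering the resolver uses, and "hostname -f" should report ipa.example.com once the line is changed. IPA issues the host principal and certificates for the FQDN, so making the FQDN canonical agrees with what IPA already expects rather than breaking Kerberos. Note that the "rdns = false" that ipa-client-install writes (visible in the krb5.conf quoted later on this page) only disables reverse-lookup canonicalization; forward canonicalization still uses the resolver's canonical name, so a hosts line with a bare label first is the riskier of the two.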
[Freeipa-users] query for key with hostname from automap
Hello,

I have a system using automount for home directories, and the automount maps are on FreeIPA. Is there a way I can query the username assigned to a certain host? Essentially, if I have a hostname xyz.example.com, what would be the process I would need to query the keys living on that host? Nothing under "ipa help automount" seems to meet my need, and I wonder if anybody has come across such a problem.

Thanks,

William
Re: [Freeipa-users] Kerberos enabled NFS error (Key has expired)
On 3 November 2016 at 22:59, William Muriithi wrote:
> Hello
>
> I have an NFS server that has been working fine with "sec=sys" for years
> but changed it last weekend to use "sec=krb5". Since
> then, users have been randomly complaining that they are seeing the
> below error:
>
> [alexl@manganese /<7>dtop/simulation/vhdl_example]$ ll /projects/sparrow/meng
>
> ls: cannot access /projects/sparrow/meng: Key has expired
>
> When I login and try to list the content of the same directory, all
> works fine. What is the root cause of this error? I have been
> googling for a week, but haven't found any solution so far.

Posting this to help anyone who may have the same problem and ends up coming across this post.

The problem was that the script was changing user through su. This meant they didn't have any Kerberos key on that host, as su bypassed proper authentication. When the user used his username to ssh to the host and then ran the script, the problem went away.

Regards,

William
Re: [Freeipa-users] Kerberos enabled NFS error (Key has expired)
Morning,

I did forget to post the version of software I am using:

ipa client:
sssd-ipa-1.11.6-30.el6_6.4.x86_64
ipa-client-3.0.0-50.el6_8.3.x86_64

ipa server:
ipa-server-4.2.0-15.0.1.el7.centos.18.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64

I have seen discussion of a bug where the key wasn't being renewed, but that was back in 2012, so it doesn't look very relevant.

William

On 3 November 2016 at 22:59, William Muriithi wrote:
> Hello
>
> I have an NFS server that has been working fine with "sec=sys" for years
> but changed it last weekend to use "sec=krb5". Since
> then, users have been randomly complaining that they are seeing the
> below error:
>
> [alexl@manganese /<7>dtop/simulation/vhdl_example]$ ll /projects/sparrow/meng
>
> ls: cannot access /projects/sparrow/meng: Key has expired
>
> When I login and try to list the content of the same directory, all
> works fine. What is the root cause of this error? I have been
> googling for a week, but haven't found any solution so far.
>
> Would appreciate any advice
>
> Regards,
>
> William
[Freeipa-users] Kerberos enabled NFS error (Key has expired)
Hello,

I have an NFS server that has been working fine with "sec=sys" for years but changed it last weekend to use "sec=krb5". Since then, users have been randomly complaining that they are seeing the below error:

[alexl@manganese /<7>dtop/simulation/vhdl_example]$ ll /projects/sparrow/meng

ls: cannot access /projects/sparrow/meng: Key has expired

When I login and try to list the content of the same directory, all works fine. What is the root cause of this error? I have been googling for a week, but haven't found any solution so far.

Would appreciate any advice.

Regards,

William
Re: [Freeipa-users] is ipa-client-automount idempotent?
Hi,

On 30 October 2016 at 03:26, William Muriithi wrote:
> Morning,
>
> I am curious to know if ipa-client-automount would be safe to rerun
> multiple times. I have done a bit of google search and this doesn't
> seem to have been discussed previously in this list.

Please ignore this question. I have figured out the answer to my question. It's not idempotent.

Regards,

William
[Freeipa-users] is ipa-client-automount idempotent?
Morning,

I am curious to know if ipa-client-automount would be safe to rerun multiple times. I have done a bit of google search and this doesn't seem to have been discussed previously in this list.

I have attempted to rerun it on a system multiple times and it doesn't seem to break anything, but that doesn't mean it's not messing around with the configuration files somehow.

Regards,

William
Re: [Freeipa-users] ipa automount bug?
Rob,

>>> 2. How would one import existing maps to the ipa auto.home map? Import
>>> seems to be only capable of importing to auto.master, which makes its
>>> utility doubtful
>>>
>>> [root@hydrogen ~]# ipa automountlocation-import default /tmp/2016-10-26/auto.home
>>>
>>> Imported maps:
>>> Imported keys:
>>>
>>> Added adam to auto.master
>>> ..
>>>
>>> I think we should have a flag that allows importation of keys to
>>> other maps than auto.master
>
> You're right, auto.master is hardcoded. Please open an RFE for this if you
> need to be able to specify the mount.

Thanks for confirming the problem. I will open a ticket on it this morning.

> rob

Regards,

William
Re: [Freeipa-users] ipa automount bug?
>> [root@hydrogen ~]# ipa automountmap-add-indirect default auto.projects-prs1013 –-mount=/projects/prs1013 --parentmap=auto.projects
>
> Is this a direct copy-paste from the terminal? If so and your e-mail client
> did not do any reformatting then the first character in the
> "–-mount=/projects/prs1013" is not a dash, which results in it being
> recognized as a third argument, thus the warning about at most 2 arguments.

Thanks for that observation. It was indeed the case, and it worked when I fixed that typo.

Thanks a bunch,

William

>> ipa: ERROR: command 'automountmap_add_indirect' takes at most 2 arguments
>>
>> I had got the idea that this is possible from the documentation below:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-maps.html
[Freeipa-users] ipa automount bug?
Evening,

I am trying to import some autofs maps from a file to FreeIPA LDAP and have noticed two problems that can be considered bugs in my humble opinion. This is on: ipa-server-4.2.0-15.0.1.el7

1. This is either a documentation bug that suggests one can specify a parent map while that's actually not the case, or the ipa I am running has a bug and can't handle a parent map. Below is what I get when I try to specify a parent map:

[root@hydrogen ~]# ipa automountmap-add-indirect default auto.projects-prs1013 –-mount=/projects/prs1013 --parentmap=auto.projects
ipa: ERROR: command 'automountmap_add_indirect' takes at most 2 arguments

I had got the idea that this is possible from the documentation below:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-maps.html

According to the document, I should be able to specify an automap parent. However, it doesn't look like that's actually supported.

2. How would one import existing maps to the ipa auto.home map? Import seems to be only capable of importing to auto.master, which makes its utility doubtful.

[root@hydrogen ~]# ipa automountlocation-import default /tmp/2016-10-26/auto.home

Imported maps:
Imported keys:

Added adam to auto.master
..

I think we should have a flag that allows importation of keys to other maps than auto.master.

Regards,

William
Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
Morning Jakub,

>> However, I would like to tune this configuration to drop the domain
>> component of the user and group names. I tried to do this by adding
>> these settings to the [sssd] section in sssd.conf on the client:
>>
>> default_domain_suffix = example.au
>> full_name_format = %1$s
>>
>> With this configuration, I can login as a staff domain user (example.au)
>> successfully and I then see the short-name form of the groups:
>>
>> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
>> [rnst@ipa-client-rh7 ~]$ groups
>> rnst
>>
>> Is this expected behaviour? Is there a possible client configuration that
>> will support our AD forest setup or is this simply not possible?
>
> What you did is quite correct, but unfortunately works only with
> RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

Does one need sssd-1.14 on the IPA server only, or is this required on all the IPA clients too?

Regards,

William
[Freeipa-users] NFS permissions after migrating to FreeIPA
Hello,

First, this may just be a coincidence and may have nothing to do with FreeIPA. However, I am running out of ideas and just wonder if anyone has seen it.

The only change was to move them from openLDAP to FreeIPA. The automounts were in place before this weekend and were working fine. However, I seem to have permission issues when using wildcard permissions. If I add the line below to /etc/exports, it works fine. This fixes it:

/export platinum.eng.example.com(rw,sync,no_root_squash)

However, it's clearly covered by this wildcard permission. All three lines have the same access options - rw, sync and no root squash.

[root@platinum ~]# showmount -e silicon
Export list for silicon:
/export/eng *.eng.example.com
/export     *.eng.example.com

However, I do get an error that I don't have proper rights.

Sep 25 21:54:15 platinum automount[13480]: mount_mount: mount(nfs): calling mkdir_path /home/rtdamgr
Sep 25 21:54:15 platinum automount[13480]: mount_mount: mount(nfs): calling mount -t nfs -s -o intr 192.168.20.14:/export/eng/home/rtdamgr /home/rtdamgr
Sep 25 21:54:15 platinum automount[13480]: >> mount.nfs: access denied by server while mounting 192.168.20.14:/export/eng/home/rtdamgr
Sep 25 21:54:15 platinum automount[13480]: mount(nfs): nfs: mount failure 192.168.20.14:/export/eng/home/rtdamgr on /home/rtdamgr

Would anyone know why NFS wouldn't respect wildcard hostnames?

Regards,

William
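The mechanism behind the symptom above: rpc.mountd matches a wildcard client entry such as *.eng.example.com against the name it obtains by reverse-resolving the client's address, never against the bare IP, so a client whose address has no PTR record, or a PTR in a different domain, is denied by the wildcard line while an explicit hostname entry still works. The script below is an added illustration of that decision, not code from the post or from nfs-utils; EXPORTS mirrors the showmount output in the post, while PTR_TABLE and its addresses are a constructed stand-in for the reverse DNS zone.

```shell
#!/bin/sh
# Added example (not from the post): how an NFS server decides whether a
# client matches a wildcard export. rpc.mountd first reverse-resolves
# the client's address; a pattern such as *.eng.example.com is matched
# against that name, never against the bare IP. EXPORTS mirrors the
# showmount output in the post; PTR_TABLE is a constructed stand-in for
# the reverse DNS zone and the addresses in it are made up.
EXPORTS='/export/eng  *.eng.example.com(rw,sync,no_root_squash)
/export      *.eng.example.com(rw,sync,no_root_squash)'

PTR_TABLE='192.168.20.50 platinum.eng.example.com
192.168.20.60 build01.example.com'

# reverse_name IP: the name a PTR lookup would return (empty if none)
reverse_name() {
    printf '%s\n' "$PTR_TABLE" | awk -v ip="$1" '$1 == ip { print $2 }'
}

# client_matches PATH NAME: 0 if NAME matches any client pattern that
# the exports table lists for PATH (options in parentheses are ignored).
client_matches() {
    path=$1; name=$2
    list=$(printf '%s\n' "$EXPORTS" | awk -v p="$path" '$1 == p { print $2 }')
    while read -r spec; do
        [ -n "$spec" ] || continue
        pattern=${spec%%(*}                # "*.eng.example.com"
        case "$name" in
            $pattern) return 0 ;;          # unquoted on purpose: glob match
        esac
    done <<EOF
$list
EOF
    return 1
}

# mount_decision IP PATH: prints the decision with its reason and
# returns 0 when the mount would be allowed.
mount_decision() {
    name=$(reverse_name "$1")
    if [ -z "$name" ]; then
        echo "denied: no PTR record for $1"; return 1
    fi
    if client_matches "$2" "$name"; then
        echo "allowed: $1 is $name"; return 0
    fi
    echo "denied: $name matches no client pattern for $2"; return 1
}

for ip in 192.168.20.50 192.168.20.60 192.168.20.70; do
    mount_decision "$ip" /export/eng || true     # show all three outcomes
done
```

The check to make on the real server is what "getent hosts <client ip>" (or "dig -x <client ip>") returns for the client that is being refused: if it returns nothing, or a name outside the wildcard's domain, the wildcard line cannot match. After moving name service from openLDAP-era servers to FreeIPA, a missing or stale PTR record for the client is a common reason a wildcard entry stops matching while an explicit hostname entry still works, which is exactly the contrast described in the post.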
Re: [Freeipa-users] openLDAP to FreeIPA user migration
Morning Alexander,

>> Failed user:
>> aagrim: missing attribute "sn" required by object class "organizationalPerson"
>> acctemp: missing attribute "sn" required by object class "organizationalPerson"
>> ...
>
> This looks like a common problem. I had recently made a small 'hack' to
> solve this problem.
>
> Following small fixup plugin could be used to affect how entries are
> generated. If you add it to /usr/lib/python2.7/site-packages/ipalib/plugins
> on IPA master and restart httpd service, the plugin would modify migrate-ds
> command so that 'sn' attribute would be set to a 'Migrated User Last Name' for all
> entries that miss 'sn' attribute before they actually get added into IPA
> LDAP.
>
> This is an experimental hack, of course, but it should work. Once
> migration is finished, don't forget to remove the file and restart httpd
> service again.

Worked for me, thank you. Curious, would this qualify for inclusion in a future IPA release, considering it's a common problem that shows up often?

Regards,

William
[Freeipa-users] openLDAP to FreeIPA user migration
Afternoon,

I have an openLDAP system that lacks a required attribute. This results in the migration script rejecting all the user imports. I have googled extensively, read every line of the ipa migration --help doc, and it doesn't seem I will be able to use this migration script. I wonder if there is anybody here who has been able to overcome this problem in the past.

[root@hydrogen ~]# ipa -v migrate-ds --with-compat --bind-dn="cn=admin,dc=eng.example,dc=com" --user-ignore-attribute="sn" --user-container="ou=People,dc=eng.example,dc=com" --group-container="ou=Group,dc=eng.example,dc=com" --group-objectclass="posixGroup" --user-objectclass="account" ldap://192.168.20.18:389
ipa: INFO: trying https://hydrogen.eng.example.com/ipa/session/json
Password:
ipa: INFO: Forwarding 'migrate_ds' to json server 'https://hydrogen.eng.example.com/ipa/session/json'
---
migrate-ds:
---
Migrated:
Failed user:
  aagrim: missing attribute "sn" required by object class "organizationalPerson"
  acctemp: missing attribute "sn" required by object class "organizationalPerson"
  ...

Regards,

William
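The failure above and the plugin Alexander describes in the reply earlier in this thread both come down to the same fix: every migrated user needs an "sn", and a placeholder such as 'Migrated User Last Name' satisfies organizationalPerson. The plugin patches entries inside migrate-ds; an alternative that needs nothing installed on the IPA master is to correct the source directory first. The script below is an added illustration, not part of either message: it reads an LDIF dump of the openLDAP users on stdin and emits an ldapmodify change file that adds the placeholder "sn" to every user entry that lacks one, after which migrate-ds can be re-run unchanged. SAMPLE_LDIF is constructed (the uids echo the failure list in the post; DNs, numbers and the group are made up), and the script assumes one attribute per line, i.e. an export without folded continuation lines.

```shell
#!/bin/sh
# Added example, not part of the thread: produce an ldapmodify change
# file that gives every user entry lacking "sn" the same placeholder the
# plugin uses. SAMPLE_LDIF is constructed (uids echo the failure list in
# the post; DNs, numbers and the group are made up). Assumes one
# attribute per line, i.e. no folded continuation lines.
SAMPLE_LDIF='dn: uid=aagrim,ou=People,dc=eng.example,dc=com
objectClass: account
objectClass: posixAccount
uid: aagrim
cn: A Agrim
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/aagrim

dn: uid=bsmith,ou=People,dc=eng.example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bsmith
cn: Bob Smith
sn: Smith
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/bsmith

dn: cn=eng,ou=Group,dc=eng.example,dc=com
objectClass: posixGroup
cn: eng
gidNumber: 1001'

# missing_sn_modify_ldif PLACEHOLDER: read an LDIF dump on stdin and
# emit one "changetype: modify / add: sn" record per user entry that has
# no sn. Entries count as users when they carry objectClass account,
# posixAccount or inetOrgPerson; groups are left alone.
missing_sn_modify_ldif() {
    awk -v placeholder="$1" '
        function flush() {
            if (dn != "" && is_user && !has_sn) {
                print "dn: " dn
                print "changetype: modify"
                print "add: sn"
                print "sn: " placeholder
                print "-"
                print ""
            }
            dn = ""; has_sn = 0; is_user = 0
        }
        /^$/      { flush(); next }                 # blank line ends an entry
        /^dn: /   { dn = substr($0, 5) }
        tolower($0) ~ /^sn:/ { has_sn = 1 }
        tolower($0) ~ /^objectclass: (account|posixaccount|inetorgperson)$/ { is_user = 1 }
        END       { flush() }
    '
}

# count_missing_sn: number of entries the change file would touch
count_missing_sn() {
    missing_sn_modify_ldif x | grep -c '^dn: ' || true
}

# Typical use against the real directory (not run here; -o ldif-wrap=no
# keeps ldapsearch from folding long lines):
#   ldapsearch -x -LLL -o ldif-wrap=no -H ldap://192.168.20.18 \
#       -b ou=People,dc=eng.example,dc=com \
#     | missing_sn_modify_ldif 'Migrated User Last Name' \
#     | ldapmodify -x -H ldap://192.168.20.18 -D cn=admin,dc=eng.example,dc=com -W
printf '%s\n' "$SAMPLE_LDIF" | missing_sn_modify_ldif 'Migrated User Last Name'
```

Running count_missing_sn on the export first gives the number of accounts that will be touched, which should equal the number of names in the "Failed user" list; a mismatch points at entries with an object class the filter does not recognise.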
[Freeipa-users] FreeIPA without using User Principal Name
Hello,

I am having a problem introducing IPA to an organization because FreeIPA uses the User Principal Name and the organization has scripts that will break as they expect the short username.

I had initially used a trust but have since un-enrolled it from AD as I realized I couldn't use short names with two domains. However, even with a single domain, I can't seem to achieve the use of short names. I do log in with the short name after the sssd change, but my env username is in User Principal Name format.

Is this objective achievable?

Regards,

William
[Freeipa-users] nfsidmap oddity
Morning,

I have been struggling with an nfsidmap issue for a couple of days and wouldn't mind fresh eyes.

Essentially, I have a FreeIPA that has a trust relationship with AD. The AD is on domain example-corp.example.com while FreeIPA manages eng.example.com. The problem is, when I login using an AD account, nfsidmap seems to think I am on the FreeIPA account. I have changed idmapd.conf to use the AD domain but that doesn't help.

vi /etc/idmapd.conf
Domain = example-corp.example.com

[william@cacti ~]$ ssh 'william@example-corp'@platinum.eng.example.com
william@example-c...@platinum.eng.example.com's password:
Last login: Tue Aug 23 11:45:33 2016 from 192.168.20.28
[will...@example-corp.example.com@platinum ~]$ env | grep USER
USER=will...@example-corp.example.com
[will...@example-corp.example.com@platinum ~]$ su
Password:
[root@platinum william]# tail /var/log/messages
Aug 26 08:18:13 platinum nfsidmap[17780]: nss_getpwnam: name 'r...@eng.example.com' does not map into domain 'example-corp.example.com'
Aug 26 08:18:13 platinum nfsidmap[17784]: nss_getpwnam: name 'will...@eng.example.com' does not map into domain 'example-corp.example.com'
[Freeipa-users] Very slow enrolment process
Hello,

I have systems that were previously using openLDAP and plan to migrate them to FreeIPA. I have a problem I have been struggling with since Thursday. The client takes 10 to 15 minutes to finish the enrolment process. I can't find anything in the logs, have disabled nscd, the DNS and hostname are set up right, and nothing in the message logs points me to the problem. I have put SELinux into permissive mode and done all the basic checks I can think of. It's always stalling at this point. What usually happens after the end of the log below?

---
2016-08-22T01:12:07Z INFO Synchronizing time with KDC...
2016-08-22T01:12:07Z DEBUG Search DNS for SRV record of _ntp._udp.eng.example.com.
2016-08-22T01:12:07Z DEBUG DNS record found: DNSResult::name:_ntp._udp.eng.example.com.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:hydrogen.eng.example.com.}
2016-08-22T01:12:08Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v hydrogen.eng.example.com
2016-08-22T01:12:08Z DEBUG stdout=
2016-08-22T01:12:08Z DEBUG stderr=
2016-08-22T01:12:08Z DEBUG Writing Kerberos configuration to /tmp/tmpYLpzuV:
2016-08-22T01:12:08Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = ENG.EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0

[realms]
  ENG.EXAMPLE.COM = {
    kdc = hydrogen.eng.example.com:88
    master_kdc = hydrogen.eng.example.com:88
    admin_server = hydrogen.eng.example.com:749
    default_domain = eng.example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .eng.example.com = ENG.EXAMPLE.COM
  eng.example.com = ENG.EXAMPLE.COM

Regards,

William
Re: [Freeipa-users] PKI signing certificate question
Mateusz,

>> > There is "X.509 Name Constraints" extension for certificates, however
>> > external CA would have to make this extension as "critical" (which would
>> > probably cause compatibility issues with some software - "critical" means
>> > that if some app doesn't know how to handle this extension, it has to
>> > report error and do not proceed with establishing secure connection).
>>
>> The certificate with CA basic constraint would only have been used on
>> freeIPA, not on other servers. I believe freeIPA could handle such a
>> certificate.
>
> FreeIPA should be perfectly fine, the problem is with workstations. While
> (almost?) all software is capable of understanding CA basic constraint (as
> it was known and used for ages), limiting CA to single domain zone using
> X.509 Name Constraints can have some side effects (apps on user workstation
> have to validate all certificates up to root CA - if it happens that they
> don't understand name constraints, they will choke on IPA CA certificate if
> such extension is marked "critical"; I think that's the case with majority
> of Apple devices). I'm not aware of any CA that issues technically
> constrained sub-CAs and I think that according to latest guidelines, they
> are required to publicly disclose other sub-CAs issued (and such CAs have to
> undergo full WebTrust audit and have CPS just like regular CA).

Interesting, now I understand what you meant. Makes a lot of sense.

>> > As I understand, --external-ca option should be used when you already
>> > have configured PKI infrastructure in your network (for example Active
>> > Directory Certificate Services) and spinning another internal CA is not a
>> > big deal. You've mentioned that there is already an Active Directory
>> > domain,
>> > (...)
>>
>> Interesting. Active Directory certificate service would also be using self
>> signed certificate, correct?
>
> Correct. AD Certificate Service can generate its own self-signed root CA
> certificate, just like FreeIPA with internal CA does. As far as I know,
> depending on how you initialize AD CS, this certificate would be deployed to
> domain-joined machines automatically or you would have to push it through
> Group Policies.

Thanks, I understand the purpose of the --external-ca flag pretty well now.

> --
> Best regards
> Mateusz Małek

Thanks a lot Mateusz. Really appreciate your great response. I now do feel I have all the info I was looking for when I started this thread.

Regards,

William
Re: [Freeipa-users] PKI signing certificate question
Mateusz,

>> Which external CA would be more open to signing this kind of certificate?
>
> I'm afraid that there is not a single external CA that would sign request for CA certificate. They need to make sure that certificate would not be used for fraudulent purposes (for e.g. Man-in-the-Middle attacks) which usually means that they keep control of all subordinate CAs they create (you can only place requests for client or server certificates - but domain ownership validation and certificate issuance takes place in their infrastructure) or they verified that you securely store your private key in dedicated HSM and have adequate policies and rules regarding certificate issuance.

Understandable. I did speak with them and realised it's not a straightforward thing. As I understand, some CAs like Symantec may allow a sub CA.

> There is "X.509 Name Constraints" extension for certificates, however external CA would have to make this extension as "critical" (which would probably cause compatibility issues with some software - "critical" means that if some app doesn't know how to handle this extension, it has to report error and do not proceed with establishing secure connection).

The certificate with CA basic constraint would only have been used on freeIPA, not on other servers. I believe freeIPA could handle such a certificate.

> As I understand, --external-ca option should be used when you already have configured PKI infrastructure in your network (for example Active Directory Certificate Services) and spinning another internal CA is not a big deal. You've mentioned that there is already an Active Directory domain, so the last options seems the easiest one - internal CA root certificate can be deployed to Windows workstation using AD and IPA configured with external CA would automatically deploy internal root CA to Linux workstations on during ipa-client-install.

Interesting. Active Directory certificate service would also be using a self-signed certificate, correct?

I saw another thread today of someone using the --external-ca flag. I wish someone who has gone through the process could document it, including whether they are using an external CA.

> --
> Best regards
> Mateusz Małek

Appreciate your feedback a lot.

William
Re: [Freeipa-users] PKI signing certificate question
Clark,

Thank you.

> I personally haven't done this, but from https://www.freeipa.org/page/PKI
>
> "when --external-ca option is used, ipa-server-install produces a certificate request for its CA certificate so that it can be properly chained in existing PKI infrastructure."

Has anyone here been successful in getting an external CA to sign this kind of certificate? I have just tried to convince DigiCert for 2 days that there is no harm issuing this kind of certificate as long as it's restricted to one domain, without success. Which external CA would be more open to signing this kind of certificate?

Lastly, would there be any harm enrolling IPA clients to this server before feeding it the signed certificate?

Regards,

William
[Freeipa-users] PKI signing certificate question
Hello,

I want to use an external certificate when setting up a new FreeIPA next week and plan to send the CSR tomorrow. I would like to source a certificate for example.com and use it on FreeIPA on eng.example.com. I can't specifically set the FreeIPA on example.com because we have Active Directory on corp.example.com.

Is there a way of using FreeIPA with such a setup? I am hoping that if I can set up FreeIPA using example.com, I will be able to generate certificates for both Windows and Linux, plus others like vpn.example.com that don't sit well on either the AD or the FreeIPA domain.

What's the best way to approach this? If not possible, would setting FreeIPA as a sub domain of Active Directory help?

Regards,

William
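The replies in this thread turn on two extensions: the CA basic constraint that any sub-CA request carries, and the X.509 Name Constraints extension that would limit such a CA to one domain and, as Mateusz points out, would have to be marked critical. The following is an added OpenSSL illustration of what that request and check look like; it is not code from the thread and not how ipa-server-install builds its --external-ca request. The domain (eng.example.com), the CN and the file names are assumptions. Whether the extension survives into the issued certificate is entirely the signing CA's decision, which is the point of the replies above.

```shell
#!/bin/sh
# Added illustration of a technically constrained sub-CA request with
# OpenSSL. Not the thread's code and not what ipa-server-install
# --external-ca generates; domain, CN and file names are assumptions.

# write_subca_req_conf OUTFILE DOMAIN: request config whose extensions
# ask for CA:TRUE plus a critical Name Constraints limited to DOMAIN.
write_subca_req_conf() {
    cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = subca_ext

[ dn ]
CN = Example Constrained Sub CA

[ subca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
# permitted;DNS:$2 allows $2 and any name below it (RFC 5280 form);
# "critical" means a verifier that does not implement the extension
# must reject the chain instead of silently ignoring the limit.
nameConstraints  = critical, permitted;DNS:$2
EOF
}

# make_subca_csr DIR DOMAIN: key pair and CSR carrying those extensions
# (openssl required; the CA decides what actually ends up in the cert).
make_subca_csr() {
    write_subca_req_conf "$1/subca.cnf" "$2"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/subca.key" \
        -out "$1/subca.csr" -config "$1/subca.cnf" 2>/dev/null
}

# csr_has_critical_name_constraints CSR: 0 when the request's Name
# Constraints extension is flagged critical. For an issued certificate
# run "openssl x509 -in cert.pem -noout -text" through the same grep.
csr_has_critical_name_constraints() {
    openssl req -in "$1" -noout -text | grep -q 'X509v3 Name Constraints: critical'
}

# Stand-alone run: write the config and, if openssl is present, build a
# CSR and check the extension.
workdir=$(mktemp -d)
write_subca_req_conf "$workdir/subca.cnf" eng.example.com
if command -v openssl >/dev/null 2>&1; then
    make_subca_csr "$workdir" eng.example.com
    csr_has_critical_name_constraints "$workdir/subca.csr" \
        && echo "Name Constraints present and critical in $workdir/subca.csr"
fi
```

The same grep over the certificate the CA returns is the check worth making before installing it: a request extension is only a request, and the compatibility concern raised in the thread (clients that do not implement Name Constraints rejecting the chain) applies precisely when the issued certificate carries the extension as critical.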
Re: [Freeipa-users] DNS Design for FreeIPA4
Josh,

First, sorry for top posting, on a stupid cell.

You miss the point that DNS is not only used for name resolution, but also for hosting configuration. If something is not right about DNS, lots of incorrect info will be embedded on your IPA clients. Make it simple as Simon said and point your IPA clients to the IPA servers. Red Hat recommends you point your IPA clients to the IPA server. Microsoft recommends the same thing: point Windows clients to AD.

William

William,

I don't understand why I would have problems if AD DNS can resolve IPA DNS, and IPA DNS can resolve AD DNS? The DNS servers that my servers are using can resolve both AD and IPA.

Thanks,

Josh

> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of William Muriithi
> Sent: Thursday, January 15, 2015 8:08 PM
> To: freeipa-users@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] DNS Design for FreeIPA4
>
> Josh,
>
> You will have problems if you go with the below plan in my opinion. I used
> arrangements like the one you listed below when I used freeipa 2.2. This
> worked for me only when I had users hosted on freeipa. After upgrading to
> 3.3 for trust, it became very unreliable and I had to point the ipa clients to the ipa
> server for it to work reliably.
>
> Especially if you plan to point them to AD, it wouldn't work as AD uses DNS for
> configuration just like IPA, so there will be conflict.
>
> William
>
> We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We
> plan on establishing a trust with AD at some point during the POC. An
> overview of the current DNS design:
>
> * FreeIPA runs integrated DNS (ie, ipa.domain.com)
> * Servers in our environment (even once joined to IPA) continue to use our
>   current non-IPA DNS infrastructure for name resolution
> * Servers in our environment have hostnames in several other non-IPA
>   domains (not ipa.domain.com)
> * IPA DNS is configured to zone-transfer ipa.domain.com to our primary
>   infrastructure non-IPA DNS servers
> * IPA is configured to forward all non ipa.domain.com requests to our
>   primary infrastructure non-IPA DNS servers
> * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it
>   is a slave on our primary non-IPA DNS servers
> * IPA can resolve our Active Directory DNS (ad.domain.lan)
> * Active Directory DNS can resolve IPA DNS (ipa.domain.com)
>
> Is this a sensible design for DNS? In this configuration, IPA does not appear
> to be creating DNS records in ipa.domain.com for the hosts that we add to
> IPA. This is presumably because the hosts themselves are in other domains
> (not ipa.domain.com) which are not controlled by IPA. Is this going to cause
> problems?
>
> We have a requirement to keep all servers in our environment using our
> primary non-IPA DNS servers for resolution. It seemed logical to use IPA-
> integrated DNS just so IPA could manage the SRV/LDAP records
> automatically within the IPA zone.
>
> Any advice/tips/suggestions regarding this design would be greatly
> appreciated.
>
> Thanks,
>
> Josh
>
> End of Freeipa-users Digest, Vol 78, Issue 62
Re: [Freeipa-users] DNS Design for FreeIPA4
Josh,

You will have problems if you go with the below plan, in my opinion. I used arrangements like the one you listed below when I used FreeIPA 2.2. This worked for me only when I had users hosted on FreeIPA. After upgrading to 3.3 for trust, it became very unreliable and I had to point the IPA clients to the IPA server for it to work reliably. Especially if you plan to point them to AD, it wouldn't work, as AD uses DNS for configuration just like IPA, so there will be a conflict.

William

> We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We plan on establishing a trust with AD at some point during the POC.
>
> An overview of the current DNS design:
>
> * FreeIPA runs integrated DNS (ie, ipa.domain.com)
> * Servers in our environment (even once joined to IPA) continue to use our current non-IPA DNS infrastructure for name resolution
> * Servers in our environment have hostnames in several other non-IPA domains (not ipa.domain.com)
> * IPA DNS is configured to zone-transfer ipa.domain.com to our primary infrastructure non-IPA DNS servers
> * IPA is configured to forward all non-ipa.domain.com requests to our primary infrastructure non-IPA DNS servers
> * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it is a slave on our primary non-IPA DNS servers
> * IPA can resolve our Active Directory DNS (ad.domain.lan)
> * Active Directory DNS can resolve IPA DNS (ipa.domain.com)
>
> Is this a sensible design for DNS? In this configuration, IPA does not appear to be creating DNS records in ipa.domain.com for the hosts that we add to IPA. This is presumably because the hosts themselves are in other domains (not ipa.domain.com) which are not controlled by IPA. Is this going to cause problems?
>
> We have a requirement to keep all servers in our environment using our primary non-IPA DNS servers for resolution. It seemed logical to use IPA-integrated DNS just so IPA could manage the SRV/LDAP records automatically within the IPA zone.
>
> Any advice/tips/suggestions regarding this design would be greatly appreciated.
>
> Thanks,
>
> Josh
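Whichever way the DNS design above goes, the thing to verify is that the SRV records IPA clients and an AD trust rely on resolve from the resolver the clients actually use (here the non-IPA slave), not just from the IPA server. The script below is an added example, not code from the thread or from FreeIPA: it queries a given resolver for the core IPA client records, the `_msdcs` records that `ipa-adtrust-install` publishes in the IPA zone, and the `_msdcs` records IPA needs from the AD zone. It assumes `dig` from bind-utils; the resolver address and zone names are placeholders to replace.

```bash
#!/bin/bash
# Added example (not from the thread): check, from a given resolver, that the SRV
# records IPA clients and an AD trust depend on actually resolve.
# Assumptions: dig(1) is installed; resolver/zone names are placeholders.

DIG="${DIG:-dig}"   # overridable so the checks can be exercised without a network

# srv_targets RESOLVER NAME -> target hostnames of the SRV records for NAME, one per line
srv_targets() {
    local resolver="$1" name="$2"
    # "+short" on an SRV query prints "priority weight port target." per record
    "$DIG" @"$resolver" +short -t SRV "$name" | awk 'NF == 4 { print $4 }'
}

# required_srv_names IPA_DOMAIN AD_DOMAIN -> the SRV names worth checking
required_srv_names() {
    local ipa="$1" ad="$2"
    # core records ipa-client-install and sssd look up in the IPA zone
    printf '%s\n' "_ldap._tcp.$ipa" "_kerberos._udp.$ipa" "_kerberos._tcp.$ipa" "_kpasswd._udp.$ipa"
    # records ipa-adtrust-install adds so AD can locate IPA as a trusted "domain"
    printf '%s\n' "_ldap._tcp.dc._msdcs.$ipa" "_kerberos._udp.dc._msdcs.$ipa"
    # records IPA needs in the AD zone to find a domain controller
    printf '%s\n' "_ldap._tcp.dc._msdcs.$ad" "_kerberos._udp.dc._msdcs.$ad"
}

# check_srv RESOLVER IPA_DOMAIN AD_DOMAIN -> one "ok|MISSING name" line per record;
# exit status is the number of missing records (0 = everything resolves)
check_srv() {
    local resolver="$1" ipa="$2" ad="$3" name targets missing=0
    for name in $(required_srv_names "$ipa" "$ad"); do
        targets=$(srv_targets "$resolver" "$name" | tr '\n' ' ' | sed 's/ *$//')
        if [ -z "$targets" ]; then
            printf 'MISSING %s\n' "$name"
            missing=$((missing + 1))
        else
            printf 'ok      %s -> %s\n' "$name" "$targets"
        fi
    done
    return "$missing"
}
```

Run it twice, once against the non-IPA resolver the clients use (`check_srv 192.168.20.1 ipa.domain.com ad.domain.lan`) and once against the IPA server itself. A record that is present on the IPA server but MISSING from the slave means the zone transfer has not carried it yet, which is exactly what happens to the `_msdcs` records that only appear after the trust is configured.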
Re: [Freeipa-users] ipa / sudoers on centos 6.3 client
Hi,

I also think you will have to update to RHEL 6.6 if you want to use sssd for sudo. If updating to 6.6 is not a problem, this would be the least painful.

> The problem is that I can't get sudo rules to work. I know that the ipa client software version 3.0.0 doesn't automatically set up all the configuration for sssd to control sudo access, but I have set up all the configuration necessary manually:
>
> On the client, /etc/nsswitch.conf has
>
> sudoers: files sss

This will work only for RHEL 6.6. Add ldap between files and sss if you won't be using 6.6.

> /etc/sssd/sssd.conf has
>
> [domain/default]
>
> cache_credentials = True
> krb5_realm =
> krb5_server = :88
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> [domain/]

Remove the ldap related lines if on 6.6. If you are not going to use 6.6, keep them, but add a bind password on the ipa-server as it can't bind anonymously.

> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain =
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server =
> ldap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap

This is assuming you are not using 6.6, else replace ldap with sss.

> ldap_uri = ldap://
> ldap_sudo_search_base = ou=sudoers,
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/
> ldap_sasl_realm =
> krb5_server =
> debug_level = 9
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = , default
> debug_level = 9
>
> [nss]
> debug_level = 9
>
> [pam]
> debug_level = 9
>
> [sudo]
> debug_level = 9
>
> [autofs]
>
> I have validated the ldap sasl configuration using ldapsearch, so I'm sure they are correct.
>
> The nisdomainname command returns the domain name.
>
> The sudo rules are:
>
> # ipa sudorule-find
>
> 2 Sudo Rules matched
>
> Rule name: sudo-host1
> Enabled: TRUE
> Command category: all
> RunAs User category: all
> User Groups: host1-rw
> Host Groups: host1
> Sudo Option: -authenticate
>
> Rule name: sudo-host2
> Enabled: TRUE
> User Groups: host2-rw
> Host Groups: host2
> Sudo Option: -authenticate
>
> Number of entries returned 2
>
> When a user in user group host1-rw sshs to a client in host group host1 and runs "sudo su -" the user gets prompted for a password even though the sudo option -authenticate is set.
> I'm not convinced that sudo is even attempting to use sssd, but I'm not sure how to confirm this.

I think command group all or category all may be problematic. Enable debugging to see if category all is being considered. For me, I had to adjust that, but can't recall how I went around it from memory.

> I have seen some references to /etc/sudo-ldap.conf in online discussions of similar issues. This file exists on my client, but everything is commented out. Do I need to put the ldap client configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf for CentOS 6.3 clients?

Yes. Uncomment the lines that are commented with a single # and customize it with your realm details plus the password you created on the ipa-server. At the bottom, enable debugging in case it doesn't work on the first attempt. If you are on 6.6, disregard this file.

> Any ideas about how to work out what is failing?

William
[Freeipa-users] SUDO options on freeipa
Afternoon

I have the following commands and I need to set up for Jenkins to run through sudo. For this to work, I need to add two sudo options, no password and no requiretty. Is this something supported by IPA version ipa-server-3.3.3-28.el7_0.3.x86_64? I can't seem to get it working and there is very little documentation on sudo options with IPA on the web.

ipa sudorule-add jenkins --desc "Allow jenkins to deploy jboss, imageserver and fileserver on all the systems"
ipa sudocmdgroup-add-member --sudocmds '/sbin/service jboss start' jenkins_commands
ipa sudocmdgroup-add-member --sudocmds '/sbin/service jboss stop' jenkins_commands

[root@ipa3-yyz-int ~]# ipa sudorule-add-option jenkins_commands --sudooption !authenticate
-bash: !authenticate: event not found
[root@ipa3-yyz-int ~]# ipa sudorule-add-option jenkins_commands
Sudo Option: !requiretty
ipa: ERROR: no such entry

What is the proper way of handling SUDO options with ipa?

Thanks

William
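Two separate things bite in the transcript above, and both are shell/CLI mechanics rather than IPA limitations: `!authenticate` typed unquoted at an interactive bash prompt is history-expanded (hence "event not found"), and `sudorule-add-option` takes the name of a sudo *rule*, while `jenkins_commands` is a command group (hence "no such entry"). The script below is an added example, not the author's commands or FreeIPA project code: it builds the Jenkins rule end to end with the options attached to the rule and the `!` options single-quoted. It assumes an admin Kerberos ticket (`kinit admin`); the rule, command-group and user names are placeholders, and `IPA=echo` gives a dry run.

```bash
#!/bin/bash
# Added example (not from the thread): create a sudo rule for Jenkins and attach
# the "!authenticate" and "!requiretty" options to the *rule*, not the command group.
# Assumptions: an admin ticket is held (kinit admin); names are placeholders.
# In an interactive bash an unquoted !authenticate triggers history expansion
# ("event not found"); single quotes stop that. Scripts have history expansion
# off, so the quoting below is belt and braces.

IPA="${IPA:-ipa}"   # override with IPA=echo to print the commands instead of running them

# setup_jenkins_sudo RULE CMDGROUP USER -> runs the ipa commands in dependency order
setup_jenkins_sudo() {
    local rule="$1" cmdgroup="$2" user="$3" cmd
    "$IPA" sudorule-add "$rule" --desc="Allow $user to restart services on all hosts"
    "$IPA" sudocmdgroup-add "$cmdgroup"
    for cmd in '/sbin/service jboss start' '/sbin/service jboss stop'; do
        "$IPA" sudocmd-add "$cmd"
        "$IPA" sudocmdgroup-add-member "$cmdgroup" --sudocmds="$cmd"
    done
    # the command group is attached to the rule; options are attached to the rule too
    "$IPA" sudorule-add-allow-command "$rule" --sudocmdgroups="$cmdgroup"
    "$IPA" sudorule-add-user "$rule" --users="$user"
    "$IPA" sudorule-mod "$rule" --hostcat=all
    # no password prompt, and no controlling tty (Jenkins runs this non-interactively)
    "$IPA" sudorule-add-option "$rule" --sudooption='!authenticate'
    "$IPA" sudorule-add-option "$rule" --sudooption='!requiretty'
}
```

Run `setup_jenkins_sudo jenkins jenkins_commands jenkins` once; on the client, `sudo -l -U jenkins` (after the sssd sudo cache refreshes) should list the two commands with `!authenticate` and `!requiretty` in the Defaults line.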
Re: [Freeipa-users] Is it possible to set up SUDO with redudancy
List more than 1 LDAP server in your config then.

ldap_uri, ldap_backup_uri (string)
    Specifies the comma-separated list of URIs of the LDAP servers to which SSSD should connect in the order of preference. Refer to the "FAILOVER" section for more information on failover and server redundancy. If neither option is specified, service discovery is enabled. For more information, refer to the "SERVICE DISCOVERY" section.
    The format of the URI must match the format defined in RFC 2732:
    ldap[s]://<host>[:port]
    For explicit IPv6 addresses, <host> must be enclosed in brackets []
    example: ldap://[fc00::126:25]:389

- Ah, thanks. Now Google is helpful when I try the 'failover' keywords. Saw it in the mailing list but not in the docs.

Thank you.

William

On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi <william.murii...@gmail.com> wrote:
> Evening,
>
> After looking at almost all the SUDO documentation I could find, it looks like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below is what Red Hat advise to add in the sssd config file.
>
> services = nss, pam, ssh, pac, sudo
> [domain/idm.coe.muc.redhat.com]
> sudo_provider = ldap
> ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
> ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
> ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
> krb5_server = grobi.idm.coe.muc.redhat.com
>
> The implication of adding the above is that SUDO would break if the hardcoded IPA is not available even if there is another replica somewhere in the network. Is that a correct assumption?
>
> Is there a better way of doing it that I have missed?
>
> Thanks
>
> William

Message: 2
Date: Tue, 25 Nov 2014 14:43:28 +1000
From: Fraser Tweedale
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] curious about monkeysphere

On Mon, Nov 24, 2014 at 11:04:50AM -0500, Rob Crittenden wrote:
> Outback Dingo wrote:
> > I'm curious about monkeysphere http://web.monkeysphere.info/ and how it might compare, integrate, enhance freeipa. Any thoughts, or ideas, or is what it does basically already covered via freeipa?
>
> There does seem to be a fair bit of overlap with the SSH key distribution/validation.
>
> We attempt CA fetching in a similar way, by using a trusted mechanism to fetch it. We use Kerberos when available.
>
> rob

The projects have very different goals - Monkeysphere is web-of-trust whereas FreeIPA uses centralised authentication and a chain-of-trust PKI - so I do not see much scope for direct integration. Rob's point about some of the underlying mechanisms being similar is accurate - a cross-pollination of ideas or implementations could reduce overall effort.

Fraser

Message: 3
Date: Tue, 25 Nov 2014 08:07:46 +0100
From: Martin Kosek
To: Rolf Nufable, "freeipa-users@redhat.com"
Subject: Re: [Freeipa-users] Don't know what To do with this (error?? )

On 11/25/2014 03:07 AM, Rolf Nufable wrote:
> Goodmorning
> So I've solved my Time error (I think) in my fedora 20, but even though I'm having the correct time and configured the browser for kerberos authentication I still can't log in my admin account in the web UI
> is there a work around for this??

Well, you can log in with your user name and password if GSSAPI does not work. Or is that part also not working?

If this is the case, I would suggest to:
- check that the ipa_memcached service is running
- check that there are no SELinux errors in audit.log (or just try in SELinux permissive mode)

If user+password login works and GSSAPI does not, make sure that after you fixed the time on your FreeIPA server, you also have time synchronized on your machine with the browser - so that there is no time difference bigger than 1-2 minutes.

> plus I can't find any solutions online on this matter, so I'm really confused on why this is happening in my free ipa :<
> TIA : )

Message: 4
Date: Mon, 24 Nov 2014 23:12:23 -0800
From: Rolf Nufable
To: Martin Kosek,
Re: [Freeipa-users] Is it possible to set up SUDO with redudancy
> > The implication of adding the above is that SUDO would break if the hardcoded ipa is not available even if there is another replica somewhere in the network. Is that a correct assumption?
> >
> > Is there a better way of doing it that I have missed?
>
> Which version of sssd do you have? sssd >= 1.10 has native ipa sudo providers and you don't need to use "sudo_provider = ldap".

Sorry, responding from blackberry which doesn't seem to indent the question I am responding to.

This is the sssd version I am using. Certainly newer than 1.10. Do you mind pointing me to the recommended way of handling SUDO now?

sssd-common-1.11.2-68.el7_0.6.x86_64
sssd-ipa-1.11.2-68.el7_0.6.x86_64
sssd-1.11.2-68.el7_0.6.x86_64
sssd-client-1.11.2-68.el7_0.6.x86_64
sssd-ad-1.11.2-68.el7_0.6.x86_64
sssd-proxy-1.11.2-68.el7_0.6.x86_64
python-sssdconfig-1.11.2-68.el7_0.6.noarch
sssd-common-pac-1.11.2-68.el7_0.6.x86_64
sssd-krb5-1.11.2-68.el7_0.6.x86_64
sssd-krb5-common-1.11.2-68.el7_0.6.x86_64
sssd-ldap-1.11.2-68.el7_0.6.x86_64

William
[Freeipa-users] Is it possible to set up SUDO with redudancy?
Evening,

After looking at almost all the SUDO documentation I could find, it looks like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below is what Red Hat advise to add in the sssd config file.

services = nss, pam, ssh, pac, sudo
[domain/idm.coe.muc.redhat.com]
sudo_provider = ldap
ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
krb5_server = grobi.idm.coe.muc.redhat.com

The implication of adding the above is that SUDO would break if the hardcoded IPA is not available even if there is another replica somewhere in the network. Is that a correct assumption?

Is there a better way of doing it that I have missed?

Thanks

William
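Both this thread and the earlier "ipa / sudoers on centos 6.3 client" one come down to the same two sssd.conf facts: the `[sssd]` `services` list must contain `sudo` (and nsswitch needs `sudoers: files sss`), and failover depends on which sudo provider is in use. With sssd 1.10 or later and `id_provider = ipa`, leaving `sudo_provider` unset makes it follow the ipa provider, which fails over across whatever `ipa_server` lists (`_srv_` means DNS SRV discovery). With the older `sudo_provider = ldap`, redundancy only comes from listing replicas in `ldap_uri` / `ldap_backup_uri`. The checker below is an added example, not from either thread or from sssd itself: it reads an sssd.conf and reports whether sudo would survive the loss of one server. It assumes the stock ini layout and the option names as documented in the sssd-ipa and sssd-ldap man pages.

```bash
#!/bin/bash
# Added example (not from the thread): audit an sssd.conf for sudo redundancy.
# Assumptions: standard sssd.conf ini layout; option names per sssd-ipa(5) and
# sssd-ldap(5); sssd >= 1.10 semantics (unset sudo_provider follows id_provider).

# ini_get CONF SECTION KEY -> value of KEY in [SECTION], empty if absent
ini_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { cur = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", cur); next }
        cur == sect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# ini_domains CONF -> names of all [domain/...] sections
ini_domains() { sed -n 's/^[[:space:]]*\[domain\/\(.*\)\][[:space:]]*$/\1/p' "$1"; }

# count_list "a, b,c" -> number of non-empty comma-separated entries
count_list() {
    if [ -z "$1" ]; then echo 0; return; fi
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^[[:space:]]*$/d' | wc -l | tr -d ' '
}

# check_sssd_sudo CONF -> ok/WARN lines; exit status = number of problems found
check_sssd_sudo() {
    local conf="$1" services domain idp sudop servers uri backup n problems=0
    services=$(ini_get "$conf" sssd services)
    case ",$(echo "$services" | tr -d ' ')," in
        *,sudo,*) echo "ok   [sssd] services includes sudo" ;;
        *) echo "WARN [sssd] services lacks 'sudo': the sudo responder is not running"
           problems=$((problems + 1)) ;;
    esac
    for domain in $(ini_domains "$conf"); do
        idp=$(ini_get "$conf" "domain/$domain" id_provider)
        sudop=$(ini_get "$conf" "domain/$domain" sudo_provider)
        [ -n "$sudop" ] || sudop="$idp"      # unset sudo_provider follows id_provider
        case "$sudop" in
        ipa)
            servers=$(ini_get "$conf" "domain/$domain" ipa_server)
            if [ -z "$servers" ] || echo "$servers" | grep -q '_srv_'; then
                echo "ok   [$domain] sudo_provider=ipa, servers discovered via DNS SRV records"
            elif [ "$(count_list "$servers")" -gt 1 ]; then
                echo "ok   [$domain] sudo_provider=ipa, fails over across: $servers"
            else
                echo "WARN [$domain] sudo_provider=ipa but ipa_server names one host: add replicas or _srv_"
                problems=$((problems + 1))
            fi ;;
        ldap)
            uri=$(ini_get "$conf" "domain/$domain" ldap_uri)
            backup=$(ini_get "$conf" "domain/$domain" ldap_backup_uri)
            n=$(( $(count_list "$uri") + $(count_list "$backup") ))
            if [ "$n" -le 1 ]; then
                echo "WARN [$domain] sudo_provider=ldap with a single ldap_uri: sudo breaks when that server is down"
                problems=$((problems + 1))
            else
                echo "ok   [$domain] sudo_provider=ldap with $n servers across ldap_uri/ldap_backup_uri"
            fi ;;
        *)
            echo "WARN [$domain] sudo_provider=$sudop is not an IPA-backed sudo source"
            problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}
```

`check_sssd_sudo /etc/sssd/sssd.conf` on the Red Hat snippet quoted above reports the single `ldap_uri`; the fix on sssd 1.11 is to drop the whole `sudo_provider = ldap` block and rely on the ipa provider with `ipa_server = _srv_, replica1, replica2`.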
[Freeipa-users] Mixing local FreeIPA users with active directory users
Hi guys,

I am wondering how one would go about allowing both AD users and FreeIPA users to work in harmony. I recently was able to get FreeIPA to use trust to service Unix systems. However, I encountered resistance as some people didn't like the long username, for example, username@domain.lo...@dev1.example.com. So I created local accounts and forced everyone back to FreeIPA users.

Some people didn't mind the name format and would prefer a single username everywhere. So now things are a bit cool, I am investigating if these accounts can coexist and would like it to be up to the users which account they will use.

When I check id when logged in with an AD account, I don't see the group developer, but see developers@example.local. This is a problem since I can't assign files to two groups, something I need as they have files they all have to change. I also need both users to have SUDO access; this is fine as I can just duplicate SUDO commands, one for the developers group and another for developers@example.local.

How would one fix file sharing between AD and FreeIPA users? I don't think one can put a group within another group? Or am I wrong on that? Google results seem negative.

Thanks for advice

William
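IPA groups do nest, and nesting is exactly how AD users get a single POSIX group shared with IPA users: an *external* group holds the AD group (by `DOMAIN\name` or SID) as an external member, and that external group is added as a member group of an ordinary POSIX group, which is then what `id` shows and what files and sudo rules are owned by. The script below is an added example, not the author's commands or FreeIPA project code: it creates that chain and then checks that the external group really appears under the POSIX group's "Member groups", since a POSIX group without that entry gives AD users nothing. It assumes an admin ticket and uses placeholder names; `IPA=echo` prints the commands without running them.

```bash
#!/bin/bash
# Added example (not from the thread): give AD users membership of an IPA POSIX
# group via a nested external group, and verify the nesting took effect.
# Assumptions: an admin ticket is held (kinit admin); names are placeholders.

IPA="${IPA:-ipa}"   # override with IPA=echo for a dry run

# map_ad_group AD_GROUP EXT_GROUP POSIX_GROUP
#   AD_GROUP     'EXAMPLE.LOCAL\Domain Users' (NetBIOS form) or the group SID
#   EXT_GROUP    IPA external group that will hold the AD group
#   POSIX_GROUP  existing IPA POSIX group used for file ownership and sudo rules
map_ad_group() {
    local ad_group="$1" ext_group="$2" posix_group="$3"
    "$IPA" group-add "$ext_group" --external --desc="AD group $ad_group"
    "$IPA" group-add-member "$ext_group" --external="$ad_group"
    # this is the step that makes the AD users POSIX: the external group becomes
    # a member group of the POSIX group
    "$IPA" group-add-member "$posix_group" --groups="$ext_group"
}

# nested_in POSIX_GROUP EXT_GROUP -> succeeds only if 'ipa group-show' lists
# EXT_GROUP under "Member groups"; if it is missing, 'id ad_user@ad.domain'
# shows the AD groups but never the POSIX one
nested_in() {
    "$IPA" group-show "$1" | awk -v g="$2" '
        /^[[:space:]]*Member groups:/ {
            sub(/^[[:space:]]*Member groups:[[:space:]]*/, "")
            n = split($0, m, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) if (m[i] == g) found = 1
        }
        END { exit (found ? 0 : 1) }'
}
```

Typical use: `map_ad_group 'EXAMPLE.LOCAL\Domain Users' ad_users_external developers && nested_in developers ad_users_external`. After sssd's cache expires (or `sss_cache -E` on the client), `id someone@example.local` should list `developers` alongside the AD groups, and a single `chgrp developers` or one sudo rule covers both populations.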
[Freeipa-users] Possible trust issues
Evening,

Also, this shows up in /var/log/krb5kdc.log on the ipa server:

Nov 10 18:43:22 ipa3-yyz-int.example.loc krb5kdc[5469](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.29: NEEDED_PREAUTH: host/sogo-eval.example@example.loc for krbtgt/example@example.loc, Additional pre-authentication required
Nov 10 18:43:22 ipa3-yyz-int.example.loc krb5kdc[5468](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.29: ISSUE: authtime 1415663002, etypes {rep=18 tkt=18 ses=18}, host/sogo-eval.example@example.loc for krbtgt/example@example.loc

What does pre-authentication required mean?

William

I am certain the problem has something to do with trust as I have created a local account on FreeIPA (wmuriithi_user) and it works as expected. However active directory users in the same posix group fail and I have not been able to nail down where my mistake is.

How would one go about debugging this issue? I have looked at logs and they look as below.

cat /var/log/secure

Nov 10 12:12:05 datagroup-dev sshd[30150]: Invalid user wmuriithi@example.local from 10.10.10.15
Nov 10 12:12:05 datagroup-dev sshd[30151]: input_userauth_request: invalid user wmuriithi@example.local
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_unix(sshd:auth): check pass; user unknown
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.15
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_succeed_if(sshd:auth): error retrieving information about user wmuriithi@example.local
Nov 10 12:12:11 datagroup-dev sshd[30150]: Failed password for invalid user wmuriithi@example.local from 10.10.10.15 port 52792 ssh2
Nov 10 12:12:17 datagroup-dev sshd[30151]: Connection closed by 10.10.10.15

cat /var/log/sssd/sssd_ssh.log

(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'wmuriithi@example.local' matched expression for domain 'EXAMPLE.local', user is wmuriithi
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [ssh_user_pubkeys_search_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158221, Account info lookup failed
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0040): No attributes for user [wmuriithi] found.
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'wmuriithi@example.local' matched expression for domain 'EXAMPLE.local', user is wmuriithi
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [ssh_user_pubkeys_search_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158221, Account info lookup failed

less /var/log/sssd/sssd_example.loc.log

(Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa3-yyz-int.example.loc' as 'working'
(Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [set_server_common_status] (0x0100): Marking server 'ipa3-yyz-int.example.loc' as 'working'
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

Does this mean I have to recreate the trust relationship? I didn't get any error when I set up the trust last week and am uncertain recreating the trust would help. Would highly appreciate any pointers on what would be the best way forward.

William
[Freeipa-users] Possible trust issues
Evening,

I have been trying to get the IPA server working using AD users and I think I need some assistance as I have run into the wall. Below is some background information.

The active directory domain is called example.local and the IPA domain is called example.loc. My plan is to map domain users on AD to ad_users on IPA servers. I am using CentOS Linux release 7.0.1406 (Core) with the below RPMs:

[root@ipa3-yyz-int ~]# rpm -qa | grep ipa
ipa-client-3.3.3-28.el7.centos.1.x86_64
iniparser-3.1-5.el7.x86_64
ipa-server-trust-ad-3.3.3-28.el7.centos.1.x86_64
sssd-ipa-1.11.2-68.el7_0.5.x86_64
ipa-python-3.3.3-28.el7.centos.1.x86_64
ipa-server-3.3.3-28.el7.centos.1.x86_64
libipa_hbac-1.11.2-68.el7_0.5.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-python-1.11.2-68.el7_0.5.x86_64
ipa-admintools-3.3.3-28.el7.centos.1.x86_64

I have two groups:

[root@ipa3-yyz-int ~]# ipa group-show --all ad_users
  dn: cn=ad_users,cn=groups,cn=accounts,dc=example,dc=loc
  Group name: ad_users
  Description: ad_domain users
  GID: 196385
  Member users: williamm_user, wmuriithi_user
  Member of HBAC rule: dev-systems-rules
  ipantsecurityidentifier: S-1-5-21-3033893191-3803153583-4018222701-1005
  ipauniqueid: eec320c2-650b-11e4-bc2c-000c29c42447
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs

[root@ipa3-yyz-int ~]# ipa group-show --all ad_users_external
  dn: cn=ad_users_external,cn=groups,cn=accounts,dc=example,dc=loc
  Group name: ad_users_external
  Description: ad_domain users external map
  External member: S-1-5-21-205922407-570005376-4065188459-513
  ipauniqueid: d3b2759e-650b-11e4-8518-000c29c42447
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup

I am certain the problem has something to do with trust as I have created a local account on FreeIPA (wmuriithi_user) and it works as expected. However active directory users in the same posix group fail and I have not been able to nail down where my mistake is.

How would one go about debugging this issue? I have looked at logs and they look as below.

cat /var/log/secure

Nov 10 12:12:05 datagroup-dev sshd[30150]: Invalid user wmuriithi@example.local from 10.10.10.15
Nov 10 12:12:05 datagroup-dev sshd[30151]: input_userauth_request: invalid user wmuriithi@example.local
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_unix(sshd:auth): check pass; user unknown
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.15
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_succeed_if(sshd:auth): error retrieving information about user wmuriithi@example.local
Nov 10 12:12:11 datagroup-dev sshd[30150]: Failed password for invalid user wmuriithi@example.local from 10.10.10.15 port 52792 ssh2
Nov 10 12:12:17 datagroup-dev sshd[30151]: Connection closed by 10.10.10.15

cat /var/log/sssd/sssd_ssh.log

(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'wmuriithi@example.local' matched expression for domain 'EXAMPLE.local', user is wmuriithi
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [ssh_user_pubkeys_search_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158221, Account info lookup failed
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0040): No attributes for user [wmuriithi] found.
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'wmuriithi@example.local' matched expression for domain 'EXAMPLE.local', user is wmuriithi
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [ssh_user_pubkeys_search_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158221, Account info lookup failed

less /var/log/sssd/sssd_example.loc.log

(Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa3-yyz-int.example.loc' as 'working'
(Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [set_server_common_status] (0x0100): Marking server 'ipa3-yyz-int.example.loc' as 'working'
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done]
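The three log excerpts in this thread each carry a distinct signal. `Invalid user` plus `pam_succeed_if ... error retrieving information about user` means sshd never got the account from NSS at all, so the password was never evaluated. `ipa_s2n_get_user_done ... s2n exop request failed` means the client asked the IPA server's extdom plugin to resolve the AD user and the server side failed, so the next checks belong on the IPA server (can it resolve the user itself, is the trust healthy, is the external group actually a member group of the POSIX group). The krb5kdc `NEEDED_PREAUTH` followed a moment later by `ISSUE` for the same principal is the normal two-round AS exchange, not an error. The script below is an added example, not from the thread or from sssd: it runs those pattern checks over a log file and prints the next step for each finding. It assumes the stock RHEL/CentOS 7 log formats quoted above; `user@ad.domain` and `<posix-group>` are placeholders.

```bash
#!/bin/bash
# Added example (not from the thread): triage sshd/sssd/krb5kdc excerpts from a
# failing AD-user login over an IPA trust. It only reads text and prints what to
# check next; it runs no ipa or sssd commands itself.
# Assumptions: stock RHEL/CentOS 7 log formats; names in messages are placeholders.

# triage_logs FILE -> prints findings; exit status = number of actionable findings
triage_logs() {
    local f="$1" findings=0 kdc=0

    # "Invalid user" together with pam_succeed_if failing to fetch the user means
    # NSS never returned the account: a lookup problem, not a password problem
    if grep -q 'Invalid user [^ ]*@' "$f" && grep -q 'error retrieving information about user' "$f"; then
        echo "FINDING sshd/PAM could not look the user up (NSS lookup failed, password never checked)"
        echo "        next, on the client: getent passwd 'user@ad.domain'; then read sssd_<ipa-domain>.log"
        findings=$((findings + 1))
    fi

    # the IPA provider asks the IPA server (extdom plugin) to resolve AD users;
    # "s2n exop request failed" is that server-side lookup failing
    if grep -q 's2n exop request failed' "$f"; then
        echo "FINDING IPA server could not resolve the AD user for the client (extdom/s2n failure)"
        echo "        next, on the IPA server: getent passwd 'user@ad.domain'; ipa trust-show ad.domain;"
        echo "        ipa group-show <posix-group>: the external group must appear under 'Member groups'"
        findings=$((findings + 1))
    fi

    if grep -q "Marking server .* as 'working'" "$f"; then
        echo "INFO    sssd reached the IPA server; connectivity is not the problem"
    fi

    # KDC: NEEDED_PREAUTH followed by ISSUE for the same principal is the normal
    # two-round AS exchange; only a NEEDED_PREAUTH with no ISSUE after it matters
    awk '
        function principal(line,    p) {
            if (!match(line, /[^ ,]+ for krbtgt/)) return ""
            p = substr(line, RSTART, RLENGTH); sub(/ for krbtgt/, "", p); return p
        }
        /AS_REQ/ && /NEEDED_PREAUTH/ { p = principal($0); if (p != "") pending[p] = 1 }
        /AS_REQ/ && /ISSUE:/        { p = principal($0); if (p in pending) { delete pending[p]; ok++ } }
        END {
            for (p in pending) {
                print "WARN    " p ": NEEDED_PREAUTH with no ISSUE after it (bad key/password, clock skew, or the client gave up)"
                n++
            }
            if (ok) print "INFO    " ok " principal(s) completed the normal NEEDED_PREAUTH -> ISSUE exchange"
            exit n + 0
        }' "$f" || kdc=$?
    return $((findings + kdc))
}
```

Usage: `cat /var/log/secure /var/log/sssd/sssd_example.loc.log /var/log/krb5kdc.log | triage_logs /dev/stdin` on the client, or point it at a file assembled from several hosts. Debug level 0x0040 in sssd marks errors, so the `s2n` line is the one to chase first; the `Marking server ... working` line rules out the usual "client cannot reach the IPA server" explanation.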
Re: [Freeipa-users] Trust relationship redundancy
Peter,

Sorry, missed your response earlier.

On 4.11.2014 21:57, William Muriithi wrote:
> > Afternoon,
> >
> > I have two AD and would like to retain that redundancy within IPA after establishing trust relationship. How would one achieve that?
> >
> > I have attempted the following:
> >
> > [root@ipa3-yyz-int ~]# ipa dnszone-add example.local --name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local --admin-email='systemad...@example.com' --force --forwarder=10.10.10.90 --forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.90 --ip-address=10.10.10.91
> > ipa: ERROR: invalid 'idnssoamname': Only one value is allowed
> >
> > And got the following error above
>
> Hello,
>
> Could you explain what you are trying to achieve, please?

Was trying to make sure trust remains in place even if we lose one of the master AD.

> What version of FreeIPA do you use?

Version 3.3. Default on CentOS 7 with all updates applied. Not at the office at the moment so can't post the precise rpm version.

> Commands 'ipa dnszone-*' manage DNS and are not strictly related to AD trusts.
> If you add a DNS zone to one IPA server it is automatically served by all other servers. This applies to master & forward zones too.

Ah. I see. I misunderstood the documentation then. So, would ipa know there are two active directories in the network even without being explicit on the configuration? I am guessing through DNS? If not, what would be needed to clue it of this fact?

> To get full redundancy for *master* zones you have to add all names of IPA DNS servers to NS records in the zone and also to its parent zone. (BTW FreeIPA 4.1 will manage in-zone NS records automatically for you.)
> For forward zones you don't need to do anything else. It should just work.
>
> --
> Petr^2 Spacek

Thanks

William
[Freeipa-users] Trust relationship issues
Sending again. Previous mail got mangled by blackberry.

I have two AD and would like to retain that redundancy within IPA after establishing trust relationship. How would one achieve that?

I have attempted the following:

[root@ipa3-yyz-int ~]# ipa dnszone-add example.local --name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local --admin-email='systemad...@example.com' --force --forwarder=10.10.10.90 --forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.90 --ip-address=10.10.10.91
ipa: ERROR: invalid 'idnssoamname': Only one value is allowed

And got the following error above. This however works:

ipa dnszone-add example.local --name-server=srvyyzdc02.example.local --admin-email='systemad...@example.com' --force --forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.91

What should I have done to get redundancy working? If this is not possible currently, any chance it can be implemented some day?

William
[Freeipa-users] Trust relationship redundancy
Afternoon,

I have two AD and would like to retain that redundancy within IPA after establishing trust relationship. How would one achieve that?

I have attempted the following:

[root@ipa3-yyz-int ~]# ipa dnszone-add example.local --name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local --admin-email='systemad...@example.com' --force --forwarder=10.10.10.90 --forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.90 --ip-address=10.10.10.91
ipa: ERROR: invalid 'idnssoamname': Only one value is allowed

And got the following error above. This however works:

ipa dnszone-add example.local --name-server=srvyyzdc02.example.local --admin-email='systemad...@example.com' --force --forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.91

What should I have done to get redundancy working? If this is not possible currently, any chance it can be implemented some day?

William
[Freeipa-users] Renewing FreeIPA 2.2 certificate
Afternoon

I have been trying to renew the FreeIPA certificate for the last three days and I am running out of luck. I can't for example use the GUI interface and the ipa cli tools are also failing since the certificate expired on the 27th last month. I have followed the instructions below but may be missing a step.

http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

Below is what I have done. I seem to have renewed some certificates successfully.

[root@ipa1-yyz-int 10.30.2014]# cat certificate_status.sh
#!/bin/bash
# Print the expiry ("Not After") line of each CA subsystem certificate in the NSS database
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
    echo "$nickname"
    certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done

[root@ipa1-yyz-int 10.30.2014]# ./certificate_status.sh
auditSigningCert cert-pki-ca
            Not After : Thu Apr 23 22:18:47 2015
ocspSigningCert cert-pki-ca
            Not After : Fri Oct 14 22:17:47 2016
subsystemCert cert-pki-ca
            Not After : Fri Oct 14 22:17:47 2016
Server-Cert cert-pki-ca
            Not After : Fri Oct 14 22:17:48 2016

I think I have done the steps above correctly but don't understand this section

[root@ipa1-yyz-int 10.30.2014]# certutil -L -d /etc/httpd/alias -n ipaCert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.LOC"
        Validity:
            Not Before: Tue Nov 06 21:35:53 2012
            Not After : Mon Oct 27 21:35:53 2014

As you can see below, this certificate was not renewed, and therefore I couldn't change the serial # through ldap tools. Which step would I have missed, or rather what should I re-run? Would be grateful for a second eye looking at it and advice on what I could be missing.

I know I am using old software and did set up a replica successfully on Friday but it also has certificate issues. I plan to move all the certificate role to FreeIPA 3 once I get the certificate issues sorted and decommission FreeIPA 2.2

William
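An added example, not part of the post above: a small checker that parses the "Not After" lines that certutil -L prints (the shape produced by the certificate_status.sh script) and reports which certificates are expired or close to expiry, so a lapse like the ipaCert one is caught before the CLI and web UI stop working. The certutil output is constructed from the values quoted in the post; the reference dates passed to run_check() are constructed as well.

```python
from datetime import datetime, timedelta
import re

# Constructed sample: the certificate_status.sh output from the post, plus the
# ipaCert expiry from /etc/httpd/alias, in the format certutil -L prints.
SAMPLE_OUTPUT = """\
auditSigningCert cert-pki-ca
            Not After : Thu Apr 23 22:18:47 2015
ocspSigningCert cert-pki-ca
            Not After : Fri Oct 14 22:17:47 2016
subsystemCert cert-pki-ca
            Not After : Fri Oct 14 22:17:47 2016
Server-Cert cert-pki-ca
            Not After : Fri Oct 14 22:17:48 2016
ipaCert
            Not After : Mon Oct 27 21:35:53 2014
"""

NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$")
# certutil prints validity dates like "Mon Oct 27 21:35:53 2014".
CERTUTIL_DATE = "%a %b %d %H:%M:%S %Y"


def parse_not_after(text):
    """Return {nickname: expiry datetime} from certutil-style output.

    Any non-empty line without 'Not After' is taken as the nickname that the
    following 'Not After' line belongs to, which is what the post's script
    produces with `echo "$nickname"` followed by `grep -i after`.
    """
    expiry = {}
    nickname = None
    for line in text.splitlines():
        m = NOT_AFTER_RE.search(line)
        if m:
            if nickname is None:
                raise ValueError("Not After line without a nickname: %r" % line)
            expiry[nickname] = datetime.strptime(m.group(1), CERTUTIL_DATE)
            nickname = None
        elif line.strip():
            nickname = line.strip()
    return expiry


def classify(expiry, now, warn_days=30):
    """Bucket certificates into expired / expiring / ok relative to `now`.

    Each bucket is ordered by expiry date, earliest first, so the first entry
    of 'expiring' is the next renewal to schedule.
    """
    result = {"expired": [], "expiring": [], "ok": []}
    for nick, when in sorted(expiry.items(), key=lambda kv: kv[1]):
        if when <= now:
            result["expired"].append(nick)
        elif when - now <= timedelta(days=warn_days):
            result["expiring"].append(nick)
        else:
            result["ok"].append(nick)
    return result


def run_check(text, today, warn_days=30):
    """`today` is an ISO date string (constructed reference date for the run)."""
    now = datetime.strptime(today, "%Y-%m-%d")
    return classify(parse_not_after(text), now, warn_days)


if __name__ == "__main__":
    # Constructed reference date shortly after the ipaCert expiry in the post.
    for state, nicks in run_check(SAMPLE_OUTPUT, "2014-10-30").items():
        print("%-9s %s" % (state + ":", ", ".join(nicks) or "-"))
```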
[Freeipa-users] Permission for root running cron task as a different user
Evening,

Came across a problem where a cron job I had set up last night seemed not to run. On further investigation, I noticed FreeIPA must be pushing a policy that blocks cron tasks that adopt a different user than the one it's set under. I am certain it's FreeIPA related as I have a system that's not enrolled and the task runs fine there.

Now, this is for curiosity's sake as I solved the problem using groups, but how would one allow root to schedule a job that runs as non-root?

* 4 * * * williamm /usr/local/bin/some-script.sh

Aug 21 14:06:02 muriithi crond[6621]: (williamm) FAILED to authorize user with PAM (Permission denied)
Aug 21 14:07:01 wmuriithi crond[6625]: (williamm) FAILED to authorize user with PAM (Permission denied)
Aug 21 14:08:01 wmuriithi crond[6628]: (williamm) FAILED to authorize user with PAM (Permission denied)

Regards,

William
[Freeipa-users] sudo 'run as' question
Afternoon,

I have an application that uses the account image as a service account. I can su to the account 'image' and start or stop it fine. No root privilege needed.

So I am now trying to set it up so that other developers can be able to restart it through sudo and that's when I realized I am missing something about sudo. The problem is under "run as" usage. When I look at the man page, it implies that the "run as" account doesn't need to be root. Quoting the man page.

Begin quote:
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
End quote:

On FreeIPA, I have a sudo rule called developers with the necessary hostgroups and usergroups. At the bottom is a section titled "AS WHOM" and that's where I am having a problem. If I use root under the RunAs Users section, it works. If I substitute root with account image, I get the following error.

[william@dev18-yyz-int ~]$ sudo service imageserver stop
[sudo] password for william:
Sorry, user william is not allowed to execute '/sbin/service imageserver stop' as root on dev18-yyz-int.jamar.loc.

[william@dev18-yyz-int ~]$ ls -al /etc/init.d/imageserver
-rwxr-xr-x. 1 image image 1014 Jan 9 15:38 /etc/init.d/imageserver

[william@dev18-yyz-int ~]$ cat /etc/init.d/imageserver
#! /bin/sh

start(){
    echo "Starting imageserver.."
    eval "runuser - image -c '/usr/local/bin/imageserver.sh &'"
}

stop(){
    echo "Stopping imageserver.."
    PIDNUMBER=`ps aux | grep imaginserver | grep -v grep | awk '{print $2}'`
    echo $PIDNUMBER
    eval "runuser - image -c 'kill -9 $PIDNUMBER'"
}

[william@dev18-yyz-int ~]$ ls -al /usr/local/bin/imageserver.sh
-rwxr--r--. 1 image image 89 Jan 9 15:36 /usr/local/bin/imageserver.sh

[williamm@dev18-yyz-int ~]$ cat /usr/local/bin/imageserver.sh
#!/bin/bash
cd /opt/jamar/application/imaginserver
nohup ant run > /dev/null 2>&1 &

Is it possible to use sudo without first needing to go through root momentarily?

I suspect this should be possible as the sudo "run as" facility wouldn't make sense otherwise. So, it would work as follows:

William -> image

Instead of:

William -> root -> image.

Appreciate any advice in advance

William
Re: [Freeipa-users] Deny SSH access from selected host
>> Would it be possible to deny ssh access per host without pulling a host off
>> FreeIPA management?
>
> from-host part of the rule is not enforced by default due to the fact
> that it is pretty easy to fake that one on connection.
>
> You can try to create more specific rules allowing access to the
> systems. With allow_all rule disabled these would help -- when there is
> no rule for that user to access an SSH service on the host, it will not
> be able to do so.
>
> Are you using allow_all rule right now?
>
Yes, the allow_all rule was in place. I didn't see the allow all from the browser though and wasn't aware of it either. After I disabled it, I was able to achieve selective access.

Thank you very much.

> http://www.freeipa.org/page/Howto/HBAC_and_allow_all
> --
> / Alexander Bokovoy

William
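An added example, not code from either thread: a small model of how FreeIPA HBAC rules are evaluated, written to show two things the cron thread above and this SSH thread describe. First, HBAC rules only ever allow, so while allow_all is enabled no narrower rule can take SSH access away, and disabling it is what makes the specific rules decisive. Second, a cron job that runs as another user goes through PAM for the crond service, and with allow_all disabled it fails exactly like the "FAILED to authorize user with PAM" log lines unless some rule covers that user, host and crond. Users, groups, hosts and rule names are constructed; the real evaluation in SSSD has more detail (for example the source-host part the reply says is not enforced).

```python
from dataclasses import dataclass, field


@dataclass
class HBACRule:
    """One allow rule. A 'category: all' flag matches every user/host/service."""
    name: str
    enabled: bool = True
    usercat_all: bool = False
    hostcat_all: bool = False
    servicecat_all: bool = False
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)


# Constructed directory data: user -> groups, host -> hostgroups.
USER_GROUPS = {"williamm": {"operations"}, "dev1": {"developers"}}
HOST_GROUPS = {"build1.example.loc": {"build"}, "prod1.example.loc": {"production"}}


def _member(name, direct, via_groups, membership):
    """True if `name` is listed directly or belongs to one of the rule's groups."""
    return name in direct or bool(membership.get(name, set()) & via_groups)


def rule_matches(rule, user, host, service):
    if not rule.enabled:
        return False
    user_ok = rule.usercat_all or _member(user, rule.users, rule.groups, USER_GROUPS)
    host_ok = rule.hostcat_all or _member(host, rule.hosts, rule.hostgroups, HOST_GROUPS)
    svc_ok = rule.servicecat_all or service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_allowed(rules, user, host, service):
    """HBAC is allow-only: access is granted iff at least one enabled rule
    matches the (user, host, PAM service) triple. There is no deny rule; to
    take access away you stop every rule that grants it from matching."""
    return any(rule_matches(r, user, host, service) for r in rules)


def build_rules(allow_all_enabled, extra=()):
    """The default allow_all rule plus two constructed SSH rules."""
    return [
        HBACRule("allow_all", enabled=allow_all_enabled,
                 usercat_all=True, hostcat_all=True, servicecat_all=True),
        HBACRule("developers_ssh_build", groups={"developers"},
                 hostgroups={"build"}, services={"sshd"}),
        HBACRule("operations_ssh_all", groups={"operations"},
                 hostcat_all=True, services={"sshd"}),
    ] + list(extra)


# A rule that lets cron run jobs as williamm on the production hostgroup.
CRON_RULE = HBACRule("operations_cron_prod", groups={"operations"},
                     hostgroups={"production"}, services={"crond"})


if __name__ == "__main__":
    prod, build = "prod1.example.loc", "build1.example.loc"
    print("allow_all on,  dev1 ssh prod :", hbac_allowed(build_rules(True), "dev1", prod, "sshd"))
    print("allow_all off, dev1 ssh prod :", hbac_allowed(build_rules(False), "dev1", prod, "sshd"))
    print("allow_all off, dev1 ssh build:", hbac_allowed(build_rules(False), "dev1", build, "sshd"))
    print("allow_all off, williamm crond:", hbac_allowed(build_rules(False), "williamm", prod, "crond"))
    print("with cron rule, williamm crond:",
          hbac_allowed(build_rules(False, [CRON_RULE]), "williamm", prod, "crond"))
```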
[Freeipa-users] Deny SSH access from selected host
Hello

I have an ipa-server-2.2.0-16.el6.x86_64 server serving different versions of ipa-clients and so far it has been good.

I have noticed that some of our DEVs have started to ssh into some of the systems that I had no intention of making available through ssh. I have tried to revoke a specific group's ssh permission from a certain host and I don't seem to be having luck. I have only looked under the policy and IPA server tabs but these two tabs seem like they can only add more access/roles from the default user.

Would it be possible to deny ssh access per host without pulling a host off FreeIPA management?

Thanks in advance

William
Re: [Freeipa-users] Updated doc, synchronization question
> > > Two questions:
> > >
> > > - Any ETA on an updated 3.3.3 Users Guide?
> > > >>>
> > > >>> Our current plan is to release next documentation release along with
> > > >>> FreeIPA
> > > >>> 3.4, when more documentation fixes are factored in.
> > > >>>
> >
> > Would you by any chance know when FreeIPA 3.4 will be released?
> >
> > Looking to update a version 2.2 and would wait for 3.4 if it's
> > reasonably soon.
> >
>
> We planned for Feb but it seems like it would slip. How much is unclear.
> We might reduce the scope and cut it earlier (I mean do not slip too
> much) or try to keep the scope and extend the time couple months.
> We will decide in early Feb.

Thanks a lot for the estimated release date. Please do make some announcement once you guys make up your mind which route to take.

William

>
> Sorry not to have a more precise answer.
>
> Thanks
> Dmitri
>
> > William
> >
> > > >>> Just in case you would like to check the most recent status of the
> > > >>> documentation work (or even help us with it), this page describes
> > > >>> the details
> > > >>>
> > > >>> http://www.freeipa.org/page/Contribute/Documentation
> > > >>>
> > > >>> including instructions how to build HTMLs out of our git tree.
> > > >>>
> > > >>
> > > >> Thanks, I'll take a look.
> > > >>
> > > - Is AD/IPA synchronization still supported in 3.3.3? Will it
> > always?
> > > >>>
> > > >>> The AD/IPA synchronization is supported only in terms in bug fixes.
> > > >>> As for the
> > > >>> enhancements, the FreeIPA core team is focusing on the AD trusts:
> > > >>>
> > > >>> http://www.freeipa.org/page/Trusts
> > > >>>
> > > >>> (That does not mean we are not open to contributions from the
> > > >>> community)
> > > >>>
> > > >>> Martin
> > > >>>
> > > >>
> > > >> Thanks for that link - the video was helpful. Although I'm
> > > >> afraid that is
> > > >> making me lean towards implementing the not recommended "split brain"
> > > >> approach. Although one thing that is not clear to me is whether
> > > >> doing this
> > > >> consumes CALs for the linux machines since they authenticate
> > against AD.
> > > > Linux machines do not authenticate against AD DC in single sign-on
> > > > case. Instead, usually Windows users obtain their Kerberos TGT upon
> > > > logon to
> > > > Windows machines and then use it to obtain tickets to services on
> > Linux
> > > > machines, by obtaining cross-realm TGT from AD DC and presenting it to
> > > > IPA KDC as a proof. So in single sign-on case it works fine --
> > > > authentication against AD happens on AD side.
> > > >
> > > > Of course, when AD users attempt to log in with password to IPA
> > > > resources, SSSD would perform communication with AD DC to obtain
> > TGT on
> > > > their behalf. There is AD DC involved in making a decision whether
> > > > this AD user is allowed to authenticate. On Kerberos level, however,
> > > > there are no limitations from where the authentication request comes
> > > > (unless it is restricted with the firewalls). CALs play role on using
> > > > Windows resources after authentication happened but in IPA AD trusts
> > > > case currently only IPA resources can be consumed by AD users, IPA
> > users
> > > > cannot yet consume Windows resources and therefore get assigned rights
> > > > to access them.
> > > >
> > >
> > > To clarify the CAL part.
> > > The CALs come in two shapes: per user and per host.
> > > If it is per user and you have users in AD then regardless of how you
> > > integrate with IPA you have to pay these CALs.
> > > If your CALs is around hosts then they are based on the count of the
> > > computer objects in AD.
> > > If the client system is joined directly and has kerberos identity in AD
> > > domain you have an object in AD that counts towards CALs.
> > > If you have client joined to IPA and either trust or sync solution in
> > > place the client is not a member of AD (no computer object in AD) and
> > > this does not count towards CALs.
> > >
> > > HTH
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager for IdM portfolio
> > > Red Hat Inc.
> > >
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
Re: [Freeipa-users] Updated doc, synchronization question
> Two questions:
>
> - Any ETA on an updated 3.3.3 Users Guide?
> >>>
> >>> Our current plan is to release next documentation release along with
> >>> FreeIPA
> >>> 3.4, when more documentation fixes are factored in.
> >>>

Would you by any chance know when FreeIPA 3.4 will be released? Looking to update a version 2.2 and would wait for 3.4 if it's reasonably soon.

William

> >>> Just in case you would like to check the most recent status of the
> >>> documentation work (or even help us with it), this page describes
> >>> the details
> >>>
> >>> http://www.freeipa.org/page/Contribute/Documentation
> >>>
> >>> including instructions how to build HTMLs out of our git tree.
> >>>
> >>
> >> Thanks, I'll take a look.
> >>
> - Is AD/IPA synchronization still supported in 3.3.3? Will it always?
> >>>
> >>> The AD/IPA synchronization is supported only in terms in bug fixes.
> >>> As for the
> >>> enhancements, the FreeIPA core team is focusing on the AD trusts:
> >>>
> >>> http://www.freeipa.org/page/Trusts
> >>>
> >>> (That does not mean we are not open to contributions from the
> >>> community)
> >>>
> >>> Martin
> >>>
> >>
> >> Thanks for that link - the video was helpful. Although I'm
> >> afraid that is
> >> making me lean towards implementing the not recommended "split brain"
> >> approach. Although one thing that is not clear to me is whether
> >> doing this
> >> consumes CALs for the linux machines since they authenticate against AD.
> > Linux machines do not authenticate against AD DC in single sign-on
> > case. Instead, usually Windows users obtain their Kerberos TGT upon
> > logon to
> > Windows machines and then use it to obtain tickets to services on Linux
> > machines, by obtaining cross-realm TGT from AD DC and presenting it to
> > IPA KDC as a proof. So in single sign-on case it works fine --
> > authentication against AD happens on AD side.
> >
> > Of course, when AD users attempt to log in with password to IPA
> > resources, SSSD would perform communication with AD DC to obtain TGT on
> > their behalf. There is AD DC involved in making a decision whether
> > this AD user is allowed to authenticate. On Kerberos level, however,
> > there are no limitations from where the authentication request comes
> > (unless it is restricted with the firewalls). CALs play role on using
> > Windows resources after authentication happened but in IPA AD trusts
> > case currently only IPA resources can be consumed by AD users, IPA users
> > cannot yet consume Windows resources and therefore get assigned rights
> > to access them.
> >
>
> To clarify the CAL part.
> The CALs come in two shapes: per user and per host.
> If it is per user and you have users in AD then regardless of how you
> integrate with IPA you have to pay these CALs.
> If your CALs is around hosts then they are based on the count of the
> computer objects in AD.
> If the client system is joined directly and has kerberos identity in AD
> domain you have an object in AD that counts towards CALs.
> If you have client joined to IPA and either trust or sync solution in
> place the client is not a member of AD (no computer object in AD) and
> this does not count towards CALs.
>
> HTH
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
[Freeipa-users] Anyone tried to authenticate Jenkins user through freeIPA?
Hello all,

I have been struggling to get Jenkins authenticating through FreeIPA and it seems this is currently not possible. The problem is, Jenkins is not capable of using Kerberos as far as I can tell. Also, I am not sure FreeIPA can authenticate directly through LDAP; as far as I understand, LDAP is only used for authorization and authentication is through Kerberos.

I am planning to set up Apache and run it as a reverse proxy for Jenkins as a workaround. Would this be the best way forward or would anyone know of a better way around this? I have noticed that the FreeIPA project uses Jenkins, how have you guys got around this?

Thanks in advance.

Regards,

William
Re: [Freeipa-users] Suppressing the domain section after authentication
Rob,

>>
>> The question is, how would I coerce apache or kerberos to pass
>> gitolite only section before the @ character?
>>
>
> With mod_auth_kerb >= 5.4 you can use KrbLocalUserMapping on to strip the realm.
>
> rob

Thanks a lot, that did it. I added

KrbLocalUserMapping On

And it worked perfectly.

Thanks again

William
[Freeipa-users] Suppressing the domain section after authentication
Hello

I have set up gitolite3 and it's working fine when I connect to it through ssh. I am using LDAP (FreeIPA) for authorization. When I connect through http/https, I am authenticated, but I believe authorization is not working. I have not been able to figure out how to work around it.

git clone http://will...@git1.example.com/git/Design.git

But after Apache authenticates me, it passes will...@example.loc, not william, to gitolite. When the name will...@example.loc is passed to the group searching script, it returns null and hence the error below

2013-05-29.14:51:19 12567 access(Design, will...@example.loc, R, 'any'),-> R any Design will...@example.loc DENIED by fallthru
2013-05-29.14:51:19 12567 trigger,Writable,access_1, ACCESS_1,Design,will...@example.loc,R,any,R any Design will...@example.loc DENIED by fallthru
2013-05-29.14:51:19 12567 die R any Design will...@example.loc DENIED by fallthru<>(or you mis-spelled the reponame)

The question is, how would I coerce apache or kerberos to pass gitolite only the section before the @ character?

Regards,

William
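An added example, not code from this thread or from gitolite, illustrating the mapping the reply above fixes with KrbLocalUserMapping and why the unmapped name failed: Apache handed gitolite the full principal, gitolite's group lookup found no such user, and the request fell through to a deny. The local_user() function below strips the realm only for an explicit set of trusted realms, so a principal from another realm with the same username cannot be collapsed onto a local account; that allowlist is the example's own design (mod_auth_kerb delegates the actual mapping to the Kerberos library), and the users, groups, repositories and ACL are constructed.

```python
# Constructed: realms whose principals may be mapped to local account names.
TRUSTED_REALMS = {"EXAMPLE.LOC"}


def local_user(principal, trusted_realms=TRUSTED_REALMS):
    """Map 'name@REALM' to 'name'.

    Returns None (treat as unknown user) when the realm is not trusted, when
    the principal has no realm, or when it is a multi-component principal
    such as 'HTTP/git1.example.com@EXAMPLE.LOC', which is a service, not a
    person, and must never turn into a local login name.
    """
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)  # realm is everything after the last '@'
    if realm not in trusted_realms:
        return None
    if not name or "/" in name:
        return None
    return name


# Constructed gitolite-style data: user -> groups, repo -> permission -> groups.
GROUPS = {"william": ["@designers", "@devs"], "bob": ["@devs"]}
ACL = {
    "Design": {"R": {"@designers"}, "W": {"@designers"}},
    "Tools": {"R": {"@devs"}, "W": set()},
}


def gitolite_access(user, repo, perm):
    """Return 'ALLOWED' or the verdict seen in the post's log, 'DENIED by fallthru'.

    Group membership comes from the lookup table; a name that is not in it
    (such as the unstripped principal) has no groups, so nothing matches.
    """
    wanted = ACL.get(repo, {}).get(perm, set())
    for group in GROUPS.get(user, []):
        if group in wanted:
            return "ALLOWED"
    return "DENIED by fallthru"


def check(principal, repo, perm, strip_realm):
    """Simulate what gitolite sees as REMOTE_USER with KrbLocalUserMapping
    Off (strip_realm=False) or On (strip_realm=True)."""
    remote_user = local_user(principal) if strip_realm else principal
    if remote_user is None:
        return "DENIED by fallthru"
    return gitolite_access(remote_user, repo, perm)


if __name__ == "__main__":
    for p in ("william@EXAMPLE.LOC", "william@OTHER.EXAMPLE", "HTTP/git1.example.com@EXAMPLE.LOC"):
        print("%-36s mapping off: %-18s mapping on: %s"
              % (p, check(p, "Design", "R", False), check(p, "Design", "R", True)))
```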
[Freeipa-users] Authenticating Apache through FreeIPA
Hello,

This seems well documented, but I can't seem to get it working. Not sure what I am missing. I will try to go over it and hopefully someone may notice why I am failing.

I got a system enrolled to IPA and it's running

httpd-2.2.15-28.el6.centos.x86_64
mod_auth_kerb-5.4-9.el6.x86_64
mod_authnz_external-3.2.6-1.el6.x86_64

I initially tried to authenticate against LDAP directly, but it didn't work at all. I believe FreeIPA only uses LDAP for authorization and Kerberos for authentication. Is this observation correct? I mean, can one deal with LDAP directly in this setup?

For Kerberos, I went to the IPA server and generated a keytab

[root@ipa1-yyz-int wmuriithi]# kinit admin
Password for ad...@example.loc:
[root@ipa1-yyz-int wmuriithi]# ipa service-add HTTP/git1.example@example.loc
---
Added service "HTTP/git1.example@example.loc"
---
Principal: HTTP/git1.example@example.loc
Managed by: git1.example.com
[root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p HTTP/git1.example.com -k /tmp/httpd.keytab
Keytab successfully retrieved and stored in: /tmp/httpd.keytab
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/
The authenticity of host '10.10.10.50 ()' can't be established.
RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.50' (RSA) to the list of known hosts.
root@10.10.10.50's password:
[root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50:/etc/httpd/conf/

Then from the IPA client 10.10.10.50, I have this basic change. The bottom part is the only pertinent section but I posted the whole file in case I have done something silly somewhere else.

ServerName git1.example.com
ServerAlias git
DocumentRoot /var/www/git

    Options None
    AllowOverride none
    Order allow,deny
    Allow from all

SuexecUserGroup gitolite3 gitolite3

# Set up appropriate GIT environments
SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

# Set up appropriate gitolite environments
SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3

ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/

    # SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.LOC
    Krb5KeyTab /etc/httpd/conf/httpd.keytab
    require valid-user

When I test it with a browser, I get the following error

[Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 configured -- resuming normal operations
[Mon May 27 12:55:38 2013] [error] [client 10.10.10.231] user william: authentication failure for "/git": Password Mismatch

I can ssh in to the server with the same account password, so the login details should be fine. All I want to achieve is basic authentication, but I seem to be missing something. Any pointers?

Regards,

William
[Freeipa-users] FreeIPA gitolite integration
Thank Martin and Natxo, Really appreciate.

> > Got a question, I know FreeIPA does not allow anonymous binding so if one
> > need to create an account to query for such information. I did this during
> > the sudo setup.
> >
> > unless you have changed it yourself (or stuff has changed in the standard
> > installation since v2.2 when I installed my ipa servers) anonymous binding is
> > allowed. But you cannot query group membership of the users IIRC anonymously.
>
> Correct. To disable anonymous binds, you can check:
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/disabling-anon-binds.html
>
Thanks, I opted to add a bind user instead.

> >
> > I am trying to get git to use FreeIPA today and I trying to figure where
> > the bind user should be created under. This got to be a system account, so
> > I am not sure it should go under the normal user dn below. And even if I
> > created it as normal user, I am not sure it would have permission to
> > traverse the tree looking for the group user details
> >
> > dn: uid=william,cn=users,cn=compat,dc=example,dc=com
> >
> > system accounts like sudo are in cn=sysaccounts,cn=etc,dc=domain,dc=tld ; but
> > you can create them wherever you like I think. If you create a normal ipa
> > account with the ipa tools, you can always modify the krbPasswordExpiration
> > attribute manually and have it expire in the year 3000 so it does not get
> > disabled until then ;-)

Opted to create it under sysaccounts; that way, it's a bit hidden and unlikely to be removed accidentally.

I initially tried to query for group information from a system that is not enrolled to the FreeIPA realm. Was getting a sasl error when the script is called through gitolite but the script would work fine when I ran it manually. Odd. I enrolled the git server and now that problem seems to have gone away. Any way to explain what was happening, just being curious here?

>
> I am currently not familiar with how the git+LDAP works, but you could also add
> service for it like "git/your.host.with.git@YOUR.REALM", get a keytab for it
> and then let git use it to authenticate to FreeIPA.

Git doesn't have any authentication or authorization facilities; it leaves that to SSH and Apache to handle. Gitolite is there to assist with authorization but doesn't handle authentication. So one uploads a public key which SSH uses for authentication, and then gitolite takes the username and checks the respective groups one is authorized to use. It's this group querying that the script above is useful for.

>
> Martin
>
> William
[Freeipa-users] FreeIPA gitolite integration
Afternoon,

Got a question, I know FreeIPA does not allow anonymous binding so one needs to create an account to query for such information. I did this during the sudo setup.

I am trying to get git to use FreeIPA today and I am trying to figure out where the bind user should be created under. This has got to be a system account, so I am not sure it should go under the normal user dn below. And even if I created it as a normal user, I am not sure it would have permission to traverse the tree looking for the group user details

dn: uid=william,cn=users,cn=compat,dc=example,dc=com

Here is the script that interacts with FreeIPA. What's the best way to get the script working with FreeIPA?

http://gitolite.googlecode.com/git-history/v2.0.2/contrib/ldap/ldap-query-example.pl

Any advice would be appreciated.

Regards,

William
Re: [Freeipa-users] Process conflict issue when restarting IPA
> I see the same issue as William on CentOS6.3 fully up-to-date...
>
> [root@test-1 ~]# rpm -qa|grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> [root@test-1 ~]# yum update
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
> base | 3.7 kB 00:00
> extras | 3.5 kB 00:00
> updates | 3.5 kB 00:00
> Setting up Update Process
> No Packages marked for Update
> [root@service-1 ~]# ipactl restart
> Restarting Directory Service
> Shutting down dirsrv:
> TEST-LOCAL...[ OK ]
> PKI-IPA... [ OK ]
> Starting dirsrv:
> TEST-LOCAL...[ OK ]
> PKI-IPA... [ OK ]
> Restarting KDC Service
> Stopping Kerberos 5 KDC: [ OK ]
> Starting Kerberos 5 KDC: [ OK ]
> Restarting KPASSWD Service
> Stopping Kerberos 5 Admin Server: [ OK ]
> Starting Kerberos 5 Admin Server: [ OK ]
> Restarting DNS Service
> Stopping named: [ OK ]
> Starting named: [ OK ]
> Restarting MEMCACHE Service
> Stopping ipa_memcached: [ OK ]
> Starting ipa_memcached: [ OK ]
> Restarting HTTP Service
> Stopping httpd: [ OK ]
> Starting httpd: [Tue Jan 15 09:10:03 2013] [warn] worker ajp://localhost:9447/ already used by another worker
> [Tue Jan 15 09:10:03 2013] [warn] worker ajp://localhost:9447/ already used by another worker
> [ OK ]
> Restarting CA Service
> Stopping pki-ca: [ OK ]
> Starting pki-ca: [ OK ]
> [root@test-1 ~]#
>
> Thanks,
> Mike
>
>
That is the same version of IPA I am also using. When I came across it initially, I turned off tomcat as I initially thought it may have come up by mistake, but soon noticed errors in the logs. Restarting it a second time, I noticed it complained the certificate system was not running. It was then that I guessed it was a script bug and ignored it

> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager for IdM portfolio
> > Red Hat Inc.
> >

William
[Freeipa-users] Process conflict issue when restarting IPA
Hello

When I restart IPA through ipactl, I get the following message. All seems to be working despite the message. I think it is pki-ca that is running on tomcat

Starting httpd: [Fri Jan 11 16:13:25 2013] [warn] worker ajp://localhost:9447/ already used by another worker
[Fri Jan 11 16:13:25 2013] [warn] worker ajp://localhost:9447/ already used by another worker

I assume there may be a bug in the ipactl script, is this a correct assumption?

Regards

William
Re: [Freeipa-users] FreeIPA and Samba 4
> > I know this may be a loaded question, but I am asking it anyways.
> >
> >
> > Can anyone tell me what the current status and future plan for IPA /
> > Samba 4 is?
>
> We plan to support setting up trusts with Samba4 just like we do with AD
> when Samba4 will start supporting Cross-forest trusts. It currently
> doesn't.
>
> Simo.
>
Yes, it's amazing samba4 has finally gone GA. Plan to set up an instance as a backup AD to the existing AD some day when I get some time. Not well documented though, wish there was a well written book on it. Anyway, a backup AD would be the best way to get some experience I am assuming

A related question, would there be any need to have a replica when using trust if the AD is just one instance? What I am asking in another way is, if the AD fails, wouldn't FreeIPA fail to authenticate users till the AD issues are fixed?

Regards,

William

> --
> Simo Sorce * Red Hat, Inc * New York
>
> --
>
> Message: 2
> Date: Mon, 17 Dec 2012 16:03:03 -0500
> From: Dmitri Pal
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] anyone know how to do sssd filters?
> Message-ID: <50cf8887.9020...@redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 12/17/2012 03:11 PM, KodaK wrote:
> > I'm attempting to install Satellite in my IPA domain. There is a
> > ridiculous requirement that the group "dba" must not already exist
> > prior to installing. Red Hat support wanted me to *remove* the DBA
> > group and then install.
> >
> > Anyway, I'm trying to play around with filter_groups in sssd, and I
> > can't seem to get it to "take." The man page isn't exactly clear, but
> > here's what I've tried:
> >
> > filter_groups = dba
> > filter_groups= dba@fqdn
> >
> > In the [domain], [sssd] and [nss] sections of the config file.
> >
> > What's the right syntax? Do I need it in every section?
>
> Is it a local group or a central group?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> --
>
> Message: 3
> Date: Mon, 17 Dec 2012 16:29:00 -0500
> From: Dmitri Pal
> To: Simo Sorce
> Cc: freeipa-users , Albert Adams
> Subject: Re: [Freeipa-users] Allow IPA users to create SSH tunnel with
> no shell
> Message-ID: <50cf8e9c.4020...@redhat.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 12/17/2012 09:36 AM, Simo Sorce wrote:
> > On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote:
> >> Thank you for the responses. I was initially attempting to set this
> >> value via the web UI and if I entered anything other than the hash
> >> value of the user's public key it would get rejected. After thinking
> >> about your response I realize that I really need to determine a method
> >> of doing this via a HBAC rule. If I accomplish this with
> >> authorized_keys then the user is restricted across the board and would
> >> not be able to gain a shell on any system whereas HBAC would allow me
> >> to restrict their access as needed. We currently require users to
> >> tunnel over SSH to gain access to certain sensitive web apps (like
> >> Nessus) but those same users have shell access on a few boxes.
> >> Thoughts??
> > One thing you could do is to use the override_shell parameter in sssd.
> > However this one would override the shell for all users so just
> > putting /sbin/nologin there would not work if you need some users to be
> > able to log in (if you care only for root logins it would be enough).
> >
> > However you can still manage to use it to point to a script that would
> > test something like whether the user belongs to a group or not, and if
> > so run either /bin/bash or /bin/nologin
> >
> > This seem like a nice feature request for FreeIPA though, maybe we can
> > extend HBAC to allow a special option to define a shell, maybe creating
> > a special 'shell' service that sssd can properly interpret as a hint to
> > set nologin vs the actual shell.
> >
> > Dmitri, should we open a RFE on this ?
> >
> >
> > Simo.
>
> OK , RFE would make sense.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> --
>
> Message: 4
> Date: Tue, 18 Dec 2012 00:15:42 +
> From: Johan Petersson
> To: "freeipa-users@redhat.com"
> Subject: [Freeipa-users] Problem generating Oracle ZFS Storage
> Appliance host and nfs principals and keys to IPA/Free IPA.
> Message-ID:
> <558c15177f5e714f83334217c9a197df5db40...@ssc-mbx2.ssc.internal>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> When trying to generate a host and nfs principal + keys from the Oracle ZFS 7120/7320 Appliance i get the following error message (note that the information pasted are from a simulato
Re: [Freeipa-users] Managing Sudo through FreeIPA
FYI

Got it working, credit to JR for pointing out that I need to assign a password to the sudo account on LDAP and use it for binding.

Thanks a lot

William

On 8 November 2012 12:11, William Muriithi wrote:
> Steven,
>
> Thanks for the pointers. I remember finding a post on this, but having
> problem finding it now
>>
>> I assume rhel6.3 by the el6 in the rpm
>>
>> 1) Make sure the host and IPA server are fully patched/updated.
> I am current already
>
>> 2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may or
>> may not be there.
>
> Done
>
>> 3) add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for
>> that file to "appear". I'm not at work so I don't have a pastable set
> Yes, the file was there already. Wonder if you can paste it now.
> Mine was like this
>
> uri ldap://ipa1-yyz-int.example.loc
>
> sudoers_base ou=SUDOers,dc=example,dc=loc
>
> ssl start_tls
> tls_checkpeer(yes)
> tls_cacertfile /etc/ipa/ca.crt
>
>
>> 4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.
> Done
>> 5) Add or enable the sudo "connection" user in IPA with a password.
> ? Lost me here, mind explaining a bit please if you have a chance?
>> 6) reboot the host
>>
>> If it doesn't work set the debug level in sudo-ldap.conf to 2 and re-try to
>> see the output..restart sssd.
>>
> sh-4.1$ sudo less /var/log/secure
> LDAP Config Summary
> ===
> uri ldap://ipa1-yyz-int.example.loc
> ldap_version 3
> sudoers_base ou=SUDOers,dc=example,dc=loc
> binddn (anonymous)
> bindpw (anonymous)
> ssl start_tls
> tls_checkpeer(no)
> tls_cacertfile /etc/ipa/ca.crt
> ===
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
> sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: no default options found in ou=SUDOers,dc=example,dc=loc
> sudo: ldap search
> '(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
> sudo: ldap search 'sudoUser=+*'
> sudo: user_matches=0
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(0)=0x60
> [sudo] password for williamm:
> williamm is not in the sudoers file. This incident will be reported.
>
>
> Thank you again for your help
>
> Regards,
>
> William
>> regards
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
>> behalf of William Muriithi [william.murii...@gmail.com]
>> Sent: Thursday, 8 November 2012 10:28 a.m.
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] Managing Sudo through FreeIPA
>>
>> Hello
>>
>> I have been trying to setup user access through sudo file managed by
>> FreeIPA and it doesn't seem to be working. I am not sure how to go
>> about fixing it, but I guess the best place to start is ask what I
>> should expect the IPA installation script should set up and what
>> should be done manually
>>
>> [root@demo2 wmuriithi]# rpm -qa | grep sssd
>> sssd-client-1.8.0-32.el6.x86_64
>> sssd-1.8.0-32.el6.x86_64
>> [root@demo2 wmuriithi]#
>>
>> [root@demo2 wmuriithi]# rpm -qa | grep sudo
>> sudo-1.7.4p5-13.el6_3.x86_64
>>
>> The only errors related to sudo that I can find are in the apache error logs
>>
>> [Wed Nov 07 13:16:18 2012] [error] ipa: INFO: ad...@example.loc:
>> sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
>> version=u'2.34', group=(u'operations',)): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache:
>> ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME
>> environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
>> sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
>> batch: sudorule_show(u'Full_Access', all=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
>> batch: sudorule_s
Re: [Freeipa-users] Managing Sudo through FreeIPA
Steven,

Thanks for the pointers. I remember finding a post on this, but having
problem finding it now
>
> I assume rhel6.3 by the el6 in the rpm
>
> 1) Make sure the host and IPA server are fully patched/updated.

I am current already

> 2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may or
> may not be there.

Done

> 3) add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for
> that file to "appear". I'm not at work so I don't have a pastable set

Yes, the file was there already. Wonder if you can paste it now.
Mine was like this

uri ldap://ipa1-yyz-int.example.loc

sudoers_base ou=SUDOers,dc=example,dc=loc

ssl start_tls
tls_checkpeer(yes)
tls_cacertfile /etc/ipa/ca.crt

> 4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.

Done

> 5) Add or enable the sudo "connection" user in IPA with a password.

? Lost me here, mind explaining a bit please if you have a chance?

> 6) reboot the host
>
> If it doesn't work set the debug level in sudo-ldap.conf to 2 and re-try to
> see the output..restart sssd.
>

sh-4.1$ sudo less /var/log/secure
LDAP Config Summary
===
uri ldap://ipa1-yyz-int.example.loc
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=loc
binddn (anonymous)
bindpw (anonymous)
ssl start_tls
tls_checkpeer(no)
tls_cacertfile /etc/ipa/ca.crt
===
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=example,dc=loc
sudo: ldap search '(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x60
[sudo] password for williamm:
williamm is not in the sudoers file. This incident will be reported.

Thank you again for your help

Regards,

William

> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ____
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of William Muriithi [william.murii...@gmail.com]
> Sent: Thursday, 8 November 2012 10:28 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Managing Sudo through FreeIPA
>
> Hello
>
> I have been trying to setup user access through sudo file managed by
> FreeIPA and it doesn't seem to be working. I am not sure how to go
> about fixing it, but I guess the best place to start is ask what I
> should expect the IPA installation script should set up and what
> should be done manually
>
> [root@demo2 wmuriithi]# rpm -qa | grep sssd
> sssd-client-1.8.0-32.el6.x86_64
> sssd-1.8.0-32.el6.x86_64
> [root@demo2 wmuriithi]#
>
> [root@demo2 wmuriithi]# rpm -qa | grep sudo
> sudo-1.7.4p5-13.el6_3.x86_64
>
> The only errors related to sudo that I can find are in the apache error logs
>
> [Wed Nov 07 13:16:18 2012] [error] ipa: INFO: ad...@example.loc:
> sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
> version=u'2.34', group=(u'operations',)): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache:
> ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME
> environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> batch: sudorule_show(u'Full_Access', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> batch: sudorule_show(u'developers', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> batch: sudorule_show(u'operation', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method':
> u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all':
> True}], u'method': u'sudorule_show'}, {u'params': [[u'developers&
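The config and the "LDAP Config Summary" quoted in William's reply to Steven, and the fix he reports in his later "Got it working" note (a bind account with a password), can be checked mechanically. The script below is an added example written for this thread, not code from the sudo or FreeIPA projects: it parses a sudo-ldap.conf the way sudo reads it (keyword, whitespace, value), parses the summary sudo prints at debug level (where values appear as `key(value)`), and reports the two findings that explain the trace above: an anonymous bind, which IPA answers with no sudo rules, and `tls_checkpeer` left off, which is what the summary shows even though the posted file says `tls_checkpeer(yes)`, because that parenthesised form is sudo's output format, not its input format. The sample config, trace and the `uid=sudo,cn=sysaccounts,cn=etc,...` bind DN are constructed (that DN is where FreeIPA keeps system accounts, an assumption here since the thread never spells it out); the bind password is a placeholder.

```python
"""Audit a sudo LDAP setup against IPA: the /etc/sudo-ldap.conf settings and the
'LDAP Config Summary' sudo prints at debug level.  Added example for this thread,
not code from the sudo or FreeIPA projects."""
import re

# Constructed sample shaped like the config quoted in the thread.  The parenthesised
# line is the form sudo *prints* in its summary; the config file takes 'tls_checkpeer yes'.
WEAK_CONF = """\
uri ldap://ipa1-yyz-int.example.loc
sudoers_base ou=SUDOers,dc=example,dc=loc
ssl start_tls
tls_checkpeer(yes)
tls_cacertfile /etc/ipa/ca.crt
"""

# Constructed hardened form: a dedicated bind account with a password, the fix reported
# in the thread.  The binddn is where FreeIPA keeps system accounts (an assumption; the
# thread does not spell it out) and the password is a placeholder.
HARDENED_CONF = """\
uri ldap://ipa1-yyz-int.example.loc
sudoers_base ou=SUDOers,dc=example,dc=loc
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=loc
bindpw PLACEHOLDER-sudo-bind-password
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ipa/ca.crt
"""

# Constructed excerpt of the debug trace, modelled on the one in the thread.
DEBUG_TRACE = """\
LDAP Config Summary
===
uri ldap://ipa1-yyz-int.example.loc
binddn (anonymous)
bindpw (anonymous)
ssl start_tls
tls_checkpeer(no)
tls_cacertfile /etc/ipa/ca.crt
===
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x60
"""

_KV = re.compile(r"^(\w+)\s+(.+)$")                 # 'key value': config file form
_PAREN = re.compile(r"^(\w+)\((.*)\)$")              # 'key(value)': debug summary form
_COUNTER = re.compile(r"^sudo:\s+(\w+)=(\d+)\s*$", re.M)  # 'sudo: user_matches=0'
_ON = {"yes", "true", "on", "1"}


def parse_sudo_ldap(text, strict=False):
    """Return {key: value} from a sudo-ldap.conf or from the debug summary.
    strict=True behaves like sudo's own reader and accepts only 'key value' lines;
    the default also accepts the summary's 'key(value)' form.  Trace lines,
    banners and comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "sudo:", "LDAP Config")) or set(line) == {"="}:
            continue
        m = _KV.match(line) or (None if strict else _PAREN.match(line))
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit(settings):
    """Security findings for a parsed sudo LDAP configuration."""
    findings = []
    if settings.get("binddn", "") in ("", "(anonymous)"):
        findings.append("ANON_BIND: no binddn/bindpw; IPA does not hand out sudo rules to an "
                        "anonymous bind, so every lookup comes back empty")
    if settings.get("tls_checkpeer", "").lower() not in _ON:
        findings.append("TLS_CHECKPEER: server certificate not verified; set 'tls_checkpeer yes' "
                        "with tls_cacertfile at the IPA CA, or a spoofed server can feed forged rules")
    return findings


def audit_conf(conf_text):
    """Findings for a sudo-ldap.conf as sudo would read it.  Lines in the 'key(value)'
    display form are flagged first: sudo does not recognise them as settings, so the
    option silently keeps its default."""
    findings = []
    for raw in conf_text.splitlines():
        m = _PAREN.match(raw.strip())
        if m:
            findings.append(f"SYNTAX: '{raw.strip()}' is ignored; write '{m.group(1)} {m.group(2)}'")
    return findings + audit(parse_sudo_ldap(conf_text, strict=True))


def explain_trace(trace):
    """Findings for a debug trace, plus a hint on why a lookup matched nothing."""
    findings = audit(parse_sudo_ldap(trace))
    counters = {m.group(1): int(m.group(2)) for m in _COUNTER.finditer(trace)}
    if counters.get("user_matches") == 0 and counters.get("host_matches") == 0:
        if any(f.startswith("ANON_BIND") for f in findings):
            findings.append("NO_MATCH: zero matches after an anonymous bind; fix the bind account first")
        else:
            findings.append("NO_MATCH: bind fine but no rule matched; check sudoers_base and sudoUser/sudoHost")
    return findings
```

Running `audit_conf(WEAK_CONF)` yields SYNTAX, ANON_BIND and TLS_CHECKPEER findings and `audit_conf(HARDENED_CONF)` yields none; `explain_trace(DEBUG_TRACE)` adds the NO_MATCH hint. Two points the script only states in its messages: once `bindpw` is in sudo-ldap.conf the file must be readable by root only, and `tls_checkpeer yes` with `tls_cacertfile` pointing at the IPA CA is what turns the STARTTLS step into an authenticated channel, without which any host that can answer the LDAP query decides who may run sudo.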
Re: [Freeipa-users] Managing Sudo through FreeIPA
Dmitri,
>
> The SUDO integration is evolving so it is important to know what OS and
> version you are on.
> I would assume you are on RHEL6.3 or equivalent.

That's correct. I am on RHEL6.3 equivalent

> There are two main ways to integrate SUDO with IPA. One with SSSD
> integration and another without. The one with the SSSD integration was a
> tech preview in 6.3 and did not work well so we will set it aside for
> now (but we fixed it and it is coming in 6.4 as a supported feature).
>

Neat, looking forward to 6.4

> So the only reasonable option ATM is to setup sudo without SSSD integration.
>
> So this solution implies that SUDO will use LDAP to get data from the
> LDAP server and LDAP server happens to be IPA in this case.
> You need to configure SUDO with LDAP as one would do following the
> instructions provided by SUDO package.
> Please search archives of the last month. There have been a couple of threads
> that you can find helpful in your quest.
>

Thank you for the pointer... Looking at the archive now

> Keep in mind that the location and name of the file used by sudo to
> configure LDAP connection has changed. The exact names of the files and
> recommendations you will find in the mentioned threads.
>
> Once you configured SUDO and if you still have problems please let us
> know and we will help to troubleshoot the issue.
>

Thank you again

William

> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
Rich,
>
> In addition to other comments I want to step back and give a bit of a
> bigger picture.
> 1) Regardless of what approach you choose we recommend using the latest
> available version at the moment of deployment.

Good suggestion. This means I should use version 3. Problem is that I would have to run Fedora 17 and I'm not happy with that option. Think I may have to wait for 6.4 before changing the current setup as I like the trust setup more than the sync alternative.

> 2) There are two different approaches to dealing with AD - sync or
> trust. You need to choose what approach you want to use. Down the road
> there might be some hybrid solutions but so far they are not supported.
>
> Sync: available starting the beginning of the IPA life. It has some
> limitations and we indeed had some issues with the corner cases that
> Steve's environment has. They are not common but you have been warned
> anyways.

Ok

> Trust:
> a) Trusts are targeting RHEL 6.4
> b) There is no upgrade from Sync to Trust solution. If you want trusts
> you need to upgrade what you have to 6.4 (or start over) and implement
> trusts there and not do Sync.
> c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise
> the trusts would not work. This also means that if you have other UNIXes
> the trusts would not work there.

That sucks. Would have been better if it only affected the IPA server. Hope there will not be too many dependencies that would make it impossible to update to SSSD 1.9.x. Why is this necessary, if I may ask? Though most of the changes would be limited to the server side?

Actually, a better question is, what's the difference between sync and trust? To me, sync means pushing the username/password pair through passsync while trust means pushing the username and password through samba4. Is this correct?

> If you have UNIX clients that need to be accessed by AD users you might
> explore some hybrid solutions that might work but we can't say for sure.
> For example the sync might actually work in parallel to trusts to some
> extent. There is also PAM pass through capability that comes with 6.4 as
> a tech preview. That would allow pass through LDAP auth for the non
> SSSD 1.9 clients. But this needs to be tried out and there might be dragons.
>

Interesting, sounds scary to go there.

Thank you

William

> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
Steve, thanks

> Hi,
>
> Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should
> be in your RH supported channel tree?
>

Nope, using Centos 6.3. I checked and it looks like I can find passsync.msi from here. I am hoping it's the same Windows binaries supplied to RedHat paying customers:

http://directory.fedoraproject.org/wiki/Download

> 1) Only one AD domain, so if you have a AD "forest" you can only do one
> sub-domain. So if the root is "example.com" and you have
> "staff.example.com" and "clients.example.com" you can do only one, say
> staff.example.com to IPA.
>
> Possible issues,
>
> 2) There is a bug in the setup where you have to be careful that you specify
> the right OU= IF your users are not in the expected default (cn=users?),
> otherwise the IPA users get deleted rather than ignored, you end up with an
> empty IPA. Frightened me senseless!

Do you mind explaining this further please? Where are you specifying this? On the passsync.msi application "search base" field? On the AD side, or on "ipa-replica-manage --win-subtree"? Expected default users CN, on which side, AD or FreeIPA? Sorry, I tried to google for the bug and I can't seem to pick it, so the question.

> So,
>
> a) If you have users in multiple ou's then only one set is synced, the
> rest in IPA will go bye bye, unless they are unique to IPA.
> b) If some users have a smartphone to exchange setup the winsync
> agreement sees that as the user having 2 ou's and first adds and then
> deletes those users..oops. I lost 20% of my users that way

Yikes, that would have sucked, hope you had a backup. I don't have a sub-domain (Forest = domain), but would have been caught by the smartphone issue. Thanks for the heads up, really appreciate it.

> This is with RH support.

Hmm, hopefully their response will get to us non-customers somehow.

> 3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync
> syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to
> 6.3 several times and this happens each time but a clean 6.3 IPA seems
> fine. We don't know why that is yet.
>
> This is with RH support,
>
> So if you are going to do this you need an isolated test setup to test for
> un-expected "features" that could really spoil your day.
>
> :(

Yes, I am really grateful for asking before diving in. Looks like I would have got hurt really bad.

> My main advice would be restart with a clean 6.3 setup and not an upgraded
> from 6.2. I've rebuilt 2 of my three IPA servers and the 6.3 clean builds
> seem a lot more stable.
>
> Also use db2ldif to make backups of your database before you do it. Also
> you might want to halt and turn off any IPA replicas when you do it until
> after you are happy it's stable and OK.
>

Will use 6.3. Thank you again for the advice

William

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of William Muriithi [william.murii...@gmail.com]
> Sent: Monday, 5 November 2012 8:23 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] FreeIPA v 2.2 in an AD environment
>
> Hi all,
>
> I am in the process of deploying freeIPA 2.2 to authenticate Linux
> systems and have been able to setup everything nicely with separate
> domain. I mean users are currently using separate password to access
> Linux system and another set of password from AD for desktop stuff. On
> Friday, I came across an article on freeIPA v 3 and noticed one can
> use the same username & password for both Linux and Windows systems.
> I have since felt this would be a better setup but feel like the
> documentation is not clear on how to achieve the above.
>
> Would anyone be able to clarify this:
>
> - Can I synchronize the current AD user credentials with
> FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0?
> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2?
> I can only seem to find freeIPA v3 RPM for Fedora 17. Was hoping
> to use a blessed RPM instead of rolling one which may be incompatible
> with the distribution RPM once it comes around
>
> Regards,
>
> William
>
> --
>
> Message: 3
> Date: Mon, 05 Nov 2012 09:32:42 +0100
> From: Petr Spacek
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for AMM users management
> Mes