Re: [Freeipa-users] sudo su without password

2017-03-04 Thread deepak dimri
Never mind, I got this working after I added

/usr/bin/sudo

On Sat, Mar 4, 2017 at 8:24 PM, deepak dimri <deepak.dimri2...@gmail.com>
wrote:

> Hi All,
>
> In my IPA I have users authenticating using key + token and want admin
> to switch to root without being prompted for the password. How can I do
> that in IPA?
>
> This is what I have tried: created a test user in IPA and did not give
> any password for this test user. I also have a sudo rule configured to allow
> this user to switch to root. I have added the !authenticate option in the sudo
> rule. However, when I log in using my test user with private key + token and
> then try "sudo su" I am getting prompted for the password.
>
> Thanks,
> Deepak
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] sudo su without password

2017-03-04 Thread deepak dimri
Hi All,

In my IPA I have users authenticating using key + token and want admin
to switch to root without being prompted for the password. How can I do
that in IPA?

This is what I have tried: created a test user in IPA and did not give any
password for this test user. I also have a sudo rule configured to allow this
user to switch to root. I have added the !authenticate option in the sudo rule.
However, when I log in using my test user with private key + token and
then try "sudo su" I am getting prompted for the password.

Thanks,
Deepak

Re: [Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread deepak dimri
Hi Jakub, actually that is what I am doing. I am creating the user with the
same UID in IPA, and then if I delete the user locally I can
authenticate via IPA. Is there any way I can do this without deleting the
user? This is just to use the same GID and avoid recreating
home directories.

Many Thanks for your response!

Regards,
Deepak

On Thu, Mar 2, 2017 at 8:40 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Thu, Mar 02, 2017 at 07:09:41PM +0530, deepak dimri wrote:
> > Hi List,
> >
> > I have sudo and normal users accessing Linux systems using their private
> > key without IPA. I have IPA fully functioning and now I want to switch the
> > users from local file login to IPA.
> >
> > Any new user I create in IPA can SSH into IPA client jump boxes fine. I
> > want to know how I can migrate existing local sudoers users to IPA. This
> > is what I have done to achieve this:
> >
> > 1- Created a new user in IPA with the same name as I have in the jumpbox.
> > 2- Added the public key of that user in IPA.
> > 3- Added the user to jumpbox_usergroup, as my sshd.conf forces the users of
> > this group to authenticate against pam/sssd.
> >
> > Now when I try to ssh into the jumpbox as I was doing before, I still log
> > into the jumpbox via unix pam and not IPA. What should I be doing so that
> > the "existing" local unix users can log in via IPA?
>
> But do you need to keep the local users around? Why not create the IPA
> user with the same UID as the local user and remove the local user?
>
> Typically, if there is a user both in the local files and a remote
> source, the system (as configured in nsswitch.conf) would first return
> the local user and the PAM stack then only authenticates this user using
> pam_unix.so
>

[Freeipa-users] Local users migration into IPA

2017-03-02 Thread deepak dimri
Hello All,

I have a whole bunch of Linux users that I want to migrate to IPA. All these
users use their ssh private keys (no passwords) to log into the Linux
system. What steps should I be following to migrate existing Linux users
seamlessly to the IPA server? Since passwords are not involved, I am
thinking it would be a rather simple exercise.

This is what I was thinking:

1- Create a Linux user with the same name in IPA
2- Add the public cert for each user in IPA
3- I am assuming there is no configuration change needed on IPA clients, as
I can log in to the IPA server fine with a new user. If that's not the case, then
what configuration changes should I be doing on the ipaclient?

Do I need to delete the local entry of the users from the IPA client for
authentication to go through IPA and not locally? If so, can I anyway
avoid this and rather force the user to authenticate against IPA and not
locally without deleting the local entries?

Would truly appreciate it if you can provide some direction on this use case.

Thanks,
Deepak
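
The question above (whether the local entry has to go) and Jakub's answer in the "Switch sudoers to IPA" thread earlier on this page come down to nsswitch.conf ordering: the passwd sources are tried in the listed order and the first one that knows the user wins. The following simulation is an added example, not code from the thread or from FreeIPA. The /etc/passwd content, the stand-in IPA directory and the nsswitch.conf lines are constructed; the [STATUS=action] clauses of nsswitch.conf are deliberately not modelled.

```python
"""Simulate the nsswitch.conf lookup order for the passwd database.

Added example: the sample data below is constructed for illustration and
is not from the mailing-list thread. Sources are queried in the order
listed for "passwd" and the first source that knows the user answers.
"""
from typing import Any, Dict, List, Optional, Tuple

# Constructed /etc/passwd of a jump box that still carries a local "deepak".
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
deepak:x:1001:1001:Deepak:/home/deepak:/bin/bash
"""

# Constructed stand-in for the entries sssd would return from IPA.
# "deepak" was created in IPA with the same UID/GID as the local account,
# as Jakub suggests, so ownership of files under /home/deepak stays valid.
IPA_USERS: Dict[str, Dict[str, Any]] = {
    "deepak": {"uid": 1001, "gid": 1001, "home": "/home/deepak"},
    "newuser": {"uid": 1500002, "gid": 1500002, "home": "/home/newuser"},
}


def parse_nsswitch(text: str, database: str) -> List[str]:
    """Return the ordered source list configured for `database` (e.g. 'passwd')."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == database:
            # Drop [NOTFOUND=return]-style clauses; only the order matters here.
            return [s for s in sources.split() if not s.startswith("[")]
    return []


def lookup_files(name: str, passwd_text: str) -> Optional[Dict[str, Any]]:
    """Look a user up in /etc/passwd-style text (the 'files' source)."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == name:
            return {"uid": int(fields[2]), "gid": int(fields[3]), "home": fields[5]}
    return None


def lookup_sss(name: str, directory: Dict[str, Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Look a user up in the stand-in IPA directory (the 'sss' source)."""
    return directory.get(name)


def resolve_user(name: str, nsswitch_text: str, passwd_text: str,
                 directory: Dict[str, Dict[str, Any]]) -> Tuple[Optional[str], Optional[Dict[str, Any]]]:
    """Return (source, entry) from the first configured source that knows `name`."""
    for source in parse_nsswitch(nsswitch_text, "passwd"):
        if source == "files":
            entry = lookup_files(name, passwd_text)
        elif source == "sss":
            entry = lookup_sss(name, directory)
        else:
            entry = None  # ldap, nis, ... are not modelled in this example
        if entry is not None:
            return source, entry
    return None, None


def remove_local_user(name: str, passwd_text: str) -> str:
    """Return the passwd text without `name`, i.e. the effect of deleting the local user."""
    kept = [l for l in passwd_text.splitlines() if l.split(":", 1)[0] != name]
    return "".join(l + "\n" for l in kept)


def demo() -> Dict[str, Optional[str]]:
    """Which source answers for each user, before and after deleting the local entry."""
    nss = "passwd: files sss\n"
    without_local = remove_local_user("deepak", LOCAL_PASSWD)
    return {
        "deepak_before": resolve_user("deepak", nss, LOCAL_PASSWD, IPA_USERS)[0],
        "deepak_after": resolve_user("deepak", nss, without_local, IPA_USERS)[0],
        "newuser": resolve_user("newuser", nss, LOCAL_PASSWD, IPA_USERS)[0],
    }


if __name__ == "__main__":
    for user, source in demo().items():
        print(f"{user}: answered by {source}")
```

With the usual `passwd: files sss` order the local entry shadows the IPA one, which is exactly why the existing users keep authenticating through pam_unix; removing the local entry (or listing `sss` before `files`, which is rarely advisable because root and system accounts should stay local) makes sssd answer instead. Keeping the UID identical, as in the constructed data, is what lets the home directory survive the switch.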

[Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread deepak dimri
Hi List,

I have sudo and normal users accessing Linux systems using their private
key without IPA. I have IPA fully functioning and now I want to switch the
users from local file login to IPA.

Any new user I create in IPA can SSH into IPA client jump boxes fine. I
want to know how I can migrate existing local sudoers users to IPA. This
is what I have done to achieve this:

1- Created a new user in IPA with the same name as I have in the jumpbox.
2- Added the public key of that user in IPA.
3- Added the user to jumpbox_usergroup, as my sshd.conf forces the users of
this group to authenticate against pam/sssd.

Now when I try to ssh into the jumpbox as I was doing before, I still log
into the jumpbox via unix pam and not IPA. What should I be doing so that
the "existing" local unix users can log in via IPA?

I am still playing with the configuration to make it work but thought of asking
this to you all to see if I can get a solution faster.

Many Thanks,
Deepak

[Freeipa-users] VERSION: 4.4.0, IPA Replica DOES NOT Work

2017-02-04 Thread deepak dimri
I am wondering: does an IPA replica work standalone, without the IPA master being up,
for you guys? My and my colleague's IPA setup in our own dev
environment with VERSION: 4.2 works perfectly fine, but now that we are
moving to the staging env we are getting IPA version VERSION: 4.4.0,
API_VERSION: 2.213 installed through yum on CentOS 7, and the replica now DOES
NOT WORK as a standalone unit.

We either keep getting a GATEWAY_TIMEOUT error in the browser or it takes
a hell of a lot of time to fetch user and host objects from the replica DS. The moment
we bring our IPA server up, the replica also starts working fine.

I am not sure, but unfortunately there is no helpful reply I am getting on
this issue, and I'm wondering if anyone else is having a TIMEOUT issue with
a replica on version 4.4?


Thanks,
Deepak

[Freeipa-users] IPA replica setup for version 4.4

2017-02-04 Thread deepak dimri
I am trying to install an IPA replica but am getting the below error when
running ipa-replica-install.

I am following the below link for IPA 4.4:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html


Run connection check to master
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check
failed!
Please fix your network settings according to error messages above


What could be the reason for this error?

Thanks,
Deepak

Re: [Freeipa-users] FreeIPA installation on centos 7

2017-02-03 Thread deepak dimri
Thanks Rob

Is there a place/link where I can download the release for CentOS 7?

~Amit

On Fri, Feb 3, 2017 at 3:03 PM, Rob Crittenden  wrote:

> amit bhatt wrote:
>
>> My QA development setup is running with IPA VERSION: 4.2.0 on CentOS 7
>> and I want to install the same version in my production environment as
>> well. However, when I am running yum install ipa-server I am getting
>> VERSION: 4.4.0 (package ipa-server-4.4.0-14.el7.centos.4.x86_64)
>> installed.
>>
>> How can I force the IPA server to install 4.2.0 and not 4.4.0?
>>
>
> You'd need to create your own yum repository with the older bits and
> install from there (or push the packages onto your system and do a local
> install).
>
> Note that the IPA packages are tested against the current versions of the
> release which means that some packages may be newer and are therefore
> untested against IPA 4.2.x. Chances are things will work fine but there are
> no guarantees when mixing packages.
>
> rob
>

Re: [Freeipa-users] Gateway_timeout Error

2017-02-02 Thread deepak dimri
Hi All,

I am stuck with this gateway error on my replicas. I recreated the replicas
but that did not help either. I realised that if I just keep my primary IPA
up then I do not get the error on the secondary/replica server. The error
logs on the replica show hits are getting successfully executed, but I am
certain that it is trying to bind to the primary IPA server when I am trying to
open the hosts/users entries. It seems it is failing to make an LDAP bind to the
primary server and then eventually timing out.

Any idea why, in my case, the replica is trying to connect to the IPA master?

Thanks,
Deepak



On Thu, Feb 2, 2017 at 10:12 AM, deepak dimri <deepak.dimri2...@gmail.com>
wrote:

> Hey Martin,
>
>
> Does the gateway error have anything to do with the --no-wait-for-dns flag that I
> used when I created the replica image? I have another test IPA setup
> working fine in the same env, and the only difference I see is that in that env
> I did not use --no-wait-for-dns for replicas.
>
> Thanks,
> Deepak
>
> On Wed, Feb 1, 2017 at 10:52 PM, deepak dimri <deepak.dimri2...@gmail.com>
> wrote:
>
>> Sorry for not replying to all!
>>
>> I have an Apache reverse proxy fronting the IPA servers. As I mentioned,
>> if I try hitting the IPA replica WebUI directly then I do get the objects
>> loaded in the browser after waiting for over a minute or so. The replica server
>> logs (/var/log/dirsrv/slapd-$YOUR_REALM/{access,errors}) show hits coming
>> through fine, but for some reason the web browser ends up with the gateway
>> error.
>>
>> Both the IPA masters are running VERSION: 4.4.0, API_VERSION: 2.213
>>
>> Kind Regards,
>> Deepak
>>
>>
>> On Wed, Feb 1, 2017 at 9:21 PM, Martin Babinsky <mbabi...@redhat.com>
>> wrote:
>>
>>> On 02/01/2017 04:26 PM, deepak dimri wrote:
>>>
>>>> Yes, Martin - I do see requests hitting the
>>>> replica. /var/log/httpd/error_log shows:
>>>>
>>>> [Wed Feb 01 15:16:47.469766 2017] [:error] [pid 2464] ipa: INFO:
>>>> ad...@xxx.xyz.com: batch:
>>>> host_show(u'xxx.abx.xyz', rights=True, all=True):
>>>> SUCCESS
>>>>
>>>> I used an Ansible playbook to build the replica server. Ran
>>>> ipa-replica-prepare on the primary:
>>>> ipa-replica-prepare {{ replica_dns }} --password={{ipa_password}}
>>>> --no-wait-for-dns
>>>>
>>>> copied the replica file over to the replica server:
>>>> scp -oStrictHostKeyChecking=no -i ~/.ssh/{{ssh_keyname}}.pem
>>>> /var/lib/ipa/replica-info-{{ replica_dns }}.gpg root@{{ replica_dns }}:/var/lib/ipa/
>>>>
>>>> ran the replica install on the replica server:
>>>> ipa-replica-install /var/lib/ipa/replica-info-{{  replica_dns }}.gpg
>>>> --password={{ipa_password}} --admin-password={{ipa_password}}
>>>>
>>>> I have noticed that if I directly use the replica URL (bypassing the proxy)
>>>> then the objects show after waiting for over a minute or so. When I use
>>>> proxy pass then it just times out after a few seconds.
>>>>
>>>> No clue why it's behaving like this.
>>>>
>>>> Many Thanks,
>>>> Deepak
>>>>
>>>> On Wed, Feb 1, 2017 at 6:45 PM, Martin Babinsky <mbabi...@redhat.com>
>>>> wrote:
>>>>
>>>> On 02/01/2017 11:17 AM, deepak dimri wrote:
>>>>
>>>> Hello Martin, thank you so much for your reply.
>>>>
>>>> I checked /etc/ipa/default.conf 'xmlrpc_uri' on my secondary
>>>> server and it's pointing to its own hostname and not to the primary server
>>>> hostname :(
>>>>
>>>> Any other clue, Martin?
>>>>
>>>> I have tried without the proxy and again no luck; it's throwing the same
>>>> gateway_error
>>>>
>>>> Regards,
>>>> Deepak
>>>>
>>>> On Wed, Feb 1, 2017 at 3:03 PM, Martin Babinsky
>>>> <mbabi...@redhat.com>
>>>> wrote:
>>>>
>>>> On 02/01/2017 10:22 AM, deepak dimri wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I have two IPA servers - primary and secondary

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread deepak dimri
Hey Martin,


Does the gateway error have anything to do with the --no-wait-for-dns flag that I used
when I created the replica image? I have another test IPA setup working
fine in the same env, and the only difference I see is that in that env I did
not use --no-wait-for-dns for replicas.

Thanks,
Deepak

On Wed, Feb 1, 2017 at 10:52 PM, deepak dimri <deepak.dimri2...@gmail.com>
wrote:

> Sorry for not replying to all!
>
> I have an Apache reverse proxy fronting the IPA servers. As I mentioned,
> if I try hitting the IPA replica WebUI directly then I do get the objects
> loaded in the browser after waiting for over a minute or so. The replica server
> logs (/var/log/dirsrv/slapd-$YOUR_REALM/{access,errors}) show hits coming
> through fine, but for some reason the web browser ends up with the gateway
> error.
>
> Both the IPA masters are running VERSION: 4.4.0, API_VERSION: 2.213
>
> Kind Regards,
> Deepak
>
>
> On Wed, Feb 1, 2017 at 9:21 PM, Martin Babinsky <mbabi...@redhat.com>
> wrote:
>
>> On 02/01/2017 04:26 PM, deepak dimri wrote:
>>
>>> Yes, Martin - I do see requests hitting the
>>> replica. /var/log/httpd/error_log shows:
>>>
>>> [Wed Feb 01 15:16:47.469766 2017] [:error] [pid 2464] ipa: INFO:
>>> ad...@xxx.xyz.com: batch:
>>> host_show(u'xxx.abx.xyz', rights=True, all=True):
>>> SUCCESS
>>>
>>> I used an Ansible playbook to build the replica server. Ran
>>> ipa-replica-prepare on the primary:
>>> ipa-replica-prepare {{ replica_dns }} --password={{ipa_password}}
>>> --no-wait-for-dns
>>>
>>> copied the replica file over to the replica server:
>>> scp -oStrictHostKeyChecking=no -i ~/.ssh/{{ssh_keyname}}.pem
>>> /var/lib/ipa/replica-info-{{ replica_dns }}.gpg root@{{ replica_dns }}:/var/lib/ipa/
>>>
>>> ran the replica install on the replica server:
>>> ipa-replica-install /var/lib/ipa/replica-info-{{  replica_dns }}.gpg
>>> --password={{ipa_password}} --admin-password={{ipa_password}}
>>>
>>> I have noticed that if I directly use the replica URL (bypassing the proxy)
>>> then the objects show after waiting for over a minute or so. When I use
>>> proxy pass then it just times out after a few seconds.
>>>
>>> No clue why it's behaving like this.
>>>
>>> Many Thanks,
>>> Deepak
>>>
>>> On Wed, Feb 1, 2017 at 6:45 PM, Martin Babinsky <mbabi...@redhat.com>
>>> wrote:
>>>
>>> On 02/01/2017 11:17 AM, deepak dimri wrote:
>>>
>>> Hello Martin, thank you so much for your reply.
>>>
>>> I checked /etc/ipa/default.conf 'xmlrpc_uri' on my secondary
>>> server and it's pointing to its own hostname and not to the primary server
>>> hostname :(
>>>
>>> Any other clue, Martin?
>>>
>>> I have tried without the proxy and again no luck; it's throwing the same
>>> gateway_error
>>>
>>> Regards,
>>> Deepak
>>>
>>> On Wed, Feb 1, 2017 at 3:03 PM, Martin Babinsky
>>> <mbabi...@redhat.com>
>>> wrote:
>>>
>>> On 02/01/2017 10:22 AM, deepak dimri wrote:
>>>
>>> Hi All,
>>>
>>> I have two IPA servers - primary and secondary - running. The
>>> secondary IPA server is installed using an IPA replica image of the
>>> primary. While doing the testing I realised that when I manually shut down my
>>> primary IPA server, making my secondary server serve the UI, and then
>>> try to access user or host details using my secondary server,
>>> I am getting the below error in the UI. I am able to log in fine though;
>>> it is just that when I double click on host objects then I get the error.
>>>
>>>
>>>   An error has occurred (GATEWAY_TIMEOUT)
>>>
>>>
>>> I am still trying to troubleshoot why I am getting
>

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread deepak dimri
Sorry for not replying to all!

I have an Apache reverse proxy fronting the IPA servers. As I mentioned, if
I try hitting the IPA replica WebUI directly then I do get the objects loaded
in the browser after waiting for over a minute or so. The replica server
logs (/var/log/dirsrv/slapd-$YOUR_REALM/{access,errors}) show hits coming
through fine, but for some reason the web browser ends up with the gateway
error.

Both the IPA masters are running VERSION: 4.4.0, API_VERSION: 2.213

Kind Regards,
Deepak


On Wed, Feb 1, 2017 at 9:21 PM, Martin Babinsky <mbabi...@redhat.com> wrote:

> On 02/01/2017 04:26 PM, deepak dimri wrote:
>
>> Yes, Martin - I do see requests hitting the
>> replica. /var/log/httpd/error_log shows:
>>
>> [Wed Feb 01 15:16:47.469766 2017] [:error] [pid 2464] ipa: INFO:
>> ad...@xxx.xyz.com: batch:
>> host_show(u'xxx.abx.xyz', rights=True, all=True):
>> SUCCESS
>>
>> I used an Ansible playbook to build the replica server. Ran
>> ipa-replica-prepare on the primary:
>> ipa-replica-prepare {{ replica_dns }} --password={{ipa_password}}
>> --no-wait-for-dns
>>
>> copied the replica file over to the replica server:
>> scp -oStrictHostKeyChecking=no -i ~/.ssh/{{ssh_keyname}}.pem
>> /var/lib/ipa/replica-info-{{ replica_dns }}.gpg root@{{ replica_dns }}:/var/lib/ipa/
>>
>> ran the replica install on the replica server:
>> ipa-replica-install /var/lib/ipa/replica-info-{{  replica_dns }}.gpg
>> --password={{ipa_password}} --admin-password={{ipa_password}}
>>
>> I have noticed that if I directly use the replica URL (bypassing the proxy)
>> then the objects show after waiting for over a minute or so. When I use
>> proxy pass then it just times out after a few seconds.
>>
>> No clue why it's behaving like this.
>>
>> Many Thanks,
>> Deepak
>>
>> On Wed, Feb 1, 2017 at 6:45 PM, Martin Babinsky <mbabi...@redhat.com>
>> wrote:
>>
>> On 02/01/2017 11:17 AM, deepak dimri wrote:
>>
>> Hello Martin, thank you so much for your reply.
>>
>> I checked /etc/ipa/default.conf 'xmlrpc_uri' on my secondary
>> server and it's pointing to its own hostname and not to the primary server
>> hostname :(
>>
>> Any other clue, Martin?
>>
>> I have tried without the proxy and again no luck; it's throwing the same
>> gateway_error
>>
>> Regards,
>> Deepak
>>
>> On Wed, Feb 1, 2017 at 3:03 PM, Martin Babinsky
>> <mbabi...@redhat.com> wrote:
>>
>> On 02/01/2017 10:22 AM, deepak dimri wrote:
>>
>> Hi All,
>>
>> I have two IPA servers - primary and secondary - running. The
>> secondary IPA server is installed using an IPA replica image of the
>> primary. While doing the testing I realised that when I manually shut down my
>> primary IPA server, making my secondary server serve the UI, and then
>> try to access user or host details using my secondary server,
>> I am getting the below error in the UI. I am able to log in fine though;
>> it is just that when I double click on host objects then I get the error.
>>
>>
>>   An error has occurred (GATEWAY_TIMEOUT)
>>
>>
>> I am still trying to troubleshoot why I am getting the timeout
>> error but thought of asking the group here to see if someone can
>> share some pointers.
>>
>> Many Thanks,
>> Deepak
>>
>>
>> Hi Deepak,
>>
>> please check /etc/ipa/default.conf on the secondary server
>> and check
>> the value of 'xmlrpc_uri'. Maybe it points to the URL of
>> primary
>> server and that's why you get timeouts when it is down.
>>
>> Re-setting it to the secondary server itself should fix it.
>>
>> --
>> Martin^3 Babinsky
>>
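
Martin's suggestion in the quoted exchange above is to confirm that the replica's /etc/ipa/default.conf names the replica itself rather than the first master. The script below automates that check; it is an added example, not code from the thread or from FreeIPA. The two configuration texts are constructed, and `xmlrpc_uri`, `jsonrpc_uri`, `server` and `host` are real default.conf keys. On a real server it is meant to be run against /etc/ipa/default.conf via `check_file()`.

```python
"""Check whether an IPA server's /etc/ipa/default.conf points at itself.

Added example. A replica whose xmlrpc_uri/jsonrpc_uri (or server entry)
names another server forwards its own API calls there, which is one way a
replica can hang and time out as soon as that other server is down.
"""
import configparser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed: a replica (ipa2) whose API URI still names the first master (ipa1).
CONF_POINTING_AT_MASTER = """\
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = ipa1.example.test
host = ipa2.example.test
xmlrpc_uri = https://ipa1.example.test/ipa/xml
"""

# Constructed: the same replica after re-pointing server and xmlrpc_uri at itself.
CONF_SELF_CONTAINED = CONF_POINTING_AT_MASTER.replace(
    "server = ipa1.example.test", "server = ipa2.example.test"
).replace("https://ipa1.example.test/", "https://ipa2.example.test/")


def parse_default_conf(text: str) -> Dict[str, str]:
    """Return the [global] section of an ipa default.conf as a dict (keys lowercased)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser["global"])


def _hostname_of(uri: str) -> str:
    return (urlparse(uri).hostname or "").lower()


def find_remote_references(conf_text: str) -> List[str]:
    """List entries whose value names a host other than this server's own `host`.

    Returns an empty list when server, xmlrpc_uri and jsonrpc_uri (where
    present) all refer to the host named by the `host` key.
    """
    conf = parse_default_conf(conf_text)
    own = conf["host"].strip().lower()
    findings: List[str] = []

    server: Optional[str] = conf.get("server")
    if server is not None and server.strip().lower() != own:
        findings.append(f"server = {server} (expected {own})")

    for key in ("xmlrpc_uri", "jsonrpc_uri"):
        uri = conf.get(key)
        if uri is None:
            continue
        target = _hostname_of(uri)
        if target != own:
            findings.append(f"{key} = {uri} (host {target!r}, expected {own!r})")
    return findings


def check_file(path: str = "/etc/ipa/default.conf") -> List[str]:
    """Run the check against a real configuration file."""
    with open(path, encoding="utf-8") as fh:
        return find_remote_references(fh.read())


if __name__ == "__main__":
    for label, text in (("pointing at master", CONF_POINTING_AT_MASTER),
                        ("self-contained", CONF_SELF_CONTAINED)):
        problems = find_remote_references(text)
        print(f"{label}: {'OK' if not problems else problems}")
```

An empty result rules out this particular misconfiguration, which is where Deepak ended up; it does not rule out a proxy in front of the servers forwarding to the wrong backend, so the same kind of self-reference check belongs on the reverse proxy's upstream configuration as well.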

[Freeipa-users] Gateway_timeout Error

2017-02-01 Thread deepak dimri
Hi All,

I have two IPA servers - primary and secondary - running. The secondary IPA
server is installed using an IPA replica image of the primary. While doing the
testing I realised that when I manually shut down my primary IPA server,
making my secondary server serve the UI, and then try to access
user or host details using my secondary server, I am getting the below
error in the UI. I am able to log in fine though; it is just that when I
double click on host objects then I get the error.
An error has occurred (GATEWAY_TIMEOUT)

I am still trying to troubleshoot why I am getting the timeout error but
thought of asking the group here to see if someone can share some pointers.

Many Thanks,
Deepak

Re: [Freeipa-users] Unable to uninstall and re-install ipa client on Ubuntu 14.04

2017-01-29 Thread deepak dimri
Can someone please help me with this? I cannot uninstall and re-install the
ipa client cleanly on my Ubuntu machine. When I re-run
ipa-client-install I am always getting these errors:

Unable to sync time with IPA NTP server, assuming the time is in sync.
Enrolled in IPA realm TEST.REALM.COM
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.REALM.COM
Warning: Hostname (foo.test.com) not found in DNS
Failed to obtain host TGT.
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1)
root: ERROR    dbus failed to start: Command '/usr/sbin/service
dbus start ' returned non-zero exit status 1
Failed to configure automatic startup of the certmonger daemon
Automatic certificate management will not be available
root: ERROR    Failed to disable automatic startup of the
certmonger daemon: Command '/sbin/chkconfig certmonger on' returned
non-zero exit status 1
Would run on a Red Hat platform: /usr/sbin/authconfig --enablesssdauth
--enablemkhomedir --update --enablesssd
Please do the corresponding changes manually and press Enter:
SSSD enabled
*Unable to find 'admin' user with 'getent passwd admin'!*
Recognized configuration: SSSD
Client configuration complete.

I am using the below command to install the ipa client:

sudo ipa-client-install --server= --domain=test.realm.com
--enable-dns-updates --mkhomedir --realm=TEST.REALM.com -w  --hostname=
foo.test.com --unattended --no-ntp


Would really appreciate it if someone can help resolve the issue I have been
facing.

Thanks,

Deepak
On Sat, Jan 28, 2017 at 7:44 PM, Deepak Dimri <deepak_di...@hotmail.com>
wrote:

> Hi All,
>
>
> I am trying to re-install ipa-client on Ubuntu 14.04 but it's not getting
> completed cleanly. Getting the below errors when trying to uninstall the ipa
> client:
>
>
> ipa-client-install --uninstall -U
> root: ERROR    dbus failed to start: Command '/usr/sbin/service
> dbus start ' returned non-zero exit status 1
> root: ERROR    certmonger failed to start: Command
> '/usr/sbin/service certmonger start ' returned non-zero exit status 1
> Unenrolling client from IPA server
> Unenrolling host failed: Error obtaining initial credentials: Decrypt
> integrity check failed.
>
> Removing Kerberos service principals from /etc/krb5.keytab
> Failed to clean up /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Would run on a Red Hat platform: /usr/sbin/authconfig --disablesssdauth
> --disablemkhomedir --update --disablesssd
> Please do the corresponding changes manually and press Enter:
> Restoring client configuration files
>
> If I ignore the above error and re-run ipa-client-install then it returns
> the below errors towards the end:
>
> Failed to update DNS A record. (Command '/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt' returned non-zero exit status 1)
> root: ERROR    dbus failed to start: Command '/usr/sbin/service
> dbus start ' returned non-zero exit status 1
> Failed to configure automatic startup of the certmonger daemon
> Automatic certificate management will not be available
> root: ERROR    Failed to disable automatic startup of the
> certmonger daemon: Command '/sbin/chkconfig certmonger on' returned
> non-zero exit status 1
> Would run on a Red Hat platform: /usr/sbin/authconfig --enablesssdauth
> --enablemkhomedir --update --enablesssd
>
> Can someone please help me with how I can get rid of these errors and get a
> clean ipa client installation on Ubuntu?
>
>
> Many Thanks,
>
> Deepak
>

[Freeipa-users] Unable to uninstall and re-install ipa client on Ubuntu 14.04

2017-01-28 Thread Deepak Dimri
Hi All,


I am trying to re-install ipa-client on Ubuntu 14.04 but it's not getting
completed cleanly. Getting the below errors when trying to uninstall the ipa client:


ipa-client-install --uninstall -U
root: ERROR    dbus failed to start: Command '/usr/sbin/service dbus
start ' returned non-zero exit status 1
root: ERROR    certmonger failed to start: Command '/usr/sbin/service
certmonger start ' returned non-zero exit status 1
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Decrypt integrity
check failed.

Removing Kerberos service principals from /etc/krb5.keytab
Failed to clean up /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Would run on a Red Hat platform: /usr/sbin/authconfig --disablesssdauth
--disablemkhomedir --update --disablesssd
Please do the corresponding changes manually and press Enter:
Restoring client configuration files

If I ignore the above error and re-run ipa-client-install then it returns the below
errors towards the end:

Failed to update DNS A record. (Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1)
root: ERROR    dbus failed to start: Command '/usr/sbin/service dbus
start ' returned non-zero exit status 1
Failed to configure automatic startup of the certmonger daemon
Automatic certificate management will not be available
root: ERROR    Failed to disable automatic startup of the certmonger
daemon: Command '/sbin/chkconfig certmonger on' returned non-zero exit status 1
Would run on a Red Hat platform: /usr/sbin/authconfig --enablesssdauth
--enablemkhomedir --update --enablesssd

Can someone please help me with how I can get rid of these errors and get a clean
ipa client installation on Ubuntu?


Many Thanks,

Deepak

[Freeipa-users] IPA Server & LDAP Replication Monitoring

2016-12-09 Thread Deepak Dimri
Hi All,


Has anyone worked on IPA server integration with collectd, for monitoring the server and LDAP
replication? I am a newbie to collectd and still exploring its plug-in options.
Would be thankful if someone can share some insight on it.


Thanks,

Deepak

Re: [Freeipa-users] IPA rewrite conf

2016-11-28 Thread Deepak Dimri
Hi Jan, sorry to ask, but where exactly can I modify the Referer with
RequestHeader on the IPA server?


Many Thanks,

Deepak



From: Jan Pazdziora <jpazdzi...@redhat.com>
Sent: Monday, November 28, 2016 8:09 AM
To: Deepak Dimri
Cc: deepak dimri; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA rewrite conf

On Mon, Nov 28, 2016 at 11:25:30AM +, Deepak Dimri wrote:
> Hi Jan, thanks for your reply. Sorry for the typo, it's AWS ELB.
>
>
> I have seen the link you shared below. My issue is that I want my IPA
> servers in failover/load balancing mode, and when I add another IPA server
> using Proxy balancer I believe the ProxyPassReverseCookieDomain and
> RequestHeader edit Referer directives do not work for me. Basically I am
> trying to make the balancer work with the below configuration, but it's failing
> at the ProxyPassReverseCookieDomain and RequestHeader edit Referer directives
> level:
>

What error do you get when it fails?

> 
> 
> # IPA Server 1
> BalancerMember https://ipa1.int.example.com/
> # IPA Server 2
> BalancerMember https://ipa2.int.example.com/
> 
> SSLProxyEngine on
> ProxyPass / balancer://ipacluster/
> ProxyPassReverse / balancer://ipacluster/
> ProxyPassReverseCookieDomain ipa1.int.example.com webipa.example.com
> RequestHeader edit Referer ^https://webipa\.example\.com/ 
> https://ipa1.int.example.com/
> ProxyPassReverseCookieDomain ipa2.int.example.com webipa.example.com
> RequestHeader edit Referer ^https://webipa\.example\.com/ 
> https://ipa2.int.example.com/
> 
>
> I am not sure how ProxyPassReverseCookieDomain and RequestHeader edit Referer
> can be configured in this scenario along with Proxy balancer?

I don't see why ProxyPassReverseCookieDomain should fail.

With RequestHeader, I suspect only one change will be done because
after the first change, the value of the Referer header already
contains name of one of the replicas.

Could you try modifying the Referer with the RequestHeader directly
on the IPA server, instead of on the balancer machine? On the IPA
server, you already know what name you want to set it to.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
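
Jan's point about the two `RequestHeader edit Referer` lines in the balancer configuration quoted above can be traced step by step: Apache applies `RequestHeader edit` directives in order, each one rewriting the header value with a regular expression, so after the first edit has substituted ipa1's name the second pattern (still anchored on the public name) no longer matches and ipa2 receives a Referer that names ipa1. The simulation below is an added example, not code from the thread, from Apache httpd or from FreeIPA. The request values are constructed; the hostnames and patterns are the ones in the quoted configuration, and `apply_header_edits` models only the `edit` (first match) form, not `edit*`.

```python
"""Trace Apache `RequestHeader edit` directives on a Referer header.

Added example reproducing Jan's reasoning: edits run in configuration
order, so the second edit never matches once the first has rewritten the
public hostname, and the balancer's member choice plays no role.
"""
import re
from typing import Dict, List, Tuple

# One (header, pattern, replacement) triple per `RequestHeader edit` line.
HeaderEdit = Tuple[str, str, str]

# Pattern from the quoted configuration: Referer values that start with the public name.
PUBLIC = r"^https://webipa\.example\.com/"

# The two edits from the quoted balancer config, in the order Apache sees them.
BALANCER_EDITS: List[HeaderEdit] = [
    ("Referer", PUBLIC, "https://ipa1.int.example.com/"),
    ("Referer", PUBLIC, "https://ipa2.int.example.com/"),
]


def apply_header_edits(headers: Dict[str, str], edits: List[HeaderEdit]) -> Dict[str, str]:
    """Apply `RequestHeader edit` semantics: in order, first match only, header must exist.

    Apache writes back-references as $N; the patterns here have no groups, so
    re.sub with count=1 reproduces `edit` (as opposed to `edit*`) exactly.
    """
    out = dict(headers)
    for name, pattern, replacement in edits:
        if name in out:
            out[name] = re.sub(pattern, replacement, out[name], count=1)
    return out


def referer_after_balancer(referer: str) -> str:
    """Referer every balancer member receives after the balancer-side edits.

    The result is the same for ipa1 and ipa2 because the edits run before
    mod_proxy_balancer picks a member.
    """
    return apply_header_edits({"Referer": referer}, BALANCER_EDITS)["Referer"]


def referer_rewritten_on_server(referer: str, own_name: str) -> str:
    """Jan's alternative: a single edit on each IPA server using its own name."""
    edit: HeaderEdit = ("Referer", PUBLIC, f"https://{own_name}/")
    return apply_header_edits({"Referer": referer}, [edit])["Referer"]


def demo() -> Dict[str, str]:
    """Compare both placements for a constructed UI request."""
    referer = "https://webipa.example.com/ipa/ui/"
    return {
        "balancer_edits_seen_by_ipa2": referer_after_balancer(referer),
        "edit_on_ipa2_itself": referer_rewritten_on_server(referer, "ipa2.int.example.com"),
    }


if __name__ == "__main__":
    for placement, value in demo().items():
        print(f"{placement}: {value}")
```

With the edits on the balancer, ipa2 always sees `https://ipa1.int.example.com/...` in the Referer, which is why moving the rewrite onto each IPA server (where the target name is simply the server's own) gives a correct value on both members.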

Re: [Freeipa-users] IPA rewrite conf

2016-11-28 Thread Deepak Dimri
Hi Jan, thanks for your reply. Sorry for the typo, it's AWS ELB.


I have seen the link you shared below. My issue is that I want my IPA servers
in failover/load balancing mode, and when I add another IPA server using Proxy
balancer I believe the ProxyPassReverseCookieDomain and RequestHeader edit
Referer directives do not work for me. Basically I am trying to make the
balancer work with the below configuration, but it's failing at the
ProxyPassReverseCookieDomain and RequestHeader edit Referer directives level:



# <Proxy> wrapper restored; the archive stripped the angle-bracket tags
<Proxy balancer://ipacluster>
    # IPA Server 1
    BalancerMember https://ipa1.int.example.com/
    # IPA Server 2
    BalancerMember https://ipa2.int.example.com/
</Proxy>

SSLProxyEngine on
ProxyPass / balancer://ipacluster/
ProxyPassReverse / balancer://ipacluster/
ProxyPassReverseCookieDomain ipa1.int.example.com webipa.example.com
RequestHeader edit Referer ^https://webipa\.example\.com/ https://ipa1.int.example.com/
ProxyPassReverseCookieDomain ipa2.int.example.com webipa.example.com
RequestHeader edit Referer ^https://webipa\.example\.com/ https://ipa2.int.example.com/



I am not sure how ProxyPassReverseCookieDomain and RequestHeader edit Referer
can be configured in this scenario along with the Proxy balancer.


Regards,

Deepak



From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on 
behalf of Jan Pazdziora <jpazdzi...@redhat.com>
Sent: Monday, November 28, 2016 3:04 AM
To: deepak dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA rewrite conf

On Sun, Nov 27, 2016 at 01:06:36PM +0530, deepak dimri wrote:
> Hi All,
>
> I am posting my issue here with the hope that I get a response.
>
> I have WS ELB configured to connect to FreeIPA servers on Ubuntu.  My
> FreeIPA servers are in private subnets. I am able to access my test
> index.html page deployed on the FreeIPA server by hitting https:///index.html.
> However when I try the IPA UI https:///ipa/ui then I am getting redirected to
> my internal IPA address, which then results in a "site cannot be reached"
> error.  I am wondering if I have an option of tweaking my
> /usr/share/ipa/ipa-rewrite.conf file so that I can access the IPA UI using
> the external ELB URL?
>
> Would appreciate if some one can give some pointers

I don't know what WS ELB is but maybe

https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name

can get you started?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat


Re: [Freeipa-users] URL is changing on the browser

2016-11-27 Thread Deepak Dimri
Adding Jan into the email thread. Hopefully Jan can help too


Best Regards,

Deepak



From: Deepak Dimri <deepak_di...@hotmail.com>
Sent: Sunday, November 27, 2016 8:08 PM
To: Chris Dagdigian
Subject: Re: [Freeipa-users] URL is changing on the browser


Hello Chris,


Were you able to get around AWS ELB integration with the IPA server?  I am
stuck with this - when I hit my ELB URL I am getting redirected to the internal
FQDN of the IPA server (hosted on a private subnet). I tried tweaking
ipa-rewrite.conf but in vain.  As an alternative I have installed an Apache
reverse proxy on the public subnet and then proxy the requests to IPA. But then
it does not work if I add one more IPA server for load balancing/failover - I
think it's failing at the "RequestHeader edit Referer" directive.


Just thought of checking with you if you found any solution to this issue


Many Thanks for your time,

Deepak





> On 15-Nov-2016, at 00:33, Chris Dagdigian <d...@sonsorol.org> wrote:
>
>
> I'm still interested in this topic as our IPA servers are on private AWS 
> subnets and it would be really nice to have an internal AWS ALB or ELB be the 
> user-facing interface so we can route traffic between IPA systems and only 
> "advertise" a single hostname for access. Plus it would be great to put the 
> load balancer name into the various sssd.conf and krb5.conf client files 
> since our internal DNS-based service discovery has some brittleness that is 
> outside my control to fix.
>
> I played with this for a short time and hit the "IPA redirects to its 
> internal FQDN" problem as well. Now that this appears to be a somewhat simple 
> tweak to the httpd.conf type files I may start playing around with putting 
> private IPA systems behind a private AWS load balancer
>
> Chris
>
>
>
> Deepak Dimri wrote:
>> we discussed the options internally and finally decided to host ipa within 
>> the private subnets - our security team wasn't too comfortable exposing ipa 
>> servers on to the public network.
>

[Freeipa-users] IPA rewrite conf with AWS ELB

2016-11-27 Thread Deepak Dimri
Hi All,

I am posting my issue here with the hope that I get a response.

I have AWS ELB configured to connect to FreeIPA servers on Ubuntu.  My FreeIPA 
servers are in private subnets. I am able to access my test index.html page 
deployed on the FreeIPA server by hitting https:///index.html. However 
when I try the IPA UI https:///ipa/ui then I am getting redirected to my 
internal IPA address, which then results in a "site cannot be reached" error.  I 
am wondering if I have an option of tweaking my 
/etc/httpd/conf.d/ipa-rewrite.conf file so that I can access the IPA UI using 
the external ELB URL? I see ipa-rewrite.conf is hardcoded with my internal IPA 
server URLs.

Would appreciate if someone can give some pointers

Thanks,
Deepak


[Freeipa-users] IPA rewrite conf

2016-11-26 Thread deepak dimri
Hi All,

I am posting my issue here with the hope that I get a response.

I have WS ELB configured to connect to FreeIPA servers on Ubuntu.  My
FreeIPA servers are in private subnets. I am able to access my test
index.html page deployed on the FreeIPA server by hitting https:///index.html.
However when I try the IPA UI https:///ipa/ui then I am getting redirected to
my internal IPA address, which then results in a "site cannot be reached"
error.  I am wondering if I have an option of tweaking my
/usr/share/ipa/ipa-rewrite.conf file so that I can access the IPA UI using the
external ELB URL?

Would appreciate if someone can give some pointers

Thanks,
Deepak

[Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

2016-11-26 Thread deepak dimri
Hi All,

I want to configure an Apache reverse proxy to load balance/failover between
two IPA servers. I have referred to
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name to
configure the reverse proxy and it all works fine with one IPA server, but I
want to load balance across two IPA servers using the Proxy Balancer module.
What should the configuration for RequestHeader edit Referer be with Proxy
balancer? In another thread
https://www.mail-archive.com/freeipa-users@redhat.com/msg24644.html Peter
has mentioned cookie rewriting or 2 VHs and I will try the VH option. But it
will really help and save my time if someone can share a full working
configuration. I tried the configuration below but it's failing at RequestHeader
edit Referer.



# <Proxy> wrapper restored; the archive stripped the angle-bracket tags
<Proxy balancer://ipacluster>
    # IPA Server 1
    BalancerMember https://ipa1.int.com/
    # IPA Server 2
    BalancerMember https://ipa2.int.com/
</Proxy>

SSLEngine On
SSLProxyEngine On
LogLevel debug
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ProxyRequests off
ProxyPass / balancer://ipacluster/
ProxyPassReverse / balancer://ipacluster/
ProxyPassReverseCookieDomain ipa1.int.com ipa.ext.com
RequestHeader edit Referer ^https://ipa\.ext\.com/ https://ipa1.int.com/
ProxyPassReverseCookieDomain ipa2.int.com ipa.ext.com
RequestHeader edit Referer ^https://ipa\.ext\.com/ https://ipa2.int.com/




Many Thanks,
Deepak

Re: [Freeipa-users] Getting "Your session has expired. Please re-login." when trying to access IPA Replica

2016-11-18 Thread deepak dimri
Got it working, after uninstalling and reinstalling the replica. Not sure
why it did not work in the first place...

On Fri, Nov 18, 2016 at 7:15 PM, deepak dimri <deepak.dimri2...@gmail.com>
wrote:

> Hello All,
>
> I have IPA Master deployed in AWS US West region and a replica in US East
> region. The replica installation went successfully, however when I am
> trying to access the replica web UI (after making proxypass changes
> etc.) I am getting the error. I have ProxyPassReverseCookieDomain set
> correctly but still I get the error. Master & Replica are time
> synchronized. Can someone please help me with this?  I have tried it in all
> kinds of browsers but no luck.
>
> I have followed this document in setting up the reverse proxy
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name.
>
> Thanks,
> Deepak
>

[Freeipa-users] Getting "Your session has expired. Please re-login." when trying to access IPA Replica

2016-11-18 Thread deepak dimri
Hello All,

I have IPA Master deployed in AWS US West region and a replica in US East
region. The replica installation went successfully, however when I am
trying to access the replica web UI (after making proxypass changes
etc.) I am getting the error. I have ProxyPassReverseCookieDomain set
correctly but still I get the error. Master & Replica are time
synchronized. Can someone please help me with this?  I have tried it in all
kinds of browsers but no luck.

I have followed this document in setting up the reverse proxy
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name.

Thanks,
Deepak

Re: [Freeipa-users] URL is changing on the browser

2016-11-14 Thread Deepak Dimri
Hi Chris, I have the setup working fine with ELB -> Apache reverse proxy on 
Fedora (public subnet) -> IPA (private subnet).  I want to use Ubuntu instead 
of Fedora for the reverse proxy and I am unable to make the reverse proxy work 
on Ubuntu with all the configurations we need for IPA. It would be really nice 
if someone can share documented configuration steps for Ubuntu as well - 
similar to what is given in the link that Martin had shared

Regards,
Deepak 


Sent from my iPhone

> On 15-Nov-2016, at 00:33, Chris Dagdigian <d...@sonsorol.org> wrote:
> 
> 
> I'm still interested in this topic as our IPA servers are on private AWS 
> subnets and it would be really nice to have an internal AWS ALB or ELB be the 
> user-facing interface so we can route traffic between IPA systems and only 
> "advertise" a single hostname for access. Plus it would be great to put the 
> load balancer name into the various sssd.conf and krb5.conf client files 
> since our internal DNS-based service discovery has some brittleness that is 
> outside my control to fix.
> 
> I played with this for a short time and hit the "IPA redirects to its 
> internal FQDN" problem as well. Now that this appears to be a somewhat simple 
> tweak to the httpd.conf type files I may start playing around with putting 
> private IPA systems behind a private AWS load balancer
> 
> Chris
> 
> 
> 
> Deepak Dimri wrote:
>> we discussed the options internally and finally decided to host ipa within 
>> the private subnets - our security team wasn't too comfortable exposing ipa 
>> servers on to the public network.
> 



Re: [Freeipa-users] URL is changing on the browser

2016-11-14 Thread Deepak Dimri
We discussed the options internally and finally decided to host IPA within the 
private subnets - our security team wasn't too comfortable exposing IPA 
servers on to the public network. 

Sent from my iPhone

> On 14-Nov-2016, at 17:56, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
> 
>> On Mon, Nov 14, 2016 at 08:49:34AM +0100, Martin Basti wrote:
>>> On 13.11.2016 16:33, Deepak Dimri wrote:
>>> 
>>> I have my IPA servers hosted in the AWS private subnets and i can access
>>> them using AWS elb URL from public internet just fine.  The problem is
>>> that when I enter https:///index.html  (dummy index.html hosted on
>>> IPA)  i can access index.html just fine but when i try
>>> https:///ipa/ui then i am getting redirected to
>>> https:///ipa/ui
>>> <https://%3Cipa_private_hostname%3E/ipa/ui>  which is resulting to
>>> "This site can't be reached" error.
>>> 
>>> What should I be doing to access the IPA server(s) URI when they are running
>>> behind the load balancer or proxy servers?
>> 
>> this may help you
>> 
>> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>> https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy
> 
> For the AWS case, wouldn't it be easier to just have the IPA server
> use the public hostname from the very beginning? You can always put
> appropriate records to /etc/hosts to shortcut the IPA->IPA traffic to
> never leave the machine.
> 
> -- 
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] URL is changing on the browser

2016-11-14 Thread deepak dimri
Hi Martin, Thank you so much for your reply. I am kinda stuck with this
issue with no headway!


I have AWS ELB pointing to my IPA servers fine - basically ELB is allowing
me to access IPA servers externally.  As per the link you shared I need a
front end proxy configured with mod_ssl; does that mean I need to introduce a
front end proxy in between ELB and IPA? I tried installing mod_ssl on the
IPA server itself and made the changes in ssl.conf as suggested in the link
but that did not help. My setup is simple: I want to access ipa/ui from my
AWS ELB URL.


Really appreciate your support


Best Regards,

Deepak



On Mon, Nov 14, 2016 at 1:19 PM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 13.11.2016 16:33, Deepak Dimri wrote:
>
> Hi All,
>
>
> I have my IPA servers hosted in the AWS private subnets and i can access
> them using AWS elb URL from public internet just fine.  The problem is that
> when I enter https:///index.html  (dummy index.html hosted on IPA)  I
> can access index.html just fine but when i try https:///ipa/ui then
> i am getting redirected to https:///ipa/ui  which
> is resulting to  "This site can't be reached" error.
>
>
> What should I be doing to access the IPA server(s) URI when they are running
> behind the load balancer or proxy servers?
>
>
> Thanks for your great support!
>
>
> Best regards
>
> Deepak
>
>
>
>
> Hello,
>
> this may help you
>
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
> https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy
>
>

[Freeipa-users] IPA UI not accessible behind the load blancer

2016-11-13 Thread deepak dimri
Hi All,


I have my IPA servers hosted in the AWS private subnets and I can access
them using the AWS elastic load balancer (ELB) URL from the public internet
just fine.  The problem is that when I enter https:///index.html  (dummy
index.html hosted on IPA)  I can access index.html just fine, but when I try
https:///ipa/ui then I am getting redirected to https:///ipa/ui, which
is resulting in a "This site can't be reached" error.


I followed this link
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name but
it did not help either..


What should I be doing to access the IPA server(s) URI when they are running
behind the load balancer or proxy servers?


Thanks for your great support!


Best regards

Deepak

[Freeipa-users] IPA UI not working behind Load Balancer

2016-11-13 Thread Deepak Dimri
Hi All,


I have my IPA servers hosted in the AWS private subnets and I can access them 
using the AWS ELB URL from the public internet just fine.  The problem is that 
when I enter https:///index.html  (dummy index.html hosted on IPA)  I can 
access index.html just fine, but when I try https:///ipa/ui then I am getting 
redirected to https:///ipa/ui, which is resulting in a "This site can't be 
reached" error.


I followed this link 
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name but it 
did not help either..


What should I be doing to access the IPA server(s) URI when they are running 
behind the load balancer or proxy servers?


Thanks for your great support!


Best regards

Deepak


[Freeipa-users] URL is changing on the browser

2016-11-13 Thread Deepak Dimri
Hi All,


I have my IPA servers hosted in the AWS private subnets and I can access them 
using the AWS ELB URL from the public internet just fine.  The problem is that 
when I enter https:///index.html  (dummy index.html hosted on IPA)  I can 
access index.html just fine, but when I try https:///ipa/ui then I am getting 
redirected to https:///ipa/ui, which is resulting in a 
"This site can't be reached" error.


What should I be doing to access the IPA server(s) URI when they are running 
behind the load balancer or proxy servers?


Thanks for your great support!


Best regards

Deepak


[Freeipa-users] Getting Minimum SSF not met.

2016-10-20 Thread Deepak Dimri
Hi All,


I wanted to enable secure LDAP connections on FreeIPA, but after changing 
nsslapd-minssf in cn=config from 0 to 128 I am getting the error below:


ipactl restart
Failed to read data from Directory Service: Unknown error when retrieving list 
of services from LDAP: Server is unwilling to perform: Minimum SSF not met.
Shutting down


When trying to put nsslapd-minssf back to the original "0" I am getting the 
error below:

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info: Minimum SSF not met.


I tried the configuration below but am still getting the unwilling to perform 
(53) Minimum SSF not met error.


dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 10
-
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on
-
replace: nsslapd-minssf-exclude-rootdse
nsslapd-minssf-exclude-rootdse: off


I am following the steps mentioned here: 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/SecureConnections.html





How can I get LDAPS working on my FreeIPA?


Many Thanks,

Deepak
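The two errors in this post (ipactl failing, and the ldapmodify that tries to lower the value being refused as well) have the same cause, and it can be shown with a small model. The block below is an added example, not 389-ds or FreeIPA code: it models 389 Directory Server's minimum-SSF check as a policy function over the attributes the post touches. The numbers are assumptions for the example: nsslapd-localssf, the SSF that 389-ds assigns to ldapi:// connections, defaults to 71; FreeIPA's own tooling is assumed to reach the directory over ldapi; a plain ldap:// connection without a SASL confidentiality layer has SSF 0; and an ldaps:// connection is credited with the cipher's key size. The three connection cases are constructed for the example.

```python
"""Model of 389 Directory Server's nsslapd-minssf enforcement on a FreeIPA
server. Added example, not 389-ds or FreeIPA code; the SSF values are
assumptions for the example (see the lead-in)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DsSecurityConfig:
    """The cn=config attributes involved in the post."""
    minssf: int = 0                 # nsslapd-minssf (0 = no minimum)
    localssf: int = 71              # nsslapd-localssf: SSF given to ldapi:// connections
    exclude_rootdse: bool = False   # nsslapd-minssf-exclude-rootdse


@dataclass(frozen=True)
class Connection:
    """One client connection as the server sees it."""
    transport: str      # "ldapi", "ldap" or "ldaps"
    tls_ssf: int = 0    # key size of the negotiated TLS cipher, 0 without TLS
    sasl_ssf: int = 0   # confidentiality layer negotiated by SASL, 0 if none


def effective_ssf(cfg: DsSecurityConfig, conn: Connection) -> int:
    """The connection's security strength factor: the strongest of the TLS
    layer, the SASL layer and, for local ldapi sockets, nsslapd-localssf."""
    ssf = max(conn.tls_ssf, conn.sasl_ssf)
    if conn.transport == "ldapi":
        ssf = max(ssf, cfg.localssf)
    return ssf


def operation_allowed(cfg: DsSecurityConfig, conn: Connection,
                      target_dn: str = "cn=config", anonymous: bool = False) -> bool:
    """Refuse an operation on a connection that does not reach nsslapd-minssf.
    The only carve-out modelled is the optional exemption for anonymous reads
    of the root DSE (the empty DN), the attribute the poster also changed."""
    if anonymous and target_dn == "" and cfg.exclude_rootdse:
        return True
    return effective_ssf(cfg, conn) >= cfg.minssf


def recovery_ldif(new_minssf: int) -> str:
    """LDIF that lowers nsslapd-minssf. It has to be submitted over a connection
    that satisfies the *current* minimum (for example ldapmodify -H ldaps://...),
    because the server applies the same check to the modify operation itself."""
    return "\n".join([
        "dn: cn=config",
        "changetype: modify",
        "replace: nsslapd-minssf",
        f"nsslapd-minssf: {new_minssf}",
        "",
    ])


def connection_report(cfg: DsSecurityConfig) -> dict:
    """Which of the connection kinds used on an IPA server survive `cfg`.
    The three connections are constructed for the example."""
    cases = {
        "ipactl over ldapi (assumed)": Connection("ldapi"),
        "ldapmodify over plain ldap": Connection("ldap"),
        "ldapmodify over ldaps (AES-256)": Connection("ldaps", tls_ssf=256),
    }
    return {name: operation_allowed(cfg, conn) for name, conn in cases.items()}


if __name__ == "__main__":
    for minssf in (0, 128):
        print(f"nsslapd-minssf: {minssf}")
        for name, ok in connection_report(DsSecurityConfig(minssf=minssf)).items():
            print(f"  {name:<34} {'allowed' if ok else 'Minimum SSF not met'}")
    print(recovery_ldif(0))
```

With minssf at 128 the ldapi connection (SSF 71) is refused, which is what ipactl reports, and the plain-LDAP ldapmodify that tries to set the value back is refused for the same reason; it has to go over ldaps://, which does satisfy the current minimum, or the attribute has to be edited in dse.ldif with the server stopped. A minimum at or below nsslapd-localssf, or a raised nsslapd-localssf, keeps the server's local connections working while still forcing remote clients onto TLS.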

Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Deepak Dimri
Hi Martin, Before running ipa-replica-install do I need to run the 
ipa-server-install script on the replica?


I am running the ipa-server-install script on the replica, and then if I run 
ipa-replica-install without uninstalling the IPA server I get the errors below:

 [root@ip-172-31-23-230 ipa]# ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg
 ipa.ipapython.install.cli.install_tool(Replica): ERROR    IPA client is already configured on this system.
Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.

When I try 'ipa-client-install --uninstall' then I am getting the below:

ipa-client-install --uninstall
IPA client is configured as a part of IPA server on this system. Refer to ipa-server-install for uninstallation


Thanks,

Deepak



From: Martin Basti <mba...@redhat.com>
Sent: Tuesday, October 18, 2016 8:40 AM
To: Deepak Dimri; Martin Babinsky; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Not able to pass through ipa-replica-install on 
centos 7



On 18.10.2016 13:52, Deepak Dimri wrote:

Thanks Martin, I had to run ipa-server-install --uninstall -U to get rid of the 
IPA client error message on the replica server and then re-run the 
ipa-replica-install script to get it to run OK. But it does not look clean 
through - as I understand it we do need to run the ipa-server-install script 
(same as on the master) on the replica server, but that script by default 
installs the IPA client, which then causes the replica install to fail.  Is 
there any way I can avoid IPA client installation on the replica?


You need to run the ipa-replica-install installer, and the client is a required 
part of any server. Can you be more specific about what kind of errors you are 
getting? Logs?

Martin^2

Thanks,

Deepak



From: Martin Babinsky <mbabi...@redhat.com><mailto:mbabi...@redhat.com>
Sent: Monday, October 17, 2016 1:29 AM
To: Deepak Dimri; Martin Basti; 
freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Not able to pass through ipa-replica-install on 
centos 7

On 10/15/2016 12:41 PM, Deepak Dimri wrote:
> Thanks Martin for the reply.
>
> when i try 'ipa-client-install --uninstall' then i am getting bellow
> message:
>
>
> ipa-client-install --uninstall
> IPA client is configured as a part of IPA server on this system.
> Refer to ipa-server-install for uninstallation.
>
>
> How can i raise domain level to 1 in v4? i tried
>
> ipa *domainlevel-set* 1
>
> but i am getting ipa: ERROR: unknown command 'domainlevel-set'
>
> Thanks again for your help on this.
>
> Best Regards,
> Deepak
>
>

Hi Deepak,

IIRC CentOS 7 has FreeIPA 4.2.0-15, which does not support replica
promotion or domain levels other than 0.

The error from ipa-replica-install probably comes from leftovers of a
previous client enrollment.

Just run `ipa-client-install --uninstall -U` and then re-run the replica
installation as usual.

> 
> *From:* Martin Basti <mba...@redhat.com><mailto:mba...@redhat.com>
> *Sent:* Saturday, October 15, 2016 4:54 AM
> *To:* Deepak Dimri; freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
> *Subject:* Re: [Freeipa-users] Not able to pass through
> ipa-replica-install on centos 7
>
>
>
>
> On 14.10.2016 18:58, Deepak Dimri wrote:
>>
>> Hi All,
>>
>>
>> I am trying to configure replication between two FreeIPA centos 7
>> servers.  As per the document i need  same FreeIPA version running on
>> both the machines, which i have, and run ipa-replica-prepare on the
>> master and then simply run ipa-replica-install on the replica server
>> along with replica file.  But i am unable to get pass the below error
>> message:
>>
>>
>> [root@ip-172-31-23-230 ipa]# ipa-replica-install
>> /var/lib/ipa/replica-info-replica.ipa.com.gpg
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    IPA client
>> is already configured on this system.
>>
>> Please uninstall it first before configuring the replica, using
>> 'ipa-client-install --uninstall'.
>>
>>
>> What should i be doing to get around this error? the error looks
>> missleading as i am trying to install replica and not ipa client
>>
>>
>> Thanks,
>>
>> Deepak
>>
>>
>>
> Hi,
>
> have you tried ipa-client-install --uninstall?
>
> Replica cannot be installed on system where client is already installed
> (with domain level 0, your case)
>
> Martin
>
>


--
Martin^3 Babinsky


Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Deepak Dimri
Thanks Martin, I had to run ipa-server-install --uninstall -U to get rid of the 
IPA client error message on the replica server and then re-run the 
ipa-replica-install script to get it to run OK. But it does not look clean 
through - as I understand it we do need to run the ipa-server-install script 
(same as on the master) on the replica server, but that script by default 
installs the IPA client, which then causes the replica install to fail.  Is 
there any way I can avoid IPA client installation on the replica?


Thanks,

Deepak



From: Martin Babinsky <mbabi...@redhat.com>
Sent: Monday, October 17, 2016 1:29 AM
To: Deepak Dimri; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Not able to pass through ipa-replica-install on 
centos 7

On 10/15/2016 12:41 PM, Deepak Dimri wrote:
> Thanks Martin for the reply.
>
> when i try 'ipa-client-install --uninstall' then i am getting bellow
> message:
>
>
> ipa-client-install --uninstall
> IPA client is configured as a part of IPA server on this system.
> Refer to ipa-server-install for uninstallation.
>
>
> How can i raise domain level to 1 in v4? i tried
>
> ipa *domainlevel-set* 1
>
> but i am getting ipa: ERROR: unknown command 'domainlevel-set'
>
> Thanks again for your help on this.
>
> Best Regards,
> Deepak
>
>

Hi Deepak,

IIRC CentOS 7 has FreeIPA 4.2.0-15, which does not support replica
promotion or domain levels other than 0.

The error from ipa-replica-install probably comes from leftovers of a
previous client enrollment.

Just run `ipa-client-install --uninstall -U` and then re-run the replica
installation as usual.

> 
> *From:* Martin Basti <mba...@redhat.com>
> *Sent:* Saturday, October 15, 2016 4:54 AM
> *To:* Deepak Dimri; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Not able to pass through
> ipa-replica-install on centos 7
>
>
>
>
> On 14.10.2016 18:58, Deepak Dimri wrote:
>>
>> Hi All,
>>
>>
>> I am trying to configure replication between two FreeIPA centos 7
>> servers.  As per the document i need  same FreeIPA version running on
>> both the machines, which i have, and run ipa-replica-prepare on the
>> master and then simply run ipa-replica-install on the replica server
>> along with replica file.  But i am unable to get pass the below error
>> message:
>>
>>
>> [root@ip-172-31-23-230 ipa]# ipa-replica-install
>> /var/lib/ipa/replica-info-replica.ipa.com.gpg
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    IPA client
>> is already configured on this system.
>>
>> Please uninstall it first before configuring the replica, using
>> 'ipa-client-install --uninstall'.
>>
>>
>> What should i be doing to get around this error? the error looks
>> missleading as i am trying to install replica and not ipa client
>>
>>
>> Thanks,
>>
>> Deepak
>>
>>
>>
> Hi,
>
> have you tried ipa-client-install --uninstall?
>
> Replica cannot be installed on system where client is already installed
> (with domain level 0, your case)
>
> Martin
>
>


--
Martin^3 Babinsky

Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-15 Thread Deepak Dimri
Thanks Martin for the reply.

When I try 'ipa-client-install --uninstall' then I am getting the below message:


ipa-client-install --uninstall
IPA client is configured as a part of IPA server on this system.
Refer to ipa-server-install for uninstallation.


How can I raise the domain level to 1 in v4? I tried

ipa domainlevel-set 1

but I am getting ipa: ERROR: unknown command 'domainlevel-set'

Thanks again for your help on this.

Best Regards,
Deepak



From: Martin Basti <mba...@redhat.com>
Sent: Saturday, October 15, 2016 4:54 AM
To: Deepak Dimri; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Not able to pass through ipa-replica-install on 
centos 7



On 14.10.2016 18:58, Deepak Dimri wrote:

Hi All,


I am trying to configure replication between two FreeIPA CentOS 7 servers.  As 
per the document I need the same FreeIPA version running on both machines, 
which I have, and to run ipa-replica-prepare on the master and then simply run 
ipa-replica-install on the replica server along with the replica file.  But I 
am unable to get past the error message below:


[root@ip-172-31-23-230 ipa]# ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg
ipa.ipapython.install.cli.install_tool(Replica): ERROR    IPA client is already configured on this system.
Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.


What should I be doing to get around this error? The error looks misleading as 
I am trying to install a replica and not the IPA client


Thanks,

Deepak


Hi,

have you tried ipa-client-install --uninstall?

A replica cannot be installed on a system where the client is already installed 
(with domain level 0, your case)

Martin

[Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-14 Thread Deepak Dimri
Hi All,


I am trying to configure replication between two FreeIPA CentOS 7 servers.  As 
per the document I need the same FreeIPA version running on both machines, 
which I have, and to run ipa-replica-prepare on the master and then simply run 
ipa-replica-install on the replica server along with the replica file.  But I 
am unable to get past the error message below:


[root@ip-172-31-23-230 ipa]# ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg
ipa.ipapython.install.cli.install_tool(Replica): ERROR    IPA client is already configured on this system.
Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.


What should I be doing to get around this error? The error looks misleading as 
I am trying to install a replica and not the IPA client


Thanks,

Deepak

Re: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0

2016-10-13 Thread Deepak Dimri

Hi Alexander,

I have tried it on Ubuntu 16.04 as well but no luck either.  Getting the same 
error:

sudo apt-get install freeipa-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package freeipa-server

Any other ideas? I don't find any good response to this issue either..

Thanks Much,
Deepak


From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Wednesday, October 12, 2016 1:40 PM
To: Deepak Dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0

On ke, 12 loka 2016, Deepak Dimri wrote:
>Hi All,
>
>
>I am trying to install freeIPA server on ubuntu 14.0 but i am getting Error 
>"Unable to locate package freeipa-server" below is what  i am trying:
>
>
>apt-get install freeipa-server -y
>
>Reading package lists... Done
>
>Building dependency tree
>
>Reading state information... Done
>
>E: Unable to locate package freeipa-server
>
>
>apt-get install freeipa-client -y works just fine..
>
>
>I have tried enabling the universe repository in /etc/apt/sources.list and ran 
>apt-get update, but no luck either; still getting "Unable to locate package 
>freeipa-server".
>
>
>How can I install IPA server on Ubuntu?
Use newer Ubuntu.

--
/ Alexander Bokovoy

[Freeipa-users] FreeIPA Server installation on ubuntu 14.0

2016-10-12 Thread Deepak Dimri
Hi All,


I am trying to install FreeIPA server on Ubuntu 14.0 but I am getting the error 
"Unable to locate package freeipa-server". Below is what I am trying:


apt-get install freeipa-server -y

Reading package lists... Done

Building dependency tree

Reading state information... Done

E: Unable to locate package freeipa-server


apt-get install freeipa-client -y works just fine..


I have tried enabling the universe repository in /etc/apt/sources.list and ran 
apt-get update, but no luck either; still getting "Unable to locate package 
freeipa-server".


How can I install IPA server on Ubuntu?



Thanks,

Deepak

Re: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private Cloud

2016-10-06 Thread Deepak Dimri
Awesome.. Thanks Petr


I will see if I can get some more pointers on it, and it's great to see the case 
study.


Already loving FreeIPA with such a wonderful support from you all!



regards,
Deepak


From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on 
behalf of Petr Spacek <pspa...@redhat.com>
Sent: Thursday, October 6, 2016 3:33 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private 
Cloud

On 5.10.2016 11:16, Deepak Dimri wrote:
> Hi All,
>
> I want to understand if there are any best practices wrt FreeIPA Server 
> deployment in public vis-à-vis private cloud.  Let's assume a case where most 
> IPA clients are hosted in private clouds at multiple data centers or across 
> AWS VPCs. In this situation, hosting FreeIPA in the public cloud, I reckon, 
> would be an easier approach (clients can connect over the internet).  The 
> other option would be to host the FreeIPA server in a private cloud, which would be 
> more secure,  but then you need to make changes in your network/FW settings 
> across private clouds. Are there any major security concerns if FreeIPA is 
> deployed in a public cloud?
Properly configured FreeIPA can run on public Internet. I would recommend you
to read thread
https://www.redhat.com/archives/freeipa-users/2014-April/msg00246.html .

> Any examples of  freeIPA running in public cloud in production?

Here you go:
https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

--
Petr^2 Spacek


Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Deepak Dimri
Thanks, Florence


It works now. My /etc/sssd/sssd.conf was missing the sudo service; adding the 
line below fixed the issue:

services = nss, sudo, pam, ssh


Many Thanks Again!


Best Regards,

Deepak



From: freeipa-users-boun...@redhat.com  on 
behalf of Florence Blanc-Renaud 
Sent: Thursday, September 29, 2016 6:03 AM
To: beeth beeth
Cc: Freeipa-users
Subject: Re: [Freeipa-users] Install IPA Servers with third-party 
certificate(external CA)

On 09/29/2016 11:43 AM, beeth beeth wrote:
> Thanks for the quick response Florence!
>
> My goal is the use a 3rd party certificate(such as Verisign cert) for
> Web UI(company security requirement), in fact we are not required to use
> 3rd party certificate for the LDAP server, but as I mentioned earlier, I
> couldn't make the new Verisign cert to work with the Web UI, without
> messing up the IPA function(after I updated the nss.conf to use the new
> cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
> tried to follow the Redhat instruction, to see if I can get the Verisign
> cert installed at the most beginning, without using FreeIPA's
> own/default certificate), but I got the CSR question.
>
> I did install IPA without a CA, by following the instruction at
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
> but failed to restart HTTPD. When and how can I provide the 3rd-party
> certificate? Could you please point me a document about the detail?
Hi,

you need first to clarify if you want FreeIPA to act as a CA or not. The
setup will depend on this choice.

- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the
instructions at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
in order to replace the WebUI certificate. Please note that there were
some bugs in ipa-server-certinstall, preventing httpd from starting
(Ticket #4786 [1]). The workaround is to manually update nss.conf (as
you did) and manually import the CA certificate into
/etc/pki/pki-tomcat/alias, for instance with
$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,


- option b) Free IPA without CA
the installation instructions are in Installing without a CA [2]. You
will provide the certificate that will be used by both the LDAP server
and the WebUI in the command options.

HTH,
Flo.

[1] https://fedorahosted.org/freeipa/ticket/4786
[2]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca

> Thanks again!
>
>
> On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud wrote:
>
> Hi,
>
> The instructions that you followed are used when you want to install
> FreeIPA with an embedded Certificate Authority (ie FreeIPA is able
> to issue certificates), and FreeIPA CA is signed by a 3rd party CA.
>
> Maybe your goal is just to use a 3rd party certificate for IPA's
> LDAP server and Web UI. In this case, you do not need to install
> FreeIPA with an embedded CA. You can follow the instructions for
> Installing without a CA [1], where you will need to provide a
> 3rd-part certificate.
>
> Hope this clarifies,
> Flo.
>
> [1]
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
> 
> 
>
>
>
> On 09/29/2016 11:03 AM, beeth beeth wrote:
>
> I am trying to set up IPA servers with Verisign certificate, so
> that the
> Admin Web console can use public signed certificate to meet
> company's
> security requirement. But when I try to follow Red Hat's
> instructions at
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca
> 
> 

[Freeipa-users] Sudo Rule not working

2016-09-29 Thread Deepak Dimri
Hi All,

I have added a sudo rule having an allowed command for sudo su for a test user. 
When I log in with this test user to my IPA client (Ubuntu), I am getting a 
message that "the user is not in the sudoers file.  This incident will be 
reported." It works fine if I add the user to the sudoers file, but then the user 
can switch with sudo and is able to run all the commands, even the commands I have 
included in the "deny" list on my IPA server.


Do we need to have the user/group added to the sudoers list for the IPA sudo rule 
to work? If so, then how can I make it work with IPA sudo rules?


Thanks,

Deepak

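In the "Sudo Rule not working" question above, sudo falls back to /etc/sudoers because nothing on the client routes sudoers lookups to FreeIPA, which matches the fix reported earlier on this page in the "Install IPA Servers with third-party certificate" reply (the sudo responder was missing from the services line in /etc/sssd/sssd.conf). The chain sudo needs on an IPA client is: the sudoers line in /etc/nsswitch.conf listing sss, the sudo responder in the [sssd] services list, and an IPA domain whose sudo provider has not been disabled. The checker below reads both files and reports whichever link is missing. It is an added example written for this page, not code from the thread or from the SSSD project; the config texts are constructed samples, the domain name ipa.example.test is a placeholder, and the assumption that a domain with id_provider = ipa uses the ipa sudo provider by default follows sssd.conf(5). Socket-activated responders in newer SSSD releases are not modelled.

```python
"""Check the client-side chain that lets sudo see FreeIPA sudo rules.

Added example written for this page, not code from the thread or from
the SSSD project. Assumptions: the sudoers line in nsswitch.conf must
list sss; the sudo responder must be named in the [sssd] services list;
a domain with id_provider = ipa uses the ipa sudo provider unless
sudo_provider overrides it, and a value of "none" disables it.
"""
import configparser
import re


def parse_sssd_conf(text):
    """sssd.conf is INI-style; interpolation is off because values may
    legitimately contain '%' (LDAP filters, for instance)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def csv(value):
    """Split an 'a, b, c' option value into its items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def sudo_integration_issues(sssd_conf, nsswitch_conf):
    """Return a list of problems; an empty list means the chain is complete."""
    issues = []
    # 1. nsswitch: sudo consults libsss_sudo only if 'sss' is a sudoers source
    m = re.search(r"^\s*sudoers\s*:\s*(.*)$", nsswitch_conf, re.M)
    sources = m.group(1).split() if m else []
    if "sss" not in sources:
        issues.append("nsswitch.conf: 'sudoers' line does not list sss")
    cp = parse_sssd_conf(sssd_conf)
    # 2. responder: listed here so the sssd monitor starts it
    #    (socket activation in newer SSSD is not modelled)
    if "sudo" not in csv(cp.get("sssd", "services", fallback="")):
        issues.append("sssd.conf: [sssd] services does not include sudo")
    # 3. provider: every configured domain must still have a sudo provider;
    #    per sssd.conf(5) the default is the id_provider value
    for name in csv(cp.get("sssd", "domains", fallback="")):
        section = "domain/" + name
        if not cp.has_section(section):
            issues.append("sssd.conf: domain %s listed but has no section" % name)
            continue
        provider = cp.get(section, "sudo_provider",
                          fallback=cp.get(section, "id_provider", fallback=""))
        if provider.strip().lower() in ("", "none"):
            issues.append("sssd.conf: %s has no sudo provider" % section)
    return issues


# Constructed samples; ipa.example.test is a placeholder domain name.
SSSD_BROKEN = """\
[sssd]
services = nss, pam, ssh
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_server = _srv_, ipa.example.test
"""
NSSWITCH_BROKEN = "passwd: compat sss\ngroup: compat sss\n"

SSSD_FIXED = SSSD_BROKEN.replace("services = nss, pam, ssh",
                                 "services = nss, sudo, pam, ssh")
NSSWITCH_FIXED = NSSWITCH_BROKEN + "sudoers: files sss\n"

if __name__ == "__main__":
    print(sudo_integration_issues(SSSD_BROKEN, NSSWITCH_BROKEN))
    print(sudo_integration_issues(SSSD_FIXED, NSSWITCH_FIXED) or "ok")
```

To use it against a real client, pass the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf to sudo_integration_issues(); after fixing anything it reports and restarting sssd, "sudo -l" as the IPA user should list the rule instead of the "not in the sudoers file" message.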

[Freeipa-users] SSH key based login for the users

2016-09-26 Thread Deepak Dimri
Hi All,


Can I have my IPA server pre-configured with RSA and public key authentication 
enabled (PasswordAuthentication no) for its users and at the same time have 
users automatically register their ssh key pair during the first-time login 
process so that they can log in with the keys? I am wondering what would be the 
advisable workflow to issue private keys to users so that they can log in with 
them to the FreeIPA server.


This is a great forum, hence I thought of asking this question while I am still 
exploring this.


Thanks & Regards,

Deepak

Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-23 Thread Deepak Dimri
Hi Alexander,


I somehow managed to try it on Fedora and it did work fine for me.


Now, is there any way I can restrict the login to OTP only, and not password + 
OTP?


Best Regards,

Deepak



From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Friday, September 23, 2016 3:25 AM
To: Deepak Dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working

On Fri, 23 Sep 2016, Deepak Dimri wrote:
>
>Hi All,
>
>
>I am trying hard to get my 2FA working with FreeIPA but every effort of
>mine is going to waste! I have referred to earlier forum emails but could not
>find any good reply on the issue I am facing.
>
>
>This is what i am trying
>
>
>I have a test user created in my IPA server enabled with two-factor
>authentication (password + OTP) and it has an ssh public key added in its
>profile.  I want this test user to ssh into my ipa client (ubuntu
>14.04) using key + password + OTP. I would certainly prefer just
>key + OTP (no password) but that seems far-sighted as I cannot
>even make it work with what is supposed to work, password + OTP.
Can you make it working on Fedora 24 or CentOS 7.2? I.e. on the
platforms where we know it works for sure (for me, at least).

This would allow us to reduce problem space to the client side.

>My /etc/ssh/sshd_conf file has almost everything default  except i
>added these two lines at the end of it
>
>Match Group testusergroup
>
>   AuthenticationMethods publickey,password:pam 
> publickey,keyboard-interactive:pam
>
>i also tried with below but no luck
>
>Match Group testusergroup
>
> AuthenticationMethods publickey,keyboard-interactive
>
>
>my /etc/pam.d/sshd has these two changes, rest i kept default:
>
>
># Standard Un*x authentication.
>
>#@include common-auth
>
>
>auth required pam_sss.so
>
>
>Now when I try to ssh into the ipa client I either keep getting prompts for
>the password or it gets into a loop asking me to change the password,
>complaining falsely that it has expired. I have tried multiple
>combinations of configurations by referring to earlier email threads but
>none I found helpful. I can't make a simple 2FA login work with
>freeIPA. Normal password and key work just fine. It's the 2FA which
>does not work for me.
>
>
>Would really be thankful if someone can help me with this issue. Is
>there any good freeIPA 2FA configuration document that I can refer to?
>
>What should the steps be for it to work seamlessly?
>
>
>Many Thanks,
>
>Deepak
>



--
/ Alexander Bokovoy

Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-23 Thread Deepak Dimri
Hi Alexander,

I am using AWS to do a pilot on FreeIPA and unfortunately AWS does not provide 
Fedora or CentOS as part of its free-tier setup, so I have to live with Ubuntu, 
Red Hat, SUSE etc.  I have the same problem with Ubuntu and Red Hat though!


Just one basic question: what are the steps I should be following to make it 
work, assuming I am trying on CentOS or Fedora?


regards,

Deepak






From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Friday, September 23, 2016 3:25 AM
To: Deepak Dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working

On Fri, 23 Sep 2016, Deepak Dimri wrote:
>
>Hi All,
>
>
>I am trying hard to get my 2FA working with FreeIPA but every effort of
>mine is going to waste! I have referred to earlier forum emails but could not
>find any good reply on the issue I am facing.
>
>
>This is what i am trying
>
>
>I have a test user created in my IPA server enabled with two-factor
>authentication (password + OTP) and it has an ssh public key added in its
>profile.  I want this test user to ssh into my ipa client (ubuntu
>14.04) using key + password + OTP. I would certainly prefer just
>key + OTP (no password) but that seems far-sighted as I cannot
>even make it work with what is supposed to work, password + OTP.
Can you make it working on Fedora 24 or CentOS 7.2? I.e. on the
platforms where we know it works for sure (for me, at least).

This would allow us to reduce problem space to the client side.

>My /etc/ssh/sshd_conf file has almost everything default  except i
>added these two lines at the end of it
>
>Match Group testusergroup
>
>   AuthenticationMethods publickey,password:pam 
> publickey,keyboard-interactive:pam
>
>i also tried with below but no luck
>
>Match Group testusergroup
>
> AuthenticationMethods publickey,keyboard-interactive
>
>
>my /etc/pam.d/sshd has these two changes, rest i kept default:
>
>
># Standard Un*x authentication.
>
>#@include common-auth
>
>
>auth required pam_sss.so
>
>
>Now when I try to ssh into the ipa client I either keep getting prompts for
>the password or it gets into a loop asking me to change the password,
>complaining falsely that it has expired. I have tried multiple
>combinations of configurations by referring to earlier email threads but
>none I found helpful. I can't make a simple 2FA login work with
>freeIPA. Normal password and key work just fine. It's the 2FA which
>does not work for me.
>
>
>Would really be thankful if someone can help me with this issue. Is
>there any good freeIPA 2FA configuration document that I can refer to?
>
>What should the steps be for it to work seamlessly?
>
>
>Many Thanks,
>
>Deepak
>



--
/ Alexander Bokovoy

[Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-22 Thread Deepak Dimri
Hi All,


I am trying hard to get my 2FA working with FreeIPA but every effort of mine is 
going to waste! I have referred to earlier forum emails but could not find any good 
reply on the issue I am facing.


This is what i am trying


I have a test user created in my IPA server enabled with two-factor 
authentication (password + OTP) and it has an ssh public key added in its profile.  I 
want this test user to ssh into my ipa client (ubuntu 14.04) using key + 
password + OTP. I would certainly prefer just key + OTP (no password), 
but that seems far-sighted as I cannot even make it work with what is supposed 
to work, password + OTP.


My /etc/ssh/sshd_conf file has almost everything default  except i added these 
two lines at the end of it

Match Group testusergroup

   AuthenticationMethods publickey,password:pam 
publickey,keyboard-interactive:pam

i also tried with below but no luck

Match Group testusergroup

 AuthenticationMethods publickey,keyboard-interactive


my /etc/pam.d/sshd has these two changes, rest i kept default:


# Standard Un*x authentication.

#@include common-auth


auth required pam_sss.so


Now when I try to ssh into the ipa client I either keep getting prompts for the 
password or it gets into a loop asking me to change the password, complaining 
falsely that it has expired. I have tried multiple combinations of 
configurations by referring to earlier email threads but none I found helpful. I 
can't make a simple 2FA login work with freeIPA. Normal password and key work 
just fine. It's the 2FA which does not work for me.


Would really be thankful if someone can help me with this issue. Is there any 
good freeIPA 2FA configuration document that I can refer to?

What should the steps be for it to work seamlessly?


Many Thanks,

Deepak


Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
I got it fixed by adding these in my playbook:

  - command: sudo env DEBIAN_FRONTEND=noninteractive
  - shell: "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y"

Thanks,
Deepak
> Subject: Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04
> To: deepak_di...@hotmail.com; freeipa-users@redhat.com
> From: tjaal...@ubuntu.com
> Date: Wed, 21 Sep 2016 14:40:17 +0300
> 
> On 21.09.2016 11:34, Deepak Dimri wrote:
> > Thanks Timo,
> > 
> > The "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y"
> > command works on the terminal but within an ansible playbook I am getting 
> > 
> > [Errno 2] No such file or directory", "rc": 2}  when adding
> > command: DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y
> > 
> > 
> > Any idea how I can get this resolved for ansible?  I tried
> > "export DEBIAN_FRONTEND=noninteractive" and then "apt-get install
> > freeipa-client -y" but that did not help either; still getting [Errno 2]
> > No such file or directory", "rc": 2} 
> 
> no idea about that, but you could also preseed the debconf priority
> beforehand and then run apt-get, something like:
> 
> echo 'debconf debconf/priority select critical' > /tmp/preseed
> debconf-set-selections /tmp/preseed
> apt-get ...
> 
> 

Re: [Freeipa-users] 2FA using FreeIPA

2016-09-21 Thread Deepak Dimri
Hi LS,

I am using IPA Server - VERSION: 4.2.0, API_VERSION: 2.156
sssd version on my IPA server: 1.13.0
sssd version on my IPA client (ubuntu): 1.11.8

I have a new "testhip2user" created in IPA Server with 2FA enabled. My 
/etc/ssh/sshd_config has these entries:

AuthorizedKeysFile  %h/.ssh/authorized_keys
#ChallengeResponseAuthentication no
PasswordAuthentication no
Match User testhip2user
AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam

When I try to ssh with the private key of testhip2user into the IPA client, this 
is what I see in auth.log, as I keep getting prompted for the password and then 
it ends with a permission denied error:

Sep 21 12:42:04 ip-172-31-30-146 sshd[7530]: error: Disabled method "password" in AuthenticationMethods list "publickey,password:pam"
Sep 21 12:42:04 ip-172-31-30-146 sshd[7530]: Authentication methods list "publickey,password:pam" contains disabled method, skipping
Sep 21 12:42:04 ip-172-31-30-146 sshd[7530]: error: Disabled method "password" in AuthenticationMethods list "publickey,password:pam" [preauth]
Sep 21 12:42:04 ip-172-31-30-146 sshd[7530]: Authentication methods list "publickey,password:pam" contains disabled method, skipping [preauth]
Sep 21 12:42:50 ip-172-31-30-146 sshd[7533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-125-254-static.hfc.comcastbusiness.net  user=testhip2user
Sep 21 12:42:50 ip-172-31-30-146 sshd[7533]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-125-254-static.hfc.comcastbusiness.net user=testhip2user
Sep 21 12:42:50 ip-172-31-30-146 sshd[7533]: pam_sss(sshd:auth): received for user testhip2user: 6 (Permission denied)
Sep 21 12:42:53 ip-172-31-30-146 sshd[7530]: error: PAM: Authentication failure for testhip2user from 50-201-125-254-static.hfc.comcastbusiness.net

Thanks for your time and helping me with this.

Best Regards,
Deepak
> Date: Fri, 16 Sep 2016 10:43:26 +0200
> From: lsleb...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] 2FA using FreeIPA
> 
> On (13/09/16 03:49), Deepak Dimri wrote:
> >Hi All,
> >I have below lines added to my sshd_config file for testuser.  
> >
> >
> >
> >Match User testuser
> >AuthenticationMethods publickey,password:pam 
> > publickey,keyboard-interactive:pam
> >I have OTP enable for tapuser in IPA and i am able to login to GUI using the 
> >password + OTP.  However when i try to ssh i am getting prompted for first 
> >factor then second factor and then it ends with "Permission denied 
> >(keyboard-interactive)." error.  What could be wrong here? 
> >Regards,Deepak
> >
> Please provide versions of freeIPA server packages, version of sssd.
> And it would be good to seed the exact output of ssh authentication.
> 
> LS
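The auth.log lines in the message above show sshd throwing away the whole "publickey,password:pam" list because "PasswordAuthentication no" disables the password method, so only the "publickey,keyboard-interactive:pam" list is left for PAM (and through it SSSD) to satisfy; the same two lists appear in the "Match Group testusergroup" configuration in the "key + 2FA" thread on this page. The checker below reproduces that rule over an sshd_config text so the conflict is visible before anyone tries to log in. It is an added example written for this page, not code from the thread, from OpenSSH or from FreeIPA. The sample configs are constructed to mirror the posted one, and the gating rules (password needs PasswordAuthentication yes; keyboard-interactive needs ChallengeResponseAuthentication, or its newer alias KbdInteractiveAuthentication, yes; a ":pam" qualifier does not change the method name; a Match block overrides the global value) are assumptions drawn from the log, not a full model of sshd option parsing.

```python
"""Flag AuthenticationMethods lists that sshd would skip because a listed
method is disabled elsewhere in the config (the "Disabled method ... in
AuthenticationMethods list" situation from the auth.log above).

Added example written for this page, not code from the mailing list,
from OpenSSH or from FreeIPA. Assumptions:
  - "password" is usable only when PasswordAuthentication is yes
  - "keyboard-interactive" is usable only when
    ChallengeResponseAuthentication (alias KbdInteractiveAuthentication)
    is yes; a ":pam"-style qualifier does not change the method name
  - inside a Match block a keyword overrides the global value; within one
    scope the first occurrence of a keyword wins, as in sshd
"""
import re

# method name -> keyword(s) that must be "yes" for sshd to offer it
METHOD_GATES = {
    "password": ("passwordauthentication",),
    "keyboard-interactive": ("challengeresponseauthentication",
                             "kbdinteractiveauthentication"),
}


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, block_settings), ...])."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # commented keywords keep their default
        m = re.match(r"(\S+?)[\s=]+(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        current.setdefault(key, value)     # first value wins, as in sshd
    return global_settings, blocks


def gate_value(gates, block, global_settings):
    """Effective yes/no for a method gate: the Match block first, then the
    global scope, then the OpenSSH default of yes for the keywords above."""
    for scope in (block, global_settings):
        for key in gates:
            if key in scope:
                return scope[key].lower()
    return "yes"


def skipped_method_lists(text):
    """Return [(scope, method_list, disabled_method)] for every method list
    sshd would drop; an empty result means every list is usable."""
    global_settings, blocks = parse_sshd_config(text)
    scopes = [("global", global_settings)]
    scopes += [("Match " + crit, blk) for crit, blk in blocks]
    findings = []
    for scope_name, block in scopes:
        methods_line = block.get("authenticationmethods")
        if not methods_line:
            continue
        for method_list in methods_line.split():
            for entry in method_list.split(","):
                method = entry.split(":", 1)[0]   # "keyboard-interactive:pam" -> name
                gates = METHOD_GATES.get(method)
                if gates and gate_value(gates, block, global_settings) != "yes":
                    findings.append((scope_name, method_list, method))
                    break                          # one dead method sinks the list
    return findings


# Constructed sample mirroring the config posted in the thread: password is
# globally off and ChallengeResponse is left commented (default yes).
POSTED_CONFIG = """\
AuthorizedKeysFile  %h/.ssh/authorized_keys
#ChallengeResponseAuthentication no
PasswordAuthentication no
Match User testhip2user
    AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
"""

# Same intent (key, then PAM-driven password+OTP via SSSD) with no dead list.
FIXED_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Match User testhip2user
    AuthenticationMethods publickey,keyboard-interactive:pam
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, skipped_method_lists(cfg) or "all method lists usable")
```

For a live host the authoritative view is "sshd -T -C user=testhip2user", which prints the values sshd applies after Match processing; feeding that output to skipped_method_lists() gives the same verdict without parsing Match blocks by hand. A dead list is not a security hole by itself, but it hides the real policy: what is actually enforced here is the remaining list, so make sure the list you keep is the one that requires both the key and the OTP-backed PAM step.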

Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
Thanks Timo,

The "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y" command 
works on the terminal but within an ansible playbook I am getting [Errno 2] No 
such file or directory", "rc": 2}  when adding command: 
DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y

Any idea how I can get this resolved for ansible?  I tried "export 
DEBIAN_FRONTEND=noninteractive" and then "apt-get install freeipa-client -y" 
but that did not help either; still getting [Errno 2] No such file or 
directory", "rc": 2} 

Thanks again,
Deepak

> Subject: Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04
> To: deepak_di...@hotmail.com; freeipa-users@redhat.com
> From: tjaal...@ubuntu.com
> Date: Wed, 21 Sep 2016 10:26:41 +0300
> 
> On 21.09.2016 09:41, Deepak Dimri wrote:
> > Hi All,
> > 
> > I am trying to install freeipa client on my ubuntu client via ansible
> > script. I have "apt-get update" and "apt-get install freeipa-client -y"
> > these basic commands added in my playbook but the problem is when i run
> > "apt-get install freeipa-client" with or without -y option it opens up
> > some graphical interface confirming the IPA realm and other details. I
> > did not find any option with in "apt-get install freeipa-client"to make
> > it deployment unattended. Can anyone please tell me the how i can
> > automate ipa-client installation on ubuntu?
> > 
> > The same process works fine with RHEL using yum but i am unable to do so
> > for ubuntu with apt-get
> 
> the dialog is from krb5-common, and you can skip it with
> 
> DEBIAN_FRONTEND=noninteractive apt-get install ...
> 

[Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
Hi All,
I am trying to install the freeipa client on my Ubuntu client via an ansible 
script. I have "apt-get update" and "apt-get install freeipa-client -y" as basic 
commands in my playbook, but the problem is that when I run "apt-get install 
freeipa-client", with or without the -y option, it opens up a graphical interface 
confirming the IPA realm and other details. I did not find any option within 
"apt-get install freeipa-client" to make the deployment unattended. Can anyone 
please tell me how I can automate ipa-client installation on Ubuntu?

The same process works fine with RHEL using yum but I am unable to do so for 
Ubuntu with apt-get.

Thanks,
Deepak

[Freeipa-users] IPA Server is not coming back up

2016-09-20 Thread Deepak Dimri
Hi All,

My IPA Server was working all fine until I tried restarting it using "ipactl 
restart", and now I end up with these errors :(

[root@ip-172-31-25-165 plugins]# ipactl restart
Starting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Starting named Service
Job for named-pkcs11.service failed because the control process exited with error code. See "systemctl status named-pkcs11.service" and "journalctl -xe" for details.
Failed to start named Service
Shutting down
Aborting ipactl

This is what I get with "systemctl status named-pkcs11.service":

[root@ip-172-31-25-165 plugins]# systemctl status named-pkcs11.service
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-09-20 06:28:03 EDT; 1min 2s ago
  Process: 3281 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 3278 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/US-WEST-2.C...database)
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may...er failed
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: couldn't establish connection in LDAP connection pool: failure
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: dynamic database 'ipa' configuration failed: failure
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: loading configuration: failure
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: exiting (due to fatal error)
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: Unit named-pkcs11.service entered failed state.
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: named-pkcs11.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

Output from "journalctl -xe" is as below:

[root@ip-172-31-25-165 ec2-user]# journalctl -xe
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: option 'serial_autoincrement' is not supported, ignoring
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: GSSAPI client step 1
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: GSSAPI client step 1
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information 
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GS
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: couldn't establish connection in LDAP connection pool: failure
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: dynamic database 'ipa' configuration failed: failure
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: loading configuration: failure
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: exiting (due to fatal error)
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
-- Subject: Unit named-pkcs11.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit named-pkcs11.service has failed.
-- 
-- The result is failed.
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: Unit named-pkcs11.service entered failed state.
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: named-pkcs11.service failed.
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal polkitd[529]: Unregistered Authentication Agent for unix-process:3498:364279453 (system bus name :1.
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal polkitd[529]: Registered Authentication Agent 

[Freeipa-users] IPA Server is not coming backup

2016-09-20 Thread Deepak Dimri
Hi All,
My IPA Server was working all fine until I tried restarting it using "ipactl restart" and now I have ended up with these errors :(

[root@ip-172-31-25-165 plugins]# ipactl restart
Starting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Starting named Service
Job for named-pkcs11.service failed because the control process exited with error code. See "systemctl status named-pkcs11.service" and "journalctl -xe" for details.
Failed to start named Service
Shutting down
Aborting ipactl
This is what I get with "systemctl status named-pkcs11.service":
[root@ip-172-31-25-165 plugins]# systemctl status named-pkcs11.service
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-09-20 06:28:03 EDT; 1min 2s ago
  Process: 3281 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 3278 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/US-WEST-2.C...database)
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may...er failed
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: couldn't establish connection in LDAP connection pool: failure
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: dynamic database 'ipa' configuration failed: failure
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: loading configuration: failure
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3284]: exiting (due to fatal error)
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: Unit named-pkcs11.service entered failed state.
Sep 20 06:28:03 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: named-pkcs11.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
Output from "journalctl -xe" is as below:
[root@ip-172-31-25-165 ec2-user]# journalctl -xe
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: option 'serial_autoincrement' is not supported, ignoring
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: GSSAPI client step 1
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: GSSAPI client step 1
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information 
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GS
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: couldn't establish connection in LDAP connection pool: failure
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: dynamic database 'ipa' configuration failed: failure
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: loading configuration: failure
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal named-pkcs11[3511]: exiting (due to fatal error)
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
-- Subject: Unit named-pkcs11.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit named-pkcs11.service has failed.
-- 
-- The result is failed.
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: Unit named-pkcs11.service entered failed state.
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal systemd[1]: named-pkcs11.service failed.
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal polkitd[529]: Unregistered Authentication Agent for unix-process:3498:364279453 (system bus name :1.
Sep 20 06:37:00 ip-172-31-25-165.us-west-2.compute.internal polkitd[529]: Registered Authentication Agent 

Re: [Freeipa-users] Want to extend schema for ipahost

2016-09-19 Thread Deepak Dimri
Thank you Flo,
This helped!!!
Best regards,
Deepak

> Subject: Re: [Freeipa-users] Want to extend schema for ipahost
> To: deepak_di...@hotmail.com; freeipa-users@redhat.com
> From: f...@redhat.com
> Date: Mon, 19 Sep 2016 13:41:00 +0200
> 
> On 09/19/2016 01:31 PM, Deepak Dimri wrote:
> > Hi All,
> >
> > I want to add a couple of custom attributes to IPA Host. I have already
> > added custom attributes and objectclass "AWSInstanceDetails" to my
> > schema successfully but when I am trying to modify an existing host to
> > include the new objectclass I am getting the below error
> >
> > ldap_modify: Object class violation (65)
> >
> > additional info: missing attribute "sn" required by object class
> > "AWSInstanceDetails"
> >
> > my ldif file to add the newly created objectclass.
> >
> > dn: fqdn=testhost,dc=ddiam,dd=online
> > changetype: modify
> > add: objectclass
> > objectclass: AWSInstanceDetails
> >
> > How can I extend my ipahost objectclass to include additional
> > attributes? I followed this document to extend ipa
> > userobjectclass
> > https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf but
> > now I need help with ipahost
> >
> > As always any help would be much appreciated!
> >
> > Thanks,
> >
> > Deepak
> >
> 
> Hi Deepak,
> 
> What is your schema definition for AWSInstanceDetails? If it requires 
> the "sn" attribute as a mandatory attribute (i.e in the MUST section), 
> then you need to define a value for sn in your ldif file. Otherwise the 
> schema would not be respected by your object.
> 
> For instance:
> dn: fqdn=testhost,dc=ddiam,dd=online
> changetype: modify
> add: objectclass
> objectclass: AWSInstanceDetails
> -
> add: sn
> sn: myValue
> 
> If, on the contrary, you do not want the attribute to be mandatory, you 
> can define the AWSInstanceDetails objectclass with an optional "sn" 
> attribute, by putting sn in the MAY section.
> 
> Hope this helps,
> Flo.
> 
  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
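As an added example (not code from the thread or from FreeIPA), a pre-flight check that reproduces the object class violation discussed above offline: it parses an objectClass definition, applies the LDIF's add operations to a sample entry and reports the MUST attributes still missing. The two AWSInstanceDetails definitions, their OID and the sample host entry are constructed assumptions; the LDIF is the one from the thread.

```python
import re

# Constructed objectClass definitions in RFC 4512 syntax. The OID is a
# placeholder, not a registered arc. The first puts 'sn' in MUST, which is
# what yields "missing attribute sn required by object class" in the
# thread; the second moves it to MAY, as Flo suggested.
SCHEMA_MUST_SN = (
    "( 1.3.6.1.4.1.99999.1.2.1 NAME 'AWSInstanceDetails' SUP top AUXILIARY "
    "MUST ( sn ) MAY ( awsInstanceId $ awsRegion ) )"
)
SCHEMA_MAY_SN = (
    "( 1.3.6.1.4.1.99999.1.2.1 NAME 'AWSInstanceDetails' SUP top AUXILIARY "
    "MAY ( sn $ awsInstanceId $ awsRegion ) )"
)

# Constructed stand-in for the host entry as read from the directory
# (a real ipahost entry carries many more attributes).
EXISTING_HOST = {"fqdn": ["testhost"], "objectclass": ["top", "ipahost"]}

# The modify LDIF from the thread, without and with the 'sn' value.
LDIF_WITHOUT_SN = """dn: fqdn=testhost,dc=ddiam,dd=online
changetype: modify
add: objectclass
objectclass: AWSInstanceDetails
"""
LDIF_WITH_SN = LDIF_WITHOUT_SN + "-\nadd: sn\nsn: myValue\n"


def parse_objectclass(definition):
    """Return (name, must, may) from an objectClass description.

    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive. Only the parenthesised list form and the single-name
    form of MUST/MAY are handled."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)

    def attr_set(keyword):
        m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % keyword, definition)
        if not m:
            return set()
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return {a.strip().lower() for a in body.split("$") if a.strip()}

    return name, attr_set("MUST"), attr_set("MAY")


def apply_ldif_adds(entry, ldif):
    """Return a copy of entry with the LDIF's 'add:' operations applied.

    Only 'add' changes are handled, which is all the thread's LDIF uses."""
    result = {k.lower(): list(v) for k, v in entry.items()}
    current = None
    for line in ldif.splitlines():
        if not line or line.startswith(("dn:", "changetype:")):
            continue
        if line == "-":            # end of one modify operation
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "add":
            current = value.lower()
        elif key == current:
            result.setdefault(key, []).append(value)
    return result


def missing_must(entry, schema_defs):
    """Map each objectClass on the entry to its MUST attributes not present."""
    present = {k for k, v in entry.items() if v}
    classes = {c.lower() for c in entry.get("objectclass", [])}
    gaps = {}
    for definition in schema_defs:
        name, must, _ = parse_objectclass(definition)
        if name.lower() in classes and must - present:
            gaps[name] = sorted(must - present)
    return gaps


def check(ldif, schema_definition, entry=EXISTING_HOST):
    """Pre-flight the modify: {} means no object class violation expected."""
    return missing_must(apply_ldif_adds(entry, ldif), [schema_definition])


if __name__ == "__main__":
    print(check(LDIF_WITHOUT_SN, SCHEMA_MUST_SN))  # {'AWSInstanceDetails': ['sn']}
    print(check(LDIF_WITH_SN, SCHEMA_MUST_SN))     # {}
    print(check(LDIF_WITHOUT_SN, SCHEMA_MAY_SN))   # {}
```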

[Freeipa-users] 2FA using FreeIPA

2016-09-13 Thread Deepak Dimri
Hi All,
I have the below lines added to my sshd_config file for testuser.

Match User testuser
    AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam

I have OTP enabled for tapuser in IPA and I am able to log in to the GUI using the
password + OTP.  However when I try to ssh I am getting prompted for the first
factor, then the second factor, and then it ends with a "Permission denied
(keyboard-interactive)." error.  What could be wrong here?
Regards,
Deepak
  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] General query regarding nameserver entry

2016-09-07 Thread Deepak Dimri
Thanks Martin for your reply.
It would be cool if I could have the IPA client resolve the IPA server without
specifying a nameserver in resolv.conf.
How do I configure zone delegation? Is there any document I can refer to?
Many Thanks,
Deepak

> Subject: Re: [Freeipa-users] General query regarding nameserver entry
> To: deepak_di...@hotmail.com; freeipa-users@redhat.com
> From: mba...@redhat.com
> Date: Mon, 5 Sep 2016 09:12:08 +0200
>
> On 02.09.2016 20:06, Deepak Dimri wrote:
> > Hi All,
> >
> > My ipa-client-install fails until /etc/resolv.conf gets updated with the
> > IPA nameserver entry. I want to avoid a task of updating resolv.conf in
> > my automation script. Is there a way I can get my IPA client installation
> > successful without updating resolv.conf? What options do I have?
> >
> > Many Thanks,
> > Deepak
>
> Hello,
>
> do you have proper zone delegation? With proper zone delegation it
> should be able to resolve IPA from every nameserver.
>
> Martin
  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
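An added example, not from the thread or from FreeIPA, of what "proper zone delegation" has to contain on the parent side for resolvers to find the IPA nameserver without it being listed in resolv.conf: NS records for the IPA zone in the parent, plus a glue address record for any nameserver whose name lies inside the delegated zone. All zone names, record values and addresses are constructed.

```python
# Constructed zone and host names; nothing here is from the thread or FreeIPA.
PARENT_ZONE = "example.test."
IPA_ZONE = "ipa.example.test."

# Parent zone contents as (owner, rrtype, rdata) triples.
GOOD_PARENT = [
    (PARENT_ZONE, "SOA", "ns1.example.test. hostmaster.example.test. "
                         "2016090201 3600 900 604800 86400"),
    (PARENT_ZONE, "NS", "ns1.example.test."),
    ("ns1.example.test.", "A", "192.0.2.1"),
    # Delegation of the IPA domain: NS record plus glue for the in-zone name.
    (IPA_ZONE, "NS", "ipa1.ipa.example.test."),
    ("ipa1.ipa.example.test.", "A", "192.0.2.10"),
]
# Delegation without glue: resolvers learn the NS name but no address for it,
# and the only server that could answer for that name is the one they cannot reach.
NO_GLUE_PARENT = [r for r in GOOD_PARENT if r[0] != "ipa1.ipa.example.test."]
# No delegation at all: the parent answers NXDOMAIN for anything under IPA_ZONE.
NO_NS_PARENT = [r for r in GOOD_PARENT
                if r[0] != IPA_ZONE and not r[0].endswith("." + IPA_ZONE)]


def in_zone(name, zone):
    """True if name is zone itself or lies below it."""
    return name == zone or name.endswith("." + zone)


def check_delegation(parent_records, child_zone):
    """Return a list of problems with the parent's delegation of child_zone.

    An empty list means a resolver that follows the delegation from the
    parent can obtain an address for at least the in-zone nameservers."""
    problems = []
    ns_names = [rdata for owner, rrtype, rdata in parent_records
                if owner == child_zone and rrtype == "NS"]
    if not ns_names:
        return ["no NS records for %s in the parent zone" % child_zone]
    glue_owners = {owner for owner, rrtype, _ in parent_records
                   if rrtype in ("A", "AAAA")}
    for ns in ns_names:
        # An NS name inside the delegated zone can only be resolved through
        # that zone, so the parent must carry its address as glue.
        if in_zone(ns, child_zone) and ns not in glue_owners:
            problems.append("in-bailiwick NS %s has no glue address record" % ns)
    return problems


def delegation_records(child_zone, ns_name, address):
    """Records to add to the parent zone for a delegation, with glue if needed."""
    records = [(child_zone, "NS", ns_name)]
    if in_zone(ns_name, child_zone):
        records.append((ns_name, "A", address))
    return records


if __name__ == "__main__":
    for label, zone in (("good", GOOD_PARENT), ("no glue", NO_GLUE_PARENT),
                        ("no NS", NO_NS_PARENT)):
        print(label, check_delegation(zone, IPA_ZONE))
```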

[Freeipa-users] General query regarding nameserver entry

2016-09-02 Thread Deepak Dimri
Hi All,
My ipa-client-install fails until /etc/resolv.conf gets updated with the IPA 
nameserver entry.   I want to avoid a task of updating resolv.conf in my 
automation script.  Is there a way I can get my IPA client installation 
successful without updating resolv.conf? What options do I have?

Many Thanks,
Deepak
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Deepak Dimri
Thanks Martin, that worked.
Though this ACI did not help me achieve what I was looking for. Let me ask
you this, if you can advise me on something:
I want to create a permission which should allow an admin to 'add'/'delete'
hosts from the "foo-hostgroup" list only if the "member attribute" value is equal to
"foo". I basically want to restrict the foo admin from adding any other host
to the "foo-hostgroup" other than a host having an attribute value of "foo".
Why can I achieve this?
Many Thanks,
Deepak

> Subject: Re: [Freeipa-users] Getting ACL Syntax Error(-5)
> To: deepak_di...@hotmail.com; freeipa-users@redhat.com
> From: mba...@redhat.com
> Date: Wed, 31 Aug 2016 12:06:02 +0200
>
> On 31.08.2016 11:49, Deepak Dimri wrote:
> > Hi All,
> > I am getting ACL Syntax Error(-5) when trying to add an ACI to my freeIPA
> > server.  Any idea why I am getting this error?
>
> Maybe your ACI is incorrect?
>
> > This is the error I am getting:
> >
> > ldap_modify: Invalid syntax (21)
> > additional info: ACL Syntax Error(-5):(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0; acl \22permission:Allow admin to modify  hosts membership within  permitted hostgroups\22; allow (write) groupdn =\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)
>
> Can you try here 'version3.0;' to put a space between version and number?
>
> Otherwise it looks good to me.
>
> > my ldif entries:
> >
> > dn: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
> > add: aci
> > aci: (targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")(version3.0;acl "permission:Allow admin to modify  hosts membership within  permitted hostgroups";allow (write) groupdn ="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com";)
> >
> > Also, one general question: I should be able to view the ACI under the
> > freeIPA permission tab once it gets created, correct?
>
> No, you have to add a FreeIPA permission, custom ACIs are not tracked
> in webUI/CLI
>
> IMO it should be possible to create this permission using webUI
>
> Martin
>
> > Thanks & regards,
> > Deepak
  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Deepak Dimri
Hi All,
I am getting ACL Syntax Error(-5) when trying to add an ACI to my freeIPA 
server.  Any idea why I am getting this error?
This is the error I am getting:
ldap_modify: Invalid syntax (21)
additional info: ACL Syntax Error(-5):(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0; acl \22permission:Allow admin to modify  hosts membership within  permitted hostgroups\22; allow (write) groupdn =\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)
my ldif entries:
dn: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
add: aci
aci: (targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")(version3.0;acl "permission:Allow admin to modify  hosts membership within  permitted hostgroups";allow (write) groupdn ="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com";)
Also, one general question: I should be able to view the ACI under the freeIPA 
permission tab once it gets created, correct?
Thanks & regards,
Deepak
  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
Ok, I got it now. Let me try this with a role + privilege having three sets of 
permissions: 1) memberOf hostgroup to manage the permissions to the hosts; 2) 
permission on cn=hostgroup to manage the host membership within the given 
group; 3) permission for the "member attribute" to allow addition/deletion of 
host membership based on the "member attribute" value. I need to go through 
the link you shared; in the meanwhile a quick question: can I add a custom 
attribute, something like an AWS EC2 resource tag, as the member attribute of 
a host? I am just wondering what all/else could be a member attribute other 
than the AWS EC2 instance name...

Best Regards,
Deepak
> Date: Tue, 30 Aug 2016 18:36:21 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >Hi Alexander,
> >
> >Since i do not want myadmin1 to be able to add or remove the host from
> >other xyzhostgroups into myhostgroup membership.  Is it possible that
> >myadmin1 only sees objects i specifically given the permissions to  and
> >not any other hosts outside of myhostgroup?  That way he cannot add the
> >host he is not supposed to manage within myhostgroup
> OK, now I get it. The easiest way to solve this problem, no surprise, is
> organizational: do not give host group admins rights to include hosts in
> the hostgroup or delete them, only allow them to manage what's in the
> host group.
> 
> You then need to create a separate permission for 'add'/'del' rights
> against 'member' attribute that would allow to include/remove hosts.
> That's easy but it would not allow you to limit *what* hosts could be
> added/removed from the host group.
> 
> Unfortunately, to make that possible, permission-add/permission-mod
> should be extended to allow specifying target attribute values as
> described in the RHDS Administration Guide:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Defining_Targets-Targeting_Attribute_Values_Using_LDAP_Filters
> 
> Even then to define something like this, you need to have specific
> naming of hosts to be able to specify a pattern as a 'member' attribute
> value. Not sure how this is going to work for you in AWS, though, so
> this is why I'm saying it is an organizational issue, not really a
> technical one.
> 
> 
> 
> >Thanks for your great support!
> >regards,Deepak
> >
> >From: deepak_di...@hotmail.com
> >To: aboko...@redhat.com
> >CC: freeipa-users@redhat.com
> >Subject: RE: [Freeipa-users] Permission not working as expected
> >Date: Tue, 30 Aug 2016 09:54:38 -0400
> >
> >
> >
> >
> >Let me try summarize it!
> >I want xyzadmin of xyzhostgroup to be able to manage all the hosts within the
> >xyzhostgroup, which means he should be able to delete/add/modify the
> >hosts under xyzhostgroup. This is what I currently have in the role:
> >myhostgroup-role (role) --> myadmin1 (admin user) --> myhostgroup (host group
> >where I have added the hosts) --> my-hostgroup-privilege -->
> >my-hostgroup-permission
> >The problem is that the moment I add memberOf=cn= in the target filter
> >then myadmin1 cannot add/delete the hosts within myhostgroup or any other
> >hosts in other hostgroups. However, if I assign the role permission with
> >subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter as
> >(&(cn=myhostgroup)(objectclass=ipahostgroup)) and the member attribute added
> >then myadmin1 gets the expected access to manage the hosts within
> >myhostgroup but then he also gets access to delete and manage other hosts
> >outside of myhostgroup, which I don't want!
> >
> >Thanks & Regards,Deepak
> >> Date: Tue, 30 Aug 2016 16:10:00 +0300
> >> From: aboko...@redhat.com
> >> To: deepak_di...@hotmail.com
> >> CC: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] Permission not working as expected
> >>
> >> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >> >Hi Alexander,
> >> >I did try adding the "member" effective attribute in the GUI and also from
> >> >the command prompt but the error is not going away when I try to delete
> >> >the host from my taphostgroup. For me it only works if I have
> >> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
> >> >I am allowed access to all the hosts in all the hostgroups :( I am
> >> >kinda stuck with this is

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
Let me try to summarize it!
I want xyzadmin of xyzhostgroup to be able to manage all the hosts within the 
xyzhostgroup, which means he should be able to delete/add/modify the hosts 
under xyzhostgroup.  This is what I currently have in the role:
myhostgroup-role (role) --> myadmin1 (admin user) --> myhostgroup (host group 
where I have added the hosts) --> my-hostgroup-privilege --> 
my-hostgroup-permission
The problem is that the moment I add memberOf=cn= in the target filter 
then myadmin1 cannot add/delete the hosts within myhostgroup or any other 
hosts in other hostgroups. However, if I assign the role permission with 
subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter as 
(&(cn=myhostgroup)(objectclass=ipahostgroup)) and the member attribute added, then 
myadmin1 gets the expected access to manage the hosts within myhostgroup but 
then he also gets access to delete and manage other hosts outside of 
myhostgroup, which I don't want!

Thanks & Regards,
Deepak
> Date: Tue, 30 Aug 2016 16:10:00 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >Hi Alexander,
> >I did try adding the "member" effective attribute in the GUI and also from
> >the command prompt but the error is not going away when I try to delete
> >the host from my taphostgroup. For me it only works if I have
> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
> >I am allowed access to all the hosts in all the hostgroups :( I am
> >kinda stuck with this issue.  Would be great if you can suggest any
> >further headway!
> Isn't this what you wanted: a user has the ability to manage all hosts in
> the host group but not other hosts?
> 
> -- 
> / Alexander Bokovoy
  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
typo correction below!

From: deepak_di...@hotmail.com
To: aboko...@redhat.com
CC: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Permission not working as expected
Date: Tue, 30 Aug 2016 09:04:36 -0400

Hi Alexander,
I did try adding the "member" effective attribute in the GUI and also from the 
command prompt but the error is not going away when I try to delete the host 
from my taphostgroup. For me it only works if I have 
(&(cn=taphostgroup)(objectclass=ipahostgroup)) in the --filter & 
dc=us-west-2,dc=compute,dc=amazonaws,dc=com in the subtree BUT then I am 
allowed access to all the hosts in all the hostgroups :( I am kinda stuck with 
this issue.  Would be great if you can suggest any further headway!

 ipa permission-mod manage-taphostgroup --attrs={'userPassword','description','nshardwareplatform','nsosversion','usercertificate','userclass','macaddress','ipaassignedidview','ipasshpubkey','member'}
-
Modified permission "manage-taphostgroup"
-
  Permission name: manage-taphostgroup
  Granted rights: all
  Effective attributes: description, ipaassignedidview, ipasshpubkey, macaddress, member, nshardwareplatform, nsosversion, userPassword, usercertificate, userclass
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
  Extra target filter: (memberOf=cn=taphostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com)
  Type: host
  Granted to Privilege: tap-hostgroup-privilege
  Indirect Member of roles: taphostgroup-role
Many thanks,
Deepak
> Date: Tue, 30 Aug 2016 13:27:59 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >I did try the  exact steps from the blog but alas still it did not work. 
> >getting same error :(
> I don't give rights to write to the 'member' attribute in the blog. You have
> to adapt it to your situation, obviously.
> 
> -- 
> / Alexander Bokovoy

  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
Hi Alexander,
I did try adding the "member" effective attribute in the GUI and also from the 
command prompt but the error is not going away when I try to delete the host 
from my taphostgroup. For me it only works if I have 
(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then I am 
allowed access to all the hosts in all the hostgroups :( I am kinda stuck with 
this issue.  Would be great if you can suggest any further headway!

 ipa permission-mod manage-taphostgroup --attrs={'userPassword','description','nshardwareplatform','nsosversion','usercertificate','userclass','macaddress','ipaassignedidview','ipasshpubkey','member'}
-
Modified permission "manage-taphostgroup"
-
  Permission name: manage-taphostgroup
  Granted rights: all
  Effective attributes: description, ipaassignedidview, ipasshpubkey, macaddress, member, nshardwareplatform, nsosversion, userPassword, usercertificate, userclass
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
  Extra target filter: (memberOf=cn=taphostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com)
  Type: host
  Granted to Privilege: tap-hostgroup-privilege
  Indirect Member of roles: taphostgroup-role
Many thanks,
Deepak
> Date: Tue, 30 Aug 2016 13:27:59 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >I did try the  exact steps from the blog but alas still it did not work. 
> >getting same error :(
> I don't give rights to write to the 'member' attribute in the blog. You have
> to adapt it to your situation, obviously.
> 
> -- 
> / Alexander Bokovoy
  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
I did try the exact steps from the blog but alas, it still did not work. 
Getting the same error :(

p-172-31-29-153.us-west-2.compute.internal: Insufficient access: Insufficient 
'write' privilege to the 'member' attribute of entry 
'cn=my-hostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com'.
Regards,
Deepak
> Date: Tue, 30 Aug 2016 13:04:07 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >Hi Alexander,
> >Thanks for the reply
> >I tried the exact steps below but it is still not working.  The admin user
> >added to the new role and privilege we have created is getting an error
> >when trying to add or remove a host of myhostgroup.
> >ip-172-31-29-153.us-west-2.compute.internal: Insufficient access:
> >Insufficient 'write' privilege to the 'member' attribute of entry
> >'cn=myhostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com'.
> >Not sure if DN (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test) 
> >would make any difference? I also noticed I don't get Permission flags: V2, 
> >SYSTEM in my ipa output.  Not sure if that would make any difference.
> >I would really appreciate it if this can be resolved...
> Read the other emails I sent in this thread.
> 
> The whole story is here:
> https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/
> 
> -- 
> / Alexander Bokovoy
  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
Hi Alexander,
Thanks for the reply 
I tried the exact steps below but it is still not working.  The admin user added to 
the new role and privilege we have created is getting an error when trying to add 
or remove a host of myhostgroup.  
ip-172-31-29-153.us-west-2.compute.internal: Insufficient access: Insufficient 
'write' privilege to the 'member' attribute of entry 
'cn=myhostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com'.

Not sure if DN (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test) 
would make any difference? I also noticed I don't get Permission flags: V2, 
SYSTEM in my ipa output.  Not sure if that would make any difference.
I would really appreciate it if this can be resolved...
Best Regards,
Deepak
> Date: Tue, 30 Aug 2016 09:03:23 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Alexander Bokovoy wrote:
> >On Mon, 29 Aug 2016, Deepak Dimri wrote:
> >>Hi All,
> >>I have created the below permission for my "testhostgroup" with the
> >>expectation that this permission will only allow write permission to
> >>the members of "testhostgroup" but then it allows me to add/delete
> >>other hostgroup members as well. I tried changing the effective
> >>attribute to "memberof" instead of "member" but in vain, as with that I
> >>started getting a permission denied error even on testhostgroup itself.
> >>
> >>ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member 
> >>--filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
> >>--
> >>Added permission "testhostgroup-modify"
> >>--
> >> Permission name: testhostgroup-modify
> >> Granted rights: write
> >> Effective attributes: member
> >> Bind rule type: permission
> >> Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
> >> Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))
> >>How can I restrict permissions to manage only those hosts which are
> >>part of a particular hostgroup? Any help you could offer on this would
> >>be much appreciated. I could not find much on a similar issue in the
> >>forum :( Thanks, Deepak
> >The permission above says: "Allow changing 'member' attribute in the
> >testhostgroup object". I don't think this is what you wanted, according
> >to your explanation above.
> >
> >Let's say you have host group 'myhostgroup':
> ># ipa hostgroup-add myhostgroup
> >-
> >Added hostgroup "myhostgroup"
> >-
> > Host-group: myhostgroup
> >
> >and now you want to create a permission that would target hosts in the
> >host group. A member of that permission would be able to do anything
> >with the host.
> >
> >First, you need to create a basic permission which applies to hosts:
> >
> ># ipa permission-add manage-my-hostgroup --right=all 
> >--bindtype=permission --type=host 
> >--
> >Added permission "manage-my-hostgroup"
> >--
> > Permission name: manage-my-hostgroup
> > Granted rights: all
> > Bind rule type: permission
> > Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> > Type: host
> > Permission flags: V2, SYSTEM
> >
> >Now, look at the permission in detail:
> >
> ># ipa permission-show --all --raw manage-my-hostgroup
> > dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
> > cn: manage-my-hostgroup
> > ipapermright: all
> > ipapermbindruletype: permission
> > ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> > ipapermtargetfilter: (objectclass=ipahost)
> > ipapermissiontype: V2
> > ipapermissiontype: SYSTEM
> > aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl 
> > "permission:manage-my-hostgroup";allow (all) groupdn = 
> > "ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";)
> > objectclass: ipapermission
> > objectclass: top
> > objectclass: groupofnames
> > objectclass: ipapermissionv2
> >
> >As you can see, it applies to hosts: cn=computers,cn=accounts,$SUFFIX
> >subtree, and target filter is set to (objectclass=ipahost). So it would
> >ap

[Freeipa-users] Permission not working as expected

2016-08-29 Thread Deepak Dimri
Hi All,
I have created the permission below for my "testhostgroup" with the expectation
that this permission will only allow write permission to the members of
"testhostgroup", but it then allows me to add/delete other hostgroup members as
well. I tried changing the effective attribute to "memberof" instead of
"member", but in vain, as with that I started getting a permission denied error
even on testhostgroup itself.

ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member --filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
--
Added permission "testhostgroup-modify"
--
  Permission name: testhostgroup-modify
  Granted rights: write
  Effective attributes: member
  Bind rule type: permission
  Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
  Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))

How can I restrict permissions to manage only those hosts which are part of a
particular hostgroup? Any help you could offer on this would be much
appreciated. I could not find much on a similar issue in the forum :(
Thanks,
Deepak
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Delegated Administration in IPA

2016-08-29 Thread Deepak Dimri
[adding Freeipa-users]

Hi Alexander,
I was referring to your reply below regarding managing the access (adding and
deleting etc.) for only those hosts which are part of a particular hostgroup.
You mentioned I can do that using an "additional target filter based on the
hostgroup membership" in the FreeIPA permission. What would be the
attribute/DN I should be giving in the target filter to achieve this?
Obviously the default host group membership allows the admin to add and delete any
hosts, which I don't want. I want management restricted to only those hosts which
are part of the hostgroup.
Thanks in advance
Best Regards,
Deepak


> Date: Mon, 8 Aug 2016 11:54:23 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Delegated Administration in IPA
> 
> On Mon, 08 Aug 2016, Deepak Dimri wrote:
> >Hi List,
> >I want some help here! I have 100 Linux servers and EC2 instances
> >used by various teams/departments. I want to have group-wise
> >clubbing of these servers so that I can delegate administration access
> >to the manager of that particular group. For example, let's say out of those
> >100 servers, 25 servers belong to the engineering team, so I want to
> >register these 25 servers under an engineering group/domain and then
> >assign full administration access to the engineering manager to manage
> >these 25 servers and their accesses. I am getting a sense that we can
> >create DNS subdomains for each team, i.e. engineering.<domain name>, and then
> >register those 25 servers under engineering.<domain name>, but then I am not
> >sure how I can assign the access and do
> >the rest of the configuration. I would be thankful if any of you can
> >provide the configuration steps to help me.
> What kind of administration do you want to achieve?
> 
> - Managing IPA objects themselves?
> - Managing actual machines as in login to them, run sudo, etc?
> 
> For the former you'd need to learn how to deal with
> permissions/privileges/roles and create separate
> permissions/privileges/roles that look like a default one with
> additional target filter based on the hostgroup membership.
> 
> For the latter you'd use HBAC rules.
> 
> -- 
> / Alexander Bokovoy

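Alexander's pointer (a permission whose extra target filter keys on host-group membership, wrapped in a privilege and a role) is also what the "Permission not working as expected" post above is asking for. Here is an added shell example of that setup; it is not code from this thread, and the host group, base DN, admin group and the permission/privilege/role names are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): scope a FreeIPA permission to the hosts
# of one host group, then expose it through a privilege and a role.
# Assumptions: the host group and the admin user group already exist, the base
# DN is passed in, and the permission/privilege/role names are invented here.
set -eu

# Every host that belongs to a host group carries a memberOf value with the
# group's DN, so a target filter on it matches only those host entries.
hostgroup_filter() {
    # $1 = host group name, $2 = base DN (e.g. dc=example,dc=com)
    printf '(memberOf=cn=%s,cn=hostgroups,cn=accounts,%s)' "$1" "$2"
}

delegate_hostgroup_admin() {
    # $1 = host group, $2 = base DN, $3 = IPA user group that gets the role
    hg=$1; base=$2; admins=$3
    ipa=${IPA:-ipa}    # IPA=echo prints the commands instead of running them
    filter=$(hostgroup_filter "$hg" "$base")
    # Permission: all rights on host entries, but only those matching the filter.
    "$ipa" permission-add "Manage $hg hosts" --type=host --right=all \
        --bindtype=permission --filter="$filter"
    # A privilege groups permissions; a role hands privileges to people.
    "$ipa" privilege-add "$hg host administrators" --desc="Manage hosts in $hg"
    "$ipa" privilege-add-permission "$hg host administrators" \
        --permissions="Manage $hg hosts"
    "$ipa" role-add "$hg admin" --desc="Delegated admin for $hg"
    "$ipa" role-add-privilege "$hg admin" --privileges="$hg host administrators"
    "$ipa" role-add-member "$hg admin" --groups="$admins"
}

# Dry run with constructed names; drop the IPA=echo line to apply for real.
IPA=echo
delegate_hostgroup_admin BU1HostGroup dc=example,dc=com BU1Admins
```

Login and sudo on the machines themselves are still governed by HBAC and sudo rules, as Alexander notes; this only delegates the management of the host entries in IPA.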

[Freeipa-users] Delegated administration use case

2016-08-29 Thread Deepak Dimri
My IPA server has a bunch of IPA clients registered with it; I have done
department/product-wise grouping of my IPA clients and users. Example: for
business unit 1 (BU1) I have "BU1UserGroup" and "BU1HostGroup"; similarly, for
BU2 it's "BU2UserGroup" & "BU2HostGroup". Now I want to have department-wise
delegated administration in such a way that the admin of BU1 can manage access for
the users in "BU1UserGroup" and "BU1HostGroup", and the admin of BU2 can manage the
users and hosts in "BU2UserGroup" & "BU2HostGroup". Essentially
these sub-admins should have full access to manage the access privileges for
users and manage the hosts for their respective department/BU.
I am still playing with IPA to understand this better but thought of asking you
if this is a valid use case for IPA server; any pointer on how this can be
achieved would be much appreciated.
Thanks,
Deepak

[Freeipa-users] Admin password no more working

2016-08-18 Thread Deepak Dimri
Hi All,
While trying to automate IPA client registration programmatically, I seem to have
made my admin password out of sync between the KDC and /etc/krb5.keytab. Now when
I try to log in to the IPA GUI as admin I am getting "The password or username is
incorrect", though I am trying with the correct password that I have been using.
Is there any way I can log in to the GUI in this situation? Is there any way I can
get my admin password reset or something? I can run my Ansible playbooks without
any issues on the Linux host but cannot log in to the GUI any more...
Thanks for your great help!
Regards,
Deepak

[Freeipa-users] Ansible Playbook

2016-08-16 Thread Deepak Dimri
Hi All,
I am looking to write an Ansible playbook to automatically register my EC2
instances as freeIPA clients with my IPA server and then add the client(s) to a
particular hostgroup based on an EC2 tag value. For example, EC2 tag key value =
prod will add the client to the prod hostgroup. I am wondering if there is any
freeIPA client module available for this purpose already that I can leverage?
Many Thanks,
Deepak


[Freeipa-users] 2FA with Sudo not working

2016-08-12 Thread Deepak Dimri
Hi All,
I have 2FA (Password + OTP) enabled for a user in the freeIPA console. I am able to
SSH into my Linux system using Google Authenticator + SSH key, but when I do
sudo su I am getting into the below loop even when I am entering valid credentials:

-sh-4.2$ sudo su
First Factor: 
Sorry, try again.
First Factor: 

I found a couple of email threads having the exact same problem
https://www.redhat.com/archives/freeipa-users/2016-May/msg00414.html but the rpm
fix (sssd-1.13.3-6.fc24.src.rpm) mentioned did not fix the issue. I have also
downloaded the sssd commit mentioned in this link
https://bugzilla.redhat.com/show_bug.cgi?id=1276868 but don't know how to
install it.
Are there any clear instructions available on how this sssd bug can be fixed?
Thanks,
Deepak


[Freeipa-users] key+OTP to SSH into publicly exposed redHat instances

2016-08-11 Thread Deepak Dimri
Hi All,
I want to protect my publicly exposed AWS EC2 instances with an SSH key and OTP. I
have my freeIPA v4 all up and running. I am able to SSH in to my IPA clients
with my private key; however, I want to include OTP in this login process. I
have enabled OTP for one test user in my FreeIPA and I am able to log in with
password+OTP using the browser admin URL, BUT how do I challenge the same user for
OTP when trying to SSH into RedHat?
I have tried adding this in my freeIPA server's /etc/ssh/sshd_config but no luck;
I do not get challenged for OTP when using SSH.

ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no

Thanks in Advance,
Deepak

Re: [Freeipa-users] FreeIPA LDAP Directory Extenion

2016-08-09 Thread Deepak Dimri
Ok, got it, Martin.
One more query on this.
I have extended the ObjectClass under inetOrgPerson and added the custom
attributes successfully. I could add my new custom ObjectClass under the "default
user object class" tab of my FreeIPA configuration. But then the question is how
do I use these attributes? I don't even see them listed under the user identity
profile along with the other out-of-the-box attributes like first name, address etc.
Best Regards,
Deepak

> Subject: Re: [Freeipa-users] FreeIPA LDAP Directory Extenion
> To: deepak_di...@hotmail.com; mba...@redhat.com; freeipa-users@redhat.com
> From: mko...@redhat.com
> Date: Tue, 9 Aug 2016 11:10:09 +0200
> 
> Hi Deepak,
> 
> This console is not available for regular or shipped with FreeIPA (AFAIK), it
> is only included in the Red Hat Directory Server product. With FreeIPA, you
> will need to extend the schema with CLI tools (ldapmodify) as indicated in the
> presentation that Martin Basti shared.
> 
> Martin
> 
> On 08/09/2016 11:06 AM, Deepak Dimri wrote:
> > Thanks Martin, this helps!
> > 
> > I also like this
> > link 
> > https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#extending-the-schema
> > 
> > Would you know how I can access the "Directory Server Console"? What file do I need
> > to run to open it, as given in this document?
> > 
> > Regards,
> > Deepak
> > 
> > 
> > ---
> > Subject: Re: [Freeipa-users] FreeIPA LDAP Directory Extenion
> > To: deepak_di...@hotmail.com; freeipa-users@redhat.com
> > From: mba...@redhat.com
> > Date: Tue, 9 Aug 2016 10:15:47 +0200
> > 
> > 
> > 
> > 
> > On 09.08.2016 10:08, Deepak Dimri wrote:
> > 
> > Hi All,
> > 
> > I want to extend my FreeIPA Directory Schema: I want to add a new
> > ObjectClass and add a few attributes to the existing person ObjectClass. I see
> > in a lot of places it is mentioned I can do it through the 389-console command,
> > but I don't find it in my freeIPA server. I am getting an ObjectClass not found
> > error when trying to add it using the FreeIPA admin GUI configuration tab. Are
> > there any documentation steps available on how the schema can be extended in
> > freeIPA using the GUI or outside it? I am not finding any helpful material on
> > this and hence thought of checking with you all!
> > 
> > Thanks,
> > Deepak
> > 
> > 
> > 
> > Hello,
> > 
> > please read [pages 6-7]
> > https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
> > 
> > You should *not* extend IPA objectclasses, you have to create your own,
> > otherwise we may and will break your schema during upgrade.
> > 
> > Martin
> > 
> > 
> 

Re: [Freeipa-users] FreeIPA LDAP Directory Extenion

2016-08-09 Thread Deepak Dimri
Thanks Martin, this helps!
I also like this link
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#extending-the-schema
Would you know how I can access the "Directory Server Console"? What file do I need
to run to open it, as given in this document?
Regards,
Deepak

> Subject: Re: [Freeipa-users] FreeIPA LDAP Directory Extenion
> To: deepak_di...@hotmail.com; freeipa-users@redhat.com
> From: mba...@redhat.com
> Date: Tue, 9 Aug 2016 10:15:47 +0200
> 
> On 09.08.2016 10:08, Deepak Dimri wrote:
> > Hi All,
> > 
> > I want to extend my FreeIPA Directory Schema: I want to add a new
> > ObjectClass and add a few attributes to the existing person ObjectClass. I see
> > in a lot of places it is mentioned I can do it through the 389-console command,
> > but I don't find it in my freeIPA server. I am getting an ObjectClass not found
> > error when trying to add it using the FreeIPA admin GUI configuration tab. Are
> > there any documentation steps available on how the schema can be extended in
> > freeIPA using the GUI or outside it? I am not finding any helpful material on
> > this and hence thought of checking with you all!
> > 
> > Thanks,
> > Deepak
> 
> Hello,
> 
> please read [pages 6-7]
> https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
> 
> You should *not* extend IPA objectclasses, you have to create your own,
> otherwise we may and will break your schema during upgrade.
> 
> Martin
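Martin's advice in this thread (create your own object class rather than extending IPA's, and load it with ldapmodify since FreeIPA ships no console) as an added shell example; this is not code from the thread or the linked slides, and the attribute name, class name and the 1.3.6.1.4.1.99999 OIDs are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA slides): add a site-specific
# attribute through a new AUXILIARY object class instead of touching
# inetOrgPerson, then let IPA users carry it.
# Assumptions: the OIDs under 1.3.6.1.4.1.99999 are placeholders (use an arc
# you own), the attribute and class names are invented, and ldapmodify prompts
# for the Directory Manager password (-W).
set -eu

# LDIF that adds one attribute type and one auxiliary class to cn=schema.
# An AUXILIARY class with SUP top leaves IPA's own classes untouched, which is
# what keeps the schema safe across upgrades.
schema_ldif() {
    # $1 = attribute name, $2 = object class name
    cat <<EOF
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME '$1' DESC 'site-specific attribute' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'site schema' )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME '$2' DESC 'site-specific person data' SUP top AUXILIARY MAY ( $1 ) X-ORIGIN 'site schema' )
EOF
}

extend_schema() {
    # $1 = attribute, $2 = class, $3 = LDAP URI of an IPA server,
    # $4 = an existing user, $5 = value to store for that user
    schema_ldif "$1" "$2" | ldapmodify -x -D "cn=Directory Manager" -W -H "$3"
    # New users get the class automatically once it is in the default list;
    # --addattr appends so IPA's own default classes stay in place.
    ipa config-mod --addattr ipauserobjectclasses="$2"
    # Existing users need the class added before the attribute can be set.
    ipa user-mod "$4" --addattr objectclass="$2" --setattr "$1=$5"
}

# Show the LDIF for constructed names; extend_schema needs a live server.
schema_ldif siteCostCenter sitePerson
```

Once the class is on a user entry, the attribute is visible to ldapsearch and ipa user-show --all, but it appears in the web UI only if a UI plugin adds a field for it.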

[Freeipa-users] FreeIPA LDAP Directory Extenion

2016-08-09 Thread Deepak Dimri
Hi All,
I want to extend my FreeIPA Directory Schema: I want to add a new ObjectClass
and add a few attributes to the existing person ObjectClass. I see in a lot of places it
is mentioned I can do it through the 389-console command, but I don't find it in my
freeIPA server. I am getting an ObjectClass not found error when trying to add it
using the FreeIPA admin GUI configuration tab. Are there any documentation steps
available on how the schema can be extended in freeIPA using the GUI or outside it? I am not
finding any helpful material on this and hence thought of checking with you all!
Thanks,
Deepak

[Freeipa-users] Delegated Administration in IPA

2016-08-08 Thread Deepak Dimri
Hi List,
I want some help here! I have 100 Linux servers and EC2 instances used by
various teams/departments. I want to have group-wise clubbing of these
servers so that I can delegate administration access to the manager of that
particular group. For example, let's say out of those 100 servers, 25 servers
belong to the engineering team, so I want to register these 25 servers under
an engineering group/domain and then assign full administration access to the
engineering manager to manage these 25 servers and their accesses.
I am getting a sense that we can create DNS subdomains for each team, i.e.
engineering.<domain name>, and then register those 25 servers under
engineering.<domain name>, but then I am not sure how I can assign
the access and do the rest of the configuration.
I would be thankful if any of you can provide the configuration steps to
help me.
Thanks,
Deepak