Re: [Freeipa-users] Using subdomains (or dots) in hostnames
> > Hi!
> >
> > Let's say we're using domain example.com. Adding clients a.example.com and b.example.com was smooth. Adding client a.sub1.example.com also had no problems until I tried to get sudoers from the IPA server (using SSSD and LDAP as suggested). The client fails to find any users matching the server name. Because the only difference compared to a fully functional server is the dot in the host name, that's probably the reason why no sudoers are found for the server in the subdomain?
>
> What do you use in nsswitch.conf for sudoers? ldap or sss? If sss, can you also paste your sssd.conf?
>
> Can you paste the output of sudo along with the -D parameter to get some debugging?

I managed to get subdomains working after adding the subdomain to the IPA DNS and filling in the various SRV records pointing to the IPA master. After the DNS was set up properly, DNS discovery would display the correct subdomain on ipa-client-install.

After the DNS discovery was successful, sudo also started working properly on most servers. As I specified sss for sudoers in nsswitch.conf and added the necessary configuration to sssd.conf as described in the Red Hat documentation, I was able to sudo the commands I had enabled in the IPA policy. That's great!

Some servers are still, however, causing headaches. According to /var/log/secure sudo can authenticate me, but for some reason the list of allowed commands is empty (sudo -l responds "Sorry, user xxx may not run sudo on yyy."). I have defined sudo rules so that anybody can use sudo on any host, but only certain commands. I'll try to debug the problems and let you know how it goes.

The caching mechanism for sudo/sssd, and especially clearing the cache with sss_cache, has turned out to be somewhat challenging to understand. Does anybody know the correct parameters that cause the sudoers cache to be invalidated?

Thanks also to everybody else for replying to my message!

Best regards,
Thomas

--
Thomas Raehalme
CTO (technology director)
Mobile +358 40 545 0605

Codecenter Oy
Väinönkatu 26 A, 4th Floor
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.codecenter.fi

Codecenter - Information systems made understandable

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Using subdomains (or dots) in hostnames
On Thu, Sep 12, 2013 at 02:54:10PM +0300, Thomas Raehalme wrote:

> > > Hi!
> > >
> > > Let's say we're using domain example.com. Adding clients a.example.com and b.example.com was smooth. Adding client a.sub1.example.com also had no problems until I tried to get sudoers from the IPA server (using SSSD and LDAP as suggested). The client fails to find any users matching the server name. Because the only difference compared to a fully functional server is the dot in the host name, that's probably the reason why no sudoers are found for the server in the subdomain?
> >
> > What do you use in nsswitch.conf for sudoers? ldap or sss? If sss, can you also paste your sssd.conf?
> >
> > Can you paste the output of sudo along with the -D parameter to get some debugging?
>
> I managed to get subdomains working after adding the subdomain to the IPA DNS and filling in the various SRV records pointing to the IPA master. After the DNS was set up properly, DNS discovery would display the correct subdomain on ipa-client-install.
>
> After the DNS discovery was successful, sudo also started working properly on most servers. As I specified sss for sudoers in nsswitch.conf and added the necessary configuration to sssd.conf as described in the Red Hat documentation, I was able to sudo the commands I had enabled in the IPA policy. That's great!
>
> Some servers are still, however, causing headaches. According to /var/log/secure sudo can authenticate me, but for some reason the list of allowed commands is empty (sudo -l responds "Sorry, user xxx may not run sudo on yyy."). I have defined sudo rules so that anybody can use sudo on any host, but only certain commands. I'll try to debug the problems and let you know how it goes.
>
> The caching mechanism for sudo/sssd, and especially clearing the cache with sss_cache, has turned out to be somewhat challenging to understand. Does anybody know the correct parameters that cause the sudoers cache to be invalidated?

Unfortunately sss_cache cannot clean sudoers rules.

It's not as easy as it sounds, I'm afraid, but we're tracking the work in:
https://fedorahosted.org/sssd/ticket/2081
Re: [Freeipa-users] Using subdomains (or dots) in hostnames
On 08/19/2013 09:05 AM, Thomas Raehalme wrote:

> Hi!
>
> We are in the process of deploying FreeIPA in our virtual environment. So far things are working smoothly and I am really impressed by the solution!
>
> One question has arisen as we have added our first clients to the system. Because the total number of clients is 50 and going up, we have divided our servers into subdomains depending on the purpose of the server, i.e. test servers in one subdomain, internal services in another and so on. There is, however, no need for each subdomain to have its own IPA server.
>
> Let's say we're using domain example.com. Adding clients a.example.com and b.example.com was smooth. Adding client a.sub1.example.com also had no problems until I tried to get sudoers from the IPA server (using SSSD and LDAP as suggested). The client fails to find any users matching the server name. Because the only difference compared to a fully functional server is the dot in the host name, that's probably the reason why no sudoers are found for the server in the subdomain?
>
> For the IPA master I am using CentOS 6.4 and ipa-server-3.0.0-26.el6_4.4.x86_64. The clients are also CentOS 6.4 with ipa-client-3.0.0-26.el6_4.4.x86_64.
>
> Any help is appreciated! Please let me know if providing any piece of information helps.
>
> Best regards,
> Thomas

Was there any help provided for this request?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Using subdomains (or dots) in hostnames
In our deployment we use subdomains but set the NIS domain to the main domain: example.com has subdomains na.example.com, wa.example.com ... All machines work fine with that, but in /etc/sysconfig/network we have

NISDOMAIN='example.com'

This way sudo rules get evaluated; see

getent netgroup hostgroup

On Thu, Aug 29, 2013 at 5:55 PM, Dmitri Pal d...@redhat.com wrote:

> On 08/19/2013 09:05 AM, Thomas Raehalme wrote:
>
> > Hi!
> >
> > We are in the process of deploying FreeIPA in our virtual environment. So far things are working smoothly and I am really impressed by the solution!
> >
> > One question has arisen as we have added our first clients to the system. Because the total number of clients is 50 and going up, we have divided our servers into subdomains depending on the purpose of the server, i.e. test servers in one subdomain, internal services in another and so on. There is, however, no need for each subdomain to have its own IPA server.
> >
> > Let's say we're using domain example.com. Adding clients a.example.com and b.example.com was smooth. Adding client a.sub1.example.com also had no problems until I tried to get sudoers from the IPA server (using SSSD and LDAP as suggested). The client fails to find any users matching the server name. Because the only difference compared to a fully functional server is the dot in the host name, that's probably the reason why no sudoers are found for the server in the subdomain?
> >
> > For the IPA master I am using CentOS 6.4 and ipa-server-3.0.0-26.el6_4.4.x86_64. The clients are also CentOS 6.4 with ipa-client-3.0.0-26.el6_4.4.x86_64.
> >
> > Any help is appreciated! Please let me know if providing any piece of information helps.
> >
> > Best regards,
> > Thomas
>
> Was there any help provided for this request?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
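The replies above point at three client-side settings: the `sudoers` source in nsswitch.conf, the SRV records for the client's own DNS domain, and the NIS domain used when hostgroup netgroups are matched. The script below is an added example, not code from the thread or from the FreeIPA/SSSD projects: it wraps those checks in small functions that run against a constructed sample nsswitch.conf, plus a `live_checks` function that runs the real commands (`nisdomainname`, `dig`, `getent netgroup`, `sudo -l`) on an enrolled client. The SRV names assume the `_ldap._tcp` and `_kerberos._tcp/_udp` records that IPA client discovery queries; `hostgroup` is the netgroup name used in the thread and should be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): preflight checks for a
# FreeIPA client in a subdomain whose sudo rules come back empty.
# Function names and the sample nsswitch.conf below are constructed.

# SRV record names that IPA client DNS discovery looks up for a DNS domain
# (assumption: the standard _ldap/_kerberos names IPA publishes).
ipa_srv_names() {
    printf '%s\n' "_ldap._tcp.$1" "_kerberos._udp.$1" "_kerberos._tcp.$1"
}

# DNS domain of a FQDN: strip the first label
# (a.sub1.example.com -> sub1.example.com).
host_dns_domain() {
    printf '%s\n' "${1#*.}"
}

# Source list configured for the sudoers database in an nsswitch.conf file
# (the thread's working setup uses "sss" here).
nsswitch_sudoers() {
    sed -n 's/^sudoers:[[:space:]]*//p' "$1" | head -n 1
}

# "ok" when the configured NIS domain equals the IPA main domain, which is
# what the thread recommends so hostgroup netgroups match for hosts in
# subdomains; "mismatch" otherwise.
nisdomain_check() {
    if [ "$1" = "$2" ]; then echo ok; else echo mismatch; fi
}

# Constructed sample nsswitch.conf used for the offline checks.
SAMPLE_NSSWITCH=$(mktemp)
trap 'rm -f "$SAMPLE_NSSWITCH"' EXIT
cat >"$SAMPLE_NSSWITCH" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
sudoers:    files sss
netgroup:   files sss
EOF

# Live checks to run on the client itself; $1 is the IPA main domain.
live_checks() {
    fqdn=$(hostname -f)
    nisdom=$(nisdomainname 2>/dev/null)
    echo "host: $fqdn"
    echo "sudoers sources: $(nsswitch_sudoers /etc/nsswitch.conf)"
    echo "NIS domain: ${nisdom:-<unset>} -> $(nisdomain_check "$nisdom" "$1")"
    # SRV records for the client's own (sub)domain, as set up in the thread.
    for rr in $(ipa_srv_names "$(host_dns_domain "$fqdn")"); do
        echo "SRV $rr:"
        dig +short SRV "$rr"
    done
    # Netgroup membership is what the sudo host match is evaluated against.
    getent netgroup hostgroup
    # An empty list here with a successful auth in /var/log/secure points at
    # rule/netgroup matching rather than authentication.
    sudo -l
}

# Usage: sh preflight.sh example.com
if [ -n "${1:-}" ]; then
    live_checks "$1"
fi
```

Run it with the IPA main domain as the argument; the offline helper functions are what a test can assert on, while `live_checks` only prints what it finds.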
Re: [Freeipa-users] Using subdomains (or dots) in hostnames
On Mon, Aug 19, 2013 at 04:05:40PM +0300, Thomas Raehalme wrote:

> Hi!
>
> We are in the process of deploying FreeIPA in our virtual environment. So far things are working smoothly and I am really impressed by the solution!
>
> One question has arisen as we have added our first clients to the system. Because the total number of clients is 50 and going up, we have divided our servers into subdomains depending on the purpose of the server, i.e. test servers in one subdomain, internal services in another and so on. There is, however, no need for each subdomain to have its own IPA server.
>
> Let's say we're using domain example.com. Adding clients a.example.com and b.example.com was smooth. Adding client a.sub1.example.com also had no problems until I tried to get sudoers from the IPA server (using SSSD and LDAP as suggested). The client fails to find any users matching the server name. Because the only difference compared to a fully functional server is the dot in the host name, that's probably the reason why no sudoers are found for the server in the subdomain?
>
> For the IPA master I am using CentOS 6.4 and ipa-server-3.0.0-26.el6_4.4.x86_64. The clients are also CentOS 6.4 with ipa-client-3.0.0-26.el6_4.4.x86_64.
>
> Any help is appreciated! Please let me know if providing any piece of information helps.
>
> Best regards,
> Thomas

Sorry Thomas, the subject line fooled me and I didn't see this might be an SSSD issue.

What do you use in nsswitch.conf for sudoers? ldap or sss? If sss, can you also paste your sssd.conf?

Can you paste the output of sudo along with the -D parameter to get some debugging?
[Freeipa-users] Using subdomains (or dots) in hostnames
Hi!

We are in the process of deploying FreeIPA in our virtual environment. So far things are working smoothly and I am really impressed by the solution!

One question has arisen as we have added our first clients to the system. Because the total number of clients is 50 and going up, we have divided our servers into subdomains depending on the purpose of the server, i.e. test servers in one subdomain, internal services in another and so on. There is, however, no need for each subdomain to have its own IPA server.

Let's say we're using domain example.com. Adding clients a.example.com and b.example.com was smooth. Adding client a.sub1.example.com also had no problems until I tried to get sudoers from the IPA server (using SSSD and LDAP as suggested). The client fails to find any users matching the server name. Because the only difference compared to a fully functional server is the dot in the host name, that's probably the reason why no sudoers are found for the server in the subdomain?

For the IPA master I am using CentOS 6.4 and ipa-server-3.0.0-26.el6_4.4.x86_64. The clients are also CentOS 6.4 with ipa-client-3.0.0-26.el6_4.4.x86_64.

Any help is appreciated! Please let me know if providing any piece of information helps.

Best regards,
Thomas