Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree wrote:

> Lukas,
>
> Perhaps I should explain the design a bit and see if FreeIPA even supports this. Our replica is in a separate network and all the appropriate ports are opened between the master and the replica. The replica got created successfully and is in sync with the master (except the CA services which I mentioned earlier). Now, when I try to run ipa-client-install on hosts in the new network using the replica, it complains about "Cannot contact any KDC for realm". I am wondering if my hosts in the new network are trying to access the master for certificates since the replica does not have any CA services running? I couldn't find any obvious proof of this even running the install in debug mode. Do I need to open ports between the new hosts and the master for CA services? At this point I cannot disable or move the master, it needs to function in its location but I need

No, the clients don't directly talk to the CA.

You'd need to look in /var/log/ipaclient-install.log to see what KDC was found and we were trying to use. If you have SRV records for both but we try to contact the hidden master this will happen.

You can try specifying the server on the command-line with --server but this will be hardcoding things and make it less flexible later.

rob

> Shreeraj
> Change is the only Constant !
>
> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
>
>> On (06/02/14 18:33), Shree wrote:
>>> First of all, the ipa-replica-install did not allow me to use the --setup-ca option, complaining that a cert already exists; replica creation was successful after I skipped the option. Seems like the replica is one except 1) there is no CA service running on the replica (which I guess is expected) and 2) I am unable to run ipa-client-install successfully on any clients using the replica. (I don't have the option of using the primary master as it is configured in a segregated environment. Only the master and replica are allowed to sync.)
>>>
>>> Debug shows it fails at:
>>>
>>> ipa : DEBUG stderr=kinit: Cannot contact any KDC for realm 'mydomainname.com' while getting initial credentials
>>
>> I was not able to install a replica with CA on Fedora 20. The bug is already reported: https://fedorahosted.org/pki/ticket/816
>> Guys from dogtag found a workaround: https://fedorahosted.org/pki/ticket/816#comment:12
>> Does it work for you?
>>
>> LS

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
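An added example, not Rob's code or the FreeIPA project's: a small shell helper for the check Rob describes. It lists the KDCs that DNS advertises for the realm in the order a client will try them (lowest SRV priority first, then highest weight) and tests whether each one answers on its Kerberos port from the host you are enrolling. If the first entry is the master and it is unreachable across the network boundary, that is the KDC the client was trying when kinit failed. It assumes `dig` and `timeout` are installed and uses bash's /dev/tcp for the connect test; the realm and hostnames in the comments and test are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the mailing list thread): which KDCs does DNS hand out for a
# realm, and can this host reach them? FreeIPA publishes _kerberos._tcp and _kerberos._udp
# SRV records; the TCP set is used here because that is what the connect test can probe.

# Order SRV records the way a client tries them (RFC 2782): lowest priority first,
# then highest weight. Reads "priority weight port target" lines (dig +short format)
# and prints "target:port" with the trailing dot stripped from the target.
order_srv() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Resolve the Kerberos SRV records for a realm given in its DNS (lower-case) form.
kdc_targets() {
    realm="$1"
    dig +short SRV "_kerberos._tcp.${realm}" | order_srv
}

# TCP connect test with a 3 second timeout; exit status 0 means the port accepted
# the connection. Runs under bash explicitly because /dev/tcp is a bash feature.
kdc_reachable() {
    host="$1" port="$2"
    timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Usage: ./kdc-check.sh example.com
# Prints one line per advertised KDC, in client try order, with its reachability.
if [ -n "${1:-}" ]; then
    kdc_targets "$1" | while IFS=: read -r host port; do
        if kdc_reachable "$host" "$port"; then
            echo "reachable    $host:$port"
        else
            echo "UNREACHABLE  $host:$port"
        fi
    done
fi
```

Run it on one of the new hosts before ipa-client-install. A client that has both the master and the replica in its SRV answers will try them in the printed order, so an unreachable master at the top of the list is the condition Rob describes; fixing the DNS records (or the firewall path) keeps the enrolment flexible, whereas `--server` pins it to one host.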
[Freeipa-users] sudo 'run as' question
Afternoon,

I have an application that uses the account "image" as a service account. I can su to the account 'image' and start or stop it fine. No root privilege needed. So I am now trying to set it up so that other developers are able to restart it through sudo, and that's when I realized I am missing something about sudo.

The problem is under "run as" usage. When I look at the man page, it implies that the run-as account doesn't need to be root. Quoting the man page:

Begin quote:
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
End quote.

On FreeIPA, I have a sudo rule called developers with the necessary hostgroups and usergroups. At the bottom is a section titled "AS WHOM" and that's where I am having a problem. If I use root under the "RunAs Users" section, it works. If I substitute root with the account image, I get the following error.

[william@dev18-yyz-int ~]$ sudo service imageserver stop
[sudo] password for william:
Sorry, user william is not allowed to execute '/sbin/service imageserver stop' as root on dev18-yyz-int.jamar.loc.

[william@dev18-yyz-int ~]$ ls -al /etc/init.d/imageserver
-rwxr-xr-x. 1 image image 1014 Jan  9 15:38 /etc/init.d/imageserver

[william@dev18-yyz-int ~]$ cat /etc/init.d/imageserver
#! /bin/sh
start(){
    echo Starting imageserver..
    # runuser switches to the service account; this requires root
    runuser - image -c '/usr/local/bin/imageserver.sh'
}
stop(){
    echo Stopping imageserver..
    PIDNUMBER=`ps aux | grep imaginserver | grep -v grep | awk '{print $2}'`
    echo $PIDNUMBER
    # double quotes so the pid is expanded here, not looked up in image's shell
    runuser - image -c "kill -9 $PIDNUMBER"
}
# dispatch on the action passed by `service imageserver <action>`
case "$1" in
    start) start ;;
    stop)  stop ;;
    *)     echo "Usage: $0 {start|stop}"; exit 1 ;;
esac

[william@dev18-yyz-int ~]$ ls -al /usr/local/bin/imageserver.sh
-rwxr--r--. 1 image image 89 Jan  9 15:36 /usr/local/bin/imageserver.sh

[williamm@dev18-yyz-int ~]$ cat /usr/local/bin/imageserver.sh
#!/bin/bash
cd /opt/jamar/application/imaginserver
nohup ant run > /dev/null 2>&1 &

Is it possible to use sudo without first needing to go through root momentarily? I suspect this should be possible, as the sudo "run as" facility wouldn't make sense otherwise. So, it would work as follows:

William -> image

Instead of:

William -> root -> image

Appreciate any advice in advance.

William
Re: [Freeipa-users] sudo 'run as' question
----- Original Message -----
From: William Muriithi <william.murii...@gmail.com>
To: freeipa-users@redhat.com
Sent: Sunday, February 9, 2014 10:13:50 PM
Subject: [Freeipa-users] sudo 'run as' question

> Afternoon,
>
> I have an application that uses the account "image" as a service account. I can su to the account 'image' and start or stop it fine. No root privilege needed. So I am now trying to set it up so that other developers are able to restart it through sudo, and that's when I realized I am missing something about sudo.
>
> The problem is under "run as" usage. When I look at the man page, it implies that the run-as account doesn't need to be root. Quoting the man page:
>
> Begin quote:
> sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
> End quote.
>
> On FreeIPA, I have a sudo rule called developers with the necessary hostgroups and usergroups. At the bottom is a section titled "AS WHOM" and that's where I am having a problem. If I use root under the "RunAs Users" section, it works. If I substitute root with the account image, I get the following error.
>
> [william@dev18-yyz-int ~]$ sudo service imageserver stop
> [sudo] password for william:
> Sorry, user william is not allowed to execute '/sbin/service imageserver stop' as root on dev18-yyz-int.jamar.loc.

You need to specify the user, because the default for sudo is root:

sudo -u image command

Although, this won't work - your init script is using runuser, which an unprivileged user can't use.

HTH.

Stephen
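An added example, my code rather than William's script or anything from FreeIPA: a control script written to be run as the service account itself, so that it fits the rule William wants (developers -> image, no root step). Because it runs as image it needs neither root nor runuser, which is the combination Stephen points out; it also tracks the server by pidfile instead of matching `ps` output, and sends TERM before KILL. The application directory and the `ant run` command line are from the post; the pidfile path, the script name, the `SERVICE_USER` default and the `ipa` commands in the comments are assumptions to verify against your FreeIPA version.

```bash
#!/bin/bash
# Added example, not the original init script: a control script that runs AS the
# service account, so sudo can grant it with RunAs user "image" and no root step.
# Suggested IPA rule (ipa CLI subcommands as I recall them; verify on your version):
#   ipa sudocmd-add /usr/local/bin/imageserver-ctl
#   ipa sudorule-add-allow-command developers --sudocmds=/usr/local/bin/imageserver-ctl
#   ipa sudorule-add-runasuser developers --users=image
# Developers then run:  sudo -u image /usr/local/bin/imageserver-ctl stop
# PIDFILE and SERVICE_USER defaults are assumptions; APP_DIR and "ant run" are from the post.

PIDFILE="${PIDFILE:-/var/tmp/imageserver.pid}"      # must be writable by the service user
APP_DIR="${APP_DIR:-/opt/jamar/application/imaginserver}"
SERVICE_USER="${SERVICE_USER:-image}"

# Refuse to run under any other identity (root included): a sudo rule that still
# grants root would otherwise start the server with far more privilege than it needs.
check_identity() {
    [ "$(id -un)" = "$SERVICE_USER" ] || {
        echo "run this as $SERVICE_USER (sudo -u $SERVICE_USER ...)" >&2
        return 1
    }
}

# Print the recorded pid if that process is still alive; fail otherwise.
running_pid() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && echo "$pid"
}

# Start "$@" detached in APP_DIR and record its pid (HUP is ignored, so no nohup needed).
svc_start() {
    check_identity || return 1
    if running_pid >/dev/null; then echo "already running"; return 0; fi
    ( cd "$APP_DIR" || exit 1; trap '' HUP; exec "$@" </dev/null >/dev/null 2>&1 ) &
    echo $! > "$PIDFILE"
    echo "started pid $!"
}

# Stop the recorded pid: TERM first, KILL only if it is still alive after 5 seconds.
# This replaces `ps aux | grep ... | kill -9`, which can match unrelated processes.
svc_stop() {
    check_identity || return 1
    pid=$(running_pid) || { echo "not running"; rm -f "$PIDFILE"; return 0; }
    kill -TERM "$pid"
    for _ in 1 2 3 4 5; do
        kill -0 "$pid" 2>/dev/null || break
        sleep 1
    done
    kill -0 "$pid" 2>/dev/null && kill -KILL "$pid"
    rm -f "$PIDFILE"
    echo "stopped pid $pid"
}

case "${1:-}" in
    start)  shift; [ $# -gt 0 ] || set -- ant run; svc_start "$@" ;;
    stop)   svc_stop ;;
    status) if pid=$(running_pid); then echo "running (pid $pid)"; else echo "stopped"; fi ;;
    "")     ;;   # no action given (e.g. sourced for its functions): nothing to do
    *)      echo "usage: $0 {start|stop|status}" >&2; exit 2 ;;
esac
```

With the script owned by root and executable by image, and the sudo rule's RunAs user set to image, `sudo -u image /usr/local/bin/imageserver-ctl stop` matches the rule and the whole stop runs as the service account. The identity check at the top means a rule that accidentally still allows root fails loudly instead of quietly starting the server as root.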