[Freeipa-users] Re: ipa host-del ERROR Unable to communicate with CMS (403)
On 2/25/20 8:27 PM, Chris Bacott via FreeIPA-users wrote:
> Oh wow. Well, thank you very much for showing me how to enable the debug logging for the whole app stack, that proved to reveal exactly what the issue was. Turns out, apache mod_security was blocking the access from "ipa host-del".
>
> [Tue Feb 25 13:04:59.559181 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Pattern match "(?i:(?:^(-023456|4294967295|4294967296|2147483648|2147483647|012345|-2147483648|-2147483649|023456|3.0.00738585072007e-308|1e309)$))" at ARGS:size. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "208"] [id "942220"] [rev "2"] [msg "Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash"] [data "Matched Data: 2147483647 found within ARGS:size: 2147483647"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQE"]
> [Tue Feb 25 13:04:59.559335 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQE"]
> [Tue Feb 25 13:04:59.559524 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash"] [tag "event-correlation"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQE"]
> [Tue Feb 25 13:04:59.560660 2020] [wsgi:error] [pid 26430:tid 139810400032512] [remote 10.39.42.117:53934] ipa: DEBUG: response status 403
>
> I didn't specifically install or set up mod_security, I believe it's a default package, but I normally just disable it as it causes all sorts of random headaches like this. Once I disabled it, I was able to delete the host via "ipa host-del". That at least solves that problem.
>
> Thank you for the suggestions!

Hi,

thanks for the update, glad you could solve the issue. Mod_security is not installed by default with httpd, and is not required by IPA either. Unless httpd is used by other apps on the master (which is not recommended), you are safe to remove the mod_security package.

flo
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
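A small parser for the kind of ModSecurity error_log lines quoted above, as an added example (it is not code from this thread, from FreeIPA or from ModSecurity). It groups lines by ModSecurity's unique_id and reports, per transaction, which rule matched which variable with what data and whether the anomaly-score evaluation denied the request, so the rule that actually blocked "ipa host-del" (942220 on ARGS:size) can be read off without digging through the tags. It assumes the ModSecurity v2 layout shown in the thread, where the rule metadata is a run of [key "value"] pairs; the sample lines embedded in the block are trimmed copies of the ones posted above.

```python
"""Parse ModSecurity v2 error_log lines into per-transaction summaries.

Added example, not code from the FreeIPA thread or from ModSecurity itself.
Assumes the ModSecurity v2 layout seen in the thread, where rule metadata is
a run of [key "value"] pairs at the end of the line.
"""
import re
import sys
from collections import defaultdict

# [key "value"] pairs; escaped quotes (\") inside a value are allowed.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# 'Pattern match "<regex>" at ARGS:size.' names the variable that matched.
TARGET_RE = re.compile(r'Pattern match ".*?" at ([\w:.-]+)\.')
DENY_RE = re.compile(r'Access denied with code (\d+)')
# data field: 'Matched Data: <value> found within <variable>: <full value>'
MATCH_RE = re.compile(r'Matched Data: (.*?) found within ([\w:.-]+): ')

# Constructed sample: trimmed copies of the lines posted in the thread
# (most tags dropped; the hostname was already redacted by the poster).
SAMPLE_LOG = [
    r'[Tue Feb 25 13:04:59.559181 2020] [:error] [pid 26434:tid 139810169677568] '
    r'[client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. '
    r'Pattern match "(?i:(?:^(-023456|4294967295|2147483647|1e309)$))" at ARGS:size. '
    r'[file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    r'[line "208"] [id "942220"] [rev "2"] [msg "Looking for intiger overflow attacks, '
    r'these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash"] '
    r'[data "Matched Data: 2147483647 found within ARGS:size: 2147483647"] '
    r'[severity "CRITICAL"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] '
    r'[hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQE"]',
    r'[Tue Feb 25 13:04:59.559335 2020] [:error] [pid 26434:tid 139810169677568] '
    r'[client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Access denied with '
    r'code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    r'[file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    r'[line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    r'[severity "CRITICAL"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] '
    r'[unique_id "XlVv2yNlIktD1-cw0Xy6cQE"]',
    r'[Tue Feb 25 13:04:59.560660 2020] [wsgi:error] [pid 26430:tid 139810400032512] '
    r'[remote 10.39.42.117:53934] ipa: DEBUG: response status 403',
]


def parse_line(line):
    """Return the fields of one ModSecurity line, or None for other lines."""
    if 'ModSecurity:' not in line:
        return None
    fields = defaultdict(list)
    for key, value in FIELD_RE.findall(line):
        fields[key].append(value.replace('\\"', '"'))
    # "tag" repeats; every other key occurs once per line.
    event = {k: (v if k == 'tag' else v[0]) for k, v in fields.items()}
    m = TARGET_RE.search(line)
    if m:
        event['target'] = m.group(1)
    m = DENY_RE.search(line)
    event['denied'] = m is not None
    event['status'] = int(m.group(1)) if m else None
    m = MATCH_RE.search(event.get('data', ''))
    if m:
        event['matched'] = m.group(1)
    return event


def summarize(lines):
    """Group events by unique_id; return {unique_id: summary dict}."""
    tx = defaultdict(lambda: {'uri': None, 'denied': False, 'status': None,
                              'rules': []})
    for line in lines:
        ev = parse_line(line.rstrip('\n'))
        if ev is None:
            continue
        t = tx[ev.get('unique_id', '?')]
        t['uri'] = ev.get('uri', t['uri'])
        # Only rules that report matched data are detections; 949110 and
        # 980130 are the CRS scoring/correlation rules and carry no data.
        if 'matched' in ev:
            t['rules'].append({'id': ev.get('id'), 'target': ev.get('target'),
                               'matched': ev['matched'], 'file': ev.get('file'),
                               'line': ev.get('line')})
        if ev['denied']:
            t['denied'], t['status'] = True, ev['status']
    return dict(tx)


if __name__ == '__main__':
    # Usage: python modsec_summary.py /var/log/httpd/error_log
    # (no argument runs it on the constructed sample above).
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for uid, t in summarize(source).items():
        verdict = 'DENIED %s' % t['status'] if t['denied'] else 'passed'
        print('%s %s %s' % (uid, t['uri'], verdict))
        for r in t['rules']:
            print('  rule %s matched %r in %s (%s:%s)' % (
                r['id'], r['matched'], r['target'], r['file'], r['line']))
```

Run against the real error_log, the output tells you at a glance which CRS rule and which request variable pushed the anomaly score over the threshold, which is the information you need whether you decide to remove mod_security (as suggested above) or to keep it and exclude that rule for the PKI path.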
[Freeipa-users] Re: Can't login AD users on FreeIPA client
> On Tue, Feb 25, 2020 at 10:02:48AM -, Michael Solodovnikov via
> FreeIPA-users wrote:
>
> Thanks,
>
> please try to add
>
> krb5_use_fast = never
>
> to the [domain/] section of sssd.conf as well.
>
> If this does not help, please send/paste the krb5_child.log files with
> this setting as well.
>
> bye,
> Sumit

Thanks, Sumit. It works.

Best regards,
Michael.
[Freeipa-users] Re: ipa host-del ERROR Unable to communicate with CMS (403)
Oh wow. Well, thank you very much for showing me how to enable the debug logging for the whole app stack, that proved to reveal exactly what the issue was. Turns out, apache mod_security was blocking the access from "ipa host-del".

[Tue Feb 25 13:04:59.559181 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Pattern match "(?i:(?:^(-023456|4294967295|4294967296|2147483648|2147483647|012345|-2147483648|-2147483649|023456|3.0.00738585072007e-308|1e309)$))" at ARGS:size. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "208"] [id "942220"] [rev "2"] [msg "Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash"] [data "Matched Data: 2147483647 found within ARGS:size: 2147483647"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQE"]
[Tue Feb 25 13:04:59.559335 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQE"]
[Tue Feb 25 13:04:59.559524 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash"] [tag "event-correlation"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQE"]
[Tue Feb 25 13:04:59.560660 2020] [wsgi:error] [pid 26430:tid 139810400032512] [remote 10.39.42.117:53934] ipa: DEBUG: response status 403

I didn't specifically install or set up mod_security, I believe it's a default package, but I normally just disable it as it causes all sorts of random headaches like this. Once I disabled it, I was able to delete the host via "ipa host-del". That at least solves that problem.

Thank you for the suggestions!
[Freeipa-users] Re: ipa host-del ERROR Unable to communicate with CMS (403)
On 2/25/20 6:25 PM, Chris Bacott via FreeIPA-users wrote:
> Thank you for the reply. There are no errors with getting any certs at all, that's why this is baffling me. The 403 error is making me think this is either an apache or tomcat issue.

Strange issue, indeed.

You can enable debug logs:

Create a config file:
$ cat /etc/ipa/server.conf
[global]
debug = True

Then restart apache with "systemctl restart httpd". You may get more information in /var/log/httpd/error_log.

The "ipa host-del" command should also trigger a log like the following in /var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt:
10.37.171.197 - - [25/Feb/2020:18:59:08 +0100] "POST /ca/rest/certs/search?size=2147483647 HTTP/1.1" 200 142

and in /var/log/pki/pki-tomcat/ca/debug, the relevant log will start after
SessionContextInterceptor: CertResource.searchCerts()
and show if authentication is tried. In my case I can see "AuthMethodInterceptor: anonymous access allowed".

Let's see if the IPA framework is at least initiating a connection to PKI.

flo

> # ipa cert-show 1
>   Issuing CA: ipa
>   Certificate:
>   Subject: CN=Certificate Authority,O=
>   Issuer: CN=Certificate Authority,O=
>   Not Before: Fri Feb 07 17:29:50 2020 UTC
>   Not After: Tue Feb 07 17:29:50 2040 UTC
>   Serial number: 1
>   Serial number (hex): 0x1
>   Revoked: False
[Freeipa-users] Re: ipa host-del ERROR Unable to communicate with CMS (403)
Thank you for the reply. There are no errors with getting any certs at all, that's why this is baffling me. The 403 error is making me think this is either an apache or tomcat issue.

# ipa cert-show 1
  Issuing CA: ipa
  Certificate:
  Subject: CN=Certificate Authority,O=
  Issuer: CN=Certificate Authority,O=
  Not Before: Fri Feb 07 17:29:50 2020 UTC
  Not After: Tue Feb 07 17:29:50 2040 UTC
  Serial number: 1
  Serial number (hex): 0x1
  Revoked: False
[Freeipa-users] Re: ipa host-del ERROR Unable to communicate with CMS (403)
On 2/25/20 4:18 PM, Chris Bacott via FreeIPA-users wrote:
> Hello, I've been searching for resolution on this issue for a while now, but it seems all of the issues others have encountered were unrelated.
>
> Host OS: CentOS 8.1.1911
> All packages up to date.
>
> This is a stock installation of freeipa, nothing tricky like replication or anything. The system authenticates fine, however when I went to add a host to it, for whatever reason the client got the hostname wrong, thus samba authentication wasn't working. I deleted the install on the client, and went to re-install, and it began asking for a password for the host. I never set one up to my knowledge. So, I went to delete the client host completely from the server, and that is where I got the above error.
>
> I've examined 'getcert list', no error. I confirmed that all firewalls are (currently) off, and ports are open. I've examined all logs under /var/log/pki, and there are no errors that I could find. As far as I can tell, tomcat is working just fine, all certs are fine, but ipa is saying it cannot connect, getting a 403 forbidden error.
>
> Any insights would be helpful.

Hi,

"ipa host-del" is internally checking if there are any certificates associated with the host that is being deleted. In order to do this internal check, it needs to connect to the PKI server. The connection is authenticated using the RA cert stored in /var/lib/ipa/ra-agent.pem.

To check that this authentication is OK, you can run
$ kinit admin
$ ipa cert-show 1

If this command fails, you need to check that the content of the cert in /var/lib/ipa/ra-agent.pem is consistent with the entry uid=ipara,ou=people,o=ipaca:
$ ldapsearch -D cn=directory\ manager -w Secret123 -b uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no

- the usercertificate attribute must contain the same certificate as the ra-agent.pem, in a single line and without header/footer, for instance
userCertificate:: MIIDyD...
- the description attribute must have the following content:
description: 2;;;
with serial, issuer and subject identical to the values that could be seen in ra-agent.pem with
$ openssl x509 -noout -text -in ra-agent.pem

If there is a mismatch, you need to fix the inconsistency. Find which certificate is the most recent (the one from ldap or the one from the ra-agent.pem file), keep this one and update the other with the right values.

HTH,
flo
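The two consistency checks described in the reply above (the userCertificate value must equal the body of ra-agent.pem, and the description attribute must carry the same serial, issuer and subject as that certificate) can be scripted so they are not done by eye. The block below is an added example, not code from this thread or from FreeIPA: it takes the PEM file, the LDIF printed by the ldapsearch command above and the output of openssl x509 -noout -serial -issuer -subject, and returns every mismatch it finds. Assumptions: the description layout is 2;<serial>;<issuer DN>;<subject DN> with a decimal serial (the thread shows it only as 2;;;), DN comparison ignores RDN order and spacing so that openssl's "O = X, CN = Y" and LDAP's "CN=Y,O=X" compare equal, and the certificate bytes, serial and DNs embedded at the bottom are constructed placeholders rather than a real certificate.

```python
"""Check that ra-agent.pem and the uid=ipara LDAP entry describe one cert.

Added example; not code from the FreeIPA thread or from FreeIPA itself.
Assumed formats: description is "2;<decimal serial>;<issuer DN>;<subject DN>",
the LDIF is unwrapped (ldapsearch -LLL -o ldif-wrap=no), and serial/issuer/
subject come from "openssl x509 -noout -serial -issuer -subject -in <pem>".
"""
import base64
import re
import textwrap

# Assumed Dogtag agent description layout: version;serial;issuer;subject.
DESCRIPTION_RE = re.compile(r'^(\d+);(\d+);(.*);(.*)$')
LDIF_LINE_RE = re.compile(r'^([A-Za-z][\w;.-]*)(::?) ?(.*)$')


def pem_body(pem_text):
    """Join the base64 lines of a PEM block, dropping the BEGIN/END lines."""
    return ''.join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith('-----'))


def parse_ldif(ldif_text):
    """Minimal parser for one unwrapped LDIF entry: {attr: [values]}.

    '::' means the value is base64 (how ldapsearch prints userCertificate);
    such values are returned decoded, as bytes.
    """
    attrs = {}
    for line in ldif_text.splitlines():
        m = LDIF_LINE_RE.match(line)
        if not m:
            continue  # blank line or comment
        name, sep, value = m.groups()
        if sep == '::':
            value = base64.b64decode(value)
        attrs.setdefault(name.lower(), []).append(value)
    return attrs


def parse_dn(dn):
    """Normalise a DN to a sorted tuple of (TYPE, value) pairs.

    RDN order and spacing are ignored so openssl and LDAP syntax compare
    equal; escaped commas inside values are not handled.
    """
    pairs = []
    for rdn in dn.split(','):
        attr, _, value = rdn.partition('=')
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(sorted(pairs))


def parse_openssl_summary(text):
    """Parse 'openssl x509 -noout -serial -issuer -subject' output."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition('=')
        out[key.strip()] = value.strip()
    return {'serial': int(out['serial'], 16),  # openssl prints the serial in hex
            'issuer': parse_dn(out['issuer']),
            'subject': parse_dn(out['subject'])}


def parse_description(desc):
    """Split '2;<serial>;<issuer>;<subject>' into comparable parts."""
    m = DESCRIPTION_RE.match(desc)
    if not m:
        raise ValueError('unexpected description format: %r' % desc)
    version, serial, issuer, subject = m.groups()
    return {'version': version, 'serial': int(serial),
            'issuer': parse_dn(issuer), 'subject': parse_dn(subject)}


def check_ra_agent(pem_text, ldif_text, openssl_text):
    """Return a list of inconsistencies; an empty list means all is well."""
    problems = []
    entry = parse_ldif(ldif_text)
    pem_der = base64.b64decode(pem_body(pem_text))
    if pem_der not in entry.get('usercertificate', []):
        problems.append('userCertificate in LDAP does not match ra-agent.pem')
    cert = parse_openssl_summary(openssl_text)
    descriptions = entry.get('description', [])
    if not descriptions:
        problems.append('entry has no description attribute')
    for desc in descriptions:
        try:
            d = parse_description(desc)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        for field in ('serial', 'issuer', 'subject'):
            if d[field] != cert[field]:
                problems.append('description %s %r != certificate %s %r'
                                % (field, d[field], field, cert[field]))
    return problems


# Constructed placeholders (NOT a real certificate) so the check runs offline.
FAKE_DER = b'constructed DER placeholder, not a real certificate'
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
RA_AGENT_PEM = ('-----BEGIN CERTIFICATE-----\n'
                + '\n'.join(textwrap.wrap(FAKE_B64, 64))
                + '\n-----END CERTIFICATE-----\n')
OPENSSL_SUMMARY = ('serial=07\n'
                   'issuer=O = EXAMPLE.COM, CN = Certificate Authority\n'
                   'subject=O = EXAMPLE.COM, CN = IPA RA\n')
IPARA_LDIF_OK = ('dn: uid=ipara,ou=people,o=ipaca\n'
                 'uid: ipara\n'
                 'userCertificate:: ' + FAKE_B64 + '\n'
                 'description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;'
                 'CN=IPA RA,O=EXAMPLE.COM\n')
# Same entry but still carrying the serial of an older RA certificate.
IPARA_LDIF_STALE = IPARA_LDIF_OK.replace('2;7;', '2;3;')

if __name__ == '__main__':
    for name, ldif in (('consistent', IPARA_LDIF_OK), ('stale', IPARA_LDIF_STALE)):
        print(name, check_ra_agent(RA_AGENT_PEM, ldif, OPENSSL_SUMMARY) or 'OK')
```

On a real master you would feed check_ra_agent() the contents of /var/lib/ipa/ra-agent.pem, the LDIF from the ldapsearch above and the openssl summary of the same file; a non-empty result tells you which side (the LDAP entry or the PEM file) to update, which is the decision the reply above leaves to you.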
[Freeipa-users] Re: Domain controllers switch to LDAPS
On Tue, 25 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
> On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
> [...]
> > Details are in https://access.redhat.com/articles/4661861 (accessible
> > with a subscription but even free Developer's subscription is fine).
>
> "Red Hat is working on an SSSD/adcli (RHEL8,RHEL7) enhancement that
> allows the use of ldaps protocol with the SSSD active directory
> provider. This type of configuration is optional and only needed in
> environments where the default LDAP port 389 is closed."
>
> So there is no solution yet?

No changes are needed for the default IPA configuration. Some people are panicking and want to switch everything to LDAPS. For those there is an additional enhancement in the works. For everyone else there is no need to do anything.

The only odd thing we found is that Microsoft Windows, it seems, has a false-positive message in the event log when SASL GSS-API encrypted requests are used by FreeIPA. The traffic is all signed and encrypted, thanks to CyrusSASL automatically enforcing that with Kerberos in use. Windows servers respond with a single unsigned packet in a communication flow but continue to establish a secure and encrypted connection. That leads to a message but no operational difference. The traffic keeps flowing, nothing is rejected, etc.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: Add more user/group container objects in freeIPA.
We are migrating from AD to FreeIPA and we have existing tools that limit search by containers, and keeping containers would facilitate the migration a lot!
[Freeipa-users] Re: Add more user/group container objects in freeIPA.
We are migrating from AD to FreeIPA and we have existing tools that limit the search by containers, and keeping those containers would facilitate the migration a lot!

Best Regards,
Mary
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
[...]
> Details are in https://access.redhat.com/articles/4661861 (accessible
> with a subscription but even free Developer's subscription is fine).

"Red Hat is working on an SSSD/adcli (RHEL8,RHEL7) enhancement that allows the use of ldaps protocol with the SSSD active directory provider. This type of configuration is optional and only needed in environments where the default LDAP port 389 is closed."

So there is no solution yet?

Cheers,
Ronald
[Freeipa-users] Re: Domain controllers switch to LDAPS
On Tue, 25 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
> Hi,
>
> will Microsoft's decision to let domain controllers talk LDAPS only in the near future affect IPA somehow?

Details are in https://access.redhat.com/articles/4661861 (accessible with a subscription but even free Developer's subscription is fine).

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] ipa host-del ERROR Unable to communicate with CMS (403)
Hello, I've been searching for resolution on this issue for a while now, but it seems all of the issues others have encountered were unrelated.

Host OS: CentOS 8.1.1911
All packages up to date.

This is a stock installation of freeipa, nothing tricky like replication or anything. The system authenticates fine, however when I went to add a host to it, for whatever reason the client got the hostname wrong, thus samba authentication wasn't working. I deleted the install on the client, and went to re-install, and it began asking for a password for the host. I never set one up to my knowledge. So, I went to delete the client host completely from the server, and that is where I got the above error.

I've examined 'getcert list', no error. I confirmed that all firewalls are (currently) off, and ports are open. I've examined all logs under /var/log/pki, and there are no errors that I could find. As far as I can tell, tomcat is working just fine, all certs are fine, but ipa is saying it cannot connect, getting a 403 forbidden error.

Any insights would be helpful.
[Freeipa-users] Re: DC-Controllers LDAPS only
Sorry for this post. It is a duplicate of "Domain controllers switch to LDAPS". Thunderbird crashed and I was not aware that it sent that message...
[Freeipa-users] Domain controllers switch to LDAPS
Hi,

will Microsoft's decision to let domain controllers talk LDAPS only in the near future affect IPA somehow?

Cheers,
Ronald
[Freeipa-users] DC-Controllers LDAPS only
Will IPA be affected somehow when Windows Domain Controllers start accepting LDAPS traffic only?

Cheers,
Ronald
[Freeipa-users] Re: Add more user/group container objects in freeIPA.
On Tue, 25 Feb 2020, Mary Georgiou via FreeIPA-users wrote:
> Thank you very much for the prompt answer. If I generally would like to add another container such as cn=some_other_type_of_users, cn=accounts, dc=example,dc=com. Is there a way to not create a mess in this case?

Perhaps, it would be better if you'd explain what you want to achieve.

Adding another type of object is OK but it means you'll need to add a mechanism to manage those objects somehow: you need to supply additional LDAP schema, make sure it is available on all masters, as well as the code that manages those entries, handles their backup and restore, etc.

Adding the same IPA users but in a separate container is not going to help -- they wouldn't be visible in IPA commands, you wouldn't be able to add them into IPA groups, or reference them in other objects (HBAC or SUDO rules and so on).

So what is your actual goal?

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: Add more user/group container objects in freeIPA.
Thank you very much for the prompt answer. If I generally would like to add another container such as cn=some_other_type_of_users, cn=accounts, dc=example,dc=com. Is there a way to not create a mess in this case?

Again thanks a lot,
All the best
Mary
[Freeipa-users] Re: Add more user/group container objects in freeIPA.
On Tue, 25 Feb 2020, Mary Georgiou via FreeIPA-users wrote:
> Hello all,
>
> I'd like to add to the FreeIPA 389DS more user and group containers. For example currently, the default one is cn=users, cn=accounts, dc=example,dc=com and I'd like to add OU=something, cn=accounts, dc=example,dc=com and under it cn=some_other_users,OU=something, cn=accounts, dc=example,dc=com etc.
>
> Is this possible without breaking everything in FreeIPA (considering that I'd like the entries in that part of the tree to be handled as accounts that can be added to groups etc)?

The design of FreeIPA is built around a flat DIT. That is, no OUs. There are quite a few places where this design is hardcoded because it simplified a lot. Thus, adding OUs is not supported and not planned.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Add more user/group container objects in freeIPA.
Hello all,

I'd like to add to the FreeIPA 389DS more user and group containers. For example currently, the default one is cn=users, cn=accounts, dc=example,dc=com and I'd like to add OU=something, cn=accounts, dc=example,dc=com and under it cn=some_other_users,OU=something, cn=accounts, dc=example,dc=com etc.

Is this possible without breaking everything in FreeIPA (considering that I'd like the entries in that part of the tree to be handled as accounts that can be added to groups etc)?

Thanks in advance!
[Freeipa-users] Re: Caching
On Tue, Feb 25, 2020 at 11:38:29AM +0100, Ronald Wimmer via FreeIPA-users wrote:
> I was not aware of that. If I change sudo rules for a certain user do I have
> any control on how long the changes take to be effective? Is invalidating
> the cache on a client the only option I have?

Hi,

you can of course make SSSD refresh the rules more often by lowering ldap_sudo_smart_refresh_interval (see man sssd-ldap for details). But this will also increase the number of requests on your LDAP server.

Btw, please note that 'smart refresh' does not cover the case where rules are deleted; only new and updated rules are covered.

bye,
Sumit

>
> Cheers,
> Ronald
[Freeipa-users] Re: Caching
I was not aware of that. If I change sudo rules for a certain user do I have any control on how long the changes take to be effective? Is invalidating the cache on a client the only option I have?

Cheers,
Ronald
[Freeipa-users] Re: Caching
On Tue, Feb 25, 2020 at 11:17:17AM +0100, Ronald Wimmer via FreeIPA-users wrote:
> If SSSD has cache_credentials set to True it will take some time until
> changes become visible on an IPA client. When I change sudo permissions for
> a certain user I usually want the changes to be effective immediately. Does
> this imply setting cache_credentials to False or what are best practices
> here?

Hi,

'cache_credentials' only controls whether the credentials given by the user, typically a password, are stored in the cache in a hashed version.

To invalidate the sudo rules on a single host you can call
sss_cache -R
on this host.

HTH

bye,
Sumit

>
> Cheers,
> Ronald
[Freeipa-users] Re: Can't login AD users on FreeIPA client
On Tue, Feb 25, 2020 at 10:02:48AM -, Michael Solodovnikov via FreeIPA-users wrote:
> > Hi,
> >
> > can you paste krb5_child.log from the server and client attempt as well?
> >
> > bye,
> > Sumit
>
> Attempt on server krb5_child.log - https://paste.centos.org/view/09edb080
>
> Attempt on client krb5_child.log - https://paste.centos.org/view/eb2b89b3

Thanks,

please try to add

krb5_use_fast = never

to the [domain/] section of sssd.conf as well.

If this does not help, please send/paste the krb5_child.log files with this setting as well.

bye,
Sumit

>
> Michael.
[Freeipa-users] Caching
If SSSD has cache_credentials set to True it will take some time until changes become visible on an IPA client. When I change sudo permissions for a certain user I usually want the changes to be effective immediately. Does this imply setting cache_credentials to False or what are best practices here?

Cheers,
Ronald
[Freeipa-users] Re: Can't login AD users on FreeIPA client
> Hi,
>
> can you paste krb5_child.log from the server and client attempt as well?
>
> bye,
> Sumit

Attempt on server krb5_child.log - https://paste.centos.org/view/09edb080

Attempt on client krb5_child.log - https://paste.centos.org/view/eb2b89b3

Michael.