Re: [Freeipa-users] hostgroups not working for Sudo commands

2012-08-06 Thread Steven Jones
Hi,

Yes I'd missed this,

echo "nisdomainname ods.vuw.ac.nz" >> /etc/rc.d/rc.local

Is it not possible to automate this (sudo setup) more in ipa-client-install?
Control whether you want it via a sudo_enable=yes or no somewhere?
 
I've added it to my kickstart for now so my sudo setup is mostly automated.

Thanks

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: JR Aquino [jr.aqu...@citrix.com]
Sent: Monday, 6 August 2012 5:19 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hostgroups not working for Sudo commands

On Aug 5, 2012, at 1:54 PM, "Steven Jones"  wrote:

> Hi,
>
> I have set up a sudo command but no matter what I do I cannot get a host-group 
> to work, but I can specify a specific host without issue. I assume this is 
> a problem with the sssd daemon on the RHEL6.3 client?  So what info/logs are 
> needed to fault find this please?
>
>
>

Set sudoers_debug 2 in your sudo-ldap.conf.

Run the sudo command. You should see it scroll a list of hostgroups etc.

If you do not have your domainname set, your sudo commands will fail on the 
hostgroup because they expect to see the nis domain match.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
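The NIS-domain requirement JR describes above, as an added example that is not part of the thread or of FreeIPA: a few POSIX shell helpers that make the rc.local line from Steven's message idempotent (a plain `echo >>` appends a duplicate every time it runs), check that the running NIS domain matches the IPA domain before blaming sssd, and toggle `sudoers_debug` in sudo-ldap.conf. The file paths and the domain ods.vuw.ac.nz are taken from the thread; `/etc/sudo-ldap.conf` is the RHEL 6 default location and is an assumption about your client.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA): make the NIS
# domain name setting idempotent and checkable. sudo's LDAP hostgroup
# matching compares the client's NIS domain against the IPA domain, so a
# missing domain name makes hostgroup-based sudo rules silently not match.

# Append "nisdomainname DOMAIN" to a boot-time script only if that exact
# line is not already present. $1 = file, $2 = domain.
ensure_nisdomain_line() {
    file="$1"; domain="$2"
    if [ -f "$file" ] && grep -qx "nisdomainname $domain" "$file"; then
        return 0
    fi
    printf 'nisdomainname %s\n' "$domain" >> "$file"
}

# Number of nisdomainname lines in a file; 0 when the file is absent.
count_nisdomain_lines() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c '^nisdomainname ' "$1" || true
}

# Succeeds when the running NIS domain equals the expected IPA domain.
# $1 = expected domain, $2 = current value (defaults to `domainname`,
# which prints "(none)" on Linux when nothing has been set).
nisdomain_ok() {
    expected="$1"
    current="${2:-$(domainname 2>/dev/null || echo '(none)')}"
    [ "$current" = "$expected" ]
}

# Set "sudoers_debug LEVEL" in a sudo-ldap.conf, replacing any existing
# setting (keys in that file are case-insensitive). Level 2 makes sudo
# print its LDAP queries, including the host and hostgroup comparisons,
# to stderr; set it back to 0 afterwards, since the output lands in every
# user's terminal.
set_sudoers_debug() {
    file="$1"; level="$2"
    tmp=$(mktemp)
    grep -vi '^sudoers_debug[[:space:]]' "$file" > "$tmp" 2>/dev/null || true
    printf 'sudoers_debug %s\n' "$level" >> "$tmp"
    mv "$tmp" "$file"
}

# Current sudoers_debug level from a sudo-ldap.conf (0 when unset).
get_sudoers_debug() {
    awk 'tolower($1) == "sudoers_debug" { v = $2 } END { print v + 0 }' "$1"
}

# Usage on a client (as root), e.g. from a kickstart %post section:
#   ensure_nisdomain_line /etc/rc.d/rc.local ods.vuw.ac.nz
#   nisdomainname ods.vuw.ac.nz      # apply now, without a reboot
#   nisdomain_ok ods.vuw.ac.nz && echo "NIS domain matches IPA domain"
#   set_sudoers_debug /etc/sudo-ldap.conf 2   # then run a sudo command
```

On RHEL 6 the setting can also be made persistent with `NISDOMAIN=ods.vuw.ac.nz` in /etc/sysconfig/network, which the init scripts apply at boot; either way, `nisdomain_ok` is the check worth running before digging into sssd logs, because a mismatch fails the hostgroup comparison without any error on the client.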


Re: [Freeipa-users] whats the recommended way to change OU structures in IPA?

2012-08-06 Thread Dale Macartney



On 06/08/12 16:22, John Dennis wrote:
> On 08/06/2012 11:07 AM, Dale Macartney wrote:
>> Although I can use any ldapmodify capable tool to do this, I was
>> wondering what the "recommended" way that we should be telling customers
>> who want to change OU trees?
>>
>> e.g, say in a high school using IPA, they wished to create a parent OU
>> called cn=school accounts,dc=example,dc=com and inside that OU there are
>> two more OU's. One for staff and one for students?
>>
>> Presumably this is not possible through the webUI.
>>
>> Also what are the implications if I move a user that was created with
>> "ipa user-add" into a non-default OU? will it break anything? Whats the
>> best way to move an existing user into one of the above OU's?
>
> IPA only supports flat name spaces, you cannot partition the default
> containers. This was an early IPA design decision.
>
> If you use ldapmodify to move entries it will break your IPA installation.
Oh that sounds fun ;-)
>
> You can however assign users, hosts, etc. to groups. Then use group
> membership to control how a particular group of users behaves. It's easy
> to automate group membership via automember.
I agree with using Groups instead of OU's for application roles to
be honest. I find it much neater. I was curious for certain software
that does not make it very easy to use groups instead of OU's..
Thanks for giving me more firepower when asking them to raise an RFE ;-).




Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync

2012-08-06 Thread Baptiste AGASSE
> > Hi,
> >
> >>> Hi,
> >>>
> > Hi all,
> >
> > i've a problem with winsync between ipa 2.2 on centos 6.3 and
> > Active
> > directory 2008R2.
> >
> > I'm following this documentation to enable synchronization:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
>  There is nothing on this page about running certutil? Which link
>  talks
>  about certutil?
> >>> Links present in the documentation talk about commands and options
> >>> for certutil but i don't see anything about this error.
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
> >>
> >>
> >> Can one of the IPA developers explain why it is necessary to
> >> install
> >> the
> >> IPA CA certificate into the Windows Cert Store in order to get
> >> Winsync/PassSync working? I don't believe it is necessary.
> >>
> >> For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
> >> Directory and IPA CA Certificates
> > - I trusted IPA certificate on AD.
> > To do this, i've launched mmc and added "Certificate" component for
> > "local computer", and then added IPA cert to Trusted root CA.
> >
> > Now when i run "openssl s_client -host ad-server.example.com -port
> > 636" i can see IPA certificate as Trusted client CA.
> >
> > - I tested AD ldap connection:
> > LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL
> > -H ldap://ad-server.example.com -ZZ -D
> > "cn=ipasync,cn=users,dc=example,dc=com" -w X -s base -b ""
> > 'objectclass=*' namingcontexts
> > dn:
> > namingContexts: DC=example,DC=com
> > namingContexts: CN=Configuration,DC=example,DC=com
> > namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
> > namingContexts: DC=DomainDnsZones,DC=example,DC=com
> > namingContexts: DC=ForestDnsZones,DC=example,DC=com
> >
> > - Now i fall on another problem, when i run:
> >
> > ipa-replica-manage connect --winsync --binddn
> > cn=ipasync,cn=users,dc=example,dc=com --bindpw X --passsync
> > X --cacert /etc/openldap/cacerts/ad-ca.crt ad-server.example.com
> > -v
> > Directory Manager password:
> >
> > Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate
> > database for ipa.foo.example.local
> > ipa: INFO: AD Suffix is: DC=example,DC=com
> > The user for the Windows PassSync service is
> > uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
> > Windows PassSync entry exists, not resetting password
> > ipa: INFO: Added new sync agreement, waiting for it to become ready
> > . . .
> > ipa: INFO: Replication Update in progress: FALSE: status: -11 -
> > System error: start: 0: end: 0
> > ipa: INFO: Agreement is ready, starting replication . . .
> > Starting replication, please wait until this has completed.
> > [ipa.foo.example.local] reports: Update failed! Status: [-11 -
> > System error]
> > Failed to start replication
> What platform? What version of 389-ds-base?
> Can you post some excerpts from your 389 errors log from
> /var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around the time of the
> error?

That was a TLS error, I had uploaded the wrong AD CA cert on the IPA server. Sorry for the 
noise.

> 
> >
> >
> >>> I a newbie on Microsoft OSes, but I don't understand why certutil
> >>> don't find my file.
> >>>
> >>> I will ask on a microsoft forum.
> >>>
> >>> Regards
> >>>
> > When i run as admin 'certutil -installcert -v -config
> > "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
> > c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
> > french) :
> >
> > CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
> > CertUtil: Specified file not found
> >
> > someone saw this issue ?
> >
> > Have a nice day.
> >
> > Regards.
> >
> > Baptiste.
> >
> > Have a nice day.
> >
> > Regards
> >
> > Baptiste.

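The resolution above (the agreement failed with "-11 - System error" because the wrong AD CA certificate had been loaded on the IPA server) suggests a check to run before `ipa-replica-manage connect --winsync --cacert ...`. The following is an added example, not code from the thread or from FreeIPA: it runs `openssl s_client` against the domain controller's LDAPS port with the candidate CA file and reads the verify return code, so a wrong or incomplete CA file is caught before the sync agreement is created. It assumes openssl(1) on the IPA server; the host name and CA path are the ones from the thread and are placeholders for your own.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: check that the CA
# file you are about to hand to `ipa-replica-manage connect --winsync --cacert`
# really verifies the AD domain controller's LDAPS certificate. Assumes
# openssl(1); host and CA file come from the caller.

# Pull the numeric "Verify return code" out of `openssl s_client` output read
# from stdin. 0 means the presented chain verified against -CAfile; 255 is
# returned here when no verify line was found at all (connection failed).
s_client_verify_code() {
    code=$(sed -n 's/^[[:space:]]*Verify return code:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${code:-255}"
}

# Hint for the codes most often seen with a wrong CA file (X509_V_ERR_* values).
verify_code_hint() {
    case "$1" in
        0)   echo "chain verified" ;;
        19)  echo "self-signed certificate in chain: the CA file does not contain the chain's root" ;;
        20)  echo "unable to get local issuer certificate: the CA file is not the issuer of the server cert" ;;
        21)  echo "unable to verify the first certificate: server sent no chain and the CA file is not its issuer" ;;
        255) echo "no verify result: TLS handshake or connection failed" ;;
        *)   echo "openssl verify error $1 (see the openssl-verify man page)" ;;
    esac
}

# Live check against HOST:636. Returns 0 only when CAFILE verifies the chain.
# Usage: verify_ldaps_ca ad-server.example.com /etc/openldap/cacerts/ad-ca.crt
verify_ldaps_ca() {
    host="$1"; cafile="$2"
    [ -r "$cafile" ] || { echo "cannot read CA file: $cafile" >&2; return 2; }
    code=$(openssl s_client -connect "$host:636" -CAfile "$cafile" </dev/null 2>/dev/null \
           | s_client_verify_code)
    echo "$host:636 with $cafile -> $code: $(verify_code_hint "$code")"
    [ "$code" = "0" ]
}

# Constructed sample of s_client output (not captured from a real server),
# in the shape a wrong CA file produces; used to exercise the parser offline.
SAMPLE_WRONG_CA='CONNECTED(00000003)
depth=0 CN = ad-server.example.com
verify error:num=20:unable to get local issuer certificate
---
    Verify return code: 20 (unable to get local issuer certificate)
---'
```

`verify_ldaps_ca` exits non-zero on anything but a clean verify, so it can gate the `ipa-replica-manage connect` step in a script; code 20 is the signature of the mistake in the thread (a CA file that did not issue the DC's certificate), while 21 usually means the DC sends only its leaf and the file lacks the intermediate.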


Re: [Freeipa-users] whats the recommended way to change OU structures in IPA?

2012-08-06 Thread Simo Sorce
On Mon, 2012-08-06 at 16:07 +0100, Dale Macartney wrote:
> Afternoon all
> 
> Although I can use any ldapmodify capable tool to do this, I was
> wondering what the "recommended" way that we should be telling customers
> who want to change OU trees?

None, FreeIPA does not support non-flat trees at the moment, sorry.

> e.g, say in a high school using IPA, they wished to create a parent OU
> called cn=school accounts,dc=example,dc=com and inside that OU there are
> two more OU's. One for staff and one for students?
> 
> Presumably this is not possible through the webUI.

It is not possible through any UI at the moment.

We recommend you use groups to create organizational groups.
You could use DS views [1] to then show them as trees in theory but we
haven't any official guide on that for FreeIPA yet.

> Also what are the implications if I move a user that was created with
> "ipa user-add" into a non-default OU? will it break anything? Whats the
> best way to move an existing user into one of the above OU's?
> 
> Any thoughts?

WebUI and CLI tool will not behave properly if you try to change the
DIT.

Simo.

[1]
https://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_the_Directory_Tree.html#Designing_the_Directory_Tree-Virtual_Directory_Information_Tree_Views

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] whats the recommended way to change OU structures in IPA?

2012-08-06 Thread John Dennis

On 08/06/2012 11:07 AM, Dale Macartney wrote:

> Although I can use any ldapmodify capable tool to do this, I was
> wondering what the "recommended" way that we should be telling customers
> who want to change OU trees?
>
> e.g, say in a high school using IPA, they wished to create a parent OU
> called cn=school accounts,dc=example,dc=com and inside that OU there are
> two more OU's. One for staff and one for students?
>
> Presumably this is not possible through the webUI.
>
> Also what are the implications if I move a user that was created with
> "ipa user-add" into a non-default OU? will it break anything? Whats the
> best way to move an existing user into one of the above OU's?


IPA only supports flat name spaces, you cannot partition the default 
containers. This was an early IPA design decision.


If you use ldapmodify to move entries it will break your IPA installation.

You can however assign users, hosts, etc. to groups. Then use group 
membership to control how a particular group of users behaves. It's easy 
to automate group membership via automember.



--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

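John's and Simo's answers in this thread both come down to "use groups, and let automember fill them". As an added example that is not part of the thread or of the FreeIPA project, here is the staff/students split from the question expressed that way with the `ipa` CLI: a group per population, an automember rule keyed on the uid pattern, and a default group so that accounts no rule matches are reviewed rather than silently left without a role. It assumes an admin Kerberos ticket (`kinit admin`); the group names and uid patterns are invented for the example, and `automember-rebuild` is a later FreeIPA addition, not available in the 2.2 release discussed here.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project:
# model the "staff" / "students" split as IPA groups filled by automember
# rules, instead of OUs (IPA's flat DIT cannot provide those). Assumes the
# FreeIPA `ipa` CLI with an admin Kerberos ticket. Set IPA=echo to preview
# the commands instead of running them.
IPA="${IPA:-ipa}"

# Create GROUP and an automember rule that puts every new user whose uid
# matches REGEX into it. Users whose uid does not match are not touched.
automember_group_by_uid() {
    group="$1"; regex="$2"
    "$IPA" group-add "$group" --desc="auto-populated: uid matches $regex" &&
    "$IPA" automember-add --type=group "$group" &&
    "$IPA" automember-add-condition --type=group --key=uid \
        --inclusive-regex="$regex" "$group"
}

# Catch-all group for users no rule matched, so they surface for review
# instead of ending up with no role at all.
automember_default_group() {
    "$IPA" automember-default-group-set --type=group --default-group="$1"
}

# Apply the rules to users that existed before the rules were created
# (automember fires on entry creation only). Needs a FreeIPA release that
# ships automember-rebuild, which IPA 2.2 does not.
automember_rebuild_users() {
    "$IPA" automember-rebuild --type=group
}

# Example wiring (patterns are made up): students get uids like s1234567,
# staff get plain lower-case letters like jsmith.
setup_school_groups() {
    "$IPA" group-add unsorted --desc="users no automember rule matched" &&
    automember_group_by_uid students '^s[0-9]+$' &&
    automember_group_by_uid staff '^[a-z]+$' &&
    automember_default_group unsorted
}
```

Run `IPA=echo setup_school_groups` first to see the exact command sequence, then without the override; membership in `students` and `staff` can then drive HBAC and sudo rules the same way an OU-based ACL would have.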


[Freeipa-users] whats the recommended way to change OU structures in IPA?

2012-08-06 Thread Dale Macartney


Afternoon all

Although I can use any ldapmodify capable tool to do this, I was
wondering what the "recommended" way that we should be telling customers
who want to change OU trees?

e.g, say in a high school using IPA, they wished to create a parent OU
called cn=school accounts,dc=example,dc=com and inside that OU there are
two more OU's. One for staff and one for students?

Presumably this is not possible through the webUI.

Also what are the implications if I move a user that was created with
"ipa user-add" into a non-default OU? will it break anything? Whats the
best way to move an existing user into one of the above OU's?

Any thoughts?

Thanks

Dale



Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync

2012-08-06 Thread Rich Megginson

On 08/06/2012 02:28 AM, Baptiste AGASSE wrote:
> Hi,
>
>> Hi,
>>
>>> Hi all,
>>>
>>> i've a problem with winsync between ipa 2.2 on centos 6.3 and
>>> Active directory 2008R2.
>>>
>>> I'm following this documentation to enable synchronization:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
>>
>> There is nothing on this page about running certutil? Which link
>> talks about certutil?
>
> Links present in the documentation talk about commands and options
> for certutil but i don't see anything about this error.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html

Can one of the IPA developers explain why it is necessary to install
the IPA CA certificate into the Windows Cert Store in order to get
Winsync/PassSync working? I don't believe it is necessary.

For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
Directory and IPA CA Certificates

> - I trusted IPA certificate on AD.
> To do this, i've launched mmc and added "Certificate" component for "local
> computer", and then added IPA cert to Trusted root CA.
>
> Now when i run "openssl s_client -host ad-server.example.com -port 636" i can
> see IPA certificate as Trusted client CA.
>
> - I tested AD ldap connection:
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL -H ldap://ad-server.example.com
> -ZZ -D "cn=ipasync,cn=users,dc=example,dc=com" -w X -s base -b ""
> 'objectclass=*' namingcontexts
> dn:
> namingContexts: DC=example,DC=com
> namingContexts: CN=Configuration,DC=example,DC=com
> namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
> namingContexts: DC=DomainDnsZones,DC=example,DC=com
> namingContexts: DC=ForestDnsZones,DC=example,DC=com
>
> - Now i fall on another problem, when i run:
>
> ipa-replica-manage connect --winsync --binddn
> cn=ipasync,cn=users,dc=example,dc=com --bindpw X --passsync X --cacert
> /etc/openldap/cacerts/ad-ca.crt ad-server.example.com -v
> Directory Manager password:
>
> Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate database
> for ipa.foo.example.local
> ipa: INFO: AD Suffix is: DC=example,DC=com
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11  - System error:
> start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [ipa.foo.example.local] reports: Update failed! Status: [-11  - System error]
> Failed to start replication

What platform?  What version of 389-ds-base?
Can you post some excerpts from your 389 errors log from
/var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around the time of the error?

> I a newbie on Microsoft OSes, but I don't understand why certutil
> don't find my file.
>
> I will ask on a microsoft forum.
>
> Regards
>
>> When i run as admin 'certutil -installcert -v -config
>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
>> french) :
>>
>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
>> CertUtil: Specified file not found
>>
>> someone saw this issue ?
>>
>> Have a nice day.
>>
>> Regards.
>>
>> Baptiste.
>
> Have a nice day.
>
> Regards
>
> Baptiste.




Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync

2012-08-06 Thread Baptiste AGASSE
Hi,

> > Hi,
> >
> >>> Hi all,
> >>>
> >>> i've a problem with winsync between ipa 2.2 on centos 6.3 and
> >>> Active
> >>> directory 2008R2.
> >>>
> >>> I'm following this documentation to enable synchronization:
> >>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
> >> There is nothing on this page about running certutil? Which link
> >> talks
> >> about certutil?
> > Links present in the documentation talk about commands and options
> > for certutil but i don't see anything about this error.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
> 
> 
> Can one of the IPA developers explain why it is necessary to install
> the
> IPA CA certificate into the Windows Cert Store in order to get
> Winsync/PassSync working? I don't believe it is necessary.
> 
> For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
> Directory and IPA CA Certificates

- I trusted IPA certificate on AD.
To do this, i've launched mmc and added "Certificate" component for "local 
computer", and then added IPA cert to Trusted root CA.

Now when i run "openssl s_client -host ad-server.example.com -port 636" i can 
see IPA certificate as Trusted client CA.

- I tested AD ldap connection:
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL -H 
ldap://ad-server.example.com -ZZ -D "cn=ipasync,cn=users,dc=example,dc=com" -w 
X -s base -b "" 'objectclass=*' namingcontexts
dn:
namingContexts: DC=example,DC=com
namingContexts: CN=Configuration,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
namingContexts: DC=DomainDnsZones,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=example,DC=com

- Now i fall on another problem, when i run:

ipa-replica-manage connect --winsync --binddn 
cn=ipasync,cn=users,dc=example,dc=com --bindpw X --passsync X --cacert 
/etc/openldap/cacerts/ad-ca.crt ad-server.example.com -v
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate database 
for ipa.foo.example.local
ipa: INFO: AD Suffix is: DC=example,DC=com
The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - System error: 
start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipa.foo.example.local] reports: Update failed! Status: [-11  - System error]
Failed to start replication


> 
> >
> > I a newbie on Microsoft OSes, but I don't understand why certutil
> > don't find my file.
> >
> > I will ask on a microsoft forum.
> >
> > Regards
> >
> >>> When i run as admin 'certutil -installcert -v -config
> >>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
> >>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
> >>> french) :
> >>>
> >>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
> >>> CertUtil: Specified file not found
> >>>
> >>> someone saw this issue ?
> >>>
> >>> Have a nice day.
> >>>
> >>> Regards.
> >>>
> >>> Baptiste.
> >>>

Have a nice day.

Regards

Baptiste.
