Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA
On 24.03.2013 18:14, Martin wrote:

That guide at techslaves.org sounds like a perfect match for our needs; unfortunately the map and reality didn't quite match... Point 4.3 says:

4.3. Test the CLI. With an "admin" (or equivalent priv) kerberos ticket, try creating a new group:

account@ipaserver:~ $ ipa group-add testgrp --desc="Testing the group.py CLI mods"
---------------------
Added group "testgrp"
---------------------
  Group name: testgrp
  Description: Testing the group.py CLI mods
  GID: 1234500010
  Samba Group Type: 4

So I did. However, all I get is:

ipa: ERROR: Unknown option: sambagrouptype

but I've followed the instructions carefully. There's, however, an added complication here, and that's that the sambaserver runs on a different machine than the IPA server, and since it's not obvious (to me at least) which part goes where, I ran all the commands on the sambaserver. I bet at least some of the steps would have to be run on the IPA server. Does anyone have an idea what went wrong? All the commands went through without a problem until ipa group-add...

Regards

I'm using this configuration with IPA based on 6.3 and had to patch the ipa python scripts. I'm also far from an acceptable solution, but still I've written some helper scripts that make the pain a little smaller and things operable. I think you should get a step further with the following:

First change group.py:

diff -Naur /usr/lib/python2.6/site-packages/ipalib/plugins/group.py-20120904 /usr/lib/python2.6/site-packages/ipalib/plugins/group.py --- /usr/lib/python2.6/site-packages/ipalib/plugins/group.py-20120904 2012-09-04 14:03:33.943724891 +0200 +++ /usr/lib/python2.6/site-packages/ipalib/plugins/group.py 2012-09-04 14:06:07.240468927 +0200
@@ -121,6 +121,13 @@ doc=_('GID (use this option to set it manually)'), minvalue=1, ), +Int('sambagrouptype', +cli_name='sgt', +label=_('Samba Group Type'), +doc=_('Samba Group Type (default is 4)'), +default=4, +autofill=True, +), ) api.register(group)

My script for getting the next available SID (ldap-getnext-SID.sh):

LDAPbase=dc=example,dc=com
# Collect every sambaSID already in use (users and groups) and keep the one with the
# highest RID. The RID is the last '-'-separated field of S-1-5-21-A-B-C-RID, so $NF
# is used rather than a fixed field number.
lastsid=$({ ldapsearch -z0 -LLL -b cn=users,cn=accounts,$LDAPbase '(objectClass=sambaSAMAccount)' sambaSID 2>/dev/null; ldapsearch -z0 -LLL -b cn=groups,cn=accounts,$LDAPbase '(objectClass=sambaGroupMapping)' sambaSID 2>/dev/null; } | grep sambaSID | awk '{ print $2; }' | awk -F- '{ if ($NF + 0 > max) { max = $NF + 0; sid = $0 } } END { print sid }')
# Print the same SID with the RID incremented by one.
echo "$lastsid" | awk 'BEGIN { OFS="-"; FS="-"; } { $NF = $NF + 1; print; }'

Then create a new group with:

ipa group-add --desc="Testgroup2" testgroup2 --sgt=4 --setattr=sambaSID=$(bash ./ldap-getnext-SID.sh)

Hope this helps.

Regards Marc.

-- 
Marc Grimme
E-Mail: grimme( at )atix.de
XING: www.xing.com/profile/Marc_Grimme
ATIX - The Linux Open Source Company
ATIX Informationstechnologie und Consulting AG
Einsteinstraße 10
85716 Unterschleißheim
www.atix.de

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
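Review bot: nothing in this hunk adds the sambaGroupMapping objectClass to the group entry, yet the new Int('sambagrouptype', ...) param is declared with default=4 and autofill=True, so every ipa group-add will try to write sambaGroupType and 389-ds will reject the entry with an object class violation unless group.py's object_class list is extended elsewhere in the same change; the Samba schema also makes sambaSID a MUST attribute of sambaGroupMapping, which is why the usage line further down has to pass --setattr=sambaSID=... by hand. Either drop autofill=True so the attribute is only written when --sgt is given explicitly, or add the objectclass and the SID allocation in the same code path. Separately, the patch edits the packaged /usr/lib/python2.6/site-packages/ipalib/plugins/group.py in place, which the next ipa package update will silently revert; carrying the change in a separate plugin module would survive upgrades.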
Re: [Freeipa-users] Account Expiration
On 03/24/2013 05:50 PM, Dmitri Pal wrote:

On 03/23/2013 03:58 AM, James James wrote:

Hi Petr,

Can you (or somebody else) give me some hints to use a calendar widget in the UI?

In the past we said that there is no calendar widget mature enough to meet our requirements. Has this changed? Is there a good widget to use now?

Thanks.

I believe that the jQuery UI datepicker can be used. It's already included in the jQuery UI lib which is shipped with FreeIPA. It can't be used right away though. It will require incorporating it into the FreeIPA Web UI's widget system. That means inheriting from text_widget, overriding the create method and probably doing some format conversion in the update and save methods. Register the new widget in the widget repository. Then one has to modify the spec of the appropriate facets to use it.

HTH

2013/2/7 Petr Vobornik pvobo...@redhat.com

On 02/07/2013 08:45 AM, Martin Kosek wrote:

On 02/07/2013 08:31 AM, James James wrote:

Thanks Rob. I have one more question. Is it possible to add a field in the UI, and get the field's value in a custom add-user hook script?

James

Theoretically it's possible, but it requires quite good knowledge of the Web UI code. It's easier to modify the user page source code. For a simple edit (just a textbox, no calendar widget) it may be just one line of code (in the Web UI; a server plugin will require more work). I know that Petr Vobornik is already working on better extensibility of the UI, but that would be available in future releases. Petr, do you have any advice for James for the current release?

2013/2/7 Rob Crittenden rcrit...@redhat.com

James James wrote:

Can somebody give me some help to set krbPrincipalExpiration from the FreeIPA UI?

You can't set this in the web UI.

Note: You will be able to set it in the CLI/UI when ticket https://fedorahosted.org/freeipa/ticket/3306 is fixed.

You can do it from the command line using ldapmodify with:

$ ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20200508032114Z
^D

This would change the password expiration attribute. So for account expiration, you would just need to replace the krbPasswordExpiration modification above with krbPrincipalExpiration.

Martin

-- 
Petr Vobornik
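The ldapmodify procedure from the thread, wrapped in a small POSIX shell script as an added example (this is not code from the list posts or from FreeIPA itself). It emits the same LDIF as above but for krbPrincipalExpiration, and it checks the timestamp first, since a value that is not a UTC GeneralizedTime (14 digits plus a trailing Z) is the usual way this edit goes wrong. Assumed: the base DN dc=example,dc=com (override with BASE_DN), a user entry under cn=users,cn=accounts, and a Directory Manager bind; the helper and function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: set an IPA user's account expiry
# (krbPrincipalExpiration) with ldapmodify, the same way the krbPasswordExpiration
# LDIF in the thread does, but with the timestamp validated before anything is written.
# Assumptions: base DN dc=example,dc=com (override with BASE_DN), the uid exists
# under cn=users,cn=accounts, and you can bind as cn=Directory Manager.

BASE_DN="${BASE_DN:-dc=example,dc=com}"

# Kerberos/LDAP GeneralizedTime as IPA stores it: YYYYMMDDHHMMSS followed by 'Z'.
# The trailing Z matters: the value is UTC, not local time.
valid_gentime() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9][0-2][0-9][0-5][0-9][0-5][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# Convert a human-readable date to GeneralizedTime (GNU date syntax).
to_gentime() {
    date -u -d "$1" +%Y%m%d%H%M%SZ
}

# Emit the LDIF that replaces one expiry attribute on one user.
# $3 defaults to krbPrincipalExpiration (account expiry); pass
# krbPasswordExpiration to expire only the password, as in the thread.
expiry_ldif() {
    uid=$1; when=$2; attr=${3:-krbPrincipalExpiration}
    if ! valid_gentime "$when"; then
        echo "expiry_ldif: bad GeneralizedTime '$when' (want YYYYMMDDHHMMSSZ)" >&2
        return 1
    fi
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$uid" "$BASE_DN" "$attr" "$attr" "$when"
}

# Apply the change; -W prompts for the Directory Manager password.
# The LDIF is built first so a bad timestamp never reaches the server.
set_expiry() {
    ldif=$(expiry_ldif "$1" "$2" "$3") || return 1
    printf '%s\n' "$ldif" | ldapmodify -x -D 'cn=Directory Manager' -W
}

# Read both expiry attributes back (needs read access, e.g. an admin Kerberos ticket).
show_expiry() {
    ldapsearch -Y GSSAPI -LLL -b "uid=$1,cn=users,cn=accounts,$BASE_DN" \
        krbPrincipalExpiration krbPasswordExpiration
}

# Usage:
#   set_expiry tuser1 "$(to_gentime '2020-05-08 03:21:14 UTC')"
#   show_expiry tuser1
```

Run set_expiry on an IPA server or any host with the OpenLDAP client tools and network access to the directory; show_expiry afterwards confirms the attribute took, and since krbPrincipalExpiration is enforced by the KDC, a kinit as that user after the expiry time should then fail.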
Re: [Freeipa-users] bind-dyndb-ldap howto use wildcard
On 23.3.2013 18:17, Marc Roos wrote:

I don't seem to get the wildcard working. Is this a correct way of creating a DNS record?

DN: idnsName=*.241.36.65,idnsName=rbl.test.com,dc=office,dc=local
objectClass: idnsRecord
aRecord: 127.0.0.1
idnsName: *.241.36.65

If I do a dig on the nameserver on 1.241.36.65.rbl.test.com it results in a failed lookup and does not return 127.0.0.1.

Unfortunately wildcard records are not supported at the moment. You can watch the progress in ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/95

You can add yourself to CC in the ticket, then you will get fresh news directly from the bug tracker.

-- 
Petr^2 Spacek
Re: [Freeipa-users] Account Expiration
On 03/25/2013 08:27 AM, Simo Sorce wrote:

On Mon, 2013-03-25 at 10:42 +0100, Petr Vobornik wrote:

On 03/24/2013 05:50 PM, Dmitri Pal wrote:

On 03/23/2013 03:58 AM, James James wrote:

Hi Petr,

Can you (or somebody else) give me some hints to use a calendar widget in the UI?

In the past we said that there is no calendar widget mature enough to meet our requirements. Has this changed? Is there a good widget to use now?

Thanks.

I believe that the jQuery UI datepicker can be used. It's already included in the jQuery UI lib which is shipped with FreeIPA. It can't be used right away though. It will require incorporating it into the FreeIPA Web UI's widget system. That means inheriting from text_widget, overriding the create method and probably doing some format conversion in the update and save methods. Register the new widget in the widget repository. Then one has to modify the spec of the appropriate facets to use it.

HTH

Should we open a ticket with this RFE?

Simo.

Yes.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
[Freeipa-users] User admins for different groups
Hi,

I am trying to do the following: We have some branch offices at different locations. We want to use one ipa-server with replicas in each branch office. Each branch office should have its own set of administrators who should be able to create/modify/delete users for its own branch but should not be allowed to change users from other branches. How could this be accomplished? i.e.:

ipa group-add branch-at
ipa group-add admins-at
ipa group-add-member branch-at --groups=admins-at
ipa group-add branch-us
ipa group-add admins-us
ipa group-add-member branch-us --groups=admins-us
ipa user-add admin1at
ipa group-add-member admins-at --users=admin1at
ipa user-add user1us
ipa group-add-member branch-us --users=user1us

Now, every member of admins-at should be forced to create/modify/delete only users in branch-at. The same applies for admins-us/branch-us.

At first, I thought of a combination of (a) new role(s), with write/delete permissions set for the branch-at group, as well as an automember rule, but it seems there is no way to filter for the creator of an entry, which would be needed for the group membership. Am I missing anything?

cheers,
Philipp
Re: [Freeipa-users] error setting up replication client
Ok. The log directory being empty is indicative of the server not having started, which is what I suspected based on the output you provided. There might have been some indication in /var/log/messages or in /var/log/audit/audit.log (for selinux) as to why this happened. If this does happen again, I would check there.

Ade

On Thu, 2013-03-21 at 16:24 -0400, Patrick Hemmer wrote:

I'm not sure what happened here. The log dir for pki-ca was completely empty. I restarted pki-ca, the log files were created, and it appeared to operate normally. I rebuilt the box from scratch (just to have a clean start) and everything came up perfectly fine.

-Patrick

On 2013/20/03 12:54, Ade Lee wrote:

Patrick,

Can you provide some log files? Looks like pkisilent is trying to get to the first configuration panel on the CA and is getting a 302. I would need to see the logs under /var/log/pki-ca for the replica subsystem.

Thanks,
Ade Lee

On Wed, 2013-03-20 at 12:04 -0400, Patrick Hemmer wrote:

I'm trying to set up an ipa replica, and each time I try the install process fails at the same point. When I look in the ipareplica-install.log I see a 302 redirection which seems to be causing the issue. Any ideas why this is happening (or if something else is the issue)?

Thanks
-Patrick

(http://fpaste.org/gbYz/)

2013-03-15T17:19:50Z DEBUG stderr=
2013-03-15T17:19:50Z DEBUG duration: 5 seconds
2013-03-15T17:19:50Z DEBUG [3/17]: configuring certificate server instance
2013-03-15T17:19:51Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname i-d1579ba3.ipa-server.us-east-1.cloud.com -cs_port 9445 -client_certdb_dir /tmp/tmp-2l64F1 -client_certdb_pw d -preop_pin IWk44JzZT6A78Pha3SrM -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=CLOUD.COM -ldap_host i-d1579ba3.ipa-server.us-east-1.cloud.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=CLOUD.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=CLOUD.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=CLOUD.COM -ca_server_cert_subject_name CN=i-d1579ba3.ipa-server.us-east-1.cloud.com,O=CLOUD.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=CLOUD.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=CLOUD.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname i-6775b715.ipa-server.us-east-1.cloud.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://i-6775b715.ipa-server.us-east-1.cloud.com:443
2013-03-15T17:19:51Z DEBUG stdout=libpath=/usr/lib64
###
CRYPTO INIT WITH CERTDB:/tmp/tmp-2l64F1
tokenpwd:
#
Attempting to connect to: i-d1579ba3.ipa-server.us-east-1.cloud.com:9445
in TestCertApprovalCallback.approve()
Peer cert details:
subject: CN=i-d1579ba3.ipa-server.us-east-1.cloud.com,O=CLOUD.COM
issuer: CN=Certificate Authority,O=CLOUD.COM
serial: 3
item 1 reason=-8172 depth=1
cert details:
subject: CN=Certificate Authority,O=CLOUD.COM
issuer: CN=Certificate Authority,O=CLOUD.COM
serial: 1
importing certificate.
Connected.
Posting Query = https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445//ca/admin/console/config/login?pin=IWk44JzZT6A78Pha3SrM&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Content-Length: 0
RESPONSE HEADER: Date: Fri, 15 Mar 2013 17:19:51 GMT
RESPONSE HEADER: Connection: keep-alive
xml returned:
#
Attempting to connect to: i-d1579ba3.ipa-server.us-east-1.cloud.com:9445
Connected.
Posting Query = https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 302 Moved Temporarily
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Set-Cookie: JSESSIONID=A8B36AB92F386DB22B193215907C01AC; Path=/ca; Secure
RESPONSE HEADER: Location: https://i-d1579ba3.ipa-server.us-east-1.cloud.com:9445/ca/admin/console/config/login
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Content-Length: 0
RESPONSE HEADER: Date: Fri, 15 Mar 2013 17:19:51 GMT
RESPONSE HEADER: Connection: keep-alive
ERROR: unable to parse xml
ERROR XML =