Re: [Freeipa-users] (no subject)

2013-06-13 Thread Guy Matz
Which version of ubuntu are you using?

On 06/13/2013 04:12 PM, Marcelo Carvalho wrote:
> Hi Folks.
>
> I have installed an ipa server and a replica on linux CentOS release
> 6.4 (Final).  It is using outside DNS.  I have https console access
> authenticating admin user through kerberos, and have migrated
> information on 80+ users and groups to it from a LDAP server.
>
> Packages related to ipa installed at main server are:
>
> [root ~]# rpm -qa | grep ipa
> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> libipa_hbac-1.9.2-82.el6.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
> ipa-admintools-3.0.0-26.el6_4.2.x86_64
> ipa-client-3.0.0-26.el6_4.2.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.9.2-82.el6.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
> [root ~]#
>
> I am now in the process of installing a CentOS 6.4 as IPA client, and
> switching my Ubuntu desktop to use IPA as well.
>
> 1- On the CentOS 6.4 as IPA client:
>
> Packages installed are:
>
>  $ rpm -qa | grep ipa
> ipa-client-3.0.0-26.el6_4.2.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-python-1.9.2-82.el6.x86_64
> libipa_hbac-1.9.2-82.el6.x86_64
>
>
> I ran the installation command as follows:
>
> ipa-client-install --domain=.xxx --server=ipaserver.xx.xxx
> --realm=XX.XXX
>
> It did go well and I see the output line:
>
> Client configuration complete.
>
> Despite all of the above I still cannot log in to this new node
> using IPA.  It still checks the local users.
>
>
> 2- On the Ubuntu desktop
>
> I am locked out.  It now accepts neither my IPA user-passwd nor my
> local-user-passwd.
>
> Please advise on both.
>
> Many thanks,
>
> Marcelo
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>




[Freeipa-users] (no subject)

2013-06-13 Thread Marcelo Carvalho
Hi Folks.

I have installed an ipa server and a replica on linux CentOS release
6.4 (Final).  It is using outside DNS.  I have https console access
authenticating admin user through kerberos, and have migrated
information on 80+ users and groups to it from a LDAP server.

Packages related to ipa installed at main server are:

[root ~]# rpm -qa | grep ipa
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-82.el6.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.el6.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root ~]#

I am now in the process of installing a CentOS 6.4 as IPA client, and
switching my Ubuntu desktop to use IPA as well.

1- On the CentOS 6.4 as IPA client:

Packages installed are:

 $ rpm -qa | grep ipa
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-82.el6.x86_64
libipa_hbac-1.9.2-82.el6.x86_64


I ran the installation command as follows:

ipa-client-install --domain=.xxx --server=ipaserver.xx.xxx
--realm=XX.XXX

It did go well and I see the output line:

Client configuration complete.

Despite all of the above I still cannot log in to this new node
using IPA.  It still checks the local users.


2- On the Ubuntu desktop

I am locked out.  It now accepts neither my IPA user-passwd nor my
local-user-passwd.

Please advise on both.

Many thanks,

Marcelo



Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-13 Thread Notify Me
Thanks a lot. I followed Alex's advice and it's all good now.
Very much appreciated!
On Jun 13, 2013 9:33 AM, "Jakub Hrozek" wrote:

> On Thu, Jun 13, 2013 at 01:26:54AM +0300, Alexander Bokovoy wrote:
> > On Wed, 12 Jun 2013, Sina Owolabi wrote:
> > >Thank you for the reply Alex, though I'm a little confused whether I am
> > >answering the correct email.
> > >I have taken a look at the example sssd.conf you advised, and I'm a little
> > >curious if the configuration supports having multiple IPA servers? I have a
> > >multi-master setup with two servers. I tried to add both servers to the
> > >ldap uri and to the krb5 section but the service refused to start.
> > See man sssd-ldap(5). ldap_uri accepts a comma-separated list of servers.
> > Same for krb5_server, see sssd-krb5(5).
>
> Also if you're using service DNS records, you can either leave the URIs
> blank and default to service resolution or explicitly use service
> resolution along with a hardcoded name:
>
> ldap_uri = _srv_, ldap://ldap.example.com
>
> See the "service discovery" section in the man pages.
>

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-13 Thread Pavel Březina

On 06/12/2013 02:51 PM, Pavel Březina wrote:

On 06/12/2013 02:37 PM, Jakub Hrozek wrote:

On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote:

Hi,

The package as you described is installed, the config lines are set as
you showed.

This is what I see in auth.log, my sssd_sudo does not show a thing:

Jun 12 11:19:16 server sudo: pam_unix(sudo:auth): authentication failure; logname=USERNAME uid=86666 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): User info message: Your password will expire in 89 day(s).
Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): authentication success; logname=USERNAME uid=86666 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
Jun 12 11:19:16 server sudo: USERNAME : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/su


Pavel, I know you were debugging this problem on IRC, was there any
conclusion?



No. I'm waiting for our lab to come back online so I can try to
reproduce it.


I followed the deployment guide and everything works fine. If you still
have the problem, please start over and follow:

[1] for sudo-ldap-ipa
[2] for sudo-sssd-ipa

Check list:
- NIS domain has to be set to IPA domain

- hostname must be set to fqdn

- sudo-ldap configuration file on RHEL systems is located at
  # sudo -V | grep ldap.conf
  ldap.conf path: /etc/sudo-ldap.conf

- nsswitch must contain sudoers: ldap or sudoers: sss
  # cat /etc/nsswitch.conf  | grep sudoers
  sudoers: files ldap


[1] 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#example-configuring-sudo


[2] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf




Jun 12 11:19:16 server sudo: unable to execute /usr/sbin/sendmail: No such file or directory

I really cannot figure out what to check more.


2013/6/12 Alexander Bokovoy 


On Wed, 12 Jun 2013, Matt . wrote:


Hi,

A lot of people seem to have problems with Sudo and FreeIPA.

How to enable sudo is described here:

http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf


The problem we are facing, also discussed on IRC, is that the local
sudoers file of the client is checked to see whether the logged-in user
may sudo. Of course the username is not known there.


Not sure what exactly is your problem? Could you please rephrase and
show it with logs again?

If you are using SSSD's sudo integration against IPA server, then here
is what you need to get it working on Fedora 18/19 and RHEL 6.4:

1. install libsss_sudo package

2. Add/change following line to /etc/nsswitch.conf

sudoers: files sss

3. Make sure your /etc/sssd/sssd.conf looks like this example:
http://abbra.fedorapeople.org/.paste/sssd.conf.example

4. Restart sssd

These are the only actions I needed to get sudo working for IPA
users on
Fedora 19 and RHEL 6.4.

Please note that sudoers: files sss
gives you the chance to have local users configured in local sudoers. If
you don't want them to be able to use sudo, just change the line in
/etc/nsswitch.conf to
sudoers: sss


--
/ Alexander Bokovoy




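The log excerpt Matt posted in this thread (pam_unix failure, pam_sss success, then "user NOT in sudoers") together with the nsswitch.conf item in Alexander's steps and Pavel's checklist is the whole diagnosis in miniature: sudo authenticated the IPA user through SSSD, but whether it ever asked SSSD for sudo rules depends on the sudoers line of /etc/nsswitch.conf. The script below is an added example, not code from the thread, from SSSD or from sudo. It parses such auth.log lines and the sudoers line of nsswitch.conf and reports where sudo is looking for rules. The log excerpt, the USERNAME placeholder and the two nsswitch.conf snippets are constructed samples.

```python
"""Triage helper for the "user NOT in sudoers" symptom shown in the thread.

Added example; not code from the thread, from SSSD or from sudo. It reads
sudo's PAM lines from an auth.log excerpt and the sudoers line of
/etc/nsswitch.conf and reports where sudo is looking for rules.
"""
import re

# Constructed excerpt modelled on the lines Matt posted: pam_unix fails
# (an IPA user has no local password hash), pam_sss succeeds, and sudo then
# finds no rule for the user.
AUTH_LOG = """\
Jun 12 11:19:16 server sudo: pam_unix(sudo:auth): authentication failure; logname=USERNAME uid=86666 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): User info message: Your password will expire in 89 day(s).
Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): authentication success; logname=USERNAME uid=86666 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
Jun 12 11:19:16 server sudo: USERNAME : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/su
"""

# Constructed nsswitch.conf excerpts: the first consults only the local
# /etc/sudoers, the second also asks SSSD for the rules stored in IPA.
NSSWITCH_LOCAL_ONLY = "passwd:     files sss\nsudoers:    files\n"
NSSWITCH_WITH_SSS = "passwd:     files sss\nsudoers:    files sss\n"

PAM_AUTH_RE = re.compile(
    r"sudo: (?P<module>pam_\w+)\(sudo:auth\): authentication (?P<result>success|failure)")
NOT_IN_SUDOERS_RE = re.compile(r"sudo: (?P<user>\S+) : user NOT in sudoers")


def parse_sudo_log(log_text):
    """Return (auth_results, rejected_users) from an auth.log excerpt.

    auth_results maps a PAM module to its last reported result, e.g.
    {"pam_unix": "failure", "pam_sss": "success"}; rejected_users lists the
    users for whom sudo found no matching rule.
    """
    auth_results = {}
    rejected = []
    for line in log_text.splitlines():
        m = PAM_AUTH_RE.search(line)
        if m:
            auth_results[m.group("module")] = m.group("result")
            continue
        m = NOT_IN_SUDOERS_RE.search(line)
        if m:
            rejected.append(m.group("user"))
    return auth_results, rejected


def sudoers_sources(nsswitch_text):
    """Return the sources listed on the 'sudoers:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith("sudoers:"):
            return line.split(":", 1)[1].split()
    return []  # no line at all: sudo then behaves as if only 'files' were listed


def diagnose(log_text, nsswitch_text):
    """Combine the log and nsswitch.conf into a single verdict string."""
    auth, rejected = parse_sudo_log(log_text)
    sources = sudoers_sources(nsswitch_text) or ["files"]
    if auth.get("pam_sss") != "success":
        return "authentication through SSSD did not succeed; fix PAM/SSSD auth first"
    if not rejected:
        return "authentication succeeded and no sudoers rejection was logged"
    if not {"sss", "ldap"} & set(sources):
        return ("sudo authenticated %s through SSSD but looked for rules only in %s; "
                "add 'sss' (or 'ldap') to the sudoers line of /etc/nsswitch.conf"
                % (rejected[0], " ".join(sources)))
    return ("rules are looked up through %s but none matched %s; check the sudo "
            "rules in IPA and the client's NIS domain name and FQDN hostname"
            % (" ".join(sources), rejected[0]))


if __name__ == "__main__":
    print(diagnose(AUTH_LOG, NSSWITCH_LOCAL_ONLY))
    print(diagnose(AUTH_LOG, NSSWITCH_WITH_SSS))
```

Against a real client, feed `diagnose()` the contents of the auth log and of /etc/nsswitch.conf. The verdict separates the two cases that look identical in the log: SSSD authenticated the user but sudo never asked SSSD for rules (the nsswitch.conf problem), versus SSSD was asked but has no rule that matches (an IPA rule, NIS domain or hostname problem, which is what the rest of the checklist covers).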

Re: [Freeipa-users] Trusted AD Users login via gdm

2013-06-13 Thread Leah Zimmermann

Hello Sumit,
Hello List Members,

Am 13.06.2013 09:18, schrieb Sumit Bose:

On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:

Am 12.06.2013 12:03, schrieb Sumit Bose:

On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:

Dear List Members,

I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted
relationship to an AD-Domain.
The users of the AD-Domain can login via ssh- or console-login. Then
they can start the gnome desktop manually. But if they login via gdm
they are logged out immediately.

Which name style are you using 'AD_NETBIOS\username' or
'username@AD_DOMAIN' ? If you only tried one can you try the other?

Until now I tried only 'username@AD_DOMAIN', but
'AD_NETBIOS\username' does not work either.

If this does not help, please send the relevant section of
/var/log/secure and the sssd logs with a high debug level.



As far as I can see, both styles cause the same results.

Jun 12 13:27:56 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:auth): authentication failure; logname= uid=0
euid=0 tty=:0 ruser= rhost=  user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password:
pam_sss(gdm-password:auth): authentication success; logname= uid=0
euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:session): session opened for user
leah@AD_DOMAIN by (uid=0)
Jun 12 13:27:57 ipa_hostname polkitd(authority=local): Unregistered
Authentication Agent for session
/org/freedesktop/ConsoleKit/Session25 (system bus name :1.265,
object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
de_DE.UTF-8) (disconnected from bus)
Jun 12 13:27:58 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:session): session closed for user
leah@AD_DOMAIN
Jun 12 13:27:59 ipa_hostname polkitd(authority=local): Registered
Authentication Agent for session
/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275
[/usr/libexec/polkit-gnome-authentication-agent-1], object path
/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)


Jun 12 13:32:56 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:auth): authentication failure; logname= uid=0
euid=0 tty=:0 ruser= rhost=  user=AD_NETBIOS\leah
Jun 12 13:32:58 ipa_hostname pam: gdm-password:
pam_sss(gdm-password:auth): authentication success; logname= uid=0
euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
Jun 12 13:32:58 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:session): session opened for user
AD_NETBIOS\leah by (uid=0)
Jun 12 13:32:58 ipa_hostname polkitd(authority=local): Unregistered
Authentication Agent for session
/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275,
object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
de_DE.UTF-8) (disconnected from bus)
Jun 12 13:32:58 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:session): session closed for user
AD_NETBIOS\leah
Jun 12 13:32:59 ipa_hostname polkitd(authority=local): Registered
Authentication Agent for session
/org/freedesktop/ConsoleKit/Session29 (system bus name :1.285
[/usr/libexec/polkit-gnome-authentication-agent-1], object path
/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)

Maybe the Unregistered Authentication Agent is the problem. But
what have I missed?

Do you have SELinux enabled? Can you check if there are any audit messages
with SELinux denials? Can you check if the SELinux context of the user's
home directory is right?

SELinux is disabled by setting SELINUX=disabled in /etc/sysconfig/selinux.
I did that already, to eliminate this as the source of difficulties.
I'm sorry. Maybe I should have mentioned this earlier.

If I set it to permissive mode I get

drwxr-xr-x. leah@ad_domain    leah@ad_domain    unconfined_u:object_r:user_home_t:s0 leah
drwxr-xr-x. user_xy@ad_domain user_xy@ad_domain unconfined_u:object_r:user_home_t:s0 user_xy

...

All home directories of AD users look like this.

Thanks

Leah




Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-13 Thread Jakub Hrozek
On Thu, Jun 13, 2013 at 01:26:54AM +0300, Alexander Bokovoy wrote:
> On Wed, 12 Jun 2013, Sina Owolabi wrote:
> >Thank you for the reply Alex, though I'm a little confused whether I am
> >answering the correct email.
> >I have taken a look at the example sssd.conf you advised, and I'm a little
> >curious if the configuration supports having multiple IPA servers? I have a
> >multi-master setup with two servers. I tried to add both servers to the
> >ldap uri and to the krb5 section but the service refused to start.
> See man sssd-ldap(5). ldap_uri accepts a comma-separated list of servers.
> Same for krb5_server, see sssd-krb5(5).

Also if you're using service DNS records, you can either leave the URIs
blank and default to service resolution or explicitly use service
resolution along with a hardcoded name:

ldap_uri = _srv_, ldap://ldap.example.com

See the "service discovery" section in the man pages.

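Sina's sssd refused to start after both servers were added; the answer in this thread is that ldap_uri and krb5_server take comma-separated lists and that the _srv_ marker (or an unset option) turns on DNS service discovery. The script below is an added example, not code from the thread and not part of SSSD: it parses an sssd.conf with the standard-library configparser and checks those two options in every [domain/...] section before the daemon is restarted, flagging the typical mistake of listing two servers without a comma. The two sssd.conf samples and the ipa1/ipa2.example.com host names are constructed.

```python
"""Sanity-check multi-server options in an sssd.conf before restarting sssd.

Added example; not code from the thread and not part of SSSD. It validates
the comma-separated server lists that sssd-ldap(5) and sssd-krb5(5)
describe for ldap_uri and krb5_server, including the _srv_ marker.
"""
import configparser
from urllib.parse import urlsplit

SRV_MARKER = "_srv_"

# Constructed sample: two IPA servers listed the way the thread recommends,
# service discovery first with hardcoded names as fallback.
SSSD_CONF_OK = """
[sssd]
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ldap_uri = _srv_, ldap://ipa1.example.com, ldap://ipa2.example.com
krb5_server = ipa1.example.com, ipa2.example.com
"""

# Constructed sample of the likely mistake: two servers without a comma,
# which sssd reads as one malformed value.
SSSD_CONF_BAD = """
[domain/example.com]
id_provider = ipa
ldap_uri = ldap://ipa1.example.com ldap://ipa2.example.com
krb5_server = ipa1.example.com ipa2.example.com
"""


def split_server_list(value):
    """Split a comma-separated option value into trimmed, non-empty entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def check_ldap_uri_entry(entry):
    """Return None if entry is valid for ldap_uri, otherwise a problem string."""
    if entry == SRV_MARKER:
        return None
    if any(ch.isspace() for ch in entry):
        return "%r contains whitespace; separate servers with commas" % entry
    parts = urlsplit(entry)
    if parts.scheme not in ("ldap", "ldaps") or not parts.netloc:
        return "%r is not an ldap:// or ldaps:// URI" % entry
    return None


def check_krb5_server_entry(entry):
    """Return None if entry is a host or host:port (IPv6 literals not handled)."""
    if entry == SRV_MARKER:
        return None
    if any(ch.isspace() for ch in entry):
        return "%r contains whitespace; separate servers with commas" % entry
    host, sep, port = entry.partition(":")
    if not host or (sep and not port.isdigit()):
        return "%r is not host or host:port" % entry
    return None


CHECKERS = (("ldap_uri", check_ldap_uri_entry),
            ("krb5_server", check_krb5_server_entry))


def check_sssd_conf(text):
    """Map every [domain/...] section to a list of problems (empty = looks sane).

    An option that is not set is skipped: sssd then uses DNS SRV service
    discovery for it, as described in the thread.
    """
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    report = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        problems = []
        for option, checker in CHECKERS:
            if not cfg.has_option(section, option):
                continue
            entries = split_server_list(cfg.get(section, option))
            if not entries:
                problems.append("%s is set but empty" % option)
            for entry in entries:
                problem = checker(entry)
                if problem:
                    problems.append("%s: %s" % (option, problem))
        report[section] = problems
    return report


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sssd/sssd.conf"
    with open(path) as fh:
        for section, problems in check_sssd_conf(fh.read()).items():
            print(section, "OK" if not problems else "")
            for problem in problems:
                print("  -", problem)
```

Run it as root against /etc/sssd/sssd.conf (the file is mode 0600). The checks cover only the list syntax, not whether the listed servers answer; an option that is absent is deliberately left alone, because that is the case in which sssd falls back to SRV-record discovery, as Jakub describes.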


Re: [Freeipa-users] Trusted AD Users login via gdm

2013-06-13 Thread Sumit Bose
On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
> Am 12.06.2013 12:03, schrieb Sumit Bose:
> >On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
> >>Dear List Members,
> >>
> >>I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted
> >>relationship to an AD-Domain.
> >>The users of the AD-Domain can login via ssh- or console-login. Then
> >>they can start the gnome desktop manually. But if they login via gdm
> >>they are logged out immediately.
> >Which name style are you using 'AD_NETBIOS\username' or
> >'username@AD_DOMAIN' ? If you only tried one can you try the other?
> Until now I tried only 'username@AD_DOMAIN', but
> 'AD_NETBIOS\username' does not work either.
> >
> >If this does not help, please send the relevant section of
> >/var/log/secure and the sssd logs with a high debug level.
> >
> >
> As far as I can see, both styles cause the same results.
> 
> Jun 12 13:27:56 ipa_hostname pam: gdm-password:
> pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> euid=0 tty=:0 ruser= rhost=  user=leah@AD_DOMAIN
> Jun 12 13:27:57 ipa_hostname pam: gdm-password:
> pam_sss(gdm-password:auth): authentication success; logname= uid=0
> euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
> Jun 12 13:27:57 ipa_hostname pam: gdm-password:
> pam_unix(gdm-password:session): session opened for user
> leah@AD_DOMAIN by (uid=0)
> Jun 12 13:27:57 ipa_hostname polkitd(authority=local): Unregistered
> Authentication Agent for session
> /org/freedesktop/ConsoleKit/Session25 (system bus name :1.265,
> object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> de_DE.UTF-8) (disconnected from bus)
> Jun 12 13:27:58 ipa_hostname pam: gdm-password:
> pam_unix(gdm-password:session): session closed for user
> leah@AD_DOMAIN
> Jun 12 13:27:59 ipa_hostname polkitd(authority=local): Registered
> Authentication Agent for session
> /org/freedesktop/ConsoleKit/Session27 (system bus name :1.275
> [/usr/libexec/polkit-gnome-authentication-agent-1], object path
> /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
> 
> 
> Jun 12 13:32:56 ipa_hostname pam: gdm-password:
> pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> euid=0 tty=:0 ruser= rhost=  user=AD_NETBIOS\leah
> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> pam_sss(gdm-password:auth): authentication success; logname= uid=0
> euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> pam_unix(gdm-password:session): session opened for user
> AD_NETBIOS\leah by (uid=0)
> Jun 12 13:32:58 ipa_hostname polkitd(authority=local): Unregistered
> Authentication Agent for session
> /org/freedesktop/ConsoleKit/Session27 (system bus name :1.275,
> object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> de_DE.UTF-8) (disconnected from bus)
> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> pam_unix(gdm-password:session): session closed for user
> AD_NETBIOS\leah
> Jun 12 13:32:59 ipa_hostname polkitd(authority=local): Registered
> Authentication Agent for session
> /org/freedesktop/ConsoleKit/Session29 (system bus name :1.285
> [/usr/libexec/polkit-gnome-authentication-agent-1], object path
> /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
> 
> Maybe the Unregistered Authentication Agent is the problem. But
> what have I missed?

Do you have SELinux enabled? Can you check if there are any audit messages
with SELinux denials? Can you check if the SELinux context of the user's
home directory is right?

bye,
Sumit
> 
> Thanks
> 
> Leah

