Re: [Freeipa-users] Password expiration dates are different when being reset by the (primary) admin and a different admin
@Martin 1) Yes, I did execute 8.5.3 from the wiki. Is this the reason for the system's behaviour? If so, why doesn't it apply to both admins? And it doesn't explain the 90 days, because it is not set in the tutorial. Unless some params are left out of the wiki for some reason. I'm using the Windows LDAP admin tool to browse the LDAP tree, but couldn't find this param/value, so I wasn't sure if the new setting is being used. I did get a confirmation while executing the change.

@Dimitri 1) Yes, there are no problems with changing your own password. There is only something strange with the expiration lifetime when you are changing other users' (admin or non-admin) passwords. The expiration lifetime of a password reset should be equal for BOTH admins: either expired immediately, 90 days, or the value that is set in the password policy. I prefer the value in a password policy, because this way I have it more under control.

@Martin @Will 1b) Ok, I'm afraid you may say that. Most free clients like gmail, hotmail, ebay, paypal don't require a password reset from time to time (yes, they may have set a very high value). So I was wondering why it isn't possible. I know it's bad for security, but still.

On Thu, Aug 28, 2014 at 6:18 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 08/28/2014 04:18 PM, Zip Ly wrote:
>> Hi,
>> I'm trying to change a user password without reset. If I use the (primary) admin to change the password then it doesn't need a password reset, because the expire lifetime is 90 days. But if I create a second admin, then every password change made by the second admin needs a password reset, because the password is expired immediately.
>> 1a) Does anyone know how I can change the policy/privilege of the second admin so every password change doesn't require a reset?
>> 1b) And is it possible to set a different expire lifetime, like zero for unlimited lifetime?
>
> You are probably changing the password for the admin himself. Isn't there a different flow when an admin changes his own password?
>
>> It's almost the same bug report as https://fedorahosted.org/freeipa/ticket/2795 but the difference is there should be 2 policies: one for changing your own password and another for resetting other users' passwords.
>> 2) Are there more differences in policies between the first (primary) admin and the second admin you just created?
>> Kind regards,
>> Zip
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] How to use sudo rules on ubuntu
On Fri, Aug 29, 2014 at 09:30:55AM +0300, Tevfik Ceydeliler wrote:
> Here is my configuration and client output. I don't know what is wrong.

Please keep the freeipa-users list in the CC list; other users might run into the same problem.

> ===
> Server Side:
>
> [root@srv ~]# ipa sudorule-find
> ---
> 1 Sudo Rule matched
> ---
>   Rule name: log-reading
>   Enabled: TRUE
>   Users: kduser1, user1
>   Hosts: clnt2.ipa.grp, clnt.ipa.grp
>   Sudo Allow Commands: /usr/bin/less, /usr/bin/vi, /usr/bin/yum, /usr/bin/apt-get
>   Sudo Option: !authenticate
> ---
> Number of entries returned 1
> ---
>
> And client side:
>
> 1. nsswitch.conf:
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc Name Service Switch' for information about this file.
>
> passwd:         compat sss
> group:          compat sss
> shadow:         compat
> hosts:          files mdns4_minimal [NOTFOUND=return] dns
> networks:       files
> protocols:      sss files
> services:       sss files
> ethers:         sss files
> rpc:            sss files
> netgroup:       nis sss
> sudoers:        files sss
> sudoers_debug:  1
>
> 2. sssd.conf:
>
> [domain/ipa.grp]
> krb5_realm = IPA.GRP
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.grp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = clnt.ipa.grp
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, srv.ipa.grp
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = ipa.grp
> [nss]
> homedir_substring = /home
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
> ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
> ldap_sasl_mech = GSSAPI
> ldap=sasl_authid = host/cnlt2.ipa.grp
> ldap_sasl_realm = IPA.GRP
> ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
> sudo_provider = ldap
> ldap_uri = ldap://srv.ipa.grp
> krb5_server = srv.ipa.grp

These options belong to the [domain] section, you put them into the [pac] section.

> When I try to use sudo:
>
> user1@clnt:~$ sudo -i user1 vi apt-get update
> [sudo] password for user1:
> Sorry, user user1 is not allowed to execute '/bin/bash -c user1 vi apt-get update' as root on clnt.ipa.grp.
> user1@clnt:~$
> ===
>
> On 28-08-2014 17:21, Jakub Hrozek wrote:
>> On Thu, Aug 28, 2014 at 02:53:35PM +0300, Tevfik Ceydeliler wrote:
>>> After configuration, for example, I try to create a policy about the sudo command, let's say I want to run the apt-get command by sudo as client. How can I use it on the client side? Any example?
>> I still don't understand what you mean, did you check out the 'ipa sudorule-add-runasuser' command?
>
> The information contained in this e-mail and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed and Yasar Group Companies do not accept legal responsibility for the contents. If you are not the intended recipient, please immediately notify the sender and delete it from your system.
Re: [Freeipa-users] How to use sudo rules on ubuntu
Ok, sorry.

On 29-08-2014 11:27, Jakub Hrozek wrote:
> Please keep the freeipa-users list in the CC list; other users might run into the same problem.
Re: [Freeipa-users] How to use sudo rules on ubuntu
I moved these configuration lines under the [domain] section. Then rebooted the client. But same result..

On 29-08-2014 11:27, Jakub Hrozek wrote:
> These options belong to the [domain] section, you put them into the [pac] section.
Re: [Freeipa-users] How to use sudo rules on ubuntu
On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote:
> I moved these configuration lines under the [domain] section. Then rebooted the client. But same result..

Please make sure libsss_sudo is installed. If it is, then we need to see the logs from the [sudo] and [domain] sections of sssd.conf.
[Freeipa-users] GSSAPIAuthentication setting in /etc/sshd_config?
Does this really need to be set to yes in /etc/sshd_config? I've looked through the documentation and it only seems to say this for HP-UX and AIX. We're running freeipa 3.3.5-1 and are seeing some slow logins via ssh that some users have reported speed up markedly when this setting is toggled to no. Before I make any wholesale change recommendations, I wanted to check on this.

Thanks!

--
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
Re: [Freeipa-users] GSSAPIAuthentication setting in /etc/sshd_config?
On Fri, 2014-08-29 at 08:31 -0400, Bret Wortman wrote:
> Does this really need to be set to yes in /etc/sshd_config? I've looked through the documentation and it only seems to say this for HP-UX and AIX.

If you want to do SSO login (ie passwordless) you need that on.

> We're running freeipa 3.3.5-1 and are seeing some slow logins via ssh that some users have reported speed up markedly when this setting is toggled to no. Before I make any wholesale change recommendations, I wanted to check on this.

Users may fail to name the server properly, or servers may not have keytabs. What I suggest is for users to add exceptions in their .ssh/config so that their client skips trying SSO auth for hosts that are known to fail to provide it. Something like:

Host fails.example.com
    User root
    GSSAPIAuthentication no

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] How to use sudo rules on ubuntu
This package is installed:

root@clnt:/home/awtadm# apt-get install libsss-sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
libsss-sudo is already the newest version.
libsss-sudo set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.

sssd_sudo and sssd_domain logs are empty under /var/log/sssd

On 29-08-2014 14:23, Jakub Hrozek wrote:
> On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote:
>> I moved these configuration lines under the [domain] section. Then rebooted the client. But same result..
>
> Please make sure libsss_sudo is installed. If it is, then we need to see the logs from the [sudo] and [domain] sections of sssd.conf.
Re: [Freeipa-users] How to use sudo rules on ubuntu
On Fri, Aug 29, 2014 at 03:45:38PM +0300, Tevfik Ceydeliler wrote:
> This package is installed:
>
> root@clnt:/home/awtadm# apt-get install libsss-sudo
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> libsss-sudo is already the newest version.
> libsss-sudo set to manually installed.
> 0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
>
> sssd_sudo and sssd_domain logs are empty under /var/log/sssd

You need to put debug_level=N into the [sssd] and [domain] sections, restart sssd, then you'll have some logs. We only log critical failures by default. 6 is a good start for the log level usually.

> On 29-08-2014 14:23, Jakub Hrozek wrote:
>> On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote:
>>> I moved these configuration lines under the [domain] section. Then rebooted the client. But same result..
>>
>> Please make sure libsss_sudo is installed. If it is, then we need to see the logs from the [sudo] and [domain] sections of sssd.conf.
Re: [Freeipa-users] How to use sudo rules on ubuntu
On Fri, Aug 29, 2014 at 03:07:08PM +0200, Jakub Hrozek wrote:
> On Fri, Aug 29, 2014 at 03:45:38PM +0300, Tevfik Ceydeliler wrote:
>> This package is installed:
>>
>> root@clnt:/home/awtadm# apt-get install libsss-sudo
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> libsss-sudo is already the newest version.
>> libsss-sudo set to manually installed.
>> 0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
>>
>> sssd_sudo and sssd_domain logs are empty under /var/log/sssd
>
> You need to put debug_level=N into the [sssd] and [domain] sections,

Sorry, I meant to say [sudo] and [domain] sections.

> restart sssd, then you'll have some logs. We only log critical failures by default. 6 is a good start for the log level usually.
>
>> On 29-08-2014 14:23, Jakub Hrozek wrote:
>>> On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote:
>>>> I moved these configuration lines under the [domain] section. Then rebooted the client. But same result..
>>>
>>> Please make sure libsss_sudo is installed. If it is, then we need to see the logs from the [sudo] and [domain] sections of sssd.conf.
Re: [Freeipa-users] How to use sudo rules on ubuntu
On (28/08/14 14:15), Tevfik Ceydeliler wrote:
> Hi,
> I am trying to apply sudo policies on an ubuntu client. Are there any examples of how to apply it?
> Regards...

You may be interested in this presentation.
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

LS
Re: [Freeipa-users] How to use sudo rules on ubuntu
Thanks for the document. I know this. I think there is no problem with the configuration generally. Maybe some niche details. The problem is why it doesn't work in my test env.

On 29-08-2014 16:44, Lukas Slebodnik wrote:
> On (28/08/14 14:15), Tevfik Ceydeliler wrote:
>> Hi,
>> I am trying to apply sudo policies on an ubuntu client. Are there any examples of how to apply it?
>> Regards...
>
> You may be interested in this presentation.
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
> LS
Re: [Freeipa-users] How to use sudo rules on ubuntu
On (29/08/14 17:37), Tevfik Ceydeliler wrote:
> Thanks for the document. I know this. I think there is no problem with the configuration generally. Maybe some niche details. The problem is why it doesn't work in my test env.

Could you write more details about the version of sssd, sudo? Which ubuntu release do you use? ...

LS
[Freeipa-users] IPA, Multiple Backends
I'm doing some testing to integrate FreeIPA into my environment. I need to set up two domains in sssd.conf; one is my fresh install of IPA, and the other is our legacy LDAP environment. I want to use IPA for ssh logins to servers. I want to be able to grant/deny SSH access through IPA. However, I still need the legacy LDAP connected to ensure our servers still see the same file level permissions in their content directories.

I added two domains to SSSD (config below), and it works fine as far as seeing all accounts and groups. My problem is, SSSD is now allowing SSH access from both IPA and from LDAP. I don't want users in our legacy LDAP environment to be able to login to servers. Is there a way to say "allow SSH from this domain, and disallow SSH from this other domain"?

Sanitized version of my sssd.conf:

[domain/newipa.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newipa.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.newipa.com
chpass_provider = ipa
ipa_server = _srv_, ipaserver.newipa.com
ldap_tls_cacert = /etc/ipa/ca.crt

[domain/oldldap.com]
#legacy LDAP
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=oldldap,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldapserver.oldldap.com
#ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = newipa.com, oldldap.com

Thanks.
Re: [Freeipa-users] IPA, Multiple Backends
On 29 Aug 2014, at 18:33, Kyle Flavin <kyle.fla...@gmail.com> wrote:
> I'm doing some testing to integrate FreeIPA into my environment. I need to set up two domains in sssd.conf; one is my fresh install of IPA, and the other is our legacy LDAP environment. I want to use IPA for ssh logins to servers. I want to be able to grant/deny SSH access through IPA. However, I still need the legacy LDAP connected to ensure our servers still see the same file level permissions in their content directories.
>
> I added two domains to SSSD (config below), and it works fine as far as seeing all accounts and groups. My problem is, SSSD is now allowing SSH access from both IPA and from LDAP. I don't want users in our legacy LDAP environment to be able to login to servers. Is there a way to say "allow SSH from this domain, and disallow SSH from this other domain"?

Can you try auth_provider=none in the domain that is not supposed to authenticate?
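Two of the threads above come down to sssd.conf mistakes that are easy to catch mechanically: sudo/LDAP provider options placed under [pac] instead of [domain/...], logs that stay empty because debug_level is unset, and a secondary identity domain that should only resolve users but still has an auth_provider. The following Python linter is an added example written for this page, not SSSD's or FreeIPA's own tooling; the option names it checks are real SSSD options, but the list of domain-only options is a hand-picked subset and the sample configuration is constructed for the example.

```python
"""Small sssd.conf linter (added example, not SSSD/FreeIPA code).

Reports:
  1. domain-only options found outside a [domain/...] section;
  2. domains that can still authenticate users (auth_provider != none);
  3. [sudo] and [domain/...] sections without a debug_level.
"""
import configparser

# Assumption: a hand-picked subset of SSSD options that only make sense in a
# [domain/...] section; real deployments would extend this list.
DOMAIN_ONLY_OPTIONS = {
    "sudo_provider", "ldap_sudo_search_base", "ldap_netgroup_search_base",
    "ldap_uri", "ldap_sasl_mech", "ldap_sasl_authid", "ldap_sasl_realm",
    "krb5_server", "id_provider", "auth_provider", "access_provider",
}


def parse_sssd_conf(text):
    """sssd.conf is INI-like, so the standard library parser is enough."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def misplaced_options(cp):
    """(section, option) pairs for domain-only options in non-domain sections."""
    found = []
    for section in cp.sections():
        if section.startswith("domain/"):
            continue
        for opt in cp.options(section):
            if opt in DOMAIN_ONLY_OPTIONS:
                found.append((section, opt))
    return found


def authenticating_domains(cp):
    """Domain names whose auth_provider is anything other than 'none'.

    SSSD falls back to the id_provider when auth_provider is unset, so an
    unset value is treated as 'can authenticate'."""
    result = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        auth = cp.get(section, "auth_provider",
                      fallback=cp.get(section, "id_provider", fallback=""))
        if auth.strip().lower() != "none":
            result.append(section[len("domain/"):])
    return result


def sections_without_debug_level(cp):
    """[sudo] and [domain/...] sections that will only log critical failures."""
    return [s for s in cp.sections()
            if (s == "sudo" or s.startswith("domain/"))
            and not cp.has_option(s, "debug_level")]


def lint(text):
    cp = parse_sssd_conf(text)
    return {
        "misplaced": misplaced_options(cp),
        "authenticating_domains": authenticating_domains(cp),
        "no_debug_level": sections_without_debug_level(cp),
    }


# Constructed sample: an IPA domain, a lookup-only legacy LDAP domain, and
# sudo options mistakenly placed under [pac].
SAMPLE_CONF = """\
[domain/ipa.grp]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, srv.ipa.grp

[domain/oldldap.com]
id_provider = ldap
auth_provider = none
ldap_search_base = dc=oldldap,dc=com

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp, oldldap.com

[sudo]
debug_level = 6

[pac]
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=grp
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for key, value in lint(text).items():
        print(f"{key}: {value}")
```

Run it with a path to an sssd.conf to check a real client, or with no arguments to lint the built-in sample. On the sample it reports the two sudo options under [pac], lists ipa.grp as the only domain that can authenticate, and flags both domain sections for a missing debug_level.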
[Freeipa-users] IPA user can't authenticate with sssd
Hi,
I have configured IPA (ipa-client-2.1.3-7.el5), but the problem is that I can connect with kerberos from another client but I can't login to the client directly, and I get the error below:

pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.211.166 user=

Please help me if you can, I'm under pressure to fix it :(
My OS is centos 5.8 and the kernel is 2.6.18-348.16.1
Re: [Freeipa-users] IPA, Multiple Backends
Hi Jacob,
I'll give that a try shortly, and update with the result.

On Fri, Aug 29, 2014 at 9:43 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> Can you try auth_provider=none in the domain that is not supposed to authenticate?
Re: [Freeipa-users] IPA, Multiple Backends
That's doing what I need! Thank you.

On Fri, Aug 29, 2014 at 9:57 AM, Kyle Flavin <kyle.fla...@gmail.com> wrote:
> Hi Jacob,
> I'll give that a try shortly, and update with the result.
>
> On Fri, Aug 29, 2014 at 9:43 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> Can you try auth_provider=none in the domain that is not supposed to authenticate?
[Freeipa-users] FreeIPA bind also-notify behavior.
Hi Everyone!

I am using FreeIPA 3.3.5 on Fedora 20 and attempting to configure FreeIPA to send notifies to non-IPA slaves, but it seems broken on IPA (notify packets are never sent to slaves). I have configured also-notify { nameserverip; }; in named.conf on my FreeIPA test host in the options section and watched for notify traffic with tcpdump.

This document suggests that this is supported, and this is something I have used in non-IPA bind servers with no issues.
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer

I wanted to ask the list before I file a bug with more details. Is anyone using this bind feature on IPA with any success?

Thanks!
Matt