Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Jakub Hrozek
On Thu, Jul 30, 2015 at 07:09:47PM +0700, Dewangga Bachrul Alam wrote:
 Hello Jakub!
 
 Sorry for the delayed email.
 My bad, I disabled cache_credentials, not sssd_cache.

Then I think it's completely unrelated to the sudo rules problem.

 
 I tried modifying my user `dewangga` to remove the sudo rules; the cache
 is still active even after I restart the sssd service and delete all ccache* files.

Yes, the cache can't be completely disabled with sssd. See:
https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/

 
 There's no information in the sssd log folder.
 
 -rw-------. 1 root root    0 Jul 29 19:26 krb5_child.log
 -rw-------. 1 root root 105K Jul 30 04:49 ldap_child.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_nss.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_pac.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_pam.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_ssh.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_sudo.log
 
 
 On 07/30/2015 02:33 PM, Jakub Hrozek wrote:
  On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
  Hello!
 
  I set the cache value to False in sssd.conf (on the IPA server and client).
  
  Can you show me the exact config directive you used?
  
 
  On Thursday, July 30, 2015, Jakub Hrozek jhro...@redhat.com wrote:
 
  On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Hello!
 
  Thanks for the hints, both of you; yes, the sssd_cache is in play.
  I've set the cache to false; does it have any impact on the IPA
  server/client (performance, security or another issue)?
 
  How exactly did you 'disable' the cache? The sssd cache can't be
  disabled; it can either be removed manually or the cache lifetime can be
  set short.
 
 
 
 
  -- 
  Sent from iDewangga Device

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Dewangga Bachrul Alam
Hello Jakub!

Sorry for the delayed email.
My bad, I disabled cache_credentials, not sssd_cache.

I tried modifying my user `dewangga` to remove the sudo rules; the cache
is still active even after I restart the sssd service and delete all ccache* files.

There's no information in the sssd log folder.

-rw-------. 1 root root    0 Jul 29 19:26 krb5_child.log
-rw-------. 1 root root 105K Jul 30 04:49 ldap_child.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_nss.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_pac.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_pam.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_ssh.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_sudo.log


On 07/30/2015 02:33 PM, Jakub Hrozek wrote:
 On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
 Hello!

 I set the cache value to False in sssd.conf (on the IPA server and client).
 
 Can you show me the exact config directive you used?
 

 On Thursday, July 30, 2015, Jakub Hrozek jhro...@redhat.com wrote:

 On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Hello!

 Thanks for the hints, both of you; yes, the sssd_cache is in play.
 I've set the cache to false; does it have any impact on the IPA
 server/client (performance, security or another issue)?

 How exactly did you 'disable' the cache? The sssd cache can't be
 disabled; it can either be removed manually or the cache lifetime can be
 set short.




 -- 
 Sent from iDewangga Device



Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-07-30 Thread Guillermo Fuentes
On Wed, Jul 29, 2015 at 11:25 AM, Lukas Slebodnik lsleb...@redhat.com wrote:
 On (29/07/15 10:52), Guillermo Fuentes wrote:
Thanks so much for the info David!
We're using the latest version available via EPEL, which is 10.1.2.

 pki-core is not available in epel7
 https://admin.fedoraproject.org/pkgdb/package/pki-core/

 So you have the latest version from base CentOS 7.1.
 CentOS rebuilds the RHEL packages, so you will need
 to wait for CentOS 7.2 for an update.
Thanks for clarifying this.


List, any idea where to grab pki 10.2.6 for CentOS 7? Source or binary
would be fine. Or, if it isn't available, where can I start
contributing to the port of pki 10.2.6 to CentOS 7?

 You might try to backport pki-core from Fedora.
 Good luck.

 LS

Best,
Guillermo



Re: [Freeipa-users] ipa-replica-prepare error

2015-07-30 Thread Orion Poplawski
On 07/28/2015 11:09 PM, Jan Cholasta wrote:
 Dne 20.7.2015 v 19:52 Orion Poplawski napsal(a):
 On 07/20/2015 12:57 AM, Jan Cholasta wrote:
 Dne 15.7.2015 v 20:57 Orion Poplawski napsal(a):
 On 07/14/2015 11:53 PM, Jan Cholasta wrote:

   # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
 --dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX

 Directory Manager (existing master) password:

 (SEC_ERROR_LIBRARY_FAILURE) security library failure.

I was able to debug this in gdb and tracked it down to a low entropy
condition.  Details noted in https://fedorahosted.org/freeipa/ticket/5117.
Looks like prng_instantiate is being called 2-3 times and there just isn't
enough entropy:


Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 <theGlobalRng>,
bytes=bytes@entry=0x7fffc220 "\304(\336\350F8\375㨟\177\325\017+\302
\230\e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324\263",
len=110) at drbg.c:160
160	    if (len < PRNG_SEEDLEN) {
1: len = 110
(gdb) c
Continuing.

Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 <testContext>,
bytes=bytes@entry=0x2153b70
"\216\234\r%u\\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002",
len=len@entry=32) at drbg.c:160
160	    if (len < PRNG_SEEDLEN) {
1: len = 32

PRNG_SEEDLEN is 55 I think.

-- 
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com


Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Dewangga Bachrul Alam
Hello!

I don't know where to start tracking down this issue. I found
something else interesting.

1. Set `global_policy` password expired (both min and max) to 0 (zero)
2. Add user called `dummy`
3. Set global_policy password expired min (1) and max (90).
4. Add user called `dummy2`

Both users dummy and dummy2 have the same password expiration :D
This problem is the same as with assigning sudo/group to a user.

I set debug_level = 7 in the following sections of sssd.conf:

[domain/mydomain.co.id]
.. debug_level = 7 ..

[sssd]
.. debug_level = 7 ..

[sudo]
.. debug_level = 7 ..

I didn't find any related information about the 4 steps above.

On 07/30/2015 08:54 PM, Jakub Hrozek wrote:
 On Thu, Jul 30, 2015 at 07:09:47PM +0700, Dewangga Bachrul Alam wrote:
 Hello Jakub!

 Sorry for the delayed email.
 My bad, I disabled cache_credentials, not sssd_cache.
 
 Then I think it's completely unrelated to the sudo rules problem.
 

 I tried modifying my user `dewangga` to remove the sudo rules; the cache
 is still active even after I restart the sssd service and delete all ccache* files.
 
 Yes, the cache can't be completely disabled with sssd. See:
 https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
 

 There's no information in the sssd log folder.

 -rw-------. 1 root root    0 Jul 29 19:26 krb5_child.log
 -rw-------. 1 root root 105K Jul 30 04:49 ldap_child.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_nss.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_pac.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_pam.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_ssh.log
 -rw-------. 1 root root    0 Jul 29 19:26 sssd_sudo.log


 On 07/30/2015 02:33 PM, Jakub Hrozek wrote:
 On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
 Hello!

 I set the cache value to False in sssd.conf (on the IPA server and client).

 Can you show me the exact config directive you used?


 On Thursday, July 30, 2015, Jakub Hrozek jhro...@redhat.com wrote:

 On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Hello!

 Thanks for the hints, both of you; yes, the sssd_cache is in play.
 I've set the cache to false; does it have any impact on the IPA
 server/client (performance, security or another issue)?

 How exactly did you 'disable' the cache? The sssd cache can't be
 disabled; it can either be removed manually or the cache lifetime can be
 set short.




 -- 
 Sent from iDewangga Device



Re: [Freeipa-users] ipa-replica-prepare error

2015-07-30 Thread Jan Cholasta

Dne 30.7.2015 v 17:28 Orion Poplawski napsal(a):

On 07/28/2015 11:09 PM, Jan Cholasta wrote:

Dne 20.7.2015 v 19:52 Orion Poplawski napsal(a):

On 07/20/2015 12:57 AM, Jan Cholasta wrote:

Dne 15.7.2015 v 20:57 Orion Poplawski napsal(a):

On 07/14/2015 11:53 PM, Jan Cholasta wrote:


   # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX


Directory Manager (existing master) password:

(SEC_ERROR_LIBRARY_FAILURE) security library failure.


I was able to debug this in gdb and tracked it down to a low entropy
condition.  Details noted in https://fedorahosted.org/freeipa/ticket/5117.
Looks like prng_instantiate is being called 2-3 times and there just isn't
enough entropy:


Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 <theGlobalRng>,
 bytes=bytes@entry=0x7fffc220 "\304(\336\350F8\375㨟\177\325\017+\302
\230\e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324\263",
len=110) at drbg.c:160
160	    if (len < PRNG_SEEDLEN) {
1: len = 110
(gdb) c
Continuing.

Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 <testContext>,
 bytes=bytes@entry=0x2153b70
"\216\234\r%u\\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002",
len=len@entry=32) at drbg.c:160
160	    if (len < PRNG_SEEDLEN) {
1: len = 32

PRNG_SEEDLEN is 55 I think.



I wouldn't have thought that this might be the cause.

Thank you for the investigation!

--
Jan Cholasta

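Added example for the two messages above (not code from the thread, NSS or FreeIPA): a small reader for the gdb trace of prng_instantiate() hits that flags every call whose seed is shorter than PRNG_SEEDLEN, the comparison at drbg.c:160 that Orion was watching, plus a pre-flight check of the kernel's entropy estimate that can be run before ipa-replica-prepare on a freshly provisioned host. PRNG_SEEDLEN = 55 is the value Orion recalled (NSS defines it as 440 bits / 8); the pre-flight threshold of one full seed's worth of bits is an assumption for illustration, not a documented requirement, and the embedded trace is constructed from the two breakpoint hits quoted above with the byte dumps shortened.

```python
"""Read a gdb trace of NSS prng_instantiate() hits and flag the calls whose
seed is shorter than PRNG_SEEDLEN, plus a pre-flight entropy check.

Added example, not code from the thread, NSS or FreeIPA.
"""
import re

PRNG_SEEDLEN = 55  # bytes; NSS drbg.c defines it as 440 bits / 8

# Constructed from the two breakpoint hits quoted in the thread; the byte
# dumps between bytes= and len= are shortened to "...".
GDB_TRACE = """\
Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 <theGlobalRng>,
bytes=bytes@entry=0x7fffc220 "...",
len=110) at drbg.c:160
160         if (len < PRNG_SEEDLEN) {
1: len = 110
(gdb) c
Continuing.

Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 <testContext>,
bytes=bytes@entry=0x2153b70 "...",
len=len@entry=32) at drbg.c:160
160         if (len < PRNG_SEEDLEN) {
1: len = 32
"""

# One hit: the context pointer (optionally prefixed rng@entry=), the symbol
# gdb prints in <...> (the brackets are optional so a copy with them
# stripped by an HTML archive still parses), then whatever the byte dump
# is, then len=N). re.S lets .*? span a wrapped byte dump.
HIT_RE = re.compile(
    r"prng_instantiate \(rng=(?:rng@entry=)?(0x[0-9a-f]+) <?(\w+)>?,"
    r".*?len=(?:len@entry=)?(\d+)\)",
    re.S,
)


def seed_calls(trace, seedlen=PRNG_SEEDLEN):
    """Return [(context, seed_len, short)] for each prng_instantiate hit;
    short is True when len < seedlen, i.e. the failing branch at
    drbg.c:160 is taken for that call."""
    hits = []
    for m in HIT_RE.finditer(trace):
        context, seed_len = m.group(2), int(m.group(3))
        hits.append((context, seed_len, seed_len < seedlen))
    return hits


def short_seed_contexts(trace, seedlen=PRNG_SEEDLEN):
    """Names of the RNG contexts that were instantiated with too little seed."""
    return [ctx for ctx, _, short in seed_calls(trace, seedlen) if short]


def entropy_preflight(entropy_avail_bits, seedlen=PRNG_SEEDLEN):
    """True when the kernel pool reports at least one full DRBG seed's worth
    of entropy (assumed threshold, 440 bits). Feed it the number from
    /proc/sys/kernel/random/entropy_avail before running ipa-replica-prepare."""
    return entropy_avail_bits >= seedlen * 8


def read_entropy_avail(path="/proc/sys/kernel/random/entropy_avail"):
    """Read the kernel's entropy estimate in bits; None when unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for ctx, n, short in seed_calls(GDB_TRACE):
        print("%-14s len=%3d  %s" % (ctx, n, "SHORT" if short else "ok"))
    bits = read_entropy_avail()
    if bits is not None:
        verdict = "ok" if entropy_preflight(bits) else "LOW"
        print("entropy_avail=%d bits -> %s" % (bits, verdict))
```

Run against the trace above it reports theGlobalRng (len=110) as ok and testContext (len=32) as short; on a live host it also prints the current entropy_avail reading, which is the number worth checking on a VM before starting the replica preparation.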

Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Jakub Hrozek
On Thu, Jul 30, 2015 at 09:50:23PM +0700, Dewangga Bachrul Alam wrote:
 Hello!
 
 I don't know where to start tracking down this issue. I found
 something else interesting.
 
 1. Set `global_policy` password expired (both min and max) to 0 (zero)
 2. Add user called `dummy`
 3. Set global_policy password expired min (1) and max (90).
 4. Add user called `dummy2`
 
 Both users dummy and dummy2 have the same password expiration :D
 This problem is the same as with assigning sudo/group to a user.
 
 I set debug_level = 7 in the following sections of sssd.conf:
 
 [domain/mydomain.co.id]
 .. debug_level = 7 ..
 
 [sssd]
 .. debug_level = 7 ..
 
 [sudo]
 .. debug_level = 7 ..
 
 I didn't find any related information about the 4 steps above.

I'm sorry, but I'm getting a bit confused about what is and what is not
the problem. Can we take a step back and see what works in your
environment and what does not?

Can you describe the workflow?



Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread NitrouZ
Thanks Martin,

Yes, it is for testing only; when the ipa server is ready for production, I
will enable the cache.

Once again, thank you.

On Thursday, July 30, 2015, Martin Kosek mko...@redhat.com wrote:

 On 07/29/2015 05:03 PM, Dewangga wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Hello!

 Thanks for the hints, both of you; yes, the sssd_cache is in play.


 Good!

 I've set the cache to false; does it have any impact on the IPA
 server/client (performance, security or another issue)?


 Disabling the cache for testing is fine; it is not that fine for a production
 environment. Without the cache enabled, SSSD would always ask the server, so it
 would have a performance impact, yes.

 It should not be visible with a couple of clients, but once you work with a big
 network, it will.

 On 7/29/2015 21:39, Jakub Hrozek wrote:

 On Wed, Jul 29, 2015 at 04:32:42PM +0200, Martin Kosek wrote:

 On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote:

 Hello!

 I'm using FreeIPA 4.1.x on CentOS 7. Is there any delay after
 applying some rules to a specified user?

 [root@ipa ~]# ipa sudorule-show
 Rule name: wheel
   Rule name: Wheel
   Enabled: TRUE
   Host category: all
   Command category: all
   RunAs User category: all
   RunAs Group category: all
   Sudo order: 1
   Users: dewangga
   User Groups: wheel
   Sudo Option: !authenticate


 On the ipa-client, user `dewangga` is asked for a password when
 executing the command `sudo -l`:

 [dewangga@sherief-repository ~]$ sudo -l
 [sudo] password for dewangga:

 Here is the `ipa user-show dewangga` result:

 $ ipa user-show dewangga
   User login: dewangga
   First name: Dewangga
   Last name: Alam
   Home directory: /home/dewangga
   Login shell: /bin/bash
   Email address: [removed]
   UID: 64201
   GID: 64201
   Account disabled: False
   Password: False
   Member of groups: wheel
   Member of Sudo rule: Wheel
   Kerberos keys available: False
   SSH public key fingerprint: [removed] mahaesa-key (ssh-rsa)

 Any help is appreciated. Thanks


 I suspect that the SSSD cache is in play. You can try to remove it
 (man sss_cache, or remove it manually: stop sssd, remove
 /var/lib/sss/db/* and start sssd again).


 I think restarting SSSD should help here. You can read about the types of
 sudo refreshes sssd does in man sssd-sudo.

 If it doesn't, we need sssd logs.

 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2.0.17 (MingW32)

 iQEcBAEBAgAGBQJVuOsyAAoJEF1+odKB6YIxN8YH+gLezNhWVzS8UDipFM7cBR5b
 xxj7M0rnkemHlvTVx5tzDkibTDzc3zLlcqX36EtdFWCp4N4uTvchnEbhzilcYW/T
 kRCAbLtHndhknx8U+eNrKw3EtrErSaDYjADboqqjyuiUfG7xaHwsomqje2F0PvFf
 c8wOkLxg1eLAZH3zTnZpHxW1PVx4Tdb+7RjwAEr4YFHoDhpe/k422H74ji2wPe3X
 5MYJSbtxEra5qfDGsFN9nRKZkVPf/useSlBVH/mtonpT2YYTkdOIJqRaZw1xAG2V
 Dmuo4dIeZseKDg79easC2AeRtjckvjBo1NPJ4zfBtL8TJ9MZmpScOSh/zCF5miM=
 =cKjO
 -END PGP SIGNATURE-




-- 
Sent from iDewangga Device

Re: [Freeipa-users] ipa-dnskeysyncd exited on failure state

2015-07-30 Thread Martin Basti

On 30/07/15 00:18, Dewangga wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello!

I got many error messages from ipa-dnskeysyncd. Here is the snippet
from syslog: http://fpaste.org/249594/20746714/raw

Is it normal? I just restarted the ipa server and it went back to
normal again, but the error comes at random times. Is there any debug log for this?

I assume the error appeared when I updated to 4.1.4 from 4.1.0.

IPA Environment:
$ uname -a
Linux ipa.mydomain.co.id 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23
22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ ipa --version
VERSION: 4.1.4, API_VERSION: 2.114

[1] Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1229430
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJVuVE3AAoJEF1+odKB6YIxBkYIALEqaRmaLvIrjMxVDejlnLIh
+agqF9xVsAzBtA6ppJd5HZLNoS5QSicb0/ymi3jdH/qNnPO8OB/Id66/4FOYT1co
D8gkNRheUOIjuQU834J5Gyuc5IMTOakfo4/gF5Zjp2wogmj3I4aCTLdJhG6TRDqs
g2+rTIPQWs6GtbDS/vfuAYmJx8cz+Wt6NBgseGFshId3d6mEmUEv16XiSKulxeZs
2uqaGc967/XLQ7CXT8O8kfjDPFGejpqwQc9WNRLRqRbmLUy7Oz8h04QuBTdZLGwE
Q4Wn2IPAyCGQ2nEOp/3jbl6OiJK9OBWiW3r9tmX3ZExndpTXJI5YQAW6etvHjsY=
=OTU3
-END PGP SIGNATURE-


Hello,

all logs from ipa-dnskeysyncd are stored in journalctl -u ipa-dnskeysyncd

This error, or an LDAP error, may appear during restart, but it should not 
happen often.


Is your KDC working well?

If you do not use DNSSEC you may safely ignore this error.

--
Martin Basti



Re: [Freeipa-users] ipa-dnskeysyncd exited on failure state

2015-07-30 Thread NitrouZ
Hello!

Yes, my KDC is working well and all functions are OK. Just curious about this
error.

And currently I'm not using DNSSEC.
Thanks

On Thursday, July 30, 2015, Martin Basti mba...@redhat.com wrote:

 On 30/07/15 00:18, Dewangga wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Hello!

 I got many error messages from ipa-dnskeysyncd. Here is the snippet
 from syslog: http://fpaste.org/249594/20746714/raw

 Is it normal? I just restarted the ipa server and it went back to
 normal again, but the error comes at random times. Is there any debug log for this?

 I assume the error appeared when I updated to 4.1.4 from 4.1.0.

 IPA Environment:
 $ uname -a
 Linux ipa.mydomain.co.id 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23
 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 $ ipa --version
 VERSION: 4.1.4, API_VERSION: 2.114

 [1] Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1229430
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2.0.17 (MingW32)

 iQEcBAEBAgAGBQJVuVE3AAoJEF1+odKB6YIxBkYIALEqaRmaLvIrjMxVDejlnLIh
 +agqF9xVsAzBtA6ppJd5HZLNoS5QSicb0/ymi3jdH/qNnPO8OB/Id66/4FOYT1co
 D8gkNRheUOIjuQU834J5Gyuc5IMTOakfo4/gF5Zjp2wogmj3I4aCTLdJhG6TRDqs
 g2+rTIPQWs6GtbDS/vfuAYmJx8cz+Wt6NBgseGFshId3d6mEmUEv16XiSKulxeZs
 2uqaGc967/XLQ7CXT8O8kfjDPFGejpqwQc9WNRLRqRbmLUy7Oz8h04QuBTdZLGwE
 Q4Wn2IPAyCGQ2nEOp/3jbl6OiJK9OBWiW3r9tmX3ZExndpTXJI5YQAW6etvHjsY=
 =OTU3
 -END PGP SIGNATURE-

 Hello,

 all logs from ipa-dnskeysyncd are stored in journalctl -u ipa-dnskeysyncd

 This error, or an LDAP error, may appear during restart, but it should not
 happen often.

 Is your KDC working well?

 If you do not use DNSSEC you may safely ignore this error.

 --
 Martin Basti



-- 
Sent from iDewangga Device

Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Martin Kosek

On 07/29/2015 05:03 PM, Dewangga wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello!

Thanks for the hints, both of you; yes, the sssd_cache is in play.


Good!


I've set the cache to false; does it have any impact on the IPA
server/client (performance, security or another issue)?


Disabling the cache for testing is fine; it is not that fine for a production 
environment. Without the cache enabled, SSSD would always ask the server, so it would 
have a performance impact, yes.


It should not be visible with a couple of clients, but once you work with a big 
network, it will.



On 7/29/2015 21:39, Jakub Hrozek wrote:

On Wed, Jul 29, 2015 at 04:32:42PM +0200, Martin Kosek wrote:

On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote:

Hello!

I'm using FreeIPA 4.1.x on CentOS 7. Is there any delay after
applying some rules to a specified user?

[root@ipa ~]# ipa sudorule-show
Rule name: wheel
  Rule name: Wheel
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Sudo order: 1
  Users: dewangga
  User Groups: wheel
  Sudo Option: !authenticate


On the ipa-client, user `dewangga` is asked for a password when
executing the command `sudo -l`:

[dewangga@sherief-repository ~]$ sudo -l
[sudo] password for dewangga:

Here is the `ipa user-show dewangga` result:

$ ipa user-show dewangga
  User login: dewangga
  First name: Dewangga
  Last name: Alam
  Home directory: /home/dewangga
  Login shell: /bin/bash
  Email address: [removed]
  UID: 64201
  GID: 64201
  Account disabled: False
  Password: False
  Member of groups: wheel
  Member of Sudo rule: Wheel
  Kerberos keys available: False
  SSH public key fingerprint: [removed] mahaesa-key (ssh-rsa)

Any help is appreciated. Thanks


I suspect that the SSSD cache is in play. You can try to remove it
(man sss_cache, or remove it manually: stop sssd, remove
/var/lib/sss/db/* and start sssd again).


I think restarting SSSD should help here. You can read about the types of
sudo refreshes sssd does in man sssd-sudo.

If it doesn't, we need sssd logs.


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJVuOsyAAoJEF1+odKB6YIxN8YH+gLezNhWVzS8UDipFM7cBR5b
xxj7M0rnkemHlvTVx5tzDkibTDzc3zLlcqX36EtdFWCp4N4uTvchnEbhzilcYW/T
kRCAbLtHndhknx8U+eNrKw3EtrErSaDYjADboqqjyuiUfG7xaHwsomqje2F0PvFf
c8wOkLxg1eLAZH3zTnZpHxW1PVx4Tdb+7RjwAEr4YFHoDhpe/k422H74ji2wPe3X
5MYJSbtxEra5qfDGsFN9nRKZkVPf/useSlBVH/mtonpT2YYTkdOIJqRaZw1xAG2V
Dmuo4dIeZseKDg79easC2AeRtjckvjBo1NPJ4zfBtL8TJ9MZmpScOSh/zCF5miM=
=cKjO
-END PGP SIGNATURE-





Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Jakub Hrozek
On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hello!
 
 Thanks for the hints, both of you; yes, the sssd_cache is in play.
 I've set the cache to false; does it have any impact on the IPA
 server/client (performance, security or another issue)?

How exactly did you 'disable' the cache? The sssd cache can't be
disabled; it can either be removed manually or the cache lifetime can be
set short.

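Added example for the cache discussion in this thread (Martin's "remove it with sss_cache or stop sssd and remove /var/lib/sss/db/*", the sudo refresh types in man sssd-sudo, and Jakub's point that the cache can only be shortened, not switched off). It is not code from SSSD, FreeIPA or the posters: it parses an sssd.conf with the stock configparser and reports the knobs that actually bound how long a stale sudo rule or group membership survives on a client. The sssd.conf snippet is constructed (the thread only shows the debug_level lines); the defaults quoted are the ones documented in sssd.conf(5), sssd-ldap(5) and sssd-sudo(5) for the SSSD releases contemporary with FreeIPA 4.1, which is an assumption to check against your own man pages.

```python
"""Report the sssd.conf settings that bound the delay between a change on
the IPA server (a sudo rule, a group membership) and a client seeing it.

Added example; not code from SSSD or FreeIPA and not the poster's file.
"""
import configparser

# Constructed sample: the thread only shows the debug_level lines; the rest
# is what ipa-client-install typically writes plus the poster's
# cache_credentials change.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
domains = mydomain.co.id

[domain/mydomain.co.id]
id_provider = ipa
sudo_provider = ipa
cache_credentials = False
debug_level = 7

[sudo]
debug_level = 7
"""

# Documented defaults in seconds (assumption: SSSD of the FreeIPA 4.1 era).
CACHE_KNOBS = {
    "entry_cache_timeout": 5400,               # user/group entries
    "entry_cache_sudo_timeout": 5400,          # cached sudo rules handed to sudo
    "ldap_sudo_smart_refresh_interval": 900,   # fetch rules modified since last refresh
    "ldap_sudo_full_refresh_interval": 21600,  # re-download all rules, drop deleted ones
}


def effective_cache_settings(conf_text, domain):
    """Return {option: (value, 'configured'|'default')} for one
    [domain/...] section. cache_credentials is included because the thread
    shows it being mistaken for a cache switch: it only controls offline
    password caching and does not shorten how long identities or sudo
    rules stay cached."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = "domain/" + domain
    if not cp.has_section(section):
        raise KeyError("no [%s] section in sssd.conf" % section)
    settings = {}
    for option, default in CACHE_KNOBS.items():
        if cp.has_option(section, option):
            settings[option] = (cp.getint(section, option), "configured")
        else:
            settings[option] = (default, "default")
    if cp.has_option(section, "cache_credentials"):
        settings["cache_credentials"] = (
            cp.getboolean(section, "cache_credentials"), "configured")
    else:
        settings["cache_credentials"] = (False, "default")
    return settings


def propagation_bounds(settings):
    """Worst-case seconds before a client that is never flushed by hand
    picks up (a) an edited rule and (b) a deleted rule. Per sssd-sudo(5)
    the smart refresh only fetches rules modified since the last refresh,
    so a rule that disappeared server-side is only dropped by a full
    refresh."""
    smart = settings["ldap_sudo_smart_refresh_interval"][0]
    full = settings["ldap_sudo_full_refresh_interval"][0]
    return {"edited_rule": smart, "deleted_rule": full}


def report(conf_text, domain):
    """Human-readable summary of the settings and the resulting delays."""
    settings = effective_cache_settings(conf_text, domain)
    lines = ["[domain/%s]" % domain]
    for option, (value, source) in settings.items():
        lines.append("  %-36s %-6s (%s)" % (option, value, source))
    bounds = propagation_bounds(settings)
    lines.append("worst case until an edited rule is seen:  %ds" % bounds["edited_rule"])
    lines.append("worst case until a deleted rule is gone:  %ds" % bounds["deleted_rule"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SSSD_CONF, "mydomain.co.id"))
```

Point it at /etc/sssd/sssd.conf on a client and the output makes the delay in the thread concrete: with nothing configured, an edited rule can take up to 15 minutes and a deleted one up to 6 hours to reach the client, and cache_credentials = False changes neither number, which is why flushing with sss_cache or removing /var/lib/sss/db/* remains the only immediate remedy.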


Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread NitrouZ
Hello!

I set the cache value to False in sssd.conf (on the IPA server and client).

On Thursday, July 30, 2015, Jakub Hrozek jhro...@redhat.com wrote:

 On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Hello!
 
  Thanks for the hints, both of you; yes, the sssd_cache is in play.
  I've set the cache to false; does it have any impact on the IPA
  server/client (performance, security or another issue)?

 How exactly did you 'disable' the cache? The sssd cache can't be
 disabled; it can either be removed manually or the cache lifetime can be
 set short.




-- 
Sent from iDewangga Device

[Freeipa-users] Setting up Active Directory trusts in a secure environment

2015-07-30 Thread Dan Mossor

Greetings, folks.

So, I've been fighting with getting a trust set up between FreeIPA 4.1 
on CentOS 7.1 and Windows Server 2008r2 for nearly a week. Today I 
finally came to a conclusion as to what my issue is.


I operate a secure network in which we have configuration guidelines for 
securing Windows that we have to meet in order to receive what's known 
as an Authority to Operate, or ATO. A lot of this configuration is 
done in the Global Policies.


Today I stumbled across one error buried in the Windows Security event 
log, and when correlated with the errors I was seeing from FreeIPA it led 
me to our policy. The error that popped up in the event log was "The 
user has not been granted the requested logon type at this machine." The 
logon type was 3, which is network, and the Logon Process and 
Authorization Package were both Kerberos.


Cross referenced with the error on the IPA server:
WARNING: Search on AD DC WINSRV.ad.domain.net:3268 failed with: 
Insufficient access: 8009030C: LdapErr: DSID-0C0904DC, comment: 
AcceptSecurityContext error, data 569, v1db1 Invalid Credentials


Digging into our Domain Controller policy, I found that "Access this 
computer from the network" is restricted to Domain Users, Domain 
Controllers, Domain Computers, Domain Admins, and 
BUILTIN\Administrators. I attempted to add a context that would allow 
the IPA server to log on, and got so far through the wizard that it let 
me select the trusted domain to search and returned a list of security 
contexts, but when I attempted to add one (Authenticated Users), I 
received the error that it couldn't be found because the server was 
inaccessible. I saw no errors on the IPA side during this transaction.


So, to those of y'all that operate in secure environments, what trick do 
you use to fully integrate IPA and Active Directory?


--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

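Added example for the bind error Dan quotes above (not code from FreeIPA or from the thread): the "data NNN" field in an AD bind failure is the Win32 system error code in hex, and 0x569 is ERROR_LOGON_TYPE_NOT_GRANTED (1385), which is the same condition as the event-log message he found; 0x8009030C is the SSPI status SEC_E_LOGON_DENIED. The decoder below parses that diagnostic line, names the code and says whether the fix belongs on the credential side, the account side, or in the user-rights policy on the domain controller. The table holds the commonly seen codes; the sample line is constructed from the message quoted above, and the "where to fix" hints are the author's triage convention rather than anything FreeIPA or Windows reports.

```python
"""Decode the "data NNN" field of an Active Directory bind failure and
classify it so the fix lands in the right place.

Added example, not code from FreeIPA or the thread.
"""
import re

# Win32 error codes that AD DCs surface after "data" in the LDAP bind
# diagnostic message, keyed by the hex value as printed.
AD_BIND_DATA = {
    0x525: ("ERROR_NO_SUCH_USER", "user not found", "credential"),
    0x52E: ("ERROR_LOGON_FAILURE", "invalid credentials", "credential"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "logon not permitted at this time", "policy"),
    0x531: ("ERROR_INVALID_WORKSTATION", "logon not permitted from this workstation", "policy"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired", "account-state"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled", "account-state"),
    0x569: ("ERROR_LOGON_TYPE_NOT_GRANTED", "requested logon type not granted on this machine", "policy"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired", "account-state"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "password must be changed at next logon", "account-state"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out", "account-state"),
}

# SSPI status that precedes the LdapErr block.
SSPI_STATUS = {0x8009030C: "SEC_E_LOGON_DENIED"}

# Author's triage hints (not a Windows or FreeIPA message).
FIX_HINT = {
    "credential": "trust/keytab material on the IPA side",
    "policy": "user rights assignment in the DC's policy, e.g. 'Access this computer from the network'",
    "account-state": "the state of the account on the AD side",
    "unknown": "look the code up; not in the local table",
}

DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)

# Constructed from the warning quoted in the thread.
SAMPLE = (
    "WARNING: Search on AD DC WINSRV.ad.domain.net:3268 failed with: "
    "Insufficient access: 8009030C: LdapErr: DSID-0C0904DC, comment: "
    "AcceptSecurityContext error, data 569, v1db1"
)


def decode_bind_error(line):
    """Parse one diagnostic line; None when it is not an AD bind error."""
    m = DIAG_RE.search(line)
    if not m:
        return None
    data = int(m.group("data"), 16)
    name, meaning, cls = AD_BIND_DATA.get(data, ("UNKNOWN", "no table entry", "unknown"))
    hresult = int(m.group("hresult"), 16)
    return {
        "sspi": SSPI_STATUS.get(hresult, "0x%08X" % hresult),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "win32_name": name,
        "meaning": meaning,
        "fix_where": cls,
        "hint": FIX_HINT[cls],
    }


def triage(line):
    """One-line verdict for a log scan, or None for unrelated lines."""
    d = decode_bind_error(line)
    if d is None:
        return None
    return "%s / data %x = %s (%s): check %s" % (
        d["sspi"], d["data"], d["win32_name"], d["meaning"], d["hint"])


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample line this prints the SEC_E_LOGON_DENIED / ERROR_LOGON_TYPE_NOT_GRANTED verdict with the policy hint, which distinguishes this failure from a wrong trust password (data 52e) that would otherwise produce a similar "Invalid Credentials" wording in the IPA log.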


Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Dewangga Bachrul Alam
Hello!

Sorry for making you confused.

The main problem is the cache on the ipa server/client: how long the cache
remains active and when it refreshes with the correct policy/rules.

Whenever I set the sudo rules or modify another configuration (policy,
etc.), there's always a delay.

And until now, the global_policy still doesn't use the correct configuration.
It's still using the min 0, max 0 configuration (I set this policy
yesterday, and reverted it back to min 1, max 90 yesterday too).

Any hints?

On 07/31/2015 01:47 AM, Jakub Hrozek wrote:
 On Thu, Jul 30, 2015 at 09:50:23PM +0700, Dewangga Bachrul Alam wrote:
 Hello!

 I don't know where to start tracking down this issue. I found
 something else interesting.

 1. Set `global_policy` password expired (both min and max) to 0 (zero)
 2. Add user called `dummy`
 3. Set global_policy password expired min (1) and max (90).
 4. Add user called `dummy2`

 Both users dummy and dummy2 have the same password expiration :D
 This problem is the same as with assigning sudo/group to a user.

 I set debug_level = 7 in the following sections of sssd.conf:

 [domain/mydomain.co.id]
 .. debug_level = 7 ..

 [sssd]
 .. debug_level = 7 ..

 [sudo]
 .. debug_level = 7 ..

 I didn't find any related information about the 4 steps above.
 
 I'm sorry, but I'm getting a bit confused about what is and what is not
 the problem. Can we take a step back and see what works in your
 environment and what does not?
 
 Can you describe the workflow?
 
