Re: [Freeipa-users] IPA, autofs, kerberos

2015-12-11 Thread Cal Sawyer

Hi

Let me update that last post.  After setting authrequired=no in
/etc/autofs_ldap_auth.conf, automount comes right up on reboot.


However, given CentOS6 clients using ipa-client-3.0.0-47.el6 and IPA
server 4.1.0, what is the highest /secure/ level I can achieve without
manually intervening?


autofs_ldap_auth.conf is currently




- cal sawyer


On 11/12/15 13:25, Cal Sawyer wrote:

Hi

After getting autofs working using automountmaps in IPA, I've
discovered that upon rebooting a client I have no automounts.  If I
ssh into the client and obtain a ticket as admin, after restarting
autofs (as root), I can once again access automounted
directories.  Until then, user logins which depend on a network home
mount consistently fail.


Question is, how can this be made automatic on reboot?

thanks

- cal sawyer
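The secure answer to the question above is for autofs to authenticate to the IPA LDAP server with the client's own host keytab (GSSAPI) rather than falling back to an anonymous bind with authrequired=no, so no user ticket is needed at boot. The following is an added example, not configuration from this thread or from the FreeIPA project: it renders such an /etc/autofs_ldap_auth.conf, checks the host keytab for the expected principal, and flags the weak setting. The host name, realm and the layout (which, as an assumption, mirrors what ipa-client-automount writes) are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build /etc/autofs_ldap_auth.conf so that
# autofs binds to the IPA LDAP server via GSSAPI using the host keytab instead
# of an anonymous bind (authrequired="no").
# Assumptions: the client was enrolled with ipa-client-install, so
# /etc/krb5.keytab holds host/<fqdn>@<REALM>; fqdn and realm are placeholders.

# Print the hardened configuration for the given host FQDN and Kerberos realm.
# Attribute names come from autofs_ldap_auth.conf(5).
render_autofs_auth() {
    fqdn="$1"
    realm="$2"
    cat <<EOF
<?xml version="1.0" ?>
<!-- authrequired="yes": never fall back to an anonymous/unauthenticated bind.
     authtype="GSSAPI" with clientprinc: authenticate with the host keytab,
     so automount works right after boot with no user ticket present.
     usetls="no": with GSSAPI the SASL security layer protects the session
     (assumption: same layout ipa-client-automount generates). -->
<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="host/${fqdn}@${realm}"
/>
EOF
}

# Return 0 (true) if a config read from stdin still allows anonymous binds,
# i.e. carries the weak setting from the thread: authrequired="no".
allows_anonymous_bind() {
    grep -q 'authrequired="no"'
}

# Return 0 if the keytab contains the host principal the config will use;
# run this before switching authtype to GSSAPI. Needs krb5-workstation.
host_keytab_has_principal() {
    fqdn="$1"
    realm="$2"
    keytab="${3:-/etc/krb5.keytab}"
    klist -k -t "$keytab" 2>/dev/null | grep -q "host/${fqdn}@${realm}"
}

# Usage (placeholder values):
#   render_autofs_auth client.example.com EXAMPLE.COM > /etc/autofs_ldap_auth.conf
#   chmod 0600 /etc/autofs_ldap_auth.conf
#   allows_anonymous_bind < /etc/autofs_ldap_auth.conf && echo "still anonymous"
```

The file should stay mode 0600 and owned by root, as autofs expects; after writing it, restart autofs and confirm the mounts appear with no user logged in, which is the behaviour the original post was missing.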


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Service Accounts via IPA

2015-12-11 Thread Redmond, Stacy
No, that does not even allow su - unless you add the -s /bin/bash or some valid
shell.  I did try a few of these, generally I just put a ! in front of the
password locally, but since these exist in ldap now instead, not sure that is
an option.

From: Nicola Canepa [mailto:canep...@mmfg.it]
Sent: Thursday, December 10, 2015 11:55 PM
To: Redmond, Stacy; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Service Accounts via IPA

Maybe you can use /usr/sbin/nologin as the shell?

Nicola
On 10/12/15 19:24, Redmond, Stacy wrote:
Generally I will lock a service account on linux so that the account cannot
login, but users can sudo su - to that user.  As I don't have access to the
password field in free ipa, what are my options to set this up as a default for 
service accounts, or how can I modify individual accounts that need access to a 
system, but should not be able to login to the system.  Any help is appreciated.





--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it


Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-11 Thread Natxo Asenjo
hi Ranbir,


On Fri, Dec 11, 2015 at 9:29 PM, Ranbir  wrote:

> Hi All,
>
> I want to integrate my Postfix server with IPA. I've found a couple of
> documents on how this can be done, but they don't accomplish the feat
> the same way (they're also not discussing the exact same end goal). I'm
> left wondering how exactly to integrate IPA and Postfix.
>
>
what exactly do you want to achieve? 'Integrate' could mean a couple of
things, so please specify.

--
Regards,
natxo

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-11 Thread Martin Štefany
Hello Ranbir,

I'm working on this; even today I was putting more things together.
(That DRAFT is really an uncommented version of what I currently have.) And
I've also opened https://fedorahosted.org/freeipa/ticket/5521 to get a
bit more out of it.

To sum up what I've put together:
- Postfix for SMTP MTA
- Dovecot for IMAP (no POP3)
- Amavisd-new with ClamAV and SpamAssassin for antispam / antivirus /
additional header checks, etc.
- SPF, DKIM, DMARC support for both sending and receiving mail
- setup is HA thanks to DNS records, and 2 separate systems running
almost identical configuration, with Dovecot replicating mailboxes using
dsync
- PLAIN / LOGIN / GSSAPI authentication for SSO login thanks to FreeIPA
(integration with Evolution on a Fedora/RHEL/CentOS desktop joined to the
FreeIPA domain also works great)
- users, of course, stored in FreeIPA, usage granted only to the ones with
the correct e-mail field, group membership (and enablement of the ID)
- but some pieces are still missing:
  - I'm still reviewing e.g. correct postfix restrictions and
documenting the full setup
  - there's missing support for GUI configuration of domain aliases, user
aliases, sender/receiver Bcc support, quota setup, etc., even if
something is manageable via ipa-admintools and LDAP attributes

I would like to finish it asap, within a week or two, because I run this
e-mail system at home (as somebody already mentioned, why not?) and I
don't like it unfinished. ;)

But to give you a good place to start: have a look at the iRedMail project,
http://www.iredmail.org/. ZhangHuangbin's product is great and it helped
me a lot to prepare what I described above. There's no support for 'old-
style' HA, but you can still run it 'HA' on a VM with all the benefits,
and there's no direct support for FreeIPA integration, but a guideline
for ActiveDirectory integration exists, so you can start there:
http://www.iredmail.org/docs/active.directory.html.

As Natxo mentioned, it all depends on what kind of integration you want and
what you expect from the mail setup. ;)

Martin





[Freeipa-users] Clean up DNS Host Cert and other records from IPA

2015-12-11 Thread Andrey Ptashnik
Hello Team,

We have many servers in our environment that are at different stages of their
lifecycle. All of them are added to the IPA domain. There are cases when servers
get moved, sometimes crash, sometimes are being rebuilt or decommissioned. In
those cases we need to completely remove the server identity from IPA including
DNS, Host, Certificate and other associated records.
What is the most proper way to completely remove client records in case the
server needs to be rebuilt with the same host name down the road? (Hardware
failure happened, server crashed and needs to be rebuilt is a perfect
example.)

Regards,

Andrey Ptashnik


Re: [Freeipa-users] Service Accounts via IPA

2015-12-11 Thread Marc Boorshtein
I do the same thing on most deployments.  I usually just assign a large
random password to the service account.

Marc Boorshtein
CTO, Tremolo Security, Inc.

Re: [Freeipa-users] Service Accounts via IPA

2015-12-11 Thread Redmond, Stacy
That is probably what I will end up doing, thanks for all the input so far.
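Putting the thread's conclusion into commands: keep a real shell so that `sudo su -` still works (Stacy's finding that nologin breaks it), give the account a random password nobody knows (Marc's practice; IPA also marks an admin-set password as expired), and grant the switch through an IPA sudo rule. This is an added example, not a script from this thread or from the FreeIPA project; it assumes the `ipa` CLI with an admin ticket, and the account name `svc-backup`, the group `ops` and the rule name are placeholders. With `DRY_RUN=1` it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): provision a locked-down IPA service
# account that cannot be logged into with a known password, but that members
# of a group can reach via "sudo su - <account>".
# Assumptions: "ipa" CLI available with an admin Kerberos ticket; account,
# group and rule names are placeholders. DRY_RUN=1 only prints the commands.

# Execute a command, or print it when rehearsing with DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the service account. The shell stays /bin/bash because "su -" needs a
# valid shell; --random sets a password that nobody is told (IPA additionally
# expires an admin-set password immediately), so interactive login is closed.
create_service_account() {
    svc="$1"
    run ipa user-add "$svc" --first="Service" --last="$svc" \
        --shell=/bin/bash --random
}

# Rotate the unknown password of an existing service account.
rotate_service_password() {
    run ipa user-mod "$1" --random
}

# Allow members of GROUP to run exactly "su - SVC" via sudo on all hosts.
# sudo runs the command as root (the sudoers default), and su then drops to
# the service account, matching the "sudo su - <user>" workflow in the thread.
grant_su_via_sudo() {
    svc="$1"
    group="$2"
    rule="su-to-$svc"
    cmd="/bin/su - $svc"
    run ipa sudocmd-add "$cmd"
    run ipa sudorule-add "$rule" --hostcat=all
    run ipa sudorule-add-user "$rule" --groups="$group"
    run ipa sudorule-add-allow-command "$rule" --sudocmds="$cmd"
}

# Usage (placeholders):
#   create_service_account svc-backup
#   grant_su_via_sudo svc-backup ops
#   DRY_RUN=1 grant_su_via_sudo svc-backup ops   # print the commands only
```

Restricting the sudo command to the literal `/bin/su - svc-backup` rather than all of `/bin/su` keeps the rule from doubling as a general root escalation; whether the calling user may use sudo on a host is still governed by HBAC for the `sudo` service, which is unchanged here.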


[Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-11 Thread Ranbir
Hi All,

I want to integrate my Postfix server with IPA. I've found a couple of
documents on how this can be done, but they don't accomplish the feat
the same way (they're also not discussing the exact same end goal). I'm
left wondering how exactly to integrate IPA and Postfix.

For reference:

https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/

http://www.freeipa.org/page/%28DRAFT%29_HA_mail_services_with_FreeIPA,_postfix,_dovecot,_amavisd-new,_clamd_and_PLAIN/GSSAPI_SSO

Is there anything more recent out there or are the above two docs still
good enough/applicable to IPA and postfix servers running on CentOS 7?

Thanks in advance.


-- 
Ranbir

