Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-06 Thread Rob Crittenden

dan.finkelst...@high5games.com wrote:

By the way, I want to mention the conncheck: if I don't skip it, it
tries to ssh into the master IPA instance as 'admin@', rather
than the user (root), and fails. All other parts of the connectivity
check work, however. Why does it try to access the master as a Kerberos
principal instead of the process user?


Because the remote master, being an IPA server, should have an admin 
account, so it's a known. root over ssh is not allowed in some environments.


There is a ticket open to be able to set the login to be used, right now 
admin is hardcoded.


As for the install failure you should now have the appropriate logs to 
start diagnosing what was going on in /var/log/pki.


rob



Thanks,

Dan



*Daniel Alex Finkelstein*| Senior Dev Ops Engineer

_dan.finkelst...@h5g.com _| 212.604.3447

One World Trade Center, New York, NY 10007

www.high5games.com 

Play High 5 Casino  and Shake
the Sky 

Follow us on: Facebook , Twitter
, YouTube
, Linkedin



/This message and any attachments may contain confidential or privileged
information and are only for the use of the intended recipient of this
message. If you are not the intended recipient, please notify the sender
by return email, and delete or destroy this and all copies of this
message and all attachments. Any unauthorized disclosure, use,
distribution, or reproduction of this message or any attachments is
prohibited and may be unlawful./

*From: *Rob Crittenden 
*Date: *Monday, June 6, 2016 at 11:44
*To: *Daniel Finkestein ,
"freeipa-users@redhat.com" 
*Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
cannot promote to master

Skipping the conncheck can mask odd problems and should be used sparingly.

rob





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-06 Thread Dan.Finkelstein
By the way, I want to mention the conncheck: if I don't skip it, it tries to 
ssh into the master IPA instance as 'admin@', rather than the user 
(root), and fails. All other parts of the connectivity check work, however. Why 
does it try to access the master as a Kerberos principal instead of the process 
user?

Thanks,
Dan


From: Rob Crittenden 
Date: Monday, June 6, 2016 at 11:44
To: Daniel Finkestein , 
"freeipa-users@redhat.com" 
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 
3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to 
master

Skipping the conncheck can mask odd problems and should be used sparingly.

rob

[Freeipa-users] DNA Ranges

2016-06-06 Thread Michael Rainey (Contractor)

Greetings Community,

I have a question about restoring the DNA Ranges on my IPA servers.  A 
couple of weeks ago I took down one of my servers, which involved a few 
issues I had created for myself, but luckily I managed to recover.  
Today I noticed that the DNA Ranges on the retired server were not 
carried over to the new server.  After checking my other servers, I also 
noticed none of the other servers have any ranges set.  So, my primary 
question is: if I set the range values on the new server to what they 
were on the retired server, do I run the risk of generating duplicate 
UIDs and GIDs, or should I set a new range to prevent duplicate values?


At this point, I haven't found anything in my research which matches my 
current scenario.


Thanks in advance.

--
*Michael Rainey*
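The risk Michael asks about can be checked mechanically before any range is reset. The following is an added example and not code from the thread or from FreeIPA: it takes a list of per-server DNA ranges and a list of POSIX entries (both constructed samples here; on a real deployment the ranges would come from `ipa-replica-manage dnarange-show` on recent releases and the entries from an ldapsearch over the users and groups containers, which is assumed and not shown), flags ranges that intersect, lists ids already issued from a range that is about to be reused, reports uidNumbers that already collide, and proposes a starting value for a fresh range that sits above everything known.

```python
"""Sanity check for FreeIPA DNA (Distributed Numeric Assignment) ranges.

Added example for the question above; it is not code from the thread or
from FreeIPA.  The range and directory data are constructed samples.  The
point it demonstrates: giving the new server the retired server's range
verbatim means ids already handed out from that range can be handed out
again, while a range above everything in use cannot collide.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class DnaRange:
    server: str
    low: int
    high: int  # inclusive, the way FreeIPA reports ranges

    def overlaps(self, other: "DnaRange") -> bool:
        return self.low <= other.high and other.low <= self.high


def find_overlapping_ranges(ranges):
    """Pairs of servers whose DNA ranges intersect; two such servers can
    allocate the same number independently of each other."""
    return [(a.server, b.server)
            for a, b in combinations(ranges, 2) if a.overlaps(b)]


def find_duplicate_ids(entries, attr):
    """Map each POSIX id used by more than one entry to the entry names."""
    by_id = {}
    for entry in entries:
        by_id.setdefault(entry[attr], []).append(entry["name"])
    return {num: names for num, names in by_id.items() if len(names) > 1}


def ids_issued_from(entries, attr, rng):
    """Ids already in use that fall inside rng.  A server that starts
    allocating from rng.low would re-issue exactly these."""
    return sorted(e[attr] for e in entries if rng.low <= e[attr] <= rng.high)


def suggest_fresh_low(ranges, entries, attrs=("uidNumber", "gidNumber")):
    """Lowest value above every known range and every id in use; a new
    range starting here cannot collide with anything already allocated."""
    used = [e[a] for e in entries for a in attrs]
    return max([r.high for r in ranges] + used) + 1


# Constructed sample: ipa1 was retired and its range copied onto ipa3 as-is.
SAMPLE_RANGES = [
    DnaRange("ipa1.example.test", 1000000, 1000199),
    DnaRange("ipa3.example.test", 1000000, 1000199),
    DnaRange("ipa2.example.test", 1000200, 1000399),
]

# Constructed sample entries; dave already collides with bob, which is the
# kind of damage a reused range produces.
SAMPLE_ENTRIES = [
    {"name": "alice", "uidNumber": 1000000, "gidNumber": 1000000},
    {"name": "bob",   "uidNumber": 1000001, "gidNumber": 1000001},
    {"name": "carol", "uidNumber": 1000201, "gidNumber": 1000201},
    {"name": "dave",  "uidNumber": 1000001, "gidNumber": 1000002},
]


def audit(ranges, entries):
    """Full report: overlapping ranges, duplicate uids, ids at risk per
    server, and a safe starting point for a fresh range."""
    return {
        "overlapping_ranges": find_overlapping_ranges(ranges),
        "duplicate_uids": find_duplicate_ids(entries, "uidNumber"),
        "ids_at_risk": {r.server: ids_issued_from(entries, "uidNumber", r)
                        for r in ranges},
        "fresh_range_low": suggest_fresh_low(ranges, entries),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RANGES, SAMPLE_ENTRIES).items():
        print(f"{key}: {value}")
```

On the sample data the audit reports ipa1 and ipa3 as overlapping, lists 1000000 and 1000001 as ids that ipa3 would hand out again, and proposes 1000400 as the low end of a fresh range, which is the safer of the two options in the question.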

Re: [Freeipa-users] problem in sudo policy when target commands use local environment variables

2016-06-06 Thread Brennan, Paul J
Hi Mitra,
   I'm not sure if '-H' is the best option for this. If I'm reading the 
documentation correctly, it sounds like that option only sets the value of 
$HOME to ~srvusr. You may want to try:

$ sudo -u srvusr -i /path/to/target_cmd

That should run the command using a login shell for srvusr, instantiating that 
user's variables.

Good luck,
Paul Brennan

(Apologies if this ends up in the wrong thread or something, I just signed up 
to this list.)

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-06 Thread Dan.Finkelstein
Swing and a miss: when setting up the replicas, we always use the --setup-ca and 
end the command with the replica gpg file, but it's the --setup-ca that fails 
as per the earlier messages. If we proceed without --setup-ca, it's fine. I'll 
try it without skipping the connection check, but I don't think the replica 
file is the issue.
Thanks,
Dan


From: Rob Crittenden 
Date: Monday, June 6, 2016 at 09:51
To: Daniel Finkestein , 
"freeipa-users@redhat.com" 
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 
3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to 
master

I think I figured out what is wrong. It is trying to add a NEW CA, not
creating a replica of the CA on this host. You need to pass in the
replica install file as an argument:

# ipa-replica-install foo.example.com

Not sure skipping the conncheck is a great idea either.

rob

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-06 Thread Alexander Bokovoy

On Mon, 06 Jun 2016, lejeczek wrote:
Users mapping concept (which I do not grasp completely yet) - when 
an AD client (win10) now gets to samba shares okey it is done with 
AD user credentials, win client sees share like: u...@my.dom which 
user is not IPA's user (there are no trusts no syncing).
I don't know details of what you have configured. For IPA with trusts
both Kerberos and passwords should work when Samba is running on IPA
master. For IPA client, we have procedure defined for SSSD+Samba. For
anything else only Kerberos would work.
I emailed (this thread) most of the configs, if not all, ~two emails 
ago, last Friday.

Configs were not really helpful without a bigger picture.

Now, when you say mapping - this would be winbind/smb 
translating/mapping AD's SIDs to match IPA's UIDs - which is/would 
be different from syncing users from AD => IPA, correct?

SIDs to UID/GID on the system. You seem to confuse a lot in your
emails -- you are claiming that there is no IPA trust or sync in place
yet you expect somehow things to magically work, I simply don't
understand your situation to comment on it.
not magically, no, it's the same one box, IPA server and at the same 
time samba(non-IPA, might be why smbclient without kerberos does Not 
work) + sssd to an AD.
And now after fixing keytabs all seems to work ok, and no winbind yet 
- thus my only question now is more about concepts, which - yes - I 
don't grasp fully.

Ok.

Yes I confuse, the way I understand is: my linux box now has two 
separate user db backends, two different users catalogs, first one is 
IPA's and the second is AD's via sssd(which samba being an AD's client 
also uses) with no winbind at this point.

Yes, you have two different user db backends, and there is not enough
interoperability between them yet. As you can guess, this is not really
supported -- I would rather not spend time on that myself as there are
more urgent issues to fix that scale better.

Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need 
it? and if one then two: how to achieve it running setup like mine?

It is not a question of whether you want something. It is required, as
Windows world is different from POSIX and something needs to map between
concepts in both worlds. That something is called Samba and it requires
a proper configuration for SID/ID mapping -- which is done by winbindd.

--
/ Alexander Bokovoy

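Alexander's closing point, that something has to translate between Windows SIDs and POSIX ids, is easier to see with the translation written out. The block below is an added example, not code from the thread, from Samba or from FreeIPA; it implements the algorithmic scheme that winbindd's idmap_rid backend uses (id = range low + RID, one fixed range per domain) so that the same SID yields the same uid on every host without a shared database. The domain SID and the id range are constructed.

```python
"""Algorithmic SID -> POSIX id mapping in the style of winbindd's idmap_rid.

Added example for the exchange above; it is not code from the thread,
from Samba, or from FreeIPA.  A Windows account SID is a domain SID plus
a relative id (RID); the mapper turns the RID into a uid/gid inside a
range reserved for that domain, and back again.  The domain SID and the
range below are constructed values.
"""
import re

ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for an S-1-5-21-<a>-<b>-<c>-<rid> account SID."""
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an account SID: {sid!r}")
    a, b, c, rid = (int(x) for x in m.groups())
    return f"S-1-5-21-{a}-{b}-{c}", rid


class RidMapper:
    """Maps SIDs of one domain onto a fixed POSIX id range: id = low + RID.

    Every RID maps to exactly one number and back, so the mapping is the
    same on every host configured with the same range.  RIDs that would
    land above the top of the range are refused instead of silently
    colliding with ids that belong to another range.
    """

    def __init__(self, domain_sid, range_low, range_high):
        if range_low > range_high:
            raise ValueError("inverted id range")
        self.domain_sid = domain_sid
        self.low = range_low
        self.high = range_high

    def sid_to_id(self, sid):
        domain, rid = split_sid(sid)
        if domain != self.domain_sid:
            raise ValueError(f"{sid} is not from domain {self.domain_sid}")
        posix_id = self.low + rid
        if posix_id > self.high:
            raise ValueError(f"RID {rid} does not fit in {self.low}-{self.high}")
        return posix_id

    def id_to_sid(self, posix_id):
        if not self.low <= posix_id <= self.high:
            raise ValueError(f"{posix_id} is outside {self.low}-{self.high}")
        return f"{self.domain_sid}-{posix_id - self.low}"


# Constructed sample: one trusted domain with ids 200000-299999 reserved for it.
AD_DOMAIN_SID = "S-1-5-21-1234567890-987654321-111111111"
MAPPER = RidMapper(AD_DOMAIN_SID, 200000, 299999)


def demo():
    """Round-trip a few SIDs; returns the (sid, id) pairs it produced."""
    pairs = []
    for rid in (500, 1105, 2048):  # 500 is the built-in Administrator RID
        sid = f"{AD_DOMAIN_SID}-{rid}"
        posix_id = MAPPER.sid_to_id(sid)
        assert MAPPER.id_to_sid(posix_id) == sid  # mapping must be reversible
        pairs.append((sid, posix_id))
    return pairs


if __name__ == "__main__":
    for sid, posix_id in demo():
        print(f"{sid} -> {posix_id}")
```

The two failure branches are the ones that matter operationally: a SID from a domain the mapper was not configured for is rejected rather than mapped into someone else's range, and a RID larger than the range is rejected rather than overflowing into the next range, which is exactly the kind of collision a per-domain range is meant to prevent.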


Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-06 Thread Rob Crittenden

dan.finkelst...@high5games.com wrote:

Swing and a miss: when setting up the replicas, we always use the
--setup-ca and end the command with the replica gpg file, but it's the
--setup-ca that fails as per the earlier messages. If we proceed without
--setup-ca, it's fine. I'll try it without skipping the connection check,
but I don't think the replica file is the issue.


I meant to say: ipa-ca-install replicafile

When running ipa-ca-install without a replicafile then it assumes you 
are trying to set up a brand new CA which isn't allowed if one already 
exists. The messaging has been improved upstream.


Skipping the conncheck can mask odd problems and should be used sparingly.

rob



Thanks,

Dan




*From: *Rob Crittenden 
*Date: *Monday, June 6, 2016 at 09:51
*To: *Daniel Finkestein ,
"freeipa-users@redhat.com" 
*Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
cannot promote to master

I think I figured out what is wrong. It is trying to add a NEW CA, not

creating a replica of the CA on this host. You need to pass in the

replica install file as an argument:

# ipa-replica-install foo.example.com

Not sure skipping the conncheck is a great idea either.

rob







[Freeipa-users] external ad users in ldap directory is it possible in general?

2016-06-06 Thread Serge Krawczenko
Hello,
my apologies if the question is asked too frequently.

While implementing SSO in my environment, I have a need to integrate
with an existing AD Win2008R2.
The systems I need to be included into SSO can only authorize via LDAP;
many of them have already been configured and tested against FreeIPA and
local users. Those systems are apache, jira, radius and so on.

However, how is it applicable for external users from Windows AD?
Trusted relations have been configured according to the manual.

As stated in FreeIPA 4.3 release notes,

"AD users are now shown as members of IPA groups when external group is
added to IPA group #4403"

So I expect external users to be visible by ldapsearch etc. on FreeIPA upon
corresponding group mapping. Well, no. Users are not visible.

Please advise: is this achievable at all, or do I have some fundamental
misunderstanding of the technology, or is there some misconfiguration?

Thanks a lot.

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-06 Thread lejeczek



On 06/06/16 12:42, Alexander Bokovoy wrote:

On Mon, 06 Jun 2016, lejeczek wrote:
SMB services with Kerberos require use of cifs/ service principal. Your
keytab only has host/ keys, and your AD machine account for the  does not
have 'cifs/' SPN defined. The latter is what causes smbclient -k to fail
-- AD DC doesn't know about 'cifs/' and refuses to issue a service ticket
even before smbclient contacts Samba server.

Alexander, thanks!
yes, cifs needs to be in keytab file, smbclient to itself (on smb server
locally) works now with -k.
I wonder - should it also work with only passwords? It does not, for me.
Users mapping concept (which I do not grasp completely yet) - when an AD
client (win10) now gets to samba shares okay it is done with AD user
credentials, win client sees share like: u...@my.dom which user is not
IPA's user (there are no trusts no syncing).

I don't know details of what you have configured. For IPA with trusts
both Kerberos and passwords should work when Samba is running on IPA
master. For IPA client, we have procedure defined for SSSD+Samba. For
anything else only Kerberos would work.

I emailed (this thread) most of the configs, if not all, ~two emails
ago, last Friday.

Now, when you say mapping - this would be winbind/smb translating/mapping
AD's SIDs to match IPA's UIDs - which is/would be different from syncing
users from AD => IPA, correct?

SIDs to UID/GID on the system. You seem to confuse a lot in your emails
-- you are claiming that there is no IPA trust or sync in place yet you
expect somehow things to magically work, I simply don't understand your
situation to comment on it.

not magically, no, it's the same one box, IPA server and at the same time
samba (non-IPA, might be why smbclient without kerberos does Not work) +
sssd to an AD.
And now after fixing keytabs all seems to work ok, and no winbind yet -
thus my only question now is more about concepts, which - yes - I don't
grasp fully.
Yes I confuse, the way I understand is: my linux box now has two separate
user db backends, two different users catalogs, first one is IPA's and
the second is AD's via sssd (which samba being an AD's client also uses)
with no winbind at this point.
Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need it?
and if one then two: how to achieve it running setup like mine?

Another thing, not having winbind in nsswitch (or not having it at all),
but still having sssd using AD - should I be able to access
linux+sssd=>AD box with means like ssh? eg. ssh
m...@my.dom@swir.private.my.dom (I think I had it worked with winbind in
nsswitch)

SSSD client as IPA client will work with passwords in AD but only if
trust is established between IPA and AD.



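The keytab problem quoted at the top of this message (host/ keys present, cifs/ key absent, so the KDC refuses a service ticket before Samba is ever contacted) is something a defender can verify from the keytab listing alone. The block below is an added example and not code from the thread, from Samba or from FreeIPA: it parses the layout that `klist -k` (MIT Kerberos) prints, keeps the highest kvno per service principal, and reports which of the required principals for a given FQDN are missing. The two listings, the host name and the realm are constructed samples; a real check would feed in the actual command output.

```python
"""Check a keytab listing for the service principals an SMB server needs.

Added example for the keytab/SPN point quoted above; it is not code from
the thread, from Samba, or from FreeIPA.  The listings are constructed
samples in the layout `klist -k` (MIT Kerberos) prints.  Kerberos SMB
clients ask the KDC for a ticket to cifs/<fqdn>, so that key has to be in
the server's keytab, not just host/<fqdn>.  Host and realm are constructed.
"""
import re

# "  KVNO principal" lines, optionally followed by "(enctype)" as klist -ke prints
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+?)(?:\s+\(.*\))?\s*$")


def parse_klist(text):
    """Return {(service, host, realm): highest kvno} for service principals."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, separator, or a user principal without '/'
        kvno, service, host, realm = m.groups()
        key = (service, host, realm)
        entries[key] = max(int(kvno), entries.get(key, 0))
    return entries


def missing_spns(entries, fqdn, realm, required=("host", "cifs")):
    """Required service principals for fqdn that are absent from the keytab."""
    return [f"{svc}/{fqdn}@{realm}" for svc in required
            if (svc, fqdn, realm) not in entries]


def report(text, fqdn, realm):
    """Parse a listing and summarise what is present and what is missing."""
    entries = parse_klist(text)
    return {
        "present": sorted(f"{s}/{h}@{r}" for (s, h, r) in entries),
        "missing": missing_spns(entries, fqdn, realm),
    }


# Constructed sample: the state described in the thread, host/ keys only.
KEYTAB_BEFORE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fs1.example.test@EXAMPLE.TEST
   3 host/fs1.example.test@EXAMPLE.TEST
   3 host/FS1@EXAMPLE.TEST
   3 host/FS1@EXAMPLE.TEST
"""

# Constructed sample: after the cifs/ key was added (klist -ke style lines).
KEYTAB_AFTER = KEYTAB_BEFORE + """\
   4 cifs/fs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 cifs/fs1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""


if __name__ == "__main__":
    for label, listing in (("before", KEYTAB_BEFORE), ("after", KEYTAB_AFTER)):
        print(label, report(listing, "fs1.example.test", "EXAMPLE.TEST"))
```

Note that the check is keyed on the exact host string: `host/FS1` does not satisfy a requirement for `host/fs1.example.test`, which mirrors how the KDC matches principal names. The keytab side is only half of what the quoted text describes; the AD machine account still needs the matching cifs/ SPN, and that has to be confirmed on the domain controller, not from the keytab.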


[Freeipa-users] DNSSEC DANE TLSA

2016-06-06 Thread Günther J . Niederwimmer
Hello,

Is it possible to make a DANE entry in IPA DNS with a FreeIPA certificate?

Thanks for an answer,
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-06 Thread Karl Forner
Thanks a lot Jan. It works perfectly, and it is crystal-clear.
Best,
Karl

On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora  wrote:
> On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>>
>> Hope this helps. I will likely do another writeup about this setup.
>
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
