Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-10 Thread Lachlan Musicman
On 11 April 2017 at 00:14, Johan Vermeulen wrote:

> Hello All,
>
> just getting started with FreeIPA and one of the first features I'm trying
> is adding hosts, something I can't do in our current
> ldap-setup. So I'm looking forward to being able to do this.
> But after adding a host, the only way I see to disable it is unprovision
> it. And after doing that, I can't find a way to re-provision the host.
>
> Can anybody point me in the right direction regarding this?
>
> Many thanks, J.
>
>

Rob is right - it depends on what you are doing.

But, in the meantime, here are a couple of pointers:

How to enable/disable hosts
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-disable.html


If what you are after is having it in the domain but restricting access,
then you are looking for "Host Based Access Control"

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html


Cheers
L.



--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
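The two pointers above as ipa CLI commands, added here as an example and not part of the thread: disabling a host entry, and an HBAC rule that confines a user to sshd on a single host, checked with hbactest before relying on it. Host names, the user name and the rule name are constructed; the helper functions are mine, while the ipa subcommands are the real ones. The script only echoes the commands unless IPA=ipa is set in the environment on a machine with an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not part of the original thread. Names below
# (server1/server2/server3.example.com, user1, the rule name) are constructed.
# Dry-run by default: the ipa commands are echoed. Run with IPA=ipa on a
# host that has an admin ticket (kinit admin) to apply them for real.
IPA="${IPA:-echo}"

# Disable a host: its keytab and certificate are revoked but the entry
# stays. The machine is re-provisioned by enrolling it again with
# ipa-client-install (or ipa-join), which issues a fresh keytab.
disable_host() {
    "$IPA" host-disable "$1"
}

# One rule: $user may use sshd on $host. Nothing else is granted by it.
# The built-in allow_all rule grants every service on every host to
# everyone; while it is enabled a narrower rule changes nothing, so
# disable it (ipa hbacrule-disable allow_all) once rules cover everything
# you still need.
restrict_ssh_to_host() {
    rule="$1"; user="$2"; host="$3"
    "$IPA" hbacrule-add "$rule" --desc="$user may use sshd on $host only"
    "$IPA" hbacrule-add-user "$rule" --users="$user"
    "$IPA" hbacrule-add-host "$rule" --hosts="$host"
    "$IPA" hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# Evaluate the whole rule set for one access request: hbactest reports
# which rules matched and whether access would be granted.
check_access() {
    user="$1"; host="$2"
    "$IPA" hbactest --user="$user" --host="$host" --service=sshd
}

disable_host server3.example.com
restrict_ssh_to_host user1_ssh_server1 user1 server1.example.com
check_access user1 server1.example.com
check_access user1 server2.example.com
```

With allow_all disabled, the first hbactest should grant access through user1_ssh_server1 and the second should deny it; if the second still grants, look at which rule hbactest lists as matched.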

Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-10 Thread Rob Crittenden
Johan Vermeulen wrote:
> Hello All,
> 
> just getting started with FreeIPA and one of the first features I'm
> trying is adding hosts, something I can't do in our current
> ldap-setup. So I'm looking forward to being able to do this.
> But after adding a host, the only way I see to disable it is unprovision
> it. And after doing that, I can't find a way to re-provision the host.
> 
> Can anybody point me in the right direction regarding this?

I'm not sure I follow what you're doing and don't want to guess and send
you on a wild goose chase :-)

Can you elaborate on your workflow and the output you're seeing when you
try to re-provision?

rob



[Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-10 Thread Johan Vermeulen
Hello All,

just getting started with FreeIPA and one of the first features I'm trying
is adding hosts, something I can't do in our current
ldap-setup. So I'm looking forward to being able to do this.
But after adding a host, the only way I see to disable it is unprovision
it. And after doing that, I can't find a way to re-provision the host.

Can anybody point me in the right direction regarding this?

Many thanks, J.

Re: [Freeipa-users] SSSD setting memcache_timeout on ipa master

2017-04-10 Thread Ronald Wimmer

On 2017-04-10 13:23, Jakub Hrozek wrote:

[...]
This shouldn't be the case with 1.14+ and wasn't in my testing. Did you
remove the cache (really remove, not just expire with sss_cache) after
you upgraded from 1.13 to 1.14?

If yes, can you run some simple systemtap scripts?


I did not upgrade from an older version. I experienced the problems with 
SSSD 1.14. I followed the steps in the performance tuning guide and 
moved the cache directory into RAM. After that I deleted the directory's 
content and restarted SSSD.




Re: [Freeipa-users] SSSD setting memcache_timeout on ipa master

2017-04-10 Thread Jakub Hrozek
On Mon, Apr 10, 2017 at 01:07:08PM +0200, Ronald Wimmer wrote:
> On 2017-04-10 12:16, Lukas Slebodnik wrote:
> > [...]
> > sssd_be consumed a lot of CPU and produced a lot of I/O in the sssd cache
> > directory. After following 
> > https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
> > the problems did not reappear.
> > 
> > Did you try all recommended steps or just few?
> > 
> > Do you know which one was the most useful in your case?
> > 
> 
> I think the biggest benefit came from moving the sssd cache into RAM.

This shouldn't be the case with 1.14+ and wasn't in my testing. Did you
remove the cache (really remove, not just expire with sss_cache) after
you upgraded from 1.13 to 1.14?

If yes, can you run some simple systemtap scripts?



Re: [Freeipa-users] SSSD setting memcache_timeout on ipa master

2017-04-10 Thread Ronald Wimmer

On 2017-04-10 12:16, Lukas Slebodnik wrote:

[...]
sssd_be consumed a lot of CPU and produced a lot of I/O in the sssd cache
directory. After following 
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
the problems did not reappear.

Did you try all recommended steps or just few?

Do you know which one was the most useful in your case?



I think the biggest benefit came from moving the sssd cache into RAM.



Re: [Freeipa-users] Password-based authentication with AD users does not work

2017-04-10 Thread Ronald Wimmer

On 2017-04-07 10:28, Sumit Bose wrote:

[...]
I'm not aware of any limitation here. Have you tried to run 'ipa
trust-fetch-domains ad.forest.root' to update the list?

If this does not help please add 'log level = 100' to
/usr/share/ipa/smb.conf.empty so that it looks like:

 [global]
 log level = 100

and run trust-fetch-domains again. The debug output can then be found
in /var/log/httpd/error_log. [...]


Not one error in the error_log - absolutely nothing. Our AD guys 
confirmed that there are many more UPN suffixes than the five I can see 
when I run ipa trust-find.


Can somebody confirm that this UPN suffix mismatch is exactly the 
problem preventing password-based login in my case?




Re: [Freeipa-users] SSH access to only specific hosts using ssh keys

2017-04-10 Thread Jakub Hrozek
On Mon, Apr 10, 2017 at 12:04:58AM -0400, Tym Rehm wrote:
> Hey all, New user here.
> 
> I have a user "user1" that I want to allow a couple of different users
> "userX and userY" to be allowed to ssh into "server1" and "server2", but
> not both servers using ssh-keys.
> 
> So as an example. UserX will ssh user1@server2 with ssh-key, but I don't
> want userY to be able to successfully run the same command.
> 
> I currently have userX and userY's public ssh-key attached to user1 and I
> have created a HBAC rule to allow user1 to connect with ssh on both server1
> and server2. This is allowing user1 to connect to both servers fine,
> without a password. It also is allowing users (X & Y) to ssh user1@server1
> and user1@server2.
> 
> How can I stop that, to restrict userX to be able to ssh as user1 on server1,
> but not server2?
> 
> Do I need to do something with the keytabs or add the ssh-keys for userX to
> the server1 host only?

I'm honestly not sure if I understand the problem well, but would it be
helpful to add SSH keys to an ID view that is attached to one of the
servers only?

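The ID view approach from the reply above, written out as an added example that is not from the thread or the FreeIPA project: one view per server, each carrying a different person's key for the shared account, so userX's key is served only on server1 and userY's only on server2. Host names, the account name, the view names and the keys are constructed placeholders; the helper functions are mine, the ipa subcommands are real. Commands are echoed unless IPA=ipa is set with an admin ticket.

```shell
#!/bin/sh
# Added example, not part of the original thread. server1/server2.example.com,
# user1, the view names and the keys are constructed.
# Dry-run by default (commands are echoed); run with IPA=ipa and an admin
# ticket (kinit admin) to apply. The hosts must be enrolled IPA clients,
# not IPA servers: ID views cannot be applied to IPA masters.
IPA="${IPA:-echo}"

# Remove keys from the account's own entry first: anything left there is
# served on every host, which is exactly what the per-host views must
# avoid. An empty value clears the multi-valued attribute.
clear_account_keys() {
    "$IPA" user-mod "$1" --sshpubkey=
}

# Create a view whose user override holds $pubkey as the account's only
# key, then bind the view to exactly one host. The override replaces the
# whole key set for that account as seen from that host.
bind_key_to_host() {
    view="$1"; account="$2"; host="$3"; pubkey="$4"
    "$IPA" idview-add "$view" --desc="$account keys on $host"
    "$IPA" idoverrideuser-add "$view" "$account" --sshpubkey="$pubkey"
    "$IPA" idview-apply "$view" --hosts="$host"
}

# Placeholder keys (constructed); the real ones come from userX and userY.
KEY_X="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYX userX"
KEY_Y="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYY userY"

clear_account_keys user1
bind_key_to_host server1_view user1 server1.example.com "$KEY_X"
bind_key_to_host server2_view user1 server2.example.com "$KEY_Y"
```

After applying, run sss_cache -E (or restart sssd) on each client so the override is picked up, then check with sss_ssh_authorizedkeys user1 on server1: it should print only KEY_X. The HBAC rule from the question still decides whether user1 may log in on a host at all; the view only decides which key sshd accepts there.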