Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
On 11 April 2017 at 00:14, Johan Vermeulen wrote:
> Hello All,
>
> just getting started with FreeIPA and one of the first features I'm trying
> is adding hosts, something I can't do in our current
> ldap-setup. So I'm looking forward to being able to do this.
> But after adding a host, the only way I see to disable it is unprovision
> it. And after doing that, I can't find a way to re-provision the host.
>
> Can anybody point me in the right direction regarding this?
>
> Many thanks, J.
>

Rob is right - it depends on what you are doing. But, in the meantime, here are a couple of pointers:

How to enable/disable hosts
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-disable.html

If what you are after is having it in the domain but restricting access, then you are looking for "Host Based Access Control"
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
Johan Vermeulen wrote:
> Hello All,
>
> just getting started with FreeIPA and one of the first features I'm
> trying is adding hosts, something I can't do in our current
> ldap-setup. So I'm looking forward to being able to do this.
> But after adding a host, the only way I see to disable it is unprovision
> it. And after doing that, I can't find a way to re-provision the host.
>
> Can anybody point me in the right direction regarding this?

I'm not sure I follow what you're doing and don't want to guess and send you on a wild goose chase :-)

Can you elaborate on your workflow and the output you're seeing when you try to re-provision?

rob
[Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
Hello All,

just getting started with FreeIPA and one of the first features I'm trying is adding hosts, something I can't do in our current ldap-setup. So I'm looking forward to being able to do this.
But after adding a host, the only way I see to disable it is unprovision it. And after doing that, I can't find a way to re-provision the host.

Can anybody point me in the right direction regarding this?

Many thanks, J.
Re: [Freeipa-users] SSSD setting memcache_timeout on ipa master
On 2017-04-10 13:23, Jakub Hrozek wrote:
> [...]
> This shouldn't be the case with 1.14+ and wasn't in my testing. Did you
> remove the cache (really remove, not just expire with sss_cache) after
> you upgraded from 1.13 to 1.14? If yes, can you run some simple systemtap
> scripts?

I did not upgrade from an older version. I experienced the problems with SSSD 1.14. I followed the steps in the performance tuning guide and moved the cache directory into RAM. After that I deleted the directory's content and restarted SSSD.
Re: [Freeipa-users] SSSD setting memcache_timeout on ipa master
On Mon, Apr 10, 2017 at 01:07:08PM +0200, Ronald Wimmer wrote:
> On 2017-04-10 12:16, Lukas Slebodnik wrote:
> > [...]
> > sssd_be consumed a lot of CPU and produced a lot of I/O in the sssd cache
> > directory. After following
> > https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
> > the problems did not reappear.
> >
> > Did you try all recommended steps or just few?
> >
> > Do you know which one was the most useful in your case?
> >
>
> I think the biggest benefit came from moving the sssd cache into RAM.

This shouldn't be the case with 1.14+ and wasn't in my testing. Did you remove the cache (really remove, not just expire with sss_cache) after you upgraded from 1.13 to 1.14? If yes, can you run some simple systemtap scripts?
Re: [Freeipa-users] SSSD setting memcache_timeout on ipa master
On 2017-04-10 12:16, Lukas Slebodnik wrote:
> [...]
> sssd_be consumed a lot of CPU and produced a lot of I/O in the sssd cache
> directory. After following
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
> the problems did not reappear.
>
> Did you try all recommended steps or just few?
>
> Do you know which one was the most useful in your case?

I think the biggest benefit came from moving the sssd cache into RAM.
Re: [Freeipa-users] Password-based authentication with AD users does not work
On 2017-04-07 10:28, Sumit Bose wrote:
> [...]
> I'm not aware of any limitation here. Have you tried to run 'ipa
> trust-fetch-domains ad.forest.root' to update the list? If this does not
> help please add 'log level = 100' to /usr/share/ipa/smb.conf.empty so that
> it looks like:
>
> [global]
> log level = 100
>
> and run trust-fetch-domains again. The debug output can then be found in
> /var/log/httpd/error_log.
> [...]

Not one error in the error_log - absolutely nothing.

Our AD guys confirmed that there are many more UPN suffixes than the five I can see when I run ipa trust-find.

Can somebody confirm that this UPN suffix mismatch is exactly the problem preventing password-based login in my case?
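The debugging step Sumit quotes above (dropping `log level = 100` into the `[global]` section of smb.conf.empty, then removing it again once the `trust-fetch-domains` run has been captured) is easy to get wrong by hand: a second edit leaves two `log level` lines, and a stray key outside `[global]` is silently ignored. The helper below is an added example, not code from the thread or from FreeIPA; it assumes a POSIX shell with awk, grep, sed and mktemp, and takes the file path as an argument so it can be tried on a copy before touching the real file.

```shell
#!/bin/sh
# Added example (not from the original thread or the FreeIPA project):
# idempotently add "log level = 100" to the [global] section of an
# smb.conf-style file, and remove it again after the debugging session.
set -eu

# add_smb_log_level FILE
#   Inserts "log level = 100" directly under [global]. Creates the file
#   with an empty [global] section if it does not exist, adds [global]
#   if the file has none, and does nothing if the key is already set.
add_smb_log_level() {
    f=$1
    [ -f "$f" ] || printf '[global]\n' > "$f"
    # Already configured: do not add a duplicate key.
    if grep -Eq '^[[:space:]]*log level[[:space:]]*=' "$f"; then
        return 0
    fi
    # Samba only honours the key inside [global]; make sure one exists.
    if ! grep -Eq '^\[global\]' "$f"; then
        printf '[global]\n' >> "$f"
    fi
    tmp=$(mktemp)
    # Print every line; after the first [global] header, emit the key once.
    awk 'BEGIN { done = 0 }
         { print }
         /^\[global\]/ && !done { print "log level = 100"; done = 1 }' "$f" > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# remove_smb_log_level FILE
#   Drops any "log level = ..." line so the file goes back to normal
#   verbosity once the output in /var/log/httpd/error_log has been read.
remove_smb_log_level() {
    f=$1
    tmp=$(mktemp)
    grep -Ev '^[[:space:]]*log level[[:space:]]*=' "$f" > "$tmp" || true
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# smb_log_level FILE
#   Prints the configured log level, or nothing if the key is unset.
smb_log_level() {
    sed -n 's/^[[:space:]]*log level[[:space:]]*=[[:space:]]*//p' "$1"
}
```

Run it against a scratch copy first (`cp /usr/share/ipa/smb.conf.empty /tmp/smb.conf.test && add_smb_log_level /tmp/smb.conf.test`), and remember that level 100 logging is extremely verbose, so `remove_smb_log_level` should be run as soon as the trace has been collected.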
Re: [Freeipa-users] SSH access to only specific hosts using ssh keys
On Mon, Apr 10, 2017 at 12:04:58AM -0400, Tym Rehm wrote:
> Hey all, New user here.
>
> I have a user "user1" that I want to allow a couple of different users
> "userX and userY" to be allowed to ssh into "server1" and "server2", but
> not both servers using ssh-keys.
>
> So as an example. UserX will ssh user1@server2 with ssh-key, but I don't
> want userY to be able to successfully run the same command.
>
> I currently have userX and userY's public ssh-key attached to user1 and I
> have created a HBAC rule to allow user1 to connect with ssh on both server1
> and server2. This is allowing user1 to connect to both servers fine,
> without a password. It also is allowing users (X & Y) to ssh user1@server1
> and user1@server2.
>
> How can I stop that to restrict userX to be able to ssh as user1 on server1,
> but not server2?
>
> Do I need to do something with the keytabs or add the ssh-keys for userX to
> the server1 host only?

I'm honestly not sure if I understand the problem well, but would it be helpful to add SSH keys to an ID view that is attached to one of the servers only?
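Why an HBAC rule cannot solve this, and why the ID view suggestion can, comes down to where the SSH public keys live: keys on user1's base entry are served to every enrolled host, so HBAC (which only decides whether user1 may log in on a host at all) cannot tell userX's key from userY's. The model below is an added illustration, not code from the thread or from FreeIPA/SSSD; the `User`, `IdView` and `effective_ssh_keys` names, the two constructed keys and the host-to-view mapping are all assumptions made for the example. It treats an ID view override of the SSH key attribute as replacing the base entry's keys on the hosts the view is applied to, which is how I understand SSSD handles overrides, and shows the "before" state from the question beside the per-host state the reply suggests.

```python
"""Added example (not from the original thread): a small model of SSH key
visibility per host when keys sit on the user's base entry versus in an
ID view override applied to a single host. All names and data are
constructed for illustration; this is not FreeIPA's or SSSD's own API."""

from dataclasses import dataclass, field

# Constructed sample keys (not real public keys).
KEY_X = "ssh-ed25519 AAAAConstructedKeyForUserX userX@example"
KEY_Y = "ssh-ed25519 AAAAConstructedKeyForUserY userY@example"


@dataclass
class User:
    uid: str
    ssh_keys: set = field(default_factory=set)  # keys on the base LDAP entry


@dataclass
class IdView:
    name: str
    # uid -> set of SSH public keys that override the base entry in this view
    ssh_key_overrides: dict = field(default_factory=dict)


def effective_ssh_keys(user, host, host_views, views):
    """Return the keys `host` will accept for `user`.

    host_views maps a host name to the ID view applied to it (if any);
    views maps view names to IdView objects. Assumption of this model: an
    override replaces the base attribute rather than merging with it, so a
    view with an empty override set yields no keys on that host.
    """
    view_name = host_views.get(host)
    if view_name is not None:
        override = views[view_name].ssh_key_overrides.get(user.uid)
        if override is not None:
            return set(override)
    return set(user.ssh_keys)


def before():
    """The question's starting point: both keys on user1, no ID views.
    Every host therefore accepts both userX's and userY's key for user1."""
    user1 = User("user1", {KEY_X, KEY_Y})
    return {h: effective_ssh_keys(user1, h, {}, {}) for h in ("server1", "server2")}


def after():
    """The reply's approach: keep the base entry empty and give each host an
    ID view whose user1 override carries only the key that host should accept."""
    user1 = User("user1")  # no keys on the base entry any more
    views = {
        "server1-view": IdView("server1-view", {"user1": {KEY_X}}),
        "server2-view": IdView("server2-view", {"user1": {KEY_Y}}),
    }
    host_views = {"server1": "server1-view", "server2": "server2-view"}
    return {h: effective_ssh_keys(user1, h, host_views, views) for h in host_views}


def key_accepted(key, host, state):
    """True if `host` accepts `key` for user1 in the given before()/after() state."""
    return key in state[host]


if __name__ == "__main__":
    for label, state in (("before", before()), ("after", after())):
        for host in sorted(state):
            print(label, host, "X:", key_accepted(KEY_X, host, state),
                  "Y:", key_accepted(KEY_Y, host, state))
```

On a real deployment the equivalent steps are, as far as I recall the CLI, `ipa idview-add`, `ipa idoverrideuser-add` with the key on the override, and `ipa idview-apply --hosts=...` for the one host; the HBAC rule for user1 stays as it is, since it still gates whether user1 may log in at all. Note the trade-off the model makes visible: once the base entry holds no keys, a host with no ID view applied accepts no key for user1, so every host that should allow key login needs its own view.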