Re: [Freeipa-users] Automembership not working
I don't believe that the attribute is an OU. Try performing a:

    ipa group-show engineering --all --raw

I believe that your automember rule wants to be cn=^Engineering

You cannot hope to secure that which you do not first understand
~~~
Jr Aquino
Manager Operation Services, Infrastructure and Application Security
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester
Citrix Systems, Inc | 7408 Hollister Avenue | Goleta, CA 93117
SaaS Division
T: +1 805.690.3478
jr.aqu...@citrix.com
http://www.citrix.com

On Apr 30, 2014, at 2:10 PM, Dimitar Georgievski <mitk...@gmail.com> wrote:

> Hi,
>
> I am trying to create rules to place users in given user groups based on the value of their ou (Organization Unit) field in their profiles. For some reason it is not working, and I am trying to understand why.
>
> The rule is very simple and looks like this:
>
>     ipa automember-find engineering
>     Grouping Type: group
>     ---
>     1 rules matched
>     ---
>     Description: Add automatically Engineering users to engineering User Group
>     Automember Rule: engineering
>     Inclusive Regex: ou=^Engineering
>
> With this rule in place I would expect all the new users with ou=Engineering to be automatically placed in the engineering user group.
>
> I am using FreeIPA v3.0.0 on CentOS 6.5
>
> Thanks
> Dimitar

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] scripting ipa commands
If you don't find an answer for doing it -minus- a ticket, here is what I would suggest.

Create a service user whose only role permissions give them the ability to delete users.

Then perform a getkeytab for the user:

    ipa-getkeytab -s ipa.example.com -p <user name to export>@EXAMPLE.COM -k /path/to/username.keytab

Then associate the following along with your cron. I would also recommend a kdestroy -after- the task is run.

    #!/bin/bash
    ###
    # Auto Kinit: only fetch a fresh ticket from the keytab when klist -s
    # reports that the cache holds no valid one
    /usr/kerberos/bin/klist -s
    EXITCODE=$?
    if [ $EXITCODE != 0 ] ; then
        /usr/kerberos/bin/kdestroy > /dev/null 2>&1
        /usr/kerberos/bin/kinit -F usern...@example.com -k -t /path/to/username.keytab
    fi

On Mar 6, 2014, at 8:48 AM, KodaK <sako...@gmail.com> wrote:

> Once again, I'm probably missing something that's well documented. I promise I searched.
>
> We have a daily termination list that needs to be enforced at 5:00 PM every day. I can script it up just fine, but sometimes I like to sneak out early. I tried to use at, but since I'm logged out when the job runs there's no ticket and the ipa commands fail.
>
> ex:
>
>     echo sh terminate | at 5:00 PM Friday
>
> works if I'm logged in with a ticket (terminate contains the ipa command to disable / delete users.)
>
> Is there some way to automate this? I can leave a terminal open on a VM as a work-around, but I'd like to be cleaner if I can.
>
> --Jason
Re: [Freeipa-users] local root can su to any IPA user
Some further reading material about operating in a security model where you accept that things are already compromised:

* CISecurity did a good job on the Kerberos benchmark that was written:
  http://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=mitkerberos110.100

* Two Factor should be employed on any system you consider critical. As far as Identities go, The Password is Dead... YubiKey is a pretty good, low overhead starting point:
  http://wiki.yubico.com/wiki/index.php/Main_Page

* Long Live POSIX; the owner,group,everyone model has been broken for quite some time. I suggest checking out Capsicum in addition to any further reading about trusted computing or SELinux, etc.
  http://www.cl.cam.ac.uk/research/security/capsicum/
  https://github.com/google/capsicum-linux

On Feb 28, 2014, at 9:27 AM, Nordgren, Bryce L -FS <bnordg...@fs.fed.us> wrote:

>> Offline password caching is also optional and a different method. In this case the actual password is maintained in the kernel keyring in locked memory until the machine goes online and can acquire a TGT. On success it is deleted. However it doesn't really matter from an evil-root scenario, because evil-root will have already snatched the password from the PAM stack at authentication time.
>
> Ah. My evil root scenario was that my AS exchange happened on my trusted machine and I used SSO to sign in to Evil root's machine. No password in Evil's pam stack. Evil can log into an Evil-compromised machine all he wants. Can't steal a password from yourself.
>
> Please shoot holes in this design for me: :)
>
> A domain uses Kerberos for authentication. The domain does not allow LDAP or other forms of authentication.
>
> A domain has trusted, domain-administrated machines for initial sign on. Users are not given root access on these machines. Alternatively, users who have been given root access to a machine can initiate an AS exchange from machines they control, but others cannot and/or are strongly discouraged from doing so. Hence, a user can be granted control over their own workstation/laptop.
>
> Users are given permissions on machines as needed to configure whatever it is that they need to do. Say there is some sort of project with specialized requirements which affects ~10-50 participants or so. Someone in the project stands up a machine to address the project's needs, but this person is not part of the Organization, so he could be Evil.
>
> Users would be expected to perform their initial sign on using their own workstation/terminal, then connect to the project resource. Ideally, the project resource is a website of some type, so only a Kerberos service ticket is needed. In the case that project members need command line access, but no access to domain-wide services (like NFS server), they can just get a service ticket for host/evil.example@example.org.
>
> So far, Evil is boxed in. Evil has not been given credentials which allow him to impersonate another user to the domain. Evil's box is a black hole. Identities go in, but they can't get out.
>
> A problem occurs when users need to access domain-wide services from Evil's machine. The user (Innocent) can forward their TGT to Evil's machine, giving Evil full use of Innocent's identity, or Innocent can use their own, trusted workstation to individually request proxy tickets for the services Innocent intends to access. Evil can now impersonate Innocent. In the case where Evil received proxy tickets, it can only impersonate Innocent to specific services on specific hosts. In the case where Evil received a TGT, Evil can impersonate Innocent at will to any domain service.
>
> This suggests that it should be a security requirement for non-organization-wide projects to provide their own services. This permits encouraging/mandating the use of service tickets with project resources. For instance, if the project needs file storage, they should provide file storage. Alternatively, if the organization wishes to provide storage, they may want to allocate servers (and Kerberos principals) individually for each project.
>
> This seems to me to be a way to compartmentalize groups of cooperating users in a way that tends to prevent Evil in one group from spreading to another group, while allowing users to leverage the organization's identity store... It seems to me that this is even more effective at stopping the spread of Evil than establishing hierarchical cross-realm trusts underneath the main organization...
>
> Am I overlooking something, or is this likely to be an effective means of delegating small project support while sideboarding potential Evil?
>
> Bryce
[Freeipa-users] How to restore an IPA Replica when the CSN number generator has moved impossibly far into the future or past
If you are seeing clock skew errors in /var/log/dirsrv/slapd-EXAMPLE-COM/errors that look like this, then you will need to verify the time/date of the server to make sure NTP isn't freaked out. If the system date is correct, it is possible that the change number generator has skewed.

    [01/Feb/2014:14:42:06 -0800] NSMMReplicationPlugin - conn=12949 op=7 repl="dc=example,dc=com": Excessive clock skew from supplier RUV
    [01/Feb/2014:14:42:06 -0800] - csngen_adjust_time: adjustment limit exceeded; value - 1448518, limit - 86400
    [01/Feb/2014:14:42:06 -0800] - CSN generator's state:
    [01/Feb/2014:14:42:06 -0800] -   replica id: 115
    [01/Feb/2014:14:42:06 -0800] -   sampled time: 1391294526
    [01/Feb/2014:14:42:06 -0800] -   local offset: 0
    [01/Feb/2014:14:42:06 -0800] -   remote offset: 0
    [01/Feb/2014:14:42:06 -0800] -   sequence number: 55067

The following NsState_Script should be used to determine whether the change number generator has jumped significantly from the real time/date.

    https://github.com/richm/scripts/blob/master/readNsState.py

The usage for the script works like this:

    [r...@ipaserver.ops jaquino]# ./readNsState.py /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
    nsState is cwBGPfBSAQACAA==
    Little Endian
    For replica cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config fmtstr=[H6x3QH6x] size=40 len of nsstate is 40
      CSN generator state:
        Replica ID    : 115
        Sampled Time  : 1391476038
        Gen as csn    : 52f03d4600020115
        Time as str   : Mon Feb 3 17:07:18 2014
        Local Offset  : 0
        Remote Offset : 1
        Seq. num      : 2
        System time   : Mon Feb 3 17:09:11 2014
        Diff in sec.  : 113
        Day:sec diff  : 0:113

If the output from the above command is over a day or more out of sync, then the reason is because the CSN generator has become grossly skewed. It will be necessary to perform the following steps to recover.

How to resolve this issue

• 1: Select an ipa server to be authoritative and write the contents of its database to an ldif file

  On the master supplier:

    /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif.pl -D 'cn=Directory Manager' -w - -n userRoot -a /tmp/master-389.ldif

  Note that without the -r option it is deliberately omitting the tainted replication data which contains the bad CSNs

• 2: On the ipa server, shut its dirsrv daemon down so that you can reset the attribute responsible for the serial generation, and so that you can re-initialize its db from the known good ldif

  On the master supplier:

    ipactl stop

• 3: Sanitize the dse.ldif Configuration File

  On the master supplier: edit the /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file and remove the nsState attribute from the replica config entry

  You DO NOT want to remove the nsState from:

    dn: cn=uniqueid generator,cn=config

  The stanza you want to remove the value from is:

    dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config

  The attribute will look like this:

    nsState:: cwA3QPBSAQABAA==

  Delete the entire line

• 3.1: Remove traces of stale CSN tracking in the Replica Agreements themselves

  File location: /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif

    cat dse.ldif | sed -n '1 {h; $ !d}; $ {x; s/\n //g; p}; /^ / {H; d}; /^ /! {x; s/\n //g; p}' | grep -v nsds50ruv > new.dse.ldif

  backup the old dse.ldif and replace it with the new one:

    # mv dse.ldif dse.saved.ldif
    # mv new.dse.ldif dse.ldif

• 4: Import the data from the known good ldif. This will mark all the changes with CSNs that match the current time/date stamps

  On the master supplier:

    chmod 644 /tmp/master-389.ldif
    /var/lib/dirsrv/scripts-EXAMPLE-COM/ldif2db -n userRoot -i /tmp/master-389.ldif

• 5: Restart the ipa daemons on the master supplier

    # ipactl start

• 6: When the daemon starts, it will see that it does not have an nsState and will write new CSNs to -all- of the newly imported good data with today's timestamp. We need to take that data and write -it- out to an ldif file

  On the master supplier:

    /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif.pl -D 'cn=Directory Manager' -w - -n userRoot -r -a /tmp/replication-master-389.ldif

  ^ the -r tells it to include all replica data which includes the newly blessed CSN data

  Transfer the file to all of the ipa servers in the fleet

• 7: Now we must re-initialize _every other_ ipa consumer server in the fleet with the new good data. Steps 7-10 need to be done 1 at a time on each ipa consumer server

    ipactl stop

• 8: Sanitize the dse.ldif Configuration File

  On the ipa server: edit the /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file and remove the nsState attribute from the replica config entry

  You DO NOT want to remove the nsState from:

    dn: cn=uniqueid generator,cn=config

  The stanza you want to remove the value from is:

    dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config

  The attribute will look like this:

    nsState:: cwA3QPBSAQABAA==

  Delete the entire line

• 8.1: Remove traces of stale CSN tracking in the Replica Agreements themselves

  File
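What readNsState.py reports, together with steps 3 and 3.1 of the procedure, as a Python example added here; it is not the richm script and not code from the post. It assumes the 40-byte little-endian nsState layout the script output above reports (fmtstr=[H6x3QH6x]: replica id, sampled time, local offset, remote offset, sequence number) and the dc=example,dc=com replica DN the post uses throughout. The dse.ldif fragment is constructed, with the replica's state packed from the values shown in the script output and the RUV values replaced by placeholders.

```python
import base64
import struct
import time

# Layout reported by the readNsState.py output quoted above: little-endian,
# 40 bytes -> replica id (H), pad, sampled time / local offset / remote
# offset (3Q), sequence number (H), pad.
NSSTATE_FMT = "<H6x3QH6x"
# csngen_adjust_time limit from the error log quoted above (one day).
SKEW_LIMIT = 86400
# The two entries the procedure distinguishes (example.com as in the post).
REPLICA_DN = "cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config"
UNIQUEID_DN = "cn=uniqueid generator,cn=config"


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def replica_nsstate(text):
    """Return the base64 nsState of the replica entry, or None if absent."""
    dn = None
    for line in unfold_ldif(text):
        if line.lower().startswith("dn:"):
            dn = line.partition(":")[2].strip()
        elif dn == REPLICA_DN and line.lower().startswith("nsstate::"):
            return line.split("::", 1)[1].strip()
    return None


def decode_nsstate(b64):
    """Unpack the CSN generator state into a dict of its five fields."""
    fields = struct.unpack(NSSTATE_FMT, base64.b64decode(b64))
    names = ("replica_id", "sampled_time", "local_offset", "remote_offset", "seq_num")
    return dict(zip(names, fields))


def csn_skew(state, now=None):
    """Seconds between the wall clock and the generator's sampled time."""
    now = int(time.time()) if now is None else now
    return now - state["sampled_time"]


def needs_reset(state, now=None):
    """True when the generator is further from real time than dirsrv will adjust."""
    return abs(csn_skew(state, now)) > SKEW_LIMIT


def sanitize_dse(text):
    """Steps 3 and 3.1: drop nsState from the replica entry only (the uniqueid
    generator keeps its own) and drop every nsds50ruv value.  Continuation
    lines are unfolded first, as the sed pipeline in the post does."""
    out, dn = [], None
    for line in unfold_ldif(text):
        if line.lower().startswith("dn:"):
            dn = line.partition(":")[2].strip()
        attr = line.split(":", 1)[0].strip().lower()
        if attr == "nsds50ruv":
            continue
        if attr == "nsstate" and dn == REPLICA_DN:
            continue
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: the replica's state is packed from the values in the
# post's script output (replica 115, sampled 1391476038, offsets 0/1, seq 2)
# and folded across two lines the way 389-ds writes long values; the uniqueid
# generator's state and the RUV values are placeholders, not real data.
SAMPLE_STATE = base64.b64encode(struct.pack(NSSTATE_FMT, 115, 1391476038, 0, 1, 2)).decode()
SAMPLE_DSE = (
    "dn: " + UNIQUEID_DN + "\n"
    "objectClass: top\n"
    "objectClass: extensibleObject\n"
    "cn: uniqueid generator\n"
    "nsState:: AAAAAAAAAAAAAAAAAAAAAAAAAA==\n"
    "\n"
    "dn: " + REPLICA_DN + "\n"
    "objectClass: top\n"
    "objectClass: nsDS5Replica\n"
    "cn: replica\n"
    "nsDS5ReplicaId: 115\n"
    "nsState:: " + SAMPLE_STATE[:30] + "\n"
    " " + SAMPLE_STATE[30:] + "\n"
    "nsds50ruv: {replicageneration} PLACEHOLDER-GENERATION-CSN\n"
    "nsds50ruv: {replica 115 ldap://ipaserver.example.com:389} PLACEHOLDER-MIN\n"
    " -CSN PLACEHOLDER-MAX-CSN\n"
)

if __name__ == "__main__":
    state = decode_nsstate(replica_nsstate(SAMPLE_DSE))
    print(state, "skew:", csn_skew(state, now=1391476151),
          "reset:", needs_reset(state, now=1391476151))
    print(sanitize_dse(SAMPLE_DSE))
```

Run against a real file with `replica_nsstate(open(path).read())` and `needs_reset(decode_nsstate(...))`; the sample reproduces the 113-second difference from the post, while the 1448518-second adjustment from the error log trips the reset check. sanitize_dse keeps the uniqueid generator's nsState untouched, which is the mistake the procedure warns about.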
Re: [Freeipa-users] slapi-nis bypass Password Policies
Is your client simply using LDAP to bind and authenticate your service?

If so, you may be able to create a special dedicated sysaccount in:

    cn=sysaccounts,cn=etc,dc=domain,dc=com

This account could be used to bind your service without having it be a member of the standard users database subjected to Password Policy expirations etc.

You cannot hope to secure that which you do not first understand
~ Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Sep 18, 2013, at 10:00 AM, cbul...@gmail.com wrote:

> Hi,
>
> We have a client server connected to the IPA server using NIS. It's working well but we have a service running at client server that doesn't handle the password expiration properly. Is it possible to bypass the Password Policies from this client server?
>
> Thanks!
Re: [Freeipa-users] Replication woes
On Aug 20, 2013, at 6:46 AM, Rich Megginson <rmegg...@redhat.com> wrote:

> On 08/20/2013 05:55 AM, Bret Wortman wrote:
>
>> Okay, now I'm thinking I need to dump all my replicas and start them fresh. My /var/log/slapd-FOO-COM/errors is filled with messages like this:
>>
>>     NSMMReplicationPlugin - changelog program - agmt="cn=meTogood1.foo.com" (good1:389): CSN 520a4964001d not found, we aren't as up to date, or we purged
>>     agmt="cn=meTogood1.foo.com" (good1:389) - Can't locate CSN 520a4964001d in the changelog (DB rc=-30988). The consumer may need to be reinitialized.
>>
>> I assume the consumer is the replica, right?
>>
>> At present, I have two replicas known to my master that are simply gone. Another is there but they can't talk. Three more have good communication but I'm getting errors like these.
>>
>> Is there a good, clean way to just clobber all the replicas and start over without trashing the DNS and other identity data that is inside my master and which is working? Deleting them from the master hasn't been working; it tends to hang the master's DNS and other services until I Ctrl-C out and ipactl restart it.
>>
>> I'm afraid to venture out without a net here and make things worse
>
> This looks like https://fedorahosted.org/389/ticket/47386
>
> We've never been able to reproduce this in a controlled environment. The original reporter has been able to get this to work in some cases by restarting ipa (ipactl restart).
>
> Before you do that, would you be able to provide some information for me?
>
> On the supplier and consumer:
>
>     ldapsearch -xLLL -D "cn=directory manager" -W -b dc=FOO,dc=COM '(&(objectclass=nstombstone)(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff))' > ruv.ldif
>     ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config '(objectclass=nsds5replicationagreement)' > agmt.ldif
>     dbscan -f /var/lib/dirsrv/slapd-FOO-COM/cldb/*.db4 | head -200 > cldb.txt
>
> Be sure to obscure any sensitive data in ruv.ldif, agmt.ldif, and cldb.txt - you can either attach to https://fedorahosted.org/389/ticket/47386 or email to me directly.
>
> Any help you could provide in capturing the fail-state would be hugely appreciated.

I've found that if you work through the issue and fix the problem, it doesn't appear to be deliberately reproducible.

If you can get the debugging data that Rich needs, I can work on drafting you a basic howto on how to diagnose and fix your replication issue.

>> Bret Wortman
>> http://damascusgrp.com/
>> http://about.me/wortmanbret
>>
>> On Mon, Aug 19, 2013 at 2:21 PM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
>>
>>> On my master (where this error is occurring), I've got, in /etc/hosts:
>>>
>>>     127.0.0.1 localhost localhost.localdomain
>>>     ::1 localhost localhost.localdomain
>>>     1.2.3.4 ipamaster.foo.net ipamaster
>>>
>>> So that should be okay, right?
>>>
>>>     # host ipamaster.foo.net
>>>     ipamaster.foo.net has address 1.2.3.4
>>>     # host ipamaster
>>>     ipamaster.foo.net has address 1.2.3.4
>>>     # host localhost
>>>     localhost has address 127.0.0.1
>>>     localhost has IPv6 address ::1
>>>     #
>>>
>>> I checked the other system (the one I can't connect to) to be safe, and its /etc/hosts is similarly configured. It even has the master listed with its correct IP address.
>>>
>>> Bret Wortman
>>>
>>> On Mon, Aug 19, 2013 at 2:02 PM, Simo Sorce <s...@redhat.com> wrote:
>>>
>>>> On Mon, 2013-08-19 at 13:51 -0400, Bret Wortman wrote:
>>>>> So, any idea how to fix the Kerberos problem?
>>>>
>>>> If your server is trying to get a tgt for ldap/localhost it probably means your /etc/hosts file is broken and has a line like this:
>>>>
>>>>     1.2.3.4 localhost my.real.name
>>>>
>>>> When GSSAPI tries to resolve my.realm.name it gets back that 'localhost' is the canonical name so it tries to get a TGT with that name and it fails.
>>>>
>>>> If /etc/hosts is fine then the DNS server may be returning an IP address that later resolves to localhost again.
>>>>
>>>> To unbreak make sure that if you have your fully qualified name in /etc/hosts that it is on its own line pointing at the right IP address and where the FQDN name is the first in line:
>>>>
>>>> eg: this is ok:
>>>>
>>>>     1.2.3.4 server.full.name server
>>>>
>>>> this is not:
>>>>
>>>>     1.2.3.4 server server.full.name
>>>>
>>>> Simo.
>>>>
>>>>> Bret Wortman
>>>>>
>>>>> On Mon, Aug 19, 2013 at 12:19 PM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
>>>>>
>>>>>> ...and I got the web UI, authentication and sudo back via:
>>>>>>
>>>>>>     # ipactl stop
>>>>>>     # ipactl start
>>>>>>
>>>>>> Not sure why that worked, but it did. I was grasping at straws, honestly.
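The /etc/hosts check Simo describes, as a Python example added here; it is not code from the thread or from FreeIPA. It parses hosts-file text and reports, for a given FQDN, whether that name is the first name on its line and whether the line would make localhost the canonical name. The three sample files are constructed from the lines quoted above. It covers only the /etc/hosts side; the DNS case Simo mentions is not modeled.

```python
import ipaddress

# Constructed hosts files: the "ok" and "not ok" lines from Simo's reply,
# plus the localhost-as-canonical-name case he describes.
HOSTS_OK = """127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
1.2.3.4     server.full.name server
"""
HOSTS_WRONG_ORDER = """127.0.0.1   localhost localhost.localdomain
1.2.3.4     server server.full.name   # FQDN is not the canonical name
"""
HOSTS_LOCALHOST = """1.2.3.4     localhost my.real.name
"""


def parse_hosts(text):
    """Return [(address, canonical_name, [aliases])] for each usable line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # comments run to end of line
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # not a hosts line we understand
        entries.append((addr, fields[1], fields[2:]))
    return entries


def check_fqdn(text, fqdn):
    """Problems a Kerberos client would hit canonicalizing fqdn via this file."""
    problems, seen = [], False
    for addr, canonical, aliases in parse_hosts(text):
        if fqdn not in [canonical] + aliases:
            continue
        seen = True
        if canonical != fqdn:
            problems.append(f"{addr}: {fqdn} is listed after {canonical!r}, "
                            f"so {canonical!r} becomes the canonical name")
        if canonical == "localhost" or canonical.startswith("localhost."):
            problems.append(f"{addr}: {fqdn} canonicalizes to localhost; "
                            f"tickets would be requested for ldap/localhost")
    if not seen:
        problems.append(f"{fqdn} does not appear in the file")
    return problems


if __name__ == "__main__":
    print("ok:", check_fqdn(HOSTS_OK, "server.full.name"))
    print("wrong order:", check_fqdn(HOSTS_WRONG_ORDER, "server.full.name"))
    print("localhost:", check_fqdn(HOSTS_LOCALHOST, "my.real.name"))
```

Feed it the real file with `check_fqdn(open("/etc/hosts").read(), socket.getfqdn())`; an empty list means the file is laid out the way Simo recommends, with the FQDN first on its own line.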
Re: [Freeipa-users] Configure IPA 3.1.5 client for sudo?
On Jun 25, 2013, at 2:52 AM, Martin Kosek <mko...@redhat.com> wrote:

> On 06/24/2013 03:36 PM, Rob Crittenden wrote:
>> Dean Hunter wrote:
>>> On Mon, 2013-06-24 at 09:07 +0300, Alexander Bokovoy wrote:
>>>> On Sun, 23 Jun 2013, Dean Hunter wrote:
>>>>> Section 14.4. Applying the Configured sudo Policies to Hosts of the FreeIPA Guide, Edition 3.1.5 in the Fedora 18 documentation contains only an example of configuring sudo for use with FreeIPA 2.2. It differs in many regards from QA:Testcase freeipav3 sudo sssd in the Wiki at fedoraproject.org. What instructions should I use to configure an IPA 3.1.5-1 client with sudo?
>>>>
>>>> This thread should clear it up:
>>>> https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
>>>>
>>>> This presentation covers current state:
>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>
>>> Thank you for the prompt response! I really appreciate how helpful y'all are on this list. The slide presentation is especially useful because of all the explanation. Have you identified a target release for:
>>>
>>> 1) SSSD doesn't support FreeIPA as SUDO provider yet
>>
>> To clarify, this is just to make SSSD use the native IPA schema instead of ou=sudoers.
>>
>> https://fedorahosted.org/sssd/ticket/1108
>
> Right. When talking about SUDO being able to select SSSD as a source database (instead of the native LDAP connection), this works already - SSSD reads ou=sudoers. There is an RFE ticket targeted to 3.4 already (it also contains steps how to configure it manually):

Is there a specific version of Sudo that supports nsswitch.conf having: sudo sss? Is that version of Sudo available on RHEL?

> https://fedorahosted.org/freeipa/ticket/3358
>
>>> 2) A command line tool to perform the client configuration
>>
>> https://fedorahosted.org/freeipa/ticket/3358
>>
>> rob
[Freeipa-users] IPA Replica Issue
I have been having replication issues since the update to RHEL6.4 and 389-ds-base-1.2.11.15-12.

It is entirely possible that we have more than just 1 problem.

Frequently we are seeing errors in our replication monitoring indicating:

    -1 Incremental update has failed and requires administrator action
    LDAP error: Can't contact LDAP server

This problem cannot be solved via ipa-replica-manage force-sync and it does not get permanently solved with a re-initialization or a dirsrv restart either (the problem eventually comes back or appears on a different server)

Have any of you also seen this error when you could verify that the servers can communicate over ldap?

When checking with Rich today in IRC, we turned on debugging for replication and did not see a smoking gun. We -did- see log messages showing things like:

    (auth1:389): CSN 51ad2c5500090066 not found, we aren't as up to date, or we purged

When looking for this change, it was determined that the originating IPA server who was responsible for the change showed that this was a modification by the MemberOf plugin associating a host with a hostgroup or vice versa. This change was -not- found on the IPA server who is reporting the replication troubles.

IPA deliberately excludes memberof changes during incremental updates for performance reasons. This is because each server does replicate the 'member' info, whereby the local MemberOf plugin will fire off and perform its respective fixups accordingly.

Rich asked me to bring this issue up to the attention of the mailing list so that we could continue to track the root cause of the issue(s) and hopefully come to a conclusion about how to fix them.

Keeping your head in the cloud
~ Jr Aquino | Sr. Information Security Specialist
Re: [Freeipa-users] IPA Replica Issue
On Jun 5, 2013, at 5:26 PM, Rich Megginson wrote:

> On 06/05/2013 05:49 PM, JR Aquino wrote:
>> I have been having replication issues since the update to RHEL6.4 and 389-ds-base-1.2.11.15-12.
>>
>> It is entirely possible that we have more than just 1 problem.
>>
>> Frequently we are seeing errors in our replication monitoring indicating:
>>
>>     -1 Incremental update has failed and requires administrator action
>>     LDAP error: Can't contact LDAP server
>>
>> This problem cannot be solved via ipa-replica-manage force-sync and it does not get permanently solved with a re-initialization or a dirsrv restart either (the problem eventually comes back or appears on a different server)
>>
>> Have any of you also seen this error when you could verify that the servers can communicate over ldap?
>>
>> When checking with Rich today in IRC, we turned on debugging for replication and did not see a smoking gun. We -did- see log messages showing things like:
>>
>>     (auth1:389): CSN 51ad2c5500090066 not found, we aren't as up to date, or we purged
>
> On replicaID 0x66 - I think dbscan -f /var/lib/dirsrv/slapd-INST/cldb/xx.db4 will tell you what are the purge and max CSNs, somewhere near the beginning - what are they?

I've looked up and down the dbscan output and there is no sign of the word 'purge' or 'max'

> Also, what is the database RUV on 0x66? that is, do
>
>     ldapsearch -xLLL -h <0x66 hostname> -D "cn=directory manager" -w password -b dc=expertcity,dc=com '(&(objectclass=nsTombstone)(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff))'

I've sent you a private email with the above output.

>> When looking for this change, it was determined that the originating IPA server who was responsible for the change showed that this was a modification by the MemberOf plugin associating a host with a hostgroup or vice versa. This change was -not- found on the IPA server who is reporting the replication troubles.
>>
>> IPA deliberately excludes memberof changes during incremental updates for performance reasons. This is because each server does replicate the 'member' info, whereby the local MemberOf plugin will fire off and perform its respective fixups accordingly.
>>
>> Rich asked me to bring this issue up to the attention of the mailing list so that we could continue to track the root cause of the issue(s) and hopefully come to a conclusion about how to fix them.
>>
>> Keeping your head in the cloud
>> ~ Jr Aquino | Sr. Information Security Specialist
Re: [Freeipa-users] sudo rules user and host group bugs?
On Jun 5, 2013, at 1:47 PM, KodaK wrote:

> Sorry, for some reason gmail makes me forget about reply all.
>
> On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal <d...@redhat.com> wrote:
>
>> On 06/05/2013 11:20 AM, KodaK wrote:
>>> I know this has been discussed before, but I didn't see anything with a cursory search. There are bugs when using user and host groups with sudo rules. I have to split out my users and hosts into individual entries. I'm running ipa 3.0.0-26 on RHEL. All I really want to know is if this is fixed upstream.
>>
>> I am not sure I recall a bug you are referring to. A quick scan against the open tickets does not reveal anything like what you describe. Can you provide the description of the issue or point to the earlier thread on the matter?
>
> I'm going off of memory on seeing the previous bug. It very well could be a false memory.
>
> I have a rule like this:
>
>     [jebalicki@mo0033802 ~]$ ipa sudorule-show esolutions-sandbox-root-access
>       Rule name: esolutions-sandbox-root-access
>       Enabled: TRUE
>       Users: slfries, awellard
>       Hosts: slnessbxl01.unix.magellanhealth.com
>       Sudo Allow Commands: /bin/su -
>
> This works. However, if I change the rule to use hostgroups instead of listing the hosts individually the rule will not work. The groups still exist and look like this:
>
>     [jebalicki@mo0033802 ~]$ ipa hostgroup-show esolutions-sandbox-hosts
>       Host-group: esolutions-sandbox-hosts
>       Description: esolutions sandbox hosts
>       Member hosts: slnessbxl01.unix.magellanhealth.com
>       Member of HBAC rule: esolutions-sandbox-access
>
>     [jebalicki@mo0033802 ~]$ ipa group-show esolutions
>       Group name: esolutions
>       Description: esolutions group
>       GID: 1115600250
>       Member users: awellard, slfries
>       Member of HBAC rule: esolutions-sandbox-access
>
> Client machine is pretty much default-out-of-the-box IRT IPA configuration, here's the installer output (installs during kickstart):
>
>     [root@slnessbxl01 ~]# cat ks-post.log
>     Discovery was successful!
>     Hostname: slnessbxl01.unix.magellanhealth.com
>     Realm: UNIX.MAGELLANHEALTH.COM
>     DNS Domain: UNIX.MAGELLANHEALTH.COM
>     IPA Server: slpidml01.unix.magellanhealth.com
>     BaseDN: dc=unix,dc=magellanhealth,dc=com
>     Synchronizing time with KDC...
>     Enrolled in IPA realm UNIX.MAGELLANHEALTH.COM
>     Created /etc/ipa/default.conf
>     New SSSD config will be created.
>     Configured /etc/sssd/sssd.conf
>     Configured /etc/krb5.conf for IPA realm UNIX.MAGELLANHEALTH.COM
>     Warning: Hostname (slnessbxl01.unix.magellanhealth.com) not found in DNS
>     DNS server record set to: slnessbxl01.unix.magellanhealth.com -> 10.200.12.104
>     SSSD enabled
>     NTP enabled
>     Client configuration complete.
>     [root@slnessbxl01 ~]# rpm -qa | grep ipa
>     python-iniparse-0.3.1-2.1.el6.noarch
>     libipa_hbac-python-1.8.0-32.el6.x86_64
>     libipa_hbac-1.8.0-32.el6.x86_64
>     ipa-client-2.2.0-16.el6.x86_64
>     ipa-python-2.2.0-16.el6.x86_64
>     [root@slnessbxl01 ~]# cat /etc/redhat-release
>     Red Hat Enterprise Linux Server release 6.3 (Santiago)
>     [root@slnessbxl01 ~]#

Troubleshooting:

Can you confirm the output of the following commands:

1. $ domainname
   * does it match your domain?
2. $ hostname
   * does it match your fqdn?
3. $ getent netgroup esolutions-sandbox-hosts
   * does this list your host?
4. Does /etc/nsswitch.conf contain the line: netgroup: files sss?

Another important Sudo Troubleshooting step is to edit /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running). At the top, add the line:

    sudoers_debug 2

Then try another sudo command, sudo -l for example. This should result in a long list of search criteria and status. The last few lines should indicate where any matches occurred.

Keeping your head in the cloud
~ JR Aquino
Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Exploit Researcher and Advanced Penetration Tester | GIAC WebApplication Penetration Tester | GIAC Certified Incident Handler
jr.aqu...@citrix.com
Powering mobile workstyles and cloud services
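Steps 2 to 4 of the troubleshooting list above as offline checks, a Python example added here that is not from the thread. The sudo integration on these clients matches a host group through the netgroup it is exposed as, which is why step 3 asks getent netgroup for the host group rather than the IPA group itself. Each function takes the text the corresponding command prints, parses it, and returns a pass/fail that can be scripted on a client; the sample outputs below are constructed, using the host and group names from the thread.

```python
import re

# Constructed sample outputs for the checks in the message above (the second
# netgroup member is invented to show that matching is per host).
SAMPLE_HOSTNAME = "slnessbxl01.unix.magellanhealth.com\n"
SAMPLE_GETENT = ("esolutions-sandbox-hosts "
                 "(slnessbxl01.unix.magellanhealth.com,-,unix.magellanhealth.com) "
                 "(slnessbxl02.unix.magellanhealth.com,-,unix.magellanhealth.com)")
SAMPLE_NSSWITCH = """# constructed /etc/nsswitch.conf fragment
passwd:     files sss
group:      files sss
netgroup:   files sss
sudoers:    files sss
"""
SAMPLE_NSSWITCH_NO_SSS = "netgroup:   files\n"

# One netgroup triple: (host,user,domain); any field may be '-' or empty.
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(getent_line):
    """Parse 'name (host,user,domain) ...' into (name, [(host, user, domain), ...])."""
    name, _, rest = getent_line.strip().partition(" ")
    return name, [tuple(f.strip() for f in m.groups()) for m in TRIPLE.finditer(rest)]


def netgroup_has_host(getent_line, fqdn):
    """True when the expanded netgroup lists fqdn in the host position."""
    _, triples = parse_netgroup(getent_line)
    return any(host == fqdn for host, _user, _domain in triples)


def nsswitch_uses_sss(nsswitch_text, database="netgroup"):
    """True when the named nsswitch database lists 'sss' among its sources."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        db, sep, sources = line.partition(":")
        if sep and db.strip() == database:
            return "sss" in sources.split()
    return False


def sudo_host_checks(hostname_out, fqdn, getent_line, nsswitch_text):
    """Steps 2-4 of the troubleshooting list as a dict of check -> passed."""
    return {
        "hostname_is_fqdn": hostname_out.strip() == fqdn,
        "netgroup_lists_host": netgroup_has_host(getent_line, fqdn),
        "nsswitch_netgroup_sss": nsswitch_uses_sss(nsswitch_text),
    }


if __name__ == "__main__":
    print(sudo_host_checks(SAMPLE_HOSTNAME, "slnessbxl01.unix.magellanhealth.com",
                           SAMPLE_GETENT, SAMPLE_NSSWITCH))
```

On a real client, pass in `subprocess.check_output(["hostname"], text=True)`, the line from `getent netgroup <hostgroup>`, and the contents of /etc/nsswitch.conf; a False in the result points at the step to fix before reaching for sudoers_debug.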
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 9:30 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area?

That -should- be enough to catch new hosts that are built by the 'build' user.

Can you verify that the Attribute you are matching on is: enrolledby ?

Keeping your head in the cloud
~ Jr Aquino | Sr. Information Security Specialist

> Thanks,
> _
> John Moyer
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 10:43 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

> One thing to add is that this build user only has the following access:
>
>   Host Administrators
>   Host enrollment
>
> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group, it's the system technically doing it, so there shouldn't be a permissions issue.

The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin should be catching the insertion of the new object, then match the watched attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than those of the user.

Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed.

> Thanks,
> _
> John Moyer
>
> On Apr 30, 2013, at 1:21 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>
>> That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the attribute you are matching on is: enrolledby ?
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 10:52 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

> Not a problem, here is the output
>
>   ipa automember-find --type=hostgroup
>   ---
>   1 rules matched
>   ---
>     Automember Rule: test-group
>     Inclusive Regex: enrolledby=build
>   ---
>   Number of entries returned 1
>   ---

Interesting. When you do an:

  ipa host-show test-hostname.example.com --all --raw

Does it clearly show that enrolledby=build?

> Thanks,
> _
> John Moyer
>
> On Apr 30, 2013, at 1:48 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>
>> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed.
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 11:02 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

> It comes back with a ton of stuff; the row you are probably interested in is this one:
>
>   enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com

Bingo!

Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with

  uid=build,cn=users,cn=accounts,dc=example,dc=com

See if that does the trick.

> Thanks,
> _
> John Moyer
>
> On Apr 30, 2013, at 1:57 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>
>> Interesting. When you do an: ipa host-show test-hostname.example.com --all --raw
>> Does it clearly show that enrolledby=build?
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 11:12 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

> I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier:
>
>   ipa automember-find --type=hostgroup
>   ---
>   1 rules matched
>   ---
>     Automember Rule: test-group
>     Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
>   ---
>   Number of entries returned 1
>   ---

Interesting. What about if you just do something silly like:

  .*build.*

Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolledby above?

> Thanks,
> _
> John Moyer
>
> On Apr 30, 2013, at 2:07 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>
>> Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com
>> See if that does the trick.
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 11:23 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

> Ha! I tried .*build and build.* before contacting you guys, I didn't try .*build.*
>
> That worked, it automatically added the machine to the group! Thanks! That will save me so much time!

Not a problem John, thanks for your patience! Glad to be of help! I'm very happy to see that some of the stuff that I use daily saves other folks time and headaches too!

-JR

> Thanks,
> _
> John Moyer
>
> On Apr 30, 2013, at 2:17 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>
>> Interesting. What about if you just do something silly like: .*build.*
>> Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolledby above?
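The thread tries three inclusive regexes against an `enrolledby` value that is a full DN, and does not settle how the 389 automember plugin anchors its match. The following added example (not code from the thread, FreeIPA or 389-ds) checks a candidate `attribute=regex` rule against `ipa host-show --all --raw` output under both possible semantics, unanchored search and whole-value match, and also shows that the loose `.*build.*` would place a host enrolled by any DN containing "build" into the group. The sample entries and the fourth candidate rule (`^uid=build,`) are constructed for this example.

```python
"""Check automember inclusive-regex candidates against real attribute values
before changing the rule.

Added example, not part of the thread or of FreeIPA/389-ds. Because the
thread does not establish whether the plugin anchors its regex, each rule is
evaluated under BOTH semantics so you can see which candidates depend on it.
"""
import re

# Constructed sample of `ipa host-show <host> --all --raw` output, trimmed to
# the relevant lines; the enrolledby value is the one shown in the thread.
SAMPLE_HOST_SHOW = """\
  dn: fqdn=test-hostname.example.com,cn=computers,cn=accounts,dc=example,dc=com
  fqdn: test-hostname.example.com
  enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
"""

# Constructed second host enrolled by a *different* account whose uid merely
# contains the string "build"; used to show over-broad matching.
SAMPLE_OTHER_HOST = """\
  dn: fqdn=legacy.example.com,cn=computers,cn=accounts,dc=example,dc=com
  fqdn: legacy.example.com
  enrolledby: uid=buildbot,cn=users,cn=accounts,dc=example,dc=com
"""

# The three rules tried in the thread, in the form automember-find prints
# them, plus one constructed candidate anchored at the start of the DN.
CANDIDATE_RULES = [
    "enrolledby=build",
    "enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com",
    "enrolledby=.*build.*",
    "enrolledby=^uid=build,",
]


def parse_raw_entry(text):
    """Parse --raw output into {attribute: [values]}; attributes may repeat."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        attr, _, value = line.partition(":")  # split on the FIRST colon only
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def split_rule(rule):
    """'enrolledby=uid=build,...' -> ('enrolledby', 'uid=build,...').

    The attribute name ends at the FIRST '='; everything after it is the
    regex, so a DN containing more '=' characters stays intact.
    """
    attr, sep, regex = rule.partition("=")
    if not sep:
        raise ValueError(f"rule has no attribute=regex separator: {rule!r}")
    return attr.strip().lower(), regex


def evaluate_rule(rule, entry):
    """Return {'search': bool, 'fullmatch': bool} for one rule and one entry.

    search    - the regex may match anywhere in the value (unanchored)
    fullmatch - the regex must cover the whole value (implicitly anchored)
    A rule true only under 'search' silently fails on an anchoring matcher.
    """
    attr, regex = split_rule(rule)
    compiled = re.compile(regex)
    values = entry.get(attr, [])
    return {
        "search": any(compiled.search(v) for v in values),
        "fullmatch": any(compiled.fullmatch(v) for v in values),
    }


def report(raw_text, rules):
    """Evaluate every candidate rule against one --raw entry."""
    entry = parse_raw_entry(raw_text)
    return {rule: evaluate_rule(rule, entry) for rule in rules}


if __name__ == "__main__":
    for label, raw in (("build host", SAMPLE_HOST_SHOW), ("buildbot host", SAMPLE_OTHER_HOST)):
        print(f"== {label}")
        for rule, res in report(raw, CANDIDATE_RULES).items():
            print(f"  {rule:<62} search={res['search']!s:<5} fullmatch={res['fullmatch']}")
```

Only the rules that hold under both columns for the intended host and fail for the unintended one are both anchoring-safe and precise.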
Re: [Freeipa-users] automember issues
I've got about 30mins before I get into my next meeting. Are you able to hop into IRC on Freenode to work in realtime on #freeipa?

Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist
jr.aqu...@citrix.com

On Apr 30, 2013, at 12:23 PM, John Moyer <john.mo...@digitalreasoning.com> wrote:

> So I must have looked at the wrong server name, I just tried to add 4 more servers and none of them worked. Any more ideas?
>
> The target is specified by the rule name; test-group is the target.
>
> Thanks,
> _
> John Moyer
>
> On Apr 30, 2013, at 2:25 PM, Dmitri Pal <d...@redhat.com> wrote:
>
>> On 04/30/2013 02:17 PM, JR Aquino wrote:
>>
>>> Interesting. What about if you just do something silly like: .*build.*
>>> Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolledby above?
>>
>> Don't you need to specify target group?
>> It might be that the filter is working but it is not placing it anywhere because nothing is specifying where to place it.
Re: [Freeipa-users] openldap to ipa
Try editing /etc/openldap/ldap.conf:

  TLS_CACERT /etc/ipa/ca.crt
  TLS_REQCERT allow

See if that helps

Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist
GIAC Exploit Researcher and Advanced Penetration Tester | GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Jan 11, 2013, at 8:05 AM, Johnathan Phan <j...@ox-consulting.com> wrote:

> Hi There,
>
> This is driving me up the wall. I have two servers. 1 is a live openldap/kerberos AAA server running on RHEL6. The LDAP service has SSL/TLS support. The second server is a test environment running on fedora and has 3.1 IPA installed.
>
> As a last step of my POC I need to migrate the users and passwords from the LDAP server to the IPA server. I ran this command perfectly fine.
>
>   ipa config-mod --enable-migration=TRUE
>
> However the next step was where my issues began. In the end after a lot of IRC communication and troubleshooting I now run the following command.
>
>   ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=users,ou=live,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.live.example.com
>
> I get the following error.
>
>   ipa: DEBUG: Caught fault 4203 from server http://fedoraipaserver.test.example.com/ipa/xml: Can't contact LDAP server: TLS error -8179:Peer's Certificate issuer is not recognized.
>   ipa: DEBUG: Destroyed connection context.xmlclient
>   ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's Certificate issuer is not recognized.
>
> I have summarized that the IPA server does not trust the cert served by the openldap or the other way around. Does anyone know how to get around this? Or allow me to finish the migration of user data.
>
> Regards
> John
> --
> Johnathan Phan
> T: +44 (0)784 118 7080
[Freeipa-users] RHEL6.3 Install Problem with IPA
I have a weird ipa-replica-install problem that I have not been able to work around. I have managed to successfully reproduce and identify the root cause of my pain, but I don't understand why it's coming up...

My install fails with:

  Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80

After much head scratching, I finally was able to reproduce the problem:

If you start httpd as the install script does, it gives the following:

  service httpd start
  Starting httpd: Please enter password for internal token:

This process doesn't create the pidfile and essentially hangs httpd on 80 and 443.

When the restart process is later called, you get the message that the installer is throwing:

  service httpd restart
  Stopping httpd: [FAILED]
  Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
  no listening sockets available, shutting down
  Unable to open logs
  [FAILED]

I've verified that the content of /etc/httpd/conf/password.conf is valid and will 'authenticate' if passed to that internal token prompt... mod_nss is clearly the piece that is causing the prompting but I'm not sure what is breaking here or how I can work around it.

Can someone help?

Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist
GIAC Exploit Researcher and Advanced Penetration Tester | GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com
Re: [Freeipa-users] Managing Sudo through FreeIPA
If you go to the CLI on the FreeIPA server and type:

  ipa sudorule <enter>

It will give you some useful info. I believe you asked about the sudo user (which your log shows as currently unset, and configured as anonymous). Here is a snippet:

-=-=-=-=-=-
...
FreeIPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

To enable the binddn run the following command to set the password:
LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

For more information, see the FreeIPA Documentation to Sudo.
-=-=-=-=-=-

The resulting user needs to be configured in your sudo-ldap.conf with:

  binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
  bindpw <password>

Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Nov 8, 2012, at 9:11 AM, William Muriithi <william.murii...@gmail.com> wrote:

> Steven,
>
> Thanks for the pointers. I remember finding a post on this, but having a problem finding it now.
>
>> I assume rhel6.3 by the el6 in the rpm
>>
>> 1) Make sure the host and IPA server are fully patched/updated.
>
> I am current already
>
>> 2) Edit nsswitch.conf to have sudoers: files ldap as the last line, may or may not be there.
>
> Done
>
>> 3) add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for that file to appear. I'm not at work so I don't have a pastable set
>
> Yes, the file was there already. Wonder if you can paste it now. Mine was like this
>
>   uri ldap://ipa1-yyz-int.example.loc
>   sudoers_base ou=SUDOers,dc=example,dc=loc
>   ssl start_tls
>   tls_checkpeer(yes)
>   tls_cacertfile /etc/ipa/ca.crt
>
>> 4) Add nisdomainname example.com to /etc/rc.d/rc.local.
>
> Done
>
>> 5) Add or enable the sudo connection user in IPA with a password.
>
> ? Lost me here, mind explaining a bit please if you have a chance?
>
>> 6) reboot the host
>>
>> If it doesn't work set the debug level in sudo-ldap.conf to 2 and re-try to see the output..restart sssd.
>
>   sh-4.1$ sudo less /var/log/secure
>   LDAP Config Summary
>   ===
>   uri ldap://ipa1-yyz-int.example.loc
>   ldap_version 3
>   sudoers_base ou=SUDOers,dc=example,dc=loc
>   binddn (anonymous)
>   bindpw (anonymous)
>   ssl start_tls
>   tls_checkpeer(no)
>   tls_cacertfile /etc/ipa/ca.crt
>   ===
>   sudo: ldap_set_option: debug - 0
>   sudo: ldap_set_option: tls_checkpeer - 0
>   sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt
>   sudo: ldap_set_option: tls_cacert - /etc/ipa/ca.crt
>   sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
>   sudo: ldap_set_option: ldap_version - 3
>   sudo: ldap_start_tls_s() ok
>   sudo: ldap_sasl_bind_s() ok
>   sudo: no default options found in ou=SUDOers,dc=example,dc=loc
>   sudo: ldap search '(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
>   sudo: ldap search 'sudoUser=+*'
>   sudo: user_matches=0
>   sudo: host_matches=0
>   sudo: sudo_ldap_lookup(0)=0x60
>   [sudo] password for williamm:
>   williamm is not in the sudoers file. This incident will be reported.
>
> Thank you again for your help
>
> Regards,
> William
>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of William Muriithi [william.murii...@gmail.com]
>> Sent: Thursday, 8 November 2012 10:28 a.m.
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] Managing Sudo through FreeIPA
>>
>>> Hello
>>>
>>> I have been trying to set up user access through a sudo file managed by FreeIPA and it doesn't seem to be working. I am not sure how to go about fixing it, but I guess the best place to start is to ask what I should expect the IPA installation script to set up and what should be done manually.
>>>
>>>   [root@demo2 wmuriithi]# rpm -qa | grep sssd
>>>   sssd-client-1.8.0-32.el6.x86_64
>>>   sssd-1.8.0-32.el6.x86_64
>>>   [root@demo2 wmuriithi]#
>>>   [root@demo2 wmuriithi]# rpm -qa | grep sudo
>>>   sudo-1.7.4p5-13.el6_3.x86_64
>>>
>>> The only errors related to sudo that I can find are in the apache error logs
>>>
>>>   [Wed Nov 07 13:16:18 2012] [error] ipa: INFO: ad...@example.loc: sudorule_add_user(u'read_only_viewiers', all=False, raw=False, version=u'2.34', group=(u'operations',)): SUCCESS
>>>   [Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache
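Two client-side files in these threads decide whether an LDAP client authenticates and whether it verifies the directory's certificate: sudo-ldap.conf (the debug summary above shows `binddn (anonymous)` and `tls_checkpeer(no)`) and /etc/openldap/ldap.conf (the `TLS_REQCERT allow` workaround in the openldap-to-ipa thread, which per ldap.conf(5) makes the client proceed even when the server presents a bad certificate). The added example below (not code from either thread or from FreeIPA) parses the shared `KEY value` format of both files and reports those weak settings; the sample configurations are constructed from the lines posted in the threads, and the hardened sudo-ldap.conf uses the designated `uid=sudo,cn=sysaccounts,cn=etc` binddn from the reply above with a placeholder password.

```python
"""Audit sudo-ldap.conf and openldap ldap.conf for anonymous binds and
disabled certificate verification.

Added example, not part of the threads or of FreeIPA. Both files use one
`KEY value` directive per line with `#` comments, so one parser serves both.
"""
import re

# Constructed from the sudo-ldap.conf lines William pasted (file syntax;
# the log summary prints tls_checkpeer(yes)/(no), the file uses a space).
SUDO_LDAP_CONF = """\
uri ldap://ipa1-yyz-int.example.loc
sudoers_base ou=SUDOers,dc=example,dc=loc
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ipa/ca.crt
"""

# Same file plus the designated sudo binddn from JR's reply; the password is
# a placeholder, the real one is set with the ldappasswd command he quotes.
SUDO_LDAP_CONF_HARDENED = SUDO_LDAP_CONF + """\
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=loc
bindpw PLACEHOLDER-set-with-ldappasswd
"""

# Constructed from the /etc/openldap/ldap.conf edit suggested in the thread.
OPENLDAP_CONF = """\
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT allow
"""


def parse_conf(text):
    """Return {lowercase_key: value}; later directives override earlier ones."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_sudo_ldap(text):
    """Findings for a sudo-ldap.conf; an empty list means nothing flagged."""
    conf = parse_conf(text)
    findings = []
    if not conf.get("binddn"):
        # Exactly the state the thread's debug summary shows: binddn (anonymous).
        findings.append("anonymous bind: no binddn configured")
    elif not conf.get("bindpw"):
        findings.append("binddn set without bindpw: bind cannot authenticate")
    if conf.get("uri", "").startswith("ldap://") and conf.get("ssl", "").lower() != "start_tls":
        findings.append("ldap:// without 'ssl start_tls': bind password and rules sent in clear")
    # Assumption for this example: a missing tls_checkpeer is treated as off,
    # matching the 'tls_checkpeer(no)' the thread's summary printed.
    if conf.get("tls_checkpeer", "no").lower() not in ("yes", "true", "on"):
        findings.append("tls_checkpeer off: server certificate is not verified")
    elif not conf.get("tls_cacertfile") and not conf.get("tls_cacert"):
        findings.append("tls_checkpeer on but no tls_cacertfile: no trust anchor to verify against")
    return findings


def audit_openldap(text):
    """Findings for /etc/openldap/ldap.conf; TLS_REQCERT defaults to demand."""
    conf = parse_conf(text)
    findings = []
    reqcert = conf.get("tls_reqcert", "demand").lower()
    if reqcert in ("allow", "never"):
        # ldap.conf(5): 'allow' ignores a bad certificate, 'never' does not ask for one.
        findings.append(f"TLS_REQCERT {reqcert}: a bad or unknown server certificate is accepted")
    if not conf.get("tls_cacert") and not conf.get("tls_cacertdir"):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify the server chain against")
    return findings


if __name__ == "__main__":
    for name, fn, text in (
        ("sudo-ldap.conf (as posted)", audit_sudo_ldap, SUDO_LDAP_CONF),
        ("sudo-ldap.conf (with binddn)", audit_sudo_ldap, SUDO_LDAP_CONF_HARDENED),
        ("openldap ldap.conf (TLS_REQCERT allow)", audit_openldap, OPENLDAP_CONF),
    ):
        print(f"== {name}")
        for finding in fn(text) or ["ok"]:
            print("  -", finding)
```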
Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2
On the host in question, run the command:

domainname

That wants to match whatever your domain is. If it doesn't, it will fail even if you have all the server rules configured correctly. This is a sudo + netgroups/hostgroups 'feature'.

~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrixonline.com http://www.citrixonline.com

On Oct 16, 2012, at 2:26 PM, Toasted Penguin toastedpenguini...@gmail.com wrote:

I have the server set up to manage sudo and I configured a target client to use the IPA server for sudo. When a user tries to use sudo (in this case sudo su -) it fails and they get the error "user is not allowed to run sudo on client-host. This incident will be reported." I verified via the log files that the client is making requests to the IPA server when the user is attempting to use sudo and it fails. I temporarily disabled using the IPA server for sudo and I get the standard "User not in the sudoers file".

It's starting to look like the server rules may be the issue but I believe I have the sudo rule set up correctly. I created a sudo command /bin/su, created a sudo rule "Sudo to root", added the group the user in question is a part of to WHO --> User Groups; added the Host Group the target client host is part of to Access This Host --> Host Groups and added the sudo command to the sudo rule via Allow --> Sudo Allow Commands. When I delete the sudo rule I get the same result as I did when I temporarily disabled the client host using the IPA server for sudo verification.

Any ideas why or where to look to figure out this issue?

Thanks,
David
Re: [Freeipa-users] Password requirements too stringent
Tim, please check your /etc/pam.d/system-auth with the password block. If you see "password requisite pam_cracklib.so", then this is why you are having a problem.

$ man pam_cracklib

It is a local security library for enforcing strong password practices from the unix cli.

ProTip: If you don't need this, you can remove it from pam.

If you want to work around this, set your password from the IPA webui or via the cli:

ipa passwd username

Hope this info helps!

Keeping your head in the cloud
~
JR Aquino
Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Incident Handler | GIAC WebApplication Penetration Tester
jr.aqu...@citrix.com
Powering mobile workstyles and cloud services

On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:

Hey all;

I'm running IPA internally to control access to our cloud environment. I must admit, I do not understand the password requirements. I have had them set to the defaults. I read this:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html

I have the minimum character classes set to 0. When people use SSH to change their passwords, they get "Based on a dictionary word" for passwords that have nothing to do with dictionary words. I can't find anywhere in the documentation a breakdown of what makes an unacceptable versus acceptable password. Can anyone help me figure out what to tell my users? I think people would get a lot less frustrated if they knew why C679V375 was too simple when the password policy has 0 required classes.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

ps: funny exchange with user:

Jul 12 14:12:33 user1 i feel like im being punked
Jul 12 14:12:40 user1 it is based on a dictionary word
Jul 12 14:12:43 user1 it is too short
Jul 12 14:12:49 user1 it does not have enough unique letters
Jul 12 14:12:51 user1 etc
Re: [Freeipa-users] Password requirements too stringent
On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:

JR

I had that line. I commented it out. Thank you.

Now, what do I have to restart?

I believe it should take effect in real time, but you may need to test to be sure. If it is still happening, you may need to double check that some other pam cfg doesn't also have it present:

$ cd /etc/pam.d/ && grep pam_cracklib *

If you have removed it from everything and it is still giving you the same error, then I would try a reboot... perhaps getty needs to reinitialize or something. But I'd try those steps before a reboot! ;)

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

- Original Message -
From: JR Aquino jr.aqu...@citrix.com
To: Tim Hildred thild...@redhat.com
Cc: freeipa-users freeipa-users@redhat.com
Sent: Tuesday, September 18, 2012 12:37:48 PM
Subject: Re: [Freeipa-users] Password requirements too stringent

[...]
Re: [Freeipa-users] hostgroups not working for Sudo commands
On Aug 5, 2012, at 1:54 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:

Hi,

I have set up a sudo command but no matter what I do I cannot get a host-group to work, but I can specify a specific host without issue. I assume this is a problem with the sssd daemon on the RHEL6.3 client?

So what info/logs are needed to fault find this please?

Set

sudoers_debug 2

in your sudo-ldap.conf.

Run the sudo command. You should see it scroll a list of hostgroups etc. If you do not have your domainname set, your sudo commands will fail on the hostgroup because they expect to see the nis domain match.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] self service password reset
On Jul 11, 2012, at 3:23 PM, Dmitri Pal wrote:

On 07/11/2012 06:15 PM, JR Aquino wrote:

Note that this is also a future feature planned for 3.x
https://fedorahosted.org/freeipa/ticket/2276

Slightly different issue. This ticket is about allowing you to change your password when it is expired when one logs into the web UI. It is a more narrow use case than the mentioned utility.

Hrm. While the pwm tool DOES offer a great deal of other really cool looking features, it looks like it was only cited as an example in the BZ, and that the core problem described was self password reset (without ssh/kerb/etc). The corresponding fix also seems to implement only that one feature.

I am interested in the other features that pwm advertises though! Perhaps I will get a free moment to test it out and report back on compatibility.

BZ snippet:

Benjamin Reed ran...@opennms.org 2011-09-30 14:06:31 EDT

Not a bug per se, but an enhancement request. While it's possible for a user to reset their own password, it currently requires being hooked into some level of real account access, like SSH'ing in or providing kerberos credentials. We are using FreeIPA to provide a user-management backend for web-based services we are providing to our customers, and don't want them to have to configure Kerberos, or SSH into an account, just to set their password. It would be nice to have a password reset tool that is accessible securely (like over HTTPS) which doesn't require special credentials other than knowledge of the existing username and password. One such example I'll be evaluating since there is no built-in facility for this is PWM:

(end BZ snippet)

^ That sounds like needing an HTTPS interface to perform self password resets on accounts that are expired :)

The detailed notes in the corresponding FreeIPA ticket seem to be in parallel as well:
https://fedorahosted.org/freeipa/ticket/1907

~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrixonline.com http://www.citrixonline.com

On Jul 11, 2012, at 11:59 AM, KodaK wrote:

Has anyone rolled out a self-service password reset utility for IPA? If so did you use something off the shelf that speaks LDAP or roll your own?

I'm looking at this: http://code.google.com/p/pwm/

But I'm just starting down this path.

Thanks,
--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-users] sudo hostgroup sanity check, please?
On Jul 10, 2012, at 12:28 PM, KodaK wrote:

Further information: I do have:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

Go ahead and remove this line. Previous legacy versions of sssd required it. I believe it just gets in the way now.

You also want to run:

$ domainname

Make sure it comes back with your domain, if not, please set your domainname. (/etc/rc.local is currently the place recommended to set this value)

Netgroups will come back as a tuple like:

(testhost.domain.com, -, domain.com)

Sudo will do the netgroup lookup and wants to see that the hostname matches the hostname of the server, and that the domain also matches.

You can double-check this by doing:

getent netgroup hostgroup-name

It should return a tuple like the one above.

If you are still having difficulty, you can add

sudoers_debug 2

in your /etc/sudo-ldap.conf file then re-run your sudo command. It should show the various tests it performs and the output of the FreeIPA server. It wants to match user, host, and command.

In /etc/sssd/sssd.conf

Is cn=ng,cn=compat correct?

--Jason

On Tue, Jul 10, 2012 at 2:15 PM, KodaK sako...@gmail.com wrote:

I'm running IPA 2.2.0 on RHEL6

Server:
[root@validserver ~]# rpm -qa | grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64

Client:
[root@validhost ~]# rpm -qa | grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64

My sudo-ldap.conf file:

binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
bindpw validpassword
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://validserver ldap://validserver2
sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com

What I'm trying to do: I have a group of users that I'd like to have restart apache on a group of hosts.

What I've done: created a user group, created a group of hosts (in a grouplist.)

I can successfully run sudo in any configuration, *except* when using a host group. When I try I get:

Sorry, user validuser is not allowed to execute '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.

I can edit the same rule, change the host group (that only contains two hosts) and specify the two hosts directly and it works fine.

Can someone else just try this and see if I've hit a bug? I'm certain I couldn't have messed up creating the host group, but I suppose it's possible. I get the same behavior when I try a simple /bin/cat command through sudo, too.

Is there a special config for using host groups? I suspect I may have missed some obvious documentation.

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
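The "hostgroups not working for Sudo commands" reply above and this one make the same point: a sudo rule that targets an IPA host group is resolved through the netgroup FreeIPA derives from that host group, and the client's NIS domain name has to match the domain field of the (host,user,domain) triple or sudo reports host_matches=0. The script below is an added example, not code from the thread, from sudo or from SSSD. It models that check offline against a constructed getent netgroup line; the match rule it implements is the simplified one the thread describes (the host must match, and the triple's domain must equal the client's domainname unless it is empty), not a reimplementation of glibc's innetgr. The netgroup name webservers, the hostnames and the live_diagnose helper, which shells out to getent and domainname on a real client, are assumptions made for the example.

```python
"""Explain why a sudo rule that targets an IPA host group does or does not
match on a client. sudo resolves the host group through the netgroup FreeIPA
generates for it and compares the local host and NIS domain name against the
netgroup's (host,user,domain) triples."""

import re
import socket
import subprocess

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# Constructed sample of `getent netgroup webservers` as the compat tree
# returns it for a host group with two members.
SAMPLE_GETENT = (
    "webservers (validhost1.fqdn.com,-,fqdn.com) (validhost2.fqdn.com,-,fqdn.com)"
)


def parse_netgroup(line):
    """Return [(host, user, domain), ...] from one `getent netgroup` line."""
    return TRIPLE_RE.findall(line)


def host_matches(triples, host, nis_domain):
    """True when a triple names this host and its domain field is empty
    (wildcard) or equal to the client's NIS domain name. A domain field that
    differs from nis_domain does not match, which is the failure the thread
    describes when domainname is unset on the client."""
    for h, _user, d in triples:
        if h.lower() != host.lower():
            continue
        if d == "" or d == nis_domain:
            return True
    return False


def diagnose(getent_line, host, nis_domain):
    """Summarise the outcome in the terms sudoers_debug prints."""
    triples = parse_netgroup(getent_line)
    if not triples:
        return "netgroup is empty or not resolvable: check the compat tree and sssd"
    if nis_domain in ("", "(none)"):
        return "domainname is not set: set it (e.g. in /etc/rc.local) to the domain in the triples"
    if host_matches(triples, host, nis_domain):
        return "host_matches=1: sudo will accept the host group for this client"
    return f"host_matches=0: no triple for {host} with domain {nis_domain} in {getent_line!r}"


def live_diagnose(netgroup):
    """Run the real lookups on an IPA client (assumed helper, not exercised offline)."""
    getent = subprocess.run(["getent", "netgroup", netgroup],
                            capture_output=True, text=True).stdout
    domain = subprocess.run(["domainname"], capture_output=True, text=True).stdout.strip()
    return diagnose(getent, socket.getfqdn(), domain)


if __name__ == "__main__":
    print(diagnose(SAMPLE_GETENT, "validhost1.fqdn.com", "fqdn.com"))
    print(diagnose(SAMPLE_GETENT, "validhost1.fqdn.com", "(none)"))
    print(diagnose(SAMPLE_GETENT, "otherhost.fqdn.com", "fqdn.com"))
```

The second and third calls in the __main__ block reproduce the two ways the thread's host-group rules fail: domainname returning "(none)", and a host whose FQDN is not what the netgroup lists. Fixing the first is a client-side setting; the second means the host group membership or the client's hostname is wrong.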
Re: [Freeipa-users] 389-ds memory usage
On Jun 6, 2012, at 12:30 AM, Sigbjorn Lie sigbj...@nixtra.com wrote:

On Wed, June 6, 2012 00:54, JR Aquino wrote:

On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote:

On 06/06/2012 12:26 AM, JR Aquino wrote:

On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:

On 06/05/2012 11:44 PM, JR Aquino wrote:

On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:

On 06/05/2012 10:42 PM, Steven Jones wrote:

Hi

This bug has pretty much destroyed my IPA deployment... I had a pretty bad memory leak, had to reboot every 36 hours... made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain... 2 months and no fix... boy did that open up a can of worms. :/

In my case I can't see how it's churn as I have so few entries (50) and I'm adding no more items at present... unless a part of ipa is replicating and diffing in the background to check consistency? I also have only one way replication now at most, master to replica, and no memory leak shows in Munin at present. But I seem to be faced with a rebuild from scratch...

Did you do the max entry cache size tuning? If you did, what did you set it to? Did you do any other tuning from the 389-ds tuning guide?

Rgds,
Siggi

When I had similar problems using Fedora (Not Redhat or CentOS) my underlying issues were:

managed entries firing off any time an object was updated (every time someone successfully authenticates, kerberos updates the user object, which in turn would touch the mepmanaged entry for the user's private group)

Similar things happened when hostgroups were modified...

This was further complicated by inefficiencies in the way that slapi-nis was processing the compat pieces for the sudo rules and the netgroups (which are automatically created from every hostgroup)

Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk...

After getting those issues resolved, I tuned the max entry cache size. But it took all the fixes to finally resolve the memory creep problem.

It is not at all clear to me whether or not the bug fixes for my problem have made it up into Redhat / CentOS though... The slapi-nis versions definitely don't line up between fedora and redhat/centos... Perhaps Nalin or Rich can speak to some of that.

The bug itself was easiest to replicate with _big_ changes like deleting a group that had a great number of members for example, but the symptoms were similar for me for day to day operation, resulting in consumption that never freed.

https://bugzilla.redhat.com/show_bug.cgi?id=771493

Are either of you currently utilizing sudo?

I read your bug report a while back, and made sure that slapi-nis was disabled. I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio sits at 97-99% ?

I understand you have a fairly large deployment, what cache size are you using? Are you using Fedora or Red Hat / CentOS as your production environment?

I do not use sudo with IPA yet, I am planning for doing that later. Are there any issues I should be aware of with sudo integration?

Rich/Nalin, was there a bug in managed entries that's been fixed in the current 389-ds versions available in Red Hat / CentOS 6?

Regards,
Siggi

Ya it is true that I do have a large environment, but some of the hurdles that I had to jump appeared to be ones that weren't related so much to the number of hosts I had, but rather their amount of activity. I.e. automated single-sign on scripts, people authenticating, general binds taking place all over...

I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA 2.2

My measurements... ;)

dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: monitor
database: ldbm database
readonly: 0
entrycachehits: 904077
entrycachetries: 923802
entrycachehitratio: 97
currententrycachesize: 79607895
maxentrycachesize: 104857600
currententrycachecount: 10301
maxentrycachecount: -1
dncachehits: 3
dncachetries: 10302
dncachehitratio: 0
currentdncachesize: 1861653
maxdncachesize: 10485760
currentdncachecount: 10301
maxdncachecount: -1

Ok, we have a fair amount of logons happening too with Nagios running lots of ssh connections to the hosts, as well as normal users. Can't really disable that. :)

I see your cache size is 100MB, that's less than half of mine. I increased my cache quite a bit as I was advised by Rich about a bug that's not been fixed in the RHEL 6.2 version of 389-ds related to when entries in cache are being removed to make room for new cache entries. I was hoping that issue would go away with a large cache size.

Right, I was advised over the same. Though it sounds like you're not hitting your limit and are still seeing the memory creep
Re: [Freeipa-users] FreeIPA webserver cert expired.
On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:

A couple days ago my (apache) certificates expired. Users are able to kinit but tools such as sudo fail because of the expired certificates. Lots of reading/Google'ing later I found this script (steps) to renew these certs:

I'm just curious, but, isn't certmonger supposed to automatically renew these? Is certmonger failing in this case?
Re: [Freeipa-users] 389-ds memory usage
On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:

On 06/05/2012 10:42 PM, Steven Jones wrote:

Hi

This bug has pretty much destroyed my IPA deployment... I had a pretty bad memory leak, had to reboot every 36 hours... made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain... 2 months and no fix... boy did that open up a can of worms. :/

In my case I can't see how it's churn as I have so few entries (50) and I'm adding no more items at present... unless a part of ipa is replicating and diffing in the background to check consistency? I also have only one way replication now at most, master to replica, and no memory leak shows in Munin at present. But I seem to be faced with a rebuild from scratch...

Did you do the max entry cache size tuning? If you did, what did you set it to? Did you do any other tuning from the 389-ds tuning guide?

Rgds,
Siggi

When I had similar problems using Fedora (Not Redhat or CentOS) my underlying issues were:

managed entries firing off any time an object was updated (every time someone successfully authenticates, kerberos updates the user object, which in turn would touch the mepmanaged entry for the user's private group)

Similar things happened when hostgroups were modified...

This was further complicated by inefficiencies in the way that slapi-nis was processing the compat pieces for the sudo rules and the netgroups (which are automatically created from every hostgroup)

Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk...

After getting those issues resolved, I tuned the max entry cache size. But it took all the fixes to finally resolve the memory creep problem.

It is not at all clear to me whether or not the bug fixes for my problem have made it up into Redhat / CentOS though... The slapi-nis versions definitely don't line up between fedora and redhat/centos... Perhaps Nalin or Rich can speak to some of that.

The bug itself was easiest to replicate with _big_ changes like deleting a group that had a great number of members for example, but the symptoms were similar for me for day to day operation, resulting in consumption that never freed.

https://bugzilla.redhat.com/show_bug.cgi?id=771493

Are either of you currently utilizing sudo?
Re: [Freeipa-users] 389-ds memory usage
On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:

On 06/05/2012 11:44 PM, JR Aquino wrote:

On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:

On 06/05/2012 10:42 PM, Steven Jones wrote:

[...]

I read your bug report a while back, and made sure that slapi-nis was disabled. I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio sits at 97-99% ?

I understand you have a fairly large deployment, what cache size are you using? Are you using Fedora or Red Hat / CentOS as your production environment?

I do not use sudo with IPA yet, I am planning for doing that later. Are there any issues I should be aware of with sudo integration?

Rich/Nalin, was there a bug in managed entries that's been fixed in the current 389-ds versions available in Red Hat / CentOS 6?

Regards,
Siggi

Ya it is true that I do have a large environment, but some of the hurdles that I had to jump appeared to be ones that weren't related so much to the number of hosts I had, but rather their amount of activity. I.e. automated single-sign on scripts, people authenticating, general binds taking place all over...

I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA 2.2

My measurements... ;)

dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: monitor
database: ldbm database
readonly: 0
entrycachehits: 904077
entrycachetries: 923802
entrycachehitratio: 97
currententrycachesize: 79607895
maxentrycachesize: 104857600
currententrycachecount: 10301
maxentrycachecount: -1
dncachehits: 3
dncachetries: 10302
dncachehitratio: 0
currentdncachesize: 1861653
maxdncachesize: 10485760
currentdncachecount: 10301
maxdncachecount: -1
Re: [Freeipa-users] 389-ds memory usage
On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote:

On 06/06/2012 12:26 AM, JR Aquino wrote:

On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:

On 06/05/2012 11:44 PM, JR Aquino wrote:

On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:

On 06/05/2012 10:42 PM, Steven Jones wrote:

[...]

Ok, we have a fair amount of logons happening too with Nagios running lots of ssh connections to the hosts, as well as normal users. Can't really disable that. :)

I see your cache size is 100MB, that's less than half of mine. I increased my cache quite a bit as I was advised by Rich about a bug that's not been fixed in the RHEL 6.2 version of 389-ds related to when entries in cache are being removed to make room for new cache entries. I was hoping that issue would go away with a large cache size.

Right, I was advised over the same. Though it sounds like you're not hitting your limit and are still seeing the memory creep... This makes me question the other factors. Nagios checking everything (probably every 5 mins?) might be a good source of activity... Though I wonder how best to visualize
Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
On May 16, 2012, at 12:23 PM, David Copperfield wrote:

Hi all, I accidentally removed one of my IPA replica hosts on the IPA web UI by mistake. On the host list I planned to remove ipaclient02.example.com, but accidentally the mouse moved to ipareplica02.example.com and the latter got removed without a prompt. I realized the mistake and tried to recover from this disaster, but it was already too late: the change propagated to all the replicas and the poor ipareplica02 now stops functioning.

[root@ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
[root@ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
[root@ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
[root@ipareplica02 slapd-EXAMPLE-COM]#

On the IPA master, it was found that ipareplica02 didn't show up in the 'host-find' list or 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with an LDAP couldn't-reach error. What should I do now? Are there any other ways to recover besides uninstall and reinstall of IPA replica ipareplica02? BTW, it will be more than appreciated if the web UI could pop up a warning prompt when removing host/service entries associated with IPA masters and IPA replicas.

Been there... Done that... The bug is fixed in 2.2... It will prompt and prevent you from deleting a replica host if there is an agreement.

To clean up...

0. On the master replica: ipa-replica-manage del ipareplica02.example.com --force
   - This will delete the replica agreement for the host.

1. $ ldapsearch -xLLL -D cn=directory manager -W -b dc=example,dc=com \ '((nsuniqueid=---)(objectclass=nstombstone))'
   Look for your nsds50ruv that matches your ghost replica.

2. Create an ldif following the directions here: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
   Something like:
   $ cat cleanup.ldif
   dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
   changetype: modify
   replace: nsds5task
   nsds5task: CLEANRUV##
   - ## == The ReplicaID number for the ghost replica.

3. Run on all of the remaining replicas: ldapmodify -x -D cn=directory manager -W -f fixed.ldif
   - This removes the ghost entry.

4. On the broken replica: ipa-server-install --uninstall

5. Follow the normal directions for 'installing a replica':
   - on master: ipa-replica-prepare ipareplica02.example.com
   - scp /path/to/ipareplica02.example.com.gpg ipareplica02.example.com: ipareplica02.example.com.gpg
   - on replica: ipa-replica-install ipareplica02.example.com --whatever_options_you_used_previously

6. Check to make sure the server was built correctly and commands work as expected: kinit admin, ipa user-find, ipa host-find, id admin, etc etc

7. Sigh and drink coffee

Thanks. --David

From: Rich Megginson rmegg...@redhat.com
To: Ben Ho ben1...@hotmail.com
Cc: freeipa-users@redhat.com
Sent: Tuesday, May 15, 2012 5:33 PM
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 02:49 PM, Ben Ho wrote:

This is the information I retrieved about my server.
ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64
Thanks again.

Is replication otherwise working?

-Ben

Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello, I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command: ipa-replica-manage re-initialize --from example2.edu

On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Warning: unable to replicate schema: rc=1

Again, I am pretty new to this, so any help or tips would be
Re: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
Try: ipactl stop, then ipactl start

Doesn't look like dirsrv is running on 389 and 636.

~ Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrixonline.com http://www.citrixonline.com

On May 16, 2012, at 2:54 PM, David Copperfield wrote:

Sorry to declare success too quick. :( In fact, it is worse now; the IPA master fails after performing the above steps including the RUV cleaning. I've only one working replica and I'm afraid to do anything on it. On the IPA master, after I ran 'service ipa restart' it reported OK, but 'ipa user-find' failed. So I cleared my Kerberos TGT ticket, ran 'kinit admin' to try my luck, and the IPA master failed with the following message; it showed that the 389 port listener disappeared for unknown reasons.

[root@ipamaster slapd-EXAMPLE-COM]# kinit admin
kinit: Generic error (see e-text) while getting initial credentials
[root@ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i LISTEN | grep ns
tcp0 0 :::7389 :::* LISTEN 6550/ns-slapd
tcp0 0 :::7390 :::* LISTEN 6550/ns-slapd
[root@ipamaster slapd-EXAMPLE-COM]#

The error logs are pasted here too.

[16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[16/May/2012:14:41:43 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:14:41:43 -0700] - Listening on All Interfaces port 636 for LDAPS requests
[16/May/2012:14:41:43 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[16/May/2012:14:41:43 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:14:41:43 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:14:41:46 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth resumed

Thanks. --David

From: David Copperfield cao2...@yahoo.com
To: JR Aquino jr.aqu...@citrix.com
Cc: freeipa-users@redhat.com
Sent: Wednesday, May 16, 2012 1:23 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

Hi JR, Thanks a lot! It works perfectly. The only extra thing probably goes with 2.1.3 only: I need to find and clear ghost RUV records for the CA database, and remove it from the master and all other live replicas as well. BTW, on 2.2.0 are the two database backends still separate, or merged into one? Thanks. --David
Re: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
Whew, glad to hear you got through it! The 389 DS crew is working on making the cleanruv into an internal automated process. I empathize completely. The GSSAPI errors are generally benign. They come up because ldap starts before the KDC.

Keeping your head in the cloud
~ Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu...@citrix.com http://www.citrixonline.com

On May 16, 2012, at 4:29 PM, David Copperfield cao2...@yahoo.com wrote:

Could that be because of removing ghost entries in the CA database? Another possible place could be the deleting/clearing option itself. One annoying thing that I've found is: I cleared the RUV records from the IPA servers one by one, then I restarted the IPA services on the servers one by one again, and ldapsearch showed that the RUV ghost entries popped up again. :( I had to kill it again and again across the IPA server farms, then restart the IPA servers one by one, check again, until the ghost RUV entries disappeared from all and didn't come back -- It is very, VERY exhausting and annoying. After that I still needed to stop the IPA replica first, then restart the IPA master, and until now it worked -- ipa commands and kinit worked. At last I brought up the valid replica and it worked this time as well. Now it was time to reinstall the failed IPA replica, and it was installed and up and running well. After that I tested with 'ipa user-add', 'ipa-user-delete' and found that the replication did work across the IPA master and IPA replicas.

I tested the last time and found the following messages in the error log file on the IPA master; it may be harmless but I am not sure:

[16/May/2012:16:18:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[16/May/2012:16:18:36 -0700] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=jigsaw,dc=com
[16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[16/May/2012:16:18:36 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[16/May/2012:16:18:36 -0700] - Listening on All Interfaces port 636 for LDAPS requests
[16/May/2012:16:18:36 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica02.example.com (ipareplica02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica02.example.com (ipareplica02:389): Replication bind with GSSAPI auth resumed
[16/May/2012:16:18:39 -0700
Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
I have successfully utilized a similar procedure. The restoration process is the same for both though. I would be willing to accept the tickets and document the various backup and recovery methods. Though, I'd like Dmitri's feedback on whether or not the team approves of making the official method of recovery from catastrophic failure be the use of frozen VM images.

Keeping your head in the cloud
~ Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu...@citrix.com http://www.citrixonline.com

On May 15, 2012, at 2:16 AM, Petr Spacek pspa...@redhat.com wrote:

Hello, IMHO it *must* be documented very well. Thanks for the scenario proposal! There is a new documentation ticket: https://fedorahosted.org/freeipa/ticket/2758
Another ticket exists for the CA master recovery procedure: https://fedorahosted.org/freeipa/ticket/2749

Petr^2 Spacek

On 05/15/2012 01:19 AM, Gelen James wrote:

Hi Dimitri, thanks a lot for your offer. It will be more than appreciated if Rob, or some other talented genius, could wiki the steps. The more details, the sooner, and the better. It will help IPA projects and its users dramatically, especially for newbies like me. :) Thanks again to you, Rob and others for the coming documentation work. --Gelen.

*From:* Dmitri Pal d...@redhat.com
*To:* Robinson Tiemuqinke hahaha_...@yahoo.com
*Cc:* Freeipa-users@redhat.com; Rich Megginson rmegg...@redhat.com
*Sent:* Monday, May 14, 2012 1:20 PM
*Subject:* Re: Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote:

Hi Dmitri, Rich and all, I am a newbie to Red Hat IPA. It looks pretty cool compared with other solutions I've tried before. Thanks a lot for this great product! :) But there are still some things I need your help with.

My main question is: How to restore the IPA setup with a daily machine-level IPA Replica backup? Please let me explain my IPA setup background and the backup/restore goals I am trying to reach: I'm running IPA 2.1.3 on Red Hat Enterprise 6.2. The IPA master is set up with the Dogtag CA system. It is installed first. Then two IPA replicas are installed -- with '--setup-ca' options -- for load balancing and failover purposes.

To describe my problems/objectives, I'll name the IPA Master as machine A, the IPA replicas as B and C, and now I've one more extra IPA replica 'D' (virtual machine) set up ONLY for backup purposes. The setup looks like the following; A is the configuration Hub. B, C, D are siblings.

    A
  / | \
 B  C  D

The following are the steps I use to back up the IPA setup and LDAP backends daily -- it is a whole machine-level backup (through virtual machine D).

1, First, IPA replica D is backed up daily. The backup happens like this:
1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h D'. On the Hypervisor which holds virtual machine D, do a daily backup of the whole virtual disk that D is on.
1.2 turn on the IPA replica D again.
1.3 after virtual machine D is up, on D optionally run 'ipa-replica-manage --force-sync --from A' to sync the IPA databases forcibly.

Now comes the restore part, which is pretty confusing to me. I've tried several times, and every time it comes to this or that kind of issue, and so I am wondering whether correct steps/interaction of IPA Master/replicas are the king :(

2, case #1, A is broken, like disc failure, and then re-imaged after several days.
2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the daily backup from IPA replica D?
2.2 do I have to check some files on A into subversion immediately after A was initially installed?
2.3 Please describe the steps. I'll follow exactly and report the results.

3, case #2, A is working, but either B, or C is broken.
3.1 It looks like I don't need the daily backup of D to kick in, is that right?
3.2 What are the correct steps on A; and on B after it is re-imaged?
3.3 Please describe the steps. I'll follow exactly and report the results.

4, case #3, If some unexpected IPA changes happen on A -- like all users are deleted by human mistake --, and even worse, all the changes are propagated to B and C in minutes.
4.1 How can I recover the IPA setup from the daily backup from D?
4.2 which IPA master/replicas should I recover first? IPA master A, or IPA replicas B/C? And then how to recover the others left, one by one?
4.3 Do I have to disconnect the replication agreements of B, C, D from A first?
4.4 Please describe the steps. I'll follow exactly and report the results.

I've heard something about tombstone records too. Not sure whether the problem still exists in 2.1.3, or 2.2.0 (on 6.3 Beta)? If so, How can I
Re: [Freeipa-users] FreeIPA and others
On May 14, 2012, at 9:50 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:

8- Mileage may vary. I for one have found no suitable scalable substitute for FreeIPA. 8--

Sure, but it depends on capability and experience. I for one am struggling. While significantly easier than, say, 389 (which I gave up on), it's still a huge step up...

I agree that it doesn't solve /all/ problems (yet) ;) However, I have looked for a very, very long time to find a scalable LDAP implementation with integrated Kerberos and RBAC/HBAC. I've had numerous personal discussions with the creators/maintainers of openldap, pam_ldap, sudo, and some of the MIT-Kerb folk along my way. Because no one else had solved those problems, I was actually in the middle of writing my own solution when I stumbled onto FreeIPA...

For example, pam_ldap expect(s/ed) that every user object contain an attribute entry for every single host they are allowed to log into. Doesn't quite scale when you have to manage complex mixtures of thousands of users to thousands of hosts...

What do you feel is the biggest struggle? Is it the base core features, or is it external integration pains for features that don't exist yet?

Keeping your head in the cloud
~ Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu...@citrixonline.com http://www.citrixonline.com

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] dead in the water IPA server
On May 13, 2012, at 2:39 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:

Hi, I have what I'm told are 6.3 rpms on ipa2, and no, it's not fixed; the memory leak kills a server in 48 hours. I also find I have a problem with rebooting: IPA doesn't survive a reboot, so I can't even cron a reboot nightly. Right now both are in a bad way and I need to reboot them.. :( The interesting thing is I have a test setup that is stable, yet has the same rpms... so I'm flummoxed. Maybe it's something I've done, but I can't think what... it's bog standard as far as I know.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

When I was having similar problems, it turned out to be due to a few different factors...

* my cache was too low, was being exceeded and triggering a leak in 389
* I discovered a bug in managed entries that caused the plugin to fire if _any_ change occurred to a managed object, as opposed to firing only when relevant attributes changed.
* I also had a great deal of churning happening from slapi-nis in competition with the MemberOf plugin...

Here is my bug; it was fixed in Fedora, but perhaps it is still a problem in RHEL: https://bugzilla.redhat.com/show_bug.cgi?format=multipleid=771493

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Saturday, 12 May 2012 9:29 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] dead in the water IPA server

On 05/07/2012 05:05 PM, Rich Megginson wrote:
On 05/07/2012 02:55 PM, Steven Jones wrote:

Hi, Yes, I have a memory leak, see attached graphs. Yes, looks like the killer killed slapd... don't know what caused this yet... if it's the killer, looks like it's decided to kill slapd, or slapd was going to kill the system anyway, so it may have done the right thing. Looks like I have 3 days between reboots; if I don't, IPA loses the plot big time... very bad news.. I will, I think, slow IPA deployment here at this time... this can't be deployed for us as it is. I can't even test, as if something doesn't work I don't know if it's my configuring error or an inconsistent IPA. :/ Thanks for this info. I will pursue this through RH support for a perm fix; adding more memory doesn't strike me as the solution, 4gb of ram for 3~4 users and about 6 client machines seems a lot.

Right. See https://fedorahosted.org/389/ticket/51 and especially all of the comments to https://bugzilla.redhat.com/show_bug.cgi?id=697701 You will need to closely monitor your entry cache usage.

As far as I see the ticket is fixed upstream and is in testing for 6.3. Is this the correct understanding?

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Monday, 7 May 2012 9:45 p.m.
To: Steven Jones
Cc: Jan Cholasta; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] dead in the water IPA server

This sounds very much the same as the issue I've been having. Did you check to see if it was the directory server that consumed all of your memory too? https://www.redhat.com/archives/freeipa-users/2012-April/msg00139.html

Regards, Siggi

On Mon, May 7, 2012 11:32, Jan Cholasta wrote:

Hi, It seems that your system ate all the available memory and the kernel decided to kill a directory server instance to free some. The kernel agent responsible for this is called the out-of-memory killer; you can read more about it and how to configure it not to kill important processes here: http://lwn.net/Articles/317814/

On 7.5.2012 02:22, Steven Jones wrote:

Interesting memory message... as attached. I take it it isn't good? Can't login, that is for sure, so whatever is behind the web gui is dead if nothing else...

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

-- Jan Cholasta

-- Thank you, Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-users] FreeIPA and others
On May 13, 2012, at 2:23 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:

Hi, From a user perspective such as myself, if it's mission critical and a complex need today, then you need to also look at more mature solutions.

Mileage may vary. I for one have found no suitable scalable substitute for FreeIPA. I currently run over 21 (soon to be 42) Production FreeIPA servers. These are globally dispersed in every major continent. They support over 5,000 servers (mostly RHEL with some Fedora and Ubuntu mixed in), 1,000 networking devices (Cisco and Juniper) and around 2,000 users. I heavily utilize centralized authentication, SSO, hbac, sudo, and automember (with sometimes as many as 100 new hosts a week being built and automatically assigned to their respective hostgroups). My use case tends to be the most complex that I've heard of. The important bugs that I find and report have patches sometimes within a few days.

My advice is to stage thoroughly so you know what you need to have in order to run effectively in production. There is no real end-all be-all for all things relating to authentication. I suggest that if you find an important delta, don't give up; experiment with integrating whatever protocol you need. Document the success or the challenges for others to benefit or contribute.

-JR

These however will cost you a lot of time and money to deploy. We have been there and the costs are obscene and the support worryingly poor in AP. Since you have only mentioned 389 and OpenLDAP as options, I suspect IPA will suit you; it's the best of the three, so take a look.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Chandan Kumar [chandank.ku...@gmail.com]
Sent: Saturday, 12 May 2012 6:18 a.m.
To: Freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA and others

Hi All, I was considering different centralized authentication/authorization services such as FreeIPA, 389 and OpenLDAP to deploy into our network in order to have a good centralized user authentication/authorization mechanism. I was wondering what are the key things that FreeIPA provides as compared to other directory services in terms of extra features, ease of deployment and use, etc.

Thanks
Chandan
Re: [Freeipa-users] Replication status
I have been considering looking into using this: http://cnmonitor.sourceforge.net/

~ Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrixonline.com http://www.citrixonline.com

On May 2, 2012, at 2:46 PM, Ian Levesque wrote:

Hi, I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending/resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?

Cheers, Ian
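Two questions in this archive ask for the same thing from the monitoring side: the cache-sizing thread above compares cn=monitor numbers by hand, and Ian asks how a Nagios check could tell whether a replica is actually replicating. The following is an added example, not code from the list or from the FreeIPA or 389-ds projects: it parses an ldapsearch LDIF dump, computes the entry cache hit ratio and fill from the cn=monitor entry (numbers copied from the thread above), and checks replication agreement entries for a non-zero last-update status or a stale last update. The agreement entry, the 15-minute staleness limit, the 95% hit and 90% fill thresholds, and the assumption that the status string starts with either "0 ..." or "Error (0) ..." are all choices made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample ldapsearch output: the cn=monitor entry quoted in the
# cache thread (numbers copied from the page) plus one replication agreement
# entry whose values are made up for this example.
SAMPLE_LDIF = r"""dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: monitor
database: ldbm database
readonly: 0
entrycachehits: 904077
entrycachetries: 923802
entrycachehitratio: 97
currententrycachesize: 79607895
maxentrycachesize: 104857600
currententrycachecount: 10301
maxentrycachecount: -1
dncachehits: 3
dncachetries: 10302
dncachehitratio: 0
currentdncachesize: 1861653
maxdncachesize: 10485760
currentdncachecount: 10301
maxdncachecount: -1

dn: cn=meToipareplica01.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: meToipareplica01.example.com
nsds5replicaHost: ipareplica01.example.com
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastUpdateEnd: 20120516214143Z
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
"""

# The moment the constructed sample was "taken", and a later moment for comparison.
NOW = datetime(2012, 5, 16, 21, 50, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=1)


def parse_ldif(text):
    """Split LDIF text into a list of entries, each {attr_lowercase: [values]}.
    Joins wrapped lines (continuation lines start with one space) and separates
    entries on blank lines. Values keep everything after the first colon."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return entries


def cache_report(monitor, hit_warn=0.95, fill_warn=0.90):
    """Hit ratios and entry cache fill from a cn=monitor entry. Thresholds are
    assumptions for this example: warn when the hit ratio drops below hit_warn or
    the entry cache is more than fill_warn full (the thread's advice is to keep
    the cache from being exceeded)."""
    def num(attr):
        return int(monitor[attr][0])

    entry_hit = num("entrycachehits") / max(num("entrycachetries"), 1)
    dn_hit = num("dncachehits") / max(num("dncachetries"), 1)
    fill = num("currententrycachesize") / num("maxentrycachesize")
    warnings = []
    if entry_hit < hit_warn:
        warnings.append("entry cache hit ratio %.2f below %.2f" % (entry_hit, hit_warn))
    if fill > fill_warn:
        warnings.append("entry cache %.0f%% full of %d bytes" % (fill * 100, num("maxentrycachesize")))
    return {"entry_hit_ratio": entry_hit, "dn_hit_ratio": dn_hit,
            "entry_fill": fill, "warnings": warnings}


# Accepts both the bare "0 ..." and the newer "Error (0) ..." status prefixes (assumption).
STATUS_CODE = re.compile(r"^(?:Error \()?(-?\d+)\)?")


def replication_report(agreements, now, max_age=timedelta(minutes=15)):
    """Problem strings for replication agreement entries: a non-zero last-update
    status code, no completed update at all, or a last update older than max_age."""
    problems = []
    for agmt in agreements:
        host = agmt.get("nsds5replicahost", ["?"])[0]
        status = agmt.get("nsds5replicalastupdatestatus", [""])[0]
        m = STATUS_CODE.match(status)
        if not m or m.group(1) != "0":
            problems.append("%s: status %r" % (host, status))
        end = agmt.get("nsds5replicalastupdateend", ["0"])[0]
        if end in ("", "0"):
            problems.append("%s: no update has ever completed" % host)
            continue
        ended = datetime.strptime(end, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if now - ended > max_age:
            problems.append("%s: last update ended %s, older than %s" % (host, ended.isoformat(), max_age))
    return problems


def check(ldif_text, now):
    """Run both checks over one LDIF dump; returns (cache_report, replication_problems)."""
    entries = parse_ldif(ldif_text)
    monitor = next(e for e in entries if e.get("cn", [""])[0].lower() == "monitor")
    agreements = [e for e in entries
                  if "nsds5replicationagreement" in [v.lower() for v in e.get("objectclass", [])]]
    return cache_report(monitor), replication_report(agreements, now)


if __name__ == "__main__":
    report, problems = check(SAMPLE_LDIF, NOW)
    print(report)
    print(problems or "replication OK")
```

To feed it live data, concatenate the output of an ldapsearch against the cn=monitor DN shown above and one against cn=config with the filter (objectClass=nsds5replicationagreement). Both bases need read access; for a monitoring account, grant that with an ACI rather than binding as cn=directory manager from the check, and keep the account's keytab readable only by the monitoring user, as the keytab-driven cron approach elsewhere in this archive does.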
Re: [Freeipa-users] Replication status
Also see: http://directory.fedoraproject.org/wiki/Howto:CN%3DMonitor_LDAP_Monitoring ;)

On May 3, 2012, at 9:26 AM, JR Aquino wrote:

I have been considering looking into using this: http://cnmonitor.sourceforge.net/

~ Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrixonline.com http://www.citrixonline.com

On May 2, 2012, at 2:46 PM, Ian Levesque wrote:

Hi, I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending/resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?

Cheers, Ian
Re: [Freeipa-users] compat plug-in and replication
On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:

I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those supporting NIS, or does it serve another purpose? As I don't use NIS, I'm just wondering if it's safe to turn off.

To complement what Rob mentioned... Compat is also generally necessary for any user who wishes to utilize Sudo with FreeIPA. Sudo does not natively understand what a 'hostgroup' is, so it can only utilize NIS netgroups for this. Care was taken when designing the FreeIPA hostgroup and NIS compatibility system such that any hostgroup that is created has a mirrored (and semi-hidden) NIS netgroup created. This way, when you build Sudo rules and reference 'hostgroups', transparently, it is really referencing NIS netgroups stored inside of LDAP and provided by the compat / NIS plugins.

Hope this helps clear some stuff up about why one would want compat and NIS turned on in FreeIPA.

~ Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrixonline.com http://www.citrixonline.com
Re: [Freeipa-users] compat plug-in and replication
On Mar 16, 2012, at 1:06 PM, Stephen Ingram wrote:

On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino jr.aqu...@citrix.com wrote:

On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:

I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those supporting NIS or does it serve another purpose? As I don't use NIS, I'm just wondering if it's safe to turn off.

To complement what Rob mentioned... Compat is also generally necessary for any user who wishes to utilize Sudo with FreeIPA. Sudo does not natively understand what a 'hostgroup' is, so it can only utilize NIS netgroups for this. Care was taken when designing the FreeIPA hostgroup and NIS compatibility system such that any hostgroup that is created has a mirrored (and semi-hidden) NIS netgroup created. This way, when you build Sudo rules and reference 'hostgroups', transparently, it is really referencing NIS netgroups stored inside of LDAP and provided by the compat / NIS plugins.

Hope this helps clear some stuff up about why one would want compat and NIS turned on in FreeIPA.

Glad you mentioned this. I would have turned it off just to save space, but I do need sudo. This makes more sense as to why it's enabled by default. Very clever design too to hide the complexity from the user.

Glad to know the info helps! We did such a good job at keeping that stuff in the background that it sometimes gets overlooked :)

To be completely fair... The SSSD team is actively working toward the goal of eventually supporting FreeIPA natively via the Sudo plugin system. In the future it will not be necessary to use compat or NIS for Sudo.

-JR
Re: [Freeipa-users] A way to rename a host and/or a host group?
On Feb 22, 2012, at 1:24 PM, Marco Pizzoli wrote:

Hi guys,

I see that there's no way to rename a host once created. Same issue with host groups. Could you confirm that it is by design and so I never will be able to do that?

Thanks
Marco (wanting to rename everything :-( )

Hi Marco.

Yes, you do need to fully delete and uninstall a host from FreeIPA before re-adding it with a new name.
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/renaming-machines.html

What may make this easier for you is a feature in 389 DS called Automember:
http://directory.fedoraproject.org/wiki/Auto_Membership_Design

Automember is a way to use regular expressions to tie a given fqdn type to a given hostgroup, so that when you 'add' a host with a similar name, say webserver2.example.com, the host automatically ends up in the 'webservers' host group. If you wish for a bunch of hosts to be renamed/re-provisioned, and automatically assigned to a new hostgroup, you can predefine the regex mapping and make this process a little easier.

FreeIPA provides a CLI (and in 2.1.90, a WebUI) for managing these entries. Here is the help doc from the cli tool:

Auto Membership Rule.

Bring clarity to the membership of hosts and users by configuring inclusive or exclusive regex patterns; you can automatically assign new entries into a group or hostgroup based upon attribute information. A rule is directly associated with a group by name, so you cannot create a rule without an accompanying group or hostgroup.

A condition is a regular expression used by 389-ds to match a new incoming entry with an automember rule. If it matches an inclusive rule then the entry is added to the appropriate group or hostgroup.

EXAMPLES:

Create the initial group or hostgroup:
    ipa hostgroup-add --desc="Web Servers" webservers
    ipa group-add --desc="Developers" devel

Create the initial rule:
    ipa automember-add --type=hostgroup webservers
    ipa automember-add --type=group devel

Add a condition to the rule:
    ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
    ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel

Add an exclusive condition to the rule to prevent auto assignment:
    ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers

Add a host:
    ipa host-add web1.example.com

Add a user:
    ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott

Verify automembership:
    ipa hostgroup-show webservers
      Host-group: webservers
      Description: Web Servers
      Member hosts: web1.example.com

    ipa group-show devel
      Group name: devel
      Description: Developers
      GID: 100420
      Member users: tuser

Remove a condition from the rule:
    ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers

Modify the automember rule:
    ipa automember-mod

Set the default target group:
    ipa automember-default-group-set --default-group=webservers --type=hostgroup
    ipa automember-default-group-set --default-group=ipausers --type=group

Remove the default target group:
    ipa automember-default-group-remove --type=hostgroup
    ipa automember-default-group-remove --type=group

Show the default target group:
    ipa automember-default-group-show --type=hostgroup
    ipa automember-default-group-show --type=group

Find all of the automember rules:
    ipa automember-find

Display an automember rule:
    ipa automember-show --type=hostgroup webservers
    ipa automember-show --type=group devel

Delete an automember rule:
    ipa automember-del --type=hostgroup webservers
    ipa automember-del --type=group devel

Topic commands:
    automember-add                    Add an automember rule.
    automember-add-condition          Add conditions to an automember rule.
    automember-default-group-remove   Remove default group for all unmatched entries.
    automember-default-group-set      Set default group for all unmatched entries.
    automember-default-group-show     Display information about the default automember groups.
    automember-del                    Delete an automember rule.
    automember-find                   Search for automember rules.
    automember-mod                    Modify an automember rule.
    automember-remove-condition       Remove conditions from an automember rule.
    automember-show                   Display information about an automember rule.
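As an added illustration of the evaluation the help text describes (example code, not 389 DS's or FreeIPA's): each condition's regex is searched against the values of the keyed attribute, an inclusive match opts the entry into the rule's group, an exclusive match vetoes that rule, and an entry matching no rule goes to the type's default group if one is set. The rules are the ones from the help text; the entries are constructed, and the fall-through of vetoed entries to the default group is assumed from 389's documented "unmatched entries" semantics.

```python
"""Model of 389 DS automember rule evaluation (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One automember rule: a target group plus conditions keyed by attribute,
    as created with 'ipa automember-add-condition --key=... --inclusive-regex=...'."""
    group: str
    inclusive: list = field(default_factory=list)   # [(key, regex), ...]
    exclusive: list = field(default_factory=list)


def condition_hits(conditions, entry):
    """True if any (key, regex) pair matches some value of that attribute.
    The regex is applied to the attribute's value only, so the key names the
    attribute (fqdn, manager, ...) and the regex must not repeat 'key='."""
    return any(re.search(regex, value)
               for key, regex in conditions
               for value in entry.get(key, []))


def rule_matches(rule, entry):
    """Inclusive conditions opt an entry in; any exclusive match vetoes the rule."""
    return condition_hits(rule.inclusive, entry) and not condition_hits(rule.exclusive, entry)


def assign_groups(rules, default_group, entry):
    """Groups a newly added entry lands in: every rule it matches, otherwise the
    default group for that type if one is set. An entry vetoed by an exclusive
    condition has matched nothing, so (assumed 389 behaviour) it still falls
    through to the default group; keep that in mind when the default group is
    the same group the exclusive condition was meant to keep it out of."""
    matched = [rule.group for rule in rules if rule_matches(rule, entry)]
    if matched:
        return matched
    return [default_group] if default_group else []


# Rules taken from the help text above.
HOSTGROUP_RULES = [
    Rule("webservers",
         inclusive=[("fqdn", r"^web[1-9]+\.example\.com")],
         exclusive=[("fqdn", r"^web5\.example\.com")]),
]
# '^uid=mscott' is a prefix search: it would also match uid=mscott2; anchor
# on the following comma if that matters.
GROUP_RULES = [Rule("devel", inclusive=[("manager", r"^uid=mscott")])]

# Constructed entries. FreeIPA stores 'manager' as a DN, which is why the
# help text's regex is anchored on 'uid=mscott' rather than a bare name.
WEB1 = {"fqdn": ["web1.example.com"]}
WEB5 = {"fqdn": ["web5.example.com"]}
DB1 = {"fqdn": ["db1.example.com"]}
TUSER = {"uid": ["tuser"], "manager": ["uid=mscott,cn=users,cn=accounts,dc=example,dc=com"]}
NOMGR = {"uid": ["nomgr"]}

if __name__ == "__main__":
    for name, entry in [("web1", WEB1), ("web5", WEB5), ("db1", DB1)]:
        print(name, "->", assign_groups(HOSTGROUP_RULES, "webservers", entry))
    for name, entry in [("tuser", TUSER), ("nomgr", NOMGR)]:
        print(name, "->", assign_groups(GROUP_RULES, "ipausers", entry))
```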
Re: [Freeipa-users] ipa-getkeytab during %post
If you are really trying to go the route of using the password, the best way to accomplish that is to procedurally ADD the host ahead of time with the --random flag to generate a one-time password. Then insert that one-time password dynamically into the kickstart script.

If you want to approach the problem from a technical side and not procedural... I don't suppose you have Puppet? You can utilize Puppet to deploy a 'host provisioning' keytab that you then kinit -kt before issuing the other commands that require authentication. When it is finished, delete the keytab.

The problem with authentication and complete hands-off automation is that you always have to whittle it down to an area of acceptable risk with lots of compensating controls and logging.

On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:

Hi Simo

ipa-client-install is provided by the ipa-client rpm. Details below

    Name: ipa-client
    Arch: x86_64
    Version : 2.1.3
    Release : 9.el6
    Size: 222 k
    Repo: installed

What I am trying to achieve is these two commands in a post...

    ipa service-add HTTP/$(hostname)

this definitely requires an authenticated user to add i'm sure

    ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab

this one I suspect might be able to be retrieved using the host/ principal from the system after running ipa-client-install.

Does this help paint a picture?

Dale

On 02/08/2012 01:49 PM, Simo Sorce wrote:

On Wed, 2012-02-08 at 11:13, Dale Macartney wrote:

morning all...

i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart...

i've run

    ipa-client-install -U -p admin -w redhat123

which works perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't appear to be generated during the ipa-client-install.

any suggestions on doing this during a post?

What version of ipa-client-install are you using? Newer versions (2.x) should fetch a keytab for your system (needs credentials or OTP password).

Simo.
Re: [Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos
On Jan 30, 2012, at 6:12 PM, Adam Young wrote:

On 01/28/2012 01:53 PM, Erinn Looney-Triggs wrote:

On 1/27/2012 4:53 PM, JR Aquino wrote:

On Jan 27, 2012, at 5:31 PM, Jr Aquino wrote:

Has anyone successfully gotten firefox in windows with firefox and mit kerberos? I've followed several how to's, but i can't get firefox to take/pass my tgt.

The Key to success:

    network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll

I had been previously using lib\i386/gssapi32.lib and that's what was breaking it. The rest of the documentation on the FreeIPA site is sound. We could probably stand to add that 1 line to the doc at http://freeipa.com/page/ClientConfigurationGuide

The only other thing I would add here, at least for me, was on an x86_64 install of windows I needed to use:

    C:\Program Files (x86)\MIT\Kerberos\bin\gssapi32.dll

-Erinn

OOPS! One other line I needed to change for firefox to work in windows:

    network.auth.use-sspi: false

^ This tells firefox not to use the built-in AD based Kerberos/SSO. I didn't realize I had missed this until I went back through from scratch to retest.
[Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos
Has anyone successfully gotten firefox in windows with firefox and mit kerberos? I've followed several how to's, but i can't get firefox to take/pass my tgt.

-Jr
Re: [Freeipa-users] Sudo options
On Jan 18, 2012, at 11:47 AM, Erinn Looney-Triggs wrote:

I can't really figure out what the proper syntax is for the sudo rules in IPA. I have a number of options that I would like included by default, I have put them in place, from ipa sudorule-show:

    Sudo Option: env_keep = LESSSECURE, env_reset, mail_badpass, mail_no_host, mail_no_perms, syslog = local2

It looks to be getting confused by the whitespace. Remove the whitespace for

    env_keep = LESSSECURE
    syslog = local2

to:

    env_keep=LESSSECURE
    syslog=local2

Let me know if that helps.

Also, can you post a compare against:

    ipa sudorule-show defaults

vs a host you want to run sudo on

    $ sudo -l

This doesn't appear to work, when sudo is run:

    sudo: unknown defaults entry `env_keep '
    sudo: unknown defaults entry `mail_badpass, mail_no_host, mail_no_perms, syslog '

One thing that jumps out at me is that the '= whatever' portion is not being maintained. The directions in the IDM guide are less than clear, simply referencing the sudoers page for options. These are all valid sudo options, this is basically a straight port over from a sudoers file.

So anyone have any experience doing this bit?

-Erinn
Re: [Freeipa-users] Sudo options
On Jan 18, 2012, at 1:24 PM, Erinn Looney-Triggs wrote:

On 01/18/2012 11:50 AM, JR Aquino wrote:

On Jan 18, 2012, at 11:47 AM, Erinn Looney-Triggs wrote:

I can't really figure out what the proper syntax is for the sudo rules in IPA. I have a number of options that I would like included by default, I have put them in place, from ipa sudorule-show:

    Sudo Option: env_keep = LESSSECURE, env_reset, mail_badpass, mail_no_host, mail_no_perms, syslog = local2

It looks to be getting confused by the whitespace. Remove the whitespace for

    env_keep = LESSSECURE
    syslog = local2

to:

    env_keep=LESSSECURE
    syslog=local2

Let me know if that helps.

Also, can you post a compare against:

    ipa sudorule-show defaults

vs a host you want to run sudo on

    $ sudo -l

This doesn't appear to work, when sudo is run:

    sudo: unknown defaults entry `env_keep '
    sudo: unknown defaults entry `mail_badpass, mail_no_host, mail_no_perms, syslog '

One thing that jumps out at me is that the '= whatever' portion is not being maintained. The directions in the IDM guide are less than clear, simply referencing the sudoers page for options. These are all valid sudo options, this is basically a straight port over from a sudoers file.

So anyone have any experience doing this bit?

-Erinn

It looks like this was actually two problems, one the quoting, and the second that via the web ui, I had put multiple options on a single line separated by a comma, so initially one rule was:

    mail_badpass, mail_no_host, mail_no_perms, syslog = local2

After fixing the spacing issue, as well as putting each into its own statement, everything worked just fine. There should probably either be better documentation, or better validation of input for those options, or ideally both :). I reckon I will open a bug up.

Thanks!

I agree with you. Might even help to do some level of input validation as well.

Thanks again!

~ Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist

Thanks for the help,
-Erinn
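Erinn's two findings (whitespace around '=' and several options pasted into one value) can be caught before the values ever reach IPA. The validator below is an added example, not IPA's or sudo's code: it splits a pasted sudoers Defaults line into one option per value and rejects anything that does not follow the sudoers(5) Defaults syntax (an optional '!', a name, and optionally '=', '+=' or '-=' followed by a value, which may be double-quoted).

```python
"""Normalise and validate sudoOption values before adding them to an IPA
sudo rule (added example)."""
import re

# sudoers(5) Defaults entry: optional "!" then a name, optionally followed by
# an operator (=, +=, -=) and a value. Whitespace around the operator is what
# produced "unknown defaults entry `env_keep '" in the thread.
_OPTION_RE = re.compile(
    r"^(?P<neg>!?)(?P<name>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?:\s*(?P<op>\+=|-=|=)\s*(?P<value>.+))?$"
)


def split_options(raw):
    """Split a comma-separated option string into pieces, leaving commas that
    sit inside double quotes (e.g. env_keep="A, B") alone."""
    parts, buf, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def normalize_option(opt):
    """Return one option in canonical form (no whitespace around the operator),
    or raise ValueError if it is not a valid Defaults entry."""
    m = _OPTION_RE.match(opt)
    if not m:
        raise ValueError(f"not a valid sudoers Defaults entry: {opt!r}")
    neg, name, op, value = m.group("neg", "name", "op", "value")
    if op is None:
        return f"{neg}{name}"           # flag, e.g. env_reset or !authenticate
    if neg:
        raise ValueError(f"'!' cannot be combined with {op}: {opt!r}")
    return f"{name}{op}{value.strip()}"


def is_valid_option(opt):
    """Convenience wrapper: True if normalize_option() accepts the entry."""
    try:
        normalize_option(opt)
        return True
    except ValueError:
        return False


def normalize_sudo_options(raw):
    """Turn one pasted sudoers line into the list of separate sudoOption
    values IPA expects: one option per value, no spaces around '='."""
    return [normalize_option(p) for p in split_options(raw)]


if __name__ == "__main__":
    # The line from the thread, as pasted into a single Sudo Option field.
    line = ("env_keep = LESSSECURE, env_reset, mail_badpass, mail_no_host, "
            "mail_no_perms, syslog = local2")
    for opt in normalize_sudo_options(line):
        print(f"ipa sudorule-add-option defaults --sudooption='{opt}'")
```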
Re: [Freeipa-users] HBAC issues
On Jan 5, 2012, at 3:14 PM, Stephen Gallagher sgall...@redhat.com wrote:

On Jan 5, 2012, at 5:48 PM, Erinn Looney-Triggs erinn.looneytri...@gmail.com wrote:

On 01/05/2012 11:54 AM, Stephen Gallagher wrote:

On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:

Yes that looks about right, not able to confirm 100%, but that is probably the issue.

We're looking into it. However, I should point out that using srchost is a very unreliable means of restricting access. There are numerous problems with it, most notably because we have to rely on what PAM sends us in the srchost field, which is not defined in the spec, so different applications such as 'login' and 'sshd' sometimes put different values in those fields. In SSSD upstream, we're defaulting to ignoring srchost rules because they're 1) unreliable and 2) cause significant performance impact on networks with lots of host entries. Our general recommendation is that if you want to restrict access from specific hosts, it's usually a better idea to do this at the firewall level, rather than the HBAC level.

Well that kind of puts that whole HBAC thing on the skids doesn't it?

Well, target host works fine. The real problem is with accurately identifying the remote host that the connection originated from. So you can still write rules that say only these users can log onto these hosts.

If you absolutely must use it I have found that access.conf works well enough to limit srchost ssh access: http://linux.die.net/man/5/access. Unfortunate that it works that way, and yes firewalling is always a good option.

Thanks for the info,
-Erinn
Re: [Freeipa-users] Host Based Access Control and Solaris?
On Jan 4, 2012, at 2:39 AM, Craig T free...@noboost.org wrote:

Hi,

Server: RHEL6.2
Spec: ipa-server-2.1.3-9

1) After reading the IPA documentation, it seems that HBAC is only available to SSSD clients. This would suggest that I'm not going to be able to configure it for Solaris hosts?

Using host-based access control requires SSSD to be installed and configured on the IPA client machine.

I have written a custom python PAM module that fully supports HBAC in Linux; however, it utilizes http://ace-host.stuart.id.au/russell/files/pam_python/, which is currently not OpenPAM compatible. I've been seeking help to find someone to port it to OpenPAM since that is what the BSDs, Solaris, and MacOSX use, but I haven't had any luck so far.

2) Does this mean that I won't be able to control who can log onto our solaris servers? Perhaps I'll have to configure a custom /etc/hosts.deny entry?

cya

Craig
Re: [Freeipa-users] Expired SSL certificate issue with IPA
On Jan 3, 2012, at 8:37 AM, nasir nasir wrote:

--- On Tue, 1/3/12, Rich Megginson rmegg...@redhat.com wrote:

From: Rich Megginson rmegg...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Tuesday, January 3, 2012, 7:41 AM

On 01/03/2012 12:52 AM, nasir nasir wrote:

Hi,

I am facing a serious issue with my production IPA server. When I try to access IPA web interface using Firefox, it hangs and doesn't allow me to get in. It seems to be due to expired SSL certificate as seen in the apache log file,

    [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
    [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has expired
    [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
    [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'

Also, when I try to use the command line (ipa user-mod or user-show commands) it too just hangs and doesn't give any output or allow me for any input. I can see the following in krb5kdc.log,

    Jan 03 10:29:16 xx.xx.com krb5kdc[2426](info): preauth (timestamp) verify failure: Decrypt integrity check failed
    Jan 03 10:29:16 xx.xx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/x.x@xx.com for krbtgt/xx@xx.com, Decrypt integrity check failed
    Jan 03 10:29:16 xx.xx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/.x@x.com for krbtgt/xx@xx.com, Additional pre-authentication required

The output of certutil -L -d /etc/httpd/alias -n Server-Cert confirms that certificate is expired as given below.

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 10 (0xa)
            Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
            Issuer: CN=Certificate Authority,O=XX.COM
            Validity:
                Not Before: Sun Jun 19 11:27:20 2011
                Not After : Fri Dec 16 11:27:20 2011

Relevant info

OS: RHEL 6.1

Output of rpm -qa | grep ipa

    ipa-client-2.0.0-23.el6.i686
    ipa-pki-ca-theme-9.0.3-6.el6.noarch
    ipa-pki-common-theme-9.0.3-6.el6.noarch
    device-mapper-multipath-libs-0.4.9-41.el6.i686
    python-iniparse-0.3.1-2.1.el6.noarch
    ipa-python-2.0.0-23.el6.i686
    ipa-server-selinux-2.0.0-23.el6.i686
    ipa-server-2.0.0-23.el6.i686
    device-mapper-multipath-0.4.9-41.el6.i686
    ipa-admintools-2.0.0-23.el6.i686

I went through the documentations to check how to renew the expired certs but it seems to be confusing and different across versions. Could someone please help me out by suggesting which is the best way to achieve this? Any help would be greatly appreciated as I am unable to perform any task on the IPA server now because of this.

I suggest following the mod_nss suggestion to allow it to start and use the expired cert while you attempt to figure this out.

Thanks indeed for the suggestion. I will consider this. But can anyone point me the steps to renew certificate from the expired one?

Thanks and regards,
Nidal

wasn't certmonger supposed to be designed to automatically handle this situation?
Re: [Freeipa-users] Large slow down when using IPA
On Dec 30, 2011, at 5:45 PM, Erinn Looney-Triggs wrote:

I have been slowly rolling out FreeIPA to my systems, trying to track differences/changes. One of the most noticeable has been a large slow down in file access times. Let me explain as best as I can.

I use AIDE to track the file system (think tripwire) and it runs checks once a day. During these checks it is scanning (almost) the entire file system and comparing it to a stored database. On a moderately powered system with ~151k files, an AIDE run will usually take ~30 minutes. After the system becomes an IPA client the same run will generally take ~90-120 minutes. Un-install the ipa-client, back to ~30 minutes for an AIDE run.

Now clearly a lot of lookups are being done for user names and group names, and this will have a performance hit that is dependent on the network. However, the odd thing is that even when running on the IPA server itself the slowdown is still the same.

Not sure if this is an IPA problem, an SSSD problem, a bit of both, or neither, perhaps it is just the way it is, but a slowdown of 3-4x seems a bit much to me. Clearly the results are not scientific, however, they have been generally reproducible since I started rolling IPA out.

As a side note this slowdown has also broken bacula backups, as the bacula client is scanning the filesystem for change (using accurate backups) the director times out.

Any thoughts, or opinions? Workarounds etc? I have checked to make sure that SSSD caching is enabled, and functional.

Thanks,
-Erinn

I am assuming that these are all running as local users. From the sssd.conf man page in the nss section:

    filter_users, filter_groups (string)
        Exclude certain users from being fetched from the sss NSS database. This is particularly useful for system accounts. This option can also be set per-domain or include fully-qualified names to filter only users from the particular domain.
        Default: root

Try adding this to your sssd.conf:

    [nss]
    filter_groups = root,bacula,aide,otherdaemonuser - as needed
    filter_users = root,bacula,aide,otherdaemonuser - as needed

Let me know if that solves your issue.
[Freeipa-users] FreeIPA Replica Manage Reinitialize causes ALL Servers to rerun memberof fixup
I have a multimaster infrastructure with 3 core FreeIPA servers and 10 supporting (procedurally read-only) FreeIPA servers.

I notice that occasionally 1 of the systems starts producing errors filling up /var/log/dirsrv/slapd-DOMAIN-COM/errors:

    Replica has a different generation ID than the local data

(I suspect this is due to ntp problems that I am trying to work out)

http://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Troubleshooting_Replication_Related_Problems.html

^ This document suggests that I should re-initialize the problematic system from one of the core master servers.

Upon so doing, I am finding that all 13 servers' CPUs spike to 100% of 1 core while they re-process memberof data... Even though there are many many cores in these systems, the intense single-threaded nature of this process causes a performance hit in all 13 data centers for all clients.

Am I reading the documentation wrong? Shouldn't a re-initialization of the problematic host only cause a replication: master -> slave + slave memberof fixup?

This seems like a fairly severe performance-affecting bug.

-JR
Re: [Freeipa-users] [Freeipa-devel] Announcing FreeIPA 2.1.4
On Dec 6, 2011, at 1:09 PM, Simo Sorce wrote:

Thanks Rob for all the great work!

I want to add just one warning that may escape users' attention. Due to the need to address the CSRF attack, our command line tools (including ipa-client-install) will not work on newer servers until you upgrade those clients. The reason is that the old tools never sent the Referer header.

How do you upgrade your clients if they are RHEL and the Server is Fedora?

The newer tools should work w/o any issue against an old server. Unfortunately although CSRF attacks are a concern only when using the Web UI, we had to break compatibility because a browser could be subverted to use the xml-rpc interface used by the CLI tools, and we couldn't leave that hole open even though this means we are breaking backwards compatibility. So if you need to have a gradual upgrade you should start from clients (and install images) before upgrading the server. Keep in mind though that the flaw will not be fixed until you upgrade the server. So, although the flaw is not really critical (IMO), you should not delay upgrades too long in production environments and be careful on administrative clients where you use admin credentials.

HTH,
Simo.
[Freeipa-users] Firefox on Windows + FreeIPA WebUI
Has anyone got this working? I've installed MIT Kerb on my windows system and configured Firefox, but I've yet to get them all to play nicely together...

If someone else has managed to figure this out, could you please hit me with the clue stick? I'd prefer to fix Kerb SSO rather than adventure down the path of enabling Basic Auth on my FreeIPA Server.

Thanks!

~ Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
jr.aqu...@citrixonline.com http://www.citrixonline.com
Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:

I have put 3 clients into a netgroup and added a user, however when I remove the user from the netgroup the user can still login! Even if the user wasn't ever in the netgroup they can login. So how do I stop that? When will we see some documentation on doing user admin tasks like this?

Have a look at this:
http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies
Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
1) Create an HBAC Rule or rules: choose allow or deny
2) add users/usergroups to the rule
3) add hosts/hostgroups to the rule
4) disable the default 'allow all' rule

Now any system that has SSSD 1.5 will enforce those HBAC rules.

For systems that do not support sssd, I have been working on a proof of concept authorization module for HBAC written in python.

-JR

On Jun 13, 2011, at 5:32 PM, Steven Jones wrote:

Hi,

I've seen/read it, and I have a hard copy on my desk in front of me right now. I find it typical of such documents: it has lots of sections in great detail but it doesn't tell you how to achieve anything end to end, and often it gives you written instructions on visual tasks, so if you are not in the right bit of the gui you go nowhere. So it needs far more screenshots and wizards.

regards

From: JR Aquino [jr.aqu...@citrix.com]
Sent: Tuesday, 14 June 2011 11:53 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:

I have put 3 clients into a netgroup and added a user, however when I remove the user from the netgroup the user can still login! Even if the user wasn't ever in the netgroup they can login. So how do I stop that? When will we see some documentation on doing user admin tasks like this?

Have a look at this:
http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies
Re: [Freeipa-users] RHEL client to IPA
Can you try both of those commands with sudo?

    sudo service dirsrv status

~~ Jr Aquino
Info. Security Specialist
Citrix Online
jr.aqu...@citrixonline.com
805.690.3478
GCIH, CCNA

On May 18, 2011, at 1:38 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:

    [jonesst1@vuwunicoipamt01 ipa]$ service dirsrv status
    /etc/sysconfig/dirsrv: line 50: ulimit: open files: cannot modify limit: Operation not permitted
    dirsrv UNIX-VUW-AC-NZ is stopped
    [jonesst1@vuwunicoipamt01 ipa]$ service krb5kdc status
    krb5kdc (pid 4686) is running...
    [jonesst1@vuwunicoipamt01 ipa]$ grep file-max /etc/sysctl.conf
    [jonesst1@vuwunicoipamt01 ipa]$ grep nofile /etc/security/limits.conf
    #        - nofile - max number of open files
    dirsrv - nofile 8192
    [jonesst1@vuwunicoipamt01 ipa]$ cat /proc/sys/fs/file-max
    97190
    [jonesst1@vuwunicoipamt01 ipa]$

From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 19 May 2011 1:22 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] RHEL client to IPA

On 05/17/2011 09:36 PM, Steven Jones wrote:

the dirsrv isn't running... it's giving me

    line 50: ulimit: open files: cannot modify limit: operation not permitted
    dirsrv unix-vuw-ac-nz is stopped...

What is the number of files that ulimit is attempting to use? What does grep file-max /etc/sysctl.conf say? What about grep nofile /etc/security/limits.conf? What about cat /proc/sys/fs/file-max?

krb5kdc is running.

regards

From: JR Aquino [jr.aqu...@citrix.com]
Sent: Wednesday, 18 May 2011 3:31 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] RHEL client to IPA

Is ns-ldap / kdc running on vuwunicoipamt01.unix.vuw.ac.nz?

    service dirsrv status
    service krb5kdc status

And are you running the command on vuwunicoipamt01.unix.vuw.ac.nz?

On May 17, 2011, at 8:23 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:

I'm getting, SASL bind failed!

Steven Jones wrote:

So what should the command be?

    # kinit admin
    # ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz
Re: [Freeipa-users] RHEL client to IPA
Is ns-ldap / kdc running on vuwunicoipamt01.unix.vuw.ac.nz?

service dirsrv status
service krb5kdc status

And are you running the command on vuwunicoipamt01.unix.vuw.ac.nz?

On May 17, 2011, at 8:23 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:

I'm getting, SASL bind failed! 8

Steven Jones wrote:

So what should the command be?

# kinit admin
# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On May 11, 2011, at 10:51 AM, Sigbjorn Lie wrote:

On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:

On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:

Hi,

I would like to see the ipa client scripts and possibly the admin tools in a nice Solaris package. This would make my job a lot easier as we have a lot of customers running Solaris. :) For the server part I agree with you, keep it at RHEL.

SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the UNIX vendors selling their iron as client machines anymore. And I don't see a considerable benefit in adding SSSD to servers, who will be well connected to the network anyway.

Actually, SSSD is still valuable on server systems (and is used very often in datacenters). The reason is that it can allow a server to ride out an outage in the LDAP and/or Kerberos server and still handle authentication and identity requests from its cache.

We've expressed interest several times in working WITH other platforms to help them port the SSSD, but we've received no real commitment to assisting with it. We have a lot on our plates already, so it is difficult for us to justify spending time improving our competitors' offerings :)

Also, SSSD has additional features with FreeIPA integration that nss_ldap and pam_krb5 do not. Specifically, it has support for managing access-control using FreeIPA's host-based access control model. This is a very valuable piece of the puzzle and should not be ignored.

I see you're having a valid point about the outage support. This could be worked around using the High Availability Add-on in RHEL, sharing an IP address between your IPA servers, which you would switch to the currently active IPA server.

Not only is there a question of high availability with regard to lookups into ldap. But there is also a problem of scale and overhead. nss_ldap and pam_ldap perform a lookup per iteration in many cases. Consider for example: 4 data centers with 100 servers each, all tied back to ldap for uid/gid mappings and pam_ldap for authentication and authorization. If you have a task that logs into each of these 400 servers and performs a 'sudo ls -la /home' for example, your ldap servers are going to incur the cost of looking up each file on each server, the cost of each authentication, and the cost of performing several ldap lookups from the sudo binary. SSSD is not only beneficial during periods of network inaccessibility, but also crucial with regard to scale.

With regards to IPA's host-based access control: What about doing access control through using netgroups via the tcp wrappers? You could still be configuring host based access control in IPA as it's creating transparent netgroups for the host groups.

Host based access control is currently a mess in the Linux Community. There are currently a few ways to go about it.

netgroups with TCP Wrappers
Access.conf
^ This method implies that the changes in your central database must eventually be pushed to flatfile configs on the end hosts. While this works pretty well in small environments, it can fall apart and have serious scale issues when dealing with hundreds or thousands of hosts. (Yes, even when using something like Satellite or Puppet.) Consider the case of Active Directory where you scratch your head and go: "Gee, I'm SURE that I pushed that GPO, but for some reason, this set of hosts didn't get the memo."

pam_ldap + pam_check_host_attr
^ This issue has a sheer drop off problem with scale. In this approach, you need to fill the user objects with every host that the user is permitted to login to. When the number of users/administrators grows along with the number of hosts you have, you get: n^users * n^hosts and the administrative overhead becomes overwhelming.

These are all workarounds, I assume having the functionality available through the native sssd would be of an advantage. But this way you would have the mentioned extra functionality of SSSD without having to do the work of supporting your competitors' operating systems. :)

There have been _some_ discussions surrounding a pam module that could be used as a very base level of hbac support since there are a lot of pre-required dependencies for sssd. The advantage would be theoretical portability, and the loss would be caching. I have personally written such a pam plugin prototype in python, and it functions just fine in linux installations. The c code that calls the python script is not compatible with open_pam, so there is still work to be done to support the BSD / MAC solutions, but I believe it's just a matter of some syntax changes...

I hope this information helps clarify these points.

Rgds,
Siggi
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On May 11, 2011, at 12:25 PM, JR Aquino wrote:

These are all workarounds, I assume having the functionality available through the native sssd would be of an advantage. But this way you would have the mentioned extra functionality of SSSD without having to do the work of supporting your competitors' operating systems. :)

There have been _some_ discussions surrounding a pam module that could be used as a very base level of hbac support since there are a lot of pre-required dependencies for sssd. The advantage would be theoretical portability, and the loss would be caching. I have personally written such a pam plugin prototype in python, and it functions just fine in linux installations. The c code that calls the python script is not compatible with open_pam, so there is still work to be done to support the BSD / MAC solutions, but I believe it's just a matter of some syntax changes...

After closer inspection it appears that OpenPam appears to try to remain compatible with Solaris, so, a method for providing a non caching bare bones openpam compatible module would likely satisfy Solaris, MacOSX and the BSDs.
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On Apr 29, 2011, at 11:45 PM, nasir nasir kollath...@yahoo.com wrote:

Hi All,

First of all, many thanks indeed to the developers and community for making some great strides in the open source IPA world!

I am planning for a Linux deployment with the following requirements.

-- About 50 Linux clients running Kubuntu (can change this to ubuntu if necessary)
-- Centralized authentication
-- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage
-- NO Windows or other users
-- Admin should be able to create and modify the accounts of all the users
-- Admin should be able to set password policies
-- Allocate /home folder for each user from the storage through iSCSI
-- Server can be CentOS/RHEL (or even Fedora if absolutely required)
-- Any other administration of users if possible!

I was wondering whether FreeIPA makes sense to me in this scenario? Can it satisfy all these or at least some of these? If not, can anyone suggest me some alternative solutions which are open source? I am flexible on the requirements and can make modifications if that is required.

I would really appreciate any feedback on this.

Thanks in advance and regards,
Nidal

Yes Nidal, you will find that FreeIPA satisfies almost all of these requirements. iSCSI management is not a feature of FreeIPA.

If you are looking to begin now, I would recommend that you start with Fedora as your base server distro. IPA will be available for RHEL as a Feature preview in 6.1 with plans to be fully supported and integrated by 6.2.

-JR
Re: [Freeipa-users] allowing anonymous access to ipa directory
On Apr 13, 2011, at 5:26 PM, Stephen Ingram wrote:

This question might be better posed on a general directory server list, however, as ipa obviously contains very sensitive data, I'm curious as to what ipa users think. Although ipa uses extensive acl's to shield the most important directory attributes from general view, it does allow anonymous access to many of the general entries. I notice that many directories do this to allow outside firms to view addressbook-type information of the company from their directories and referrals also depend on this functionality. I'm wondering though, if you have users from multiple domains in your directory with say name and email address information available, wouldn't this just be a free-for-all for some enterprising spammer or such? Or, if hosting dns from ipa, host records available to aid potential attackers to map network systems? Shouldn't this be controlled further in some instances and perhaps require at least a user bind (if not a TLS/SSL layer) to access this information?

Steve

This question has come up before Stephen. A conscious effort has been made to provide FreeIPA with a balance of security minded and usable defaults. There are circumstances with other Distributions/OS's and nss_ldap situations which require anonymous binds. It is for this reason that the default for FreeIPA permits read access to a limited scope of the LDAP directory. You will note that areas of the directory responsible for mapping security authorization controls have been deliberately protected with ACLs.

That being said, there has been an ongoing effort to verify that the FreeIPA framework all functions correctly with ldap security features turned on: Always Encrypt/Disable Anonymous or Unauthenticated Binds.

To turn on these features, you will want to look to /etc/dirsrv/slapd-DOMAIN-COM/dse.ldif:

nsslapd-allow-anonymous-access: on/off
(This toggles anonymous / unauthenticated binds)

and

nsslapd-minssf: 56
(This enforces the encryption minimum security strength factor and prevents unencrypted communications)

service dirsrv restart will be required for the features to take effect.

-JR
Re: [Freeipa-users] Auto membership plugin
Is there any way to capture a description associated with the regex - group mapping? I was thinking that after time, it would be important to look back on rules and know why they were put there. Particularly in the case of regex, since it may not be completely obvious by looking back at alphabet soup.
Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
On 1/4/11 1:04 AM, Roland Kaeser roland.kae...@intersoft-networks.ch wrote:

We return to this discussion once in a while... Samba 4 tries to do it and still struggles after many years of development. We definitely would look at Samba 4 again when we see it sufficiently ready but this is not a priority for 2011.

Maybe this is the reason why freeipa has that less users and nearly no echo in the linux community.

I disagree Roland. The linux community at large, is generally living in the dark ages of authorization management. There are no comparative comprehensive linux solutions in the community thus far which actually address scalable authentication and authorization from linux systems by a linux solution. My observation of the quiet in the community is due to lack of solutions out there. /etc/access.conf, pam_ldap, Certify, hosts.allow are very primitive means to control access with to linux client.

Regardless of how complex you make your authentication database, to this day, you are still limited to: pam_ldap, access.conf, Certify, hosts.allow... These are very primitive means to control access with to linux client.

With FreeIPA and SSSD, the first means of providing real RBAC/HBAC is available to the Open Source community. We cannot and should not attempt to explain the quiet with answers of disinterest or lack of Microsoft support. The fact is, there has not yet been a competent linux solution and as a result the utilization of pure Linux environments has been stunted with people settling for things like, /etc/passwd, /etc/access.conf, pam_ldap, and NIS...

What you are describing is the reinventing of the wheel. Which has previously been answered: If the goal is to provide an alternative linux authentication/authorization method for Microsoft Windows, then there are already existing solutions out there: Samba4, Novell eDirectory + Directory Services for Windows...

FreeIPA serves to facilitate some of the most basic authentication/authorization interactions that other OS's have taken for granted for years.

Samba 4 is intended to be a duplicate of AD; this is how it is designed and implemented.

The problem here is that samba 4 is still alpha. I would like to be able to use Linux as the IT backbone without having to resort to Microsoft. This is also our most implemented scenario. Only in the last year we migrated a half a dozen companies away from microsoft and AD (on the server side). This year a lot of companies are already planned for migration. Specially with the knowledge in mind that (based on the change of microsoft's licensing model for hosters) around 1000 companies only in switzerland will switch their abacus (www.abacus.ch, large erp for switzerland) platform to linux so it's REALLY, REALLY (I cannot write how much I would like to accentuate this) important to have a network wide authentication and identity management software to build up large linux server environments with windows frontends. So, having windows clients in the network is the reality; we cannot close our eyes to this only because it's a challenge to implement it.

Microsoft has designed a complete ecosystem to surround its client, server, email, and productivity solutions. It's not just a challenge to implement a successful means of replacing the backend, it is directly opposed to the goals of its creator: Microsoft. The various components within Microsoft's (and most commercial) solutions are designed at their core to be proprietary with the effort of drawing in consumers to more pieces of their puzzle. It is entirely likely that it will be necessary to have both solutions in place and working together, rather than attempting to circumvent Microsoft's solution.

Linux is lacking a complete solution that acts as a central authentication and identity management platform.

I think also this is the only huge area in linux which is really missing. Just think about the huge potential of users and implementations if freeipa acts also as authentication instance for windows environments. Just we only (as small company with 8 persons) would have the possibility for around 20 migrations this year. It just wage to dream a bit but from my point of view the authentication lack is the only remaining one which prevents the rest of the world (or even europe and switzerland) to massively migrate to linux and opensource (at least on the server side).

While I agree that a truly unified solution which answers all clients' authentication needs is a worthwhile concept, in practice, throughout my entire career, I've learned that the commercial design of this ecosystem conflicts with this ambitious ideal. I have had a great deal of experience in highly dense and distributed (world wide) native Linux installations which service Windows Clients. All tools are best used by their intended design. If the only tool you have is a Hammer, you may approach all of your problems as if they are nails.

~~
Jr Aquino
Information