[Freeipa-users] login/su problem on ubuntu

2017-02-28 Thread Karl Forner
I just registered a new computer running ubuntu to our freeIPA system.
Some users (all I tried except me) are not able to login using lightdm.

The message on screen is "Permission denied".
On the system the user (joe) is created, and its home directory too, but it
only contains a .kde/ subdir and a .bash_history.

On my session, if I type:
$ sudo su - joe
I get:
su: Permission denied
(Ignored)


The only log file that is modified is /var/log/auth.log.
The relevant lines during the graphical login are:

Feb 28 16:44:29 nyx lightdm: pam_unix(lightdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=joe
Feb 28 16:44:41 nyx lightdm: pam_sss(lightdm:auth): authentication success;
logname= uid=0 euid=0 tty=:0 ruser= rhost= user=joe
Feb 28 16:44:41 nyx lightdm: pam_kwallet(lightdm:auth): pam_sm_authenticate
Feb 28 16:44:43 nyx lightdm: pam_sss(lightdm:account): Access denied for
user joe: 6 (Permission denied)
Feb 28 16:44:54 nyx lightdm: pam_succeed_if(lightdm:auth): requirement
"user ingroup nopasswdlogin" not met by user "joe"

The relevant lines during the "sudo su - joe":
Feb 28 16:48:32 nyx su[26394]: pam_sss(su:account): Access denied for user
joe: 6 (Permission denied)
Feb 28 16:48:32 nyx su[26394]: pam_acct_mgmt: Permission denied
Feb 28 16:48:32 nyx su[26394]: FAILED su for joe by karl

This computer is set up exactly like a dozen others that work fine.
What could be the problem?

Thanks,
Karl Forner

P.S.
Description:Ubuntu 14.04.5 LTS
3.16.0-76-generic #98~14.04.1-Ubuntu SM
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
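The auth.log lines above already contain the answer to "password or policy?": pam_sss accepts joe's password in the auth phase and then refuses him in the account phase. For the IPA provider, SSSD's account phase is where HBAC rules are evaluated, so this pattern is an access-control decision, not a credential failure. The following script is an added example (not part of the original post or of SSSD/FreeIPA) that re-joins mail-wrapped syslog lines and classifies each (service, user) pair; the sample input is constructed from the lines quoted above.

```python
"""Separate PAM 'auth' from 'account' failures in syslog-style auth.log lines.

Added example, not part of the original post. The log lines quoted in the
post are reused here as constructed sample input (wrapped the way the mail
client wrapped them). pam_sss's account phase is where SSSD enforces IPA
HBAC rules, so "pam_sss(...:auth) success" followed by
"pam_sss(...:account) Access denied" means the password was accepted and an
access-control decision, not a credential problem, stopped the login.
"""
import re
from collections import defaultdict

# "Feb 28 16:44:43 nyx lightdm: pam_sss(lightdm:account): Access denied for user joe: 6 (Permission denied)"
PAM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
# matches 'user=joe', 'user joe' and 'user "joe"', but not 'ruser='
USER_RE = re.compile(r'\buser[= ]\s*"?(?P<user>[\w.-]+)')
NEW_ENTRY = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d ")

# Constructed sample: the lines from the post, as wrapped by the mail client.
SAMPLE = """\
Feb 28 16:44:29 nyx lightdm: pam_unix(lightdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=joe
Feb 28 16:44:41 nyx lightdm: pam_sss(lightdm:auth): authentication success;
logname= uid=0 euid=0 tty=:0 ruser= rhost= user=joe
Feb 28 16:44:41 nyx lightdm: pam_kwallet(lightdm:auth): pam_sm_authenticate
Feb 28 16:44:43 nyx lightdm: pam_sss(lightdm:account): Access denied for
user joe: 6 (Permission denied)
Feb 28 16:48:32 nyx su[26394]: pam_sss(su:account): Access denied for user
joe: 6 (Permission denied)
Feb 28 16:48:32 nyx su[26394]: pam_acct_mgmt: Permission denied
Feb 28 16:48:32 nyx su[26394]: FAILED su for joe by karl
""".splitlines()


def join_wrapped(lines):
    """Re-join entries that were wrapped onto continuation lines (no timestamp)."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if NEW_ENTRY.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def parse_pam_line(line):
    """Return a dict for a 'pam_xxx(service:phase): msg' line, or None."""
    m = PAM_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = USER_RE.search(rec["msg"])
    rec["user"] = u.group("user") if u else None
    rec["denied"] = re.search(r"denied|failure|not met", rec["msg"], re.I) is not None
    return rec


def triage(lines):
    """Map (service, user) -> verdict; an account-phase denial wins over auth results."""
    by_login = defaultdict(list)
    for rec in map(parse_pam_line, join_wrapped(lines)):
        if rec and rec["user"]:
            by_login[(rec["service"], rec["user"])].append(rec)
    verdicts = {}
    for key, recs in by_login.items():
        auth_ok = [r["module"] for r in recs if r["phase"] == "auth" and "success" in r["msg"]]
        acct_denied = [r["module"] for r in recs if r["phase"] == "account" and r["denied"]]
        if acct_denied:
            verdicts[key] = "account-denied:" + ",".join(acct_denied)
        elif auth_ok:
            verdicts[key] = "auth-ok:" + ",".join(auth_ok)
        else:
            verdicts[key] = "auth-failed"
    return verdicts


if __name__ == "__main__":
    for (service, user), verdict in sorted(triage(SAMPLE).items()):
        print(f"{service:8} {user:8} {verdict}")
```

For the sample both lightdm and su come out as account-denied:pam_sss. The check that follows from that is the HBAC evaluation for this host, for example `ipa hbactest --user joe --host nyx.example.com --service lightdm` (the host FQDN is assumed), compared against one of the dozen hosts that work.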

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
Thank you! This is at last crystal clear for me!
Thank you also for the VPN/tunneling suggestion, I'll look into it.



On Mon, Oct 17, 2016 at 12:12 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On ma, 17 loka 2016, Karl Forner wrote:
>
>> On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>> On ma, 17 loka 2016, Karl Forner wrote:
>>>
>>> Thanks Alexander, unfortunately I could only find outdated documentation.
>>>> I just realized that my question is not precise enough.
>>>>
>>>> The documentation I linked is the up-to-date one.
>>>
>>>
>> Yes I know. I was explaining...
>>
>>
>>
>>>
>>> From your answer, I understand that during the replica setup process,
>>>> all I need (because I do not use RHEL) is a ssh port between the master
>>>> and the replica.
>>>>
>>>> You did not read carefully what I quoted. SSH port is in addition to the
>>> ports required to be open for normal IPA master.
>>>
>>>
>> I did read.  I wrote "between the master and the replica". Each server has
>> its own set of open ports in its own network, used by its clients.
>>
> IPA replica is a client of IPA master, there isn't much difference,
> except where Kerberos tickets are obtained from, as each master/replica
> host owns a KDC with exactly the same keys, so they are able to 'short cut' it
> here.  However, the rest stands.
>
> What I want to know is what ports are used by the replication process, i.e.
>> what ports must I open on my firewall to enable the replication.
>>
> Exactly the same ports as specified in the documentation.
>
> Maybe all the ports are used for that purpose, but this is not, unless
>> mistaken, clearly stated in the documentation.
>>
> You are mistaken and the mistake most likely comes from your idea that
> somehow IPA master/replica are different from other IPA clients. They
> are not, they are IPA clients themselves. Replication exchange is built
> on LDAP protocol.
>
> In that case, this may be a security problem opening that many ports in the
>> firewall.
>>
> Nothing prevents you from organizing a proper VPN or other types of
> tunneling
> between the networks.
>
> --
> / Alexander Bokovoy
>
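The point Alexander makes is that replication is plain LDAP between two IPA servers that are also each other's clients, so the firewall has to pass the same server port set a client needs, plus TCP 22 only while the replica is being set up. The script below is an added example (not from the thread or from FreeIPA) that lists that port set as documented in the RHEL 7 guide linked above and probes the TCP ports from the replica's side; the master hostname and the "which ports are reachable" outcome in the test are constructed, and UDP ports are listed but not probed because a connect() says nothing about them.

```python
"""List the ports a replica needs towards its master and probe the TCP ones.

Added example, not from the thread. Port list: standard IdM server ports from
the RHEL 7 guide the thread links to (HTTP/HTTPS, LDAP/LDAPS, Kerberos/kpasswd,
DNS and NTP when those roles are used); TCP 22 is the setup-time SSH port and
TCP 7389 the RHEL 6 CA port quoted in the thread. Hostnames are assumptions.
"""
import socket


def ipa_required_ports(setup=False, dns=False, ntp=False, rhel6_ca=False):
    """Return {(port, proto): purpose} the replica must reach on the master."""
    ports = {
        (80, "tcp"): "HTTP", (443, "tcp"): "HTTPS",
        (389, "tcp"): "LDAP (replication runs over this)", (636, "tcp"): "LDAPS",
        (88, "tcp"): "Kerberos", (88, "udp"): "Kerberos",
        (464, "tcp"): "kpasswd", (464, "udp"): "kpasswd",
    }
    if setup:
        ports[(22, "tcp")] = "SSH (replica setup only)"
    if dns:
        ports[(53, "tcp")] = "DNS"
        ports[(53, "udp")] = "DNS"
    if ntp:
        ports[(123, "udp")] = "NTP"
    if rhel6_ca:
        ports[(7389, "tcp")] = "CA replication (RHEL 6 CA only)"
    return ports


def tcp_connect(host, port, timeout):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host, ports, timeout=2.0, connector=tcp_connect):
    """Return {(port, proto): True/False for TCP, None for UDP (not probed)}."""
    result = {}
    for port, proto in sorted(ports):
        result[(port, proto)] = connector(host, port, timeout) if proto == "tcp" else None
    return result


def missing(result):
    """TCP ports that did not answer, sorted."""
    return sorted(port for (port, proto), ok in result.items() if proto == "tcp" and ok is False)


if __name__ == "__main__":
    master = "ipa.example.com"  # assumption
    needed = ipa_required_ports(setup=True)
    res = probe(master, needed)
    for (port, proto), ok in sorted(res.items()):
        state = {True: "open", False: "CLOSED", None: "udp, not probed"}[ok]
        print(f"{port:5}/{proto} {state:16} {needed[(port, proto)]}")
    print("missing:", missing(res))
```

Run this from the EC2/Docker side against the master's address, and again over the VPN or SSH tunnel if you take the tunneling route rather than opening the LDAP and Kerberos ports on an internet-facing firewall; an empty `missing` list is the condition for replication to work.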

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On ma, 17 loka 2016, Karl Forner wrote:
>
>> Thanks Alexander, unfortunately I could only find outdated documentation.
>> I just realized that my question is not precise enough.
>>
> The documentation I linked is the up-to-date one.
>

Yes I know. I was explaining...


>
>
>> From your answer, I understand that during the replica setup process,
>> all I need (because I do not use RHEL) is a ssh port between the master
>> and the replica.
>>
> You did not read carefully what I quoted. SSH port is in addition to the
> ports required to be open for normal IPA master.
>

I did read.  I wrote "between the master and the replica". Each server has
its own set of open ports in its own network, used by its clients.
What I want to know is what ports are used by the replication process, i.e.
what ports must I open on my firewall to enable the replication.
Maybe all the ports are used for that purpose, but this is not, unless
mistaken, clearly stated in the documentation.
In that case, this may be a security problem opening that many ports in the
firewall.

Thanks for your patience.
Karl

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
Thanks Alexander, unfortunately I could only find outdated documentation.
I just realized that my question is not precise enough.

Suppose I have a master running in its LAN, with all required ports open.
Now I want to set up a replica running in a Docker container on an AWS EC2 instance.

From your answer, I understand that during the replica setup process, all I
need (because I do not use RHEL) is an SSH port between the master and the
replica.
What about the after-setup replica synchronization? Does it also only use
SSH?

Regards,
Karl


On Wed, Oct 12, 2016 at 7:25 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On ke, 12 loka 2016, Karl Forner wrote:
>
>> Hello,
>>
>> A very simple question, but I could not find the answer. I'd like to setup
>> a replica on another network than my master. Is it possible to setup the
>> replication using only https, or other ports must be available ?
>>
> This is all documented, did you read the guide?
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/prepping-replica.html
>
> 
> The replica requires additional ports to be open
>In addition to the standard IdM server port requirements described
> in Section 2.1.4, “Port Requirements”, make sure the following port
> requirements are complied as well:
>
>During the replica setup process, keep the TCP port 22 open.
> This port is required in order to use SSH to connect to the master
> server.
>If one of the servers is running Red Hat Enterprise Linux 6 and
> has a CA installed, keep also TCP port 7389 open during and after the
> replica configuration. In a purely Red Hat Enterprise Linux 7
> environment, port 7389 is not required. 
>
> Section 2.1.4:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/installing-ipa.html#prereq-ports
>
> --
> / Alexander Bokovoy
>

[Freeipa-users] network ports requirements for a replica

2016-10-12 Thread Karl Forner
Hello,

A very simple question, but I could not find the answer. I'd like to set up
a replica on another network than my master. Is it possible to set up the
replication using only https, or must other ports be available?

Thanks,
Karl

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-06 Thread Karl Forner
Thanks a lot, Jan. It works perfectly, and it is crystal-clear.
Best,
Karl

On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora  wrote:
> On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>>
>> Hope this helps. I will likely do another writeup about this setup.
>
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat



[Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-02 Thread Karl Forner
Hi,

My problem is:
I have an ipa.example.com server on the internal network, with
self-signed certificates.
I'd like to be able to connect to the UI from the internet, using
https with other certificates (e.g. Let's Encrypt certificates).

So I tried to set up an SNI Apache reverse proxy, but I could not make it work.
I saw this blog
[https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy] but I can
not use the same FQDN name for the LAN and the WAN.

I tried many, many things; I could get the login form, but could never
connect. What is the correct way of doing this?

Thanks,
Karl



Re: [Freeipa-users] cups problem that may be related to freeIPA

2016-03-08 Thread Karl Forner
Very good idea indeed. Disabling the AppArmor profile for cups solved the
problem.
Thanks a lot!

> Just an idea:

> You probably have AppArmor running and its default policy might prevent
> cupsd to talk to sssd socket.
>
> --
> / Alexander Bokovoy
>
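Disabling the cups profile removes all confinement from a daemon that listens on the network. The narrower fix is to grant cupsd only the SSSD paths it needs, in the local override that Ubuntu's cupsd profile already includes. This is an added example, not from the thread: the profile layout and the SSSD socket and cache paths are assumed from a stock Ubuntu 14.04 install and should be checked against the `apparmor="DENIED" ... profile="/usr/sbin/cupsd"` lines in /var/log/kern.log, which name the exact path that was blocked.

```apparmor
# /etc/apparmor.d/local/usr.sbin.cupsd
# Added example; paths are assumptions, not values from the thread.
# Let cupsd (with pam_sss / nss_sss loaded into it) talk to SSSD instead of
# disabling the whole /usr/sbin/cupsd profile.

# PAM and NSS responder sockets: pam, private/pam, nss
/var/lib/sss/pipes/** rw,

# SSSD fast memory cache files, mmap-read by nss_sss
/var/lib/sss/mc/* r,
```

Reload with `apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd` (and put the profile back in enforce mode with `aa-enforce /usr/sbin/cupsd` if it was disabled), then retry the CUPS admin login and confirm no new DENIED entries appear.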

[Freeipa-users] cups problem that may be related to freeIPA

2016-03-08 Thread Karl Forner
Hello,

On an ubuntu 14.04 box, freeIPA enrolled, I am no longer authorized to
administer cups via the web UI.
It used to work before the freeIPA enrollment and it works with a local
account, so I strongly suspect that it is related to freeIPA.

Steps to reproduce:
open http://localhost:631/admin
click on "Add Printer"
a popup opens asking for CUPS credentials.
If I type my credentials (freeIPA user), it fails.

From the /var/log/auth.log:
Mar  8 15:14:58 pyro cupsd: pam_unix(cups:auth): authentication failure;
logname= uid=0 euid=0 tty=cups ruser= rhost=localhost  user=karl
Mar  8 15:14:58 pyro cupsd: pam_sss(cups:auth): Request to sssd failed.
Permission denied

I added many local groups to my freeIPA user:
(sys),4(adm),7(lp),27(sudo),109(lpadmin),
If I enter the credentials of a local account (non managed by freeIPA), it
works.

What's wrong?

Thanks,
Karl Forner

Re: [Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Karl Forner
>
> The docs you are referring to are quite old: 5 full Fedora releases,
> several IPA releases.
>

You're right, sorry. I found this documentation
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/pwd-expiration.html
which has updated instructions based on ldapmodify which worked for me.

Thanks.

Re: [Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Karl Forner
I forgot to say that I did a "kinit admin" before the ipa user-mod.

On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner <karl.for...@gmail.com> wrote:

> Hello,
>
> I tried to postpone a password expiration date, as indicated here:
>
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
>
> % ipa user-mod myuser --setattr=krbpasswordexpiration=20170301121443Z
>
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'krbPasswordExpiration' attribute of entry
> 'uid=myuser,cn=users,cn=accounts,dc=quartzbio,dc=com'.
>
> Is this expected? What is the canonical way of doing this?
>
>
> Thanks,
> Karl
>

Re: [Freeipa-users] UnicodeEncodeError using ipa user-find

2016-01-14 Thread Karl Forner
# locale
LANG=C
LC_CTYPE="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_COLLATE="C"
LC_MONETARY="C"
LC_MESSAGES="C"
LC_PAPER="C"
LC_NAME="C"
LC_ADDRESS="C"
LC_TELEPHONE="C"
LC_MEASUREMENT="C"
LC_IDENTIFICATION="C"
LC_ALL=

I confirm it works using LC_ALL=en_US.utf8 ipa user-find --login=$login
I'm using the adelton docker. Maybe the default locale should be set to
en_US.utf8? Are there any expected downsides?

Thanks.

On Thu, Jan 14, 2016 at 3:43 PM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 14.01.2016 11:42, Karl Forner wrote:
>
> Hello,
>
> When I do:
> ipa  user-find --login=$login
> I get:
>
> ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character
> u'\xf1' in position 25: ordinal not in range(128)
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1340, in run
> sys.exit(api.Backend.cli.run(argv))
>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1105, in run
> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args,
> **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1030,
> in output_for_cli
> textui.print_entries(result, order, labels, flags, print_all)
>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 355, in
> print_entries
> self.print_entry(entry, order, labels, flags, print_all, format,
> indent)
>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 395, in
> print_entry
> label, value, format, indent, one_value_per_line
>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 318, in
> print_attribute
> self.print_indented(format % (attr, text[0]), indent)
>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 241, in
> print_indented
> print (CLI_TAB * indent + text)
> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in
> position 25: ordinal not in range(128)
> ipa: ERROR: an internal error has occurred
>
> I checked that the last name of this user has a n with tilde (spanish for
> "gn" sound).
> Is this a system configuration error, or a freeIPA problem ?
>
> Thanks,
> Karl
>
>
>
>
>
> Hello,
>
> what is your lang settings?
>
> $ locale
>
> It works for me with utf-8, I was able to reproduce this only with
> LC_ALL=C, what is somehow expected
>
>
>

[Freeipa-users] UnicodeEncodeError using ipa user-find

2016-01-14 Thread Karl Forner
Hello,

When I do:
ipa user-find --login=$login
I get:

ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character
u'\xf1' in position 25: ordinal not in range(128)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1340, in run
    sys.exit(api.Backend.cli.run(argv))
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1105, in run
    rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1030, in output_for_cli
    textui.print_entries(result, order, labels, flags, print_all)
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 355, in print_entries
    self.print_entry(entry, order, labels, flags, print_all, format, indent)
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 395, in print_entry
    label, value, format, indent, one_value_per_line
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 318, in print_attribute
    self.print_indented(format % (attr, text[0]), indent)
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 241, in print_indented
    print (CLI_TAB * indent + text)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in
position 25: ordinal not in range(128)
ipa: ERROR: an internal error has occurred

I checked that the last name of this user has an n with tilde (Spanish for
the "gn" sound).
Is this a system configuration error, or a freeIPA problem?

Thanks,
Karl

Re: [Freeipa-users] how to list only enabled users using ipa user-find

2016-01-14 Thread Karl Forner
On Thu, Jan 14, 2016 at 3:12 PM, Rob Crittenden  wrote:

> '(nsAccountLock=TRUE)' dn



thanks

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
>
> I purposely used rather weak wording in my blog to ensure that one
> thinks carefully about making this kind of change. If your original
> master can be brought back up that is definitely the best way to resolve
> it.
>

ok, I'll try this first.


>
> If it was nuked from orbit then yeah the you'll need to manually set it.
>
> Note that you can use ipa-replica-manage to do this as well and it has a
> much less scary syntax:
>
> $ ipa-replica-manage dnarange-set yourhost.example.com
> 168970-168979
>

definitely less scary!


>
> I guess the range 168960-168969 is the rest of the original
> range, presumably assigned to the original master?
>

I am not sure I follow. The default used by my master is 13400-13420,
right?
So I could set 13500-13520 for instance. Or did I miss something?

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
> >
> > I am not sure to follow. The default used my master is
> > 13400-13420 right ?
> > So I could set 13500-13520 for instance. Or did I miss something
> ?
> >
> >
>
> My example was based on the ldif you proposed.
>
> What the DNA plugin would have done is split the original range in two.
> If you want to stick with that it's fine but you'll never get back
> whatever was remaining of that original 100k, at least not
> automatically. It all depends on what your needs are.
>
> Using 13410-13419 is probably what you want.
>

Ok, I get it.



> Otherwise you are just picking a new range out of the blue.
>
> There is no tie-in now between the idrange and the DNA range but there
> may be at some point. At that time things could go sideways if you pick
> a new DNA range that isn't reflected in the idrange.
>

thanks.

[Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
Hello,

If I go to active users, click Add, fill in login, first and last name, then
click "Add", I get the error message:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.

I also tried to add a staged user. This works, but when I try to activate
it, I get the same error:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.


I looked in the IPA Server -> ID Ranges tab:
first id: 13400
nb of ids: 20
type: local domain range

The freeIPA server is a CA-replica, and the main server is currently down.

What could be the problem?

Thanks.
Karl

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
> If you never added users through this IPA server, it has no subset of ID
> range
> allocated to IDs issued on this server. To obtain this subset, it needs
> to talk back to the master on first allocation. Master is missing, thus
> it couldn't talk to it.
>

thanks.

But if I understand correctly, I just cannot add any users from my replica?
Doesn't that defeat the purpose of the replica as a failover server?
Or should obtaining the subset of IDs be part of the process of setting up
a replica?

Best,

>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
Ok.

I read a work-around on https://blog-rcritten.rhcloud.com/?p=50

It says that if one has figured out a safe new range for the replica, the
range could be set using:

ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaNextValue
dnaNextValue: 168970
-
replace: dnaMaxValue
dnaMaxValue: 168979
^D

modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config"


I suppose this can be dangerous, but would you consider it a
work-around, or should it be avoided at all costs?

On Fri, Jan 8, 2016 at 5:17 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Fri, 08 Jan 2016, Karl Forner wrote:
>
>> If you never added users through this IPA server, it has no subset of ID
>>> range
>>> allocated to IDs issued on this server. To obtain this subset, it needs
>>> to talk back to the master on first allocation. Master is missing, thus
>>> it couldn't talk to it.
>>>
>>>
>> thanks.
>>
>> But if I understand, I just can not add any users from my replica ?
>> Does not it defeat the purpose of the replica as a failover server ?
>> Or obtaining the subset of IDs should be part of the process of setting-up
>> a replica ?
>>
> ID range is relatively scarce. We don't split it across multiple
> replicas automatically because most of them will not be used to create
> users and thus their sub-ranges will be wasted.
>
> Documentation for the DNA plugin:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/dna-attributes.html
>
> --
> / Alexander Bokovoy
>
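The replies in this thread give two conditions for a hand-set DNA range: it has to sit inside the IPA ID range (the local range the Web UI showed, first id 13400 with 20 ids) and it must not collide with the DNA range the master still holds, which is why 13410-13419 was suggested rather than a range "out of the blue". The script below is an added example, not from the thread, the blog post or FreeIPA: it checks both conditions before emitting the same LDIF as the ldapmodify call above. The master's range is an assumption for illustration; on a real deployment read it on each server with `ipa-replica-manage dnarange-show`.

```python
"""Check a hand-picked DNA sub-range before writing it with ldapmodify.

Added example, not from the thread or the blog post it cites. It encodes the
two cautions in the replies: the replica's dnaNextValue..dnaMaxValue must fall
inside the IPA ID range (the local range the Web UI showed: first id 13400,
20 ids) and must not overlap a DNA range another server already holds. The
master's range below is an assumption (the DNA plugin would have split the
original range in two, as the reply describes).
"""


def id_range(first, count):
    """Inclusive (first, last) bounds for an IPA ID range as shown in the Web UI."""
    return (first, first + count - 1)


def overlaps(a, b):
    """True if inclusive ranges a and b share at least one value."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_dna_range(next_value, max_value, idrange, allocated):
    """Return a list of problems; an empty list means the range is safe to set."""
    problems = []
    if next_value > max_value:
        problems.append(f"dnaNextValue {next_value} is above dnaMaxValue {max_value}")
    if not (idrange[0] <= next_value and max_value <= idrange[1]):
        problems.append(
            f"{next_value}-{max_value} is not inside idrange {idrange[0]}-{idrange[1]}"
        )
    for server, rng in allocated.items():
        if overlaps((next_value, max_value), rng):
            problems.append(
                f"{next_value}-{max_value} overlaps {server}'s DNA range {rng[0]}-{rng[1]}"
            )
    return problems


def dna_ldif(next_value, max_value):
    """LDIF in the same shape as the ldapmodify call quoted in the thread."""
    return (
        "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
        "changetype: modify\n"
        "replace: dnaNextValue\n"
        f"dnaNextValue: {next_value}\n"
        "-\n"
        "replace: dnaMaxValue\n"
        f"dnaMaxValue: {max_value}\n"
    )


# Constructed from the thread: idrange 13400 + 20 ids. The master keeping the
# lower half is an assumption, not a value anyone posted.
LOCAL_IDRANGE = id_range(13400, 20)       # (13400, 13419)
ALLOCATED = {"master": (13400, 13409)}


def propose(next_value, max_value):
    """Return the LDIF if every check passes, otherwise the list of problems."""
    problems = check_dna_range(next_value, max_value, LOCAL_IDRANGE, ALLOCATED)
    return dna_ldif(next_value, max_value) if not problems else problems


if __name__ == "__main__":
    for rng in [(13410, 13419), (13500, 13520), (13405, 13419)]:
        print(rng, propose(*rng), sep="\n")
```

With these inputs 13410-13419 passes and produces the LDIF, 13500-13520 is rejected for falling outside the ID range (the "out of the blue" case), and 13405-13419 is rejected for overlapping the master's half; pipe the accepted LDIF into `ldapmodify -x -D 'cn=Directory Manager' -W` as in the post.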

[Freeipa-users] faking DNS autodiscovery of servers

2016-01-06 Thread Karl Forner
Hello,

I have some web applications that use LDAP for
authentication/authorization, and which do not support LDAP auto-discovery.

I'm wondering if it's possible to fake the auto-discovery of the server.
For instance, I could imagine using a DNS CNAME ldap_current.example.com
which should point to a currently available LDAP server.

Then a cron job would query the DNS/ldaps to find an available LDAP server,
and if different from the current one, update the DNS CNAME
ldap_current.example.com.

Does it make sense?
In that case, how do I discover a working LDAP server?

Thanks.
Karl
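The discovery step the cron job would need is the one IPA clients already perform: read the `_ldap._tcp.<domain>` SRV records, walk the targets in priority order and keep the first one that answers. The script below is an added example (not from the message or from FreeIPA) of that selection logic with the DNS lookup and the connection probe passed in as functions, so the ordering and failover can be exercised offline on constructed records; the default lookup uses dnspython, which is an assumption about the host, and all hostnames are made up.

```python
"""Find a live LDAP server from the domain's SRV records.

Added example, not from the original message. This is the discovery IPA
clients already do: resolve _ldap._tcp.<domain> SRV records, try targets by
priority (lowest first; higher weight first within a priority) and keep the
first that accepts a connection. Lookup and probe are injectable so the
selection logic runs offline; the default lookup uses dnspython, an
assumption about the host, and the sample records below are constructed.
"""
import socket

# Constructed SRV answer: (priority, weight, port, target)
SAMPLE_RECORDS = [
    (10, 50, 389, "ipa2.example.com"),
    (0, 100, 389, "ipa1.example.com"),
    (0, 200, 389, "ipa0.example.com"),
]


def srv_lookup_dnspython(name):
    """Resolve SRV records with dnspython 2.x (assumed installed)."""
    import dns.resolver
    return [(r.priority, r.weight, r.port, str(r.target).rstrip("."))
            for r in dns.resolver.resolve(name, "SRV")]


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ordered_targets(records):
    """Priority ascending, then weight descending (deterministic stand-in for weighted random choice)."""
    return sorted(records, key=lambda r: (r[0], -r[1]))


def pick_ldap_server(domain, lookup=srv_lookup_dnspython, probe=tcp_probe, ldaps=True):
    """Return (host, port) of the first reachable server, or None if all are down.

    IPA publishes _ldap._tcp on 389; for LDAPS the same hosts are probed on 636.
    """
    for _prio, _weight, port, target in ordered_targets(lookup(f"_ldap._tcp.{domain}")):
        use_port = 636 if ldaps else port
        if probe(target, use_port):
            return (target, use_port)
    return None


if __name__ == "__main__":
    up = {"ipa2.example.com"}  # constructed: only ipa2 answers
    print(pick_ldap_server("example.com",
                           lookup=lambda name: SAMPLE_RECORDS,
                           probe=lambda host, port, timeout=3.0: host in up))
```

Two caveats for the CNAME idea itself: a completed TCP connect is not a health check (an LDAP bind or StartTLS handshake is), and if the applications verify the server certificate, every server's certificate must carry the alias name in its subjectAltName or the switch will fail TLS validation. Also, a label containing an underscore such as ldap_current is permitted in DNS but is not a valid host name, so prefer a hyphen (ldap-current.example.com).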

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Karl Forner
Another piece of information:

the linux boxes are running ubuntu too, with the same configuration.
I have configured 2 dns servers, the first for my main freeipa server
(which is down), and the second for the replica.
After boot, the linux box can resolve addresses just fine, using the
secondary dns. But the box does not pick the kdc from the replica.

It seems to only use the cache, since when I do a klist, I have a ticket
expiring at 01/01/1970:
Valid starting   Expires  Service principal
01/01/1970 01:00:00  01/01/1970 01:00:00

If I do a kinit:
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial
credentials

And once again, from a box just rebooted.

When I look at my /etc/krb5.conf, there's a kdc, master_kdc, and
admin_server set for my domain.
From what I had understood, I thought they should be ignored, and that the
auto discovery should still happen.
Is that so?

Thanks.



On Tue, Jan 5, 2016 at 12:16 AM, Karl Forner <karl.for...@gmail.com> wrote:

> Hello,
>
> My freeipa master has crashed, and I have a replica running.
> The problem is that I can not use anymore the webapps on my main server
> which use a kerberos authentication since my server will not switch to the
> kdc on my replica.
>
> I remember that someone replied me on this list about that problem, but
> I'd like to know if there's something I can do besides rebooting my main
> server ?
>
> freeipa 4.3
>
> sssd 1.12.5-1 running on ubuntu 14.04
>
> Thanks.
>

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Karl Forner
update:

modifying the /etc/krb5.conf, and replacing the name of my freeipa master
by the replica fixes the problem.
So that proves that the kdc is not picked up by discovery.

The problem is that my ubuntu box was enrolled using the ipa-client-install
script, and so should be properly configured.

Did I miss any critical option?
What should the /etc/krb5.conf be like?

Thanks.

On Tue, Jan 5, 2016 at 7:06 PM, Karl Forner <karl.for...@gmail.com> wrote:

> Another piece of information:
>
> the linux boxes are running ubuntu too, with the same configuration.
> I have configured 2 dns servers, the first for my main freeipa server
> (which is down), and the second for the replica.
> After boot, the linux box can resolve addresses just fine, using the
> secondary dns. But the box does not pick the kdc from the replica.
>
> It seems to only use the cache, since when I do a klist, I have a ticket
> expiring at 01/01/1970:
> Valid starting   Expires  Service principal
> 01/01/1970 01:00:00  01/01/1970 01:00:00
>
> If I do a kinit:
> kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
> initial credentials
>
> And once again, from a box just rebooted.
>
> When I look at my /etc/krb5.conf, there's a kdc, master_kdc, and
> admin_server set for my domain.
> From what I had understood, I thought they should be ignored, and that the
> auto discovery should still happen.
> Is that so ?
>
> Thanks.
>
>
>
> On Tue, Jan 5, 2016 at 12:16 AM, Karl Forner <karl.for...@gmail.com>
> wrote:
>
>> Hello,
>>
>> My freeipa master has crashed, and I have a replica running.
>> The problem is that I can not use anymore the webapps on my main server
>> which use a kerberos authentication since my server will not switch to the
>> kdc on my replica.
>>
>> I remember that someone replied me on this list about that problem, but
>> I'd like to know if there's something I can do besides rebooting my main
>> server ?
>>
>> freeipa 4.3
>>
>> sssd 1.12.5-1 running on ubuntu 14.04
>>
>> Thanks.
>>
>
>

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Karl Forner
Thanks a lot, that works if I comment out the explicit reference to a
server name and switch dns_lookup_kdc to true.

I think I understand why it was not working from the install:
I used the ipa-client-install with the option --server.
According to the man page, in the "Failover" section, I understand that
"DNS Autodiscovery" is enabled when no "fixed server was passed to the
installer", which makes sense a posteriori.


I think that closes my topic, thanks again for all the help I got !


On Tue, Jan 5, 2016 at 7:34 PM, Natxo Asenjo  wrote:

>
>
> On Tue, Jan 5, 2016 at 7:31 PM, Natxo Asenjo 
> wrote:
>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>>   default_realm = IPA.DOMAIN.TLD
>>   dns_lookup_realm = true
>>   dns_lookup_kdc = true
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   IPA.DOMAIN.TLD = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .ipa.domain.tld = IPA.DOMAIN.TLD
>>   ipa.domain.tld = IPA.DOMAIN.TLD
>>
>> ]$ cat /etc/krb5.conf
>>
>
> with this config I can reach any realm, by the way, provided it has srv
> records. It works for our AD forests as well.
>
> --
> Groeten,
> natxo
>
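The resolution above comes down to one libkrb5 rule: `kdc`, `master_kdc` and `admin_server` entries in the realm's `[realms]` block take precedence over DNS, and `dns_lookup_kdc` only matters when they are absent. A client enrolled with `ipa-client-install --server` gets those entries and therefore never looks at the replica's `_kerberos` SRV records. The script below is an added example, not from the thread or from the ipa-client-install code, that parses a krb5.conf and reports which of the two modes it is in; DISCOVERY is constructed after the config quoted in the reply, PINNED is the assumed shape of a fixed-server install.

```python
"""Flag a krb5.conf that pins KDCs to one host and so cannot fail over via DNS.

Added example, not from the thread. With dns_lookup_kdc = true and no
kdc/master_kdc/admin_server lines for the realm, libkrb5 locates KDCs from the
_kerberos._udp/_tcp.<realm> SRV records and can move to a replica; kdc lines
in [realms] take precedence over DNS for that realm, which is what the
--server enrollment in the thread left behind. Both configs below are
constructed: DISCOVERY follows the shape quoted in the reply, PINNED is the
assumed shape of a fixed-server install.
"""
import re

DISCOVERY = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
#File modified by ipa-client-install

[libdefaults]
  default_realm = IPA.DOMAIN.TLD
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  IPA.DOMAIN.TLD = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipa.domain.tld = IPA.DOMAIN.TLD
  ipa.domain.tld = IPA.DOMAIN.TLD
"""

PINNED = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = false

[realms]
  EXAMPLE.COM = {
    kdc = ipa1.example.com:88
    master_kdc = ipa1.example.com:88
    admin_server = ipa1.example.com:749
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")
PINNING_KEYS = ("kdc", "master_kdc", "admin_server")


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: [values]}}; realm blocks nest one level."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("includedir"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue
        if line.endswith("{"):                       # "REALM = {"
            block = line[:-1].strip().rstrip("=").strip()
            conf[section][block] = {}
            continue
        if line == "}":
            block = None
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            target = conf[section][block] if block else conf[section]
            target.setdefault(key, []).append(value)
    return conf


def failover_report(text, realm=None):
    """Describe how libkrb5 would locate KDCs for the realm under this config."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm", [None])[0]
    realm_conf = conf.get("realms", {}).get(realm, {})
    # MIT's default for dns_lookup_kdc is true when the key is absent
    dns_lookup = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "1")
    pinned = {k: v for k, v in realm_conf.items() if k in PINNING_KEYS}
    if pinned:
        verdict = f"pinned: {', '.join(sorted(pinned))} fixed for {realm}; DNS SRV failover is not used"
    elif not dns_lookup:
        verdict = f"unreachable: no kdc for {realm} and dns_lookup_kdc is false"
    else:
        verdict = f"dns-failover: KDCs for {realm} come from _kerberos SRV records"
    return {"realm": realm, "dns_lookup_kdc": dns_lookup, "pinned": pinned, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("DISCOVERY", DISCOVERY), ("PINNED", PINNED)):
        print(name, failover_report(text)["verdict"])
```

A host that reports "pinned" is in the state described earlier in the thread; removing the three entries and setting `dns_lookup_kdc = true` moves it to "dns-failover", which only helps if the replica's SRV records are actually published (check with `dig +short SRV _kerberos._udp.EXAMPLE.COM`, realm name assumed).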

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Karl Forner
On Tue, Jan 5, 2016 at 8:14 AM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Tue, Jan 05, 2016 at 12:16:48AM +0100, Karl Forner wrote:
> > Hello,
> >
> > My freeipa master has crashed, and I have a replica running.
> > The problem is that I can not use anymore the webapps on my main server
> > which use a kerberos authentication since my server will not switch to
> the
> > kdc on my replica.
>
> As long as the authentication is done via sssd this should happen
> automatically,


Well, it does not seem to.
The way I test it is using kinit.
The only log that gets updated in /var/log/sssd is ldap_child.log.1
(what's strange is that there's a ldap_child.log which is empty).
Each time I try a kinit, I get a log line like:

(Tue Jan  5 18:10:55 2016) [[sssd[ldap_child[10069]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot contact any KDC for realm 'EXAMPLE.COM'

I tried to send USR1 then USR2 to the main sssd process, without any
improvement.


In a previous email, Simo Sorce explained to me that:

Unfortunately it is, it is a bug in the way we update the krb5 libraries
> to point to a KDC.
>
> SSSD updates this information in a file under /var/lib/sss/pubconf and
> krb5 libraries read from it, however kinit cannot force sssd to
> re-evaluate if the file needs updating.
>
> If you do a local login instead of a kinit, you will see that SSSD will
> switch to the new server and subsequent kinit will start using it.
>
> This is tracked here:
> https://fedorahosted.org/sssd/ticket/941
>


Could this be related ?


but you can send USR1 followed by USR2 to sssd to force
> going offline and back online. It would be nice to look into the logs,
> though, to see why wouldn't sssd fail over itself.
>
> >
> > I remember that someone replied to me on this list about that problem, but I'd
> > like to know if there's something I can do besides rebooting my main server?
> >
> > freeipa 4.3
> >
> > sssd 1.12.5-1 running on ubuntu 14.04
> >
> > Thanks.
>

[Freeipa-users] how to force switch to another kdc

2016-01-04 Thread Karl Forner
Hello,

My freeipa master has crashed, and I have a replica running.
The problem is that I can not use anymore the webapps on my main server
which use a kerberos authentication since my server will not switch to the
kdc on my replica.

I remember that someone replied to me on this list about that problem, but I'd
like to know if there's something I can do besides rebooting my main server?

freeipa 4.3

sssd 1.12.5-1 running on ubuntu 14.04

Thanks.

Re: [Freeipa-users] unable to effectively delete a replica agreement

2016-01-04 Thread Karl Forner
>
> > It hangs forever.
>
> How long is forever?
>

officially it's about 15 mins. Do you mean that this delay could be expected?


>
> > If I run it using the --cleanup option, it seems to work.
>
> That does other things.
>

and actually it did not really work.


>
> >
> > But when I try to run again from scratch my replica, using the same
> > name, I get:
> >
> > Checking forwarders, please wait ...
> > WARNING: DNS forwarder 10.9.70.7 does not return DNSSEC signatures in
> > answers
> > Please fix forwarder configuration to enable DNSSEC support.
> > (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
> > WARNING: DNSSEC validation will be disabled
> > Warning: skipping DNS resolution of host ipa2.example.com
> > 
> > Warning: skipping DNS resolution of host ipa.example.com
> > 
> > Using reverse zone(s) 0.17.172.in-addr.arpa.
> > A replication agreement for this host already exists. It needs to be
> > removed.
> > Run this on the master that generated the info file:
> > % ipa-replica-manage del ipa2.example.com 
> > --force
> >
> > On my master:
> > # ipa-replica-manage list
> > ipas.example.com: master
> > ipa.example.com: master
> >
> > I manually removed all DNS entries from the 3 zones mentioning ipa2. I
> > can check in the web UI, using the search feature that ipa2 has no
> > occurrence.
> >
> > So I do not understand why the replica install thinks there's still a
> > replication agreement.
> > And I'd like to know:
> > 1) why this command did not work
> >
> > |ipa-replica-manage del ipa2.example.com 
> > --force -v|
>
> Because replication agreements are separate from IPA masters, DNS, etc.
>
> >
> > 2) How could I manually effectively delete this agreement left-over.
> >
>
> To see the agreements on any given master:
>
> $ ldapsearch -x -D 'cn=directory manager' -W -b
> 'cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config'
>
> Use ldapdelete to delete the orphan one, or use something like Apache
> Studio if you're uncomfortable on the CLI.
>
> rob
>
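Rob's ldapsearch above returns LDIF; what Karl is looking for is the agreement entry whose peer host (ipa2) no longer appears in `ipa-replica-manage list`. The following Python is an added example, not code from this thread, from FreeIPA or from 389-ds: it parses such LDIF output (folded lines, comments and base64 `::` values included) and reports the agreements that point at a host which is not in the master list, so they can be removed with ldapdelete as Rob suggests. The LDIF is constructed for the example; the `meTo<host>` agreement naming, the `cn=replica,...,cn=mapping tree,cn=config` location and the `nsDS5Replica*` attribute names are the ones 389-ds and FreeIPA use, and the master list is the one from Karl's `ipa-replica-manage list` output.

```python
"""Find leftover replication agreements in the 389-ds mapping tree.

Added example (not from the thread, FreeIPA or 389-ds). Parses ldapsearch
LDIF output and lists agreements whose peer host is not a known master.
"""
import base64

# Constructed sample of what
#   ldapsearch -x -D 'cn=directory manager' -W \
#       -b 'cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config'
# could return on the master "ipa" (host names as in the thread).
SAMPLE_LDIF = """\
# extended LDIF
dn: cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com

dn: cn=meToipas.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mappin
 g tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: meToipas.example.com
nsDS5ReplicaHost: ipas.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=example,dc=com

dn: cn=meToipa2.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: meToipa2.example.com
nsDS5ReplicaHost:: aXBhMi5leGFtcGxlLmNvbQ==
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=example,dc=com
"""

# Masters as printed by "ipa-replica-manage list" in the thread.
MASTERS = ["ipas.example.com", "ipa.example.com"]


def parse_ldif(text):
    """Parse LDIF into [{"dn": str, "attrs": {lowercase_name: [values]}}].

    Folded lines (leading space) are joined, '#' comments skipped and
    'attr:: value' base64 values decoded. Attribute names are lowercased
    because LDAP attribute names are case-insensitive.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of previous line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name.lower(), []).append(value)
    return entries


def replication_agreements(entries):
    """Entries carrying the nsds5replicationagreement object class."""
    return [e for e in entries
            if any(oc.lower() == "nsds5replicationagreement"
                   for oc in e["attrs"].get("objectclass", []))]


def orphan_agreements(entries, masters):
    """DNs of agreements whose nsDS5ReplicaHost is not a listed master."""
    known = {m.lower().rstrip(".") for m in masters}
    return [agr["dn"] for agr in replication_agreements(entries)
            if any(h.lower().rstrip(".") not in known
                   for h in agr["attrs"].get("nsds5replicahost", []))]


def ldapdelete_commands(dns):
    """ldapdelete invocations (same bind as the ldapsearch) for the orphans."""
    return ["ldapdelete -x -D 'cn=directory manager' -W '%s'" % dn for dn in dns]


if __name__ == "__main__":
    for cmd in ldapdelete_commands(orphan_agreements(parse_ldif(SAMPLE_LDIF), MASTERS)):
        print(cmd)
```

Feed it real output by piping `ldapsearch ... | python3 thisfile.py` after replacing `SAMPLE_LDIF` with `sys.stdin.read()`; review the printed DNs before running any of them, since an agreement to a live master must stay.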

Re: [Freeipa-users] ipa-replica-install --setup-ca: do or don't?

2015-12-28 Thread Karl Forner
> There is no need to have a CA on every ipa server, so a CA is not
> installed by default.

What is the downside of having every replica as a CA ?
Because in case of big trouble with your master, if your replica is not a
CA you can not replace your master from this replica right ?
In particular you can not make another replica from your existing replica.

On Mon, Dec 28, 2015 at 7:11 PM, Simo Sorce  wrote:

> On Mon, 2015-12-28 at 13:10 +0100, Harald Dunkel wrote:
> > Hi folks,
> >
> > how comes that '--setup-ca' is not the default for
> > ipa-replica-install? What is best practice wrt creating
> > a local ca on the replicas?
> >
> > Every insightful comment is highly appreciated.
>
> There is no need to have a CA on every ipa server, so a CA is not
> installed by default.
>
> You can pass --setup-ca at install time or you can use ipa-ca-install
> later on.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

Re: [Freeipa-users] ipa-replica-prepare error: Profile caIPAserviceCert Not Found

2015-12-22 Thread Karl Forner
Hi Fraser,
The ipa-replica-prepare ran in an adelton/freeipa-server:lastest-systemd
docker, which I think is based on Fedora 23 and contains freeIPA v4.2.3.
I can try to patch it, but I'm really not used to Fedora, and moreover
there's a debian/docker bug that prevents me from building the docker image
on my computers.

Thanks,
Karl

On Tue, Dec 22, 2015 at 2:46 AM, Fraser Tweedale <ftwee...@redhat.com>
wrote:

> On Mon, Dec 21, 2015 at 01:57:02PM +0100, Karl Forner wrote:
> > Hello,
> >
> > Running:
> > ipa-replica-prepare ipa-h3s1.example.com --ip-address xx.xx.xx.xx -d -v
> > fails
> > with
> > ipa: DEBUG: Protocol: TLS1.2
> > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
> > ipa: DEBUG: request status 200
> > ipa: DEBUG: request reason_phrase u'OK'
> > ipa: DEBUG: request headers {'date': 'Mon, 21 Dec 2015 12:50:59 GMT',
> > 'content-length': '148', 'content-type': 'application/xml', 'server':
> > 'Apache-Coyote/1.1'}
> > ipa: DEBUG: request body ' > standalone="no"?>1Profile
> > caIPAserviceCert Not Found'
> > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
> > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> > execute
> >
> > The context is probably unusual:
> > I run the command on a replica with CA from a server in freeipa v4.1.4 (in
> > an adelton/freeipa-server docker)
> > which is a freeipa v4.2.3 running in
> > adelton/freeipa-server:lastest-systemd docker
> >
> > I found this ticket which looks similar:
> > https://fedorahosted.org/freeipa/ticket/5376
> >
> > Is there something wrong with my replica knowing that it has been
> > replicated from a 4.1.4 ?
> > Is there a work-around ?
> >
> > Thanks
> > Karl
>
> Hi Karl,
>
> I have a patch for Dogtag that I think will fix this issue.  Would
> you be willing to test it?  If so, which version of Fedora/RHEL are
> you using and I will prepare a build.
>
> Regards,
> Fraser
>

[Freeipa-users] ipa-replica-prepare error: Profile caIPAserviceCert Not Found

2015-12-21 Thread Karl Forner
Hello,

Running:
ipa-replica-prepare ipa-h3s1.example.com --ip-address xx.xx.xx.xx -d -v
fails
with
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
ipa: DEBUG: request status 200
ipa: DEBUG: request reason_phrase u'OK'
ipa: DEBUG: request headers {'date': 'Mon, 21 Dec 2015 12:50:59 GMT',
'content-length': '148', 'content-type': 'application/xml', 'server':
'Apache-Coyote/1.1'}
ipa: DEBUG: request body '1Profile
caIPAserviceCert Not Found'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute

The context is probably unusual:
I run the command on a replica with CA from a server in freeipa v4.1.4 (in
an adelton/freeipa-server docker)
which is a freeipa v4.2.3 running in
adelton/freeipa-server:lastest-systemd docker

I found this ticket which looks similar:
https://fedorahosted.org/freeipa/ticket/5376

Is there something wrong with my replica knowing that it has been
replicated from a 4.1.4 ?
Is there a work-around ?

Thanks
Karl

Re: [Freeipa-users] unable to effectively delete a replica agreement

2015-12-21 Thread Karl Forner
It's quite a problem for me.
Would upgrading to a more recent version solve the problem ?

How does freeIPA know that a host is a freeIPA host? From the LDAP?

Thanks

On Fri, Dec 18, 2015 at 3:45 PM, Karl Forner <karl.for...@gmail.com> wrote:

> I am running a master freeIPA called "ipa" in an adelton/freeipa-server
> (freeIPA 4.1.4).
> I am able to create a replica server "ipa2", still in an
> adelton/freeipa-server.
>
> If I stop my ipa2 replica, and try to delete the replication agreement:
>
> %ipa-replica-manage del ipa2.example.com --force  -v
>
> It hangs forever.
> If I run it using the --cleanup option, it seems to work.
>
> But when I try to run again from scratch my replica, using the same name,
> I get:
>
> Checking forwarders, please wait ...
> WARNING: DNS forwarder 10.9.70.7 does not return DNSSEC signatures in
> answers
> Please fix forwarder configuration to enable DNSSEC support.
> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
> WARNING: DNSSEC validation will be disabled
> Warning: skipping DNS resolution of host ipa2.example.com
> Warning: skipping DNS resolution of host ipa.example.com
> Using reverse zone(s) 0.17.172.in-addr.arpa.
> A replication agreement for this host already exists. It needs to be
> removed.
> Run this on the master that generated the info file:
> % ipa-replica-manage del ipa2.example.com --force
>
> On my master:
> # ipa-replica-manage list
> ipas.example.com: master
> ipa.example.com: master
>
> I manually removed all DNS entries from the 3 zones mentioning ipa2. I can
> check in the web UI, using the search feature that ipa2 has no occurrence.
>
> So I do not understand why the replica install thinks there's still a
> replication agreement.
> And I'd like to know:
> 1) why this command did not work
>
> ipa-replica-manage del ipa2.example.com --force  -v
>
>
> 2) How could I manually effectively delete this agreement left-over.
>
>
> Thanks.
> Karl
>
>

[Freeipa-users] unable to effectively delete a replica agreement

2015-12-18 Thread Karl Forner
I am running a master freeIPA called "ipa" in an adelton/freeipa-server
(freeIPA 4.1.4).
I am able to create a replica server "ipa2", still in an
adelton/freeipa-server.

If I stop my ipa2 replica, and try to delete the replication agreement:

%ipa-replica-manage del ipa2.example.com --force  -v

It hangs forever.
If I run it using the --cleanup option, it seems to work.

But when I try to run again from scratch my replica, using the same name, I
get:

Checking forwarders, please wait ...
WARNING: DNS forwarder 10.9.70.7 does not return DNSSEC signatures in
answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Warning: skipping DNS resolution of host ipa2.example.com
Warning: skipping DNS resolution of host ipa.example.com
Using reverse zone(s) 0.17.172.in-addr.arpa.
A replication agreement for this host already exists. It needs to be
removed.
Run this on the master that generated the info file:
% ipa-replica-manage del ipa2.example.com --force

On my master:
# ipa-replica-manage list
ipas.example.com: master
ipa.example.com: master

I manually removed all DNS entries from the 3 zones mentioning ipa2. I can
check in the web UI, using the search feature that ipa2 has no occurrence.

So I do not understand why the replica install thinks there's still a
replication agreement.
And I'd like to know:
1) why this command did not work

ipa-replica-manage del ipa2.example.com --force  -v


2) How could I manually effectively delete this agreement left-over.


Thanks.
Karl

[Freeipa-users] bash completion freeze possibly related to freeipa/sssd

2015-12-17 Thread Karl Forner
Hello,

Since we use freeIPA, every Ubuntu client experiences some sporadic freezes
with bash completion. It seems far-fetched, but the other Ubuntu clients not
using sssd/freeipa do not experience these problems.

Could it be related ? How to troubleshoot ?

Regards,
Karl

Re: [Freeipa-users] confused about replica role and use

2015-12-17 Thread Karl Forner
>
> Unfortunately it is, it is a bug in the way we update the krb5 libraries
> to point to a KDC.
>
> SSSD updates this information in a file under /var/lib/sss/pubconf and
> krb5 libraries read from it, however kinit cannot force sssd to
> re-evaluate if the file needs updating.
>

Is there a work-around? I've run into this: my main server is stuck
with the previous kdc, which is down.
And it can not pick up the new kdc. The problem is that the apache server
can not authenticate users anymore
for my kerberos-enabled web apps. How can I do it without rebooting my server?

Thanks.

Re: [Freeipa-users] confused about replica role and use

2015-12-16 Thread Karl Forner
>
> If you do a local login instead of a kinit, you will see that SSSD will
> switch to the new server and subsequent kinit will start using it.
>

Ok, I checked and it works just fine for me, thanks.

This dynamic discovery of freeipa servers by sssd is very elegant and
smart, but I still do not understand how you automatically switch to a replica
(ipa2) if your master (ipa1) is down in some cases:

 - to access the freeipa web ui. You have to use an url, e.g.
https://ipa1.example.com
 If ipa1 is down, how do you know which url to use ?

 - if you have other web apps that authenticate against the freeIPA LDAP
server.
 Usually you have to provide a ldap url in the web app configuration, e.g.
ldap://ipa1.example.com.
 What happens when ipa1 is down ?

Karl


> This is tracked here:
> https://fedorahosted.org/sssd/ticket/941
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

Re: [Freeipa-users] confused about replica role and use

2015-12-16 Thread Karl Forner
> SSSD mostly manages discovery of servers, it is normally configured with
> the name _srv_ + an actual name as fallback.
> SSSD also feeds the information to kerberos libraries via a plugin.

ok, I have this line in my /etc/sssd/sssd.conf:
ipa_server = _srv_, ipa.example.com

How do I check the current ipa_servers picked up by sssd?
How is the info fed to kerberos libraries?

Because I set up a replica, using the adelton docker, which seems to work
fine. I can use its DNS, access its web UI, the changes are dynamically
updated both ways.
So far so good.
But if I suddenly stop the freeIPA master, and try a kdestroy then kinit on
my client, I get
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial
credentials

Looking at /etc/krb5.conf, I see hardcoded values:
 #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
kdc = ipa.example.com:88
master_kdc = ipa.example.com:88
admin_server = ipa.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .EXAMPLE.com = EXAMPLE.COM
  EXAMPLE.com = EXAMPLE.COM

the same for /etc/ipa/default.conf:
#File modified by ipa-client-install

[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
domain = example.com
server = ipah.example.com
xmlrpc_uri = https://ipah.example.com/ipa/xml
enable_ra = True


Is this expected ?

Thanks
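Two threads on this page hit the same failure: "how to force switch to another kdc" (kinit reports "Cannot contact any KDC for realm" after the master crashed) and this one, where krb5.conf has `dns_lookup_kdc = false` and a hard-coded `kdc =`, so the only way the krb5 libraries learn about a replica is the `includedir /var/lib/sss/pubconf/krb5.include.d/` line plus the file SSSD writes under /var/lib/sss/pubconf. The Python below is an added diagnostic, not code from either thread, from sssd or from FreeIPA: it reads the KDC pointer SSSD published for a realm and checks whether any of the advertised KDCs still accepts a TCP connection on port 88, which tells an admin whether SSSD is stuck on a dead KDC (Simo's ticket) or the problem is elsewhere. Assumptions: the pointer file is named `kdcinfo.<REALM>` with one `host[:port]` or `ip[:port]` per line (this naming comes from sssd's own documentation, the thread only says "a file under /var/lib/sss/pubconf"); the `demo()` function writes a constructed pointer file into a temp dir and uses an injected probe so it runs offline.

```python
"""Check whether SSSD's advertised KDC for a realm is still reachable.

Added example (not from the thread, sssd or FreeIPA). Assumption: SSSD
publishes its chosen KDC in <pubconf>/kdcinfo.<REALM>, one host[:port]
per line, and the krb5 locator plugin reads that file.
"""
import os
import socket
import tempfile

PUBCONF_DIR = "/var/lib/sss/pubconf"   # directory named in the thread
KDCINFO_PREFIX = "kdcinfo."            # assumed file naming (sssd docs)


def parse_hostport(entry, default_port=88):
    """Split 'host:port', 'host' or '[ipv6]:port' into (host, port)."""
    entry = entry.strip()
    if entry.startswith("["):                      # bracketed IPv6 literal
        host, _, rest = entry[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif entry.count(":") == 1:                    # host:port
        host, _, port = entry.partition(":")
    else:                                          # bare host or bare IPv6
        host, port = entry, ""
    return host, int(port) if port else default_port


def read_kdcinfo(pubconf_dir, realm):
    """KDC entries SSSD currently advertises for realm ([] if no file)."""
    path = os.path.join(pubconf_dir, KDCINFO_PREFIX + realm)
    try:
        with open(path, encoding="utf-8") as fh:
            return [line.strip() for line in fh if line.strip()]
    except FileNotFoundError:
        return []


def tcp_reachable(entry, timeout=2.0):
    """Plain TCP connect to the KDC port; enough to tell 'down' from 'up'."""
    host, port = parse_hostport(entry)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdc_pointer(pubconf_dir, realm, probe=tcp_reachable):
    """'stale' is True when SSSD advertises KDC(s) but none answers, i.e.
    the situation in the thread: kinit keeps asking the crashed master.
    `probe` is injectable so the check can be run without a network."""
    kdcs = read_kdcinfo(pubconf_dir, realm)
    reachable = [k for k in kdcs if probe(k)]
    return {"realm": realm, "advertised": kdcs,
            "reachable": reachable, "stale": bool(kdcs) and not reachable}


def demo():
    """Offline run: a constructed pointer file still naming the crashed
    master (host from the thread), and a probe that reports it down."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, KDCINFO_PREFIX + "EXAMPLE.COM"), "w") as fh:
            fh.write("ipa.example.com:88\n")          # constructed content
        down = {"ipa.example.com"}

        def fake_probe(entry):
            return parse_hostport(entry)[0] not in down

        return check_kdc_pointer(tmp, "EXAMPLE.COM", probe=fake_probe)


if __name__ == "__main__":
    # Live check on a real client; realm as in the thread.
    print(check_kdc_pointer(PUBCONF_DIR, "EXAMPLE.COM"))
```

When `stale` is True on a real client, the fix discussed in the thread applies: get SSSD to re-evaluate its server (a local login, or the USR1/USR2 offline/online cycle Jakub mentions) rather than rebooting; when the file is missing entirely, the krb5 libraries fall back to krb5.conf, which explains why the hard-coded `kdc =` matters.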

[Freeipa-users] confused about replica role and use

2015-12-14 Thread Karl Forner
Hello,

From what I understood, a freeipa replica server is a kind of backup of
another freeipa server.
Both are usable by clients, and they will dynamically update their
information.

But I do not understand how a client will make use of the replica if the
master server is down.
Naively I would imagine that, like for DNS servers, you configure a
main freeipa server and a secondary one in case the main one does not
respond, but I can not find how to do it.
Is this happening automagically? Or is this not the way it is supposed to
be used?

Thanks.
Karl

[Freeipa-users] freeipa harware appliance

2015-11-20 Thread Karl Forner
Hello,

Could you recommend a mini appliance/server to use as a freeIPA server?
I guess the main points are an ethernet port, minimal consumption,
robustness.

Thanks,
Karl Forner

[Freeipa-users] connection problems after reboot with unusual setting (Ubuntu 14.04 + freeipa docker)

2015-11-20 Thread Karl Forner
Hello,

My server runs ubuntu 14.04 and uses sssd 1.12.5-1~trusty1.
The freeipa server runs inside a docker (an adelton/freeipa-server), and
the docker host pretends to be the freeIPA server by forwarding the
appropriate ports.

This works very fine.
But when I reboot my server (which is in a locked server room), I
struggle to connect to it.

I'm unable to connect to it using ssh, with any kind of local or freeIPA
account.
The DNS server (provided by freeIPA) works fine though (i.e. nslookup
server server works).

Fortunately, I have the monit web app running on the server, which allows me
to restart the ssh service.

After restarting ssh remotely, I am now able to connect to the server.
It seems that all works fine again once I restart sssd on the server.

I know this is a pretty complex setup, but do you have hints that could
help me have a usable server after reboot ?

Thanks,
Karl Forner

Re: [Freeipa-users] freeipa harware appliance

2015-11-20 Thread Karl Forner
Thanks Martin.
My expected numbers: users ~ 50 max, concurrent clients/sessions < 20,
hosts < 20.
I was thinking about a server with an old Intel CPU, 4Gb RAM and a small HDD
or USB key-based storage + an ethernet port.
I have no idea if it is common use in IT to run such a (critical)
application on its own dedicated appliance.



On Fri, Nov 20, 2015 at 6:29 PM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 20.11.2015 16:47, Karl Forner wrote:
>
> Hello,
>
> Could you recommend a mini appliance/server to use as a freeIPA server?
> I guess the main points are an ethernet port, minimal consumption,
> robustness.
>
> Thanks,
> Karl Forner
>
>
> Hello,
>
> I would say that the minimal amount of RAM is 2GB with IPA 4.2; of course
> the amount of resources depends on many things.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Preparing_for_an_IPA_Installation-Hardware_Requirements.html
>
> Disk space: at least 500MB for basic installation + base OS + stored data
>
> I do not know if IPA is limited by the CPU somehow, but with a very slow
> CPU you may need to increase timeouts (I saw posts on this list that
> it is possible to run IPA on a Raspberry Pi with increased timeouts)
>
> Maybe it would be better if you write what you need this minimal
> configuration for and how many clients, users and connections IPA should
> handle.
>
> Martin
>
>
>

[Freeipa-users] freeIPA user can not use cron

2015-10-15 Thread Karl Forner
Hi,

cron jobs do not work using a freeIPA user account.

the cron job:
*/1 * * * * echo coucou

in /var/log/syslog:
Oct 15 15:48:02 asgard CRON[9779]: Permission denied

in /var/log/auth.log:
Oct 15 15:48:02 asgard CRON[9779]: pam_sss(cron:account): Access
denied for user qbuser: 6 (Permission denied)

in freeIPA I set up an HBAC rule for this user and host that allows the services:
ftp
login
sshd
gdm-password
crond
gdm

What did I miss ?

Thanks.

Karl Forner



Re: [Freeipa-users] freeIPA user can not use cron

2015-10-15 Thread Karl Forner
Yes it works !!! Maybe this should be documented somewhere ?
Thanks.

On Thu, Oct 15, 2015 at 4:20 PM, Zoske, Fabian <f.zo...@euroimmun.de> wrote:
> Hi,
>
> we just had the same problem.
>
> You need to add a new service "cron" and assign this to the user/group.
>
> Best regards,
> Fabian
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On behalf of Karl Forner
> Sent: Thursday, 15 October 2015 15:53
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] freeIPA user can not use cron
>
> Hi,
>
> cron jobs do not work using a freeIPA user account.
>
> the cron job:
> */1 * * * * echo coucou
>
> in /var/log/syslog:
> Oct 15 15:48:02 asgard CRON[9779]: Permission denied
>
> in /var/log/auth.log:
> Oct 15 15:48:02 asgard CRON[9779]: pam_sss(cron:account): Access denied for 
> user qbuser: 6 (Permission denied)
>
> in freeIPA I set up an HBAC rule for this user and host that allows the 
> services:
> ftp
> login
> sshd
> gdm-password
> crond
> gdm
>
> What did I miss ?
>
> Thanks.
>
> Karl Forner
>

Re: [Freeipa-users] freeIPA user can not use cron

2015-10-15 Thread Karl Forner
ok, makes sense. And ubuntu users are quite rare...

On Thu, Oct 15, 2015 at 4:26 PM, Zoske, Fabian <f.zo...@euroimmun.de> wrote:
> I think this is related to different names on different systems.
>
> RHEL and CentOS are using crond
> Ubuntu and similar are using cron
>
> ____
> From: Karl Forner [karl.for...@gmail.com]
> Sent: Thursday, October 15, 2015 16:24
> To: Zoske, Fabian
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] freeIPA user can not use cron
>
> Yes it works !!! Maybe this should be documented somewhere ?
> Thanks.
>
> On Thu, Oct 15, 2015 at 4:20 PM, Zoske, Fabian <f.zo...@euroimmun.de> wrote:
>> Hi,
>>
>> we just had the same problem.
>>
>> You need to add a new service "cron" and assign this to the user/group.
>>
>> Best regards,
>> Fabian
>>
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On behalf of Karl Forner
>> Sent: Thursday, 15 October 2015 15:53
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] freeIPA user can not use cron
>>
>> Hi,
>>
>> cron jobs do not work using a freeIPA user account.
>>
>> the cron job:
>> */1 * * * * echo coucou
>>
>> in /var/log/syslog:
>> Oct 15 15:48:02 asgard CRON[9779]: Permission denied
>>
>> in /var/log/auth.log:
>> Oct 15 15:48:02 asgard CRON[9779]: pam_sss(cron:account): Access denied for 
>> user qbuser: 6 (Permission denied)
>>
>> in freeIPA I set up an HBAC rule for this user and host that allows the 
>> services:
>> ftp
>> login
>> sshd
>> gdm-password
>> crond
>> gdm
>>
>> What did I miss ?
>>
>> Thanks.
>>
>> Karl Forner
>>

Re: [Freeipa-users] freeIPA user can not use cron

2015-10-15 Thread Karl Forner
%ipa hbactest
User name: qbuser
Target host: asgard
Service: crond

Access granted: True

On Thu, Oct 15, 2015 at 3:53 PM, Karl Forner <karl.for...@gmail.com> wrote:
> Hi,
>
> cron jobs do not work using a freeIPA user account.
>
> the cron job:
> */1 * * * * echo coucou
>
> in /var/log/syslog:
> Oct 15 15:48:02 asgard CRON[9779]: Permission denied
>
> in /var/log/auth.log:
> Oct 15 15:48:02 asgard CRON[9779]: pam_sss(cron:account): Access
> denied for user qbuser: 6 (Permission denied)
>
> in freeIPA I set up an HBAC rule for this user and host that allows the 
> services:
> ftp
> login
> sshd
> gdm-password
> crond
> gdm
>
> What did I miss ?
>
> Thanks.
>
> Karl Forner

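The lesson of this thread is that HBAC matches on the PAM service name the client actually sends, and that name is distribution specific (Fabian's point: `crond` on RHEL/CentOS, `cron` on Ubuntu), which is also why `ipa hbactest` with `Service: crond` says "Access granted" while the real job is denied. The name pam_sss writes in parentheses, `pam_sss(cron:account)`, is the exact string the rule must list. The Python below is an added example, not code from the thread, from FreeIPA or from sssd: it scans auth.log lines for pam_sss account-phase denials, extracts the PAM service and user, and splits the denials into "service not in the rule at all" (add it) and "service is listed" (look elsewhere: user or host not in the rule, rule disabled). The log lines are constructed in the shape of those quoted above; the service list is the one from Karl's rule.

```python
"""Which PAM service names are being denied by pam_sss, and are they in the HBAC rule?

Added example (not from the thread, FreeIPA or sssd). The log sample is
constructed to match the /var/log/auth.log format quoted in the thread.
"""
import re
from collections import Counter

# pam_sss(<service>:account): Access denied for user <user>: 6 (Permission denied)
DENIAL_RE = re.compile(
    r"pam_sss\((?P<service>[^:)]+):account\): Access denied for user (?P<user>[^:\s]+):"
)

# Constructed sample log: two cron denials, one sshd denial, one unrelated success.
SAMPLE_AUTH_LOG = """\
Oct 15 15:48:02 asgard CRON[9779]: pam_sss(cron:account): Access denied for user qbuser: 6 (Permission denied)
Oct 15 15:49:02 asgard CRON[9801]: pam_sss(cron:account): Access denied for user qbuser: 6 (Permission denied)
Oct 15 15:50:12 asgard sshd[9850]: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)
Oct 15 15:51:00 asgard sshd[9870]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=qbuser
"""

# Services listed in the HBAC rule from the thread (note: crond, not cron).
HBAC_RULE_SERVICES = ["ftp", "login", "sshd", "gdm-password", "crond", "gdm"]


def account_denials(log_text):
    """Count pam_sss account-phase denials per (pam_service, user)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            counts[(m["service"], m["user"])] += 1
    return counts


def classify_denials(log_text, hbac_services):
    """Group denied users by PAM service, split by whether the service name
    appears in the HBAC rule. A service in 'service_missing_from_rule' is
    the cron/crond kind of mismatch; one in 'service_listed_in_rule' means
    the rule exists for that service but does not cover this user/host."""
    listed = {s.lower() for s in hbac_services}
    missing, other = {}, {}
    for (service, user), _count in account_denials(log_text).items():
        bucket = other if service.lower() in listed else missing
        bucket.setdefault(service, set()).add(user)
    return {"service_missing_from_rule": missing, "service_listed_in_rule": other}


if __name__ == "__main__":
    # On a real Ubuntu client: classify_denials(open("/var/log/auth.log").read(), ...)
    print(classify_denials(SAMPLE_AUTH_LOG, HBAC_RULE_SERVICES))
```

Any service name that lands in `service_missing_from_rule` can be created with `ipa hbacsvc-add <name>` and added to the rule, which is the fix Fabian describes; rerunning `ipa hbactest` with that exact name then reproduces what the client sees.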


Re: [Freeipa-users] (no subject)

2015-10-09 Thread Karl Forner
Ok, that was it:
sssd Version: 1.12.5-1~trusty1

I inverted the sudoOrders:
sudo -l
Matching Defaults entries for karl on :
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User karl may run the following commands on :
(ALL) NOPASSWD: /usr/bin/less
(root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
(root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *,
/bin/chmod -R g[+-]* *
(ALL) ALL
(ALL) ALL


and I can use sudo less without password.

Thanks a lot.


On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrez...@redhat.com> wrote:
> On 10/08/2015 04:26 PM, Karl Forner wrote:
>>
>> Hi,
>>
>>
>>> you are prompted for password because (ALL) ALL rule is applied because
>>> of last-match rule. See:
>>> http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
>>
>>
>> Ok. I updated the rules to use a sudoorder attribute of 100 for the
>> /usr/bin/less sudo rule.
>> Now, if I type in a terminal:
>> %sudo -l
>> Matching Defaults entries for karl on midgard:
>>  env_reset, mail_badpass,
>>
>> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>
>> User karl may run the following commands on :
>>  (ALL) ALL
>>  (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>>  (ALL) ALL
>>  (ALL) NOPASSWD: /usr/bin/less
>>
>> so my less rule is the last one. So far so good.
>>
>> %sudo -l less
>> /usr/bin/less
>>
>> but if I type in a new terminal:
>> %sudo less .bashrc
>> [sudo] password for karl:
>>
>> I am prompted to type in a password.
>>
>> So there seems to be a problem, right ?
>>
>> Regards,
>> Karl
>>
>
> Hi,
> we have a bug in sssd in versions prior to 1.13.1:
> https://fedorahosted.org/sssd/ticket/2682
>
> where the sudoOrder attribute is treated the other way around. Please, try
> inverting the order. What version of sssd do you use?
>

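The mechanics Pavel describes, modelled as an added Python example (not code from the thread, from sudo or from sssd): sudo applies the last matching rule, and for LDAP-backed rules the processing order is `sudoOrder` ascending, so the rule with the highest `sudoOrder` wins. sssd before 1.13.1 handed the rules over in the opposite order, which `inverse_order=True` reproduces; that is the situation in which the catch-all `(ALL) ALL` rule matched last and `sudo less` asked for a password even though `sudo -l` showed the NOPASSWD rule. The rules are taken from Karl's `sudo -l` output; the only `sudoOrder` on the page is the 100 he set on the less rule, so the others are assumed to have the default 0, and argument matching is simplified to "a bare command pattern matches that command with any arguments".

```python
"""Last-match evaluation of LDAP sudo rules ordered by sudoOrder.

Added example (not from the thread, sudo or sssd). inverse_order=True
replays the sssd < 1.13.1 behaviour (sudoOrder applied descending).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class SudoRule:
    name: str
    commands: List[str]      # "ALL" or absolute command, optionally with args
    nopasswd: bool = False   # sudoOption: !authenticate
    sudo_order: int = 0      # sudoOrder attribute; 0 when not set (assumed)


# Rules as listed by "sudo -l" in the thread; sudoOrder 100 on the less rule
# is the value Karl set, the others are assumed to be unset (0).
RULES = [
    SudoRule("allow_all", ["ALL"]),
    SudoRule("git_status", ["/usr/bin/git status", "/usr/local/bin/git status"],
             nopasswd=True),
    SudoRule("less", ["/usr/bin/less"], nopasswd=True, sudo_order=100),
]


def rule_matches(rule: SudoRule, command: str) -> bool:
    """True if any pattern of the rule matches the resolved command line.
    Simplification of sudoers semantics: exact/glob match, or the pattern
    names the command and the command line adds arguments."""
    for pattern in rule.commands:
        if pattern == "ALL" or fnmatchcase(command, pattern) \
                or command.startswith(pattern + " "):
            return True
    return False


def winning_rule(rules, command, inverse_order=False) -> Optional[SudoRule]:
    """Process rules in sudoOrder order; the last matching rule wins.
    sorted() is stable, so rules with equal sudoOrder keep their list order."""
    ordered = sorted(rules, key=lambda r: r.sudo_order, reverse=inverse_order)
    winner = None
    for rule in ordered:
        if rule_matches(rule, command):
            winner = rule
    return winner


def password_required(rules, command, inverse_order=False) -> Optional[bool]:
    """None when no rule matches (sudo denies); otherwise whether the
    winning rule asks for the user's password."""
    winner = winning_rule(rules, command, inverse_order)
    return None if winner is None else not winner.nopasswd


if __name__ == "__main__":
    for inverse in (False, True):
        w = winning_rule(RULES, "/usr/bin/less .bashrc", inverse_order=inverse)
        print("inverse_order=%s -> rule %s, password: %s"
              % (inverse, w.name, password_required(RULES, "/usr/bin/less .bashrc", inverse)))
```

With a fixed sssd (1.13.1 or later) the `inverse_order=False` branch is what the client does; on an older sssd either invert the sudoOrder values, as Karl did, or, after upgrading, keep the inverted values and set `sudo_inverse_order = true` in the `[sudo]` section of sssd.conf as Pavel notes in the next message.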

Re: [Freeipa-users] (no subject)

2015-10-09 Thread Karl Forner
> Thanks. Please, keep in mind that we changed the default to the correct
> order in sssd 1.13.1. Therefore if you update sssd you will either have to
> invert the order again or set sudo_inverse_order = true in [sudo] in
> /etc/sssd/sssd.conf.

ok. I don't think there's an easy way to upgrade sssd right now with
ubuntu 14.04.
Is it possible to set sudo_inverse_order = true with my current
version, i.e. even if it is not yet recognized?




>
>
>>
>>
>> On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrez...@redhat.com> wrote:
>>>
>>> On 10/08/2015 04:26 PM, Karl Forner wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>>
>>>>> you are prompted for password because (ALL) ALL rule is applied because
>>>>> of last-match rule. See:
>>>>> http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
>>>>
>>>>
>>>>
>>>> Ok. I updated the rules to use a sudoorder attribute of 100 for the
>>>> /usr/bin/less sudo rule.
>>>> Now, if I type in a terminal:
>>>> %sudo -l
>>>> Matching Defaults entries for karl on midgard:
>>>>   env_reset, mail_badpass,
>>>>
>>>>
>>>> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>>>
>>>> User karl may run the following commands on :
>>>>   (ALL) ALL
>>>>   (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>>>>   (ALL) ALL
>>>>   (ALL) NOPASSWD: /usr/bin/less
>>>>
>>>> so my less rule is the last one. So far so good.
>>>>
>>>> %sudo -l less
>>>> /usr/bin/less
>>>>
>>>> but if I type in a new terminal:
>>>> %sudo less .bashrc
>>>> [sudo] password for karl:
>>>>
>>>> I am prompted to type in a password.
>>>>
>>>> So there seems to be a problem, right ?
>>>>
>>>> Regards,
>>>> Karl
>>>>
>>>
>>> Hi,
>>> we have a bug in sssd in versions prior to 1.13.1:
>>> https://fedorahosted.org/sssd/ticket/2682
>>>
>>> where the sudoOrder attribute is treated the other way around. Please, try
>>> inverting the order. What version of sssd do you use?
>>>
>


Re: [Freeipa-users] sudo rules do not seem to work

2015-10-08 Thread Karl Forner
Sorry, I had disabled the emailing, I just saw your answers in the archives.


>> How can I debug this ?

>Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?

Where is it ? Do you mean the slide
"FreeIPA Training Series: Obtaining debugging information" from
https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
?

Thanks !
Karl



[Freeipa-users] (no subject)

2015-10-08 Thread Karl Forner
Hi,


> you are prompted for password because (ALL) ALL rule is applied because of
> last-match rule.
>
> See:
> http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.

Ok. I updated the rules to use a sudoorder attribute of 100 for the
/usr/bin/less sudo rule.
Now, if I type in a terminal:
%sudo -l
Matching Defaults entries for karl on midgard:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User karl may run the following commands on :
(ALL) ALL
(root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
(ALL) ALL
(ALL) NOPASSWD: /usr/bin/less

so my less rule is the last one. So far so good.

%sudo -l less
/usr/bin/less

but if I type in a new terminal:
%sudo less .bashrc
[sudo] password for karl:

I am prompted to type in a password.

So there seems to be a problem, right ?

Regards,
Karl



[Freeipa-users] sudo rules do not seem to work

2015-10-06 Thread Karl Forner
Hello,

I had assumed sudo rules worked because I have an "allow_all for admins"
sudo rule that seemed to work, but I wonder if there is an implicit rule
for the special group admins ?


Because I have tried to replicate this allow_all rule for other user
groups, and it does not seem to work at all.
What's strange is that "sudo -l" reports the appropriate rules, but they do
not work.

For instance, some users have: (ALL) ALL listed with sudo -l, but they can
not use sudo.

My user has:
(root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
(ALL) ALL
(root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *, /bin/chmod
-R g[+-]* *
(ALL) NOPASSWD: /usr/bin/less
(ALL) ALL

but I'm prompted for a password when doing "sudo /usr/bin/less".

How can I debug this ?

Best regards,

Karl

Re: [Freeipa-users] ipaSshPubKey and ldapsearch

2015-09-18 Thread Karl Forner
Sorry, my mistake.
The following works fine:
% ldapsearch -x -D
'uid=ldap_gitlab,cn=users,cn=accounts,dc=quartzbio,dc=com' -W uid=karl
cn ipaSshPubKey

Karl



On Fri, Sep 18, 2015 at 3:13 PM, Karl Forner <karl.for...@gmail.com> wrote:
> Hello,
>
> I'm trying to integrate the freeIPA SSH public key with gitlab
> Enterprise Edition.
>
> They have a configuration setting **ldap_sync_ssh_keys** that I tried
> to set to 'ipaSshPubKey'
> but it does not work.
>
> While trying to understand the problem, I realized that I don't even
> know how to retrieve this attribute using ldapsearch.
>
> Could you help with the ldapsearch command-line ?
>
> Could it be a permission problem ?
>
> Thanks,
> Karl



[Freeipa-users] ipaSshPubKey and ldapsearch

2015-09-18 Thread Karl Forner
Hello,

I'm trying to integrate the freeIPA SSH public key with gitlab
Enterprise Edition.

They have a configuration setting **ldap_sync_ssh_keys** that I tried
to set to 'ipaSshPubKey'
but it does not work.

While trying to understand the problem, I realized that I don't even
know how to retrieve this attribute using ldapsearch.

Could you help with the ldapsearch command-line ?

Could it be a permission problem ?

Thanks,
Karl



[Freeipa-users] [work-around] sss_ssh_knownhostsproxy problem with sparkleshare due to setlocale()

2015-09-11 Thread Karl Forner
Hi,

I kind of fixed my problem, but I share it here in case it can help others.

I had problems with sparkleshare on my freeIPA-enrolled workstation, e.g. I
got error messages like this:

19:04:52 | Cmd | QB_resources | git ls-remote --heads --exit-code
"ssh://xxxl@/secure/sparkleshare/resources" master
19:04:52 | Git | projects | (Wed Sep  9 19:04:52:432246 2015)
[/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0020): set_locale() failed
(5): Input/output error

I went to see the source code of sss_ssh_knownhostsproxy, and it seems that
the problem comes from these lines:
    c = setlocale(LC_ALL, "");
    if (c == NULL) {
        return EIO;
    }

According to "man setlocale()", this is perfectly good:

> On startup of the main program, the portable "C" locale is selected as
> default.  A program may be made portable to all locales by calling:
>     setlocale(LC_ALL, "");

and

> For glibc, first (regardless of category), the environment variable LC_ALL
> is inspected, next the environment variable with the same name as the
> category (LC_COLLATE, LC_CTYPE, LC_MESSAGES, LC_MONETARY, LC_NUMERIC,
> LC_TIME) and finally the environment variable LANG.  The first existing
> environment variable is used.  If its value is not a valid locale
> specification, the locale is unchanged, and setlocale() returns NULL.

In my case, apparently setlocale() returns NULL. I could not reproduce this
setlocale() call by myself, even trying to use the environment of the
sparkleshare process (which by the way is a mono program).

But I noticed that running sparkleshare as follows fixed the problem:
    LC_ALL="en_US.UTF-8" mono "/usr/lib/sparkleshare/SparkleShare.exe"

So I just edited my /etc/default/locale to permanently fix my problem.
Nonetheless, I'd be curious to understand why the setlocale() call fails
when sss_ssh_knownhostsproxy is called via git via sparkleshare (via mono).

Regards,
Karl Forner

Re: [Freeipa-users] [work-around] sss_ssh_knownhostsproxy problem with sparkleshare due to setlocale()

2015-09-11 Thread Karl Forner
done:
Ticket #2785 <https://fedorahosted.org/sssd/ticket/2785>
On Fri, Sep 11, 2015 at 10:17 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Fri, 11 Sep 2015, Karl Forner wrote:
>
>> Hi,
>>
>> I kind of fixed my problem, but I share it here in case it can help
>> others.
>>
>> I had problems with sparkleshare on my freeIPA-enrolled workstation, e.g.
>> I got error messages like this:
>>
>> 19:04:52 | Cmd | QB_resources | git ls-remote --heads --exit-code
>> "ssh://xxxl@/secure/sparkleshare/resources" master
>> 19:04:52 | Git | projects | (Wed Sep  9 19:04:52:432246 2015)
>> [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0020): set_locale() failed
>> (5): Input/output error
>>
>> I went to see the source code of sss_ssh_knownhostsproxy, and it seems
>> that the problem comes from these lines:
>>     c = setlocale(LC_ALL, "");
>>     if (c == NULL) {
>>         return EIO;
>>     }
>>
>> According to "man setlocale()", this is perfectly good:
>>
>>> On startup of the main program, the portable "C" locale is selected as
>>> default.  A program may be made portable to all locales by calling:
>>>     setlocale(LC_ALL, "");
>>
>> and
>>
>>> For glibc, first (regardless of category), the environment variable
>>> LC_ALL is inspected, next the environment variable with the same name as
>>> the category (LC_COLLATE, LC_CTYPE, LC_MESSAGES, LC_MONETARY, LC_NUMERIC,
>>> LC_TIME) and finally the environment variable LANG.  The first existing
>>> environment variable is used.  If its value is not a valid locale
>>> specification, the locale is unchanged, and setlocale() returns NULL.
>>
>> In my case, apparently setlocale() returns NULL. I could not reproduce
>> this setlocale() call by myself, even trying to use the environment of
>> the sparkleshare process (which by the way is a mono program).
>>
>> But I noticed that running sparkleshare as follows fixed the problem:
>>     LC_ALL="en_US.UTF-8" mono "/usr/lib/sparkleshare/SparkleShare.exe"
>>
>> So I just edited my /etc/default/locale to permanently fix my problem.
>> Nonetheless, I'd be curious to understand why the setlocale() call fails
>> when sss_ssh_knownhostsproxy is called via git via sparkleshare (via
>> mono).
>>
>>
> Thanks for the report. Could you please file a bug against sssd to have
> this fixed?
>
> There are multiple cases when your own locale is different from the
> remote environment and in cloud images you might not even have
> additional locale information available, so when SSH is configured to
> pass LC_* variables (like in Fedora or RHEL), they are forced in the
> remote shell and the setlocale() result is often NULL. I'm stumbling
> with this all the time.
> --
> / Alexander Bokovoy
>
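Added example, not sssd code, covering both the setlocale() snippet quoted in this thread and Alexander's point about forwarded LC_* variables: it reports which environment variable decides a category under the lookup order quoted from setlocale(3), and falls back to the always-present "C" locale when the environment names a locale the host lacks, instead of failing with EIO.

```c
/* Added example, not sssd code: the setlocale(LC_ALL, "") lookup order
 * quoted from the man page in this thread, and a fallback to "C" instead
 * of the hard EIO failure that sss_ssh_knownhostsproxy reported. */
#define _POSIX_C_SOURCE 200809L
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Environment variables that can drive setlocale(LC_ALL, ""). */
static const char *const locale_vars[] = {
    "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES",
    "LC_MONETARY", "LC_NUMERIC", "LC_TIME", "LANG", NULL
};

/* Unset every locale variable so experiments start from a clean slate. */
void clear_locale_env(void)
{
    for (const char *const *v = locale_vars; *v != NULL; v++)
        unsetenv(*v);
}

/* Name of the variable that decides `category` (e.g. "LC_CTYPE") under the
 * glibc order LC_ALL, then LC_<category>, then LANG; NULL when none is set,
 * in which case the portable "C" locale applies. Empty values count as
 * unset, as glibc treats them. */
const char *locale_env_source(const char *category)
{
    const char *order[3] = { "LC_ALL", category, "LANG" };
    for (size_t i = 0; i < 3; i++) {
        const char *v = getenv(order[i]);
        if (v != NULL && v[0] != '\0')
            return order[i];
    }
    return NULL;
}

typedef enum { LOCALE_FROM_ENV = 0, LOCALE_FALLBACK_C = 1 } locale_source;

/* Same call as in the snippet from the post, but when the environment names
 * a locale this host does not have (so setlocale returns NULL), fall back
 * to "C", which is always available, instead of aborting with EIO. */
locale_source init_locale(const char **chosen)
{
    const char *c = setlocale(LC_ALL, "");
    if (c != NULL) {
        *chosen = c;
        return LOCALE_FROM_ENV;
    }
    *chosen = setlocale(LC_ALL, "C");
    return LOCALE_FALLBACK_C;
}

int main(void)
{
    const char *name = NULL;
    const char *src = locale_env_source("LC_CTYPE");
    locale_source how = init_locale(&name);

    printf("LC_CTYPE is decided by %s\n", src ? src : "nothing (default C)");
    printf("selected locale: %s (%s)\n", name,
           how == LOCALE_FROM_ENV ? "from environment" : "fell back to C");
    return 0;
}
```

Running it with `LC_ALL=xx_XX.bogus ./a.out` on a glibc system reproduces the NULL return from the post and shows the fallback taking over.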

Re: [Freeipa-users] ipa client on ubuntu and sudo rules

2015-07-13 Thread Karl Forner
For reference:
I could not make the sudo rules work on ubuntu 12.04, I tried many many things.

Worked like a charm on ubuntu 14.04: as simple as adding sudo to services
in [sssd] section of sssd.conf.


On Fri, Jul 10, 2015 at 5:18 PM, Lukas Slebodnik lsleb...@redhat.com
wrote:

> On (10/07/15 16:19), Karl Forner wrote:
>> Hello,
>>
>> I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to
>> work.
>> I then realized that I used ipa-client-install version 3.3.4.
>> Is this a plausible cause ?
>> And if so, where can I get a more recent version for ubuntu/debian ?
> Newer version of ipa-client configures sssd integration with sudo by
> default.
> Please follow instructions from manual page sssd-sudo and you should be able
> to configure it yourself. Different version of sssd requires different
> configuration with ipa provider.
>
> IIRC sssd >= 1.10 has native ipa sudo provider so you needn't
> configure sudo ldap provider with IPA. That's the reason why it's better to
> follow instruction from man page sssd-sudo.
>
> LS


[Freeipa-users] ipa client on ubuntu and sudo rules

2015-07-10 Thread Karl Forner
Hello,

I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to
work.
I then realized that I used ipa-client-install version 3.3.4.
Is this a plausible cause ?
And if so, where can I get a more recent version for ubuntu/debian ?

Thanks,
Karl

[Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
Hello,

When using my freeIPA DNS name server for my domain example.test, I need to
exclude some names from the server (to be forwarded to the DNS forwarder
for instance).

For example, I'd like foo.example.test not to be resolved, but forwarded.
How could I implement this ?

Thanks.
Karl Forner

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora jpazdzi...@redhat.com wrote:

> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>
>> When using my freeIPA DNS name server for my domain example.test, I need
>> to exclude some names from the server (to be forwarded to the DNS
>> forwarder for instance).
>>
>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>> How could I implement this ?
>
> That would mean you have two different nameservers authoritative for
> the same DNS domain. That is generally not recommended setup.

Yes, that's what I read, but I do not know how to easily do differently.
But in the end, what I'd like for my users, is to have foo.example.test
resolved from the outside to my external server IP, and from the inside to
the internal server IP.

> Can't you make foo.example.test a CNAME to foo.example.org or another
> hostname, in domain with different authoritative DNS server?

Hmm yes that should work, thanks !

> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red
> Hat


Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
> Okay, but DNS doesn't work in that way. Zone example.test. is
> authoritative, so it must contain the record or delegation or NXDOMAIN is
> returned. You cannot have multiple authoritative copies of one zone with
> different data.
>
> The best solution would be to have only internal.example.test. zone
> managed by IPA, and add delegation to this zone into example.test.

Ok I understand. But in this setting, how would I implement the lookup so
that internally, ipa.example.test would resolve to
ipa.internal.example.test (internal IP), and externally to the external IP ?

thanks

> Martin
>
>> On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti mba...@redhat.com wrote:
>>
>>> On 08/07/15 14:26, Karl Forner wrote:
>>>
>>>> Hello,
>>>>
>>>> When using my freeIPA DNS name server for my domain example.test, I need
>>>> to exclude some names from the server (to be forwarded to the DNS
>>>> forwarder for instance).
>>>>
>>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>>>> How could I implement this ?
>>>>
>>>> Thanks.
>>>> Karl Forner
>>>
>>> Hello,
>>>
>>> If you plan to forward whole subzone, you can use forward zones in IPA.
>>>
>>> example.test -- master zone
>>> foo.example.test -- forward zones
>>>
>>> which version of IPA do you have?
>>> If IPA >= 4.0, then you can use ipa dnsforwardzone-add command.
>>> Otherwise dnszone-add with --forwarder option
>>>
>>> Do not forget to add proper NS delegation for all sub zones from parent
>>> zone.
>>> For example: ipa dnsrecord-add example.test. test
>>> --ns-rec=ipa.example.test.
>>>
>>> --
>>> Martin Basti
>
> --
> Martin Basti



Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
Thanks Petr.

My use case is: we have scripts that connect to some services, let's say a
docker registry.
I want these scripts to work either internally or externally, without
changing the URLs.
What would be the best or easiest setting to achieve this ?

On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek pspa...@redhat.com wrote:

> On 8.7.2015 15:07, Karl Forner wrote:
>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora jpazdzi...@redhat.com
>> wrote:
>>
>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>
>>>> When using my freeIPA DNS name server for my domain example.test, I
>>>> need to exclude some names from the server (to be forwarded to the DNS
>>>> forwarder for instance).
>>>>
>>>> For example, I'd like foo.example.test not to be resolved, but
>>>> forwarded.
>>>> How could I implement this ?
>>>
>>> That would mean you have two different nameservers authoritative for
>>> the same DNS domain. That is generally not recommended setup.
>>
>> Yes, that's what I read, but I do not know how to easily do differently.
>> But in the end, what I'd like for my users, is to have foo.example.test
>> resolved from the outside to my external server IP, and from the inside
>> to the internal server IP.
>
> Such setup is generally not recommended because it is usually pain when it
> comes to long-term operation and maintenance.
>
> http://www.freeipa.org/page/DNS#Caveats
> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>
> Two main use-cases are:
>
> a) Two or more different servers are using the same name and which server
> is used depends on client's network.
>
> This is usually very cumbersome because DNS caching will play against you,
> especially when we introduce system-wide cache into Fedora 23.
>
> It is also hard to manage and debug because you have to ask the same
> question from different networks etc. And it will be harder when you
> deploy DNSSEC to increase security...
>
> The typical recommendation is to use a sub-domain for internal names, e.g.
> i.example.com for internal names and example.com for
> externally-resolvable names.
>
> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
>
> Yes, it is as bad idea as it sounds.
>
>>> Can't you make foo.example.test a CNAME to foo.example.org or another
>>> hostname, in domain with different authoritative DNS server?
>>
>> Hmm yes that should work, thanks !
>
> Please keep in mind that it only hides the problem under yet another layer
> of indirection.
>
> <humor>
> Yes, it is always possible! We know it because it is written in
> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2
> point (6) but you should take point (3) into account, too :-)
> </humor>
>
> --
> Petr^2 Spacek



Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
Thanks Martin, but I do not want to forward the whole subzone.

I have the example.test zone from my web hosting site, that manages also
the domain example.test
I use the example.test domain in freeIPA.
So the problem is that in the internal network, I can no longer resolve
www.example.test.

Of course I can define all such names manually in the freeIPA dns, but
ideally (or naively) I'd like a way to
configure the freeIPA dns like: if you do not know foo.example.test,
instead of returning NXDOMAIN, please forward the request to this other
nameserver.





On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti mba...@redhat.com wrote:

> On 08/07/15 14:26, Karl Forner wrote:
>
>> Hello,
>>
>> When using my freeIPA DNS name server for my domain example.test, I need
>> to exclude some names from the server (to be forwarded to the DNS
>> forwarder for instance).
>>
>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>> How could I implement this ?
>>
>> Thanks.
>> Karl Forner
>
> Hello,
>
> If you plan to forward whole subzone, you can use forward zones in IPA.
>
> example.test -- master zone
> foo.example.test -- forward zones
>
> which version of IPA do you have?
> If IPA >= 4.0, then you can use ipa dnsforwardzone-add command.
> Otherwise dnszone-add with --forwarder option
>
> Do not forget to add proper NS delegation for all sub zones from parent
> zone.
> For example: ipa dnsrecord-add example.test. test
> --ns-rec=ipa.example.test.
>
> --
> Martin Basti



Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
I forgot my main use case: I have name-based reverse proxies (SNI) for some
web apps/services, that are accessible both from the internal and external
network.
They must be accessed with the exact same name/url, otherwise the dispatch
can not work.
Until now I manage this by manually editing all /etc/hosts on all internal
computers, but I had hoped to benefit from the freeIPA DNS for a more elegant
solution.


On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek pspa...@redhat.com wrote:

> On 8.7.2015 16:32, Karl Forner wrote:
>> Thanks Petr.
>>
>> My use case is: we have scripts that connect to some services, let's say
>> a docker registry.
>> I want these scripts to work either internally or externally, without
>> changing the URLs.
>> What would be the best or easiest setting to achieve this ?
>
> Personally I use config file for this. I.e. the script is the same and
> URLs, names, passwords, etc. are read from config file stored alongside
> the script.
>
> This allows me to test it easily without any changes in DNS or system-wide
> configuration like /etc/hosts.
>
> Yes, it requires more code, but in long-term it is way more debug-able than
> DNS tricks.
>
> Petr^2 Spacek
>
>> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek pspa...@redhat.com wrote:
>>
>>> On 8.7.2015 15:07, Karl Forner wrote:
>>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora jpazdzi...@redhat.com
>>>> wrote:
>>>>
>>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>>
>>>>>> When using my freeIPA DNS name server for my domain example.test, I
>>>>>> need to exclude some names from the server (to be forwarded to the
>>>>>> DNS forwarder for instance).
>>>>>>
>>>>>> For example, I'd like foo.example.test not to be resolved, but
>>>>>> forwarded.
>>>>>> How could I implement this ?
>>>>>
>>>>> That would mean you have two different nameservers authoritative for
>>>>> the same DNS domain. That is generally not recommended setup.
>>>>
>>>> Yes, that's what I read, but I do not know how to easily do
>>>> differently.
>>>> But in the end, what I'd like for my users, is to have foo.example.test
>>>> resolved from the outside to my external server IP, and from the inside
>>>> to the internal server IP.
>>>
>>> Such setup is generally not recommended because it is usually pain when
>>> it comes to long-term operation and maintenance.
>>>
>>> http://www.freeipa.org/page/DNS#Caveats
>>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>>
>>> Two main use-cases are:
>>>
>>> a) Two or more different servers are using the same name and which
>>> server is used depends on client's network.
>>>
>>> This is usually very cumbersome because DNS caching will play against
>>> you, especially when we introduce system-wide cache into Fedora 23.
>>>
>>> It is also hard to manage and debug because you have to ask the same
>>> question from different networks etc. And it will be harder when you
>>> deploy DNSSEC to increase security...
>>>
>>> The typical recommendation is to use a sub-domain for internal names,
>>> e.g. i.example.com for internal names and example.com for
>>> externally-resolvable names.
>>>
>>> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
>>>
>>> Yes, it is as bad idea as it sounds.
>>>
>>>>> Can't you make foo.example.test a CNAME to foo.example.org or another
>>>>> hostname, in domain with different authoritative DNS server?
>>>>
>>>> Hmm yes that should work, thanks !
>>>
>>> Please keep in mind that it only hides the problem under yet another
>>> layer of indirection.
>>>
>>> <humor>
>>> Yes, it is always possible! We know it because it is written in
>>> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2
>>> point (6) but you should take point (3) into account, too :-)
>>> </humor>
>>>
>>> --
>>> Petr^2 Spacek
