[Freeipa-users] Mass update IP addresses

2014-07-22 Thread KodaK
For various reasons, I need to move a lot of my IPA clients to a different
subnet.

I'd like to automate this as much as possible.  My initial thought is to
use a combination
of puppet and ipa commands, but I wanted to see if anyone had any advice.
 Anything I
should watch out for in IPA?  I know that's vague, but I'm just seeking
general advice.

Thanks,

--Jason
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] AD trusts HBACs such

2014-03-25 Thread KodaK
I've been working with support on how to set up HBAC and sudo rules with AD
users.

From what they've described I can only manage them on an aggregate level
using an external group.

For example, I can define an hbac rule, but that hbac rule will be valid
for *all* AD users in the external group that was created to handle them.

Am I missing something?  If that's the case then this isn't flexible enough
for our needs.  I have to be able to specify rules based on individual
accounts.

It seems like there might be a work-around by using multiple external
groups and having each AD user in their own external group, but that would
be really cumbersome (if it's even possible.)

Do I have any other options?

Thanks,

--Jason
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] passwordless login into IPA clients possible from non IPA client?

2014-03-19 Thread KodaK
Andrew's suggestion works fine, but you can also set up a simple krb5.conf
on the source hosts and then issue a kinit.  It doesn't have to be a full
IPA client for that to work.

You can also do this from a Windows box by using the MIT Kerberos for
Windows package:  http://web.mit.edu/Kerberos/dist/  (you can also do ssh
keys from windows with putty.)


On Wed, Mar 19, 2014 at 7:20 AM, Andrew Holway andrew.hol...@gmail.com wrote:

 Hi Fred,

 You can add your public keys to the users profile via the GUI or CLI.
 Take contents of the .ssh/id_rsa.pub from your Fedora20 Laptop and
 insert it in the GUI.

 User - ACCOUNT SETTINGS - SSH public keys - add


 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/user-keys.html

 Thanks,

 Andrew

 On 19 March 2014 09:38, Fred van Zwieten fvzwie...@vxcompany.com wrote:
  Hi,
 
  Subject says it all actually. I have a laptop with Fedora20. I work as a
  contractor on different assignments. Some of them have an IPA domain set
 up.
  Their RHEL6 servers are all IPA clients. I would like to ssh into these
  servers passwordless using ssh-agent and such. Is this possible? If so,
 how
  would I set this up?
 
  BTW passwordless login already works when ssh-ing from an IPA client into
  another IPA client.
 
  Fred
 





-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] AIX kerberos client to IPA

2014-03-12 Thread KodaK
I had this issue, but I gave up.  I have my users either log into a Linux
box to change passwords or use a web based password reset I set up for them.

When your users log in successfully do they have tickets?  That's my
situation: they can get tickets once they're logged in, but can't change
when prompted at login, nor can they change interactively using passwd.

If you ever figure anything out let me know, but I spent quite a bit of
time on it (once I had the workaround I stopped, though.  You may be more
persistent.)

Good luck,

--Jason


On Wed, Mar 12, 2014 at 4:52 PM, Rob robert.ro...@xerox.com wrote:


 Hi,

 I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server.
 The
 AIX server is configured to use netgroups and all that works for existing
 the
 users.

 The problem is when a users password expires or when a new user is created.
 They cannot change their password

 WARNING: Your password has expired.
 You must change your password now and login again!
 Changing password for testuser
 testuser's Old password:
 testuser's New password:
 Connection to localhost closed.

 The problem seems to be related to not getting a kerberos ticket as kinit
 can
 be used to change the password.

 Logging is enabled but no logs ever get updated

 [logging]
 kdc = FILE:/var/krb5/log/krb5kdc.log
 admin_server = FILE:/var/krb5/log/kadmin.log
 kadmin_local = FILE:/var/krb5/log/kadmin_local.log
 default = FILE:/var/krb5/log/krb5lib.log

 Anybody ever come across this? Or know how to get logging working?






[Freeipa-users] scripting ipa commands

2014-03-06 Thread KodaK
Once again, I'm probably missing something that's well documented.  I
promise I searched.

We have a daily termination list that needs to be enforced at 5:00 PM every
day.  I can script it up just fine, but sometimes I like to sneak out early.

I tried to use at, but since I'm logged out when the job runs there's no
ticket and the ipa commands fail.

ex:

echo sh terminate | at 5:00 PM Friday

works if I'm logged in with a ticket (terminate contains the ipa command
to disable / delete users.)

Is there some way to automate this?  I can leave a terminal open on a VM as
a work-around, but I'd like to be cleaner if I can.

--Jason

Re: [Freeipa-users] scripting ipa commands [solved]

2014-03-06 Thread KodaK
That's pretty much exactly what I was looking for.

Thanks JR.

--Jason


On Thu, Mar 6, 2014 at 11:23 AM, JR Aquino jr.aqu...@citrix.com wrote:

 If you don't find an answer for doing it -minus- a ticket, here is what I
 would suggest.

 Create a service user whose only role permissions give them the ability to
 delete users.

 Then perform a getkeytab for the user:
 ipa-getkeytab -s ipa.example.com -p <user name to export>@EXAMPLE.COM -k /path/to/username.keytab

 Then associate the following along with your cron.  I would also recommend
 a kdestroy -after- the task is run.

 #!/bin/bash

 ###
 # Auto Kinit
 ###

 # klist -s exits non-zero when the credential cache holds no valid ticket
 /usr/kerberos/bin/klist -s
 EXITCODE=$?
 if [ $EXITCODE != 0 ] ; then
     # clear any stale cache, then get a fresh ticket from the keytab
     /usr/kerberos/bin/kdestroy > /dev/null 2>&1
     /usr/kerberos/bin/kinit -F usern...@example.com -k -t /path/to/username.keytab
 fi









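The keytab approach JR describes, worked into a complete unattended job, as an added example (not code from the thread or from FreeIPA). It assumes a service principal termbot@EXAMPLE.COM with its keytab at /etc/ipa/termbot.keytab and a termination list at /etc/ipa/terminate.txt; all three are placeholders. It differs from JR's snippet in two ways: the ticket goes into a private credential cache via KRB5CCNAME, so the cron job never reads or clobbers an interactive user's ticket and always starts from a fresh kinit, and the list is validated so a stray line cannot turn into extra `ipa` arguments.

```python
"""Unattended `ipa user-disable` from cron, authenticated with a service keytab."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Placeholders: substitute your own service principal, keytab and list file.
PRINCIPAL = "termbot@EXAMPLE.COM"
KEYTAB = "/etc/ipa/termbot.keytab"
TERMINATION_LIST = "/etc/ipa/terminate.txt"

# A login name and nothing else (assumed lowercase, no spaces, no leading '-'),
# so a list entry can never be parsed by `ipa` as an option.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def parse_termination_list(text):
    """Return the user names in `text`, one per line.

    Blank lines and '#' comments are skipped; any other line that is not a
    plain login name raises, so the job stops instead of guessing."""
    users = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not USERNAME_RE.match(line):
            raise ValueError(f"line {lineno}: not a valid user name: {line!r}")
        users.append(line)
    return users


def disable_command(user):
    """argv for disabling one account (disable, not delete, so it is reversible)."""
    return ["ipa", "user-disable", user]


def with_service_ticket(action):
    """Call action(env) with a ticket from KEYTAB in a private credential cache.

    kdestroy always runs afterwards, as JR recommends, and the cache file is
    removed so no ticket is left on disk between runs."""
    cache = tempfile.NamedTemporaryFile(prefix="krb5cc_termbot_", delete=False)
    cache.close()
    env = dict(os.environ, KRB5CCNAME=f"FILE:{cache.name}")
    try:
        subprocess.run(["kinit", "-k", "-t", KEYTAB, PRINCIPAL], env=env, check=True)
        return action(env)
    finally:
        subprocess.run(["kdestroy"], env=env, check=False)
        Path(cache.name).unlink(missing_ok=True)


def run_terminations(users):
    """Disable every listed account; return (disabled, failed)."""
    def action(env):
        disabled, failed = [], []
        for user in users:
            result = subprocess.run(disable_command(user), env=env,
                                    capture_output=True, text=True)
            if result.returncode == 0:
                disabled.append(user)
            else:
                failed.append((user, result.stderr.strip()))
        return disabled, failed
    return with_service_ticket(action)


if __name__ == "__main__":
    todo = parse_termination_list(Path(TERMINATION_LIST).read_text())
    done, failed = run_terminations(todo)
    print(f"disabled: {done}")
    for user, err in failed:
        print(f"FAILED {user}: {err}")
```

Run it from the service account's crontab at 5:00 PM (for example `0 17 * * 1-5 /usr/local/bin/terminate_users.py`, path assumed); the keytab file should be readable only by that account, since anyone who can read it can act with the role it was granted.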
[Freeipa-users] TLS error on master server / CA issue?

2014-02-28 Thread KodaK
Hey everyone,

A couple of days ago I started getting the following message:

[jebalicki@slpidml01 ~]$ ipa cert-show 1
ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml
ipa: INFO: Forwarding 'cert_show' to server u'https://slpidml01.unix.xxx.com/ipa/xml'
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

I get a similar error in the GUI when looking at hosts.

slpidml01 is my master -- the one I initially built.  The other replicas
also replicated the CA.

After some digging (and prompting from Red Hat support) I've found the
following:

[root@slpidml01 ~]# ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com -D "cn=Directory Manager" -W -b dc=unix,dc=xxx,dc=com -x
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

But, interestingly, from another replica:

[jebalicki@slpidml02 ~]$ ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com -D "cn=Directory Manager" -W -b dc=unix,dc=xxx,dc=com -x
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base dc=unix,dc=xxx,dc=com with scope subtree
# filter: (objectclass=*)
# requesting: ALL
...

So, obviously some certificate got hosed up somewhere.  I've been digging
but I haven't found it yet.

Anyone have any ideas?

I have a ticket open with RH support, but I think I somehow got put with
someone with a completely different sleep schedule -- I get replies at 3 in
the morning.  So, I'm asking here because I'm impatient. :)

Thanks,

--Jason

Re: [Freeipa-users] TLS error on master server / CA issue?

2014-02-28 Thread KodaK
On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden rcrit...@redhat.com wrote:


 Check certificate expiration. Run getcert list to see what the status is.

 rob


None are expired, but there are some coming up soon:

[root@slpidml01 ~]# getcert list | grep expires
expires: 2014-03-29 19:03:31 UTC
expires: 2014-03-29 19:04:04 UTC
expires: 2014-03-29 19:04:30 UTC
expires: 2016-02-09 06:26:34 UTC
expires: 2016-02-09 06:25:34 UTC
expires: 2016-02-09 06:25:34 UTC
expires: 2016-02-09 06:25:34 UTC
expires: 2016-02-09 06:25:34 UTC

Everything is set to auto-renew:

[root@slpidml01 ~]# getcert list | grep auto-renew
auto-renew: yes
auto-renew: yes
auto-renew: yes
auto-renew: yes
auto-renew: yes
auto-renew: yes
auto-renew: yes
auto-renew: yes

Re: [Freeipa-users] [solved] TLS error on master server / CA issue?

2014-02-28 Thread KodaK
On Fri, Feb 28, 2014 at 1:05 PM, Rob Crittenden rcrit...@redhat.com wrote:


 Ok. CA requests are proxied through Apache so a Not Found means that the
 CA isn't running. Check the trust on the audit cert:

 # certutil -L -d /var/lib/pki-ca/alias

 The trust for the audit signing cert should be u,u,Pu

 If it doesn't have it, fix it with:

 # certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca'
 -t u,u,Pu

 Then restart the CA (or all of IPA if you wish).

 For the LDAP searches you may want to try the commands again, preceding
 them with LDAPTLS_CACERT=/etc/ipa/ca.crt
 rob


Thanks a bunch, that worked!

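Rob's two checks (the trust attributes on the audit signing cert, and certificate expiry from certmonger) can be scripted so a CA replica is watched before the CA stops answering. The example below is added here and is not code from the thread or from FreeIPA: it parses the output of `certutil -L -d /var/lib/pki-ca/alias` and `getcert list` and runs offline on constructed samples of both. The nickname auditSigningCert cert-pki-ca and the expected trust u,u,Pu are the ones Rob gives; the request IDs in the sample are made up, the expiry dates are the ones posted above.

```python
"""Offline checks for the two things Rob asks about: NSS trust flags on the
CA's audit signing cert, and certmonger expiry dates from `getcert list`."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

CA_NSSDB = "/var/lib/pki-ca/alias"            # path from Rob's reply
AUDIT_NICK = "auditSigningCert cert-pki-ca"   # nickname from Rob's reply
EXPECTED_AUDIT_TRUST = "u,u,Pu"

# Constructed sample of `certutil -L -d /var/lib/pki-ca/alias`; the audit cert
# has lost its 'P' flag, the failure discussed in the thread.
CERTUTIL_SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
Server-Cert cert-pki-ca                                      u,u,u
"""

# Constructed sample of `getcert list`, trimmed to the fields used here.
GETCERT_SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20130329190331':
\tstatus: MONITORING
\texpires: 2014-03-29 19:03:31 UTC
\tauto-renew: yes
Request ID '20130329190404':
\tstatus: MONITORING
\texpires: 2014-03-29 19:04:04 UTC
\tauto-renew: yes
Request ID '20140209062534':
\tstatus: MONITORING
\texpires: 2016-02-09 06:25:34 UTC
\tauto-renew: yes
"""


def parse_certutil_list(text):
    """Map nickname -> trust attributes; header and blank lines have no trust column."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or parts[0].startswith("Certificate Nickname"):
            continue
        nickname, trust = parts
        certs[nickname.strip()] = trust
    return certs


def audit_trust_problem(certutil_text):
    """Describe what is wrong with the audit signing cert's trust, or None."""
    trust = parse_certutil_list(certutil_text).get(AUDIT_NICK)
    if trust is None:
        return f"{AUDIT_NICK!r} is missing from {CA_NSSDB}"
    if trust != EXPECTED_AUDIT_TRUST:
        return f"{AUDIT_NICK!r} has trust {trust!r}, expected {EXPECTED_AUDIT_TRUST!r}"
    return None


def parse_getcert_list(text):
    """One dict per tracked request: id, status, expires (aware UTC), auto_renew."""
    entries, current = [], None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"id": match.group(1), "status": None,
                       "expires": None, "auto_renew": None}
            entries.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition(": ")
        if key == "status":
            current["status"] = value
        elif key == "expires":
            current["expires"] = datetime.strptime(
                value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        elif key == "auto-renew":
            current["auto_renew"] = value == "yes"
    return entries


def expiring_within(entries, now, days=30):
    """Requests whose certificate expires no later than `days` after `now`."""
    limit = now + timedelta(days=days)
    return [e for e in entries if e["expires"] is not None and e["expires"] <= limit]


def expiring_ids(getcert_text, as_of, days=30):
    """IDs expiring within `days` of the date `as_of` ('YYYY-MM-DD')."""
    now = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return [e["id"] for e in expiring_within(parse_getcert_list(getcert_text), now, days)]


def main():
    certutil = subprocess.run(["certutil", "-L", "-d", CA_NSSDB],
                              capture_output=True, text=True, check=True).stdout
    getcert = subprocess.run(["getcert", "list"],
                             capture_output=True, text=True, check=True).stdout
    print(audit_trust_problem(certutil) or "audit signing cert trust OK")
    for e in expiring_within(parse_getcert_list(getcert), datetime.now(timezone.utc)):
        print(f"request {e['id']} expires {e['expires']:%Y-%m-%d} "
              f"(status {e['status']}, auto-renew {e['auto_renew']})")


if __name__ == "__main__":
    main()
```

Run as root on each CA replica; a non-empty trust problem is exactly the state Rob's `certutil -M ... -t u,u,Pu` repairs, and a certificate listed as expiring with auto-renew yes but a status other than MONITORING is worth a look before the date arrives.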
Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-15 Thread KodaK
For the record, I spent quite a long time on this and finally gave up.  I
never found a work-around other than providing the entire DN, which I
wasn't about to do.


On Tue, Jan 14, 2014 at 11:53 PM, Alexander Bokovoy aboko...@redhat.com wrote:

 On Wed, 15 Jan 2014, Les Stott wrote:

 I can confirm that the password was typed in correctly. Maybe its not
 matching the account because it's the compat tree?

 No, it is not matching because BIND over compat tree is only supported
 with slapi-nis 0.48+ which is not RHEL 6.x feature. As Dmitri said, it
 is feature available with FreeIPA 3.3.x, not 3.0.

 --
 / Alexander Bokovoy







Re: [Freeipa-users] FreeIPA integration with AIX and sudo

2013-12-16 Thread KodaK
I am an unfortunate AIX sufferer as well.  I've gotten through setting this
up.

First, what version of sudo are you running on the AIX box?


On Mon, Dec 16, 2013 at 8:46 AM, y...@degauquier.net wrote:

 Hi,

 I'm trying to integrate on AIX environment (as clients) a centralized
 authentication and authorization with freeipa, and using sudo also with
 sudo rules on freeipa.

 I followed several how-tos and notes found by googling, but still have
 problems with sudo.

 Everything is fine with the root account (sudo -l lists all sudo rules), but
 with a user from freeipa I have Memory fault.

 Does anybody have good experience with FreeIPA (installed on CentOS), AIX
 (6.1) and sudo (from Perzl)?

 Thanks in advance,

 Yves






[Freeipa-users] Lesson learned: don't do this.

2013-11-20 Thread KodaK
Just wanted to pass along an issue I just had.

We have some legacy local users on some boxes, and we need to have a mix of
those local users and IPA users in the same groups.

In order for that to happen (at least on AIX) I need to create a group in
IPA with the GID of the local group.  This can be a problem because the GID
may be used by different groups on different boxes (we inherited this mess.)

To organize this, I would create groups like this in IPA:

host1-foogroup:208
host2-bargroup:208
host3-bazgroup:208

This worked, until I added a fourth group with the same GID.  AIX stopped
allowing members of 208 to connect to any hosts.

I was forced to move them all into a single group and abandon my attempts
at organization.

This was hard to find, but obvious in retrospect.


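A check for the condition described above, added here as an example (not code from the list or from FreeIPA): it reads the cn and gidNumber of every IPA group from LDIF, as produced by an ldapsearch against cn=groups,cn=accounts under your base DN, and reports any GID shared by more than one group. The base DN and group names in the constructed sample are placeholders; the LDIF reader handles folded continuation lines and base64 (::) values so it works on real ldapsearch output.

```python
"""Report IPA groups that share a gidNumber, the condition that broke AIX above."""
import base64
from collections import defaultdict

# Constructed LDIF, shaped like the output of
#   ldapsearch -x -LLL -b cn=groups,cn=accounts,dc=example,dc=com '(gidNumber=*)' cn gidNumber
# The base DN and the group names are placeholders; the last entry has a
# folded cn so the unfolding path is exercised.
SAMPLE_LDIF = """\
dn: cn=host1-foogroup,cn=groups,cn=accounts,dc=example,dc=com
cn: host1-foogroup
gidNumber: 208

dn: cn=host2-bargroup,cn=groups,cn=accounts,dc=example,dc=com
cn: host2-bargroup
gidNumber: 208

dn: cn=host3-bazgroup,cn=groups,cn=accounts,dc=example,dc=com
cn: host3-bazgroup
gidNumber: 208

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
gidNumber: 1000

dn: cn=very-long-description-group,cn=groups,cn=accounts,dc=example,dc=com
cn: very-long-descr
 iption-group
gidNumber: 1001
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, skips '#' comments; returns a list of {attr: [values]} dicts
    with attribute names lowercased."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def duplicate_gids(entries):
    """Map each gidNumber used by more than one group to the sorted group names."""
    by_gid = defaultdict(list)
    for entry in entries:
        for gid in entry.get("gidnumber", []):
            by_gid[gid].extend(entry.get("cn", []))
    return {gid: sorted(names) for gid, names in by_gid.items() if len(names) > 1}


if __name__ == "__main__":
    import sys
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for gid, names in sorted(duplicate_gids(parse_ldif(text)).items(), key=lambda kv: int(kv[0])):
        print(f"GID {gid} is shared by: {', '.join(names)}")
```

Pipe the ldapsearch output into the script (`ldapsearch ... | python3 check_gids.py`, file name assumed) and run it before adding a group with a reused GID; with no stdin it runs on the built-in sample.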
[Freeipa-users] Revisiting ILO

2013-11-05 Thread KodaK
I'm attempting to get HP ILO authenticating against IPA again.

I've configured the user context in ILO as:

cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

When ILO tries to connect, it sends the string:

CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

Which, of course, doesn't exist.  IPA uses uid=username, but as far as I
can tell I can't tell ILO to use a different username attribute.  It
doesn't even look like it's trying to use a username attribute.

I've tried to force it to look for uid=jebalicki by using uid=jebalicki
in the login field, but that fails too.  The errors in the errors log look
like this:


[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32

And the access log looks like this:

[05/Nov/2013:13:32:06 -0600] conn=214941 fd=438 slot=438 SSL connection
from 10.200.10.192 to 10.200.16.170
[05/Nov/2013:13:32:06 -0600] conn=214941 SSL 256-bit AES
[05/Nov/2013:13:32:06 -0600] conn=214941 op=0 BIND dn=uid=jebalicki
method=128 version=2
[05/Nov/2013:13:32:06 -0600] conn=214941 op=0 RESULT err=32 tag=97
nentries=0 etime=0
[05/Nov/2013:13:32:06 -0600] conn=214941 op=1 BIND
dn=CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
method=128 version=2
[05/Nov/2013:13:32:07 -0600] conn=214941 op=1 RESULT err=32 tag=97
nentries=0 etime=1
[05/Nov/2013:13:32:07 -0600] conn=214941 op=2 UNBIND
[05/Nov/2013:13:32:07 -0600] conn=214941 op=2 fd=438 closed - U1
[05/Nov/2013:13:32:07 

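The access log above already says what is going wrong: each BIND is answered with err=32 (LDAP noSuchObject), which means the DN that ILO built does not exist, a different failure from a wrong password (err=49). The example below is added here (not from the list or from 389-ds) and pairs BIND and RESULT lines by connection and operation number so failing bind DNs can be tallied, which shows at a glance whether a client is building DNs the wrong way. The sample log is constructed from the lines on this page, with the quotes 389-ds prints around the DN restored, plus one made-up successful bind using the full uid= DN.

```python
"""Find failing BINDs in a 389-ds (FreeIPA) access log and say why they fail."""
import re
from collections import Counter

# Constructed sample: the page's own lines (DN quotes restored) plus one
# made-up successful bind with the full uid= DN.
SAMPLE_LOG = """\
[05/Nov/2013:13:32:06 -0600] conn=214941 fd=438 slot=438 SSL connection from 10.200.10.192 to 10.200.16.170
[05/Nov/2013:13:32:06 -0600] conn=214941 SSL 256-bit AES
[05/Nov/2013:13:32:06 -0600] conn=214941 op=0 BIND dn="uid=jebalicki" method=128 version=2
[05/Nov/2013:13:32:06 -0600] conn=214941 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[05/Nov/2013:13:32:06 -0600] conn=214941 op=1 BIND dn="CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com" method=128 version=2
[05/Nov/2013:13:32:07 -0600] conn=214941 op=1 RESULT err=32 tag=97 nentries=0 etime=1
[05/Nov/2013:13:32:07 -0600] conn=214941 op=2 UNBIND
[05/Nov/2013:13:32:07 -0600] conn=214941 op=2 fd=438 closed - U1
[05/Nov/2013:13:40:12 -0600] conn=214950 op=0 BIND dn="uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com" method=128 version=3
[05/Nov/2013:13:40:12 -0600] conn=214950 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

# LDAP result codes most often seen on a failed simple bind.
LDAP_ERRORS = {
    0: "success",
    32: "noSuchObject (bind DN does not exist)",
    49: "invalidCredentials (DN exists, password wrong)",
}

# The DN is quoted in real logs; the regex also accepts the unquoted form.
BIND_RE = re.compile(r"conn=(\d+) op=(\d+) BIND dn=\"?(.*?)\"? method=(\d+)")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")


def failed_binds(lines):
    """Pair every BIND with the RESULT carrying the same conn and op number and
    return the failures as (conn, op, dn, err)."""
    pending, failures = {}, []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, _method = m.groups()
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)   # RESULTs of non-BIND ops are ignored
            if dn is not None and err != "0":
                failures.append((int(conn), int(op), dn, int(err)))
    return failures


def explain(err):
    """Human-readable meaning of an LDAP result code."""
    return LDAP_ERRORS.get(err, f"LDAP result code {err}")


def failing_dns(lines):
    """Counter of (dn, err) over all failed binds: the view that reveals a client
    sending CN=<login>,<context> instead of uid=<login>,cn=users,..."""
    return Counter((dn, err) for _conn, _op, dn, err in failed_binds(lines))


def count_err32(lines):
    """Same number as `grep err=32 access | wc -l`."""
    return sum(1 for line in lines if " err=32 " in line)


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for (dn, err), n in failing_dns(lines).most_common():
        print(f"{n:6d}  err={err:<3} {explain(err)}  dn={dn}")
```

Point it at /var/log/dirsrv/slapd-*/access on the server; a DN that fails with err=32 many times from one source address is a misconfigured client rather than a password-guessing one, and the two are worth telling apart before anyone reaches for lockout settings.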
Re: [Freeipa-users] Revisiting ILO

2013-11-05 Thread KodaK
If I use the whole connection string:

uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

I can authenticate.


On Tue, Nov 5, 2013 at 1:40 PM, KodaK sako...@gmail.com wrote:

 I'm attempting to get HP ILO authenticating against IPA again.

 I've configured the user context in ILO as:

 cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

 When ILO tries to connect, it sends the string:

 CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

 Which, of course, doesn't exist.  IPA uses uid=username, but as far as I
 can tell I can't tell ILO to use a different username attribute.  It
 doesn't even look like it's trying to use a username attribute.

 I've tried to force it to look for uid=jebalicki by using uid=jebalicki
 in the login field, but that fails too.  The errors in the errors log look
 like this:


 [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry jebalicki: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry jebalicki: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry
 CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry
 CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry jebalicki: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry jebalicki: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry
 CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry
 CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry jebalicki: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry jebalicki: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry
 CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry
 CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry uid=jebalicki: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry uid=jebalicki: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry
 CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry
 CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry uid=jebalicki: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry uid=jebalicki: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry
 CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry
 CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry uid=jebalicki: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry uid=jebalicki: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry
 CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry
 CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32

 And the access log looks like this:

 [05/Nov/2013:13:32:06 -0600] conn=214941 fd=438 slot=438 SSL connection
 from 10.200.10.192 to 10.200.16.170
 [05/Nov/2013:13:32:06 -0600] conn=214941 SSL 256-bit AES
 [05/Nov/2013:13:32:06 -0600] conn=214941 op=0 BIND dn=uid=jebalicki
 method=128 version=2
 [05/Nov/2013:13:32:06 -0600] conn=214941 op=0 RESULT err=32 tag=97
 nentries=0 etime=0
 [05/Nov/2013:13:32:06 -0600] conn=214941 op=1 BIND
 dn=CN=uid=jebalicki,cn=users,cn=accounts,dc

Re: [Freeipa-users] Force IPA to accept password?

2013-09-26 Thread KodaK
Here's what I had to do:

http://www.freeipa.org/page/PasswordSynchronization


On Thu, Sep 26, 2013 at 10:35 AM, KodaK sako...@gmail.com wrote:

 As far as I can tell, password policy is enforced on the client side, not
 the directory side.

 I set up a self-service password reset utility which enforces its own
 rules and bypasses the IPA password policies.

 I used this one:

 http://ltb-project.org http://ltb-project.org/wiki/

 I created a user that had the ability to create passwords, but IIRC there
 was some setting I had to change so that the passwords created didn't
 require a change.

 I'm pretty sure someone in this list told me how, so I'll search and see
 if I can find it.

 --Jason



 On Thu, Sep 26, 2013 at 8:58 AM, Innes, Duncan 
 duncan.in...@virginmoney.com wrote:

 Sorry,

  -Original Message-
  From: Martin Kosek [mailto:mko...@redhat.com]
  Sent: 26 September 2013 14:29
  To: Innes, Duncan
  Cc: freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] Force IPA to accept password?
 
  On 09/26/2013 01:05 PM, Innes, Duncan wrote:
   Hi,
  
   Can I force IPA to accept a new password that I have chosen?
 
  What password do you have in mind? A password of an IPA user?
 

 Yes - for my authentication when SSHing onto a Linux box.

  
   Today I've had to change my password in 2x AD domains and
   other places according to policy.  I've done this.
  
   But coming to IPA, I find that I've chosen a BAD
   PASSWORD.  Without getting into the merits of the AD password
   policy and the security of the password I've chosen, can I
   force IPA to accept my new password at all?
 
  Well, without getting into security of the approach, you
  could change the global password policy or group password
  policy so that the new password is
  accepted:
 
  $ ipa pwpolicy-mod --minlength=5
 
  or
 
  $ ipa pwpolicy-add usergroup --minlength=5
 
  ... to fix whatever failing password policy attribute.
 

 The error comes from a dictionary check I think.  AD does as well as far
 as I know, but would appear to have a smaller dictionary or looser
 rules.

 Kind of what I expected/feared though.  I don't want to change the IPA
 policy at all, just override its objection.  For now, I went the long
 route and changed my IPA password first, then changed the other
 passwords
 to match what IPA was happy with.

  HTH,
  Martin
 

 Cheers & thanks for your help

 Duncan





 --
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6





Re: [Freeipa-users] Timeout (?) issues

2013-09-23 Thread KodaK
I'm pretty sure this is the root of my problem (not confirmed yet, but it's
AIX -- that's always the problem):

http://www-01.ibm.com/support/docview.wss?uid=swg21212940

The takeaway is this:

The first query (184) is a normal IPV4 lookup for ldap.austin.texas.com,
which returns 192.168.1.255. But then an IPV6 lookup is done for the same
name. Because there is no IPV6 address for ldap.austin.texas.com, it
continues searching every search domain in the resolv.conf file (
example.austin.texas.com austin.texas.com texas.com) trying to find one.



On Fri, Sep 20, 2013 at 3:07 AM, Petr Spacek pspa...@redhat.com wrote:

 On 20.9.2013 01:24, KodaK wrote:

 This is ridiculous, right?

 IPA server 1:

 # for i in $(ls access*); do echo -n "$i: "; grep err=32 $i | wc -l; done
 access: 248478
 access.20130916-043207: 302774
 access.20130916-123642: 272572
 access.20130916-201516: 294308
 access.20130917-081053: 295060
 access.20130917-144559: 284498
 access.20130917-231435: 281035
 access.20130918-091611: 291165
 access.20130918-154945: 275792
 access.20130919-014322: 296113

 IPA server 2:

 access: 4313
 access.20130909-200216: 4023
 access.20130910-200229: 4161
 access.20130911-200239: 4182
 access.20130912-200249: 5069
 access.20130913-200258: 3833
 access.20130914-200313: 4208
 access.20130915-200323: 4702
 access.20130916-200332: 4532


 IPA server 3:

 access: 802
 access.20130910-080737: 3876
 access.20130911-080748: 3902
 access.20130912-080802: 3678
 access.20130913-080810: 3765
 access.20130914-080826: 3524
 access.20130915-080907: 4142
 access.20130916-080916: 4930
 access.20130917-080926: 4769
 access.20130918-081005: 2879

 IPA server 4:

 access: 2812
 access.20130910-003051: 4095
 access.20130911-003105: 3623
 access.20130912-003113: 3606
 access.20130913-003125: 3581
 access.20130914-003135: 3758
 access.20130915-003150: 3935
 access.20130916-003159: 4184
 access.20130917-003210: 3859
 access.20130918-003221: 5110


 The vast majority of the err=32 messages are DNS entries.


 It depends on your setup. Bind-dyndb-ldap does an LDAP search for each
 non-existent name to verify that the name wasn't added to LDAP in the
 meantime. If you have clients doing 1M queries for non-existing names per
 day, then you will see 1M LDAP queries with err=32 per day.

 The next major version of bind-dyndb-ldap will have a reworked internal
 database and it will support negative caching, so the number of err=32
 should drop significantly.


  Here are some samples:

 [19/Sep/2013:18:19:51 -0500] conn=9 op=169764 SRCH
 base=idnsName=xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com
 scope=0 filter=(objectClass=idnsRecord) attrs=ALL
 [19/Sep/2013:18:19:51 -0500] conn=9 op=169764 RESULT err=32 tag=101
 nentries=0 etime=0


 This is interesting, because this LDAP query is equivalent to a DNS query for
 xxx.com.unix.xxx.com. Are your clients that crazy? :-)


 [19/Sep/2013:18:19:51 -0500] conn=9 op=169774 SRCH
 base=idnsName=slpoxacl01.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com
 scope=0 filter=(objectClass=idnsRecord) attrs=ALL
 [19/Sep/2013:18:19:51 -0500] conn=9 op=169774 RESULT err=32 tag=101
 nentries=0 etime=0


 This is equivalent to a DNS query for slpoxacl01.unix.xxx.com.unix.xxx.com.


 [19/Sep/2013:18:19:51 -0500] conn=9 op=169770 SRCH
 base=idnsName=sla400q1.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com
 scope=0 filter=(objectClass=idnsRecord) attrs=ALL
 [19/Sep/2013:18:19:51 -0500] conn=9 op=169770 RESULT err=32 tag=101
 nentries=0 etime=0


 And this is sla400q1.unix.xxx.com.unix.xxx.com.


 [19/Sep/2013:18:19:51 -0500] conn=9 op=169772 SRCH
 base=idnsName=magellanhealth.com,idnsname=unix.magellanhealth.com,cn=dns,dc=unix,dc=magellanhealth,dc=com
 scope=0 filter=(objectClass=idnsRecord) attrs=ALL
 [19/Sep/2013:18:19:51 -0500] conn=9 op=169772 RESULT err=32 tag=101
 nentries=0 etime=0

 So far today there are over half a million of these.  That can't be right.


 I would recommend you to use a network sniffer and check which clients send
 these crazy queries.

 My guess is that your resolver library (libc?) causes this.

 On my Linux system with glibc-2.17-14.fc19.x86_64 it behaves in this way:

 client query = nonexistent.example.com.
 (I used $ ping nonexistent.example.com.)
 search domain in /etc/resolv.conf = brq.redhat.com.

 DNS query #1: nonexistent.example.com. => NXDOMAIN
 DNS query #2: nonexistent.example.com.brq.redhat.com. => NXDOMAIN
 DNS query #3: nonexistent.example.com.redhat.com. => NXDOMAIN


  On Thu, Sep 19, 2013 at 3:05 PM, KodaK sako...@gmail.com wrote:

  I didn't realize that DNS created one connection.  I thought it was one
 connection spanning several days.


 In theory, there should be 2-4 LDAP connections
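
As an added example (not code from the thread or from the FreeIPA project), here is a small Python analyser for the 389-ds access-log lines quoted above: it pairs each SRCH with its RESULT by conn/op, tallies error codes the way the logconv.pl summary in the thread does, counts DNS-backend err=32 results per connection, and rebuilds the DNS name behind each cn=dns lookup so that names produced by resolver search-list expansion (xxx.com becoming xxx.com.unix.xxx.com) can be flagged. The log lines are constructed to match the format in the mails and reuse the anonymised names from them; a real access log quotes the base= and filter= values, which the mail archive stripped, so the regex accepts both forms.

```python
"""Pair SRCH/RESULT lines from a 389-ds access log and flag the DNS-backend
err=32 lookups that come from resolver search-list expansion."""
import re
from collections import Counter

# Constructed sample in the access-log format quoted in the thread (not the
# real logs); names are the anonymised ones used in the mails.
SAMPLE_LOG = """\
[19/Sep/2013:18:19:51 -0500] conn=9 op=169764 SRCH base="idnsName=xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169764 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:51 -0500] conn=9 op=169774 SRCH base="idnsName=slpoxacl01.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169774 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:52 -0500] conn=9 op=169775 SRCH base="idnsName=slpoxacl01,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:52 -0500] conn=9 op=169775 RESULT err=0 tag=101 nentries=1 etime=0
[19/Sep/2013:18:19:52 -0500] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Sep/2013:18:19:52 -0500] conn=12 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
# base= may or may not be quoted (the archive stripped the quotes).
SRCH_RE = re.compile(r'^SRCH base="?(?P<base>[^"]*?)"? scope=(?P<scope>\d)')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+) etime=(?P<etime>[\d.]+)")

# LDAP result codes seen in the thread's logconv.pl summary.
ERR_NAMES = {0: "Successful Operations", 14: "SASL Bind in Progress",
             32: "No Such Object", 49: "Invalid Credentials", 53: "Unwilling To Perform"}


def dns_name_from_base(base):
    """Turn idnsName=<rel>,idnsname=<zone>,cn=dns,... back into the DNS name
    bind-dyndb-ldap was asked to resolve. Returns (fqdn, rel, zone) or None."""
    names = []
    for rdn in base.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "idnsname":
            names.append(value.strip().rstrip("."))
    if len(names) < 2:
        return None
    rel, zone = names[0], names[1]
    return f"{rel}.{zone}", rel, zone


def is_search_list_expansion(rel, zone):
    """True when the relative name already carries the zone or one of its
    parents, i.e. a stub resolver appended a search domain to a name that was
    already fully qualified (xxx.com -> xxx.com.unix.xxx.com)."""
    rel, zone = rel.lower(), zone.lower()
    return rel == zone or rel.endswith("." + zone) or zone.endswith("." + rel)


def summarize(log_text):
    """Return (err_counts, dns_err32_per_conn, suspects); suspects lists the
    (conn, op, fqdn) of err=32 DNS lookups that look like search-list noise."""
    err_counts = Counter()
    dns_err32_per_conn = Counter()
    pending = {}          # (conn, op) -> base DN of a SRCH awaiting its RESULT
    suspects = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        s = SRCH_RE.match(m["rest"])
        if s:
            pending[key] = s["base"]
            continue
        r = RESULT_RE.match(m["rest"])
        if not r:
            continue
        err = int(r["err"])
        err_counts[err] += 1
        base = pending.pop(key, None)
        if err != 32 or base is None or ",cn=dns," not in base.lower():
            continue
        dns_err32_per_conn[key[0]] += 1
        parsed = dns_name_from_base(base)
        if parsed and is_search_list_expansion(parsed[1], parsed[2]):
            suspects.append((key[0], key[1], parsed[0]))
    return err_counts, dns_err32_per_conn, suspects


if __name__ == "__main__":
    counts, per_conn, suspects = summarize(SAMPLE_LOG)
    for err, n in sorted(counts.items()):
        print(f"err={err:<3} {n:>8}  {ERR_NAMES.get(err, '?')}")
    for conn, n in per_conn.most_common(5):
        print(f"conn={conn}: {n} DNS lookups answered err=32")
    for conn, op, fqdn in suspects:
        print(f"conn={conn} op={op}: search-list expansion -> {fqdn}")
```

Run it against a real access log by feeding the file contents to summarize(); the per-connection counter is what singles out one bind-dyndb-ldap connection (conn=170902 in the thread) as the source of nearly all err=32 results.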

Re: [Freeipa-users] Timeout (?) issues

2013-09-19 Thread KodaK
SRV records were missing for _ldaps_tcp.  I added them in for the IPA
servers and that knocked out some of the errors, but there are still a lot.
 I suspect these boxes are overloaded with bad dns queries (probably due to
something I've messed up.)

Any help would be appreciated, but I'm opening a RH ticket.

Thanks,

--Jason


On Thu, Sep 19, 2013 at 1:57 PM, KodaK sako...@gmail.com wrote:

 Well, this is awkward:

 [root@slpidml01 slapd-UNIX-xxx-COM]# grep conn=170902 access* | wc -l
 5453936
 [root@slpidml01 slapd-UNIX-xxx-COM]#


 On Thu, Sep 19, 2013 at 1:48 PM, KodaK sako...@gmail.com wrote:

 Thanks.  I've been running that against my logs, and this has to be
 abnormal:

 err=32   129274   No Such Object
 err=0     10952   Successful Operations
 err=14      536   SASL Bind in Progress
 err=53       39   Unwilling To Perform
 err=49        3   Invalid Credentials (Bad Password)

 I'm still trying to figure out why there are so many error 32s.  Are
 there any usual suspects I should know about?  (That's just the current
 access log, btw.)


 On Tue, Sep 17, 2013 at 9:01 AM, Rich Megginson rmegg...@redhat.com wrote:

  On 09/16/2013 07:57 PM, Dmitri Pal wrote:

 On 09/16/2013 12:02 PM, KodaK wrote:

 Yet another AIX related problem:

  The AIX LDAP client is called secldapclntd (sure, they could make it
 more awkward, but the budget ran out.)  I'm running into the issue detailed
 here:

  http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344

  If an LDAP server fails to answer an LDAP query, secldapclntd caches
 the non-answered query negatively. This may happen if the LDAP server
 is down for example. After the LDAP server is back again secldapclntd will
 use the negative cache entry and the application initiating the original
 query will still fail until the cache entry expires.

  IBM is working on porting the fix to our specific TL and SP levels.

  What I'm concerned with here, though, is *why* is it timing out?  I
 don't know what the current timeout values are (AIX sucks, etc.)

  I don't see timeout issues on my Linux boxes, which leads me to
 believe that either the sssd timeouts are longer or that sssd is just more
 robust when dealing with timeouts.

  I believe I'm seeing similar behavior with LDAP sudo on AIX as well,
 because I occasionally have to re-run sudo commands because they initially
 fail (and I know I'm using the right passwords.)  However, sudo doesn't
 appear to have a cache (or it handles caching better.)

  Does anyone have any troubleshooting suggestions?  Any general speed
 things up suggestions on the IPA side?

  Thanks,

  --Jason



 Is the server FreeIPA?
 Can you see in the server logs what is actually happening: is it the server
 that really takes time, or is there a network connectivity issue, or is a FW
 dropping packets?
 I would really start with the server side logs.


 As far as 389 goes, run logconv.pl against the access logs in
 /var/log/dirsrv/slapd-DOMAIN-COM



 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.


 ---
 Looking to carve out IT costs? www.redhat.com/carveoutcosts/












Re: [Freeipa-users] Timeout (?) issues

2013-09-19 Thread KodaK
Well, this is awkward:

[root@slpidml01 slapd-UNIX-xxx-COM]# grep conn=170902 access* | wc -l
5453936
[root@slpidml01 slapd-UNIX-xxx-COM]#


On Thu, Sep 19, 2013 at 1:48 PM, KodaK sako...@gmail.com wrote:

 Thanks.  I've been running that against my logs, and this has to be
 abnormal:

 err=32   129274   No Such Object
 err=0     10952   Successful Operations
 err=14      536   SASL Bind in Progress
 err=53       39   Unwilling To Perform
 err=49        3   Invalid Credentials (Bad Password)

 I'm still trying to figure out why there are so many error 32s.  Are there
 any usual suspects I should know about?  (That's just the current access
 log, btw.)



Re: [Freeipa-users] Replication causing long etimes

2013-09-19 Thread KodaK
Terry, did you ever get to the bottom of this?  I appear to be having a
similar issue with the same version of IPA.


On Wed, Sep 4, 2013 at 1:18 PM, Terry Soucy tso...@salesforce.com wrote:

 I am experiencing some long execution times, and I'm wondering if anyone
 can give me some insight.

 We are running FreeIPA 3.0.0-26 on Redhat 6.1.  We have multimaster
 replication running among 4 hosts. We have approx. 100 users, 25 usergroups
 and hostgroups, and approx. 2000 hosts in a single domain.  We noticed that
 some DNS queries were timing out periodically. When I investigated further,
 I found several of the DNS requests in the access log:

 [04/Sep/2013:13:42:24 -0300] conn=122491 op=3888679 SRCH
 base=idnsName=compute-1.amazonaws.com,idnsname=prod.ca2.example.com,cn=dns,dc=example,dc=com
 scope=0 filter=(objectClass=idnsRecord) attrs=ALL
 [04/Sep/2013:13:42:44 -0300] conn=122491 op=3888679 RESULT err=32 tag=101
 nentries=0 etime=20

 There are a lot of those, as expected, since we first noticed this issue
 with DNS.

 Then I found this ...

 [04/Sep/2013:13:42:23 -0300] conn=368561 op=9 EXT
 oid=2.16.840.1.113730.3.5.5 name=Netscape Replication End Session
 [04/Sep/2013:13:42:44 -0300] conn=368561 op=9 RESULT err=0 tag=120
 nentries=0 etime=22

 and lots of this ...

 [04/Sep/2013:13:42:26 -0300] conn=368604 op=0 BIND dn= method=sasl
 version=3 mech=GSSAPI
 [04/Sep/2013:13:42:44 -0300] conn=368604 op=0 RESULT err=14 tag=97
 nentries=0 etime=18, SASL bind in progress


 So, is my SASL bind causing the replication to go long, or is the
 replication taking a long time and causing the hang?  Is there a way I can
 see the details of the replication?  There are not a lot of changes going on
 that require replication with regards to dns, users, hosts, etc, so I'm not
 sure why it would take so long.  Also, can I remove the SASL bind and just
 add a replication user to the dse.ldif to remove the requirement for
 kerberos for replication?

 Terry
 --
 Terry Soucy - Systems Engineer
 Salesforce MarketingCloud - http://www.salesforce.com
 (o) 506.631.7445 (c) 506.609.3247 | (e) tso...@salesforce.com


Re: [Freeipa-users] Timeout (?) issues

2013-09-19 Thread KodaK
I didn't realize that DNS created one connection.  I thought it was one
connection spanning several days.


On Thu, Sep 19, 2013 at 2:51 PM, Rich Megginson rmegg...@redhat.com wrote:

  On 09/19/2013 12:57 PM, KodaK wrote:

 Well, this is awkward:

  [root@slpidml01 slapd-UNIX-xxx-COM]# grep conn=170902 access* | wc -l
 5453936
 [root@slpidml01 slapd-UNIX-xxx-COM]#


 Why is it awkward?




 On Thu, Sep 19, 2013 at 1:48 PM, KodaK sako...@gmail.com wrote:

 Thanks.  I've been running that against my logs, and this has to be
 abnormal:

 err=32   129274   No Such Object
 err=0     10952   Successful Operations
 err=14      536   SASL Bind in Progress
 err=53       39   Unwilling To Perform
 err=49        3   Invalid Credentials (Bad Password)

  I'm still trying to figure out why there are so many error 32s.  Are
 there any usual suspects I should know about?  (That's just the current
 access log, btw.)



Re: [Freeipa-users] Timeout (?) issues

2013-09-19 Thread KodaK
This is ridiculous, right?

IPA server 1:

# for i in $(ls access*); do echo -n "$i: "; grep err=32 $i | wc -l; done
access: 248478
access.20130916-043207: 302774
access.20130916-123642: 272572
access.20130916-201516: 294308
access.20130917-081053: 295060
access.20130917-144559: 284498
access.20130917-231435: 281035
access.20130918-091611: 291165
access.20130918-154945: 275792
access.20130919-014322: 296113

IPA server 2:

access: 4313
access.20130909-200216: 4023
access.20130910-200229: 4161
access.20130911-200239: 4182
access.20130912-200249: 5069
access.20130913-200258: 3833
access.20130914-200313: 4208
access.20130915-200323: 4702
access.20130916-200332: 4532


IPA server 3:

access: 802
access.20130910-080737: 3876
access.20130911-080748: 3902
access.20130912-080802: 3678
access.20130913-080810: 3765
access.20130914-080826: 3524
access.20130915-080907: 4142
access.20130916-080916: 4930
access.20130917-080926: 4769
access.20130918-081005: 2879

IPA server 4:

access: 2812
access.20130910-003051: 4095
access.20130911-003105: 3623
access.20130912-003113: 3606
access.20130913-003125: 3581
access.20130914-003135: 3758
access.20130915-003150: 3935
access.20130916-003159: 4184
access.20130917-003210: 3859
access.20130918-003221: 5110


The vast majority of the err=32 messages are DNS entries.

Here are some samples:

[19/Sep/2013:18:19:51 -0500] conn=9 op=169764 SRCH
base=idnsName=xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com
scope=0 filter=(objectClass=idnsRecord) attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169764 RESULT err=32 tag=101
nentries=0 etime=0

[19/Sep/2013:18:19:51 -0500] conn=9 op=169774 SRCH
base=idnsName=slpoxacl01.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com
scope=0 filter=(objectClass=idnsRecord) attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169774 RESULT err=32 tag=101
nentries=0 etime=0

[19/Sep/2013:18:19:51 -0500] conn=9 op=169770 SRCH
base=idnsName=sla400q1.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com
scope=0 filter=(objectClass=idnsRecord) attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169770 RESULT err=32 tag=101
nentries=0 etime=0

[19/Sep/2013:18:19:51 -0500] conn=9 op=169772 SRCH
base=idnsName=magellanhealth.com,idnsname=unix.magellanhealth.com,cn=dns,dc=unix,dc=magellanhealth,dc=com
scope=0 filter=(objectClass=idnsRecord) attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169772 RESULT err=32 tag=101
nentries=0 etime=0

So far today there are over half a million of these.  That can't be right.




Re: [Freeipa-users] Timeout (?) issues

2013-09-19 Thread KodaK
Thanks.  I've been running that against my logs, and this has to be
abnormal:

err=32   129274   No Such Object
err=0     10952   Successful Operations
err=14      536   SASL Bind in Progress
err=53       39   Unwilling To Perform
err=49        3   Invalid Credentials (Bad Password)

I'm still trying to figure out why there are so many error 32s.  Are there
any usual suspects I should know about?  (That's just the current access
log, btw.)


On Tue, Sep 17, 2013 at 9:01 AM, Rich Megginson rmegg...@redhat.com wrote:

 As far as 389 goes, run logconv.pl against the access logs in
 /var/log/dirsrv/slapd-DOMAIN-COM

[Freeipa-users] Timeout (?) issues

2013-09-16 Thread KodaK
Yet another AIX related problem:

The AIX LDAP client is called secldapclntd (sure, they could make it more
awkward, but the budget ran out.)  I'm running into the issue detailed here:

http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344

If an LDAP server fails to answer an LDAP query, secldapclntd caches
the non-answered query negatively. This may happen if the LDAP server is
down for example. After the LDAP server is back again secldapclntd will
use the negative cache entry and the application initiating the original
query will still fail until the cache entry expires.

IBM is working on porting the fix to our specific TL and SP levels.

What I'm concerned with here, though, is *why* is it timing out?  I don't
know what the current timeout values are (AIX sucks, etc.)

I don't see timeout issues on my Linux boxes, which leads me to believe
that either the sssd timeouts are longer or that sssd is just more robust
when dealing with timeouts.

I believe I'm seeing similar behavior with LDAP sudo on AIX as well,
because I occasionally have to re-run sudo commands because they initially
fail (and I know I'm using the right passwords.)  However, sudo doesn't
appear to have a cache (or it handles caching better.)

Does anyone have any troubleshooting suggestions?  Any general speed
things up suggestions on the IPA side?

Thanks,

--Jason


Re: [Freeipa-users] Sanity check on hbac rule on foreign domains.

2013-08-06 Thread KodaK
On Mon, Aug 5, 2013 at 4:23 AM, Sumit Bose sb...@redhat.com wrote:
 Which version of FreeIPA are you using on the server? Maybe the sssd
 logs at a high debug level will give more details why the access is
 denied when you try to log in with ssh as testuser on
 stlmoracsbx01.domain.com.

Something must have been cached, somewhere.
(Even though I cleared every cache I could think of.)

I haven't had time until now; I just tried again and allowed users
work and disallowed users don't.

I have no idea.

Thanks,

--Jason



Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-06 Thread KodaK
On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman
davis.good...@digital-district.ca wrote:
 Hi,

 I have an FreeIPA server configured, managed to configure a Mountain Lion 
 Client for automounts and user logins.

 My issue is that whenever I first login with a user the New Password box 
 shows up and even if I try to change the password the box keeps reappearing 
 without any success.

 If I log onto the machine with the local admin user and try to get a ticket 
 for this user I get a New Password prompt. From there I can change the 
 password and I get a ticket without an issue. After that I can login through 
 the GUI without being asked for a new password.

 Has anyone seen this behaviour before?

That's the expected behavior.  When you set the user's password as an
admin, it sets the "force a password change" flag.

I don't know anything about OSX, but there may be a way to configure
the login GUI to deal with the password change correctly.

Failing that, you can use a web based password change utility and let
users do self service, or, if you don't want that, you can set up a
special password administrator that does not force a change when it
sets passwords (bad idea.)

For setting up either, you need to do this:

http://www.freeipa.org/page/PasswordSynchronization

for the password change user.

This is the web based password change utility I chose to use, but
there are others -- or you can roll your own:

http://ltb-project.org/wiki/documentation/self-service-password

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



[Freeipa-users] Sanity check on hbac rule on foreign domains.

2013-08-02 Thread KodaK
First, before we go any further:  is it supported to use
sssd when the client machine's domain differs from
the realm name?  If not, then the rest of this is moot.

Client box is a RHEL 5.something.  I didn't do ipa-client-install
because I wanted to configure by hand as a test.  The client
box has a DNS name of stlmoracsbx01.domain.com, and the
realm is UNIX.DOMAIN.COM.

I've configured the box with sssd, and I can log in with my personal
credentials because I have a wide-open rule for admins.

I've created a simple rule for a test user, and it's not working.

[xxx@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
  Rule name: stlmoracsbx01-access
  Source host category: all
  Service category: all
  Enabled: TRUE
  Users: testuser
  Hosts: stlmoracsbx01.domain.com

However:

[xxx@slpidml01 ~]$ ipa hbactest --user=testuser --host=stlmoracsbx01.domain.com --service=sshd
--------------------
Access granted: False
--------------------

And my access:

[xxx@slpidml01 ~]$ ipa hbactest --user=xxx --host=stlmoracsbx01.domain.com --service=sshd
--------------------
Access granted: True
--------------------
  Matched rules: admin access

I also tried opening that host up to everyone:

[jebalicki@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
  Rule name: stlmoracsbx01-access
  User category: all
  Source host category: all
  Service category: all
  Enabled: TRUE
  Hosts: stlmoracsbx01.domain.com

But the rule fails.

I thought maybe there might be something with the user testuser, so
I tried another user and I still get a failure.

Any ideas would be appreciated.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
 I think that's the issue. You have to make sure that host.domain.com has
 a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
 setup must be correct so the IPA DNS can forward the request to the
 right server. Then you can call 'ipa host-add host.domain.com' which
 will create a host entry with the principal
 host/host.domain@unix.domain.com. Now you can call ipa-getkeytab and
 transfer the new keytab to host.domain.com.

Ok, I'm dumbfounded (again.)

I've removed the old host from IPA:

[xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/session/xml'
ipa: ERROR: sla400q1.unix.domain.com: host not found

And I added the new host:

[xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/xml'
  Host name: sla400q1.domain.com
  Principal name: host/sla400q1.domain@unix.domain.com
  Password: False
  Keytab: True
  Managed by: sla400q1.domain.com

I generated the keytab:

[xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/sla400q1.domain.com -k /tmp/sla400q1.keytab
Keytab successfully retrieved and stored in: /tmp/sla400q1.keytab
[xxx@slpidml01 ~]$

Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab

But, when I list the principals in the keytab:

sla400q1:/var/adm /usr/krb5/bin/klist -k -e
Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
   1 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
   2 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
   2 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
   1 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
   1 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
   2 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
   2 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
   3 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
   3 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
   4 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
   4 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
   5 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   5 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
   5 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
   6 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   6 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   6 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
   6 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

Where are the sla400q1.unix.domain.com coming from? I've done this over and
over, I can't find any reference to sla400q1.unix.domain.com in DNS in IPA,
and the box never had any unix.domain.com references.

In addition, I'm still getting the error:

Miscellaneous failure\nNo principal in keytab matches desired name\n

in the logs, even though:

sla400q1:/var/adm grep sla400q1 /etc/hosts
192.168.42.108  sla400q1-bk
#10.200.5.48    sla400q1.domain.com sla400q1
10.200.5.48     sla400q1.domain.com sla400q1

sla400q1:/var/adm hostname
sla400q1.domain.com

sla400q1:/var/adm domainname


Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK

[Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
I've been searching and I know it's been answered before but I can't find it.

I have UNIX.DOMAIN.COM as my IPA realm.

I have some hosts that sit on (in dns) domain.com (they are not part
of any other Kerberos realms.)

I'm unable to currently change the domain names on these boxes.

In krb5.conf I have the mappings:

domain.com = UNIX.DOMAIN.COM
.domain.com = UNIX.DOMAIN.COM

I can do a kinit admin from the client machine and get a ticket.

I'm unable to authenticate via ssh to the client machine (with the user admin.)

I'm able to su to the user, so we're talking to ldap and kerberos.

I have the GSSAPI options set in sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

But, in the syslog I see:

Miscellaneous failure\nNo principal in keytab matches desired name\n

I'm sure this is because I generated the keytab for
host.unix.domain.com instead of host.domain.com -- but I don't
know how to accomplish the second one.

I may be on the wrong track here.  Every time I think I understand
this I get hit with something that shows me that I'm still clueless.

A pointer to a previous discussion on this would be sufficient, I think.

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
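An added check for the mismatch discussed in this message and in the keytab listing earlier in the thread (my own example, not code from the list or from FreeIPA). The krb5.conf fragment and the klist output are constructed; the realm lookup follows the documented [domain_realm] rule, an exact host entry first, then the longest parent domain written with a leading dot, so the script shows why a keytab cut for host/sla400q1.unix.domain.com cannot satisfy sshd on a box whose name is sla400q1.domain.com.

```python
import re

# Constructed krb5.conf fragment (assumption: the two domain.com mappings the
# thread shows, plus the usual unix.domain.com entries an IPA client carries).
KRB5_CONF = """\
[libdefaults]
    default_realm = UNIX.DOMAIN.COM

[domain_realm]
    domain.com = UNIX.DOMAIN.COM
    .domain.com = UNIX.DOMAIN.COM
    unix.domain.com = UNIX.DOMAIN.COM
    .unix.domain.com = UNIX.DOMAIN.COM
"""

# Constructed 'klist -k -e' output: the keytab as the thread first had it,
# generated for the realm-domain name rather than the box's real DNS name.
KLIST_WRONG_NAME = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (aes128-cts-hmac-sha1-96)
"""

# Constructed output after ipa-getkeytab for host/sla400q1.domain.com.
KLIST_FIXED = KLIST_WRONG_NAME + """\
   2 host/sla400q1.domain.com@UNIX.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 host/sla400q1.domain.com@UNIX.DOMAIN.COM (aes128-cts-hmac-sha1-96)
"""


def parse_domain_realm(krb5_conf: str) -> dict:
    """Return the [domain_realm] section of a krb5.conf as {name: REALM}."""
    mapping, section = {}, None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def realm_for_host(fqdn: str, domain_realm: dict):
    """Map a host name to a realm the way [domain_realm] is documented to work:
    an exact host entry wins, otherwise the longest parent domain entry
    written with a leading dot; None when nothing matches."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in domain_realm:
        return domain_realm[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None


def keytab_principals(klist_output: str) -> set:
    """Collect principal names from 'klist -k' output (entry lines start with a KVNO)."""
    found = set()
    for line in klist_output.splitlines():
        entry = re.match(r"^\s*\d+\s+(\S+@\S+)", line)
        if entry:
            found.add(entry.group(1))
    return found


def check_host_keytab(fqdn: str, krb5_conf: str, klist_output: str) -> dict:
    """Report whether the keytab holds the principal GSSAPI will look up for
    this host name: host/<fqdn>@<realm from domain_realm>."""
    realm = realm_for_host(fqdn, parse_domain_realm(krb5_conf))
    expected = f"host/{fqdn}@{realm}" if realm else None
    present = keytab_principals(klist_output)
    return {
        "expected": expected,
        "found": expected in present,
        "host_principals": sorted(p for p in present if p.startswith("host/")),
    }


if __name__ == "__main__":
    for label, listing in (("before", KLIST_WRONG_NAME), ("after", KLIST_FIXED)):
        report = check_host_keytab("sla400q1.domain.com", KRB5_CONF, listing)
        print(label, report["expected"], "present:", report["found"])
```

On a real client, feed it `socket.getfqdn()`, the contents of /etc/krb5.conf and the output of `klist -k -e` to get the same report.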



Re: [Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
Never mind, AIX problem (surprise, surprise!)

Since it's half-kerberized at this point (the default is system auth,
not kerb/ldap) it failed.

I had to create entries in /etc/security/user for the users I wanted
to test with and explicitly state that I wanted them to log on via
krb5/ldap.

--Jason

On Tue, Jul 30, 2013 at 2:41 PM, KodaK sako...@gmail.com wrote:
 I've been searching and I know it's been answered before but I can't find it.

 I have UNIX.DOMAIN.COM as my IPA realm.

 I have some hosts that sit on (in dns) domain.com (they are not part
 of any other Kerberos realms.)

 I'm unable to currently change the domain names on these boxes.

 In krb5.conf I have the mappings:

 domain.com = UNIX.DOMAIN.COM
 .domain.com = UNIX.DOMAIN.COM

 I can do a kinit admin from the client machine and get a ticket.

 I'm unable to authenticate via ssh to the client machine (with the user 
 admin.)

 I'm able to su to the user, so we're talking to ldap and kerberos.

 I have the GSSAPI options set in sshd_config:

 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes

 But, in the syslog I see:

 Miscellaneous failure\nNo principal in keytab matches desired name\n

 I'm sure this is because I generated the keytab for
 host.unix.domain.com instead of host.domain.com -- but I don't
 know how to accomplish the second one.

 I may be on the wrong track here.  Every time I think I understand
 this I get hit with something that shows me that I'm still clueless.

 A pointer to a previous discussion on this would be sufficient, I think.

 Thanks,

 --Jason

 --
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
Ok, so, yeah -- my first question stands.  This works when it falls
back to LDAP, but it does not honor a kerberos ticket.  Is there a way
to do that in the same circumstances?

Thanks again,

--Jason

On Tue, Jul 30, 2013 at 2:58 PM, KodaK sako...@gmail.com wrote:
 Nevermind, AIX problem (surprise, surprise!)

 Since it's half-kerberized at this point (the default is system auth,
 not kerb/ldap) it failed.

 I had to create entries in /etc/security/user for the users I wanted
 to test with and explicitly state that I wanted them to log on via
 krb5/ldap.

 --Jason

 On Tue, Jul 30, 2013 at 2:41 PM, KodaK sako...@gmail.com wrote:
 I've been searching and I know it's been answered before but I can't find it.

 I have UNIX.DOMAIN.COM as my IPA realm.

 I have some hosts that sit on (in dns) domain.com (they are not part
 of any other Kerberos realms.)

 I'm unable to currently change the domain names on these boxes.

 In krb5.conf I have the mappings:

 domain.com = UNIX.DOMAIN.COM
 .domain.com = UNIX.DOMAIN.COM

 I can do a kinit admin from the client machine and get a ticket.

 I'm unable to authenticate via ssh to the client machine (with the user 
 admin.)

 I'm able to su to the user, so we're talking to ldap and kerberos.

 I have the GSSAPI options set in sshd_config:

 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes

 But, in the syslog I see:

 Miscellaneous failure\nNo principal in keytab matches desired name\n

 I'm sure this is because I generated the keytab for
 host.unix.domain.com instead of host.domain.com -- but I don't
 know how to accomplish the second one.

 I may be on the wrong track here.  Every time I think I understand
 this I get hit with something that shows me that I'm still clueless.

 A pointer to a previous discussion on this would be sufficient, I think.

 Thanks,

 --Jason


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

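An added diagnostic for the keytab mismatch described in this thread (editor's example, not code from the post): it resolves a host name to a realm from the krb5.conf [domain_realm] section the way libkrb5 does (exact host match, then the longest leading-dot suffix, then default_realm), derives the host/ service principal an ssh client will request for the name it connects to, and checks whether that principal is present in the server keytab as listed by klist -k. The krb5.conf fragment and klist output are constructed to mirror Jason's setup; the function names are this example's own.

```python
import re

# Constructed krb5.conf fragment mirroring the thread: the IPA realm is
# UNIX.DOMAIN.COM but some clients live in the DNS domain domain.com.
KRB5_CONF = """
[libdefaults]
  default_realm = UNIX.DOMAIN.COM

[domain_realm]
  domain.com = UNIX.DOMAIN.COM
  .domain.com = UNIX.DOMAIN.COM
  unix.domain.com = UNIX.DOMAIN.COM
  .unix.domain.com = UNIX.DOMAIN.COM
"""

# Constructed "klist -k /etc/krb5.keytab" output from the server: the keytab
# was generated for host.unix.domain.com, as described in the thread.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/host.unix.domain.com@UNIX.DOMAIN.COM
   2 host/host.unix.domain.com@UNIX.DOMAIN.COM
"""


def parse_krb5_conf(conf):
    """Return ({host_or_suffix: realm}, default_realm) from krb5.conf text."""
    mapping, default_realm, section = {}, None, None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = (p.strip() for p in line.partition('='))
        if not sep:
            continue
        if section == 'domain_realm':
            mapping[key.lower()] = value
        elif section == 'libdefaults' and key == 'default_realm':
            default_realm = value
    return mapping, default_realm


def realm_for_host(fqdn, mapping, default_realm):
    """Mimic the libkrb5 domain_realm lookup: exact host name first, then the
    longest matching '.suffix' entry, then the default realm (None if unset)."""
    host = fqdn.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default_realm


def keytab_principals(klist_output):
    """Extract the set of principal names from 'klist -k' output."""
    principals = set()
    for line in klist_output.splitlines():
        m = re.match(r'\s*\d+\s+(\S+@\S+)$', line)
        if m:
            principals.add(m.group(1))
    return principals


def check_host_keytab(client_fqdn, conf, klist_output):
    """Return (expected_principal, present): the host/ principal an ssh client
    requests for client_fqdn, and whether the server keytab contains it."""
    mapping, default_realm = parse_krb5_conf(conf)
    realm = realm_for_host(client_fqdn, mapping, default_realm)
    expected = 'host/%s@%s' % (client_fqdn.lower().rstrip('.'), realm)
    return expected, expected in keytab_principals(klist_output)


if __name__ == '__main__':
    for name in ('host.domain.com', 'host.unix.domain.com'):
        principal, ok = check_host_keytab(name, KRB5_CONF, KLIST_OUTPUT)
        print('%s -> wants %s: %s' % (name, principal, 'in keytab' if ok
                                      else 'NOT in keytab (GSSAPI will fail)'))
```

Connecting by the short DNS name the client asks for host/host.domain.com@UNIX.DOMAIN.COM, which the keytab lacks; that is exactly the "No principal in keytab matches desired name" failure, so either add that principal to the keytab or make clients use the name the keytab was issued for.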


Re: [Freeipa-users] password resetting into IPA

2013-07-30 Thread KodaK
On Tue, Jul 30, 2013 at 6:16 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
> Has anybody tried this?
>
> http://code.google.com/p/pwm/
>
> Would it work, or is it advised not to use it? If so, reasons please?


It's been talked about a bit in this mailing list.  I had issues, and I know of
another person who was setting it up (but I never heard any success reports.)

Give it a shot and see where you can go with it.

I used this:

http://ltb-project.org/wiki/documentation/self-service-password

But it's much simpler and feature-poor than PWM seems to be.
(But works for what I need.)



[Freeipa-users] IPA + AD authentication in apache

2013-07-18 Thread KodaK
Another off the wall one from me, but I just want to know if this is worth
pursuing.

I have a series of internal web applications that authenticate variously to
AD or IPA via prompted credentials.

I'd like to use Kerberos tickets (and fall back to LDAP) instead.

I have an IPA connected apache server that most of this stuff runs on.

Is it possible to use both?

I'm going to try following this example to get my feet wet:

http://www.tuxlanding.net/kerberos-authentication-with-apache-in-a-multi-domain-active-directory/

but that's just talking about multiple AD realms.  I'd like to know if
there are any special considerations for IPA.

Thanks again,

--Jason


Re: [Freeipa-users] deleting password history?

2013-07-15 Thread KodaK
On Mon, Jul 15, 2013 at 7:04 PM, Dmitri Pal d...@redhat.com wrote:

> You probably want to remove krbPwdHistory attribute and set
> krbPwdHistoryLength to 0.


Just so I'm clear:  I only want to do a one-time erase for one user so he
can use a password he was using earlier.  We changed it for testing and I
don't think that should be held against him. :)

I'm not sure if this disables password history for that user or just clears
it.

Thanks,

--Jason


Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread KodaK
On Thu, Jul 11, 2013 at 5:19 PM, Dmitri Pal d...@redhat.com wrote:


> I am not good with ldap syntax but SQL is natural for me so conceptually the
> search would look like this:


I don't think it's humanly possible to be good at ldap syntax.


> I hope it conveys what I have in mind. The result of such search would be
> a list of group members that have access to the host.
> This is pretty close to what you have done except it covers nested groups
> too and uses HBAC rules.


I haven't had any luck with nested groups at all anyway, so I avoid using
them.  I may give this idea some more thought.  Thanks.


> Private. I made a typo. It should have been V :-)


Ah, ok. :)

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread KodaK
On Fri, Jul 12, 2013 at 7:31 AM, natxo asenjo natxo.ase...@gmail.com wrote:

> tcp wrappers support netgroups (iirc), you could use that too (you
> cannot mix hosts and users though, so you should create netgroups of
> users.)


I haven't used tcp wrappers in years, and I never knew it supported
netgroups.  That's great to know, thanks!


Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-09 Thread KodaK
On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden rcrit...@redhat.com wrote:


> HBAC is enforced by sssd, so no sssd, no HBAC.
>
> I think you need to use pam_access to limit users in AIX.


I have some work-arounds now, but I'd like to find a way to automate them.
What I need is a way to ask IPA "who is allowed to access this particular
server?"

The goal is to just get a list of allowed users; then there are various
mechanisms I can employ to allow access to only the listed users.  I plan
to do this from the puppet master so I can push the configs from there.  I
have ipa-admintools and openldap-clients installed on the puppet master.

Right now I'm iterating through all the hbacrules and grepping for the
server in question, then getting the details of that rule.  This is a lot
of requests.



[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-08 Thread KodaK
We've just discovered that AIX does not honor HBAC rules with telnet.  ssh
is fine.

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd
-
Access granted: False
-

There was no telnet service by default, I created one (but I'm not sure I
did so correctly.)

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=telnet
-
Access granted: False
-

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com
Service: any
-
Access granted: False
-

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=login
-
Access granted: False
-

But:

[jebalicki@mo0033802 ~]$ telnet sla765q1
Trying 10.200.5.137...
Connected to sla765q1.
Escape character is '^]'.
telnet (sla765q1.unix.magellanhealth.com)
[login banner and blank lines removed]
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: testuser
testuser's Password:
-bash-3.2$ logout
Connection closed by foreign host.

AIX was configured with standard authentication at first:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Standard Aix

But I changed that to add kerberos:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Kerberos 5
Standard Aix

However, all that does is cause kerberos to timeout on the invalid user and
then fall back to allowing the user in anyway.

I'm still investigating to see if this is an implementation problem, or if
AIX is just incapable of this.

I continue to lobby for turning off telnet, but there is political pressure
to keep it open.

Anyone have any ideas for things I could try?

Thanks,

--Jason



Re: [Freeipa-users] why default shell /bin/sh

2013-06-06 Thread KodaK
On Thu, Jun 6, 2013 at 9:30 AM, Rob Crittenden rcrit...@redhat.com wrote:


> Lowest-common denominator. One can configure all sorts of *nix-like
> systems to use IPA for authentication so we needed a default shell that is
> available on all systems and that is the bourne shell.


I have a bunch of AIX machines, the users on those demand ksh, mostly.
Luckily I have ksh for Linux and bash for AIX to cover everyone, but I'm
tempted to give them all csh just to teach them a lesson.

Re: [Freeipa-users] sudo rules user and host group bugs?

2013-06-05 Thread KodaK
Sorry, for some reason gmail makes me forget about reply all.

On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal d...@redhat.com wrote:

> On 06/05/2013 11:20 AM, KodaK wrote:
>
>> I know this has been discussed before, but I didn't see anything with a
>> cursory search.
>>
>> There are bugs when using user and host groups with sudo rules.  I have to
>> split out my users and hosts into individual entries.  I'm running ipa
>> 3.0.0-26 on RHEL.
>>
>> All I really want to know is if this is fixed upstream.
>
>
> I am not sure I recall a bug you are referring to. A quick scan against
> the open tickets does not reveal anything like what you describe.
> Can you provide the description of the issue or point to the earlier
> thread on the matter?


I'm going off of memory on seeing the previous bug.  It very well could be
a false memory.

I have a rule like this:

[jebalicki@mo0033802 ~]$ ipa sudorule-show esolutions-sandbox-root-access
  Rule name: esolutions-sandbox-root-access
  Enabled: TRUE
  Users: slfries, awellard
  Hosts: slnessbxl01.unix.magellanhealth.com
  Sudo Allow Commands: /bin/su -

This works.  However, if I change the rule to use hostgroups instead of
listing the hosts individually the rule will not work.

The groups still exist and look like this:

[jebalicki@mo0033802 ~]$ ipa hostgroup-show esolutions-sandbox-hosts
  Host-group: esolutions-sandbox-hosts
  Description: esolutions sandbox hosts
  Member hosts: slnessbxl01.unix.magellanhealth.com
  Member of HBAC rule: esolutions-sandbox-access

[jebalicki@mo0033802 ~]$ ipa group-show esolutions
  Group name: esolutions
  Description: esolutions group
  GID: 1115600250
  Member users: awellard, slfries
  Member of HBAC rule: esolutions-sandbox-access

Client machine is pretty much default-out-of-the-box IRT IPA configuration,
here's the installer output (installs during kickstart):

[root@slnessbxl01 ~]# cat ks-post.log
Discovery was successful!
Hostname: slnessbxl01.unix.magellanhealth.com
Realm: UNIX.MAGELLANHEALTH.COM
DNS Domain: UNIX.MAGELLANHEALTH.COM
IPA Server: slpidml01.unix.magellanhealth.com
BaseDN: dc=unix,dc=magellanhealth,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm UNIX.MAGELLANHEALTH.COM
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.MAGELLANHEALTH.COM
Warning: Hostname (slnessbxl01.unix.magellanhealth.com) not found in DNS
DNS server record set to: slnessbxl01.unix.magellanhealth.com -> 10.200.12.104
SSSD enabled
NTP enabled
Client configuration complete.

[root@slnessbxl01 ~]# rpm -qa | grep ipa
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
[root@slnessbxl01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[root@slnessbxl01 ~]#

Re: [Freeipa-users] Issues after setup

2013-04-04 Thread KodaK
Run an hbactest:

ipa hbactest --user=youruser --host=fqdn.of.host --service=sshd

Make sure that works, if it does, then you can move on to troubleshooting
the host itself.


On Thu, Apr 4, 2013 at 2:27 PM, Shawn taaj.sh...@gmail.com wrote:

> Hi,
>
> I have configured an ipa-server, replica and client.
>
> In the GUI I can see that all hosts are in the hosts list.. I have
> created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the
> secure.log.
>
> fatal: Access denied for user username by PAM account configuration.
>
> any suggestions on steps to troubleshoot this?
>
> Thanks
>
>
> --
> *- Shawn Taaj*






[Freeipa-users] IPA branding

2013-03-28 Thread KodaK
I've been asked to look into the possibility of branding IPA.
I'm running ipa 3.0.0-26 on RHEL 6.

Is it safe to just modify the css files in /usr/share/ipa/ui, or is
there (or will there be, since I've seen references to a branding
patch) a preferred way to do this?  They want the logo swapped out
and the colors modified, basically.

I'd personally be OK with it if someone were to say that's coming in
a future release so I can relay that and then hope people forget. :)

Thanks,

--Jason



Re: [Freeipa-users] Mail Challenge Password Reset

2013-03-21 Thread KodaK
On Wed, Mar 20, 2013 at 7:54 PM, Simo Sorce s...@redhat.com wrote:
> You should have given the pwm user 'password sync' privileges.
> See this: http://www.freeipa.org/page/PasswordSynchronization

I remember what my problem with PWM was now:  it wants to go out and
retrieve something from the cloud when it runs, and since we're
behind a few dozen firewalls that's just not going to happen.

2013-03-21 14:16:28, TRACE, pwm.VersionChecker, sending cloud version
request to: https://pwm-cloud.appspot.com/rest/pwm/current-version;

It just hangs there.  Anyway, I'm not going to bother trying to fix it, because:

http://ltb-project.org/wiki/documentation/self-service-password

That works just fine.  I listed the user I set up for password
management in passSyncManagersDNs and everything seems OK.

I need to evaluate LTB quite a bit and make sure there aren't any
glaring holes, but it looks like I may have a solution.  PWM looks
like it'd be nice, but I'm a path-of-least-resistance kind of guy.

--Jason



Re: [Freeipa-users] Mail Challenge Password Reset

2013-03-20 Thread KodaK
On Wed, Mar 20, 2013 at 6:23 PM, Michael ORourke
mrorou...@earthlink.net wrote:
> We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
> It is working very well and we plan to move it into production soon.
> I haven't written a how-to, but I have several notes on setting this up.
> What part of PWM are you having trouble with?

It's been a while, but IIRC when a user would request a reset via pwm
and then set their password, it would require a further change because
changing it through PWM was as-if an admin had done so.  Something
like that.  Like I said, I didn't test that long with it.  Like Dmitri
said, if you could share your notes or write up a how-to the community
would certainly appreciate it.

Thanks,

--Jason



Re: [Freeipa-users] Mail Challenge Password Reset

2013-03-19 Thread KodaK
On Tue, Mar 19, 2013 at 3:36 PM, Rob Crittenden rcrit...@redhat.com wrote:
> John Moyer wrote:
>
>> Is there a mail challenge 3rd party tool that allows for users to change
>> their own passwords if they don't know their password?  Something like
>> PWM for LDAP?
>>
>> https://code.google.com/p/pwm/
>>
>> I've been looking around and no one seems to have done this yet, but
>> wanted to yield to this group before giving up hope.
>
>
> No. There is a ticket to add support for this but it isn't planned to be
> worked on for some time.
>
> There was a thread about this last year:
> https://www.redhat.com/archives/freeipa-users/2012-July/msg00051.html

That was me.  I still haven't done much -- pwm didn't work out well
because when it changes the user's password it auto-expires as if an
admin changed it, and I didn't look much past that.  With 3.0 users are
able to reset their expired passwords and that's 99% of the changes
that need to be made at our site (many of my users only use AIX
servers, and the version we're running is horribly broken in regards
to passing along messages from the auth backend.  I set up a Linux VM
specifically for account administration of this type, too.)



Re: [Freeipa-users] Revisiting auditing and avoiding reinvention of round rolling things

2013-03-17 Thread KodaK
On Fri, Mar 15, 2013 at 8:54 PM, Dmitri Pal d...@redhat.com wrote:

> This is what HBAC test is about

The HBAC test will allow me to see if a single user can access a given
server.  It doesn't give me a list of all the users that are allowed
to access a given host.  I can dump a list of users and run that list
through an HBAC test, but it takes forever and it just seems like
there should be a better way.

Thanks for replying -- I may end up filing that ticket.

--Jason



[Freeipa-users] Revisiting auditing and avoiding reinvention of round rolling things

2013-03-13 Thread KodaK
Hi all.

I know that the A part of IPA has been delayed, but that doesn't mean
that the auditing requirement has gone away.

Before I write a bunch of stuff for this, I wanted to see if anyone
had any thoughts (or code!) regarding how to accomplish some of this
stuff that auditors want to see.

Here's an email I received from an EY auditor:

---cut---
Thanks for the great response! I think at this point it's probably best
to jump on a call/meet in person and try to figure out where to go
from here. What we would like to understand is if IPA will be in scope
for our audit this year. From what you have told me below, it's
'possible' that user accounts on IPA may have access to our in-scope
servers.  And if this is the case we would need to obtain evidence of
who has access to our in-scope servers through IPA, their level of
access and how they authenticate to the server.

Here are a couple of thoughts on my mind that I would like to discuss
further before we 'formally' request this evidence:
•   Would we be able to obtain a 'system generated' list or screenshots
showing all accounts on IPA that are able to access our in-scope
servers?
•   Additionally, you mentioned that regular user accounts su or sudo to
the application account (root). Would we be able to evidence which
accounts on IPA are configured to be able to su to the application
account?
•   We would like to find a way to evidence the authentication path and
the specific password parameters in place for the user accounts on IPA
that we determine are in-scope for us this year.
•   How are accounts set up on IPA? What is the process for setting up new
users?
•   Who has privileged access (the ability to add, delete or modify user
accounts) to IPA, and would we be able to obtain evidence to show who
has these access rights?
---cut---

I know I can dump a list of users, then run that list through a series
of HBAC tests to see if a user is allowed access to a particular
server, but is there a way to easily ask "what users can log into this
server?"  Or even "what users are allowed to su to this account on
this server?" as is being asked above?

Does anyone already have any code they'd be willing to share to this end?

Thanks for any thoughts at all,

--Jason



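An added example (editor's code, not from the thread) for the question asked here and again in the "HBAC test" reply and the "Glaring hole in AIX telnet" post above: instead of running hbactest once per user, evaluate exported HBAC rule data (the shape returned by ipa hbacrule-find --all) for one host, flatten nested user, host and service groups, and report every user together with the rule that grants access, which is the evidence the auditor asked for. The rule and group data below are constructed and simplified (API key names such as memberuser_group are kept, values are plain Python types); the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample data (not exported from a live server). Key names follow
# the ipa JSON API result of hbacrule-find; values are simplified to plain
# Python types. The group and host names mirror objects quoted in this thread.
USER_GROUPS = {
    'esolutions':  {'members': ['awellard', 'slfries'], 'member_groups': []},
    'dba':         {'members': ['oracle_admin'],        'member_groups': []},
    'unix-admins': {'members': ['jebalicki'],           'member_groups': ['dba']},
}
HOST_GROUPS = {
    'esolutions-sandbox-hosts': {'members': ['slnessbxl01.unix.magellanhealth.com'],
                                 'member_groups': []},
}
SERVICE_GROUPS = {
    'remote-login': {'members': ['sshd', 'login', 'telnet'], 'member_groups': []},
}
HBAC_RULES = [
    # IPA's default allow_all rule, disabled here as it should be once real rules exist
    {'cn': 'allow_all', 'ipaenabledflag': False,
     'usercategory': 'all', 'hostcategory': 'all', 'servicecategory': 'all'},
    {'cn': 'esolutions-sandbox-access', 'ipaenabledflag': True,
     'memberuser_group': ['esolutions'],
     'memberhost_hostgroup': ['esolutions-sandbox-hosts'],
     'memberservice_hbacsvcgroup': ['remote-login']},
    {'cn': 'admins-everywhere', 'ipaenabledflag': True,
     'memberuser_group': ['unix-admins'],
     'hostcategory': 'all', 'servicecategory': 'all'},
    {'cn': 'old-rule', 'ipaenabledflag': False,
     'memberuser_user': ['nobody'], 'hostcategory': 'all', 'servicecategory': 'all'},
    {'cn': 'ftp-only', 'ipaenabledflag': True,
     'memberuser_user': ['ftpuser'],
     'memberhost_host': ['slnessbxl01.unix.magellanhealth.com'],
     'memberservice_hbacsvc': ['ftpd']},
]


def expand_group(name, groups, seen=None):
    """Flatten a group and its nested member groups into a set of members.
    Unknown groups expand to nothing; cycles are cut off via `seen`."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    members = set(groups[name].get('members', []))
    for sub in groups[name].get('member_groups', []):
        members |= expand_group(sub, groups, seen)
    return members


def rule_matches_host(rule, fqdn):
    if rule.get('hostcategory') == 'all' or fqdn in rule.get('memberhost_host', []):
        return True
    return any(fqdn in expand_group(hg, HOST_GROUPS)
               for hg in rule.get('memberhost_hostgroup', []))


def rule_matches_service(rule, service):
    """service=None means 'any service', like hbactest without --service."""
    if service is None or rule.get('servicecategory') == 'all':
        return True
    if service in rule.get('memberservice_hbacsvc', []):
        return True
    return any(service in expand_group(sg, SERVICE_GROUPS)
               for sg in rule.get('memberservice_hbacsvcgroup', []))


def rule_users(rule):
    """Users a rule grants; None means every user (user category 'all')."""
    if rule.get('usercategory') == 'all':
        return None
    users = set(rule.get('memberuser_user', []))
    for g in rule.get('memberuser_group', []):
        users |= expand_group(g, USER_GROUPS)
    return users


def who_can_access(fqdn, service=None, rules=HBAC_RULES):
    """Return {user: [rule names]} for every user an enabled HBAC rule lets onto
    fqdn for the given service. The key 'ALL USERS' records any enabled rule
    whose user category is 'all' (an audit finding in itself)."""
    grants = defaultdict(list)
    for rule in rules:
        if not rule.get('ipaenabledflag', False):
            continue
        if not (rule_matches_host(rule, fqdn) and rule_matches_service(rule, service)):
            continue
        users = rule_users(rule)
        for u in (['ALL USERS'] if users is None else sorted(users)):
            grants[u].append(rule['cn'])
    return dict(grants)


if __name__ == '__main__':
    host = 'slnessbxl01.unix.magellanhealth.com'
    for user, via in sorted(who_can_access(host, 'sshd').items()):
        print('%-14s via %s' % (user, ', '.join(via)))
```

With real data, replace the constructed dicts with the output of ipa hbacrule-find --all plus group-show/hostgroup-show for the referenced groups, and keep the result with the date as the auditor's "system generated" list.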


Re: [Freeipa-users] Solaris Clients

2013-03-13 Thread KodaK
On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney l...@kearney.jp wrote:
> Hello,
>
> I have recently been working on integrating our solaris 10 fleet with
> FreeIPA. The first 'test' host went relatively smoothly and we recently
> created a new test host. Only this time it was more challenging to get the
> system working.
>
> On our original test installation every step went almost exactly as per the
> documentation [
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
> ]
>
> On the second install we found that whilst we were able to retrieve user
> account information via LDAP we could not login via ssh and kerberos for any
> amount of trying. This was overcome by inserting the following line into
> pam.conf
>
> other   account   sufficient   pam_ldap.so.1
>
> where it had not been needed on test host1.
>
> To the extent it works and doesn't break something else this is all fine. I
> understand why it works as the information in ldap is needed to open the
> terminal session, why would one need this stanza but not the other?


IIRC, the instructions have you pulling information from Kerberos.
This explicitly allows ldap -- I would suspect that Kerberos isn't
working correctly on the second host.  Check time first.




Re: [Freeipa-users] What does the u mean in IPA messages?

2013-03-01 Thread KodaK
On Thu, Feb 28, 2013 at 5:01 PM, John Dennis jden...@redhat.com wrote:
> On 02/28/2013 05:34 PM, KodaK wrote:
>
> BTW, why are you parsing diagnostic output?

I haven't actually started yet, I was just getting my bearings.

I was going to wrap the commands in some scripts so I can do things
like allow an auditor to view the results of an HBAC test without
being able to modify them.  Among other things.  Is there a way to
turn off the diagnostic messages?  They appear to be on by default.



[Freeipa-users] What does the u mean in IPA messages?

2013-02-28 Thread KodaK
When performing an operation with the IPA tools, I get a message every
time similar to this:

ipa: INFO: Forwarding 'hbactest' to server u'https://ipaserver/ipa/xml'

What does it mean?  I've never seen it say anything other than u
(that I've noticed.)  A pointer to documentation is preferred, but
I've been looking and haven't found anything.  (Lots of stuff on the
International Phonetic Alphabet's use of u though.  I think I'm
qualified to edit dictionaries now.)

Thanks!



Re: [Freeipa-users] What does the u mean in IPA messages?

2013-02-28 Thread KodaK
On Thu, Feb 28, 2013 at 3:27 PM, John Dennis jden...@redhat.com wrote:
> On 02/28/2013 04:18 PM, KodaK wrote:
>
>> When performing an operation with the IPA tools, I get a message every
>> time similar to this:
>>
>> ipa: INFO: Forwarding 'hbactest' to server u'https://ipaserver/ipa/xml'
>>
>> What does it mean?  I've never seen it say anything other than u
>> (that I've noticed.)  A pointer to documentation is preferred, but
>> I've been looking and haven't found anything.  (Lots of stuff on the
>> International Phonetic Alphabet's use of u though.  I think I'm
>> qualified to edit dictionaries now.)
>
>
> It means unicode; it's a Python-ism. In Python 2 there are two different
> string types, str and unicode. str's have 8-bit characters, unicode have
> wide characters (either 16-bit UCS2 or 32-bit UCS4) depending on how Python
> was built (unicode is UCS4 on our builds). Since IPA is internationalized we
> use unicode for all strings.
>
> What the u prefix is telling you is the type of the string. The only reason
> you see it is because in some places we use the repr method to output string
> data, and the repr method prefixes unicode with a u character. We've been
> fixing places where the repr method is used; not sure if this is one of those or
> not. We were using repr because early on we were not consistent with whether
> we used str's or unicode objects and it was handy to know the difference;
> it's not so much of an issue any more.

Ah, thanks for the explanation.  If I build parsing scripts for
things, is the u going to disappear in the future with the
discontinuation of the repr method?  (That's what set this off in the
first place.)



[Freeipa-users] proper way to clear sssd cache without sss_cache?

2013-02-26 Thread KodaK
I know that at some point the sssd package (or maybe the tools
package) started including sss_cache for managing the sssd cache.  I
have some RHEL5 boxes that don't have this utility.

I've been stopping the sssd service, deleting the contents of
/var/lib/sss/db/ and then restarting and things seem to be working OK,
but I wanted to find out if there was a proper procedure?

Thanks!



[Freeipa-users] IPA with ILO

2013-02-22 Thread KodaK
Just curious if anyone has configured HP ILO to authenticate against
IPA.  I'm just starting out and the fact that the ILO configuration
screen has a section for a SID has me a bit concerned.



Re: [Freeipa-users] IPA with ILO

2013-02-22 Thread KodaK
On Fri, Feb 22, 2013 at 10:05 AM, Han Boetes hboe...@gmail.com wrote:
> Hi Kodak,
>
> The question is: Which authentication mechanisms does HP ILO support?

Their documentation kind of blurs the lines.  It appears that the only
directory that exists (according to HP) is AD, so they freely mix
LDAP, AD and directory when talking about it in their documentation.

It's a moot point now, though, because I brought it up that I needed a
directory license for ILO to the Windows admins (who also own the
hardware) and they nixed it -- they want to use AD or nothing.  Sigh.

Thanks,

--Jason



Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread KodaK
On Wed, Feb 20, 2013 at 8:41 AM, Bret Wortman bret.wort...@damascusgrp.com wrote:

> Eureka!
>
> Someone had deleted the contents of /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I
> replaced it from a saved copy and now everything's working as expected.
>
> Thanks everyone for your contributions, patience, and indulgence. And for
> a wonderful product!


I wouldn't be too sure that someone deleted it.  A couple of weeks ago I
had a crash and half of my replicas had an empty dse.ldif.  I think you and
I may be hitting a bug.

--Jason

Re: [Freeipa-users] IPA w/ Puppet?

2013-02-15 Thread KodaK
On Fri, Feb 15, 2013 at 11:25 AM, Lynn Root lr...@redhat.com wrote:
> Hi all -
>
> I'm curious if anyone has written Puppet manifests for managing an IPA
> domain. If so, I'd like to pester you to take a peek at those manifests.
> More curious on the overall automated management process than anything
> specific.
>
> I did find a post [1] on IPA managing the certs that Puppet uses - but
> perhaps someone else has gone a bit deeper!

I use puppet to push various things related to IPA.  For example, I
have a lot of AIX hosts, so I use puppet to push ipa.crt, sshd_config,
ssh_config, ldap.cfg, ntpd.conf, netsvc (AIX's nsswitch.conf,) and
some other things that I'm not thinking of at the moment.  I do some
of this for Linux hosts too, just to keep things in sync (resolv.conf,
the ssh configs, PAM configs, etc.)

Pretty basic stuff, I either push the whole config file or add lines
to it.  Nothing fancy.

Here's a listing of my custom modules directory, it should give some
idea of what I'm doing:

aix_dot_profile
aix_etc_profile
aix_hacmp_facts
aix_inittab
aix_ldap
aix_ldap_startup
aix_ldap_temp_fix
aix_methods_cfg
aix_ntp_conf
aix_puppet_conf
aix_puppet_startup
aix_rc_local
aix_sendmail
aix_snmpdv3_conf
apache
cloud_provisioner
dashboard
dnsmasq
etc_hosts
firewall
ipa_cert
ipa_resolv_conf
krb5_aix
motd
mysql
netsvc
nsswitch_sudoers
ntp
pam_mkhomedir_linux
passenger
perldbi_link
resolv_conf
ruby
sane_env_aix
sendmail
ssh_config
sshd
sshd_config
sshd_deny_oracle
sudo_ldap
vmwaretools



[Freeipa-users] Adding other users to a user's created default group

2013-02-15 Thread KodaK
I suspect the answer to this is no, but I'm asking anyway:

Let's say I have an IPA user named bob.  When bob was created, IPA
created a matching GID for him.  Is it possible, through IPA, to add
another user to that GID?

If not, and I add another user to that GID by directly manipulating
LDAP, will that break anything in IPA?

I know the correct way is to make a new group.



Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread KodaK
On Thu, Feb 7, 2013 at 1:46 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
> Hi,
>
> I have had little to do with permissions until now so bear with me if the Qs
> are obviously stupid, probably not really IPA but a linux blind spot I
> have... anyway,
>
> So I have a service account with its group; this runs a database.
>
> So oracle with uid 2000 and gid 2000.  I have some other users that need to
> be in the oracle user's group but I can't do that in IPA?


Is oracle an IPA user and group or a local user and group?

Assuming a Linux host and a local oracle user and group:  you can add
the IPA users to a local group and it will work.  I have no idea if
that's the right way to do it, though.


> I created a user group called oragrp gid 2001 but the user oracle is creating
> files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume
> would fix it?

Again, if oracle is a local user, you can change his primary group
using usermod -G 2001 oracle -- but you might as well just add the
IPA users to the local oracle group.

--Jason



Re: [Freeipa-users] Backup and Restoration of IPA Server

2013-02-04 Thread KodaK
I use the following to dump my LDAP databases:

#!/bin/sh
# Dump the CA backend (ipaca) and the main backend (userroot) to timestamped
# LDIF files; the Directory Manager password is read from a credentials file.
STAMP=`/bin/date +%Y%m%d%H%M%S`
CREDS=/var/lib/dirsrv/scripts-YOUR-KERB-REALM/dmanager.credentials
/usr/lib64/dirsrv/slapd-PKI-IPA/db2ldif.pl -D "cn=directory manager" \
    -j "$CREDS" -n ipaca \
    -a /var/lib/dirsrv/slapd-PKI-IPA/bak/ipaca.$STAMP.ldif
/var/lib/dirsrv/scripts-YOUR-KERB-REALM/db2ldif.pl -D "cn=directory manager" \
    -j "$CREDS" -n userroot \
    -a /var/lib/dirsrv/slapd-YOUR-KERB-REALM/bak/userroot.$STAMP.ldif

I have that in a script that's run by cron, followed up by a script to
delete old backups.  Netbackup takes care of backing up the systems.

dmanager.credentials just has the Directory Manager password in it in
plain text.  Not optimal, but it works.

--Jason

On Mon, Feb 4, 2013 at 10:51 AM, Rajnesh Kumar Siwal
rajnesh.si...@gmail.com wrote:
 Thanks Christian.
 I am still looking for some workaround till then.

 On Mon, Feb 4, 2013 at 10:16 PM, Christian Hernandez
 christi...@4over.com wrote:
 Looks like a backup/restore procedure is in the roadmap

 http://www.freeipa.org/page/Roadmap


 Thank you,

 Christian Hernandez
 1225 Los Angeles Street
 Glendale, CA 91204
 Phone: 877-782-2737 ext. 4566
 Fax: 818-265-3152
 christi...@4over.com mailto:christi...@4over.com
 www.4over.com http://www.4over.com


 On Mon, Feb 4, 2013 at 2:54 AM, Rajnesh Kumar Siwal
 rajnesh.si...@gmail.com wrote:

 Does it mean that we don't have any backup / restoration process as
 of now for IPA 2.2 ?
 I am really concerned about such a critical application.

 It would be great if you could please specify the set of manual
 commands in case they can be used for Backup / Restoration purpose.

 --
 Regards,
 Rajnesh Kumar Siwal






 --
 Regards,
 Rajnesh Kumar Siwal




-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
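The dump script above writes ipaca.<stamp>.ldif and userroot.<stamp>.ldif and leaves the cleanup to a second cron script, with the Directory Manager password sitting in a plain-text file. Here is an added example of that cleanup in Python (mine, not Jason's and not part of FreeIPA): it ages dumps by the timestamp in the file name rather than by mtime, always keeps a minimum number per backend, and refuses to treat dmanager.credentials as acceptable unless it is a regular file, mode 0600, owned by the caller. The paths, the 14-day retention and the keep-3 minimum are assumptions.

```python
#!/usr/bin/env python3
"""Retention and permission checks to go with the db2ldif.pl cron dump.

Added example, not from the original post. It assumes the dump files follow
the post's naming scheme, <backend>.<YYYYmmddHHMMSS>.ldif, and that the
retention figures (14 days, keep at least 3 per backend) suit the site.
"""
import os
import re
import stat
from datetime import datetime, timedelta
from pathlib import Path

# Matches e.g. userroot.20130204105100.ldif; the stamp is what
# /bin/date +%Y%m%d%H%M%S wrote when the dump was taken.
DUMP_NAME = re.compile(r"^(?P<backend>[A-Za-z0-9_-]+)\.(?P<stamp>\d{14})\.ldif$")
STAMP_FORMAT = "%Y%m%d%H%M%S"


def dump_info(filename):
    """Return (backend, datetime) for a dump file name, or None if it is not a dump."""
    m = DUMP_NAME.match(filename)
    if not m:
        return None
    return m.group("backend"), datetime.strptime(m.group("stamp"), STAMP_FORMAT)


def as_time(value):
    """Accept either a datetime or a 14-digit stamp string for 'now'."""
    return value if isinstance(value, datetime) else datetime.strptime(value, STAMP_FORMAT)


def expired_dumps(filenames, now, keep_days=14, keep_min=3):
    """Names of dumps older than keep_days, never touching the newest keep_min per backend.

    Age comes from the name, not the file mtime, so a restored or copied
    backup directory cannot make every dump look freshly written.
    """
    by_backend = {}
    for name in filenames:
        info = dump_info(name)
        if info is not None:
            backend, taken = info
            by_backend.setdefault(backend, []).append((taken, name))
    cutoff = as_time(now) - timedelta(days=keep_days)
    doomed = []
    for dumps in by_backend.values():
        dumps.sort()
        protected = set(dumps[-keep_min:]) if keep_min > 0 else set()
        doomed.extend(name for taken, name in dumps
                      if taken < cutoff and (taken, name) not in protected)
    return sorted(doomed)


def perms_acceptable(st_mode, st_uid, caller_uid):
    """Policy for the credentials file: regular file, mode 0600, owned by the caller.

    The post keeps the password in plain text; this at least refuses to run
    when another account on the box could read it.
    """
    return (stat.S_ISREG(st_mode)
            and stat.S_IMODE(st_mode) == 0o600
            and st_uid == caller_uid)


def credentials_file_ok(path):
    """Apply perms_acceptable to a real path; a missing file is not acceptable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return perms_acceptable(st.st_mode, st.st_uid, os.getuid())


def prune(directory, now=None, keep_days=14, keep_min=3, dry_run=True):
    """Delete (or, with dry_run, just list) expired dumps in directory."""
    names = [p.name for p in Path(directory).iterdir() if p.is_file()]
    doomed = expired_dumps(names, now or datetime.now(), keep_days, keep_min)
    if not dry_run:
        for name in doomed:
            Path(directory, name).unlink()
    return doomed


if __name__ == "__main__":
    import sys
    # Assumed paths, mirroring the placeholders used in the post.
    bak = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/dirsrv/slapd-YOUR-KERB-REALM/bak"
    creds = "/var/lib/dirsrv/scripts-YOUR-KERB-REALM/dmanager.credentials"
    print("credentials file permissions acceptable:", credentials_file_ok(creds))
    if Path(bak).is_dir():
        for name in prune(bak, dry_run=True):
            print("would delete", name)
```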



Re: [Freeipa-users] Adding an IPA user that can't SSH?

2013-01-25 Thread KodaK
On Fri, Jan 25, 2013 at 10:43 AM, Dmitri Pal d...@redhat.com wrote:

 AFAIK there is also some kind of no shell capability in SSH which might be
 useful in this case but I am not a specialist in this area.

You can do this a few ways, but the easiest (IMO) is something like
this in sshd_config:

Match User limited-user
  ForceCommand echo 'This is a non-interactive account'

This will cause that message to display if someone tries to log in
with that account.



[Freeipa-users] non-expiring password policy (or as close as I can come)

2013-01-24 Thread KodaK
I have a need to have certain mission critical application accounts
non-expiring (people don't log in directly, but if the accounts expire
it could stop production jobs.)

I've set Max lifetime (days) to 9 in the web interface, but
here's what I see when I do ipa pwpolicy show:

  Group: application-accounts
  Max lifetime (days): 8639913600
  Min lifetime (hours): 0
  History size: 0
  Character classes: 3
  Min length: 8
  Priority: 0
  Max failures: 0
  Failure reset interval: 0
  Lockout duration: 0

I have a user that is a member of the application-accounts group and
they reset their password yesterday, but their password is set to
expire in three months:

krbpasswordexpiration: 20130423220808Z
krbpwdpolicyreference: cn=application-accounts

Have I hit some maximum and I'm confusing IPA?  Or do I completely
misunderstand these entries?

I also have a case open with RH on this, but I haven't heard anything
back yet.  If I get this solved through them I'll be sure to reply
with results.

Thanks,

--Jason



Re: [Freeipa-users] non-expiring password policy (or as close as I can come)

2013-01-24 Thread KodaK
On Thu, Jan 24, 2013 at 4:03 PM, Rob Crittenden rcrit...@redhat.com wrote:
 It is a 32-bit time problem.

 I'd set the maxlife no higher than 5000 for now.

Thanks.  Is there a way to apply this policy retroactively without
requiring my users to reset passwords?

--Jason
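Rob's diagnosis can be checked with arithmetic: 8639913600 seconds is exactly 99999 days, which exceeds 2^31-1 (the largest value a signed 32-bit time field holds), whereas 5000 days (432000000 seconds) fits. The Python below is an added example, not code from the thread or from FreeIPA; the reset time 2013-01-23 22:08:08 is a constructed assumption ("yesterday" relative to the recorded expiration), and the 90 days it yields is the default global policy's maximum lifetime.

```python
#!/usr/bin/env python3
"""Why a 99999-day maximum lifetime shows up as 8639913600 and then misbehaves.

Added example, not from the thread. IPA shows the policy's maximum password
life in seconds; the symptom in the thread follows from that value being
larger than a signed 32-bit integer can hold.
"""
from datetime import datetime

INT32_MAX = 2**31 - 1       # 2147483647, the ceiling of a signed 32-bit time field
SECONDS_PER_DAY = 86400


def days_to_seconds(days):
    """Convert the web UI's 'Max lifetime (days)' to the stored seconds value."""
    return days * SECONDS_PER_DAY


def fits_int32(seconds):
    """True if the stored seconds value survives a signed 32-bit time field."""
    return 0 <= seconds <= INT32_MAX


def max_safe_days():
    """Largest whole number of days whose second count still fits in int32."""
    return INT32_MAX // SECONDS_PER_DAY


def check_policy(days):
    """Report whether a proposed 'Max lifetime (days)' is safe to store."""
    secs = days_to_seconds(days)
    return {"days": days, "seconds": secs, "fits_int32": fits_int32(secs)}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as krbPasswordExpiration: 20130423220808Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")


def lifetime_days(changed, expiration):
    """Whole days between a password change and the recorded expiration."""
    return (parse_generalized_time(expiration) - parse_generalized_time(changed)).days


if __name__ == "__main__":
    for days in (99999, 5000, max_safe_days()):
        print(check_policy(days))
    # The change time is a constructed assumption; the expiration is the one from the thread.
    print("days between reset and recorded expiration:",
          lifetime_days("20130123220808Z", "20130423220808Z"))
```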



Re: [Freeipa-users] non-expiring password policy (or as close as I can come)

2013-01-24 Thread KodaK
On Thu, Jan 24, 2013 at 5:05 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:

 A calendar will be shown to choose a date and time for simplicity if you
 download and use the Apache Directory Studio
 (http://directory.apache.org/studio/) to edit the krbPasswordExpiration
 attribute for a user account. It works well.

This is exactly what I ended up doing.  I didn't have many, otherwise
I would have rigged up an ldapmodify script.



[Freeipa-users] When will IPA v3 be available in RHEL?

2013-01-20 Thread KodaK
This is a surprisingly difficult thing to google for.  I'd really like
to roll out an AD trust, but I want to stay within RHEL support.
Approximate is fine, I just want to know if I can plan for it sometime
this year or not.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote:
 On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
 On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
  On 12/17/2012 03:11 PM, KodaK wrote:
   I'm attempting to install Satellite in my IPA domain.  There is a
   ridiculous requirement that the group dba must not already exist
   prior to installing.  Red Hat support wanted me to *remove* the DBA
   group and then install.
  
   Anyway, I'm trying to play around with filter_groups in sssd, and I
   can't seem to get it to take.  The man page isn't exactly clear, but
   here's what I've tried:
  
   filter_groups = dba
   filter_groups= dba@fqdn
  
   In the [domain], [sssd] and [nss] sections of the config file.
  
   What's the right syntax?  Do I need it in every section?
  
  Is it a local group or a central group?

 Where Dmitri's question is headed is that if dba is a local group (aka
 stored in /etc/passwd), then the SSSD should be queried at all.
   ^^^
 /etc/group obviously

I figured. :)

The group dba is stored in IPA.  Here's a funny thing, though (short rundown):

Installed RHEL 6.3 on Satellite server, joined it to the domain.

Try to install Satellite: get the Could not install database.

I try to filter out the group in IPA, try to install Satellite, get:
The group 'dba' should exist.  This makes me think that the filter
is doing every dba not just dba on the IPA server.

I removed the Satellite server from IPA (ipa-client-install
--uninstall) and I get the same message (dba should exist.)

Fun stuff.

Now I'm re-installing RHEL so I can start from scratch, and I'll
attempt to install Satellite without joining it to the domain.  I'm
not fond of this option -- I don't want to have stand-alone machines
that I have to manage separately, that's why I installed IPA in the
first place.



Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Mon, Dec 17, 2012 at 3:03 PM, Dmitri Pal d...@redhat.com wrote:
 On 12/17/2012 03:11 PM, KodaK wrote:
 I'm attempting to install Satellite in my IPA domain.  There is a
 ridiculous requirement that the group dba must not already exist
 prior to installing.  Red Hat support wanted me to *remove* the DBA
 group and then install.

 Anyway, I'm trying to play around with filter_groups in sssd, and I
 can't seem to get it to take.  The man page isn't exactly clear, but
 here's what I've tried:

 filter_groups = dba
 filter_groups= dba@fqdn

 In the [domain], [sssd] and [nss] sections of the config file.

 What's the right syntax?  Do I need it in every section?

 Is it a local group or a central group?

Central group, in IPA.



Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Tue, Dec 18, 2012 at 9:17 AM, Jakub Hrozek jhro...@redhat.com wrote:
 On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
 On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote:
  On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
  On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
   On 12/17/2012 03:11 PM, KodaK wrote:
I'm attempting to install Satellite in my IPA domain.  There is a
ridiculous requirement that the group dba must not already exist
prior to installing.  Red Hat support wanted me to *remove* the DBA
group and then install.
   
Anyway, I'm trying to play around with filter_groups in sssd, and I
can't seem to get it to take.  The man page isn't exactly clear, but
here's what I've tried:
   
filter_groups = dba
filter_groups= dba@fqdn
   
In the [domain], [sssd] and [nss] sections of the config file.
   
What's the right syntax?  Do I need it in every section?
   
   Is it a local group or a central group?
 
  Where Dmitri's question is headed is that if dba is a local group (aka
  stored in /etc/passwd), then the SSSD should be queried at all.
^^^
  /etc/group obviously

 I figured. :)

 The group dba is stored in IPA.  Here's a funny thing, though (short 
 rundown):

 Installed RHEL 6.3 on Satellite server, joined it to the domain.

 Try to install Satellite: get the Could not install database.

 I try to filter out the group in IPA, try to install Satellite, get:
 The group 'dba' should exist.  This makes me think that the filter
 is doing every dba not just dba on the IPA server.

 I removed the Satellite server from IPA (ipa-client-install
 --uninstall) and I get the same message (dba should exist.)

 Fun stuff.


 Unless you wiped out the machine completely, do you know if:

 $ getent group -s sss dba

 Returned the group or not?

 I wouldn't be surprised if the installer tools checked the files directly..

I did wipe it out, but I do know that getent group dba returned the
IPA group *before* I put in the filter, I stupidly didn't check after.

I'm in the middle of re-installing the OS now on the VM, we'll see how
it goes.  Red Hat says they got it to work in their lab with an IPA
controlled Oracle user and dba group.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Tue, Dec 18, 2012 at 10:38 AM, KodaK sako...@gmail.com wrote:
 On Tue, Dec 18, 2012 at 9:17 AM, Jakub Hrozek jhro...@redhat.com wrote:
 On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
 On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote:
  On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
  On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
   On 12/17/2012 03:11 PM, KodaK wrote:
I'm attempting to install Satellite in my IPA domain.  There is a
ridiculous requirement that the group dba must not already exist
prior to installing.  Red Hat support wanted me to *remove* the DBA
group and then install.
   
Anyway, I'm trying to play around with filter_groups in sssd, and I
can't seem to get it to take.  The man page isn't exactly clear, 
but
here's what I've tried:
   
filter_groups = dba
filter_groups= dba@fqdn
   
In the [domain], [sssd] and [nss] sections of the config file.
   
What's the right syntax?  Do I need it in every section?
   
   Is it a local group or a central group?
 
  Where Dmitri's question is headed is that if dba is a local group (aka
  stored in /etc/passwd), then the SSSD should be queried at all.
^^^
  /etc/group obviously

 I figured. :)

 The group dba is stored in IPA.  Here's a funny thing, though (short 
 rundown):

 Installed RHEL 6.3 on Satellite server, joined it to the domain.

 Try to install Satellite: get the Could not install database.

 I try to filter out the group in IPA, try to install Satellite, get:
 The group 'dba' should exist.  This makes me think that the filter
 is doing every dba not just dba on the IPA server.

 I removed the Satellite server from IPA (ipa-client-install
 --uninstall) and I get the same message (dba should exist.)

 Fun stuff.


 Unless you wiped out the machine completely, do you know if:

 $ getent group -s sss dba

 Returned the group or not?

 I wouldn't be surprised if the installer tools checked the files directly..

 I did wipe it out, but I do know that getent group dba returned the
 IPA group *before* I put in the filter, I stupidly didn't check after.

 I'm in the middle of re-installing the OS now on the VM, we'll see how
 it goes.  Red Hat says they got it to work in their lab with an IPA
 controlled Oracle user and dba group.


So, in case anyone else ever runs into this, this is what I had to do
to get around the problem:

First, maybe I missed it, but I don't see any recommendation in the
documentation that the user oracle and dba *must* exist before you
start the install.  Combine that with the suggestion I got from support
that the dba group can't exist, and you have the recipe that had me
going down the wrong path for quite some time.  This had nothing to do
with IPA at all, really.

The answer, which like most is incredibly simple, was to create a
local oracle user and dba group, overriding the dba group in IPA.
After that the install went fine(ish.)

--Jason



[Freeipa-users] anyone know how to do sssd filters?

2012-12-17 Thread KodaK
I'm attempting to install Satellite in my IPA domain.  There is a
ridiculous requirement that the group dba must not already exist
prior to installing.  Red Hat support wanted me to *remove* the DBA
group and then install.

Anyway, I'm trying to play around with filter_groups in sssd, and I
can't seem to get it to take.  The man page isn't exactly clear, but
here's what I've tried:

filter_groups = dba
filter_groups= dba@fqdn

In the [domain], [sssd] and [nss] sections of the config file.

What's the right syntax?  Do I need it in every section?

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



[Freeipa-users] Different primary group on different machines.

2012-10-25 Thread KodaK
I've been having users use the newgrp command to change their
primary group on different machines.

I've poked around in the docs a bit and I don't see this addressed.  I
know, I know: if it works, use it -- but I'm wondering if I'm just
missing a way to do it with IPA, or if there's another way to do it
that might be better.

Any thoughts?

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] Different primary group on different machines.

2012-10-25 Thread KodaK
On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal d...@redhat.com wrote:
 On 10/25/2012 11:49 AM, KodaK wrote:
 I've been having users use the newgrp command to change their
 primary group on different machines.

 I've poked around in the docs a bit and I don't see this addressed.  I
 know, I know: if it works, use it -- but I'm wondering if I'm just
 missing a way to do it with IPA, or if there's another way to do it
 that might be better.

 Any thoughts?

 Thanks,

 --Jason

 By reading the description of the command it seems that it works only
 for local accounts.
 So I suspect it is not effective in any case when the users come from
 LDAP and not file.

 That brings the question: what is the use case and why you need it and
 subsequently is there any other way to solve the problem you are trying
 to solve with already existing means in SSSD?


I have users that need different primary groups on different machines.
 The newgrp command works -- unfortunately putting it in a login
script is a bad thing because newgrp reads those same login scripts,
creating an infinite loop.

We have many different development groups, but people can be members
of multiple groups.  For collaboration, they'd like it when creating a
file to have that file have a group ownership of foo on machine-A,
but bar on machine-B.  I'd like to help the end users do this
themselves so that I don't have to maintain separate files on each
machine (one of the reasons I put in IPA in the first place. :) )

Thanks,

--Jason



Re: [Freeipa-users] Different primary group on different machines.

2012-10-25 Thread KodaK
On Thu, Oct 25, 2012 at 2:30 PM, Dmitri Pal d...@redhat.com wrote:
 On 10/25/2012 03:11 PM, KodaK wrote:
 On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal d...@redhat.com wrote:
 On 10/25/2012 11:49 AM, KodaK wrote:
 I've been having users use the newgrp command to change their
 primary group on different machines.

 I've poked around in the docs a bit and I don't see this addressed.  I
 know, I know: if it works, use it -- but I'm wondering if I'm just
 missing a way to do it with IPA, or if there's another way to do it
 that might be better.

 Any thoughts?

 Thanks,

 --Jason

 By reading the description of the command it seems that it works only
 for local accounts.
 So I suspect it is not effective in any case when the users come from
 LDAP and not file.

 That brings the question: what is the use case and why you need it and
 subsequently is there any other way to solve the problem you are trying
 to solve with already existing means in SSSD?

 I have users that need different primary groups on different machines.
  The newgrp command works -- unfortunately putting it in a login
 script is a bad thing because newgrp reads those same login scripts,
 creating an infinite loop.

 We have many different development groups, but people can be members
 of multiple groups.  For collaboration, they'd like it when creating a
 file to have that file have a group ownership of foo on machine-A,
 but bar on machine-B.  I'd like to help the end users do this
 themselves so that I don't have to maintain separate files on each
 machine (one of the reasons I put in IPA in the first place. :) )

 Thanks,

 --Jason
 I see it to be solvable in two different ways.
 One centrally in IPA. Something like an extra attribute attached to HBAC
 rule that would denote the alternative default group. This is just from
 top of my head. I already see problems with this approach but anyways
 this is one direction.

I'd think it would have to be per-user or a separate policy area.
these users get this pgrp on these servers.

 A different option is to have a local override in the sssd.conf and make
 SSSD swap primary group for the user but then you would have to
 configure it per user - not a nice approach too.
 Hmmm may be some kind of the sss_chache related utility that would
 update cache with the preferred GID, that would work as a command but
 has other implications - dealing with fast cache and server side changes
 that might override the value...

 Anyways not an easy fix. Can you please file an RFE?

Sure.  Where do I do that?  :)  (I'm kidding, I'll google it.)

 Would you be able to contribute some code for such feature?

I'd love to say I could, but I'm not really a coder, and my day job
has me working 50-60 hours a week as it is.  And when I say I'd love
to I really mean it.  I'd rather be doing that than my day job. :)

--Jason



Re: [Freeipa-users] slow ssh

2012-09-10 Thread KodaK
On Mon, Sep 10, 2012 at 4:16 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
 Hi,

 Not sure if this is an IPA issue but I'm finding ssh takes a long time to login. 
  It looks like ssh is querying IPA for authentication mechanisms?...if so can 
 I simply turn this off? and if so how?

Slow SSH is (in my experience, anyway) usually a DNS problem.  Are
you using IPA for DNS, or external?  Either way, is reverse DNS
working?

I had an issue recently with users complaining about slow logins, but
it turned out that bind on my primary IPA box died (I have no idea
how.)  Since resolv.conf goes in order, it would hit the primary, time
out, then fail over to the other DNS servers.  Once I restarted bind
everything was fine again.  I'm still investigating what happened, but
there's only so much time in a day.

As for auth mechanisms -- those are defined in your sshd_config, but
why would you want to turn that off?  That's the whole point of IPA.
I'm probably misunderstanding something, though. :)

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] Desperate help requested.

2012-09-06 Thread KodaK
Thank you everyone.  We finally had our meeting today (it was delayed
from Tuesday.)  It went much better than I was expecting.  Regardless
of the email that said we can't authenticate to anything but MS AD,
apparently his *actual* concern was having a third party tie-in to
Active Directory that would keep them from applying patches to AD.
Pretty much all I had to say was good news, everyone!  We don't need
AD!  It pissed off the Windows Director who was in the room and was
pushing for us to auth directly against AD, but the veep who had the
initial problem was satiated.

All is right with the world again.  Or at least my tiny piece of it.
Until tomorrow.

Thanks again,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] Desperate help requested.

2012-08-27 Thread KodaK
Thanks, everyone, for your input.  It has helped tremendously.

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



[Freeipa-users] Desperate help requested.

2012-08-25 Thread KodaK
I've just been informed by my boss's boss's boss that, and I quote
from his ridiculous email:

we cannot use anything other than MS AD for authentication

I've spent months of time and much effort rolling out IPA,
consolidating authentication across our Linux and AIX machines.  To
paraphrase Babbage: I am not able rightly to apprehend the kind of
confusion of ideas that could provoke such a statement.

Regardless, I need some help.  I need some help with comparisons
between FreeIPA and AD, and the problems and issues one might
encounter when trying to authenticate Unix machines against AD.
Anything that can show IPA being superior to AD for *nix
authentication.  Anything at all.  We have a similar number of AIX and
Linux servers.  We have a week before we have a meeting to discuss
this, and I'd like to be armed to the teeth, if at all possible.

Thanks for any help you can give.  And wish me luck.

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-21 Thread KodaK
On Tue, Aug 21, 2012 at 2:50 AM, Innes, Duncan
duncan.in...@virginmoney.com wrote:
I can't be alone in deploying IPA in a network already dominated by AD.

You're certainly not.  In my case it appears the Windows people have
done everything they can to sabotage my efforts to implement SSO in
unix-land that they can do without being overt about it.  They've
refused to make simple changes like adding our unix subdomain to the
windows client dns search path, forcing our users to use FQDNs for
everything.  They won't do a domain trust with us, they won't let us
sync passwords between AD and IPA, making things easier on our users.
But we keep moving ahead anyway, because that's what we do.

When did we become the red-headed step-children?

--Jason



[Freeipa-users] Intermittent delay in authentication

2012-08-14 Thread KodaK
I apologize in advance for not having very much information to go on.

We have exactly 100 hosts in IPA right now.  On occasion, maybe once
or twice a day, all authentication just pauses for some amount of
time.  It can range from just a few seconds to about 30 seconds.  I
can see this happen, I can be doing an su on one box and an ssh into
another, and people will yell over the cube walls that it's happening
again but after a few seconds everything will start flowing again.

I've been watching logs and I don't see anything that's corresponding
with these events, but I'm willing to take any advice at the moment.

What *could* cause something like this?  Does replication block
authentication (I can't imagine that it does.)  I'm absolutely sure I
have something misconfigured, but I don't even know where to start on
this one.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] Unable to get sudo command to work...

2012-08-14 Thread KodaK
OK, so it works if you allow all hosts, but fails if you specify a
host.  This leads me to believe that the host may not know who it
is.

Run the gamut on local hostname configuration:

Check /etc/hosts, is the host listed with the FQDN first?
Check hostname -- it should report the FQDN.
Check domainname -- it should report the domain.

I have a very similar rule, btw:

[jebalicki@slpidml01 ~]$ ipa sudorule-show tds-web-restart
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'sudorule_show' to server
u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  Rule name: tds-web-restart
  Enabled: TRUE
  User Groups: admins, tds-webserver-users, unixadmins
  Host Groups: tdswebhosts
  Sudo Allow Commands: /etc/rc.d/init.d/httpd
[jebalicki@slpidml01 ~]$


On Tue, Aug 14, 2012 at 4:13 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
 Hi,

 I am trying to get a sudo-group command to work such that a group of users 
 can reload apache's config... I know the password is fine as I can ssh into 
 the server

 [thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
 LDAP Config Summary
 ===
 uri  ldap://vuwunicoipam001.ods.vuw.ac.nz 
 ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
 ldap_version 3
 sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
 binddn   uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
 bindpw   
 bind_timelimit   500
 ssl  start_tls
 tls_checkpeer(no)
 tls_cacertfile   /etc/ipa/ca.crt
 ===
 sudo: ldap_set_option: debug - 0
 sudo: ldap_set_option: tls_checkpeer - 0
 sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt
 sudo: ldap_set_option: tls_cacert - /etc/ipa/ca.crt
 sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz 
 ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
 sudo: ldap_set_option: ldap_version - 3
 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
 sudo: ldap_start_tls_s() ok
 sudo: ldap_sasl_bind_s() ok
 sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
 sudo: ldap search 
 '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
 sudo: 
 found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
 sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
 sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
 sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
 sudo: Command allowed
 sudo: user_matches=1
 sudo: host_matches=1
 sudo: sudo_ldap_lookup(0)=0x02
 [sudo] password for thing-sudo:
 Sorry, try again.
 [sudo] password for thing-sudo:
 Sorry, try again.
 [sudo] password for thing-sudo:
 Sorry, try again.
 sudo: 3 incorrect password attempts
 [thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
 LDAP Config Summary
 ===
 uri  ldap://vuwunicoipam001.ods.vuw.ac.nz 
 ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
 ldap_version 3
 sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
 binddn   uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
 bindpw   x
 bind_timelimit   500
 ssl  start_tls
 tls_checkpeer(no)
 tls_cacertfile   /etc/ipa/ca.crt
 ===
 sudo: ldap_set_option: debug - 0
 sudo: ldap_set_option: tls_checkpeer - 0
 sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt
 sudo: ldap_set_option: tls_cacert - /etc/ipa/ca.crt
 sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz 
 ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
 sudo: ldap_set_option: ldap_version - 3
 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
 sudo: ldap_start_tls_s() ok
 sudo: ldap_sasl_bind_s() ok
 sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
 sudo: ldap search 
 '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
 sudo: 
 found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
 sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
 sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
 sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
 sudo: Command allowed
 sudo: user_matches=1
 sudo: host_matches=1
 sudo: sudo_ldap_lookup(0)=0x02
 [sudo] password for thing-sudo:
 Sorry, try again.
 [sudo] password for thing-sudo:

 Sorry, try again.
 [sudo] password for thing-sudo:

 Sorry, try again.
 sudo: 3 incorrect password attempts
 [thing-sudo@vuwunicocatd001 ~]$
 [thing-sudo@vuwunicocatd001 ~]$

 

 The secure log says system error, unable to read password,

 ===
 Aug 15 

Re: [Freeipa-users] Unable to get sudo command to work...

2012-08-14 Thread KodaK
Do:

 ipa hbactest --user=thing-sudo --host=vuwunicocatd001.ods.vuw.ac.nz
--service=sudo

with the hbac rule on and off.


On Tue, Aug 14, 2012 at 4:47 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
 Hi,

 No it fails even if I specify the host, but it works if I re-enable the 
 allowall HBAC rule.

 So for some reason HBAC is impacting sudo.

 =
 [thing-sudo@vuwunicocatd001 ~]$ hostname
 vuwunicocatd001.ods.vuw.ac.nz
 [thing-sudo@vuwunicocatd001 ~]$ domainname
 ods.vuw.ac.nz
 [thing-sudo@vuwunicocatd001 ~]$
 [root@vuwunicocatd001 jonesst1]# more /etc/hosts
 # not remove the following line, or various programs
 # that require network functionality will fail.
 127.0.0.1   localhost.localdomain localhost
 10.70.1.14  vuwunicocatd001.ods.vuw.ac.nz 
 vuwunicocatd001.vuw.ac.nz visualresourcest.vuw.ac.nz vuwunicocatd001
 [root@vuwunicocatd001 jonesst1]# more /etc/sysconfig/network
 NETWORKING=yes
 HOSTNAME=vuwunicocatd001.ods.vuw.ac.nz
 GATEWAY=10.70.1.1
 NTPSERVERARGS=iburst
 [root@vuwunicocatd001 jonesst1]#
 =

 All looks correct

 ===


 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: KodaK [sako...@gmail.com]
 Sent: Wednesday, 15 August 2012 9:41 a.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Unable to get sudo commend to work...

 OK, so it works if you allow all hosts, but fails if you specify a
 host.  This leads me to believe that the host may not know who it
 is.

 Run the gamut on local hostname configuration:

 Check /etc/hosts, is the host listed with the FQDN first?
 Check hostname -- it should report the FQDN.
 Check domainname -- it should report the domain.

 I have a very similar rule, btw:

 [jebalicki@slpidml01 ~]$ ipa sudorule-show tds-web-restart
 ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
 ipa: INFO: Forwarding 'sudorule_show' to server
 u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
   Rule name: tds-web-restart
   Enabled: TRUE
   User Groups: admins, tds-webserver-users, unixadmins
   Host Groups: tdswebhosts
   Sudo Allow Commands: /etc/rc.d/init.d/httpd
 [jebalicki@slpidml01 ~]$


 On Tue, Aug 14, 2012 at 4:13 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
 Hi,

 I am trying to get a sudo-group command to work such that a group of users
 can reload apache's config. I know the password is fine as I can ssh into
 the server.

 [thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
 LDAP Config Summary
 ===
 uri  ldap://vuwunicoipam001.ods.vuw.ac.nz 
 ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
 ldap_version 3
 sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
 binddn   uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
 bindpw   
 bind_timelimit   500
 ssl  start_tls
 tls_checkpeer(no)
 tls_cacertfile   /etc/ipa/ca.crt
 ===
 sudo: ldap_set_option: debug - 0
 sudo: ldap_set_option: tls_checkpeer - 0
 sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt
 sudo: ldap_set_option: tls_cacert - /etc/ipa/ca.crt
 sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz 
 ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
 sudo: ldap_set_option: ldap_version - 3
 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
 sudo: ldap_start_tls_s() ok
 sudo: ldap_sasl_bind_s() ok
 sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
 sudo: ldap search 
 '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
 sudo: 
 found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
 sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
 sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
 sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
 sudo: Command allowed
 sudo: user_matches=1
 sudo: host_matches=1
 sudo: sudo_ldap_lookup(0)=0x02
 [sudo] password for thing-sudo:
 Sorry, try again.
 [sudo] password for thing-sudo:
 Sorry, try again.
 [sudo] password for thing-sudo:
 Sorry, try again.
 sudo: 3 incorrect password attempts
 [thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
 LDAP Config Summary
 ===
 uri  ldap://vuwunicoipam001.ods.vuw.ac.nz 
 ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
 ldap_version 3
 sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
 binddn   uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
 bindpw   x
 bind_timelimit   500
 ssl  start_tls
 tls_checkpeer(no)
 tls_cacertfile   /etc/ipa/ca.crt
 ===
 sudo: ldap_set_option: debug - 0
 sudo

[Freeipa-users] Prompting for expired passwords on AIX

2012-08-09 Thread KodaK
I've kerberized a bunch of AIX machines, and I noticed when I was
starting out that AIX allows people to connect that have expired
passwords, and does not prompt for changes.

1) does anyone know what I need to do on AIX to make this happen (I
don't hold out much hope for this.)

2) alternately, does anyone know what I'd have to do on Linux to
change this behavior (maybe from that I can find something on AIX.)

I plan on opening a ticket with IBM too, but I wanted to see if anyone
has run into this before.

Thanks!

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread KodaK
On Wed, Aug 8, 2012 at 11:06 AM, Petr Spacek pspa...@redhat.com wrote:

 Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
 SRV records (or let IPA to manage it).

Absolutely, this is the best way.

 You can configure each all servers and client statically with
 /etc/krb5.conf, but it is error-prone and not scalable.

You *could* use something like puppet to manage your krb5.conf files
(I have to with our AIX machines.)

Also, it's important to note that your REALM does NOT need to match
your dns domain name.
It's a convenience, and it's very, very helpful to do so, but it is
possible to have a REALM called
MIDDLEEARTH if you wanted.  I'm not sure how IPA would deal with
that, but I know you
can do it in straight up Kerberos.

--Jason



Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread KodaK
Rob, you may want to read through this whole FAQ, but this one covers
what I'm talking about:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#realms


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread KodaK
On Wed, Aug 8, 2012 at 2:16 PM, Rob Ogilvie r...@axpr.net wrote:
 On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce s...@redhat.com wrote:
 On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
  -I'm going to set up the IPA server with a new realm;
  UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
  up there for that?  If so, what?)

 If your DNS people want to manually mange DNS for you then they need to
 create the unix.mydomain.com zone and manually create SRV and TXT
 records for kerberos and ldap IPA servers.

 Is there a doc that explains what those SRV and TXT records need to look like?

If you're not familiar with this document then you need to spend some
quality time with it:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html

:)

In it you'll find:

If a DNS server is already configured in the network, then the
configuration in the IPA-generated file can be added to the existing
DNS zone file. This allows IPA clients to find LDAP and Kerberos
servers that are required for them to participate in the IPA domain.
For example, this DNS zone configuration is created for an IPA server
with the KDC and DNS servers all on the same machine in the
EXAMPLE.COM realm:
; ldap servers
_ldap._tcp              IN SRV 0 100 389 ipaserver.example.com.

;kerberos realm
_kerberos               IN TXT EXAMPLE.COM

; kerberos servers
_kerberos._tcp          IN SRV 0 100 88  ipaserver.example.com.
_kerberos._udp          IN SRV 0 100 88  ipaserver.example.com.
_kerberos-master._tcp   IN SRV 0 100 88  ipaserver.example.com.
_kerberos-master._udp   IN SRV 0 100 88  ipaserver.example.com.
_kpasswd._tcp           IN SRV 0 100 464 ipaserver.example.com.
_kpasswd._udp           IN SRV 0 100 464 ipaserver.example.com.



[Freeipa-users] pam su configuration to ignore certain ipa/ldap users

2012-08-07 Thread KodaK
I have an unusual situation.  Our DBAs want different passwords for
the oracle account
on production and development machines.  I'm using local
authentication for oracle
on all the boxes, but they're also not allowed to log in directly as
oracle, only su, but
su always wants to go to ldap first.

Does anyone know what I need to do to get su to look at local auth
first, then go to
ldap?

Another consideration is that this is AIX.  I'm pretty sure if given a
Linux solution to
this I could adapt (AIX *can* use PAM, it just doesn't by default.)

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] pam su configuration to ignore certain ipa/ldap users

2012-08-07 Thread KodaK
I've figured this out on AIX.  If anyone googles this later:

in /etc/security/user

the default: stanza needs to have:

system = compat or KRB5ALXAP or LDAP

instead of:

SYSTEM = KRB5ALXAP or LDAP or compat

It could probably be done other ways (using PAM,) but this was easiest for now.

On Tue, Aug 7, 2012 at 10:02 AM, KodaK sako...@gmail.com wrote:
 I have an unusual situation.  Our DBAs want different passwords for
 the oracle account
 on production and development machines.  I'm using local
 authentication for oracle
 on all the boxes, but they're also not allowed to log in directly as
 oracle, only su, but
 su always wants to go to ldap first.

 Does anyone know what I need to do to get su to look at local auth
 first, then go to
 ldap?

 Another consideration is that this is AIX.  I'm pretty sure if given a
 Linux solution to
 this I could adapt (AIX *can* use PAM, it just doesn't by default.)

 --
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

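The fix above changes the method order in the `default:` stanza, which affects every account on the box. As an added example (not from the thread, and not AIX or IPA project code), here is a small parser for the AIX stanza format that reports which authentication method order a given user actually gets, taking into account that a user's own stanza overrides `default:`. The constructed `/etc/security/user` excerpt keeps the thread's original `default:` order and adds a per-user `oracle:` stanza as the narrower alternative the reply alludes to ("it could probably be done other ways"). Assumptions: the `KRB5ALXAP` method name is taken from the thread, and only the plain `A or B or C` form of the `SYSTEM` attribute is handled, not AIX's bracketed `[SUCCESS]`/`[FAILURE]` grammar.

```python
import re

# AIX stanza files: "name:" opens a stanza, indented "key = value" lines belong
# to it, and lines starting with '*' are comments.
STANZA_RE = re.compile(r"^(?P<name>[^\s:*]+):\s*$")
ATTR_RE = re.compile(r"^\s+(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$")

# Constructed excerpt: the thread's default: order, plus a per-user stanza
# that puts the local (compat) database first for oracle only.
SAMPLE_USER_FILE = """\
* /etc/security/user (constructed excerpt, not a real host's file)
default:
        admin = false
        login = true
        SYSTEM = "KRB5ALXAP or LDAP or compat"

root:
        admin = true
        SYSTEM = "compat"

oracle:
        SYSTEM = "compat or KRB5ALXAP or LDAP"
        rlogin = false
""".splitlines()


def parse_stanza_file(lines):
    """Return {stanza_name: {key: value}} for an AIX stanza file."""
    stanzas, current = {}, None
    for raw in lines:
        if not raw.strip() or raw.lstrip().startswith("*"):
            continue
        if m := STANZA_RE.match(raw):
            current = m.group("name")
            stanzas.setdefault(current, {})
        elif (m := ATTR_RE.match(raw)) and current is not None:
            stanzas[current][m.group("key")] = m.group("value").strip('"')
    return stanzas


def effective_system(stanzas, user):
    """Method order AIX tries for `user`: the user's own stanza wins over default:.
    Assumption: only the simple "A or B or C" grammar seen in the thread."""
    value = (stanzas.get(user, {}).get("SYSTEM")
             or stanzas.get("default", {}).get("SYSTEM", "compat"))
    return re.split(r"\s+or\s+", value.strip(), flags=re.IGNORECASE)


def local_first(stanzas, user):
    """True when the local password database is consulted before any directory method."""
    return effective_system(stanzas, user)[0].lower() == "compat"


if __name__ == "__main__":
    s = parse_stanza_file(SAMPLE_USER_FILE)
    for user in ("oracle", "root", "someipauser"):
        print(f"{user:12s} {' -> '.join(effective_system(s, user))}")
```

Scoping the override to the `oracle:` stanza keeps the directory as the first source for everyone else, so a stray local `/etc/passwd` entry cannot shadow an IPA account for ordinary users; running the check against the real file shows at a glance which accounts resolve locally first.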


[Freeipa-users] Multiple hostnames

2012-08-07 Thread KodaK
I suspect I'm SOL on this one, but I'd like confirmation.

We have two servers in an HA cluster:

source:

sla710ph1.unix.magellanhealth.com

target:

slahat01.unix.magellanhealth.com

and a service name of:

sla710ph.unix.magellanhealth.com

The service name will float between the HA source and target.

The DBAs tell me that in order for Oracle to work, the hostname has to
return the service name.

There's absolutely no way to do this and remain kerberized, right?  I
can't have two servers (with two different IP addresses) be the same
in IPA, right?

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-07 Thread KodaK
On Tue, Aug 7, 2012 at 4:48 PM, Rob Ogilvie r...@axpr.net wrote:
 I just found this additional log file entries on my IPA server.  The
 vm-mapsdc2 is one of the domain controllers/DNS servers not associated
 with IPA other than being one of our authoritative DNS servers.  Is
 something misconfigured in IPA on the server side?

It's hard to tell with the obfuscation, but is your DOMAIN the same as
the one handled by the domain controller vm-mapsdc2?

You can only have one Kerberos realm named DOMAIN.

For example, if you have the windows domain/Kerb realm MYCOMPANY.COM,
you will not be able to have it coexist with an IPA server controlling
the realm MYCOMPANY.COM.

If it's an oldschool NT type domain you should be OK, but if it's
Active Directory (which uses Kerberos) you can't do it.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] servers going out of sync

2012-07-23 Thread KodaK
On Mon, Jul 23, 2012 at 9:42 AM, KodaK sako...@gmail.com wrote:
 Alright, this is pretty bad.

 My servers keep going out of sync.  I have four replicas, slpidml01
 through 04.  I only figure it out when weird things start happening.
 Is there a log somewhere that I can parse that says that updates
 aren't getting sent out?  What are the types of things that can cause
 this?

 I've googled around a bit and I don't see anyone else having a problem
 as bad as this seems to be.  I'll be opening a ticket at RH, but I
 just wanted to put a feeler out here to see if anyone else has similar
 issues.


I'm getting this on all my servers when I try to force a
re-initialization from the first server:

[root@slpidml03 ~]# ipa-replica-manage re-initialize --from
slpidml01.unix.magellanhealth.com
ipa: INFO: Setting agreement
cn=meToslpidml03.unix.magellanhealth.com,cn=replica,cn=dc\3Dunix\2Cdc\3Dmagellanhealth\2Cdc\3Dcom,cn=mapping
tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement
cn=meToslpidml03.unix.magellanhealth.com,cn=replica,cn=dc\3Dunix\2Cdc\3Dmagellanhealth\2Cdc\3Dcom,cn=mapping
tree,cn=config
[slpidml01.unix.magellanhealth.com] reports: Update failed! Status:
[-2  - System error]
[root@slpidml03 ~]#

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] another sudo su question

2012-07-17 Thread KodaK
On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal d...@redhat.com wrote:
 On 07/17/2012 11:50 AM, KodaK wrote:
 I've been banging my head on this for a couple of days, and I can't
 find anything in the docs or by searching.

 I'm trying to do what I think should be pretty simple:  I have a group
 of users and an application account, all in IPA.  I want users in that
 group to be able to sudo su - appacct.

 What I've found is that I probably can't do it exactly like that, so
 now I'm trying sudo -i appacct, but I can't get that to work either.

 My rule is set up like this:

 rule name:  become-appacct
 sudo option:  -i appacct   (I'm not sure this is right.)
 user groups:  admins, appgroup
 host groups:  apphostgroup

 Everything else is blank.  Note that this is just the current
 configuration, I've tried a bunch of iterations.

 Any help?

 Thanks,

 --Jason

 If you are using IPA it internally has a different schema for sudo than
 the one published on the sudo web site
 http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=install/share/65ipasudo.ldif;h=7a85c8659c33794d3127d208452dcb54ad34d59e;hb=HEAD

 It is then transformed into a traditional sudo schema using the compat tree.

 So what you need to do is make sure you create the right sudo rule.

 Your sudo rule should use:
 user groups: admins, appgroup
 host groups: apphostgroup
 command: sudo -i

Thanks.  I had some fighting to do to get sudo to talk to ldap on this
box, but I have that going now.

If I understand you correctly, I've created a rule like you've
suggested.  however, I get:

Sorry, user jebalicki is not allowed to execute '/bin/bash -c
cdcadmin' as root on slncdcl01.unix.magellanhealth.com.

(I've given up on obfuscation.)

Here's the debug output:


[jebalicki@slncdcl01 ~]$ sudo -i cdcadmin
LDAP Config Summary
===
uri  ldap://slpidml01.unix.magellanhealth.com
ldap://slpidml02.unix.magellanhealth.com
ldap_version 3
sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
binddn   uid=sudo,cn=sysaccounts,cn=etc,dc=unix,dc=magellanhealth,dc=com
bindpw   xxx
bind_timelimit   5000
timelimit15
ssl  start_tls
tls_checkpeer(yes)
tls_cacertfile   /etc/ipa/ca.crt
===
sudo: ldap_initialize(ld, ldap://slpidml01.unix.magellanhealth.com
ldap://slpidml02.unix.magellanhealth.com)
sudo: ldap_set_option: debug - 0
sudo: ldap_set_option: ldap_version - 3
sudo: ldap_set_option: tls_checkpeer - 1
sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit - 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search
'(|(sudoUser=jebalicki)(sudoUser=%jebalicki)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%unixadmins)(sudoUser=ALL))'
sudo: found:cn=become-cdcadmin,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoRunAsUser 'cdcadmin' ... not
sudo: found:cn=test rule,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoCommand '/bin/cat' ... not
sudo: found:cn=tds-web-restart,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x00
[sudo] password for jebalicki:
Sorry, user jebalicki is not allowed to execute '/bin/bash -c
cdcadmin' as root on slncdcl01.unix.magellanhealth.com.
[jebalicki@slncdcl01 ~]$

And here's the rule:

[root@slpidml01 ~]# ipa sudorule-show become-cdcadmin
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'sudorule_show' to server
u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  Rule name: become-cdcadmin
  Enabled: TRUE
  User Groups: admins, stsg
  Host Groups: cdchosts
  Sudo Allow Commands: sudo -i
  RunAs Users: cdcadmin
[root@slpidml01 ~]#

 If appacct is a user managed by IPA then he should be selected as run
 as user.
 If this account is not managed by IPA it should be an external user

 Use UI or CLI to add it. Doing it via ldap would not work unless you use
 the internal schema.

 objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation
   STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $
   cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
   ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $
   sudoNotBefore $ sudoNotAfter $ sudoOrder ) X-ORIGIN 'IPA v2' )

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.


 ---
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/



 ___
 Freeipa-users mailing list
 Freeipa-users

Re: [Freeipa-users] another sudo su question

2012-07-17 Thread KodaK
On Tue, Jul 17, 2012 at 1:40 PM, KodaK sako...@gmail.com wrote:
 On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal d...@redhat.com wrote:
 On 07/17/2012 11:50 AM, KodaK wrote:
 I've been banging my head on this for a couple of days, and I can't
 find anything in the docs or by searching.

 I'm trying to do what I think should be pretty simple:  I have a group
 of users and an application account, all in IPA.  I want users in that
 group to be able to sudo su - appacct.

 What I've found is that I probably can't do it exactly like that, so
 now I'm trying sudo -i appacct, but I can't get that to work either.

 My rule is set up like this:

 rule name:  become-appacct
 sudo option:  -i appacct   (I'm not sure this is right.)
 user groups:  admins, appgroup
 host groups:  apphostgroup

 Everything else is blank.  Note that this is just the current
 configuration, I've tried a bunch of iterations.

 Any help?

 Thanks,

 --Jason

 If you are using IPA it internally has a different schema for sudo than
 the one published on the sudo web site
 http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=install/share/65ipasudo.ldif;h=7a85c8659c33794d3127d208452dcb54ad34d59e;hb=HEAD

 It is then transformed into a traditional sudo schema using the compat tree.

 So what you need to do is make sure you create the right sudo rule.

 Your sudo rule should use:
 user groups: admins, appgroup
 host groups: apphostgroup
 command: sudo -i

 Thanks.  I had some fighting to do to get sudo to talk to ldap on this
 box, but I have that going now.

 If I understand you correctly, I've created a rule like you've
 suggested.  however, I get:

 Sorry, user jebalicki is not allowed to execute '/bin/bash -c
 cdcadmin' as root on slncdcl01.unix.magellanhealth.com.

I got it.  I was able to use:

Rule name: become-cdcadmin
  Enabled: TRUE
  User Groups: admins, stsg
  Host Groups: cdchosts
  Sudo Allow Commands:  /bin/su - cdcadmin

I thought I tried that first, but I must have had something else wrong.

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

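Two traces in this archive fail for different reasons: in this thread every rule is rejected (`sudo_ldap_lookup(0)=0x00`), while in the earlier "Unable to get sudo commend to work" thread the rule matches (`0x02`, "Command allowed") and the password prompt fails three times. As an added example (not code from the thread or from sudo/IPA), here is a parser for sudo's LDAP debug output that separates the two cases: it records, per rule, which attribute value matched or did not, reads the lookup flags, and notices password failures. The two sample traces are constructed from the lines quoted in the archive; the one assumption is that `0x02` is sudo's `VALIDATE_OK` flag, which both traces agree with.

```python
import re
from dataclasses import dataclass, field

# Line shapes from sudo's LDAP debug output, as quoted in this thread.
FOUND_RE = re.compile(r"^sudo: found:(?P<dn>.+)$")
CHECK_RE = re.compile(
    r"^sudo: ldap (?P<attr>\w+) '(?P<value>[^']*)' \.\.\. (?P<result>MATCH!|not)$"
)
LOOKUP_RE = re.compile(r"^sudo: sudo_ldap_lookup\(\d+\)=0x(?P<flags>[0-9a-fA-F]+)$")
PWFAIL_RE = re.compile(r"^sudo: (?P<n>\d+) incorrect password attempts$")

# Assumed to be VALIDATE_OK from sudo's sudoers.h; the archive's traces agree
# (0x02 next to "Command allowed", 0x00 next to a denial).
VALIDATE_OK = 0x02

# Constructed from the debug output quoted above (sudo -i cdcadmin, denied).
DENIED_TRACE = """\
sudo: ldap search '(|(sudoUser=jebalicki)(sudoUser=%jebalicki)(sudoUser=%admins)(sudoUser=ALL))'
sudo: found:cn=become-cdcadmin,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoRunAsUser 'cdcadmin' ... not
sudo: found:cn=test rule,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoCommand '/bin/cat' ... not
sudo: found:cn=tds-web-restart,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x00
""".splitlines()

# Constructed from the earlier thread's trace (rule matched, password rejected).
AUTHN_FAILED_TRACE = """\
sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
sudo: Command allowed
sudo: sudo_ldap_lookup(0)=0x02
sudo: 3 incorrect password attempts
""".splitlines()


@dataclass
class RuleTrace:
    dn: str
    # attribute -> [(value, matched)], one entry per value sudo printed
    checks: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        # "cn=become-cdcadmin,ou=sudoers,dc=..." -> "become-cdcadmin"
        return self.dn.split(",", 1)[0].split("=", 1)[1]

    def failing_attribute(self):
        """First attribute with no matching value. sudo stops evaluating the
        rule there, so later attributes never appear in the trace."""
        for attr, results in self.checks.items():
            if not any(matched for _, matched in results):
                return attr
        return None


def parse_sudo_trace(lines):
    rules, flags, pw_failures, current = [], None, 0, None
    for raw in lines:
        line = raw.strip()
        if m := FOUND_RE.match(line):
            current = RuleTrace(dn=m.group("dn").strip())
            rules.append(current)
        elif (m := CHECK_RE.match(line)) and current is not None:
            current.checks.setdefault(m.group("attr"), []).append(
                (m.group("value"), m.group("result") == "MATCH!")
            )
        elif m := LOOKUP_RE.match(line):
            flags = int(m.group("flags"), 16)
        elif m := PWFAIL_RE.match(line):
            pw_failures = int(m.group("n"))
    return {"rules": rules, "lookup_flags": flags, "password_failures": pw_failures}


def diagnose(report):
    """Tell 'no sudoers rule matched' apart from 'rule matched, password rejected'."""
    flags = report["lookup_flags"]
    if flags is None:
        return "incomplete trace: no sudo_ldap_lookup result"
    if flags & VALIDATE_OK:
        if report["password_failures"]:
            return ("allowed by sudoers; the failure is password authentication "
                    "(PAM/HBAC), not the sudo rule")
        return "allowed by sudoers"
    misses = [f"{r.name}: {r.failing_attribute()} did not match"
              for r in report["rules"] if r.failing_attribute()]
    if not misses:
        return "denied by sudoers; no rule listed this user"
    return "denied by sudoers; " + "; ".join(misses)


if __name__ == "__main__":
    for trace in (DENIED_TRACE, AUTHN_FAILED_TRACE):
        print(diagnose(parse_sudo_trace(trace)))
```

On the first trace the report points at `sudoRunAsUser`: the rule carries RunAs user `cdcadmin`, but `sudo -i cdcadmin` is executed as root (`'/bin/bash -c cdcadmin' as root` in the error message), so that attribute cannot match; the follow-up in this thread resolved it with a plain `/bin/su - cdcadmin` command. On the second trace sudoers already allowed the command and the refusal came from password authentication, which is where an HBAC rule on the `sudo` service bites; `ipa hbactest --service=sudo`, as suggested in that thread, is the check for that side.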


Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread KodaK
Further information:

I do have:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

In /etc/sssd/sssd.conf

Is cn=ng,cn=compat correct?

--Jason

On Tue, Jul 10, 2012 at 2:15 PM, KodaK sako...@gmail.com wrote:
 I'm running IPA 2.2.0 on RHEL6

 Server:

 [root@validserver ~]# rpm -qa | grep ipa
 ipa-client-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-python-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64

 Client:

 [root@validhost ~]# rpm -qa | grep ipa
 ipa-client-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-python-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64

 My sudo-ldap.conf file:

 binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
 bindpw validpassword

 ssl start_tls
 tls_cacertfile /etc/ipa/ca.crt
 tls_checkpeer yes

 bind_timelimit 5
 timelimit 15

 uri ldap://validserver ldap://validserver2
 sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com

 What I'm trying to do:  I have a group of users that I'd like to have
 restart apache on a group of hosts.

 What I've done:  created a user group, created a group of hosts (in a
 grouplist.)

 I can successfully run sudo in any configuration, *except* when using
 a host group.  When I try I get:

 Sorry, user validuser is not allowed to execute
 '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.

 I can edit the same rule, change the host group (that only contains
 two hosts) and specify the two hosts directly and it works fine.

 Can someone else just try this and see if I've hit a bug?  I'm certain
 I couldn't have messed up creating the host group, but I suppose it's
 possible.

 I get the same behavior when I try a simple /bin/cat command through
 sudo, too.

 Is there a special config for using host groups?  I suspect I may have
 missed some obvious documentation.

 --
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



[Freeipa-users] Disaster Recovery Best Practices?

2012-04-16 Thread KodaK
Hi,

I have googled around a bit, but I still have a couple of questions:

1) is it possible to get getent shadow to return shadow entries from
the ipa server?  This is so we can do a DR test on some server or set
of servers without also having to restore the IPA server first.  I can
do a getent passwd easily enough, and I could rebuild the shadow
file for local users, so it's not critical, but it would be a nice to
have in the case of a DR.

2) What is everyone else doing to prepare IPA for a DR?  I've read
that the best way to do it is to turn off the IPA services on a
replica and then back that replica up.  I also read that this will
miss some important files that only exist on the master.  I don't want
to turn off the master server services for a DR due to failover lag.
Would it be safe to take a backup of the master while hot, then
restore a replica, and promote it to master using the hot backup of
the master (just the specific CA files needed)?

Thanks,

--Jason



[Freeipa-users] Setting up replication, documentation unclear regarding DNS entries

2012-04-09 Thread KodaK
I have two IPA servers.  The primary/master is SLPIDML01 and the
replica is SLPIDML01.  I have followed the instructions for creating a
replica and the install on SLPIDML02 completed successfully.  However,
the instructions tell me to add some entries to the DNS zone file, and
I'm stumped.

The FreeIPA documentation has this to say about setting up DNS for replicas:

Updating DNS for IPA Replicas

After you have configured a new IPA replica, you should update your
DNS entries so that IPA clients can discover the new server. For
example, for an IPA replica with a server name of $HOST, you should
add the following entries to your zone file:

_ldap._tcp IN SRV 0 100 389 $HOST
_kerberos._tcp IN SRV 0 100 88 $HOST
_kerberos._udp IN SRV 0 100 88 $HOST
_kerberos-master._tcp  IN SRV 0 100 88 $HOST
_kerberos-master._udp  IN SRV 0 100 88 $HOST
_kpasswd._tcp  IN SRV 0 100 464 $HOST
_kpasswd._udp  IN SRV 0 100 464 $HOST
_ntp._udp  IN SRV 0 100 123 $HOST

I know very little about configuring DNS.  Where exactly should this
go?  It says to add it to your zone file, all I see is a
named.rfc1912.zones file, and it appears to be rather structured.  Do
I just dump these at the end?  That doesn't seem to make any sense.  I
see a reference to /var/named/example.com.zone.db, but I don't have
one for my domain, and I still don't know what the format of the file
should be.  Do I need to make entries for both hosts (and any others I
add in the future?)

Thanks,

--Jason

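The record list above, and the zone fragment from the Identity Management Guide quoted in the earlier "New FreeIPA Install" thread, are what an IPA client resolves to find its servers, and the question of whether entries are needed "for both hosts" is exactly what goes wrong when a replica is added and the records are not. As an added example (not from either thread or from the IPA project), here is a checker that parses a BIND-style zone fragment and reports, for every server you expect to be discoverable, a missing service, a wrong port, a relative target (no trailing dot, so the zone origin gets appended) or a replica without a record. The required-service table is taken from the two quoted fragments; the sample zone, the replica name `ipareplica.example.com` and its deliberate mistakes are constructed.

```python
import re

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)
TXT_RE = re.compile(r'^(?P<name>\S+)\s+IN\s+TXT\s+"?(?P<text>[^"]+)"?$')

# Services an IPA client looks up, with the port each record must carry
# (from the zone fragments quoted in this archive).
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}
OPTIONAL_SRV = {"_ntp._udp": 123}  # listed for replicas; checked only when present

# Constructed sample: the guide's records for ipaserver.example.com plus a
# replica, with three mistakes for the check to catch: one relative target,
# and no _kpasswd or _ntp records for the replica.
SAMPLE_ZONE = """\
; ldap servers
_ldap._tcp              IN SRV 0 100 389 ipaserver.example.com.
_ldap._tcp              IN SRV 0 100 389 ipareplica.example.com.

;kerberos realm
_kerberos               IN TXT EXAMPLE.COM

; kerberos servers
_kerberos._tcp          IN SRV 0 100 88  ipaserver.example.com.
_kerberos._tcp          IN SRV 0 100 88  ipareplica.example.com
_kerberos._udp          IN SRV 0 100 88  ipaserver.example.com.
_kerberos._udp          IN SRV 0 100 88  ipareplica.example.com.
_kerberos-master._tcp   IN SRV 0 100 88  ipaserver.example.com.
_kerberos-master._tcp   IN SRV 0 100 88  ipareplica.example.com.
_kerberos-master._udp   IN SRV 0 100 88  ipaserver.example.com.
_kerberos-master._udp   IN SRV 0 100 88  ipareplica.example.com.
_kpasswd._tcp           IN SRV 0 100 464 ipaserver.example.com.
_kpasswd._udp           IN SRV 0 100 464 ipaserver.example.com.
_ntp._udp               IN SRV 0 100 123 ipaserver.example.com.
""".splitlines()


def parse_zone_fragment(lines):
    """Collect SRV and TXT records from BIND-style lines; ';' starts a comment."""
    srv, txt = {}, {}
    for raw in lines:
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if m := SRV_RE.match(line):
            srv.setdefault(m.group("name"), []).append(
                (int(m.group("prio")), int(m.group("weight")),
                 int(m.group("port")), m.group("target"))
            )
        elif m := TXT_RE.match(line):
            txt.setdefault(m.group("name"), []).append(m.group("text").strip())
    return srv, txt


def check_ipa_discovery(lines, realm, servers):
    """Return a list of problems; an empty list means every server in `servers`
    has a correct record for every required service."""
    srv, txt = parse_zone_fragment(lines)
    problems = []
    if txt.get("_kerberos") != [realm]:
        problems.append(f"_kerberos TXT should be exactly {realm!r}, found {txt.get('_kerberos')}")
    expected = dict(REQUIRED_SRV)
    expected.update({n: p for n, p in OPTIONAL_SRV.items() if n in srv})
    for name, port in expected.items():
        records = srv.get(name, [])
        if not records:
            problems.append(f"{name}: no SRV record at all")
            continue
        targets = set()
        for _prio, _weight, rport, target in records:
            if rport != port:
                problems.append(f"{name}: port {rport}, expected {port}")
            if not target.endswith("."):
                # In a zone file a name without a trailing dot is relative to
                # $ORIGIN, so the client would be sent to host.example.com.example.com.
                problems.append(f"{name}: target {target!r} is relative; the zone origin will be appended")
            targets.add(target.rstrip("."))
        for server in servers:
            if server.rstrip(".") not in targets:
                problems.append(f"{name}: no record for {server}")
    return problems


if __name__ == "__main__":
    for p in check_ipa_discovery(SAMPLE_ZONE, "EXAMPLE.COM",
                                 ["ipaserver.example.com", "ipareplica.example.com"]):
        print(p)
```

When IPA's own DNS is in use the replica installer maintains these records, as the reply in this thread says; the check is for the case the guide describes, an externally managed zone, where each new replica needs its own copy of every record and the realm TXT must stay exactly the realm name, which need not equal the DNS domain.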


Re: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries

2012-04-09 Thread KodaK
On Mon, Apr 9, 2012 at 1:56 PM, Dmitri Pal d...@redhat.com wrote:
 On 04/09/2012 02:53 PM, Dmitri Pal wrote:
 On 04/09/2012 02:50 PM, KodaK wrote:
 On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal d...@redhat.com wrote:
 On 04/09/2012 02:41 PM, KodaK wrote:
 On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal d...@redhat.com wrote:
 On 04/09/2012 02:07 PM, KodaK wrote:
 I have two IPA servers.  The primary/master is SLPIDML01 and the
 replica is SLPIDML01.  I have followed the instructions for creating a
 replica and the install on SLPIDML02 completed successfully.  However,
 the instructions tell me to add some entries to the DNS zone file, and
 I'm stumped.

 The FreeIPA documentation has this to say about setting up DNS for 
 replicas:

 Updating DNS for IPA Replicas

 After you have configured a new IPA replica, you should update your
 DNS entries so that IPA clients can discover the new server. For
 example, for an IPA replica with a server name of $HOST, you should
 add the following entries to your zone file:

 _ldap._tcp             IN SRV 0 100 389       $HOST
 _kerberos._tcp         IN SRV 0 100 88 $HOST
 _kerberos._udp         IN SRV 0 100 88 $HOST
 _kerberos-master._tcp  IN SRV 0 100 88 $HOST
 _kerberos-master._udp  IN SRV 0 100 88 $HOST
 _kpasswd._tcp          IN SRV 0 100 464 $HOST
 _kpasswd._udp          IN SRV 0 100 464 $HOST
 _ntp._udp              IN SRV 0 100 123 $HOST

 I know very little about configuring DNS.  Where exactly should this
 go?  It says to add it to your zone file, all I see is a
 named.rfc1912.zones file, and it appears to be rather structured.  Do
 I just dump these at the end?  That doesn't seem to make any sense.  I
 see a reference to /var/named/example.com.zone.db, but I don't have
 one for my domain, and I still don't know what the format of the file
 should be.  Do I need to make entries for both hosts (and any others I
 add in the future?)

 What DNS server do you use?
 Did you consider using DNS server that comes with IPA?

 I am using the DNS server that comes with IPA.
 Then the replicas are added automatically to the DNS servers managed by
 IPA. I think the documentation refers to the case when you are not using
 the DNS server provided by IPA. Then you need to add mentioned entries.
 If this is not clear please open a ticket and provide a pointer to the
 section that caused the confusion.
 I've opened a ticket, thanks.

 I do not see it.

I opened a ticket at access.redhat.com, if there's another place you'd
rather I open it I can do that too, sorry.

--Jason



Re: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries

2012-04-09 Thread KodaK
On Mon, Apr 9, 2012 at 1:53 PM, Dmitri Pal d...@redhat.com wrote:
 On 04/09/2012 02:50 PM, KodaK wrote:
 On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal d...@redhat.com wrote:
 On 04/09/2012 02:41 PM, KodaK wrote:
 On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal d...@redhat.com wrote:
 On 04/09/2012 02:07 PM, KodaK wrote:
 I have two IPA servers.  The primary/master is SLPIDML01 and the
 replica is SLPIDML01.  I have followed the instructions for creating a
 replica and the install on SLPIDML02 completed successfully.  However,
 the instructions tell me to add some entries to the DNS zone file, and
 I'm stumped.

 The FreeIPA documentation has this to say about setting up DNS for 
 replicas:

 Updating DNS for IPA Replicas

 After you have configured a new IPA replica, you should update your
 DNS entries so that IPA clients can discover the new server. For
 example, for an IPA replica with a server name of $HOST, you should
 add the following entries to your zone file:

 _ldap._tcp             IN SRV 0 100 389       $HOST
 _kerberos._tcp         IN SRV 0 100 88 $HOST
 _kerberos._udp         IN SRV 0 100 88 $HOST
 _kerberos-master._tcp  IN SRV 0 100 88 $HOST
 _kerberos-master._udp  IN SRV 0 100 88 $HOST
 _kpasswd._tcp          IN SRV 0 100 464 $HOST
 _kpasswd._udp          IN SRV 0 100 464 $HOST
 _ntp._udp              IN SRV 0 100 123 $HOST

 I know very little about configuring DNS.  Where exactly should this
 go?  It says to add it to your zone file, all I see is a
 named.rfc1912.zones file, and it appears to be rather structured.  Do
 I just dump these at the end?  That doesn't seem to make any sense.  I
 see a reference to /var/named/example.com.zone.db, but I don't have
 one for my domain, and I still don't know what the format of the file
 should be.  Do I need to make entries for both hosts (and any others I
 add in the future?)

 What DNS server do you use?
 Did you consider using DNS server that comes with IPA?

 I am using the DNS server that comes with IPA.
 Then the replicas are added automatically to the DNS servers managed by
 IPA. I think the documentation refers to the case when you are not using
 the DNS server provided by IPA. Then you need to add mentioned entries.
 If this is not clear please open a ticket and provide a pointer to the
 section that caused the confusion.
 I've opened a ticket, thanks.

 When I manually turn off the network interfaces on the master, the
 replica does not take over.

 How do you test it?
 The client will fail over if it can't access the server that you turned
 off.


 For the record, the documentation makes no discernible differentiation
 between IPA's DNS and external DNS:

 Once the installation process completes, update the DNS entries so
 that IPA clients can discover the new server. For example, for an IPA
 replica with a hostname of ipareplica.example.com:


Sorry, I thought I did reply to the list.

I must be misunderstanding something.

When I ipa-replica-install it does not automatically set up a DNS
replica, correct?

When I run ipa dnsrecord-add domain.com @ --ns-rec
slpidml02.unix.magellanhealth.com. I'm only telling IPA that this new
host is now a nameserver, correct?

So at what point do DNS entries replicate?  Or do I set that up outside of IPA?

Thanks again,

--Jason

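Added example, not from the thread or from FreeIPA: a small Python checker that parses SRV lines in the zone-file format quoted above and reports which of the eight service records IPA clients look for are missing for a given server. The zone text and the hostnames ipamaster/ipareplica.example.com are constructed placeholders.

```python
import re

# Service -> port that IPA clients look up, from the documentation quoted above.
EXPECTED_SRV = {"_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
                "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
                "_kpasswd._tcp": 464, "_kpasswd._udp": 464, "_ntp._udp": 123}

# Zone-file SRV line: owner [ttl] [class] SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE)

def parse_srv(zone_text):
    """Return (owner, port, target) for every SRV record in the zone text."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and padding
        m = SRV_RE.match(line)
        if m:
            target = m["target"].lower().rstrip(".")  # normalise trailing dot
            records.append((m["owner"].lower(), int(m["port"]), target))
    return records

def missing_srv_for_host(zone_text, host):
    """List the expected services that have no SRV record pointing at host."""
    host = host.lower().rstrip(".")
    present = {(owner, port) for owner, port, target in parse_srv(zone_text)
               if target == host}
    return sorted(svc for svc, port in EXPECTED_SRV.items()
                  if (svc, port) not in present)

# Constructed sample zone: the master is fully advertised, the replica lacks
# its kpasswd and ntp records. Hostnames are placeholders, not real systems.
SAMPLE_ZONE = """\
_ldap._tcp             IN SRV 0 100 389  ipamaster.example.com.
_kerberos._tcp         IN SRV 0 100 88   ipamaster.example.com.
_kerberos._udp         IN SRV 0 100 88   ipamaster.example.com.
_kerberos-master._tcp  IN SRV 0 100 88   ipamaster.example.com.
_kerberos-master._udp  IN SRV 0 100 88   ipamaster.example.com.
_kpasswd._tcp          IN SRV 0 100 464  ipamaster.example.com.
_kpasswd._udp          IN SRV 0 100 464  ipamaster.example.com.
_ntp._udp              IN SRV 0 100 123  ipamaster.example.com.
_ldap._tcp             IN SRV 0 100 389  ipareplica.example.com. ; replica
_kerberos._tcp         IN SRV 0 100 88   ipareplica.example.com.
_kerberos._udp         IN SRV 0 100 88   ipareplica.example.com.
_kerberos-master._tcp  IN SRV 0 100 88   ipareplica.example.com.
_kerberos-master._udp  IN SRV 0 100 88   ipareplica.example.com.
"""
```

Run `missing_srv_for_host(SAMPLE_ZONE, "ipareplica.example.com")` against the sample to see the three records a client would fail to discover; feed it the output of a zone dump for a real check.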


Re: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries

2012-04-09 Thread KodaK
On Mon, Apr 9, 2012 at 2:04 PM, KodaK sako...@gmail.com wrote:
 On Mon, Apr 9, 2012 at 1:56 PM, Dmitri Pal d...@redhat.com wrote:
 On 04/09/2012 02:53 PM, Dmitri Pal wrote:
 On 04/09/2012 02:50 PM, KodaK wrote:
 On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal d...@redhat.com wrote:
 On 04/09/2012 02:41 PM, KodaK wrote:
 On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal d...@redhat.com wrote:
 On 04/09/2012 02:07 PM, KodaK wrote:
 I have two IPA servers.  The primary/master is SLPIDML01 and the
 replica is SLPIDML01.  I have followed the instructions for creating a
 replica and the install on SLPIDML02 completed successfully.  However,
 the instructions tell me to add some entries to the DNS zone file, and
 I'm stumped.

 The FreeIPA documentation has this to say about setting up DNS for 
 replicas:

 Updating DNS for IPA Replicas

 After you have configured a new IPA replica, you should update your
 DNS entries so that IPA clients can discover the new server. For
 example, for an IPA replica with a server name of $HOST, you should
 add the following entries to your zone file:

 _ldap._tcp             IN SRV 0 100 389       $HOST
 _kerberos._tcp         IN SRV 0 100 88 $HOST
 _kerberos._udp         IN SRV 0 100 88 $HOST
 _kerberos-master._tcp  IN SRV 0 100 88 $HOST
 _kerberos-master._udp  IN SRV 0 100 88 $HOST
 _kpasswd._tcp          IN SRV 0 100 464 $HOST
 _kpasswd._udp          IN SRV 0 100 464 $HOST
 _ntp._udp              IN SRV 0 100 123 $HOST

 I know very little about configuring DNS.  Where exactly should this
 go?  It says to add it to your zone file, but all I see is a
 named.rfc1912.zones file, and it appears to be rather structured.  Do
 I just dump these at the end?  That doesn't seem to make any sense.  I
 see a reference to /var/named/example.com.zone.db, but I don't have
 one for my domain, and I still don't know what the format of the file
 should be.  Do I need to make entries for both hosts (and any others I
 add in the future?)

 What DNS server do you use?
 Did you consider using the DNS server that comes with IPA?

 I am using the DNS server that comes with IPA.
 Then the replicas are added automatically to the DNS servers managed by
 IPA. I think the documentation refers to the case when you are not using
 the DNS server provided by IPA. Then you need to add the mentioned entries.
 If this is not clear please open a ticket and provide a pointer to the
 section that caused the confusion.
 I've opened a ticket, thanks.

 I do not see it.

 I opened a ticket at access.redhat.com; if there's another place you'd
 rather I open it, I can do that too, sorry.

I've opened a bugzilla ticket (two, actually.)

--Jason
