[Freeipa-users] EL5 sudo and IdM
Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build system) hosts we'd like to be ipa-clients. The ipa-client v2.1.3 has been installed, and that works well. And I believe that with EL5 there is no sssd support for sudo, hence it's configured via /etc/ldap.conf.

The situation I see is that the sudo rule is successful only when using ALL for hosts; the example debug message is:

    sudo: ldap sudoHost 'ALL' ... MATCH!

Otherwise, it doesn't work and the message is:

    sudo: ldap sudoHost '+hostg_build' ... not

The "hostg_build" is an IPA host group, and if I read "man sudoers.ldap" correctly, sudoHost expects a host netgroup (prefixed with a '+'). Is there any resolution here?

thanks, Zarko

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
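The matching behaviour the post is running into, as an added example (editor's code, not sudo's, FreeIPA's, or the poster's): a small emulation of how one sudoHost value is matched in the forms sudoers.ldap(5) lists (ALL, a host name, an IP address, a network/netmask, and '+netgroup'), with a netgroup lookup that follows nested netgroups the way innetgr(3) does. The netgroup data, host names and addresses are constructed stand-ins for what an EL5 nss_ldap client would read from the IPA compat tree, and the rule-level negation handling in `rule_matches_host` is an assumption of the example rather than a statement about sudo's exact evaluation order.

```python
# Added example (editor's, not from the thread): emulate sudoHost matching as
# sudoers.ldap(5) describes it, against constructed netgroup data.
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple, Union

Triple = Tuple[str, str, str]                      # (host, user, domain), NIS style
NetgroupDB = Dict[str, List[Union[Triple, str]]]   # str entries = nested netgroups

# Constructed stand-in for what an EL5 client's nss_ldap would read from the
# IPA compat tree (cn=ng,cn=compat,...): the host group "hostg_build" exposed
# as a netgroup, with one nested netgroup. Names and addresses are made up.
NETGROUPS: NetgroupDB = {
    "hostg_build": [("build01.comp.com", "", "comp.com"), "hostg_build_extra"],
    "hostg_build_extra": [("build02.comp.com", "", "comp.com")],
}


def field_matches(field: str, value: str) -> bool:
    """NIS netgroup triple field: empty = wildcard, '-' = never matches."""
    if field == "":
        return True
    if field == "-":
        return False
    return field.lower() == value.lower()


def host_in_netgroup(db: NetgroupDB, name: str, hostnames: Sequence[str],
                     nis_domain: Optional[str] = None,
                     seen: Optional[set] = None) -> bool:
    """innetgr(3)-style check: is any of `hostnames` in the host field of a
    triple of netgroup `name` or of a nested netgroup? Cycles are tolerated,
    and the domain field is only checked when a NIS domain is given."""
    seen = set() if seen is None else seen
    if name in seen or name not in db:
        return False
    seen.add(name)
    for entry in db[name]:
        if isinstance(entry, str):
            if host_in_netgroup(db, entry, hostnames, nis_domain, seen):
                return True
            continue
        host, _user, domain = entry
        if nis_domain is not None and not field_matches(domain, nis_domain):
            continue
        if any(field_matches(host, h) for h in hostnames):
            return True
    return False


def sudo_host_value_matches(value: str, hostname: str, fqdn: str, ip: str,
                            db: NetgroupDB, nis_domain: Optional[str] = None) -> bool:
    """One sudoHost value, in the forms sudoers.ldap(5) lists: ALL, +netgroup,
    IP address, network/netmask (CIDR or dotted), or a host name."""
    if value == "ALL":
        return True
    if value.startswith("+"):
        return host_in_netgroup(db, value[1:], (hostname, fqdn), nis_domain)
    if "/" in value:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False
    try:
        return ipaddress.ip_address(value) == ipaddress.ip_address(ip)
    except ValueError:
        pass
    return value.lower() in (hostname.lower(), fqdn.lower())


def debug_lines(sudo_hosts, hostname, fqdn, ip, db, nis_domain=None) -> List[str]:
    """Per-value verdicts in the shape of the sudo LDAP debug lines quoted in
    the post, e.g. "sudo: ldap sudoHost '+hostg_build' ... not"."""
    out = []
    for raw in sudo_hosts:
        value = raw[1:] if raw.startswith("!") else raw
        ok = sudo_host_value_matches(value, hostname, fqdn, ip, db, nis_domain)
        out.append(f"sudo: ldap sudoHost '{raw}' ... {'MATCH!' if ok else 'not'}")
    return out


def rule_matches_host(sudo_hosts, hostname, fqdn, ip, db, nis_domain=None) -> bool:
    """Rule-level verdict. Assumption of this example (not a statement about
    sudo's exact evaluation order): a matching negated value '!x' vetoes the
    rule; otherwise any matching positive value is enough."""
    matched = False
    for raw in sudo_hosts:
        negated = raw.startswith("!")
        value = raw[1:] if negated else raw
        if sudo_host_value_matches(value, hostname, fqdn, ip, db, nis_domain):
            if negated:
                return False
            matched = True
    return matched


if __name__ == "__main__":
    # build03 is not in the netgroup, so only ALL matches for it.
    for line in debug_lines(["ALL", "+hostg_build"], "build03", "build03.comp.com",
                            "192.0.2.30", NETGROUPS):
        print(line)
```

The point of the emulation is that '+hostg_build' can only match if the client's netgroup lookup actually returns a netgroup of that name containing this host; if the lookup returns nothing, the value fails closed and the rule silently does not apply, which is what tempts people into ALL and thereby widens the rule to every host. Checking what the client resolves for the netgroup is therefore the first diagnostic step, ahead of touching the rule itself.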
Re: [Freeipa-users] Automount location design
OS is EL7.3 and ipa-server is 4.4.0

From: Z D
Sent: Friday, March 24, 2017 2:23:59 PM
To: freeipa-users@redhat.com
Subject: Automount location design

Hi there,

We've been looking to add indirect maps for users' home directories, and did the following.

1. There is the automount location (named "global") with one map "auto_home"; it has keys (they are usernames) and the mount info is :/path
2. The idea is that this is the "global location".
3. Another location (named "userdirs") has an auto.master map with key = "/home" and mount info like "ldap:automountmapname=auto_home,cn=global,cn=automount,dc=comp,dc=com"
4. It was added with the command:

    ipa automountkey-add userdirs auto.master --key=/home --info=ldap:automountmapname=auto_home,cn=global,cn=automount,dc=comp,dc=com

5. All works as expected; the issue is that the command below shows an error.

    ipa automountlocation-tofiles userdirs
    ipa: ERROR: ldap:automountmapname=auto_home,cn=global,cn=automount,dc=comp,dc=com: automount map not found

Is there any concern with such a design?

Thanks
Zarko
[Freeipa-users] Automount location design
Hi there,

We've been looking to add indirect maps for users' home directories, and did the following.

1. There is the automount location (named "global") with one map "auto_home"; it has keys (they are usernames) and the mount info is :/path
2. The idea is that this is the "global location".
3. Another location (named "userdirs") has an auto.master map with key = "/home" and mount info like "ldap:automountmapname=auto_home,cn=global,cn=automount,dc=comp,dc=com"
4. It was added with the command:

    ipa automountkey-add userdirs auto.master --key=/home --info=ldap:automountmapname=auto_home,cn=global,cn=automount,dc=comp,dc=com

5. All works as expected; the issue is that the command below shows an error.

    ipa automountlocation-tofiles userdirs
    ipa: ERROR: ldap:automountmapname=auto_home,cn=global,cn=automount,dc=comp,dc=com: automount map not found

Is there any concern with such a design?

Thanks
Zarko
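The two-location layout described in this thread (the original post above and the reply quoting it), as an added example that is editor's code, not FreeIPA's and not the poster's: the locations and maps are modelled in memory, an auto.master info value is parsed to tell a bare map name from an ldap: reference into another location, and the location is rendered as autofs files either by following the reference or by treating the info as a local map name. The second mode produces exactly the "automount map not found" wording the tofiles command printed, which is consistent with that command resolving map names only within the location it is given. Map contents, host names and the ldap://host/ URI variant are assumptions of the example.

```python
# Added example (editor's, not FreeIPA's code): model automount locations in
# memory and resolve an auto.master entry whose info is an ldap: reference to a
# map in another location. All data below is constructed.
import re
from typing import Dict, Optional, Tuple

SUFFIX = "dc=comp,dc=com"

# location -> map name -> {key: info}, mirroring the post: user keys live in
# "global"/auto_home, and "userdirs"/auto.master points at that map.
LOCATIONS: Dict[str, Dict[str, Dict[str, str]]] = {
    "global": {
        "auto_home": {
            "zarko": ":/export/home/zarko",
            "alice": "nfs01.comp.com:/export/home/alice",
        },
    },
    "userdirs": {
        "auto.master": {
            "/home": "ldap:automountmapname=auto_home,cn=global,cn=automount,dc=comp,dc=com",
        },
    },
}

# ldap:[//host/]automountmapname=<map>,cn=<location>,cn=automount,<suffix>
# (map and location names containing commas are out of scope here)
_LDAP_MAP_REF = re.compile(
    r"^ldap:(?://[^/]*/)?automountmapname=([^,]+),cn=([^,]+),cn=automount,(.+)$",
    re.IGNORECASE,
)


def parse_map_ref(info: str, suffix: str = SUFFIX) -> Optional[Tuple[str, str]]:
    """(location, map) named by an ldap: map reference, or None for a bare
    map name or a reference into some other suffix."""
    m = _LDAP_MAP_REF.match(info.strip())
    if not m or m.group(3).strip().lower() != suffix.lower():
        return None
    return m.group(2), m.group(1)


def resolve_map(locations, location, info, suffix=SUFFIX, follow_refs=True):
    """Find the map an auto.master info value points at. A bare name is looked
    up in the same location; with follow_refs an ldap: reference is followed
    to the location in its DN. Raises LookupError with the wording the ipa
    tool used when the map cannot be found."""
    ref = parse_map_ref(info, suffix) if follow_refs else None
    loc, name = ref if ref else (location, info)
    entries = locations.get(loc, {}).get(name)
    if entries is None:
        raise LookupError(f"{info}: automount map not found")
    return loc, name, entries


def location_to_files(locations, location, suffix=SUFFIX, follow_refs=True) -> Dict[str, str]:
    """Render a location as autofs files: auto.master plus one file per map."""
    master = locations[location]["auto.master"]
    files: Dict[str, str] = {}
    master_lines = []
    for mount, info in sorted(master.items()):
        _loc, name, entries = resolve_map(locations, location, info, suffix, follow_refs)
        master_lines.append(f"{mount}\t/etc/{name}")
        files[f"/etc/{name}"] = "\n".join(f"{k}\t{v}" for k, v in sorted(entries.items()))
    files["/etc/auto.master"] = "\n".join(master_lines)
    return files


def strict_tofiles_error(locations, location, suffix=SUFFIX) -> Optional[str]:
    """Error text from a resolver that treats every info value as a local map
    name, which is consistent with the tofiles error quoted in the post."""
    try:
        location_to_files(locations, location, suffix, follow_refs=False)
    except LookupError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for path, body in location_to_files(LOCATIONS, "userdirs").items():
        print(f"--- {path}\n{body}")
    print(strict_tofiles_error(LOCATIONS, "userdirs"))
```

The practical reading: an autofs client that reads its maps from LDAP follows the ldap: reference itself, which is why the poster reports the mounts working, while a tool that flattens one location to files has nothing to follow unless it is taught to look across locations. Anything that audits or exports automount data per location (including a review of which hosts can see which home-directory map) needs the same cross-location resolution, or it will report the map as missing.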
Re: [Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)
Thank you David.

From: David Kupka <dku...@redhat.com>
Sent: Wednesday, March 22, 2017 12:06 AM
To: Z D
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)

On Wed, Mar 22, 2017 at 04:38:58AM +0000, Z D wrote:
> Hallo, I have a problem to prepare the replica.
>
> Environment:
>
> OS: Newly installed EL7.3
>
> IPA Server: Newly installed ipa-server 4.4.0
>
> The error:
>
> # ipa-replica-prepare
> Replica creation using 'ipa-replica-prepare' to generate replica file
> is supported only in 0-level IPA domain.
> The current IPA domain level is 1 and thus the replica must
> be created by promoting an existing IPA client.
> To set up a replica use the following procedure:
> 1.) set up a client on the host using 'ipa-client-install'
> 2.) promote the client to replica running 'ipa-replica-install'
> *without* replica file specified
> 'ipa-replica-prepare' is allowed only in domain level 0
> The ipa-replica-prepare command failed.
>
> Any explanation for this and possible resolution, thanks, Zarko

You can also look into RHEL documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html

-- 
David Kupka
[Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)
Hallo, I have a problem to prepare the replica.

Environment:

OS: Newly installed EL7.3

IPA Server: Newly installed ipa-server 4.4.0

The error:

    # ipa-replica-prepare
    Replica creation using 'ipa-replica-prepare' to generate replica file
    is supported only in 0-level IPA domain.
    The current IPA domain level is 1 and thus the replica must
    be created by promoting an existing IPA client.
    To set up a replica use the following procedure:
    1.) set up a client on the host using 'ipa-client-install'
    2.) promote the client to replica running 'ipa-replica-install'
    *without* replica file specified
    'ipa-replica-prepare' is allowed only in domain level 0
    The ipa-replica-prepare command failed.

Any explanation for this and possible resolution, thanks, Zarko
[Freeipa-users] The 3rd party cert for IPA Web GUI
Hi there, is it possible to have a cert (say from VeriSign) for an IPA host and use it for httpd (Web GUI), without breaking anything else?

I've acquired one and added it to the nssdb (/etc/httpd/alias).

    # certutil -L -d /etc/httpd/alias

    Certificate Nickname                            Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

    ipaCert                                         u,u,u
    Server-Cert                                     u,u,u
    COMP.COM IPA CA                                 CT,C,C
    Signing-Cert                                    u,u,u
    CA-LDAP01-CHAINED                               u,u,u
    Comp SSL CA - G2 - VeriSign, Inc.               ,,

It's now used in /etc/httpd/conf.d/nss.conf and the cert looks good via a browser. But it's breaking something, since I see this:

    # ipa user-show admin
    ipa: ERROR: cert validation failed for "CN=ca-ldap01.comp.com,OU=Corp,O=Corporation,L=City,ST=California,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
    ipa: ERROR: cannot connect to 'https://ca-ldap01.comp.com/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

Adding this cert to the /etc/dirsrv/slapd-CORP-COM/ nssdb didn't resolve the issue.

Thanks for any advice.
Zarko
[Freeipa-users] IPA Error 4301: CertificateOperationError
Hello,

There is the error on ver 4.2 while viewing certs: "IPA Error 4301: CertificateOperationError"; next it reads "Certificate operation cannot be completed: Unable to communicate with CMS ([Errno 113] No route to host)".

I suspect you'll be asking for the two commands below; here are the results.

    # ipa cert-show 1
      Certificate: MIIDlzCCAn+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1VUy5P
      ..shortened ...
      H6S7tS4pT9w77K8=
      Subject: CN=Certificate Authority,O=COMP.COM
      Issuer: CN=Certificate Authority,O=COMP.COM
      Not Before: Wed Aug 17 17:20:41 2016 UTC
      Not After: Sun Aug 17 17:20:41 2036 UTC
      Fingerprint (MD5): 00:a5:2c:2d:ea:c8:27:33:62:35:75:53:12:6a:0d:c1
      Fingerprint (SHA1): d1:58:78:83:31:b8:ad:ae:af:2c:e7:05:44:67:6e:3a:37:8c:00:1a
      Serial number (hex): 0x1
      Serial number: 1

    # ipactl restart
    Restarting Directory Service
    Restarting krb5kdc Service
    Restarting kadmin Service
    Restarting named Service
    Restarting ipa_memcached Service
    Restarting httpd Service
    Restarting ipa-otpd Service
    Restarting ipa-dnskeysyncd Service
    ipa: INFO: The ipactl command was successful

Any help is appreciated, thanks
Zarko