Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-22 Thread Filip Pytloun
My change was already applied in
bind9 (1:9.10.3.dfsg.P2-4) experimental; urgency=medium

I don't know if it could be shipped by sssd package as the policy is for
usr.bin.named binary.

On 2016/02/22 07:11, Timo Aaltonen wrote:
> 14.02.2016, 09:14, Filip Pytloun wrote:
> > Hello,
> > 
> > we are using Ubuntu 14.04 on FreeIPA clients and Ubuntu 16.04 on FreeIPA
> > server for 2 months with no critical issues.
> > 
> > Using newer freeipa-client was not needed, only sssd update from here,
> > because trusty version is buggy:
> > https://launchpad.net/~sssd/+archive/ubuntu/updates?field.series_filter=trusty
> > 
> > On server side, it was only needed to fix apparmor policy for bind to
> > fix FreeIPA DNS zones:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814314
> 
> /var/lib/sss* bits belong to the apparmor profile shipped by sssd..
> mind removing them from the bind profile and testing this to
> /etc/apparmor.d/usr.sbin.sssd instead?
> 
> @@ -33,6 +33,7 @@
> 
>/var/lib/sss/* rw,
>/var/lib/sss/db/* rwk,
> +  /var/lib/sss/mc/initgroups r,
>/var/lib/sss/pipes/* rw,
>/var/lib/sss/pipes/private/* rw,
>/var/lib/sss/pubconf/* rw,
> @@ -42,6 +43,7 @@
>/{,var/}run/sssd.pid rw,
> 
>profile /usr/lib/@{multiarch}/sssd/* {
> +/var/lib/sss/pubconf/krb5.include.d/** rw,
>  /var/lib/sss/pubconf/krb5.include.d/ rw,
>}
> 
> 
> 
> -- 
> t


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-22 Thread Timo Aaltonen
22.02.2016, 10:00, Filip Pytloun wrote:
> My change was already applied in bind9 (1:9.10.3.dfsg.P2-4)
> experimental; urgency=medium
> 
> I don't know if it could be shipped by sssd package as the policy
> is for usr.bin.named binary.

oh right, good point :)

I guess these rules should still get added to usr.sbin.sssd so I'll
apply them.


-- 
t


Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-21 Thread Timo Aaltonen
14.02.2016, 09:14, Filip Pytloun wrote:
> Hello,
> 
> we are using Ubuntu 14.04 on FreeIPA clients and Ubuntu 16.04 on FreeIPA
> server for 2 months with no critical issues.
> 
> Using newer freeipa-client was not needed, only sssd update from here,
> because trusty version is buggy:
> https://launchpad.net/~sssd/+archive/ubuntu/updates?field.series_filter=trusty
> 
> On server side, it was only needed to fix apparmor policy for bind to
> fix FreeIPA DNS zones:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814314

/var/lib/sss* bits belong to the apparmor profile shipped by sssd..
mind removing them from the bind profile and testing this to
/etc/apparmor.d/usr.sbin.sssd instead?

@@ -33,6 +33,7 @@

   /var/lib/sss/* rw,
   /var/lib/sss/db/* rwk,
+  /var/lib/sss/mc/initgroups r,
   /var/lib/sss/pipes/* rw,
   /var/lib/sss/pipes/private/* rw,
   /var/lib/sss/pubconf/* rw,
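Review bot: The added rule in the first hunk, "/var/lib/sss/mc/initgroups r,", grants read only and names a single file, and it comes from the bind profile, where named is a reader of that file. Before moving it into usr.sbin.sssd, check which access the sssd processes confined by this profile need on it, and whether other files under /var/lib/sss/mc/ need a rule as well: the neighbouring "/var/lib/sss/* rw," does not cover them, because "*" does not match across a "/". The added line is also indented with two spaces where the context lines use three.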
@@ -42,6 +43,7 @@
   /{,var/}run/sssd.pid rw,

   profile /usr/lib/@{multiarch}/sssd/* {
+/var/lib/sss/pubconf/krb5.include.d/** rw,
 /var/lib/sss/pubconf/krb5.include.d/ rw,
   }
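Review bot: In the second hunk the new rule uses "**", which in AppArmor also matches everything in subdirectories of krb5.include.d/, while the existing rule next to it covers only the directory itself. If only files directly inside that directory are written, "/var/lib/sss/pubconf/krb5.include.d/* rw," is the narrower grant. The added line also starts at column 0 inside the child profile block; indent it like the rule that follows it.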



-- 
t



Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-13 Thread Prasun Gera
Just replying to this thread to express interest in good client support in
Ubuntu. As 16.04 draws close to a release, it would be great if the client
side of things works well out of the box in 16.04 without any 3rd party
PPAs. 12.04 was pretty bad, 14.04 was mostly usable with some issues. I'm
hoping that with 16.04, it reaches parity with Fedora-based distros. I'll
be happy to do some preliminary testing if needed.

On Mon, Feb 8, 2016 at 10:56 AM, Timo Aaltonen wrote:

> 04.02.2016, 19:28, Jon wrote:
> > Is Ubuntu not supported with FreeIPA?  Is there an updated install
> > script?  I installed the freeipa-client from public repos.
> >
> >>> ii  freeipa-client  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- client
> >>> ii  python-freeipa  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- python modules
>
> The stock packages in 14.04 are rather old, you'd probably be happier with
> the 4.0.5-based client available on the PPA:
>
> https://launchpad.net/~freeipa/+archive/ubuntu/4.0
>
>
>
> --
> t

Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-13 Thread Filip Pytloun
Hello,

we are using Ubuntu 14.04 on FreeIPA clients and Ubuntu 16.04 on FreeIPA
server for 2 months with no critical issues.

Using newer freeipa-client was not needed, only sssd update from here,
because trusty version is buggy:
https://launchpad.net/~sssd/+archive/ubuntu/updates?field.series_filter=trusty

On server side, it was only needed to fix apparmor policy for bind to
fix FreeIPA DNS zones:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814314

Maybe someone could be interested in Salt formula we are using to setup
Freeipa server/client: https://github.com/tcpcloud/salt-formula-freeipa

Filip

On 2016/02/13 17:40, Prasun Gera wrote:
> Just replying to this thread to express interest in good client support in
> Ubuntu. As 16.04 draws close to a release, it would be great if the client
> side of things works well out of the box in 16.04 without any 3rd party
> PPAs. 12.04 was pretty bad, 14.04 was mostly usable with some issues. I'm
> hoping that with 16.04, it reaches parity with Fedora-based distros. I'll
> be happy to do some preliminary testing if needed.
> 
> On Mon, Feb 8, 2016 at 10:56 AM, Timo Aaltonen wrote:
> 
> > 04.02.2016, 19:28, Jon wrote:
> > > Is Ubuntu not supported with FreeIPA?  Is there an updated install
> > > script?  I installed the freeipa-client from public repos.
> > >
> > >>> ii  freeipa-client  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- client
> > >>> ii  python-freeipa  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- python modules
> >
> > The stock packages in 14.04 are rather old, you'd probably be happier with
> > the 4.0.5-based client available on the PPA:
> >
> > https://launchpad.net/~freeipa/+archive/ubuntu/4.0
> >
> >
> >
> > --
> > t

Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-08 Thread Timo Aaltonen
04.02.2016, 19:28, Jon wrote:
> Is Ubuntu not supported with FreeIPA?  Is there an updated install
> script?  I installed the freeipa-client from public repos.
> 
>>> ii  freeipa-client  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- client
>>> ii  python-freeipa  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- python modules

The stock packages in 14.04 are rather old, you'd probably be happier with the 
4.0.5-based client available on the PPA:

https://launchpad.net/~freeipa/+archive/ubuntu/4.0



-- 
t



Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-05 Thread Rob Crittenden

Jon wrote:

Hello,

How do I configure automount for Ubuntu 14.04 clients?  My procedure on
CentOS has been: install free-ipa client, run ipa-client-install (auto
configures with dns discovery), run ipa-client-automount.  However, when
I run this on the ubuntu client, I receive the following errors:

 >> root@ubuntu-1404-x8664:~# ipa-client-automount -U
 >> Searching for IPA server...
 >> IPA server: DNS discovery
 >> Location: default
 >> Configured /etc/nsswitch.conf
 >> Configured /etc/default/nfs-common
 >> Configured /etc/idmapd.conf
 >> rpcidmapd failed to restart: Command '/usr/sbin/service rpcidmapd restart ' returned non-zero exit status 1
 >> rpcgssd failed to restart: Command '/usr/sbin/service rpcgssd restart ' returned non-zero exit status 1

As these are not the names of these services on Ubuntu, this will never
work.

 >> root@ubuntu-1404-x8664:~# service idmapd restart
 >> idmapd stop/waiting
 >> idmapd start/running, process 428
 >> root@ubuntu-1404-x8664:~# service gssd restart
 >> stop: Unknown instance:
 >> gssd start/running, process 567

Unfortunately, this appears to be hardcoded values in the install script:

 >> if statestore.has_state('rpcidmapd'):
 >>     enabled = statestore.restore_state('rpcidmapd', 'enabled')
 >>     running = statestore.restore_state('rpcidmapd', 'running')
 >>     rpcidmapd = ipaservices.knownservices.rpcidmapd
 >>     if not enabled:
 >>         rpcidmapd.disable()
 >>     if not running:
 >>         rpcidmapd.stop()
 >> if statestore.has_state('rpcgssd'):
 >>     enabled = statestore.restore_state('rpcgssd', 'enabled')
 >>     running = statestore.restore_state('rpcgssd', 'running')
 >>     rpcgssd = ipaservices.knownservices.rpcgssd

Is Ubuntu not supported with FreeIPA?  Is there an updated install
script?  I installed the freeipa-client from public repos.


One guy volunteers his time porting IPA to Ubuntu. He has invested a 
fair bit of time in generalizing other hardcoded elements in IPA. It's 
possible he hasn't gotten to ipa-client-automount yet or it hasn't been 
pushed out in a build yet.


rob



[Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-04 Thread Jon
Hello,

How do I configure automount for Ubuntu 14.04 clients?  My procedure on
CentOS has been: install free-ipa client, run ipa-client-install (auto
configures with dns discovery), run ipa-client-automount.  However, when I
run this on the ubuntu client, I receive the following errors:

>> root@ubuntu-1404-x8664:~# ipa-client-automount -U
>> Searching for IPA server...
>> IPA server: DNS discovery
>> Location: default
>> Configured /etc/nsswitch.conf
>> Configured /etc/default/nfs-common
>> Configured /etc/idmapd.conf
>> rpcidmapd failed to restart: Command '/usr/sbin/service rpcidmapd restart ' returned non-zero exit status 1
>> rpcgssd failed to restart: Command '/usr/sbin/service rpcgssd restart ' returned non-zero exit status 1

As these are not the names of these services on Ubuntu, this will never
work.

>> root@ubuntu-1404-x8664:~# service idmapd restart
>> idmapd stop/waiting
>> idmapd start/running, process 428
>> root@ubuntu-1404-x8664:~# service gssd restart
>> stop: Unknown instance:
>> gssd start/running, process 567

Unfortunately, this appears to be hardcoded values in the install script:

>> if statestore.has_state('rpcidmapd'):
>>     enabled = statestore.restore_state('rpcidmapd', 'enabled')
>>     running = statestore.restore_state('rpcidmapd', 'running')
>>     rpcidmapd = ipaservices.knownservices.rpcidmapd
>>     if not enabled:
>>         rpcidmapd.disable()
>>     if not running:
>>         rpcidmapd.stop()
>> if statestore.has_state('rpcgssd'):
>>     enabled = statestore.restore_state('rpcgssd', 'enabled')
>>     running = statestore.restore_state('rpcgssd', 'running')
>>     rpcgssd = ipaservices.knownservices.rpcgssd

Is Ubuntu not supported with FreeIPA?  Is there an updated install script?
I installed the freeipa-client from public repos.

>> ii  freeipa-client  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- client
>> ii  python-freeipa  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- python modules

Thanks,
Jon A