Re: [Freeipa-users] 389-ds memory usage
On Wed, June 6, 2012 00:54, JR Aquino wrote:
> On Jun 5, 2012, at 3:42 PM, Sigbjorn Lie wrote:
>> On 06/06/2012 12:26 AM, JR Aquino wrote:
>>> On Jun 5, 2012, at 3:12 PM, Sigbjorn Lie wrote:
>>>> On 06/05/2012 11:44 PM, JR Aquino wrote:
>>>>> On Jun 5, 2012, at 1:54 PM, Sigbjorn Lie wrote:
>>>>>> On 06/05/2012 10:42 PM, Steven Jones wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> This bug has pretty much destroyed my IPA deployment... I had a pretty bad memory leak, had to reboot every 36 hours... made worse by trying later 6.3? rpms, didn't fix the leak and it went split brain... 2 months and no fix... boy did that open up a can of worms. :/
>>>>>>>
>>>>>>> In my case I can't see how it's churn as I have so few entries (50) and I'm adding no more items at present... unless a part of ipa is replicating and diffing in the background to check consistency? I also have only one-way replication now at most, master to replica, and no memory leak shows in Munin at present. But I seem to be faced with a rebuild from scratch...
>>>>>>
>>>>>> Did you do the max entry cache size tuning? If you did, what did you set it to? Did you do any other tuning from the 389-ds tuning guide?
>>>>>>
>>>>>> Rgds,
>>>>>> Siggi
>>>>>
>>>>> When I had similar problems using Fedora (not Red Hat or CentOS) my underlying issues were:
>>>>>
>>>>> managed entries firing off any time an object was updated (every time someone successfully authenticates, kerberos updates the user object, which in turn would touch the mepmanaged entry for the user's private group)
>>>>>
>>>>> Similar things happened when hostgroups were modified...
>>>>>
>>>>> This was further complicated by inefficiencies in the way that slapi-nis was processing the compat pieces for the sudo rules and the netgroups (which are automatically created from every hostgroup)
>>>>>
>>>>> Thus, when memberof fired off, slapi-nis recomputed a great deal of its chunk...
>>>>>
>>>>> After getting those issues resolved, I tuned the max entry cache size. But it took all the fixes to finally resolve the memory creep problem.
>>>>>
>>>>> It is not at all clear to me whether or not the bug fixes for my problem have made it up into Red Hat / CentOS though... The slapi-nis versions definitely don't line up between Fedora and Red Hat/CentOS... Perhaps Nalin or Rich can speak to some of that.
>>>>>
>>>>> The bug itself was easiest to replicate with _big_ changes like deleting a group that had a great number of members for example, but the symptoms were similar for me for day to day operation, resulting in consumption that never freed.
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=771493
>>>>>
>>>>> Are either of you currently utilizing sudo?
>>>>
>>>> I read your bug report a while back, and made sure that slapi-nis was disabled. I have tuned my cache size to 256MB. I believe that should be OK as my cache hit ratio sits at 97-99%?
>>>>
>>>> I understand you have a fairly large deployment, what cache size are you using? Are you using Fedora or Red Hat / CentOS as your production environment?
>>>>
>>>> I do not use sudo with IPA yet, I am planning for doing that later. Are there any issues I should be aware of with sudo integration?
>>>>
>>>> Rich/Nalin, was there a bug in managed entries that's been fixed in the current 389-ds versions available in Red Hat / CentOS 6?
>>>>
>>>> Regards,
>>>> Siggi
>>>
>>> Ya it is true that I do have a large environment, but some of the hurdles that I had to jump appeared to be ones that weren't related so much to the number of hosts I had, but rather their amount of activity. I.e. automated single-sign-on scripts, people authenticating, general binds taking place all over...
>>>
>>> I am using Fedora with FreeIPA 2.2 pending a migration to RHEL 6.3 and IPA 2.2
>>>
>>> My measurements... ;)
>>>
>>> dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: monitor
>>> database: ldbm database
>>> readonly: 0
>>> entrycachehits: 904077
>>> entrycachetries: 923802
>>> entrycachehitratio: 97
>>> currententrycachesize: 79607895
>>> maxentrycachesize: 104857600
>>> currententrycachecount: 10301
>>> maxentrycachecount: -1
>>> dncachehits: 3
>>> dncachetries: 10302
>>> dncachehitratio: 0
>>> currentdncachesize: 1861653
>>> maxdncachesize: 10485760
>>> currentdncachecount: 10301
>>> maxdncachecount: -1
>>
>> Ok, we have a fair amount of logons happening too with Nagios running lots of ssh connections to the hosts, as well as normal users. Can't really disable that. :)
>>
>> I see your cache size is 100MB, that's less than half of mine. I increased my cache quite a bit as I was advised by Rich about a bug that's not been fixed in the RHEL 6.2 version of 389-ds, related to when entries in cache are being removed to make room for new cache entries. I was hoping that issue would go away with a large cache size.
>
> Right, I was advised over the same. Though it sounds like you're not hitting your limit and are still seeing the memory creep... This makes me question the other factors. Nagios checking everything (probably every 5 mins?) might be a good source of
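The cn=monitor numbers JR pasted are exactly what the thread keeps asking for (hit ratio, and whether the cache is actually hitting its limit). Here is an added example, not code from the thread or from 389-ds, that parses such an entry as ldapsearch returns it (base DN cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config, as in JR's output) and reports hit ratio and utilization for both the entry cache and the DN cache. The sample LDIF is constructed from JR's numbers; the warning thresholds are my own choices, not 389-ds defaults.

```python
"""Check 389-ds entry/DN cache health from a cn=monitor LDIF dump.

Added example, not code from the thread or from 389-ds. Typical input:
  ldapsearch -x -D "cn=Directory Manager" -W \
    -b "cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
The sample below is constructed from the numbers JR posted; the warning
thresholds are my own choices, not 389-ds defaults.
"""
from dataclasses import dataclass, field

SAMPLE_MONITOR = """\
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: monitor
database: ldbm database
readonly: 0
entrycachehits: 904077
entrycachetries: 923802
entrycachehitratio: 97
currententrycachesize: 79607895
maxentrycachesize: 104857600
currententrycachecount: 10301
maxentrycachecount: -1
dncachehits: 3
dncachetries: 10302
dncachehitratio: 0
currentdncachesize: 1861653
maxdncachesize: 10485760
currentdncachecount: 10301
maxdncachecount: -1
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (handles folded lines)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folds long values onto
            lines[-1] += raw[1:]            # continuation lines starting with a space
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


@dataclass
class CacheReport:
    name: str
    hit_ratio_pct: float
    utilization_pct: float
    warnings: list = field(default_factory=list)


def assess_cache(entry, prefix, warn_util_pct=90.0, warn_hit_pct=95.0, min_tries=1000):
    """Summarise the '<prefix>cache' counters (prefix is 'entry' or 'dn').

    hit ratio   = hits / tries
    utilization = current size / max size (a max of -1 means unlimited)
    """
    val = lambda attr: int(entry[attr][0])
    hits, tries = val(f"{prefix}cachehits"), val(f"{prefix}cachetries")
    cur, mx = val(f"current{prefix}cachesize"), val(f"max{prefix}cachesize")
    hit_ratio = 100.0 * hits / tries if tries else 0.0
    util = 100.0 * cur / mx if mx > 0 else 0.0
    rep = CacheReport(prefix, round(hit_ratio, 2), round(util, 2))
    if mx > 0 and util >= warn_util_pct:
        rep.warnings.append(
            f"{prefix} cache is {util:.1f}% of its max size: once it fills, "
            f"entries get evicted to make room, so raise the max or expect churn")
    if tries >= min_tries and hit_ratio < warn_hit_pct:
        rep.warnings.append(
            f"{prefix} cache hit ratio is only {hit_ratio:.1f}% over {tries} lookups")
    return rep


def report(text):
    """Return CacheReports for both caches from a cn=monitor LDIF dump."""
    entry = parse_ldif_entry(text)
    return {p: assess_cache(entry, p) for p in ("entry", "dn")}


if __name__ == "__main__":
    for name, rep in report(SAMPLE_MONITOR).items():
        print(f"{name}: hit ratio {rep.hit_ratio_pct}%, {rep.utilization_pct}% of max size")
        for w in rep.warnings:
            print("  WARNING:", w)
```

On JR's numbers the entry cache comes out at about 97.9% hits and 76% of its 100MB maximum, which is the "not hitting your limit" observation in the thread made explicit; if the utilization sat at 100% with a falling hit ratio, the eviction bug Rich warned about would be the first suspect rather than plugin activity.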
Re: [Freeipa-users] token/swipe pass deployments with IPA
On 05/06/12 23:50, Dmitri Pal wrote:
> On 06/01/2012 03:14 AM, Dale Macartney wrote:
>> On 31/05/12 23:54, Dmitri Pal wrote:
>>> On 05/31/2012 03:03 PM, Dale Macartney wrote:
>>>> Evening all
>>>>
>>>> http://www.youtube.com/watch?v=uvfkj8V6ylM
>>>>
>>>> This video was floating around Google plus a few days ago, which is brilliant to show off RHEV's VDI technologies. I was wondering if anyone has a similar business case of VDI deployments with swipe passes or tokens, but using IPA as the backing authentication store?
>>>
>>> I am not quite sure what is used as an authentication source in this case. I can ask.
>>
>> I was just thinking, as I seem to be doing a lot lately, can it be done with IPA? Is token support on the road map, if some are not already supported?
>
> Define token? You mean smart cards or 2FA using tokens like SecurID? All on the roadmap.

I was thinking anything along the lines of a physical medium which an end user can use to authenticate themselves with. This can be single auth or 2FA. I was thinking things like SecurID, smartcards, yubikeys, RSA keyfobs, Citrix CAG tokens etc. If it's on the road map that's fine. I'll keep an eager eye open for the integration in the future ;-)

Has anyone done something similar themselves?

Dale

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Provision user accounts groups from external IM
Hi Alexander,

I did some experimenting with the example at http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ and am now able to create a user using the following as input to curl (-d @user_add.json):

{
  "method": "user_add",
  "params": [
    [],
    {
      "uid": "test",
      "givenname": "test",
      "sn": "test",
      "userpassword": "test"
    }
  ]
}

I'm left with two questions:

- Is it possible to use a hashed password (as stored in the 'meta-IM') as a value for userpassword? And if so, will this propagate to the created Kerberos principal?

- After creation, I'm forced to change the password when running `kinit test`. Is it possible to prevent the forced password change? As a test, I tried to set the '-needchange' attribute using kadmin but that returned "... Insufficient access while modifying ...".

I grepped the mailing list archives / API.txt / source code / etc. for clues but without success...

Regards,
Willem.

On Tue, Jun 5, 2012 at 12:51 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Tue, 05 Jun 2012, Willem Bos wrote:
>> Hi Alexander,
>>
>> Thanks for your quick response. Yes, the server on which the external IM environment is hosted does not have the ipa utils available. As a matter of fact, the server might even be hosted off-site.
>>
>> We're just beginning to explore IM solutions for our environment and the most likely architecture is a 'meta-IM' service that provisions platform specific IM's like AD, Oracle's Internet Directory and IPA. It will probably be a requirement that the meta-IM is to provision IPA directly (instead of Meta-IM -> AD -> IPA).
>>
>> The JSON interface looks promising, I will certainly try the example provided. Would user_add be the suitable command to use? It's the obvious candidate, but I just want to make sure...
>
> Yes, user_add is the command.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] Administration question: root user
On Wed, 2012-06-06 at 06:59 -0700, Joe Linoff wrote:
> Hi Folks:
>
> I am a newbie so I apologize in advance if this is a silly set of questions. I am using FreeIPA 2.1.3 on CentOS 6.2 and am very happy with it but I have a couple of questions about root access. When I set up my systems, I configured root manually on each of them.
>
> Does it make sense to define the root user in FreeIPA?

No, this is unsafe. You always want to be able to log in locally as root if something goes wrong. We specifically exclude 'root' from being managed by SSSD for this reason.

> Is it desirable from a security and administration perspective?

Absolutely not. Your better bet would be to maintain SUDO rules on each of the systems instead.

> If it does make sense, is it as simple as adding the "root" user in "ipa user-add"?

Please don't :)
Re: [Freeipa-users] Administration question: root user
Thank you. I really appreciate your help and for taking the time to answer so quickly.

I will NOT manage root through FreeIPA.

Regards,
Joe

-----Original Message-----
From: Stephen Gallagher [mailto:sgall...@redhat.com]
Sent: Wednesday, June 06, 2012 7:15 AM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Administration question: root user
Re: [Freeipa-users] Provision user accounts groups from external IM
Hi Simo,

I totally missed http://www.freeipa.org/page/PasswordSynchronization (and chapter 8.5.3 of the IPA guide :-)

Thanks for pointing it out!

Regards,
Willem.

On Wed, Jun 6, 2012 at 2:46 PM, Simo Sorce <s...@redhat.com> wrote:
> On Wed, 2012-06-06 at 14:34 +0200, Willem Bos wrote:
>> Hi Alexander,
>>
>> I did some experimenting with the example at http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ and am now able to create a user using the following as input to curl (-d @user_add.json):
>>
>> { "method": "user_add", "params": [ [], { "uid": "test", "givenname": "test", "sn": "test", "userpassword": "test" } ] }
>>
>> I'm left with two questions:
>>
>> - Is it possible to use a hashed password (as stored in the 'meta-IM') as a value for userpassword? And if so, will this propagate to the created Kerberos principal?
>
> Nope, we need the clear text in order to generate the krb5 keys.
>
>> - After creation, I'm forced to change the password when running `kinit test`. Is it possible to prevent the forced password change?
>
> Yes, see: http://www.freeipa.org/page/PasswordSynchronization
>
>> As a test, I tried to set the '-needchange' attribute using kadmin but that returned "... Insufficient access while modifying ...".
>
> This is not controlled by kadmin.
>
>> I grepped the mailing list archives / API.txt / source code / etc. for clues but without success...
>
> See above, it is really easy to create an agent with the right permissions.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
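Willem's curl body and Simo's two answers (clear text is required because the Kerberos keys are derived from it; the forced change on first kinit is avoided by the agent described on the PasswordSynchronization page, not by kadmin) fit into one small client. The following is an added example, not code from the thread, from Adam Young's post, or from FreeIPA. The request body shape {"method": ..., "params": [args, options]} is the one shown in the thread; the session endpoints /ipa/session/login_password and /ipa/session/json and the host name ipa.example.test are my assumptions (the blog post Willem followed used /ipa/json with Kerberos via curl --negotiate instead).

```python
"""Provision an IPA user through the JSON-RPC API.

Added example; not code from the thread, Adam Young's post, or FreeIPA.
Assumptions: the form-login endpoints /ipa/session/login_password and
/ipa/session/json, and the host name ipa.example.test. The body shape
{"method": ..., "params": [args, options]} is the one the thread shows.
"""
import http.cookiejar
import json
import ssl
import urllib.parse
import urllib.request


def build_user_add(uid, givenname, sn, userpassword=None, request_id=0):
    """Build the JSON-RPC body for user_add; uid goes in the positional args."""
    if not (uid and givenname and sn):
        raise ValueError("user_add needs uid, givenname and sn")
    options = {"givenname": givenname, "sn": sn}
    if userpassword is not None:
        # Clear text only: IPA derives the Kerberos keys from this value, so a
        # hash copied from another directory cannot be passed here (Simo's answer).
        options["userpassword"] = userpassword
    return {"method": "user_add", "params": [[uid], options], "id": request_id}


def check_response(body):
    """Return reply['result'], or raise with the server's error message."""
    reply = json.loads(body) if isinstance(body, (str, bytes)) else body
    err = reply.get("error")
    if err:
        raise RuntimeError(f"user_add failed: {err.get('message')} (code {err.get('code')})")
    return reply["result"]


class IpaSession:
    """Cookie-based session against the IPA web API (endpoints are assumptions)."""

    def __init__(self, server="ipa.example.test", cafile="/etc/ipa/ca.crt"):
        self.base = f"https://{server}/ipa"
        # Trust only the IPA CA for this connection, not the whole system store.
        ctx = ssl.create_default_context(cafile=cafile)
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def login(self, user, password):
        data = urllib.parse.urlencode({"user": user, "password": password}).encode()
        req = urllib.request.Request(
            f"{self.base}/session/login_password", data=data,
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Accept": "text/plain", "Referer": self.base})
        with self.opener.open(req) as resp:   # the session cookie lands in the jar
            resp.read()

    def call(self, body):
        req = urllib.request.Request(
            f"{self.base}/session/json", data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Accept": "application/json", "Referer": self.base})
        with self.opener.open(req) as resp:
            return check_response(resp.read())


if __name__ == "__main__":
    # Needs a reachable server; provisions the 'test' user from the thread.
    session = IpaSession()
    session.login("admin", "ADMIN_PASSWORD_PLACEHOLDER")
    print(session.call(build_user_add("test", "test", "test", "test")))
```

Whatever account the provisioning service binds as, a password set through it is treated as administratively set and expires immediately, which is the forced change Willem saw on `kinit test`; the PasswordSynchronization page Simo points to describes the agent (a bind DN listed in passSyncManagersDNs on the ipa_pwd_extop plugin entry) whose password sets are exempt from that expiry. Keep that agent's credentials as tightly held as a domain admin's, since it can set any user's password.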
[Freeipa-users] Setting up sudo clients
Hi Folks:

I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2 but I am running into a problem that I do not know how to debug. I used the instructions provided here: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html. The server installation went fine and I even did a sudo client installation on the server which worked well. Unfortunately, when I did the same client setup on another host in the network I got the message "user not in sudoers files" when I tried to execute a command.

Here is the output from /var/log/secure on the client. I didn't see anything strange on the server. The user name is bigbob.

Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

The command /bin/pwd is in the sudo commands and in the sudo command group. Any help would be greatly appreciated.

Here are the setup steps that I performed on the client. The domain is foo.example.com.
# CITATION: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
#
# Update /etc/nsswitch.conf
#
cat >> /etc/nsswitch.conf << EOF
#
# FreeIPA sudo support
#
sudoers: files ldap
sudoers_debug: 1
EOF

#
# Insert this just after the ipa_server line and restart sssd:
#   ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
#
cat /etc/sssd/sssd.conf | \
  awk '{print $0; if ($1 == "ipa_server") {printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' > /tmp/x
cp /tmp/x /etc/sssd/sssd.conf
rm -f /tmp/x
service sssd restart

#
# Create the /etc/nslcd.conf file
#
ls /etc/nslcd.conf
cat > /etc/nslcd.conf << EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
bindpw pwd/sudo
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF

#
# Set the NIS domain name (even though NIS is not used)
#
nisdomainname foo.example.com

Thank you,
Joe
Re: [Freeipa-users] Setting up sudo clients
On 06/06/2012 01:59 PM, Joe Linoff wrote:
> Hi Folks:
>
> I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2 but I am running into a problem that I do not know how to debug. I used the instructions provided here: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html. The server installation went fine and I even did a sudo client installation on the server which worked well. Unfortunately, when I did the same client setup on another host in the network I got the message "user not in sudoers files" when I tried to execute a command.
>
> Here is the output from /var/log/secure on the client. I didn't see anything strange on the server. The user name is bigbob.
>
> Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
> Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
> Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
> Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
> Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
> Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

Looks like the sudo utility is not going over LDAP and tries to find the user in the local file. Can you bind to the LDAP server? Is the firewall port open?

> The command /bin/pwd is in the sudo commands and in the sudo command group. Any help would be greatly appreciated.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
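Dmitri's reading of Joe's log is the general pattern worth recognising: pam_unix fails (the IPA user has no local password), pam_sss then succeeds, and only after that does sudo report "user NOT in sudoers", so authentication against IPA worked and it is the sudoers lookup (nsswitch, the nslcd bind, or reachability of the LDAP port) that is not returning the rules. The following is an added example, not code from the thread, that runs that triage over /var/log/secure lines; the sample log is constructed from the lines Joe posted, plus one constructed "allowed" line for contrast.

```python
"""Triage sudo failures in /var/log/secure: authentication or authorization?

Added example, not code from the thread. The sample log is constructed from
the lines Joe posted (host 'docs', user 'bigbob') plus one constructed
'allowed' line at 10:50:00 for contrast.
"""
import re

SAMPLE_SECURE = """\
Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd
Jun  6 10:50:00 docs sudo:   bigbob : TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd
"""

# PAM module verdicts: "pam_unix(sudo:auth): authentication failure; ... user=bigbob"
AUTH_RE = re.compile(
    r"sudo: (?P<module>pam_\w+)\(sudo:auth\): authentication "
    r"(?P<result>success|failure);.*\buser=(?P<user>\S+)")
# sudoers decision lines; the denied form carries "user NOT in sudoers"
DENIED_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : user NOT in sudoers ;.*COMMAND=(?P<cmd>.+)$")
ALLOWED_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ;.*COMMAND=(?P<cmd>.+)$")


def parse_events(text):
    """Turn raw syslog lines into (timestamp, kind, fields) tuples."""
    events = []
    for line in text.splitlines():
        ts = line[:15]                      # "Jun  6 10:38:35"
        for kind, rx in (("auth", AUTH_RE), ("denied", DENIED_RE), ("allowed", ALLOWED_RE)):
            m = rx.search(line)
            if m:
                events.append((ts, kind, m.groupdict()))
                break
    return events


def diagnose(text):
    """For each sudo decision, say which PAM module authenticated the user and
    whether a denial was an authentication or an authorization problem."""
    findings = []
    last_ok = {}                            # user -> module that last succeeded
    for ts, kind, f in parse_events(text):
        user = f["user"]
        if kind == "auth":
            if f["result"] == "success":
                last_ok[user] = f["module"]
            continue
        module = last_ok.get(user)
        if kind == "denied" and module == "pam_sss":
            verdict = ("authenticated via SSSD/IPA but no sudo rule matched: the "
                       "sudoers source is not returning the IPA rules (check "
                       "'sudoers: files ldap' in nsswitch.conf, the nslcd binddn/"
                       "bindpw and TLS settings, and that the LDAP port on the IPA "
                       "server is reachable from this client)")
        elif kind == "denied" and module is None:
            verdict = "no successful authentication seen before the denial"
        elif kind == "denied":
            verdict = f"authenticated via {module}; no sudo rule matched"
        else:
            verdict = f"allowed (last authenticated via {module or 'cached credentials'})"
        findings.append({"time": ts, "user": user, "command": f["cmd"].strip(),
                         "decision": kind, "auth_module": module, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for x in diagnose(SAMPLE_SECURE):
        print(f"{x['time']} {x['user']} {x['command']}: {x['decision']} - {x['verdict']}")
```

The pam_unix failure before each pam_sss success is normal PAM stacking for an IPA-only user and is not a finding on its own; the signal is the combination of a pam_sss success immediately followed by a denial, which points at the sudoers data path rather than at the user's credentials.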
Re: [Freeipa-users] token/swipe pass deployments with IPA
On 06/06/2012 04:50 AM, Dale Macartney wrote:
> I was thinking anything along the lines of a physical medium which an end user can use to authenticate themselves with. This can be single auth or 2FA. I was thinking things like SecurID, smartcards, yubikeys, RSA keyfobs, Citrix CAG tokens etc. If it's on the road map that's fine. I'll keep an eager eye open for the integration in the future ;-)

It is. Via AuthHub, but any help to make it more usable will be appreciated.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] 389-ds memory usage
Should be installed... will take a look.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Simo Sorce [s...@redhat.com]
Sent: Thursday, 7 June 2012 12:39 a.m.
To: Steven Jones
Cc: Sigbjorn Lie; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 389-ds memory usage

On Tue, 2012-06-05 at 22:23 +, Steven Jones wrote:
> I started with 2gb but went to 4 gb to try and last overnight and the weekend... might have to go to 8gb to last the weekend
>
> I also have a frequent failure to start IPA when I do a service ipa restart, which means I can't cron an over-night restart
>
> And the KDC on the master IPA server seems to die for no reason

Please install abrtd and provide back info in a bug next time it 'dies'. If the KDC is failing in your specific case we want to know asap so we can fix it. We haven't experienced any KDC failure in ages here.

Simo.

--
Simo Sorce * Red Hat, Inc * New York