Re: [Freeipa-users] FreeIPA DMZ topology
Yes, sorry, I should expand on my question. As per Josh's point, my scenario also has an AD trust involved. I recently learned of KDC proxying, but I am not sure if replicas and KDC proxies are the preferred/accepted design solutions for DMZs.

Aly

On Wed, Oct 7, 2015 at 1:18 PM, Baird, Josh <jba...@follett.com> wrote:
> I'm also interested in how people are handling this - especially when using AD Trusts.
>
> When using a trust, the IPA host not only has to communicate with IPA servers, but with potentially every AD domain controller in your HUB site. For us, this is a large number of domain controllers, which means we would need a large number of ACLs on our firewalls to permit the IPA DMZ client access to the AD domain controllers.
>
> Any suggestions?
>
> Thanks,
>
> Josh
>
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Aly Khimji
> Sent: Wednesday, October 07, 2015 1:12 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] FreeIPA DMZ topology
>
> Hey guys,
>
> Question for you, would having a replica be the ideal solution for authorizing hosts in a DMZ?
>
> Do you have any use cases for DMZ access/authorization or topologies you can share for DMZ zones where FreeIPA is used?
>
> Aly

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] dns_lookup_kdc question
Hey guys,

Quick question. Just running through a POC and ran into a question.

I have a simple AD DC (win2k8r2 box) with a trust set up to our IPA server. Trust and all is set up properly and I can see users on the client/IPA server, and on the IPA server I can ssh into it with the AD user.

I am finding that users are unable to log into the "client nodes" and are getting a "4: System Error" failure in the ssh log. When I dig into sssd in debug mode I can see it's failing to find a KDC for the "realm". Makes sense so far. So I enable dns_lookup_kdc = true and now it is able to find the realm and login is successful.

My question is, is this "dns_lookup_kdc = true" required in any setup with AD/IPA trust + ssh into IPA client with AD users?

I am wondering as there may be a use case where the AD server is in another network and IPA clients won't have direct access to AD. I was wondering if there is any model in which the client only ever talks to the IPA server and all the AD/Kerberos communication is handled via the IPA server, and if so how is this done?

I have read a bit and this looks as though what I am doing here is a "legacy" setup. Just wondering if this is different in sssd 1.9 or if kdc = True is always required.

I am not doing anything extra on the client other than the ipa-client install. No manual adjustment of sssd.conf or krb5.conf. If I am missing something please advise.

Thanks guys

Aly

SW info:

Server
ipa-admintools-4.1.0-18.el7.centos.4.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64
ipa-server-trust-ad-4.1.0-18.el7.centos.4.x86_64
ipa-server-4.1.0-18.el7.centos.4.x86_64

el7 Client
sssd-client-1.12.2-58.el7_1.17.x86_64
sssd-common-1.12.2-58.el7_1.17.x86_64
sssd-ad-1.12.2-58.el7_1.17.x86_64
sssd-proxy-1.12.2-58.el7_1.17.x86_64
sssd-krb5-1.12.2-58.el7_1.17.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
sssd-krb5-common-1.12.2-58.el7_1.17.x86_64
sssd-common-pac-1.12.2-58.el7_1.17.x86_64
sssd-ipa-1.12.2-58.el7_1.17.x86_64
sssd-ldap-1.12.2-58.el7_1.17.x86_64
sssd-1.12.2-58.el7_1.17.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64

el6 client
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
ipa-python-3.0.0-47.el6.centos.x86_64
sssd-client-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
ipa-client-3.0.0-47.el6.centos.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
Re: [Freeipa-users] dns_lookup_kdc question
Excellent, thank you for the quick response. I will look further into your suggestions.

Aly

On Wed, Sep 23, 2015 at 3:50 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 23 Sep 2015, Aly Khimji wrote:
>> Hey guys,
>>
>> Quick question. Just running through a POC and ran into a question.
>>
>> I have a simple AD DC (win2k8r2 box) with a trust set up to our IPA server.
>> Trust and all is set up properly and I can see users on the client/IPA
>> server and on the IPA server I can ssh into it with the AD user.
>>
>> I am finding that users are unable to log into the "client nodes" and are
>> getting a "4: System Error" failure in the ssh log. When I dig into the
>> sssd in debug mode I can see it's failing to find a KDC for the "realm". Makes
>> sense so far. So I enable dns_lookup_kdc = true and now it is able to find
>> the realm and login is successful.
>
> Correct.
>
>> My question is, is this "dns_lookup_kdc = true" required in any setup with
>> AD/IPA trust + ssh into IPA client with AD users?
>
> Yes, in currently released versions you have to have that in the krb5.conf.
>
>> I am wondering as there may be a use case where the AD server is in another
>> network and IPA clients won't have direct access to AD. I was wondering if
>> there is any model in which the client only ever talks to the IPA server and
>> all the AD/Kerberos communication is handled via the IPA server, and if so how
>> is this done?
>
> Yes, there is a way to do so with FreeIPA 4.2, by using KDC proxy functionality.
>
> You can enable KDC proxy on the IPA master and make sure to set manually on each client a 'kdc' property for each AD realm to point to https://ipa.master/KDCProxy. Then on the IPA master itself have an explicit definition in krb5.conf for AD realms pointing to the proper AD DCs for the 'kdc' property.
>
> With this setup you would have all Kerberos traffic (the same can be done with the kadmin protocol too, I think) redirected via IPA masters to AD DCs.
>
> You need to have a fairly recent MIT Kerberos library for that, though. RHEL7 should be OK. I haven't checked the latest MIT krb5 backports in RHEL6, though.
>
>> I have read a bit and this looks as though what I am doing here is a
>> "legacy" setup. Just wondering if this is different in sssd 1.9 or if kdc =
>> True is always required.
>>
>> I am not doing anything extra on the client other than the ipa-client install.
>> No manual adjustment of sssd.conf or krb5.conf. If I am missing something
>> please advise.
>
> ipa-client-install sets 'dns_lookup_kdc = true' by default if your DNS discovery of KDC was successful and no '--force' option was specified.
>
> --
> / Alexander Bokovoy
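The client-side half of the KDC proxy setup Alexander describes, which is also the answer to Josh's firewall-ACL concern in the DMZ thread above: an IPA client whose only Kerberos path to AD is HTTPS to the IPA master. This is an added example written for this page, not configuration generated by ipa-client-install or taken from the thread; the realm and host names (EXAMPLE.TEST, ipa.example.test, AD.EXAMPLE.TEST) are placeholders.

```ini
# /etc/krb5.conf on an IPA client that must not reach AD domain controllers
# directly (e.g. a DMZ host). Added example; all names are placeholders.
#   IPA realm:   EXAMPLE.TEST, served by ipa.example.test
#   AD realm:    AD.EXAMPLE.TEST, the trusted AD forest root

[libdefaults]
    default_realm = EXAMPLE.TEST
    # ipa-client-install leaves DNS discovery on. That is fine here: an
    # explicit 'kdc' entry in [realms] takes precedence over the SRV lookup
    # for that realm, so AD.EXAMPLE.TEST below is never resolved to a real DC.
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    EXAMPLE.TEST = {
        kdc = ipa.example.test:88
        admin_server = ipa.example.test:749
    }
    # The AD realm is reached only through the KDC proxy (MS-KKDCP over
    # HTTPS) on the IPA master, so the firewall needs TCP/443 from this
    # client to the master and nothing at all from this client to AD.
    # Requires an MIT krb5 with HTTPS KDC support (1.13 or later) and a
    # client that trusts the master's HTTPS certificate. The URL path is
    # case-sensitive; FreeIPA's packaged configuration serves /KdcProxy.
    AD.EXAMPLE.TEST = {
        kdc = https://ipa.example.test/KdcProxy
    }

[domain_realm]
    .example.test = EXAMPLE.TEST
    example.test = EXAMPLE.TEST
    .ad.example.test = AD.EXAMPLE.TEST
    ad.example.test = AD.EXAMPLE.TEST
```

On the IPA master itself the same AD.EXAMPLE.TEST stanza instead lists the AD domain controllers (kdc = dc1.ad.example.test, again a placeholder), which is the outbound path the proxy uses; the master is then the single host whose firewall rules need to reach AD, and every AD-bound Kerberos exchange from DMZ clients shows up in the master's web server log.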
Re: Goodbye IBM, Hello Google
Congratulations! All the best to you and your future roles :)

On Tue, Mar 24, 2015 at 4:00 PM, Wietse Venema <wie...@porcupine.org> wrote:
> After 18 years, including the best of my career, I decided that it was time to move on. I'll be working on security at Google NY.
>
> Please, there is no reason to say negative things about my old employer (or my new one!).
>
> Needless to say, I will continue to support Postfix.
>
> Wietse
Re: Anti spam filtering tools
Hey,

I know it can be quite cumbersome, but are you using a flat file for managing amavisd and policies, or are you using a MySQL backend? I have found putting all the policies, domains, management, blacklists etc. into MySQL to be a much better way to manage it. Then you can use a tool like phpMyAdmin to control things via a web UI of sorts.

Just my 2 cents

Aly

On Mar 5, 2015 5:56 PM, b...@todoo.biz <b...@todoo.biz> wrote:
> I am quite surprised that no one has anything to say about this… ;-?
>
> G.B.
>
> On 5 Mar 2015, at 19:17, b...@todoo.biz wrote:
>> Hi,
>>
>> I am currently using postfix with amavisd + spamassassin on FreeBSD. I also have SPF implemented with some py module.
>>
>> It is working quite well, but I found the management and updating of amavisd quite heavy!
>>
>> I wanted to know what you were using out there in order to filter spam efficiently? Any new tools with leaner configuration files?
>>
>> Thanks for sharing your knowledge.
>>
>> G.B.
>>
>> PGP ID -- 0x1BA3C2FD
Re: SNMP traps and unknown log file
Hey,

Can you show the contents of your snmptt.conf file? From my experience I have found that anything snmptt can't understand (e.g. doesn't have a definition for) it will log as unknown. For that reason I have a catch-all in my config at the very bottom of that config file (see below).

Example of a catch-all in mine:

    EVENT CatchAll .1.* "snmptt catchall" Critical
    FORMAT $D
    EXEC /usr/lib64/nagios/plugins/eventhandlers/submit_check_result $r TRAP 2 "$O: $1 $2 $3 $4 $5"
    SDESC
    This is the catch all snmptt MIB definition. This means that this trap
    does not have a MIB definition in snmptt.conf on the server.
    EDESC

Aly

On Mon, Jan 26, 2015 at 2:57 PM, Brian Kejser <br...@kaiserdigital.com> wrote:
> Hi
>
> I've done the following.
>
> - Ubuntu Server 14.04.1
> - Installed snmp, snmpd and snmp-mibs-downloader
> - Downloaded and unpacked Dell MIBs to the folder /usr/share/snmp/mibs
> - Deleted the file /usr/share/mibs/ietf/IPSEC-SPD-MIB
> - Deleted the file /usr/share/mibs/ietf/IPATM-IPMC-MIB
> - Deleted the file /usr/share/mibs/iana/IANA-IPPM-METRICS-REGISTRY-MIB
> - Deleted the file /usr/share/mibs/ietf/SNMPv2-PDU
>
> Edited the file /etc/default/snmp.conf
>     mibs +ALL
>
> Edited the file /etc/default/snmpd
>     TRAPDRUN=yes
>
> Edited the file /etc/snmp/snmptrapd.conf
>     authCommunity log,execute,net public
>     traphandle default /usr/sbin/snmptt
>     ignoreauthfailure 1
>     disableAuthorization yes
>
> Edited the file /etc/snmp/snmptt.ini
>     date_time_format = %H:%M:%S %Y/%m/%d
>     log_system_enable = 1
>     unknown_trap_log_enable = 1
>
> When a trap is received, it ends up in the unknown trap log file. I am able to use snmptranslate to translate the MIBs in the unknown trap log file. Why are all SNMP traps being treated as unknown when snmptranslate can translate them?
>
> Thanks

___
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
snmptrapd TCP vs UDP for hostname
Hey All,

Wondering if you can shed some light on an odd issue I am having. When sending UDP traps I am able to receive and translate the host name of the sender, which I can translate and process in our Nagios setup without any issues. However, when using a TCP-sent trap, which is exactly the same in terms of payload, the host name either isn't received, or is not passed to snmptrapd? I am not sure. This is posing a problem for processing the trap as the host name is missing. I am aware we can do some extra processing to resolve the IP to a host name in a post-processing fashion and pass it over to the trap processor, but if the host name was received this would save extra steps.

Can anyone shed some light on the below? If you need more details please let me know.

client:
    snmpinform -v 2c -c public nagios-mgmt '' enterprises..6

server:
    trap: drpmbuilderu01 UDP: [10.131.223.50]:46212-[10.137.217.19] .1.3.6.1.2.1.1.3.0 = 11:21:22:50.09,

client:
    snmpinform -v 2c -c public tcp:nagios-mgmt '' enterprises..6

server:
    trap: TCP: [10.131.223.50]:40748 TCP: [10.131.223.50]:40748 .1.3.6.1.2.1.1.3.0 = 11:21:22:53.51, .

installed pkgs
    net-snmp-libs-5.5-49.el6_5.1.x86_64
    net-snmp-perl-5.5-49.el6_5.1.x86_64
    net-snmp-utils-5.5-49.el6_5.1.x86_64
    net-snmp-devel-5.5-49.el6_5.1.x86_64
    net-snmp-5.5-49.el6_5.1.x86_64

cat /etc/snmp/snmptrapd.conf
    authCommunity log,execute,net public
    traphandle default /usr/bin/trapproc.sh

cat /etc/sysconfig/snmptrapd
    OPTIONS="-t -c /etc/snmp/snmptrapd.conf -On -Lsd -p /var/run/snmptrapd.pid -m ALL udp:162 tcp:162"

Thanks,
Aly
Re: Thank you, Wietse
I just wanted to second that as well.

Thx

Sent from my BlackBerry device on the Rogers Wireless Network

-----Original Message-----
From: Venkat <mvenkat...@gmail.com>
Sender: owner-postfix-us...@postfix.org
Date: Sat, 11 Oct 2014 21:08:14
Cc: Postfix users <postfix-users@postfix.org>
Subject: Re: Thank you, Wietse

On Sat, Oct 11, 2014 at 7:12 PM, LuKreme <krem...@kreme.com> wrote:
> On 10 Oct 2014, at 18:49, Stephen Satchell <l...@satchell.net> wrote:
>> Sometimes we just need to say this.
>
> Probably every day, but then the list would get kinda spammy and boring. But yes, thanks.
>
> --
> Cecil is made of blood and unfinished leather

Every day and more. Wietse (and Viktor) are some of the nicest guys I have found in the tech community and I really appreciate their taking the time to answer directly a multitude of questions on this mailing list.

Thank you Wietse and Viktor and everyone who contributes to Postfix! It is awesome!
Re: [CentOS] SAMBA as AD DC
Yes, Samba4 is capable of working as an AD domain controller and more. See link.

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

Aly

On Sep 6, 2014 4:16 PM, Sergio Belkin <seb...@gmail.com> wrote:
> Hi folks,
>
> Is SAMBA on CentOS 7 able to work as an Active Directory Domain Controller? If it's not, what is the recommended way of doing it? Compiling from sources? Installing packages from SerNet?
>
> Thanks in advance!
>
> --
> Sergio Belkin http://www.sergiobelkin.com
> LPIC-2 Certified - http://www.lpi.org

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SAMBA as AD DC
It would appear the Samba4 DC isn't available for C7 just yet. As Fedora and RHEL are using the MIT Kerberos implementation as their Kerberos infrastructure of choice, the Samba Active Directory Domain Controller implementation is not available with MIT Kerberos at the moment.

Ref: http://community.spiceworks.com/topic/535153-centos-7-samba-domain-controller

HTH

Aly H

> Perhaps I didn't explain myself enough. I already know that Samba is capable of working as an AD domain controller and more. I'm asking about the official packages of CentOS, I mean from the official repos.
>
> Thanks in advance
>
> 2014-09-06 18:01 GMT-03:00 Aly Khimji <aly.khi...@gmail.com>:
>> Yes, Samba4 is capable of working as an AD domain controller and more. See link.
>>
>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>>
>> Aly
>>
>> On Sep 6, 2014 4:16 PM, Sergio Belkin <seb...@gmail.com> wrote:
>>> Hi folks,
>>>
>>> Is SAMBA on CentOS 7 able to work as an Active Directory Domain Controller? If it's not, what is the recommended way of doing it? Compiling from sources? Installing packages from SerNet?
>>>
>>> Thanks in advance!
>
> --
> Sergio Belkin http://www.sergiobelkin.com
> LPIC-2 Certified - http://www.lpi.org
Re: [CentOS] [CentOS-announce] CentOS Project joins forces with Red Hat
That is amazing news, I hope this proves to be a great relationship. Congratulations, looking forward to the future.

Aly

Sent from my BlackBerry device on the Rogers Wireless Network

-----Original Message-----
From: Karanbir Singh <kbsi...@centos.org>
Sender: centos-announce-boun...@centos.org
Date: Tue, 07 Jan 2014 21:09:27
To: CentOS Announcements List <centos-annou...@centos.org>
Reply-To: centos@centos.org
Subject: [CentOS-announce] CentOS Project joins forces with Red Hat

With great excitement I'd like to announce that we are joining the Red Hat family. The CentOS Project ( http://www.centos.org ) is joining forces with Red Hat, working as part of the Open Source and Standards team ( http://community.redhat.com/ ) to foster rapid innovation beyond the platform into the next generation of emerging technologies. Working alongside the Fedora and RHEL ecosystems, we hope to further expand on the community offerings by providing a platform that is easily consumed by other projects to promote their code while we maintain the established base.

We are also launching the new CentOS.org website ( http://www.centos.org ).

- The new initiative is going to be overseen by the new CentOS Governing Board. The initial Board comprises the existing CentOS Core team members:

  - Ralph Angenent
  - Tru Hyunh
  - Johnny Hughes JR
  - Jim Perrin
  - Karanbir Singh

  and also sees new members:

  - Fabian Arrotin, who comes to the board nominated from the community
  - Carl Trieloff, Karsten Wade, and Mike McLean join us, nominated by Red Hat.

  Please join me in welcoming the new members to the Board. The key operating points of the Board are going to be: Public, Open, and Inclusive.

  You can find more information about the governance model, the board, and the operating policies we are proposing at http://www.centos.org/about/governance/

  Furthermore, some of the existing CentOS Core members are moving to take up roles at Red Hat, as a part of their sponsorship of the CentOS Project, allowing these people to work on the Project as their primary job function. This includes Johnny Hughes Jr, Jim Perrin, Fabian Arrotin, and myself. We will be working with and operating out of the Red Hat Open Source and Standards team in the CTO's Office.

- Some of the things that are not changing:

  - The CentOS Linux platform isn't changing. The process and methods built up around the platform, however, are going to become more open, more inclusive and transparent.
  - The sponsor driven content network that has been central to the success of the CentOS efforts over the years stays intact.
  - The bugs, issues, and incident handling process stays as it has been, with more opportunities for community members to get involved at various stages of the process.
  - The Red Hat Enterprise Linux to CentOS firewall will also remain. Members and contributors to the CentOS efforts are still isolated from the RHEL Groups inside Red Hat, with the only interface being srpm / source path tracking, no sooner than is considered released. In summary: we retain an upstream.

  Feel free to reach out if you have specific concerns about how this change impacts your CentOS story. URLs mentioned at the bottom of this email should be a good starting point.

- Some of the key things that are changing:

  - Some of us now work for Red Hat, but not RHEL. This should not have any impact on our ability to do what we have done in the past; it should facilitate a more rapid pace of development and evolution for our work on the community platform.
  - Red Hat is offering to sponsor some of the buildsystem and initial content delivery resources - how we are able to consume these and when we are able to make use of this is to be decided.
  - Sources that we consume, in the platform, in the addons, or the parallel stacks such as Xen4CentOS will become easier to consume with a git.centos.org being set up, with the scripts and rpm metadata needed to create binaries being published there. The Board also aims to put together a plan to allow groups to come together within the CentOS ecosystem as a Special Interest Group (SIG) and build CentOS Variants on our resources, as officially endorsed. You can read about the proposal at http://www.centos.org/variants/
  - Because we are now able to work with the Red Hat legal teams, some of the constraints that resulted in efforts like CentOS-QA being behind closed doors now go away, and we hope to have the entire build, test, and delivery chain open to anyone who wishes to come and join the effort.

  The changes we make are going to be community inclusive, and promoted, proposed, formalised, and actioned in an open, community-centric manner on the centos-devel mailing list. And I highly encourage everyone to come along and participate.

- Contacting us works best via the established community mechanisms.

  - Real time chats via IRC (
Re: [CentOS-virt] Announcing a new HA KVM tutorial!
Thank you very much for this, looks like a good read. Will provide feedback :)

Aly

On Mon, Jan 6, 2014 at 11:11 AM, Digimer <li...@alteeve.ca> wrote:
> Almost exactly two years ago, I released the first tutorial for building an HA platform for KVM VMs. In that time, I have learned a lot, created some tools to simplify management and refined the design to handle corner-cases seen in the field.
>
> Today, the culmination of that learning is summed up in the 2nd Edition of that tutorial, now called AN!Cluster Tutorial 2.
>
> https://alteeve.ca/w/AN!Cluster_Tutorial_2
>
> These HA KVM platforms have been in production for over two years now in facilities all over the world; universities, municipal governments, corporate DCs, manufacturing facilities, etc. I've gotten wonderful feedback from users and all that real-world experience has been integrated into this new tutorial.
>
> As always, everything is 100% open source and free-as-in-beer!
>
> The major changes are:
>
> * SELinux and iptables are enabled and used.
> * Numerous slight changes made to the OS and cluster stack configuration to provide better corner-case fault handling.
> * Architecture refinements;
> ** Redundant PSUs, UPSes and fence methods emphasized.
> ** Monitoring multiple UPSes added via modified apcupsd
> ** Detailed monitoring of LSI-based RAID controllers and drives
> ** Discussion on hardware considerations for VM performance based on anticipated work loads
> * Naming convention changes to support the new AN!CDB dashboard[1]
> ** New alert system covered with fault and notable event alerting
> * Wider array of guest OSes are covered;
> ** Windows 7
> ** Windows 8
> ** Windows 2008 R2
> ** Windows 2012
> ** Solaris 11
> ** FreeBSD 9
> ** RHEL 6
> ** SLES 11
>
> Beyond that, the formatting of the tutorial itself has been slightly modified. I do think it is the easiest to follow tutorial I have yet been able to produce. I am very proud of this one! :D
>
> As always, feedback is very much appreciated. Everything from typos/grammar mistakes, functional problems or anything else is very valuable. I take all the feedback I get and use it to help make the tutorials better.
>
> Enjoy!
>
> Digimer, who can now start the next tutorial in earnest!
>
> 1. https://alteeve.ca/w/AN!CDB
>
> --
> Digimer
> Papers and Projects: https://alteeve.ca/w/
> What if the cure for cancer is trapped in the mind of a person without access to education?

___
CentOS-virt mailing list
CentOS-virt@centos.org
http://lists.centos.org/mailman/listinfo/centos-virt
Re: [CentOS] Thank You To The CentOS Team
Agreed. Thank you all very much for your efforts.

Aly

On Dec 1, 2013 10:06 PM, B.J. McClure <keepert...@bellsouth.net> wrote:
> On 12/01/2013 09:56 PM, Mark LaPierre wrote:
>> Hey all you dedicated folks out there who support the CentOS project. Thank you all for your dedicated effort and the great deal of work to get the 6.5 release up and running.
>>
>> Thank you all!
>
> +1
>
> B.J.
Re: [Freeipa-devel] [Freeipa-users] FreeIPA AD Trust improvements, Fedora 19 Test Day, July 25th
Wow.. These sound like some amazing additions and enhancements, great work! Keep up the good job guys!

Aly

On Jul 19, 2013 5:57 PM, Dmitri Pal <d...@redhat.com> wrote:
> Hello,
>
> The FreeIPA team is happy to welcome you to a Fedora Test Day that is being held on Thursday, July 25th. We would like to invite you to take part in testing of the upcoming FreeIPA 3.3 release containing 2 major improvements for easier deployment of the FreeIPA Active Directory Trust feature to existing environments:
>
> 1) Use POSIX attributes defined in Active Directory [1]
>
> With previous FreeIPA releases, users coming from Active Directory to FreeIPA managed machines were always assigned POSIX attributes (UID and GID) by algorithmic mapping. However, in some deployments, Active Directory users and groups already have defined custom POSIX attribute values (UID and GID), which may then be leveraged on Linux machines via other 3rd party Active Directory integration solutions. Administrators may choose to keep the values so as not to disrupt file ownerships. With FreeIPA 3.3, FreeIPA Active Directory Trust may be configured to use these attributes when an Active Directory user authenticates to Linux machines.
>
> 2) Expose POSIX data on legacy systems without recent SSSD
>
> Administrators may have a deployment of machines which cannot use the recent SSSD with Active Directory Trust support but would still like to be able to authenticate with Active Directory users to these machines. This may affect, for example, older Linux machines and UNIX machines. With FreeIPA 3.3, an Administrator may configure a compatibility LDAP tree which will contain identities of the Active Directory users for the legacy systems. These systems may then leverage standard LDAP authentication in this tree, allowing selected Active Directory users to authenticate.
>
> To read more about the Test Day and suggested tests, see the following link:
> https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients
>
> Thank you for your help and participation!
>
> The FreeIPA team
>
> [1] http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
> [2] http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts
>
> [IdM | IPA] FAQs: https://url.corp.redhat.com/idm-faq
> Identity Management SME Team on Docspace https://url.corp.redhat.com/sme-idm
> Search the archives: post-office.corp.redhat.com/mailman/listinfo/idm-tech

___
Freeipa-users mailing list
freeipa-us...@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-users] FreeIPA trusts with 2003 R2
So as others have mentioned, Windows obviously isn't my area of focus here either; however, we have this working with 2003r2, but I do notice odd behaviour with id returning odd results sometimes depending on what system I am logged in from, or initial logins failing the first time and working the second time. Would this be a result of 2003 trust vs 2008 trust?

Aly

On Wed, Jun 19, 2013 at 8:59 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 19 Jun 2013, Brian Lee wrote:
>> Has anyone successfully set up trusts between 2003 R2 and FreeIPA? I noticed the documentation mentions 2008 R2 as a prerequisite. Unfortunately our organization has not completed the migration to 2008 R2 yet. I know, we're a little behind the curve on that, but fortunately Windows servers aren't my responsibility ;-)
>>
>> If the Kerberos realms are separate between Active Directory and FreeIPA, why does the domain controller need to be Windows 2008 R2 for an external trust? From what I understand, there is no difference in an external trust in Windows NT4, Active Directory 2003, 2008 R2 or Windows 2012.
>
> Please note that the actual requirement is to have functional level 2008 or above, for cross-forest trusts. In our limited testing using functional level 2003 things did not work as expected. We didn't look deeper because functional level 2003 also lacks AES encryption, and making it work with weaker encryption for the TGT was to force downgrading encryption on the IPA side, aside from unclear issues with RPC calls.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] FreeIPA trusts with 2003 R2
Hey guys,

So at this point in time we haven't been having any issues, but I am not 100% sure if the odd issues we have been having have been related to the 2003 vs 2008 issue. When we joined our IPA server to the 2003r2 we got the following output:

[root@didmsvrua01 ~]# ipa trust-add --type=ad corpnonprd..com --admin Administrator --password
Active directory domain administrator's password:
--------------------------------------------------
Added Active Directory trust for realm CorpNonPrd..com
--------------------------------------------------
  Realm name: CorpNonPrd..com
  Domain NetBIOS name: CORPNONPRD
  Domain Security Identifier: S-1-5-21-417068303-3117552414-2168216644
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@didmsvrua01 ~]#

This looks slightly different than yours; does this look like a properly established trust? I don't seem to have any issues in regards to AES, and trust users can log into clients; however, there are issues where the first attempt takes a long time to login, to the point of timeout, and the second one works.

Aly

On Wed, Jun 19, 2013 at 12:47 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 19 Jun 2013, Dmitri Pal wrote:
>> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
>>> On Wed, 19 Jun 2013, Aly Khimji wrote:
>>>> So as others have mentioned, Windows obviously isn't my area of focus here either; however, we have this working with 2003r2, but I do notice odd behaviour with id returning odd results sometimes depending on what system I am logged in from, or initial logins failing the first time and working the second time. Would this be a result of 2003 trust vs 2008 trust?
>>>
>>> Ok, so I have tried another time and went through Windows Server 2003 R2 setup again. You need to select domain functional level Windows Server 2003 and after that raise forest functional level to Windows Server 2003. Only in this case it will work, though without AES encryption (only RC4 encryption is available).
>>>
>>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx for Windows specifics.
>>>
>>> In order to raise the forest functional level one needs to open the 'Active Directory Domains and Trusts' snap-in and right-click on the 'Active Directory Domains and Trusts' root in the left pane. Then select 'Raise forest functional level ...' and use Windows Server 2003 as the level to raise. After that you can try establishing the trust from the IPA side.
>>>
>>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior should be the same in RHEL 6.4):
>>>
>>> # ipa trust-add ad.domain --admin Administrator --password
>>> Active directory domain administrator's password:
>>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>>
>>> (went and raised forest functional level)
>>>
>>> # ipa trust-add ad.domain --admin Administrator --password
>>> Active directory domain administrator's password:
>>> ------------------------------------------------
>>> Added Active Directory trust for realm ad.domain
>>> ------------------------------------------------
>>>   Realm name: ad.domain
>>>   Domain NetBIOS name: ADP
>>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
>>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
>>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
>>>   Trust direction: Two-way trust
>>>   Trust type: Active Directory domain
>>>   Trust status: Established and verified
>>>
>>> Note that there will be all kinds of issues due to the AES encryption keys being missing -- you would not be able to use IPA credentials to obtain Kerberos tickets against Windows services, for example. This whole experiment is rather of limited value. But at least, log-in with PuTTY 0.62 works.
>>
>> Should we put this on the wiki as a how-to?
>
> Definitely. If nobody beats me through the night, adding it to http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it tomorrow.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] FreeIPA trusts with 2003 R2
Great. I basically just advised that if they want to make all the IdM bells and whistles work with AD and elevated access they need to move on from 2k3, as it's just not really being supported upstream. Thanks guys.

On Wed, Jun 19, 2013 at 3:24 PM, Ana Krivokapic <akriv...@redhat.com> wrote:
On 06/19/2013 06:47 PM, Alexander Bokovoy wrote:
On Wed, 19 Jun 2013, Dmitri Pal wrote:
On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
On Wed, 19 Jun 2013, Aly Khimji wrote:
So as others have mentioned, Windows obviously isn't my area of focus here either; however we have this working with 2003 R2, but I do notice odd behaviour with id returning odd results sometimes depending on what system I am logged in from, or initial logins failing the first time and working the second time. Would this be a result of a 2003 trust vs a 2008 trust?

Ok, so I have tried another time and went through Windows Server 2003 R2 setup again. You need to select domain functional level Windows Server 2003 and after that raise forest functional level to Windows Server 2003. Only in this case will it work, though without AES encryption (only RC4 encryption is available).

See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx for Windows specifics.

In order to raise the forest functional level one needs to open the 'Active Directory Domains and Trusts' snap-in and right-click on the 'Active Directory Domains and Trusts' root in the left pane. Then select 'Raise forest functional level ...' and use Windows Server 2003 as the level to raise to. After that you can try establishing the trust from the IPA side.

Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior should be the same in RHEL 6.4):

# ipa trust-add ad.domain --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: invalid 'AD domain controller': unsupported functional level

(went and raised forest functional level)

# ipa trust-add ad.domain --admin Administrator --password
Active directory domain administrator's password:
--
Added Active Directory trust for realm ad.domain
--
Realm name: ad.domain
Domain NetBIOS name: ADP
Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified

Note that there will be all kinds of issues due to AES encryption keys being missing; you would not be able to use IPA credentials to obtain Kerberos tickets against Windows services, for example. This whole experiment is rather of limited value.

But at least login with PuTTY 0.62 works.

Should we put this on the wiki as a how-to?

Definitely. If nobody beats me to it through the night, adding it to http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it tomorrow.

The wiki page has been updated with this information.
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2

--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
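The thread above establishes that a trust to a Windows Server 2003 R2 forest only works with RC4, and Alexander points out that the missing AES keys break ticket acquisition against Windows services. A practitioner will want to see which tickets in a user's cache actually came back with weak enctypes. The following is an added example, not code from the thread or from the FreeIPA project: it parses `klist -e` output and flags tickets whose session key or ticket key is RC4 or DES. The ticket cache text, the principal and service names, and the list of weak enctype prefixes are constructed assumptions.

```python
import re

# Constructed sample of `klist -e` output (not captured from the thread) for an
# IPA user who crossed the trust into a 2003 R2 forest: the IPA TGT has AES keys,
# the cross-realm TGT and the Windows service ticket only have RC4.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:59401108:krb_ccache_x
Default principal: akhimji@NIX.CORPNONPRD..COM

Valid starting       Expires              Service principal
06/19/2013 12:00:01  06/20/2013 12:00:01  krbtgt/NIX.CORPNONPRD..COM@NIX.CORPNONPRD..COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/2013 12:00:03  06/20/2013 12:00:01  krbtgt/CORPNONPRD..COM@NIX.CORPNONPRD..COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/2013 12:00:05  06/20/2013 12:00:01  cifs/fs01.corpnonprd..com@CORPNONPRD..COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

TICKET_RE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+(?P<service>\S+)$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\): (?P<skey>[\w-]+), (?P<tkt>[\w-]+)$")

# Enctype families to flag (assumption): RC4 ("arcfour-*"), single DES and des3.
WEAK_PREFIXES = ("arcfour", "des-", "des3")


def parse_klist(text):
    """Return one dict per ticket: service principal plus session/ticket enctypes."""
    tickets, current = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = {"service": m.group("service"), "skey": None, "tkt": None}
            tickets.append(current)
            continue
        m = ETYPE_RE.match(line)
        if m and current is not None:
            current["skey"], current["tkt"] = m.group("skey"), m.group("tkt")
    return tickets


def is_weak(enctype):
    return enctype is not None and enctype.startswith(WEAK_PREFIXES)


def weak_tickets(tickets):
    """Service principals whose session key or ticket key uses a weak enctype."""
    return [t["service"] for t in tickets if is_weak(t["skey"]) or is_weak(t["tkt"])]


def realms_with_weak_keys(tickets):
    """Realms behind the weak tickets. For a cross-realm TGT the realm that
    matters is the trusted one named in the principal (krbtgt/TRUSTED@LOCAL)."""
    realms = set()
    for t in tickets:
        if not (is_weak(t["skey"]) or is_weak(t["tkt"])):
            continue
        name, _, realm = t["service"].rpartition("@")
        if name.startswith("krbtgt/"):
            realm = name[len("krbtgt/"):]
        realms.add(realm)
    return sorted(realms)


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    for svc in weak_tickets(parsed):
        print("weak enctype:", svc)
    print("realms issuing weak keys:", realms_with_weak_keys(parsed))
```

Run it against real output with `klist -e > cache.txt` after logging in as a trust user; a 2003 R2 trust shows up exactly as in the sample, with every ticket touching that realm on RC4 while the IPA realm's own tickets stay on AES.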
Re: [Freeipa-users] IPA different ID results on different nodes
[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): ruser:
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): rhost: 10.210.240.246
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): authtok size: 0
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): priv: 0
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): cli_pid: 10650
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd..com]
(Tue Jun 4 09:36:23 2013) [sssd[be[nix.corpnonprd..com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=162200012]
(Tue Jun 4 09:36:23 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_nested_get_user_send] (0x0080): Couldn't parse out user information based on DN (null), falling back to an LDAP lookup
(Tue Jun 4 09:36:23 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_save_grpmem] (0x0040): Failed to save user mirra-supapp-admin-nix-cde
(Tue Jun 4 09:36:23 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_save_groups] (0x0040): Failed to store group 0 members.
(Tue Jun 4 09:36:23 2013) [sssd[be[nix.corpnonprd..com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

Aly

On Tue, Jun 4, 2013 at 3:56 AM, Sumit Bose <sb...@redhat.com> wrote:
On Mon, Jun 03, 2013 at 09:22:21PM -0400, Aly Khimji wrote:
Hey guys,

Just wanted to say thank you for all your support with everything and answering all my questions. Just wanted to show you something; maybe you can shed some light.

Below is myself running the id command on 2 different nodes: (1) the IdM server and the other the IdM client. I get two different results for my user ID, the client being correct and the server not having the correct groups displaying with the id, and even having one that has been deleted. Is there someplace this information is cached? Or can I set an invalidator so that the information is pulled down or is forced to expire quicker so it's checked from AD?

CLIENT:
-sh-4.1$ hostname
rhidmclient.nix.corpnonprd..com
-sh-4.1$ id
uid=59401108(akhi...@corpnonprd..com) gid=59401108(akhi...@corpnonprd..com) groups=59401108(akhi...@corpnonprd..com),59400512(domain adm...@corpnonprd..com),59400513(domain us...@corpnonprd..com),59401123(mirra-supapp-admin-corp-...@corpnonprd..com),162200012(mirra-supapp-admin-nix-cde) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

SERVER:
didmsvrua01.nix.corpnonprd..com
[root@didmsvrua01 ~]# id akhimji@corpnonprd
uid=59401108(akhi...@corpnonprd..com) gid=59401108(akhi...@corpnonprd..com) groups=59401108(akhi...@corpnonprd..com),59400513,59400513,59401113(s...@corpnonprd..com)

Just a note: this group [59401113(s...@corpnonprd..com)] was deleted on AD, and correctly doesn't show up on the client, but remains on the server.

Group memberships are cached for some time by SSSD, so I would guess you see cached data on the server. But during authentication the group memberships of a user are updated. Can you check if s...@corpnonprd..com goes away if you log in with akhimji@corpnonprd on the server?

bye,
Sumit

Please let me know if you need more info (eg logs, etc..)

Thx
Aly
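Sumit's reply says the server is most likely showing SSSD's cached group memberships. As an added example that is not part of the thread, here is a small parser that takes the `id` output from two nodes and reports which groups the second node is missing, which groups it still holds that the first node no longer sees, and which GIDs it cannot resolve to a name at all (the bare `59400513,59400513` in the server output above is that last case). The two `id` strings are constructed to match the shapes posted, with the redacted group names filled in as assumptions.

```python
import re

# Constructed `id` outputs modelled on the two nodes in the thread; the group
# names the archive redacted are filled in as assumptions, not copied.
CLIENT_ID = ("uid=59401108(akhimji@corpnonprd..com) gid=59401108(akhimji@corpnonprd..com) "
             "groups=59401108(akhimji@corpnonprd..com),59400512(domain admins@corpnonprd..com),"
             "59400513(domain users@corpnonprd..com),"
             "59401123(mirra-supapp-admin-corp-cde@corpnonprd..com),"
             "162200012(mirra-supapp-admin-nix-cde) "
             "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
SERVER_ID = ("uid=59401108(akhimji@corpnonprd..com) gid=59401108(akhimji@corpnonprd..com) "
             "groups=59401108(akhimji@corpnonprd..com),59400513,59400513,"
             "59401113(sec@corpnonprd..com)")

# One `id` entry: a number, optionally followed by "(name)"; names may contain spaces.
ENTRY_RE = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_id(output):
    """Split `id` output into uid, gid and the group list as (gid, name|None) pairs."""
    fields = {}
    for key in ("uid", "gid", "groups"):
        m = re.search(r"(?:^|\s)%s=(.*?)(?=\s\w+=|$)" % key, output)
        fields[key] = m.group(1) if m else ""
    uid_num, uid_name = ENTRY_RE.match(fields["uid"]).groups()
    gid_num, gid_name = ENTRY_RE.match(fields["gid"]).groups()
    groups = [(int(g), name or None) for g, name in ENTRY_RE.findall(fields["groups"])]
    return {"uid": (int(uid_num), uid_name or None),
            "gid": (int(gid_num), gid_name or None),
            "groups": groups}


def compare_nodes(reference, suspect):
    """Compare the group view of two nodes; `reference` is the node believed fresh."""
    ref, sus = parse_id(reference), parse_id(suspect)
    if ref["uid"][0] != sus["uid"][0]:
        raise ValueError("outputs are for different uids")
    ref_gids = {g for g, _ in ref["groups"]}
    sus_list = [g for g, _ in sus["groups"]]
    sus_gids = set(sus_list)
    return {
        "missing": sorted(ref_gids - sus_gids),        # groups the suspect node does not see
        "stale": sorted(sus_gids - ref_gids),          # groups only the suspect still holds
        "unresolved": sorted({g for g, n in sus["groups"] if n is None}),  # GID without a name
        "duplicated": sorted({g for g in sus_list if sus_list.count(g) > 1}),
    }


def looks_cached(result):
    """Stale or unresolved entries on one node are the signature of a stale SSSD cache."""
    return bool(result["stale"] or result["unresolved"])


if __name__ == "__main__":
    diff = compare_nodes(CLIENT_ID, SERVER_ID)
    for k, v in diff.items():
        print("%-11s %s" % (k + ":", v))
    print("cache suspected:", looks_cached(diff))
```

Paste the two real `id` lines in place of the constants. If the stale node is an IPA server or client running SSSD, `sss_cache -u <user>` invalidates that user's cached entry so the next lookup refetches it; that is a standard SSSD tool rather than something the thread mentions, and Sumit's point stands that a fresh authentication also refreshes the memberships.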
[Freeipa-users] Logging Failed User logins for Trust Users
Quick question, guys: can you advise if there is a particular place (or places) where successful and failed user authentications are logged? I know for local users I can go through the 389 access logs, but for trust-based users can you advise where I would look? I know I see a proper ticket issued in the krb5kdc logs, but mainly for failed logins.

Thx
Aly
[Freeipa-users] IPA different ID results on different nodes
Hey guys,

Just wanted to say thank you for all your support with everything and answering all my questions. Just wanted to show you something; maybe you can shed some light.

Below is myself running the id command on 2 different nodes: (1) the IdM server and the other the IdM client. I get two different results for my user ID, the client being correct and the server not having the correct groups displaying with the id, and even having one that has been deleted. Is there someplace this information is cached? Or can I set an invalidator so that the information is pulled down or is forced to expire quicker so it's checked from AD?

CLIENT:
-sh-4.1$ hostname
rhidmclient.nix.corpnonprd..com
-sh-4.1$ id
uid=59401108(akhi...@corpnonprd..com) gid=59401108(akhi...@corpnonprd..com) groups=59401108(akhi...@corpnonprd..com),59400512(domain adm...@corpnonprd..com),59400513(domain us...@corpnonprd..com),59401123(mirra-supapp-admin-corp-...@corpnonprd..com),162200012(mirra-supapp-admin-nix-cde) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

SERVER:
didmsvrua01.nix.corpnonprd..com
[root@didmsvrua01 ~]# id akhimji@corpnonprd
uid=59401108(akhi...@corpnonprd..com) gid=59401108(akhi...@corpnonprd..com) groups=59401108(akhi...@corpnonprd..com),59400513,59400513,59401113(s...@corpnonprd..com)

Just a note: this group [59401113(s...@corpnonprd..com)] was deleted on AD, and correctly doesn't show up on the client, but remains on the server.

Please let me know if you need more info (eg logs, etc..)

Thx
Aly
Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
Hey Pavel/guys,

Any luck recreating the problem?

Thx for the help
Aly

Thanks Pavel, very much appreciated.

Aly

On Tue, Apr 30, 2013 at 1:41 PM, Pavel Brezina <pbrez...@redhat.com> wrote:
----- Original Message -----
From: Pavel Březina <pbrez...@redhat.com>
To: Aly Khimji <aly.khi...@gmail.com>
Cc: freeipa-users@redhat.com
Sent: Monday, April 29, 2013 9:11:25 PM
Subject: Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO

On 04/29/2013 08:31 PM, Aly Khimji wrote:
Hey Pavel/Guys,

Do you see anything in the new logs that might help? I saw this bug https://bugzilla.redhat.com/show_bug.cgi?id=871160 that reports this issue exactly. However it's reported as fixed but I am still having the same issue. I am building out a new test environment and I am also deploying an FC18 client which seems to have newer sssd/libsss_sudo packages that I suppose haven't made it upstream yet.

Currently installed on my client:
libsss_sudo-1.9.2-82.7.el6_4.x86_64
sssd-client-1.9.2-82.7.el6_4.x86_64
libsss_idmap-1.9.2-82.7.el6_4.x86_64
libsss_autofs-1.9.2-82.el6.x86_64
sssd-1.9.2-82.7.el6_4.x86_64

I've increased the logging to 10, just in case it helps. Here is the sss_sudo log for a login, then a sudo attempt.

Thx
Aly

Hi,
I'm sorry for such a late answer. The log says that at the time of using sudo, the user akhimji is not present in the cache, which should not happen if you managed to log in. I will try to reproduce the issue first thing tomorrow and let you know.

Hi,
I'm sorry, I had some technical difficulties and didn't manage to get to it today. Will try it as soon as possible.
[Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
Hey All,

Hoping you can help out. I have provided all details below. I have broken up diagnostics into sudo-ldap for AD/IPA users and sudo-sss for AD/IPA users.

Quick background. Have a 2003 domain, with an IPA trust established and working. AD users as well as local IPA users are able to log in to clients; HBAC with both types of users works as expected. Problem is with SUDO. sudo uid has been configured, and I have followed the Red Hat IdM setup docs for v3.

AD users have been nested as required:
AD users - AD Grp - IPA Ext Grp - IPA Posix Grp -- HBAC/SUDO applied to this group
IPA User - Same HBAC/SUDO as above

When using sudo-ldap on the client side neither local IPA users nor AD users are able to use sudo (see below); when using sudo through sssd only the local IPA user is able to fetch the correct sudo rules.

atest = local IPA user
btest = AD trust user

All platforms are RHEL 6.4, fully updated, 64-bit.

Server Pkgs
libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.4.el6_4.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libsss_idmap-1.9.2-82.4.el6_4.x86_64
sssd-1.9.2-82.4.el6_4.x86_64
libsss_autofs-1.9.2-82.4.el6_4.x86_64
sssd-client-1.9.2-82.4.el6_4.x86_64
sudo-1.8.6p3-7.el6.x86_64

Client Pkgs
ipa-python-3.0.0-25.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-82.el6.x86_64
ipa-client-3.0.0-25.el6.x86_64
libipa_hbac-1.9.2-82.el6.x86_64
sssd-1.9.2-82.el6.x86_64
libsss_sudo-1.9.2-82.el6.x86_64
sssd-client-1.9.2-82.el6.x86_64
libsss_autofs-1.9.2-82.el6.x86_64
libsss_idmap-1.9.2-82.el6.x86_64
sudo-1.8.6p3-7.el6.x86_6

Diag when using SUDO-SSS

LOCAL IDM USER
-sh-4.1$ sudo -l
Matching Defaults entries for atest on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep=COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS, env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE, env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES, env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE, env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY, secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User atest may run the following commands on this host:
    (root : wheel) /usr/bin/less
-sh-4.1$

AD TRUST USER
-sh-4.1$ sudo -l
[sudo] password for bt...@corpnonprd..com:
User bt...@corpnonprd..com is not allowed to run sudo on rhidmclient.
-sh-4.1$

[root@rhidmclient ~]# cat /etc/nsswitch.conf
sudoers: files sss

/etc/sssd/sssd.conf (CLIENT)
[domain/nix.corpnonprd..com]
debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.corpnonprd..com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhidmclient.nix.corpnonprd..com
chpass_provider = ipa
ipa_server = _srv_, didmsvrua01.nix.corpnonprd..com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://didmsvrua01.nix.corpnonprd..com
ldap_sudo_search_base = ou=sudoers,dc=nix,dc=corpnonprd,dc=,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhidmclient.nix.corpnonprd..com
ldap_sasl_realm = NIX.CORPNONPRD..COM
krb5_server = didmsvrua01.nix.corpnonprd..com
subdomains_provider = ipa
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ssh, sudo, pac
[sudo]

/etc/krb5.conf (CLIENT)
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = NIX.CORPNONPRD..COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
NIX.CORPNONPRD..COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@CORPNONPRD..COM$)s/@CORPNONPRD..COM/@corpnonprd..com/
auth_to_local = DEFAULT
}
[domain_realm]
.nix.corpnonprd..com = NIX.CORPNONPRD..COM
nix.corpnonprd..com = NIX.CORPNONPRD..COM

/var/log/sssd output (CLIENT) when triggering $ sudo -l

LOCAL IDM USER
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd..com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=atest]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_initgr_nested_search] (0x0040): Search for group cn=ipausers,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=,dc=com, returned 0 results. Skipping
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=,dc=com, returned 0 results. Skipping
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_initgr_nested_search] (0x0040): Search for
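Both this thread and the earlier "different ID results" thread work from raw SSSD backend logs, where the actual failures sit between config-level (0x0100) chatter. The following added example, which is not code from the thread or from the SSSD project, parses lines in that format, maps the debug level bit to its name from sssd.conf(5), keeps only the fatal/critical/serious/minor failures, and counts them per function so the failing lookup stands out. The sample lines are constructed to mirror the ones posted in both threads; the sudo responder line, including its function name, is an assumption.

```python
import re

# Line shape: "(timestamp) [sssd[process]] [function] (0xLEVEL): message".
# The process field can itself carry brackets, e.g. "be[nix.corpnonprd..com]".
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>.+?)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$")

# debug_level bits as documented in sssd.conf(5).
LEVELS = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "function data", 0x0400: "trace",
    0x1000: "internal trace", 0x2000: "variables", 0x4000: "low-level trace",
}
FAILURE_MASK = 0x0010 | 0x0020 | 0x0040 | 0x0080

# Constructed sample modelled on the lines posted in the two threads.
SAMPLE_LOG = """\
(Tue Jun  4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd..com]
(Tue Jun  4 09:36:23 2013) [sssd[be[nix.corpnonprd..com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=162200012]
(Tue Jun  4 09:36:23 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_nested_get_user_send] (0x0080): Couldn't parse out user information based on DN (null), falling back to an LDAP lookup
(Tue Jun  4 09:36:23 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_save_grpmem] (0x0040): Failed to save user mirra-supapp-admin-nix-cde
(Tue Jun  4 09:36:23 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_save_groups] (0x0040): Failed to store group 0 members.
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_initgr_nested_search] (0x0040): Search for group cn=ipausers,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=,dc=com, returned 0 results. Skipping
(Wed Apr 24 10:56:31 2013) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [atest]
garbage line that does not match
"""


def parse_line(line):
    """Parse one SSSD debug line into a dict, or None if it is not in that format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    level = int(m.group("level"), 16)
    return {"ts": m.group("ts"), "proc": m.group("proc"), "func": m.group("func"),
            "level": level, "label": LEVELS.get(level, "unknown"), "msg": m.group("msg")}


def triage(text):
    """Return (failures, unparsed_count); failures are sorted most severe first."""
    failures, unparsed = [], 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            unparsed += 1
        elif entry["level"] & FAILURE_MASK:
            failures.append(entry)
    failures.sort(key=lambda e: e["level"])
    return failures, unparsed


def failures_by_function(text):
    """Histogram of failing functions: the quickest way to see where a lookup breaks."""
    counts = {}
    for entry in triage(text)[0]:
        counts[entry["func"]] = counts.get(entry["func"], 0) + 1
    return counts


if __name__ == "__main__":
    failures, unparsed = triage(SAMPLE_LOG)
    for e in failures:
        print("%s %-8s %-28s %s" % (e["ts"], e["label"], e["func"], e["msg"]))
    print("unparsed lines:", unparsed)
    print(failures_by_function(SAMPLE_LOG))
```

Feed it `/var/log/sssd/sssd_<domain>.log` at debug_level 5 or higher; the `sdap_save_grpmem` and `sdap_initgr_nested_search` failures from the two threads are exactly the kind of entries this surfaces while the PAM data dump lines are dropped.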
Re: [Samba] Group access control under LDAP.
Take a look at PAM. You can use PAM modules to restrict access based off groups, even those supplied via LDAP, local, etc. I am not near a PC but I'll get you the syntax soon.

Aly

--Original Message--
From: Daniel Lopes de Carvalho
Sender: samba-boun...@lists.samba.org
To: Daniel Carvalho
Subject: [Samba] Group access control under LDAP.
Sent: Sep 20, 2011 2:51 PM

Hi.

I would like to know if there is a way to restrict access to a computer under LDAP. In the SambaSamAccount I have a SambaUserWorkstation that allows me to set the workstation a user could log on to. I'm looking for something like this, but under the computer account: I would like to set a list of user groups that are allowed to log on to this computer.

Thanks
Daniel

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Sent from my BlackBerry device on the Rogers Wireless Network
Re: [Samba] Group access control under LDAP.
Hmm, I have never tried that but I'm sure it's possible. Are you using Samba and OpenLDAP?

Aly

--Original Message--
From: Daniel Lopes de Carvalho
Sender: samba-boun...@lists.samba.org
To: Daniel Carvalho
Subject: [Samba] Group access control under LDAP.
Sent: Sep 20, 2011 2:51 PM

Hi.

I would like to know if there is a way to restrict access to a computer under LDAP. In the SambaSamAccount I have a SambaUserWorkstation that allows me to set the workstation a user could log on to. I'm looking for something like this, but under the computer account: I would like to set a list of user groups that are allowed to log on to this computer.

Thanks
Daniel
Re: [Samba] Group access control under LDAP.
I have never done this before myself, but I am wondering if there is a group policy that can prevent/allow logon to that machine for members of a certain group? This way you would just add/remove users to this group to allow/prevent access?

Aly

On Wed, Sep 21, 2011 at 10:01 AM, Daniel Lopes de Carvalho <dlcarva...@gmail.com> wrote:
Yes. I'm using Samba 3.5.6 and OpenLDAP backend with MIT Kerberos. This Samba is my PDC and I have some Windows boxes joined to my domain.

Daniel

On Wed, Sep 21, 2011 at 10:57 AM, <aly.khi...@gmail.com> wrote:
Hmm, I have never tried that but I'm sure it's possible. Are you using Samba and OpenLDAP?

Aly

--Original Message--
From: Daniel Lopes de Carvalho
Sender: samba-boun...@lists.samba.org
To: Daniel Carvalho
Subject: [Samba] Group access control under LDAP.
Sent: Sep 20, 2011 2:51 PM

Hi.

I would like to know if there is a way to restrict access to a computer under LDAP. In the SambaSamAccount I have a SambaUserWorkstation that allows me to set the workstation a user could log on to. I'm looking for something like this, but under the computer account: I would like to set a list of user groups that are allowed to log on to this computer.

Thanks
Daniel
Re: [Samba] Group access control under LDAP.
I am not sure if you are using XP, Vista, 7, etc., but I found this link to prevent access based off groups + group policy:
http://mintywhite.com/windows-7/7maintenance/prevent-users-logging-domain-workstations/

Hope it points you in the right direction.

Aly

On Wed, Sep 21, 2011 at 10:01 AM, Daniel Lopes de Carvalho <dlcarva...@gmail.com> wrote:
Yes. I'm using Samba 3.5.6 and OpenLDAP backend with MIT Kerberos. This Samba is my PDC and I have some Windows boxes joined to my domain.

Daniel

On Wed, Sep 21, 2011 at 10:57 AM, <aly.khi...@gmail.com> wrote:
Hmm, I have never tried that but I'm sure it's possible. Are you using Samba and OpenLDAP?

Aly

--Original Message--
From: Daniel Lopes de Carvalho
Sender: samba-boun...@lists.samba.org
To: Daniel Carvalho
Subject: [Samba] Group access control under LDAP.
Sent: Sep 20, 2011 2:51 PM

Hi.

I would like to know if there is a way to restrict access to a computer under LDAP. In the SambaSamAccount I have a SambaUserWorkstation that allows me to set the workstation a user could log on to. I'm looking for something like this, but under the computer account: I would like to set a list of user groups that are allowed to log on to this computer.

Thanks
Daniel
Re: How to integrate Postfix with MySql ?
Hiam,

Google "Postfix+MySQL integration", "postfix+mysql+virtual domains", etc. There are many howtos available on the topic. Also check out the documentation on the Postfix website. This topic has been heavily documented by a lot of people doing many different integrations using Postfix and MySQL.

AK
Re: Large ISP which use Postfix
I am almost 100% sure, from bounce-backs and certain errors I have seen in the past, that RIM (here in Canada), the folks that run the BlackBerry network, use Postfix.

AK
Re: constant relay access denied on VPS
This might seem obvious, but do you have your actual domain in mydestination in your main.cf file?

AK
Re: constant relay access denied on VPS
Jeffrey,

Does the user dukey actually exist in your recipient table? As you are using a VPS with Plesk, it looks like the mailboxes are probably made from the control panel in Plesk:

virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox

Check in your control panel. BTW, this means now your mail server is accepting mail for your domain, but it's being rejected because that user dukey isn't found.

AK
Re: [CentOS] [CentOS-announce] Release for CentOS-6.0 i386 and x86_64
Just wanted to extend a personal thanks to the CentOS team for their hard work and dedication on this release and on the CentOS distro itself. Thanks for this release and everything else you all have provided and continue to provide, despite all the distractions and whatnot.

Much appreciated
AK

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Centos 6 Server has no GUI
This might seem obvious, but have you checked to see if you have X or any GUI desktops installed?

AK
Re: [CentOS] Log monitoring
Same here. I just recently started using/testing rsyslogd (to MySQL; native MySQL support is great) + LogAnalyzer web front end for a central log host. So far it's been working quite well. Worth checking out.

Aly
Re: [CentOS] Rsyslog5 and CentOS
Not sure exactly what you need, but I came across this when setting up rsyslog to work with MySQL and had SELinux protecting services. This is what I used; you can see if it helps resolve your issue. Again, I don't know if this will work for you, but you can try it in a test environment and see if it helps:

# setenforce 0
# service rsyslog restart
# cat /var/log/audit/audit.log | grep rsyslogd | audit2allow -M myselinuxmod; semodule -i myselinuxmod.pp
# setenforce 1
# service rsyslog restart

That should get all audit-related errors, audit2allow a policy file and load up the file. Tweak it as you see fit.

HTH
Aly
Re: [CentOS] Rsyslog5 and CentOS
Agreed. I was doing this in a test environment, and did review the rules created. Hopefully that part was assumed ;) but if not, I agree it is wise to review the policy file it creates before the rules get snapped in.

Aly
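The follow-up above makes the real point: audit2allow grants exactly what was denied, so the rules need to be read before `semodule -i` loads them. As an added example that is not code from the thread or from the SELinux tooling, this parses AVC denials out of audit.log for one process name, collapses them into the allow rules an `audit2allow -M` run over the same lines would produce, and flags any rule that touches a target type or permission a log daemon has no business with. The audit lines and the sensitive-type and sensitive-permission lists are constructed assumptions.

```python
import re
import shlex

# Constructed audit.log excerpt (not from the thread): three rsyslogd denials,
# one unrelated httpd denial the filter must ignore, and a non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1307981534.123:45): avc:  denied  { name_connect } for  pid=1234 comm="rsyslogd" dest=3306 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1307981534.456:46): avc:  denied  { read } for  pid=1234 comm="rsyslogd" name="my.cnf" dev=dm-0 ino=1318 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1307981540.001:47): avc:  denied  { read } for  pid=1234 comm="rsyslogd" name="shadow" dev=dm-0 ino=2201 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1307981541.002:48): avc:  denied  { name_connect } for  pid=999 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1307981534.123:45): arch=c000003e syscall=42 success=no exit=-13 comm="rsyslogd"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$")

# Review heuristics (assumption, not from the thread): a syslog daemon should
# never end up with rules touching these types or permissions.
SENSITIVE_TYPES = {"shadow_t", "security_t", "kernel_t", "init_t"}
SENSITIVE_PERMS = {"execmem", "execstack", "execheap", "sys_admin", "setuid", "dac_override"}


def parse_avc(line):
    """Return the denied perms, comm, source/target types and class, or None."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in shlex.split(m.group("rest")):   # shlex strips the quotes on comm="..."
        if "=" in token:
            k, v = token.split("=", 1)
            fields[k] = v
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {"perms": m.group("perms").split(), "comm": fields.get("comm"),
            "stype": fields["scontext"].split(":")[2],   # user:role:TYPE:level
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"], "fields": fields}


def proposed_rules(text, comm):
    """Collapse the denials for one process into {(stype, ttype, tclass): [perms]}."""
    rules = {}
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["comm"] != comm:
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        rules.setdefault(key, set()).update(avc["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def render(rules):
    """TE-syntax allow rules equivalent to what audit2allow emits for these denials."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(rules.items())]


def review_flags(rules):
    """Rules that touch a sensitive type or permission and deserve a human look."""
    return [k for k, perms in rules.items()
            if k[1] in SENSITIVE_TYPES or SENSITIVE_PERMS & set(perms)]


if __name__ == "__main__":
    rules = proposed_rules(SAMPLE_AUDIT, "rsyslogd")
    for r in render(rules):
        print(r)
    for key in review_flags(rules):
        print("REVIEW: allow %s -> %s:%s looks wrong for a log daemon" % key)
```

Run it over the real `grep rsyslogd /var/log/audit/audit.log` output before the audit2allow step in the procedure above; the MySQL port and config denials are the ones rsyslog's database output legitimately needs, while a denial on `shadow_t` is the sort of rule that should never be silently packaged into the module.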
Re: [Samba] Fwd: getent group fails - fixed
Nice find! Good work.

Aly

-----Original Message-----
From: Dermot <paik...@googlemail.com>
Sender: samba-boun...@lists.samba.org
Date: Thu, 23 Jun 2011 13:00:55
To: samba@lists.samba.org
Subject: [Samba] Fwd: getent group fails - fixed

Found it. It turns out that the config file for libnss-ldap is /etc/libnss-ldap.conf on my distro (Debian). So NSS was ignoring the config that I had in /etc/ldap/ldap.conf and taking it from /etc/libnss-ldap.conf. The former had this:

nss_base_group ou=Groups,dc=example,dc=co,dc=uk?sub

and the latter this:

nss_base_group ou=group,dc=example,dc=co,dc=uk?one

Once I edited group to Groups, it started working.

Package: libnss-ldap
Priority: extra
Section: net
Installed-Size: 304
Maintainer: Richard A Nelson (Rick) ...
Architecture: amd64
Version: 261-2.1
Depends: libc6 (= 2.7-1), libcomerr2 (= 1.01), libkrb53 (= 1.6.dfsg.2), libldap-2.4-2 (= 2.4.7), libsasl2-2, debconf | debconf-2.0
Recommends: nscd, libpam-ldap
...

Hope that saves someone the (huge) amount of time it's taken me to figure out where this problem was.

Thanks,
Dermot.
Re: about postfix reload
Usually a reload is sufficient.

Aly

--Original Message--
From: Li, Jilong (MU-Student)
Sender: owner-postfix-us...@postfix.org
To: postfix-users@postfix.org
Subject: about postfix reload
Sent: Jun 21, 2011 12:48 PM

Hello,

After changing the file main.cf, do I need to run postfix reload? Or should I run /etc/rc.d/init.d/postfix restart?

Thank you very much!
Re: [CentOS] a hardware question
Indeed, I agree. We are a full IBM shop and after working with their gear for a very long time I also suggest the same; this will ensure you get everything you need and all the correct parts to get you back ASAP. It's just a safe bet with IBM.

Aly

--Original Message--
From: John R Pierce
Sender: centos-boun...@centos.org
To: centos@centos.org
ReplyTo: CentOS mailing list
Subject: Re: [CentOS] a hardware question
Sent: May 17, 2011 4:47 PM

On 05/17/11 12:49 PM, m.r...@5-cent.us wrote:
We need to replace several servers, quickly - four of our Dell PE 1950's died in one week. (!!!) So, we're looking around, and I was checking out IBM. I customized to what we want, and hit 'continue', and suddenly there's another $800 for a system common planar that's required. Googling only finds specs with it - does anyone know what it is? I mean, it's not like it's the motherboard, right?

Indeed, Planar is IBM-speak for a mainboard. IBM has a lot of their own unique terminology. For ages disk drives were called DASD (Direct Access Storage Devices).

Generally, on the IBM 'express' configurations, everything required is included in the base configuration. Sounds like you were off in their custom build land, which is mostly intended for bulk orders and everything is a la carte. I *highly* recommend working with an IBM VAR who will sort out the configurations for you.
Re: amavis / emails in queue?
You might want to up the verbose log level in amavisd.conf, and check your maillog to see what amavisd is having trouble with (example: connecting to SQL if you have it back-ended that way). I know the regular log level sometimes isn't enough. Might be a good place to start.

HTH
Aly

-----Original Message-----
From: Bailey, Damian S. <baile...@lcps.k12.va.us>
Sender: owner-postfix-us...@postfix.org
Date: Wed, 13 Apr 2011 12:05:26
To: postfix-users@postfix.org
Subject: amavis / emails in queue?

Hey all,

Troubling question. I made some changes to our SA tagging / blocking score this morning, then restarted amavis. I had emails piling up in queue just now, like so:

I did a sudo /etc/init.d/amavis restart

And by the time I could run sudo qshape -s, the queue came up clear.

Were these mails stuck in amavis, and were they now dropped? I'm not very familiar with amavis, so I'm unsure what logs to check. My mail.log showed (queue active) on all mail ... emails were eventually getting through, just severely delayed.

Thanks for any help.

Damian Bailey | baile...@lcps.k12.va.us
Lead Technician | LCPS Technology
540.894.4373x8220
Shipping Address: Louisa County Public Schools 953 Davis Hwy Mineral VA 23117
Re: [CentOS] Monitoring power consumption
Peter,

I have never done it directly off a server's PSU; however I am sure it can be done via SNMP or on a lower level via a management interface (iLO, B/RSA, etc.). However, I have done it from a good APC PDU that had SNMP monitoring for all kinds of power aspects.

Hope that helps.
Aly

--Original Message--
From: Peter Peltonen
Sender: centos-boun...@centos.org
To: CentOS mailing list
ReplyTo: CentOS mailing list
Subject: [CentOS] Monitoring power consumption
Sent: Apr 13, 2011 10:16 AM

Hi all,

I would like to monitor the power consumption of my server. What I am looking for is:

* a simple monitoring device that would measure the power consumption of 1 server
* a way to get the consumption reading from that device to my centos server (via usb / wlan / whatever works)

Any suggestions?

Best,
Peter
Re: [CentOS] Monitoring power consumption
Peter,

The ones I used were from APC and are under the product line of Metered Rack PDU; you can find them on the APC website. Here are a few product numbers from that line (APC7800, 801, 802). They all have web, SNMP (you can graph with MRTG or whatever), Telnet access, etc. They start at about 300 USD from what I've seen.

HTH
Aly

--Original Message--
From: Peter Peltonen
Sender: centos-boun...@centos.org
To: CentOS mailing list
ReplyTo: CentOS mailing list
Subject: Re: [CentOS] Monitoring power consumption
Sent: Apr 13, 2011 10:36 AM

Hi,

On Wed, Apr 13, 2011 at 5:26 PM, aly.khi...@gmail.com wrote:
> I have never done it directly off a server's PSU, however I am sure it can be done via SNMP or on a lower level via a management interface (iLO, B/RSA, etc.). However I have done it from a good APC PDU that had SNMP monitoring for all kinds of power aspects.

I am also looking for a way to measure other devices than computers and I want to collect this information to the centos server. But I guess it doesn't matter what kind of device I connect to the PDU, it still can measure its power consumption and report it somehow?

Can you recommend any cheap model? I was aware of these PDUs existing, but I haven't really considered them as they probably are quite expensive as they do also many other things (monitor the load of the server etc)...

Best,
Peter
Re: [CentOS] A round of applause!
Yes, well put, I second that! Thanks to all devs. As I said earlier on the release date, all your efforts are greatly appreciated.

Aly

--Original Message--
From: Chuck Munro
Sender: centos-boun...@centos.org
To: CentOS Mailing List
ReplyTo: CentOS mailing list
Subject: [CentOS] A round of applause!
Sent: Apr 10, 2011 12:39 PM

Hello All,

Just a short note to add my vote for a HUGE round of applause to the CentOS team for their untiring efforts in getting releases out the door. I've just upgraded several servers to 5.6 and it all just works.

None of the team's work is easy to accomplish, especially when less-than-useful complaints keep popping up from thoughtless users who don't appreciate the effort, and who waste the team's time trying to respond.

RedHat's move to defend their support business against the freeloading distro vendors (we all know who those sharks are!) wasn't aimed at CentOS, but it has significantly increased the workload the team faces. Let's be patient and let them get the job done.

Kudos to the CentOS team!

Chuck
Re: [Samba] rebuilt XP machine cannot see Samba server
What happens when, on the XP machine, you do Start -> Run -> \\sambaIP\ ? What error do you get?

Aly

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] rebuilt XP machine cannot see Samba server
Good work! That's why I was suggesting the IP in my reply ;)

Aly

--Original Message--
From: rodneytoady
Sender: samba-boun...@lists.samba.org
To: samba@lists.samba.org
Subject: Re: [Samba] rebuilt XP machine cannot see Samba server
Sent: Apr 8, 2011 9:03 PM

OK. Solution found. For some reason I had to add the linux box name to my laptop's host file. Now it works. However, I'm sure that's not mentioned in the samba connection instructions I've read, so it's probably to do with how I've configured my Windows network, not with Samba. Should I be using some kind of Windows LMHOSTS or something to allow it to find the samba server without editing my hosts file?
Re: [CentOS] [CentOS-announce] Release for CentOS-5.6 i386 and x86_64
Amazing!! Great work!! Thank you

Aly
Re: Reject the other user
Do a quick google on postfix virtual domains and virtual users + mysql. Tons of great how-tos and guides. It's quite simple once you see how it can be done in a guide or two and understand the concept. Check on howtoforge.com, they have excellent guides for virtual users/domains using mysql + courier or dovecot.

Aly

-Original Message-
From: Tolga to...@ozses.net
Sender: owner-postfix-us...@postfix.org
Date: Thu, 07 Apr 2011 00:53:45
To: postfix-users@postfix.org
Subject: Reject the other user

Hi,

I'm planning to stuff a few domains, and I am currently adding users/domains virtually (in a mysql table). What I want to do is, when I have a user bob and have two domains like example.com and example.net, accept e-mail for b...@example.com and reject for b...@example.net. How is this possible? Below is my postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = ozses.net
myhostname = vps.ozses.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_gid_maps = static:1001
virtual_mailbox_base = /srv/vmail
virtual_mailbox_domains = bilgisayarciniz.org kunduz.org
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1001

Regards,
Tolga
Re: [CentOS] sshd: Authentication Failures: 137 Time(s)
Hey, you should check out fail2ban as well. Excellent little app that analyses the log for the corresponding daemon using a regex (you can create custom ones too) and performs an action you choose, including iptables, hosts.deny, etc. You can easily adjust settings like 3 failed connections max per min, etc. Works well for sshd, postfix, httpd, etc. It also fires you an email when an attack is stopped. Simple and very effective. Definitely worth checking out.

Aly

-Original Message-
From: Marian Marinov m...@yuhu.biz
Sender: centos-boun...@centos.org
Date: Mon, 4 Apr 2011 18:00:23
To: CentOS mailing list centos@centos.org
Reply-To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] sshd: Authentication Failures: 137 Time(s)
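To make the mechanism described above concrete, here is an added example (my own code, not fail2ban's) of the same pattern: a regex in the spirit of fail2ban's sshd filter run over constructed sshd log lines, a maxretry/findtime sliding window per source address, and the resulting ban list. The regex, the sample log lines and the ban-command rendering are all assumptions of this example; the action step is only rendered as strings, never executed.

```python
"""Minimal fail2ban-style detector for sshd authentication failures (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed pattern (not fail2ban's own filter): capture the syslog timestamp and the
# source address of a failed password or an invalid-user attempt.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample of /var/log/secure: one noisy source, one slow source, one success.
SAMPLE_LOG = """\
Apr  4 17:58:01 host1 sshd[2301]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr  4 17:58:04 host1 sshd[2301]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr  4 17:58:09 host1 sshd[2305]: Invalid user admin from 203.0.113.7
Apr  4 17:58:10 host1 sshd[2306]: Accepted publickey for aly from 198.51.100.12 port 5100 ssh2
Apr  4 17:59:40 host1 sshd[2310]: Failed password for invalid user test from 198.51.100.12 port 5101 ssh2
Apr  4 18:03:00 host1 sshd[2315]: Failed password for invalid user test from 198.51.100.12 port 5102 ssh2
Apr  4 18:06:30 host1 sshd[2320]: Failed password for invalid user test from 198.51.100.12 port 5103 ssh2
""".splitlines()


def parse_ts(ts: str, year: int = 2011) -> datetime:
    """syslog timestamps carry no year; assume one so lines can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, maxretry=3, findtime=60):
    """Return {ip: time the threshold was hit} for every source with at least
    `maxretry` failures inside a sliding window of `findtime` seconds."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m or m.group("ip") in banned:
            continue  # not a failure line, or source already on the ban list
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than the window
        if len(window) >= maxretry:
            banned[ip] = when
    return banned


def ban_commands(banned):
    """Render the iptables action fail2ban-style setups apply; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} hit the threshold at {when:%H:%M:%S}")
    print("\n".join(ban_commands(hits)))
```

With the defaults only 203.0.113.7 is listed; widening findtime to 600 seconds also catches the slow source, which is the trade-off the two settings control.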
[Samba] Samba4 AD/LDAP question
Hi guys,

First time poster so I do apologize if this question has been asked before.

In a test set up we are trying to use samba4 to authenticate a small network with Linux, Win, and OSX clients. I have successfully deployed samba4 in domain controller mode, can attach windows machines to it, and manage the DC via windows tools. We can also join Linux servers to the domain, however my problem is as follows. When attempting to log into a Linux server, excluding local users, the only directory user that can log in is the Administrator. Any other directory user that attempts to log in gets a No Logon Servers, however if I move that same user into the Domain Admins group they can log in with no issues (yes as UID=0) as reported in /var/log/secure. Can someone please explain why this happens, and what step have I missed that would allow regular users to log in?

That being said, my second question is, is it possible to have the samba4 server in domain controller mode, but have Linux clients authenticate via ldap as opposed to winbind? For example, when configuring an authentication method, would it be possible to use LDAP instead of samba/winbind? I tried to configure LDAP (correct base, host, uri, etc.) but it doesn't seem to pull any info? eg id or getent doesn't work.

Any pointers are greatly appreciated. I am just testing out the capabilities of 4; I understand it's still in Alpha but hope you guys might have some experience with it.

Thanks
Aly
Re: [Samba] Samba4 AD/LDAP question
Hi John,

Thanks for the feedback. I continued to have issues, then I realized I was missing the library in question and after a quick google realized I had samba/samba-winbind installed from repo but it was an older version. Samba3x in the RHEL/Centos repo contained the proper library and authentication now works for all users. So thank you very much.

With Samba4 in domain controller mode, is winbind the only way for a Linux client to authenticate against it? Can regular LDAP authentication not be used? Base DN, URI, etc.? Please advise.

Thanks
Aly

On Sun, Apr 3, 2011 at 9:00 PM, Taylor, Jonn jo...@taylortelephone.com wrote:
> On 04/03/2011 07:24 PM, Aly Khimji wrote:
> > Hi guys, First time poster so I do apologize if this question has been asked before. In a test set up we are trying to use samba4 to authenticate a small network with Linux, Win, and OSX clients. I have successfully deployed samba4 in domain controller mode, can attach windows machines to it, manage the DC via windows tools. We can also join Linux servers to the domain, however my problem is as follows, When attempting to log into a Linux server, excluding local users, the only directory user that can log in is the Administrator. Any other directory user that attempts to log in gets a No Logon Servers, however if I move that same user into the Domain Admins group they can log in with no issues (yes as UID=0) as reported in /var/log/secure. Can someone please explain why this happens, and what step have I missed that would allow regular users to log in?
>
> In smb.conf set template shell = /bin/bash
>
> > That being said, my second question is, is it possible to have the samba4 server in domain controller mode, but have Linux clients authenticate via ldap as opposed to winbind?
>
> You have to use winbind or you will not get the right id mapping.
>
> [global]
> workgroup = EXAMPLE
> realm = EXAMPLE.COM
> security = ADS
> password server = 192.168.173.10
> log file = /var/log/samba/samba3.log
> ldap ssl = no
> idmap backend = idmap_rid:EXAMPLE=500-400
> idmap uid = 500-400
> idmap gid = 500-400
> template homedir = /home/%U
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind offline logon = Yes
>
> > For example, when configuring an authentication method, would it be possible to use LDAP instead of samba/winbind? I tried to configure LDAP (correct base, host, uri, etc.) but it doesn't seem to pull any info? eg id or getent doesn't work.
>
> In /etc/nsswitch.conf
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> and link 2 modules, these are for a 64 bit system, if yours is not just remove 64 from the links
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
> ln -s /usr/local/samba/lib/pam_winbind.so /lib64/security/pam_winbind.so
>
> > Any pointers are greatly appreciated, I am just testing out the capabilities of 4, I understand it's still in Alpha but hope you guys might have some experience with it. Thanks Aly
Re: [CentOS] Download the repo DAG of CentOS 5.5
I believe there is an rpm available from the DAG site that will install the .repo file and set up everything you need to access the repo.

Ak

--Original Message--
From: Fidel Dominguez-Valero
Sender: centos-boun...@centos.org
To: centos@centos.org
ReplyTo: CentOS mailing list
Subject: [CentOS] Download the repo DAG of CentOS 5.5
Sent: Apr 3, 2011 2:12 PM

hello

somebody might help to create a script to download the repo DAG of CentOS 5.5 to my PC. I already did with OS, Update, and Extras packages. I want to do with DAG repository. I tried but I don't know much about scripts.

Thanks
Fidel
Re: [CentOS] dns question
What do you mean by refresh rate of the dns server? Like TTL length of records? Or..?

Aly

--Original Message--
From: ann kok
Sender: centos-boun...@centos.org
To: centos@centos.org
ReplyTo: CentOS mailing list
Subject: [CentOS] dns question
Sent: Mar 22, 2011 9:13 AM

Hi all

How can I know the refresh rate of the dns server?

Thank you
Re: [CentOS] Dvd iso?
There is a dvd iso, just go through a few mirrors. Not all of them have it. Not sure if that's what you meant, but if so it does exist.

Aly

--Original Message--
From: mattias
Sender: centos-boun...@centos.org
To: centos@centos.org
ReplyTo: CentOS mailing list
Subject: [CentOS] Dvd iso?
Sent: Mar 19, 2011 5:10 PM

Exist none or only livecd?

mail m...@mjw.se
telefon 0104906298
Re: [CentOS] Dvd iso?
They are installer only, if I recall correctly.

Aly

--Original Message--
From: mattias
Sender: centos-boun...@centos.org
To: 'CentOS mailing list'
ReplyTo: CentOS mailing list
Subject: Re: [CentOS] Dvd iso?
Sent: Mar 19, 2011 5:22 PM

Yes I find it. Are the dvd only installer or live cd too? Hope installer only.

mail m...@mjw.se
telefon 0104906298

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of John R Pierce
Sent: Saturday, March 19, 2011 10:20 PM
To: centos@centos.org
Subject: Re: [CentOS] Dvd iso?

On 03/19/11 2:10 PM, mattias wrote:
> Exist none or only livecd?

many of the http/ftp mirrors don't carry them because they are so large, and files over 2gb can be problematic for downloads. the standard way of getting the dvd iso is via bittorrent. go here to find a mirror near you that has direct DVD download http://www.centos.org/modules/tinycontent/index.php?id=30
Re: [CentOS] Air Conditioning - ON!
I too am with the fellas on this. Thanks for all your time and hard work. It is greatly appreciated, more than words can say.

Aly

--Original Message--
From: Corey A Johnson
Sender: centos-boun...@centos.org
To: CentOS mailing list
ReplyTo: CentOS mailing list
Subject: Re: [CentOS] Air Conditioning - ON!
Sent: Feb 21, 2011 1:34 PM

John Hinton wrote:
> All, (and please do not turn this into the next long thread)
> snip

I am not a man of many words.. and I am usually very quiet on this list. But would just like to say that I appreciate all the CentOS team members immensely. I sincerely thank you all for the time you put in to what I consider the best free Linux distro available.

Sent on the TELUS Mobility network with BlackBerry
Re: [CentOS] funding
I think it's a great idea. It's our way of trying to contribute towards a common goal. Who knows, it could be a great way to assist in any way we can. I think it's a good thought, and I think we should point out, if you do help with hardware or whatever, then you still have no right to be bossy or be demanding as if you're working on the project.

Ak

-Original Message-
From: compdoc comp...@hotrodpc.com
Sender: centos-boun...@centos.org
Date: Mon, 21 Feb 2011 17:47:16
To: 'CentOS mailing list' centos@centos.org
Reply-To: CentOS mailing list centos@centos.org
Subject: [CentOS] funding

Maybe what Centos needs is a bridal registry. Here in the US, an engaged couple can tell their friends what they'd like to be given as wedding presents. They do this by listing items in a registry, in various stores around town.

Anyway, the idea is, post stuff you need in a list on your site. Say you need 20 hard drives, or a particular power supply, or whatever items that get consumed in day to day operations. Just list what's needed, who needs it, and whatever info. It doesn't have to be hardware either - just something everyone can agree is OK to list.

People visiting the site can look and decide if it's possible to contribute something - even if it's only one new hard drive of the type needed. Or maybe a canister of Columbia's finest coffee. (although I suppose consuming donated foods of any kind from unknown persons is a risk)

And should a contributing member have a hardware failure on his own personal workstation, why not ask the world for some charity in return for his/her efforts? Just list what you need, what it is to be used for, and see if we like you enough to give it to you. 'Contributing members' meaning those known to the community, verifiable, and who are putting in the hours, or whatever efforts.

And I'm thinking cash donations should be frowned upon because money can be so easily subverted to doing bad things in the world.
Re: [CentOS] System Log Error
Are you using a wireless keyboard??

AK

-Original Message-
From: sync jian...@gmail.com
Sender: centos-boun...@centos.org
Date: Tue, 22 Feb 2011 14:25:31
To: CentOS mailing list centos@centos.org
Reply-To: CentOS mailing list centos@centos.org
Subject: [CentOS] System Log Error
Re: [CentOS] System Log Error
Hmm, I usually get tons of that on my desktop linux machine that has a wireless keyboard, but if I use a ps2 keyboard I get none of it. I also notice it with keyboards with tons of extra functions (volume, audio functions, etc.). I believe it's something with special key mappings. Do you have another keyboard to test with?

AK

-Original Message-
From: sync jian...@gmail.com
Sender: centos-boun...@centos.org
Date: Tue, 22 Feb 2011 14:37:08
To: CentOS mailing list centos@centos.org
Reply-To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] System Log Error