[Freeipa-users] Re: [EXTERNAL] Re: Keys vs certificates

2019-08-27 Thread Patterson, David via FreeIPA-users
RHEL 7.7 
sssd 1.16.4

David Patterson
Sandia National Laboratories
Ground System Platforms, Infrastructures & Integration
Phone:(505) 284-3322
Pager: (505) 951-8112

-Original Message-
From: Sumit Bose via FreeIPA-users  
Sent: Tuesday, August 27, 2019 11:05 AM
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose 
Subject: [EXTERNAL] [Freeipa-users] Re: Keys vs certificates

On Tue, Aug 27, 2019 at 02:43:22PM +, Patterson, David via FreeIPA-users 
wrote:
> Hello,
> 
> I followed the instructions from this page 
> (https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html)
>  to create User Certificates.
> While testing I noticed that when I create a User Cert for an account, the 
> ssh keys stopped working for that same account.
> 
> I was hoping to have both SSH keys and User Certificates.
> 
> Is this a bug, a feature or is there some setting that I'm missing?

Hi,

which version of SSSD are you using? There was a bug in an older version of 
SSSD which might have the effect you are describing.

bye,
Sumit

> 
> Thanks!
> 
> David Patterson

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Samba 4.10 with ipasam

2019-08-27 Thread Alexander Bokovoy via FreeIPA-users
Please don't do that.

There are many patches required. They are in ipa-4-6 branch upstream.

But I'd recommend avoiding a mismatch between Samba and FreeIPA versions. Until 
FreeIPA 4.8.1, there are a few issues that prevent file server operations. And 
there's still an issue on the Samba side that I haven't fixed yet for domain member 
operation. Finally, only in a very recent Samba version did I fix a 12-year-old bug 
that prevented resolving users from the Windows side.

There are so many fragile points if you deviate from tried and tested 
packaged versions.

João Baúto via FreeIPA-users wrote:
> Hi all,
> 
> I'm setting up FreeIPA along with Samba and currently I'm running into an
> issue with the ipasam module where, if I use samba 4.9.X, everything works as
> expected, while after upgrading to 4.10.X samba fails to load ipasam. Since the
> ipasam.so comes from ipa-server-trust-ad, I'm linking it into the samba
> modules folder.
> 
>   - Error loading module '/usr/local/samba/lib/pdb/ipasam.so': /usr/local/samba/lib/pdb/ipasam.so: undefined symbol: DEBUGLEVEL_CLASS
> 
> Is there a way of compiling a compatible version of ipasam with samba
> 4.10.X?
> 
> I'm running CentOS 7.6.1810 with FreeIPA 4.6.4.
> 
> Thanks!
> JB

-- 
/ Alexander Bokovoy


[Freeipa-users] Re: Samba 4.10 with ipasam

2019-08-27 Thread Rob Crittenden via FreeIPA-users
João Baúto via FreeIPA-users wrote:
> Hi all,
> 
> I'm setting up FreeIPA along with Samba and currently I'm running into an
> issue with the ipasam module where, if I use samba 4.9.X, everything works
> as expected, while after upgrading to 4.10.X samba fails to load ipasam. Since
> the ipasam.so comes from ipa-server-trust-ad, I'm linking it into the
> samba modules folder.
> 
>   * Error loading module '/usr/local/samba/lib/pdb/ipasam.so': /usr/local/samba/lib/pdb/ipasam.so: undefined symbol: DEBUGLEVEL_CLASS
> 
> Is there a way of compiling a compatible version of ipasam with samba
> 4.10.X?
> 
> I'm running CentOS 7.6.1810 with FreeIPA 4.6.4. 

See https://pagure.io/freeipa/issue/7893

rob

> 
> Thanks!
> JB
> 
> 


[Freeipa-users] Re: Keys vs certificates

2019-08-27 Thread Sumit Bose via FreeIPA-users
On Tue, Aug 27, 2019 at 02:43:22PM +, Patterson, David via FreeIPA-users 
wrote:
> Hello,
> 
> I followed the instructions from this page 
> (https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html)
>  to create User Certificates.
> While testing I noticed that when I create a User Cert for an account, the 
> ssh keys stopped working for that same account.
> 
> I was hoping to have both SSH keys and User Certificates.
> 
> Is this a bug, a feature or is there some setting that I'm missing?

Hi,

which version of SSSD are you using? There was a bug in an older version
of SSSD which might have the effect you are describing.

bye,
Sumit

> 
> Thanks!
> 
> David Patterson



[Freeipa-users] Samba 4.10 with ipasam

2019-08-27 Thread João Baúto via FreeIPA-users
Hi all,

I'm setting up FreeIPA along with Samba and currently I'm running into an
issue with the ipasam module where, if I use samba 4.9.X, everything works as
expected, while after upgrading to 4.10.X samba fails to load ipasam. Since the
ipasam.so comes from ipa-server-trust-ad, I'm linking it into the samba
modules folder.

   - Error loading module '/usr/local/samba/lib/pdb/ipasam.so': /usr/local/samba/lib/pdb/ipasam.so: undefined symbol: DEBUGLEVEL_CLASS

Is there a way of compiling a compatible version of ipasam with samba
4.10.X?

I'm running CentOS 7.6.1810 with FreeIPA 4.6.4.

Thanks!
JB


[Freeipa-users] Keys vs certificates

2019-08-27 Thread Patterson, David via FreeIPA-users
Hello,

I followed the instructions from this page 
(https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html)
 to create User Certificates.
While testing I noticed that when I create a User Cert for an account, the ssh 
keys stopped working for that same account.

I was hoping to have both SSH keys and User Certificates.

Is this a bug, a feature or is there some setting that I'm missing?

Thanks!

David Patterson


[Freeipa-users] Re: CA Master Confusion

2019-08-27 Thread Florence Blanc-Renaud via FreeIPA-users

On 8/6/19 9:21 PM, Auerbach, Steven via FreeIPA-users wrote:

> As I work through understanding the current state of my CA mastering in this 
> realm I am getting results I do not understand from these ipa commands (on the 
> v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):
> 
> On the v4.6.4 replica (ipa<3>):
> $ sudo ipa config-show |grep 'CA renewal master'
> [sudo] password for :
> $
> $
> 
> On the v3.0.0 (ipa<1>):
> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 
> 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' 
> '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
> [sudo] password for :
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base ,dc=local> with scope subtree
> # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
> # requesting: dn
> #
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 1


Hi,
the ipaConfigString=caRenewalMaster attribute was introduced in FreeIPA 
4.0 (please see [1] Howto/Promote_CA_to_Renewal_and_CRL_Master), hence I 
am not surprised that the search does not return anything.
When the 3.0 server was installed, the attribute did not exist yet. When 
the 4.x replica was installed, the attribute was not added since the new 
replica wasn't the CA master.


As the attribute is not set at all, the ipa config-show command 
(internally using the same ldapsearch you did) is unable to find a CA 
master.


If you want to move the CA master role to ipa3, just follow the steps in 
[1], making sure to apply the steps for the corresponding IPA version.


Also please note that we do not recommend using versions 3.x and 4.x 
together over a long period of time. This is completely OK when you want 
to migrate but once you have ensured all the services are properly 
working, the 3.x master should be decommissioned. Please see [2].

HTH,
flo

[1] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
[2] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7





> Neither tells me anything.  Is it possible that the original installation never had a 
> CA master at all?  This seems odd considering that when I look for CA Master(s), the 
> v4.6.4 (ipa<3>) tells me:
> 
> $ sudo ipa server-role-find --role 'CA server'
> [sudo] password for :
> --
> 3 server roles matched
> --
>    Server name: ipa<2>.mydomain.local
>    Role name: CA server
>    Role status: absent
> 
>    Server name: ipa<1>.mydomain.local
>    Role name: CA server
>    Role status: enabled
> 
>    Server name: ipa<3>.mydomain.local
>    Role name: CA server
>    Role status: absent
> 
> Number of entries returned 3
> 
> 
> And on the v3.0.0 (ipa<1>) I get:
> 
> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 
> 'cn=masters,cn=ipa,cn=etc,dc=,dc=local' 
> '(&(cn=CA)(ipaConfigString=caServer))' dn
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (&(cn=CA)(ipaConfigString=caServer))
> # requesting: dn
> #
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 1
> 
> I know I am missing something basic and fundamental here.  Is there a CA Master or 
> not?  If not, would I want to just enable the CA Master on the newest server 
> (ipa<3>)?
> 
> The way forward is not clear.
> -Steven Auerbach
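An added check (example code, not FreeIPA's or anything posted in this thread) that parses the kind of `ldapsearch` LDIF shown above and reports whether any `cn=CA` entry under `cn=masters` carries `ipaConfigString=caRenewalMaster`. Hostnames and the suffix are placeholders, and treating `enabledService` on the `cn=CA` entry as the "runs a CA" marker is an assumption.

```python
# Added example (not FreeIPA code): parse the LDIF printed by
#   ldapsearch -b 'cn=masters,cn=ipa,cn=etc,<suffix>' '(cn=CA)' dn ipaConfigString
# and flag the thread's condition: CA entries exist, none is caRenewalMaster.
import re
# Constructed sample (placeholder hosts/suffix): two CA entries, no renewal master.
SAMPLE_NO_MASTER = """\
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
ipaConfigString: startOrder 50

dn: cn=CA,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
ipaConfigString: startOrder 50

result: 0 Success
"""
# The same directory after ipa3 has been promoted as in the linked howto.
SAMPLE_WITH_MASTER = SAMPLE_NO_MASTER.replace(
    "ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test\n",
    "ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test\n"
    "ipaConfigString: caRenewalMaster\n", 1)

DN_RE = re.compile(r"^cn=CA,cn=([^,]+),cn=masters,", re.IGNORECASE)

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, drop comments, split on
    blank lines, keep entries with a dn. Base64 ('::') values are not decoded."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if "dn" in current:
        entries.append(current)
    return entries

def ca_roles(ldif):
    """Host -> role flags. Assumption: enabledService on cn=CA marks a CA server
    (the thread's caServer search found nothing); caRenewalMaster is from the howto."""
    roles = {}
    for entry in parse_ldif(ldif):
        match = DN_RE.match(entry["dn"][0])
        if match:
            flags = {v.lower() for v in entry.get("ipaconfigstring", [])}
            roles[match.group(1).lower()] = {"ca_server": "enabledservice" in flags,
                                             "renewal_master": "carenewalmaster" in flags}
    return roles

def renewal_master_status(ldif):
    """One-line verdict; 'NO renewal master' is the case from this thread."""
    roles = ca_roles(ldif)
    cas = sorted(h for h, r in roles.items() if r["ca_server"])
    masters = sorted(h for h, r in roles.items() if r["renewal_master"])
    if not cas:
        return "no CA servers found"
    if not masters:
        return "NO renewal master among CA servers: " + ", ".join(cas)
    return "renewal master(s): " + ", ".join(masters)
```

Feed it the real `ldapsearch` output with `dn ipaConfigString` requested; an empty result set (as in the thread) yields "no CA servers found", while CA entries without the marker yield the "NO renewal master" verdict that a monitoring job can alert on.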


[Freeipa-users] Re: ipa_automount_location

2019-08-27 Thread Ronald Wimmer via FreeIPA-users

On 27.08.19 14:06, Rob Crittenden via FreeIPA-users wrote:
> Ronald Wimmer via FreeIPA-users wrote:
>> Is it possible to use multiple automount locations (i.e. sssd.conf
>> containing ipa_automount_location=locationA,locationB)?
> 
> A location provides the master map so there can be only one.

Thanks a lot for the clarification.


[Freeipa-users] Re: ipa_automount_location

2019-08-27 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote:
> Is it possible to use multiple automount locations (i.e. sssd.conf
> containing ipa_automount_location=locationA,locationB)?

A location provides the master map so there can be only one.

rob


[Freeipa-users] ipa_automount_location

2019-08-27 Thread Ronald Wimmer via FreeIPA-users
Is it possible to use multiple automount locations (i.e. sssd.conf 
containing ipa_automount_location=locationA,locationB)?


Cheers,
Ronald



[Freeipa-users] Re: Could not chdir to home directory: Permission denied

2019-08-27 Thread Florence Blanc-Renaud via FreeIPA-users

On 8/17/19 10:05 PM, Selman Keskin via FreeIPA-users wrote:
> Any idea?
> 
> Sent from Mail for Windows 10





Hi,

we need a little more information in order to help you. When is this 
issue happening? I assume you are trying to connect to an IPA client 
either using ssh or console login.

First check what is defined as homedir for the user on an IPA server
# kinit admin
# ipa user-show  | grep 'Home directory'
/home/

Then on the machine where you got the error 'Could not chdir', check the 
directory permissions:

# ls -ld /home/
The directory needs to belong to the user and have the right permissions 
(drwx--).


By default, the home directory of every user is computed from 
/

and the HomeDirectoryBase can be found with:

# ipa config-show | grep 'Home directory base'
  Home directory base: /home

If you want to modify the Home Directory Base, you can use
# ipa config-mod --homedirectory=

Note that the new setting will be applied to users created after this 
command and will not modify existing users' home directory.

If you want to modify the home directory for a specific user, you can use
# ipa user-mod  --homedir=.

HTH,
flo


[Freeipa-users] Re: freeipa-client-install error

2019-08-27 Thread Florence Blanc-Renaud via FreeIPA-users

On 8/17/19 6:15 AM, Elhamsadat Azarian via FreeIPA-users wrote:
> Dear friends,
> no one has an idea about my problem?
> 
> I installed the FreeIPA server based on a Windows DNS server. I mean there was a Windows DNS server and 
> while I was installing FreeIPA I set resolv.conf and hosts based on this Windows DNS. Then I 
> installed freeipa-client on my client server. Based on the instructions I changed the client's 
> resolv.conf to the FreeIPA IP (meaning I set the DNS of my client to the FreeIPA server IP). When I ran 
> freeipa-client-install it showed an error: "Failed to verify that ipa-server.shs.dc is an IPA 
> server. This may mean that the remote server is not up or reachable due to network settings." 
> In the ipaclient-install files: "search DNS for SRV record of _ldap._tcp.shs.dc DNS record not 
> found: timeout." Of course I opened all ports in the firewall and I'm sure the server is up.



Hi,

Did you install the FreeIPA server with integrated DNS (i.e. did you use 
the --setup-dns option in ipa-server-install)? If that is not the case, the 
client should use the Windows DNS server and you need to add the DNS records 
to that DNS server as specified in [1].


Please read "Determining whether to use integrated DNS" [2] for more 
information. If you intend to use integrated DNS, you can set up the DNS 
server either during the server install by specifying ipa-server-install 
[...] --setup-dns or on an already installed server with the command 
ipa-dns-install. With integrated DNS the client should use the FreeIPA 
server as its DNS server and the DNS records are created automatically.


HTH,
flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs


[2] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server#install-determine-dns
