[Freeipa-users] Re: sudoers issues

2017-11-08 Thread Jakub Hrozek via FreeIPA-users
On Thu, Nov 09, 2017 at 02:07:03AM +, Andrew Meyer via FreeIPA-users wrote:
> Hello, I am trying to setup a few of my users to have the ability to su - 
> jira or another user using FreeIPA.
> Here is what happens when I am logged in as the user and try to su - jira
> [user1@jira02 ~]$ sudo su - process
> [sudo] password for user1:
> Sorry, user user1 is not allowed to execute '/bin/su - jira' as root on jira02.example.net.
> [user1@jira02 ~]$
> [andrew.meyer@jira02 ~]$ ipa sudorule-show su_jira
>   Rule name: su_jira
>   Enabled: TRUE
>   Host category: all
>   RunAs User category: all
>   RunAs Group category: all
>   User Groups: developers, ops_sudoers
>   Sudo Allow Command Groups: jira_access
>   Sudo Option: !authenticate
> [andrew.meyer@jira02 ~]$
> 
> [andrew.meyer@jira02 ~]$ ipa sudocmd-find su_jira_cmds
> ---
> 1 Sudo Command matched
> ---
>   Sudo Command: /usr/bin/su - jira,/usr/bin/sudo su - jira,/bin/su - jira,/bin/sudo - jira
>   Description: su_jira_cmds
> ---
> Number of entries returned 1
> ---
> What am I doing wrong?

I would first run "sudo -l" to see if the user is able to run any sudo
commands at all.

Then I'd proceed to sudo debugging from
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html#obtaining-logs
to see what data was transferred to sudo and how sudo evaluated it.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button

2017-11-08 Thread Pavel Vomacka via FreeIPA-users



On 11/09/2017 08:36 AM, barry...@gmail.com wrote:
Same like this: label, but no field, no edit, no save; fine from the command line 
... any difference in the freeipa 4.0 vs 3.0 procedure?

Do you have IPA 4.x ? Or which version?

Try to add following line into the specification of your new field:

flags: ['w_if_no_aci']



[Inline image 2]

2017-11-09 14:44 GMT+08:00 Pavel Vomacka:

On 11/08/2017 07:29 AM, barrykfl--- via FreeIPA-users wrote:

Hi,

Dear all:

I followed the FreeIPA 3.0 guide about web UI plugins. From the
command line I successfully made a custom attribute called Employee
"Commencement Date". I can add it using a script / command.

BUT in the web UI it displays the "Commencement Date" label only and
does not display an edit field or allow me to edit.

After that I changed it to multivalued; the field comes out, but the
save button is still grey and I still cannot save.

Which part did I do wrong? Please advise. Thx

define(['freeipa/phases','freeipa/user'],
  function(phases, user_mod) {
    // helper function
    function get_item(array, attr, value) {
      for (var i=0,l=array.length; i<l; i++) {
        if (array[i][attr] === value) return array[i];
      }
      return null;
    }

    var cdate_plugin = {};

    cdate_plugin.add_c_date = function() {
      var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
      var section = get_item(facet.sections, 'name', 'identity');
      section.fields.push({
        $name: 'comDate',

The dollar character should be at the beginning of type attribute
not the name. So try to change it to:
name: 'comDate',
$type: 'multivalued'

        type: 'multivalued',

        label: 'Commencement Date'
      });
      return true;
    };

    phases.on('customization', cdate_plugin.add_c_date);

    return cdate_plugin;
});



Does it help?

-- 
Pavel^3 Vomacka





--
Pavel^3 Vomacka



[Freeipa-users] Re: ldap cache

2017-11-08 Thread Jakub Hrozek via FreeIPA-users
On Wed, Nov 08, 2017 at 03:52:57PM +, Andrew Meyer via FreeIPA-users wrote:
> Let's say I have a user that starts today and I forgot to add their
> username to FreeIPA.  I add their username and they need to start working
> fairly quickly.  I know that I can clear the sudo cache on each server
> with sss_cache -E but is there a way to do this w/ ldap/kerberos queries
> to have it reread the ldap database?
  ~~

I'm not sure what exactly you mean by "it", but see man sssd-sudo for
some explanation of the caching mechanism.

Re-fetching the rules on-demand is not implemented yet.


[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button

2017-11-08 Thread barrykfl--- via FreeIPA-users
Same like this: label, but no field, no edit, no save; fine from the command line
... any difference in the freeipa 4.0 vs 3.0 procedure?

[image: Inline image 2]

2017-11-09 14:44 GMT+08:00 Pavel Vomacka:

>
> On 11/08/2017 07:29 AM, barrykfl--- via FreeIPA-users wrote:
>
> Hi,
>
> Dear all:
>
> I followed the FreeIPA 3.0 guide about web UI plugins. From the command line I
> successfully made a custom attribute called Employee "Commencement Date". I can
> add it using a script / command.
>
> BUT in the web UI it displays the "Commencement Date" label only and does not
> display an edit field or allow me to edit.
>
> After that I changed it to multivalued; the field comes out, but the save button
> is still grey and I still cannot save.
>
> Which part did I do wrong? Please advise. Thx
>
> define(['freeipa/phases','freeipa/user'],
>   function(phases, user_mod) {
> // helper function
> function get_item(array, attr, value) {
>   for (var i=0,l=array.length; i<l; i++) {
> if (array[i][attr] === value) return array[i];
>   }
>   return null;
>   }
>
>   var cdate_plugin = {};
>
>   cdate_plugin.add_c_date = function() {
> var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
> var section = get_item(facet.sections, 'name', 'identity');
> section.fields.push({
>   $name: 'comDate',
>
> The dollar character should be at the beginning of type attribute not the
> name. So try to change it to:
> name: 'comDate',
> $type: 'multivalued'
>
>   type: 'multivalued',
>
>   label: 'Commencement Date'
> });
> return true;
>   };
>
>   phases.on('customization', cdate_plugin.add_c_date);
>
>   return cdate_plugin;
> });
>
>
> Does it help?
>
>
>
>
> --
> Pavel^3 Vomacka
>
>


[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button

2017-11-08 Thread Pavel Vomacka via FreeIPA-users


On 11/08/2017 07:29 AM, barrykfl--- via FreeIPA-users wrote:

Hi,

Dear all:

I followed the FreeIPA 3.0 guide about web UI plugins. From the 
command line I successfully made a custom attribute called Employee 
"Commencement Date". I can add it using a script / command.


BUT in the web UI it displays the "Commencement Date" label only and 
does not display an edit field or allow me to edit.


After that I changed it to multivalued; the field comes out, but the 
save button is still grey and I still cannot save.


Which part did I do wrong? Please advise. Thx

define(['freeipa/phases','freeipa/user'],
  function(phases, user_mod) {
    // helper function
    function get_item(array, attr, value) {
      for (var i=0,l=array.length; i<l; i++) {
        if (array[i][attr] === value) return array[i];
      }
      return null;
    }

    var cdate_plugin = {};

    cdate_plugin.add_c_date = function() {
      var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
      var section = get_item(facet.sections, 'name', 'identity');
      section.fields.push({
        $name: 'comDate',

The dollar character should be at the beginning of type attribute not 
the name. So try to change it to:

name: 'comDate',
$type: 'multivalued'

        type: 'multivalued',

        label: 'Commencement Date'
      });
      return true;
    };

    phases.on('customization', cdate_plugin.add_c_date);

    return cdate_plugin;
});



Does it help?

--
Pavel^3 Vomacka



[Freeipa-users] sudoers issues

2017-11-08 Thread Andrew Meyer via FreeIPA-users
Hello, I am trying to setup a few of my users to have the ability to su - jira 
or another user using FreeIPA.
Here is what happens when I am logged in as the user and try to su - jira
[user1@jira02 ~]$ sudo su - process
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/su - jira' as root on jira02.example.net.
[user1@jira02 ~]$
[andrew.meyer@jira02 ~]$ ipa sudorule-show su_jira
  Rule name: su_jira
  Enabled: TRUE
  Host category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: developers, ops_sudoers
  Sudo Allow Command Groups: jira_access
  Sudo Option: !authenticate
[andrew.meyer@jira02 ~]$

[andrew.meyer@jira02 ~]$ ipa sudocmd-find su_jira_cmds
---
1 Sudo Command matched
---
  Sudo Command: /usr/bin/su - jira,/usr/bin/sudo su - jira,/bin/su - jira,/bin/sudo - jira
  Description: su_jira_cmds
---
Number of entries returned 1
---
What am I doing wrong?


[Freeipa-users] Re: FreeIPA sudoers

2017-11-08 Thread Andrew Meyer via FreeIPA-users
OK, now I need help with another aspect of sudo.  I need to set up a rule so that 
certain users in a group can su - someuser, or sudo su - someuser.
I'm having difficulty researching this.  Can anyone shed light on this?

On Wednesday, November 8, 2017 2:57 PM, Andrew Meyer via FreeIPA-users wrote:

I tried to add too much to the rule.  I added a RunAs or AuthAs option which 
killed me. 

On Wednesday, November 8, 2017 2:51 PM, Patrick Grove via FreeIPA-users wrote:

What was the resolution?

Patrick Grove, 
System Administrator, IT Infrastructure
NHK International
E-mail: patrick.gr...@nhkusa.com
Office #: 248 308 5624

- Original Message -
From: "Andrew Meyer via FreeIPA-users"
To: "Andrew Meyer", "FreeIPA users list", "FreeIPA users list"
Cc: "Rob Crittenden", "Andrew Meyer"
Sent: Wednesday, November 8, 2017 3:47:42 PM
Subject: [Freeipa-users] Re: FreeIPA sudoers

Nm. I fixed it. 

On Wednesday, November 8, 2017 2:28 PM, Andrew Meyer via FreeIPA-users wrote: 

so looking at the logs it finds a rule: 

(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): 
Replacing sudoUser attribute with sudoUser: #115463 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_query_cache] (0x0200): 
Searching sysdb with 
[(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=andrew.me...@mgt.stl.gatewayblend.net)(sudoUser=#115463)(sudoUser=%answers\20jira\20engine...@mgt.stl.example.net)(sudoUser=%answers\20jira\20adm...@mgt.stl.example.net)(sudoUser=%example-admins@mgt.stl.example.net)(sudoUser=%answers\20jira\20us...@mgt.stl.example.net)(sudoUser=%ipaus...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net)(sudoUser=%wheel@mgt.stl.example.net)(sudoUser=%ops_sudo...@mgt.stl.example.net)(sudoUser=%o...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net]
 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting 
rules with higher-wins logic 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): 
Returning 1 rules for [andrew.me...@mgt.stl.example.net@mgt.stl.example.net] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): 
error: [0] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): 
rules_num: [0] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule 
[1]/[1] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
cn:All 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
objectClass:sudoRule 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoCommand:ALL 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoHost:ALL 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoOption:!authenticate 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoRunAsUser:process 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoUser:#115463 
(Wed Nov 8 14:23:40 2017) [sssd[sudo]] [client_recv] (0x0200): Client 
disconnected! 
(Wed Nov 8 14:23:40 2017) [sssd[sudo]] [client_close_fn] (0x2000): Terminated 
client [0x55fce3abe990][18] 


the sssd_hostname log is complaining about no SELinux maps... 

On Wednesday, November 8, 2017 1:43 PM, Rob Crittenden via FreeIPA-users wrote: 

Andrew Meyer via FreeIPA-users wrote: 
> Hello, I'm having some trouble getting sudoers to work. 
> 
> I have 5 machines joined to the FreeIPA domain and I have a user group 
> called ops and ops_sudoers. Both have permission to full sudo. 
> 
> 
> [ andrew.meyer@jira02 ~]$ ipa sudorule-find ALL 
> --- 
> 1 Sudo Rule matched 
> --- 
> Rule name: All 
> Enabled: TRUE 
> Host category: all 
> Command category: all 
> Sudo Option: !authenticate 
>  
> Number of entries returned 1 
>  
> 
> [ andrew.meyer@jira02 ~]$ ipa sudorule-show ALL 
> Rule name: All 
> Enabled: TRUE 
> Host category: all 
> Command category: all 
> Users: brian.keithly, andrew.meyer 
> User Groups: ops_sudoers, ops 
> RunAs Users: process 
> Sudo Option: !authenticate 
> 
> [ andrew.meyer@jira02 ~]$ sudo su - 
> [sudo] password for andrew.meyer: 
> Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root 
> on jira02.mgt.example.net. 
> [ andrew.meyer@jira02 ~]$ 
> 
> My HBAC is set to allow_all. 
> 
> [ root@jira02 log]# cat /etc/sssd/sssd.conf 
> [domain/mgt.example.net] 
> 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> krb5_realm = EXAMPLE.NET 
> ipa_domain = mgt.example.net 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = jira02.mgt.example.net 
> chpass_provider = ipa 
> dyndns_update = True 
> ipa_server = _srv_, infra-test-ipa.example.net 
> dyndns_iface = ens160 
> ldap_tls_
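The sssd_sudo debug lines quoted in this message show a single rule with sudoCommand:ALL but sudoRunAsUser:process, which is why `sudo su -` (target user root) is refused even though every other attribute matches, and why dropping the RunAs option resolved it. As an added example that is not part of the thread, the following Python script parses those debug lines into a rule and replays sudo's decision under a simplified model of the sudoers LDAP attributes; the matcher, FIXED_RULE and REQUEST are constructed here and are not sudo's or SSSD's own code.

```python
"""Replay sudo's rule evaluation for the request seen in this thread.
Added example, not part of the posts: a simplified model of the sudoers LDAP
attributes (sudoUser, sudoHost, sudoCommand, sudoRunAsUser), not sudo's or
SSSD's own code; netgroups, wildcards and sudoRunAsGroup are not modelled."""
import re

# Constructed copy of the sudosrv_response_append_attr lines quoted in the
# thread: the single rule SSSD handed to sudo for uid 115463.
SSSD_SUDO_LOG = """\
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): cn:All
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOption:!authenticate
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoRunAsUser:process
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoUser:#115463
"""

ATTR_RE = re.compile(r"\[sudosrv_response_append_attr\] \(0x[0-9a-f]+\): (\w+):(.*)$")

def parse_rules(log):
    """Group append_attr lines into rule dicts; each 'cn' line starts a new rule."""
    rules, current = [], None
    for line in log.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2).strip()
        if attr == "cn":
            current = {}
            rules.append(current)
        if current is not None:
            current.setdefault(attr, []).append(value)
    return rules

def _user_ok(values, user, uid, groups):
    """sudoUser: ALL, a login name, #uid or %group."""
    return any(v == "ALL" or v == user
               or (v.startswith("#") and v[1:] == str(uid))
               or (v.startswith("%") and v[1:] in groups)
               for v in values)

def _host_ok(values, host):
    return any(v in ("ALL", host) for v in values)

def _command_ok(values, command):
    """sudoCommand: ALL or an exact 'path [args]' string; a leading '!' denies."""
    if any(v.startswith("!") and v[1:] in ("ALL", command) for v in values):
        return False
    return any(v in ("ALL", command) for v in values)

def _runas_ok(values, runas_user):
    """No sudoRunAsUser attribute grants root only (the sudoers.ldap default);
    'ALL' grants any target user; otherwise the target must be listed."""
    if not values:
        return runas_user == "root"
    return any(v in ("ALL", runas_user) for v in values)

def evaluate(rules, *, user, uid, groups, host, command, runas_user="root"):
    """Walk the rules the way sudo does and return (allowed, notes); notes
    records why each rule did or did not apply to the request."""
    notes = []
    for rule in rules:
        name = rule.get("cn", ["?"])[0]
        if not _user_ok(rule.get("sudoUser", []), user, uid, groups):
            notes.append(f"{name}: sudoUser does not match {user} (#{uid})")
            continue
        if not _host_ok(rule.get("sudoHost", []), host):
            notes.append(f"{name}: sudoHost does not match {host}")
            continue
        runas = rule.get("sudoRunAsUser", [])
        if not _runas_ok(runas, runas_user):
            notes.append(f"{name}: sudoRunAsUser {runas or ['root']} excludes {runas_user}")
            continue
        if not _command_ok(rule.get("sudoCommand", []), command):
            notes.append(f"{name}: sudoCommand does not cover {command!r}")
            continue
        notes.append(f"{name}: allows {command!r} as {runas_user}")
        return True, notes
    return False, notes

# Constructed: the same rule without the RunAs restriction, which is what the
# thread describes as the fix ("I added a RunAs ... option which killed me").
FIXED_RULE = {"cn": ["All"], "sudoUser": ["%ops_sudoers"], "sudoHost": ["ALL"],
              "sudoCommand": ["ALL"], "sudoOption": ["!authenticate"]}

# The request from the thread: 'sudo su -' on jira02 by uid 115463.
REQUEST = dict(user="andrew.meyer", uid=115463, groups=["ops", "ops_sudoers"],
               host="jira02.mgt.example.net", command="/bin/su -")

if __name__ == "__main__":
    rules = parse_rules(SSSD_SUDO_LOG)
    for label, rs, extra in [("as logged, su - as root", rules, {}),
                             ("as logged, sudo -u process", rules, {"runas_user": "process"}),
                             ("RunAs removed, su - as root", [FIXED_RULE], {})]:
        allowed, notes = evaluate(rs, **REQUEST, **extra)
        print(f"{label}: {'ALLOWED' if allowed else 'DENIED'} -- {'; '.join(notes)}")
```

Run as a script it prints DENIED for the logged rule as root, ALLOWED for the same rule with `-u process`, and ALLOWED once the RunAs attribute is gone.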

[Freeipa-users] ipa-replica-install - DatabaseError: Server is unwilling to perform

2017-11-08 Thread Outback Dingo via FreeIPA-users
So it's a fresh CentOS 7 box; I installed the "master" OK, but getting
replicas done is pitching me fits... any ideas?


ipa-client-install --domain=optimcloud.com --realm=OPTIMCLOUD.COM --force-join
Skip ipa2.optimcloud.com: LDAP server is not responding, unable to
verify if this is an IPA server
Discovery was successful!
Client hostname: ipa2.optimcloud.com
Realm: OPTIMCLOUD.COM
DNS Domain: optimcloud.com
IPA Server: ipa3.optimcloud.com
BaseDN: dc=optimcloud,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for ad...@optimcloud.com:
Successfully retrieved CA cert
   Subject: CN=Certificate Authority,O=OPTIMCLOUD.COM
   Issuer:  CN=Certificate Authority,O=OPTIMCLOUD.COM
   Valid From:  2017-11-08 09:51:27
   Valid Until: 2037-11-08 09:51:27

Enrolled in IPA realm OPTIMCLOUD.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm OPTIMCLOUD.COM
trying https://ipa3.optimcloud.com/ipa/json
[try 1]: Forwarding 'ping' to json server 'https://ipa3.optimcloud.com/ipa/json'
[try 1]: Forwarding 'ca_is_enabled' to json server
'https://ipa3.optimcloud.com/ipa/json'
Systemwide CA database updated.
Hostname (ipa2.optimcloud.com) does not have A/ record.
Missing A/ record(s) for host ipa2.optimcloud.com: 148.251.24.3.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server
'https://ipa3.optimcloud.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring optimcloud.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@ipa2 ~]# ipa-replica-install --skip-conncheck --setup-dns --no-forwarders
ipa : ERROR Reverse DNS resolution of address 148.251.24.3 (ipa2.optimcloud.com) failed. Clients may not function properly.
Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Configuring NTP daemon (ntpd)
 [1/4]: stopping ntpd
 [2/4]: writing configuration
 [3/4]: configuring ntpd to start on boot
 [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
 [1/40]: creating directory server instance
 [2/40]: enabling ldapi
 [3/40]: configure autobind for root
 [4/40]: stopping directory server
 [5/40]: updating configuration in dse.ldif
 [6/40]: starting directory server
 [7/40]: adding default schema
 [8/40]: enabling memberof plugin
 [9/40]: enabling winsync plugin
 [10/40]: configuring replication version plugin
 [11/40]: enabling IPA enrollment plugin
 [12/40]: configuring uniqueness plugin
 [13/40]: configuring uuid plugin
 [14/40]: configuring modrdn plugin
 [15/40]: configuring DNS plugin
 [16/40]: enabling entryUSN plugin
 [17/40]: configuring lockout plugin
 [18/40]: configuring topology plugin
 [19/40]: creating indices
 [20/40]: enabling referential integrity plugin
 [21/40]: configuring certmap.conf
 [22/40]: configure new location for managed entries
 [23/40]: configure dirsrv ccache
 [24/40]: enabling SASL mapping fallback
 [25/40]: restarting directory server
 [26/40]: creating DS keytab
 [27/40]: setting up initial replication

 [error] DatabaseError: Server is unwilling to perform: Entry is
managed by topology plugin. Adding of entry not allowed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Server is unwilling to perform: Entry is managed by topology plugin. Adding of entry not allowed.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


[Freeipa-users] Re: FreeIPA sudoers

2017-11-08 Thread Andrew Meyer via FreeIPA-users
I tried to add too much to the rule.  I added a RunAs or AuthAs option which 
killed me. 

On Wednesday, November 8, 2017 2:51 PM, Patrick Grove via FreeIPA-users wrote:

What was the resolution?

Patrick Grove, 
System Administrator, IT Infrastructure
NHK International
E-mail: patrick.gr...@nhkusa.com
Office #: 248 308 5624

- Original Message -
From: "Andrew Meyer via FreeIPA-users"
To: "Andrew Meyer", "FreeIPA users list", "FreeIPA users list"
Cc: "Rob Crittenden", "Andrew Meyer"
Sent: Wednesday, November 8, 2017 3:47:42 PM
Subject: [Freeipa-users] Re: FreeIPA sudoers

Nm. I fixed it. 

On Wednesday, November 8, 2017 2:28 PM, Andrew Meyer via FreeIPA-users wrote: 

so looking at the logs it finds a rule: 

(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): 
Replacing sudoUser attribute with sudoUser: #115463 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_query_cache] (0x0200): 
Searching sysdb with 
[(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=andrew.me...@mgt.stl.gatewayblend.net)(sudoUser=#115463)(sudoUser=%answers\20jira\20engine...@mgt.stl.example.net)(sudoUser=%answers\20jira\20adm...@mgt.stl.example.net)(sudoUser=%example-admins@mgt.stl.example.net)(sudoUser=%answers\20jira\20us...@mgt.stl.example.net)(sudoUser=%ipaus...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net)(sudoUser=%wheel@mgt.stl.example.net)(sudoUser=%ops_sudo...@mgt.stl.example.net)(sudoUser=%o...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net]
 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting 
rules with higher-wins logic 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): 
Returning 1 rules for [andrew.me...@mgt.stl.example.net@mgt.stl.example.net] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): 
error: [0] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): 
rules_num: [0] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule 
[1]/[1] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
cn:All 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
objectClass:sudoRule 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoCommand:ALL 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoHost:ALL 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoOption:!authenticate 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoRunAsUser:process 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoUser:#115463 
(Wed Nov 8 14:23:40 2017) [sssd[sudo]] [client_recv] (0x0200): Client 
disconnected! 
(Wed Nov 8 14:23:40 2017) [sssd[sudo]] [client_close_fn] (0x2000): Terminated 
client [0x55fce3abe990][18] 


the sssd_hostname log is complaining about no SELinux maps... 

On Wednesday, November 8, 2017 1:43 PM, Rob Crittenden via FreeIPA-users wrote: 

Andrew Meyer via FreeIPA-users wrote: 
> Hello, I'm having some trouble getting sudoers to work. 
> 
> I have 5 machines joined to the FreeIPA domain and I have a user group 
> called ops and ops_sudoers. Both have permission to full sudo. 
> 
> 
> [ andrew.meyer@jira02 ~]$ ipa sudorule-find ALL 
> --- 
> 1 Sudo Rule matched 
> --- 
> Rule name: All 
> Enabled: TRUE 
> Host category: all 
> Command category: all 
> Sudo Option: !authenticate 
>  
> Number of entries returned 1 
>  
> 
> [ andrew.meyer@jira02 ~]$ ipa sudorule-show ALL 
> Rule name: All 
> Enabled: TRUE 
> Host category: all 
> Command category: all 
> Users: brian.keithly, andrew.meyer 
> User Groups: ops_sudoers, ops 
> RunAs Users: process 
> Sudo Option: !authenticate 
> 
> [ andrew.meyer@jira02 ~]$ sudo su - 
> [sudo] password for andrew.meyer: 
> Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root 
> on jira02.mgt.example.net. 
> [ andrew.meyer@jira02 ~]$ 
> 
> My HBAC is set to allow_all. 
> 
> [ root@jira02 log]# cat /etc/sssd/sssd.conf 
> [domain/mgt.example.net] 
> 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> krb5_realm = EXAMPLE.NET 
> ipa_domain = mgt.example.net 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = jira02.mgt.example.net 
> chpass_provider = ipa 
> dyndns_update = True 
> ipa_server = _srv_, infra-test-ipa.example.net 
> dyndns_iface = ens160 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> [sssd] 
> services = nss, pam, ssh, sudo 
> 
> domains = mgt.example.net 
> [nss] 
> homedir_substring = /home 
> 
> [pam] 
> 
> [sudo] 
> 
> [autofs] 
> 
> [ssh] 
> 
> [pac] 
> 
> [ifp] 
> 
> [secrets] 
> 
> [ root@jira02 log]# 

Start here: 
https://docs.pagure.org/SSSD.sssd/u

[Freeipa-users] Re: FreeIPA sudoers

2017-11-08 Thread Patrick Grove via FreeIPA-users
What was the resolution?

Patrick Grove, 
System Administrator, IT Infrastructure
NHK International
E-mail: patrick.gr...@nhkusa.com
Office #: 248 308 5624

- Original Message -
From: "Andrew Meyer via FreeIPA-users"
To: "Andrew Meyer", "FreeIPA users list", "FreeIPA users list"
Cc: "Rob Crittenden", "Andrew Meyer"
Sent: Wednesday, November 8, 2017 3:47:42 PM
Subject: [Freeipa-users] Re: FreeIPA sudoers

Nm. I fixed it. 

On Wednesday, November 8, 2017 2:28 PM, Andrew Meyer via FreeIPA-users wrote: 

so looking at the logs it finds a rule: 

(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): 
Replacing sudoUser attribute with sudoUser: #115463 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_query_cache] (0x0200): 
Searching sysdb with 
[(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=andrew.me...@mgt.stl.gatewayblend.net)(sudoUser=#115463)(sudoUser=%answers\20jira\20engine...@mgt.stl.example.net)(sudoUser=%answers\20jira\20adm...@mgt.stl.example.net)(sudoUser=%example-admins@mgt.stl.example.net)(sudoUser=%answers\20jira\20us...@mgt.stl.example.net)(sudoUser=%ipaus...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net)(sudoUser=%wheel@mgt.stl.example.net)(sudoUser=%ops_sudo...@mgt.stl.example.net)(sudoUser=%o...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net]
 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting 
rules with higher-wins logic 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): 
Returning 1 rules for [andrew.me...@mgt.stl.example.net@mgt.stl.example.net] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): 
error: [0] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): 
rules_num: [0] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule 
[1]/[1] 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
cn:All 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
objectClass:sudoRule 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoCommand:ALL 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoHost:ALL 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoOption:!authenticate 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoRunAsUser:process 
(Wed Nov 8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): 
sudoUser:#115463 
(Wed Nov 8 14:23:40 2017) [sssd[sudo]] [client_recv] (0x0200): Client 
disconnected! 
(Wed Nov 8 14:23:40 2017) [sssd[sudo]] [client_close_fn] (0x2000): Terminated 
client [0x55fce3abe990][18] 


the sssd_hostname log is complaining about no SELinux maps... 

On Wednesday, November 8, 2017 1:43 PM, Rob Crittenden via FreeIPA-users wrote: 

Andrew Meyer via FreeIPA-users wrote: 
> Hello, I'm having some trouble getting sudoers to work. 
> 
> I have 5 machines joined to the FreeIPA domain and I have a user group 
> called ops and ops_sudoers. Both have permission to full sudo. 
> 
> 
> [ andrew.meyer@jira02 ~]$ ipa sudorule-find ALL 
> --- 
> 1 Sudo Rule matched 
> --- 
> Rule name: All 
> Enabled: TRUE 
> Host category: all 
> Command category: all 
> Sudo Option: !authenticate 
>  
> Number of entries returned 1 
>  
> 
> [ andrew.meyer@jira02 ~]$ ipa sudorule-show ALL 
> Rule name: All 
> Enabled: TRUE 
> Host category: all 
> Command category: all 
> Users: brian.keithly, andrew.meyer 
> User Groups: ops_sudoers, ops 
> RunAs Users: process 
> Sudo Option: !authenticate 
> 
> [ andrew.meyer@jira02 ~]$ sudo su - 
> [sudo] password for andrew.meyer: 
> Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root 
> on jira02.mgt.example.net. 
> [ andrew.meyer@jira02 ~]$ 
> 
> My HBAC is set to allow_all. 
> 
> [ root@jira02 log]# cat /etc/sssd/sssd.conf 
> [domain/mgt.example.net] 
> 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> krb5_realm = EXAMPLE.NET 
> ipa_domain = mgt.example.net 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = jira02.mgt.example.net 
> chpass_provider = ipa 
> dyndns_update = True 
> ipa_server = _srv_, infra-test-ipa.example.net 
> dyndns_iface = ens160 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> [sssd] 
> services = nss, pam, ssh, sudo 
> 
> domains = mgt.example.net 
> [nss] 
> homedir_substring = /home 
> 
> [pam] 
> 
> [sudo] 
> 
> [autofs] 
> 
> [ssh] 
> 
> [pac] 
> 
> [ifp] 
> 
> [secrets] 
> 
> [ root@jira02 log]# 

Start here: 
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html 

rob 


[Freeipa-users] Re: FreeIPA sudoers

2017-11-08 Thread Andrew Meyer via FreeIPA-users
Nm.  I fixed it. 

On Wednesday, November 8, 2017 2:28 PM, Andrew Meyer via FreeIPA-users wrote:

so looking at the logs it finds a rule:
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #115463
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=andrew.me...@mgt.stl.gatewayblend.net)(sudoUser=#115463)(sudoUser=%answers\20jira\20engine...@mgt.stl.example.net)(sudoUser=%answers\20jira\20adm...@mgt.stl.example.net)(sudoUser=%example-adm...@mgt.stl.example.net)(sudoUser=%answers\20jira\20us...@mgt.stl.example.net)(sudoUser=%ipaus...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net)(sudoUser=%wh...@mgt.stl.example.net)(sudoUser=%ops_sudo...@mgt.stl.example.net)(sudoUser=%o...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 1 rules for [andrew.me...@mgt.stl.example.net@mgt.stl.example.net]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule [1]/[1]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): cn:All
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOption:!authenticate
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoRunAsUser:process
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoUser:#115463
(Wed Nov  8 14:23:40 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Nov  8 14:23:40 2017) [sssd[sudo]] [client_close_fn] (0x2000): Terminated client [0x55fce3abe990][18]
the sssd_hostname log is complaining about no SELinux maps... 

On Wednesday, November 8, 2017 1:43 PM, Rob Crittenden via FreeIPA-users wrote:

Andrew Meyer via FreeIPA-users wrote:
> Hello, I'm having some trouble getting sudoers to work.
> 
> I have 5 machines joined to the FreeIPA domain and I have a user group
> called ops and ops_sudoers.  Both have permission to full sudo.  
> 
> 
> [andrew.meyer@jira02 ~]$ ipa sudorule-find ALL
> ---
> 1 Sudo Rule matched
> ---
>  Rule name: All
>  Enabled: TRUE
>  Host category: all
>  Command category: all
>  Sudo Option: !authenticate
> 
> Number of entries returned 1
> 
> 
> [andrew.meyer@jira02 ~]$ ipa sudorule-show ALL
>  Rule name: All
>  Enabled: TRUE
>  Host category: all
>  Command category: all
>  Users: brian.keithly, andrew.meyer
>  User Groups: ops_sudoers, ops
>  RunAs Users: process
>  Sudo Option: !authenticate
> 
> [andrew.meyer@jira02 ~]$ sudo su -
> [sudo] password for andrew.meyer:
> Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root
> on jira02.mgt.example.net.
> [andrew.meyer@jira02 ~]$
> 
> My HBAC is set to allow_all.
> 
> [root@jira02 log]# cat /etc/sssd/sssd.conf
> [domain/mgt.example.net]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = EXAMPLE.NET
> ipa_domain = mgt.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = jira02.mgt.example.net
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, infra-test-ipa.example.net
> dyndns_iface = ens160
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh, sudo
> 
> domains = mgt.example.net
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [secrets]
> 
> [root@jira02 log]#

Start here:
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html

rob
   ___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
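The responder log above shows sssd handing exactly one rule to sudo, with sudoCommand:ALL and sudoHost:ALL but sudoRunAsUser:process. As an added example that is not part of this thread, the following Python parses those attribute lines and applies them the way sudo evaluates sudoers-LDAP rules, using a simplified model that I am assuming (exact matching, no globbing or '!' negation, no sudoRunAsGroup). The log excerpt is reconstructed from the lines quoted above, one entry per line, and the default hostname is the one from the thread. Under those semantics the rule matches the command but only for a target user of process, so running /bin/su - as root (which is what `sudo su -` asks for) is refused even though the rule itself was found.

```python
"""Replay the sudo rule that sssd's sudo responder returned, as sudo would apply it."""
import re

# Constructed excerpt: the attribute lines from the sssd_sudo log quoted in the
# thread, one entry per line (the real log runs the entries together).
SAMPLE_SUDO_LOG = """\
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule [1]/[1]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): cn:All
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOption:!authenticate
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoRunAsUser:process
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoUser:#115463
"""

# One appended attribute per line: "<attribute>:<value>" after the debug level.
ATTR_RE = re.compile(
    r"\[sudosrv_response_append_attr\] \(0x[0-9a-fA-F]+\): ([A-Za-z]+):(.*)$"
)


def parse_rules(log_text):
    """Group the appended attributes into rules; every 'cn' line opens a new rule."""
    rules = []
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2).strip()
        if attr == "cn":
            rules.append({})
        if rules:
            rules[-1].setdefault(attr, []).append(value)
    return rules


def _value_matches(values, wanted):
    """ALL matches anything; otherwise the value must match exactly (no globbing,
    no '!' negation: a simplification of real sudoers matching, assumed here)."""
    return any(v == "ALL" or v == wanted for v in values)


def command_allowed(rule, command, runas_user="root", host="jira02.mgt.example.net"):
    """Return (allowed, reason) for running `command` as `runas_user` on `host`.

    Order of checks follows sudoers-LDAP: sudoHost, then sudoCommand, then the
    target user. A rule without sudoRunAsUser applies to sudo's runas_default,
    which is root; a rule with sudoRunAsUser set only covers the users listed.
    """
    if not _value_matches(rule.get("sudoHost", []), host):
        return False, "sudoHost does not cover %s" % host
    if not _value_matches(rule.get("sudoCommand", []), command):
        return False, "sudoCommand does not cover %s" % command
    runas = rule.get("sudoRunAsUser") or ["root"]
    if not _value_matches(runas, runas_user):
        return False, "sudoRunAsUser limits the target user to: %s" % ", ".join(runas)
    return True, "allowed by rule %s" % ", ".join(rule.get("cn", ["<unnamed>"]))


if __name__ == "__main__":
    for rule in parse_rules(SAMPLE_SUDO_LOG):
        for target in ("root", "process"):
            # the thread's 'sudo su -' runs /bin/su - with root as the target user
            print("%-8s %s" % (target, command_allowed(rule, "/bin/su -", target)))
```

Reading the reason string from command_allowed next to `sudo -l` output is a quick way to tell a rule that never reached the client (sssd cache, HBAC, sudoHost) from one that reached it but does not grant the requested target user.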


[Freeipa-users] Re: FreeIPA sudoers

2017-11-08 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote:
> Hello, I'm having some trouble getting sudoers to work.  
> 
> I have 5 machines joined to the FreeIPA domain and I have a user group
> called ops and ops_sudoers.  Both have permission to full sudo.  
> 
> 
> [andrew.meyer@jira02 ~]$ ipa sudorule-find ALL
> ---
> 1 Sudo Rule matched
> ---
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   Sudo Option: !authenticate
> 
> Number of entries returned 1
> 
> 
> [andrew.meyer@jira02 ~]$ ipa sudorule-show ALL
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   Users: brian.keithly, andrew.meyer
>   User Groups: ops_sudoers, ops
>   RunAs Users: process
>   Sudo Option: !authenticate
> 
> [andrew.meyer@jira02 ~]$ sudo su -
> [sudo] password for andrew.meyer:
> Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root
> on jira02.mgt.example.net.
> [andrew.meyer@jira02 ~]$
> 
> My HBAC is set to allow_all.
> 
> [root@jira02 log]# cat /etc/sssd/sssd.conf
> [domain/mgt.example.net]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = EXAMPLE.NET
> ipa_domain = mgt.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = jira02.mgt.example.net
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, infra-test-ipa.example.net
> dyndns_iface = ens160
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh, sudo
> 
> domains = mgt.example.net
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [secrets]
> 
> [root@jira02 log]#

Start here:
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] FreeIPA sudoers

2017-11-08 Thread Andrew Meyer via FreeIPA-users
Hello, I'm having some trouble getting sudoers to work.
I have 5 machines joined to the FreeIPA domain and I have a user group called
ops and ops_sudoers.  Both have permission to full sudo.

[andrew.meyer@jira02 ~]$ ipa sudorule-find ALL
---
1 Sudo Rule matched
---
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  Sudo Option: !authenticate

Number of entries returned 1

[andrew.meyer@jira02 ~]$ ipa sudorule-show ALL
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  Users: brian.keithly, andrew.meyer
  User Groups: ops_sudoers, ops
  RunAs Users: process
  Sudo Option: !authenticate

[andrew.meyer@jira02 ~]$ sudo su -
[sudo] password for andrew.meyer:
Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root on
jira02.mgt.example.net.
[andrew.meyer@jira02 ~]$

My HBAC is set to allow_all.

[root@jira02 log]# cat /etc/sssd/sssd.conf
[domain/mgt.example.net]

cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = EXAMPLE.NET
ipa_domain = mgt.example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = jira02.mgt.example.net
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, infra-test-ipa.example.net
dyndns_iface = ens160
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo

domains = mgt.example.net
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[root@jira02 log]#
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Multiboot and FreeIPA

2017-11-08 Thread Alexander Bokovoy via FreeIPA-users

On ke, 08 marras 2017, Pascal Ernster via FreeIPA-users wrote:
> [2017-11-07 14:50] Alexander Bokovoy via FreeIPA-users:
>> If they all have the same hostname, you are better to enroll and share
>> keytab across all configurations. To do so, enroll first time and then
>> specify /etc/krb5.keytab from that installation with ipa-client-install
>> -k option. See ipa-client-install man page for more details.
>
> Thanks for the advice. Would the kerberos keytab and the SSH host keys
> be the only possible/likely causes for problems?

The only thing that would be common to all these machines is LDAP object
for the machine. It is indexed by the hostname, so having the same
hostname means sharing that LDAP object and all its attributes,
including Kerberos key.

You can have multiple SSHFP entries for the same host, this is normal.

> Please note that I run FreeIPA with external nameservers, on which I
> added the necessary DNS entries for the FreeIPA servers manually. The
> FreeIPA client machines only have their respective A/ records (and
> the corresponding reverse DNS records, of course).

How DNS is managed is irrelevant here.

--
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Multiboot and FreeIPA

2017-11-08 Thread Pascal Ernster via FreeIPA-users
Please disregard this message/subthread. I used the wrong envelope
sender due to a typo.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Multiboot and FreeIPA

2017-11-08 Thread Pascal Ernster via FreeIPA-users
Please disregard this message/subthread. I used the wrong envelope
sender due to a bug in my mail client.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Multiboot and FreeIPA

2017-11-08 Thread Pascal Ernster via FreeIPA-users
[2017-11-07 14:50] Alexander Bokovoy via FreeIPA-users:
> If they all have the same hostname, you are better to enroll and share
> keytab across all configurations. To do so, enroll first time and then
> specify /etc/krb5.keytab from that installation with ipa-client-install
> -k option. See ipa-client-install man page for more details.

Thanks for the advice. Would the kerberos keytab and the SSH host keys
be the only possible/likely causes for problems?

Please note that I run FreeIPA with external nameservers, on which I
added the necessary DNS entries for the FreeIPA servers manually. The
FreeIPA client machines only have their respective A/ records (and
the corresponding reverse DNS records, of course).


Regards
Pascal
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] ldap cache

2017-11-08 Thread Andrew Meyer via FreeIPA-users
Let's say I have a user that starts today and I forgot to add their username to 
FreeIPA.  I add their username and they need to start working fairly quickly.  
I know that I can clear the sudo cache on each server with sss_cache -E but is 
there a way to do this w/ ldap/kerberos queries to have it reread the ldap 
database?___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-08 Thread Sigbjorn Lie via FreeIPA-users
Hi,

Thank you. That worked well. :)


Regards,
Siggi

> On 7 Nov 2017, at 11:24, Alexander Bokovoy via FreeIPA-users wrote:
> 
> On ma, 06 marras 2017, Sigbjorn Lie via FreeIPA-users wrote:
>> Hi list,
>> 
>> RHEL/CentOS 5.11 clients do not seem to work with IPA 4.5 unless I go
>> from sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa
>> to allow the existing HBAC rules to function.
>> 
>> Is there a known workaround to get EL 5.11 clients to work with IPA 4.5
>> using sssd-ipa?
>> 
>> Thanks.
>> 
>> 
>> Regards,
>> Siggi
>> 
>> 
>> [root@ipaclient sssd]# kinit -kt /etc/krb5.keytab
>> 
>> kinit(v5): Preauthentication failed while getting initial credentials
>> 
> Uninstall pkinit-nss if you have it installed. Restart sssd.
> 
> -- 
> / Alexander Bokovoy
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Find IPA user or computer account from windows

2017-11-08 Thread Ronald Wimmer via FreeIPA-users

Is there a chance that this will be implemented at some point in time?

My Use Case: I would like to use a System in the IPA domain as Citrix 
VDA - the Citrix management software can only add computers that can be 
found by their Windows-based tool.


Regards,
Ronald
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: master - replica relationship

2017-11-08 Thread dbischof--- via FreeIPA-users

Hola,

On Wed, 8 Nov 2017, Lachlan Musicman via FreeIPA-users wrote:
> I'm still trying to wrap my head around the master-replica concept.
>
> From what I read in the documentation (Chapter 4 of
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/)
> the replica should be able to take over as master should master go
> offline.
>
> Our replica was set up with CA & without DNS - the same as master, and
> it seems to be working on the whole.
>
> The problem I'm having is in the replication. create user on master:
>
> ipa user-add master_test_user --first=MT --last=ML
>
> create user on replica:
>
> ipa user-add replica_test_user --first=RT --last=RL
>
> find user on master:
>
> [root@vmpr-linuxidm ~]# ipa user-find test_user
> ---
> 2 users matched
> ---
> [...]
>
> find user on replica:
>
> [root@vmdr-linuxidm ~]# ipa user-find test_user
> --
> 1 user matched
> --
> [...]
>
> If I run ipa user-add on the replica, I see it upstream on master, but
> if I run ipa add-user on the master, that's not replicated down to the
> replica.
>
> Also, ipa user-del (even with --no-preserve) works on master, but
> doesn't delete the user on the replica.
>
> What has gone wrong?

I had something similar recently (replica not "talking" to master). It 
turned out that replication refused to work in both directions for reasons 
still unknown to me. Finally, I had to reinstall my replica 
(ipa-replica-install --setup-ca) to make replication work again:


---
root@poolsrv:~# ipa topologysegment-find
Suffix name: domain
-
1 segment matched
-
  Segment name: o201.example.org-to-poolsrv.example.org
  Left node: o201.example.org
  Right node: poolsrv.example.org
  Connectivity: both

Number of entries returned 1

root@poolsrv:~# ipa topologysegment-find
Suffix name: ca
-
1 segment matched
-
  Segment name: o201.example.org-to-poolsrv.example.org
  Left node: o201.example.org
  Right node: poolsrv.example.org
  Connectivity: both

Number of entries returned 1

---

"Connectivity" is now "both" but used to be "left-right". I also had a lot 
of errors in the poolsrv (replica) directory server log referring to 
NSMMReplicationPlugin. You may want to check this in order to diagnose the 
problem.


Maybe, the augurs know a better way to fix this than to reinstall.


Mit freundlichen Gruessen/With best regards,

--Daniel.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: master - replica relationship

2017-11-08 Thread Florence Blanc-Renaud via FreeIPA-users

On 11/08/2017 04:52 AM, Lachlan Musicman via FreeIPA-users wrote:
> Hola,
>
> I'm still trying to wrap my head around the master-replica concept.
>
> From what I read in the documentation (Chapter 4 of
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/)
> the replica should be able to take over as master should master go offline.
>
> Our replica was set up with CA & without DNS - the same as master, and
> it seems to be working on the whole.
>
> The problem I'm having is in the replication.
> create user on master:
>
> ipa user-add master_test_user --first=MT --last=ML
>
> create user on replica:
>
> ipa user-add replica_test_user --first=RT --last=RL
>
> find user on master:
>
> [root@vmpr-linuxidm ~]# ipa user-find test_user
> ---
> 2 users matched
> ---
>   User login: master_test_user
>   First name: MT
>   Last name: ML
>   Home directory: /home/master_test_user
>   Login shell: /bin/bash
>   Principal name: master_test_u...@unix.domain.com
>   Principal alias: master_test_u...@unix.domain.com
>   Email address: master_test_u...@domain.com
>   UID: 1718800021
>   GID: 1718800021
>   Account disabled: False
>
>   User login: replica_test_user
>   First name: RT
>   Last name: RL
>   Home directory: /home/replica_test_user
>   Login shell: /bin/bash
>   Principal name: replica_test_u...@unix.domain.com
>   Principal alias: replica_test_u...@unix.domain.com
>   Email address: replica_test_u...@domain.com
>   UID: 1718850502
>   GID: 1718850502
>   Account disabled: False
>
> Number of entries returned 2
>
> find user on replica:
> [root@vmdr-linuxidm ~]# ipa user-find test_user
> --
> 1 user matched
> --
>   User login: replica_test_user
>   First name: RT
>   Last name: RL
>   Home directory: /home/replica_test_user
>   Login shell: /bin/bash
>   Principal name: replica_test_u...@unix.domain.com
>   Principal alias: replica_test_u...@unix.domain.com
>   Email address: replica_test_u...@domain.com
>   UID: 1718850502
>   GID: 1718850502
>   Account disabled: False
>
> Number of entries returned 1
>
> If I run ipa user-add on the replica, I see it upstream on master, but
> if I run ipa add-user on the master, that's not replicated down to the
> replica.
>
> Also, ipa user-del (even with --no-preserve) works on master, but
> doesn't delete the user on the replica.
>
> What has gone wrong?
>
> Cheers
> L.
>
> --
> "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic
> civics is the insistence that we cannot ignore the truth, nor should we
> panic about it. It is a shared consciousness that our institutions have
> failed and our ecosystem is collapsing, yet we are still here — and we
> are creative agents who can shape our destinies. Apocalyptic civics is
> the conviction that the only way out is through, and the only way
> through is together. "
>
> /Greg Bloom/ @greggish
> https://twitter.com/greggish/status/873177525903609857

Hi,

you are describing a situation where the replication from replica to 
master is working (user created on replica can be seen on master), but 
the replication from master to replica is not.


The replication should always be bilateral, meaning that you have an 
issue. These documents [1] and [2] both contain information how to 
troubleshoot replication issues. You will need to start by looking at 
the directory server error logs.


HTH,
Flo.

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#trouble-gen-replication


[2] https://www.freeipa.org/page/Troubleshooting#Directory_Server_issues
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
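Daniel's remark about NSMMReplicationPlugin errors in the poolsrv directory server log and Flo's advice to start with the directory server error logs both point at the same file, /var/log/dirsrv/slapd-INSTANCE/errors. As an added example that is not part of this thread, the Python below pulls the replication-agreement errors out of that log and groups them per agreement, so a one-way replication failure like Lachlan's can be traced to the specific agreement and the kind of error it reports. The log lines are constructed in the 389-ds errors-log layout (timestamp, severity, component, message), the agreement names reuse the hosts from Daniel's topology output, and the classification keywords are my own heuristic rather than anything taken from the documents linked above.

```python
"""Group 389 Directory Server replication errors by agreement."""
import re
from collections import defaultdict

# Constructed sample in the layout of /var/log/dirsrv/slapd-<INSTANCE>/errors
# (timestamp, severity, component, message). Not lines from the thread; the
# agreement names reuse the hosts from the topology output above.
SAMPLE_ERRORS_LOG = """\
[08/Nov/2017:10:02:41.110345678 +0100] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[08/Nov/2017:10:03:12.220456789 +0100] - ERR - NSMMReplicationPlugin - agmt="cn=meToo201.example.org" (o201:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[08/Nov/2017:10:03:12.330567890 +0100] - ERR - NSMMReplicationPlugin - agmt="cn=meToo201.example.org" (o201:389): Unable to acquire replica: permission denied. The bind DN does not have permission to supply replication updates to the replica.
[08/Nov/2017:10:04:00.000000000 +0100] - INFO - NSMMReplicationPlugin - agmt="cn=meToo201.example.org" (o201:389): State: start -> ready_to_acquire_replica
[08/Nov/2017:10:05:30.440678901 +0100] - ERR - NSMMReplicationPlugin - agmt="cn=meTopoolsrv.example.org" (poolsrv:389): Consumer failed to replay change: Operations error (1). Will retry later.
"""

# "[timestamp] - SEVERITY - component - message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<sev>[A-Z]+) - (?P<comp>\S+) - (?P<msg>.*)$")
# Replication messages name their agreement and peer up front.
AGMT_RE = re.compile(r'^agmt="cn=(?P<name>[^"]+)" \((?P<peer>[^)]+)\): (?P<detail>.*)$')


def parse_errors_log(text):
    """Split each line into its fields; attach agreement name/peer when present."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or foreign line: ignored
        rec = m.groupdict()
        am = AGMT_RE.match(rec["msg"])
        rec["agreement"] = am.group("name") if am else None
        rec["peer"] = am.group("peer") if am else None
        rec["detail"] = am.group("detail") if am else rec["msg"]
        records.append(rec)
    return records


def classify(detail):
    """Rough bucket for a replication error (my heuristic, not a 389-ds category):
    'acquire' (consumer refused the supplier), 'bind' (credentials/GSSAPI),
    'replay' (a change could not be applied), else 'other'."""
    d = detail.lower()
    if "acquire replica" in d:
        return "acquire"
    if "bind" in d:
        return "bind"
    if "replay" in d:
        return "replay"
    return "other"


def replication_errors(text):
    """Map each replication agreement to its ERR-level NSMMReplicationPlugin messages."""
    out = defaultdict(list)
    for rec in parse_errors_log(text):
        if rec["comp"] == "NSMMReplicationPlugin" and rec["sev"] == "ERR" and rec["agreement"]:
            out[rec["agreement"]].append(rec["detail"])
    return dict(out)


def summarize(text):
    """Per agreement: error count, the buckets seen, and the last error message."""
    return {
        name: {"errors": len(details),
               "kinds": sorted({classify(d) for d in details}),
               "last": details[-1]}
        for name, details in replication_errors(text).items()
    }


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_ERRORS_LOG).items():
        print("%s: %d error(s) %s" % (name, info["errors"], info["kinds"]))
        print("  last: %s" % info["last"])
```

Run it against the errors log on each server in turn: an agreement that only ever logs on one side of a pair is the same asymmetry the thread describes, and the bucket tells you whether to look at credentials and time sync ('bind'), at the consumer's replication permissions ('acquire'), or at the change itself ('replay').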