[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-14 Thread Umarzuki Mochlis via FreeIPA-users
2018-02-15 4:34 GMT+08:00 Rob Crittenden:

>
> Let me circle back around. So your certs are currently expired and not
> working? I assume then that your IPA master is basically dead, and has
> been for 2 years?
>
> Your best bet would be to stop ntpd, go back in time, restart httpd,
> tomcat and certmonger to kick off renewal again. Watch the syslog for any
> messages from certmonger.
>
> Assuming the certs all get renewed return to current time and run ipactl
> restart.
>
> rob

These are messages after I restarted httpd, tomcat & certmonger

Feb 15 07:15:41 ipa systemd[1]: Stopping Apache Tomcat Web Application
Container...
Feb 15 07:15:41 ipa systemd[1]: tomcat.service: main process exited,
code=exited, status=143/n/a
Feb 15 07:15:41 ipa systemd[1]: Unit tomcat.service entered failed state
Feb 15 07:15:41 ipa systemd[1]: Starting Apache Tomcat Web Application
Container...
Feb 15 07:15:41 ipa systemd[1]: Started Apache Tomcat Web Application Container.
Feb 15 07:15:48 ipa systemd[1]: Stopping Certificate monitoring and
PKI enrollment...
Feb 15 07:15:48 ipa systemd[1]: Starting Certificate monitoring and
PKI enrollment...
Feb 15 07:15:48 ipa systemd[1]: Started Certificate monitoring and PKI
enrollment.
Feb 15 07:15:49 ipa certmonger[21863]: 2015-02-15 07:15:49 [21863]
Server failed request, will retry: 4301 (RPC failed at server.
Certificate operation cannot be completed: Unable to communicate with
CMS (Not Found)).
Feb 15 07:15:49 ipa certmonger[21863]: 2015-02-15 07:15:49 [21863]
Server failed request, will retry: 4301 (RPC failed at server.
Certificate operation cannot be completed: Unable to communicate with
CMS (Not Found)).
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: debugging enabled, suppressing output

2018-02-14 Thread Rob Crittenden via FreeIPA-users
Jim Richard via FreeIPA-users wrote:
> As far as I can tell I have not enabled debugging but when I do an ipactl 
> restart I see:
> 
> 
> [root@sso-109:(NYM) etc]$ ipactl restart
> Stopping pki-tomcatd Service
> Restarting Directory Service
> debugging enabled, suppressing output.
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting httpd Service
> Restarting ipa-custodia Service
> Restarting ntpd Service
> Restarting pki-tomcatd Service
> Restarting ipa-otpd Service
> 
> FreeIPA 4.5 on CentOS 7.4

It looks for nsslapd-errorlog-level > 0.

rob


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote:
> I did figure out that I can use
> 
> # ldapsearch -D 'directory manager' -W -E pr=2 -b
> idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com
> 
> to list out all the entries, but the format isn't what I'm expecting.
> 
> What I'm actually trying to do is move our whole infrastructure from one
> set of old & busted servers to some shiny new VMs. We'd like to extract
> the data and start fresh, as our replication agreements just don't seem
> to be working as expected. Changes to one don't always make it to the
> other and vice versa. While I'd love to dig in and solve that, it's
> easier right now to try to extract the data and reload it into a new
> server, build new replicas, then unbind & re-bind every client to the
> new server using ansible since we also lost our internal CA in the process.
> 
> So while our current configuration is a mess, we can't afford to lose
> all the host/user/dns/hbac data in our servers. Thus, I've been
> capturing the output to text using various ipa *-find commands and have
> parsers to turn those back into new entries on the fresh hosts. DNS is
> the only thing that's holding me up.

I almost wonder if you'd be better off massaging an LDIF to achieve
this. It could be rather horrible but it may be easier in the long-run
and it'd just be one big text file to tweak.

You probably will need to exclude some attributes (createdby,
nsuniqueid, etc) but off the top of my head I think it might be
otherwise straightforward.

rob

> 
> 
> Bret
> 
> 
> On 02/14/2018 06:33 AM, Bret Wortman wrote:
>>
>> Also, this doesn't solve the fact that the Web UI always produces an
>> error dialog whenever accessing our primary zone.
>>
>>
>> On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:
>>>
>>>
>>> On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo wrote:
>>>
>>>
>>> the canonical way to do this is using ldap paging, with
>>> ldapsearch you could try using the -E pr=<n> parameter, where
>>> <n> could be 1000 for instance. That way you know you are always
>>> under the limit imposed by the server.
>>>
>>>
>>> if you use -E pr=1000/noprompt, it will not prompt to continue, nicer
>>> for scripts obviously.
>>>
>>> --
>>> Groeten,
>>> natxo
>>>
>>>
>>
> 
> 
> 
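Pulling the zone out with paging (`ldapsearch -LLL -E pr=1000/noprompt ...`) yields LDIF, and Rob's suggestion is to massage that LDIF for re-import. The following is an added example, not FreeIPA code: a small LDIF filter that unfolds continuation lines, decodes base64 values, drops the server-generated operational attributes and writes the entries back out. The attribute list is an assumed starting point to extend for your deployment; the two records under idnsname=damascusgrp.com are constructed for the example.

```python
"""Strip operational attributes from an exported LDIF so it can be re-added
to a fresh IPA server (added example; not part of FreeIPA or 389-ds)."""
import base64
import sys

# Attributes the server generates itself; importing them is rejected or
# pointless. Assumed starting list: extend it (ipaUniqueID, for instance,
# if you want fresh IDs) for your deployment.
OPERATIONAL_ATTRS = {
    "nsuniqueid", "creatorsname", "modifiersname", "createtimestamp",
    "modifytimestamp", "entryusn", "entrydn", "entryid", "parentid",
    "numsubordinates", "hassubordinates",
}

# Constructed sample of what the paged ldapsearch returns for two records.
SAMPLE_LDIF = """dn: idnsname=host1,idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com
objectClass: top
objectClass: idnsrecord
idnsName: host1
aRecord: 10.0.0.11
nsUniqueId: 3fb2e001-1a2b11e8-9c0fb1f2-2a9d1c3e
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20180213191900Z
modifyTimestamp: 20180213191900Z
entryusn: 4711

dn: idnsname=txt1,idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com
objectClass: top
objectClass: idnsrecord
idnsName: txt1
tXTRecord:: dj1zcGYxIC1hbGw=
nsUniqueId: 3fb2e002-1a2b11e8-9c0fb1f2-2a9d1c3e
entryusn: 4712
"""


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...] in file order.
    Continuation lines (leading space) are unfolded and 'attr:: b64' values
    decoded as RFC 2849 specifies; 'version:' and '#' lines are ignored."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, dn, attrs = [], None, []
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "version":
            continue
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return entries


def strip_operational(entries, drop=OPERATIONAL_ATTRS):
    """Drop attributes whose name (case-insensitive) is in `drop`."""
    return [(dn, [(a, v) for a, v in attrs if a.lower() not in drop])
            for dn, attrs in entries]


def _ldif_line(name, value):
    """Base64-encode values that are not safe as plain LDIF strings, then
    fold at 76 columns with one-space continuation lines."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<")) and "\n" not in value)
    if not safe:
        value = base64.b64encode(value.encode("utf-8")).decode("ascii")
        name += ":"
    line = f"{name}: {value}"
    chunks = [line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)]
    return "\n".join(chunks)


def to_ldif(entries):
    out = []
    for dn, attrs in entries:
        out.append(_ldif_line("dn", dn))
        out.extend(_ldif_line(a, v) for a, v in attrs)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    sys.stdout.write(to_ldif(strip_operational(parse_ldif(src))))
```

Feed it the paged export and hand the result to ldapadd on the new server (`ldapadd -D 'cn=directory manager' -W -f zone-clean.ldif`). You will likely want to create the zone itself with `ipa dnszone-add` on the fresh server and import only the record entries beneath it, so that the zone-level settings come from the new installation.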


[Freeipa-users] Re: Exclude only one command on SUDO ?

2018-02-14 Thread Rob Crittenden via FreeIPA-users
Jim Ntosas via FreeIPA-users wrote:
> Hello team!
> 
> I wanted to ask if there is any way to exclude only one sudo command
> and allow all the others.
> 
> For example, I want to exclude "passwd" command but allow all the others
> without needing to write each of them one by one.

This is more a sudo question than an IPA question but it is not
recommended to even try this.

See the SECURITY NOTES section in sudoers(5).

rob
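As an added illustration of the sudoers(5) warning Rob points to (not from this thread or the sudo project), here is the "everything but passwd" rule beside an allow-list that does not rely on subtracting from ALL. The user name and the command alias are assumptions. In IPA the same construct appears as a sudo rule with command category "all" plus a deny command (`ipa sudorule-add-deny-command`), and the warning applies unchanged, because IPA only delivers the rule to sudo.

```sudoers
# Weak: "everything except passwd". sudoers(5) SECURITY NOTES explain why
# subtracting a command from ALL with '!' does not hold: the user copies
# the binary and runs the copy (cp /usr/bin/passwd /tmp/pw; sudo /tmp/pw),
# or reaches it through any shell or editor that ALL still permits.
jim  ALL = (root) ALL, !/usr/bin/passwd

# Robust: an allow-list of what jim actually needs. '!' is only used to
# narrow the arguments of a command that is itself allowed.
Cmnd_Alias  SERVICES = /usr/bin/systemctl restart httpd, /usr/bin/journalctl
jim  ALL = (root) SERVICES, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
```

Argument matching has pitfalls of its own: sudo matches the command line as a single space-separated string, so a wildcard can span more than one argument. Read the wildcard and SECURITY NOTES sections of sudoers(5) before relying on a pattern like the passwd one above, and validate the file with `visudo -c`.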


[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-14 Thread Rob Crittenden via FreeIPA-users
Umarzuki Mochlis wrote:
> 2018-02-14 4:55 GMT+08:00 Rob Crittenden:
>> Umarzuki Mochlis wrote:
>>> 2018-02-13 22:59 GMT+08:00 Rob Crittenden:
 Umarzuki Mochlis via FreeIPA-users wrote:
> it stuck with "status: SUBMITTING" when I issue command "ipa-getcert
> list" after I resubmit cert renew "get-cert resubmit -i ID"

 Which request is stuck? Can you provide the output of ipa-getcert list
 -i ID?

 rob
>>>
>>> these request still 'submitting' since service started. I resubmit
>>> them one or two years ago.
>>
>> The certs are certainly very expired at this point. Do these exist in
>> reality anymore?
>>
>> # certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM
>> # certutil -L -d /etc/httpd/alias
>> # grep NSSNickname /etc/httpd/conf.d/nss.conf
>>
>> rob
>>
> 
> yes
> 
> [root@ipa ~]# certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM
> 
> Certificate Nickname                         Trust Attributes
>                                              SSL,S/MIME,JAR/XPI
> 
> Server-Cert                                  u,u,u
> DOMAIN.COM IPA CA                            CT,,C
> [root@ipa ~]# certutil -L -d /etc/httpd/alias
> 
> Certificate Nickname                         Trust Attributes
>                                              SSL,S/MIME,JAR/XPI
> 
> Signing-Cert                                 u,u,u
> DOMAIN.COM IPA CA                            CT,C,C
> ipaCert                                      u,u,u
> Server-Cert                                  u,u,u
> [root@ipa ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> NSSNickname Server-Cert
> 

Let me circle back around. So your certs are currently expired and not
working? I assume then that your IPA master is basically dead, and has
been for 2 years?

Your best bet would be to stop ntpd, go back in time, restart httpd,
tomcat and certmonger to kick off renewal again. Watch the syslog for any
messages from certmonger.

Assuming the certs all get renewed return to current time and run ipactl
restart.

rob
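A helper for the procedure Rob describes: before winding the clock back, find out which tracked certificates are expired or stuck and how far back to go. This is an added example, not FreeIPA or certmonger code. It parses the text that `getcert list` prints (field labels as certmonger emits them) and runs here on a constructed sample, not on the output posted in this thread. Aiming one day before the earliest expiry is an assumption: certmonger only renews a certificate once it is inside its renewal window, so with widely spread expiry dates you may have to move the clock forward in stages and watch the syslog after each step.

```python
"""Find expired or stuck certmonger requests in `getcert list` output and
suggest a clock date at which every tracked certificate was still valid.
Added example; not certmonger or FreeIPA code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `getcert list` output (not the output from
# this thread): one request stuck in SUBMITTING and two in MONITORING.
SAMPLE_GETCERT_LIST = """Number of certificates and requests being tracked: 3.
Request ID '20160101120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=DOMAIN.COM
\tsubject: CN=ipa.domain.com,O=DOMAIN.COM
\texpires: 2016-03-01 00:00:00 UTC
\tauto-renew: yes
Request ID '20160101120001':
\tstatus: SUBMITTING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=DOMAIN.COM
\tsubject: CN=IPA RA,O=DOMAIN.COM
\texpires: 2016-02-20 08:30:00 UTC
\tauto-renew: yes
Request ID '20160101120002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=DOMAIN.COM
\tsubject: CN=ipa.domain.com,O=DOMAIN.COM
\texpires: 2019-01-01 00:00:00 UTC
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s+([^:]+): (.*)$")   # indented "label: value" lines
HEALTHY_STATUSES = {"MONITORING"}              # anything else needs a look


def parse_getcert_list(text):
    """One dict per 'Request ID' block, keyed by the labels certmonger prints
    (status, stuck, expires, key pair storage, ...), plus 'id'."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return requests


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def classify(requests, now):
    """Return (ids of expired certs, [(id, status)] not in a healthy state)."""
    expired, unhealthy = [], []
    for r in requests:
        if "expires" in r and parse_expiry(r["expires"]) <= now:
            expired.append(r["id"])
        if r.get("status") not in HEALTHY_STATUSES:
            unhealthy.append((r["id"], r.get("status")))
    return expired, unhealthy


def suggested_clock(requests, margin=timedelta(days=1)):
    """Earliest expiry among tracked certs minus a margin (assumed one day):
    at that date every tracked cert is still valid and the earliest one is
    due for renewal, which is what the clock-rollback trick relies on."""
    expiries = [parse_expiry(r["expires"]) for r in requests if "expires" in r]
    if not expiries:
        return None
    return min(expiries) - margin


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    expired, unhealthy = classify(reqs, datetime.now(timezone.utc))
    print("expired:", expired)
    print("not monitoring:", unhealthy)
    print("try setting the clock to:", suggested_clock(reqs))
```

On a real server replace the sample with `getcert list` output (`python3 check_certs.py < <(getcert list)` after adapting `__main__` to read stdin), stop ntpd, set the date with `date -s`, restart the services Rob lists and follow the syslog for certmonger messages before returning to the current time.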


[Freeipa-users] Re: IPA-Server Deletion issues

2018-02-14 Thread Jamal Mahmoud via FreeIPA-users
Perfect! Thanks for all the help Rob!

Jamal

On Wed 14 Feb 2018 at 19:08, Rob Crittenden  wrote:

> Jamal Mahmoud wrote:
> > Thank you Thierry for your help!
> >
> > I just deleted all the entries and hey presto! Oxygen is no longer
> > lingering around. Except that in my defaultServerList entry, oxygen is
> > still there, i have a feeling that is affecting something somewhere, or
> > will in the future. Would anyone know how to fix this?
> > after running:
> >
> > ldapsearch -LLL -D "cn=directory manager" -W -b "dc=eggvfx,dc=ie"
> > "(objectclass=*)" | grep oxygen
> >
> > The output is:
> > defaultServerList: oxygen.eggvfx.ie nitrogen.eggvfx.ie lithium.eggvfx.ie
>
> You can use ldapmodify to drop the oxygen entry.
>
> defaultServerList is used for some kinds of discovery (DUA profiles).
>
> rob
>
> >
> > Thanks again for your help!
> > Jamal
> >
> > 
> >
> >
> >
> > *Jamal Mahmoud* / Pipeline TD
> > jamal.mahm...@egg.ie 
> >
> > 35 Fitzwilliam Street Upper, Dublin.
> > P: +353 1 6345440
> >
> >
> >
> > On 14 February 2018 at 16:20, thierry bordaz wrote:
> >
> > I think it is okay to do the delete.
> > topology plugin is a reader of master container and should take into
> > account those changes. Now it may require a restart.
> >
> > Just for your information I will be out of the office tonight being
> > back Feb 23rd
> >
> > best regards
> > thierry
> >
> > On 02/14/2018 04:25 PM, Jamal Mahmoud wrote:
> >> Would it hurt to try running those ldapdelete commands? or would
> >> that make it worse?
> >>
> >> Thanks for your help Thierry,
> >>
> >> 
> >>
> >>
> >>
> >> *Jamal Mahmoud* / Pipeline TD
> >> jamal.mahm...@egg.ie 
> >>
> >> 35 Fitzwilliam Street Upper, Dublin.
> >> P: +353 1 6345440 
> >>
> >>
> >>
> >>
> >>
> >>
> >> On 14 February 2018 at 14:56, thierry bordaz wrote:
> >>
> >> Hummm... to be honest I have not the skill of support guys to
> >> get rid of conflicts in IPA :(
> >>
> >> Removing the conflicts entries under 'masters' should relax
> >> topology plugin to accept deletion of the segments.
> >> You may ping again freeipa-users to get more advice how to
> >> repair a topology with conflicts entries.
> >>
> >> We know that we have a former server that is a conflict entry
> >> under 'master'.
> >> Also that it exists segments to that server, likely because
> >> topology plugin hit the same issues as other IPA CLIs.
> >>
> >> On 02/14/2018 03:43 PM, Jamal Mahmoud wrote:
> >>> Haha! I almost went ahead and ran those deletes without
> >>> thinking! Sick of oxygen at this point!
> >>> Okay so I grepped oxygen from that output file and if i'm not
> >>> mistaken there are references to it in the topology.
> >>>
> >>> dn: cn=nitrogen.eggvfx.ie-to-oxygen.eggvfx.ie
> >>>  >,cn=domain,cn=topology,cn=ipa,cn=
> >>> cn: nitrogen.eggvfx.ie-to-oxygen.eggvfx.ie
> >>> 
> >>> ipaReplTopoSegmentRightNode: oxygen.eggvfx.ie
> >>> 
> >>> dn: cn=nitrogen.eggvfx.ie-to-oxygen.eggvfx.ie
> >>>  >,cn=ca,cn=topology,cn=ipa,cn=etc,
> >>> cn: nitrogen.eggvfx.ie-to-oxygen.eggvfx.ie
> >>> 
> >>> ipaReplTopoSegmentRightNode: oxygen.eggvfx.ie
> >>> 
> >>> dn: cn=oxygen.eggvfx.ie
> >>>  >+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=mast
> >>> cn: oxygen.eggvfx.ie 
> >>>
> >>>
> >>> I see that some of the lines have been truncated but you can
> >>> see the start of some lines point to segment nodes with
> >>> Nitrogen, is it okay still to run this ldapdelete?
> >>>
> >>>
> >>> 
> >>>
> >>>
> >>>
> >>> *Jamal Mahmoud* / Pipeline TD
> >>> jamal.mahm...@egg.ie 
> >>>
> >>> 35 Fitzwilliam Street 
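The ldapmodify Rob refers to, written out as an added example (not from the thread). defaultServerList in the DUA profile is a single space-separated value, so the whole value is replaced rather than one host deleted. The DN cn=default,ou=profile,dc=eggvfx,dc=ie is where FreeIPA normally keeps that profile and is an assumption here; confirm it first with `ldapsearch -LLL -D "cn=directory manager" -W -b "dc=eggvfx,dc=ie" "(defaultServerList=*)" dn`.

```ldif
dn: cn=default,ou=profile,dc=eggvfx,dc=ie
changetype: modify
replace: defaultServerList
defaultServerList: nitrogen.eggvfx.ie lithium.eggvfx.ie
```

Apply it with `ldapmodify -D "cn=directory manager" -W -f drop-oxygen.ldif` and re-run the grep from the thread; clients that discover servers through the DUA profile will stop trying the removed host on their next lookup.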

[Freeipa-users] Re: mkhomedir option doesn't works

2018-02-14 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles via FreeIPA-users wrote:
> Is there a ticket for this to watch?

I don't see one. Feel free to file it.

rob

> 
> On Wed, Feb 14, 2018 at 5:27 PM, Alexander Bokovoy via FreeIPA-users
>  > wrote:
> 
> On ke, 14 helmi 2018, Felipe_G0NZÁLEZ_SANTIAG0 via FreeIPA-users wrote:
> 
> I have a Freeipa server version 4.3.1 on Ubuntu 16.04. Then I
> installed freeipa-client, and run
> # ipa-client-install --mkhomedir
> 
> However, when I try to log in on a freeipa client machine it fails.
> I supposed it was because the home directories have not been
> created.
> So, I configured PAM modules manually by editing the
> /etc/pam.d/common-session and adding this line:
> session required pam_mkhomedir.so
> 
> and then the login process works perfectly!
> 
> Any idea why the --mkhomedir option is not working well here?
> 
> Debian platform does basically nothing to provide support for adding
> pam_mkhomedir in ipaplatform/debian/tasks.py:
> 
> class DebianTaskNamespace(RedHatTaskNamespace):
> 
>     @staticmethod
>     def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):
>         # Debian doesn't use authconfig, this is handled by pam-auth-update
>         return True
> 
> But nothing calls pam-auth-update from within IPA client installer.
> 
> Someone needs to develop these methods further, to allow actual
> configuration to be changed.
> 
> 
> 
> -- 
> / Alexander Bokovoy
> 
> 
> 
> 
> 
> -- 
>    ___
>  {~._.~}
>   ( Y )
>  ()~*~()  mail: alex at corcoles dot net
>  (_)-(_)  http://alex.corcoles.net/
> 
> 
> 


[Freeipa-users] Re: mkhomedir option doesn't works

2018-02-14 Thread Alex Corcoles via FreeIPA-users
Is there a ticket for this to watch?

On Wed, Feb 14, 2018 at 5:27 PM, Alexander Bokovoy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On ke, 14 helmi 2018, Felipe_G0NZÁLEZ_SANTIAG0 via FreeIPA-users wrote:
>
>> I have a Freeipa server version 4.3.1 on Ubuntu 16.04. Then I installed
>> freeipa-client, and run
>> # ipa-client-install --mkhomedir
>>
>> However, when I try to log in on a freeipa client machine it fails.
>> I supposed it was because the home directories have not been created.
>> So, I configured PAM modules manually by editing the
>> /etc/pam.d/common-session and adding this line:
>> session required pam_mkhomedir.so
>>
>> and then the login process works perfectly!
>>
>> Any idea why the --mkhomedir option is not working well here?
>>
> Debian platform does basically nothing to provide support for adding
> pam_mkhomedir in ipaplatform/debian/tasks.py:
>
> class DebianTaskNamespace(RedHatTaskNamespace):
>
>     @staticmethod
>     def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):
>         # Debian doesn't use authconfig, this is handled by pam-auth-update
>         return True
>
> But nothing calls pam-auth-update from within IPA client installer.
>
> Someone needs to develop these methods further, to allow actual
> configuration to be changed.
>
>
>
> --
> / Alexander Bokovoy
>



-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] Re: user/admin

2018-02-14 Thread Charles Hedrick via FreeIPA-users
I have two identities, one a normal user and one with privileges in IPA. The 
normal Kerberos convention is for them to be hedrick and hedrick/admin.

> On Feb 13, 2018, at 5:03 PM, Rob Crittenden  wrote:
> 
> Charles Hedrick via FreeIPA-users wrote:
>> There’s a convention of creating admin instances for users, usually named 
>> user/admin. IPA doesn’t seem to allow such instances. Is there a way to make 
>> them work? 
>> 
>> As far as I can tell the instance can only be a hostname. That doesn’t seem 
>> like a sensible restriction.
> 
> To be used for what purpose?
> 
> rob



[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users

On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote:

On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote:

I did figure out that I can use

# ldapsearch -D 'directory manager' -W -E pr=2 -b 
idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com


to list out all the entries, but the format isn't what I'm expecting.

What I'm actually trying to do is move our whole infrastructure from 
one set of old & busted servers to some shiny new VMs. We'd like to 
extract the data and start fresh, as our replication agreements just 
don't seem to be working as expected. Changes to one don't always 
make it to the other and vice versa. While I'd love to dig in and 
solve that, it's easier right now to try to extract the data and 
reload it into a new server, build new replicas, then unbind & 
re-bind every client to the new server using ansible since we also 
lost our internal CA in the process.


So while our current configuration is a mess, we can't afford to lose 
all the host/user/dns/hbac data in our servers. Thus, I've been 
capturing the output to text using various ipa *-find commands and 
have parsers to turn those back into new entries on the fresh hosts. 
DNS is the only thing that's holding me up.



Bret


On 02/14/2018 06:33 AM, Bret Wortman wrote:


Also, this doesn't solve the fact that the Web UI always produces an 
error dialog whenever accessing our primary zone.



On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo wrote:



    the canonical way to do this is using ldap paging, with
    ldapsearch you could try using the -E pr=<n> parameter, where
    <n> could be 1000 for instance. That way you know you are always
    under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to continue, 
nicer for scripts obviously.


--
Groeten,
natxo











Hi Bret,

the search limits can be set at multiple levels:
- for the whole 389-ds server
nsslapd-sizelimit (in cn=config)
nsslapd-lookthroughlimit (in cn=config,cn=ldbm 
database,cn=plugins,cn=config)


- for operations performed through ipa * commands (or the webGUI):
ipaSearchRecordsLimit (in cn=ipaConfig,cn=etc,$BASEDN)

- for each user:
nssizelimit and nsLookThroughLimit attributes (in 
uid=$USER,cn=users,cn=accounts,$BASEDN)


You are probably hitting one of these limits in your ipa *-find command.

HTH,
Flo



So I found almost all of these:

# ldapsearch -D 'cn=directory manager' -W -b 'cn=config' cn=config | 
grep nsslapd-sizelimit

nsslapd-sizelimit: 2000

# ldapsearch -D 'cn=directory manager' -W -b 'cn=config,cn=ldbm 
database,cn=plugins,cn=config' | grep lookthroughlimit

nsslapd-lookthroughlimit: 10

# ldapsearch -D 'cn=directory manager' -W -b 
'cn=ipaConfig,cn=etc,dc=damascusgrp,dc=com' | grep ipaSearchRecordsLimit

ipaSearchRecordsLimit: 9

# ldapsearch -D 'cn=directory manager' -W -b 
'uid=admin,cn=users,cn=accounts,dc=damascusgrp,dc=com' | grep -i limit

(returns data but nothing matches)

The first doesn't seem to be something I can change. It's stuck at 2000, 
but since my issue occurs at 5000, I'm not worried about it. I believe 
that I'm missing something in the fourth search that might point me 
toward the attributes you mentioned but I'm not sure where.




[Freeipa-users] Re: mkhomedir option doesn't works

2018-02-14 Thread Alexander Bokovoy via FreeIPA-users

On ke, 14 helmi 2018, Felipe_G0NZÁLEZ_SANTIAG0 via FreeIPA-users wrote:

I have a Freeipa server version 4.3.1 on Ubuntu 16.04. Then I installed 
freeipa-client, and run
# ipa-client-install --mkhomedir

However, when I try to log in on a freeipa client machine it fails.
I supposed it was because the home directories have not been created.
So, I configured PAM modules manually by editing the /etc/pam.d/common-session 
and adding this line:
session required pam_mkhomedir.so

and then the login process works perfectly!

Any idea why the --mkhomedir option is not working well here?

Debian platform does basically nothing to provide support for adding
pam_mkhomedir in ipaplatform/debian/tasks.py:

class DebianTaskNamespace(RedHatTaskNamespace):

    @staticmethod
    def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):
        # Debian doesn't use authconfig, this is handled by pam-auth-update
        return True

But nothing calls pam-auth-update from within IPA client installer.

Someone needs to develop these methods further, to allow actual
configuration to be changed.



--
/ Alexander Bokovoy
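What the Debian task stub would have to do to honour --mkhomedir, together with a check that the PAM session stack actually received pam_mkhomedir. This is an added example, not FreeIPA's ipaplatform code: it keeps the stub's signature but enables the Debian "mkhomedir" PAM profile through pam-auth-update, the mechanism the stub's own comment names. The profile name, the use of a plain dict as the state store and the sample common-session file are assumptions.

```python
"""Enable pam_mkhomedir the Debian way and verify the result.
Added example; not FreeIPA's ipaplatform/debian/tasks.py."""
import re
import subprocess

# Constructed /etc/pam.d/common-session as ipa-client-install leaves it on
# Ubuntu 16.04 in the thread: pam_sss present, no pam_mkhomedir.
SAMPLE_COMMON_SESSION = """# /etc/pam.d/common-session - session-related modules common to all services
session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session optional      pam_umask.so
session required      pam_unix.so
session optional      pam_sss.so
session optional      pam_systemd.so
"""

# "session <control> <module> [args]"; comment lines never match.
SESSION_LINE = re.compile(r"^\s*session\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def session_has_mkhomedir(pam_text):
    """True when an active session line loads pam_mkhomedir.so."""
    for line in pam_text.splitlines():
        m = SESSION_LINE.match(line)
        if m and m.group(2) == "pam_mkhomedir.so":
            return True
    return False


def pam_auth_update_command(enable_mkhomedir):
    """Debian adds modules to the common-* stacks through pam-auth-update
    profiles; '--package' makes it non-interactive. Profile name assumed."""
    if not enable_mkhomedir:
        return None
    return ["pam-auth-update", "--package", "--enable", "mkhomedir"]


def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore, runner=subprocess.run):
    """Same signature as the Debian stub quoted above, but applies the change.
    `runner` is injectable so the function can be exercised without root."""
    cmd = pam_auth_update_command(mkhomedir)
    if cmd is None:
        return True
    result = runner(cmd, check=False)
    ok = result.returncode == 0
    if ok and statestore is not None:
        # Remember what we changed so an uninstall can undo it (dict assumed).
        statestore["mkhomedir"] = True
    return ok


if __name__ == "__main__":
    with open("/etc/pam.d/common-session") as f:
        present = session_has_mkhomedir(f.read())
    print("pam_mkhomedir active in common-session:", present)
```

After `ipa-client-install --mkhomedir` on a Debian-family client, running the check is the quick way to tell whether the installer did anything; if it reports False, `pam-auth-update --enable mkhomedir` (or the manual common-session edit from the thread) is what the stub left out.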


[Freeipa-users] mkhomedir option doesn't works

2018-02-14 Thread Felipe_G0NZÁLEZ_SANTIAG0 via FreeIPA-users
I have a Freeipa server version 4.3.1 on Ubuntu 16.04. Then I installed 
freeipa-client, and run 
# ipa-client-install --mkhomedir 

However, when I try to log in on a freeipa client machine it fails. 
I supposed it was because the home directories have not been created. 
So, I configured PAM modules manually by editing the /etc/pam.d/common-session 
and adding this line: 
session required pam_mkhomedir.so 

and then the login process works perfectly! 

Any idea why the --mkhomedir option is not working well here? 

Thanks in advance! 

The @universidad_uci is Fidel: 15 years connected to the future... connected to the
Revolution, 2002-2017


[Freeipa-users] Re: Trusted AD users can no longer authenticate via SSH

2018-02-14 Thread Alexandre Pitre via FreeIPA-users
Thanks Alexander that was it.

On Wed, Feb 14, 2018 at 6:06 AM, Alexander Bokovoy 
wrote:

> On ke, 14 helmi 2018, Alexandre Pitre via FreeIPA-users wrote:
>
>> Earlier this week, users reported they could no longer ssh to freeipa
>> joined servers using their AD login. After some investigation, it was
>> discovered if krb5_validate was set to false in the sssd.conf, AD ssh
>> login
>> would start working again.
>>
>> One of our IPA server is showing these errors in /var/log/messages:
>>
>> Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558
>> +]
>> - ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]:
>> slapi_access_allowed does not allow READ to ipaProtectedOperation;read_key
>> s!
>> Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278
>> +]
>> - ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed
>> to retrieve keytab on [IPA$@DOMAIN.COM] as user [fqdn=
>> ipaserver.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=
>> domain,dc=com]!
>> Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient
>> access
>> rights
>> Feb 13 20:53:28 ipaserver sssd: Failed to get keytab
>>
>> I could paste the debug logs from sssd but I'm pretty sure that error
>> in /var/log/messages is the root cause preventing AD ssh login. I did some
>> research and couldn't find anything revelant.
>>
>> Any ideas how to fix this ?
>>
> It looks like ipaserver.ipa.domain.com is not a trust agent. Remember
> that only trust agents and trust controllers can retrieve trusted domain
> object credentials to communicate to AD DCs.
>
> --
> / Alexander Bokovoy
>



-- 
Alexandre Pitre
alexandre.pi...@gmail.com
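A detection for the failure mode Alexander diagnoses: an IPA server that is not a trust agent asks for the trusted domain object keytab and ns-slapd refuses with "Not allowed to retrieve keytab". The example below is added here and is not FreeIPA code; the log lines are constructed after the ones posted above (with one extra, ordinary host keytab denial so the filter has something to ignore), and the trust-agent list is something you would take from `ipa server-role-find --role "AD trust agent"`. Treating a principal whose name ends in "$" as a trusted domain object account is an assumption based on the IPA$@DOMAIN.COM line in the thread.

```python
"""Flag IPA servers that are denied a trusted-domain-object keytab because
they do not hold the trust agent role. Added example, not FreeIPA code."""
import re

# Constructed after the /var/log/messages lines in the thread.
SAMPLE_MESSAGES = """Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558 +0000] - ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]: slapi_access_allowed does not allow READ to ipaProtectedOperation;read_keys!
Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278 +0000] - ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed to retrieve keytab on [IPA$@DOMAIN.COM] as user [fqdn=ipaserver.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=domain,dc=com]!
Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient access rights
Feb 13 20:53:28 ipaserver sssd: Failed to get keytab
Feb 13 20:55:01 ipaserver ns-slapd: [13/Feb/2018:20:55:01.000000000 +0000] - ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed to retrieve keytab on [host/web01.ipa.domain.com@IPA.DOMAIN.COM] as user [fqdn=web01.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=domain,dc=com]!
"""

# Captures the principal whose keytab was requested and the FQDN of the
# host account that asked for it.
KEYTAB_DENIED = re.compile(
    r"ipapwd_getkeytab .*Not allowed to retrieve keytab on \[([^\]]+)\]"
    r" as user \[fqdn=([^,\]]+),"
)


def find_keytab_denials(log_text):
    """Return (principal, requesting_host) for every denied keytab fetch."""
    hits = []
    for line in log_text.splitlines():
        m = KEYTAB_DENIED.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def is_tdo_principal(principal):
    """Trusted domain object accounts look like NETBIOS$@REALM (assumption
    drawn from the IPA$@DOMAIN.COM line in the thread)."""
    name, _, realm = principal.partition("@")
    return name.endswith("$") and bool(realm)


def hosts_missing_trust_agent_role(log_text, trust_agents):
    """Hosts denied a TDO keytab that are not in the trust-agent set.
    Only trust agents and trust controllers may read TDO credentials, so
    each of these needs the role (ipa-adtrust-install --add-agents)."""
    missing = set()
    for principal, host in find_keytab_denials(log_text):
        if is_tdo_principal(principal) and host not in trust_agents:
            missing.add(host)
    return sorted(missing)


if __name__ == "__main__":
    agents = {"ipa2.ipa.domain.com"}          # assumed output of server-role-find
    for host in hosts_missing_trust_agent_role(SAMPLE_MESSAGES, agents):
        print(f"{host}: denied TDO keytab and not a trust agent")
```

The second, ordinary host-principal denial in the sample is deliberately left out of the result: a host being refused its own keytab is a different problem and should not be "fixed" by handing out the trust agent role.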


[Freeipa-users] Exclude only one command on SUDO ?

2018-02-14 Thread Jim Ntosas via FreeIPA-users
Hello team!

I wanted to ask if there is any way to exclude only one sudo command and
allow all the others.

For example, I want to exclude "passwd" command but allow all the others
without needing to write each of them one by one.

Thank you in advance for your time

Jim


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Florence Blanc-Renaud via FreeIPA-users

On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote:

I did figure out that I can use

# ldapsearch -D 'directory manager' -W -E pr=2 -b 
idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com


to list out all the entries, but the format isn't what I'm expecting.

What I'm actually trying to do is move our whole infrastructure from one 
set of old & busted servers to some shiny new VMs. We'd like to extract 
the data and start fresh, as our replication agreements just don't seem 
to be working as expected. Changes to one don't always make it to the 
other and vice versa. While I'd love to dig in and solve that, it's 
easier right now to try to extract the data and reload it into a new 
server, build new replicas, then unbind & re-bind every client to the 
new server using ansible since we also lost our internal CA in the process.


So while our current configuration is a mess, we can't afford to lose 
all the host/user/dns/hbac data in our servers. Thus, I've been 
capturing the output to text using various ipa *-find commands and have 
parsers to turn those back into new entries on the fresh hosts. DNS is 
the only thing that's holding me up.



Bret


On 02/14/2018 06:33 AM, Bret Wortman wrote:


Also, this doesn't solve the fact that the Web UI always produces an 
error dialog whenever accessing our primary zone.



On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo wrote:



the canonical way to do this is using ldap paging, with
ldapsearch you could try using the -E pr=<n> parameter, where
<n> could be 1000 for instance. That way you know you are always
under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to continue, nicer 
for scripts obviously.


--
Groeten,
natxo










Hi Bret,

the search limits can be set at multiple levels:
- for the whole 389-ds server
nsslapd-sizelimit (in cn=config)
nsslapd-lookthroughlimit (in cn=config,cn=ldbm 
database,cn=plugins,cn=config)


- for operations performed through ipa * commands (or the webGUI):
ipaSearchRecordsLimit (in cn=ipaConfig,cn=etc,$BASEDN)

- for each user:
nssizelimit and nsLookThroughLimit attributes (in 
uid=$USER,cn=users,cn=accounts,$BASEDN)


You are probably hitting one of these limits in your ipa *-find command.

HTH,
Flo


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users

I did figure out that I can use

# ldapsearch -D 'directory manager' -W -E pr=2 -b 
idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com


to list out all the entries, but the format isn't what I'm expecting.

What I'm actually trying to do is move our whole infrastructure from one 
set of old & busted servers to some shiny new VMs. We'd like to extract 
the data and start fresh, as our replication agreements just don't seem 
to be working as expected. Changes to one don't always make it to the 
other and vice versa. While I'd love to dig in and solve that, it's 
easier right now to try to extract the data and reload it into a new 
server, build new replicas, then unbind & re-bind every client to the 
new server using ansible since we also lost our internal CA in the process.


So while our current configuration is a mess, we can't afford to lose 
all the host/user/dns/hbac data in our servers. Thus, I've been 
capturing the output to text using various ipa *-find commands and have 
parsers to turn those back into new entries on the fresh hosts. DNS is 
the only thing that's holding me up.



Bret


On 02/14/2018 06:33 AM, Bret Wortman wrote:


Also, this doesn't solve the fact that the Web UI always produces an 
error dialog whenever accessing our primary zone.



On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo wrote:



the canonical way to do this is using ldap paging, with
ldapsearch you could try using the -E pr=<n> parameter, where
<n> could be 1000 for instance. That way you know you are always
under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to continue, nicer 
for scripts obviously.


--
Groeten,
natxo








[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
Also, this doesn't solve the fact that the Web UI always produces an 
error dialog whenever accessing our primary zone.



On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo wrote:



the canonical way to do this is using ldap paging, with
ldapsearch you could try using the -E pr=<n> parameter, where
<n> could be 1000 for instance. That way you know you are always
under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to continue, nicer 
for scripts obviously.


--
Groeten,
natxo






[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users

I pulled up our dse.ldif and we've got:

nsslapd-sizelimit: 9

and

nsslapd-lookthroughlimit: 9
nsslapd-idlistscanlimit: 9

So I'm still not sure why I'm being limited to 5000 in my query 
response. In fact, the number 5000 doesn't exist in dse.ldif at all.


BTW, I misspoke in my original post -- "searchlimit" should read, 
"sizelimit".



Bret

On 02/13/2018 01:09 PM, Rob Crittenden wrote:

Bret Wortman via FreeIPA-users wrote:

I've run up against a limit I can't seem to adjust.

When listing a particular DNS zone which has well over 5000 hosts in it,
we keep getting "Search result has been truncated: Configured
administrative server limit exceeded."

I've tried fixing this in a number of ways. We've shut down the
services, edited dse.ldif to raise nsslapd-searchlimit to 9 and
restarted, but:

#ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep
nsslapd-sizelimit
snsslapd-sizelimit: 2000

What do I need to do to be able to list all my DNS entries for this
zone? This 5000 limit is enforced through the CLI as well, as "ipa
dnsrecord-find damascusgrp.com --sizelimit=9" will only return 5000
entries. I know it's taxing and intensive, but I need to be able to
query the WHOLE set of records we have without this restriction.

How can I get around this?

Have you looked at
http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

rob



[Freeipa-users] Re: Trusted AD users can no longer authenticate via SSH

2018-02-14 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 14 Feb 2018, Alexandre Pitre via FreeIPA-users wrote:

Earlier this week, users reported they could no longer ssh to freeipa
joined servers using their AD login. After some investigation, it was
discovered if krb5_validate was set to false in the sssd.conf, AD ssh login
would start working again.

One of our IPA servers is showing these errors in /var/log/messages:

Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558 +]
- ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]:
slapi_access_allowed does not allow READ to ipaProtectedOperation;read_keys!
Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278 +]
- ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed
to retrieve keytab on [IPA$@DOMAIN.COM] as user [fqdn=
ipaserver.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=domain,dc=com]!
Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient access
rights
Feb 13 20:53:28 ipaserver sssd: Failed to get keytab

I could paste the debug logs from sssd but I'm pretty sure that error
in /var/log/messages is the root cause preventing AD ssh login. I did some
research and couldn't find anything relevant.

Any ideas how to fix this?

It looks like ipaserver.ipa.domain.com is not a trust agent. Remember
that only trust agents and trust controllers can retrieve trusted domain
object credentials to communicate to AD DCs.

--
/ Alexander Bokovoy


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
Thanks. Is it possible to list the DNS entries using ldapsearch? I've 
been using:


# ipa dnsrecord-find --all


On 02/13/2018 02:13 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 3:33 PM, Bret Wortman via FreeIPA-users wrote:


I've run up against a limit I can't seem to adjust.

When listing a particular DNS zone which has well over 5000 hosts
in it, we keep getting "Search result has been truncated:
Configured administrative server limit exceeded."

I've tried fixing this in a number of ways. We've shut down the
services, edited dse.ldif to raise nsslapd-searchlimit to 9
and restarted, but:


the canonical way to do this is using ldap paging, with ldapsearch  
you could try using the -E pr= parameter, where  could be 1000 
for instance. That way you know you are always under the limit imposed 
by the server.


If you set pr= to higher than 5000 then it should give all the 
results in one go.



--
Groeten,
natxo


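What `-E pr=` makes ldapsearch send is the RFC 2696 "simple paged results" control, which is the mechanism Natxo recommends here and in his follow-up earlier on the page. As an added example (not code from the thread, from FreeIPA or from 389-ds), the following encodes and decodes that control value by hand and drives the cookie round trip; the "server" is a constructed in-memory result set that uses the entry offset as its opaque cookie, standing in for a directory that caps the entries it returns per request.

```python
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # controlType of RFC 2696 paged results

def _ber_len(n):  # BER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_int(n):  # minimal two's-complement INTEGER for a non-negative value
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return b"\x02" + _ber_len(len(body)) + body

def encode_paged_control(size, cookie=b""):
    # realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
    content = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(content)) + content

def _read_tlv(buf, pos, tag):  # one tag/length/value; returns (value, next offset)
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return buf[pos:pos + length], pos + length

def decode_paged_control(value):  # inverse of encode_paged_control, strict
    seq, end = _read_tlv(value, 0, 0x30)
    size_raw, pos = _read_tlv(seq, 0, 0x02)
    cookie, pos2 = _read_tlv(seq, pos, 0x04)
    if end != len(value) or pos2 != len(seq):
        raise ValueError("trailing bytes in paged results control")
    return int.from_bytes(size_raw, "big", signed=True), bytes(cookie)

def make_fake_server(entries, max_page):
    # Constructed stand-in for the directory (not a real LDAP server): returns at
    # most max_page entries per request and uses the next offset as its cookie.
    def search(control_value):
        size, cookie = decode_paged_control(control_value)
        start = int.from_bytes(cookie, "big") if cookie else 0
        page = entries[start:start + min(size, max_page)]
        nxt = start + len(page)
        return page, encode_paged_control(0, nxt.to_bytes(4, "big") if nxt < len(entries) else b"")
    return search

def page_through(search, page_size):
    # Client loop: search(control_value) -> (entries, response control value);
    # re-send the server's cookie until it comes back empty. Returns (entries, round trips).
    cookie, results, rounds = b"", [], 0
    while True:
        entries, response = search(encode_paged_control(page_size, cookie))
        results.extend(entries)
        rounds += 1
        _, cookie = decode_paged_control(response)
        if not cookie:
            return results, rounds
```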


[Freeipa-users] Re: ipa-server-install --dirsrv-config-file example

2018-02-14 Thread Alex M via FreeIPA-users
Rob,

From my log file:
line 8764:
2018-02-13T14:48:08Z DEBUG Parsing update file 
'/usr/share/ipa/updates/10-config.update'
2018-02-13T14:48:08Z DEBUG Updating existing entry: cn=config

file /usr/share/ipa/updates/10-config.update:
~lines 61-65
# Default SASL buffer size was too small and could lead for example to
# migration errors
# Can be removed when https://fedorahosted.org/389/ticket/47457 is fixed
dn: cn=config
only:nsslapd-sasl-max-buffer-size:2097152
~


[Freeipa-users] Trusted AD users can no longer authenticate via SSH

2018-02-14 Thread Alexandre Pitre via FreeIPA-users
Earlier this week, users reported they could no longer ssh to freeipa
joined servers using their AD login. After some investigation, it was
discovered if krb5_validate was set to false in the sssd.conf, AD ssh login
would start working again.

One of our IPA servers is showing these errors in /var/log/messages:

Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558 +]
- ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]:
slapi_access_allowed does not allow READ to ipaProtectedOperation;read_keys!
Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278 +]
- ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed
to retrieve keytab on [IPA$@DOMAIN.COM] as user [fqdn=
ipaserver.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=domain,dc=com]!
Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient access
rights
Feb 13 20:53:28 ipaserver sssd: Failed to get keytab

I could paste the debug logs from sssd but I'm pretty sure that error
in /var/log/messages is the root cause preventing AD ssh login. I did some
research and couldn't find anything relevant.

Any ideas how to fix this?

Thanks
-- 
Alexandre Pitre
alexandre.pi...@gmail.com