[Freeipa-users] Failed to initialize credentials using keytab

2012-07-10 Thread freeipa
Hi All,

Server:
RHEL 6.3 
ipa-admintools-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch

Odd Error in /var/log/messages:
Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Failed to initialize 
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.

Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Decrypt integrity
check failed

Jul 10 18:15:42 sysvm-ipa rhnsd[2194]: Red Hat Network Services Daemon
starting up, check in interval 240 minutes.

Jul 10 18:15:43 sysvm-ipa certmonger: Error setting up ccache for local
"host" service using default keytab.


I checked the server's keytab and as far as I can tell, it seems fine?
[root@sysvm-ipa etc]# klist -k /etc/krb5.keytab 
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal

--
   2 host/sysvm-ipa.example@example.com
   2 host/sysvm-ipa.example@example.com
   2 host/sysvm-ipa.example@example.com
   2 host/sysvm-ipa.example@example.com
   2 host/sysvm-ipa.example@example.com
   2 host/sysvm-ipa.example@example.com


cya

Craig

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Failed to initialize credentials using keytab

2012-07-10 Thread Ondrej Valousek

Does
kinit -k host/sysvm-ipa.example@example.com
work for you?



[Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hello all,
I have an ipa client that is also a file server. How do I set up a samba server 
on the file server so that the files can be accessed by a win7 machine, which 
is not a member of the ipa realm?
Should I set the file server as a domain controller? How do I deal with the 
"passdb backend" option? I guess I can set it to "ldapsam", but the user 
information is kept on the ipa server, not the file server.
What else should I take care of before I start?
ps. my ipa version is 2.2, running on fc17.

Thanks,
George

Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread Ondrej Valousek

Do you have an AD for the win7 machine or is it just standalone machine?
Ondrej


Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hi Ondrej,
The win7 is standing alone. I don't have an AD for it.

I used to have a samba domain controller that took care of user authentication 
for both linux and winxp machines.
Thanks,
George




Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread Ondrej Valousek

Well, if you want to integrate Windows machines, you'd better stick with 
Samba (you can try Samba 4 if you prefer the IPA-like integration).
IPA itself "looks and feels" like AD but it is not compatible with AD - it is 
intended mainly for Linux machines.

Ondrej



Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread Simo Sorce
You can install samba with the ldapsam passdb backend.
security = user will suffice, you do not need to make it a domain
controller.
Authentication will happen only using NTLM, so you will have to add the
sambaSamAccount objectclass to those users that you want to be able to
log in to samba and the sambaGroups class to those groups you want to
use with samba.
After you added the right objectclass to users you will need to change
the user's password once so that the ipa-pwd-extop plugin can generate NT
hashes for the user.
Once that is done samba should allow you to log in using the ipa
password.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hi Simo,
Could you advise how to add

1. the sambaSamAccount objectclass to a user, and
2. the sambaGroups class to a group? 

I guess I would need to use ldap commands, which I don't know enough.
By the way, do I need to add both of the above, or if everybody is allowed to 
use the samba share, (and they are all in ipausers group), I would only need to 
add the sambaGroups class to ipausers group?
Thanks,
George




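The objectclass additions Simo describes, written out as an added example that is not FreeIPA or Samba project code: a small Python script that emits the LDIF ldapmodify needs for the users and groups George asks about. In Samba's LDAP schema the classes are sambaSamAccount (users) and sambaGroupMapping (groups; the "sambaGroups" above refers to it), and both require a sambaSID, so the script derives SIDs from the file server's domain SID with the classic Samba algorithmic RID mapping. The domain SID, the base DN, the sample user and group, and the assumption that the Samba schema is loaded in the IPA directory (the ldapsam backend needs it anyway) are all assumptions of this example.

```python
"""Build the LDIF that adds Samba objectclasses to FreeIPA users and groups.

Added example, not FreeIPA or Samba project code. Assumptions:
  * the Samba LDAP schema (sambaSamAccount, sambaGroupMapping) is loaded in
    the IPA directory server;
  * DOMAIN_SID is the file server's local SID (`net getlocalsid` on the
    Samba host) and BASE_DN is the basedn from /etc/ipa/default.conf;
  * SIDs follow the classic Samba algorithmic RID mapping
    (user RID = 2*uidNumber + 1000, group RID = 2*gidNumber + 1001).
The NT hash itself is not written here: ipa-pwd-extop generates it on the
next password change once the user entry carries sambaSamAccount.
"""
from typing import Iterable, List, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # assumed; use `net getlocalsid`
BASE_DN = "dc=example,dc=com"                              # assumed; see /etc/ipa/default.conf
SAMBA_DOMAIN_GROUP = 2  # sambaGroupType value for a domain group


def user_sid(uid_number: int) -> str:
    """User SID under the algorithmic RID mapping (rid = 2*uid + 1000)."""
    return f"{DOMAIN_SID}-{2 * uid_number + 1000}"


def group_sid(gid_number: int) -> str:
    """Group SID under the algorithmic RID mapping (rid = 2*gid + 1001)."""
    return f"{DOMAIN_SID}-{2 * gid_number + 1001}"


def _modify_record(dn: str, mods: List[Tuple[str, str]]) -> str:
    """One RFC 2849 changetype:modify record adding the given attribute values."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in mods:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def user_ldif(uid: str, uid_number: int) -> str:
    """Add sambaSamAccount (which requires sambaSID) to one IPA user entry."""
    dn = f"uid={uid},cn=users,cn=accounts,{BASE_DN}"
    return _modify_record(dn, [("objectClass", "sambaSamAccount"),
                               ("sambaSID", user_sid(uid_number))])


def group_ldif(cn: str, gid_number: int) -> str:
    """Add sambaGroupMapping (requires sambaSID and sambaGroupType) to one IPA group."""
    dn = f"cn={cn},cn=groups,cn=accounts,{BASE_DN}"
    return _modify_record(dn, [("objectClass", "sambaGroupMapping"),
                               ("sambaSID", group_sid(gid_number)),
                               ("sambaGroupType", str(SAMBA_DOMAIN_GROUP))])


def build_ldif(users: Iterable[Tuple[str, int]],
               groups: Iterable[Tuple[str, int]]) -> str:
    """Concatenate the records; LDIF separates records with a blank line."""
    records = [user_ldif(u, n) for u, n in users] + [group_ldif(g, n) for g, n in groups]
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample input: (uid, uidNumber) and (cn, gidNumber) as
    # `ipa user-show` / `ipa group-show` would report them.
    print(build_ldif([("george", 1001)], [("ipausers", 1000)]), end="")
```

Feed the output to ldapmodify with an identity allowed to write those attributes, e.g. `ldapmodify -x -H ldap://ipaserver.example.com -D "cn=Directory Manager" -W -f samba.ldif` (the hostname is an assumption), then have each user change their password once (`ipa passwd george` sets one that must be changed at next login) so that ipa-pwd-extop stores the NT hash. Two checks are worth doing afterwards: as Directory Manager, confirm the user entry now carries sambaNTPassword; then, bound as an ordinary user (`ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=example,dc=com" uid=george sambaNTPassword`), make sure the attribute does not come back. An NT hash is password-equivalent for NTLM, so it must stay readable only by the directory itself and the identity Samba binds with.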

[Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread KodaK
I'm running IPA 2.2.0 on RHEL6

Server:

[root@validserver ~]# rpm -qa | grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64

Client:

[root@validhost ~]# rpm -qa | grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64

My sudo-ldap.conf file:

binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
bindpw validpassword

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://validserver ldap://validserver2
sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com

What I'm trying to do:  I have a group of users that I'd like to have
restart apache on a group of hosts.

What I've done:  created a user group, created a group of hosts (in a
grouplist.)

I can successfully run sudo in any configuration, *except* when using
a host group.  When I try I get:

Sorry, user validuser is not allowed to execute
'/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.

I can edit the same rule, change the host group (that only contains
two hosts) and specify the two hosts directly and it works fine.

Can someone else just try this and see if I've hit a bug?  I'm certain
I couldn't have messed up creating the host group, but I suppose it's
possible.

I get the same behavior when I try a simple "/bin/cat" command through
sudo, too.

Is there a special config for using host groups?  I suspect I may have
missed some obvious documentation.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6


Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread KodaK
Further information:

I do have:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

In /etc/sssd/sssd.conf

Is cn=ng,cn=compat correct?

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6


[Freeipa-users] IPA + OpenAFS

2012-07-10 Thread Qing Chang

Please forgive me if this is a question that has been answered somewhere 
already.

I am almost finished setting up my first OpenAFS cell using IPA's KDC for
authentication but stumble on this error:

[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

A thread on the OpenAFS mailing list suggests that it is because I have the wrong salt
with my afs service key. The right one should be "des-cbc-crc:v4", but the
following fails when I tried to create the keytab file:

[root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p 
afs/openafs.sri.utoronto...@sri.utoronto.ca --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P

New Principal Password:
Verify Principal Password:
Bad or unsupported salt type (1)!
Failed to create key material


My IPA server kdc.conf file has this:
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal 
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3


And the krb5.conf file on both IPA server and OpenAFS server has this:
allow_weak_crypto = true

Why does ipa-getkeytab fail here? Using either des-cbc-crc:normal or
des-cbc-crc:afs3 works, but OpenAFS does not like them.

Thanks,
Qing

--
--
Qing Chang
Senior Systems Administrator
M6-624 Research Computing
Sunnybrook Health Sciences Centre
2075 Bayview Ave.
Toronto, Ontario,  M4N 3M5
(416) 480-6100 x3263
qch...@sri.utoronto.ca
--


Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread Dmitri Pal
What do your SUDO entries look like?
Do you see host netgroup coming over to the system when you enumerate
netgroups?
Does it have the two hosts you mentioned?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread KodaK
On Tue, Jul 10, 2012 at 2:56 PM, Dmitri Pal  wrote:

> What do your SUDO entries look like?

Rule name:  test rule
Options: none
Who: specified users and groups
Users: jebalicki
User groups: none
Access this host: specified users and groups
Hosts: none
Host groups: tds-webhosts (contains the two valid client systems)
RUN COMMANDS
ALLOW
command category the rule applies to: specified commands and groups
sudo allow commands: /bin/cat
sudo allow command groups: none
Nothing denied.
"As whom" is left as default.

> Do you see host netgroup coming over to the system when you enumerate
> netgroups?

I don't know how to do this at the command line.  I'm googling for it.
 The only thing I'm even vaguely familiar with (in that it exists) is
ypcat, but I thought sssd was taking care of "translating" the host
groups to netgroups for sudo?  I'm sorry, I'm just not familiar with
NIS at all.  The documentation tells me that a hidden netgroup is
created, so I shouldn't need to manually specify one, right?

> Does it have the two hosts you mentioned?

Once I find that I'll get back to you.  Thanks for taking the time.


Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread Natxo Asenjo
On Tue, Jul 10, 2012 at 10:16 PM, KodaK  wrote:

> Do you see host netgroup coming over to the system when you enumerate
> > netgroups?
>
> I don't know how to do this at the command line.  I'm googling for it.
>  The only thing I'm even vaguely familiar with (in that it exists) is
> ypcat, but I thought sssd was taking care of "translating" the host
> groups to netgroups for sudo?  I'm sorry, I'm just not familiar with
> NIS at all.  The documentation tells me that a hidden netgroup is
> created, so I shouldn't need to manually specify one, right?
>

getent netgroup 
Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread JR Aquino

On Jul 10, 2012, at 12:28 PM, KodaK wrote:

> Further information:
> 
> I do have:
> 
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

Go ahead and remove this line.  Previous legacy versions of sssd required it.  
I believe it just gets in the way now.

You also want to run: $ domainname

Make sure it comes back with your domain, if not, please set your domainname.  
(/etc/rc.local is currently the place recommended to set this value)

Netgroups will come back as a tuple like: (testhost.domain.com, -, domain.com)  

Sudo will do the netgroup look up and wants to see that the hostname matches 
the hostname of the server, and that the domain also matches.

You can double-check this by doing: getent netgroup 

It should return a tuple like the one above.

If you are still having difficulty, you can add sudoers_debug 2 in your 
/etc/sudo-ldap.conf file then re-run your sudo command.  It should show the 
various tests it performs and the output of the FreeIPA server.  It wants to 
match user, host, and command.


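The lookup JR describes and the `getent netgroup` check Natxo suggests, as an added example that is not sudo or FreeIPA code: a Python script that parses `getent netgroup <name>` output into (host,user,domain) triples and reports whether this host and NIS domain would match, using the field rules of netgroup(5) (an empty field is a wildcard, a "-" field matches no value). The sample getent line, the host names and the case-insensitive hostname comparison are assumptions of the example.

```python
"""Does this host match a FreeIPA host group the way sudo's netgroup lookup does?

Added example, not sudo or FreeIPA code. It parses the output of
`getent netgroup <name>` (netgroup name followed by (host,user,domain)
triples) and applies the field rules of netgroup(5): an empty field is a
wildcard, a "-" field matches no value, anything else must equal the value
being tested. Hostnames are compared case-insensitively here, a choice of
this example. SAMPLE_GETENT and the host names in it are constructed.
"""
import re
import socket
import subprocess
import sys
from typing import List, Optional, Tuple

Triple = Tuple[str, str, str]
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# Constructed sample of `getent netgroup tds-webhosts` as sssd renders an IPA
# host group: user field "-", domain field the hosts' DNS domain.
SAMPLE_GETENT = (
    "tds-webhosts          (validhost1.fqdn.com,-,fqdn.com) "
    "(validhost2.fqdn.com,-,fqdn.com)\n"
)


def parse_getent_netgroup(text: str) -> Tuple[str, List[Triple]]:
    """Split one getent line into (netgroup name, list of triples)."""
    name, _, rest = text.strip().partition(" ")
    triples = [(m.group(1).strip(), m.group(2).strip(), m.group(3).strip())
               for m in TRIPLE_RE.finditer(rest)]
    return name, triples


def field_matches(field: str, value: Optional[str]) -> bool:
    """netgroup(5) rule for one field; value None means the caller ignores it."""
    if value is None or field == "":   # caller does not care / wildcard
        return True
    if field == "-":                   # explicit "no value": matches nothing
        return False
    return field.lower() == value.lower()


def host_in_netgroup(triples: List[Triple], host: str, domain: Optional[str]) -> bool:
    """True if some triple matches the host and, when given, the NIS domain."""
    return any(field_matches(h, host) and field_matches(d, domain)
               for h, _user, d in triples)


def diagnose(text: str, host: str, domain: Optional[str]) -> str:
    """Verdict for one host against one `getent netgroup` line, with the likely fix."""
    name, triples = parse_getent_netgroup(text)
    if not triples:
        return (f"{name}: no triples returned; sssd is not delivering the host group "
                "as a netgroup, so sudo has nothing to match")
    if host_in_netgroup(triples, host, domain):
        return f"{name}: host {host} with NIS domain {domain!r} matches"
    if host_in_netgroup(triples, host, None):
        return (f"{name}: host {host} is listed but NIS domain {domain!r} does not match "
                "the triples; check `domainname` on this host")
    return (f"{name}: host {host} is not in the netgroup; the triples carry FQDNs, "
            "so compare against socket.getfqdn()")


def diagnose_live(netgroup: str) -> str:
    """Run the real lookups on this machine (not exercised by the offline sample)."""
    text = subprocess.run(["getent", "netgroup", netgroup],
                          capture_output=True, text=True).stdout
    domain = subprocess.run(["domainname"], capture_output=True, text=True).stdout.strip()
    if domain == "(none)":
        domain = ""  # unset NIS domain: will not match a triple that names one
    return diagnose(text, socket.getfqdn(), domain)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(diagnose_live(sys.argv[1]))
    else:
        print(diagnose(SAMPLE_GETENT, "validhost1.fqdn.com", "fqdn.com"))
        print(diagnose(SAMPLE_GETENT, "validhost1.fqdn.com", "other.com"))
        print(diagnose(SAMPLE_GETENT, "validhost1", "fqdn.com"))
```

On the client, run it with the host group name as the argument to use the live `getent` and `domainname` lookups; run `getent netgroup tds-webhosts` by hand first so you see the raw triples. If no triples come back at all, the problem is upstream of sudo (sssd is not serving the host group as a netgroup), not in the sudo rule.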


Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread Nalin Dahyabhai
On Tue, Jul 10, 2012 at 02:15:41PM -0500, KodaK wrote:
[snip]
> My sudo-ldap.conf file:
> 
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
> bindpw validpassword
> 
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
> 
> bind_timelimit 5
> timelimit 15
> 
> uri ldap://validserver ldap://validserver2

This may be unrelated, but keep in mind that these should be FQDNs,
because that's what the directory server SSL certificates have in them,
and a client will check that the name in the certificate the server uses
to identify itself matches the name that the client "thinks" the server
has, which the client derives from the URI values given here.

> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com

Assuming your domain name is "UNIX.MAGELLANHEALTH.COM" and you haven't
changed the configuration for the Schema Compatibility plugin, this
looks correct.  If your domain name is something else, you'll need to
change this setting to "ou=SUDOers,$basedn", where "basedn" is the value
listed in your server's /etc/ipa/default.conf file.

HTH,

Nalin

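Nalin's two checks (FQDNs in the uri list so the TLS peer check can succeed, and sudoers_base equal to ou=SUDOers,$basedn), together with the tls_checkpeer and start_tls settings from the posted file, as an added example that is not sudo or FreeIPA code: a Python linter over the text of sudo-ldap.conf. The sample configurations inside it are constructed from the one posted above; the FQDNs and the basedn dc=validserver,dc=com in the corrected copy are assumptions.

```python
"""Lint a sudo LDAP client configuration for the problems raised in this thread.

Added example, not sudo or FreeIPA code. It works on the text of
/etc/sudo-ldap.conf and takes the IPA basedn (from /etc/ipa/default.conf)
as a parameter. POSTED_CONF is constructed from the configuration posted
above; FIXED_CONF is the same file with FQDN URIs and an assumed basedn.
"""
import sys
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

POSTED_CONF = """\
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
bindpw validpassword
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://validserver ldap://validserver2
sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
"""

# Assumed corrected copy: URIs as FQDNs, base under basedn dc=validserver,dc=com.
FIXED_CONF = POSTED_CONF.replace(
    "uri ldap://validserver ldap://validserver2",
    "uri ldap://validserver.validserver.com ldap://validserver2.validserver.com",
).replace(
    "sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com",
    "sudoers_base ou=SUDOers,dc=validserver,dc=com",
)


def parse_conf(text: str) -> Dict[str, str]:
    """keyword value lines; comments and blanks ignored, a later line wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint(text: str, basedn: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings; no 'warn' entries means nothing to fix."""
    conf = parse_conf(text)
    out: List[Tuple[str, str]] = []
    ssl_mode = conf.get("ssl", "").lower()
    uris = conf.get("uri", "").split()
    if not uris:
        out.append(("warn", "no uri directive; sudo has no directory server to query"))
    for uri in uris:
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if "." not in host:
            out.append(("warn", f"uri {uri}: '{host}' is not an FQDN; with tls_checkpeer it "
                                "will not match the name in the directory server certificate"))
        if parts.scheme == "ldap" and ssl_mode not in ("start_tls", "on", "yes", "true"):
            out.append(("warn", f"uri {uri}: plain ldap:// and no 'ssl start_tls'; the bind "
                                "password and sudoers data would cross the network in clear"))
    if conf.get("tls_checkpeer", "").lower() != "yes":
        out.append(("warn", "tls_checkpeer is not 'yes': the server certificate is not verified"))
    expected = f"ou=SUDOers,{basedn}".lower()
    if conf.get("sudoers_base", "").lower() != expected:
        out.append(("warn", f"sudoers_base '{conf.get('sudoers_base', '')}' should be "
                            f"ou=SUDOers,{basedn} unless the Schema Compatibility plugin was changed"))
    if "bindpw" in conf:
        out.append(("info", "bindpw is stored in this file; keep the file readable by root only"))
    return out


def warnings(text: str, basedn: str) -> List[str]:
    """Only the findings that need fixing."""
    return [msg for level, msg in lint(text, basedn) if level == "warn"]


if __name__ == "__main__":
    if len(sys.argv) == 3:          # lint.py /etc/sudo-ldap.conf dc=example,dc=com
        with open(sys.argv[1]) as fh:
            text, basedn = fh.read(), sys.argv[2]
    else:                            # offline: the posted configuration
        text, basedn = POSTED_CONF, "dc=unix,dc=magellanhealth,dc=com"
    for level, msg in lint(text, basedn):
        print(f"{level}: {msg}")
```

Run it as `lint.py /etc/sudo-ldap.conf "$(awk -F= '/^basedn/ {print $2}' /etc/ipa/default.conf)"` on the client. The FQDN finding is the one Nalin raises: with tls_checkpeer yes, a short name in the uri line fails certificate name verification even though the same name resolves fine, and the resulting bind failure looks like a sudo rule problem.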