Re: [Freeipa-users] Limiting Host access by UID/GID
On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:
> On 05/30/2013 06:52 PM, Chandan Kumar wrote:
>> Hello,
>>
>> As part of the migration from passwd/shadow to IPA, I want to roll out IPA/SSSD based passwords first for a small number of users and then for all. (The same goes for hosts: first a small number of hosts and then all.)
>>
>> I was trying to limit it using the max_id/min_id parameters in sssd but it does not seem to work the way I expected.
>>
>>     min_id = 5000
>>     max_id = 5100
>>
>> So there is a user kchandan with UID/GID 2:
>>
>>     [root@tipa1 ~]# id kchandan
>>     uid=2(kchandan) gid=2 groups=2
>>
>> But it is allowing me to log in with that ID, with the only error showing that GID 2 is not found:
>>
>>     ssh 10.2.3.105 -l kchandan
>>     kchandan@10.2.3.105's password:
>>     id: cannot find name for group ID 2
>>
>> Is there any way to achieve this?
>
> So you want to allow only a subset of users within a specific range to log into the systems controlled by SSSD before you open it to a broader public?
>
> I would defer to the SSSD gurus, but the hack that comes to mind is to configure the simple access provider to limit access to just the users you care about (man sssd-simple) or to configure the ldap access provider based on a filter (man sssd-ldap).

Hi,

The user shouldn't even be saved to the cache if it's filtered out of range. But looking at the current NSS code, the entry would have been returned if it was saved *before* you changed the min_id/max_id parameters.

Could that be the case? Can you check if, after removing the cache, the entry still shows up?

I think that the fact that the entry is returned from the cache even if it should be filtered out is a bug:
https://fedorahosted.org/sssd/ticket/1954

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA AD trust question
On 05/31/2013 09:37 AM, Sumit Bose wrote:
> On Fri, May 31, 2013 at 06:52:27AM, Ondrej Valousek wrote:
>> Hi List,
>>
>> I have a question - is it possible to use AD trust the way that:
>> 1. All users are stored in AD
>> 2. All Unix specific information (automount maps, sudo rules, HBAC rules) is stored in IPA?
>
> Yes, sudo and HBAC for sure; I haven't tested automount maps but so far I can see no issues.
>
>> If yes then:
>> 1. Will this scenario honour the RFC2307 user attributes in AD?
>
> We are trying to support RFC2307 attributes in AD with the next releases of SSSD and FreeIPA. Currently only algorithmic ID mapping based on the AD user's RID is available.

Ondreji, this is by the way the upstream ticket under which this feature is being implemented (in case you want to follow it):
https://fedorahosted.org/freeipa/ticket/2904

There are other tickets targeted at AD cooperation in the FreeIPA 3.3 release (https://fedorahosted.org/freeipa/report/3); you may also want to check that they address your needs (and provide comments if they don't). We are still in the design phase, so some amendments are possible.

Thanks,
Martin
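To make the "algorithmic ID mapping based on the AD user's RID" that Sumit mentions concrete, here is an added Python illustration; it is not code from SSSD, FreeIPA or anyone in this thread, and it shows the general slice-based scheme rather than only the single case discussed. SSSD's ldap_id_mapping splits the configured ID space into slices of ldap_idmap_range_size, assigns each AD domain SID a slice, and derives uid = range_min + slice * range_size + RID. The defaults used (200000 / 200000 / 2000200000) are SSSD's; the hash that picks the slice is a SHA-256 stand-in for SSSD's MurmurHash3 (an assumption, so slice numbers will differ from a real SSSD while the arithmetic is the same), the SID values are constructed, and the function names are ours. The last function shows what the requested RFC2307 support would change: a uidNumber stored in AD is used instead of the computed value.

```python
"""Model of SSSD-style algorithmic ID mapping from an AD SID (added example,
not SSSD/FreeIPA code). Constants are SSSD's documented defaults."""
import hashlib

RANGE_MIN = 200000          # ldap_idmap_range_min default
RANGE_SIZE = 200000         # ldap_idmap_range_size default
RANGE_MAX = 2000200000      # ldap_idmap_range_max default
SLICE_COUNT = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE   # 10000 slices


def split_sid(sid):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def slice_for_domain(domain_sid, slice_count=SLICE_COUNT):
    """Pick the slice for a domain. Assumption: SHA-256 stand-in for the
    MurmurHash3 that real SSSD uses; only the modulo step is the same."""
    digest = hashlib.sha256(domain_sid.encode()).digest()
    return int.from_bytes(digest[:4], "big") % slice_count


def map_sid_to_uid(sid, range_min=RANGE_MIN, range_size=RANGE_SIZE,
                   slice_count=SLICE_COUNT):
    """uid = range_min + slice * range_size + RID.
    A RID beyond range_size does not fit the domain's primary slice;
    this model rejects it instead of allocating extra slices."""
    domain_sid, rid = split_sid(sid)
    if rid >= range_size:
        raise ValueError("RID %d does not fit in range_size %d" % (rid, range_size))
    return range_min + slice_for_domain(domain_sid, slice_count) * range_size + rid


def resolve_uid(entry, use_rfc2307=False):
    """What RFC2307 support changes: prefer the uidNumber stored in AD when
    enabled, otherwise fall back to the algorithmic mapping."""
    if use_rfc2307 and "uidNumber" in entry:
        return int(entry["uidNumber"])
    return map_sid_to_uid(entry["objectSid"])


if __name__ == "__main__":
    # Constructed AD objects for demonstration.
    user = {"objectSid": "S-1-5-21-1111-2222-3333-1105", "uidNumber": "4711"}
    print("algorithmic:", resolve_uid(user))
    print("rfc2307:    ", resolve_uid(user, use_rfc2307=True))
```

The practical consequence for a migration is visible in `resolve_uid`: as long as only the algorithmic path exists, file ownership on the Linux side follows the computed uid, and any uidNumber values already maintained in AD are ignored until the RFC2307 support Sumit refers to ships.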
[Freeipa-users] IPA privileges question
Hi! I'm writing a web UI to front-end an ipa host-add . . . the web UI runs as a special user to whom I would like to give credentials that allow it to run the necessary ipa commands . . . I thought I would need to give it a host privilege, but I'm bumping up into the following:

    ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute

That looks like more of an LDAP issue . . . Any of you guys know how I get around this?

Thanks a lot,
Guy
[Freeipa-users] Limiting Host access by UID/GID
As far as my understanding goes it does not stop even if I disable cached credentials. I set the following parameters in sssd.conf but UID 2 is still able to log in.

    cache_credentials = False
    krb5_store_password_if_offline = False
    min_id = 5000
    max_id = 5010
    enumerate = False
    entry_cache_timeout = 3

Package Info:
Client: sssd-client-1.9.2-82.7.el6_4.x86_64
Server: ipa-server-2.2.0-16.el6.x86_64

Thanks
Chandan

On Friday, May 31, 2013, Jakub Hrozek wrote:
> On Fri, May 31, 2013 at 09:26:40AM -0400, Simo Sorce wrote:
>> On Fri, 2013-05-31 at 11:55 +0200, Jakub Hrozek wrote:
>>> On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:
>>>> On 05/30/2013 06:52 PM, Chandan Kumar wrote:
>>>>> Hello,
>>>>>
>>>>> As part of the migration from passwd/shadow to IPA, I want to roll out IPA/SSSD based passwords first for a small number of users and then for all. (The same goes for hosts: first a small number of hosts and then all.)
>>>>>
>>>>> I was trying to limit it using the max_id/min_id parameters in sssd but it does not seem to work the way I expected.
>>>>>
>>>>>     min_id = 5000
>>>>>     max_id = 5100
>>>>>
>>>>> So there is a user kchandan with UID/GID 2:
>>>>>
>>>>>     [root@tipa1 ~]# id kchandan
>>>>>     uid=2(kchandan) gid=2 groups=2
>>>>>
>>>>> But it is allowing me to log in with that ID, with the only error showing that GID 2 is not found:
>>>>>
>>>>>     ssh 10.2.3.105 -l kchandan
>>>>>     kchandan@10.2.3.105's password:
>>>>>     id: cannot find name for group ID 2
>>>>>
>>>>> Is there any way to achieve this?
>>>>
>>>> So you want to allow only a subset of users within a specific range to log into the systems controlled by SSSD before you open it to a broader public?
>>>>
>>>> I would defer to the SSSD gurus, but the hack that comes to mind is to configure the simple access provider to limit access to just the users you care about (man sssd-simple) or to configure the ldap access provider based on a filter (man sssd-ldap).
>>>
>>> Hi,
>>>
>>> The user shouldn't even be saved to the cache if it's filtered out of range. But looking at the current NSS code, the entry would have been returned if it was saved *before* you changed the min_id/max_id parameters.
>>>
>>> Could that be the case? Can you check if, after removing the cache, the entry still shows up?
>>>
>>> I think that the fact that the entry is returned from the cache even if it should be filtered out is a bug:
>>> https://fedorahosted.org/sssd/ticket/1954
>>
>> So far we always maintained that if you consistently change configuration (and a change of ranges is a big change) then it's on the admin to wipe the cache file.
>
> Yes, that's why the ticket is minor. But mostly I don't like the inconsistency where some requests check the ranges even in the responder and some don't.

--
http://about.me/chandank
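The behaviour Jakub and Simo describe (the min_id/max_id filter is applied when an entry is fetched and saved, an entry cached before the range was tightened is still answered from the cache, and wiping the cache is therefore the admin's job after such a change) is easiest to see in a small model. The Python below is an added illustration, not SSSD code and not posted by anyone in this thread; it also includes the simple access provider Dmitri suggested as the practical way to restrict logins during a staged migration. The sssd.conf fragment, user names and uids (kchandan with uid 2 mirrors the report above), and all class and method names are constructed for the example.

```python
"""Added model of the SSSD cache/range behaviour discussed in the thread.
Not SSSD code: the config fragment, directory contents and names are ours."""
import configparser
import io

# Constructed sssd.conf fragment (assumed domain name and values).
SSSD_CONF = """
[domain/ipa.example.test]
min_id = 5000
max_id = 5100
access_provider = simple
simple_allow_users = alice, bob
"""

# Constructed "server-side" directory: name -> uid.
DIRECTORY = {"kchandan": 2, "alice": 5001, "bob": 5002, "carol": 5050}


def load_domain(conf_text):
    """Parse the first [domain/...] section into the settings we model."""
    cp = configparser.ConfigParser()
    cp.read_file(io.StringIO(conf_text))
    sect = next(s for s in cp.sections() if s.startswith("domain/"))
    d = cp[sect]
    allow = [u.strip() for u in d.get("simple_allow_users", "").split(",") if u.strip()]
    return {
        "min_id": d.getint("min_id", 1),
        "max_id": d.getint("max_id", 0),          # SSSD: 0 means no upper bound
        "access_provider": d.get("access_provider", "permit"),
        "simple_allow_users": allow,
    }


class SssdModel:
    def __init__(self, domain):
        self.domain = domain
        self.cache = {}          # stands in for the on-disk sysdb cache

    def in_range(self, uid):
        lo, hi = self.domain["min_id"], self.domain["max_id"]
        return uid >= lo and (hi == 0 or uid <= hi)

    def backend_lookup(self, name):
        """Fetch from the server; save to the cache only if within range."""
        uid = DIRECTORY.get(name)
        if uid is None or not self.in_range(uid):
            return None
        self.cache[name] = uid
        return uid

    def nss_lookup(self, name, responder_checks_range=False):
        """Answer from the cache first. With responder_checks_range=False this
        reproduces the stale-entry case from ticket 1954."""
        if name in self.cache:
            uid = self.cache[name]
            if responder_checks_range and not self.in_range(uid):
                return None
            return uid
        return self.backend_lookup(name)

    def clear_cache(self):
        """The effect of wiping the cache file after a config change."""
        self.cache.clear()

    def access_check(self, name):
        """simple access provider: only listed users may log in."""
        if self.domain["access_provider"] == "simple":
            return name in self.domain["simple_allow_users"]
        return True

    def reconfigure(self, domain):
        self.domain = domain


def stale_cache_scenario():
    """Entry cached under a wide range, then min_id raised to 5000.
    Returns (answer from stale cache, answer with a responder-side check,
    answer after the cache is wiped)."""
    wide = load_domain(SSSD_CONF.replace("min_id = 5000", "min_id = 1"))
    model = SssdModel(wide)
    model.nss_lookup("kchandan")                          # cached: uid 2 is in 1..5100
    model.reconfigure(load_domain(SSSD_CONF))             # now 5000..5100
    stale = model.nss_lookup("kchandan")                  # still answered from cache
    checked = model.nss_lookup("kchandan", responder_checks_range=True)
    model.clear_cache()
    after_wipe = model.nss_lookup("kchandan")             # backend filters it out
    return stale, checked, after_wipe


if __name__ == "__main__":
    print(stale_cache_scenario())   # (2, None, None)
    m = SssdModel(load_domain(SSSD_CONF))
    for user in DIRECTORY:
        print(user, m.nss_lookup(user), m.access_check(user))
```

Two points the model makes explicit: the range filter alone is not an access control (a user whose uid falls in the range still logs in, so `simple_allow_users` or an ldap access filter is what actually gates logins), and a cached entry survives a later tightening of min_id/max_id until the cache is wiped, which is exactly the check Jakub asked for.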
Re: [Freeipa-users] IPA privileges question
Guy Matz wrote:
> Hi! I'm writing a web UI to front-end an ipa host-add . . . the web UI runs as a special user to whom I would like to give credentials that allow it to run the necessary ipa commands . . . I thought I would need to give it a host privilege, but I'm bumping up into the following:
>
>     ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute
>
> That looks like more of an LDAP issue . . . Any of you guys know how I get around this?

What privileges did you assign to the role that this user is a member of?

rob
Re: [Freeipa-users] IPA privileges question
Sorry, should have mentioned that. I had the host principal and have since added ldap:

    # klist -k krb5.keytab
    Keytab name: FILE:krb5.keytab
    KVNO Principal
    ---- ------------------------------------------
       3 host/ipadevmstr.collmedia@collmedia.net
       3 host/ipadevmstr.collmedia@collmedia.net
       3 host/ipadevmstr.collmedia@collmedia.net
       3 host/ipadevmstr.collmedia@collmedia.net
       3 ldap/ipadevmstr.collmedia@collmedia.net
       3 ldap/ipadevmstr.collmedia@collmedia.net
       3 ldap/ipadevmstr.collmedia@collmedia.net
       3 ldap/ipadevmstr.collmedia@collmedia.net

I now get this error:

    Insufficient access: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context Invalid credentials

with this in my krb5.log:

    May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH: DNS/ipadevmstr.collmedia@collmedia.net for krbtgt/collmedia@collmedia.net, Additional pre-authentication required
    May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia@collmedia.net for krbtgt/collmedia@collmedia.net
    May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia@collmedia.net for ldap/ipadevmstr.collmedia@collmedia.net
    May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ... CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia@collmedia.net

Do I need to add DNS too?

Thanks a lot,
Guy

On 05/31/2013 12:48 PM, Rob Crittenden wrote:
> Guy Matz wrote:
>> Hi! I'm writing a web UI to front-end an ipa host-add . . . the web UI runs as a special user to whom I would like to give credentials that allow it to run the necessary ipa commands . . . I thought I would need to give it a host privilege, but I'm bumping up into the following:
>>
>>     ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute
>>
>> That looks like more of an LDAP issue . . . Any of you guys know how I get around this?
>
> What privileges did you assign to the role that this user is a member of?
>
> rob
Re: [Freeipa-users] IPA privileges question
Guy Matz wrote:
> Sorry, should have mentioned that. I had the host principal and have since added ldap:
>
>     # klist -k krb5.keytab
>     Keytab name: FILE:krb5.keytab
>     KVNO Principal
>     ---- ------------------------------------------
>        3 host/ipadevmstr.collmedia@collmedia.net
>        3 host/ipadevmstr.collmedia@collmedia.net
>        3 host/ipadevmstr.collmedia@collmedia.net
>        3 host/ipadevmstr.collmedia@collmedia.net
>        3 ldap/ipadevmstr.collmedia@collmedia.net
>        3 ldap/ipadevmstr.collmedia@collmedia.net
>        3 ldap/ipadevmstr.collmedia@collmedia.net
>        3 ldap/ipadevmstr.collmedia@collmedia.net
>
> I now get this error:
>
>     Insufficient access: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context Invalid credentials
>
> with this in my krb5.log:
>
>     May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH: DNS/ipadevmstr.collmedia@collmedia.net for krbtgt/collmedia@collmedia.net, Additional pre-authentication required
>     May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia@collmedia.net for krbtgt/collmedia@collmedia.net
>     May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia@collmedia.net for ldap/ipadevmstr.collmedia@collmedia.net
>     May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ... CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia@collmedia.net
>
> Do I need to add DNS too?

I'm not quite sure what your goal is. I thought you had created a user for the purpose of creating hosts and you wanted to delegate permissions to that user. Is this what you've done? If so, what roles is the user a member of, and what privileges are associated with that role?

rob
Re: [Freeipa-users] How IPA handles AD computer groups
On 05/31/2013 08:39 AM, rashard.ke...@sita.aero wrote:
> I am working on a team to plan a migration to IPA on our UNIX based systems. One thing I was seeking information on is computer groups. If a trust is established with our campus AD infrastructure, will its computer groups be shared with IPA or just users? If computer groups are transferred to host groups, this will make managing permissions easier without having to recreate all the groups on the IPA side. I could not find any info in this document: http://www.freeipa.org/page/IPAv3_testing_AD_trust. If someone could point me to some documentation about the subject it would be really helpful.

IPA does not share or transfer host groups from AD, and conceptually it does not make sense, since the systems managed by AD and the systems managed by IPA are, in our view, completely non-overlapping sets of systems. Can you please share your reasoning why it is something that makes sense to have? So far our view of the world was that AD manages Windows systems and the groupings and policies around those, while IPA does the same for Linux systems.

> Thank You,
> Rashard Kelly
> Senior Linux Specialist
>
> From: Martin Kosek mko...@redhat.com
> To: Sumit Bose sb...@redhat.com
> Cc: freeipa-users@redhat.com
> Date: 05/31/2013 06:41 AM
> Subject: Re: [Freeipa-users] IPA AD trust question
> Sent by: freeipa-users-boun...@redhat.com
>
> On 05/31/2013 09:37 AM, Sumit Bose wrote:
>> On Fri, May 31, 2013 at 06:52:27AM, Ondrej Valousek wrote:
>>> Hi List,
>>>
>>> I have a question - is it possible to use AD trust the way that:
>>> 1. All users are stored in AD
>>> 2. All Unix specific information (automount maps, sudo rules, HBAC rules) is stored in IPA?
>>
>> Yes, sudo and HBAC for sure; I haven't tested automount maps but so far I can see no issues.
>>
>>> If yes then:
>>> 1. Will this scenario honour the RFC2307 user attributes in AD?
>>
>> We are trying to support RFC2307 attributes in AD with the next releases of SSSD and FreeIPA. Currently only algorithmic ID mapping based on the AD user's RID is available.
>
> Ondreji, this is by the way the upstream ticket under which this feature is being implemented (in case you want to follow it):
> https://fedorahosted.org/freeipa/ticket/2904
>
> There are other tickets targeted at AD cooperation in the FreeIPA 3.3 release (https://fedorahosted.org/freeipa/report/3); you may also want to check that they address your needs (and provide comments if they don't). We are still in the design phase, so some amendments are possible.
>
> Thanks,
> Martin

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.