[Freeipa-users] what was the meaning of 'ion' in SELinux docs?
Hello,

I'm forwarding the question below to FreeIPA-users list. Broader audience could be interested in the answer :-)

Petr^2 Spacek

Original Message
Subject: [Freeipa-devel] [DOC] what was the meaning?
Date: Mon, 7 Oct 2013 22:43:05 +0200
To: freeipa-de...@redhat.com freeipa-de...@redhat.com

Hi all,

Found in SelinuxMap.xml:

As with adding a user to a ion value identifies the host-based access control rule to use for mapping. The access control rule must specify both users and hosts appropriately so that the SELinux map can construct the SELinux user, IPA; user, and host triple.

What was ion supposed to be?

Regards,

J.
--
Jérôme Fenal

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] what was the meaning of 'ion' in SELinux docs?
On 10/08/2013 08:43 AM, Petr Spacek wrote:
> Hello,
>
> I'm forwarding the question below to FreeIPA-users list. Broader audience could be interested in the answer :-)
>
> Petr^2 Spacek
>
> Original Message
> Subject: [Freeipa-devel] [DOC] what was the meaning?
> Date: Mon, 7 Oct 2013 22:43:05 +0200
> To: freeipa-de...@redhat.com freeipa-de...@redhat.com
>
> Hi all,
>
> Found in SelinuxMap.xml:
>
> As with adding a user to a ion value identifies the host-based access control rule to use for mapping. The access control rule must specify both users and hosts appropriately so that the SELinux map can construct the SELinux user, IPA; user, and host triple.
>
> What was ion supposed to be?
>
> Regards,
>
> J.

This is just a typo in docs, see my response on freeipa-devel:

Original Message
Subject: Re: [Freeipa-devel] [DOC] what was the meaning?
Date: Tue, 08 Oct 2013 09:31:59 +0200
From: Martin Kosek mko...@redhat.com
To: Jérôme Fenal jfe...@gmail.com
CC: freeipa-de...@redhat.com freeipa-de...@redhat.com

...

I see this was wrong even in the original version of the paragraph. The first sentence is actually pretty cryptic. I would rather replace the whole paragraph with

A specific user or host can be removed from an SELinux map by using either the selinuxusermap-remove-host or selinuxusermap-remove-user command.

which is now above it. Ccing Petr and Martin to check that.

Martin
Re: [Freeipa-users] IPA 3.0 RHEL 6.4
Hello Dmitri,

We are currently using Samba as a file server and a DC with NT style domain for our Windows clients. IPA is the password backend for Samba.

Our Red Hat consultant originally had the following items working when this system was installed last year.

** Ability to add groups in the IPA web interface for samba

I have these patches and need to make sure that they work with IPA 3.0 and RHEL 6.4 before I apply them.

** We have a default password policy of 90 days expiration. This policy also has complexity, history, length, etc.

Early this year that 90 day expiration stopped working and my Windows users were no longer receiving a must change password notice. We were hoping the update to RHEL 6.4 and IPA 3.0 would fix this but it has not. Currently my users are showing an EXPIRATION in IPA of June/July or so time frame. Back in April we manually changed all users' passwords to a temporary. That prompted them to login and change their password, hoping this would kickstart the 90 day expiration again. That was NOT successful.

At a MINIMUM we are needing to correctly have IPA expire a user's password and allow Samba to understand that as well based on the password policy IPA shows for a given user.

I have a test user who has a 2nd password policy we created. That user has 1 day expiration within IPA. When I change the following value using ldapmodify, it CORRECTLY makes Samba prompt the user to change their password when logging in the next time. When I change this test password, IPA resets the EXPIRATION DATE to 90 days out and not 1 day from the time password was changed.

---

A third item we need fixed if possible, is the ability to enforce password complexity, history, length, etc. through Samba based on what IPA shows for a user's password policy. I cannot confirm if this WAS working or not after it was initially installed. I guess you or Rob would be the individuals who could tell me what is possible to enable this feature.

On Fri, Oct 4, 2013 at 9:56 AM, Rob Crittenden rcrit...@redhat.com wrote:
> Zach Musselman wrote:
>> Hello,
>>
>> My company is having issues with our current install of IPA on RHEL 6.4.
>>
>> ** We had group patches that worked with IPA 2.2.0 and allowed us to enter samba groups directly in the IPA web interface.
>>
>> Red Hat is unable to confirm these patches are updated for IPA 3.0 RHEL 6.4 even though their Red Hat consultant created these a year ago.
>
> I'm not clear what you mean by updated for IPA 3.0. Are you asking the patches to be rebased?
>
> It is also unclear if things were working properly with 2.2.0 and broke with 3.0, or if these things never worked, or something else.
>
>> ** IPA password policy (history, length, complexity, etc.) enforcement
>>
>> Our current versions are not allowing the IPA password policy to work with Samba. My Windows users are able to change their password either MANUALLY or WHEN FORCED to reset via the IPA interface. However, none of the password history, length, complexity and so on are enforced with Samba and users are able to either keep the same password or change it to anything they want without restrictions.
>
> Can you be more specific about where the password changes are happening? What do you mean by manually? Changing it via the UI should apply password policy because that is really independent of any Samba changes that have been made.
>
>> ** Samba password change also changing correctly the IPA expiration date so IPA can successfully reset the (sambaPwdLastSet: 0) value upon 90 days since last password change
>>
>> If we manually run ldapmodify and change the value of sambaPwdLastSet to equal 0, this correctly forces the end user to change their password in Windows. The issue though is their IPA password expiration date listed in the interface isn't correctly showing the amount of days to expire NEXT. I have a test user that has a password policy of 1 day expiration. I would expect this user to show an expiration date of the next day after password change but for some reason it always keeps showing about 90 days out, which is my default policy for all users. I need to be able to test that IPA is correctly expiring the password after 1 day so that I know in 90 days my other users will receive the same expiration. For most of this year password expiration was not working and IPA is showing a password expiration of months ago when their password should have expired (samba never prompted for this change). Since we updated to IPA 3.0, I'm hoping that when I reset their sambaPwdLastSet to 0 that IPA will start enforcing a 90 day expiration again.
>
> I don't really know much about how Windows/Samba does password expiration, but IPA has no process to look at the last set date, compare that to the policy, and reset sambaPwdLastSet. Is that what you're expecting?
>
>> Any help you can provide on these issues would be greatly appreciated! Also, what would you recommend for future IPA versions and
Re: [Freeipa-users] Required services are not started after reboot
On 10/08/2013 06:33 PM, Mateusz Marzantowicz wrote:
> Finally, I've managed to install FreeIPA on Fedora 20 without any errors. I was even able to log in through web UI and make some changes. Sadly after system reboot, none of IPA related services were started and now nothing works as expected.
>
> What services need to be enabled (I need to enable manually) to make ipa server operational again?
>
> I'd be thankful for any links to official documentation that covers this topic.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1008306

t
Re: [Freeipa-users] Force to change password in first login
I've used this to extend the password expiration. It should work for setting an expired password expiration. You have to hit enter twice after the krbPasswordExpiration: 2013100800Z line.

# ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 2013100800Z

modifying entry uid=username,cn=users,cn=accounts,dc=example,dc=com

ctrl-d

On Tue, 2013-10-08 at 11:51 -0500, cbul...@gmail.com wrote:
> Hi All,
>
> I created a script to add users to freeipa using ldapadd command and it works great. Now I want to forcibly change the password in the first user login. What attribute do I have to change to accomplish this?
>
> Thanks!
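An added example, not part of the original thread: a shell helper that turns a list of login names into the LDIF records described in the message above, so a provisioning script can expire passwords in bulk without typing each record by hand. The function names and the login-name whitelist are assumptions of this example; the DN layout, the attribute and the ldapmodify flags are the ones shown in the message.

```shell
#!/bin/sh
# Added example (not from the thread). Feed the output to:
#   ldapmodify -x -D 'cn=Directory Manager' -W
export LC_ALL=C   # make [a-z] mean ASCII lower case only

# Accept only conservative login names, so a crafted value cannot add RDNs
# or extra LDIF lines when it is interpolated into the dn: line.
valid_uid() {
    case "$1" in
        ''|*[!a-z0-9._-]*) return 1 ;;
        [a-z]*) return 0 ;;
        *) return 1 ;;
    esac
}

# GeneralizedTime in UTC: digits followed by Z, to the hour, minute or second.
valid_gtime() {
    d=${1%Z}
    [ "$d" != "$1" ] || return 1
    case "$d" in ''|*[!0-9]*) return 1 ;; esac
    case ${#d} in 10|12|14) return 0 ;; *) return 1 ;; esac
}

# Print one LDIF modify record setting krbPasswordExpiration to $3.
# A time in the past leaves the password expired. The trailing blank line
# ends the record (the "hit enter twice" step of the interactive session).
expire_record() {
    uid=$1 suffix=$2 when=$3
    valid_uid "$uid" || { echo "rejected uid: $uid" >&2; return 1; }
    valid_gtime "$when" || { echo "bad time: $when" >&2; return 1; }
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$uid" "$suffix"
    printf 'changetype: modify\nreplace: krbPasswordExpiration\n'
    printf 'krbPasswordExpiration: %s\n\n' "$when"
}

# Read login names on stdin, emit records for the valid ones and return
# non-zero if any name was rejected, so the caller can stop before applying.
expire_batch() {
    suffix=$1 when=$2 bad=0
    while IFS= read -r uid; do
        expire_record "$uid" "$suffix" "$when" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}
```

Writing the batch to a file and reviewing it before piping it to ldapmodify keeps a rejected name from going unnoticed.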
Re: [Freeipa-users] IPA 3.0 RHEL 6.4
On Tue, 08-10-2013 at 09:25 -0500, Zachary Musselman wrote:
> Hello Dmitri,
>
> We are currently using Samba as a file server and a DC with NT style domain for our Windows clients. IPA is the password backend for Samba.
>
> Our Red Hat consultant originally had the following items working when this system was installed last year.
>
> ** Ability to add groups in the IPA web interface for samba
>
> I have these patches and need to make sure that they work with IPA 3.0 and RHEL 6.4 before I apply them.

Those patches surely could be adapted without much work. The web interface for groups has not changed much between IPA 2.2 and 3.0.

Anyway, there is not a real need to patch the web interface to have IPA add the objectClasses (sambaGroupMapping) and attributes (sambaSID and sambaGroupType) required by Samba. I've done this for some customers adding a DNA plugin configuration for sambaSID and extending the IPA group object to add the objectclass and sambagrouptype, as explained in http://abbra.fedorapeople.org/guide.html#sec-4. No need to patch the Web UI here.

> ** We have a default password policy of 90 days expiration. This policy also has complexity, history, length, etc.
>
> Early this year that 90 day expiration stopped working and my Windows users were no longer receiving a must change password notice. We were hoping the update to RHEL 6.4 and IPA 3.0 would fix this but it has not. Currently my users are showing an EXPIRATION in IPA of June/July or so time frame. Back in April we manually changed all users' passwords to a temporary. That prompted them to login and change their password, hoping this would kickstart the 90 day expiration again. That was NOT successful.
>
> At a MINIMUM we are needing to correctly have IPA expire a user's password and allow Samba to understand that as well based on the password policy IPA shows for a given user.

To have some correspondence between IPA password policies and samba password policies you need to:

1. Create a sufficiently privileged bind user in ipa and have samba connect to IPA using that bind user. For example uid=sambaadmin,cn=sysaccounts,cn=etc,dc=example,dc=com

2. To have password changes in windows work as normal user password changes (instead of password resets) you must add the above bind user to the passsyncmanagersdn attribute of the ipa_pwd_extop plugin configuration. Similar to what is explained here: http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server.html

3. Samba should not mess with password expiration attributes in ldap, so you should set ldap passwd sync = only in smb.conf

4. You need a small patch in the ipa_pwd_extop plugin to have it set the sambaPwdLastSet attributes on password changes

5. Samba password policies (Maximum password duration, minimum password duration) should match the IPA password policies

At least that is the route we took with customers and it has worked fairly well.

> I have a test user who has a 2nd password policy we created. That user has 1 day expiration within IPA. When I change the following value using ldapmodify, it CORRECTLY makes Samba prompt the user to change their password when logging in the next time. When I change this test password, IPA resets the EXPIRATION DATE to 90 days out and not 1 day from the time password was changed.

Probably samba is connecting to IPA with an admin user and password changes work end up being done by IPA as password resets. See point 2 above.

> A third item we need fixed if possible, is the ability to enforce password complexity, history, length, etc. through Samba based on what IPA shows for a user's password policy. I cannot confirm if this WAS working or not after it was initially installed. I guess you or Rob would be the individuals who could tell me what is possible to enable this feature.

We've done it manually (with pdbedit -P) and after that everything works ok, password history, password length, password duration and complexity, all match between samba and IPA.

Hope it helps.

> On Fri, Oct 4, 2013 at 9:56 AM, Rob Crittenden rcrit...@redhat.com wrote:
>> Zach Musselman wrote:
>>> Hello,
>>>
>>> My company is having issues with our current install of IPA on RHEL 6.4.
>>>
>>> ** We had group patches that worked with IPA 2.2.0 and allowed us to enter samba groups directly in the IPA web interface.
>>>
>>> Red Hat is unable to confirm these patches are updated for IPA 3.0 RHEL 6.4 even though their Red Hat consultant created these a year ago.
>>
>> I'm not clear
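The checks behind steps 2, 3 and 5 of the list above, as an added example that is not part of the original message: shell functions that verify the Samba bind DN is listed in the plugin entry, verify the smb.conf setting, and translate an IPA policy into the pdbedit -P commands mentioned in the reply. Assumptions of this example: the plugin entry is cn=ipa_pwd_extop,cn=plugins,cn=config and the attribute is spelled passSyncManagersDNs; the function names and the sample policy numbers other than the 90 days are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread).
export LC_ALL=C

# Step 2. Pipe in the LDIF printed by, for example:
#   ldapsearch -x -D 'cn=Directory Manager' -W -s base \
#     -b 'cn=ipa_pwd_extop,cn=plugins,cn=config' passSyncManagersDNs
# Succeeds only if DN $1 is one of the listed values. The comparison is
# case-insensitive but otherwise on the DN string as written.
passsync_lists_dn() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' |
        sed -n 's/[[:space:]]*$//; s/^passsyncmanagersdns: *//p' |
        grep -Fxq -- "$want"
}

# Step 3. Succeeds only if the smb.conf text on stdin ends up with
# "ldap passwd sync = only". Commented-out lines never match the pattern;
# if the parameter is set more than once, the last assignment is used.
smbconf_sync_only() {
    val=$(sed -e 's/[[:space:]]*$//' |
          grep -iE '^[[:space:]]*ldap[[:space:]]*passwd[[:space:]]*sync[[:space:]]*=' |
          tail -n 1 | sed -e 's/^[^=]*=[[:space:]]*//' | tr 'A-Z' 'a-z')
    [ "$val" = only ]
}

# Step 5. Print the pdbedit commands that copy an IPA policy into Samba's
# account policy. Arguments follow "ipa pwpolicy-show": max lifetime in
# days, min lifetime in hours, history size, min length. Samba stores the
# two password ages in seconds. Complexity is not covered by this example.
samba_policy_cmds() {
    maxdays=$1 minhours=$2 history=$3 minlen=$4
    for n in "$maxdays" "$minhours" "$history" "$minlen"; do
        case "$n" in
            ''|*[!0-9]*|0?*) echo "not a plain number: $n" >&2; return 1 ;;
        esac
    done
    printf 'pdbedit -P "maximum password age" -C %s\n' $((maxdays * 86400))
    printf 'pdbedit -P "minimum password age" -C %s\n' $((minhours * 3600))
    printf 'pdbedit -P "password history" -C %s\n' "$history"
    printf 'pdbedit -P "min password length" -C %s\n' "$minlen"
}

# Constructed sample: the thread's 90-day policy with made-up values for
# the other three fields.
samba_policy_cmds 90 1 6 8
```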
Re: [Freeipa-users] Force to change password in first login
Rodney,

Thanks!...I forgot it totally...

Let me ask you about modifying the password using ldapmodify command, I tried changing userPassword attribute with {MD5} encryption and it did not work.

ldapmodify -x -H ldap://ipaserver -D "cn=directory manager" -w 'password' <<EOF
changetype: modify
replace: userPassword
userPassword: {MD5}QvdJref54ZW/R183pEyvyw==
EOF

Do I need to modify another attribute?...any clue?

Thanks in advance!

On 10/08/2013 12:07 PM, Rodney L. Mercer wrote:
> I've used this to extend the password expiration. It should work for setting an expired password expiration. You have to hit enter twice after the krbPasswordExpiration: 2013100800Z line.
>
> # ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 2013100800Z
>
> modifying entry uid=username,cn=users,cn=accounts,dc=example,dc=com
>
> ctrl-d
>
> On Tue, 2013-10-08 at 11:51 -0500, cbul...@gmail.com wrote:
>> Hi All,
>>
>> I created a script to add users to freeipa using ldapadd command and it works great. Now I want to forcibly change the password in the first user login. What attribute do I have to change to accomplish this?
>>
>> Thanks!
Re: [Freeipa-users] Force to change password in first login
I've used grub-md5-crypt to create a password for an openldap server and used this format:

# grub-md5-crypt
Password:
Retype password:
$1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1

Here is the ldif that I used to modify the entry on the openldap server:

#cat usermod.ldif
dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {crypt}$1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1

I'm not sure if this will work for the directory server that IPA uses? Worth a shot I suppose.

Rodney.

On Tue, 2013-10-08 at 12:28 -0500, cbul...@gmail.com wrote:
> Rodney,
>
> Thanks!...I forgot it totally...
>
> Let me ask you about modifying the password using ldapmodify command, I tried changing userPassword attribute with {MD5} encryption and it did not work.
>
> ldapmodify -x -H ldap://ipaserver -D "cn=directory manager" -w 'password' <<EOF
> changetype: modify
> replace: userPassword
> userPassword: {MD5}QvdJref54ZW/R183pEyvyw==
> EOF
>
> Do I need to modify another attribute?...any clue?
>
> Thanks in advance!
>
> On 10/08/2013 12:07 PM, Rodney L. Mercer wrote:
>> I've used this to extend the password expiration. It should work for setting an expired password expiration. You have to hit enter twice after the krbPasswordExpiration: 2013100800Z line.
>>
>> # ldapmodify -x -D 'cn=Directory Manager' -W
>> Enter LDAP Password:
>> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
>> changetype: modify
>> replace: krbPasswordExpiration
>> krbPasswordExpiration: 2013100800Z
>>
>> modifying entry uid=username,cn=users,cn=accounts,dc=example,dc=com
>>
>> ctrl-d
>>
>> On Tue, 2013-10-08 at 11:51 -0500, cbul...@gmail.com wrote:
>>> Hi All,
>>>
>>> I created a script to add users to freeipa using ldapadd command and it works great. Now I want to forcibly change the password in the first user login. What attribute do I have to change to accomplish this?
>>>
>>> Thanks!
Re: [Freeipa-users] Force to change password in first login
Rodney L. Mercer wrote:
> I've used grub-md5-crypt to create a password for an openldap server and used this format:
>
> # grub-md5-crypt
> Password:
> Retype password:
> $1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1
>
> Here is the ldif that I used to modify the entry on the openldap server:
>
> #cat usermod.ldif
> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: userPassword
> userPassword: {crypt}$1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1
>
> I'm not sure if this will work for the directory server that IPA uses? Worth a shot I suppose.

crypt will work. Or you can pass it in the clear and it will encrypt it for you using the default password scheme, SSHA1 IIRC.

rob

> Rodney.
>
> On Tue, 2013-10-08 at 12:28 -0500, cbul...@gmail.com wrote:
>> Rodney,
>>
>> Thanks!...I forgot it totally...
>>
>> Let me ask you about modifying the password using ldapmodify command, I tried changing userPassword attribute with {MD5} encryption and it did not work.
>>
>> ldapmodify -x -H ldap://ipaserver -D "cn=directory manager" -w 'password' <<EOF
>> changetype: modify
>> replace: userPassword
>> userPassword: {MD5}QvdJref54ZW/R183pEyvyw==
>> EOF
>>
>> Do I need to modify another attribute?...any clue?
>>
>> Thanks in advance!
>>
>> On 10/08/2013 12:07 PM, Rodney L. Mercer wrote:
>>> I've used this to extend the password expiration. It should work for setting an expired password expiration. You have to hit enter twice after the krbPasswordExpiration: 2013100800Z line.
>>>
>>> # ldapmodify -x -D 'cn=Directory Manager' -W
>>> Enter LDAP Password:
>>> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
>>> changetype: modify
>>> replace: krbPasswordExpiration
>>> krbPasswordExpiration: 2013100800Z
>>>
>>> modifying entry uid=username,cn=users,cn=accounts,dc=example,dc=com
>>>
>>> ctrl-d
>>>
>>> On Tue, 2013-10-08 at 11:51 -0500, cbul...@gmail.com wrote:
>>>> Hi All,
>>>>
>>>> I created a script to add users to freeipa using ldapadd command and it works great. Now I want to forcibly change the password in the first user login. What attribute do I have to change to accomplish this?
>>>>
>>>> Thanks!
Re: [Freeipa-users] IPA 3.0 RHEL 6.4
Hi Loris, Thanks for the quick and informational response. I'm going to ask for a little hand holding here. I'm not well versed in LDAP or IPA. How would I use ldapsearch to check that this value is correctly set already? I have already set ldap passwd sync = only in smb.conf as recommended by our Red Hat Consultant. Where can I find that patch that is needed to correctly set the sambaPwdLastSet attribute? To have some correspondence between IPA password policies and samba password policies you need to: 1. Create a sufficiently privileged bind user in ipa and have samba connect to IPA using that bind user. For example uid=sambaadmin,cn=sysaccounts,cn=etc,dc=example,dc=com 2. To have password changes in windows work as normal user password changes (instead of password resets) you must add the above bind user to the passsyncmanagersdn attribute of the ipa_pwd_extop plugin configuration. Similar to what is explained here: http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server.html 3. Samba should not mess with password expiration attributes in ldap, so you should set ldap passwd sync = only in smb.conf 4. You need a small patch in the ipa_pwd_extop plugin to have it set the sambaPwdLastSet attributes on password changes 5. Samba password policies (Maximum password duration, minimum password duration) should match the IPA password policies Below are the patches I received from our Red Hat consultant. Is this similar to what your talking about? -- --- group.js.orig 2012-06-25 11:59:02.789096058 -0700 +++ group.js2012-06-25 12:02:47.669143612 -0700 @@ -37,7 +37,8 @@ columns: [ 'cn', 'gidnumber', -'description' +'description', +'sambagrouptype' ] }). details_facet({ @@ -50,7 +51,8 @@ type: 'textarea', name: 'description' }, -'gidnumber' +'gidnumber', + 'sambagrouptype' ] } ] 
@@ -116,6 +118,14 @@ label: IPA.messages.objects.group.posix, checked: true }, +{ +factory: IPA.select_widget, +name: 'sambagrouptype', +label: IPA.messages.objects.group.sambagrouptype, +options: [ +{label: 'Domain', value: 2}, +{label: 'Local', value: 4}] +}, 'gidnumber' ] }); --- group.py.orig 2012-06-25 12:06:13.265838223 -0700 +++ group.py2012-06-25 12:06:19.513906111 -0700 @@ -102,7 +102,7 @@ takes_params = ( Str('cn', -pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', +pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_. -]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', maxlength=255, cli_name='group_name', @@ -121,6 +121,13 @@ doc=_('GID (use this option to set it manually)'), minvalue=1, ), +Int('sambagrouptype', +cli_name='sgt', +label=_('Samba Group Type'), +doc=_('Samba Group Type (default is 2)'), +default=2, +autofill=True, +), ) api.register(group) --- On Tue, Oct 8, 2013 at 12:15 PM, Loris Santamaria lo...@lgs.com.ve wrote: El mar, 08-10-2013 a las 09:25 -0500, Zachary Musselman escribió: Hello Dmitri, We are currently using Samba as a file server and a DC with NT style domain for our Windows clients. IPA is the password backend for Samba. Our Red Hat consultant originally had the following items working when this system was installed last year. ** Ability to add groups in the IPA web interface for samba I have these patches and need to make sure that they work with IPA 3.0 and RHEL 6.4 before I apply them. Those patches surely could be adapted without
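Review bot: In the group.js hunk at @@ -116,6 +118,14 @@ the new select widget takes its label from IPA.messages.objects.group.sambagrouptype, but none of the hunks shown adds that message, so the field will render without a label unless the string is defined somewhere else. Add the message in the same change, or use a literal label until it exists.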
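Review bot: The cn pattern in the group.py hunk at @@ -102,7 +102,7 @@ now allows a space inside the group name, but pattern_errmsg still says 'may only include letters, numbers, _, -, . and $', so a rejected name gets a message that no longer describes the rule. Update the message to mention spaces, and check the code paths that build DNs or command lines from the group name, since the old pattern never let a space through.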
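Review bot: The Int('sambagrouptype', ...) parameter added in the group.py hunk at @@ -121,6 +121,13 @@ has default=2 and autofill=True but no bounds, so the command line accepts any integer while the web UI select in group.js offers only 2 and 4. Restrict it to the values the UI offers (the gidnumber parameter just above already uses minvalue). With autofill every new group gets the attribute, and none of the hunks shown adds the Samba object class that carries it, so confirm the group object classes are extended elsewhere.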
Re: [Freeipa-users] Force to change password in first login
Thanks Rob and Rodney! Your recommendations worked.

On 10/08/2013 12:53 PM, Rob Crittenden wrote:
> Rodney L. Mercer wrote:
>> I've used grub-md5-crypt to create a password for an openldap server and used this format:
>>
>> # grub-md5-crypt
>> Password:
>> Retype password:
>> $1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1
>>
>> Here is the ldif that I used to modify the entry on the openldap server:
>>
>> #cat usermod.ldif
>> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
>> changetype: modify
>> replace: userPassword
>> userPassword: {crypt}$1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1
>>
>> I'm not sure if this will work for the directory server that IPA uses? Worth a shot I suppose.
>
> crypt will work. Or you can pass it in the clear and it will encrypt it for you using the default password scheme, SSHA1 IIRC.
>
> rob
>
>> Rodney.
>>
>> On Tue, 2013-10-08 at 12:28 -0500, cbul...@gmail.com wrote:
>>> Rodney,
>>>
>>> Thanks!...I forgot it totally...
>>>
>>> Let me ask you about modifying the password using ldapmodify command, I tried changing userPassword attribute with {MD5} encryption and it did not work.
>>>
>>> ldapmodify -x -H ldap://ipaserver -D "cn=directory manager" -w 'password' <<EOF
>>> changetype: modify
>>> replace: userPassword
>>> userPassword: {MD5}QvdJref54ZW/R183pEyvyw==
>>> EOF
>>>
>>> Do I need to modify another attribute?...any clue?
>>>
>>> Thanks in advance!
>>>
>>> On 10/08/2013 12:07 PM, Rodney L. Mercer wrote:
>>>> I've used this to extend the password expiration. It should work for setting an expired password expiration. You have to hit enter twice after the krbPasswordExpiration: 2013100800Z line.
>>>>
>>>> # ldapmodify -x -D 'cn=Directory Manager' -W
>>>> Enter LDAP Password:
>>>> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
>>>> changetype: modify
>>>> replace: krbPasswordExpiration
>>>> krbPasswordExpiration: 2013100800Z
>>>>
>>>> modifying entry uid=username,cn=users,cn=accounts,dc=example,dc=com
>>>>
>>>> ctrl-d
>>>>
>>>> On Tue, 2013-10-08 at 11:51 -0500, cbul...@gmail.com wrote:
>>>>> Hi All,
>>>>>
>>>>> I created a script to add users to freeipa using ldapadd command and it works great. Now I want to forcibly change the password in the first user login. What attribute do I have to change to accomplish this?
>>>>>
>>>>> Thanks!