Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow
On 09/20/2016 12:17 AM, Simpson Lachlan wrote: -Original Message- On 09/19/2016 03:12 AM, Lachlan Musicman wrote: Hi Sometimes when I visit the ID Views page in the webgui, it is crushingly slow, and often it times out. Centos 7, ipa --version VERSION: 4.2.0, API_VERSION: 2.156 Is there a reason, can I do something to fix this? What kind of ID Views do you use? Do you use them to override AD users? Is there any useful info in '/var/log/httpd/error_log'?

There is the single ID View Name, Default Trust View, and in that we have a number of users overriding the AD usernames and home dirs. The httpd error log is relatively large, tbh, but there's nothing in there that looks like an obvious reason. In fact, for an error log, there is a hell of a lot of "SUCCESS" messages? The most obvious culprit in the error log is jsonserver_session... Next time I see it (I only see it intermittently), I'll grab the logs and have a look. Cheers L.

This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt.

One thing that crossed my mind is to check the connectivity to the AD domain controllers. To resolve AD user overrides, FreeIPA uses SSSD to contact AD DCs to do the username -> SID translation. If there is some problem contacting them, then there may be hangs/timeouts when resolving override anchors.
Thus you may also want to check SSSD logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting) to see whether this is not the case. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] sssd.conf - the server and host-client relationship
Hola,

What is the relationship between the IPA server, host-clients and the sssd.conf? From what I can tell, sssd.conf is edited/changed by the ipa-client-install process on the host-client. What level of similarity does there need to be between the two sssd.confs? My server's sssd.conf has a significant number of extra parameters set that are not getting put onto the clients. Debug levels are the most obvious, and understandable, omissions - but some others are frustrating.

The (non debug_level) parameters missing are:

--
[domain/unixdev.etc]
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
selinux_provider = none
ipa_server_mode = True
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
config_file_version = 2
domains = unixdev.etc

[nss]
memcache_timeout = 600
--

The other diff is that the host has:
ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au

client has:
ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au

Which I presume is expected/desired.

And the reason I ask is because we have selinux disabled, and without the "selinux_provider = none" line, we would get kicked out as soon as freeipa had logged us in with message:

Connection to test_client.unixdev.petermac.org.au closed by remote host.

and on that host-client there was a brand new selinux_child.log that I'd never seen before.

cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
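The comparison the post above does by hand (which options the server's sssd.conf sets that the client's stripped-down file lacks, and which are set differently) can be scripted. The following is an added example, not from the thread or the SSSD project: it parses two sssd.conf texts with configparser and reports the differences while ignoring debug_level. Both configs are constructed from the listing in the mail; the id_provider line is an assumption so that the domain section is complete.

```python
"""Compare a server sssd.conf with a client sssd.conf (added example, not from
the thread). Reports options set on the server but absent on the client, and
options set on both sides with different values."""
import configparser

# Constructed from the listing in the mail above. id_provider = ipa is an
# assumption (ipa-client-install writes it; it is not shown in the mail).
SERVER_SSSD_CONF = """\
[domain/unixdev.etc]
id_provider = ipa
ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
selinux_provider = none
ipa_server_mode = True
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
debug_level = 6

[sssd]
config_file_version = 2
domains = unixdev.etc
services = nss, sudo, pam, ssh

[nss]
memcache_timeout = 600
"""

# Constructed: the stripped-down file ipa-client-install leaves on a client.
CLIENT_SSSD_CONF = """\
[domain/unixdev.etc]
id_provider = ipa
ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
config_file_version = 2
domains = unixdev.etc
services = nss, sudo, pam, ssh
"""

# Options expected to differ per host; not worth reporting.
IGNORED_OPTIONS = {"debug_level"}


def load_sssd_conf(text):
    """Parse sssd.conf text. Option names keep their case; '=' is the only
    delimiter so values containing ':' (ldap:// URIs) survive intact."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def missing_on_client(server, client):
    """{section: {option: server_value}} for options the server sets but the
    client does not (a whole section appears when the client lacks it)."""
    missing = {}
    for section in server.sections():
        for option, value in server.items(section):
            if option in IGNORED_OPTIONS or client.has_option(section, option):
                continue
            missing.setdefault(section, {})[option] = value
    return missing


def differing(server, client):
    """{section: {option: (server_value, client_value)}} for options present
    on both sides with different values."""
    diffs = {}
    for section in server.sections():
        for option, value in server.items(section):
            if option in IGNORED_OPTIONS or not client.has_option(section, option):
                continue
            other = client.get(section, option)
            if other != value:
                diffs.setdefault(section, {})[option] = (value, other)
    return diffs


def report(server_text, client_text):
    """One finding per line, for reading on a terminal."""
    server, client = load_sssd_conf(server_text), load_sssd_conf(client_text)
    lines = []
    for section, opts in missing_on_client(server, client).items():
        for option, value in opts.items():
            lines.append(f"[{section}] missing on client: {option} = {value}")
    for section, opts in differing(server, client).items():
        for option, (sv, cv) in opts.items():
            lines.append(f"[{section}] differs: {option}: server={sv!r} client={cv!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SERVER_SSSD_CONF, CLIENT_SSSD_CONF)))
```

Running it against the two constructed files lists selinux_provider, the sudo/LDAP options and the [nss] memcache_timeout as missing on the client, and ipa_server as the one option set differently, which is exactly the diff the post describes.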
Re: [Freeipa-users] HBAC doesn't work issues
(redface) It seems to be working. Thanks -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 20 September 2016 at 09:57, Lachlan Musicman wrote: > We have one "allow all" sudo rule (anyone, any host, any command). > > Matching Defaults entries for root on this host: > requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS > DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 > PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE > LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY > LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL > LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", > secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin > > User root may run the following commands on this host: > (ALL) ALL > > > My sssd.conf has: > > [domain/unixdev.etc] > ... > sudo_provider = ldap > ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au > ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au > ldap_sasl_mech = GSSAPI > ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au > ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU > krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au > > [sssd] > services = nss, sudo, pam, ssh > config_file_version = 2 > domains = unixdev.petermac.org.au > debug_level = 6 > > [sudo] > debug_level = 6 > > but only on the server - does that need to filter down to each client? The > client side sssd.confs seem to be auto created when ipa-client-install is > run, and are stripped down... > > cheers > L. > > -- > The most dangerous phrase in the language is, "We've always done it this > way." > > - Grace Hopper > > On 19 September 2016 at 18:21, Lukas Slebodnik > wrote: > >> On (19/09/16 16:43), Lachlan Musicman wrote: >> >I must have made an error again: >> > >> >- ipa hbactest gives seemingly correct answer on both server and client >> >- user can't actually use sudo on client?
>> > >> >Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR >> > >> >>From the server: >> > >> >[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au >> >--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo >> > >> >Access granted: True >> > >> > Matched rules: Cluster Admin Users (sudo) >> > Not matched rules: Cluster Users >> >[root@vmdv-linuxidm1 ~]# >> > >> > >> >>From the host in question: >> > >> >[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au >> >--host `hostname` --service sudo >> > >> >Access granted: True >> > >> > Matched rules: Cluster Admin Users (sudo) >> > Not matched rules: Cluster Users >> >[root@vmts-linuxclient1 ~]# >> > >> > >> >[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot >> >[sudo] password for lsimp...@petermac.org.au: >> >lsimp...@petermac.org.au is not allowed to run sudo on >> vmts-linuxclient1. >> >This incident will be reported. >> > >> Did you configure sudo rules for such user? >> What is an output of "sudo -l" >> >> LS >> >
Re: [Freeipa-users] HBAC doesn't work issues
We have one "allow all" sudo rule (anyone, any host, any command).

Matching Defaults entries for root on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on this host:
(ALL) ALL

My sssd.conf has:

[domain/unixdev.etc]
...
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = unixdev.petermac.org.au
debug_level = 6

[sudo]
debug_level = 6

but only on the server - does that need to filter down to each client? The client side sssd.confs seem to be auto created when ipa-client-install is run, and are stripped down...

cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

On 19 September 2016 at 18:21, Lukas Slebodnik wrote: > On (19/09/16 16:43), Lachlan Musicman wrote: > >I must have made an error again: > > > >- ipa hbactest gives seemingly correct answer on both server and client > >- user can't actually use sudo on client?
> > > >Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR > > > >>From the server: > > > >[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au > >--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo > > > >Access granted: True > > > > Matched rules: Cluster Admin Users (sudo) > > Not matched rules: Cluster Users > >[root@vmdv-linuxidm1 ~]# > > > > > >>From the host in question: > > > >[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au > >--host `hostname` --service sudo > > > >Access granted: True > > > > Matched rules: Cluster Admin Users (sudo) > > Not matched rules: Cluster Users > >[root@vmts-linuxclient1 ~]# > > > > > >[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot > >[sudo] password for lsimp...@petermac.org.au: > >lsimp...@petermac.org.au is not allowed to run sudo on vmts-linuxclient1. > >This incident will be reported. > > > Did you configure sudo rules for such user? > What is an output of "sudo -l" > > LS
Re: [Freeipa-users] bind crashes on rndc reload
On Monday, September 19, 2016 2:16:55 PM CDT Petr Spacek wrote: > On 12.9.2016 11:55, Anthony Joseph Messina wrote: > > On Monday, September 12, 2016 10:31:10 AM CDT Jochen Demmer wrote: > >> Hi, > >> > >> I have a major issue with my setup: > >> Fedora 24 > >> freeipa-common-4.3.2-2.fc24.noarch > >> freeipa-admintools-4.3.2-2.fc24.noarch > >> freeipa-server-dns-4.3.2-2.fc24.noarch > >> freeipa-client-common-4.3.2-2.fc24.noarch > >> freeipa-server-4.3.2-2.fc24.x86_64 > >> freeipa-server-common-4.3.2-2.fc24.noarch > >> freeipa-client-4.3.2-2.fc24.x86_64 > >> bind-dyndb-ldap-9.0-3.fc24.x86_64 > >> bind-libs-lite-9.10.4-1.P2.fc24.x86_64 > >> bind-pkcs11-libs-9.10.4-1.P2.fc24.x86_64 > >> bind99-libs-9.9.9-1.P2.fc24.x86_64 > >> bind-utils-9.10.4-1.P2.fc24.x86_64 > >> rpcbind-0.2.3-11.rc1.fc24.x86_64 > >> bind-license-9.10.4-1.P2.fc24.noarch > >> bind-pkcs11-9.10.4-1.P2.fc24.x86_64 > >> bind-9.10.4-1.P2.fc24.x86_64 > >> bind-libs-9.10.4-1.P2.fc24.x86_64 > >> bind99-license-9.9.9-1.P2.fc24.noarch > >> bind-pkcs11-utils-9.10.4-1.P2.fc24.x86_64 > >> > >> It seems that there is a regular but not daily "rndc reload" sent to the > >> nameserver that leads to a crash of it. I sent a SIGHUP to the named > >> process, but that didn't lead to a crash. Only "rndc reload" does. It > >> does not crash EVERY time, but most of the times. I need to do an > >> "ipactl restart" in order to get the nameserver up and running again. > >> > >> I found this thread, but this doesn't give me any clues: > >> https://www.redhat.com/archives/freeipa-users/2012-May/msg00340.html > >> > >> This is what the log says: > >> http://paste.debian.net/818354/ > >> Please understand that I obfuscated my IP addresses and domain names > >> > >> This is the strace: > >> http://paste.debian.net/818365/ > >> > >> This is my named.conf: > >> http://paste.debian.net/818368/ > >> > >> Hope someone can help. 
> >> Jochen > > > > I wish I could, as I have the same issue, usually early Sunday morning > > after some cron/timer job that reloads: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1362162 > > Could you please try bind-dyndb-ldap-10.1-1.fc24 from updates-testing? > > Alternatively the package can be downloaded from > http://koji.fedoraproject.org/koji/buildinfo?buildID=792505 > > Please let me know if it fixes your problem or not.

bind-dyndb-ldap-10.1-1.fc24 from updates-testing seems to work, or at least it does not crash on rndc reload. I'll give it some time and see what happens, since it didn't crash every time before either. Thank you Petr. -A

-- Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow
> -Original Message- > > On 09/19/2016 03:12 AM, Lachlan Musicman wrote: > > Hi > > > > Sometimes when I visit the ID Views page in the webgui, it is > > crushingly slow, and often it times out. > > > > Centos 7, ipa --version > > VERSION: 4.2.0, API_VERSION: 2.156 > > > > Is there a reason, can I do something to fix this? > > > > What kind of ID Views do you use? Do you use them to override AD users? > Is there any useful info in '/var/log/httpd/error_log'?

There is the single ID View Name, Default Trust View, and in that we have a number of users overriding the AD usernames and home dirs. The httpd error log is relatively large, tbh, but there's nothing in there that looks like an obvious reason. In fact, for an error log, there is a hell of a lot of "SUCCESS" messages? The most obvious culprit in the error log is jsonserver_session... Next time I see it (I only see it intermittently), I'll grab the logs and have a look. Cheers L.
Re: [Freeipa-users] Fwd: Re: Increase ListenBacklog for httpd
Rakesh Rajasekharan writes: > On Mon, Sep 12, 2016 at 10:13 AM, Rakesh Rajasekharan > > > wrote: > > sorry I guess I did not put the question correctly > > I wanted to know .. like we have the ListenBacklog for apache to > basically define the number of connections it can handle.. do we > have some thing similar for our krb5kdc service.. as the SYN flooding > at 88 looks like krb5kdc service is not able to handle sudden spurt > in connections or the number of connections are more than it could > handle.. > > So, would be great if I could know how many connection it can > support at any given time ..most of the times I see this error while > i add clients to IPA master.. so if there's a known limit , I could > first check netstat to see how many connections I have at any point > and if its below the limit only then setup ipa-client-install

We intentionally do not have such a parameter in krb5. We call listen(5) internally, but please note this is probably not the parameter you want to be able to tune. The listen() backlog is the number of connections that are waiting to be accept()ed by the process. They sit in the kernel, not receiving SYNACK. This number does not count connections that the process - here krb5kdc - has accept()ed and is currently processing. If you're truly seeing connections faster than they can be accept()ed, you have a load problem that tuning this parameter likely won't fix. You should probably configure replicas: krb5 will fall back if the connection is refused from one kdc to the next configured one. This will result in faster operation for your users than waiting on an enormous listen() backlog will as well. A tunable for the listen value may be added in the future, but is not available at the present time.
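The distinction the reply draws (the backlog counts handshakes waiting for accept(), not connections the daemon is already handling) is easy to observe on a loopback socket. The following is an added example, not from the thread or from krb5: a listener with a tiny backlog never calls accept(), so clients beyond the queue get no SYN-ACK and time out; once the server accept()s one connection, a slot frees and the next client gets through. It assumes Linux semantics, where a backlog of N admits N+1 completed handshakes and silently drops further SYNs rather than sending RST.

```python
"""Show what a listen() backlog does and does not limit (added example, not
from the thread or from krb5). A server socket with a small backlog never
calls accept(); clients beyond the queue are left with an unanswered SYN until
their connect() times out. Calling accept() moves a connection out of the
backlog and frees a slot, which is why the backlog says nothing about how many
connections the daemon is processing."""
import socket


def _listener(backlog):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    srv.listen(backlog)
    return srv


def _try_connect(port, timeout):
    """Return the connected socket, or None if the handshake did not complete
    within `timeout` (SYN dropped) or was rejected (RST)."""
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.settimeout(timeout)
    try:
        c.connect(("127.0.0.1", port))
        return c
    except OSError:  # socket.timeout and ConnectionRefusedError are OSErrors
        c.close()
        return None


def probe_backlog(backlog, attempts, timeout=0.5):
    """Connect `attempts` times to a server that never accept()s.
    Returns (completed, stalled): handshakes that finished vs. did not."""
    srv = _listener(backlog)
    port = srv.getsockname()[1]
    live, stalled = [], 0
    for _ in range(attempts):
        c = _try_connect(port, timeout)
        if c is None:
            stalled += 1
        else:
            live.append(c)
    for c in live:
        c.close()
    srv.close()
    return len(live), stalled


def accept_frees_slot(backlog, timeout=0.5):
    """Fill the backlog, accept() one connection (the daemon 'handling' it),
    then check that one more client can complete its handshake."""
    srv = _listener(backlog)
    port = srv.getsockname()[1]
    live = []
    while True:  # keep connecting until the queue is full and a connect stalls
        c = _try_connect(port, timeout)
        if c is None or len(live) > backlog + 8:  # second clause: unusual TCP stacks
            break
        live.append(c)
    accepted, _ = srv.accept()
    extra = _try_connect(port, timeout)
    ok = extra is not None
    for c in live + [accepted] + ([extra] if extra else []):
        c.close()
    srv.close()
    return ok


if __name__ == "__main__":
    done, stuck = probe_backlog(backlog=1, attempts=5)
    print(f"backlog=1, 5 connects: {done} completed, {stuck} timed out")
    print("after accept(), another client connects:", accept_frees_slot(backlog=1))
```

With backlog=1 on Linux the first run reports two completed handshakes and three timeouts, and the second reports True. The stalled clients are the "SYN flooding on port 88" symptom from the thread: the kernel logs it when SYNs arrive for a full accept queue, whatever the cause of the daemon not keeping up.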
Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE
Natxo Asenjo wrote: hi, On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden wrote: The 3 certs you list are the ones that are renewed via the IPA API (as opposed to the subsystem certs renewed directly by dogtag). I think the failures are all related. I had someone else report the CSR decoding failure and he just restarted IPA and that fixes things for him though it was a rather unsatisfying fix. What I'd do is this. Assuming each step works, move onto the next.

1. ipa cert-show 1

The serial # picked more or less at random, we're testing connectivity and that the CA is up and operational.

2. I assume that getcert list | grep expire shows all certs currently valid? The IPA service certs expire in a month, how about the CA subsystem certs?

3. Is this the same server having problems talking to the CA due to the other NSS errors? If so what I'd do is restart httpd then immediately use ipa-getcert to resubmit the requests to try to get into that few minute window. If this is the same box you already have debugging enabled so seeing what that shows might be helpful. rob

yes, all certs are valid (see attachment getcert.txt). So I restarted httpd, I could execute ipa cert-show 1 and get an answer, immediately after I run

$ sudo ipa-getcert resubmit -i 20121107212513
Resubmitting "20121107212513" to "IPA".

and now the status is the one you see in the attached getcert.txt file. The server failed request, will retry. I do not know if it's important, but I saw that the usercertificate attribute of the pki user admin was expired.1 I attach the error_log of httpd as well.

Ok, how about we work around the problem. Since it is failing on the revocation what you might try is removing the userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry. I think this will work:

$ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl

If this doesn't work you can use ldapmodify to delete the usercertificate value.
This will remove the certificate value so there is nothing to revoke and a new cert will be saved (hopefully). Now try to resubmit the request via certmonger. If it works then you can run ipa cert-revoke It isn't a great answer long-term because it is really just working around the problem but it should get the certs renewed. rob
Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server
On 09/16/2016 06:39 PM, Petr Vobornik wrote: On 09/14/2016 07:26 PM, Giorgos Kafataridis wrote: On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote: On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote: On 9/9/2016 2:46 PM, Georgios Kafataridis wrote: I've tried that but still the same result. [root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h localhost -b "uid=admin,ou=people,o=ipaca" Enter LDAP Password: # extended LDIF # # LDAPv3 # base
Re: [Freeipa-users] bind crashes on rndc reload
On 12.9.2016 11:55, Anthony Joseph Messina wrote: > On Monday, September 12, 2016 10:31:10 AM CDT Jochen Demmer wrote: >> Hi, >> >> I have a major issue with my setup: >> Fedora 24 >> freeipa-common-4.3.2-2.fc24.noarch >> freeipa-admintools-4.3.2-2.fc24.noarch >> freeipa-server-dns-4.3.2-2.fc24.noarch >> freeipa-client-common-4.3.2-2.fc24.noarch >> freeipa-server-4.3.2-2.fc24.x86_64 >> freeipa-server-common-4.3.2-2.fc24.noarch >> freeipa-client-4.3.2-2.fc24.x86_64 >> bind-dyndb-ldap-9.0-3.fc24.x86_64 >> bind-libs-lite-9.10.4-1.P2.fc24.x86_64 >> bind-pkcs11-libs-9.10.4-1.P2.fc24.x86_64 >> bind99-libs-9.9.9-1.P2.fc24.x86_64 >> bind-utils-9.10.4-1.P2.fc24.x86_64 >> rpcbind-0.2.3-11.rc1.fc24.x86_64 >> bind-license-9.10.4-1.P2.fc24.noarch >> bind-pkcs11-9.10.4-1.P2.fc24.x86_64 >> bind-9.10.4-1.P2.fc24.x86_64 >> bind-libs-9.10.4-1.P2.fc24.x86_64 >> bind99-license-9.9.9-1.P2.fc24.noarch >> bind-pkcs11-utils-9.10.4-1.P2.fc24.x86_64 >> >> It seems that there is a regular but not daily "rndc reload" sent to the >> nameserver that leads to a crash of it. I sent a SIGHUP to the named >> process, but that didn't lead to a crash. Only "rndc reload" does. It >> does not crash EVERY time, but most of the times. I need to do an >> "ipactl restart" in order to get the nameserver up and running again. >> >> I found this thread, but this doesn't give me any clues: >> https://www.redhat.com/archives/freeipa-users/2012-May/msg00340.html >> >> This is what the log says: >> http://paste.debian.net/818354/ >> Please understand that I obfuscated my IP addresses and domain names >> >> This is the strace: >> http://paste.debian.net/818365/ >> >> This is my named.conf: >> http://paste.debian.net/818368/ >> >> Hope someone can help. >> Jochen > > I wish I could, as I have the same issue, usually early Sunday morning after > some cron/timer job that reloads: > > https://bugzilla.redhat.com/show_bug.cgi?id=1362162 Could you please try bind-dyndb-ldap-10.1-1.fc24 from updates-testing? 
Alternatively the package can be downloaded from http://koji.fedoraproject.org/koji/buildinfo?buildID=792505 Please let me know if it fixes your problem or not. -- Petr^2 Spacek
Re: [Freeipa-users] Want to extend schema for ipahost
Thank You Flo This helped!!! Best regards, Deepak > Subject: Re: [Freeipa-users] Want to extend schema for ipahost > To: deepak_di...@hotmail.com; freeipa-users@redhat.com > From: f...@redhat.com > Date: Mon, 19 Sep 2016 13:41:00 +0200 > > On 09/19/2016 01:31 PM, Deepak Dimri wrote: > > Hi All, > > > > I want to add couple of custom attribute to IPA Host. I have already > > added custom attributes and objectclass "AWSInstanceDetails" to my > > schema successfully but when i am trying to modify existing host to > > include the new objectclass i am getting below error > > > > ldap_modify: Object class violation (65) > > > > additional info: missing attribute "sn" required by object class > > "AWSInstanceDetails" > > > > > > my ldif file to add the newly created objectclass. > > > > > > dn: fqdn=testhost,dc=ddiam,dd=online > > > > changetype: modify > > > > add: objectclass > > > > objectclass: AWSInstanceDetails > > > > > > How can i extend my ipahost objectclass to include additional > > attributes? i followed this document to extend ipa > > userobjectclass > > https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf but > > now i need help with ipahost > > > > > > As always any help would be much appreciated! > > > > > > Thanks, > > > > Deepak > > > > > > > > Hi Deepak, > > What is your schema definition for AWSInstanceDetails? If it requires > the "sn" attribute as a mandatory attribute (i.e in the MUST section), > then you need to define a value for sn in your ldif file. Otherwise the > schema would not be respected by your object. > > For instance: > dn: fqdn=testhost,dc=ddiam,dd=online > changetype: modify > add: objectclass > objectclass: AWSInstanceDetails > - > add: sn > sn: myValue > > If, on the contrary, you do not want the attribute to be mandatory, you > can define the AWSInstanceDetails objectclass with an optional "sn" > attribute, by putting sn in the MAY section. > > Hope this helps, > Flo.
Re: [Freeipa-users] Want to extend schema for ipahost
On 19.09.2016 13:41, Florence Blanc-Renaud wrote: On 09/19/2016 01:31 PM, Deepak Dimri wrote: Hi All, I want to add couple of custom attribute to IPA Host. I have already added custom attributes and objectclass "AWSInstanceDetails" to my schema successfully but when i am trying to modify existing host to include the new objectclass i am getting below error

ldap_modify: Object class violation (65)
additional info: missing attribute "sn" required by object class "AWSInstanceDetails"

my ldif file to add the newly created objectclass.

dn: fqdn=testhost,dc=ddiam,dd=online
changetype: modify
add: objectclass
objectclass: AWSInstanceDetails

How can i extend my ipahost objectclass to include additional attributes? i followed this document to extend ipa userobjectclass https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf but now i need help with ipahost As always any help would be much appreciated! Thanks, Deepak

Hi Deepak, What is your schema definition for AWSInstanceDetails? If it requires the "sn" attribute as a mandatory attribute (i.e in the MUST section), then you need to define a value for sn in your ldif file. Otherwise the schema would not be respected by your object.

For instance:
dn: fqdn=testhost,dc=ddiam,dd=online
changetype: modify
add: objectclass
objectclass: AWSInstanceDetails
-
add: sn
sn: myValue

If, on the contrary, you do not want the attribute to be mandatory, you can define the AWSInstanceDetails objectclass with an optional "sn" attribute, by putting sn in the MAY section. Hope this helps, Flo.

Yes please use only MAY attributes otherwise you will not be able to create new entries using IPA CLI/webUI

Martin^2
Re: [Freeipa-users] User gecos in IPA-AD trust
On Mon, Sep 19, 2016 at 01:47:22PM +0200, Troels Hansen wrote: > Hi, i'm having some problems setting user's gecos in AD trust environment. > > No matter what I change ldap_user_gecos to its not changes on AD users. > > I guess its because I can only set it on the IPA domain, in SSSD config, and > it can't be added to the subdomain_inherit ? Currently it's not possible.
[Freeipa-users] User gecos in IPA-AD trust
Hi, i'm having some problems setting user's gecos in AD trust environment. No matter what I change ldap_user_gecos to its not changes on AD users. I guess its because I can only set it on the IPA domain, in SSSD config, and it can't be added to the subdomain_inherit ? -- Kind regards, Troels Hansen Systems consultant Casalogic A/S T (+45) 70 20 10 63 M (+45) 22 43 71 57 Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
Re: [Freeipa-users] Want to extend schema for ipahost
On 09/19/2016 01:31 PM, Deepak Dimri wrote: Hi All, I want to add couple of custom attribute to IPA Host. I have already added custom attributes and objectclass "AWSInstanceDetails" to my schema successfully but when i am trying to modify existing host to include the new objectclass i am getting below error

ldap_modify: Object class violation (65)
additional info: missing attribute "sn" required by object class "AWSInstanceDetails"

my ldif file to add the newly created objectclass.

dn: fqdn=testhost,dc=ddiam,dd=online
changetype: modify
add: objectclass
objectclass: AWSInstanceDetails

How can i extend my ipahost objectclass to include additional attributes? i followed this document to extend ipa userobjectclass https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf but now i need help with ipahost As always any help would be much appreciated! Thanks, Deepak

Hi Deepak, What is your schema definition for AWSInstanceDetails? If it requires the "sn" attribute as a mandatory attribute (i.e in the MUST section), then you need to define a value for sn in your ldif file. Otherwise the schema would not be respected by your object.

For instance:
dn: fqdn=testhost,dc=ddiam,dd=online
changetype: modify
add: objectclass
objectclass: AWSInstanceDetails
-
add: sn
sn: myValue

If, on the contrary, you do not want the attribute to be mandatory, you can define the AWSInstanceDetails objectclass with an optional "sn" attribute, by putting sn in the MAY section. Hope this helps, Flo.
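The three copies of this thread above come down to one schema rule: an entry must carry every attribute in the MUST list of each of its object classes, and MAY attributes are optional. The following is an added example, not from the thread or from 389-ds: a small validator that parses RFC 4512-style objectClass definitions and checks a modify LDIF against them, reproducing the "Object class violation" from the first mail and showing why Flo's extra `sn` value and Martin's MAY-only definition both make it go away. The two AWSInstanceDetails definitions are constructed for illustration (the OID is a placeholder, and the awsInstanceId/awsRegion attributes are assumed); the LDIF records are the ones posted in the thread.

```python
"""Validate an entry against the MUST/MAY lists of its object classes (added
example, not from the thread). Reproduces the ldap_modify 'Object class
violation' above and shows how a MAY-only definition avoids it."""
import re

# Constructed objectClass definitions in RFC 4512 syntax. The OID is a
# placeholder, not the poster's real one. The first models the posted schema
# (sn in MUST); the second is the MAY-only form recommended in the thread.
SCHEMA_WITH_MUST = (
    "( 1.3.6.1.4.1.99999.1.2.1 NAME 'AWSInstanceDetails' SUP top AUXILIARY "
    "MUST ( sn ) MAY ( awsInstanceId $ awsRegion ) )"
)
SCHEMA_MAY_ONLY = (
    "( 1.3.6.1.4.1.99999.1.2.1 NAME 'AWSInstanceDetails' SUP top AUXILIARY "
    "MAY ( sn $ awsInstanceId $ awsRegion ) )"
)

# The modify LDIF posted in the thread, and the corrected one from the reply.
POSTED_LDIF = """\
dn: fqdn=testhost,dc=ddiam,dd=online
changetype: modify
add: objectclass
objectclass: AWSInstanceDetails
"""
FIXED_LDIF = POSTED_LDIF + """\
-
add: sn
sn: myValue
"""


def parse_objectclass(definition):
    """Return (name, must, may). Attribute names are lower-cased because LDAP
    attribute types match case-insensitively."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)

    def attr_list(keyword):
        m = re.search(keyword + r"\s+\(\s*([^)]*)\)", definition)
        if m:  # parenthesised list: MUST ( a $ b )
            return {a.strip().lower() for a in m.group(1).split("$") if a.strip()}
        m = re.search(keyword + r"\s+([A-Za-z][\w-]*)", definition)  # MUST a
        return {m.group(1).lower()} if m else set()

    return name, attr_list("MUST"), attr_list("MAY")


def parse_ldif_entry(ldif):
    """Minimal LDIF reader: collect the attr: value lines of a modify record
    into {attr(lower): [values]}, skipping dn/changetype/add/- control lines.
    This stands in for the attributes the entry carries after the modify; a
    real server validates the whole stored entry, so an existing host entry
    that already had sn would pass too."""
    entry = {}
    for line in ldif.splitlines():
        line = line.strip()
        if not line or line == "-":
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if attr in ("dn", "changetype", "add", "replace", "delete"):
            continue
        entry.setdefault(attr, []).append(value.strip())
    return entry


def check_objectclass_violation(entry, schema_definitions):
    """Return violation messages in the server's wording (empty list = OK)."""
    classes = {}
    for definition in schema_definitions:
        name, must, _may = parse_objectclass(definition)
        classes[name.lower()] = (name, must)
    violations = []
    for oc in entry.get("objectclass", []):
        if oc.lower() not in classes:
            continue  # the host's structural classes are not modelled here
        name, must = classes[oc.lower()]
        for attr in sorted(must):
            if attr not in entry:
                violations.append(
                    f'missing attribute "{attr}" required by object class "{name}"')
    return violations


if __name__ == "__main__":
    cases = (("posted LDIF, sn in MUST", POSTED_LDIF, SCHEMA_WITH_MUST),
             ("fixed LDIF, sn in MUST", FIXED_LDIF, SCHEMA_WITH_MUST),
             ("posted LDIF, sn in MAY", POSTED_LDIF, SCHEMA_MAY_ONLY))
    for label, ldif, schema in cases:
        result = check_objectclass_violation(parse_ldif_entry(ldif), [schema])
        print(f"{label}: {result or 'OK'}")
```

The first case yields the exact "missing attribute "sn" required by object class "AWSInstanceDetails"" message from the thread; the other two pass. Martin's point about the IPA CLI/webUI follows from the same rule: a host created through IPA only gets the attributes IPA knows about, so any MUST attribute in a custom class would make host-add fail.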
Re: [Freeipa-users] 3rd party Cert install now IPA total broken
On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote: Hello, Freeipa 4.3.1 I have now install a 3rd Party Certificate from Startcom now my IPA is total broken? I make this

ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install root.crt
ipa-certupdate
ipa-server-certinstall -w -d ipa_3rd_ca.p12

I create this p12 with key.pem, cert.pem root.crt I insert also in the cert.pem the intermediate.crt

Hi, there were some issues with ipa-server-certinstall (see tickets #4785, #4786 and #6263). In order to check your configuration, you must make sure that the NSS DBs for Apache and the LDAP server (/etc/httpd/alias, /var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
- the server certificate with flags u,u,u (= the one contained in ipa_3rd_ca.p12)
- the certificate of the CA which signed the server certificate, with flags C,, (= the one contained in root.crt)

Then you can also check if the nickname for the server cert is properly set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute nsSSLPersonalitySSL). If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may provide more information. Also note that it is important to run ipa-certupdate on all the clients and replicas in order to install the new certificates in the NSS DBs *before* you run ipa-server-certinstall. Hope this helps, Flo.

the kerberos don't start anymore ? The Error Is Unspecified GSS failure.Minor (2529639068): Cannot contact any KDC for realm '4GJN.COM' after insert in nss.conf "NSSEnforceValidCerts off" ipactl restart is starting (?)
but ipactl status tell me

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

with certutil -d /etc/httpd/alias -L I have now this

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
Signing-Cert                                  u,u,u
4GJN_CA_FILE                                  u,u,u
ipaCert                                       u,u,u
4GJN.COM IPA CA                               CT,C,C
STARTCOM-ROOT                                 C,,

I can Insert in nss.conf by the #NSSNickname "Signing-Cert" original or NSSNickname 4GJN_CA_FILE but all is now broken ?

I also add this, found in Bugzilla

certutil -d /var/lib/pki/pki-tomcat/alias -L

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca                   u,u,u
subsystemCert cert-pki-ca                     u,u,u
caSigningCert cert-pki-ca                     CTu,Cu,Cu
Server-Cert cert-pki-ca                       u,u,u
auditSigningCert cert-pki-ca                  u,u,Pu
STARTCOM-ROOT                                 CT,,

this is created in the

certutil -d /etc/dirsrv/slapd-4GJN.COM -L

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
4GJN_CA_FILE                                  u,u,u
4GJN.COM IPA CA                               CT,C,C
STARTCOM-ROOT                                 C,,

Can any help a little, please ;-)

The bad Problem, I tested this with my master server with DNS / DNSSEC I can't new install (DNSSEC Keys)
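The two conditions in Flo's reply (server certificate present with u,u,u; the CA that signed it present with C,, so it is trusted to issue SSL server certificates) can be checked mechanically against `certutil -L` output. The following is an added example, not from the thread or from FreeIPA: it parses a listing into nickname/trust-flag pairs and applies both checks for a given server-cert nickname and CA nickname. The listing is constructed from the /etc/httpd/alias output posted above (column spacing approximated); which nickname is the server certificate is whatever NSSNickname in nss.conf points at, which the reply also says to verify.

```python
"""Check NSS DB trust flags from `certutil -L` output against the checklist in
the reply above (added example, not from the thread or FreeIPA): the server
certificate must be u,u,u and the CA that signed it must carry C in its SSL
trust field."""
import re

# Constructed from the /etc/httpd/alias listing in the mail; spacing approximated.
HTTPD_ALIAS_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
4GJN_CA_FILE                                                 u,u,u
ipaCert                                                      u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,
"""

# A data line is "<nickname, may contain spaces>   <ssl>,<email>,<objsign>".
# The header lines carry no letters-only comma triple and therefore never match.
TRUST_LINE = re.compile(r"^(?P<nick>.+?)\s+(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_list(text):
    """Return {nickname: trust_flags} from certutil -L output."""
    certs = {}
    for raw in text.splitlines():
        m = TRUST_LINE.match(raw.strip())
        if m:
            certs[m.group("nick")] = m.group("flags")
    return certs


def check_server_cert_setup(certs, server_nick, ca_nick):
    """Apply the two checks from the reply. Returns a list of findings; an
    empty list means the DB matches the checklist for these nicknames."""
    findings = []
    server_flags = certs.get(server_nick)
    if server_flags is None:
        findings.append(f"server cert {server_nick!r} not present")
    elif server_flags != "u,u,u":
        findings.append(f"server cert {server_nick!r} has flags {server_flags}, expected u,u,u")

    ca_flags = certs.get(ca_nick)
    if ca_flags is None:
        findings.append(f"CA cert {ca_nick!r} not present")
    elif "C" not in ca_flags.split(",")[0]:  # first field is the SSL trust
        findings.append(f"CA cert {ca_nick!r} has flags {ca_flags}, "
                        "expected C,, (trusted to issue SSL server certs)")
    return findings


if __name__ == "__main__":
    db = parse_certutil_list(HTTPD_ALIAS_LISTING)
    for nick, flags in db.items():
        print(f"{nick:30} {flags}")
    print(check_server_cert_setup(db, "4GJN_CA_FILE", "STARTCOM-ROOT") or "checklist OK")
```

Run per NSS DB (the reply names three) with the nickname from nss.conf and from nsSSLPersonalitySSL; a finding such as "server cert ... not present" in one DB but not another is the kind of inconsistency the cited ipa-server-certinstall tickets describe. The CA check accepts CT,, as well as C,, since only the SSL field's C matters for issuing server certificates.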
Re: [Freeipa-users] how to revert ipa-adtrust-install...
thanks a lot!

On 19/09/16 08:49, Martin Babinsky wrote:
> ipaConfigString: enabledService
Re: [Freeipa-users] HBAC doesn't work issues
On (19/09/16 16:43), Lachlan Musicman wrote:
>I must have made an error again:
>
>- ipa hbactest gives seemingly correct answer on both server and client
>- user can't actually use sudo on client?
>
>Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR
>
>From the server:
>
>[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au
>--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
>
>Access granted: True
>
>  Matched rules: Cluster Admin Users (sudo)
>  Not matched rules: Cluster Users
>[root@vmdv-linuxidm1 ~]#
>
>
>From the host in question:
>
>[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au
>--host `hostname` --service sudo
>
>Access granted: True
>
>  Matched rules: Cluster Admin Users (sudo)
>  Not matched rules: Cluster Users
>[root@vmts-linuxclient1 ~]#
>
>
>[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
>[sudo] password for lsimp...@petermac.org.au:
>lsimp...@petermac.org.au is not allowed to run sudo on vmts-linuxclient1.
>This incident will be reported.
>

Did you configure sudo rules for such user?
What is the output of "sudo -l"?

LS
Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow
On 09/19/2016 03:12 AM, Lachlan Musicman wrote:
> Hi
>
> Sometimes when I visit the ID Views page in the webgui, it is crushingly slow, and often it times out.
>
> Centos 7, ipa --version
> VERSION: 4.2.0, API_VERSION: 2.156
>
> Is there a reason, can I do something to fix this?
>
> cheers
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this way."
> - Grace Hopper

What kind of ID Views do you use? Do you use them to override AD users? Is there any useful info in '/var/log/httpd/error_log'?

-- 
Martin^3 Babinsky
Re: [Freeipa-users] how to revert ipa-adtrust-install...
On 09/19/2016 09:49 AM, Martin Babinsky wrote:
> On 09/17/2016 12:43 PM, lejeczek wrote:
>> On 15/09/16 22:37, Rob Crittenden wrote:
>>> What do you mean control? If you don't want ipactl to manage the smb service, look for an entry in cn=masters,cn=ipa,cn=etc,dc=example,dc=com and delete it if you find it.
>>>
>>> rob
>>
>> all I find there is:
>>
>> objectClass: nsContainer
>> objectClass: top
>> cn: masters
>
> You must perform a subtree search and search for the entry named 'cn=ADTRUST', like so:
>
> """
> ldapsearch -Y GSSAPI -b 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test' '(cn=ADTRUST)'
> SASL/GSSAPI authentication started
> SASL username: ad...@ipa.test
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base
Re: [Freeipa-users] ipa trust-add using password
> If you add 'log level = 50' to /usr/share/ipa/smb.conf.empty, then
> /var/log/httpd/error_log will contain detailed debug information from
> IPA attempts to talk to AD DCs.
>
> --
> / Alexander Bokovoy

Hi Alexander

I added the log level, and had the domain admin try to create the trust, and today it just worked, soo... not any further on finding out what went wrong last week, but the trust got created, so I'm not going to spend more time on this.

Anyway, thanks for the help. I have made a mental note on debugging IPA-AD trust creation.
[Freeipa-users] HBAC doesn't work issues
I must have made an error again:

- ipa hbactest gives seemingly correct answer on both server and client
- user can't actually use sudo on client?

Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR

From the server:

[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au
--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo

Access granted: True

  Matched rules: Cluster Admin Users (sudo)
  Not matched rules: Cluster Users
[root@vmdv-linuxidm1 ~]#


From the host in question:

[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au
--host `hostname` --service sudo

Access granted: True

  Matched rules: Cluster Admin Users (sudo)
  Not matched rules: Cluster Users
[root@vmts-linuxclient1 ~]#


[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
[sudo] password for lsimp...@petermac.org.au:
lsimp...@petermac.org.au is not allowed to run sudo on vmts-linuxclient1.
This incident will be reported.

On the client, in the sssd_sudo.log I can see (debug_level=6) a number of lines, most notably three that start "Searching sysdb with" and then follow with all my ipa and AD groups - both groups that would give me HBAC sudo are listed in those log entries.

What should I try next?

cheers
L.

-- 
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper