Re: [Freeipa-users] Error looking up public keys

2016-10-06 Thread Alessandro De Maria
The workaround worked, thank you!

On 6 Oct 2016 5:09 pm, "Sumit Bose"  wrote:

> On Thu, Oct 06, 2016 at 03:48:10PM +0100, Alessandro De Maria wrote:
> > Hello,
> >
> > We are moving some of our servers to use 16.04 and for all new installs I
> > have noticed that I am unable to fetch the ssh_authorized keys from the
> > server.
> >
> > /usr/bin/sss_ssh_authorizedkeys --debug 10 -d prod.zzz.com ademaria
> > (Thu Oct  6 11:29:59:823635 2016) [/usr/bin/sss_ssh_authorizedkeys] [main]
> > (0x0020): sss_ssh_get_ent() failed (14): Bad address
> > Error looking up public keys
> >
> > This only happens on Ubuntu 16.04. We have a number of 12.04 that work
> > perfectly.
> >
> > The configuration seems ok or at least matches the one on 12.04.
> > I increased the debug level on sssd and sss_ssh and this is the output I get
>
> ...
>
> > (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0040):
> > NSS_InitContext failed [-8015].
> > (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data]
> > (0x0040): cert_to_ssh_key failed.
> > (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040):
> > decode_and_add_base64_data failed.
> > (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal
> > error, killing connection!
>
> ...
>
> Newer versions of SSSD can derive ssh-keys from valid X.509 certificates
> stored in the LDAP entry of the user. Unfortunately it looks like your
> build of SSSD needs a fix for
> https://fedorahosted.org/sssd/ticket/2977. Please open a ticket for your
> distribution to include the patch for this issue, which is linked at the
> end of the ticket.
>
> As a workaround you can set 'ldap_user_certificate = noSuchAttribute' in
> the [domain/...] section of sssd.conf. This should prevent SSSD from
> reading the certificate stored in the user entry. After changing
> sssd.conf you should invalidate the cache by calling 'sss_cache -E' and
> restart SSSD.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Could you help me understand what is the issue with it?
> >
> > Regards
> > Alessandro
> >
> > --
> > Alessandro De Maria
> > alessandro.dema...@gmail.com
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA and Samba

2016-10-06 Thread Степаненко Алексей

Thank you for your reply.

I've got Samba server for a company, accounts are created by hand. 
Clients are different windows or linux desktops.


I want to install FreeIPA and have one area for managing accounts (SMB, 
SSH-access for others servers). Now, I prepare clean samba installation 
for testing. It would be great to use FreeIPA as authorization server 
for samba.


I was looking for information about samba + freeIPA, but I found only 
this document. Maybe, I miss obvious things.



06.10.2016 20:31, Loris Santamaria wrote:

The document you are linking to explains how to configure a samba file
server in a freeipa domain, which is one of many ways you can configure
and use a samba server.

What do you want to achieve with samba, and what is your current setup?


On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote:

Hello.

I've read the topic about FreeIPA and SAMBA
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

If I understand correctly, samba's client must be present in
FreeIPA  AD.
Unfortunately, it does not work for me. I can't join some work
desktops
to AD. Is it possible to make Samba auth through LDAP IPA? Samba has
ldap support

  ldap admin dn
  ldap group suffix
  ldap idmap suffix
  ldap machine suffix
  ldap passwd sync
  ldap suffix
  ldap user suffix

Does it work with IPA ?

Thanks.



--
Best regards,
Степаненко Алексей,
Head of the Information Technology Group,
OOO "Глобал Веб Групп"
Website: http//gw.spb.ru
Tel.: +7 (812) 409-00-90




[Freeipa-users] Question about an error in the logs.

2016-10-06 Thread Michael Rainey (Contractor)

Hello,

I've been reviewing an error log for IPA located in 
/var/log/dirsrv//error.  I've noticed there is an error 
that keeps repeating.


[06/Oct/2016:09:56:03 -0500] attrlist_replace - attr_replace 
(nsslapd-referral, ldap://kodiak.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:03 -0500] attrlist_replace - attr_replace 
(nsslapd-referral, ldap://voge.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:03 -0500] attrlist_replace - attr_replace 
(nsslapd-referral, ldap://voge.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:03 -0500] attrlist_replace - attr_replace 
(nsslapd-referral, ldap://voge.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:06 -0500] attrlist_replace - attr_replace 
(nsslapd-referral, ldap://fitch.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:06 -0500] attrlist_replace - attr_replace 
(nsslapd-referral, ldap://fitch.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:06 -0500] attrlist_replace - attr_replace 
(nsslapd-referral, ldap://fitch.:389/o%3Dipaca) failed.


I was wondering if this is a sign of a larger problem.  All of my 
replicas continue to be updated as changes are made and users are able 
to log into their systems.  Everything seems to be fine.


Sincerely,

Scientific Linux 7.2 64-bit
1.13.0-40.el7_2.12
--
*Michael Rainey*

Re: [Freeipa-users] FreeIPA and Samba

2016-10-06 Thread Loris Santamaria
The document you are linking to explains how to configure a samba file
server in a freeipa domain, which is one of many ways you can configure
and use a samba server.

What do you want to achieve with samba, and what is your current setup?


On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote:
> Hello.
> 
> I've read the topic about FreeIPA and SAMBA 
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> 
> If I understand correctly, samba's client must be present in
> FreeIPA  AD. 
> Unfortunately, it does not work for me. I can't join some work
> desktops 
> to AD. Is it possible to make Samba auth through LDAP IPA? Samba has 
> ldap support
> 
>  ldap admin dn
>  ldap group suffix
>  ldap idmap suffix
>  ldap machine suffix
>  ldap passwd sync
>  ldap suffix
>  ldap user suffix
> 
> Does it work with IPA ?
> 
> Thanks.
> 
-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford


[Freeipa-users] FreeIPA and Samba

2016-10-06 Thread Степаненко Алексей

Hello.

I've read the topic about FreeIPA and SAMBA 
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


If I understand correctly, samba's client must be present in FreeIPA  AD. 
Unfortunately, it does not work for me. I can't join some work desktops 
to AD. Is it possible to make Samba auth through LDAP IPA? Samba has 
ldap support


ldap admin dn
ldap group suffix
ldap idmap suffix
ldap machine suffix
ldap passwd sync
ldap suffix
ldap user suffix

Does it work with IPA ?

Thanks.

--
With best regards.




Re: [Freeipa-users] Error looking up public keys

2016-10-06 Thread Sumit Bose
On Thu, Oct 06, 2016 at 03:48:10PM +0100, Alessandro De Maria wrote:
> Hello,
> 
> We are moving some of our servers to use 16.04 and for all new installs I
> have noticed that I am unable to fetch the ssh_authorized keys from the
> server.
> 
> /usr/bin/sss_ssh_authorizedkeys --debug 10 -d prod.zzz.com ademaria
> (Thu Oct  6 11:29:59:823635 2016) [/usr/bin/sss_ssh_authorizedkeys] [main]
> (0x0020): sss_ssh_get_ent() failed (14): Bad address
> Error looking up public keys
> 
> This only happens on Ubuntu 16.04. We have a number of 12.04 that work
> perfectly.
> 
> The configuration seems ok or at least matches the one on 12.04.
> I increased the debug level on sssd and sss_ssh and this is the output I get

...

> (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0040):
> NSS_InitContext failed [-8015].
> (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data]
> (0x0040): cert_to_ssh_key failed.
> (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040):
> decode_and_add_base64_data failed.
> (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal
> error, killing connection!

...

Newer versions of SSSD can derive ssh-keys from valid X.509 certificates
stored in the LDAP entry of the user. Unfortunately it looks like your
build of SSSD needs a fix for
https://fedorahosted.org/sssd/ticket/2977. Please open a ticket for your
distribution to include the patch for this issue, which is linked at the
end of the ticket.

As a workaround you can set 'ldap_user_certificate = noSuchAttribute' in
the [domain/...] section of sssd.conf. This should prevent SSSD from
reading the certificate stored in the user entry. After changing
sssd.conf you should invalidate the cache by calling 'sss_cache -E' and
restart SSSD.

HTH

bye,
Sumit

> 
> Could you help me understand what is the issue with it?
> 
> Regards
> Alessandro
> 
> -- 
> Alessandro De Maria
> alessandro.dema...@gmail.com

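The two steps Sumit describes above (confirm that the ssh responder is failing in cert_to_ssh_key, then neutralise ldap_user_certificate in the right [domain/...] section before running sss_cache -E and restarting SSSD) as an added Python example. This is not code from the thread or from SSSD; the domain name, hostnames, sample log lines and sample sssd.conf in it are constructed, and the config editor deliberately refuses to create a domain section that is not already there.

```python
"""Added example (not SSSD code) for Sumit's workaround: spot the ticket-2977
signature in sssd_ssh.log, then set ldap_user_certificate = noSuchAttribute in
the right [domain/...] section of sssd.conf without duplicating it or touching
[sssd]/[ssh]. Domain, hostnames, log and config below are constructed (log
lines are single lines here; the e-mail wrapped the real ones)."""
import re

CERT_FAIL_RE = re.compile(r"\[cert_to_ssh_key\].*NSS_InitContext failed \[(-?\d+)\]")

SAMPLE_LOG = """\
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0040): NSS_InitContext failed [-8015].
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
"""

SAMPLE_CONF = """\
[sssd]
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test

[ssh]
debug_level = 10
"""

def cert_to_ssh_key_error(log_text):
    """Return the NSS error code (e.g. -8015) if the failure signature is present, else None."""
    for line in log_text.splitlines():
        m = CERT_FAIL_RE.search(line)
        if m:
            return int(m.group(1))
    return None

def set_domain_option(conf_text, domain, key, value):
    """Return conf_text with `key = value` in [domain/<domain>], replacing or inserting it."""
    target = f"[domain/{domain}]"
    key_re = re.compile(rf"\s*{re.escape(key)}\s*=")
    out, in_target, found, done, insert_at = [], False, False, False, 0
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):      # section header
            in_target = s == target
            found = found or in_target
        elif in_target and key_re.match(line):          # key already set in this section
            if done:
                continue                                # drop a duplicate
            line, done = f"{key} = {value}", True
        out.append(line)
        if in_target and s:                             # remember the last non-blank line
            insert_at = len(out)
    if not found:
        raise KeyError(f"{target} missing; refusing to invent a domain section")
    if not done:
        out.insert(insert_at, f"{key} = {value}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(cert_to_ssh_key_error(SAMPLE_LOG),
          set_domain_option(SAMPLE_CONF, "example.test", "ldap_user_certificate", "noSuchAttribute"), sep="\n")
    print("then run: sss_cache -E && systemctl restart sssd")
```

Write the returned text back to /etc/sssd/sssd.conf only after diffing it against the original; the cache invalidation and the restart are still done by hand.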


[Freeipa-users] Error looking up public keys

2016-10-06 Thread Alessandro De Maria
Hello,

We are moving some of our servers to use 16.04 and for all new installs I
have noticed that I am unable to fetch the ssh_authorized keys from the
server.

/usr/bin/sss_ssh_authorizedkeys --debug 10 -d prod.zzz.com ademaria
(Thu Oct  6 11:29:59:823635 2016) [/usr/bin/sss_ssh_authorizedkeys] [main]
(0x0020): sss_ssh_get_ent() failed (14): Bad address
Error looking up public keys

This only happens on Ubuntu 16.04. We have a number of 12.04 that work
perfectly.

The configuration seems ok or at least matches the one on 12.04.
I increased the debug level on sssd and sss_ssh and this is the output I get

(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
Offered version [0].
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x67b890][18]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x67b890][18]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x67b890][18]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
Requested domain [prod.zzz]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
Parsing name [ademaria][prod.zzz]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sss_parse_name_for_domains]
(0x0200): name 'ademaria' matched without domain, user is ademaria
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sss_parse_name_for_domains]
(0x0200): using default domain [prod.zzz]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys]
(0x0400): Requesting SSH user public keys for [ademaria] from [prod.zzz]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x40b850:1:ademaria@prod.zzz]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400):
Creating request for [prod.zzz][0x1][BE_REQ_USER][1][name=ademaria]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0x658390
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x40b850:1:ademaria@prod.zzz]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sbus_remove_timeout] (0x2000):
0x658390
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn:
0x65a7b0
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sbus_dispatch] (0x4000):
Dispatching.
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_user_pubkeys_search_next]
(0x0400): Requesting SSH user public keys for [ademaria@prod.zzz]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x666a00
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x666ac0
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Running timer event
0x666a00 "ltdb_callback"
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Destroying timer
event 0x666ac0 "ltdb_timeout"
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Ending timer event
0x666a00 "ltdb_callback"
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data]
(0x4000): Mssing element, nothing to do.
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data]
(0x4000): Mssing element, nothing to do.
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0040):
NSS_InitContext failed [-8015].
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data]
(0x0040): cert_to_ssh_key failed.
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040):
decode_and_add_base64_data failed.
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal
error, killing connection!
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [client_destructor] (0x2000):
Terminated client [0x67b890][18]
(Thu Oct  6 15:42:01 2016) [sssd[ssh]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x40b850:1:ademaria@prod.zzz]
(Thu Oct  6 15:42:10 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn:
0x6566b0
(Thu Oct  6 15:42:10 2016) [sssd[ssh]] [sbus_dispatch] (0x4000):
Dispatching.
(Thu Oct  6 15:42:10 2016) [sssd[ssh]] [sbus_message_handler] (0x2000):
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Thu Oct  6 15:42:10 2016) [sssd[ssh]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit
(Thu Oct  6 15:42:20 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn:
0x6566b0
(Thu Oct  6 15:42:20 2016) [sssd[ssh]] [sbus_dispatch] (0x4000):
Dispatching.
(Thu Oct  6 15:42:20 2016) [sssd[ssh]] [sbus_message_handler] (0x2000):
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Thu Oct  6 15:42:20 2016) [sssd[ssh]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit

Could you help me understand what is the issue with it?

Regards
Alessandro

-- 
Alessandro De Maria

Re: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private Cloud

2016-10-06 Thread Deepak Dimri
Awesome.. Thanks Petr


I will see if I can get some more pointers on it, and it's great to see the case 
study.


Already loving FreeIPA with such a wonderful support from you all!



regards,
Deepak


From: freeipa-users-boun...@redhat.com  on 
behalf of Petr Spacek 
Sent: Thursday, October 6, 2016 3:33 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private 
Cloud

On 5.10.2016 11:16, Deepak Dimri wrote:
> Hi All,
>
> I want to understand if there are any best practices wrt FreeIPA Server 
> deployment in Public vis-à-vis Private cloud.  Let's assume a case that most 
> IPA Clients are hosted in private clouds at multiple data centers or across 
> AWS VPCs. In this situation hosting of freeIPA in the public cloud I reckon 
> would be an easier approach (clients can connect over the internet).  The 
> other option would be to host FreeIPA Server in a private cloud, which would be 
> more secure, but then you need to make changes in your network/FW settings 
> across private clouds. Are there any major security concerns if FreeIPA is 
> deployed in a public cloud?

Properly configured FreeIPA can run on the public Internet. I would recommend you
read the thread
https://www.redhat.com/archives/freeipa-users/2014-April/msg00246.html .

> Any examples of  freeIPA running in public cloud in production?

Here you go:
https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/
--
Petr^2 Spacek


Re: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private Cloud

2016-10-06 Thread Petr Spacek
On 5.10.2016 11:16, Deepak Dimri wrote:
> Hi All,
> 
> I want to understand if there are any best practices wrt FreeIPA Server 
> deployment in Public vis-à-vis Private cloud.  Let's assume a case that most 
> IPA Clients are hosted in private clouds at multiple data centers or across 
> AWS VPCs. In this situation hosting of freeIPA in the public cloud I reckon 
> would be an easier approach (clients can connect over the internet).  The 
> other option would be to host FreeIPA Server in a private cloud, which would be 
> more secure, but then you need to make changes in your network/FW settings 
> across private clouds. Are there any major security concerns if FreeIPA is 
> deployed in a public cloud?

Properly configured FreeIPA can run on the public Internet. I would recommend you
read the thread
https://www.redhat.com/archives/freeipa-users/2014-April/msg00246.html .

> Any examples of  freeIPA running in public cloud in production?

Here you go:
https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

-- 
Petr^2 Spacek
