Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-01-27 Thread Steve Huston
Stranger, I did an install on a different VM with the CentOS 7 minimal
ISO, then installed ipa-server and enough things to get X11 and
Firefox, ran ipa-server-install and it worked fine.  I tested with
Firefox (and Safari) against my failing installation and it still
fails.  So there's something else different that's causing it to
break.  Will continue investigating, but if someone knows why the UI
would break this way it would be helpful to know where to look!

On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston
 wrote:
> Just did it again with the same result.  Reinstalled the machine, then
> did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
> version 4.4.0-14.el7_3.4 and a bunch of other packages.  Next was the
> ipa-server-install as I used before, only without --mkhomedir this
> time.  After entering the passwords for directory administrator and
> the admin user, I then logged in to the web interface, immediately
> clicked "add" and added a user 'foobar'.  When I clicked "add and
> edit" and was brought to the user information page, it looks like this
> at the bottom:
>
> https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0
>
> I then entered an employee number of '0001' just to give something to
> save, and clicked save.  The screen now shows this (I've clicked the
> drop-down on the manager field so the choices are visible):
>
> https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0
>
> Holding shift and clicking reload, the page now looks like this (the
> employee number field is also blank again):
>
> https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0
>
> Since we do run a repackaged distribution here (Springdale Linux), I
> just unpacked ipa-server-common from our repository with the above
> version, and 
> http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
> and 'diff' found zero differences between them.  Unlikely, but I
> wanted to rule out a packaging error causing the problem.
>
> On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
>  wrote:
>> No, that should be all of the major changes; the puppet module that
>> installs things only puts the two plugin files in their respective
>> places.  The client part of the IPA module makes changes to have the
>> machine join the domain and whatnot, but those shouldn't affect the
>> webui.
>>
>> I do modify the schema by adding some attribute types for Puppet,
>> namely puppetClass, parentNode, environment, puppetVar, and the object
>> class puppetClient.  That's basically right from one of the Puppet
>> webpages and also worked in the past - and is one of the things the
>> python plugin does, add the appropriate objectclass to host entries if
>> puppetVar is added to a host entry.
>>
>> My steps to install:
>> * ipa-server-install --realm= --domain= --mkhomedir
>> --hostname= --no-host-dns
>> * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
>>   < paste puppet schema changes>
>>   < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
>> service account used by puppet for adding hosts to IPA >
>> * login to web UI
>> * * Change home directory base, default shell, default SELinux user
>> * * Add SELinux user map for staff/sysadmin users
>> * * Add "user adder" permission/privilege/role for users who will be
>> able to create stageusers
>>
>> That's about as far as I got before I realized some of the plugin
>> pieces weren't working, and then fixed the python plugin followed by
>> working on the UI plugin and finding this problem.  I'll go wipe and
>> reinstall the system again and walk through the steps, but test the UI
>> first and in between to see if I can find which of the steps might be
>> causing things to hiccup.
>>
>> On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka  wrote:
>>> Hello Steve,
>>>
>>> I tried to reproduce what you described on the very same version of
>>> ipa-server and I was not successful. Actually I did not use your back-end
>>> plugin. I tried it with no plugin and then with your UI plugin and both
>>> worked correctly. Did you do any other changes somewhere in your
>>> installation?
>>>
>>> I will try it again also with your Python plugin and we'll see.
>>>
>>>
>>> On 01/24/2017 08:59 PM, Steve Huston wrote:

 And now I'm convinced this has nothing to do with my plugin and
 instead is a bug somewhere in FreeIPA.

 I removed the entirety of the "astrocustom" plugin that I wrote,
 restarted httpd, and force reloaded the page in chrome.  I clicked to
 add a new user, gave the basic information, and clicked "add and
 edit".  The bottom of the page shows the "Employee information" on the
 left side bottom, and the manager drop-down is empty.  I entered '1'
 in the "employee type" field and clicked save, and now "Employee
 

[Freeipa-users] sudo sometimes doesn't work

2017-01-27 Thread Orion Poplawski
EL7.3
Users are in active directory via AD trust with IPA server

sudo is configured via files - users in our default "nwra" group can run
certain sudo commands, e.g.:

Cmnd_Alias WAKEUP = /sbin/ether-wake *
%nwra,%visitor,%ivm   ALL=NOPASSWD: WAKEUP

However, sometimes when I run sudo /sbin/ether-wake I get prompted for my
password.  Other times it works fine.  I've attached some logs from a failed
attempt.

In particular, these entries:

-barry.cora.DNSDOMAIN sssd_be[701]: Got request with the following data
-barry.cora.DNSDOMAIN sssd_be[701]: command: SSS_PAM_PREAUTH
-barry.cora.DNSDOMAIN sssd_be[701]: domain: ad.DNSDOMAIN
-barry.cora.DNSDOMAIN sssd_be[701]: user: USER@ad.DNSDOMAIN
-barry.cora.DNSDOMAIN sssd_be[701]: service: sudo
-barry.cora.DNSDOMAIN sssd_be[701]: tty: /dev/pts/0
-barry.cora.DNSDOMAIN sssd_be[701]: ruser: USER
-barry.cora.DNSDOMAIN sssd_be[701]: rhost:
-barry.cora.DNSDOMAIN sssd_be[701]: authtok type: 0
-barry.cora.DNSDOMAIN sssd_be[701]: newauthtok type: 0
-barry.cora.DNSDOMAIN sssd_be[701]: priv: 0
-barry.cora.DNSDOMAIN sssd_be[701]: cli_pid: 2860
-barry.cora.DNSDOMAIN sssd_be[701]: logon name: not set
-barry.cora.DNSDOMAIN sssd_be[701]: Trying to resolve service 'IPA'
-barry.cora.DNSDOMAIN sssd_be[701]: The status of SRV lookup is resolved
-barry.cora.DNSDOMAIN sssd_be[701]: Found address for server ipa1.DNSDOMAIN:
[10.0.1.74] TTL 86400
-barry.cora.DNSDOMAIN krb5_child[2869]: cmd [249] uid [22603] gid [22603]
validate [true] enterprise principal [false] offline [false] UPN
[u...@ad.nwra.com]
-barry.cora.DNSDOMAIN krb5_child[2869]: SSSD_KRB5_FAST_PRINCIPAL is set to
[host/barry.cora.dnsdom...@nwra.com]
-barry.cora.DNSDOMAIN krb5_child[2869]: FAST TGT is still valid.
-barry.cora.DNSDOMAIN krb5_child[2869]: Trying to become user [22603][22603].
-barry.cora.DNSDOMAIN krb5_child[2869]: Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
-barry.cora.DNSDOMAIN krb5_child[2869]: Cannot read [SSSD_KRB5_LIFETIME] from
environment.
-barry.cora.DNSDOMAIN krb5_child[2869]: SSSD_KRB5_CANONICALIZE is set to [true]
-barry.cora.DNSDOMAIN krb5_child[2869]: Cannot handle password prompts.
-barry.cora.DNSDOMAIN krb5_child[2869]: Received error code 0
-barry.cora.DNSDOMAIN sssd_be[701]: child [2869] finished successfully.
-barry.cora.DNSDOMAIN sssd_be[701]: Marking port 389 of server
'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: Marking server 'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: connection is about to expire, releasing it
-barry.cora.DNSDOMAIN sssd_be[701]: Trying to resolve service 'IPA'
-barry.cora.DNSDOMAIN sssd_be[701]: The status of SRV lookup is resolved
-barry.cora.DNSDOMAIN sssd_be[701]: Found address for server ipa1.DNSDOMAIN:
[10.0.1.74] TTL 86400
-barry.cora.DNSDOMAIN sssd_be[701]: Trying to resolve service 'IPA'
-barry.cora.DNSDOMAIN sssd_be[701]: The status of SRV lookup is resolved
-barry.cora.DNSDOMAIN sssd_be[701]: Found address for server ipa1.DNSDOMAIN:
[10.0.1.74] TTL 86400
-barry.cora.DNSDOMAIN ldap_child[2889]: Will run as [0][0].
-barry.cora.DNSDOMAIN ldap_child[2889]: Trying to become user [0][0].
-barry.cora.DNSDOMAIN ldap_child[2889]: Already user [0].
-barry.cora.DNSDOMAIN ldap_child[2889]: Principal name is:
[host/barry.cora.dnsdom...@nwra.com]
-barry.cora.DNSDOMAIN ldap_child[2889]: Using keytab [MEMORY:/etc/krb5.keytab]
-barry.cora.DNSDOMAIN ldap_child[2889]: Will canonicalize principals
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 1
-barry.cora.DNSDOMAIN sssd_be[701]: expire timeout is 900
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 1
-barry.cora.DNSDOMAIN sssd_be[701]: Executing sasl bind mech: GSSAPI, user:
host/barry.cora.DNSDOMAIN
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 1
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 2
-barry.cora.DNSDOMAIN sssd_be[701]: child [2889] finished successfully.
-barry.cora.DNSDOMAIN sssd_be[701]: Marking port 389 of server
'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: Marking server 'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: No host groups were dereferenced
-barry.cora.DNSDOMAIN sssd_be[701]: Received 0 additional command groups
-barry.cora.DNSDOMAIN sssd_be[701]: Received 0 sudo rules
-barry.cora.DNSDOMAIN sssd_be[701]: SUDO higher USN value: [1]
-barry.cora.DNSDOMAIN sudo[2860]:USER : command not allowed ; TTY=pts/0 ;
PWD=/export/home/USER/fedora/fail2ban ; USER=root ; COMMAND=/sbin/ether-wake
-i eth0 00:25:64:e0:05:fa

seem to appear in the failed attempt but not a successful one.

-- 
Orion Poplawski
Technical Manager  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com
Jan 27 13:25:43 barry.cora.DNSDOMAIN sssd_sudo[772]: Received client version [1].
Jan 27 13:25:43 barry.cora.DNSDOMAIN sssd_sudo[772]: Offered version [1].
Jan 27 13:25:43 
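To make the sudoers decision in this post concrete, here is a small evaluator, added as an example and not part of Orion's message, that applies the quoted Cmnd_Alias and group rule the way sudo does (last matching rule wins, a trailing '*' matches any arguments) to the command line from the "command not allowed" log entry. Only the two sudoers lines and the command come from the post; the user name USER, the host name and the group lists are assumed. The %nwra match depends entirely on the group list that sudo obtains through NSS, which on this host is served by SSSD, so running the same request with an empty group list reproduces the not-allowed result; an intermittent group lookup failure is therefore one thing worth ruling out (sudo asks for a password before it reports that a command is not allowed, which matches the prompt described above).

```python
import fnmatch
import re

# Constructed input: the two sudoers lines quoted in the post.
SUDOERS = """\
Cmnd_Alias WAKEUP = /sbin/ether-wake *
%nwra,%visitor,%ivm   ALL=NOPASSWD: WAKEUP
"""

# The command line from the post's "command not allowed" log entry.
COMMAND = "/sbin/ether-wake -i eth0 00:25:64:e0:05:fa"


def parse_sudoers(text):
    """Parse Cmnd_Alias definitions and user specifications.

    Only the subset of sudoers syntax used in the post is handled:
    'Cmnd_Alias NAME = cmd, cmd' and 'users hosts = (runas) TAG: cmds'.
    Defaults lines and the other alias types are skipped, not modelled.
    """
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = re.match(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"^(\S+)\s+(\S+?)\s*=\s*(.+)$", line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        users, hosts, spec = m.groups()
        runas = "root"
        rm = re.match(r"^\(([^)]*)\)\s*(.*)$", spec)
        if rm:                      # optional "(runas)" part
            runas, spec = rm.group(1) or "root", rm.group(2)
        nopasswd = False
        while True:                 # leading NOPASSWD:/PASSWD: tags
            tm = re.match(r"^(NOPASSWD|PASSWD)\s*:\s*(.*)$", spec)
            if not tm:
                break
            nopasswd = tm.group(1) == "NOPASSWD"
            spec = tm.group(2)
        rules.append({"users": [u.strip() for u in users.split(",")],
                      "hosts": [h.strip() for h in hosts.split(",")],
                      "runas": runas, "nopasswd": nopasswd,
                      "cmnds": [c.strip() for c in spec.split(",")]})
    return aliases, rules


def _user_matches(item, user, groups):
    """'ALL', a plain user name, or '%group'; '+netgroup' is not modelled."""
    if item == "ALL":
        return True
    if item.startswith("%"):
        # Group membership is whatever NSS returned; on this host that is SSSD.
        return item[1:] in groups
    if item.startswith("+"):
        return False
    return item == user


def _cmnd_matches(spec, aliases, command):
    """Match one Cmnd spec (or alias) against the requested command line."""
    if spec == "ALL":
        return True
    if spec in aliases:
        return any(_cmnd_matches(c, aliases, command) for c in aliases[spec])
    spec_path, _, spec_args = spec.partition(" ")
    cmd_path, _, cmd_args = command.partition(" ")
    if not fnmatch.fnmatchcase(cmd_path, spec_path):
        return False
    if spec_args == "":             # spec without arguments: bare command only
        return cmd_args == ""
    if spec_args.strip() == "*":    # '*' allows any argument list, even none
        return True
    return fnmatch.fnmatchcase(cmd_args, spec_args)


def check_sudo(sudoers_text, user, groups, host, command):
    """Return 'NOPASSWD' or 'PASSWD' when a rule permits the command, else
    None. As in sudo, the last matching rule decides."""
    aliases, rules = parse_sudoers(sudoers_text)
    verdict = None
    for rule in rules:
        if not any(_user_matches(u, user, groups) for u in rule["users"]):
            continue
        if "ALL" not in rule["hosts"] and host not in rule["hosts"]:
            continue
        if any(_cmnd_matches(c, aliases, command) for c in rule["cmnds"]):
            verdict = "NOPASSWD" if rule["nopasswd"] else "PASSWD"
    return verdict


def demo():
    """Same user, host and command; only the resolved group list differs."""
    resolved = check_sudo(SUDOERS, "USER", {"nwra", "domain users"}, "barry", COMMAND)
    unresolved = check_sudo(SUDOERS, "USER", set(), "barry", COMMAND)
    return resolved, unresolved


if __name__ == "__main__":
    print(demo())  # ('NOPASSWD', None)
```

On a real host the comparison to make is between `id USER` (or `getent group nwra`) at the moment of a failed attempt and at a successful one: if the group list differs, the sudoers file is behaving exactly as written and the problem is in the identity lookup path shown in the SSSD log, not in the rule.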

[Freeipa-users] Search result has been truncated - Configured size limit exceeded

2017-01-27 Thread Christophe TREFOIS
Dear all,

For some time now, when we access a user's details via the GUI in FreeIPA 4.4, 
we receive a

"Search result has been truncated: Configured size limit exceeded" popup. It 
seems all fields are properly loaded and updating fields etc. works.

Does anybody know where this could come from and how to remove this message?

Thank you,
Christophe

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Search result has been truncated - Configured size limit exceeded

2017-01-27 Thread Martin Basti



On 27.01.2017 12:18, Christophe TREFOIS wrote:
> Dear all,
> 
> For some time now, when we access a user's details via the GUI in FreeIPA 4.4, 
> we receive a
> 
> "Search result has been truncated: Configured size limit exceeded" popup. It 
> seems all fields are properly loaded and updating fields etc. works.
> 
> Does anybody know where this could come from and how to remove this message?
> 
> Thank you,
> Christophe


Hello,

what is your configured search size limit (ipa config-show)?

Martin



Re: [Freeipa-users] Search result has been truncated - Configured size limit exceeded

2017-01-27 Thread Tomasz Torcz
On Fri, Jan 27, 2017 at 11:18:47AM +, Christophe TREFOIS wrote:
> Dear all,
> 
> For some time now, when we access a user's details via the GUI in FreeIPA 
> 4.4, we receive a
> 
> "Search result has been truncated: Configured size limit exceeded" popup. It 
> seems all fields are properly loaded and updating fields etc. works.
> 
> Does anybody know where this could come from and how to remove this message?

  See 5.3.4.1. Adjusting the Search Size and Time Limit

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-idm-cli.html#tune-search-adjust-limits


-- 
Tomasz   .. oo o.   oo o. .o   .o o. o. oo o.   ..
Torcz.. .o .o   .o .o oo   oo .o .. .. oo   oo
o.o.o.   .o .. o.   o. o. o.   o. o. oo .. ..   o.


Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-27 Thread Harald Dunkel
Hi Thierry,

On 01/26/17 16:55, thierry bordaz wrote:
> 
> 
> Those entries are managed entries and it is not possible to delete them with a 
> direct ldap command.
> A solution proposed by Ludwig is to first make them unmanaged:
> 
> dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> 
> dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> 
> Then retry to delete them.
> It should work for the first one but I am unsure whether it will succeed for the 
> second one.
> 

I am not sure about this "managed" thing. This sounds like some
kind of external influence.

How can I make sure that removing these entries doesn't break
something? Is the original entry managed in the same way as
the duplicate?


Regards
Harri

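Harri's question of whether the original entry is managed in the same way as the duplicate, and which of the two cn=ipaservers netgroup entries the hostgroup actually points to, can be answered offline from an LDAP dump before anything is deleted. The following is example code added here, not from the thread or from FreeIPA; it assumes the 389-ds Managed Entries plugin attribute names mepManagedBy (on the generated entry) and mepManagedEntry (on the origin entry), and the nsds5ReplConflict attribute that 389-ds places on replication naming-conflict entries. The directory snapshot is constructed, reusing only the nsuniqueid quoted above. It also produces the "make it unmanaged" LDIF discussed in the thread, going one step beyond it by dropping mepManagedBy in the same modify so the entry stays schema-valid once the objectclass that permits that attribute is gone.

```python
# Constructed directory snapshot: one hostgroup origin, the netgroup the MEP
# plugin generated for it, and a replication-conflict duplicate. The
# nsuniqueid is the one quoted in the thread; everything else is made up.
ORIGIN_DN = "cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de"
MANAGED_DN = "cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de"
CONFLICT_DN = ("cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,"
               "cn=ng,cn=alt,dc=example,dc=de")

ENTRIES = {
    ORIGIN_DN: {
        "objectClass": ["ipahostgroup", "mepOriginEntry"],
        "mepManagedEntry": [MANAGED_DN],
    },
    MANAGED_DN: {
        "objectClass": ["nisNetgroup", "mepManagedEntry"],
        "mepManagedBy": [ORIGIN_DN],
    },
    CONFLICT_DN: {
        "objectClass": ["nisNetgroup", "mepManagedEntry"],
        "mepManagedBy": [ORIGIN_DN],
        # 389-ds marks naming conflicts with this operational attribute.
        "nsds5ReplConflict": ["namingConflict " + MANAGED_DN],
    },
}


def norm(dn):
    """Case- and whitespace-insensitive DN form for comparisons (naive:
    assumes no escaped commas inside attribute values)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def audit_managed_entries(entries):
    """Return {dn: [problems]} for every entry carrying the mepManagedEntry
    objectclass. An empty list means its origin entry links back to it."""
    by_dn = {norm(dn): attrs for dn, attrs in entries.items()}
    findings = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if "mepmanagedentry" not in classes:
            continue
        problems = []
        if attrs.get("nsds5ReplConflict"):
            problems.append("replication conflict entry")
        links = attrs.get("mepManagedBy", [])
        if not links:
            problems.append("no mepManagedBy link")
        for origin_dn in links:
            origin = by_dn.get(norm(origin_dn))
            if origin is None:
                problems.append("origin does not exist: " + origin_dn)
            elif norm(dn) not in {norm(x) for x in origin.get("mepManagedEntry", [])}:
                problems.append("origin does not point back: " + origin_dn)
        findings[dn] = problems
    return findings


def candidates_to_unmanage(entries):
    """DNs whose origin does not point back at them: the duplicates, never
    the entry the hostgroup is actually linked to."""
    return sorted(dn for dn, probs in audit_managed_entries(entries).items()
                  if any(p.startswith("origin does not point back") for p in probs))


def unmanage_ldif(dn):
    """LDIF that turns a managed entry into a plain one so it can be deleted.
    Assumption: mepManagedBy is removed in the same modify so the entry stays
    schema-valid after the objectclass that allows it is gone."""
    return ("dn: %s\n"
            "changetype: modify\n"
            "delete: objectClass\n"
            "objectClass: mepManagedEntry\n"
            "-\n"
            "delete: mepManagedBy\n"
            "-\n" % dn)


if __name__ == "__main__":
    for dn, probs in audit_managed_entries(ENTRIES).items():
        print(dn, "->", probs or "ok")
    for dn in candidates_to_unmanage(ENTRIES):
        print(unmanage_ldif(dn))
```

Feed it the real entries (an ldapsearch of the origin and both netgroup DNs, with the mep* and nsds5ReplConflict attributes requested explicitly since the latter is operational) and only the entry that the hostgroup does not link back to should come out as a candidate; if both do, stop and look at the origin first.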


Re: [Freeipa-users] Search result has been truncated - Configured size limit exceeded

2017-01-27 Thread Christophe TREFOIS
Hi Martin,

Thank you for your swift reply.

Here are the two parameters from that command:

  Search time limit: 2
  Search size limit: 200

Does this tell you anything?

Kind regards,
Christophe

> On 27 Jan 2017, at 12:25, Martin Basti  wrote:
> 
> 
> 
> On 27.01.2017 12:18, Christophe TREFOIS wrote:
>> Dear all,
>> 
>> For some time now, when we access a user's details via the GUI in FreeIPA 
>> 4.4, we receive a
>> 
>> "Search result has been truncated: Configured size limit exceeded" popup. It 
>> seems all fields are properly loaded and updating fields etc. works.
>> 
>> Does anybody know where this could come from and how to remove this message?
>> 
>> Thank you,
>> Christophe
>> 
> 
> Hello,
> 
> what is your configured search size limit (ipa config-show)?
> 
> Martin
> 
> 



Re: [Freeipa-users] Search result has been truncated - Configured size limit exceeded

2017-01-27 Thread Martin Basti

Thanks,

could you check whether the command ipa user-show  shows a truncation 
warning?


It is possible that you suffer from this bug: 
https://fedorahosted.org/freeipa/ticket/6618


How many users do you have?

Martin

On 27.01.2017 13:02, Christophe TREFOIS wrote:
> Hi Martin,
> 
> Thank you for your swift reply.
> 
> Here are the two parameters from that command:
> 
>    Search time limit: 2
>    Search size limit: 200
> 
> Does this tell you anything?
> 
> Kind regards,
> Christophe
> 
> 
> On 27 Jan 2017, at 12:25, Martin Basti  wrote:
>> On 27.01.2017 12:18, Christophe TREFOIS wrote:
>>> Dear all,
>>> 
>>> For some time now, when we access a user's details via the GUI in FreeIPA 4.4, 
>>> we receive a
>>> 
>>> "Search result has been truncated: Configured size limit exceeded" popup. It 
>>> seems all fields are properly loaded and updating fields etc. works.
>>> 
>>> Does anybody know where this could come from and how to remove this message?
>>> 
>>> Thank you,
>>> Christophe
>> 
>> Hello,
>> 
>> what is your configured search size limit (ipa config-show)?
>> 
>> Martin


[Freeipa-users] User with rights for only adding hosts

2017-01-27 Thread Matt .
Hi,

Is it possible to create a user that is only allowed to add
hosts using ipa-client-install?

Would be nice to know.

Cheers,

Matt



Re: [Freeipa-users] User with rights for only adding hosts

2017-01-27 Thread Rob Crittenden

Matt . wrote:
> Hi,
> 
> Is it possible to create a user that is only allowed to add
> hosts using ipa-client-install?
> 
> Would be nice to know.


Are you asking if it can only add a host in the context of 
ipa-client-install? No.


Or are you asking "Is there a permission I can delegate to add hosts?" 
Yes, I just forget the name and don't have an install in front of me. 
ipa permission-find host should give you a reasonably short list to 
search through.


I'm imagining that more than that single permission will be required 
though, depending on what it is you want to do (e.g. DNS updates, etc).


rob
