Re: [Freeipa-users] Padding Scheme used in Fedora Dogtag
It's for the encryption process.

On Tue, Mar 7, 2017 at 7:55 PM, Simo Sorce wrote:
> On Tue, 2017-03-07 at 12:38 +0530, Kaamel Periora wrote:
> > Dear All,
> >
> > It is required to identify the padding scheme used by the Fedora dogtag
> > system. Appreciate if someone could shed some light on this requirement.
>
> Padding scheme for what exactly ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Question about ipa user accounts and the compat container
Hello,

I am running into an odd issue and haven't been able to find any information
on it through searching online.

Environment: We currently have an IPA master running
ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server. We have a mix of
RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one-way trust to a
Windows domain. Compatibility mode is enabled.

The issue I'm seeing is that when I delete an IPA domain user through the web
GUI, the user account doesn't appear to be removed completely from the system.
I verified via "ipa user-find" that the user is no longer in the system. I
also checked via "ldapsearch" that the user account doesn't exist in the
"accounts" container. However, when I look in the "users, compat" container,
that user still exists.

This is causing problems with my Solaris clients since they are pointing to
the compat tree so that we can log in with the Windows accounts on those
servers. The Solaris client is still seeing the account as being valid and is
asking the user for a password on login, which fails because the account
doesn't exist in the IPA domain anymore.

Do I need to remove the account from the LDAP compat container manually, or is
the IPA user delete command (through the GUI and/or command line) supposed to
take care of this? Or is there some sort of clean-up process that I have to
wait for before this account gets removed from that container? If so, what is
the time frame?

Thank you
Rob
[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute
I'm trying to add a host using Foreman to the FreeIPA realm but this doesn't
work. All things seem to be fine and some other tests from other people are
working. The issue is reported here:
http://projects.theforeman.org/issues/18850

My settings are like this:

[root@ipa-01 ~]# ipa role-find
---------------
6 roles matched
---------------
  Role name: helpdesk
  Description: Helpdesk

  Role name: IT Security Specialist
  Description: IT Security Specialist

  Role name: IT Specialist
  Description: IT Specialist

  Role name: Security Architect
  Description: Security Architect

  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management

  Role name: User Administrator
  Description: Responsible for creating Users and Groups
----------------------------
Number of entries returned 6
----------------------------

[root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Member users: foreman-proxy, foreman-realm-proxy
  Privileges: Smart Proxy Host Management

[root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: Retrieve Certificates from the CA, System: Add DNS Entries,
               System: Read DNS Entries, System: Remove DNS Entries,
               System: Update DNS Entries, System: Manage Host Certificates,
               System: Manage Host Enrollment Password,
               System: Manage Host Keytab, System: Modify Hosts,
               System: Remove Hosts, System: Manage Service Keytab,
               System: Modify Services, Add Host Enrollment Password
  Granting privilege to roles: Smart Proxy Host Manager

[root@ipa-01 ~]# ipa permission-find "Add Host"
---------------------
3 permissions matched
---------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hostgroups
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: hostgroup
  Permission flags: V2, MANAGED, SYSTEM

  Permission name: System: Add Hosts
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, MANAGED, SYSTEM
----------------------------
Number of entries returned 3
----------------------------

Can anyone help me out, as I'm unsure where this goes wrong.

Thanks so far!

Regards,
Matt
Re: [Freeipa-users] Question about ipa user accounts and the compat container
On Thu, 09 Mar 2017, Robert Johnson wrote:
> Hello,
>
> I am running into an odd issue and haven't been able to find any information
> on it through searching online.
>
> Environment: We currently have an IPA master running
> ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server. We have a mix of
> RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one-way trust to a
> Windows domain. Compatibility mode is enabled.
>
> The issue I'm seeing is that when I delete an IPA domain user through the web
> GUI, the user account doesn't appear to be removed completely from the
> system. I verified via "ipa user-find" that the user is no longer in the
> system. I also checked via "ldapsearch" that the user account doesn't exist
> in the "accounts" container. However, when I look in the "users, compat"
> container, that user still exists.
>
> This is causing problems with my Solaris clients since they are pointing to
> the compat tree so that we can log in with the Windows accounts on those
> servers. The Solaris client is still seeing the account as being valid and
> is asking the user for a password on login, which fails because the account
> doesn't exist in the IPA domain anymore.
>
> Do I need to remove the account from the LDAP compat container manually, or
> is the IPA user delete command (through the GUI and/or command line)
> supposed to take care of this? Or is there some sort of clean-up process
> that I have to wait for before this account gets removed from that
> container? If so, what is the time frame?
Compat tree is automatically generated. It also tracks existing objects, so
any time the object is removed from the primary tree, it should be cleared
from the compat tree as well.

If you can reliably demonstrate the problem using
http://www.freeipa.org/page/Demo (it has compat tree enabled), then feel free
to open a bug.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Question about ipa user accounts and the compat container
On Thu, Mar 9, 2017 at 4:06 PM, Alexander Bokovoy wrote:
> On Thu, 09 Mar 2017, Robert Johnson wrote:
>
>> Hello,
>>
>> I am running into an odd issue and haven't been able to find any
>> information on it through searching online.
>>
>> Environment: We currently have an IPA master running
>> ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server. We have a mix
>> of RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one-way
>> trust to a Windows domain. Compatibility mode is enabled.
>>
>> The issue I'm seeing is that when I delete an IPA domain user through the
>> web GUI, the user account doesn't appear to be removed completely from
>> the system. I verified via "ipa user-find" that the user is no longer in
>> the system. I also checked via "ldapsearch" that the user account doesn't
>> exist in the "accounts" container. However, when I look in the "users,
>> compat" container, that user still exists.
>>
>> This is causing problems with my Solaris clients since they are pointing
>> to the compat tree so that we can log in with the Windows accounts on
>> those servers. The Solaris client is still seeing the account as being
>> valid and is asking the user for a password on login, which fails because
>> the account doesn't exist in the IPA domain anymore.
>>
>> Do I need to remove the account from the LDAP compat container manually
>> or is the IPA user delete command (through the GUI and/or command line)
>> supposed to take care of this? Or is there some sort of clean-up process
>> that I have to wait for before this account gets removed from that
>> container? If so, what is the time frame?
>>
> Compat tree is automatically generated. It also tracks existing objects,
> so any time the object is removed from the primary tree, it should be
> cleared from the compat tree as well.
>
> If you can reliably demonstrate the problem using
> http://www.freeipa.org/page/Demo (it has compat tree enabled), then feel
> free to open a bug.
>
> --
> / Alexander Bokovoy
>

So after doing some more digging using ldapsearch, I discovered some "odd"
entries. It appears that all my IPA users have duplicate entries under the
compat tree. So on a hunch I deleted another IPA user and one of the two
entries disappeared from the container. I tried to use ldapdelete (and
ldapmodify) to remove the "ghost" entry using the DN I found from the search,
and I get an "object not found" and then it says that it matched the base
tree. If I dump the whole compat tree out to a file, the ghost objects look to
be exact duplicates of the original entries (minus the GUID, which is
different). I can't seem to find a way to remove them.

Any ideas?
Re: [Freeipa-users] Padding Scheme used in Fedora Dogtag
On Fri, 2017-03-10 at 10:50 +0530, Kaamel Periora wrote:
> It's for the encryption process.

Which process ? What protocol ? For data at rest or for secure channels ?
Please be very specific, we use crypto in a multitude of places within
FreeIPA.

Simo.

> On Tue, Mar 7, 2017 at 7:55 PM, Simo Sorce wrote:
> > On Tue, 2017-03-07 at 12:38 +0530, Kaamel Periora wrote:
> > > Dear All,
> > >
> > > It is required to identify the padding scheme used by the Fedora
> > > dogtag system. Appreciate if someone could shed some light on this
> > > requirement.
> >
> > Padding scheme for what exactly ?
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Question about ipa user accounts and the compat container
On Thu, 09 Mar 2017, Robert Johnson wrote:
> On Thu, Mar 9, 2017 at 4:06 PM, Alexander Bokovoy wrote:
> > On Thu, 09 Mar 2017, Robert Johnson wrote:
> > > Hello,
> > >
> > > I am running into an odd issue and haven't been able to find any
> > > information on it through searching online.
> > >
> > > Environment: We currently have an IPA master running
> > > ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server. We have a
> > > mix of RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a
> > > one-way trust to a Windows domain. Compatibility mode is enabled.
> > >
> > > The issue I'm seeing is that when I delete an IPA domain user through
> > > the web GUI, the user account doesn't appear to be removed completely
> > > from the system. I verified via "ipa user-find" that the user is no
> > > longer in the system. I also checked via "ldapsearch" that the user
> > > account doesn't exist in the "accounts" container. However, when I
> > > look in the "users, compat" container, that user still exists.
> > >
> > > This is causing problems with my Solaris clients since they are
> > > pointing to the compat tree so that we can log in with the Windows
> > > accounts on those servers. The Solaris client is still seeing the
> > > account as being valid and is asking the user for a password on
> > > login, which fails because the account doesn't exist in the IPA
> > > domain anymore.
> > >
> > > Do I need to remove the account from the LDAP compat container
> > > manually, or is the IPA user delete command (through the GUI and/or
> > > command line) supposed to take care of this? Or is there some sort of
> > > clean-up process that I have to wait for before this account gets
> > > removed from that container? If so, what is the time frame?
> > Compat tree is automatically generated. It also tracks existing
> > objects, so any time the object is removed from the primary tree, it
> > should be cleared from the compat tree as well.
> >
> > If you can reliably demonstrate the problem using
> > http://www.freeipa.org/page/Demo (it has compat tree enabled), then
> > feel free to open a bug.
> >
> > --
> > / Alexander Bokovoy
>
> So after doing some more digging using ldapsearch, I discovered some "odd"
> entries. It appears that all my IPA users have duplicate entries under the
> compat tree. So on a hunch I deleted another IPA user and one of the two
> entries disappeared from the container. I tried to use ldapdelete (and
> ldapmodify) to remove the "ghost" entry using the DN I found from the
> search, and I get an "object not found" and then it says that it matched
> the base tree. If I dump the whole compat tree out to a file, the ghost
> objects look to be exact duplicates of the original entries (minus the
> GUID, which is different). I can't seem to find a way to remove them.
>
> Any ideas?
Demonstrate your problem using the FreeIPA demo instance, please.

Compat tree is not writable, thus you cannot delete anything from it
directly. You can only delete the original entry to cause removal of a compat
entry. Show how it is not removed with step-by-step ldapsearch/ipa CLI
operations against our demo instance, please.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Padding Scheme used in Fedora Dogtag
On Fri, 10 Mar 2017, Kaamel Periora wrote:
> It's for the encryption process.
Sorry, but you need to be more detailed in what you want to achieve. Crypto
libraries support multiple algorithms. What do you need to do?

> On Tue, Mar 7, 2017 at 7:55 PM, Simo Sorce wrote:
> > On Tue, 2017-03-07 at 12:38 +0530, Kaamel Periora wrote:
> > > Dear All,
> > >
> > > It is required to identify the padding scheme used by the Fedora
> > > dogtag system. Appreciate if someone could shed some light on this
> > > requirement.
> >
> > Padding scheme for what exactly ?
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York

--
/ Alexander Bokovoy
[Freeipa-users] Potential problems when using a loadbalancer
Hi,

what kind of challenges will I run into when I want to use a loadbalancer in
front of my two IPA servers?

- LDAP: Should not be a problem
- Kerberos: will definitely be a challenge. Is this link the solution or am I
  still missing something:
  http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html
- Certificates: I stumbled upon a Red Hat Knowledgebase entry dealing with
  "Certificate CN not matching when using the loadbalancer's virtual name":
  https://access.redhat.com/solutions/547723
- What else will be a problem that needs to be solved?

Any hints regarding the "what else" point would be highly appreciated!

Regards,
Ronald
[Freeipa-users] What is the next free IP address for a DNS record
Hey,

Is there an easy way to find out what the next free IP address is when adding
a new DNS A record? The web interface sorts the records alphabetically on
"Record name", even in-arpa zones. For the latter it would be more convenient
to sort numerically.

Anyway, what methods are there to know what IP address to use when adding a
new DNS record? Did I overlook something?

BTW. Right now I'm dumping the JSON with

ipa -vv dnsrecord-find mydomain --sizelimit=9 --all --structured 2>&1 >/dev/null

and a Python script to make a list sorted on IP address.

--
Kees
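As an added example (not Kees's script and not FreeIPA code), here is the kind of helper his approach boils down to: take the record list that `ipa dnsrecord-find <zone> --all` returns, order the A records numerically instead of by name, and list the addresses in a given subnet that no A record uses. The entry shape (`idnsname` and `arecord` lists per entry) and the sample records are assumptions constructed for the example, not output captured from a real server; anything handed out by DHCP or lacking an A record is invisible to it, which is Martin's point below.

```python
"""Sort FreeIPA A records numerically and report unused addresses.

Added example, not code from the FreeIPA project or from the original
post. It assumes each entry in the `result` list of
`ipa -vv dnsrecord-find <zone> --all` carries `idnsname` and `arecord`
lists; the sample below is constructed, not real zone data.
"""
import ipaddress
import json

# Constructed sample in the assumed shape of the JSON-RPC "result" array.
SAMPLE_JSON = json.dumps([
    {"idnsname": ["@"], "nsrecord": ["ipa1.example.net."]},
    {"idnsname": ["ipa1"], "arecord": ["10.0.0.10"]},
    {"idnsname": ["ipa2"], "arecord": ["10.0.0.2"]},
    {"idnsname": ["web"], "arecord": ["10.0.0.1", "10.0.0.4"]},
    {"idnsname": ["lab"], "arecord": ["192.168.5.7"]},
])


def load_entries(text):
    """Parse the JSON array of zone entries."""
    return json.loads(text)


def a_records(entries):
    """Yield (name, IPv4Address) for every A record in the entry list."""
    for entry in entries:
        name = entry.get("idnsname", ["?"])[0]
        for addr in entry.get("arecord", []):
            yield name, ipaddress.IPv4Address(addr)


def sorted_by_address(entries):
    """A records ordered numerically by address, not alphabetically by name."""
    return sorted(a_records(entries), key=lambda pair: pair[1])


def free_addresses(entries, network, reserve_first=1, limit=None):
    """Host addresses in `network` that no A record in the zone uses.

    `reserve_first` skips the lowest host addresses (gateway and the like).
    Only the zone is consulted: DHCP leases and hosts without an A record
    are not seen here.
    """
    net = ipaddress.IPv4Network(network)
    used = {addr for _, addr in a_records(entries) if addr in net}
    free = []
    for index, host in enumerate(net.hosts()):
        if index < reserve_first or host in used:
            continue
        free.append(host)
        if limit is not None and len(free) >= limit:
            break
    return free


def next_free_address(entries, network, reserve_first=1):
    """First unused host address in `network`, or None if the zone is full."""
    free = free_addresses(entries, network, reserve_first, limit=1)
    return free[0] if free else None


if __name__ == "__main__":
    entries = load_entries(SAMPLE_JSON)
    for name, addr in sorted_by_address(entries):
        print(f"{str(addr):<16} {name}")
    print("next free in 10.0.0.0/24:", next_free_address(entries, "10.0.0.0/24"))
```

To use it against a live zone, pipe the JSON that `ipa -vv` writes to stderr into `load_entries` after extracting the `result` array; the script deliberately does not reach the network itself.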
Re: [Freeipa-users] What is the next free IP address for a DNS record
Comments inline

On 09.03.2017 11:12, Kees Bakker wrote:
> Hey,
>
> Is there an easy way to find out what the next free IP address is when
> adding a new DNS A record? The web interface sorts the records
> alphabetically on "Record name", even in-arpa zones. For the latter it
> would be more convenient to sort numerically.
No, it depends on your system. FreeIPA is not an authoritative source of IP
addresses; this is a job for a DHCP server or any network management system.

I don't think that we should sort numerically, as DNS names work with bytes,
so ASCII sorting is better. Nothing prevents you from using a non-numeric
domain with the PTR RR type.
>
> Anyway, what methods are there to know what IP address to use when adding a
> new DNS record? Did I overlook something?
Usually when you are adding a new A record, you know which host it belongs
to, so you should use the IP address of the host.
>
> BTW. Right now I'm dumping the JSON with
> ipa -vv dnsrecord-find mydomain --sizelimit=9 --all --structured 2>&1 >/dev/null
> and a Python script to make a list sorted on IP address.

Martin
[Freeipa-users] Create Replica fail any idea?? thz
No expired cert prompt appears. All services in "ipa status" are OK, and port
9444 can be reached with telnet.

Creating SSL certificate for the Directory Server
preparation of replica failed: cannot connect to
'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (PR_END_OF_FILE_ERROR) Encountered end of file.
cannot connect to
'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (PR_END_OF_FILE_ERROR) Encountered end of file.
  File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 361, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
    raise e
Re: [Freeipa-users] SSSD bug found? FreeIPA vs SSSD
On Thu, Mar 09, 2017 at 11:32:35AM +0200, Alexander Bokovoy wrote:
> On Thu, 09 Mar 2017, Jakub Hrozek wrote:
> > On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote:
> > > Hola,
> > >
> > > On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and
> > > sssd (via COPR) 1.15.1, which has a one-way trust to an AD domain.
> > > unix.name.org -> name.org
> > >
> > > I've seen some interesting behaviour.
> > >
> > > Being part of a large organisation with a smaller nix environment and
> > > a larger Windows environment we see all the best of odd AD management
> > > behaviour (eg spaces in usernames...).
> > >
> > > Turns out some of the groups in AD have an @ symbol in them.
> > >
> > > The behavioural difference we see is: given userA in group "name @ of
> > > group" that on the FreeIPA server:
> > >
> > > [r...@vmpr-freeipa.unix.name.org ~]# id us...@name.org
> > >
> > > works as expected.
> > >
> > > But on a client
> > >
> > > [r...@vmpr-linuxclient1.unix.name.org ~]# id us...@name.org
> > >
> > > returns nothing.
> >
> > Yes, it is a known issue:
> >    https://pagure.io/SSSD/sssd/issue/3219
> >
> > There were some users who reported this works better with a modified
> > re_expression:
> >    re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
> > but I agree we should fix this by default. However, the fix must be done
> > at both the SSSD level and the IPA extdom plugin, which also searches
> > for the @-sign in the user and group names.
> Luckily, a change for extdom plugin seems to be straightforward -- search
> for the *last* occurrence of the domain separator, not the first one. We
> had a similar issue with nfs idmapd code too.

Yes, the most tricky part would be testing, to make sure the new regular
expression doesn't break anything. I used the one I showed to unblock some
RHEL customers that were complaining and were a bit stuck, but I didn't have
enough time to run all our available tests with it; that's why we didn't
switch by default.
Re: [Freeipa-users] ipa-client-install generates bad sssd.conf
On 03/05/17 11:47, Timo Aaltonen wrote:
>
> pam-auth-update configures pam, there's nothing else to be configured..
> I just ran ipa-client-install on Ubuntu zesty with freeipa-client
> 4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:
>
> services = nss, sudo, pam, ssh
>
> Do you get the same for 4.4.3-3 (the version in Debian experimental, AFAICT) on sid?

I don't :-(.

Command line:

ipa-client-install --hostname `hostname` --no-ssh --no-sshd --no-nisdomain

Regards
Harri
Re: [Freeipa-users] External DNS and replication
On 09.03.2017 09:04, Wimmer Ronald (BCC.B.SO) wrote:
>
> *From:* Martin Basti [mailto:mba...@redhat.com]
> *Sent:* Wednesday, 08 March 2017 14:54
> *To:* Wimmer Ronald (BCC.B.SO); freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] External DNS and replication
>
> On 08.03.2017 14:05, Wimmer Ronald (BCC.B.SO) wrote:
>
> > Hi,
> >
> > I am using FreeIPA with external DNS. Is it ok to balance the
> > requests between master and replica with DNS SRV records like this:
> >
> > _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> > _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> > _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> > _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> > _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
> > _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
> > _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
> > _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa1.example.net.
> >
> > _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> > _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> > _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> > _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> > _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
> > _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
> > _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa2.example.net.
> > _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa2.example.net.
> >
> > _kerberos.example.net. 86400 IN TXT "example.net"
>
> Looks good to me
>
> > ipa-ca.example.net. 86400 IN A 10.66.39.130
> >
> > What about the "ipa-ca" entry?
>
> ipa-ca should contain all A/AAAA records of CA replicas
>
> IPA 4.4+ supports the command `ipa dns-update-system-records --dry-run` to
> get all required records
>
> > Regards,
> > Ronald
>
> Martin
>
> Thanks a lot. In https://access.redhat.com/solutions/98043 Red Hat
> suggests using the same weight and same priority for the SRV records. Does
> that make sense?
>
Priority should be the same, otherwise servers with higher priority will work
only as backups (preferably you should have priority 0). You can edit the
weight to distribute more load to beefy servers.

Please note that priority and weight are handled on the client side, so it
will work only on clients that process SRV with priority and weight. Some
clients may ignore it.

> I also noticed that I have no ntp record. Are IPA clients relying on that
> entry? Do I have to create these manually?
>
> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipaserver1.example.net.
> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipaserver2.example.net.
>
It depends on your system configuration on clients. This is basically used
only by ipa-client-install because AFAIK the ntp client doesn't support SRV
lookup. Usually clients have a default NTP client configured, so it should
work.

> Ronald
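To make the "handled on the client side" point concrete, here is an added example (not FreeIPA, SSSD or any resolver's code) of the selection a client that follows RFC 2782 performs over the SRV records Ronald listed: records are grouped by priority, lowest value first, and within a group a target is drawn at random with probability proportional to its weight. The record sets below are constructed for the example; with equal priority both servers share the first slot, and with ipa2 moved to a higher priority value it is only ever tried after ipa1.

```python
"""Client-side SRV selection (RFC 2782) over a constructed record set.

Added example, not FreeIPA or SSSD code. It shows why equal priority is
needed for load sharing and how weight skews the share; the records are
constructed to mirror the _ldap._tcp.example.net entries in the thread.
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed: both servers at the same priority and weight, as in the thread.
BALANCED = [
    SRV(10, 50, 389, "ipa1.example.net."),
    SRV(10, 50, 389, "ipa2.example.net."),
]
# Constructed: ipa2 demoted by priority value, so it becomes a backup only.
BACKUP = [
    SRV(10, 50, 389, "ipa1.example.net."),
    SRV(20, 50, 389, "ipa2.example.net."),
]


def order_targets(records, rng=None):
    """Targets in the order an RFC 2782 client tries them.

    Priority groups are visited from the lowest value upwards; inside a
    group the RFC's weighted draw picks one target at a time, removing it
    from the group so that every target is eventually listed.
    """
    if rng is None:
        rng = random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # Zero-weight records sort first so they are picked only when the
        # random number is 0, which is the RFC's "very small chance".
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r.target)
                    group.remove(r)
                    break
    return ordered


def first_choice_counts(records, trials, seed=1):
    """How often each target is tried first over `trials` lookups."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = order_targets(records, rng)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    print("balanced:", first_choice_counts(BALANCED, 1000))
    print("backup:  ", first_choice_counts(BACKUP, 1000))
```

The caveat Martin gives still applies: a client that simply takes the first SRV answer the resolver returns, or ignores SRV entirely, gets none of this, so check the behaviour of each client type rather than assuming the zone does the balancing.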
Re: [Freeipa-users] Potential problems when using a loadbalancer
On 09.03.2017 11:04, Wimmer Ronald (BCC.B.SO) wrote:
>
> Hi,
>
> what kind of challenges will I run into when I want to use a
> loadbalancer in front of my two IPA servers?
>
> - LDAP: Should not be a problem
> - Kerberos: will definitely be a challenge. Is this link the solution or
>   am I still missing something:
>   http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html
> - Certificates: I stumbled upon a Red Hat Knowledgebase entry dealing
>   with "Certificate CN not matching when using the loadbalancer's virtual
>   name": https://access.redhat.com/solutions/547723
> - What else will be a problem that needs to be solved?
>
> Any hints regarding the "what else" point would be highly appreciated!
>
> Regards,
> Ronald
>
This may help you: https://www.adelton.com/freeipa/freeipa-behind-load-balancer
Re: [Freeipa-users] SSSD bug found? FreeIPA vs SSSD
On to, 09 maalis 2017, Jakub Hrozek wrote: On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote: Hola, On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and sssd (via COPR) 1.15.1, which has a one way trust to an AD domain. unix.name.org -> name.org I've seen some interesting behaviour. Being part of a large organisation with a smaller nix environment and a larger Windows environment we see all the best of odd AD management behaviour (eg spaces in usernames...). Turns out some of the groups in AD have an @ symbol in them. The behavioural difference we see is: given userA in group "name @ of group" that on the FreeIPA server: [r...@vmpr-freeipa.unix.name.org ~]# id us...@name.org works as expected. But on a client [r...@vmpr-linuxclient1.unix.name.org ~]# id us...@name.org returns nothing. Yes, it is a know issue: https://pagure.io/SSSD/sssd/issue/3219 There were some users who reported this works better with a modified re_expression: re_expression = ((?P.+)@(?P[^@]+$)) but I agree we should fix this by default. However, the fix must be done at both the SSSD level and the IPA extdom plugin, which also searches for the @-sign in the user and group names. Luckily, a change for extdom plugin seem to be straightforward -- search for the *last* occurence of the domain separator, not the first one. We had a similar issue with nfs idmapd code too. -- / Alexander Bokovoy diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index e629247..7c67fb7 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
@@ -515,7 +515,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, char *short_user_name = NULL; short_user_name = strdup(user_name); -if ((locat = strchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) { +if ((locat = strrchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) { if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { @@ -626,7 +626,7 @@ int pack_ber_group(enum response_types response_type, char *short_group_name = NULL; short_group_name = strdup(group_name); -if ((locat = strchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) { +if ((locat = strrchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) { if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { @@ -901,7 +901,7 @@ static int handle_sid_or_cert_request(struct ipa_extdom_ctx *ctx, goto done; } -sep = strchr(fq_name, SSSD_DOMAIN_SEPARATOR); +sep = strrchr(fq_name, SSSD_DOMAIN_SEPARATOR); if (sep == NULL) { set_err_msg(req, "Failed to split fully qualified name"); ret = LDAP_OPERATIONS_ERROR; @@ -1023,7 +1023,7 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, char *buf = NULL; struct sss_nss_kv *kv_list = NULL; -if (strchr(name, SSSD_DOMAIN_SEPARATOR) == NULL) { +if (strrchr(name, SSSD_DOMAIN_SEPARATOR) == NULL) { ret = asprintf(_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR, domain_name); } else { -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
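Review bot: in the pack_ber_user and pack_ber_group hunks the strdup() result goes straight into strrchr() with no NULL check (`short_user_name = strdup(user_name);` is immediately followed by `if ((locat = strrchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL)`), so an allocation failure dereferences NULL inside strrchr(); the problem predates the patch, but since both lines are being touched, bail out through each function's existing error path when strdup() returns NULL before searching for the separator.

Review bot: the handle_sid_or_cert_request hunk is the one that changes behaviour, because `sep` now points at the last separator and whatever follows it is treated as the domain (for the group in this thread the tail becomes `name.org` rather than ` of group@name.org`); add a unit test with a short name that itself contains '@' so the new split is pinned, and say in the commit message that names are now split at the last separator, since nothing in the diff documents that.

Review bot: in the handle_name_request hunk the strchr() to strrchr() swap is a no-op, since the result is only compared against NULL and both return NULL exactly when no separator is present; keeping it for consistency is fine, but it contributes nothing to the fix and should not be listed as part of it.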
Re: [Freeipa-users] External DNS and replication
> From: Martin Basti [mailto:mba...@redhat.com]
> Sent: Wednesday, 08 March 2017 14:54
> To: Wimmer Ronald (BCC.B.SO); freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] External DNS and replication
>
> On 08.03.2017 14:05, Wimmer Ronald (BCC.B.SO) wrote:
>
> > Hi,
> >
> > I am using FreeIPA with external DNS. Is it ok to balance the requests
> > between master and replica with DNS SRV records like this:
> >
> > _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> > _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> > _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> > _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> > _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
> > _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
> > _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
> > _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa1.example.net.
> >
> > _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> > _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> > _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> > _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> > _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
> > _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
> > _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa2.example.net.
> > _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa2.example.net.
> >
> > _kerberos.example.net. 86400 IN TXT "example.net"
>
> Looks good to me
>
> > ipa-ca.example.net. 86400 IN A 10.66.39.130
> >
> > What about the "ipa-ca" entry?
>
> ipa-ca should contain all A/AAAA records of CA replicas
>
> IPA 4.4+ supports the command `ipa dns-update-system-records --dry-run` to
> get all required records
>
> > Regards,
> > Ronald
>
> Martin

Thanks a lot. In https://access.redhat.com/solutions/98043 Red Hat suggests
using the same weight and same priority for the SRV records. Does that make
sense?

I also noticed that I have no ntp record. Are IPA clients relying on that
entry? Do I have to create these manually?

_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipaserver1.example.net.
_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipaserver2.example.net.

Ronald
Re: [Freeipa-users] SSSD bug found? FreeIPA vs SSSD
On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote:
> Hola,
>
> On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and sssd
> (via COPR) 1.15.1, which has a one way trust to an AD domain. unix.name.org
> -> name.org
>
> I've seen some interesting behaviour.
>
> Being part of a large organisation with a smaller nix environment and a
> larger Windows environment we see all the best of odd AD management
> behaviour (eg spaces in usernames...).
>
> Turns out some of the groups in AD have an @ symbol in them.
>
> The behavioural difference we see is: given userA in group "name @ of
> group" that on the FreeIPA server:
>
> [r...@vmpr-freeipa.unix.name.org ~]# id us...@name.org
>
> works as expected.
>
> But on a client
>
> [r...@vmpr-linuxclient1.unix.name.org ~]# id us...@name.org
>
> returns nothing.

Yes, it is a known issue:
https://pagure.io/SSSD/sssd/issue/3219

There were some users who reported this works better with a modified re_expression:

    re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))

but I agree we should fix this by default. However, the fix must be done at both the SSSD level and the IPA extdom plugin, which also searches for the @-sign in the user and group names.

> We believe it is because of the group with the @ in the name.
>
> The AD management team agreed to change the name of one group with an @ in
> its name, and that has solved the problem - id us...@name.org now works on
> the sssd client.
>
> Putting aside the critiques of having an @ in a group name, I believe that
> if there isn't a bug, there is at least an inconsistency, between how
> FreeIPA and sssd handle this situation.
>
> This was a guess based on seeing this in the logs:
>
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=awong))][cn=Default Trust View,cn=views,cn=accounts,dc=unix,dc=name,dc=org].
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaanchoruuid=:SID:S-1-5-21-55386287-1424373824-1154838474-83519,cn=Default Trust View,cn=views,cn=accounts,dc=unix,dc=name,dc=org].
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state] (0x1000): Domain unix.name.org is Active
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state] (0x1000): Domain name.org is Active
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state] (0x1000): Domain unix.name.org is Active
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state] (0x1000): Domain name.org is Active
> ...
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state] (0x1000): Domain unix.name.org is Active
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state] (0x1000): Domain name.org is Active
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state] (0x1000): Domain unix.name.org is Active
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state] (0x1000): Domain name.org is Active
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [add_v1_user_data] (0x0040): find_domain_by_name failed.
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [s2n_response_to_attrs] (0x0040): add_v1_user_data failed.
> (Wed Mar 8 12:03:02 2017) [sssd[be[unix.name.org]]] [ipa_s2n_get_user_done] (0x0040): s2n_response_to_attrs failed.
>
> The last three lines tipped off a colleague who was debugging why this
> userA couldn't login to anything.
>
> Since then we have created IPA overrides for the groups with @ symbols in
> them. This also works as a solution. It's not our preferred solution, but
> we are users, not managers, of the AD system.
>
> Cheers
>
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
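The workaround quoted in the reply works because it anchors the domain part to the last `@` in the string instead of the first, so an `@` inside a group name stays in the name. The following is an added example, not code from the thread or from SSSD: it evaluates the posted `re_expression` with Python's `re` (the `(?P<name>...)` group syntax is the same as SSSD's) against the group name from the report, beside a constructed first-`@` splitter that shows the failure mode. The capture-group names `name` and `domain` are SSSD's documented ones; they are assumed here because the archive dropped them from the posted regex.

```python
"""Why the '@'-anchored re_expression copes with '@' inside a group name.

Added example, not from the thread or from SSSD. SSSD documents the
capture groups as `name` and `domain`; those names are assumed here
because the archive dropped them from the posted regex. The "naive"
pattern is constructed only to show the failure mode.
"""
import re

# Posted pattern with group names restored: the domain is whatever follows
# the LAST '@', so '@' characters inside the name part are kept in the name.
ANCHORED = re.compile(r"((?P<name>.+)@(?P<domain>[^@]+$))")

# Constructed comparison: split at the FIRST '@', which mangles such names.
NAIVE = re.compile(r"((?P<name>[^@]+)@(?P<domain>.+$))")


def split_fqname(fqname, pattern=ANCHORED):
    """Return (name, domain) or None when the pattern does not match."""
    m = pattern.match(fqname)
    return (m.group("name"), m.group("domain")) if m else None


def ambiguous_names(short_names):
    """Names containing '@', which any first-'@' splitter will misparse."""
    return [n for n in short_names if "@" in n]


if __name__ == "__main__":
    fq = "name @ of group@name.org"  # AD group from the report, qualified
    print("anchored:", split_fqname(fq))
    print("naive:   ", split_fqname(fq, NAIVE))
    print("to rename or override:", ambiguous_names(["Domain Users", "name @ of group"]))
```

Note that the anchored pattern assumes fully qualified input; a bare `userA` with no `@` does not match, which is why SSSD's default `re_expression` is a longer alternation that also accepts plain names.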
Re: [Freeipa-users] What is the next free IP address for a DNS record
On Thu, 2017-03-09 at 13:33 +0100, Kees Bakker wrote:
> On 09-03-17 13:26, Tomas Krizek wrote:
> > On 03/09/2017 01:19 PM, Kees Bakker wrote:
> > > On 09-03-17 12:08, Martin Basti wrote:
> > > > On 09.03.2017 11:12, Kees Bakker wrote:
> > > > > Hey,
> > > > >
> > > > > Is there an easy way to find out what the next free IP address is when adding a new DNS A record? The web interface sorts the records alphabetically on "Record name", even in-arpa zones. For the latter it would be more convenient to sort numerically.
> > > >
> > > > No, it depends on your system. FreeIPA is not an authoritative source of IP addresses, this is job for DHCP server or any network management system.
> > >
> > > DHCP, no.
> > > "any network management system", that would be the DNS service in our FreeIPA.
> >
> > DNS A records only translate the hostnames to IPv4 addresses. DNS does not assign the addresses. That's something DHCP would do. If you do not use DHCP and assign the IP addresses statically, the network administrator would be the person responsible for assigning you a free IP address.
>
> Yes, I'm talking about static addresses. Is it really such a strange question to ask for static IP addresses?
>
> The network administrator, that would be me.

Would it be sufficient to you to have a command line tool to run against LDAP to list all existing IP addresses and sort them?

If so this is what I use (assuming a realm called example.com):

    ldapsearch -Y GSSAPI -s one -b "idnsname=example.com.,cn=dns,dc=example,dc=com" aRecord 2>/dev/null | grep "^aRecord" | sort

Note: You need to be logged in (kinit'ed) with a user that has rights to see the DNS tree.

HTH,
Simo.
Re: [Freeipa-users] What is the next free IP address for a DNS record
On 03/09/2017 01:19 PM, Kees Bakker wrote:
> On 09-03-17 12:08, Martin Basti wrote:
>> Comments inline
>>
>>
>> On 09.03.2017 11:12, Kees Bakker wrote:
>>> Hey,
>>>
>>> Is there an easy way to find out what the next free IP address is when adding a new DNS A record? The web interface sorts the records alphabetically on "Record name", even in-arpa zones. For the latter it would be more convenient to sort numerically.
>> No, it depends on your system. FreeIPA is not an authoritative source of IP addresses, this is job for DHCP server or any network management system.
> DHCP, no.
> "any network management system", that would be the DNS service in our FreeIPA.

DNS A records only translate the hostnames to IPv4 addresses. DNS does not assign the addresses. That's something DHCP would do. If you do not use DHCP and assign the IP addresses statically, the network administrator would be the person responsible for assigning you a free IP address.

-- 
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Re: [Freeipa-users] What is the next free IP address for a DNS record
On 09-03-17 13:26, Tomas Krizek wrote:
> On 03/09/2017 01:19 PM, Kees Bakker wrote:
>> On 09-03-17 12:08, Martin Basti wrote:
>>> On 09.03.2017 11:12, Kees Bakker wrote:
>>>> Hey,
>>>>
>>>> Is there an easy way to find out what the next free IP address is when adding a new DNS A record? The web interface sorts the records alphabetically on "Record name", even in-arpa zones. For the latter it would be more convenient to sort numerically.
>>> No, it depends on your system. FreeIPA is not an authoritative source of IP addresses, this is job for DHCP server or any network management system.
>> DHCP, no.
>> "any network management system", that would be the DNS service in our FreeIPA.
> DNS A records only translate the hostnames to IPv4 addresses. DNS does not assign the addresses. That's something DHCP would do. If you do not use DHCP and assign the IP addresses statically, the network administrator would be the person responsible for assigning you a free IP address.
>
Yes, I'm talking about static addresses. Is it really such a strange question to ask for static IP addresses?

The network administrator, that would be me.
Re: [Freeipa-users] What is the next free IP address for a DNS record
On 09.03.2017 13:19, Kees Bakker wrote:
> On 09-03-17 12:08, Martin Basti wrote:
>> Comments inline
>>
>>
>> On 09.03.2017 11:12, Kees Bakker wrote:
>>> Hey,
>>>
>>> Is there an easy way to find out what the next free IP address is when adding a new DNS A record? The web interface sorts the records alphabetically on "Record name", even in-arpa zones. For the latter it would be more convenient to sort numerically.
>> No, it depends on your system. FreeIPA is not an authoritative source of IP addresses, this is job for DHCP server or any network management system.
> DHCP, no.
> "any network management system", that would be the DNS service in our FreeIPA.

DNS is not suitable to be a source of unused IP addresses, that's work for DHCP, DNS has no information about network ranges. FreeIPA works in a different way, you are responsible for creating and provisioning a host, assigning an IP address and then enrolling the host to FreeIPA (IP address should be automatically updated in DNS). FreeIPA is so far from being a network management system.

>
>> I don't think that we should sort numerically as DNS names works with bytes, so ASCII sorting is better. Nothing prevents you to use non-numeric domain with PTR RR type.
> In this case I was referring to the reverse DNS records in the in-arpa zones. The Record Name for these zones are always numeric, aren't they?

https://tools.ietf.org/html/rfc2317

>
>>> Anyway, what methods are there to know what IP address to use when adding a new DNS record? Did I overlook something?
>> Usually when you are adding a new A record, you know for which host it belongs, so you should use the IP address of the host.
> I'm not talking about an existing host. I want to add a _new_ host with a _new_ DNS A record. There is no IP address yet. And that's exactly my problem. What IP address to pick? FreeIPA/DNS is my authority, so to speak. But there is no simple method to find the next free IP address.
>
> In the "old days" we had a straightforward bind configuration. I'd had to edit two files, one for the domain zone and one for the in-arpa zone. But now the DNS server gets its zone information from FreeIPA (through LDAP).

You can use AXFR from DNS to get all records from zone, sort it and check free IP addresses. But there is no standard tool for that in DNS. You have to create your own script

>
>>> BTW. Right now I'm dumping the JSON with
>>> ipa -vv dnsrecord-find mydomain --sizelimit=9 --all --structured 2>&1 >/dev/null
>>> and a Python script to make a list sorted on ip address.
>> Martin
>>
Re: [Freeipa-users] What is the next free IP address for a DNS record
On 09-03-17 12:08, Martin Basti wrote:
> Comments inline
>
>
> On 09.03.2017 11:12, Kees Bakker wrote:
>> Hey,
>>
>> Is there an easy way to find out what the next free IP address is when adding a new DNS A record? The web interface sorts the records alphabetically on "Record name", even in-arpa zones. For the latter it would be more convenient to sort numerically.
> No, it depends on your system. FreeIPA is not an authoritative source of IP addresses, this is job for DHCP server or any network management system.

DHCP, no.
"any network management system", that would be the DNS service in our FreeIPA.

>
> I don't think that we should sort numerically as DNS names works with bytes, so ASCII sorting is better. Nothing prevents you to use non-numeric domain with PTR RR type.

In this case I was referring to the reverse DNS records in the in-arpa zones. The Record Name for these zones are always numeric, aren't they?

>> Anyway, what methods are there to know what IP address to use when adding a new DNS record? Did I overlook something?
> Usually when you are adding a new A record, you know for which host it belongs, so you should use the IP address of the host.

I'm not talking about an existing host. I want to add a _new_ host with a _new_ DNS A record. There is no IP address yet. And that's exactly my problem. What IP address to pick? FreeIPA/DNS is my authority, so to speak. But there is no simple method to find the next free IP address.

In the "old days" we had a straightforward bind configuration. I'd had to edit two files, one for the domain zone and one for the in-arpa zone. But now the DNS server gets its zone information from FreeIPA (through LDAP).

>
>> BTW. Right now I'm dumping the JSON with
>> ipa -vv dnsrecord-find mydomain --sizelimit=9 --all --structured 2>&1 >/dev/null
>> and a Python script to make a list sorted on ip address.
> Martin
>
Re: [Freeipa-users] What is the next free IP address for a DNS record
On 09-03-17 14:07, Simo Sorce wrote:
> On Thu, 2017-03-09 at 13:33 +0100, Kees Bakker wrote:
>> On 09-03-17 13:26, Tomas Krizek wrote:
>>> On 03/09/2017 01:19 PM, Kees Bakker wrote:
>>>> On 09-03-17 12:08, Martin Basti wrote:
>>>>> On 09.03.2017 11:12, Kees Bakker wrote:
>>>>>> Hey,
>>>>>>
>>>>>> Is there an easy way to find out what the next free IP address is when adding a new DNS A record? The web interface sorts the records alphabetically on "Record name", even in-arpa zones. For the latter it would be more convenient to sort numerically.
>>>>> No, it depends on your system. FreeIPA is not an authoritative source of IP addresses, this is job for DHCP server or any network management system.
>>>> DHCP, no.
>>>> "any network management system", that would be the DNS service in our FreeIPA.
>>> DNS A records only translate the hostnames to IPv4 addresses. DNS does not assign the addresses. That's something DHCP would do. If you do not use DHCP and assign the IP addresses statically, the network administrator would be the person responsible for assigning you a free IP address.
>>>
>> Yes, I'm talking about static addresses. Is it really such a strange question to ask for static IP addresses?
>>
>> The network administrator, that would be me.
> Would it be sufficient to you to have a command line tool to run against LDAP to list all existing IP addresses and sort them?
>
> If so this is what I use (assuming a realm called example.com):
>
> ldapsearch -Y GSSAPI -s one -b "idnsname=example.com.,cn=dns,dc=example,dc=com" aRecord 2>/dev/null | grep "^aRecord" | sort
>
> Note: You need to be logged in (kinit'ed) with a user that has rights to see the DNS tree.
>
Thanks.

That is more or less like what I am doing, be it that I use the JSON output of ipa dnsrecord-find, and a Python script to massage the output and get a list like this:

172.16.16.87    grift
172.16.16.88    qlcmdevl
172.16.16.91    sp2
172.16.16.95    kwistbeek
172.16.16.96    keersop
172.16.16.97    lutjewad

Anyway, from the answers I gather that this is what it is. Which is not a huge problem. I was just curious if there were easier methods.
-- 
Kees
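Both approaches in this thread (Simo's `ldapsearch ... aRecord | sort` and Kees's script over `ipa dnsrecord-find` output) stop at a sorted list; the step still missing is the numeric sort and the gap search. The following is an added example, not code from the thread or from the FreeIPA project: it parses the LDIF that an `ldapsearch` over the `cn=dns` tree returns when `aRecord` is requested (with the `dn:` lines kept so the hostname survives), sorts by address rather than by text, and reports the unused host addresses of a given prefix. The LDIF below is constructed, reusing hostnames from the thread plus one extra host at `.100` to show why the web interface's alphabetical order misplaces addresses.

```python
"""Sort IPA A records numerically and find free addresses in a range.

Added example, not from the thread or the FreeIPA project. It parses the
LDIF that an `ldapsearch ... aRecord` query over the cn=dns tree emits;
the entries below are constructed (hostnames borrowed from the thread,
plus one extra host to show why text sorting misorders addresses).
"""
import ipaddress

LDIF = """\
dn: idnsname=grift,idnsname=example.com.,cn=dns,dc=example,dc=com
aRecord: 172.16.16.87

dn: idnsname=qlcmdevl,idnsname=example.com.,cn=dns,dc=example,dc=com
aRecord: 172.16.16.88

dn: idnsname=sp2,idnsname=example.com.,cn=dns,dc=example,dc=com
aRecord: 172.16.16.91

dn: idnsname=kwistbeek,idnsname=example.com.,cn=dns,dc=example,dc=com
aRecord: 172.16.16.95

dn: idnsname=keersop,idnsname=example.com.,cn=dns,dc=example,dc=com
aRecord: 172.16.16.96
aRecord: 172.16.16.97

dn: idnsname=lutjewad,idnsname=example.com.,cn=dns,dc=example,dc=com
aRecord: 172.16.16.100
"""


def parse_ldif_a_records(text):
    """Return [(IPv4Address, hostname)] from 'dn:' / 'aRecord:' lines."""
    records, name = [], None
    for line in text.splitlines():
        if line.startswith("dn: "):
            rdn = line[4:].split(",", 1)[0]  # e.g. idnsname=grift
            name = rdn.split("=", 1)[1]
        elif line.startswith("aRecord: ") and name is not None:
            value = line[len("aRecord: "):].strip()
            records.append((ipaddress.IPv4Address(value), name))
    return records


def sorted_by_ip(records):
    """IPv4Address compares numerically, so .100 sorts after .97."""
    return sorted(records)


def free_addresses(records, network):
    """Host addresses in `network` with no A record (network/broadcast excluded)."""
    net = ipaddress.ip_network(network)
    used = {ip for ip, _ in records}
    return [ip for ip in net.hosts() if ip not in used]


def next_free_after(records, network, after):
    """First unused address above `after`, or None if the range is full."""
    after = ipaddress.IPv4Address(after)
    return next((ip for ip in free_addresses(records, network) if ip > after), None)


if __name__ == "__main__":
    recs = parse_ldif_a_records(LDIF)
    for ip, host in sorted_by_ip(recs):
        print(f"{str(ip):<16}{host}")
    print("next free after .87:", next_free_after(recs, "172.16.16.80/28", "172.16.16.87"))
```

The prefix has to be supplied by the caller, which is exactly Martin's point: the zone knows which addresses are taken but not which range they were meant to be taken from, and an address absent from DNS is only free if nothing unregistered already uses it.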