[Freeipa-users] KRA Cannot Authenticate with LDAP After Replication

2017-04-12 Thread Ilya Kogan
Hi,

I’m wondering if anyone might be able to help me figure out why my KRA is 
failing after a fairly recent installation. It's throwing exceptions about LDAP 
authentication that look like the following (note, I’ve truncated some of the 
stacks for brevity):

Apr 12 21:14:22 server[7515]: Could not connect to LDAP server host 
ipa-1.mydomain.com port 636 Error netscape.ldap.LDAPException: error result (49)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:332)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:295)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.dbs.DBSubsystem.hasRangeConflict(DBSubsystem.java:475)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:500)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.dbs.KeyRepository.updateKeyStatus(KeyRepository.java:189)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.dbs.KeyStatusUpdateTask.run(KeyRepository.java:604)
Apr 12 21:14:22 server[7515]: at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
...
Apr 12 21:14:22 server[7515]: Could not connect to LDAP server host 
ipa-1.mydomain.com port 636 Error netscape.ldap.LDAPException: error result (49)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:332)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:295)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.dbs.DBSubsystem.hasRangeConflict(DBSubsystem.java:475)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:500)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.dbs.KeyRepository.updateKeyStatus(KeyRepository.java:193)
Apr 12 21:14:22 server[7515]: at 
com.netscape.cmscore.dbs.KeyStatusUpdateTask.run(KeyRepository.java:604)
...

When I restart IPA, I get the following:

Apr 12 21:18:34 server[32159]: CA is started.
Apr 12 21:18:34 server[32159]: SSLAuthenticatorWithFallback: Creating SSL 
authenticator with fallback
Apr 12 21:18:34 server[32159]: SSLAuthenticatorWithFallback: Setting container
Apr 12 21:18:35 server[32159]: SSLAuthenticatorWithFallback: Initializing 
authenticators
Apr 12 21:18:35 server[32159]: SSLAuthenticatorWithFallback: Starting 
authenticators
Apr 12 21:18:35 server[32159]: CMSEngine.initializePasswordStore() begins
Apr 12 21:18:35 server[32159]: CMSEngine.initializePasswordStore(): 
tag=internaldb
Apr 12 21:18:35 server[32159]: testLDAPConnection connecting to 
ipa-1.mydomain.com:636
Apr 12 21:18:35 server[32159]: testLDAPConnection: Invalid Password
Apr 12 21:18:36 server[32159]: testLDAPConnection connecting to 
ipa-1.mydomain.com:636
Apr 12 21:18:36 server[32159]: testLDAPConnection: Invalid Password
Apr 12 21:18:36 server[32159]: testLDAPConnection connecting to 
ipa-1.mydomain.com:636
Apr 12 21:18:36 server[32159]: testLDAPConnection: Invalid Password
Apr 12 21:18:36 server[32159]: CMSEngine: init(): password test execution 
failed: 2
Apr 12 21:18:36 server[32159]: Password test execution failed. Is the database 
up?
Apr 12 21:18:36 server[32159]: Password test execution failed. Is the database 
up?
Apr 12 21:18:36 server[32159]: at 
com.netscape.cmscore.apps.CMSEngine.initializePasswordStore(CMSEngine.java:469)
Apr 12 21:18:36 server[32159]: at 
com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:537)
Apr 12 21:18:36 server[32159]: at 
com.netscape.certsrv.apps.CMS.init(CMS.java:188)
Apr 12 21:18:36 server[32159]: at 
com.netscape.certsrv.apps.CMS.start(CMS.java:1621)
Apr 12 21:18:36 server[32159]: at 
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
Apr 12 21:18:36 server[32159]: at 
javax.servlet.GenericServlet.init(GenericServlet.java:158)
...

If I then try to add or delete a vault, I get the following:

Apr 12 22:19:08 server[32159]: SSLAuthenticatorWithFallback: Authenticate with 
client certificate authentication
Apr 12 22:19:08 server[32159]: java.lang.NullPointerException
Apr 12 22:19:08 server[32159]: at 
com.netscape.cms.realm.PKIRealm.authenticate(PKIRealm.java:114)
Apr 12 22:19:08 server[32159]: at 
com.netscape.cms.tomcat.ProxyRealm.authenticate(ProxyRealm.java:86)
Apr 12 22:19:08 server[32159]: at 
org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:81)
Apr 12 22:19:08 
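As an added example (not part of Ilya's post, and not Dogtag or FreeIPA code), a small Python checker that runs over journal lines of the shape quoted above, maps the LDAP result code in "error result (49)" to its RFC 4511 name, and ties the repeated "testLDAPConnection: Invalid Password" probes to the password-store tag being tested. SAMPLE_LOG is constructed from the posted lines with the wrapped stack lines re-joined.

```python
import re
from collections import Counter

# Constructed sample built from the lines quoted in the post above
# (the hostname and port are the ones posted; nothing here was captured live).
SAMPLE_LOG = """\
Apr 12 21:14:22 server[7515]: Could not connect to LDAP server host ipa-1.mydomain.com port 636 Error netscape.ldap.LDAPException: error result (49)
Apr 12 21:14:22 server[7515]: at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
Apr 12 21:18:35 server[32159]: CMSEngine.initializePasswordStore(): tag=internaldb
Apr 12 21:18:35 server[32159]: testLDAPConnection connecting to ipa-1.mydomain.com:636
Apr 12 21:18:35 server[32159]: testLDAPConnection: Invalid Password
Apr 12 21:18:36 server[32159]: testLDAPConnection: Invalid Password
Apr 12 21:18:36 server[32159]: CMSEngine: init(): password test execution failed: 2
Apr 12 22:19:08 server[32159]: java.lang.NullPointerException
"""

# LDAP result codes (RFC 4511) worth telling apart when reading these logs:
# 49 means the bind DN/password pair was rejected, not a network or TLS fault.
LDAP_RESULT_NAMES = {
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    52: "unavailable",
    53: "unwillingToPerform",
}

CONNECT_RE = re.compile(
    r"Could not connect to LDAP server host (?P<host>\S+) port (?P<port>\d+) "
    r"Error .*error result \((?P<code>\d+)\)"
)
TAG_RE = re.compile(r"initializePasswordStore\(\): tag=(?P<tag>\w+)")
INVALID_PW_RE = re.compile(r"testLDAPConnection: Invalid Password")


def analyse(log_text):
    """Summarise LDAP bind failures in pki-tomcat journal output.

    Returns per-target result-code counts, the password-store tags that
    were being tested, and the number of explicit 'Invalid Password' probes.
    """
    by_target = {}
    tags = []
    invalid_pw = 0
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            target = "%s:%s" % (m.group("host"), m.group("port"))
            by_target.setdefault(target, Counter())[int(m.group("code"))] += 1
            continue
        m = TAG_RE.search(line)
        if m:
            tags.append(m.group("tag"))
            continue
        if INVALID_PW_RE.search(line):
            invalid_pw += 1
    return {"by_target": by_target, "tags": tags, "invalid_password": invalid_pw}


def diagnose(summary):
    """Turn the summary into findings a practitioner can act on."""
    findings = []
    for target, codes in summary["by_target"].items():
        for code, n in sorted(codes.items()):
            name = LDAP_RESULT_NAMES.get(code, "unknown")
            findings.append("%s: %d bind failure(s) with result %d (%s)"
                            % (target, n, code, name))
    if summary["invalid_password"] and "internaldb" in summary["tags"]:
        # The directory rejected the password stored under the 'internaldb'
        # tag, so the stored bind credential and the LDAP account no longer
        # agree; a credential change is the first thing to rule out.
        findings.append("password store tag 'internaldb' rejected by the "
                        "directory: stored bind password does not match the "
                        "LDAP account; rule out a recent bind/Directory "
                        "Manager password change before suspecting the network")
    return findings
```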

[Freeipa-users] DM Password Change & Password Storage

2017-04-12 Thread Jeremy Utley
Hello all!  We've got 2 replicated instances of FreeIPA 4.4.0 from the EPEL
repository running on fully-updated CentOS 7 instances.  We're going thru
an audit right now, and I have to provide some proof of certain things
related to IPA to our auditors.  Unfortunately, the person who originally
set these up evidently did not document the Directory Manager password in
our docs, so I was forced to reset this password, using the process at:

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

This was successful, and I can now bind to the DS with the new password.
I'm now trying to follow the steps at:

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

A few things are rather confusing to me.  I've tried Google searching
without much luck either.  So hopefully you guys can answer a few questions
for me.

1) First off, the doc says:

The following procedure is only applicable to FreeIPA 3.2.1 or older. Since
FreeIPA 3.2.2 (and ticket #3594
), the procedure is automated
as a part of preparing a replica info file by using ipa-replica-prepare

So do I even need to perform these steps at all, considering I'm well
beyond 3.2.2.  We don't have any intention of running ipa-replica-prepare
for the foreseeable future (we shouldn't ever need to add a third directory
server here).

2) The first step (Update LDAP bind password) seems to indicate you're
adding the new password in clear-text to the password.conf file - this
seems like a major security issue.  Am I misunderstanding what is being
requested here?  The old password is not in this file (all my current file
has is lines for "internal" and "replicationdb").

3) The next step regenerates the cacert.p12 file, but seems to do nothing
with it, just leaves it sitting in /root - what should be done with this
file afterward?

Thanks for any help you can give!

Jeremy Utley
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
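As an added example (not part of Jeremy's post or of the FreeIPA howto), a Python audit of a Dogtag-style password.conf, the cleartext tag=value file the second question is about: it checks file mode and owner and reports which tags are present without printing any values. The tags "internal" and "replicationdb" are the ones Jeremy lists, and "internaldb" is the LDAP bind tag the KRA thread above shows Dogtag testing; EXPECTED_TAGS is an assumption for other deployments, and the demo writes a constructed file with placeholder values.

```python
import os
import stat
import tempfile

# Tags this page's threads mention; adjust for your deployment (assumption).
EXPECTED_TAGS = ("internal", "internaldb", "replicationdb")


def parse_password_conf(text):
    """Parse tag=value lines; a value may itself contain '=', so split once."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition("=")
        if sep:
            entries[tag.strip()] = value
    return entries


def audit_password_conf(path, owner_uid=None):
    """Report findings about a password.conf file without revealing values."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    # A cleartext secret store must not be group- or world-accessible.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o allows group/other access; expected 0600" % mode)
    if owner_uid is not None and st.st_uid != owner_uid:
        findings.append("owned by uid %d, expected uid %d" % (st.st_uid, owner_uid))
    with open(path) as fh:
        entries = parse_password_conf(fh.read())
    for tag in EXPECTED_TAGS:
        if tag not in entries:
            findings.append("tag '%s' missing" % tag)
        elif not entries[tag]:
            findings.append("tag '%s' is empty" % tag)
    return findings


def demo():
    """Write a constructed password.conf with placeholders and audit it.

    The file deliberately lacks the 'internaldb' tag and is made world
    readable, so both defects show up in the findings.
    """
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("internal=PLACEHOLDER_NSSDB_PW\n"
                 "replicationdb=PLACEHOLDER_REPL_PW\n")
        path = fh.name
    os.chmod(path, 0o644)
    try:
        return audit_password_conf(path, owner_uid=os.getuid())
    finally:
        os.unlink(path)
```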

[Freeipa-users] User policies

2017-04-12 Thread Michael Rainey (Contractor)

Greetings,

I have a question about user policies which I hope some can provide some 
guidance.  I have a small set of users who are tightly restricted on our 
network.  They are only allowed to log into certain machines, and mount 
specific filesystems located on other machines.  At the moment we have 
these systems locked down through a combination of local system 
accounts, and static mounts in fstab.


I have setup a few test accounts, created an HBAC Rule, and a custom 
automount map for each account.  Is this the best way to achieve this?  
Is there a way to create a policy to restrict users to specific 
filesystems?  In my ideal world, it would be great to have the 
restricted user to login, have the restrictions applied, then have a 
non-restricted user log onto the same machine, and still have access as 
they would on another machine.


So, what are your thoughts?

--
*Michael Rainey*
Network Representative


Re: [Freeipa-users] Problem automounting home shares

2017-04-12 Thread Jason B. Nance
Hi Ronald,

> Some details regarding my setup: I have a CentOS 7.3 machine acting as
> an NFS server. It is a host within my IPA domain and enrolled as an IPA
> client.
> 
> [root@ipanfs ~]# cat /etc/exports
> 
> /homeshare  *(rw,sec=krb5:krb5i:krb5p)

This isn't related to your issue but you have your exports setup as if you're 
using NFSv3.  They will still work, of course, but you aren't taking advantage 
of the pseudo filesystem.  For example, you could have something such as:

/etc/exports:

/export *(rw,sync,crossmnt,no_subtree_check,sec=krb5:krb5i:krb5p,fsid=0)

Then:

mkdir -p /export/homeshare
mount -o bind /homeshare /export/homeshare

(or even /home if you have autofs disabled on your NFS server)

It may be worth some Googling to see if you care about the benefits, but again, 
it isn't why you are having issues.

> I defined a automount location called ipauserhome. In this location I
> have a map called auto.home with this content:
> 
> * -fstype=nfs4,rw,sec=krb5 ipanfs.linux.oebb.at:/homeshare/&
> 
> On an ipa client I just did "ipa-client-automount
> --location=ipauserhome" and "authconfig --enablemkhomedir --update".

You cannot use indirect mounting and enablemkhomedir at the same time.  
Indirect mounts require that the directory you are attempting to mount already 
exists on the NFS server and that you let autofs fully manage the "parent" 
directory on the client machine.  In this case, no one other than autofs can 
create directories in the top-level of /home on your clients (/home/ is a 
different story).

So you either need to pre-create the home directories on your NFS server 
(including ownership, permissions, and any "skel" stuff you want in there like 
a default .bashrc) or you need to direct mount /home altogether and lose the 
benefits of indirect mounting (which may not matter to you).

> but for some reason it works not as expected. SELinux is set to
> permissive on both NFS server and the ipa client. Nevertheless, I get a
> suspicious message in /var/log/messages:

In permissive mode SELinux messages are still displayed in the logs but not 
enforced.  This allows you to troubleshoot SELinux-related issues.

To use NFS home directories with NFS you need to run the following on the 
client systems:

setsebool -P use_nfs_home_dirs on

Regards,

j

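As an added example (not part of Jason's reply), a Python audit of /etc/exports content in the form used above: it flags the points the reply makes (no fsid=0 pseudo-root, a pseudo-root without crossmnt) and adds the checks a defender would want, namely exports whose sec= list permits a non-Kerberos flavour (or omits sec=, which defaults to sys) and exports with no_root_squash. SAMPLE_EXPORTS is constructed from the two export lines in the thread.

```python
import re

# Constructed sample: the original /homeshare line and the NFSv4 pseudo-root
# suggested instead, as they appear in the thread.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/homeshare  *(rw,sec=krb5:krb5i:krb5p)
/export *(rw,sync,crossmnt,no_subtree_check,sec=krb5:krb5i:krb5p,fsid=0)
"""

STRONG_SEC = {"krb5", "krb5i", "krb5p"}


def parse_exports(text):
    """Parse exports lines into (path, client, options) tuples.

    Options come from the parenthesised list after each client; flags without
    a value map to True. Comments, blank lines and clients without an option
    list are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        for client, opts in re.findall(r"(\S+?)\(([^)]*)\)", rest):
            options = {}
            for opt in filter(None, opts.split(",")):
                key, _, value = opt.partition("=")
                options[key] = value if value else True
            entries.append((path, client, options))
    return entries


def audit_exports(text):
    """Return a list of findings for the given exports file content."""
    entries = parse_exports(text)
    findings = []
    # NFSv4 clients mount below the pseudo-root; without fsid=0 the server
    # exports the real paths, which is the NFSv3-style layout in the post.
    if not any(o.get("fsid") == "0" for _, _, o in entries):
        findings.append("no NFSv4 pseudo-root export (fsid=0) defined")
    for path, client, o in entries:
        sec = o.get("sec")
        # exportfs defaults to sec=sys when the option is absent: no Kerberos.
        flavors = set(sec.split(":")) if isinstance(sec, str) else {"sys"}
        weak = flavors - STRONG_SEC
        if weak:
            findings.append("%s to %s permits non-Kerberos flavour(s): %s"
                            % (path, client, ",".join(sorted(weak))))
        if o.get("no_root_squash"):
            findings.append("%s to %s disables root squashing" % (path, client))
        if o.get("fsid") == "0" and not o.get("crossmnt"):
            # Bind mounts below the pseudo-root are invisible to clients
            # unless crossmnt is set or each one gets its own export line.
            findings.append("%s is the pseudo-root but lacks crossmnt" % path)
    return findings
```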


Re: [Freeipa-users] Problem automounting home shares

2017-04-12 Thread Jason B. Nance
>> You cannot use indirect mounting and enablemkhomedir at the same time.  
>> Indirect
>> mounts require that the directory you are attempting to mount already exists 
>> on
>> the NFS server and that you let autofs fully manage the "parent" directory on
>> the client machine.  In this case, no one other than autofs can create
>> directories in the top-level of /home on your clients (/home/ is a
>> different story).
>>
>> So you either need to pre-create the home directories on your NFS server
>> (including ownership, permissions, and any "skel" stuff you want in there 
>> like
>> a default .bashrc) or you need to direct mount /home altogether and lose the
>> benefits of indirect mounting (which may not matter to you).
>> [...]
> 
> So this means I can either use /home mounted as NFS share conventionally
> (without autofs) in combination with mkhomedir or use autofs magic with
> pre-created directories.

You can still use autofs and mkhomedir, just use a direct mount for /home 
instead of indirect mounts.  In other words, mount "/home" entirely vs. 
"/home/" individually.

Regards,

j



Re: [Freeipa-users] Problem automounting home shares

2017-04-12 Thread Ronald Wimmer

On 2017-04-12 14:55, Jason B. Nance wrote:

> [...]
> You cannot use indirect mounting and enablemkhomedir at the same time.  Indirect mounts require 
> that the directory you are attempting to mount already exists on the NFS server and that you 
> let autofs fully manage the "parent" directory on the client machine.  In this case, 
> no one other than autofs can create directories in the top-level of /home on your clients 
> (/home/ is a different story).
> 
> So you either need to pre-create the home directories on your NFS server (including 
> ownership, permissions, and any "skel" stuff you want in there like a default 
> .bashrc) or you need to direct mount /home altogether and lose the benefits of indirect 
> mounting (which may not matter to you).
> [...]


So this means I can either use /home mounted as NFS share conventionally 
(without autofs) in combination with mkhomedir or use autofs magic with 
pre-created directories.


As my users come from AD I do not even know which directories would have 
to be created in advance. So I will have to go for option 1.




[Freeipa-users] ipa-adtrust-install failing at samba restart

2017-04-12 Thread SOLER SANGUESA Miguel
Hello,

I have the same error, can you explain how you fixed it, please?

Thanks & Regards.

Re: [Freeipa-users] 'NoneType' object is not iterable when removing broken ipa-server replica

2017-04-12 Thread Jake
Rob,

IPA Version:
rpm -qa ipa-server
ipa-server-4.4.0-14.el7.centos.1.1.x86_64

Contents of httpd/error_log

[Wed Apr 12 08:53:21.442283 2017] [:error] [pid 19175] ipa: ERROR: non-public: 
TypeError: 'NoneType' object is not iterable
[Wed Apr 12 08:53:21.442318 2017] [:error] [pid 19175] Traceback (most recent 
call last):
[Wed Apr 12 08:53:21.442321 2017] [:error] [pid 19175]   File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in 
wsgi_execute
[Wed Apr 12 08:53:21.442323 2017] [:error] [pid 19175] result = 
command(*args, **options)
[Wed Apr 12 08:53:21.442325 2017] [:error] [pid 19175]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Wed Apr 12 08:53:21.442327 2017] [:error] [pid 19175] return 
self.__do_call(*args, **options)
[Wed Apr 12 08:53:21.442329 2017] [:error] [pid 19175]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
[Wed Apr 12 08:53:21.442331 2017] [:error] [pid 19175] ret = 
self.run(*args, **options)
[Wed Apr 12 08:53:21.442332 2017] [:error] [pid 19175]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Wed Apr 12 08:53:21.442334 2017] [:error] [pid 19175] return 
self.execute(*args, **options)
[Wed Apr 12 08:53:21.442335 2017] [:error] [pid 19175]   File 
"/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1571, in 
execute
[Wed Apr 12 08:53:21.442337 2017] [:error] [pid 19175] delete_entry(pkey)
[Wed Apr 12 08:53:21.442339 2017] [:error] [pid 19175]   File 
"/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1524, in 
delete_entry
[Wed Apr 12 08:53:21.442340 2017] [:error] [pid 19175] dn = callback(self, 
ldap, dn, *nkeys, **options)
[Wed Apr 12 08:53:21.442342 2017] [:error] [pid 19175]   File 
"/usr/lib/python2.7/site-packages/ipaserver/plugins/server.py", line 692, in 
pre_callback
[Wed Apr 12 08:53:21.442344 2017] [:error] [pid 19175] self.api)
[Wed Apr 12 08:53:21.442345 2017] [:error] [pid 19175]   File 
"/usr/lib/python2.7/site-packages/ipaserver/topology.py", line 136, in __init__
[Wed Apr 12 08:53:21.442357 2017] [:error] [pid 19175] self.graphs = 
_create_topology_graphs(self.api)
[Wed Apr 12 08:53:21.442359 2017] [:error] [pid 19175]   File 
"/usr/lib/python2.7/site-packages/ipaserver/topology.py", line 100, in 
_create_topology_graphs
[Wed Apr 12 08:53:21.442360 2017] [:error] [pid 19175] suffix_to_masters = 
map_masters_to_suffixes(masters)
[Wed Apr 12 08:53:21.442362 2017] [:error] [pid 19175]   File 
"/usr/lib/python2.7/site-packages/ipaserver/topology.py", line 83, in 
map_masters_to_suffixes
[Wed Apr 12 08:53:21.442363 2017] [:error] [pid 19175] for suffix_name in 
managed_suffixes:
[Wed Apr 12 08:53:21.442365 2017] [:error] [pid 19175] TypeError: 'NoneType' 
object is not iterable

[Wed Apr 12 08:53:23.078960 2017] [:error] [pid 19176] ipa: ERROR: non-public: 
TypeError: 'NoneType' object is not iterable
[Wed Apr 12 08:53:23.078993 2017] [:error] [pid 19176] Traceback (most recent 
call last):
[Wed Apr 12 08:53:23.078997 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in 
wsgi_execute
[Wed Apr 12 08:53:23.079000 2017] [:error] [pid 19176] result = 
command(*args, **options)
[Wed Apr 12 08:53:23.079003 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Wed Apr 12 08:53:23.079006 2017] [:error] [pid 19176] return 
self.__do_call(*args, **options)
[Wed Apr 12 08:53:23.079008 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
[Wed Apr 12 08:53:23.079011 2017] [:error] [pid 19176] ret = 
self.run(*args, **options)
[Wed Apr 12 08:53:23.079013 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Wed Apr 12 08:53:23.079016 2017] [:error] [pid 19176] return 
self.execute(*args, **options)
[Wed Apr 12 08:53:23.079019 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1571, in 
execute
[Wed Apr 12 08:53:23.079021 2017] [:error] [pid 19176] delete_entry(pkey)
[Wed Apr 12 08:53:23.079024 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1524, in 
delete_entry
[Wed Apr 12 08:53:23.079026 2017] [:error] [pid 19176] dn = callback(self, 
ldap, dn, *nkeys, **options)
[Wed Apr 12 08:53:23.079029 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipaserver/plugins/server.py", line 692, in 
pre_callback
[Wed Apr 12 08:53:23.079032 2017] [:error] [pid 19176] self.api)
[Wed Apr 12 08:53:23.079034 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipaserver/topology.py", line 136, in __init__
[Wed Apr 12 08:53:23.079037 2017] [:error] [pid 19176] self.graphs = 

[Freeipa-users] bind-dyndb-ldap replication errors

2017-04-12 Thread Brendan Kearney

list members,

i am using bind-dyndb-ldap without freeipa, and i consistently get the 
below errors in my logs:


update_zone (syncrepl) failed for master zone DN 
'idnsName=24.168.192.in-addr.arpa.,cn=dns,ou=Daemons,dc=bpk2,dc=com'. 
Zones can be outdated, run `rndc reload`: unexpected error


the zone that has issue varies, but it is always a zone that allows 
dynamic updates.  it seems that some replication event fails and a 
manual resync of things has to be performed.  any ideas what might be 
going on?


fedora 24, with nearly all recent updates
bind-9.10.4-3.P6.fc24.x86_64
bind-dyndb-ldap-10.1-1.fc24.x86_64
openldap-2.4.44-1.fc24.x86_64

i have multi master replication configured between 2 masters, and no 
other replication events seem to fail.  i am not sure where to look for 
issues.


named.conf:
dynamic-db "bpk2.com" {
library "ldap.so";
arg "uri ldap://192.168.88.1";
arg "base cn=dns,ou=Daemons,dc=bpk2,dc=com";


arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_realm BPK2.COM";
arg "krb5_keytab FILE:/etc/named.keytab";
arg "krb5_principal DNS/server1.bpk2.com";
arg "ldap_hostname server1.bpk2.com";

arg "fake_mname dns.bpk2.com.";
arg "dyn_update yes";
arg "connections 2";
};

zone config:
dn: idnsName=24.168.192.in-addr.arpa.,cn=dns,ou=Daemons,dc=bpk2,dc=com
dnsttl: 3600
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowsyncptr: TRUE
idnsname: 24.168.192.in-addr.arpa.
idnssoaexpire: 604800
idnssoaminimum: 86400
idnssoamname: dns.bpk2.com.
idnssoarefresh: 10800
idnssoaretry: 900
idnssoarname: root.bpk2.com.
idnssoaserial: 1491999811
idnsupdatepolicy: grant dhcp wildcard * any;
idnszoneactive: TRUE
nsrecord: dns.bpk2.com.
objectclass: top
objectclass: idnsZone
objectclass: idnsRecord

any help would be appreciated.

thanks,

brendan



Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-12 Thread Johan Vermeulen
Hello Rob,

doing it this way indeed works.
Thanks for helping me out.

Greetings, J.

2017-04-11 16:54 GMT+02:00 Rob Crittenden :

> Johan Vermeulen wrote:
> > Rob,
> >
> > thanks for helping me out.
> > I support some 80 laptop users at the moment, all running Centos7.
> > The users are now in ldap, the laptops ( hosts) are not. I'm testing the
> > ability to add the laptops as hosts.
> >
> > Under "identity - hosts", when selecting a host, I go to "actions". The
> > only way I see to disable ( block) a host, what I would do when
> > a laptop is stolen for instance, is unprovision.
> > I then tried to re-provision it, I see no "provision" option. I tried to
> > "rebuild auto membership" and " new certificate" but that doesn't seem
> > to work.
> > I hope I'm making sense.
>
> In the case of a lost or stolen laptop then disabling the host seems
> like a good mechanism. It will revoke any certificates issued for the
> host and invalidate its keytab.
>
> Provisioning happens when ipa-client-install is run on the host [1].
> There is no facility for remote provisioning.
>
> rob
>
> [1] technically a host is provisioned when it has a keytab but this
> doesn't configure that host to actually use it and you potentially need
> to safely transfer this keytab to the host.
>

[Freeipa-users] Problem automounting home shares

2017-04-12 Thread Ronald Wimmer

Hi,

I am trying to automount user home shares from an NFS server. Up to now, 
without success.


Some details regarding my setup: I have a CentOS 7.3 machine acting as 
an NFS server. It is a host within my IPA domain and enrolled as an IPA 
client.


[root@ipanfs ~]# cat /etc/exports

/homeshare  *(rw,sec=krb5:krb5i:krb5p)


I followed this guide 
https://blog.delouw.ch/2015/03/14/using-ipa-to-provide-automount-maps-for-nfsv4-home-directories/


I defined a automount location called ipauserhome. In this location I 
have a map called auto.home with this content:


* -fstype=nfs4,rw,sec=krb5 ipanfs.linux.oebb.at:/homeshare/&

On an ipa client I just did "ipa-client-automount 
--location=ipauserhome" and "authconfig --enablemkhomedir --update".


When I login on the ipa client I get the error message "Could not chdir 
to home directory [...] No such file or directory.".


I see that home is mounted on the client

auto.home on /home type autofs 
(rw,relatime,fd=12,pgrp=1079,timeout=300,minproto=5,maxproto=5,indirect)


[root@testclient ~]# ls -alh /home

total 4,0K

drwxr-xr-x.  2 root root    0 12. Apr 10:22 .

dr-xr-xr-x. 17 root root 4,0K 11. Apr 17:52 ..


but for some reason it works not as expected. SELinux is set to 
permissive on both NFS server and the ipa client. Nevertheless, I get a 
suspicious message in /var/log/messages:


Apr 12 10:22:48 testclient dbus[804]: [system] Successfully activated 
service 'org.fedoraproject.Setroubleshootd'


Apr 12 10:22:48 testclient dbus-daemon: dbus[804]: [system] Successfully 
activated service 'org.fedoraproject.Setroubleshootd'


Apr 12 10:22:49 testclient setroubleshoot: SELinux is preventing 
/usr/libexec/oddjob/mkhomedir from write access on the directory /. For 
complete SELinux messages. run sealert -l 
76dd44bd-9ba6-4bf3-ba75-72834533cb0e


Apr 12 10:22:49 testclient python: SELinux is preventing 
/usr/libexec/oddjob/mkhomedir from write access on the directory 
/.#012#012*  Plugin catchall (100. confidence) suggests 
**#012#012If you believe that mkhomedir should 
be allowed write access on the  directory by default.#012Then you should 
report this as a bug.#012You can generate a local policy module to allow 
this access.#012Do#012allow this access for now by executing:#012# 
ausearch -c 'mkhomedir' --raw | audit2allow -M my-mkhomedir#012# 
semodule -i my-mkhomedir.pp#012


Apr 12 10:22:49 testclient setroubleshoot: SELinux is preventing 
/usr/libexec/oddjob/mkhomedir from write access on the directory /. For 
complete SELinux messages. run sealert -l 
76dd44bd-9ba6-4bf3-ba75-72834533cb0e


Apr 12 10:22:49 testclient python: SELinux is preventing 
/usr/libexec/oddjob/mkhomedir from write access on the directory 
/.#012#012*  Plugin catchall (100. confidence) suggests 
**#012#012If you believe that mkhomedir should 
be allowed write access on the  directory by default.#012Then you should 
report this as a bug.#012You can generate a local policy module to allow 
this access.#012Do#012allow this access for now by executing:#012# 
ausearch -c 'mkhomedir' --raw | audit2allow -M my-mkhomedir#012# 
semodule -i my-mkhomedir.pp#012


Apr 12 10:22:49 testclient setroubleshoot: SELinux is preventing 
/usr/libexec/oddjob/mkhomedir from write access on the directory /. For 
complete SELinux messages. run sealert -l 
76dd44bd-9ba6-4bf3-ba75-72834533cb0e


Apr 12 10:22:49 testclient python: SELinux is preventing 
/usr/libexec/oddjob/mkhomedir from write access on the directory 
/.#012#012*  Plugin catchall (100. confidence) suggests 
**#012#012If you believe that mkhomedir should 
be allowed write access on the  directory by default.#012Then you should 
report this as a bug.#012You can generate a local policy module to allow 
this access.#012Do#012allow this access for now by executing:#012# 
ausearch -c 'mkhomedir' --raw | audit2allow -M my-mkhomedir#012# 
semodule -i my-mkhomedir.pp#012


Apr 12 10:23:51 testclient automount[1079]: st_expire: state 1 path /home

Apr 12 10:23:51 testclient automount[1079]: expire_proc: exp_proc = 
139761696524032 path /home


Apr 12 10:23:51 testclient automount[1079]: expire_cleanup: got thid 
139761696524032 path /home stat 0


Apr 12 10:23:51 testclient automount[1079]: expire_cleanup: sigchld: exp 
139761696524032 finished, switching from 2 to 1


Apr 12 10:23:51 testclient automount[1079]: st_ready: st_ready(): state 
= 2 path /home


Apr 12 10:25:06 testclient automount[1079]: st_expire: state 1 path /home

Where to look next?

Regards,
Ronald



Re: [Freeipa-users] ldap.conf

2017-04-12 Thread Jakub Hrozek
On Wed, Apr 12, 2017 at 09:47:06AM +0200, Jakub Hrozek wrote:
> You can drop this line as well, it's the default for the AD provider.
s/AD/IPA/



Re: [Freeipa-users] ldap.conf

2017-04-12 Thread Jakub Hrozek
On Wed, Apr 12, 2017 at 09:30:38AM +0200, Christoph Kaminski wrote:
> Hi
> 
> are the files /etc/ldap.conf and /etc/openldap/ldap.conf for ipa client 
> and/or server systems necessary? What is the function of them?

They configure the openldap library. If you have an application (like
ldapsearch) that links against libldap, it reads the config from these
files. That's the same as libkrb5 and /etc/krb5.conf btw.



Re: [Freeipa-users] ldap.conf

2017-04-12 Thread Jakub Hrozek
On Wed, Apr 12, 2017 at 09:34:59AM +0200, Christoph Kaminski wrote:
> Hi
> 
> is this ok as config for sssd on centos 7 AND 6?
> 
> [domain/hso]
> cache_credentials = True
> krb5_store_password_if_offline = True
> id_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt

You can drop this line as well, it's the default for the AD provider.

> 
> [sssd]
> services = nss, pam, ssh, sudo, autofs
> config_file_version = 2
> domains = hso
> 
> [nss]
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> I mean it works but would I get any problems with it?

No, the configs are supposed to be minimal.

You can even drop the empty service sections like [nss].



[Freeipa-users] minimal sssd config

2017-04-12 Thread Christoph Kaminski
Hi

is this ok as config for sssd on centos 7 AND 6?

[domain/hso]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh, sudo, autofs
config_file_version = 2
domains = hso

[nss]

[pam]

[sudo]

[autofs]

[ssh]

I mean it works but would I get any problems with it?

Greetz
Christoph Kaminski


[Freeipa-users] ldap.conf

2017-04-12 Thread Christoph Kaminski
Hi

is this ok as config for sssd on centos 7 AND 6?

[domain/hso]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh, sudo, autofs
config_file_version = 2
domains = hso

[nss]

[pam]

[sudo]

[autofs]

[ssh]

I mean it works but would I get any problems with it?

Greetz
Christoph Kaminski


[Freeipa-users] ldap.conf

2017-04-12 Thread Christoph Kaminski
Hi

are the files /etc/ldap.conf and /etc/openldap/ldap.conf for ipa client 
and/or server systems necessary? What is the function of them?

Greetz
Christoph Kaminski


Re: [Freeipa-users] SSH access to only specific hosts using ssh keys

2017-04-12 Thread Jakub Hrozek
On Tue, Apr 11, 2017 at 10:50:34PM -0400, Tym Rehm wrote:
> So I want a user "bob" to ssh into server1 as the username of "support"
> with support@server1, but not let Bob ssh into support@server2. I have
> Bob's ssh public key added to the support user. I can block Bob from
> server1 or server2 with HBAC, but I have to add support to both servers and
> since Bob's keys are added to Support. The support account is able to ssh
> into both servers.

Yeah, I think id views could help here, but I haven't tested it myself.

> 
> I've looked into ID view, but I'm having troubles find a good document on
> how to setup ID views.

Does this help?

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/id-views.html
