Re: [Freeipa-users] Add user - custom script
On Fri, 16 Sep 2011, Dmitri Pal wrote:
> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>> Hi,
>>>> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
>>> Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?
>> I'm doing a SSH login on to a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there? We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.

Attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:

ipa_user_script=/path/to/script

then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. Result of the call is ignored but return from IPA server is blocked by the execution so be quick in ipa_user_script!

-- 
/ Alexander Bokovoy

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 92a026d..b8631e3 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -25,6 +25,7 @@ from ipalib.request import context from time import gmtime, strftime import copy from ipalib import _, ngettext +from ipapython import ipautil __doc__ = _( Users @@ -413,6 +414,12 @@ class user_add(LDAPCreate): entry_from_entry(entry_attrs, newentry) self.obj.get_password_attributes(ldap, dn, entry_attrs) +# If there is a ipa_user_script set in configuration, call it out +if 'ipa_user_script' in self.api.env: +try: +ipautil.run(self.api.env.ipa_user_script,[add, dn]) +except: +pass return dn api.register(user_add) @@ -424,6 +431,12 @@ class user_del(LDAPDelete): msg_summary = _('Deleted user %(value)s') def post_callback(self, ldap, dn, *keys, **options): +# If there is a ipa_user_script set in configuration, call it out +if 'ipa_user_script' in self.api.env: +try: +ipautil.run(self.api.env.ipa_user_script,[del, dn]) +except: +pass return True api.register(user_del) @@ -446,6 +459,12 @@ class user_mod(LDAPUpdate): convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) self.obj.get_password_attributes(ldap, dn, entry_attrs) +# If there is a ipa_user_script set in configuration, call it out +if 'ipa_user_script' in self.api.env: +try: +ipautil.run(self.api.env.ipa_user_script,[mod, dn]) +except: +pass return dn api.register(user_mod) ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
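Review bot: in the user_add hunk, `ipautil.run(self.api.env.ipa_user_script,[add, dn])` passes the bare name `add`, which is not defined in post_callback and raises NameError; the cover text says the script receives add/del/mod as its first argument, so this should be the string `'add'`. The surrounding bare `except: pass` then swallows that NameError together with every other failure (script missing, not executable, non-zero exit), so the hook would silently never fire and nobody would notice; catch the concrete exceptions run() can raise and log them, so a failing hook is visible in the server log. Note also that `dn` originates from the API request, so the script must treat its second argument as untrusted input.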
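Review bot: in the user_del hunk, `[del, dn]` is a syntax error because `del` is a Python keyword, so the whole user.py module fails to import and every user command stops working, not just the hook. Use the string `'del'` here, and, as in the other hunks, replace the bare `except: pass` with handling of the specific exceptions plus a log line.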
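Review bot: in the user_mod hunk, `[mod, dn]` has the same undefined-name problem and needs the string `'mod'`. Two design points the cover text already hints at: the script is run synchronously inside post_callback with no timeout, so a slow or hung script blocks the API request (and the Apache worker serving it), and because these callbacks live in the ipalib command framework they only see changes made through the IPA API; entries written directly into the directory by the winsync plugin, which the original request mentions, never pass through user_add/user_del/user_mod and will not trigger the hook.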
Re: [Freeipa-users] Add user - custom script
On Fri, 2011-09-16 at 11:29 +0300, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
>>>> Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?
>>> I'm doing a SSH login on to a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
>> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there? We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
> Attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
> ipa_user_script=/path/to/script
> then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. Result of the call is ignored but return from IPA server is blocked by the execution so be quick in ipa_user_script!

As a proof of concept sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require manual synchronization to all others, or users created from one server will trigger something while users created through another will trigger something else.

Also the issue is that this script is run as the apache user so you'd have to give that user access as root (passwordless private ssh key? brrr).

For things like this I think we should provide a more sophisticated mechanism in many ways, maybe we should discuss on freeipa-devel.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Add user - custom script
On Fri, 16 Sep 2011, Simo Sorce wrote:
> As a proof of concept sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require manual synchronization to all others, or users created from one server will trigger something while users created through another will trigger something else.
> Also the issue is that this script is run as the apache user so you'd have to give that user access as root (passwordless private ssh key? brrr).
> For things like this I think we should provide a more sophisticated mechanism in many ways, maybe we should discuss on freeipa-devel.

Sure. I only wanted to show how large the amount of work is to hook something in. You can treat my POC as a means to provoke discussion. :)

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Add user - custom script
Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Simo Sorce wrote:
>> As a proof of concept sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require manual synchronization to all others, or users created from one server will trigger something while users created through another will trigger something else.
>> Also the issue is that this script is run as the apache user so you'd have to give that user access as root (passwordless private ssh key? brrr).
>> For things like this I think we should provide a more sophisticated mechanism in many ways, maybe we should discuss on freeipa-devel.
> Sure. I only wanted to show how large the amount of work is to hook something in. You can treat my POC as a means to provoke discussion. :)

Well, ideally we'd integrate this into the baseclasses so any plugin could use it. I'd probably either read the script name out of LDAP or we would require a plugin extension to do it. LDAP is probably lower-hanging fruit.

At one point Nalin suggested using oddjob to do the privilege escalation but I never really followed up.

rob
Re: [Freeipa-users] Windows client logon
I tried that but still cannot successfully log in as an IPA user. The same system can be configured as a Kerberos client (non-IPA) defined in MIT Kerberos, and authenticate against MIT Kerberos. The system uses AES when authenticating to MIT Kerberos so those are the only encryption types I defined manually. In the network trace for this transaction I see the error KRB_AP_ERR_BAD_INTEGRITY (31).

Commands used (different iterations):

ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P   [entering into the main keytab /etc/krb5.keytab]
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P

Log entries:

Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
Re: [Freeipa-users] Windows client logon
On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P   [entering into the main keytab /etc/krb5.keytab]
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P

This is not how it works. You must define all types in one single go. Every time you invoke ipa-getkeytab for a principal you are discarding any previous key in the KDC, and only the last one is available.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
When I do not specify the encryption type it does put them all in in a single go. I just was attempting to eliminate the other types in case that was creating a problem. The system defaults to type x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this.

[root@csp-idm etc]# klist -kte krb5.keytab.sys1
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp (aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (des3-cbc-sha1)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (arcfour-hmac)

On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce s...@redhat.com wrote:
> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P   [entering into the main keytab /etc/krb5.keytab]
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> This is not how it works. You must define all types in one single go. Every time you invoke ipa-getkeytab for a principal you are discarding any previous key in the KDC, and only the last one is available.
> Simo.
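A check for the failure mode Simo describes: each ipa-getkeytab run replaces the principal's keys in the KDC, so a keytab built by several runs carries stale KVNOs and only the last run's enctypes are usable. The script below is an added example, not code from FreeIPA or from anyone in this thread; it parses the text that `klist -kte` prints and flags a principal whose entries span more than one KVNO or whose current KVNO lacks a required enctype. The principal, realm and the two keytab listings are constructed for the example.

```python
"""Verify that a keytab holds every required enctype for a principal at one KVNO.

Retrieve all types in a single ipa-getkeytab run (the -e option takes a
comma-separated list, e.g. -e aes256-cts,aes128-cts), then run this check on
`klist -kte <keytab>` output before relying on the keytab.
"""
import re
from collections import defaultdict

# One klist -kte entry: KVNO, date, time, principal, then "(enctype)".
_ENTRY = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+)\s*\((?P<etype>[^)]+)\)\s*$"
)

# Constructed sample values (not from the thread).
PRINCIPAL = "host/client.example.test@EXAMPLE.TEST"
REQUIRED = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")

# Keytab fetched in one run: all enctypes share KVNO 6.
GOOD_KLIST = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   6 09/16/11 13:40:03 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/client.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   6 09/16/11 13:40:04 host/client.example.test@EXAMPLE.TEST (arcfour-hmac)
"""

# Keytab fetched in two runs, one enctype each: the KVNO 5 key is no longer
# known to the KDC, and KVNO 6 has only aes128.
BAD_KLIST = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   5 09/16/11 13:38:10 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from klist -kte output.

    Header lines ("Keytab name:", column headings, the dashed separator) do not
    match the entry pattern and are skipped.
    """
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            keys[m.group("princ")][int(m.group("kvno"))].add(m.group("etype"))
    return keys


def check_principal(keys, principal, required):
    """Return a list of findings for one principal; empty means the keytab is fine."""
    by_kvno = keys.get(principal)
    if not by_kvno:
        return ["principal %s not present in keytab" % principal]
    findings = []
    if len(by_kvno) > 1:
        # Entries from earlier ipa-getkeytab runs are dead weight: the KDC only
        # holds the latest KVNO, so a client picking an older key will fail.
        findings.append("multiple KVNOs present: %s" % sorted(by_kvno))
    current = max(by_kvno)
    missing = sorted(set(required) - by_kvno[current])
    if missing:
        findings.append("KVNO %d lacks enctypes: %s" % (current, ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_KLIST), ("bad", BAD_KLIST)):
        print(label, check_principal(parse_klist(text), PRINCIPAL, REQUIRED) or "ok")
```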
Re: [Freeipa-users] Add user - custom script
On 09/16/2011 07:35 AM, Dmitri Pal wrote:
> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>> Hi,
>>>> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
>>> Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?
>> I'm doing a SSH login on to a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there? We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.

The filer gets its user account data from the IPA server. The commands I'm running on the filer are to create a personal dataset (filesystem) for the newly created user account, as well as setting the correct ACL for the filesystem. The filer is a ZFS based filer, and the command being used is zfs create. There is no remote API for this command.

However I feel like you have misinterpreted the request. It does not matter to IPA what I'm trying to accomplish with my script. I require a script to be run after a user account has been created (or deleted, or perhaps deleted).

There are plenty of environments where custom scripts are required to run after a new user account is created. In a typical Microsoft AD environment this is often accomplished with additional expensive-to-buy-and-complicated-to-set-up Identity Management suites, so after a user account is created, additional accounts are created in systems such as SAP, Incident Management tool, or any other company specific databases or applications. In the UNIX/Linux environments I've seen, any post-user-creation tasks are accomplished with a script, run by the user management tool after the account has been created.

Hence my request for the option to run a post-user-creation script. :)

Regards,
Siggi
Re: [Freeipa-users] Add user - custom script
On 09/16/2011 01:53 PM, Simo Sorce wrote:
> On Fri, 2011-09-16 at 11:29 +0300, Alexander Bokovoy wrote:
>> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
>>>>> Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?
>>>> I'm doing a SSH login on to a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
>>> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there? We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
>> ipa_user_script=/path/to/script
>> then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. Result of the call is ignored but return from IPA server is blocked by the execution so be quick in ipa_user_script!
> As a proof of concept sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require manual synchronization to all others, or users created from one server will trigger something while users created through another will trigger something else.
> Also the issue is that this script is run as the apache user so you'd have to give that user access as root (passwordless private ssh key? brrr).
> For things like this I think we should provide a more sophisticated mechanism in many ways, maybe we should discuss on freeipa-devel.

I manage my environment with CFengine, so distributing a few patches and files does not bother me. :)

Actually, in my specific case the script does not have to do more than write the username(s) to a file, and CFengine can pick up the file and do the rest of the job for me. No root access required for the apache server. :)

Rgds,
Siggi
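The shape of hook Siggi describes, as an added example (not FreeIPA code and not his script): it takes the calling convention of Alexander's proof of concept (first argument add/del/mod, second the user's DN), validates both, and appends one JSON line to a spool file for a configuration-management agent to consume out of band. The spool path and the DN pattern are assumptions of this example; the point is that the web server user needs nothing beyond append access to that file, so no root and no SSH key ever reach the IPA server.

```python
"""Record a user add/del/mod event for out-of-band processing.

Usage (as the hook): ipa-user-hook.py add 'uid=alice,cn=users,cn=accounts,dc=example,dc=test'
"""
import json
import os
import re
import sys
import time

SPOOL = "/var/spool/ipa-user-events/events.jsonl"  # assumed path for this example
VALID_OPS = ("add", "del", "mod")

# Only DNs of user entries under cn=users,cn=accounts are accepted. The DN
# arrives from the API request, so anything else is rejected rather than
# forwarded to the downstream agent.
_USER_DN = re.compile(
    r"^uid=(?P<uid>[a-z_][a-z0-9_.-]{0,31}),cn=users,cn=accounts(,dc=[a-z0-9-]+)+$",
    re.IGNORECASE,
)


def parse_user_dn(dn):
    """Return the uid from a user DN, or None if the DN is not a plain user entry."""
    m = _USER_DN.match(dn)
    return m.group("uid") if m else None


def build_event(op, dn, now=None):
    """Validate op and dn; return the event dict to spool or raise ValueError."""
    if op not in VALID_OPS:
        raise ValueError("unknown operation %r" % (op,))
    uid = parse_user_dn(dn)
    if uid is None:
        raise ValueError("refusing DN that is not a user entry: %r" % (dn,))
    ts = int(time.time() if now is None else now)
    return {"op": op, "uid": uid, "dn": dn, "ts": ts}


def record_event(op, dn, spool=SPOOL):
    """Append one JSON line to the spool file and return the event written.

    O_APPEND with a single write keeps concurrent hook runs from interleaving
    lines, and mode 0600 keeps a newly created spool private to its owner.
    """
    event = build_event(op, dn)
    line = json.dumps(event, sort_keys=True) + "\n"
    fd = os.open(spool, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        os.write(fd, line.encode("utf-8"))
    finally:
        os.close(fd)
    return event


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s add|del|mod <user dn>\n" % argv[0])
        return 2
    try:
        record_event(argv[1], argv[2])
    except (ValueError, OSError) as exc:
        # Stay fast and non-fatal: the caller blocks on us, so report and exit.
        sys.stderr.write("ipa-user-hook: %s\n" % exc)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```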
Re: [Freeipa-users] Add user - custom script
On 09/16/2011 02:45 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 16 Sep 2011, Simo Sorce wrote:
>>> As a proof of concept sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require manual synchronization to all others, or users created from one server will trigger something while users created through another will trigger something else.
>>> Also the issue is that this script is run as the apache user so you'd have to give that user access as root (passwordless private ssh key? brrr).
>>> For things like this I think we should provide a more sophisticated mechanism in many ways, maybe we should discuss on freeipa-devel.
>> Sure. I only wanted to show how large the amount of work is to hook something in. You can treat my POC as a means to provoke discussion. :)
> Well, ideally we'd integrate this into the baseclasses so any plugin could use it. I'd probably either read the script name out of LDAP or we would require a plugin extension to do it. LDAP is probably lower-hanging fruit.
> At one point Nalin suggested using oddjob to do the privilege escalation but I never really followed up.

Having the variable for what script to run in the LDAP would sure be nice. Just modify Alex's script to read from LDAP instead. Job done. :)

Rgds,
Siggi
Re: [Freeipa-users] Add user - custom script
On 09/16/2011 11:34 AM, Sigbjorn Lie wrote:
> On 09/16/2011 07:35 AM, Dmitri Pal wrote:
>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
>>>> Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?
>>> I'm doing a SSH login on to a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
>> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there? We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
> The filer gets its user account data from the IPA server. The commands I'm running on the filer are to create a personal dataset (filesystem) for the newly created user account, as well as setting the correct ACL for the filesystem. The filer is a ZFS based filer, and the command being used is zfs create. There is no remote API for this command.
> However I feel like you have misinterpreted the request. It does not matter to IPA what I'm trying to accomplish with my script. I require a script to be run after a user account has been created (or deleted, or perhaps deleted).
> There are plenty of environments where custom scripts are required to run after a new user account is created. In a typical Microsoft AD environment this is often accomplished with additional expensive-to-buy-and-complicated-to-set-up Identity Management suites, so after a user account is created, additional accounts are created in systems such as SAP, Incident Management tool, or any other company specific databases or applications. In the UNIX/Linux environments I've seen, any post-user-creation tasks are accomplished with a script, run by the user management tool after the account has been created.
> Hence my request for the option to run a post-user-creation script. :)
> Regards,
> Siggi

What we need to do is to have a way from the DS plugin to send notification messages about record operations and then let services subscribe and consume notifications and do whatever they need in an async way. It might make sense to have an optional QPID broker for that. I will talk to the qpid guys.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Add user - custom script
On 09/16/2011 05:59 PM, Dmitri Pal wrote:
> On 09/16/2011 11:34 AM, Sigbjorn Lie wrote:
>> On 09/16/2011 07:35 AM, Dmitri Pal wrote:
>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
>>>>> Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?
>>>> I'm doing a SSH login on to a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
>>> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there? We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
>> The filer gets its user account data from the IPA server. The commands I'm running on the filer are to create a personal dataset (filesystem) for the newly created user account, as well as setting the correct ACL for the filesystem. The filer is a ZFS based filer, and the command being used is zfs create. There is no remote API for this command.
>> However I feel like you have misinterpreted the request. It does not matter to IPA what I'm trying to accomplish with my script. I require a script to be run after a user account has been created (or deleted, or perhaps deleted).
>> There are plenty of environments where custom scripts are required to run after a new user account is created. In a typical Microsoft AD environment this is often accomplished with additional expensive-to-buy-and-complicated-to-set-up Identity Management suites, so after a user account is created, additional accounts are created in systems such as SAP, Incident Management tool, or any other company specific databases or applications. In the UNIX/Linux environments I've seen, any post-user-creation tasks are accomplished with a script, run by the user management tool after the account has been created.
>> Hence my request for the option to run a post-user-creation script. :)
>> Regards,
>> Siggi
> What we need to do is to have a way from the DS plugin to send notification messages about record operations and then let services subscribe and consume notifications and do whatever they need in an async way. It might make sense to have an optional QPID broker for that. I will talk to the qpid guys.

Sounds even better! Much more secure! Thanks! :)
Re: [Freeipa-users] Debian clients?
On Fri, 2011-09-16 at 15:19 +, Johan Sunnerstig wrote:
> Hello.
> I'm wondering if anyone has used FreeIPA with Debian clients, and if so, what client software you opted to use? Right now I have nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb software that's included in Debian 6 working decently. By that I mean I can use it to allow logins as expected, but so far I haven't worked out allowing or disallowing login based on group membership.
> Obviously the best solution would be a real IPA client, but has anyone attempted this? I mucked around a bit with the SSSD included in the Debian repos (1.2.1) but didn't get it to work. Though in all fairness I didn't try THAT hard since it seems like SSSD has evolved quite a bit since 1.2.1. Is the SSSD route worthwhile?

SSSD is certainly the preferred client as it has many, many useful features others lack, including simplified configuration in an ipa-specific backend. But 1.2.1 is too old.

> I really just need group based logins, sudo controls I can handle based on groups with Puppet, but again, if the real client route isn't too much work that's of course preferable.
> I hope this makes sense, late friday and I have a horrible headache, so if it doesn't I apologize in advance. :)

There is some work being done to make ipa-client-install more cross platform, and we also have some contrib scripts, but we do not have a complete ipa-client-install script for debian based distributions yet. So you'll have to manually (or script) configure all components for now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Debian clients?
On 09/16/2011 05:19 PM, Johan Sunnerstig wrote:
> Hello.
> I'm wondering if anyone has used FreeIPA with Debian clients, and if so, what client software you opted to use? Right now I have nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb software that's included in Debian 6 working decently. By that I mean I can use it to allow logins as expected, but so far I haven't worked out allowing or disallowing login based on group membership.
> Obviously the best solution would be a real IPA client, but has anyone attempted this? I mucked around a bit with the SSSD included in the Debian repos (1.2.1) but didn't get it to work. Though in all fairness I didn't try THAT hard since it seems like SSSD has evolved quite a bit since 1.2.1. Is the SSSD route worthwhile?
> I really just need group based logins, sudo controls I can handle based on groups with Puppet, but again, if the real client route isn't too much work that's of course preferable.
> I hope this makes sense, late friday and I have a horrible headache, so if it doesn't I apologize in advance. :)

Hi Johan,

I'm using Ubuntu with FreeIPA. I'm not using the ldapd as I've found it unreliable. I'm using the libnss-ldap and manually configured kerberos. ldapd does not support nested groups last I checked, that's a downside too.

It's not perfect, sssd would have been better, but it works just fine. If you lower the bind_timelimit and timelimit quite low (a few seconds) it's not too bad when an ipa server is unavailable. nscd is required to overcome some issues with the libnss-ldap. (Such as Thunderbird segfaulting...)

I've used cfengine to make an IPA config script for clients not supporting sssd and ipa-client-install. I'm sure you could do the same with puppet.

To get group based login, I've used the AllowGroups property in sshd.

Hope this makes sense. :)

Regards,
Siggi
Re: [Freeipa-users] Debian clients?
On Fri, 2011-09-16 at 14:01 -0400, Simo Sorce wrote:
> There is some work being done to make ipa-client-install more cross platform, and we also have some contrib scripts, but we do not have a complete ipa-client-install script for debian based distributions yet. So you'll have to manually (or script) configure all components for now.

I've opened https://fedorahosted.org/freeipa/ticket/1809 (Document manual steps to configure SSSD as an IPA client).
Re: [Freeipa-users] Debian clients?
Hi,

On Fri, 16 Sep 2011, Johan Sunnerstig wrote:
> Hello.
> I'm wondering if anyone has used FreeIPA with Debian clients, and if so, what client software you opted to use? Right now I have nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb software that's included in Debian 6 working decently. By that I mean I can use it to allow logins as expected, but so far I haven't worked out allowing or disallowing login based on group membership.
> Obviously the best solution would be a real IPA client, but has anyone attempted this? I mucked around a bit with the SSSD included in the Debian repos (1.2.1) but didn't get it to work. Though in all fairness I didn't try THAT hard since it seems like SSSD has evolved quite a bit since 1.2.1. Is the SSSD route worthwhile?

I have made a first step into allowing support for other platforms in FreeIPA. FreeIPA 2.1.2 will have an infrastructure to add new platform backends that implement details of platform-specific interaction with services. This does not affect configuration files per se but rather services' start/stop and checks for service availability.

I'm working on systemd support right now for Fedora 16 and, of course, any help on GNU/Debian-based systems is welcomed -- we are probably too far from making server bits distribution-independent but for the client side we are quite close. We 'just' miss a full featured replacement for Fedora's authconfig utility on the Debian side (parts of which should be imported into FreeIPA in my humble opinion).

If you are willing to help or have someone else with spare hands, look at ipapython/platform/* in freeipa's upstream and check http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1 as an example on how to extend it -- it is work in progress too but it shows what you can achieve.

> I really just need group based logins, sudo controls I can handle based on groups with Puppet, but again, if the real client route isn't too much work that's of course preferable.
> I hope this makes sense, late friday and I have a horrible headache, so if it doesn't I apologize in advance. :)

Friday night is a nice time to talk about serious stuff :)

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Debian clients?
On 09/16/2011 11:19 AM, Johan Sunnerstig wrote:
> Hello. I'm wondering if anyone has used FreeIPA with Debian clients, and if so, what client software you opted to use? Right now I have nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb software that's included in Debian 6 working decently. By that I mean I can use it to allow logins as expected, but so far I haven't worked out allowing or disallowing login based on group membership. Obviously the best solution would be a real IPA client, but has anyone attempted this? I mucked around a bit with the SSSD included in the Debian repos (1.2.1) but didn't get it to work. Though in all fairness I didn't try THAT hard since it seems like SSSD has evolved quite a bit since 1.2.1. Is the SSSD route worthwhile?

If you can get SSSD 1.5.x (latest) working, that would be the best avenue, as it natively supports IPA host-based access control features. If you manage to do so, we will help you to set it up manually. If, as a result of this, you would be able to share your experience and create a wiki page with the steps needed to do all this manually, that would be awesome.

An alternative would be to try and port ipa-client to Debian.

> I really just need group-based logins, sudo controls I can handle based on groups with Puppet, but again, if the real client route isn't too much work that's of course preferable.

If you want something simple there might be some options in the nss ldap, but you need to dig them out of the man pages or from Nalin...

> I hope this makes sense, late Friday and I have a horrible headache, so if it doesn't I apologize in advance. :)
>
> Regards
> Johan

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Add user - custom script
On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
>>>>
>>>> Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?
>>>
>>> I'm doing an SSH login onto a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
>>
>> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there? We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this, but it sounds like something that will take a lot of time to accomplish.
>
> The attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
>
>     ipa_user_script=/path/to/script
>
> then during add/delete/modify of a user, it will be called with add/del/mod as the first parameter and the user's dn as the second. The result of the call is ignored, but the return from the IPA server is blocked by the execution, so be quick in ipa_user_script!

I got the patch installed OK, env variable set, and the script is being run when I do user modifications. Great! :)

But the action (add/del/mod) and the dn are not being supplied as arguments.

For testing's sake I've made a very simple script just to capture the env variables. Do you have any suggestions as to why the arguments are not getting supplied to the script?

    #!/bin/bash
    echo a:$1 u:$2 > /tmp/ipa_custom_$$
    env >> /tmp/ipa_custom_$$
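An added example, not code from this thread or from FreeIPA, of how a per-user hook like the one discussed in this message can be invoked so that the action and the DN reliably arrive as separate positional arguments: the hook path, action and DN are passed as one argv list with no shell in between, the action is checked against the add/del/mod vocabulary before any process is started, failures are logged instead of being swallowed, and the call is bounded by a timeout, since the IPA command blocks until the hook exits. The function names, the ALLOWED_ACTIONS set, the DEMO_DN value and the two demo hook scripts are assumptions made for this example; the echo hook mirrors the test script posted above.

```python
# Added example, not code from the thread or from FreeIPA: a defensive
# runner for a per-user hook script. Function names, ALLOWED_ACTIONS,
# DEMO_DN and the demo hook scripts are assumptions made for this example.
import logging
import os
import subprocess
import tempfile

log = logging.getLogger("user_hook")

# The add/del/mod vocabulary from the thread; anything else is rejected
# before a process is spawned.
ALLOWED_ACTIONS = frozenset({"add", "del", "mod"})


def run_user_hook(script, action, dn, timeout=10):
    """Run `script action dn` and return (returncode, stdout).

    action and dn are separate argv elements and no shell is involved, so a
    DN containing spaces, quotes or $(...) reaches the hook exactly as stored
    in the directory. Errors are logged, not swallowed, and the call is
    bounded by `timeout` because the caller blocks until the hook returns.
    On timeout or a failure to start the hook, (None, "") is returned.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unexpected hook action: %r" % (action,))
    if not os.path.isabs(script):
        raise ValueError("hook path must be absolute: %r" % (script,))
    try:
        proc = subprocess.run(
            [script, action, dn],
            stdin=subprocess.DEVNULL,
            capture_output=True,
            text=True,
            timeout=timeout,
            check=False,
        )
    except subprocess.TimeoutExpired:
        log.error("hook %s timed out after %ss (action=%s dn=%s)",
                  script, timeout, action, dn)
        return None, ""
    except OSError as exc:
        log.error("hook %s could not be started: %s", script, exc)
        return None, ""
    if proc.returncode != 0:
        log.warning("hook %s exited %d for action=%s dn=%s: %s",
                    script, proc.returncode, action, dn, proc.stderr.strip())
    return proc.returncode, proc.stdout


def _write_hook(directory, body):
    """Write a constructed hook script into `directory` and make it executable."""
    path = os.path.join(directory, "ipa_user_hook.sh")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body)
    os.chmod(path, 0o700)
    return path


# Constructed DN with characters a shell would mangle or expand.
DEMO_DN = "uid=o'brien $(hostname),cn=users,cn=accounts,dc=example,dc=test"


def demo_hook_roundtrip():
    """Hook that echoes its two arguments, like the test script posted above."""
    with tempfile.TemporaryDirectory() as tmp:
        hook = _write_hook(tmp, 'printf "a:%s u:%s\\n" "$1" "$2"\n')
        rc, out = run_user_hook(hook, "add", DEMO_DN)
    return rc, out.rstrip("\n")


def demo_hook_timeout():
    """Hook that sleeps past the budget; the runner gives up and reports it."""
    with tempfile.TemporaryDirectory() as tmp:
        hook = _write_hook(tmp, "sleep 5\n")
        return run_user_hook(hook, "mod", DEMO_DN, timeout=1)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo_hook_roundtrip())
    print(demo_hook_timeout())
```

The round trip prints `a:add u:uid=o'brien $(hostname),...` with the `$(hostname)` intact, which is the observable difference between passing an argv list and handing a formatted string to a shell; the timeout demo returns `(None, "")` after one second instead of holding the caller for five.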
Re: [Freeipa-users] Windows client logon
This was installed using yum. I need to be able to authenticate users against Kerberos from a Windows client machine, and it fails at login saying the username/password is incorrect. The krb5kdc.log shows:

Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed

I know the user's password I'm using is correct because I can kinit with that username/password on the IPA server. I used ipa-getkeytab to set the machine password, but I'm not sure that it's doing what I would normally do in a stand-alone MIT Kerberos server using kadmin. Using ksetup on the Windows 7 client I can reconfigure for a couple of different realms and authentication works just fine, but I'm missing something in the IPA config that would allow the same authentication.

Thanks,
Jimmy

On Fri, Sep 16, 2011 at 4:45 PM, Dmitri Pal d...@redhat.com wrote:
> On 09/16/2011 02:26 PM, Jimmy wrote:
>> I can create a keytab using ipa-getkeytab for any entity, say for instance a user, and store a password in the keytab, but as soon as the user attempts to kinit with the set password it expires and must be changed.
>
> Is this happening with the host (workstation) entities? Are you using the latest hand-built IPA from master? There is a bug about passwords being expired. A more stable version is available from Fedora if you are using Fedora, or from the 2.1 branch.
>
>> On Fri, Sep 16, 2011 at 9:44 AM, Jimmy g17ji...@gmail.com wrote:
>>> When I do not specify the encryption type it does put them all in in a single go. I just was attempting to eliminate the other types in case that was creating a problem. The system defaults to type x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this.
>>>
>>> [root@csp-idm etc]# klist -kte krb5.keytab.sys1
>>> Keytab name: WRFILE:krb5.keytab.sys1
>>> KVNO Timestamp         Principal
>>> ---- ----------------- ------------------------------------------------------
>>>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp (aes256-cts-hmac-sha1-96)
>>>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp (aes128-cts-hmac-sha1-96)
>>>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (des3-cbc-sha1)
>>>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (arcfour-hmac)
>>>
>>> On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce s...@redhat.com wrote:
>>>> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab]
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>>>>
>>>> This is not how it works. You must define all types in one single go. Every time you invoke ipa-getkeytab for a principal you are discarding any previous key in the KDC, and only the last one is available.
>>>>
>>>> Simo.
>>>>
>>>> -- 
>>>> Simo Sorce * Red Hat, Inc * New York
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Windows client logon
On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:
> This was installed using yum. I need to be able to authenticate users against Kerberos from a Windows client machine, and it fails at login saying the username/password is incorrect. The krb5kdc.log shows:
>
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed

These logs say that either the password is wrong, or the clock on your Windows client is way off (more than 5 min. skew) wrt the IPA server.

> I know the user's password I'm using is correct because I can kinit with that username/password on the IPA server. I used ipa-getkeytab to set the machine password, but I'm not sure that it's doing what I would normally do in a stand-alone MIT Kerberos server using kadmin. Using ksetup on the Windows 7 client I can reconfigure for a couple of different realms and authentication works just fine, but I'm missing something in the IPA config that would allow the same authentication.

The reason to have a password (Windows) or a keytab (Unix) for the machine is to be able to validate the account against a possible rogue KDC + attacker-at-login-prompt pair. But you are not even getting to the validation step, as you are failing to get a TGT for the user in the first place.

If the user password is right and your FreeIPA REALM name is indeed PDH.CSP then it is probably clock skew.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
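An added example, not from this thread and not MIT Kerberos or FreeIPA code, of turning krb5kdc.log lines of the shape quoted above into something that can be checked mechanically: a parser for AS_REQ records (status, client and service principals, source address, offered enctypes) and a tally of PREAUTH_FAILED results per client and source address, which is how the wrong-password-or-clock-skew pattern Simo describes shows up for a single principal, and which keeps that case separate from many different principals failing from one address. The helper names and the sample log lines, including their host names, principals and addresses, are constructed for this example.

```python
# Added example, not code from the thread, MIT Kerberos or FreeIPA: parse
# krb5kdc AS_REQ log lines and tally pre-authentication failures. Helper
# names and the SAMPLE_LINES (hosts, principals, addresses) are constructed.
import re
from collections import Counter, defaultdict

AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): AS_REQ \((?P<count>\d+) etypes \{(?P<etypes>[-\d ]*)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client for service" appears in every AS_REQ line; any failure detail follows it.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<service>\S+?),?(?: |$)")

# Kerberos enctype numbers 17 (aes128-cts-hmac-sha1-96) and 18
# (aes256-cts-hmac-sha1-96); the other numbers in the thread's lines are legacy.
AES_ETYPES = {17, 18}

# Constructed sample: one client failing timestamp preauth twice, one client issued a TGT.
SAMPLE_LINES = [
    "Sep 16 20:53:32 kdc.example.test krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.9: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Sep 16 20:53:32 kdc.example.test krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed",
    "Sep 16 20:53:32 kdc.example.test krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.9: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed",
    "Sep 16 20:53:32 kdc.example.test krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed",
    "Sep 16 20:53:32 kdc.example.test krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.9: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed",
    "Sep 16 20:55:01 kdc.example.test krb5kdc[1227](info): AS_REQ (2 etypes {23 3}) 192.0.2.10: ISSUE: authtime 1316206501, etypes {rep=23 tkt=18 ses=23}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
]


def parse_as_req(line):
    """Return a dict for an AS_REQ line, or None for any other KDC line."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    p = PRINC_RE.search(m.group("rest"))
    if not p:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "ip": m.group("ip"),
        "etypes": [int(e) for e in m.group("etypes").split()],
        "status": m.group("status"),
        "client": p.group("client"),
        "service": p.group("service"),
        # Text after the service principal, e.g. "Decrypt integrity check failed".
        "detail": m.group("rest")[p.end():].strip(),
    }


def offers_aes(record):
    """True if the client advertised at least one AES enctype in its AS_REQ."""
    return any(e in AES_ETYPES for e in record["etypes"])


def summarize(lines):
    """Count AS_REQ statuses per (client principal, source address)."""
    tally = defaultdict(Counter)
    for line in lines:
        rec = parse_as_req(line)
        if rec:
            tally[(rec["client"], rec["ip"])][rec["status"]] += 1
    return tally


def flag_preauth_failures(lines, threshold=3):
    """(client, ip) pairs with at least `threshold` PREAUTH_FAILED results."""
    return sorted(key for key, counts in summarize(lines).items()
                  if counts["PREAUTH_FAILED"] >= threshold)


if __name__ == "__main__":
    for key, counts in summarize(SAMPLE_LINES).items():
        print(key, dict(counts))
    print("flagged:", flag_preauth_failures(SAMPLE_LINES, threshold=2))
```

The bare "preauth (timestamp) verify failure" lines carry no principal and are skipped; the PREAUTH_FAILED record that follows each one carries the same detail text together with the client and address, so the tally is keyed on those. The `offers_aes` check is a side benefit of parsing the etype list: a client that never offers 17 or 18 will not be able to use an AES-only keytab of the kind discussed in the ipa-getkeytab exchange above.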