[Freeipa-users] Dynamic DNS
hi! Anyone out there gotten Dynamic DNS working on a freeipa-managed DNS server? I've been trying for days following instructions from various freeipa and redhat docs! I've set up keytabs, set up /etc/rndc.key, set Dynamic update to True and put the following in my BIND update policy:

    grant host\047foreman.collmedia@collmedia.net wildcard * ANY;
    grant host\047ipadevmstr.collmedia@collmedia.net wildcard * ANY;

I keep getting:

    # nsupdate -g a_update
    update failed: REFUSED
    update failed: REFUSED

    [root@ipadevmstr ~]# cat a_update
    server ipadevmstr.collmedia.net
    zone collmedia.net.
    update add client.collmedia.net. 86400 IN A 192.168.8.120
    send
    update delete client.collmedia.net. IN A
    send

    tail /var/log/messages
    Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
    Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37600: query: 692300375.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
    Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#52609: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
    Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
    Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#40423: query: 718499086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
    Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)

Any help would be GREATLY appreciated . . .

Thanks a lot,
Guy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Dynamic DNS
Hi Guy! I've been working with this recently - maybe I can help.

Have you enrolled the ipadevmstr.collmedia.net as a service with `ipa service-add DNS/ipadevmstr.collmedia.net`?

On the client, can you `kinit -kt $dnskeytab -p DNS/ipadevmstr.collmedia.net` just fine? You'll have to kinit before you can do `nsupdate -g a_update`.

If all else fails, on the IPA Server, what does your kdc log say in /var/log/krb5kdc.log?

HTH,
Lynn Root
@roguelynn
Associate Software Engineer

On Apr 30, 2013, at 9:08 AM, Guy Matz gm...@collective.com wrote:
> hi! Anyone out there gotten Dynamic DNS working on a freeipa-managed DNS server? I've been trying for days following instructions from various freeipa and redhat docs! I've set up keytabs, set up /etc/rndc.key, set Dynamic update to True and put the following in my BIND update policy:
>
>     grant host\047foreman.collmedia@collmedia.net wildcard * ANY;
>     grant host\047ipadevmstr.collmedia@collmedia.net wildcard * ANY;
>
> I keep getting:
>
>     # nsupdate -g a_update
>     update failed: REFUSED
>     update failed: REFUSED
[Freeipa-users] automember issues
Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area?

Thanks,
John Moyer
[Freeipa-users] Samba 4 with IPA
Hi

I don't know if anyone has tried what I want to do, I really just want to know if it's possible at the moment. A few pointers to any information would be helpful too!

I have an existing FreeIPA server running on a CentOS machine. It is used to authenticate all users on the network. This works very well, but setting up Windows workstations is a bit of a pain. I also want to provide some network storage for the windows machines.

To this end, I would like to set up a Samba 4 server as a slave to FreeIPA so that the Windows workstations could join an AD domain controlled by Samba 4, but actually authenticating against FreeIPA. I really want to keep FreeIPA in the driving seat, but would love to be able to make the Windows workstations behave as though they were on a domain.
Re: [Freeipa-users] Samba 4 with IPA
On Tue, 30 Apr 2013, Simon Williams wrote:
> Hi
>
> I don't know if anyone has tried what I want to do, I really just want to know if it's possible at the moment. A few pointers to any information would be helpful too!

Short answer: not possible right now if by 'Samba 4' you mean Samba AD DC.

> I have an existing FreeIPA server running on a CentOS machine. It is used to authenticate all users on the network. This works very well, but setting up Windows workstations is a bit of a pain. I also want to provide some network storage for the windows machines.
>
> To this end, I would like to set up a Samba 4 server as a slave to FreeIPA so that the Windows workstations could join an AD domain controlled by Samba 4, but actually authenticating against FreeIPA. I really want to keep FreeIPA in the driving seat, but would love to be able to make the Windows workstations behave as though they were on a domain.

So you describe above several disconnected cases:

1. Samba file server (smbd) authenticating against FreeIPA.
2. Samba AD DC controlling its own Active Directory-compatible deployment trusting FreeIPA deployment.

(1) is possible to implement with few caveats and some details are still rough. We have plans on making the experience smoother for FreeIPA 3.3+ or so. For now, if there is cross-realm trust with Active Directory, each IPA master which serves as domain controller (after ipa-adtrust-install was run on it) could serve as file server but access control setup is a bit complex.

(2) is not possible right now due to the fact that Samba AD DC does not support cross-forest trusts right now. There is certain amount of work to be done to implement needed logic in Samba.

--
/ Alexander Bokovoy
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.com wrote:
> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area?

That -should- be enough to catch new hosts that are built by the 'build' user.

Can you verify that the Attribute you are matching on is: enrolledby ?

Keeping your head in the cloud
~ Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com
Re: [Freeipa-users] Dynamic DNS
On Tue, 2013-04-30 at 12:08 -0400, Guy Matz wrote:
> hi! Anyone out there gotten Dynamic DNS working on a freeipa-managed DNS server? I've been trying for days following instructions from various freeipa and redhat docs! I've set up keytabs, set up /etc/rndc.key, set Dynamic update to True and put the following in my BIND update policy:
>
>     grant host\047foreman.collmedia@collmedia.net wildcard * ANY;
>     grant host\047ipadevmstr.collmedia@collmedia.net wildcard * ANY;

This looks good, you've put these in LDAP right ? Can you show the attributes as retrieved from a ldapsearch just to check the formatting is correct ?

> I keep getting:
>
>     # nsupdate -g a_update
>     update failed: REFUSED
>     update failed: REFUSED
>
>     [root@ipadevmstr ~]# cat a_update
>     server ipadevmstr.collmedia.net
>     zone collmedia.net.
>     update add client.collmedia.net. 86400 IN A 192.168.8.120
>     send
>     update delete client.collmedia.net. IN A
>     send

shouldn't you delete first add second ?

>     tail /var/log/messages
>     Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
>     Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37600: query: 692300375.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
>     Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#52609: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
>     Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
>     Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#40423: query: 718499086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
>     Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)

Something seems wrong with the Access Control policy ...

Simo.

--
Simo Sorce * Red Hat, Inc * New York
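The two points raised in this thread, the update-policy check that produces "rejected by secure update (REFUSED)" and the order of operations in the nsupdate batch, as an added simulation. This is not code from the thread, from BIND or from FreeIPA: it approximates what named does with a GSS-TSIG signed update (match the signing principal against each grant line, then apply each `send` as one transaction that is refused as a whole if any record in it is not authorised). The policy, principals, zone names and existing record are constructed; the `\047` escape form in the poster's policy is not modelled and identities are written with a plain `/`; the wildcard and identity-comparison rules are assumptions about BIND, not its source.

```python
"""Added example (not the thread's, BIND's or FreeIPA's code): a simulation of
named handling a GSS-TSIG signed update. Grant lines are checked against the
signing principal and owner name; every `send` is one atomic transaction that
is REFUSED as a whole if any RR in it is not authorised. Approximate semantics."""
import re
from collections import defaultdict

GRANT_RE = re.compile(r"^\s*grant\s+(?P<identity>\S+)\s+(?P<matchtype>wildcard|name)\s+"
                      r"(?P<name>\S+)\s+(?P<types>.+?)\s*;\s*$")


def _norm(name):
    """DNS names compare case-insensitively; drop the trailing dot."""
    return name.rstrip(".").lower()


def parse_update_policy(policy):
    """grant lines -> list of (identity, matchtype, name, set of types)."""
    rules = []
    for line in policy.splitlines():
        line = line.strip()
        if not line:
            continue
        m = GRANT_RE.match(line)
        if not m:
            raise ValueError(f"unsupported grant syntax: {line}")
        rules.append((_norm(m["identity"]), m["matchtype"], _norm(m["name"]),
                      set(m["types"].upper().split())))
    return rules


def policy_allows(rules, signer, owner, rrtype):
    """True if some grant lets `signer` change `rrtype` records at `owner`."""
    signer, owner, rrtype = _norm(signer), _norm(owner), rrtype.upper()
    for identity, matchtype, name, types in rules:
        if identity != signer:
            continue
        if matchtype == "name":
            name_ok = owner == name
        else:  # wildcard: '*' is any owner, '*.suffix' any owner below suffix
            name_ok = name == "*" or (name.startswith("*.") and owner.endswith(name[1:]))
        if name_ok and ("ANY" in types or rrtype in types):
            return True
    return False


def run_nsupdate_batch(batch, rules, signer, zone=None):
    """Apply an nsupdate input file; returns (result per send, resulting zone).
    The zone maps (owner, type) -> set of rdata; the caller's copy is not changed."""
    zone = defaultdict(set, {k: set(v) for k, v in (zone or {}).items()})
    results, pending = [], []
    for raw in batch.splitlines():
        parts = raw.split()
        if not parts or parts[0] in ("server", "zone"):
            continue  # transport details, not part of the update message
        if parts[0] == "send":
            # one failed authorisation refuses the whole message, so check all first
            if all(policy_allows(rules, signer, own, typ) for _, own, typ, _ in pending):
                for action, own, typ, rdata in pending:
                    key = (_norm(own), typ.upper())
                    if action == "add":
                        zone[key].add(rdata)
                    elif rdata is None:  # no rdata given: drop the whole RRset
                        zone.pop(key, None)
                    else:
                        zone[key].discard(rdata)
                results.append("NOERROR")
            else:
                results.append("REFUSED")
            pending = []
        elif parts[:2] == ["update", "add"] and len(parts) >= 6:
            rest = [p for p in parts[4:] if p.upper() != "IN"]  # owner ttl [class] type rdata
            pending.append(("add", parts[2], rest[0], " ".join(rest[1:])))
        elif parts[:2] == ["update", "delete"] and len(parts) >= 4:
            rest = [p for p in parts[3:] if p.upper() != "IN"]  # owner [class] type [rdata]
            pending.append(("delete", parts[2], rest[0], " ".join(rest[1:]) or None))
        else:
            raise ValueError(f"unsupported nsupdate line: {raw!r}")
    return results, {k: v for k, v in zone.items() if v}


# Constructed policy and batches; principals, names and addresses are assumptions.
SAMPLE_POLICY = """
grant host/foreman.example.com@EXAMPLE.COM wildcard * ANY;
grant host/ipamaster.example.com@EXAMPLE.COM wildcard * ANY;
"""
ADD_THEN_DELETE = """\
server ipamaster.example.com
zone example.com.
update add client.example.com. 86400 IN A 192.168.8.120
send
update delete client.example.com. IN A
send
"""
DELETE_THEN_ADD = """\
server ipamaster.example.com
zone example.com.
update delete client.example.com. IN A
update add client.example.com. 86400 IN A 192.168.8.120
send
"""
EXISTING = {("client.example.com", "A"): {"192.168.8.1"}}


def demo():
    rules = parse_update_policy(SAMPLE_POLICY)
    foreman = "host/foreman.example.com@EXAMPLE.COM"
    return {
        "unknown_signer": run_nsupdate_batch(ADD_THEN_DELETE, rules, "host/laptop.example.com@EXAMPLE.COM", EXISTING),
        "add_then_delete": run_nsupdate_batch(ADD_THEN_DELETE, rules, foreman, EXISTING),
        "delete_then_add": run_nsupdate_batch(DELETE_THEN_ADD, rules, foreman, EXISTING),
    }
```

`demo()` shows three outcomes: a principal the policy never names gets REFUSED on every `send` and the zone is untouched, which is the symptom in the log above; the batch as posted (add, send, delete, send) is accepted but ends with no A record at all; delete followed by add inside one `send` replaces the record atomically, with no window in which the name has no address.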
Re: [Freeipa-users] automember issues
Yep, enrolledby is what I'm using, but I have been adding them manually since it hasn't been working.

Thanks,
John Moyer

On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote:
> That -should- be enough to catch new hosts that are built by the 'build' user.
>
> Can you verify that the Attribute you are matching on is: enrolledby ?
[Freeipa-users] Upgrade Test Case
I have a small FreeIPA 3.1 installation on Fedora 18. I thought it might be useful to try to upgrade it to FreeIPA 3.2 on Fedora 19 before I tried to rebuild it from scratch, as I imagined larger installations would not be able to rebuild.

I thought the test cases for FreeIPA Test Day might have instructions for the upgrade, but I did not find an upgrade test case.

Is an upgrade as trivial as pointing yum to a different set of repositories and updating?
Re: [Freeipa-users] automember issues
One thing to add is that this build user only has the following access:

    Host Administrators
    Host enrollment

Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group, it's the system technically doing it, so there shouldn't be a permissions issue.

Thanks,
John Moyer

On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote:
> That -should- be enough to catch new hosts that are built by the 'build' user.
>
> Can you verify that the Attribute you are matching on is: enrolledby ?
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote:
> One thing to add is that this build user only has the following access:
>
>     Host Administrators
>     Host enrollment
>
> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group, it's the system technically doing it, so there shouldn't be a permissions issue.

The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin should be catching the insertion of the new object, then match the watched attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user.

Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed.

~ Jr Aquino
Re: [Freeipa-users] automember issues
Not a problem, here is the output

    ipa automember-find --type=hostgroup
    ---
    1 rules matched
    ---
      Automember Rule: test-group
      Inclusive Regex: enrolledby=build
    Number of entries returned 1

Thanks,
John Moyer

On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote:
> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed.
Re: [Freeipa-users] automember issues
On 04/30/2013 10:48 AM, JR Aquino wrote:
> On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote:
>> One thing to add is that this build user only has the following access:
>>
>>     Host Administrators
>>     Host enrollment
>>
>> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group, it's the system technically doing it, so there shouldn't be a permissions issue.
>
> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin should be catching the insertion of the new object, then match the watched attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user.

This is correct. The user doesn't matter, as the operation that deals with the group membership is done internally by the AutoMember plug-in.

> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed.
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote:
> Not a problem, here is the output
>
>     ipa automember-find --type=hostgroup
>     ---
>     1 rules matched
>     ---
>       Automember Rule: test-group
>       Inclusive Regex: enrolledby=build
>     Number of entries returned 1

interesting.

When you do an:

    ipa host-show test-hostname.example.com --all --raw

Does it clearly show that enrolledby=build?

~ Jr Aquino
Re: [Freeipa-users] automember issues
It comes back with a ton of stuff, the row you are probably interested in is this one:

    enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com

Thanks,
John Moyer

On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote:
> interesting.
>
> When you do an:
>
>     ipa host-show test-hostname.example.com --all --raw
>
> Does it clearly show that enrolledby=build?
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com wrote:

> It comes back with a ton of stuff; the row you are probably interested in is this one:
>
> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com

Bingo!

Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with

uid=build,cn=users,cn=accounts,dc=example,dc=com

See if that does the trick

> Thanks,
> _
> John Moyer
Re: [Freeipa-users] Upgrade Test Case
On Tue, 30 Apr 2013, Dean Hunter wrote:

> I have a small FreeIPA 3.1 installation on Fedora 18. I thought it might be useful to try to upgrade it to FreeIPA 3.2 on Fedora 19 before I tried to rebuild it from scratch, as I imagined larger installations would not be able to rebuild. I thought the test cases for FreeIPA Test Day might have instructions for the upgrade, but I did not find an upgrade test case. Is an upgrade as trivial as pointing yum to a different set of repositories and updating?

Apart from general F18-F19 upgrade issues (if any), there is a Kerberos change from 1.10 to 1.11 which brings a change in the KDC driver ABI. As a result, you will need to restart the KDC after the upgrade.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Upgrade Test Case
Dean Hunter wrote:

> I have a small FreeIPA 3.1 installation on Fedora 18. I thought it might be useful to try to upgrade it to FreeIPA 3.2 on Fedora 19 before I tried to rebuild it from scratch, as I imagined larger installations would not be able to rebuild. I thought the test cases for FreeIPA Test Day might have instructions for the upgrade, but I did not find an upgrade test case. Is an upgrade as trivial as pointing yum to a different set of repositories and updating?

It should work like previous Fedora updates. Just upgrade the distro in-place; it should upgrade FreeIPA as well, to 3.2 beta1.

https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum#Fedora_18_-.3E_Fedora_19_.28pre_release_branched.29

rob
Re: [Freeipa-users] automember issues
I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier:

ipa automember-find --type=hostgroup
---
1 rules matched
---
Automember Rule: test-group
Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
Number of entries returned 1

Thanks,
_
John Moyer

On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.com wrote:

> On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com wrote:
>
>> It comes back with a ton of stuff; the row you are probably interested in is this one:
>>
>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
>
> Bingo!
>
> Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with
>
> uid=build,cn=users,cn=accounts,dc=example,dc=com
>
> See if that does the trick
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 11:12 AM, John Moyer john.mo...@digitalreasoning.com wrote:

> I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier:
>
> ipa automember-find --type=hostgroup
> ---
> 1 rules matched
> ---
> Automember Rule: test-group
> Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
> Number of entries returned 1

Interesting. What about if you just do something silly like:

.*build.*

Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above?

> Thanks,
> _
> John Moyer
Re: [Freeipa-users] Samba 4 with IPA
That is actually pretty good news. The real requirement is network storage for the Windows workstations secured by FreeIPA authentication. If I read what you’ve said correctly this is possible now. I can live with the magical incantations to enrol any new Windows machines for now. There are a few things that would work better if Windows thought it was logging on to a domain, but we have lived without those features for the last year. Once a Windows machine has been set up correctly, which can be a bit hit and miss, the authentication works flawlessly.

It sounds as though I can set up the file server now and then extend it to do the AD DC bit when it is ready. I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo anywhere, is there?

Sent from Windows Mail

From: Alexander Bokovoy
Sent: Tuesday, 30 April 2013 18:01
To: Simon Williams
Cc: freeipa-users

> On Tue, 30 Apr 2013, Simon Williams wrote:
>
>> Hi
>>
>> I don't know if anyone has tried what I want to do, I really just want to know if it's possible at the moment. A few pointers to any information would be helpful too!
>
> Short answer: not possible right now if by 'Samba 4' you mean Samba AD DC.
>
>> I have an existing FreeIPA server running on a CentOS machine. It is used to authenticate all users on the network. This works very well, but setting up Windows workstations is a bit of a pain. I also want to provide some network storage for the windows machines. To this end, I would like to set up a Samba 4 server as a slave to FreeIPA so that the Windows workstations could join an AD domain controlled by Samba 4, but actually authenticating against FreeIPA. I really want to keep FreeIPA in the driving seat, but would love to be able to make the Windows workstations behave as though they were on a domain.
>
> So you describe above several disconnected cases:
>
> 1. Samba file server (smbd) authenticating against FreeIPA.
> 2. Samba AD DC controlling its own Active Directory-compatible deployment trusting FreeIPA deployment.
>
> (1) is possible to implement with a few caveats, and some details are still rough. We have plans on making the experience smoother for FreeIPA 3.3+ or so. For now, if there is cross-realm trust with Active Directory, each IPA master which serves as domain controller (after ipa-adtrust-install was run on it) could serve as file server, but access control setup is a bit complex.
>
> (2) is not possible right now due to the fact that Samba AD DC does not support cross-forest trusts right now. There is a certain amount of work to be done to implement the needed logic in Samba.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 11:23 AM, John Moyer john.mo...@digitalreasoning.com wrote:

> Ha! I tried .*build and build.* before contacting you guys, I didn't try .*build.* That worked, it automatically added the machine to the group! Thanks! That will save me so much time!

Not a problem John, thanks for your patience! Glad to be of help! I'm very happy to see that some of the stuff that I use daily saves other folks time and headaches too!

-JR

> Thanks,
> _
> John Moyer
Re: [Freeipa-users] automember issues
On 04/30/2013 02:17 PM, JR Aquino wrote:

> On Apr 30, 2013, at 11:12 AM, John Moyer john.mo...@digitalreasoning.com wrote:
>
>> I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier:
>>
>> ipa automember-find --type=hostgroup
>> ---
>> 1 rules matched
>> ---
>> Automember Rule: test-group
>> Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
>> Number of entries returned 1
>
> Interesting. What about if you just do something silly like:
>
> .*build.*
>
> Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above?

Don't you need to specify the target group? It might be that the filter is working but it is not placing it anywhere because nothing is specifying where to place it.
Re: [Freeipa-users] Samba 4 with IPA
On Tue, 30 Apr 2013, simon.willi...@thehelpfulcat.com wrote:

> That is actually pretty good news. The real requirement is network storage for the Windows workstations secured by FreeIPA authentication. If I read what you’ve said correctly this is possible now. I can live with the magical incantations to enrol any new Windows machines for now. There are a few things that would work better if Windows thought it was logging on to a domain, but we have lived without those features for the last year. Once a Windows machine has been set up correctly, which can be a bit hit and miss, the authentication works flawlessly.

To be clear, we have not tested this combination, so you'll be in uncharted waters. Since the TGT for these users would still be issued by the FreeIPA KDC, it would include an MS-PAC with the SIDs of these users in the FreeIPA domain -- once you have run ipa-adtrust-install, of course. Thus, smbd on the IPA master would be able to recognize them as FreeIPA users regardless of where they come from -- IPA or Windows machines, as long as Kerberos is in use. Any reports of how such a setup would actually behave are welcomed.

> It sounds as though I can set up the file server now and then extend it to do the AD DC bit when it is ready. I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo anywhere, is there?

The only requirements for a simplistic setup are to:

1. run the file server on an IPA master (you can make a dedicated replica for that)
2. run ipa-adtrust-install on that master to set up the Samba configuration and enable the KDC + directory server to handle SIDs
3. use 'net conf setparm ...' to set up shares, since Samba on an IPA master uses the registry backend to store the smb.conf configuration.

See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares for a sample of how to work with 'net conf setparm'. For 'valid users' I guess you can simply use user names, since these would be our local ones.

Again, this is completely untested right now.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Samba 4 with IPA
On Tue, 30 Apr 2013, Alexander Bokovoy wrote:

> The only requirements for a simplistic setup are to:
>
> 1. run the file server on an IPA master (you can make a dedicated replica for that)
> 2. run ipa-adtrust-install on that master to set up the Samba configuration and enable the KDC + directory server to handle SIDs
> 3. use 'net conf setparm ...' to set up shares, since Samba on an IPA master uses the registry backend to store the smb.conf configuration.
>
> Again, this is completely untested right now.

So, I tried a quick test for this, using the admins group:

1. Set up the shared space, apply the SELinux context and modify ACLs:

[root@red samba-4.0.5]# mkdir /srv/testshare
[root@red samba-4.0.5]# chcon -t samba_share_t /srv/testshare
[root@red samba-4.0.5]# setfacl -m g:admins:rwx /srv/testshare
[root@red samba-4.0.5]# getfacl /srv/testshare
getfacl: Removing leading '/' from absolute path names
# file: srv/testshare
# owner: root
# group: root
user::rwx
group::r-x
group:admins:rwx
mask::rwx
other::r-x

2. Create the actual Samba share:

[root@red samba-4.0.5]# net conf addshare testshare /srv/testshare writeable=y guest_ok=N

3. Obtain a TGT for a Kerberos identity (admin, belongs to the admins group):

[root@red samba-4.0.5]# kinit
Password for admin@BIRD.CLONE:
[root@red samba-4.0.5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BIRD.CLONE

Valid starting       Expires              Service principal
30.04.2013 22:10:13  01.05.2013 22:10:11  krbtgt/BIRD.CLONE@BIRD.CLONE

Now try connecting to //red.bird.clone/testshare and use it (I've copied a few files in several sessions, showing the last one):

[root@red samba-4.0.5]# smbclient -k //red.bird.clone/testshare
lp_load_ex: changing to config backend registry
Domain=[BIRD] OS=[Unix] Server=[Samba 4.0.5]
smb: \> dir
  .                                   D        0  Tue Apr 30 22:06:51 2013
  ..                                  D        0  Tue Apr 30 21:40:04 2013
  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
  README                              A     7998  Tue Apr 30 22:06:51 2013

                40918 blocks of size 262144. 19277 blocks available
smb: \> put WHATSNEW.txt
putting file WHATSNEW.txt as \WHATSNEW.txt (182,6 kb/s) (average 182,6 kb/s)
smb: \> dir
  .                                   D        0  Tue Apr 30 22:10:35 2013
  ..                                  D        0  Tue Apr 30 21:40:04 2013
  WHATSNEW.txt                        A    47112  Tue Apr 30 22:10:35 2013
  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
  README                              A     7998  Tue Apr 30 22:06:51 2013

                40918 blocks of size 262144. 19277 blocks available
smb: \>

Check the status of the last copied file; notice the permissions and SELinux context:

[root@red samba-4.0.5]# stat /srv/testshare/WHATSNEW.txt
  File: ‘/srv/testshare/WHATSNEW.txt’
  Size: 47112      Blocks: 96         IO Block: 4096   regular file
Device: fc03h/64515d    Inode: 153050      Links: 1
Access: (0744/-rwxr--r--)  Uid: (156440/   admin)   Gid: (156440/  admins)
Context: system_u:object_r:samba_share_t:s0
Access: 2013-04-30 22:10:35.484270784 +0300
Modify: 2013-04-30 22:10:35.580239030 +0300
Change: 2013-04-30 22:10:35.579270116 +0300
 Birth: -

--
/ Alexander Bokovoy
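A pre-flight check for the share layout in the test above, written as an added example rather than anything from Alexander's message: it reads getfacl and stat output (the captured lines below are copied from his test) and flags the two things that quietly break access on such a share, an ACL mask narrower than the group entry and a file or directory that is not labelled samba_share_t.

```shell
#!/bin/sh
# Added example, not part of the thread: pre-flight checks for a Samba
# share on an IPA master, mirroring the ACL and SELinux layout used for
# /srv/testshare above. Each check reads command output on stdin, so it
# works both on live `getfacl`/`stat` output and on captured text.

# check_share_acl GROUP
#   stdin: output of `getfacl <dir>`
#   Prints "ok" only when GROUP has rwx, the mask still permits rwx (a
#   narrower mask silently cuts the effective group rights; getfacl then
#   annotates the entry with "#effective:...") and "other" cannot write.
#   Otherwise prints the reason and returns 1.
check_share_acl() {
    group="$1"
    acl=$(cat)
    grp_perm=$(printf '%s\n' "$acl" | awk -F: -v g="$group" \
        '$1 == "group" && $2 == g { sub(/[[:space:]]+#.*$/, "", $3); print $3 }')
    mask=$(printf '%s\n' "$acl" | awk -F: '$1 == "mask" { print $3 }')
    other=$(printf '%s\n' "$acl" | awk -F: '$1 == "other" { print $3 }')
    if [ "$grp_perm" != "rwx" ]; then
        echo "fail: group $group has '${grp_perm:-no entry}', expected rwx"
        return 1
    fi
    if [ "$mask" != "rwx" ]; then
        echo "fail: mask is '$mask', effective group rights are reduced"
        return 1
    fi
    case "$other" in
        *w*) echo "fail: 'other' may write ($other)"; return 1 ;;
    esac
    echo ok
}

# check_share_context
#   stdin: output of `stat <path>` (SELinux hosts print a "Context:" line)
#   Prints "ok" when the type is samba_share_t, the type smbd may serve.
check_share_context() {
    ctx=$(awk '$1 == "Context:" { print $2 }')
    case "$ctx" in
        *:samba_share_t:*) echo ok ;;
        "") echo "fail: no SELinux context in stat output"; return 1 ;;
        *) echo "fail: context is $ctx, expected type samba_share_t"; return 1 ;;
    esac
}

# Output captured from the test in the thread (copied, not generated here).
SAMPLE_ACL='# file: srv/testshare
# owner: root
# group: root
user::rwx
group::r-x
group:admins:rwx
mask::rwx
other::r-x'

SAMPLE_STAT='  File: /srv/testshare/WHATSNEW.txt
Access: (0744/-rwxr--r--)  Uid: (156440/   admin)   Gid: (156440/  admins)
Context: system_u:object_r:samba_share_t:s0'

# On the IPA master the same checks run on live output:
#   getfacl /srv/testshare | check_share_acl admins
#   stat /srv/testshare/WHATSNEW.txt | check_share_context
printf '%s\n' "$SAMPLE_ACL"  | check_share_acl admins
printf '%s\n' "$SAMPLE_STAT" | check_share_context
```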
Re: [Freeipa-users] automember issues
So I must have looked at the wrong server name, I just tried to add 4 more servers and none of them worked. Any more ideas? The target is specified by the rule name; test-group is the target.

Thanks,
John Moyer

On Apr 30, 2013, at 2:25 PM, Dmitri Pal d...@redhat.com wrote:

On 04/30/2013 02:17 PM, JR Aquino wrote:

On Apr 30, 2013, at 11:12 AM, John Moyer john.mo...@digitalreasoning.com wrote:

I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier:

ipa automember-find --type=hostgroup
---------------
1 rules matched
---------------
  Automember Rule: test-group
  Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
----------------------------
Number of entries returned 1
----------------------------

Interesting. What about if you just do something silly like: .*build.*

Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above?

Don't you need to specify target group? It might be that the filter is working but it is not placing it anywhere because nothing is specifying where to place it.

Thanks,
John Moyer

On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.com wrote:

On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com wrote:

It comes back with a ton of stuff; the row you are probably interested in is this one:

enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com

Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com

See if that does the trick.

Thanks,
John Moyer

On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote:

On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote:

Not a problem, here is the output:

ipa automember-find --type=hostgroup
---------------
1 rules matched
---------------
  Automember Rule: test-group
  Inclusive Regex: enrolledby=build
----------------------------
Number of entries returned 1
----------------------------

Interesting. When you do an:

ipa host-show test-hostname.example.com --all --raw

Does it clearly show that enrolledby=build?

Thanks,
John Moyer

On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote:

On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote:

One thing to add is that this build user only has the following access: Host Administrators, Host enrollment. Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group, it's the system technically doing it, so there shouldn't be a permissions issue.

The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin should be catching the insertion of the new object, then match the watched attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user.

Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed.

Thanks,
John Moyer

On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote:

On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.com wrote:

Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area?

That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ?

Keeping your head in the cloud
~ Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1
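Three regexes are proposed in this thread (`build`, the full DN, and `.*build.*`) against an attribute whose value is `uid=build,cn=users,cn=accounts,dc=example,dc=com`. Before changing the rule a fourth time, it is worth confirming whether the regex can be the problem at all. The script below is an added example, not code from the thread or from FreeIPA/389-ds; it assumes (my reading of the automember plugin, not something the thread states) that the rule's regex is matched, unanchored, against the bare attribute value rather than against the string `enrolledby=...`, and that a matching exclusive rule overrides an inclusive match. The sample value is constructed from the host-show output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): test candidate automember regexes
# against the attribute value a host actually carries. Assumption (mine):
# the rule regex is matched, unanchored, against the bare attribute value
# ("uid=build,cn=users,...") and not against "enrolledby=uid=build,...",
# and an exclusive rule that matches overrides any inclusive match.

# Constructed from the host-show output quoted in the thread.
ENROLLEDBY='uid=build,cn=users,cn=accounts,dc=example,dc=com'

# rule_matches VALUE REGEX -> exit 0 if the extended regex matches VALUE
rule_matches() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# evaluate VALUE INCLUSIVE_REGEX [EXCLUSIVE_REGEX] -> prints member|not-member
evaluate() {
    value=$1; inclusive=$2; exclusive=${3:-}
    if [ -n "$exclusive" ] && rule_matches "$value" "$exclusive"; then
        echo not-member; return 0
    fi
    if rule_matches "$value" "$inclusive"; then
        echo member
    else
        echo not-member
    fi
}

# Every regex proposed in the thread, plus an anchored form that only
# matches an RDN of exactly uid=build.
for re in 'build' 'uid=build,cn=users,cn=accounts,dc=example,dc=com' '.*build.*' '^uid=build,'; do
    printf '%-55s %s\n' "$re" "$(evaluate "$ENROLLEDBY" "$re")"
done

# A different user whose uid merely contains "build": the loose regex
# matches it, the anchored one does not.
OTHER='uid=buildbot,cn=users,cn=accounts,dc=example,dc=com'
printf '%-55s %s\n' 'build        (vs uid=buildbot)' "$(evaluate "$OTHER" 'build')"
printf '%-55s %s\n' '^uid=build,  (vs uid=buildbot)' "$(evaluate "$OTHER" '^uid=build,')"
```

All three regexes from the thread report `member` for the real value, so under this model the regex text is not what is blocking the rule and the cause has to be elsewhere (which is where the thread is heading). If you do keep a substring regex, prefer the anchored `^uid=build,` so that a future `buildbot` or `jenkinsbuild` account does not silently enrol hosts into the same group.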
Re: [Freeipa-users] automember issues
I've got about 30 mins before I get into my next meeting. Are you able to hop into IRC on Freenode to work in realtime on #freeipa?

Keeping your head in the cloud
~ Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Apr 30, 2013, at 12:23 PM, John Moyer john.mo...@digitalreasoning.com wrote:

So I must have looked at the wrong server name, I just tried to add 4 more servers and none of them worked. Any more ideas? The target is specified by the rule name; test-group is the target.

Thanks,
John Moyer

On Apr 30, 2013, at 2:25 PM, Dmitri Pal d...@redhat.com wrote:

On 04/30/2013 02:17 PM, JR Aquino wrote:

On Apr 30, 2013, at 11:12 AM, John Moyer john.mo...@digitalreasoning.com wrote:

I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier:

ipa automember-find --type=hostgroup
---------------
1 rules matched
---------------
  Automember Rule: test-group
  Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
----------------------------
Number of entries returned 1
----------------------------

Interesting. What about if you just do something silly like: .*build.*

Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above?

Don't you need to specify target group? It might be that the filter is working but it is not placing it anywhere because nothing is specifying where to place it.

Thanks,
John Moyer

On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.com wrote:

On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com wrote:

It comes back with a ton of stuff; the row you are probably interested in is this one:

enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com

Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com

See if that does the trick.

Thanks,
John Moyer

On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote:

On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote:

Not a problem, here is the output:

ipa automember-find --type=hostgroup
---------------
1 rules matched
---------------
  Automember Rule: test-group
  Inclusive Regex: enrolledby=build
----------------------------
Number of entries returned 1
----------------------------

Interesting. When you do an:

ipa host-show test-hostname.example.com --all --raw

Does it clearly show that enrolledby=build?

Thanks,
John Moyer

On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote:

On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote:

One thing to add is that this build user only has the following access: Host Administrators, Host enrollment. Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group, it's the system technically doing it, so there shouldn't be a permissions issue.

The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin should be catching the insertion of the new object, then match the watched attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user.

Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed.

Thanks,
John Moyer

On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote:

On Apr 30, 2013, at 9:30 AM, John Moyer
Re: [Freeipa-users] Samba 4 with IPA
On Tue, 30 Apr 2013, Alexander Bokovoy wrote:

On Tue, 30 Apr 2013, Alexander Bokovoy wrote:

On Tue, 30 Apr 2013, simon.willi...@thehelpfulcat.com wrote:

That is actually pretty good news. The real requirement is network storage for the Windows workstations secured by FreeIPA authentication. If I read what you’ve said correctly this is possible now. I can live with the magical incantations to enrol any new Windows machines for now. There are a few things that would work better if Windows thought it was logging on to a domain, but we have lived without those features for the last year. Once a Windows machine has been set up correctly, which can be a bit hit and miss, the authentication works flawlessly.

To be clear, we have not tested this combination so you'll be in uncharted waters. Since TGT for these users would still be issued by FreeIPA KDC, it would include MS-PAC with SIDs of these users in FreeIPA domain -- once you have run ipa-adtrust-install, of course. Thus, smbd on IPA master would be able to recognize them as FreeIPA users regardless where they come from -- IPA or Windows machines, as long as Kerberos is in use. Any reports of how such setup would actually behave are welcomed.

It sounds as though I can set up the file server now and then extend it to do the AD DC bit when it is ready. I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo anywhere is there?

The only requirements for simplistic setup is to:

1. run file server on IPA master (you can make a dedicated replica for that)
2. run ipa-adtrust-install on that master to setup Samba configuration and enable KDC + directory server to handle SIDs
3. use 'net conf setparm ...' to setup shares, since Samba on IPA master uses registry backend to store smb.conf configuration.

See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares for sample how to work with 'net conf setparm'. For 'valid users' I guess you can use simply user names since these would be our local ones.

Again, this is completely untested right now.

So, I tried quick test for this, using admins group:

1. Setup shared space, apply SELinux context and modify ACLs:

[root@red samba-4.0.5]# mkdir /srv/testshare
[root@red samba-4.0.5]# chcon -t samba_share_t /srv/testshare
[root@red samba-4.0.5]# setfacl -m g:admins:rwx /srv/testshare
[root@red samba-4.0.5]# getfacl /srv/testshare
getfacl: Removing leading '/' from absolute path names
# file: srv/testshare
# owner: root
# group: root
user::rwx
group::r-x
group:admins:rwx
mask::rwx
other::r-x

2. Create actual Samba share:

[root@red samba-4.0.5]# net conf addshare testshare /srv/testshare writeable=y guest_ok=N

3. Obtain TGT for Kerberos identity (admin, belongs to admins group):

[root@red samba-4.0.5]# kinit
Password for admin@BIRD.CLONE:
[root@red samba-4.0.5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BIRD.CLONE

Valid starting       Expires              Service principal
30.04.2013 22:10:13  01.05.2013 22:10:11  krbtgt/BIRD.CLONE@BIRD.CLONE

Now try connecting to //red.bird.clone/testshare and use it (I've copied a few files in several sessions, showing the last one):

[root@red samba-4.0.5]# smbclient -k //red.bird.clone/testshare
lp_load_ex: changing to config backend registry
Domain=[BIRD] OS=[Unix] Server=[Samba 4.0.5]
smb: \> dir
  .                                   D        0  Tue Apr 30 22:06:51 2013
  ..                                  D        0  Tue Apr 30 21:40:04 2013
  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
  README                              A     7998  Tue Apr 30 22:06:51 2013

                40918 blocks of size 262144. 19277 blocks available
smb: \> put WHATSNEW.txt
putting file WHATSNEW.txt as \WHATSNEW.txt (182,6 kb/s) (average 182,6 kb/s)
smb: \> dir
  .                                   D        0  Tue Apr 30 22:10:35 2013
  ..                                  D        0  Tue Apr 30 21:40:04 2013
  WHATSNEW.txt                        A    47112  Tue Apr 30 22:10:35 2013
  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
  README                              A     7998  Tue Apr 30 22:06:51 2013

                40918 blocks of size 262144. 19277 blocks available
smb: \>

Check status of the last copied file, notice permissions and SELinux context:

[root@red samba-4.0.5]# stat /srv/testshare/WHATSNEW.txt
  File: ‘/srv/testshare/WHATSNEW.txt’
  Size: 47112       Blocks: 96         IO Block: 4096   regular file
Device: fc03h/64515d    Inode: 153050      Links: 1
Access: (0744/-rwxr--r--)  Uid: (156440/   admin)   Gid: (156440/  admins)
Context: system_u:object_r:samba_share_t:s0
Access: 2013-04-30 22:10:35.484270784 +0300
Modify: 2013-04-30 22:10:35.580239030 +0300
Change: 2013-04-30 22:10:35.579270116 +0300
 Birth: -

And for those who are too enjoyed -- this only works for FreeIPA own users. AD users, coming through a trust, are not supported this way yet, only through
Re: [Freeipa-users] Samba 4 with IPA
Thanks for all your help. I'll give it a go and see how far I get.

On 30 Apr 2013 19:37, Alexander Bokovoy aboko...@redhat.com wrote:

On Tue, 30 Apr 2013, simon.willi...@thehelpfulcat.com wrote:

That is actually pretty good news. The real requirement is network storage for the Windows workstations secured by FreeIPA authentication. If I read what you’ve said correctly this is possible now. I can live with the magical incantations to enrol any new Windows machines for now. There are a few things that would work better if Windows thought it was logging on to a domain, but we have lived without those features for the last year. Once a Windows machine has been set up correctly, which can be a bit hit and miss, the authentication works flawlessly.

To be clear, we have not tested this combination so you'll be in uncharted waters. Since TGT for these users would still be issued by FreeIPA KDC, it would include MS-PAC with SIDs of these users in FreeIPA domain -- once you have run ipa-adtrust-install, of course. Thus, smbd on IPA master would be able to recognize them as FreeIPA users regardless where they come from -- IPA or Windows machines, as long as Kerberos is in use. Any reports of how such setup would actually behave are welcomed.

It sounds as though I can set up the file server now and then extend it to do the AD DC bit when it is ready. I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo anywhere is there?

The only requirements for simplistic setup is to:

1. run file server on IPA master (you can make a dedicated replica for that)
2. run ipa-adtrust-install on that master to setup Samba configuration and enable KDC + directory server to handle SIDs
3. use 'net conf setparm ...' to setup shares, since Samba on IPA master uses registry backend to store smb.conf configuration.

See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares for sample how to work with 'net conf setparm'. For 'valid users' I guess you can use simply user names since these would be our local ones.

Again, this is completely untested right now.

-- 
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Samba 4 with IPA
On Tue, 30 Apr 2013, Simo Sorce wrote:

On Tue, 2013-04-30 at 22:37 +0300, Alexander Bokovoy wrote:

We need to add some smart logic to ipasam module to handle it.

The logic for trusted users needs to go into winbindd or sssd, ipasam is only about our own domain. In SSSD 1.10 there is new SID translation interface in libsss_nss_idmap that we can use to build such logic.

I only pointed to ipasam because this is a place where we know everything about all IPA trusts and idranges and which gets contacted if winbindd is unable to resolve uid/gid to SID. A fallback case.

For SSSD-based solution we would need to differentiate between it being installed on IPA master with ipa-adtrust-install configuration and other machines to avoid loops, as SSSD on IPA master asks winbindd currently for SID translation and other SSSDs ask IPA's extdom plugin on Directory server side.

-- 
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users