Re: [Freeipa-users] trouble creating a replica in the cloud

2014-02-13 Thread Petr Spacek

On 13.2.2014 01:13, Todd Maugh wrote:

Thanks guys, turns out this was a Red Hat bug in the 6.4 image of the AWS
instance, so I built on 6.5

and was able to get past it, but now I'm failing with this:

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
ObjectclassViolation: missing attribute idnsSOAserial required by object class 
idnsZone

I tried attaching the log file but unfortunately it's 30 MB; trying to compress it.


That is interesting. Which version of the ipa-server package are you trying to 
install? Is it RHEL or CentOS 6.5?


My guess is that you have DNS installed on one IPA server and now you are 
installing another replica without DNS (without the --setup-dns option), right?


Maybe you are hitting
https://bugzilla.redhat.com/show_bug.cgi?id=894131
but it was fixed in ipa-3.0.0-22.el6.

Petr^2 Spacek



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, February 12, 2014 10:36 AM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trouble creating a replica in the cloud

Dmitri Pal wrote:

On 02/11/2014 05:02 PM, Todd Maugh wrote:

Hey Guys,

So I have my master and replica up in my datacenter.

I have a client, I have a winsync agreement, I have a password sync.

It's working lovely.

So now I have spun up an AWS instance of Red Hat 6.5 (same as my
master and first replica)

I run the ipa replica and it fails


ipa-replica-install --setup-ca --setup-dns --no-forwarders
/var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'se-idm-01.boingo.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@boingo.com password:

Execute check on remote master
Check connection from master to remote replica 'se-idm-03.boingo.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
   [1/3]: creating directory server user
   [2/3]: creating directory server instance
ipa : CRITICAL failed to create ds instance Command
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3'
returned non-zero exit status 1
   [3/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the
installation log for details.
Done configuring directory server for the CA (pkids).

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Can't contact LDAP server


I checked the log file and this is what I got:

2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent
--logfile - -f /tmp/tmpo9ROF3
2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500]
createprlistensockets - PR_Bind() on All Interfaces port 7389 failed:
Netscape Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966
(Access Denied.)
[14/02/11:14:57:53] - [Setup] Info Could not start the directory
server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.
The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
prlistensockets - PR_Bind() on All Interfaces port 7389 failed:
Netscape Portable Runtime error -5966 (Access Denied.)
'.  Error: Unknown error 256
Could not start the directory server using command
'/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the
error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets -
PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966
(Access 

Re: [Freeipa-users] SELinux user categories

2014-02-13 Thread Martin Kosek
On 02/12/2014 09:33 PM, Josh wrote:
 
 On Feb 12, 2014, at 3:20 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 Josh wrote:

 On Feb 11, 2014, at 2:52 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Josh wrote:

 On Feb 11, 2014, at 2:44 PM, Rob Crittenden rcrit...@redhat.com
 mailto:rcrit...@redhat.com wrote:

 Josh wrote:
 I have a situation where I need to support more than 1024 categories
 on a system.  I modified the selinuxusermap.py file to check for the
 number of categories I need but ipa still responds with the original
 error message.  Do I need to restart any of the services?

 Here is the command that was run and the output after applying the
 patch below:

 ipa config-mod
 --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
 ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
 match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]

 Have you updated your SELinux policy to support a larger MCS range? If
 not then this will get you past the IPA validator but it won't work
 with SELinux. See semanage(8).

 rob

 Yes. I’m trying to set the SELinux categories in FreeIPA because when
 you have lots of categories all semanage commands slow down (way down).
 For other people’s knowledge, this requires recompilation of the
 SELinux policy.

 Ok, then your patch looks reasonable. The current code is for the default 
 values and we haven't had cause to make this configurable before now. You 
 might consider filing a ticket in our trac about this.

 As it is for a very unique situation which most people won’t encounter I 
 don’t think it’s worth making configurable.

 Also note that this change will be lost on your next IPA upgrade, and 
 you'll need to make this change on any IPA master you want these values to 
 be managed. The data will remain unchanged, but the original python values 
 will be restored if you update the packages.

 I’m ok with that because the values only need to be set during initial 
 setup.  Any idea why the validator isn’t being modified?

 I don't believe validators are currently extensible in the IPA framework. 
 That might be something we need to look at as well.

 regards

 rob


 Thanks for the help.

 Sure. I'm glad we made it at least obvious enough for you to be able to work 
 around it.

 So I'm just curious about the need for this. You mentioned that semanage 
 slows way down. Have you talked to the SELinux team about this? They've been 
 quite responsive to our needs in the past, they may be able to fix something 
 for you as well.
 
 I’m not sure if my coworker has talked to them about it directly, no.  I’ll 
 ping him to see if it’s something we want to get worked on moving forward.

 On a more general note, we haven't had a lot of user feedback on the SELinux 
 user map feature. Do you have any other suggestions on things we might do to 
 improve it?
 
 Nothing directly but I can describe how we’re using it and where some of the 
 perceived pain points are.  Their impact is negligible though so we haven’t 
 felt the need to investigate better ways to work around them.
 
 We’ve got a network of systems running both targeted and MLS SELinux policy.
 What this means is that we must define both valid SELinux contexts in the user
 map. I.e. we define both staff_u:s0-s0:c0.c1023 and staff_u:s0-s15:c0.c1023
 in the user map. We then use host groups and multiple user maps to map
 appropriately. Our commands might be easier to understand:
 
 ipa config-mod \
 --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$staff_u:s0-s15:c0.c1023'
 ipa hostgroup-add mls --desc="MLS SELinux Group"
 ipa hostgroup-add-member mls --hosts=mlshost1,mlshost2
 ipa hostgroup-add targeted --desc="Targeted SELinux Group"
 ipa hostgroup-add-member targeted --hosts=appsrv1,appsrv2
 ipa selinuxusermap-add staff_u --selinuxuser=staff_u:s0-s0:c0.c1023
 ipa selinuxusermap-add staff_u_MLS --selinuxuser=staff_u:s0-s15:c0.c1023
 ipa selinuxusermap-add-host staff_u --hostgroups=targeted
 ipa selinuxusermap-add-host staff_u_MLS --hostgroups=mls
 ipa selinuxusermap-add-user staff_u --groups=wheel
 ipa selinuxusermap-add-user staff_u_MLS --groups=wheel
 
 It might be more straightforward if we didn’t have to split the configuration 
 like this but thanks to the flexibility of FreeIPA it’s very easy to do.
 
 Thanks,
 -josh

Nice. Not many of our users have got back to us with their experience of the
advanced use of the SELinux feature, so feedback is welcome!

Rob, I am wondering if it would make sense to extend FreeIPA to allow
SELinux user map rules with more SELinux users, per policy? I.e. have a rule
like this:

# ipa selinuxusermap-show staff_u
  Rule name: staff_u
  SELinux User: staff_u:s0-s0:c0.c1023
  SELinux User (mls): staff_u:s0-s15:c0.c1023
  Enabled: TRUE
  User Groups: wheel
  Host Groups: selinuxhosts


This 
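The validator Josh patched is the hard-coded check behind the "Invalid MCS value" error quoted in this thread. As an added example (not FreeIPA's own selinuxusermap.py code), this re-implements that check in Python with the MCS category limit as a parameter, so the same ipaselinuxusermaporder string can be tested against the stock c0.c1023 limit and against the c0.c16383 limit of a policy rebuilt for more categories; the function names are this example's own.

```python
"""Validator for SELinux user strings as they appear in FreeIPA's
ipaselinuxusermaporder ("user:level[-level][:categories]" entries joined by '$').
Added example, not FreeIPA code: the MCS category limit is a parameter here,
which is the change the thread discusses."""
import re

DEFAULT_MAX_CATEGORY = 1023    # stock MCS range, c0.c1023
DEFAULT_MAX_SENSITIVITY = 15   # stock MLS range, s0-s15

_USER_RE = re.compile(r'^[a-z][a-z0-9_]*$')
_LEVEL_RE = re.compile(r'^s(\d+)(?:-s(\d+))?$')
# one category "c3", a contiguous range "c0.c1023" or a span "c0-c1023"
_CATS_RE = re.compile(r'^c(\d+)(?:[.-]c(\d+))?$')


def validate_selinux_user(value, max_category=DEFAULT_MAX_CATEGORY,
                          max_sensitivity=DEFAULT_MAX_SENSITIVITY):
    """Return None when `value` is well formed within the given policy limits,
    otherwise a reason string in the spirit of IPA's error message."""
    parts = value.split(':')
    if len(parts) not in (2, 3):
        return "expected user:level[-level][:categories], got %r" % value
    user, level = parts[0], parts[1]
    if not _USER_RE.match(user):
        return "invalid SELinux user name %r" % user
    m = _LEVEL_RE.match(level)
    if not m:
        return "invalid MLS value %r, must match s[0-%d] or s[0-%d]-s[0-%d]" % (
            level, max_sensitivity, max_sensitivity, max_sensitivity)
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    if not low <= high <= max_sensitivity:
        return "invalid MLS range %r: low may not exceed high, high may not exceed s%d" % (
            level, max_sensitivity)
    if len(parts) == 3:
        for chunk in parts[2].split(','):
            cm = _CATS_RE.match(chunk)
            if not cm:
                return "invalid MCS value %r, must match c[0-%d].c[0-%d] and/or c[0-%d]-c[0-%d]" % (
                    chunk, max_category, max_category, max_category, max_category)
            first = int(cm.group(1))
            last = int(cm.group(2)) if cm.group(2) is not None else first
            if not first <= last <= max_category:
                # this is the branch that rejects c0.c16383 under the stock limit
                return "MCS value %r exceeds the policy's category limit c%d" % (
                    chunk, max_category)
    return None


def validate_usermap_order(order, max_category=DEFAULT_MAX_CATEGORY):
    """Check every entry of an ipaselinuxusermaporder value ('$'-separated, as
    on the ipa config-mod command line). Returns [(entry, reason), ...] for the
    entries that fail; an empty list means the whole order is accepted."""
    failures = []
    for entry in order.split('$'):
        reason = validate_selinux_user(entry, max_category=max_category)
        if reason is not None:
            failures.append((entry, reason))
    return failures


# The order from the thread that the stock validator (limit c1023) rejects.
LARGE_MCS_ORDER = ('guest_u:s0$xguest_u:s0$user_u:s0'
                   '$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383'
                   '$ia_u:s0-s15:c0.c16383')

if __name__ == '__main__':
    for limit in (DEFAULT_MAX_CATEGORY, 16383):
        bad = validate_usermap_order(LARGE_MCS_ORDER, max_category=limit)
        print("limit c%d: %d rejected entries" % (limit, len(bad)))
        for entry, reason in bad:
            print("  %s -> %s" % (entry, reason))
```

As Rob notes above, this check only gates what IPA stores; the SELinux policy on the hosts must actually define the larger range for the mapped context to be usable.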

Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Jakub Hrozek
On Wed, Feb 12, 2014 at 03:35:58PM -0800, Will Sheldon wrote:
 Is SSSD working for IPA sudo now?

It was working even before, just with a bit of manual config. As I said
in the reply you quoted, you just had to configure 'sudo_provider=ldap'.

 I saw this from Jakub Hrozek in this list a little while back:
 
 Unfortunately with 6.5 there is still no sudo ipa provider, there might
 be one in 6.6. So in order to download the sudo rules you need to
 configure the LDAP sudo provider manually.

sudo_provider=ipa is included in 1.9.6 and also all recent versions
(1.11.x)

We're thinking about including a newer version in RHEL-6.6, where the
sudo_provider=ipa would be included as well.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-13 Thread Rob Crittenden

Shree wrote:

Ok, failed at the same stage, would you like the entire
/var/log/ipareplica-install.log. If yes, should I attach to the email?



ipa : INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 467, in main
    (CA, cs) = cainstance.install_replica_ca(config)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1604, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

ipa : INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
[root@ldap2 ~]#



We need to see the full /var/log/ipareplica-install.log and the debug 
log from /var/log/pki-ca.


rob


Shreeraj



Change is the only Constant !


On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal d...@redhat.com wrote:
On 02/12/2014 04:57 PM, Shree wrote:

If there aren't any other tests to perform, can I go ahead and
uninstall the ipa client and configure this Vm as a replica?


Thanks for trying. At least we know that certmonger can run by itself.
When you install replica please collect all the install logs.
Is SELinux on/off?




On Wednesday, February 12, 2014 1:40 PM, Shree
shreerajkarul...@yahoo.com mailto:shreerajkarul...@yahoo.com wrote:
getcert list returned a bunch of info, see below

[root@ldap2 ~]# getcert list
Number of certificates and requests being tracked: 2.
Request ID '20140206184920':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,..
.



On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal d...@redhat.com
mailto:d...@redhat.com wrote:
On 02/12/2014 03:41 PM, Shree wrote:

So I uninstalled the ipa server and installed the client
(ipa-client-install) on the same VM pointing at the master and
everything seems to work OK. All the sudo rules etc. Are there any
tests I can do check connectivity that could be helpful before I
configure this as a replica again.

Ask certmonger to get a certificate





On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal
d...@redhat.com mailto:d...@redhat.com wrote:
On 02/12/2014 02:09 PM, Shree wrote:

Rob
I really appreciate your help, please bear with me. At this point I
need to take you back to my  ipa-replica-install and what happened
there.

[1] My command: ipa-replica-install --setup-ca
/var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
 This ended with a
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.

[2] So did a pkiremove with the following command
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force

[3] Re ran the ipa-replica-install command in step 1
The install went a little further but ended below.

Configuring directory server for the CA (pkids): Estimated time 30
seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
ipa   : ERROR  certmonger failed starting to track certificate:
Command '/usr/bin/ipa-getcert start-tracking -d
/etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p
/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C
/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero
exit status 1
Configuring certificate server (pki-cad): Estimated time 3 minutes
30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa   : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
.

Re: [Freeipa-users] SELinux user categories

2014-02-13 Thread Rob Crittenden

Martin Kosek wrote:

Nice. Not many of our users have got back to us with their experience of the
advanced use of the SELinux feature, so feedback is welcome!

Rob, I am wondering if it would make sense to extend FreeIPA to allow
SELinux user map rules with more SELinux users, per policy? I.e. have a rule
like this:

# ipa selinuxusermap-show staff_u
   Rule name: staff_u
   SELinux User: staff_u:s0-s0:c0.c1023
   SELinux User (mls): staff_u:s0-s15:c0.c1023
   Enabled: TRUE
   User Groups: wheel
   Host Groups: selinuxhosts


This proposed rule structure is not ideal and 

[Freeipa-users] cannot delete PTR DNS records from the command line

2014-02-13 Thread Brent Clark
I have run into a problem where I cannot delete PTR DNS records from the
command line. This is something that until recently I have never attempted.

IPA version = ipa-server-2.2.0-17.el6_3.1.x86_64

When I try to delete a PTR record I get this message.
ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1
ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified

ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1.test.com
ipa: ERROR: 250: DNS resource record not found

ipa dnsrecord-del 41.100.10.in-addr-arpa. test1.test.com. --ptr-rec 250
ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified

It's got to be a simple thing I am missing; can someone please show me what I
am doing wrong?

Thanks!
-- 
Brent S. Clark
NOC Engineer

2580 55th St.  |  Boulder, Colorado 80301
www.tendrilinc.com  |  blog http://www.tendrilinc.com/news-room/blog/
http://www.tendrilinc.com/

 
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender.
Please note that any views or opinions presented in this email are solely those 
of the author and do not necessarily represent those of the company.
Finally, the recipient should check this email and any attachments for the 
presence of viruses.
The company accepts no liability for any damage caused by any virus transmitted 
by this email.

Re: [Freeipa-users] cannot delete PTR DNS records from the command line

2014-02-13 Thread Martin Kosek
On 02/13/2014 04:15 PM, Brent Clark wrote:

Unqualified PTR records do not make sense, which is why we validate them on
addition. What does the following command show?

$ ipa dnsrecord-show 41.100.10.in-addr-arpa. 250

Is the record really resolvable?

$ host 10.100.41.250

Martin
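Martin's two questions boil down to whether the zone argument really is the reverse zone of 10.100.41.250 (the thread later turns on a misspelled 'in-addr-arpa' suffix). As an added example, not FreeIPA code, this derives the in-addr.arpa zone and record name from the address and checks a dnsrecord-del invocation for that and the other argument mistakes visible in the thread; the function names are this example's own.

```python
"""Reverse-DNS helpers for the PTR deletion problem in this thread.
Added example, not FreeIPA code: derives the in-addr.arpa zone and record
name for an address (what `host 10.100.41.250` reports) and checks an
`ipa dnsrecord-del ZONE NAME --ptr-rec TARGET` invocation for the mistakes
visible in the thread."""
import ipaddress


def reverse_zone_and_name(ip, prefixlen=24):
    """Split an IPv4 address into its classful reverse zone and record name.
    10.100.41.250/24 -> ('41.100.10.in-addr.arpa.', '250')"""
    if prefixlen not in (8, 16, 24):
        raise ValueError("in-addr.arpa zones here are cut on octet boundaries")
    octets = str(ipaddress.IPv4Address(ip)).split('.')
    n = prefixlen // 8
    zone = '.'.join(reversed(octets[:n])) + '.in-addr.arpa.'
    name = '.'.join(reversed(octets[n:]))
    return zone, name


def check_ptr_del_args(zone, name, target, ip=None):
    """Return the problems with the arguments of
    `ipa dnsrecord-del ZONE NAME --ptr-rec TARGET`; [] means they look right.
    If `ip` is given, the zone is also compared with the address's reverse zone."""
    problems = []
    if not zone.lower().endswith('.in-addr.arpa.'):
        # the thread's typo: 'in-addr-arpa' instead of 'in-addr.arpa'
        problems.append("zone %r does not end in '.in-addr.arpa.'" % zone)
    elif ip is not None and zone.lower() != reverse_zone_and_name(ip)[0]:
        problems.append("zone %r is not the reverse zone of %s" % (zone, ip))
    if not all(label.isdigit() for label in name.split('.')):
        # swapped arguments: the record name is the reversed host octets, e.g. '250'
        problems.append("record name %r is not a reverse-zone label" % name)
    if '.' not in target.strip('.'):
        # IPA's validator rejects this with "invalid domain-name: not fully qualified"
        problems.append("PTR target %r is not fully qualified" % target)
    return problems


def ptr_del_command(ip, target, prefixlen=24):
    """Build the dnsrecord-del command for an address with an absolute target name."""
    zone, name = reverse_zone_and_name(ip, prefixlen)
    if not target.endswith('.'):
        target += '.'
    return "ipa dnsrecord-del %s %s --ptr-rec %s" % (zone, name, target)


# The three attempts from the thread, in the order they were made.
THREAD_ATTEMPTS = [
    ('41.100.10.in-addr-arpa.', '250', 'test1'),
    ('41.100.10.in-addr-arpa.', '250', 'test1.test.com'),
    ('41.100.10.in-addr-arpa.', 'test1.test.com.', '250'),
]

if __name__ == '__main__':
    for zone, name, target in THREAD_ATTEMPTS:
        print("ipa dnsrecord-del %s %s --ptr-rec %s" % (zone, name, target))
        for problem in check_ptr_del_args(zone, name, target, ip='10.100.41.250'):
            print("  -", problem)
    print("corrected:", ptr_del_command('10.100.41.250', 'test1.test.com'))
```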



Re: [Freeipa-users] cannot delete PTR DNS records from the command line

2014-02-13 Thread Petr Spacek

On 13.2.2014 16:15, Brent Clark wrote:


Please send us the output of these commands:

$ ipa dnszone-show 41.100.10.in-addr-arpa.
$ ipa dnsrecord-find 41.100.10.in-addr-arpa. 250

Thank you.

--
Petr^2 Spacek



Re: [Freeipa-users] cannot delete PTR DNS records from the command line

2014-02-13 Thread Brent Clark
Here are the results of the commands asked for. Also attached is a png of
the webui showing the zone and record exists that I want to delete.

Many Thanks!


ipa dnsrecord-find 41.100.10.in-addr-arpa. 250

Number of entries returned 0


ipa dnszone-show 41.100.10.in-addr-arpa.
ipa: ERROR: 41.100.10.in-addr-arpa.: DNS zone not found

host 10.100.41.250
250.41.100.10.in-addr.arpa domain name pointer test1.test.com.




On Thu, Feb 13, 2014 at 8:23 AM, Petr Spacek pspa...@redhat.com wrote:

attachment: 41.100.10-reversednszone.png

[Freeipa-users] IPA Replica cannot add user

2014-02-13 Thread Bruno Henrique Barbosa



Hi everyone,

I've installed my IPA environment as follows:

ipa01.example.com - master install
ipa02.example.com - replica install, as the guide says, with 
ipa-replica-prepare on ipa01 and ipa-replica-install using the gpg key generated.

All good, environment is fine, can access both UIs, but the underlying problem 
is: I can edit and remove users from IPA using instance ipa02 (replica), but I 
CANNOT add users from that instance. In the UI, the error returned is:

IPA Error 4203
Operations error: Allocation of a new value for range cn=posix 
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! 
Unable to proceed.

Via command-line, debug-enabled:

root@ipa02's password:
Last login: Thu Feb 13 15:36:34 2014
[root@ipa02 ~]# kinit admin
Password for ad...@example.com:
[root@ipa02 ~]# ipa-replica-manage list
ipa01.example.com: master
ipa02.example.com: master
[root@ipa02 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com


Valid starting Expires Service principal
02/13/14 15:37:48 02/14/14 15:37:29 krbtgt/example@example.com
02/13/14 15:38:03 02/14/14 15:37:29 ldap/ipa02.example@example.com
[root@ipa02 ~]# ipa -d user-add usertest

Re: [Freeipa-users] cannot delete PTR DNS records from the command line

2014-02-13 Thread Brent Clark
Hmm, amazing what works when you spell stuff right.

Epic Fail on my part. Face plant in the mud.

Apologies to all for such silliness that I have put you all thru.

Thanks!


On Thu, Feb 13, 2014 at 9:25 AM, Petr Vobornik pvobo...@redhat.com wrote:

 Hello,

 The zone name is:
 41.100.10.in-addr.arpa.
 Not:
 41.100.10.in-addr-arpa.

 HTH


 On 13.2.2014 16:40, Brent Clark wrote:

 Here are the results of the commands asked for. Also attached is a png of
 the webui showing the zone and record exists that I want to delete.

 Many Thanks!


 ipa dnsrecord-find 41.100.10.in-addr-arpa. 250
 
 Number of entries returned 0
 

 ipa dnszone-show 41.100.10.in-addr-arpa.
 ipa: ERROR: 41.100.10.in-addr-arpa.: DNS zone not found

 host 10.100.41.250
 250.41.100.10.in-addr.arpa domain name pointer test1.test.com.




 On Thu, Feb 13, 2014 at 8:23 AM, Petr Spacek pspa...@redhat.com wrote:

  On 13.2.2014 16:15, Brent Clark wrote:

  I have run into a problem where I cannot delete PTR DNS records from the
 command line. This is something that until recently I have never
 attempted.

 IPA version = ipa-server-2.2.0-17.el6_3.1.x86_64

 When I try to delete a PTR record I get this message.
 ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1
 ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified

 ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1.test.com
 ipa: ERROR: 250: DNS resource record not found

 ipa dnsrecord-del 41.100.10.in-addr-arpa. test1.test.com. --ptr-rec 250
 ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified

 It's got to be a simple thing I am missing, can someone please show what I
 am doing wrong?


 Please send us output from commands:

 $ ipa dnszone-show 41.100.10.in-addr-arpa.
 $ ipa dnsrecord-find 41.100.10.in-addr-arpa. 250

 Thank you.

 --
 Petr^2 Spacek






 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users



 --
 Petr Vobornik




-- 
Brent S. Clark
NOC Engineer

2580 55th St.  |  Boulder, Colorado 80301
www.tendrilinc.com  |  blog http://www.tendrilinc.com/news-room/blog/
http://www.tendrilinc.com/

 
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender.
Please note that any views or opinions presented in this email are solely those 
of the author and do not necessarily represent those of the company.
Finally, the recipient should check this email and any attachments for the 
presence of viruses.
The company accepts no liability for any damage caused by any virus transmitted 
by this email.
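Petr Vobornik's point above is that the reverse zone is `41.100.10.in-addr.arpa.`, with a dot, and that `in-addr-arpa` is not a zone name at all; Brent's other error came from passing a bare label as the PTR target. The following is an added example, not code from the thread or from FreeIPA: it derives the reverse zone name and record label from an address and prefix length, rejects a malformed zone suffix, and assembles the `ipa dnsrecord-del` arguments with an absolute target. The address and host name are the ones from the thread; the IPv6 path and the prefix lengths other than /24 go beyond the single case shown.

```python
import ipaddress

# Added example; the address and host name used in __main__ are the ones from the thread.
def reverse_zone_and_label(ip, prefixlen=24):
    """Split an address into (reverse zone name, record label) for a PTR record.

    The zone covers the first `prefixlen` bits; IPv4 zones must sit on an octet
    boundary (/8, /16, /24) and IPv6 zones on a nibble boundary, which is how
    reverse zones are normally delegated."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        if prefixlen not in (8, 16, 24):
            raise ValueError("IPv4 reverse zone must be /8, /16 or /24")
        parts, n, suffix = str(addr).split("."), prefixlen // 8, "in-addr.arpa."
    else:
        if prefixlen % 4 or not 4 <= prefixlen <= 124:
            raise ValueError("IPv6 reverse zone must be on a nibble boundary")
        parts, n, suffix = list(addr.exploded.replace(":", "")), prefixlen // 4, "ip6.arpa."
    zone = ".".join(reversed(parts[:n])) + "." + suffix
    label = ".".join(reversed(parts[n:]))
    return zone, label


def is_reverse_zone_name(name):
    """True only for an absolute reverse zone name with the real arpa suffix
    (catches '41.100.10.in-addr-arpa.', which no DNS server will ever find)."""
    lowered = name.lower()
    return lowered.endswith(".in-addr.arpa.") or lowered.endswith(".ip6.arpa.")


def ptr_delete_args(ip, target_fqdn, prefixlen=24):
    """Build the argument vector for `ipa dnsrecord-del` that removes the PTR
    record of `ip` pointing at `target_fqdn`.  The target is made absolute
    (trailing dot) because the CLI rejects a bare label as 'not fully qualified'."""
    zone, label = reverse_zone_and_label(ip, prefixlen)
    assert is_reverse_zone_name(zone)
    if "." not in target_fqdn.rstrip("."):
        raise ValueError("PTR target must be a fully qualified host name, not a bare label")
    fqdn = target_fqdn if target_fqdn.endswith(".") else target_fqdn + "."
    return ["ipa", "dnsrecord-del", zone, label, "--ptr-rec", fqdn]


if __name__ == "__main__":
    # Prints the command Brent was trying to run, with the zone spelled correctly.
    print(" ".join(ptr_delete_args("10.100.41.250", "test1.test.com")))
```

The same function pair also validates zone names handed to `ipa dnszone-show` or `ipa dnsrecord-find`, which is where the "DNS zone not found" and "Number of entries returned 0" results above came from.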

[Freeipa-users] WebUI questions.

2014-02-13 Thread Brent Clark
When I assign a user the role of User Administrator, when they log into
the WebUI, they can see all the role, dns, config tabs and links.

They should only see the necessary tabs and links that having that role
requires and none of the extra stuff.

Is there a way to limit what appears in the WebUI based on Role?


[Freeipa-users] IPA not Starting after crash

2014-02-13 Thread John Moyer
Hello All, 

We’ve been running IPA now nicely for a while, and I wrote a script to 
run something every minute and that filled the logs and crashed the server.   I 
cleared the logs and started IPA again.  


[root@ log]# ipactl start
Starting Directory Service
Starting dirsrv:
DIGITALREASONING-COM... already running[  OK  ]
PKI-IPA... already running [  OK  ]
Failed to read data from Directory Service: Failed to get list of services to 
probe status!
Configured hostname 'blah.digitalreasoning.com' does not match any master 
server in LDAP:
No master found because of error: {'matched': 'dc=digitalreasoning,dc=com', 
'desc': 'No such object'}


Thanks, 
_
John Moyer
Director, IT Operations




Re: [Freeipa-users] IPA not Starting after crash

2014-02-13 Thread Rob Crittenden

John Moyer wrote:

Hello All,

We’ve been running IPA now nicely for a while, and I wrote a script to
run something every minute and that filled the logs and crashed the
server.   I cleared the logs and started IPA again.


[root@ log]# ipactl start
Starting Directory Service
Starting dirsrv:
 DIGITALREASONING-COM... already running[  OK  ]
 PKI-IPA... already running [  OK  ]
Failed to read data from Directory Service: Failed to get list of
services to probe status!
Configured hostname 'blah.digitalreasoning.com' does not match any master server in
LDAP:
No master found because of error: {'matched':
'dc=digitalreasoning,dc=com', 'desc': 'No such object'}


I'd check /var/log/dirsrv/slapd-DIGITALREASONNG-COM/errors to see if 
there are any database consistency problems.


rob



Re: [Freeipa-users] WebUI questions.

2014-02-13 Thread Dmitri Pal

On 02/13/2014 01:51 PM, Brent Clark wrote:
When I assign a user the role of User Administrator, when they log 
into the WebUI, they can see all the role, dns, config tabs and links.


They should only see the necessary tabs and links that having that 
role requires and none of the extra stuff.


Is there a way to limit what appears in the WebUI based on Role?


https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#server-access-controls







--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] WebUI questions.

2014-02-13 Thread Rob Crittenden

Brent Clark wrote:

When I assign a user the role of User Administrator, when they log
into the WebUI, they can see all the role, dns, config tabs and links.

They should only see the necessary tabs and links that having that role
requires and none of the extra stuff.

Is there a way to limit what appears in the WebUI based on Role?


Not yet, see https://fedorahosted.org/freeipa/ticket/217

rob



Re: [Freeipa-users] IPA not Starting after crash

2014-02-13 Thread Dmitri Pal

On 02/13/2014 02:12 PM, John Moyer wrote:

This is the error log when I try to start it:

[13/Feb/2014:19:08:28 +] - 389-Directory/1.2.11.15 B2013.357.177 
starting up
[13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no 
entries set up under cn=computers, cn=compat,dc=digitalreasoning,dc=com
[13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no 
entries set up under cn=groups, cn=compat,dc=digitalreasoning,dc=com
[13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no 
entries set up under cn=ng, cn=compat,dc=digitalreasoning,dc=com
[13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no 
entries set up under ou=sudoers,dc=digitalreasoning,dc=com
[13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no 
entries set up under cn=users, cn=compat,dc=digitalreasoning,dc=com
[13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: 
Unable to locate shared configuration entry 
(cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=digitalreasoning,dc=com)
[13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: 
Invalid config entry [cn=posix ids,cn=distributed numeric assignment 
plugin,cn=plugins,cn=config] skipped
[13/Feb/2014:19:08:28 +] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[13/Feb/2014:19:08:28 +] - Listening on All Interfaces port 636 
for LDAPS requests
[13/Feb/2014:19:08:28 +] - Listening on 
/var/run/slapd-DIGITALREASONING-COM.socket for LDAPI requests
[13/Feb/2014:19:08:30 +] - slapd shutting down - signaling 
operation threads
[13/Feb/2014:19:08:30 +] - slapd shutting down - closing down 
internal subsystems and plugins

[13/Feb/2014:19:08:30 +] - Waiting for 4 database threads to stop
[13/Feb/2014:19:08:30 +] - All database threads now stopped
[13/Feb/2014:19:08:30 +] - slapd stopped.


Seems like your dna-plugin configuration is corrupted or missing.
The easiest way would be probably to reinit or reinstall replica.
If we want to try to repair we need help from DS team.





Thanks,
_
John Moyer
Director, IT Operations

On Feb 13, 2014, at 2:10 PM, Rob Crittenden rcrit...@redhat.com wrote:



John Moyer wrote:

Hello All,

We've been running IPA now nicely for a while, and I wrote a script to
run something every minute and that filled the logs and crashed the
server.   I cleared the logs and started IPA again.


[root@ log]# ipactl start
Starting Directory Service
Starting dirsrv:
DIGITALREASONING-COM... already running[  OK  ]
PKI-IPA... already running [  OK  ]
Failed to read data from Directory Service: Failed to get list of
services to probe status!
Configured hostname 'blah.digitalreasoning.com' does not match any master server in
LDAP:
No master found because of error: {'matched':
'dc=digitalreasoning,dc=com', 'desc': 'No such object'}


I'd check /var/log/dirsrv/slapd-DIGITALREASONNG-COM/errors to see if 
there are any database consistency problems.


rob






Re: [Freeipa-users] IPA not Starting after crash

2014-02-13 Thread John Moyer
I think I know my problem, back in August I was having performance issues so I 
hooked part of my IPA server to RAM disk.  I’m assuming looking at the symlink 
below that since I’ve rebooted the server that I’m completely out of luck. 

This is in this directory : /var/lib/dirsrv/slapd-DIGITALREASONING-COM/

lrwxrwxrwx 1 root   root 12 Aug 27 03:21 db -> /dev/shm/db/

At this point I just want confirmation that my data is gone.   I was doing 
backups, but of the disks not the RAM.  

Thanks, 
_
John Moyer
Director, IT Operations

On Feb 13, 2014, at 2:20 PM, Dmitri Pal d...@redhat.com wrote:

 On 02/13/2014 02:12 PM, John Moyer wrote:
 
 This is the error log when I try to start it: 
 
 [13/Feb/2014:19:08:28 +] - 389-Directory/1.2.11.15 B2013.357.177 
 starting up
 [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set 
 up under cn=computers, cn=compat,dc=digitalreasoning,dc=com
 [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set 
 up under cn=groups, cn=compat,dc=digitalreasoning,dc=com
 [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set 
 up under cn=ng, cn=compat,dc=digitalreasoning,dc=com
 [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set 
 up under ou=sudoers,dc=digitalreasoning,dc=com
 [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set 
 up under cn=users, cn=compat,dc=digitalreasoning,dc=com
 [13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: Unable to 
 locate shared configuration entry 
 (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=digitalreasoning,dc=com)
 [13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: Invalid 
 config entry [cn=posix ids,cn=distributed numeric assignment 
 plugin,cn=plugins,cn=config] skipped
 [13/Feb/2014:19:08:28 +] - slapd started.  Listening on All Interfaces 
 port 389 for LDAP requests
 [13/Feb/2014:19:08:28 +] - Listening on All Interfaces port 636 for 
 LDAPS requests
 [13/Feb/2014:19:08:28 +] - Listening on 
 /var/run/slapd-DIGITALREASONING-COM.socket for LDAPI requests
 [13/Feb/2014:19:08:30 +] - slapd shutting down - signaling operation 
 threads
 [13/Feb/2014:19:08:30 +] - slapd shutting down - closing down internal 
 subsystems and plugins
 [13/Feb/2014:19:08:30 +] - Waiting for 4 database threads to stop
 [13/Feb/2014:19:08:30 +] - All database threads now stopped
 [13/Feb/2014:19:08:30 +] - slapd stopped.
 
 Seems like your dna-plugin configuration is corrupted or missing.
 The easiest way would be probably to reinit or reinstall replica.
 If we want to try to repair we need help from DS team.
 
 
 
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 
 On Feb 13, 2014, at 2:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Hello All,
 
 We’ve been running IPA now nicely for a while, and I wrote a script to
 run something every minute and that filled the logs and crashed the
 server.   I cleared the logs and started IPA again.
 
 
 [root@ log]# ipactl start
 Starting Directory Service
 Starting dirsrv:
 DIGITALREASONING-COM... already running[  OK  ]
 PKI-IPA... already running [  OK  ]
 Failed to read data from Directory Service: Failed to get list of
 services to probe status!
 Configured hostname 'blah.digitalreasoning.com' does not match any master server in
 LDAP:
 No master found because of error: {'matched':
 'dc=digitalreasoning,dc=com', 'desc': 'No such object'}
 
 I'd check /var/log/dirsrv/slapd-DIGITALREASONNG-COM/errors to see if there 
 are any database consistency problems.
 
 rob
 
 
 
 
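The `db -> /dev/shm/db/` symlink John found is exactly the kind of thing a routine check should flag before a reboot turns it into data loss. The following is an added example, not code from the thread or from 389-ds/FreeIPA: it scans a dirsrv root for `slapd-*` instances whose `db` directory is a symlink into a location that does not survive a reboot. The `/var/lib/dirsrv` layout is the one shown in the thread; the list of volatile prefixes and the demo tree built under a temporary directory are assumptions.

```python
import os
import tempfile

# Where 389-ds instances live on the server in the thread (assumed default layout).
DIRSRV_ROOT = "/var/lib/dirsrv"
# Mount points that are tmpfs or otherwise cleared on reboot; a db symlink into
# any of these means the directory database is not on persistent storage.
VOLATILE_PREFIXES = ("/dev/shm", "/run", "/var/run", "/tmp")


def volatile_db_links(dirsrv_root=DIRSRV_ROOT, volatile_prefixes=VOLATILE_PREFIXES):
    """Return [(instance name, resolved link target)] for every slapd-* instance
    whose db directory is a symlink pointing under a volatile prefix."""
    findings = []
    if not os.path.isdir(dirsrv_root):
        return findings
    for inst in sorted(os.listdir(dirsrv_root)):
        if not inst.startswith("slapd-"):
            continue
        db = os.path.join(dirsrv_root, inst, "db")
        if not os.path.islink(db):
            continue  # a real directory: fine, nothing to report
        target = os.readlink(db)
        if not os.path.isabs(target):
            target = os.path.join(os.path.dirname(db), target)
        target = os.path.normpath(target)  # also strips the trailing slash from 'db/'
        if any(target == p or target.startswith(p + "/") for p in volatile_prefixes):
            findings.append((inst, target))
    return findings


def build_demo_tree():
    """Constructed stand-in for /var/lib/dirsrv: one instance whose db is a
    symlink into /dev/shm (as in the thread) and one with a normal db directory."""
    root = tempfile.mkdtemp(prefix="dirsrv-demo-")
    bad = os.path.join(root, "slapd-EXAMPLE-COM")
    os.makedirs(bad)
    os.symlink("/dev/shm/db/", os.path.join(bad, "db"))  # dangling is fine for the check
    good = os.path.join(root, "slapd-PKI-IPA")
    os.makedirs(os.path.join(good, "db"))
    return root


if __name__ == "__main__":
    for inst, target in volatile_db_links(build_demo_tree()):
        print(f"{inst}: db -> {target} (volatile storage, lost on reboot)")
```

Run against the real root it reports nothing on a healthy server; pairing it with a check that backups cover the resolved `db` target, not just the disk holding the symlink, is what would have saved the data here.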

Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Steve Dainard
Is this server or client side where sudo_provider=ipa is included in ver 
1.11.x?

My fedora 20 client doesn't have this option listed, or is it baked in?

*Steve Dainard *
IT Infrastructure Manager
Miovision http://miovision.com/ | *Rethink Traffic*

*Blog http://miovision.com/blog  |  **LinkedIn
https://www.linkedin.com/company/miovision-technologies  |  Twitter
https://twitter.com/miovision  |  Facebook
https://www.facebook.com/miovision*
--
 Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON,
Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If
you are not the intended recipient, please delete the e-mail and any
attachments and notify us immediately.


On Thu, Feb 13, 2014 at 3:46 AM, Jakub Hrozek jhro...@redhat.com wrote:

 On Wed, Feb 12, 2014 at 03:35:58PM -0800, Will Sheldon wrote:
  Is SSSD working for IPA sudo now?

 It was working even before, just with a bit of manual config, as I said
 in the reply you quoted, you just had to configure 'sudo_provider=ldap'

  I saw this From Jakub Horozek in this list a little while back:
 
  Unfortunately with 6.5 there is still no sudo ipa provider, there might
  be with one in 6.6. So in order to download the sudo rules you need to
  configure the LDAP sudo provider manually.

 sudo_provider=ipa is included in 1.9.6 and also all recent versions
 (1.11.x)

 We're thinking about including a newer version in RHEL-6.6, where the
 sudo_provider=ipa would be included as well.


Re: [Freeipa-users] IPA not Starting after crash

2014-02-13 Thread Rich Megginson

On 02/13/2014 12:58 PM, John Moyer wrote:
I think I know my problem, back in August I was having performance 
issues so I hooked part of my IPA server to RAM disk.  I'm assuming 
looking at the symlink below that since I've rebooted the server that 
I'm completely out of luck.


This is in this directory : /var/lib/dirsrv/slapd-DIGITALREASONING-COM/

lrwxrwxrwx 1 root   root 12 Aug 27 03:21 db -> /dev/shm/db/

At this point I just want confirmation that my data is gone.   I was 
doing backups, but of the disks not the RAM.


I'm not sure where else the data would be, if it is not in /dev/shm/db, 
and not in /var/lib/dirsrv/slapd-DOMAIN


Do you have a replica?



Thanks,
_
John Moyer
Director, IT Operations

On Feb 13, 2014, at 2:20 PM, Dmitri Pal d...@redhat.com wrote:



On 02/13/2014 02:12 PM, John Moyer wrote:

This is the error log when I try to start it:

[13/Feb/2014:19:08:28 +] - 389-Directory/1.2.11.15 B2013.357.177 
starting up
[13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no 
entries set up under cn=computers, cn=compat,dc=digitalreasoning,dc=com
[13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no 
entries set up under cn=groups, cn=compat,dc=digitalreasoning,dc=com
[13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no 
entries set up under cn=ng, cn=compat,dc=digitalreasoning,dc=com
[13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no 
entries set up under ou=sudoers,dc=digitalreasoning,dc=com
[13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no 
entries set up under cn=users, cn=compat,dc=digitalreasoning,dc=com
[13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: 
Unable to locate shared configuration entry 
(cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=digitalreasoning,dc=com)
[13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: 
Invalid config entry [cn=posix ids,cn=distributed numeric assignment 
plugin,cn=plugins,cn=config] skipped
[13/Feb/2014:19:08:28 +] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[13/Feb/2014:19:08:28 +] - Listening on All Interfaces port 636 
for LDAPS requests
[13/Feb/2014:19:08:28 +] - Listening on 
/var/run/slapd-DIGITALREASONING-COM.socket for LDAPI requests
[13/Feb/2014:19:08:30 +] - slapd shutting down - signaling 
operation threads
[13/Feb/2014:19:08:30 +] - slapd shutting down - closing down 
internal subsystems and plugins

[13/Feb/2014:19:08:30 +] - Waiting for 4 database threads to stop
[13/Feb/2014:19:08:30 +] - All database threads now stopped
[13/Feb/2014:19:08:30 +] - slapd stopped.


Seems like your dna-plugin configuration is corrupted or missing.
The easiest way would be probably to reinit or reinstall replica.
If we want to try to repair we need help from DS team.





Thanks,
_
John Moyer
Director, IT Operations

On Feb 13, 2014, at 2:10 PM, Rob Crittenden rcrit...@redhat.com wrote:



John Moyer wrote:

Hello All,

We've been running IPA now nicely for a while, and I wrote a script to
run something every minute and that filled the logs and crashed the
server.   I cleared the logs and started IPA again.


[root@ log]# ipactl start
Starting Directory Service
Starting dirsrv:
DIGITALREASONING-COM... already running[  OK  ]
PKI-IPA... already running [  OK  ]
Failed to read data from Directory Service: Failed to get list of
services to probe status!
Configured hostname 'blah.digitalreasoning.com' does not match any master server in
LDAP:
No master found because of error: {'matched':
'dc=digitalreasoning,dc=com', 'desc': 'No such object'}


I'd check /var/log/dirsrv/slapd-DIGITALREASONNG-COM/errors to see 
if there are any database consistency problems.


rob






Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Jakub Hrozek
On Thu, Feb 13, 2014 at 03:05:07PM -0500, Steve Dainard wrote:
 Is this server or client side where sudo_provider=ipa is included in ver 
 1.11.x?

Client side (sssd)

 
 My fedora 20 client doesn't have this option listed, or is it baked in?
 

Where exactly do you see the documentation lacking, perhaps the sssd-ipa
man page, or the sssd-sudo man page? I agree that docs are important,
but my view might be skewed because I know the internals..

All that should be required with 1.9.6 or 1.11.x is:
sudo_provider=ipa

And enabling the 'sss' module in /etc/nsswitch.conf:
sudoers: files sss

That's it. Please let us know if you find any bugs in code or docs.



Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Steve Dainard
I don't think this is an issue of bugs or documentation, more of design.
Perhaps there's someplace other than a users list this belongs in but:

If IPA is a centrally managed identity and access control system, should
these configurations not be passed to clients, rather than every client
needing configuration changes post join? Obviously I can automate config
changes, but why would I want to? I don't think sudoers priv is a fringe
case, it's pretty much THE case for access/admin control. I cringe to
compare to a Windows domain, but I don't have to manually tell a domain
client that it should respect the rules I set on a domain controller, I
joined it to the domain for this reason.

Maybe you're working towards this, but in the meantime it would be great if
the options existed in the config files so we immediately know what options
are available and can comment/uncomment them rather than searching around
man pages for options that might exist.

I believe you were looking for a documentation bug:

# man sssd-sudo
   To enable SSSD as a source for sudo rules, add sss to the sudoers
entry in nsswitch.conf(5).

   For example, to configure sudo to first lookup rules in the standard
sudoers(5) file (which
   should contain rules that apply to local users) and then in SSSD,
the nsswitch.conf file
   should contain the following line:

   sudoers: files sss

# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the db in front of files for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd: files sss
shadow: files sss
group:  files sss
#initgroups: files

#hosts: db files nisplus nis dns
hosts:  files mdns4_minimal [NOTFOUND=return] dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus



Entry does not exist.






On Thu, Feb 13, 2014 at 5:15 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Thu, Feb 13, 2014 at 03:05:07PM -0500, Steve Dainard wrote:
  Is this server or client side where sudo_provider=ipa is included in ver
 
  1.11.x?

 Client side (sssd)

 
  My fedora 20 client doesn't have this option listed, or is it baked in?
 

 Where exactly do you see the documentation lacking, perhaps the sssd-ipa
 man page, or the sssd-sudo man page? I agree that docs are important,
 but my view might be skewed because I know the internals..

 All that should be required with 1.9.6 or 1.11.x is:
 sudo_provider=ipa

 And enabling the 'sss' module in /etc/nsswitch.conf:
 sudoers: files sss

 That's it. Please let us know if you find any bugs in code or docs.

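Jakub's reply names two settings (`sudo_provider=ipa` in sssd.conf and `sss` on the `sudoers:` line of nsswitch.conf), and Steve's nsswitch.conf shows the `sudoers:` entry missing entirely. The following is an added example, not code from the thread or from SSSD: it parses both files and lists what is missing, and additionally checks that the `sudo` responder is in the `[sssd]` `services` line, which the sssd-sudo(5) man page requires and the thread does not mention. The file contents and the domain `example.com` are constructed; the check expects `sudo_provider` to be set explicitly to `ipa`, as in Jakub's reply.

```python
import configparser

# Constructed sample inputs (not the full files from the thread): an nsswitch.conf
# shaped like the one Steve posted, with no 'sudoers' line, and an sssd.conf for
# an assumed domain, before and after the two fixes.
NSSWITCH_BEFORE = """\
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files mdns4_minimal [NOTFOUND=return] dns
netgroup:   files sss
automount:  files sss
"""
NSSWITCH_AFTER = NSSWITCH_BEFORE + "sudoers:    files sss\n"

SSSD_BEFORE = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
"""
SSSD_AFTER = (SSSD_BEFORE.replace("services = nss, pam", "services = nss, pam, sudo")
              + "sudo_provider = ipa\n")


def parse_nsswitch(text):
    """Map each nsswitch database to its list of source tokens; comments are ignored."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        dbs[db.strip()] = sources.split()
    return dbs


def sudo_via_sssd_findings(nsswitch_text, sssd_conf_text):
    """Return a list of gaps; an empty list means sudo lookups through SSSD are wired up."""
    findings = []
    if "sss" not in parse_nsswitch(nsswitch_text).get("sudoers", []):
        findings.append("nsswitch.conf: no 'sss' source for sudoers; add 'sudoers: files sss'")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("sssd.conf [sssd]: 'sudo' responder missing from services")
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        provider = cfg.get(section, "sudo_provider", fallback=None)
        if provider is None:
            findings.append(f"sssd.conf [{section}]: sudo_provider not set (expected 'ipa')")
        elif provider.strip() != "ipa":
            findings.append(f"sssd.conf [{section}]: sudo_provider is '{provider}', not 'ipa'")
    return findings


if __name__ == "__main__":
    for line in sudo_via_sssd_findings(NSSWITCH_BEFORE, SSSD_BEFORE):
        print("MISSING:", line)
    print("after fixes:", sudo_via_sssd_findings(NSSWITCH_AFTER, SSSD_AFTER) or "ok")
```

On a real client, read `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` into the two arguments; the latter is root-only (mode 0600), so the check has to run with that privilege.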

[Freeipa-users] Setting up sudo

2014-02-13 Thread Todd Maugh
the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP by default, 
Identity Management defines a default sudo user, 
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo 
configuration file, /etc/sudo-ldap.conf.

So is this user supposed to be already pre-defined, or do I need to create the 
user and then modify them?

thanks

-Todd

Re: [Freeipa-users] Setting up sudo

2014-02-13 Thread Todd Maugh
And if I am configuring the sudo-ldap.conf,


what should it look like? Does anyone have an example?



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Thursday, February 13, 2014 3:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo

the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP by default, 
Identity Management defines a default sudo user, 
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo 
configuration file, /etc/sudo-ldap.conf.

So is this user supposed to be already pre-defined, or do I need to create the 
user and then modify them?

thanks

-Todd

Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Dmitri Pal

On 02/13/2014 06:04 PM, Steve Dainard wrote:
I don't think this is an issue of bugs or documentation, more of 
design. Perhaps there's someplace other than a users list this belongs 
in but:


If IPA is a centrally managed identity and access control system, 
should these configurations not be passed to clients, rather than 
every client needing configuration changes post join? Obviously I can 
automate config changes, but why would I want to? I don't think 
sudoers priv is a fringe case, it's pretty much THE case for 
access/admin control. I cringe to compare to a Windows domain, but I 
don't have to manually tell a domain client that it should respect the 
rules I set on a domain controller, I joined it to the domain for this 
reason.


Maybe you're working towards this, but in the meantime it would be 
great if the options existed in the config files so we immediately 
know what options are available and can comment/uncomment them rather 
than searching around man pages for options that might exist.


I believe you were looking for a documentation bug:

# man sssd-sudo
   To enable SSSD as a source for sudo rules, add sss to the 
sudoers entry in nsswitch.conf(5).


   For example, to configure sudo to first lookup rules in the 
standard sudoers(5) file (which
   should contain rules that apply to local users) and then in 
SSSD, the nsswitch.conf file

   should contain the following line:

   sudoers: files sss

# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the db in front of files for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd: files sss
shadow: files sss
group:  files sss
#initgroups: files

#hosts: db files nisplus nis dns
hosts:  files mdns4_minimal [NOTFOUND=return] dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus



Entry does not exist.




Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/ | Rethink Traffic

Blog http://miovision.com/blog | LinkedIn 
https://www.linkedin.com/company/miovision-technologies | Twitter 
https://twitter.com/miovision | Facebook 
https://www.facebook.com/miovision


Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, 
ON, Canada | N2C 1L3
This e-mail may contain information that is privileged or 
confidential. If you are not the intended recipient, please delete the 
e-mail and any attachments and notify us immediately.



On Thu, Feb 13, 2014 at 5:15 PM, Jakub Hrozek jhro...@redhat.com 
mailto:jhro...@redhat.com wrote:


On Thu, Feb 13, 2014 at 03:05:07PM -0500, Steve Dainard wrote:
 Is this server or client side where sudo_provider=ipa is
 included in ver 1.11.x?

Client side (sssd)


 My fedora 20 client doesn't have this option listed, or is it
baked in?


Where exactly do you see the documentation lacking, perhaps the
sssd-ipa
man page, or the sssd-sudo man page? I agree that docs are important,
but my view might be skewed because I know the internals..

All that should be required with 1.9.6 or 1.11.x is:
sudo_provider=ipa

And enabling the 'sss' module in /etc/nsswitch.conf:
sudoers: files sss

That's it. Please let us know if you find any bugs in code or docs.




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Managing configuration files is outside of scope of IPA or SSSD. We 
looked at this at the beginning of the IPA project a got a push back 
from 
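The two client-side settings Jakub lists above (the sudoers entry in nsswitch.conf and sudo_provider=ipa in sssd.conf) are easy to miss, as Steve's nsswitch.conf shows. The following shell functions are an added example, not code from the thread or from SSSD, that audit both files for those settings; the paths are parameters so it can be run against copies.

```shell
#!/bin/sh
# Added example, not from the thread: audit a client for the two settings
# Jakub Hrozek lists for IPA-backed sudo, "sudoers: files sss" in
# nsswitch.conf and sudo_provider = ipa in a [domain/...] section of
# sssd.conf. Paths are parameters so it can be run against copies.

# Print the sources listed for the sudoers database, empty if the
# entry is absent (Steve's nsswitch.conf above is the absent case).
nsswitch_sudoers_sources() {
    sed -e 's/#.*//' -e 's/:/: /' "$1" |
        awk '$1 == "sudoers:" { $1 = ""; print; exit }'
}

# Succeed only when the sudoers database includes the sss module.
nsswitch_has_sss_sudoers() {
    nsswitch_sudoers_sources "$1" | grep -qw sss
}

# Print every sudo_provider value set inside a [domain/...] section;
# values outside domain sections (or commented out) are ignored.
sssd_sudo_provider() {
    awk -F'=' '
        /^[[:space:]]*\[/ { in_domain = ($0 ~ "^[[:space:]]*\\[domain/"); next }
        in_domain && $1 ~ /^[[:space:]]*sudo_provider[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2
        }' "$1"
}

# Overall verdict: returns 0 when both settings are present, 1 otherwise,
# printing what is missing and the exact line to add.
check_sudo_integration() {
    rc=0
    if ! nsswitch_has_sss_sudoers "$1"; then
        echo "MISSING in $1: add the line 'sudoers: files sss'"
        rc=1
    fi
    if ! sssd_sudo_provider "$2" | grep -qx ipa; then
        echo "MISSING in $2: add 'sudo_provider = ipa' under [domain/...]"
        rc=1
    fi
    return $rc
}

# Usage on a live client (needs root to read sssd.conf):
#   check_sudo_integration /etc/nsswitch.conf /etc/sssd/sssd.conf
```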

Re: [Freeipa-users] Setting up sudo

2014-02-13 Thread Dmitri Pal

On 02/13/2014 06:23 PM, Todd Maugh wrote:

and if I am configuring the sudo-ldap.conf


what should it look like does any one have an example?



You have two options. Sudo can be integrated with SSSD or not.
If you want SUDO to be integrated then this should help: 
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf


If you want to use SUDO independently from sssd and connect directly to 
IPA from SUDO you need to configure sudo-ldap.conf and use some user to 
bind to IPA. This user should be configured in the file.
See more details in the IPA docs: 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#config-sudo-clients






From: freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Todd Maugh 
[tma...@boingo.com]

Sent: Thursday, February 13, 2014 3:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo

the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP 
by default, Identity Management defines a default sudo user, 
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the 
LDAP/sudo configuration file, /etc/sudo-ldap.conf.


so is this user supposed to be already pre-defined, or do I need to 
create the user and then modify them?


thanks

-Todd





--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



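For the second route Dmitri describes (sudo talking to IPA directly, binding as the sudo system account the quoted documentation names), here is an added example of what /etc/sudo-ldap.conf can look like; it is not from the thread or the IPA documentation, and the hostnames, the dc=example,dc=com suffix and the password are placeholders.

```conf
# Added example /etc/sudo-ldap.conf for sudo binding to IPA without SSSD;
# not from the thread. Hostnames and dc=example,dc=com are placeholders.

# IPA server(s) sudo binds to; list more than one for redundancy.
uri ldap://ipa01.example.com ldap://ipa02.example.com

# The bind password travels over this connection: upgrade to TLS and
# verify the server against the IPA CA instead of talking in the clear.
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

# The default sudo bind user IPA defines (from the quoted documentation).
# The account exists already; its password must be set on the server
# before this bind can succeed.
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw <password-set-for-the-sudo-system-account>

# Where IPA publishes sudo rules in the LDAP-compatible layout.
sudoers_base ou=sudoers,dc=example,dc=com
```

Because the file carries the bind password it should be readable by root only, and for this route the nsswitch.conf entry is "sudoers: files ldap" rather than the sss module used with SSSD.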

Re: [Freeipa-users] authentication against compat

2014-02-13 Thread Alexander Bokovoy

On Thu, 13 Feb 2014, Steve Dainard wrote:

I don't think this is an issue of bugs or documentation, more of design.
Perhaps there's someplace other than a users list this belongs in but:

If IPA is a centrally managed identity and access control system, should
these configurations not be passed to clients, rather than every client
needing configuration changes post join? Obviously I can automate config
changes, but why would I want to? I don't think sudoers priv is a fringe
case, it's pretty much THE case for access/admin control. I cringe to
compare to a Windows domain, but I don't have to manually tell a domain
client that it should respect the rules I set on a domain controller, I
joined it to the domain for this reason.

When the majority of expected features are already implemented, it is easy
to fall into the assumption that everything has to be complete from start.
That's understandable but we are dealing with a living and evolving
project where a feature addition often means integrating across multiple
actual free software projects, all with their own priorities and
schedules, step by step, or things will never happen.

SUDO integration is not an exception here. First we needed to expand
SUDO's support for external plugins. When SUDO data was placed in LDAP,
it appeared that existing schema isn't really optimal, so FreeIPA schema
was designed better (but incompatible with existing one from SUDO LDAP),
but required a compatibility part to work with existing SUDO LDAP
plugin. Next, we implemented SUDO provider in SSSD for the existing SUDO
LDAP schema as it gave SSSD wider coverage of SUDO support. Now we
implemented support for native FreeIPA schema. The next step is to
integrate configuration of it in ipa-client-install so that clients will
get set up properly if there are SUDO rules configured on the server or
ipa-client-install was actually given a bless from the admin (via CLI
option or answering a question).

It takes time and effort. Unsurprisingly, this is a relatively minor
feature in the grand picture because we have dozens of such features all
asking for attention and time, and our development teams are not
expanding infinitely regardless of how we all wish. :)

Any help is welcome!

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA Replica cannot add user

2014-02-13 Thread Martin Kosek
On 02/13/2014 06:55 PM, Bruno Henrique Barbosa wrote:
 
 
 
 Hi everyone, 
 
 
 I've installed my IPA environment as it follows: 
 
 
 ipa01.example.com - master install 
 ipa02.example.com - replica install, as the guide says, with 
 ipa-replica-prepare on ipa01 and ipa-replica-install using gpg key generated. 
 
 
 All good, environment is fine, can access both UI, but the underlying problem 
 is: I can edit and remove users from IPA using instance ipa02 (replica), but 
 I CANNOT add users from that instance. In the UI, error returned is: 
 
 
 IPA Error 4203 
 Operations error: Allocation of a new value for range cn=posix 
 ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! 
 Unable to proceed. 
 
 
 
 
 Via command-line, debug-enabled: 
 
 
 root@ipa02's password: 
 Last login: Thu Feb 13 15:36:34 2014 
 [root@ipa02 ~]# kinit admin 
 Password for ad...@example.com: 
 [root@ipa02 ~]# ipa-replica-manage list 
 ipa01.example.com: master 
 ipa02.example.com: master 
 [root@ipa02 ~]# klist 
 Ticket cache: FILE:/tmp/krb5cc_0 
 Default principal: ad...@example.com 
 
 
 Valid starting Expires Service principal 
 02/13/14 15:37:48 02/14/14 15:37:29 krbtgt/example@example.com 
 02/13/14 15:38:03 02/14/14 15:37:29 ldap/ipa02.example@example.com 
 [root@ipa02 ~]# ipa -d user-add usertest 