Re: [Freeipa-users] Centos 7 and 4.0
On (23/08/14 22:48), Dmitri Pal wrote:
> On 08/23/2014 10:32 PM, Kat wrote:
> > I am working on the same thing - specifically I have found the libnl dependencies to be the biggest headache. If I get anywhere over the weekend, I will let you all know.
>
> Do not forget about sssd, samba, certmonger, ding-libs; not all dependencies are yet polished in all distros.

I rebuilt a lot of dependencies [1], but the most problematic is dogtag.

Error: Package: freeipa-server-4.0.1-1.el7.x86_64 (lslebodn-ding-libs)
           Requires: pki-ca = 10.1.1
           Available: pki-ca-10.0.5-3.el7.noarch (base)
               pki-ca = 10.0.5-3.el7
           Available: pki-ca-10.0.6-1.el7.noarch (lslebodn-ding-libs)
               pki-ca = 10.0.6-1.el7

It requires resteasy = 3.0.1-3. I tried to rebuild a newer resteasy (resteasy-3.0.6-2.fc20.src.rpm), but there are lots of missing dependencies, so I gave up. I am not an expert in java packaging.

Error: No Package found for apache-james-project
Error: No Package found for apache-mime4j = 0.7.2-2
Error: No Package found for bean-validation-api
Error: No Package found for classmate
Error: No Package found for hibernate-validator
Error: No Package found for infinispan
Error: No Package found for jackson-annotations
Error: No Package found for jackson-core
Error: No Package found for jackson-databind
Error: No Package found for jackson-jaxrs-json-provider
Error: No Package found for jackson-module-jaxb-annotations
Error: No Package found for jcip-annotations
Error: No Package found for jsonp
Error: No Package found for maven-jaxb2-plugin
Error: No Package found for maven-plugin-cobertura
Error: No Package found for maven-pmd-plugin
Error: No Package found for netty
Error: No Package found for picketbox
Error: No Package found for springframework-webmvc
Error: No Package found for undertow

Just for the record, here is a list of successfully rebuilt src.rpms and needed rpms.

[1] list of rebuilt packages
389-ds-base-1.3.2.22-1.fc20.src.rpm
ctdb-2.4-1.fc20.src.rpm
dogtag-pki-theme-10.1.1-1.fc20.src.rpm
fontawesome-fonts-4.0.3-1.fc20.src.rpm
krb5-1.11.5-12.fc20.src.rpm
open-sans-fonts-1.10-1.fc20.src.rpm
python-kerberos-1.1-14.fc20.src.rpm
python-nss-0.15.0-1.fc20.src.rpm
python-polib-1.0.3-3.fc20.src.rpm
python-qrcode-2.4.1-5.fc20.src.rpm
python-yubico-1.2.1-3.fc20.src.rpm
pyusb-1.0.0-0.7.a3.fc20.src.rpm
samba-4.1.9-4.fc20.src.rpm
ttembed-1.1-1.fc20.src.rpm

[2] list of missing dependencies
pki-core-10.1.1-1.fc20.src.rpm
and probably a newer version of selinux-policy (for testing purposes, it could be removed from the freeipa spec file and users can create their own rules.)

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Ubuntu 3.3.x client vs. 3.0.0 server
On 08/22/2014 10:41 PM, Michael Lasevich wrote:
> Trying to use ipa command line admin tools from Ubuntu 14.04 box against 3.0.0 CentOS 6 server and running into trouble. Seems like upgrading server is not an option without upgrading the server, and 3.3.0 client is not compatible with 3.0.0 server (seems to be sending invalid fields to the server in api)
>
> I cannot seem to easily find a way to get 3.0 client on ubuntu nor do I see any pre-made 3.0 deb packages.
>
> Any suggestions?
>
> Thanks,
>
> -M

Please see http://www.freeipa.org/page/Client#Compatibility which describes our current compatibility constraints for the ipa tool.

TL;DR: your 3.3 clients should work just fine with regard to FreeIPA services (identity, authentication, authorization, sudo, ...). But when you want to use the ipa tool, you would either need to use the one on the FreeIPA server or use one from another CentOS 6 FreeIPA client (or use the Web UI).

Martin
Re: [Freeipa-users] Installing a new Cert
Hi,

On 25.8.2014 at 03:04, Chris Whittle wrote:
> Trying to do this
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> And I keep getting "Error unable to get local issuer certificate getting chain."

Where are you getting this error? ipa-server-certinstall, or httpd, or somewhere else? What version of ipa do you have installed?

> I'm wondering if it's because of this from the doc "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not either...

In this case you should get a "file.p12 is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" error in ipa-server-certinstall.

> Any ideas?

Honza

--
Jan Cholasta
Re: [Freeipa-users] ca.crt contains more than one certificate
Hi,

On 8.8.2014 at 14:46, Nicklas Björk wrote:
> Trying to upgrade from FreeIPA 3.0 running on CentOS 6 to 3.3 on CentOS 7 using migration. I seem to have run into some certificate problems and the replica installation halts half-way through.
>
> We have a simple CA-structure, where FreeIPA has been installed as a sub-ca directly under ca root ca.
>
> A replica bundle was created on the master using:
>
>   ipa-replica-prepare replica.example.net --ip-address 192.168.100.2
>
> the gpg-file was copied to replica:/var/lib/ipa and the following command was executed:
>
>   ipa-replica-install --mkhomedir -d --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-replica.example.net.gpg
>
> During the first attempt, I was instructed to also run copy-schema-to-ca.py on the master server, which has been done.
>
> The replica installation halts complaining that ca.crt contains more than one certificate. Both the FreeIPA CA and the Root CA certificates are in that file.
>
> Debug output in /var/log/ipareplica-install.log tells the following:
>
> 2014-08-08T12:22:08Z DEBUG   [17/34]: configuring ssl for ds instance
> 2014-08-08T12:22:08Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2014-08-08T12:22:08Z DEBUG Starting external process
> 2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -N -f /etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt
> 2014-08-08T12:22:08Z DEBUG Process finished, return code=0
> 2014-08-08T12:22:08Z DEBUG stdout=
> 2014-08-08T12:22:08Z DEBUG stderr=
> 2014-08-08T12:22:08Z DEBUG Starting external process
> 2014-08-08T12:22:08Z DEBUG args=/usr/bin/pk12util -d /etc/dirsrv/slapd-EXAMPLE-NET/ -i /tmp/tmpNOzZ3cipa/realm_info/dscert.p12 -k /etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt -v -w /dev/stdin
> 2014-08-08T12:22:08Z DEBUG Process finished, return code=0
> 2014-08-08T12:22:08Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
> 2014-08-08T12:22:08Z DEBUG stderr=
> 2014-08-08T12:22:08Z DEBUG Starting external process
> 2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -L
> 2014-08-08T12:22:08Z DEBUG Process finished, return code=0
> 2014-08-08T12:22:08Z DEBUG stdout=
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> CN=Example Root CA,O=Example AB                              ,,
> EXAMPLE.NET IPA CA                                           ,,
>
> 2014-08-08T12:22:08Z DEBUG stderr=
> 2014-08-08T12:22:08Z DEBUG Starting external process
> 2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -A -n CA -t CT,CT, -a
> 2014-08-08T12:22:08Z DEBUG Process finished, return code=0
> 2014-08-08T12:22:08Z DEBUG stdout=
> 2014-08-08T12:22:08Z DEBUG stderr=
> 2014-08-08T12:22:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-replica-install", line 664, in main
>     ds = install_replica_ds(config)
>
>   File "/usr/sbin/ipa-replica-install", line 189, in install_replica_ds
>     ca_file=config.dir + "/ca.crt",
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360, in create_replica
>     self.start_creation(runtime=60)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 606, in enable_ssl
>     ca_file=self.ca_file)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 841, in create_from_pkcs12
>     self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 240, in import_pem_cert
>     location)
>
> 2014-08-08T12:22:08Z DEBUG The ipa-replica-install command failed, exception: ValueError: /tmp/tmpNOzZ3cipa/realm_info/ca.crt contains more than one certificate
>
> Is there anything obvious that is wrong or odd with this setup or process?

It seems you somehow ended up with more than one certificate in /etc/ipa/ca.crt on the master. It should contain only the IPA CA certificate; if you delete all other certificates from it and re-run ipa-replica-prepare, you should be able to successfully install the replica using ipa-replica-install.

> Best regards
> Nicklas Björk

Honza

--
Jan Cholasta
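The failure in this thread is a precondition check: import_pem_cert refuses a ca.crt that carries more than one PEM certificate, and the fix is to leave only the IPA CA in /etc/ipa/ca.crt before re-running ipa-replica-prepare. The following is an added example, not FreeIPA's own code: a small pre-flight check that splits a PEM bundle into its certificate blocks, verifies each body is valid base64, and applies the exactly-one-certificate rule. The two sample bundles are constructed placeholders (their bodies are not real DER), built only to show the single-certificate and root-plus-IPA-CA cases.

```python
import base64
import re

# One PEM certificate block; DOTALL lets the base64 body span several lines.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_certs(text):
    """Return the DER bytes of every PEM certificate block found in text.

    A block whose body is not valid base64 raises ValueError so that a
    truncated or corrupted bundle is reported instead of being miscounted.
    """
    certs = []
    for match in _PEM_CERT.finditer(text):
        body = "".join(match.group(1).split())
        try:
            certs.append(base64.b64decode(body, validate=True))
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("malformed PEM certificate block: %s" % exc)
    return certs


def check_single_ca(text):
    """Apply the precondition ipa-replica-install enforces on ca.crt.

    Returns (ok, message); the failure message mirrors the ValueError seen
    in ipareplica-install.log when the file carries more than one cert.
    """
    certs = split_pem_certs(text)
    if not certs:
        return False, "ca.crt contains no certificate"
    if len(certs) > 1:
        return False, "ca.crt contains more than one certificate (%d found)" % len(certs)
    return True, "ca.crt contains exactly one certificate (%d DER bytes)" % len(certs[0])


def _fake_pem(payload):
    # Constructed stand-in: a real ca.crt body is a DER-encoded X.509 cert.
    body = base64.b64encode(payload).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped


# Constructed sample bundles: the second has the shape from the thread, where
# the root CA was appended after the IPA CA in /etc/ipa/ca.crt.
SINGLE_CA = _fake_pem(b"constructed placeholder: EXAMPLE.NET IPA CA")
TWO_CA_BUNDLE = SINGLE_CA + _fake_pem(b"constructed placeholder: Example Root CA")

if __name__ == "__main__":
    for label, bundle in (("single", SINGLE_CA), ("bundle", TWO_CA_BUNDLE)):
        ok, message = check_single_ca(bundle)
        print("%s: %s -> %s" % (label, "OK" if ok else "FAIL", message))
```

Run it against a real file with `check_single_ca(open("/etc/ipa/ca.crt").read())` on the master before preparing the replica bundle; the check says nothing about which certificate is the IPA CA, only whether the file is in the one-certificate shape the installer expects.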
Re: [Freeipa-users] A prototype of merged domains (views)
On Sun, 24 Aug 2014, Nordgren, Bryce L -FS wrote:
> Over the past month, I rearranged my local systems for our collaboration environment. The essence of the work is to combine employee identities (defined in AD) with identities for external users (defined in FreeIPA), massage them so that they look the same, and export them to every posix desktop and web application I support. Defining cross-domain posix groups is included, and was successfully performed, but sssd doesn't have a vocabulary to describe a merged domain (one identity provider, multiple auth providers). Still trying to figure out if I can force this to work somehow.
>
> The activity may shine a light on some of the things views might be required to do.
>
> http://www.freeipa.org/page/V4/Use_Case_for_Views:_Collaboration

After reading the page I think you are over-complicating your own deployment for no real benefit. What you essentially want is to arbitrate access control to certain services regardless of the source the users or groups are coming from. This is already possible to achieve with HBAC rules because we already can make external SIDs members of a non-POSIX group that is included into a POSIX group which is referenced by an HBAC rule. This works already and doesn't need any views because HBAC rules already can be subjected to a specific host and specific service on the host.

We need to extend the concept of external members of non-POSIX groups to have the same resolving features as we are planning with ID view overrides (SID:S-..., IPA:uuid, etc) so that external non-POSIX groups can be used more widely. Note that ID view overrides per host will then affect HBAC rule content automatically as SSSD would perform group/user resolution prior to evaluating the rule.

Your other problem is that you seem to be unable to establish two-way trust with AD as currently IPA requires. I have plans to get one-way trust back working but it needs additional changes on our side to properly protect trust account credentials when distributing them to a group of IPA masters participating in the trust.

--
/ Alexander Bokovoy
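The chain Alexander describes (an AD SID as an external member of a non-POSIX group, that group nested in a POSIX group, and an HBAC rule naming the POSIX group plus a host and a service) can be modelled in a few lines. The following is an added illustration, not FreeIPA or SSSD code: group names, the host names, the SID and the rules are all constructed. It shows the order of operations the post relies on, group resolution first and rule evaluation second, and why the rule's host and service scope keeps the grant from being global.

```python
# Constructed FreeIPA-style objects: an AD SID placed in a non-POSIX external
# group, that group nested in a POSIX group, and HBAC rules over the result.
EXAMPLE_SID = "S-1-5-21-1111111111-222222222-3333333333-1105"  # constructed

GROUPS = {
    "ad_admins_external": {"posix": False, "members": {EXAMPLE_SID},
                           "member_groups": set()},
    "ad_admins": {"posix": True, "members": set(),
                  "member_groups": {"ad_admins_external"}},
    "web_operators": {"posix": True, "members": {"bryce"},
                      "member_groups": {"ad_admins"}},
}

HBAC_RULES = [
    # Enabled rule: ad_admins may use sshd on one host only.
    {"name": "allow_admins_ssh", "enabled": True,
     "usercat": None, "users": set(), "usergroups": {"ad_admins"},
     "hostcat": None, "hosts": {"web1.ipa.test"},
     "servicecat": None, "services": {"sshd"}},
    # Disabled catch-all rule, kept to show that disabled rules never match.
    {"name": "allow_all_login", "enabled": False,
     "usercat": "all", "users": set(), "usergroups": set(),
     "hostcat": "all", "hosts": set(), "servicecat": "all", "services": set()},
]


def resolve_groups(groups, principal):
    """Every group the principal belongs to, following nesting upward.

    Mirrors what SSSD does before HBAC evaluation: the SID is a direct member
    of the external group only, and inherits every POSIX group that nests it.
    """
    found = {name for name, spec in groups.items() if principal in spec["members"]}
    while True:
        parents = {name for name, spec in groups.items()
                   if name not in found and spec["member_groups"] & found}
        if not parents:
            return found
        found |= parents


def hbac_evaluate(rules, groups, principal, host, service):
    """Return the name of the first enabled rule that grants access, else None."""
    memberships = resolve_groups(groups, principal)
    for rule in rules:
        if not rule["enabled"]:
            continue
        user_ok = (rule["usercat"] == "all" or principal in rule["users"]
                   or bool(memberships & rule["usergroups"]))
        host_ok = rule["hostcat"] == "all" or host in rule["hosts"]
        svc_ok = rule["servicecat"] == "all" or service in rule["services"]
        if user_ok and host_ok and svc_ok:
            return rule["name"]
    return None


if __name__ == "__main__":
    print(sorted(resolve_groups(GROUPS, EXAMPLE_SID)))
    for host, service in (("web1.ipa.test", "sshd"), ("web2.ipa.test", "sshd"),
                          ("web1.ipa.test", "sudo")):
        print(host, service, "->", hbac_evaluate(HBAC_RULES, GROUPS, EXAMPLE_SID, host, service))
```

The model deliberately treats the SID as an opaque principal; the ID-view style resolution (SID:S-..., IPA:uuid) the post proposes would slot in before resolve_groups, mapping whatever identifier a host sees onto the principal used here.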
[Freeipa-users] users AD can not sudo in centos 6.5
hi
i integrated AD windows 2008 R2 with IPA server (centos 6.5)
i write a sudo policy and access for specified user and host with allow any command.
user can execute sudo in centos 7 but when user logs in on centos 6.5 can not execute sudo and get error below

user@AD is not in sudoers file.

i configure
/etc/nsswitch.conf -- sudoers: file sss
/etc/sss/sss.conf   service nss, pam,ssh,sudo
/etc/sysconfig/network - NISDOMAIN=ad.com
Re: [Freeipa-users] users AD can not sudo in centos 6.5
On 08/25/2014 12:01 PM, alireza baghery wrote:
> hi
> i integrated AD windows 2008 R2 with IPA server (centos 6.5)
> i write a sudo policy and access for specified user and host with allow any command.
> user can execute sudo in centos 7 but when user logs in on centos 6.5 can not execute sudo and get error below
>
> user@AD is not in sudoers file.
>
> i configure
> /etc/nsswitch.conf -- sudoers: file sss
> /etc/sss/sss.conf   service nss, pam,ssh,sudo
> /etc/sysconfig/network - NISDOMAIN=ad.com

AFAIR there was a bug in 6.5 around sudo and AD users, it has been fixed in fedora but I am not sure it made its way into all distros yet.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] sudo with freeIPA
Good Morning,

I'm very new to freeIPA. I'm running centOS 6.5 with freeIPA v3. I have the freeIPA server up but i'm working on getting SUDO configured. Currently i'm having problems getting sudo commands to work on the client. I'm a bit unclear if i have everything configured correctly. The only thing that I can figure out might be an issue, is when i try the sudo command i see a filter search with objectclass=sudoRule but when i check the ldap server it has objectclass=sudoRole, so there are no results.

Any ideas? Thank you in advance for any advice.

[tuser2@map1 ~]$ sudo /sbin/iptables -L
Enter RSA PIN+token:
tuser2 is not allowed to run sudo on map1. This incident will be reported.

CLIENT:
yum installed libsss_sudo

I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local **still not sure what this is for **

Created a sudo user on ldap server
ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com **

[root@map1 sssd]# cat /etc/nsswitch.conf
#
passwd:     files sss
shadow:     files sss
group:      files sss
sudoers:    files sss
sudoers_debug: 1
#sudoers:   files
hosts:      files dns
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  files
automount:  files ldap
aliases:    files
[root@map1 sssd]#

[root@map1 sssd]# cat sssd.conf
[domain/server.example.com]
debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = server.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = map1.server.example.com
chpass_provider = ipa
ipa_server = _srv_, dir1.server.example.com
ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://dir1.server.example.com
ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dir1.server.example.com
ldap_sasl_realm = server.example.com
krb5_server = dir1.server.example.com

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = server.example.com

[nss]
[pam]
[sudo]
debug_level=5
[autofs]
[ssh]
[pac]

from the sssd_sudo.log

(Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#107965)(sudoUser=%tuser2)(sudoUser=+*))((dataExpireTimestamp=1408962991)))]
(Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#107965)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

[root@dir1 ~]# !ldaps
ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W -b dc=server,dc=example,dc=com 'objectclass=sudoRole'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=server,dc=example,dc=com> with scope subtree
# filter: objectclass=sudoRole
# requesting: ALL
#

# test, sudoers, server.example.com
dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
objectClass: sudoRole
sudoUser: megan2
sudoUser: tuser2
sudoHost: map1.server.example.com
sudoCommand: /sbin/iptables -L
sudoCommand: /home/tuser1/test.sh
sudoCommand: test2.sh
cn: test

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@dir1 ~]# ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W -b dc=server,dc=example,dc=com 'objectclass=sudoRule'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=server,dc=example,dc=com> with scope subtree
# filter: objectclass=sudoRule
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Re: [Freeipa-users] sudo with freeIPA
On 08/25/2014 12:51 PM, Megan . wrote:
> Good Morning,
>
> I'm very new to freeIPA.

Welcome on board!

> I'm running centOS 6.5 with freeIPA v3. I have the freeIPA server up but i'm working on getting SUDO configured. Currently i'm having problems getting sudo commands to work on the client. I'm a bit unclear if i have everything configured correctly. The only thing that I can figure out might be an issue, is when i try the sudo command i see a filter search with objectclass=sudoRule but when i check the ldap server it has objectclass=sudoRole, so there are no results.

According to http://www.sudo.ws/sudoers.ldap.man.html the objectclass in the schema should really read sudoRole (I know, may be confusing).

> Any ideas? Thank you in advance for any advice.

Where do you see the filter?

> [tuser2@map1 ~]$ sudo /sbin/iptables -L
> Enter RSA PIN+token:
> tuser2 is not allowed to run sudo on map1. This incident will be reported.
>
> CLIENT:
> yum installed libsss_sudo
>
> I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local **still not sure what this is for **

This is for setting the NIS domain permanently. sudo uses NIS domains when it uses sudo rules with host groups instead of individual host names.

> Created a sudo user on ldap server
> ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com **
>
> [root@map1 sssd]# cat /etc/nsswitch.conf
> #
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> sudoers:    files sss
> sudoers_debug: 1
> #sudoers:   files
> hosts:      files dns
> bootparams: files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> netgroup:   files sss
> publickey:  files
> automount:  files ldap
> aliases:    files
> [root@map1 sssd]#
>
> [root@map1 sssd]# cat sssd.conf
> [domain/server.example.com]
> debug_level = 5
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = server.example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = map1.server.example.com
> chpass_provider = ipa
> ipa_server = _srv_, dir1.server.example.com
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
> ldap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri = ldap://dir1.server.example.com
> ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/dir1.server.example.com
> ldap_sasl_realm = server.example.com
> krb5_server = dir1.server.example.com
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = server.example.com
>
> [nss]
> [pam]
> [sudo]
> debug_level=5
> [autofs]
> [ssh]
> [pac]
>
> from the sssd_sudo.log
>
> (Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#107965)(sudoUser=%tuser2)(sudoUser=+*))((dataExpireTimestamp=1408962991)))]
> (Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#107965)(sudoUser=%tuser2)(sudoUser=+*)))]
> (Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

I do not understand why it searches with sudorule objectclass. According to sssd-ldap man page, ldap_sudorule_object_class should default to sudoRole. Jakub or Pavel, any idea?

> [root@dir1 ~]# !ldaps
> ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W -b dc=server,dc=example,dc=com 'objectclass=sudoRole'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=server,dc=example,dc=com> with scope subtree
> # filter: objectclass=sudoRole
> # requesting: ALL
> #
>
> # test, sudoers, server.example.com
> dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
> objectClass: sudoRole
> sudoUser: megan2
> sudoUser: tuser2
> sudoHost: map1.server.example.com
> sudoCommand: /sbin/iptables -L
> sudoCommand: /home/tuser1/test.sh
> sudoCommand: test2.sh
> cn: test
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root@dir1 ~]# ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W -b dc=server,dc=example,dc=com 'objectclass=sudoRule'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=server,dc=example,dc=com> with scope subtree
> # filter: objectclass=sudoRule
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1

I do not know the root cause, but Pavel or Jakub will be able to provide help.

BTW, FreeIPA 4.0+ enables SUDO via SSSD's sudo provider automatically (https://fedorahosted.org/freeipa/ticket/3358). This functionality will also be available in RHEL-6.6.

Martin
Re: [Freeipa-users] sudo with freeIPA
On Mon, 25 Aug 2014, Martin Kosek wrote:
> On 08/25/2014 12:51 PM, Megan . wrote:
> > Good Morning,
> >
> > I'm very new to freeIPA.
>
> Welcome on board!
>
> > I'm running centOS 6.5 with freeIPA v3. I have the freeIPA server up but i'm working on getting SUDO configured. Currently i'm having problems getting sudo commands to work on the client. I'm a bit unclear if i have everything configured correctly. The only thing that I can figure out might be an issue, is when i try the sudo command i see a filter search with objectclass=sudoRule but when i check the ldap server it has objectclass=sudoRole, so there are no results.
>
> According to http://www.sudo.ws/sudoers.ldap.man.html the objectclass in the schema should really read sudoRole (I know, may be confusing).
>
> > Any ideas? Thank you in advance for any advice.
>
> Where do you see the filter?
>
> > [tuser2@map1 ~]$ sudo /sbin/iptables -L
> > Enter RSA PIN+token:
> > tuser2 is not allowed to run sudo on map1. This incident will be reported.
> >
> > CLIENT:
> > yum installed libsss_sudo
> >
> > I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local **still not sure what this is for **
>
> This is for setting the NIS domain permanently. sudo uses NIS domains when it uses sudo rules with host groups instead of individual host names.
>
> > Created a sudo user on ldap server
> > ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com **
> >
> > [root@map1 sssd]# cat /etc/nsswitch.conf
> > #
> > passwd:     files sss
> > shadow:     files sss
> > group:      files sss
> > sudoers:    files sss
> > sudoers_debug: 1
> > #sudoers:   files
> > hosts:      files dns
> > bootparams: files
> > ethers:     files
> > netmasks:   files
> > networks:   files
> > protocols:  files
> > rpc:        files
> > services:   files sss
> > netgroup:   files sss
> > publickey:  files
> > automount:  files ldap
> > aliases:    files
> > [root@map1 sssd]#
> >
> > [root@map1 sssd]# cat sssd.conf
> > [domain/server.example.com]
> > debug_level = 5
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = server.example.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = map1.server.example.com
> > chpass_provider = ipa
> > ipa_server = _srv_, dir1.server.example.com
> > ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > sudo_provider = ldap
> > ldap_uri = ldap://dir1.server.example.com
> > ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/dir1.server.example.com
> > ldap_sasl_realm = server.example.com
> > krb5_server = dir1.server.example.com
> >
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > domains = server.example.com
> >
> > [nss]
> > [pam]
> > [sudo]
> > debug_level=5
> > [autofs]
> > [ssh]
> > [pac]
> >
> > from the sssd_sudo.log
> >
> > (Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#107965)(sudoUser=%tuser2)(sudoUser=+*))((dataExpireTimestamp=1408962991)))]
> > (Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#107965)(sudoUser=%tuser2)(sudoUser=+*)))]
> > (Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>
> I do not understand why it searches with sudorule objectclass. According to sssd-ldap man page, ldap_sudorule_object_class should default to sudoRole. Jakub or Pavel, any idea?

It is a search against SSSD's local cache where the object class is sudoRule. A correct entry for searching against LDAP server should be in the sss_domain.log

--
/ Alexander Bokovoy
Re: [Freeipa-users] Installing a new Cert
I have 4 installed and I get it when I try to generate the pk12

On Aug 25, 2014 3:50 AM, "Jan Cholasta" <jchol...@redhat.com> wrote:
> Hi,
>
> On 25.8.2014 at 03:04, Chris Whittle wrote:
> > Trying to do this
> > http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> > And I keep getting "Error unable to get local issuer certificate getting chain."
>
> Where are you getting this error? ipa-server-certinstall, or httpd, or somewhere else? What version of ipa do you have installed?
>
> > I'm wondering if it's because of this from the doc "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not either...
>
> In this case you should get a "file.p12 is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" error in ipa-server-certinstall.
>
> > Any ideas?
>
> Honza
>
> --
> Jan Cholasta
Re: [Freeipa-users] users AD can not sudo in centos 6.5
On Mon, Aug 25, 2014 at 12:12:26PM +0200, Dmitri Pal wrote:
> On 08/25/2014 12:01 PM, alireza baghery wrote:
> > hi
> > i integrated AD windows 2008 R2 with IPA server (centos 6.5)
> > i write a sudo policy and access for specified user and host with allow any command.
> > user can execute sudo in centos 7 but when user logs in on centos 6.5 can not execute sudo and get error below
> >
> > user@AD is not in sudoers file.
> >
> > i configure
> > /etc/nsswitch.conf -- sudoers: file sss
> > /etc/sss/sss.conf   service nss, pam,ssh,sudo
> > /etc/sysconfig/network - NISDOMAIN=ad.com
>
> AFAIR there was a bug in 6.5 around sudo and AD users, it has been fixed in fedora but I am not sure it made its way into all distros yet.

Yes, it would be best if you could run both sudo and SSSD with more debugging enabled.

For sudo logs, something like:

    Debug sudo /tmp/sudo_debug all@debug

Should produce pretty verbose logs

SSSD debug_level should be enabled in [sudo] and [domain] sections.
Re: [Freeipa-users] users AD can not sudo in centos 6.5
On (25/08/14 14:31), alireza baghery wrote:
> hi
> i integrated AD windows 2008 R2 with IPA server (centos 6.5)
> i write a sudo policy and access for specified user and host with allow any command.
> user can execute sudo in centos 7 but when user logs in on centos 6.5 can not execute sudo and get error below
>
> user@AD is not in sudoers file.
>
> i configure
> /etc/nsswitch.conf -- sudoers: file sss
> /etc/sss/sss.conf   service nss, pam,ssh,sudo
> /etc/sysconfig/network - NISDOMAIN=ad.com

I would like to see your sssd.conf files. Log files would be helpful as well.

@see slides 18-19
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

LS
Re: [Freeipa-users] sudo with freeIPA
Below is the output from the sss_domain.log when i ran the sudo command as the user. I see things about offline replies and LDAP not working. Is this my problem or is this part of a normal series of items that are tried?

(Mon Aug 25 11:53:23 2014) [sssd[be[server.example.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=107965]
(Mon Aug 25 11:53:23 2014) [sssd[be[server.example.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=tuser2]
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): domain: server.example.com
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): user: tuser2
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): service: sudo
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): ruser: tuser2
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): rhost:
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): authtok size: 23
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): priv: 0
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): cli_pid: 17822
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [check_for_valid_tgt] (0x0080): TGT is valid.
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.server.example.com'
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.server.example.com'
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.example.com: [10.10.26.148] TTL 7200
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_107965_Hfzpn4 if of different type than ccache in configuration file, reusing the old ccache
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [sysdb_cache_auth] (0x0100): Hashes do match!
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, NULL) [Provider is Offline (Authentication service cannot retrieve authentication info)]
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [be_pam_handler_callback] (0x0100): Sending result [9][server.example.com]
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [be_pam_handler_callback] (0x0100): Sent result [9][server.example.com]
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100): domain: server.example.com
(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]] [pam_print_data] (0x0100):
Re: [Freeipa-users] sudo with freeIPA
On Mon, Aug 25, 2014 at 06:51:27AM -0400, Megan . wrote:

Good Morning, I'm very new to freeIPA. I'm running CentOS 6.5 with freeIPA v3. I have the freeIPA server up but I'm working on getting SUDO configured. Currently I'm having problems getting sudo commands to work on the client. I'm a bit unclear if I have everything configured correctly. The only thing that I can figure out might be an issue is, when I try the sudo command I see a filter search with objectclass=sudoRule, but when I check the LDAP server it has objectclass=sudoRole, so there are no results.

These two searches are unrelated. The sudoRule objectclass is what we use internally in the sssd cache. On the LDAP side, sudoRole is used. In general, only the [domain] process works with LDAP data; all others (nss, pam, sudo, ...) work with cached data that might look totally different.

Any ideas? Thank you in advance for any advice.

Can you put debug_level into the domain section as well and increase the debug_level of both to 7?

[tuser2@map1 ~]$ sudo /sbin/iptables -L
Enter RSA PIN+token:
tuser2 is not allowed to run sudo on map1. This incident will be reported.

CLIENT:
yum installed libsss_sudo
I added nisdomainname dir1.server.example.com to /etc/rc.d/rc.local **still not sure what this is for **
Created a sudo user on the ldap server:
ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com

** The config file looks good to me.

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] users AD can not sudo in centos 6.5
On Mon, Aug 25, 2014 at 01:58:41PM +0200, Jakub Hrozek wrote: For sudo logs, something like:

Debug sudo /tmp/sudo_debug all@debug

Should produce pretty verbose logs.

Sorry, I should have said the Debug directive belongs to /etc/sudo.conf.

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] sudo with freeIPA
On Mon, Aug 25, 2014 at 08:02:02AM -0400, Megan . wrote: Below is the output from the sss_domain.log when I ran the sudo command as the user. I see things about offline replies and LDAP not working. Is this my problem or is this part of a normal series of items that are tried?

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.example.com: [10.10.26.148] TTL 7200
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]] [child_sig_handler] (0x0100): child [17823] finished successfully.
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]

It appears your keytab is wrong. Can you run:

kinit -k

as root on that machine? If you prepend KRB5_TRACE you will see a lot of debugging info.

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
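An added example, not code from the thread or from sssd: before running kinit -k it helps to see what the client's keytab actually contains, because "Could not get TGT" from sdap_kinit_done usually means the principal, realm or kvno in /etc/krb5.keytab does not match what the KDC has. The script below parses the MIT keytab file format (version 0x0502), lists every entry with its kvno and enctype, and compares the host principal's kvno against the value the KDC reports (the number printed by `kvno host/<fqdn>` when run with a valid user ticket). The keytab it parses is built in code with dummy key bytes; the host name map1.server.example.com and realm SERVER.EXAMPLE.COM are assumptions based on the names in this thread.

```python
"""List and sanity-check a MIT Kerberos keytab (file format 0x0502).

Added example, not from the mailing-list thread.  The sample keytab is
constructed in code with all-zero dummy keys; nothing here contacts a KDC.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. host/map1.server.example.com@SERVER.EXAMPLE.COM
    kvno: int
    enctype: int
    timestamp: int
    key: bytes


def _octets(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def split_principal(name: str) -> Tuple[str, List[str]]:
    local, _, realm = name.rpartition("@")
    return realm, local.split("/")


def build_keytab(entries: List[KeytabEntry], dead_slot: bytes = b"") -> bytes:
    """Serialise entries in v2 keytab layout; used here only to build test input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        realm, comps = split_principal(e.principal)
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())   # v2: realm not counted
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)        # name_type, time, vno8
        body += struct.pack(">H", e.enctype) + _octets(e.key)             # keyblock
        body += struct.pack(">I", e.kvno)                                 # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    if dead_slot:   # an entry removed with ktremove: negative size, contents ignored
        out += struct.pack(">i", -len(dead_slot)) + dead_slot
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the entry list; skips deleted slots and honours a non-zero 32-bit vno."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        realm, p = _read_octets(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_octets(data, p)
            comps.append(c.decode())
        p += 4                                                # name_type, not needed here
        (ts,) = struct.unpack_from(">I", data, p); p += 4
        vno = data[p]; p += 1                                 # 8-bit vno
        (etype,) = struct.unpack_from(">H", data, p); p += 2
        key, p = _read_octets(data, p)
        if end - p >= 4:                                      # 32-bit vno overrides if non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            vno = vno32 or vno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), vno, etype, ts, key))
        pos = end
    return entries


def check_host_keytab(entries: List[KeytabEntry], fqdn: str, realm: str, kdc_kvno: int) -> List[str]:
    """Problems with the host principal, empty if it looks usable for kinit -k.
    kdc_kvno is what the KDC reports, e.g. the number from `kvno host/<fqdn>`."""
    want = "host/%s@%s" % (fqdn, realm)
    mine = [e for e in entries if e.principal == want]
    if not mine:
        return ["no entry for %s (wrong hostname or realm in the keytab?)" % want]
    return ["%s %s: keytab kvno %d but KDC kvno %d; the keytab is stale"
            % (want, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.kvno, kdc_kvno)
            for e in mine if e.kvno != kdc_kvno]


def demo():
    """Build a two-entry keytab (plus one deleted slot) and check it two ways."""
    key = b"\x00" * 32   # dummy key material, not a real key
    host = "host/map1.server.example.com@SERVER.EXAMPLE.COM"   # assumed names
    kt = build_keytab([KeytabEntry(host, 2, 18, 1408967000, key),
                       KeytabEntry(host, 2, 17, 1408967000, key[:16])], dead_slot=b"\xff" * 12)
    entries = parse_keytab(kt)
    ok = check_host_keytab(entries, "map1.server.example.com", "SERVER.EXAMPLE.COM", 2)
    stale = check_host_keytab(entries, "map1.server.example.com", "SERVER.EXAMPLE.COM", 3)
    return entries, ok, stale
```

On a real client, read /etc/krb5.keytab as root and hand the bytes to parse_keytab; `klist -kte` shows the same principal, kvno and enctype columns if you only want to eyeball them. The point of the kvno comparison is that every time host keys are regenerated on the server the kvno increments, and a keytab left behind with the old number fails exactly like the log above while looking perfectly healthy on disk.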
Re: [Freeipa-users] sudo with freeIPA
ok. Changed debug_level to 7. I already had it in the domain section (first line). Not sure if this makes a difference.

[root@map1 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

from sssd_sudo.log:

(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [tuser2] from [ALL]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [tus...@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [tus...@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [tuser2] from [server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#107965)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp=1408969900)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [default options@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [tuser2] from [ALL]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [tus...@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [tus...@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [tuser2] from [server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#107965)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp=1408969900)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#107965)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [tus...@server.domain.com]
(Mon Aug 25 12:31:42 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

from sssd_server.log:

(Mon Aug 25 12:29:03 2014)
[Freeipa-users] Custom kinit
Hi, I would like to create a script in python that does the same as kinit, and I don't know where to start. I have checked many examples and I guess I need to do some HTTP requests against the server. Is it possible to do that using freeipa? What is the URL? Thanks in advance, Yago -- Yago Fernández Pinilla e-mail: yago...@gmail.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Custom kinit
On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote: Hi, I would like to create a script in python that does the same as kinit, and I don't know where to start. Why do you need this? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Custom kinit
I want to integrate it in another service. Is there any good documentation about the APIs? Thanks in advance On Mon, Aug 25, 2014 at 3:08 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote: Hi, I would like to create a script in python that does the same as kinit, and I don't know where to start. Why do you need this? -- Yago Fernández Pinilla e-mail: yago...@gmail.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Installing a new Cert
I found this but I think it's just IPA certs? http://www.freeipa.org/page/V4/CA_certificate_renewal Basically I want to use my existing wildcard cert for https and ldaps... I did this on my 3.3 install on CentOS but now I'm on a 4 install on Fedora Core. Any help would be more than appreciated! Thanks!

On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote: I have 4 installed and I get it when I try to generate the pk12

On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote: Hi, On 25.8.2014 at 03:04 Chris Whittle wrote: Trying to do this http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP And I keep getting "Error unable to get local issuer certificate getting chain". Where are you getting this error? ipa-server-certinstall, or httpd, or somewhere else? What version of ipa do you have installed? I'm wondering if it's because of this from the doc: "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not be either... In this case you should get a "file.p12 is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" error in ipa-server-certinstall. Any ideas? Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Custom kinit
Yago Fernández Pinilla wrote: I want to integrate it in another service. Is there any good documentation about the APIs? We really need more details in order to help you. The API for IPA is not documented, though once you get the patterns down it is fairly straightforward. This of course is a completely separate issue from kinit in python. What release of IPA on which distro(s) are you looking at? rob Thanks in advance On Mon, Aug 25, 2014 at 3:08 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote: Hi, I would like to create a script in python that does the same as kinit, and I don't know where to start. Why do you need this? -- Yago Fernández Pinilla e-mail: yago...@gmail.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Custom kinit
Yago Fernández Pinilla wrote: I'm using FreeIPA 3.3.5. And according to what I saw, using the API seems to be the best option. For the time being I just want to request tickets and check tickets. Is that possible?

I'm still not sure what it is you're trying to do. It's important to remember that IPA isn't a server itself, it is a collection of services configured to work together towards a common goal (centralized identity). What we add is a management framework on top to (hopefully) make things easier. This is what our API does: it helps you manage users, groups, etc.

A ticket is a Kerberos concept and you would obtain it directly from the KDC. The IPA API is not involved in that case. If that is what you want to do then it involves the python-krbV package, which is difficult at best to use and doesn't implement the entire Kerberos stack. You can though do the equivalent of a kinit using a keytab doing something like:

    import os
    import krbV
    from ipalib import api

    # IPA client initialization, so api.env.host and api.env.realm are populated
    api.bootstrap(context='test')
    api.finalize()

    ccache_file = 'FILE:/tmp/host_ccache'
    krbcontext = krbV.default_context()
    principal = str('host/%s@%s' % (api.env.host, api.env.realm))
    keytab = krbV.Keytab(name='/etc/krb5.keytab', context=krbcontext)
    principal = krbV.Principal(name=principal, context=krbcontext)
    os.environ['KRB5CCNAME'] = ccache_file
    ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=principal)
    ccache.init(principal)
    # obtain the TGT with the host key from the keytab (what kinit -k does)
    ccache.init_creds_keytab(keytab=keytab, principal=principal)

You'll definitely want to do something differently with the ccache file than I'm showing here. I threw in IPA client initialization here so you could use this to prepare to do IPA API calls.

rob

On Mon, Aug 25, 2014 at 3:49 PM, Rob Crittenden rcrit...@redhat.com wrote: Yago Fernández Pinilla wrote: I want to integrate it in another service. Is there any good documentation about the APIs? We really need more details in order to help you. The API for IPA is not documented, though once you get the patterns down it is fairly straightforward. This of course is a completely separate issue from kinit in python. What release of IPA on which distro(s) are you looking at? rob Thanks in advance On Mon, Aug 25, 2014 at 3:08 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote: Hi, I would like to create a script in python that does the same as kinit, and I don't know where to start. Why do you need this? -- Yago Fernández Pinilla e-mail: yago...@gmail.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Installing a new Cert
ok I think I got it again... If anyone is looking for this, here is the answer that worked for me.

Here are the steps:
1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894 -- start at "Convert crt file in PEM format" and do that whole section completely
2. Then with the p12 from above you can do this (skip the line about generating a new one): http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
   1. If you run across the error "/etc/ipa/ca.crt contains more than one certificate" you will need to go into /etc/ipa/ca.crt, back it up and then try removing one of the certs and try ipa-server-certinstall from above again (if it doesn't work, revert ca.crt to the original and then remove the other)
3. Then restart both instances (bottom of the freeipa link) and you should be good to go.

On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle cwhi...@gmail.com wrote: I found this but I think it's just IPA certs? http://www.freeipa.org/page/V4/CA_certificate_renewal Basically I want to use my existing wildcard cert for https and ldaps... I did this on my 3.3 install on CentOS but now I'm on a 4 install on Fedora Core. Any help would be more than appreciated! Thanks! On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote: I have 4 installed and I get it when I try to generate the pk12 On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote: Hi, On 25.8.2014 at 03:04 Chris Whittle wrote: Trying to do this http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP And I keep getting "Error unable to get local issuer certificate getting chain". Where are you getting this error? ipa-server-certinstall, or httpd, or somewhere else? What version of ipa do you have installed? I'm wondering if it's because of this from the doc: "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not be either...
In this case you should get a file.p12 is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file error in ipa-server-certinstall. Any ideas? Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Installing a new Cert
I spoke a little too soon... It's working fine (browser is using the new cert and also ldaps is using the new cert) except when you go to the certs page in the UI. https://DOMAIN/ipa/ui/#/e/cert/search An error has occurred (IPA Error 4301: CertificateOperationError) Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)

On Mon, Aug 25, 2014 at 1:34 PM, Chris Whittle cwhi...@gmail.com wrote: ok I think I got it again... If anyone is looking for this, here is the answer that worked for me. Here are the steps: 1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894 -- start at "Convert crt file in PEM format" and do that whole section completely 2. Then with the p12 from above you can do this (skip the line about generating a new one): http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP 1. If you run across the error "/etc/ipa/ca.crt contains more than one certificate" you will need to go into /etc/ipa/ca.crt, back it up and then try removing one of the certs and try ipa-server-certinstall from above again (if it doesn't work, revert ca.crt to the original and then remove the other) 3. Then restart both instances (bottom of the freeipa link) and you should be good to go. On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle cwhi...@gmail.com wrote: I found this but I think it's just IPA certs? http://www.freeipa.org/page/V4/CA_certificate_renewal Basically I want to use my existing wildcard cert for https and ldaps... I did this on my 3.3 install on CentOS but now I'm on a 4 install on Fedora Core. Any help would be more than appreciated! Thanks!
On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote: I have 4 installed and I get it when I try to generate the pk12 On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote: Hi, On 25.8.2014 at 03:04 Chris Whittle wrote: Trying to do this http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP And I keep getting "Error unable to get local issuer certificate getting chain". Where are you getting this error? ipa-server-certinstall, or httpd, or somewhere else? What version of ipa do you have installed? I'm wondering if it's because of this from the doc: "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." but it might not be either... In this case you should get a "file.p12 is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" error in ipa-server-certinstall. Any ideas? Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] sudo with freeIPA
Hi Megan,

I had the same problem with CENTOS 6.5 and free-ipa. I did a ton of searching, and IIRC the conclusion was a bug in that version of sssd. I don't remember all of the details, however I do remember the work around.

Create a system account (in this case I called it sudo). Create or edit the following file, /etc/sudo-ldap.conf:

## BINDDN DN
## The BINDDN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing LDAP operations. If not specified, LDAP operations are performed with an anonymous identity. By default, most LDAP servers will allow anonymous access.
##
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com

## BINDPW secret
## The BINDPW parameter specifies the password to use when performing LDAP operations. This is typically used in conjunction with the BINDDN parameter.
##
bindpw ${obfusticated}

## SSL start_tls
## If the SSL parameter is set to start_tls, the LDAP server connection is initiated normally and TLS encryption is begun before the bind credentials are sent. This has the advantage of not requiring a dedicated port for encrypted communications. This parameter is only supported by LDAP servers that honor the start_tls extension, such as the OpenLDAP and Tivoli Directory servers.
##
ssl start_tls

## TLS_CACERTFILE file name
## The path to a certificate authority bundle which contains the certificates for all the Certificate Authorities the client knows to be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only supported by the OpenLDAP libraries. Netscape-derived LDAP libraries use the same certificate database for CA and client certificates (see TLS_CERT).
##
tls_cacertfile /etc/ipa/ca.crt

## TLS_CHECKPEER on/true/yes/off/false/no
## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certificate to be verified. If the server's TLS certificate cannot be verified (usually because it is signed by an unknown certificate authority), sudo will be unable to connect to it. If TLS_CHECKPEER is disabled, no check is made. Note that disabling the check creates an opportunity for man-in-the-middle attacks since the server's identity will not be authenticated. If possible, the CA's certificate should be installed locally so it can be verified. This option is not supported by the Tivoli Directory Server LDAP libraries.
tls_checkpeer yes

##
## URI ldap[s]://[hostname[:port]] ...
## Specifies a whitespace-delimited list of one or more URIs describing the LDAP server(s) to connect to.
##
uri ldap://freeipaserver1 ldap://freeipaserver2

##
## SUDOERS_BASE base
## The base DN to use when performing sudo LDAP queries. Multiple SUDOERS_BASE lines may be specified, in which case they are queried in the order specified.
##
sudoers_base ou=sudoers,dc=domain,dc=com

##
## BIND_TIMELIMIT seconds
## The BIND_TIMELIMIT parameter specifies the amount of time to wait while trying to connect to an LDAP server.
##
#bind_timelimit 30

##
## TIMELIMIT seconds
## The TIMELIMIT parameter specifies the amount of time to wait for a response to an LDAP query.
##
#timelimit 30

##
## SUDOERS_DEBUG debug_level
## This sets the debug level for sudo LDAP queries. Debugging information is printed to the standard error. A value of 1 results in a moderate amount of debugging information. A value of 2 shows the results of the matches themselves.
##
sudoers_debug 0

And in your nsswitch.conf change the sudoers line to:

sudoers: files ldap sss

On a side note, setting the nisdomain parameter in rc.local is a hack at best. This should be set, on a Red Hat based system (RHEL, CENTOS, etc), in /etc/sysconfig/network, and should look like NISDOMAIN=your.domain.here. The professionals may say otherwise on switching to ldap based auth/sudo access, and I will learn something.

At least this gets you up and running until an actual solution is found. As I stated earlier, I believe I had found a bug report on this, I am just having a hard time finding it again.

Thanks,
Bill

On Mon Aug 25 05:33:51 2014, Megan . wrote: ok. Changed debug_level to 7. I already had it in the domain section (first line). Not sure if this makes a difference.

[root@map1 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok
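The workaround above makes sudo bind to LDAP on its own, outside sssd, so the settings in /etc/sudo-ldap.conf decide whether the bind password and the rule lookups are protected. The script below is an added example, not code from the thread or from sudo: it parses sudoers.ldap(5)-style "key value" lines and reports the weak settings a reviewer would look for (cleartext ldap:// with no start_tls, tls_checkpeer not enabled, no CA bundle, a bindpw in a file readable by others). The two configurations it audits are constructed here, reusing the host and DN names from the workaround; the file mode is passed in as a number because the constructed text has no file behind it.

```python
"""Audit an /etc/sudo-ldap.conf for cleartext binds, unverified TLS and an
exposed bindpw.  Added example, not from the thread; both configs below are
constructed for the demonstration."""
from typing import Dict, List, Optional

WEAK_CONF = """\
# constructed example of a first attempt: no TLS, peer check off
uri ldap://freeipaserver1 ldap://freeipaserver2
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
bindpw secret
sudoers_base ou=sudoers,dc=domain,dc=com
tls_checkpeer no
"""

HARDENED_CONF = """\
# constructed example with the settings from the workaround above
uri ldap://freeipaserver1 ldap://freeipaserver2
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
bindpw secret
sudoers_base ou=sudoers,dc=domain,dc=com
sudoers_debug 0
"""

_TRUE = ("on", "yes", "true")


def parse_sudo_ldap_conf(text: str) -> Dict[str, List[str]]:
    """'key value' per line; '#' lines are comments; keys are case-insensitive
    and may repeat (uri, sudoers_base), so every key maps to a list of values."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_sudo_ldap_conf(text: str, file_mode: Optional[int] = None) -> List[str]:
    """Return human-readable findings; empty means nothing obviously wrong.
    file_mode is the permission bits of the file (e.g. 0o600) when known."""
    conf = parse_sudo_ldap_conf(text)
    findings: List[str] = []
    uris = " ".join(conf.get("uri", [])).split()
    ssl_mode = (conf.get("ssl") or ["off"])[-1].lower()     # on/yes/true = ldaps, start_tls = StartTLS
    tls_in_use = ssl_mode in _TRUE + ("start_tls",)
    plain = [u for u in uris if u.lower().startswith("ldap://")]
    ldaps = [u for u in uris if u.lower().startswith("ldaps://")]

    if not uris:
        findings.append("no uri configured")
    if plain and not tls_in_use:
        findings.append("cleartext LDAP to %s with no 'ssl start_tls': the bindpw and every "
                        "sudo rule lookup cross the wire unencrypted" % ", ".join(plain))
    if tls_in_use or ldaps:
        if (conf.get("tls_checkpeer") or ["no"])[-1].lower() not in _TRUE:
            findings.append("tls_checkpeer is not enabled: the server certificate is not "
                            "verified, so a man-in-the-middle can hand sudo its own rules")
        if not (conf.get("tls_cacertfile") or conf.get("tls_cacert")):
            findings.append("no tls_cacertfile: no trust anchor to verify the server "
                            "against (FreeIPA clients have one at /etc/ipa/ca.crt)")
    if "bindpw" in conf and file_mode is not None and file_mode & 0o077:
        findings.append("bindpw is present but file mode %s lets group/other read it"
                        % oct(file_mode))
    return findings
```

sudo reads this file as root, so a 0600 root-owned file is enough for the password; the checks that matter more are the TLS ones, because a rule lookup over an unauthenticated channel lets whoever controls the path to the directory decide who may run what.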
[Freeipa-users] Cert Renewal
I have an IPA setup, one master, one replica; originally installed as v 2.x and later updated to v 3.0. For whatever reasons, the certs did not automatically renew and the services would no longer start. I updated the certs manually on the master using the procedure shown at: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal The master is now functioning properly. At this point, the IPA service is still stopped on the replica. I hesitate to start it for concern it could interfere with the now-working master. What would be the recommended method for returning the replica to service? Thanks for your help. Dennis -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Cert Renewal
Ott, Dennis wrote: I have an IPA setup, one master, one replica; originally installed as v 2.x and later updated to v 3.0. For whatever reasons, the certs did not automatically renew and the services would no longer start. I updated the certs manually on the master using the procedure shown at: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal The master is now functioning properly. At this point, the IPA service is still stopped on the replica. I hesitate to start it for concern it could interfere with the now-working master. What would be the recommended method for returning the replica to service?

It depends on the replica. Does it also run a CA? If not then you can try restarting the certmonger service. This should cause it to fetch new certificates for the other IPA servers. ipa-getcert list will show you the status; wait until they are all MONITORING. Once that works then you can safely restart the world. Any changes on the master will be replicated out, and vice versa.

rob

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
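The "wait until they are all MONITORING" step is easy to get wrong by eye on a server tracking a dozen certificates, so here is an added example, not code from the thread or from certmonger, that turns it into a check: it parses the text `ipa-getcert list` prints and reports every tracked request that is not in MONITORING, is marked stuck, or whose certificate is already past its expiry date (the situation Dennis describes, where renewal silently did not happen). The sample output is constructed by hand in the shape getcert prints (only the "Request ID", "status", "stuck" and "expires" lines are used); the request IDs, subjects and dates are made up.

```python
"""Report tracked certmonger requests that are not yet healthy, from the
output of `ipa-getcert list`.  Added example; the sample output below is
constructed and only mimics the lines this parser needs."""
import re
from datetime import datetime
from typing import Dict, List

GETCERT_SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140825120001':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=dir1.server.example.com,O=SERVER.EXAMPLE.COM
\texpires: 2016-08-25 12:00:01 UTC
Request ID '20140825120002':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tCA: IPA
\tsubject: CN=dir1.server.example.com,O=SERVER.EXAMPLE.COM
\texpires: 2014-08-20 09:15:00 UTC
Request ID '20140825120003':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=dir1.server.example.com,O=SERVER.EXAMPLE.COM
\texpires: 2014-08-01 00:00:00 UTC
"""

_REQ = re.compile(r"^Request ID '([^']+)':")
_TIME_FMT = "%Y-%m-%d %H:%M:%S %Z"   # getcert prints expiry like "2016-08-25 12:00:01 UTC"


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """One dict per tracked request; indented 'key: value' lines become its keys."""
    reqs: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _REQ.match(line)
        if m:
            reqs.append({"id": m.group(1)})
        elif reqs and line[:1] in ("\t", " ") and ":" in line:
            key, _, value = line.strip().partition(":")
            reqs[-1][key.strip()] = value.strip()
    return reqs


def not_ready(reqs: List[Dict[str, str]], now_utc: str) -> Dict[str, List[str]]:
    """Map request id -> reasons it should block a restart: any status other
    than MONITORING, a stuck request, or a certificate already expired at
    now_utc (given in the same format getcert uses)."""
    now = datetime.strptime(now_utc, _TIME_FMT)
    out: Dict[str, List[str]] = {}
    for r in reqs:
        why = []
        if r.get("status") != "MONITORING":
            why.append("status %s" % r.get("status", "?"))
        if r.get("stuck", "no") != "no":
            why.append("stuck")
        exp = r.get("expires")
        if exp and datetime.strptime(exp, _TIME_FMT) <= now:
            why.append("expired " + exp)
        if why:
            out[r["id"]] = why
    return out


def all_monitoring(text: str, now_utc: str) -> bool:
    """True when every tracked request is MONITORING, unstuck and unexpired."""
    return not not_ready(parse_getcert_list(text), now_utc)
```

On a live replica, feed it the real output (`ipa-getcert list` run as root, with the current time in the same UTC format) in a loop after restarting certmonger, and only restart the IPA services once not_ready comes back empty; a request that sits in CA_UNREACHABLE while the master is up usually points at the replica's own expired certificates blocking the connection it needs to renew them.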
[Freeipa-users] Fedora Core IPTables or FirewallID?
I've got my server up and running great with one exception every time I reboot I have to login and flush the iptables or nothing can connect. I've found a ton of fixes and none seem to work, I'm on FC20 does anyone have experience with it and wouldn't mind helping? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project