Re: [Freeipa-users] freeipa / sudo
> What command did you use to get sudo options working please? I noticed from the mail below that you have Sudo Option: !authenticate. I am having trouble getting that working.

The first issue is what version of FreeIPA you are using. Before version 4, sudo rules don't work without some manual setup on the client: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-sudo-clients.html#example-configuring-sudo-sss

If the client is set up correctly, then I found issues with sssd caching, and in particular the sss_cache command doesn't invalidate the cache of sudo rules yet. Once I reduced the default cache time for sssd I could see my sudo rule changes working on the client.

I also had a problem with using host groups as part of the sudo rule, and this was down to the netgroup seen by the client having fully-qualified host names, while the hostname command on the client was only returning the short hostname - but this was down to the way OpenStack creates instances by default, not an issue with FreeIPA per se.

Chris

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] strange problem - IPA related?
On 15.12.2014 19:28, Janelle wrote:
> Hi all.. Not sure if this is IPA related, but here it is:
> 1. IPA 4.1.2 install on CentOS 7
> 2. IPA 4.1.2 install on Fedora 21
> So both systems are systemd based - the Fedora system reboots in less than 30 seconds. The CentOS system reboots and has strange timers showing that it is waiting on various targets and services -- having trouble tracking it down, but the bottom line is the CentOS 7 box takes almost 10-15 minutes to reboot. Thoughts? Ideas??
> I know there is something in the startup that seems to MAYBE be related to the fedora-domain vs rhel-domain settings in some of the IPA python scripts -- or maybe not. Just thought I would see if anyone else is seeing something like this.
> ~J

You are probably hitting: https://bugzilla.redhat.com/show_bug.cgi?id=1071969

For me this resulted in systemd error messages on bootup and slowed the boot to 15-20 min. Applying the following patch corrected this: https://git.fedorahosted.org/cgit/initscripts.git/commit/?h=rhel7-branch&id=3deb3b3c177dd24b22cf912cd798aeaa7e35d30b

I guess this is fixed in RHEL 7.1.

Best regards
Patrick

-- 
Lobster SCM GmbH, Hindenburgstraße 15, D-82343 Pöcking
HRB 178831, Amtsgericht München
Geschäftsführer: Dr. Martin Fischer, Rolf Henrich
[Freeipa-users] Certificate Authorities requirement for Cross realm trust?
In the Windows Integration Guide the need for a CA is mentioned:

"Both Active Directory and Identity Management must be configured with integrated certificate services."
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#trust-requirements

I cannot install CA-less IPA if I want to create a cross-realm trust? If so, why? As far as I understand, the trust is Kerberos based.
Re: [Freeipa-users] Certificate Authorities requirement for Cross realm trust?
On Tue, Dec 16, 2014 at 11:28:47AM +0200, Genadi Postrilko wrote:
> In the Windows Integration Guide the need for a CA is mentioned:
> "Both Active Directory and Identity Management must be configured with integrated certificate services."
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#trust-requirements
> I cannot install CA-less IPA if I want to create a cross-realm trust? If so, why? As far as I understand, the trust is Kerberos based.

Thank you for the feedback. You are correct, CAs are not needed to create a trust. I guess the CA requirement (at least on the Windows side) came from a time where we might have wanted to look up some data in AD which required an authenticated connection, and we only wanted to use LDAPS/StartTLS for this.

There is ongoing work to improve the Windows Integration Guide; I added a note so that your comment won't get lost.

bye,
Sumit
Re: [Freeipa-users] strange problem - IPA related?
That is indeed what it was -- thank you so much. Now they both boot in about 60 seconds. Gosh, keeping up with all the little annoyances is indeed a full-time job. The team is doing great with the product and I truly appreciate all the work and quick responses on the mailing list.

~J

On 12/16/14 12:19 AM, Patrick Hurrelmann wrote:
> On 15.12.2014 19:28, Janelle wrote:
> > Hi all.. Not sure if this is IPA related, but here it is:
> > 1. IPA 4.1.2 install on CentOS 7
> > 2. IPA 4.1.2 install on Fedora 21
> > So both systems are systemd based - the Fedora system reboots in less than 30 seconds. The CentOS system reboots and has strange timers showing that it is waiting on various targets and services -- having trouble tracking it down, but the bottom line is the CentOS 7 box takes almost 10-15 minutes to reboot. Thoughts? Ideas??
> > I know there is something in the startup that seems to MAYBE be related to the fedora-domain vs rhel-domain settings in some of the IPA python scripts -- or maybe not. Just thought I would see if anyone else is seeing something like this.
> > ~J
>
> You are probably hitting: https://bugzilla.redhat.com/show_bug.cgi?id=1071969
> For me this resulted in systemd error messages on bootup and slowed the boot to 15-20 min. Applying the following patch corrected this: https://git.fedorahosted.org/cgit/initscripts.git/commit/?h=rhel7-branch&id=3deb3b3c177dd24b22cf912cd798aeaa7e35d30b
> I guess this is fixed in RHEL 7.1.
>
> Best regards
> Patrick
Re: [Freeipa-users] 3.0.0-42 Replication issue after Centos6.5-6.6 upgrade
Hi,

On Mon, 15 Dec 2014, dbisc...@hrz.uni-kassel.de wrote:
> On Tue, 25 Nov 2014, Rich Megginson wrote:
> > On 11/25/2014 12:32 PM, dbisc...@hrz.uni-kassel.de wrote:
> > > With the help of Thierry and Rich I managed to debug the running ns-slapd on Server1 (see below). The failing attempt of decoding the SASL data returns a not very fruitful -1 (SASL_FAIL, generic failure). Any ideas?
> > > Short summary:
> > > Server1 = running IPA server
> > > Server2 = intended IPA replica
> > > Both machines run the exact same, up-to-date version of CentOS 6.6. However: I had to run ipa-replica-install _without_ the option --setup-ca (didn't work, installation failed with some obscure Perl error), so there's no ns-slapd instance running for PKI-IPA. May this be related?
> > [...]
> > At this point, it's going to take more than a trivial amount of high-latency back-and-forth on the mailing lists. I think we have probably run out of log levels for you to try. Please open a ticket against IPA. While this may turn out to be a bug in 389, at the moment it is only reproducible in your IPA environment.
> [...]
> I've opened Ticket #4807 https://fedorahosted.org/freeipa/ticket/4807 on this issue.

Problem resolved, increasing nsslapd-sasl-max-buffer-size to 2MB did it.

I administer 2 very small installations, with ~20 users and ~10 hosts each. If this happens with installations like mine, the default for new installations should probably be raised in the next 3.0.0 update package.

I've closed the ticket. Thank you for your support.

Mit freundlichen Gruessen/With best regards,
--Daniel.
Re: [Freeipa-users] Freeipa-users Digest, Vol 77, Issue 15
On Fri, Dec 5, 2014 at 12:26 PM, freeipa-users-requ...@redhat.com wrote:
> Send Freeipa-users mailing list submissions to freeipa-users@redhat.com
> To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/freeipa-users or, via email, send a message with subject or body 'help' to freeipa-users-requ...@redhat.com
> You can reach the person managing the list at freeipa-users-ow...@redhat.com
> When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..."
>
> Today's Topics:
> 1. ad trust and default_domain_suffix (Nicolas Zin)
> 2. Re: ad trust and default_domain_suffix (Nicolas Zin)
> 3. Re: strange error - disconnecting a replica? (Martin Kosek)
> 4. Re: strange error - disconnecting a replica? (thierry bordaz)
> 5. Re: strange error - disconnecting a replica? (thierry bordaz)
> 6. Re: strange error - disconnecting a replica? (Martin Kosek)
> 7. Re: Cross-Realm authentification (Andreas Ladanyi)
>
> --
> Message: 1
> Date: Thu, 4 Dec 2014 12:49:36 -0500 (EST)
> From: Nicolas Zin nicolas@savoirfairelinux.com
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] ad trust and default_domain_suffix
> Message-ID: 227542639.160677.1417715376443.JavaMail.root@mail
> Content-Type: text/plain; charset=utf-8
>
> Hi,
> I have an IDM (v3.3) installed on a Redhat7. I have an IDM realm connected to an AD via a trust relationship. In the IDM realm there are Redhat6 and Redhat5 clients. My client asks to be able to connect to the Linux machines with their AD account without entering their domain (just username). On Redhat 6 there is an option for sssd (default_domain_suffix=) which seems to be exactly what I need, but I have a problem. If I use this option, I can indeed login with my AD username without the domain name, but I cannot login with my Linux IDM username anymore, even if I use my fully qualified username@realm.
>
> In the middle of the PAM authentication it seems to fail (when I ssh to the machine with ssh server -l admin@realm, I get "Write failed: Broken pipe"). If needed I can send more logs. I reproduced the problem in a simpler environment: just a Linux realm, and default_domain_suffix set to a nonexistent domain, and again I cannot ssh to my server with my fully qualified username@realm.
>
> Here is my sssd.conf:
>
> [domain/idm1]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = idm1
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = dc.idm1
> chpass_provider = ipa
> ipa_server = dc.idm1
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = idm1
> default_domain_suffix=toto.com
>
> [nss]
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
>
> Here is my krb5.conf:
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = IDM1
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> default_ccache_name = KEYRING:persistent:%{uid}
> ignore_acceptor_hostname = true
>
> [realms]
> IDM1 = {
> kdc = dc.idm1:88
> master_kdc = dc.idm1:88
> admin_server = dc.idm1:749
> default_domain = idm1
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .idm1 = IDM1
> idm1 = IDM1
>
> [dbmodules]
> IDM1 = {
> db_library = ipadb.so
> }
>
> Is there something to add to make it work?
>
> Side note: also with Redhat5, which is configured following ipa-advise sssd-before-1.9, the default_domain_suffix is not understood with sssd 1.9. Is there a way to force RHEL5 to let my Windows users connect without entering their domain? I don't know if there is a way to tune the compatibility tree returned by the LDAP server, for example. Or should I try to compile sssd 1.9 for RHEL5? (but I guess this is easier said than done) or isn't it worth it? (incompatibility with Kerberos, or with the RHEL5 kernel?)
>
> Regards,
> Nicolas Zin
>
> --
> Message: 2
> Date: Thu, 4 Dec 2014 16:53:00 -0500 (EST)
> From: Nicolas Zin nicolas@savoirfairelinux.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ad trust and default_domain_suffix
> Message-ID: 992955671.305465.1417729980028.JavaMail.root@mail
> Content-Type: text/plain; charset=utf-8
>
> I answer to myself. (but my problem is not resolved)
>
> ----- Original message -----
> From: Nicolas Zin nicolas@savoirfairelinux.com
> To: freeipa-users@redhat.com
> Sent: Thursday, 4 December 2014 18:49:36
> Subject: [Freeipa-users] ad trust and default_domain_suffix
>
> Hi,
> I have an IDM (v3.3) installed on a Redhat7. I have an IDM realm connected to an AD via a trust relationship. In the IDM realm there are Redhat6 and
[Freeipa-users] ldapsearch queries for audit
All,

We are running the following versions on RHEL 6.6:
ipa-server.x86_64 3.0.0-42.el6
389-ds.noarch 1.2.2-1.el6

I'm not very experienced with ldapsearch and would greatly appreciate some guidance. I'd like to run some ldapsearches that will return access information for specific hosts. For example, I'd like to return what users have access to 'host x' and what sudo rules are available to these users.

Any assistance is appreciated.

TIA,
Herb
Re: [Freeipa-users] ldapsearch queries for audit
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Herb Burnswell
Sent: Tuesday, December 16, 2014 12:32 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] ldapsearch queries for audit

> All,
> We are running the following versions on RHEL 6.6:
> ipa-server.x86_64 3.0.0-42.el6
> 389-ds.noarch 1.2.2-1.el6
> I'm not very experienced with ldapsearch and would greatly appreciate some guidance. I'd like to run some ldapsearches that will return access information for specific hosts. For example, I'd like to return what users have access to 'host x' and what sudo rules are available to these users.
> Any assistance is appreciated.
> TIA,
> Herb

Herb,

I am sure that some if not all of that can be derived via LDAP, but I have found this info is much more easily returned via IPA commands.

ipa hostgroup-show $SOME_HOSTGROUP

Craig
Re: [Freeipa-users] ldapsearch queries for audit
Craig,

Thank you for the reply. Running ipa hostgroup-show does not appear to provide specific information about individual users. Also, ideally I'd like to see if I can gather the actual sudo rules that one would see in an /etc/sudoers file for the specific hosts. I'll investigate if the IPA commands can provide more.

Thanks,
Herb

On Tue, Dec 16, 2014 at 11:47 AM, Craig White cwh...@skytouchtechnology.com wrote:
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Herb Burnswell
> Sent: Tuesday, December 16, 2014 12:32 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] ldapsearch queries for audit
>
> > All,
> > We are running the following versions on RHEL 6.6:
> > ipa-server.x86_64 3.0.0-42.el6
> > 389-ds.noarch 1.2.2-1.el6
> > I'm not very experienced with ldapsearch and would greatly appreciate some guidance. I'd like to run some ldapsearches that will return access information for specific hosts. For example, I'd like to return what users have access to 'host x' and what sudo rules are available to these users.
> > Any assistance is appreciated.
> > TIA,
> > Herb
>
> Herb,
> I am sure that some if not all of that can be derived via LDAP, but I have found this info is much more easily returned via IPA commands.
> ipa hostgroup-show $SOME_HOSTGROUP
> Craig
Re: [Freeipa-users] Clients in multiple domains, any known issues?
On 12/16/2014 02:24 AM, Eivind Olsen wrote:
> Hello.
> I have so far been running IPA on RHEL6, with a single domain (and a matching realm). I now have a use-case where it looks like I'll need to set up a new IPA realm, with the IPA servers in one DNS domain and the IPA clients in multiple (2-4) other domains. The servers will be running RHEL6 or RHEL7 with the bundled IPA. The clients are running mainly RHEL5 and RHEL6, and have hostnames that don't exist in DNS.

So how would these hosts be resolved? If you want them to be integrated with IPA using SSSD they need to be resolvable by the server, which would require some kind of DNS entry. If you plan to use older tools on those clients like nss-pam-ldap I do not think there will be an issue, but then you lose a lot of the value of IPA/SSSD.

> Are there any known issues with this type of setup? I know, it sounds a bit hairy, but apart from that? :)
> Regards
> Eivind Olsen

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] ldapsearch queries for audit
On 12/16/2014 02:31 PM, Herb Burnswell wrote:
> All,
> We are running the following versions on RHEL 6.6:
> ipa-server.x86_64 3.0.0-42.el6
> 389-ds.noarch 1.2.2-1.el6
> I'm not very experienced with ldapsearch and would greatly appreciate some guidance. I'd like to run some ldapsearches that will return access information for specific hosts. For example, I'd like to return what users have access to 'host x' and what sudo rules are available to these users.

This would be a pretty complex query.

For users you might want to explore HBAC test. That allows checking if a specific user has access to a host. I do not think there is something in reverse, meaning which users can access a host. There is an HBAC library used on the client or by the tool that helps to collect all the data and do the evaluation. Maybe calling it or its bindings would be more helpful.

For sudo I think we need to have a similar tool that would resolve what commands a user can run on a given host. I could not find a ticket. I thought there was one on the IPA side.

In the absence of these tools you would have to join several LDAP searches.

> Any assistance is appreciated.
> TIA,
> Herb

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
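Herb's question (sudoers-style output per host) and Dmitri's answer (several searches have to be joined) both point at the sudo compat tree, ou=sudoers under the IPA suffix, where the server already renders sudo rules as flat sudoRole entries for clients. The script below is an added example and not code from this thread or from the FreeIPA project: it prints the ldapsearch a client would issue for one host and then converts sudoRole LDIF into /etc/sudoers-style lines. The suffix, host names and the LDIF sample are constructed; the script runs offline against that sample. It also covers the "Sudo Option: !authenticate" seen in the first message of this page, which is the LDAP form of the sudoers NOPASSWD tag.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders sudoRole entries from the
# FreeIPA sudo compat tree (ou=sudoers,<suffix>) as /etc/sudoers-style lines
# for one host, which is the view a client reads. The suffix, host names and
# the LDIF sample below are constructed for the demonstration.

SUFFIX='dc=example,dc=com'   # constructed; substitute your IPA base DN

# The search a client issues for one host: entries whose sudoHost is the host
# itself or ALL. Printed instead of executed so the script runs offline.
sudo_query_for_host() {
    printf 'ldapsearch -Y GSSAPI -b "ou=sudoers,%s" "(&(objectClass=sudoRole)(|(sudoHost=%s)(sudoHost=ALL)))" sudoUser sudoHost sudoRunAsUser sudoCommand sudoOption\n' "$SUFFIX" "$1"
}

# Constructed sample of what that search returns (LDIF, one attribute per line).
SAMPLE_LDIF='dn: cn=admins_all,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: admins_all
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=web_restart,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: web_restart
sudoUser: alice
sudoUser: bob
sudoHost: web1.example.com
sudoRunAsUser: root
sudoCommand: /usr/bin/systemctl restart httpd

dn: cn=db_backup,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: db_backup
sudoUser: carol
sudoHost: db1.example.com
sudoCommand: /usr/local/bin/pg_backup'

# Read LDIF on stdin, keep entries that apply to the host given as $1, and
# print one sudoers line per sudoUser. "sudoOption: !authenticate" is the LDAP
# form of the NOPASSWD tag, so it is rendered that way; a missing sudoRunAsUser
# means ALL, as in sudoers. One sudoHost value per entry is assumed.
sudo_ldif_to_sudoers() {
    awk -v target="$1" '
    function flush(   i, runas, tag, cmds) {
        if (dn == "") return
        if (host == "ALL" || host == target) {
            runas = (nrun > 0) ? run[1] : "ALL"
            tag = nopasswd ? "NOPASSWD: " : ""
            cmds = ""
            for (i = 1; i <= ncmd; i++) cmds = cmds (i > 1 ? ", " : "") cmd[i]
            for (i = 1; i <= nuser; i++)
                printf "%s %s = (%s) %s%s\n", user[i], host, runas, tag, cmds
        }
        dn = ""; host = "ALL"; nuser = 0; ncmd = 0; nrun = 0; nopasswd = 0
    }
    /^dn: /            { flush(); dn = substr($0, 5); host = "ALL" }
    /^sudoUser: /      { user[++nuser] = substr($0, 11) }
    /^sudoHost: /      { host = substr($0, 11) }
    /^sudoRunAsUser: / { run[++nrun] = substr($0, 16) }
    /^sudoCommand: /   { cmd[++ncmd] = substr($0, 14) }
    /^sudoOption: !authenticate$/ { nopasswd = 1 }
    END { flush() }'
}

# Stand-alone run: show the query, then the rules web1 would see.
sudo_query_for_host web1.example.com
printf '%s\n' "$SAMPLE_LDIF" | sudo_ldif_to_sudoers web1.example.com
```

Against the sample, web1.example.com gets the group rule for %admins plus the two per-user httpd-restart lines, while db1.example.com gets the %admins rule and carol's backup command. Replace the printed ldapsearch with a real one (run as a principal allowed to read the compat tree) and pipe its output into sudo_ldif_to_sudoers to get the per-host view Herb asked for; the same shape of search, over cn=hbac with objectClass ipaHBACRule, gives the raw material for the user-access half of the audit.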
Re: [Freeipa-users] trust non-IPA certificate client
On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram sbing...@gmail.com wrote:
> I have one client using a certificate issued by a third-party provider, such that any secure (TLS) LDAP queries are refused since the certificates were not issued by IPA. Since there are only a few clients with foreign certificates, can the CA simply be added to the NSS database used by the 389 directory server so IPA will establish a secure connection with them?

I should have added: or do I have to somehow add the certificate to the IPA directory?