[Freeipa-users] freeipa authentication token manipulation error

2015-01-11 Thread Rakesh Rajasekharan
Hi,

I am having some issues with FreeIPA. Whenever I change the password for
any user, he is not able to change the password, and he gets the error
"authentication token manipulation error":

Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error


I was able to get this running on another environment; not sure what went
wrong here.

I have migrated my existing users from OpenLDAP.

Thanks,
Rakesh
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-11 Thread John Obaterspok
2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:

> To get the whole root environment you have to run
> su - root
> did you try with it?


ahh... that works fine Gianluca!

Final question, if I have a file on the share like:
 [john@ipaserver mountpoint]$ ll test.txt
 -rwxr-. 1 root admins 12 11 jan 10.42 test.txt

Should I be able to access it if I acquire an admin ticket? Currently I get
Permission denied.

[john@ipaserver mountpoint]$ id
uid=143444(john) gid=143444(john) grupper=143444(john)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[john@ipaserver mountpoint]$ getfacl test.txt
# file: test.txt
# owner: root
# group: admins
user::rwx
group::r--
other::---

[john@ipaserver mountpoint]$ id admin
uid=143440(admin) gid=143440(admins) groups=143440(admins)

[john@ipaserver mountpoint]$ klist
Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
Default principal: ad...@my.lan

Valid starting   Expires  Service principal
2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan

[john@ipaserver mountpoint]$ cat test.txt
cat: test.txt: Permission denied

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-11 Thread Jakub Hrozek
On Sun, Jan 11, 2015 at 02:31:26PM +0530, Rakesh Rajasekharan wrote:
> Hi,
>
> I am having some issues with FreeIPA. Whenever I change the password for
> any user, he is not able to change the password, and he gets the error
> "authentication token manipulation error":
>
> Changing password for user hq-testuser.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
>
> I was able to get this running on another environment; not sure what went
> wrong here.
>
> I have migrated my existing users from OpenLDAP.
>
> Thanks,
> Rakesh

What is the sssd version?

Is the password changed despite the error (you can test with kinit and
either the new or the old password)?

Increasing sssd log verbosity and checking krb5_child.log might help,
too.

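The two checks suggested in the reply above, raising SSSD's log verbosity and then reading krb5_child.log, start with an edit to sssd.conf. The following is an added example (not code from the thread, nor from the SSSD or FreeIPA projects) that sets `debug_level` in every `[domain/...]` section of a config text while leaving comments and option order intact; the sample config and the level 6 are this example's own choices.

```python
"""Raise SSSD log verbosity in the [domain/...] sections of an sssd.conf.

Added example for this thread, not code from the SSSD or FreeIPA projects.
A plain line-based edit keeps comments and option order intact, which a
configparser round-trip would not. Work on a copy first; the real file is
/etc/sssd/sssd.conf (root-owned, mode 0600), and SSSD must be restarted
before /var/log/sssd/krb5_child.log becomes more verbose. Level 6 below is
this example's choice, not a value taken from the thread.
"""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
DEBUG_RE = re.compile(r"^\s*debug_level\s*=\s*(?P<value>\S+)")


def get_debug_levels(text):
    """Map every section name to its debug_level value (None when unset)."""
    levels = {}
    current = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            levels.setdefault(current, None)
            continue
        option = DEBUG_RE.match(line)
        if option and current is not None:
            levels[current] = option.group("value")
    return levels


def set_debug_level(text, level=6, section_prefix="domain/"):
    """Return text with `debug_level = <level>` in each section whose name
    starts with section_prefix: an existing line is replaced in place, a
    missing one is added directly under the section header."""
    existing = get_debug_levels(text)
    out = []
    current = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            out.append(line)
            if current.startswith(section_prefix) and existing[current] is None:
                out.append(f"debug_level = {level}")
            continue
        if (current is not None and current.startswith(section_prefix)
                and DEBUG_RE.match(line)):
            out.append(f"debug_level = {level}")  # replace, keep position
            continue
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample in the shape ipa-client-install leaves behind.
SAMPLE_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
domains = my.lan

[domain/my.lan]
# already at the default (quiet) level
debug_level = 0
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipaserver.my.lan

[nss]
homedir_substring = /home
"""

if __name__ == "__main__":
    # After writing the result back: restart sssd, reproduce the passwd
    # failure, then read /var/log/sssd/krb5_child.log. Whether the password
    # actually changed is checked separately with kinit and the old/new one.
    print(set_debug_level(SAMPLE_CONF))
```

Only the domain sections are touched because that is where the Kerberos (krb5_child) auth traffic for the IPA domain is logged; the `[sssd]` and `[nss]` sections keep whatever level they had.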


Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-11 Thread Jakub Hrozek
On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
> 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
>
> > To get the whole root environment you have to run
> > su - root
> > did you try with it?
>
>
> ahh... that works fine Gianluca!
>
> Final question, if I have a file on the share like:
> > [john@ipaserver mountpoint]$ ll test.txt
> > -rwxr-. 1 root admins 12 11 jan 10.42 test.txt
>
> Should I be able to access it if I acquire an admin ticket? Currently I get
> Permission denied.
>
> [john@ipaserver mountpoint]$ id
> uid=143444(john) gid=143444(john) grupper=143444(john)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> [john@ipaserver mountpoint]$ getfacl test.txt
> # file: test.txt
> # owner: root
> # group: admins
> user::rwx
> group::r--
> other::---
>
> [john@ipaserver mountpoint]$ id admin
> uid=143440(admin) gid=143440(admins) groups=143440(admins)
>
> [john@ipaserver mountpoint]$ klist
> Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
> Default principal: ad...@my.lan
>
> Valid starting   Expires  Service principal
> 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
>
> [john@ipaserver mountpoint]$ cat test.txt
> cat: test.txt: Permission denied

Looks like your account needs to be in the 'admins' group in order to
access the file.

Acquiring the admin ticket doesn't switch the user ID nor add you to the
group.

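The point made in the reply above, that the ticket in the credential cache is not an input to the file permission check, can be shown by running the POSIX owner/group/other check by hand over the `getfacl` and `id` output quoted in the thread. This is an added example, not code from the thread or from FreeIPA, SSSD or the kernel's cifs client; the small name-to-id tables are constructed from the quoted `id` lines.

```python
"""Why an admin Kerberos ticket does not open a root:admins file.

Added example for this thread, not code from FreeIPA, SSSD or the kernel.
It reimplements the POSIX owner/group/other check the kernel applies to a
file access, driven only by the process's uid and gid list; the principal
in the credential cache is not an input. The getfacl output and the
uid/gid numbers are the ones quoted in the thread; the lookup tables are
constructed for the example.
"""
import re

# Constructed lookup tables mirroring the `id` output quoted above:
# username -> (uid, primary gid); group name -> gid.
PASSWD = {"root": (0, 0), "john": (143444, 143444), "admin": (143440, 143440)}
GROUP = {"root": 0, "john": 143444, "admins": 143440}

GETFACL_OUTPUT = """\
# file: test.txt
# owner: root
# group: admins
user::rwx
group::r--
other::---
"""


def parse_getfacl(text):
    """Return (owner, group, {'user': 'rwx', 'group': 'r--', 'other': '---'})
    from minimal getfacl output (named ACL entries are not handled here)."""
    owner = group = None
    perms = {}
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        else:
            m = re.fullmatch(r"(user|group|other)::([rwx-]{3})", line.strip())
            if m:
                perms[m.group(1)] = m.group(2)
    if owner is None or group is None or len(perms) != 3:
        raise ValueError("unexpected getfacl output")
    return owner, group, perms


def may_access(uid, gids, want, owner_uid, group_gid, perms):
    """POSIX DAC for one permission bit ('r', 'w' or 'x').

    Exactly one class applies, chosen in the order owner, group, other; if
    that class lacks the bit the access is denied even when a later class
    would grant it. uid 0 has CAP_DAC_OVERRIDE: read/write always pass,
    execute only if at least one execute bit is set on the file.
    """
    if uid == 0:
        return want != "x" or any("x" in p for p in perms.values())
    if uid == owner_uid:
        cls = "user"
    elif group_gid in gids:
        cls = "group"
    else:
        cls = "other"
    return want in perms[cls]


def user_can(username, want, groups=None, facl_text=GETFACL_OUTPUT):
    """Resolve names the way `id` does, then apply the check.

    `groups` defaults to the primary group only, which is what the thread's
    `id` output shows for john; pass extra group names to model the user
    having been added to a group on the IPA side and SSSD having picked
    that up. Nothing here consults a Kerberos credential cache.
    """
    owner, group, perms = parse_getfacl(facl_text)
    uid, primary_gid = PASSWD[username]
    gids = {primary_gid} | {GROUP[g] for g in (groups or [])}
    return may_access(uid, gids, want, PASSWD[owner][0], GROUP[group], perms)


if __name__ == "__main__":
    for who in ("john", "admin", "root"):
        print(f"{who:5} read test.txt -> {user_can(who, 'r')}")
    print("john after joining admins ->", user_can("john", "r", ["admins"]))
```

Running it prints False for john and True for admin and root; only adding john to `admins` (and re-logging in so the new group appears in `id`) changes the answer, exactly as the reply says.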


[Freeipa-users] Group Policy-like features in FreeIPA

2015-01-11 Thread Dale Macartney
Morning folks

I am currently working on a little pet project which I think some would
find useful.

I would like to introduce some group-policy-like functionality into a
FreeIPA domain.

For example:
In an environment running FreeIPA Server with Fedora or RHEL based
workstations, I would like to be able to introduce a few extra features
which initially may be pushed via a login script (maybe even configure a
dbus session as well, who knows?).

My intentions here would be to be able to apply host specific policies as
well as have the option for user specific policies which would be applied
when the user logs in.

Practically speaking, adding an attribute to LDAP to specify a login script
file name is easy enough, however actually fetching this is where I am
hoping for a bit of brainstorming. My thoughts would be the local user
would fetch the name of the login script via LDAP, and then perhaps fetch
the file from a shared resource on the FreeIPA masters in order to be
executed locally.

LDAP is obviously replicated, however to my knowledge, there is no file
synchronization between masters. I am thinking something similar to the MS
equivalent of the SYSVOL data that replicates between MS Domain
Controllers. One option would be to store all data within LDAP, however
I've seen many scenarios where admins store CD ISOs in replicated domain
data, so I am not certain this would be the best option.

With this replicated data folder, I would be able to store centrally
managed scripts which would be used for hosts or users, and then configure
the default user template on each workstation (/etc/skel/) to add the login
script file name which would be fetched from the user's LDAP attributes.


Real-world usability for what I am thinking of is a way to manage users who
can have their corporate email mailbox configured on login, automatically
setting the user's session to point to an internal SSO-enabled proxy server
or perhaps any other number of things which an admin may wish to achieve
without the need to manually do the work themselves.

Has anyone undertaken a similar scenario in their environments or would
perhaps have any suggestions on how to manage the centrally accessible file
stores?

Many thanks

Dale
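The client side of the design sketched above (read a script name from the user's LDAP entry, fetch the file from a shared store, run it) has one step worth getting right before anything is executed: checking that the file is the one the directory intended. The following is an added example, not FreeIPA code and not code from the post. Every schema detail is hypothetical: it assumes a `loginScript` attribute naming a file in the shared store and a `loginScriptHash` attribute holding that file's SHA-256, so a workstation can reject a stale or altered copy regardless of which replicated store served it, and it rejects script names that would escape the store directory. The LDIF text is constructed in the shape `ldapsearch -LLL` prints.

```python
"""Resolve and verify a per-user login script published through LDAP.

Added example, not FreeIPA code. Everything schema-related is hypothetical:
the user entry is assumed to carry a `loginScript` attribute naming a file
in the shared store and a `loginScriptHash` attribute with that file's
SHA-256, so the client refuses to run a copy that is stale or has been
altered on whatever replicated store serves it. The LDIF and the script
store below are constructed sample data.
"""
import base64
import hashlib
import hmac
import re

# A bare file name only: no '/', no leading '.', so no traversal or hidden files.
SCRIPT_NAME_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]*")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}; handles '::' base64
    values and continuation lines (a leading single space)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def safe_script_name(name):
    """True only for a plain file name inside the store directory."""
    return SCRIPT_NAME_RE.fullmatch(name) is not None


def resolve_login_script(ldif_text, fetch):
    """Return the verified script bytes for the entry, or raise ValueError.

    `fetch(name)` is the caller's way of reading the named file from the
    shared store (HTTP, NFS, a kerberised CIFS mount, ...); the sample run
    below uses a dict lookup. Nothing is returned unless the SHA-256 of
    what was fetched equals the hash published in the directory.
    """
    entry = parse_ldif_entry(ldif_text)
    names = entry.get("loginscript", [])
    hashes = entry.get("loginscripthash", [])
    if len(names) != 1 or len(hashes) != 1:
        raise ValueError("entry must carry exactly one loginScript and one loginScriptHash")
    name, expected = names[0], hashes[0].lower()
    if not safe_script_name(name):
        raise ValueError(f"refusing suspicious script name {name!r}")
    content = fetch(name)
    actual = hashlib.sha256(content).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError(f"{name}: hash mismatch, not executing")
    return content


# --- constructed sample data ---------------------------------------------
SCRIPT_STORE = {
    "mail-setup.sh": b"#!/bin/sh\n# constructed sample: configure the corporate mailbox\n",
}
SAMPLE_LDIF = f"""\
dn: uid=john,cn=users,cn=accounts,dc=my,dc=lan
uid: john
loginScript: mail-setup.sh
loginScriptHash: {hashlib.sha256(SCRIPT_STORE["mail-setup.sh"]).hexdigest()}
"""

if __name__ == "__main__":
    script = resolve_login_script(SAMPLE_LDIF, SCRIPT_STORE.__getitem__)
    print(script.decode(), end="")
```

With the hash living in the replicated directory and the file body on the shared store, the two can be updated independently and a workstation simply refuses to run the script until they agree again, which also makes a tampered copy on one master visible at login time rather than silently executed.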