[Freeipa-users] GID, groups and ipa group-show

2015-08-21 Thread bahan w
Hello!

I contact you because I notice something strange with IPA environment.

I created a group:
ipa group-add g1 --desc="my first group"

Then I created a user with the GID of g1:
GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'`
ipa user-add --first=u1 --last=u1 --homedir=/home/u1 --shell=/bin/bash --gidnumber=${GID1} u1

Then when I perform the ipa group-show g1 command, I get the following result:
###
  Group name: g1
  Description: my first group
  GID: gid1
###

Same for ipa user-show u1:
###
  User login: u1
  First name: u1
  Last name: u1
  Home directory: /home/u1
  Login shell: /bin/bash
  Email address: u1@MYDOMAIN
  UID: uid1
  GID: gid1
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
###

These 2 commands do not see u1 as a member of g1.
When I try the command id u1, I can see the group:

###
id u1
uid=uid1(u1) gid=gid1(g1) groups=gid1(g1)
###

Is it the normal behaviour of these IPA commands?

Best regards.

Bahan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
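An added illustration (not part of Bahan's post and not FreeIPA code) of why the two views differ: `ipa group-show` reports only explicit members, while `id` also folds in the primary GID. The script parses constructed listings in the shape quoted above (the numeric UID/GID values are placeholders) and rebuilds the `id` line from them:

```python
import re
from typing import Dict, List

# Constructed sample listings in the shape of the `ipa user-show` / `ipa group-show`
# output quoted above; the numeric UID/GID values are placeholders, not from the post.
USER_SHOW = """\
  User login: u1
  UID: 1001
  GID: 1000
  Member of groups: ipausers, developers
"""
GROUP_SHOWS = [
    "  Group name: g1\n  Description: my first group\n  GID: 1000\n",
    "  Group name: ipausers\n  Description: Default group for all users\n  Member users: u1\n",
    "  Group name: developers\n  GID: 1002\n  Member users: u1\n",
]

FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*)$")


def parse_show(text: str) -> Dict[str, str]:
    """Turn the '  Key: value' lines of an `ipa *-show` listing into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def split_list(value: str) -> List[str]:
    """Split a comma-separated multi-valued field such as 'Member of groups'."""
    return [v.strip() for v in value.split(",") if v.strip()]


def reconcile(user_text: str, group_texts: List[str]) -> Dict[str, object]:
    """Rebuild what `id` reports from the separate IPA listings.

    `ipa group-show` only lists explicit members (the LDAP member link), so a
    user whose GID points at the group never appears there.  `id` merges the
    primary GID with the explicit memberships and drops non-POSIX groups.
    """
    user = parse_show(user_text)
    groups = {g["Group name"]: g for g in map(parse_show, group_texts)}
    login = user["User login"]
    primary = next((n for n, g in groups.items() if g.get("GID") == user["GID"]), None)
    explicit = set(split_list(user.get("Member of groups", "")))
    explicit |= {n for n, g in groups.items() if login in split_list(g.get("Member users", ""))}
    # Only POSIX groups (those carrying a GID) show up in the groups= list of `id`.
    posix = ([primary] if primary else []) + sorted(
        n for n in explicit if n != primary and "GID" in groups[n])
    id_line = "uid=%s(%s) gid=%s(%s) groups=%s" % (
        user["UID"], login, user["GID"], primary or "",
        ",".join("%s(%s)" % (groups[n]["GID"], n) for n in posix))
    return {
        "login": login,
        "primary": primary,
        "explicit": sorted(explicit),
        # True in the situation from the thread: membership exists only via gidNumber.
        "primary_only_via_gid": primary is not None and primary not in explicit,
        "id_line": id_line,
    }
```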

Re: [Freeipa-users] FreeIPA state - performance, commercial usage

2015-08-21 Thread Janelle
I would have to throw in a comment. As someone who has a 16 server
cluster with 10,000+ clients and growing, the hardest part is having to
tune dirsrv on each and every server. Beyond that, the rest is pretty
solid. Perhaps in the 5.x series they would consider adding a way to
tune the primary dirsrv at installation time, and have it copy that
config via ipa-replica-install or similar.


~Janelle

On 8/21/15 4:44 AM, Loris Santamaria wrote:

Hi, FWIW one of our customers (a bank) uses freeIPA 3.0 + samba with 4
servers and 5000+ clients, with no major issues. We were able to solve
every issue they had by tuning the dirsrv or with help from this list.

Best regards


El vie, 21-08-2015 a las 04:44 +0200, Vaclav Adamec escribió:

Hi,

Don't want to start a flame war, but my question is quite simple: is there
anybody who uses it in a real production/commercial setup without any
major issues? Don't you lack commercial support? No issues with
auditors?

After a year/two of usage/testing/troubleshooting of freeipa/redhat
ipa it seems, for me as a simple admin, to be still not a very mature
project; even the basic configuration isn't very stable/solid to use in
real production. I started with the latest freeipa on fedora with one
server (VM vmware), then added other master replicas, but after many
issues I carefully keep one server on redhat 7 with an up2date version of
ipa from rhel repos, default installation setup, no replication. But
still with stability issues (processes died occasionally, mostly due to
removing multiple clients; sometimes it dies completely with cryptic
errors in the journal (but sometimes no errors at all, it just waits for
something during restart) and the only fast option is restore from
snapshot backups, losing some clients). Performance is also an issue: we
cannot register more than 4-5 servers at once, or it will time out (but
no visible network or cpu/mem load issue).

As there are no other complex solutions like IPA it's quite hard to
decide what to use as a replacement, but right now it seems that we
have no other option and we will probably switch to simple openldap and
cover the missing functionality with puppet and some 2-factor solution.

We don't need anything special: no dns handling, no certificates, no
AD connection, just simple servers/clients, users with groups and
rules for access/sudo. A multimaster (with DNS SRV) solution for higher
performance and reliability would be nice, but not necessary if we can
keep it stable and handle more client registrations. We have tens of
users/groups and hundreds of servers/clients with random registration
bursts, as we use it also for temp. build environments and OpenStack
instances.

Official support from RedHat is not very helpful, also they don't
provide any real training for IPA, so the only option is the mail conference
(very helpful, thanks for that) and tons of documentation/examples
for a variety of versions, but for such a complex thing probably not
enough for commercial use.

Can I ask you for your opinion?

Vasek






[Freeipa-users] Missing data encountered + Incremental update failed and requires administrator action

2015-08-21 Thread Benjamin Reed
I recently upgraded my CentOS7 machine to the latest el7.1 updates, and
had oomkiller trigger in the middle of yum upgrade.

I managed to recover by doing a number of things including restoring
dirsrv's data/config from backup and re-running ipa-upgradeconfig,
followed by an ipa-replica-manage re-initialize from a known-good
machine.  Now, when I start up ipa, everything seems to be in sync
data-wise, but in dirsrv's error log, I see this:

[21/Aug/2015:12:45:50 -0400] NSMMReplicationPlugin -
agmt=cn=masterAgreement1-ipa2.opennms.com-pki-tomcat (ipa2:389):
Missing data encountered
[21/Aug/2015:12:45:50 -0400] NSMMReplicationPlugin -
agmt=cn=masterAgreement1-ipa2.opennms.com-pki-tomcat (ipa2:389):
Incremental update failed and requires administrator action

I fear this means that something is still not properly in sync and will
eventually come back to bite me.  Any ideas what's going on here, and
how to fix it?

-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/





Re: [Freeipa-users] FreeIPA state - performance, commercial usage

2015-08-21 Thread Loris Santamaria
Hi, FWIW one of our customers (a bank) uses freeIPA 3.0 + samba with 4
servers and 5000+ clients, with no major issues. We were able to solve
every issue they had by tuning the dirsrv or with help from this list.

Best regards


El vie, 21-08-2015 a las 04:44 +0200, Vaclav Adamec escribió:
 Hi,
 
 Don't want to start a flame war, but my question is quite simple: is there
 anybody who uses it in a real production/commercial setup without any
 major issues? Don't you lack commercial support? No issues with
 auditors?
 
 After a year/two of usage/testing/troubleshooting of freeipa/redhat
 ipa it seems, for me as a simple admin, to be still not a very mature
 project; even the basic configuration isn't very stable/solid to use in
 real production. I started with the latest freeipa on fedora with one
 server (VM vmware), then added other master replicas, but after many
 issues I carefully keep one server on redhat 7 with an up2date version of
 ipa from rhel repos, default installation setup, no replication. But
 still with stability issues (processes died occasionally, mostly due to
 removing multiple clients; sometimes it dies completely with cryptic
 errors in the journal (but sometimes no errors at all, it just waits for
 something during restart) and the only fast option is restore from
 snapshot backups, losing some clients). Performance is also an issue: we
 cannot register more than 4-5 servers at once, or it will time out (but
 no visible network or cpu/mem load issue).
 
 As there are no other complex solutions like IPA it's quite hard to
 decide what to use as a replacement, but right now it seems that we
 have no other option and we will probably switch to simple openldap and
 cover the missing functionality with puppet and some 2-factor solution.
 
 We don't need anything special: no dns handling, no certificates, no
 AD connection, just simple servers/clients, users with groups and
 rules for access/sudo. A multimaster (with DNS SRV) solution for higher
 performance and reliability would be nice, but not necessary if we can
 keep it stable and handle more client registrations. We have tens of
 users/groups and hundreds of servers/clients with random registration
 bursts, as we use it also for temp. build environments and OpenStack
 instances.
 
 Official support from RedHat is not very helpful, also they don't
 provide any real training for IPA, so the only option is the mail conference
 (very helpful, thanks for that) and tons of documentation/examples
 for a variety of versions, but for such a complex thing probably not
 enough for commercial use.
 
 Can I ask you for your opinion?
 
 Vasek
 
-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

If I'd asked my customers what they wanted, they'd have said
a faster horse - Henry Ford




Re: [Freeipa-users] Service and Headless Keytabs

2015-08-21 Thread Alexander Bokovoy

On Fri, 21 Aug 2015, bahan w wrote:

Hello!

I send you this mail because I have a noobish question about keytabs.
What is the difference between a service keytab and a headless keytab?

In which keytab do we use a service keytab?
What is the definition of a service? Is that a daemon running on a
specific host?

When we perform a service-add in FreeIPA, what is this service exactly?
Why not just use headless keytabs for everything?

Sorry for this noobish question ^_^


A keytab is a container to store a Kerberos principal's keys. A key in terms
of Kerberos can be some random bytes. You can use the container to store a
password for a user principal or a password (key) for a service principal.
Think about glass jars you might have in your kitchen. You can put
anything in these jars, from pasta to flour to pickles to ...

Traditionally, a Kerberos service is something that represents an
application -- either acting as a client or as a server, it does not
really matter which way. Such an application may have its own arrangement on
how it runs (which UID/GID it uses on the operating system level) but it
is not important from the Kerberos point of view because Kerberos is not
responsible for the identity of your application (or user), it only
deals with Kerberos principals and their keys.

What you call a 'headless keytab' is probably a keytab to store user
principal keys. This already makes an assumption that you have a user
principal that corresponds to a certain POSIX user. A service principal is
something that does not need to be a POSIX user; as I said above, most
applications have their own arrangement on how they run on the OS level.

However, some Kerberos services have a traditional meaning. For a host,
there could be a host/fqdn@REALM service principal that 'represents' this
host in the Kerberos realm. The same service principal may be shared by
several applications: for example, both SSSD and the SSH daemon use
host/fqdn@REALM for their own needs. SSSD uses it as a client when
authenticating against the IPA LDAP server using SASL GSSAPI, and the SSH daemon
uses the host/fqdn@REALM key to represent itself as a server to incoming SSH
clients using GSSAPI or Kerberos authentication methods.

In FreeIPA it is recommended to create service principals to represent
applications as they are not required to have a global POSIX identity
associated with them and they are usually running on a specific host. In
addition, if they are accepting the SASL GSSAPI authentication method to
access themselves, a client application will usually build up a target
principal based on the hostname they run on, e.g. HTTP/fqdn@REALM for a
web server running on the host fqdn. Thus, there is a clear arrangement
between client and server applications on what they expect from each
other on the Kerberos (or SASL GSSAPI) level.

For user principals there is no such expectation. You *can* store a user's
password in a 'headless keytab' to allow some impersonation of the
user for certain needs but it is irrelevant at the Kerberos level what
identity is there; both service and user principals can equally be used
at the client side to initiate authentication towards a server.

--
/ Alexander Bokovoy

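As an added example, not from Alexander's reply and not FreeIPA or MIT code, here is a small inventory of the "jar": it writes and reads the MIT keytab version 2 layout and lists which principals (host/, HTTP/ or a plain user principal) one file holds, without exposing the key bytes. The realm EXAMPLE.TEST and the hostnames are placeholders, the keys are random filler, and the service/user split by component count is only a heuristic:

```python
import os
import struct
from typing import Dict, List, Tuple

KEYTAB_MAGIC = b"\x05\x02"  # version 2 keytab header


def _cstr(b: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cstr(data: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a counted_octet_string at pos; return (bytes, position after it)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into a v2 keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)                # 32-bit kvno (needed above 255)
        out += struct.pack(">i", len(body)) + body      # entry length prefix
    return bytes(out)


def list_keytab(data: bytes) -> List[Dict[str, object]]:
    """Walk a v2 keytab and describe each entry; key material is never returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, records = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative length marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _read_cstr(data, pos + 11)        # skipped, not exposed
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        records.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype,
            # Heuristic only: service/host names have two components, users one.
            "kind": "service" if len(comps) > 1 else "user",
        })
    return records


# Constructed sample: host, HTTP and user principals in one file (placeholder realm,
# random filler keys, enctype 18 = aes256-cts-hmac-sha1-96).
SAMPLE_KEYTAB = build_keytab([
    ("host/client1.example.test@EXAMPLE.TEST", 2, 18, os.urandom(32)),
    ("HTTP/client1.example.test@EXAMPLE.TEST", 1, 18, os.urandom(32)),
    ("svc-batch@EXAMPLE.TEST", 300, 18, os.urandom(32)),
])
```

Running `list_keytab(SAMPLE_KEYTAB)` gives the same inventory `klist -k` would print for a real file, which is the check to run before deciding which principal a 'headless' keytab actually carries.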


Re: [Freeipa-users] LDAP user as client administrator

2015-08-21 Thread Alexander Bokovoy

On Fri, 21 Aug 2015, Roberto Cornacchia wrote:

In Fedora, adding a local user to the group wheel makes it an administrator
on that machine. In Gnome, you see this as the distinction between a
Normal and an Administrator account.

If the user is an LDAP user, how do we achieve the same?

https://www.happyassassin.net/2014/09/09/freeipa-setting-polkit-policykit-rules-for-users-make-your-user-a-polkit-administrator-on-your-clients/

--
/ Alexander Bokovoy



[Freeipa-users] Service and Headless Keytabs

2015-08-21 Thread bahan w
Hello!

I send you this mail because I have a noobish question about keytabs.
What is the difference between a service keytab and a headless keytab?

In which keytab do we use a service keytab?
What is the definition of a service? Is that a daemon running on a
specific host?

When we perform a service-add in FreeIPA, what is this service exactly?
Why not just use headless keytabs for everything?

Sorry for this noobish question ^_^

Best regards.

Bahan

[Freeipa-users] LDAP user as client administrator

2015-08-21 Thread Roberto Cornacchia
In Fedora, adding a local user to the group wheel makes it an administrator
on that machine. In Gnome, you see this as the distinction between a
Normal and an Administrator account.

If the user is an LDAP user, how do we achieve the same?

Re: [Freeipa-users] FreeIPA state - performance, commercial usage

2015-08-21 Thread Alexander Frolushkin
Hello.
We have had a very fine experience with a production deployment of IPA 3.0 (two
servers in the domain) with over 200 users and nearly 100 client servers and no AD
integration, only for our local branch.
Based on this experience we tried to deploy company-wide IPA 3.3 (later 4.1)
with 19 servers in the domain (over all the country) and AD integration (also a
large distributed domain). Still having a lot of critical issues and unable to
use it at full scale.
Red Hat official support is very useful, this maillist also, but the issues are
very strong :)
We are trying to bring it to full scale production, and I think in simpler
conditions it could be nice and soft.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Vaclav Adamec
Sent: Friday, August 21, 2015 8:44 AM
To: freeipa-users
Subject: [Freeipa-users] FreeIPA state - performance, commercial usage

Hi,

Don't want to start a flame war, but my question is quite simple: is there anybody
who uses it in a real production/commercial setup without any major issues? Don't
you lack commercial support? No issues with auditors?

After a year/two of usage/testing/troubleshooting of freeipa/redhat ipa it
seems, for me as a simple admin, to be still not a very mature project; even the
basic configuration isn't very stable/solid to use in real production. I
started with the latest freeipa on fedora with one server (VM vmware), then added
other master replicas, but after many issues I carefully keep one server on
redhat 7 with an up2date version of ipa from rhel repos, default installation
setup, no replication. But still with stability issues (processes died
occasionally, mostly due to removing multiple clients; sometimes it dies
completely with cryptic errors in the journal (but sometimes no errors at all, it
just waits for something during restart) and the only fast option is restore from
snapshot backups, losing some clients). Performance is also an issue: we cannot
register more than 4-5 servers at once, or it will time out (but no visible
network or cpu/mem load issue).

As there are no other complex solutions like IPA it's quite hard to decide what to
use as a replacement, but right now it seems that we have no other option and
we will probably switch to simple openldap and cover the missing functionality
with puppet and some 2-factor solution.

We don't need anything special: no dns handling, no certificates, no AD
connection, just simple servers/clients, users with groups and rules for
access/sudo. A multimaster (with DNS SRV) solution for higher performance and
reliability would be nice, but not necessary if we can keep it stable and
handle more client registrations. We have tens of users/groups and hundreds of
servers/clients with random registration bursts, as we use it also for temp.
build environments and OpenStack instances.

Official support from RedHat is not very helpful, also they don't provide any
real training for IPA, so the only option is the mail conference (very helpful,
thanks for that) and tons of documentation/examples for a variety of versions,
but for such a complex thing probably not enough for commercial use.

Can I ask you for your opinion?

Vasek




The information contained in this communication is intended solely for the use 
of the individual or entity to whom it is addressed and others authorized to 
receive it. It may contain confidential or legally privileged information. The 
contents may not be disclosed or used by anyone other than the addressee. If 
you are not the intended recipient(s), any use, disclosure, copying, 
distribution or any action taken or omitted to be taken in reliance on it is 
prohibited and may be unlawful. If you have received this communication in 
error please notify us immediately by responding to this email and then delete 
the e-mail and all attachments and any copies thereof.



Re: [Freeipa-users] private groups

2015-08-21 Thread Detlev Habicht
Thank you for your help!

Well, my problem is a beginner problem. Not reading enough. :-}
And I used an LDAP browser and saw error messages I misinterpreted.
Sorry for the noise here.

At least I found my answer here: https://fedorahosted.org/freeipa/ticket/3949

But I also found that many other people have the same problem understanding
this behavior.

But I have one suggestion:

It would be nice, when using the GUI to create new users, to have the opportunity
also to insert GID and UID.

I know I can edit it later, but why do I have to use this small window with
very few entries, when I can't really use it and have to go to the big one?
Maybe it is also a good idea to retire this small window or to have a switch
in the configuration to stop this small window. (But, of course, this is
not a really big problem.)

Greetings

Detlev

--
  Detlev  | Institut fuer Mikroelektronische Systeme
  Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de
  + Handy+49 172 5415752  ---



Am 20.08.2015 um 15:48 schrieb Rob Crittenden rcrit...@redhat.com:

 Martin Kosek wrote:
 On 08/20/2015 11:57 AM, Detlev Habicht wrote:
 Hi all,
 
 I am new to IPA and while learning IPA I am also learning some
 other things new for me.
 
 Migrating our system to IPA I found some problems with private groups.
 We didn't use it up to now.
 
 Trying to disable this feature with
 
 ipa-managed-entries -e "UPG Definition" -p xxx disable
 
 crashed my database.
 
 By crashed, you mean that Directory Server process crashed? If yes, it would 
 be
 really interesting to get a stack trace, steps in
 
 http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debug_crashes
 
 This would allow 389-DS developers to fix the bug.
 
 I don't know why. After this I can't
 create new users.
 
 IIRC, you would need to turn the default ipausers group into POSIX group
 (group-mod --posix), to let it be used it instead of the user private groups.
 But this depends on the error you are getting.
 
 
 For this problem I have no more information.
 
 But I have a question:
 
 Can I delete a private group after creating a user? How can I do this?
 
 You can use the group-detach command and then group-del on the detached
 managed group.
 
 
 And can I later create a private group again for this user? How?
 
 Hmm... You could do group-add command with the right GID, I do not know about
 single command doing that.
 
 There is no way to create the same kind of UPG for an existing user as can be 
 done for a new user. The managed entries plugin manages the linkage between 
 the user and group and IPA currently doesn't provide a way to create a 
 linkage after the fact.
 
 You can create a group with the same gid with : ipa group-add myuser --gid 
 uid-of-user, but this isn't exactly private. A private group doesn't 
 allow members.
 
 One of the other features of UPG is that when the user is deleted, the group 
 is also deleted. This would not happen in the case of manually created 
 private groups.
 
 rob
