Re: [Freeipa-users] svnserve authentication against IPA
Hi,

On Sat, 27 Jun 2015, Dmitri Pal wrote:
> On 06/18/2015 05:09 AM, dbisc...@hrz.uni-kassel.de wrote:
>> I have a svnserve (Subversion 1.6.11) running on my IPA server. Currently, there's a separate user database with SASL auth:
>>
>> /etc/sasl2/svn.conf
>> ---
>> pwcheck_method: auxprop
>> auxprop_plugin: sasldb
>> sasldb_path: /etc/sasldb2
>> mech_list: DIGEST-MD5
>> ---
>>
>> XXX/testrepo/conf/svnserve.conf
>> ---
>> [general]
>> anon-access = none
>> authz-db = authz
>> realm = MYSUBDOMAIN.MYUNIVERSITY.DE
>> [sasl]
>> use-sasl = true
>> min-encryption = 128
>> max-encryption = 256
>> ---
>>
>> On a test system, I changed svnserve auth to saslauthd and IPA:
>>
>> /etc/sasl2/svn.conf
>> ---
>> pwcheck_method: saslauthd
>> auxprop_plugin: ldap
>> mech_list: PLAIN
>> ldapdb_mech: PLAIN
>> ---
>>
>> XXX/testrepo/conf/svnserve.conf
>> ---
>> [general]
>> anon-access = none
>> authz-db = authz
>> realm = MYSUBDOMAIN.MYUNIVERSITY.DE
>> [sasl]
>> use-sasl = true
>> min-encryption = 0
>> max-encryption = 256
>> ---
>>
>> /etc/saslauthd.conf
>> ---
>> ldap_servers: ldaps://localhost/
>> ldap_search_base: cn=users,cn=accounts,dc=MYSUBDOMAIN,dc=MYUNIVERSITY,dc=DE
>> ---
>>
>> Though this setup basically works and svnserve and IPA are running on the same machine, I'm unhappy with PLAIN and "min-encryption = 0". What would you suggest to improve security/enable encryption in this setup? I considered switching from svnserve to Apache, but that would imply that my users will have to get used to something new.
>
> It seems that no one on the list knows details about svn configuration so if you figure it out please share the results with the list.
>
> --
> Thank you,
> Dmitri Pal

For the record: in the meantime, I've abandoned svnserve in favour of apache. It's more complicated to set up but also more flexible.
In order to make it work with IPA, one needs (something similar to) the following included in the apache configuration:

---
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

RedirectMatch ^(/svn)$ $1/
RedirectPermanent /svn/ /home/svn/

DAV svn
SVNParentPath /home/svn
SVNListParentPath On
SVNAutoversioning On
SVNReposName "example.com SVN Repositories"
SVNPathAuthz short_circuit
AuthType Basic
AuthName "example.com SVN Repositories"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPBindDN "uid=sysadev,CN=users,CN=accounts,DC=example,DC=com"
AuthLDAPBindPassword XX
AuthLDAPURL "ldaps://ipa.example.com/CN=users,CN=accounts,DC=example,DC=com?uid,nsAccountLock?sub?(ObjectClass=*)"
Require ldap-attribute nsAccountLock!="true"
Require valid-user
AuthzSVNAccessFile /etc/subversion/svn.acl
Options +Indexes +FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from all
---

I think this is more flexible and more secure than my svnserve approach.

Remarks:
1. "sysadev" is the username that I use for LDAP binding (an IPA user with a long-term password, no home directory and /sbin/nologin as login shell).
2. "/etc/subversion/svn.acl" contains the access rights for the individual SVN repos. It is similar to the "authz" files that svnserve uses.
3. apache is HTTPS-only.

Mit freundlichen Gruessen/With best regards,
--Daniel.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
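The thread's complaint about PLAIN with "min-encryption = 0" can be checked mechanically. The following is an added example, not code from the thread or from Subversion: it parses the two files shown above (/etc/sasl2/svn.conf in Cyrus SASL "key: value" form and svnserve.conf in INI form) and reports whether the offered SASL mechanisms can protect the password on the wire. The MECH_MAX_SSF table and the function name lint_svnserve_sasl are my assumptions: PLAIN, LOGIN, ANONYMOUS and CRAM-MD5 never negotiate a security layer (SSF 0), which is why svnserve can only accept them with min-encryption = 0, and why that setting leaves the password unprotected unless the transport itself is protected.

```python
"""Check an svnserve SASL configuration for cleartext credential exposure.

Added example, not from the mailing-list thread. Parses the two files the
thread shows and reports every mechanism that cannot satisfy min-encryption.
"""
import configparser

# Highest security strength factor (SSF, roughly the session cipher key size
# in bits) each Cyrus SASL mechanism can negotiate. Assumed values.
MECH_MAX_SSF = {
    "PLAIN": 0,
    "LOGIN": 0,
    "ANONYMOUS": 0,
    "CRAM-MD5": 0,
    "DIGEST-MD5": 256,
    "GSSAPI": 256,
}


def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines into a dict with lowercase keys."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip().lower()] = value.strip()
    return conf


def lint_svnserve_sasl(sasl_text, svnserve_text):
    """Return a list of findings; an empty list means every offered
    mechanism can meet the configured minimum encryption."""
    sasl = parse_sasl_conf(sasl_text)
    svn = configparser.ConfigParser()
    svn.read_string(svnserve_text)
    findings = []
    if not svn.getboolean("sasl", "use-sasl", fallback=False):
        findings.append("use-sasl is off: svnserve uses its built-in CRAM-MD5 "
                        "and the svn:// session is never encrypted")
        return findings
    min_enc = svn.getint("sasl", "min-encryption", fallback=0)
    for mech in sasl.get("mech_list", "").split():
        ssf = MECH_MAX_SSF.get(mech.upper())
        if ssf is None:
            findings.append(f"{mech}: unknown mechanism, check its SSF manually")
        elif ssf == 0 and min_enc == 0:
            findings.append(f"{mech} with min-encryption = 0: the password and all "
                            "repository data cross the network unprotected")
        elif ssf == 0:
            findings.append(f"{mech} cannot meet min-encryption = {min_enc}: "
                            f"clients offering only {mech} will be rejected")
        elif ssf < min_enc:
            findings.append(f"{mech} tops out at SSF {ssf}, below min-encryption = {min_enc}")
    return findings


# Daniel's original sasldb setup and his saslauthd/IPA test setup (from the thread)
SASLDB_CONF = """pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: DIGEST-MD5
"""
SASLAUTHD_CONF = """pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN
ldapdb_mech: PLAIN
"""
SVNSERVE_ENCRYPTED = """[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""
SVNSERVE_PLAIN = SVNSERVE_ENCRYPTED.replace("min-encryption = 128", "min-encryption = 0")

if __name__ == "__main__":
    for label, sasl, svn in (("sasldb/DIGEST-MD5", SASLDB_CONF, SVNSERVE_ENCRYPTED),
                             ("saslauthd/PLAIN", SASLAUTHD_CONF, SVNSERVE_PLAIN)):
        print(label, "->", lint_svnserve_sasl(sasl, svn) or ["ok"])
```

Run it as-is to compare the two setups from the thread: the DIGEST-MD5 setup passes, the PLAIN setup produces one finding, and raising min-encryption back to 128 while keeping PLAIN only turns the finding into "clients will be rejected", which is the corner Daniel was stuck in before moving to Apache over HTTPS.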
[Freeipa-users] hp-ux and IPA
Hello.

Is it possible to use IPA with HP-UX servers (ldapux) to authenticate users from AD via IPA-AD trusts, or does such a way only work for systems with sssd?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
[Freeipa-users] problem in ipa trust with AD
hi

I installed CentOS 6.7 with a trust to Windows 2008 R2 (AD users can not log in) and got this log on the IPA server in the file /var/log/krb5kdc.log.

domain IPA: l.infotechpsp.net

++ Sep 09 15:09:20 ipareplica.l.infotechpsp.net krb5kdc[1518](info): AS_REQ (4 etypes {18 17 16 23}) 10.30.120.20: NEEDED_PREAUTH: host/ussddm.l.infotechpsp@l.infotechpsp.net for krbtgt/l.infotechpsp@l.infotechpsp.net, Additional pre-authentication required

Is it correct? l.infotechpsp@l.infotechpsp.net
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
On Wed, 09 Sep 2015, Morgan Marodin wrote:
> Hi Alexander.
>
> Ok, after enabling debugging I have these logs:
> ---
> ==> /var/log/httpd/error_log <==
> INFO: Current debug levels:
> all: 100
> tdb: 100
> printdrivers: 100
> lanman: 100
> smb: 100
> rpc_parse: 100
> rpc_srv: 100
> rpc_cli: 100
> passdb: 100
> sam: 100
> auth: 100
> winbind: 100
> vfs: 100
> idmap: 100
> quota: 100
> acls: 100
> locking: 100
> msdfs: 100
> dmapi: 100
> registry: 100
> scavenger: 100
> dns: 100
> ldb: 100
> pm_process() returned Yes
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
> Mapped to DCERPC endpoint \pipe\lsarpc
> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
Do you have IPv6 stack enabled?

> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>   s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(21740, 21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>   pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(21740, 21740), real(21740, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>   tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory
I'm particularly worrying about this one -- /run/samba/ncalrpc/np pipe has to be there.

Can you explain what is your setup in detail?

--
/ Alexander Bokovoy
Re: [Freeipa-users] hp-ux and IPA
On Wed, 09 Sep 2015, Alexander Frolushkin wrote:
> Hello.
> Is it possible to use IPA with HP-UX servers (ldapux) to authenticate users from AD via IPA-AD trusts, or such way only work for systems with sssd?
I suspect you need to test it -- set it up like against Netscape/iPlanet directory server and use 'ipa-advise' recipes for FreeBSD or generic Linux versions to get proper base DNs/attributes/objectclasses.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment
On 09/05/2015 09:12 PM, Mateusz Małek wrote:
> On 01.09.2015 at 13:27, Petr Vobornik wrote:
>> On 08/27/2015 05:17 AM, Mateusz Małek wrote:
>>> We're trying to adjust FreeIPA to our environment... quite a bit. Here are some bullet points:
>>> (...)
>>> For points 3, 5, 6 and to limit available choices in 2, we need to plug into Web UI. Samples at https://pvoborni.fedorapeople.org/plugins/ provided us with some basic info how to write plugins.
>>
>> Glad to read that the plugin support is used. Especially in this scale. I'd like to ask you for a feedback. What are the main things that would make extending IPA easier for you?

Thank you for the feedback.

> I think that some Web UI documentation is needed - some kind of index of available widgets (their names, parameters, some usage examples for more complex widgets like entity_select), dialog windows and facets (like search), examples for various things like how to add new batch actions (with a new button at the top of search view) or to make layout and contents of facets/dialog boxes dependent on which user is using Web UI (like self-service differs from admin view).

Yeah, this needs more love. Web UI has a documentation generated from comments but a lot of code is not commented/documented and examples are still missing.
https://pvoborni.fedorapeople.org/doc/#!/api

> UI seems extremely extensible and probably many "examples" of how to do different things are already there, but it takes some time to find which part of UI uses them and can be copied to custom module (or adjusted in some other way). Do you have some tips on how to setup programming environment for UI development?

only https://pvoborni.fedorapeople.org/doc/#!/guide/Debugging

>>> However, I face some issues when I register my module under different entity name instead of overriding user (I want to keep original user module available)
>>
>> Just curious, why do you want to keep the original user entity object?
>
> Maybe not necessarily to keep original entity object, but to manage the same object using two different UI plugins (keeping original module available was quick test of such scenario). We have sysadmins - who can modify all user details - and user administrator - who needs really simple interface for creating new accounts and prolonging validity of existing.

Maybe a plugin can switch the entity in registry according to user role after the role is known - as in this plugin:
https://pvoborni.fedorapeople.org/plugins/simpleuser/simpleuser.js

User data should be in `IPA.whoami`

>>> It seems that check if (that.entity !== that.managed_entity) in freeipa/search.js fails (condition is true), which causes managed_entity_pkey_prefix function to return [""] instead of [] - object inspection shows both entity and managed_entity refer to user entity, but probably these are two different JS objects (and that's why they are considered different). Am I doing something wrong or is it some bug?
>>
>> There is no claim that it should work so I would say that it is a limitation of original design and unfinished refactoring than a bug. The code can be improved to support multiple entity objects for the same IPA object but I'm worried that it can break something else. Maybe simple comparison by an entity name would help.
>
> Oh, I see. I'll probably try to find other way around, as I'm a bit short on time. Extending FreeIPA is part of my engineering thesis, but at the same time I'm applying my changes to our CentOS-based production environment - that's why I'm trying to keep existing codebase intact (and it would take some time before any changes make their way to packages in RHEL repositories).

It can be patched in a plugin, but it's not nice.

Example: https://pvoborni.fedorapeople.org/plugins/association_search_fix/association_search_fix.js

> Thanks,
> Mateusz Małek

--
Petr Vobornik
Re: [Freeipa-users] certificate add subject alt Name
On 5.9.2015 12:48, Günther J. Niederwimmer wrote:
> Hello,
>
> System CentOS 7.
>
> is it possible to change a certificate to add a subject alt name?
>
> My "Problem" is, I have a Mail Server with name smtp.example.com and the correct service certificates smtp/smtp.example.com & imap/example.com now I make in my DNS Server (is a external system) a new Record "imap IN CNAME smtp" but this is now missing in the certificate?
>
> The Problem I mean is DNSSEC, so I can't setup this with freeIPA and I don't have a host/imap.example.com.

I'm sorry but I do not see how this is related to DNS. It might not be related to IPA at all. IPA only issues the cert. If the cert contains both subjectAltNames then the problem is likely in your DNS configuration or in configuration on the application server side (where you installed the cert).

Unfortunately I'm not able to tell you more without more details - what application you use, what versions, how you configured it, etc.

--
Petr^2 Spacek
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
Hi Alexander

IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on my Windows 2012. I have read in a freeipa article to disable IPv6.

I've 2 Domain Controller with Windows Server 2012 and (at this time) one new freeipa server, just installed, in the same network. AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM. I've installed bind in IPA that contains only ipa.mydomain.com zone. In AD servers is configured mydomain.com zone, with ipa.mydomain.com delegation to linux server (192.168.0.65).

Do you have other question of my setup? Let me know, thanks.
Morgan

2015-09-09 16:01 GMT+02:00 Alexander Bokovoy:
> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>> Hi Alexander.
>>
>> Ok, after enabling debugging I have these logs:
>> ---
>> ==> /var/log/httpd/error_log <==
>> INFO: Current debug levels:
>> all: 100
>> tdb: 100
>> printdrivers: 100
>> lanman: 100
>> smb: 100
>> rpc_parse: 100
>> rpc_srv: 100
>> rpc_cli: 100
>> passdb: 100
>> sam: 100
>> auth: 100
>> winbind: 100
>> vfs: 100
>> idmap: 100
>> quota: 100
>> acls: 100
>> locking: 100
>> msdfs: 100
>> dmapi: 100
>> registry: 100
>> scavenger: 100
>> dns: 100
>> ldb: 100
>> pm_process() returned Yes
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>> Mapped to DCERPC endpoint \pipe\lsarpc
>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
> Do you have IPv6 stack enabled?
>
>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>   s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(21740, 21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>   pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
>> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(21740, 21740), real(21740, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>   tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory
> I'm particularly worrying about this one -- /run/samba/ncalrpc/np pipe has to be there.
>
> Can you explain what is your setup in detail?
>
> --
> / Alexander Bokovoy

--
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069
Re: [Freeipa-users] pfSense DHCP to IPA's BIND dynamic updates success
On 9.9.2015 07:09, Alexander Bokovoy wrote:
> On Wed, 09 Sep 2015, John Keates wrote:
>> So I was having a DNS mess the other day and decided to clean it up. Before, I was running Unbound on pfSense which then had a domain override to the IPA box. It would forward all queries and IPA-wise all was well. Problem was that the domain was also used for a bunch of other things, like the outside world, and DHCP leases, because I want to be able to FQDN my machines and VM's.
>>
>> At first, I thought I could somehow make a weird multi-master setup, or have Unbound rewrite queries or selectively forward or ignore the authoritative status of DNS servers, but that's a rather nasty hackish way to attempt to fix things, so I went for the option to have DHCPd feed its leases and updates to BIND, and make Unbound the 2nd DNS server in case of an IPA meltdown.
>>
>> This turned out to be not-so-easy as you can't use GSSAPI on the pfSense box and the IPA interface doesn't allow you to create keys just like that. Solution? Manual edits! Now, I'm not sure if they will be preserved, but since I was using SaltStack to manage pretty much everything config-wise, I just make sure it keeps my settings around.
>>
>> Here is how to configure things:
>>
>> BIND-side:
>>
>> 1. Open /etc/named.conf in a root editor
>> 2. Insert a key like this:
>>
>> key "dhcp-key" {
>>     algorithm hmac-md5;
>>     secret "base64_string_here=";
>> };
>>
>> Where the string "dhcp-key" can be anything, but you should remember what you put in there. The Secret is a base64 string, if you are slightly clueless about that, use: echo "yoursecrethere" | base64 and you will get your base64 string. Stick it in between the quotes and you're good.
>>
>> 3. Next, log in to the IPA UI and go to the Zone you'd like to have DHCP dynamically push to.
>> 4. Click settings and turn on "Dynamic update" if it's not on already
>> 5. Add an update policy, in this format:
>>
>> grant dhcp-key wildcard * ANY;
>>
>> This is rather insecure as you give anything that authenticates using the key called "dhcp-key" full update rights for all types on that zone. So if you want to restrict it, do so as you please. I believe it at least wants A and records and probably TXT.
>>
>> 6. Click the update button and you are all set on this end. Note: if you want to have reverse lookups as well, you have to repeat step 5 for the reverse zone too!
>>
>> pfSense-side:
>>
>> 1. In pfSense, go to the DHCP server page
>> 2. Enable "Enable registration of DHCP client names in DNS."
>> 3. Enter the domain name of the zone you configured in IPA for dynamic updates
>> 4. Enter the required fields (IP of the IPA server, the name (which is dhcp-key in this example) and the base64 string you generated
>> 5. Press save and you're good!
>>
>> A few extras:
>>
>> - You could add IPA as an NTP server here as well
>> - You should add the IPA server as the 1st DNS server
>> - You can add pfSense as the 2nd DNS server if you like
>>
>> Please remember that at this point no DNS-related stuff on pfSense is used anymore as all clients will talk to IPA for their DNS needs from now on. If all you need is the one domain name, for example, if you use a unique domain just for internal IPA use, you're better off using the domain override.
>>
>> I hope this helps someone, and might work as a basis for more robust and secure configuration, as this is something I just came up with today in a test environment.
> This looks reasonable. You may want to put your key definition into something like /etc/named/my-dhcp-keys.conf and include it from there via 'include' statements but I think we don't upgrade named.conf after it was originally created.
>
> John, could you please add this to FreeIPA wiki?

BTW it is already documented here:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG

Have a nice day! :-)

--
Petr^2 Spacek
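John's own note that "grant dhcp-key wildcard * ANY" is rather insecure is the point worth making concrete. What follows is an added example, not code from the thread or the FreeIPA wiki page: it renders the named.conf key clause and the update-policy grant the recipe asks for, with three choices of mine that differ from the post. The secret is drawn from os.urandom rather than an encoded passphrase (TSIG is an HMAC key, so what matters is its entropy, and "echo ... | base64" also bakes echo's trailing newline into the key), the algorithm is hmac-sha256 instead of hmac-md5, and the grant names the record types DHCP needs instead of ANY, so a key that leaks from the pfSense box cannot rewrite the zone's NS, MX or SSHFP records. The key name dhcp-key, the zones lab.example.test and 1.168.192.in-addr.arpa, and the function names are constructed for the example.

```python
"""Generate a TSIG key and a least-privilege BIND update-policy for DHCP.

Added example, not from the thread or from FreeIPA. Sample names and zones
are constructed.
"""
import base64
import os


def make_tsig_secret(nbytes=32):
    """Return a base64 secret of nbytes OS-random bytes (32 = 256 bits, matching hmac-sha256)."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def secret_is_strong(secret, min_bytes=16):
    """True if secret is valid base64 decoding to at least min_bytes of key material.

    This is a length floor only; it cannot tell a passphrase from random bytes,
    but it does reject 'echo yoursecrethere | base64' (15 bytes incl. newline).
    """
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError:
        return False
    return len(raw) >= min_bytes


def key_clause(name, secret, algorithm="hmac-sha256"):
    """Render the named.conf key clause. Keep it in a separate file (as Alexander
    suggests), readable by the named user only, and include it from named.conf."""
    return (f'key "{name}" {{\n'
            f'    algorithm {algorithm};\n'
            f'    secret "{secret}";\n'
            f'}};\n')


def update_policy(name, zone, types=("A", "TXT")):
    """Render a grant limited to names under the zone and to the given rdata
    types (ISC dhcpd also writes DHCID when using the standard update style)."""
    return f"grant {name} wildcard *.{zone.rstrip('.')}. {' '.join(types)};"


def reverse_update_policy(name, reverse_zone):
    """The reverse zone needs its own grant (step 5 of the recipe), PTR only."""
    return update_policy(name, reverse_zone, types=("PTR",))


if __name__ == "__main__":
    secret = make_tsig_secret()
    print(key_clause("dhcp-key", secret))
    print(update_policy("dhcp-key", "lab.example.test"))
    print(reverse_update_policy("dhcp-key", "1.168.192.in-addr.arpa"))
```

Paste the printed key clause into the included key file on the IPA server and the same name, algorithm and secret into the pfSense DHCP page; the two grant lines go into the "BIND update policy" field of the forward and reverse zone respectively.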
[Freeipa-users] attempting to restore IPA
So to restore IPA I tried:

ipa-restore --data ipa-full-2015-09-10-10-28-11

and now I cannot login. Oopsie. The admin user password doesn't work and neither do my own accounts.

NB I assume the flag --data restores the user data/HBAC rules etc?

regards
Steven
Re: [Freeipa-users] hp-ux and IPA
On Thu, 10 Sep 2015, Alexander Frolushkin wrote:
> Thank you, so it may work or may not work - we need to try such configuration first. I hoped somebody already did this and may share the experience :)
> BTW, I already did some part of this work before - for native IPA users it works, but of course, without HBAC.
As HBAC currently is done at client side, and there is no such support for HP-UX, nothing can change here. For combined AD and IPA users just use cn=compat subtrees like 'ipa-advise' rules suggest.

It would be great if you would be able to update instructions for HP-UX setup we have on the wiki -- http://www.freeipa.org/page/ConfiguringUnixClients#HP-UX_11.0

--
/ Alexander Bokovoy
Re: [Freeipa-users] hp-ux and IPA
Thank you, so it may work or may not work - we need to try such configuration first. I hoped somebody already did this and may share the experience :)
BTW, I already did some part of this work before - for native IPA users it works, but of course, without HBAC.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Wednesday, September 09, 2015 8:07 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hp-ux and IPA

On Wed, 09 Sep 2015, Alexander Frolushkin wrote:
>Hello.
>Is it possible to use IPA with HP-UX servers (ldapux) to authenticate
>users from AD via IPA-AD trusts, or such way only work for systems with
>sssd?
I suspect you need to test it -- set it up like against Netscape/iPlanet directory server and use 'ipa-advise' recipes for FreeBSD or generic Linux versions to get proper base DNs/attributes/objectclasses.

--
/ Alexander Bokovoy
[Freeipa-users] Add objectclasses to computer schema
Is there an equivalent host/computer default objectclasses setting to what there is for ipa config-mod --groupobjectclasses/--userobjectclasses?

We are wanting to add some additional attributes to all of the servers. I'm able to add the object class to individual servers but not sure on the procedure so that all new servers automatically get the additional objectclasses when they are enrolled without having to manually add it.
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
On Wed, 09 Sep 2015, Morgan Marodin wrote:
> Hi Alexander
>
> IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on my Windows 2012. I have read in a freeipa article to disable IPv6.
Sorry, and why did you decide to disable IPv6 stack? FreeIPA article explicitly talks about not disabling IPv6.

Samba and FreeIPA LDAP code require working IPv6 stack on the machine. You can have a system without IPv6 addresses but do not disable the infrastructure. All contemporary networking applications are written with the idea that you can use IPv6-only functions and work on both IPv4 and IPv6 at the same time. See ipv6(7) manual page:

    IPv4 connections can be handled with the v6 API by using the v4-mapped-on-v6 address type; thus a program needs to support only this API type to support both protocols. This is handled transparently by the address handling functions in the C library.

    IPv4 and IPv6 share the local port space. When you get an IPv4 connection or packet to a IPv6 socket, its source address will be mapped to v6.

> I've 2 Domain Controller with Windows Server 2012 and (at this time) one new freeipa server, just installed, in the same network. AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM. I've installed bind in IPA that contains only ipa.mydomain.com zone. In AD servers is configured mydomain.com zone, with ipa.mydomain.com delegation to linux server (192.168.0.65).
>
> Do you have other question of my setup? Let me know, thanks.
> Morgan
>
> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy:
>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>> Hi Alexander.
>>>
>>> Ok, after enabling debugging I have these logs:
>>> ---
>>> ==> /var/log/httpd/error_log <==
>>> INFO: Current debug levels:
>>> all: 100
>>> tdb: 100
>>> printdrivers: 100
>>> lanman: 100
>>> smb: 100
>>> rpc_parse: 100
>>> rpc_srv: 100
>>> rpc_cli: 100
>>> passdb: 100
>>> sam: 100
>>> auth: 100
>>> winbind: 100
>>> vfs: 100
>>> idmap: 100
>>> quota: 100
>>> acls: 100
>>> locking: 100
>>> msdfs: 100
>>> dmapi: 100
>>> registry: 100
>>> scavenger: 100
>>> dns: 100
>>> ldb: 100
>>> pm_process() returned Yes
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'sasl-EXTERNAL' registered
>>> GENSEC backend 'ntlmssp' registered
>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>> Do you have IPv6 stack enabled?
>>
>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>   s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(21740, 21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>   pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
>>> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(21740, 21740), real(21740, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>>   tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory
>> I'm particularly worrying about this one -- /run/samba/ncalrpc/np pipe has to be there.
>>
>> Can you explain what is your setup in detail?
>>
>> --
>> / Alexander Bokovoy
>
> --
> Morgan Marodin
> email: mor...@marodin.it
> mobile: +39.3477829069

--
/ Alexander Bokovoy
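Alexander's ipv6(7) quote is easy to see for yourself. The following is an added example, not code from the thread, Samba or FreeIPA: it opens one AF_INET6 listener with IPV6_V6ONLY cleared, connects to it over IPv4 loopback, and reports the peer address the server sees, which on a host with a working IPv6 stack is the v4-mapped form ::ffff:127.0.0.1 even though the client spoke plain IPv4. A machine with no IPv6 addresses configured still passes; a machine where the stack itself was disabled fails at socket() or bind(), the situation Samba ran into above, and dual_stack_peer_address() (my name) returns None in that case instead of raising.

```python
"""Show v4-mapped-on-v6 addressing: one IPv6 socket serving an IPv4 client.

Added example, not from the thread. Requires only a loopback interface.
"""
import errno
import ipaddress
import socket
import threading


def mapped_ipv4(addr):
    """Return the IPv4 address embedded in a v4-mapped IPv6 address (as a
    string), or None if addr is not a v4-mapped IPv6 address."""
    try:
        v4 = ipaddress.IPv6Address(addr).ipv4_mapped
    except ValueError:
        return None
    return str(v4) if v4 is not None else None


def dual_stack_peer_address():
    """Accept one IPv4 loopback connection on a dual-stack IPv6 socket and
    return the peer address the server sees, or None when the kernel's IPv6
    stack is missing or disabled (socket()/bind() fail)."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:
        if exc.errno == errno.EAFNOSUPPORT:
            return None  # no IPv6 sockets at all
        raise
    with srv:
        try:
            # V6ONLY=0: IPv4 clients arrive on this socket as ::ffff:a.b.c.d
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            srv.bind(("::", 0))
        except OSError as exc:
            if exc.errno in (errno.EADDRNOTAVAIL, errno.EAFNOSUPPORT, errno.EPERM):
                return None  # stack present but unusable
            raise
        srv.listen(1)
        srv.settimeout(5)
        port = srv.getsockname()[1]
        seen = {}

        def accept_one():
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            seen["peer"] = peer[0]
            conn.close()

        worker = threading.Thread(target=accept_one)
        worker.start()
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
                cli.connect(("127.0.0.1", port))  # plain IPv4 client
        except OSError:
            pass
        worker.join()
    return seen.get("peer")


if __name__ == "__main__":
    peer = dual_stack_peer_address()
    if peer is None:
        print("IPv6 stack unusable: an IPv6-only server cannot run here")
    else:
        print("v6 socket saw peer", peer, "which is IPv4", mapped_ipv4(peer))
```

This is exactly the pattern Samba and the FreeIPA LDAP code rely on: a single IPv6 listener handles both families, so removing the IPv6 infrastructure breaks IPv4 service too.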
[Freeipa-users] rhel 6.7 upgrade - sssd/sudo
Ok I've got a strange one going on. I just updated several machines to RHEL 6.7 and seem to have broken my sudo rules. I've tracked the problem down to having

Default_domain_suffix = ad.domain

in the sssd.conf. If I remove that I can login using the fqn from AD and sudo rules are applied as configured. However I don't want to force my users to change to using their fqn to login, and due to having db2 in the environment our usernames are limited to 8 characters so we cannot use the fqn regardless.

I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it worked, but any IPA rules are not working.

Update installed sssd-1.12.4-47.el6.x86_64

-andy

*** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. ***
[Freeipa-users] Sudo entry not found by sssd in the cache db
I have a working IPA server and a working client config on an OpenSuse 13.2 with the following versions:

nappali:~ # rpm -qa |grep sssd
sssd-tools-1.12.2-3.4.1.i586
sssd-krb5-1.12.2-3.4.1.i586
python-sssd-config-1.12.2-3.4.1.i586
sssd-ipa-1.12.2-3.4.1.i586
sssd-1.12.2-3.4.1.i586
sssd-dbus-1.12.2-3.4.1.i586
sssd-krb5-common-1.12.2-3.4.1.i586
sssd-ldap-1.12.2-3.4.1.i586

sssd is configured for nss, pam, sudo.

There is a test sudo rule defined in the IPA server, which applies to user "doma". However, when the user tries to use sudo the rule does not work.

doma@nappali:/home/doma> sudo ls
doma's password:
doma is not allowed to run sudo on nappali. This incident will be reported.

The corresponding log in the sssd_sudo.log is this:

(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name doma matched without domain, user is doma
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name doma matched without domain, user is doma
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name doma matched without domain, user is doma
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name doma matched without domain, user is doma
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
(Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

This seems perfectly OK with one exception. The query against the sysdb does not find the entry. This is strange because the entry is there.

Log in sssd.log:

(Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb

So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb

Running the exact same query seen above in the sssd_sudo.log against the db returns:

ldbsearch -H /var/lib/sss/db/cache_szilva.ldb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
asq: Unable to register control with rootdse!
# record 1
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
entryUSN: 20521
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

This confirms that the entry is indeed there in the db. Why is it found with ldbsearch and why does sssd_sudo not find it? I am pretty much stuck with this one. Does anyone have an idea?
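As an added diagnostic example (not code from the post or from sssd): a small Python evaluator that parses the two filters sssd_sudo logged and applies them to the record ldbsearch returned, so the two lookups can be compared offline. The record is constructed from the attributes shown above; the first filter only matches entries whose dataExpireTimestamp is at or below the logged value 1441826725, which this record's 1441830262 is not, while the second filter does match it.

```python
import re

# Constructed from the ldbsearch output in the post: attribute -> list of values.
RULE = {
    "objectClass": ["sudoRule"],
    "name": ["Doma_ls"],
    "dataExpireTimestamp": ["1441830262"],
    "sudoCommand": ["ls"],
    "sudoHost": ["nappali.szilva"],
    "sudoRunAsUser": ["ALL"],
    "sudoUser": ["doma"],
}

# The two filters from sssd_sudo.log, copied verbatim.
EXPIRED_QUERY = ("(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)"
                 "(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)"
                 "(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))")
LIVE_QUERY = ("(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)"
              "(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))")

def parse(s, i=0):
    """Parse an RFC 4515 filter (&, |, !, =, <=, >=, '*' wildcards) into a tuple tree."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)
    m = re.fullmatch(r"([\w;-]+)(<=|>=|=)(.*)", s[i:j])
    if not m:
        raise ValueError("bad filter item: " + s[i:j])
    return (m.group(2), m.group(1), m.group(3)), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> values)."""
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    _, attr, want = node
    vals = entry.get(attr, [])
    if op == "=":
        if want == "*": return bool(vals)              # presence test
        pat = ".*".join(re.escape(p) for p in want.split("*"))
        return any(re.fullmatch(pat, v, re.I) for v in vals)
    n = int(want)                                       # ordering on the timestamp
    return any((int(v) <= n) if op == "<=" else (int(v) >= n) for v in vals)

def rule_matches(query, entry=RULE):
    """True when the entry satisfies the LDAP filter string."""
    return matches(parse(query)[0], entry)
```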
[Freeipa-users] Logging?
Hello,

I was wondering if anyone has played with the extended logging of IPA and specifically SSSD and the kibana dashboards they put together.

https://www.freeipa.org/page/Centralized_Logging

I can't seem to get "clients" to send the login info (https://www.freeipa.org/images/6/65/Rek-user-logins.png), even though I see the data in the logs, and was wondering if anyone has any tips?

Thank you
~Janelle