Re: [Freeipa-users] svnserve authentication against IPA

2015-09-09 Thread dbischof

Hi,

On Sat, 27 Jun 2015, Dmitri Pal wrote:


On 06/18/2015 05:09 AM, dbisc...@hrz.uni-kassel.de wrote:


I have a svnserve (Subversion 1.6.11) running on my IPA server. Currently, 
there's a separate user database with SASL auth:


/etc/sasl2/svn.conf
---
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: DIGEST-MD5
---

XXX/testrepo/conf/svnserve.conf
---
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
---

On a test system, I changed svnserve auth to saslauthd and IPA:

/etc/sasl2/svn.conf
---
pwcheck_method: saslauthd
auxprop_plugin: ldap
mech_list: PLAIN
ldapdb_mech: PLAIN
---

XXX/testrepo/conf/svnserve.conf
---
[general]
anon-access = none
authz-db = authz
realm = MYSUBDOMAIN.MYUNIVERSITY.DE
[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
---

/etc/saslauthd.conf
---
ldap_servers: ldaps://localhost/
ldap_search_base: cn=users,cn=accounts,dc=MYSUBDOMAIN,dc=MYUNIVERSITY,dc=DE
---

Though this setup basically works, and svnserve and IPA are running on 
the same machine, I'm unhappy with PLAIN and "min-encryption = 0".


What would you suggest to improve security/enable encryption in this 
setup? I considered switching from svnserve to Apache, but that would 
imply that my users will have to get used to something new.


It seems that no one on the list knows details about svn configuration so if 
you figure it out please share the results with the list.


--
Thank you,
Dmitri Pal


for the record: In the meantime, I've abandoned svnserve in favour of 
apache. It's more complicated to set up but also more flexible. In order 
to make it work with IPA, one needs (something similar to) the following 
included in the apache configuration:


---
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

RedirectMatch ^(/svn)$ $1/
RedirectPermanent /svn/ /home/svn/

# The container directives (<Location>, <Directory> and the block around
# "Require valid-user") were stripped when this post was archived. They are
# restored here so the snippet parses; <LimitExcept GET PROPFIND OPTIONS REPORT>
# is the usual Subversion pattern, the original tag is not recoverable.
<Location /home/svn>
   DAV svn
   SVNParentPath /home/svn
   SVNListParentPath On
   SVNAutoversioning On
   SVNReposName "example.com SVN Repositories"
   SVNPathAuthz short_circuit
   AuthType Basic
   AuthName "example.com SVN Repositories"
   AuthBasicProvider ldap
   AuthLDAPBindAuthoritative on
   AuthLDAPBindDN "uid=sysadev,CN=users,CN=accounts,DC=example,DC=com"
   AuthLDAPBindPassword XX
   AuthLDAPURL "ldaps://ipa.example.com/CN=users,CN=accounts,DC=example,DC=com?uid,nsAccountLock?sub?(ObjectClass=*)"
   Require ldap-attribute nsAccountLock!="true"
   <LimitExcept GET PROPFIND OPTIONS REPORT>
      Require valid-user
   </LimitExcept>
   AuthzSVNAccessFile /etc/subversion/svn.acl
</Location>

<Directory /home/svn>
   Options +Indexes +FollowSymLinks
   AllowOverride All
   Order Allow,Deny
   Allow from all
</Directory>
---

I think this is more flexible and more secure than my svnserve approach.

Remarks:

1. "sysadev" is the username that I use for LDAP binding (an IPA user with 
a long-term password, no home directory and /sbin/nologin as login shell).


2. "/etc/subversion/svn.acl" contains the access rights for the individual 
SVN repos. It is similar to the "authz" files that svnserve uses.


3. apache is HTTPS-only.


Mit freundlichen Gruessen/With best regards,

--Daniel.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
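Added here as a worked example, not code from the post above nor from Apache or FreeIPA: an offline model of what mod_authnz_ldap does with an AuthLDAPURL like the one in the configuration. Apache splits the URL into base DN, attribute list, scope and filter, then issues one search per login attempt whose filter is the URL filter ANDed with `(<first attribute>=<login name>)`, with the login name escaped per RFC 4515 so that a crafted username cannot widen the match. The second URL (`LOCK_AWARE_URL`) is my own variant, not the poster's configuration: it moves the account-lock condition into the search filter itself, so locked accounts are never found in the first place, independent of how the Require directives are evaluated. Host names, DNs and usernames are taken from the post or constructed.

```python
"""Model of mod_authnz_ldap's URL parsing and per-login filter construction.

Added example; not the Apache implementation.  The shapes follow the documented
AuthLDAPURL syntax: scheme://host[:port]/basedn?attributes?scope?filter
"""
from urllib.parse import urlsplit, unquote

# RFC 4515: characters that carry meaning inside a filter assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that is interpolated into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split an RFC 4516 LDAP URL into the parts mod_authnz_ldap uses."""
    parts = urlsplit(url)
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    attrs, scope, filt = (unquote(f) for f in fields)
    if filt and not filt.startswith("("):
        filt = f"({filt})"          # Apache normalises the surrounding parentheses
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in attrs.split(",") if a] or ["uid"],
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def user_search_filter(url: str, login: str) -> str:
    """The filter sent for a login attempt: (&(<url filter>)(<attr>=<login>)).

    The first URL attribute is the login attribute.  Without escaping, a
    login of '*)(uid=admin' would turn the equality test into a wildcard."""
    u = parse_auth_ldap_url(url)
    return f"(&{u['filter']}({u['attributes'][0]}={escape_filter_value(login)}))"


# The URL from the post, and an assumed variant that excludes locked accounts
# in the search itself (constructed for this example, not the poster's config).
POST_URL = ("ldaps://ipa.example.com/CN=users,CN=accounts,DC=example,DC=com"
            "?uid,nsAccountLock?sub?(ObjectClass=*)")
LOCK_AWARE_URL = ("ldaps://ipa.example.com/cn=users,cn=accounts,dc=example,dc=com"
                  "?uid?sub?(&(objectClass=posixAccount)(!(nsAccountLock=TRUE)))")

if __name__ == "__main__":
    for login in ("alice", "*)(uid=admin"):          # constructed login names
        print(user_search_filter(POST_URL, login))
        print(user_search_filter(LOCK_AWARE_URL, login))
```

Running it prints the escaped form of the injection attempt, `(uid=\2a\29\28uid=admin)`, which can only ever match a literal uid of that text; the unescaped form would have matched every entry in the subtree.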


[Freeipa-users] hp-ux and IPA

2015-09-09 Thread Alexander Frolushkin
Hello.
Is it possible to use IPA with HP-UX servers (ldapux) to authenticate users 
from AD via IPA-AD trusts, or does this only work for systems with sssd?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764





The information contained in this communication is intended solely for the use 
of the individual or entity to whom it is addressed and others authorized to 
receive it. It may contain confidential or legally privileged information. The 
contents may not be disclosed or used by anyone other than the addressee. If 
you are not the intended recipient(s), any use, disclosure, copying, 
distribution or any action taken or omitted to be taken in reliance on it is 
prohibited and may be unlawful. If you have received this communication in 
error please notify us immediately by responding to this email and then delete 
the e-mail and all attachments and any copies thereof.


[Freeipa-users] problem in ipa trust with AD

2015-09-09 Thread alireza baghery
Hi,
I installed CentOS 6.7 with a trust to Windows 2008 R2 (AD users cannot log in)
and got this log on the IPA server in /var/log/krb5kdc.log.
IPA domain: l.infotechpsp.net

++
Sep 09 15:09:20 ipareplica.l.infotechpsp.net krb5kdc[1518](info): AS_REQ (4
etypes {18 17 16 23}) 10.30.120.20: NEEDED_PREAUTH: host/
ussddm.l.infotechpsp@l.infotechpsp.net for krbtgt/
l.infotechpsp@l.infotechpsp.net, Additional pre-authentication required

Is it correct? l.infotechpsp@l.infotechpsp.net

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-09 Thread Alexander Bokovoy

On Wed, 09 Sep 2015, Morgan Marodin wrote:

Hi Alexander.

Ok, after enabling debugging I have these logs:
---
==> /var/log/httpd/error_log <==
INFO: Current debug levels:
 all: 100
 tdb: 100
 printdrivers: 100
 lanman: 100
 smb: 100
 rpc_parse: 100
 rpc_srv: 100
 rpc_cli: 100
 passdb: 100
 sam: 100
 auth: 100
 winbind: 100
 vfs: 100
 idmap: 100
 quota: 100
 acls: 100
 locking: 100
 msdfs: 100
 dmapi: 100
 registry: 100
 scavenger: 100
 dns: 100
 ldb: 100
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
Using binding ncacn_np:srv01.ipa.mydomain.com[,]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
0x7f8a3c224990
s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
netmask=255.255.255.0
added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
netmask=255.255.255.0

Do you have IPv6 stack enabled?


[2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
../lib/util/tevent_debug.c:63(samba_tevent_debug)
 s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
[2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)]
../lib/util/tevent_debug.c:63(samba_tevent_debug)
 s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
[2015/09/09 08:45:05.032353,  4, pid=11196, effective(21740,
21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
 pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
[2015/09/09 08:45:05.032421,  2, pid=11196, effective(21740,
21740), real(21740, 0), class=rpc_srv]
../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
 tstream_npa_connect_recv  to /run/samba/ncalrpc/np for pipe lsarpc and
user IPA\admin failed: No such file or directory

I'm particularly worried about this one -- the /run/samba/ncalrpc/np pipe
has to be there.

Can you explain what is your setup in detail?

--
/ Alexander Bokovoy



Re: [Freeipa-users] hp-ux and IPA

2015-09-09 Thread Alexander Bokovoy

On Wed, 09 Sep 2015, Alexander Frolushkin wrote:

Hello.
Is it possible to use IPA with HP-UX servers (ldapux) to authenticate
users from AD via IPA-AD trusts, or does this only work for systems with
sssd?

I suspect you need to test it -- set it up like against Netscape/iPlanet
directory server and use 'ipa-advise' recipes for FreeBSD or generic
Linux versions to get proper base DNs/attributes/objectclasses.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment

2015-09-09 Thread Petr Vobornik

On 09/05/2015 09:12 PM, Mateusz Małek wrote:



W dniu 01.09.2015 o 13:27, Petr Vobornik pisze:

On 08/27/2015 05:17 AM, Mateusz Małek wrote:

We're trying to adjust FreeIPA to our environment... quite a bit. Here
are some bullet points:

(...)

For points 3, 5, 6 and to limit available choices in 2, we need to plug
into Web UI. Samples at https://pvoborni.fedorapeople.org/plugins/
provided us with some basic info how to write plugins.


Glad to read that the plugin support is used. Especially at this scale.

I'd like to ask you for a feedback. What are the main things that
would make extending IPA easier for you?




Thank you for the feedback.


I think that some Web UI documentation is needed - some kind of index of
available widgets (their names, parameters, some usage examples for more
complex widgets like entity_select), dialog windows and facets (like
search), examples for various things like how to add new batch actions
(with a new button at the top of search view) or to make layout and
contents of facets/dialog boxes dependent on which user is using Web UI
(like self-service differs from admin view).


Yeah, this needs more love. Web UI has a documentation generated from 
comments but a lot of code is not commented/documented and examples are 
still missing.


https://pvoborni.fedorapeople.org/doc/#!/api



UI seems extremely extensible and probably many "examples" of how to do
different things are already there, but it takes some time to find which
part of UI uses them and can be copied to custom module (or adjusted in
some other way).

Do you have some tips on how to setup programming environment for UI
development?


only https://pvoborni.fedorapeople.org/doc/#!/guide/Debugging




However, I face some issues when I register my module under different
entity name instead of overriding user (I want to keep original user
module available)


Just curious, why do you want to keep the original user entity object?


Maybe not necessarily to keep original entity object, but to manage the
same object using two different UI plugins (keeping original module
available was quick test of such scenario). We have sysadmins - who can
modify all user details - and user administrator - who needs really
simple interface for creating new accounts and prolonging validity of
existing.


Maybe a plugin can switch the entity in registry according to user role 
after the role is known - as in this plugin:


https://pvoborni.fedorapeople.org/plugins/simpleuser/simpleuser.js

User data should be in `IPA.whoami`






It seems that check if (that.entity !== that.managed_entity) in
freeipa/search.js fails (condition is true), which causes
managed_entity_pkey_prefix function to return [""] instead of [] -
object inspection shows both entity and managed_entity refer to user
entity, but probably these are two different JS objects (and thats why
they are considered different). Am I doing something wrong or is it some
bug?


There is no claim that it should work, so I would say that it is more a
limitation of the original design and unfinished refactoring than a bug.
The code can be improved to support multiple entity objects for the
same IPA object, but I'm worried that it can break something else.

Maybe simple comparison by an entity name would help.


Oh, I see. I'll probably try to find other way around, as I'm a bit
short on time. Extending FreeIPA is part of my engineering thesis, but
at the same time I'm applying my changes to our CentOS-based production
environment - that's why I'm trying to keep existing codebase intact
(and it would take some time before any changes make their way to
packages in RHEL repositories).


It can be patched in a plugin, but it's not nice.

Example: 
https://pvoborni.fedorapeople.org/plugins/association_search_fix/association_search_fix.js




Thanks,

Mateusz Małek


--
Petr Vobornik


Re: [Freeipa-users] certificate add subject alt Name

2015-09-09 Thread Petr Spacek
On 5.9.2015 12:48, Günther J. Niederwimmer wrote:
> Hello,
> 
> System CentOS 7.
> 
> is it possible to change a certificate to add a subject alt name?
> 
> My "Problem" is, I have a Mail Server with name smtp.example.com and the 
> correct service certificates smtp/smtp.example.com & imap/example.com. Now I 
> made in my DNS Server (which is an external system) a new Record "imap IN CNAME 
> smtp", 
> but this is now missing in the certificate?
> 
> The Problem I mean is DNSSEC, so I can't setup this with freeIPA and I don’t 
> have a host/imap.example.com.

I'm sorry but I do not see how this is related to DNS. It might not be related
to IPA at all.

IPA only issues the cert. If the cert contains both subjectAltNames then the
problem is likely in your DNS configuration or in configuration on the
application server side (where you installed the cert).

Unfortunately I'm not able to tell you more without more details - what
application you use, what versions, how you configured it, etc.

-- 
Petr^2 Spacek


Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-09 Thread Morgan Marodin
Hi Alexander

IPv6 stack is disabled on my RHEL-like distro, v7 x64, but is enabled on my
Windows 2012.
I have read in a freeipa article to disable IPv6.

I've 2 Domain Controller with Windows Server 2012 and (at this time) one
new freeipa server, just installed, in the same network.
AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
I've installed bind in IPA that contains only ipa.mydomain.com zone.
On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
delegated to the linux server (192.168.0.65).

Do you have other questions about my setup?
Let me know, thanks.
Morgan





-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069

Re: [Freeipa-users] pfSense DHCP to IPA's BIND dynamic updates success

2015-09-09 Thread Petr Spacek
On 9.9.2015 07:09, Alexander Bokovoy wrote:
> On Wed, 09 Sep 2015, John Keates wrote:
>> So I was having a DNS mess the other day and decided to clean it up.
>> Before, I was running Unbound on pfSense which then had a domain
>> override to the IPA box. It would forward all queries and IPA-wise all
>> was well.  Problem was that the domain was also used for a bunch of
>> other things, like the outside world, and DHCP leases, because I want
>> to be able to FQDN my machines and VM’s.
>>
>> At first, I thought I could somehow make a weird multi-master setup, or
>> have Unbound rewrite queries or selectively forward or ignore the
>> authoritative status of DNS servers, but that’s a rather nasty hackish
>> way to attempt to fix things, so I went for the option to have DHCPd
>> feed its leases and updates to BIND, and make Unbound the 2nd DNS
>> server in case of an IPA meltdown.
>>
>> This turned out to be not-so-easy as you can’t use GSSAPI on the
>> pfSense box and the IPA interface doesn’t allow you to create keys just
>> like that. Solution? Manual edits!  Now, I’m not sure if they will be
>> preserved, but since I was using SaltStack to manage pretty much
>> everything config-wise, I just make sure it keeps my settings around.
>>
>> Here is how to configure things:
>>
>> BIND-side:
>>
>> 1. Open /etc/named.conf in a root editor
>> 2. Insert a key like this:
>>
>> key "dhcp-key" {
>>   algorithm hmac-md5;
>>   secret "base64_string_here=";
>> };
>>
>> Where the string “dhcp-key” can be anything, but you should remember
>> what you put in there.  The Secret is a base64 string, if you are
>> slightly clueless about that, use: echo “yoursecrethere” | base64
>> and you will get your base64 string. Stick it in between the quotes and
>> you’re good.
>>
>> 3. Next, log in to the IPA UI and go to the Zone you’d like to have DHCP
>> dynamically push to.
>> 4. Click settings and turn on “Dynamic update” if it’s not on already
>> 5. Add an update policy, in this format:
>>
>> grant dhcp-key wildcard * ANY;
>>
>> This is rather insecure as you give anything that authenticates using
>> the key called “dhcp-key” full update rights for all types on that
>> zone.  So if you want to restrict it, do so as you please. I believe it
>> at least wants A and  records and probably TXT.
>>
>> 6. Click the update button and you are all set on this end. Note: if
>> you want to have reverse lookups as well, you have to repeat step 5 for
>> the reverse zone too!
>>
>> pfSense-side:
>>
>> 1. In pfSense, go to the DHCP server page
>> 2. Enable "Enable registration of DHCP client names in DNS.”
>> 3. Enter the domain name of the zone you configured in IPA for dynamic 
>> updates
>> 4. Enter the required fields (IP of the IPA server, the name (which is
>> dhcp-key in this example) and the base64 string you generated
>> 5. Press save and you’re good!
>>
>> A few extras:
>>
>> - You could add IPA as an NTP server here as well
>> - You should add the IPA server as the 1st DNS server
>> - You can add pfSense as the 2nd DNS server if you like
>>
>> Please remember that at this point no DNS-related stuff on pfSense is
>> used anymore as all clients will talk to IPA for their DNS needs from
>> now on.  If all you need is the one domain name, for example, if you
>> use a unique domain just for internal IPA use, you’re better off using
>> the domain override.
>>
>> I hope this helps someone, and might work as a basis for more robust
>> and secure configuration, as this is something I just came up with
>> today in a test environment.
> This looks reasonable. You may want to put your key definition into something
> like
> /etc/named/my-dhcp-keys.conf and include it from there via 'include'
> statements but I think we don't upgrade named.conf after it was
> originally created.
> 
> John, could you please add this to FreeIPA wiki?

BTW it is already documented here:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG

Have a nice day! :-)

-- 
Petr^2 Spacek

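The key-handling side of the procedure above, as an added example that is not part of the original post, the FreeIPA wiki page or any of the tools mentioned: how to generate the TSIG secret, what `echo "secret" | base64` actually produces, how to scope the update policy to the names and record types a DHCP server needs, and the HMAC that both ends compute over an update. The key name, zones and record types are made up for the example. `hmac-sha256` assumes the updating client supports it; if it only speaks `hmac-md5` as in the post, pass that algorithm name, the key-generation advice is unchanged.

```python
"""TSIG key generation and scoping for DHCP-driven dynamic DNS updates.

Added example; constants and names are illustrative, not from the post.
"""
import base64
import hashlib
import hmac
import secrets


def make_tsig_secret(nbytes: int = 32) -> str:
    """Fresh random key material, base64-encoded for a named.conf key stanza.
    32 bytes matches the HMAC-SHA256 output size."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def echo_base64(passphrase: str) -> str:
    """What `echo "passphrase" | base64` really yields: the passphrase plus the
    newline echo appends, merely encoded.  No entropy is added and the newline
    silently becomes part of the key."""
    return base64.b64encode((passphrase + "\n").encode()).decode("ascii")


def secret_strength_bytes(secret_b64: str) -> int:
    """Bytes of key material behind a pasted secret (base64 must be well-formed)."""
    return len(base64.b64decode(secret_b64, validate=True))


def key_stanza(name: str, secret_b64: str, algorithm: str = "hmac-sha256") -> str:
    """The named.conf key block; keep it in a root-only file pulled in via include."""
    return (f'key "{name}" {{\n'
            f"    algorithm {algorithm};\n"
            f'    secret "{secret_b64}";\n'
            "};\n")


def update_policy(key_name: str, zone: str, rrtypes=("A", "AAAA", "TXT")) -> str:
    """Least-privilege update-policy for a zone: names under the zone only and
    just the types a DHCP server writes, instead of 'wildcard * ANY'."""
    zone = zone.rstrip(".") + "."
    return f"grant {key_name} wildcard *.{zone} {' '.join(rrtypes)};"


def tsig_mac(secret_b64: str, wire_message: bytes) -> bytes:
    """The HMAC at the heart of TSIG: both ends hold the key, so either can
    compute and check the MAC.  A real TSIG MAC also covers the TSIG RR
    variables (key name, time signed, fudge); that framing is omitted here."""
    key = base64.b64decode(secret_b64, validate=True)
    return hmac.new(key, wire_message, hashlib.sha256).digest()


if __name__ == "__main__":
    secret = make_tsig_secret()
    print(key_stanza("dhcp-key", secret))
    print(update_policy("dhcp-key", "lab.example.com"))                      # forward zone
    print(update_policy("dhcp-key", "0.168.192.in-addr.arpa", ("PTR",)))     # reverse zone
    weak = echo_base64("yoursecrethere")                                     # constructed passphrase
    print(f"echo|base64 secret carries {secret_strength_bytes(weak)} bytes "
          f"and decodes back to {base64.b64decode(weak)!r}")
```

Paste the printed stanza into a file that only root can read and `include` it from named.conf, and use the two `grant` lines as the update policies for the forward and reverse zones; the secret never needs to appear in named.conf itself.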

[Freeipa-users] attempting to restore IPA

2015-09-09 Thread Steven Jones
So to restore IPA I tried,

ipa-restore --data ipa-full-2015-09-10-10-28-11

and now I cannot log in... oopsie.

The admin user password doesn't work and neither do my own accounts.

NB I assume the --data flag restores the user data/HBAC rules etc?

regards

Steven 



Re: [Freeipa-users] hp-ux and IPA

2015-09-09 Thread Alexander Bokovoy

On Thu, 10 Sep 2015, Alexander Frolushkin wrote:

Thank you,
so it may work or may not work - we need to try such a configuration
first. I hoped somebody had already done this and could share the experience :)

BTW, I already did some part of this work before - for native IPA users
it works, but of course, without HBAC.

As HBAC currently is done at client side, and there is no such support
for HP-UX, nothing can change here.

For combined AD and IPA users just use cn=compat subtrees like
'ipa-advise' rules suggest.

It would be great if you would be able to update instructions for HP-UX
setup we have on the wiki -- 
http://www.freeipa.org/page/ConfiguringUnixClients#HP-UX_11.0

--
/ Alexander Bokovoy



Re: [Freeipa-users] hp-ux and IPA

2015-09-09 Thread Alexander Frolushkin
Thank you,
so it may work or may not work - we need to try such a configuration first. I 
hoped somebody had already done this and could share the experience :)

BTW, I already did some part of this work before - for native IPA users it 
works, but of course, without HBAC.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764





[Freeipa-users] Add objectclasses to computer schema

2015-09-09 Thread Thomas Suiter
Is there an equivalent host/computer default objectclasses setting like there is for 
ipa config-mod --groupobjectclasses/--userobjectclasses?  We are wanting to add 
some additional attributes to all of the servers. I'm able to add the object 
class to individual servers but I'm not sure of the procedure so that all new 
servers automatically get the additional objectclasses when they are enrolled 
without having to manually add it.

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-09 Thread Alexander Bokovoy

On Wed, 09 Sep 2015, Morgan Marodin wrote:

Hi Alexander

IPv6 stack is disabled on my RHEL-like distro, v7 x64, but is enabled on my
Windows 2012.
I have read in a freeipa article to disable IPv6.

Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
explicitly talks about not disabling IPv6.

Samba and FreeIPA LDAP code require working IPv6 stack on the machine.
You can have a system without IPv6 addresses but do not disable the
infrastructure. All contemporary networking applications are written
with the idea that you can use IPv6-only functions and work on both IPv4
and IPv6 at the same time. See ipv6(7) manual page:


IPv4 connections can be handled with the v6 API by using the
v4-mapped-on-v6 address type; thus a program needs to support only this
API type to support both protocols. This is handled transparently by the
address handling functions in the C library.

IPv4 and IPv6 share the local port space.  When you get an IPv4
connection or packet to a IPv6 socket, its source address will be mapped
to v6 and it will be mapped to v6.




I've 2 Domain Controller with Windows Server 2012 and (at this time) one
new freeipa server, just installed, in the same network.
AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
I've installed bind in IPA that contains only ipa.mydomain.com zone.
In AD servers is configured mydomain.com zone, with ipa.mydomain.com
delegation to linux server (192.168.0.65).




Do you have other question of my setup?
Let me know, thanks.
Morgan



--
/ Alexander Bokovoy

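What "v4-mapped-on-v6" means in practice, as an added example that is not part of the message above and not Samba or FreeIPA code: a single AF_INET6 listener with IPV6_V6ONLY switched off accepts an IPv4 client, and the peer address arrives as `::ffff:127.0.0.1`. This is the pattern that lets a daemon open one socket for both protocols; when the kernel's IPv6 stack is disabled, the AF_INET6 socket or its bind fails and nothing is listening at all, which is the class of failure the thread is about. The probe uses loopback only and reports what it could do rather than raising, so it also serves as a check on a host whose IPv6 stack may have been switched off.

```python
"""Dual-stack socket probe and IPv4-mapped address helpers.

Added example; nothing here is from the thread.  Addresses are loopback only.
"""
import ipaddress
import socket


def v4_mapped(v4: str) -> str:
    """The IPv6 form of an IPv4 address as a dual-stack socket reports it."""
    return f"::ffff:{ipaddress.IPv4Address(v4)}"


def unmap(addr: str) -> str:
    """Recover the IPv4 address from a mapped peer address; other addresses
    (plain IPv4, native IPv6) are returned unchanged."""
    a = ipaddress.ip_address(addr)
    if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped is not None:
        return str(a.ipv4_mapped)
    return str(a)


def dual_stack_probe(timeout: float = 2.0) -> dict:
    """Listen on [::] with IPV6_V6ONLY=0, connect over IPv4 loopback and
    report the peer address the v6 listener saw.  Each stage that depends on
    the IPv6 stack records its error instead of raising."""
    result = {"ipv6_socket": False, "bind_any": False, "peer": None, "error": None}
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as e:                       # no IPv6 support in the kernel
        result["error"] = f"AF_INET6 socket: {e}"
        return result
    result["ipv6_socket"] = True
    with srv:
        srv.settimeout(timeout)
        try:
            if hasattr(socket, "IPV6_V6ONLY"):
                srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            srv.bind(("::", 0))                # port 0: let the kernel pick one
            srv.listen(1)
        except OSError as e:                   # stack present but disabled
            result["error"] = f"bind [::]: {e}"
            return result
        result["bind_any"] = True
        port = srv.getsockname()[1]
        try:
            # IPv4 client against the IPv6 listener: only works when V6ONLY is off
            with socket.create_connection(("127.0.0.1", port), timeout=timeout):
                conn, peer = srv.accept()
                with conn:
                    result["peer"] = peer[0]   # expected: ::ffff:127.0.0.1
        except OSError as e:
            result["error"] = f"IPv4 connect via v6 listener: {e}"
    return result


if __name__ == "__main__":
    print(v4_mapped("192.168.0.65"), "->", unmap(v4_mapped("192.168.0.65")))
    print(dual_stack_probe())
```

On a host with a working IPv6 stack the probe prints a peer of `::ffff:127.0.0.1`; with the stack disabled it stops at the socket or bind stage and the `error` field says which, which is the first thing to check before reading Samba debug logs.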


[Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-09 Thread Andy Thompson
Ok I've got a strange one going on.  I just updated several machines to RHEL 
6.7 and seem to have broken my sudo rules.  I've tracked the problem down to 
having

Default_domain_suffix = ad.domain

in sssd.conf. If I remove that I can log in using the FQN from AD and sudo 
rules are applied as configured. However I don't want to force my users to 
change to using their FQN to log in, and because we have DB2 in the environment 
our usernames are limited to 8 characters, so we cannot use the FQN regardless.

I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it 
worked, but none of the IPA rules are working.

The update installed sssd-1.12.4-47.el6.x86_64.

-andy


[Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-09 Thread Molnár Domokos
I have a working IPA server and a working client config on an OpenSuse 13.2 
with the following versions:

nappali:~ # rpm -qa |grep sssd
sssd-tools-1.12.2-3.4.1.i586
sssd-krb5-1.12.2-3.4.1.i586
python-sssd-config-1.12.2-3.4.1.i586
sssd-ipa-1.12.2-3.4.1.i586
sssd-1.12.2-3.4.1.i586
sssd-dbus-1.12.2-3.4.1.i586
sssd-krb5-common-1.12.2-3.4.1.i586
sssd-ldap-1.12.2-3.4.1.i586

sssd is configured for nss, pam, sudo. There is a test sudo rule defined in the 
ipa server, which applies to user "doma". However when the user tries to use 
sudo the rule does not work.

doma@nappali:/home/doma> sudo ls
doma's password:
doma is not allowed to run sudo on nappali.  This incident will be reported.

The corresponding log in the sssd_sudo.log is this:

(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name doma matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name doma matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name doma matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name doma matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
(Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

This seems perfectly OK with one exception. The query against the sysdb does 
not find the entry. This is strange because the entry is there. Log in sssd.log:

(Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb

So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb. Running the 
exact same query seen above in the sssd_sudo.log against the db returns:

ldbsearch -H /var/lib/sss/db/cache_szilva.ldb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
asq: Unable to register control with rootdse!
# record 1
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
entryUSN: 20521
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

This confirms that the entry is indeed there in the db. Why is it found with 
ldbsearch and why does sssd_sudo not find it? I am pretty much stuck with this 
one. Does anyone have an idea?
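The two sysdb filters quoted from sssd_sudo.log in the post above differ in one clause: the first carries (dataExpireTimestamp<=1441826725), so it can only match rules whose cache entry has already expired, and the cached Doma_ls rule with dataExpireTimestamp 1441830262 is correctly not matched by it; the second has no such clause and does match the rule. The following is an added example, not code from the post or from SSSD: a minimal LDAP search-filter matcher supporting only the operators these two filters use, applied to the entry and filters copied from the thread, so the difference can be checked offline without ldbsearch.

```python
"""Evaluate LDAP search filters (RFC 4515 syntax) against a cached SSSD sudo rule.

Added example, not code from the original post or from SSSD.  Entry and filters
are copied from the ldbsearch output and sssd_sudo.log quoted in the thread; the
matcher covers only &, |, !, =, <=, >=, presence (attr=*) and glob substrings.
"""
import re
from fnmatch import fnmatchcase

# Cached rule as printed by ldbsearch in the post.  Attribute names are
# lower-cased (LDAP attribute types are case-insensitive), values are lists.
CACHED_RULE = {
    "dn": ["name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb"],
    "cn": ["Doma_ls"],
    "dataexpiretimestamp": ["1441830262"],
    "name": ["Doma_ls"],
    "objectclass": ["sudoRule"],
    "sudocommand": ["ls"],
    "sudohost": ["nappali.szilva"],
    "sudorunasgroup": ["ALL"],
    "sudorunasuser": ["ALL"],
    "sudouser": ["doma"],
}

# The two filters logged by sudosrv_get_sudorules_query_cache.
EXPIRED_RULES_FILTER = (
    "(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)"
    "(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)"
    "(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))"
)
USER_RULES_FILTER = (
    "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)"
    "(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
)

_SIMPLE = re.compile(r"([A-Za-z][\w;.-]*)(<=|>=|=)(.*)")


def parse_filter(text):
    """Parse a filter string into a tuple tree; raise ValueError on malformed input."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|", "!"):                 # compound: (&...) (|...) (!...)
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), i + 1
    end = s.find(")", i)                      # simple item: (attr OP value)
    if end < 0:
        raise ValueError("unterminated filter item at offset %d" % i)
    m = _SIMPLE.fullmatch(s[i:end])
    if not m:
        raise ValueError("bad filter item %r" % s[i:end])
    attr, cmp, value = m.groups()
    return ("cmp", attr.lower(), cmp, value), end + 1


def matches(node, entry):
    """True when entry (dict of lower-cased attr -> [values]) satisfies the filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, cmp, wanted = node
    values = entry.get(attr, [])
    if cmp == "=":
        if wanted == "*":                     # presence test
            return bool(values)
        if "*" in wanted:                     # substring test, e.g. sudoUser=+*
            return any(fnmatchcase(v.lower(), wanted.lower()) for v in values)
        return any(v.lower() == wanted.lower() for v in values)
    for v in values:                          # <= / >=: numeric when both parse
        try:
            left, right = int(v), int(wanted)
        except ValueError:
            left, right = v, wanted
        if (cmp == "<=" and left <= right) or (cmp == ">=" and left >= right):
            return True
    return False


def check_cached_rule(entry=CACHED_RULE):
    """Return (matched by expiry-limited filter, matched by plain rule filter)."""
    return (matches(parse_filter(EXPIRED_RULES_FILTER), entry),
            matches(parse_filter(USER_RULES_FILTER), entry))


if __name__ == "__main__":
    by_expiry_filter, by_rule_filter = check_cached_rule()
    print("expiry-limited filter matches cached rule:", by_expiry_filter)
    print("plain rule filter matches cached rule:    ", by_rule_filter)
```

Run stand-alone it reports False for the expiry-limited filter and True for the plain rule filter, so the filter text itself is not what keeps the rule from being found. Note also that the ldbsearch call in the post was run without a search base, so it scans the whole cache file; whether sssd_sudo sees the entry depends as well on where under cn=sysdb it searches, which the filter alone does not settle.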

[Freeipa-users] Logging?

2015-09-09 Thread Janelle

Hello,

I was wondering if anyone has played with the extended logging of IPA 
and specifically SSSD and the Kibana dashboards they put together.  
https://www.freeipa.org/page/Centralized_Logging


I can't seem to get "clients" to send the login info 
(https://www.freeipa.org/images/6/65/Rek-user-logins.png) , even though 
I see the data in the logs, and was wondering if anyone has any tips?


Thank you
~Janelle
