[Freeipa-users] Advice for the best way to achieve AD Caching?

2016-05-04 Thread David LeVene
Hey All,

I'm looking for a bit of direction around the best way to configure/set up an 
on-site cache and/or replica from an AD server which will be uni-directional (AD 
-> IPA/slapd).

The masters are multiple AD servers located around the place, and we exist in a 
place which is outside of the core network, and that network link is a single 
point of failure.

What I want to achieve is that, in the event we lose connectivity with the world, 
users can still authenticate, but if someone is disabled/updated at the top 
level it replicates down. I've got a test AD server and have been reviewing IPA, 
but have hit an issue in that I can't get software installed on the AD masters 
for the 389 dir sync software.

Currently I've configured a synchronization based solution with one way 
replication from the AD Masters -> IPA. This works fine and I can see all the 
users being created in IPA - but as the passwords can't be synced without 
installing software I can't use this method.

Another nice thing would be to have a separate domain/tree available so we can 
split up the staff that are from the master servers and some client related 
user/passes that won't be in the Global Directory - but managed from the same 
place.

Are there any other setups that will achieve what I require? I have seen slapd 
with proxy cache but I'm not sure on this option either, and configuring slapd 
with all the ldif files manually seems a little daunting at first sight.

Thanks in advance,
David

This email and any attachments may contain confidential and proprietary 
information of Blackboard that is for the sole use of the intended recipient. 
If you are not the intended recipient, disclosure, copying, re-distribution or 
other use of any of this information is strictly prohibited. Please immediately 
notify the sender and delete this transmission if you received this email in 
error.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Dogtag migration to FreeIPA

2016-05-04 Thread Fraser Tweedale
On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> Hi,
> 
> We have an in-house CA system managed by a stand-alone Dogtag system, we
> would like to integrate it with our FreeIPA system which is already in use
> and is setup with the company LDAP. I'm new to FreeIPA and I have some
> questions about this process:
> 
> 1. Is it possible to add our current Dogtag on top of the FreeIPA system
> directly? If so, how would I achieve that?
> 
This is not supported, though it's technically feasible (we just
don't have any code to do it).

> 2. If it's not possible to do the above, what about setting up a clone of
> the current FreeIPA system and migrate Dogtag during the installation of
> the replica? Is this a better option?
> 
Same as above... technically feasible but no way to do it right now.

> 3. Any other alternative?
> 
One alternative is to export your CA signing cert and key, and
install a new Dogtag instance in your FreeIPA environment.  The IPA
Dogtag instance would be "detached" from your existing Dogtag
instance but, cryptographically speaking, it would be the same CA.

You would have to tweak serial number ranges to ensure the new
instance doesn't reuse serial numbers that were already used (a
simple procedure).

How well this would work in your organisation would depend on what
sorts of things you use the existing Dogtag for, how clients expect
to renew certificates, etc.  I'm happy to answer questions you might
have in considering this approach.

Cheers,
Fraser



Re: [Freeipa-users] Lost master 1 with CA service

2016-05-04 Thread Fraser Tweedale
On Wed, May 04, 2016 at 08:45:19PM +0800, barry...@gmail.com wrote:
> Hi all:
> 
> I got master 1 that has the CA, and server 2 replicating. Now master 1
> failed, all lost.
> 
> Can I skip it and just make server 3 a replicated slave, or must
> I recover master 1?
> 
I take it `Server 2' was installed without the CA?  If this is the
case, and if you cannot recover the first master with the CA
instance, then as long as you still have the replica info file with
which the replica(s) were created, then you have the bits to recover
the CA - but it will be quite an involved process.

I have never performed this recovery so there is no documentation,
but off the top of my head the steps would be (at a high level; no
detail yet):

1. Make some manual changes to make FreeIPA think it is CA-less

2. Extract CA signing key from the replica info file

3. Run ipa-ca-install to install the CA on one of the IPA servers,
   with external CA.  This will generate a new private key and CSR
   to send to external CA.

4. Replace the new private key generated for the CSR, with the
   private key from the replica info file.

5. Continue the ipa-ca-install with the CA signing certificate from
   the replica info file.

6. Manually adjust serial number ranges to ensure the new CA
   instance does not issue certs with serial numbers that collide
   with certs issued by the original CA instance.  (This might have
   to be hacked into the ipa-ca-install process).

7? Depending on whether your CA is self-signed, might need to tell
   certmonger to track the CA signing certificate.

8! Install a CA replica on another IPA server, so you don't have to
   do it all again if you lose the CA host in future :)

If you want to embark on this adventure, and get stuck (I know my
instructions were not detailed...), let me know.  I will try and
find spare minutes to learn the details and document the process.

Cheers,
Fraser



[Freeipa-users] Dogtag migration to FreeIPA

2016-05-04 Thread Ha T. Lam
Hi,

We have an in-house CA system managed by a stand-alone Dogtag system, we
would like to integrate it with our FreeIPA system which is already in use
and is setup with the company LDAP. I'm new to FreeIPA and I have some
questions about this process:

1. Is it possible to add our current Dogtag on top of the FreeIPA system
directly? If so, how would I achieve that?

2. If it's not possible to do the above, what about setting up a clone of
the current FreeIPA system and migrate Dogtag during the installation of
the replica? Is this a better option?

3. Any other alternative?

Thank you,
Ha

[Freeipa-users] Get Creation Time / Last Login Time for Users

2016-05-04 Thread Jeff Hallyburton
Hello,

We're looking for a way to get last login time and creation time for
users configured in FreeIPA.  This information doesn't seem to be in
the WebUI and ipa user-status only provides limited information (last
failed/successful logins in seconds since epoch).  Is there a
supported way to get this information?

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: supp...@bloomip.com
Billing Support: bill...@bloomip.com
Customer Support Portal:  https://my.bloomip.com

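No reply to this question is on the page. As an added example, not part of the thread and not FreeIPA code, the following Python reads the two values straight out of the user entries in IPA's LDAP backend. It assumes the attributes 389-ds keeps on a FreeIPA user: the operational attribute createTimestamp (operational attributes have to be requested by name in ldapsearch) and krbLastSuccessfulAuth / krbLastFailedAuth, which are the same values `ipa user-status` prints. One caveat that is a fact about FreeIPA 4.x rather than something from the thread: the default ipaConfigString `KDC:Disable Last Success` stops the KDC from writing krbLastSuccessfulAuth on every login, so a missing or old value can mean "not recorded" rather than "never logged in". The LDIF in the block is constructed sample data; the DNs and user names are placeholders.

```python
"""Creation time and last login for IPA users, from their LDAP entries.

Added example, not from the thread or from FreeIPA. Assumes the attributes
FreeIPA's 389-ds backend keeps on a user entry: createTimestamp (operational;
request it by name in ldapsearch) and krbLastSuccessfulAuth /
krbLastFailedAuth, the values 'ipa user-status' prints. All are LDAP
GeneralizedTime in UTC. Caveat: FreeIPA 4.x defaults to the ipaConfigString
'KDC:Disable Last Success', so krbLastSuccessfulAuth may be absent or stale
even for active users. SAMPLE_LDIF is constructed sample data.
"""
from datetime import datetime, timezone

SAMPLE_LDIF = """\
# constructed sample of: ldapsearch ... uid createTimestamp krbLastSuccessfulAuth krbLastFailedAuth
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
createTimestamp: 20151104091500Z
krbLastSuccessfulAuth: 20160503220011Z
krbLastFailedAuth: 20160501080000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
createTimestamp: 20160504120000Z

dn: uid=carol,cn=users,cn=accounts,
 dc=example,dc=test
uid: carol
createTimestamp: 20140101000000Z
krbLastSuccessfulAuth: 20160101093000.000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, folded lines
    (leading space) rejoined, '#' comments skipped, attribute names lower-cased."""
    entries, block = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and block:
            block[-1] += raw[1:]                 # continuation of the previous line
        elif raw.strip() == "":
            if block:
                entries.append(block_to_entry(block))
                block = []
        elif not raw.startswith("#"):
            block.append(raw)
    return entries


def block_to_entry(block):
    entry = {}
    for line in block:
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # '::' = base64 value; none of our attributes use it
            continue
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_generalized_time(value):
    """LDAP GeneralizedTime as 389-ds emits it: YYYYmmddHHMMSS[.fff]Z (always UTC)."""
    if not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime (expected UTC 'Z'): {value}")
    body = value[:-1].split(".")[0]             # drop optional fractional seconds
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def user_activity(ldif_text, now):
    """Per user: uid, created, last_login (None if never recorded), idle_days.

    'now' may be a datetime or a GeneralizedTime string. idle_days counts from
    the last successful login, or from creation when no login was recorded.
    """
    if isinstance(now, str):
        now = parse_generalized_time(now)
    report = []
    for e in parse_ldif(ldif_text):
        created = parse_generalized_time(e["createtimestamp"][0])
        last = e.get("krblastsuccessfulauth")
        last_login = parse_generalized_time(last[0]) if last else None
        report.append({
            "uid": e.get("uid", ["?"])[0],
            "created": created.isoformat(),
            "last_login": last_login.isoformat() if last_login else None,
            "idle_days": (now - (last_login or created)).days,
        })
    return report


def never_logged_in(report):
    """uids with no krbLastSuccessfulAuth at all (see the 'Disable Last Success' caveat)."""
    return sorted(r["uid"] for r in report if r["last_login"] is None)


if __name__ == "__main__":
    rep = user_activity(SAMPLE_LDIF, "20160505000000Z")
    for r in rep:
        print(r)
    print("never logged in:", never_logged_in(rep))
```

Feed it the output of an ldapsearch that names the three attributes explicitly; if `KDC:Disable Last Success` is in effect on your servers, treat `never_logged_in` as "no login recorded" and look at krbLastFailedAuth or the KDC logs instead.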


Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
Hi,

I avoided the slow filling group by using the AD-Group with spaces
(was a tad more challenging for scripting)

But here's the releases (some of them)

ipa 4.2 and sssd 1.13

ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-common-1.13.0-40.el7_2.2.x86_64
sssd-client-1.13.0-40.el7_2.2.x86_64
sssd-ad-1.13.0-40.el7_2.2.x86_64

Cheers
Rob Verduijn

2016-05-04 18:06 GMT+02:00 Jakub Hrozek :
> On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
>> to make sure I did the following on the ipa host
>>
>> systemctl stop sssd.service
>> rm -f /var/lib/sss/db/*
>> systemctl start sssd.service
>>
>> now there is no cheating from cache
>> getent passwd u...@ad-domain.com works and gives userid
>> id u...@ad-domain.com works fine and shows all groups the user is a
>> member of including ad_linux_administrators (ipa group) and 'linux
>> administrat...@ad-domain.com'
>> getent group ad_linux_administrators only shows the group ad, no
>> members, these pop up after a very long time
>> getent group 'linux administrat...@ad-domain.com' immediately shows all members
>
> Please note that getent group only works with very recent versions of
> ipa and sssd. What version are you running?
>
>>
>> weird
>>
>> Rob Verduijn
>>
>> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
>> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> >> This goes especially for ad groups that are nested in ipa_groups
>> >>
>> >> ie :
>> >> Microsoft group is defined as an external group,
>> >> and that external group is member of an ipa group
>> >> and that ipa group takes forever.
>> >>
>> >> Regards
>> >> Rob Verduijn
>> >
>> > All the work in this area is done by sssd on the server. The sssd there
>> > runs a periodical task to re-fetch new external groups memberships every
>> > 10 seconds. So I would expect the group memberships to turn up after 10
>> > seconds at worst.
>> >
>> > Are you sure (from sssd logs) that maybe sssd is not going into offline
>> > state and just consults its cache?
>> >
>> >>
>> >>
>> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
>> >> > Hello,
>> >> >
>> >> > I'm using a trust to microsoft active directory to allow users access
>> >> > to linux servers.
>> >> >
>> >> > But when a user is added it takes a very long time for ipa to register 
>> >> > this.
>> >> > And even more time for the ipa clients since they have to wait for the
>> >> > ipa servers.
>> >> >
>> >> > Since I hate to tell the users to wait for a couple hours, and also I
>> >> > do not like to clean up the sssd cache folder each time a new user
>> >> > appears.
>> >> >
>> >> > Is there a way to tell ipa and all clients to refresh their cache ?
>> >> >
>> >> > Regards
>> >> > Rob Verduijn
>> >>
>> >> --
>> >> Manage your subscription for the Freeipa-users mailing list:
>> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> Go to http://freeipa.org for more info on the project
>> >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] service cert to a host/member/service

2016-05-04 Thread Rob Crittenden

lejeczek wrote:

hi users,

as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host (which is a domain member)?
I understand certificates issued with:

$ ipa cert-request --add --principal

are stored in the LDAP backend (yet I don't quite get the difference
between that tool and ipa-getcert).


The first uses the IPA command-line to get a cert directly. ipa-getcert 
uses certmonger.


If you are getting a certificate for another host, particularly if that 
host isn't an IPA client, then the first form is the way to go.



How do I get such a certificate off the server and to a host-not-server?


$ ipa cert-show <serial> --out cert.pem


In my case I'm hoping to use this certificate in apache+nss.
I realize I also will need CA certificate on that host, which I got hold
of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
right way?


So in this case you'd want to generate the CSR on the host-not-server 
using certutil. You'd take that CSR to the enrolled host and run ipa 
cert-request ...


Get a copy of the cert and get that and /etc/ipa/ca.crt to the 
host-not-server.


Use certutil to add both to your NSS database.

rob

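Two checks that come up in the CA threads on this page, written as one added example (it is not part of any reply and not FreeIPA or Dogtag code). First, Fraser's point in the "Dogtag migration" and "Lost master 1 with CA service" replies: a CA instance re-created from the old signing key must not reuse serial numbers the old instance already issued, so `next_serial_range()` reads the serials out of the old CA's certificates and proposes a range that starts above all of them (where that range is then configured, the dbs.* serial properties in Dogtag's CS.cfg, is version-specific and not shown here). Second, Rob's steps above for carrying an issued certificate and /etc/ipa/ca.crt to a host that is not an IPA client: `issued_by()` confirms the copied cert's issuer Name is byte-identical to the CA cert's subject Name before either goes into the NSS database. Both ride on a minimal DER walker over the outer X.509 structure. The certificates built by `sample_cert()` are constructed stand-ins with only the walked fields present, not valid certificates, so the example runs offline; the 1000-serial gap and the range size are assumptions you should size for your own CA.

```python
"""DER-level checks for the two CA situations discussed in these threads.

Added example; not FreeIPA or Dogtag code. (1) Re-creating a Dogtag CA from an
exported signing key: the new instance must not reuse serials the old one
issued, so next_serial_range() reads them from the old CA's certificates and
proposes a range above all of them. (2) Copying an issued cert and
/etc/ipa/ca.crt to a non-IPA host: issued_by() confirms the cert's issuer Name
is the CA cert's subject Name before both go into the NSS database. The
certificates built by sample_cert() are constructed stand-ins, not valid
certificates, so the example runs offline.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos] -> (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def tbs_fields(der):
    """Leading tbsCertificate fields as {name: (tag, value, whole_tlv)}.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity, subject, ... }, ... }"""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Certificate is not a DER SEQUENCE")
    tag, tbs, _ = read_tlv(cert)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    pos = 0
    tag, _, end = read_tlv(tbs)
    if tag == 0xA0:                          # EXPLICIT [0] version is present: step over it
        pos = end
    fields = {}
    for name in ("serialNumber", "signature", "issuer", "validity", "subject"):
        tag, value, end = read_tlv(tbs, pos)
        fields[name] = (tag, value, tbs[pos:end])
        pos = end
    return fields


def serial_number(der):
    tag, value, _ = tbs_fields(der)["serialNumber"]
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(value, "big", signed=True)


def issued_by(cert_der, ca_der):
    """Byte-compare cert.issuer with ca.subject; DER is canonical, so equality is exact."""
    return tbs_fields(cert_der)["issuer"][2] == tbs_fields(ca_der)["subject"][2]


def serials_from_pem_bundle(text):
    """Serials of every PEM certificate in a blob, e.g. an export of the old CA."""
    return [serial_number(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(text)]


def next_serial_range(issued, size=1_000_000, gap=1000):
    """(begin, end) strictly above every issued serial; 'gap' leaves room for certs
    the old instance issued after the export you are reading (assumed sizes)."""
    if any(s <= 0 for s in issued):
        raise ValueError("X.509 serial numbers must be positive")
    begin = (max(issued) if issued else 0) + gap + 1
    return begin, begin + size - 1


# ---- constructed stand-ins: NOT valid certificates, only the walked fields exist ----
def tlv(tag, body):
    return bytes([tag, len(body)]) + body    # short-form lengths only (< 128 bytes)


def sample_cert(serial, issuer_cn, subject_cn):
    """Certificate{ tbs{ [0] v3, serial, sigalg{}, issuer, validity{}, subject }, {}, BIT STRING }."""
    name = lambda cn: tlv(0x30, tlv(0x0C, cn.encode()))   # stand-in Name: SEQUENCE{UTF8String}
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, ser) + tlv(0x30, b"")
           + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


def sample_pem_bundle(specs):
    return "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % base64.b64encode(sample_cert(*s)).decode() for s in specs)


if __name__ == "__main__":
    ca, leaf = sample_cert(1, "Old IPA CA", "Old IPA CA"), sample_cert(4096, "Old IPA CA", "web")
    print("leaf issued by CA:", issued_by(leaf, ca))
    serials = serials_from_pem_bundle(sample_pem_bundle([(1, "Old IPA CA", "Old IPA CA"), (4096, "Old IPA CA", "web")]))
    print("issued:", serials, "-> new range:", next_serial_range(serials))
```

On real input, feed `serials_from_pem_bundle()` the PEM export of everything the old CA issued and `issued_by()` the DER of `cert.pem` and `/etc/ipa/ca.crt` (convert PEM with `base64.b64decode` of the body, as the bundle reader does). The issuer check is deliberately strict byte equality, which is what you want for certificates the IPA CA itself issued.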


Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Jakub Hrozek
On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> to make sure I did the following on the ipa host
> 
> systemctl stop sssd.service
> rm -f /var/lib/sss/db/*
> systemctl start sssd.service
> 
> now there is no cheating from cache
> getent passwd u...@ad-domain.com works and gives userid
> id u...@ad-domain.com works fine and shows all groups the user is a
> member of including ad_linux_administrators (ipa group) and 'linux
> administrat...@ad-domain.com'
> getent group ad_linux_administrators only shows the group ad, no
> members, these pop up after a very long time
> getent group 'linux administrat...@ad-domain.com' immediately shows all members

Please note that getent group only works with very recent versions of
ipa and sssd. What version are you running?

> 
> weird
> 
> Rob Verduijn
> 
> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> >> This goes especially for ad groups that are nested in ipa_groups
> >>
> >> ie :
> >> Microsoft group is defined as an external group,
> >> and that external group is member of an ipa group
> >> and that ipa group takes forever.
> >>
> >> Regards
> >> Rob Verduijn
> >
> > All the work in this area is done by sssd on the server. The sssd there
> > runs a periodical task to re-fetch new external groups memberships every
> > 10 seconds. So I would expect the group memberships to turn up after 10
> > seconds at worst.
> >
> > Are you sure (from sssd logs) that maybe sssd is not going into offline
> > state and just consults its cache?
> >
> >>
> >>
> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> >> > Hello,
> >> >
> >> > I'm using a trust to microsoft active directory to allow users access
> >> > to linux servers.
> >> >
> >> > But when a user is added it takes a very long time for ipa to register 
> >> > this.
> >> > And even more time for the ipa clients since they have to wait for the
> >> > ipa servers.
> >> >
> >> > Since I hate to tell the users to wait for a couple hours, and also I
> >> > do not like to clean up the sssd cache folder each time a new user
> >> > appears.
> >> >
> >> > Is there a way to tell ipa and all clients to refresh their cache ?
> >> >
> >> > Regards
> >> > Rob Verduijn
> >>


[Freeipa-users] service cert to a host/member/service

2016-05-04 Thread lejeczek
hi users,

as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host (which is a domain member)?
I understand certificates issued with:

$ ipa cert-request --add --principal

are stored in the LDAP backend (yet I don't quite get the difference
between that tool and ipa-getcert).
How do I get such a certificate off the server and to a host-not-server?
In my case I'm hoping to use this certificate in apache+nss.
I realize I also will need the CA certificate on that host, which I got
hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's
the right way?

many thanks.

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
to make sure I did the following on the ipa host

systemctl stop sssd.service
rm -f /var/lib/sss/db/*
systemctl start sssd.service

now there is no cheating from cache
getent passwd u...@ad-domain.com works and gives userid
id u...@ad-domain.com works fine and shows all groups the user is a
member of including ad_linux_administrators (ipa group) and 'linux
administrat...@ad-domain.com'
getent group ad_linux_administrators only shows the group ad, no
members, these pop up after a very long time
getent group 'linux administrat...@ad-domain.com' immediately shows all members

weird

Rob Verduijn

2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
> On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> This goes especially for ad groups that are nested in ipa_groups
>>
>> ie :
>> Microsoft group is defined as an external group,
>> and that external group is member of an ipa group
>> and that ipa group takes forever.
>>
>> Regards
>> Rob Verduijn
>
> All the work in this area is done by sssd on the server. The sssd there
> runs a periodical task to re-fetch new external groups memberships every
> 10 seconds. So I would expect the group memberships to turn up after 10
> seconds at worst.
>
> Are you sure (from sssd logs) that maybe sssd is not going into offline
> state and just consults its cache?
>
>>
>>
>> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
>> > Hello,
>> >
>> > I'm using a trust to microsoft active directory to allow users access
>> > to linux servers.
>> >
>> > But when a user is added it takes a very long time for ipa to register 
>> > this.
>> > And even more time for the ipa clients since they have to wait for the
>> > ipa servers.
>> >
>> > Since I hate to tell the users to wait for a couple hours, and also I
>> > do not like to clean up the sssd cache folder each time a new user
>> > appears.
>> >
>> > Is there a way to tell ipa and all clients to refresh their cache ?
>> >
>> > Regards
>> > Rob Verduijn
>>


Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-04 Thread Anthony Cheng
On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden  wrote:
> Anthony Cheng wrote:
>>
>> Small update, I found an article on the RH solution library
>> (https://access.redhat.com/solutions/2020223) that has the same error
>> code that I am getting and I followed the steps with certutil to update
>> the cert attributes but it is still not working.  The article is listed
>> as "Solution in Progress".
>>
>> [root@test ~]# getcert list | more
>>
>> Number of certificates and requests being tracked: 7.
>>
>> Request ID '20111214223243':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server.Certificate operation cannot be comp
>>
>> leted: Unable to communicate with CMS (Not Found)).
>
>
> Not Found means the CA didn't start. You need to examine the debug and
> selftest logs to determine why.
>
> rob

selftests.log is empty; there are entries for other times but not for
the test when I set the clock to renew certs.

[root@test pki-ca]# clock
Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
[root@test pki-ca]#
[root@test pki-ca]#

[root@test pki-ca]# ll * | grep self
-rw-r-. 1 pkiuser pkiuser     0 Nov 23 14:11 selftests.log
-rw-r-. 1 pkiuser pkiuser  1206 Apr  7  2015 selftests.log.20150407143526
-rw-r-. 1 pkiuser pkiuser  3673 Jun 30  2015 selftests.log.20150630163924
-rw-r-. 1 pkiuser pkiuser  1217 Aug 31 20:07 selftests.log.20150831160735
-rw-r-. 1 pkiuser pkiuser  3798 Oct 24 14:12 selftests.log.20151024101159

From the debug log I see some error messages:

[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)

Full log:

[28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
[28/Jan/2016:21:09:02][main]: 
[28/Jan/2016:21:09:02][main]: =  DEBUG SUBSYSTEM INITIALIZED   ===
[28/Jan/2016:21:09:02][main]: 
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_SIGNED_AUDIT
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ENCRYPTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_TRUSTED_PUBLIC_KEY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: SELFTESTS_EXECUTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: LOG_PATH_CHANGE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_ASYNC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_AGENT_LOGIN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_GEN_ASYMMETRIC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: NON_PROFILE_CERT_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PROFILE_CERT_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_REQUEST_PROCESSED
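
The message is cut off at the pasted log. As an added example, not part of this thread and not FreeIPA or Dogtag code, the following Python does the log reading Rob recommends once certmonger reports "Unable to communicate with CMS (Not Found)": it groups the `[dd/Mon/yyyy:HH:MM:SS][thread]: message` entries of the CA's debug log (Java stack frames and other unprefixed lines belong to the entry before them), keeps only the most recent start attempt (everything after the last `CMSEngine.shutdown()`), and returns the entries that look like initialisation failures. `SAMPLE_DEBUG_LOG` is constructed from the lines quoted in this thread plus one stale entry that shows the windowing; the failure patterns are an assumption about what is worth surfacing first, not an exhaustive list.

```python
"""Find why a Dogtag CA did not start, from its debug log.

Added example; not from the thread, FreeIPA or Dogtag. certmonger's
"Unable to communicate with CMS (Not Found)" means the CA web application is
not up; the advice in the thread is to read the CA's debug and selftests
logs. This does the mechanical part for the debug log: group entries, keep
the last start attempt, report the failure-looking ones. SAMPLE_DEBUG_LOG is
constructed from the lines quoted in the thread plus one stale entry.
"""
import re
from datetime import datetime

ENTRY_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\]\[([^\]]*)\]: ?(.*)$")
# Assumed signals of a subsystem failing in init(): Java exceptions and "not found"
# conditions such as the SigningUnit missing its certificate object.
FAILURE_RE = re.compile(r"Exception|not found|failed to|cannot", re.I)

SAMPLE_DEBUG_LOG = """\
[28/Jan/2016:20:59:59][main]: CMS:Caught EBaseException
stale entry from an earlier start attempt
[28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
[28/Jan/2016:21:09:02][main]: =  DEBUG SUBSYSTEM INITIALIZED   ===
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
""".splitlines()


def parse_entries(lines):
    """Group raw lines into entries: dicts with time (ISO 8601), thread, lines[]."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = ENTRY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            entries.append({"time": ts.isoformat(), "thread": m.group(2), "lines": [m.group(3)]})
        elif entries and line.strip():
            entries[-1]["lines"].append(line.strip())    # continuation (e.g. a stack frame)
    return entries


def last_start_attempt(entries):
    """Entries after the final 'CMSEngine.shutdown()' (all of them if none is logged)."""
    start = 0
    for i, e in enumerate(entries):
        if e["lines"][0].startswith("CMSEngine.shutdown()"):
            start = i + 1
    return entries[start:]


def startup_failures(lines, only_last_start=True):
    """Failure-looking entries as (time, thread, 'first line | continuation | ...')."""
    entries = parse_entries(lines)
    if only_last_start:
        entries = last_start_attempt(entries)
    out = []
    for e in entries:
        text = " | ".join(e["lines"])
        if FAILURE_RE.search(text):
            out.append((e["time"], e["thread"], text))
    return out


def diagnose(lines):
    """One-line verdict: first failure of the last start attempt, or where to look next."""
    failures = startup_failures(lines)
    if not failures:
        return "no failure entry in the last start attempt; check selftests.log"
    time, thread, text = failures[0]
    return f"{time} [{thread}] {text}"


if __name__ == "__main__":
    for failure in startup_failures(SAMPLE_DEBUG_LOG):
        print(*failure)
    print(diagnose(SAMPLE_DEBUG_LOG))
```

Run it over the CA's debug log (`startup_failures(open(path).read().splitlines())`); on the sample it points at the SigningUnit failing to find its certificate object, which is the kind of entry that explains a CA that never comes up and leaves selftests.log empty.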

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Jakub Hrozek
On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> This goes especially for ad groups that are nested in ipa_groups
> 
> ie :
> Microsoft group is defined as an external group,
> and that external group is member of an ipa group
> and that ipa group takes forever.
> 
> Regards
> Rob Verduijn

All the work in this area is done by sssd on the server. The sssd there
runs a periodical task to re-fetch new external groups memberships every
10 seconds. So I would expect the group memberships to turn up after 10
seconds at worst.

Are you sure (from sssd logs) that maybe sssd is not going into offline
state and just consults its cache?

> 
> 
> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> > Hello,
> >
> > I'm using a trust to microsoft active directory to allow users access
> > to linux servers.
> >
> > But when a user is added it takes a very long time for ipa to register this.
> > And even more time for the ipa clients since they have to wait for the
> > ipa servers.
> >
> > Since I hate to tell the users to wait for a couple hours, and also I
> > do not like to clean up the sssd cache folder each time a new user
> > appears.
> >
> > Is there a way to tell ipa and all clients to refresh their cache ?
> >
> > Regards
> > Rob Verduijn
> 


Re: [Freeipa-users] freeipa password policy ( history ) getting reset with password reset

2016-05-04 Thread Jakub Hrozek
On Wed, May 04, 2016 at 04:16:38PM +0200, Martin Kosek wrote:
> On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote:
> > Hi,
> > 
> > I am running a freeipa server 4.2.x.
> > 
> > I have the following global password policy set to force a history 
> > of 3
> > 
> > ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 
> > --maxfail=3 --failinterval=300
> > 
> > 
> > This works good when the user himself changes the password.. and IPA does 
> > not 
> > allow reusing older password.
> > 
> > However, if the admin resets it "ipa user-mod testuser --random" then it 
> > seems 
> > to reset the password history as well and the user can now re-use his older 
> > password
> > 
> > Is this expected or is there something I can do about it.
> 
> Good question, CCing Simo on this one.
> 
> > Also, is there a way to get the password expiry warning at the terminal 
> > when a 
> > user logs in , something similar to the "pwdExpireWarning" in ldap.
> > 
> > I searched a bit and could only find setting up email alerts .

Some more warnings are displayed when you bump the pam_verbosity option,
see man sssd.conf. I'm not sure if the expiry warning is one of them. If
not, feel free to file a bug.



Re: [Freeipa-users] freeipa password policy ( history ) getting reset with password reset

2016-05-04 Thread Simo Sorce
On Wed, 2016-05-04 at 16:16 +0200, Martin Kosek wrote:
> On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote:
> > Hi,
> > 
> > I am running a freeipa server 4.2.x.
> > 
> > I have the following global password policy set to force a history 
> > of 3
> > 
> > ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 
> > --maxfail=3 --failinterval=300
> > 
> > 
> > This works good when the user himself changes the password.. and IPA does 
> > not 
> > allow reusing older password.
> > 
> > However, if the admin resets it "ipa user-mod testuser --random" then it 
> > seems 
> > to reset the password history as well and the user can now re-use his older 
> > password
> > 
> > Is this expected or is there something I can do about it.
> 
> Good question, CCing Simo on this one.

It is arguably a bug, history shouldn't be lost IMHO.

Simo.

> > Also, is there a way to get the password expiry warning at the terminal 
> > when a 
> > user logs in , something similar to the "pwdExpireWarning" in ldap.
> > 
> > I searched a bit and could only find setting up email alerts .
> 
> CCing Jakub from SSSD team.
> 
> Martin





Re: [Freeipa-users] Who uses FreeIPA?

2016-05-04 Thread Jakub Hrozek
On Wed, May 04, 2016 at 04:23:00PM +0200, Martin Kosek wrote:
> On 05/04/2016 09:23 AM, Jakub Hrozek wrote:
> > On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
> >> On (03/05/16 15:09), Alexandre de Verteuil wrote:
> >>> Hello all,
> >>>
> >>> I've deployed FreeIPA in my home lab and I'm happy to have single
> >>> sign-on for all my Archlinux virtual machines and Fedora laptops :)
> >>>
> >>> It took me lots of research and conversations before hearing about
> >>> FreeIPA for the first time while searching for a libre SSO solution. I
> >>> think FreeIPA needs much more exposure. I am really impressed with it.
> >>> Tomorrow I am giving a short presentation at my workplace to talk about
> >>> it and invite other sysadmins to try it.
> >>>
> >>> I would like to make a slide showing the current adoption of FreeIPA. I
> >>> read that Red Hat uses it internally, but do they actually deploy it in
> >>> their client's infrastructures? Are there any big companies that use it?
> >>> Even if I only have reports of schools and small businesses would be
> >>> good enough to say it's production ready and it has traction.
> >>>
> >>> Whether you are reporting about your own use or you know where I can
> >>> find out more would be greatly appreciated! I have not found a "Who uses
> >>> FreeIPA" page on the Internet.
> >>>
> >> The GNOME Infrastructure is now powered by FreeIPA!
> >> October 7, 2014
> >>
> >> https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/
> > 
> > Would it make sense to add 'success stories' like this to the
> > freeipa.org home page? Of course, we can't use Red Hat IDM customers,
> > but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu
> > could be added there if they would agree..
> 
> I think it would make sense. We already know at least about GNOME as Lukas
> mentioned or about eBay's Hadoop clusters:
> 
> https://hadoopsummit.uservoice.com/forums/344958-governance-and-security/suggestions/11664876-freeipa-for-securing-hadoop-fish
> 
> I think we should start a new "References" page on the FreeIPA.org wiki and 
> ask
> for success stories from this list. Any takers? :-)

I think we should ask those projects for permission first..



Re: [Freeipa-users] sudorule

2016-05-04 Thread Martin Kosek
On 05/04/2016 03:41 PM, Armstrong, Jeffrey wrote:
> Hi
> 
> I'm trying to add a sudo command to a sudo rule.  It's executing the 
> command but it's not adding the sudo command.
> 
> ipa sudorule-add-allow-command  --sudocmds  "/bin/su "  bkrc_rule
> 
>Rule name: bkrc_rule
> 
>Enabled: TRUE
> 
> -
> 
> Number of members added 0
> 
> Thanks
> 
> Jeff Armstrong


Does the SUDO command object exist?

# ipa sudorule-add-allow-command  --sudocmds  "/bin/su" test
  Rule name: test
  Enabled: TRUE
-
Number of members added 0
-
# ipa sudocmd-show /bin/su
ipa: ERROR: /bin/su: sudo command not found

More info here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/adding-sudo.html

I assume not. I actually think that this is a bug that FreeIPA does not display
any warning in this ticket. Can you please file a ticket/bug?

https://fedorahosted.org/freeipa/newticket

Thanks,
Martin
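The behaviour Martin demonstrates, a quiet "Number of members added 0" when the sudo command object has not been created yet, is easy to guard against in automation. The wrapper below is an added example written for this thread, not FreeIPA code: it runs `ipa sudocmd-show` first, creates the object with `ipa sudocmd-add` (the subcommand covered by the Red Hat document linked above) when it is absent, and fails loudly if the server still reports zero members. The `Runner` callable is this example's own device so the logic can be exercised without an enrolled client; the canned outputs it is tested against are modelled on the ones quoted in the thread.

```python
"""Pre-flight wrapper around `ipa sudorule-add-allow-command`.

Added example for this thread; it is not part of FreeIPA. The ipa CLI
answers "Number of members added 0" rather than an error when the sudo
command object does not exist yet, so the wrapper checks for the object
with `ipa sudocmd-show`, creates it with `ipa sudocmd-add` when missing,
and treats a zero-member result as a failure.
"""
import re
import subprocess
from typing import Callable, List, Optional, Tuple

# A runner executes an argv list and returns (exit status, stdout + stderr).
# Injecting it keeps the logic testable without an enrolled IPA client.
Runner = Callable[[List[str]], Tuple[int, str]]


def ipa_runner(argv: List[str]) -> Tuple[int, str]:
    """Real runner: invokes the ipa CLI (needs a Kerberos ticket for an admin)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def members_added(output: str) -> Optional[int]:
    """Parse the 'Number of members added N' summary line; None if it is absent."""
    match = re.search(r"Number of members added\s+(\d+)", output)
    return int(match.group(1)) if match else None


def sudocmd_exists(cmd: str, run: Runner = ipa_runner) -> bool:
    """True when `ipa sudocmd-show <cmd>` finds the object."""
    rc, out = run(["ipa", "sudocmd-show", cmd])
    if rc == 0:
        return True
    if "sudo command not found" in out:
        return False
    raise RuntimeError(f"ipa sudocmd-show failed unexpectedly: {out.strip()}")


def add_allow_command(rule: str, cmd: str, run: Runner = ipa_runner) -> int:
    """Add cmd to rule, creating the sudocmd object first if needed.

    Returns the member count reported by the server (always >= 1 on success).
    """
    cmd = cmd.strip()  # normalise stray whitespace such as "/bin/su " before lookup
    if not sudocmd_exists(cmd, run):
        rc, out = run(["ipa", "sudocmd-add", cmd])
        if rc != 0:
            raise RuntimeError(f"ipa sudocmd-add {cmd!r} failed: {out.strip()}")
    rc, out = run(["ipa", "sudorule-add-allow-command", f"--sudocmds={cmd}", rule])
    added = members_added(out)
    if rc != 0 or not added:
        raise RuntimeError(
            f"{cmd!r} was not added to rule {rule!r} (members added: {added})\n{out}"
        )
    return added


if __name__ == "__main__":
    # Real run on an enrolled client with an admin ticket.
    print(add_allow_command("bkrc_rule", "/bin/su"))
```

The zero-member case is turned into an exception on purpose: a configuration-management run that "succeeds" while leaving the rule empty is exactly the silent failure Jeff hit.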



Re: [Freeipa-users] Who uses FreeIPA?

2016-05-04 Thread Martin Kosek
On 05/04/2016 09:23 AM, Jakub Hrozek wrote:
> On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
>> On (03/05/16 15:09), Alexandre de Verteuil wrote:
>>> Hello all,
>>>
>>> I've deployed FreeIPA in my home lab and I'm happy to have single
>>> sign-on for all my Archlinux virtual machines and Fedora laptops :)
>>>
>>> It took me lots of research and conversations before hearing about
>>> FreeIPA for the first time while searching for a libre SSO solution. I
>>> think FreeIPA needs much more exposure. I am really impressed with it.
>>> Tomorrow I am giving a short presentation at my workplace to talk about
>>> it and invite other sysadmins to try it.
>>>
>>> I would like to make a slide showing the current adoption of FreeIPA. I
>>> read that Red Hat uses it internally, but do they actually deploy it in
>>> their client's infrastructures? Are there any big companies that use it?
>>> Even if I only have reports of schools and small businesses would be
>>> good enough to say it's production ready and it has traction.
>>>
>>> Whether you are reporting about your own use or you know where I can
>>> find out more would be greatly appreciated! I have not found a "Who uses
>>> FreeIPA" page on the Internet.
>>>
>> The GNOME Infrastructure is now powered by FreeIPA!
>> October 7, 2014
>>
>> https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/
> 
> Would it make sense to add 'success stories' like this to the
> freeipa.org home page? Of course, we can't use Red Hat IDM customers,
> but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu
> could be added there if they would agree..

I think it would make sense. We already know at least about GNOME as Lukas
mentioned or about eBay's Hadoop clusters:

https://hadoopsummit.uservoice.com/forums/344958-governance-and-security/suggestions/11664876-freeipa-for-securing-hadoop-fish

I think we should start a new "References" page on the FreeIPA.org wiki and ask
for success stories from this list. Any takers? :-)



Re: [Freeipa-users] Inplace upgrade

2016-05-04 Thread Martin Kosek
On 05/04/2016 01:31 PM, barry...@gmail.com wrote:
> You meant it fails to start if updating a minor version only?
> 
> On May 4, 2016 at 7:25 PM, "Lukas Slebodnik" wrote:
> 
> On (04/05/16 13:17), barry...@gmail.com  wrote:
>  >Can specific minor version?
> Yes you can
> 
> yum update ipa-server-3.0.0-37.el6.x86_64
> 
> However, it can fail if this version is not available in repositories.
> 
> BTW the latest version in el6 is 3.0.0-47.el6
> 
> LS

I believe all the info should be on this page:
http://www.freeipa.org/page/Upgrade

If not, we should improve it - suggestions welcome!

Thanks,
Martin


Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
This goes especially for AD groups that are nested in IPA groups

i.e.:
a Microsoft group is defined as an external group,
and that external group is member of an IPA group,
and that IPA group takes forever.

Regards
Rob Verduijn


2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> Hello,
>
> I'm using a trust to microsoft active directory to allow users access
> to linux servers.
>
> But when a user is added it takes a very long time for ipa to register this.
> And even more time for the ipa clients since they have to wait for the
> ipa servers.
>
> Since I hate to tell the users to wait for a couple hours, and also I
> do not like to clean up the sssd cache folder each time a new user
> appears.
>
> Is there a way to tell ipa and all clients to refresh their cache ?
>
> Regards
> Rob Verduijn



Re: [Freeipa-users] freeipa password policy ( hsitory ) getting reset with password reset

2016-05-04 Thread Martin Kosek
On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote:
> Hi,
> 
> I am running a freeipa server 4.2.x.
> 
> I have the following global password policy set to force a history
> of 3
> 
> ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 
> --maxfail=3 --failinterval=300
> 
> 
> This works well when the user himself changes the password, and IPA does not
> allow reusing an older password.
> 
> However, if the admin resets it "ipa user-mod testuser --random" then it 
> seems 
> to reset the password history as well and the user can now re-use his older 
> password
> 
> Is this expected or is there something I can do about it.

Good question, CCing Simo on this one.

> Also, is there a way to get the password expiry warning at the terminal when 
> a 
> user logs in , something similar to the "pwdExpireWarning" in ldap.
> 
> I searched a bit and could only find setting up email alerts .

CCing Jakub from SSSD team.

Martin



[Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
Hello,

I'm using a trust to microsoft active directory to allow users access
to linux servers.

But when a user is added it takes a very long time for ipa to register this.
And even more time for the ipa clients since they have to wait for the
ipa servers.

Since I hate to tell the users to wait for a couple hours, and also I
do not like to clean up the sssd cache folder each time a new user
appears.

Is there a way to tell ipa and all clients to refresh their cache ?

Regards
Rob Verduijn



[Freeipa-users] sudorule

2016-05-04 Thread Armstrong, Jeffrey
Hi

I'm trying to add a sudo command to a sudo rule.  It's executing the 
command but it's not adding the sudo command.

ipa sudorule-add-allow-command  --sudocmds  "/bin/su "  bkrc_rule
  Rule name: bkrc_rule
  Enabled: TRUE
-
Number of members added 0

Thanks

Jeff Armstrong

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-04 Thread Rob Crittenden

Hosakote Nagesh, Pawan wrote:

Our apps are running in a docker image based on Ubuntu 14.04 that cannot be 
changed to redhat. We want to install freeipa-client within this docker so that 
our app uses freeipa ldap as against default ldap.

The freeipa-client gets successfully installed in Ubuntu 14.04 plain machine, 
that is why I am hoping making it run in a Ubuntu 14.04 docker should also be 
very much possible.

As you can see the things get stuck in not starting bus process properly (this 
problem is not seen in ubuntu on plain machine). I cannot see much debug 
statements by enabling --debug option in ipa-client-install.
It's not clear why this process doesn't get started and what is missing in 
container as against plain machine which is making this install fail.

I am on to this issue for 2 full days now. I am pasting whatever debug 
statements I got during install, here:

Command
---
ipa-client-install --domain= --server= --hostname=jupyterhub.com --no-ntp --no-dns-sshfp



Log (After Error starts to happen)
---
Attached

My main suspect is dbus service unable to start in this container where it 
launches on a plain machine.


The root of the problem appears to be:

dbus: unrecognized service

rob



-
Best,
Pawan






On 5/3/16, 2:03 PM, "Lukas Slebodnik"  wrote:


On (03/05/16 18:25), Hosakote Nagesh, Pawan wrote:

Currently this is the error I'm stuck with. There isn't enough material online 
to proceed further. Failure starts with bus error..

Logs during ipa-client-install..


Synchronizing time with KDC...
Password for service_...@eaz.ebayc3.com:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EAZ.EBAYC3.COM
Issuer:  CN=Certificate Authority,O=EAZ.EBAYC3.COM
Valid From:  Mon Dec 07 05:17:30 2015 UTC
Valid Until: Fri Dec 07 05:17:30 2035 UTC


Enrolled in IPA realm EAZ.EBAYC3.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EAZ.EBAYC3.COM
dbus failed to start: Command '/usr/sbin/service dbus start ' returned non-zero 
exit status 1

I think the error message is clear.
There was a problem with starting dbus service within a container.


certmonger failed to stop: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
certmonger request for host certificate failed
2016-05-02 22:11:53,099 CRIT reaped unknown pid 241)
.

On 5/3/16, 1:45 AM, "Lukas Slebodnik"  wrote:


On (29/04/16 17:16), Hosakote Nagesh, Pawan wrote:

Thanks for your quick response. I am trying this on ubuntu.

This is the bug I'm facing right now: 
https://lists.launchpad.net/freeipa/msg00236.html
They say it's fixed in Trusty release of Ubuntu. But it doesn't work for me. 
There is no other material also
on how to fix this dbus error.

root@jupyterhub:/#  lsb_release -rd
Description:Ubuntu 14.04.4 LTS
Release:14.04
root@jupyterhub:/#

Do I understand it correctly that you want to build your own image
based on ubuntu?

If answer is yes then I would recommend to use ubuntu xenial (16.04).

But the benefit of container technologies is that you can use
an image based on a different distribution and therefore it would be the
best if you could use https://hub.docker.com/r/fedora/sssd/
(which was already mentioned).


May I know why you do not want to use existing working container
based on image fedora/sssd.

You would save some time with troubleshooting things which were already solved.

If you want help then please provide more info.
I assume you use docker and not lxd (based on subject)
Please share details how did you build an image and how do you
run container ...

LS






Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-04 Thread Rob Crittenden

Anthony Cheng wrote:

Small update, I found an article on the RH solution library
(https://access.redhat.com/solutions/2020223) that has the same error
code that I am getting and I followed the steps with certutil to update
the cert attributes but it is still not working.  The article is listed
as "Solution in Progress".

[root@test ~]# getcert list | more

Number of certificates and requests being tracked: 7.

Request ID '20111214223243':

status: CA_UNREACHABLE

ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).


Not Found means the CA didn't start. You need to examine the debug and 
selftest logs to determine why.


rob



stuck: yes

key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'

certificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'

CA: IPA

issuer: CN=Certificate Authority,O=SAMPLE.NET

subject: CN=caer.SAMPLE.net,O=SAMPLE.NET


expires: 2016-01-29 14:09:46 UTC

eku: id-kp-serverAuth

pre-save command:

post-save command:

track: yes

auto-renew: yes



On Mon, May 2, 2016 at 5:35 PM Anthony Cheng
> wrote:

On Mon, May 2, 2016 at 9:54 AM Rob Crittenden > wrote:

Anthony Cheng wrote:
 > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:
 >
 > Anthony Cheng wrote:
 >  > OK so I made progress on my cert renew issue; I was able to get kinit
 >  > working so I can follow the rest of the steps here
 >  > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
 >  >
 >  > However, after using
 >  >
 >  > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
 >  >
 >  > and restarting apache (/sbin/service httpd restart), resubmitting 3
 >  > certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
 >  > (/sbin/service ipa restart), I still see:
 >  >
 >  > [root@test ~]# ipa-getcert list | more
 >  > Number of certificates and requests being tracked: 8.
 >  > Request ID '20111214223243':
 >  >  status: CA_UNREACHABLE
 >  >  ca-error: Server failed request, will retry: 4301 (RPC failed
 >  > at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
 >
 > IPA proxies requests to the CA through Apache. This means that while
 > tomcat started ok it didn't load the dogtag CA application, hence the
 > Not Found.
 >
 > Check the CA debug and selftest logs to see why it failed to start
 > properly.
 >
 > [ snip ]
 >
 > Actually after a reboot that error went away and I just get this error
 > instead "ca-error: Server failed request, will retry: -504 (libcurl
 > failed to execute the HTTP POST transaction. Peer certificate cannot be
 > authenticated with known CA certificates)." from "getcert list"
 >
 > Result of service ipa restart is interesting since it shows today's time
 > when I already changed date/time/disabled NTP, so somehow the system still
 > knows today's time.
 >
 > PKI-IPA...[02/May/2016:13:26:10 +] - SSL alert:
 > CERT_VerifyCertificateNow: verify certificate failed for cert
 > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
 > Runtime error -8181 - Peer's Certificate has expired.)

Hard to say. I'd confirm that there is no time syncing service running,
ntp or otherwise.


I found out why the time kept changing; it was due to the fact that
it has VM tools installed (I didn't configure this box), so it
automatically syncs time during bootup.

I did still see this error message:

ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found))

I tried the step http://www.freeipa.org/page/Troubleshooting with

certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
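With several requests tracked on one server, the `getcert list` output above is worth triaging mechanically rather than by eye. The script below is an added example for this thread, not part of certmonger or FreeIPA. It parses each `Request ID` block into a record and flags the ones that need attention: a status other than MONITORING, `stuck: yes`, any `ca-error`, or an `expires` value already in the past. The sample output is constructed from the records quoted in the thread (one field per line, as getcert itself prints them), and the two hints are Rob's advice from this thread: "Not Found" means the CA web application did not start, and the peer-certificate error went together with an expired Server-Cert and a clock that kept being reset.

```python
"""Triage of `getcert list` output.

Added example for this thread (not part of certmonger or FreeIPA). It parses
the request records that `getcert list` prints and reports the ones that need
attention: status other than MONITORING, stuck: yes, a ca-error, or an
already expired certificate. The hints map the two ca-error texts seen in
this thread to the checks Rob suggests.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample modelled on the output quoted in the thread (real
# getcert output keeps each field on one line; the mail client wrapped it).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20111214223243':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=SAMPLE.NET
\tsubject: CN=caer.SAMPLE.net,O=SAMPLE.NET
\texpires: 2016-01-29 14:09:46 UTC
\teku: id-kp-serverAuth
\ttrack: yes
\tauto-renew: yes
Request ID '20160101000000':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=caer.SAMPLE.net,O=SAMPLE.NET
\texpires: 2018-01-29 14:09:46 UTC
\ttrack: yes
\tauto-renew: yes
"""

# ca-error fragments from the thread and the check each one points to.
HINTS: List[Tuple[str, str]] = [
    ("Unable to communicate with CMS (Not Found)",
     "the CA web application did not start; read the pki-ca debug and selftest logs"),
    ("Peer certificate cannot be authenticated with known CA certificates",
     "check the system clock and whether the server certificates have expired"),
]


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split getcert output into one dict per 'Request ID' block."""
    requests: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        header = re.match(r"Request ID '([^']+)':", raw)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
            continue
        if current is None or not raw.strip():
            continue
        # Split on the first colon only; values such as ca-error contain more.
        key, sep, value = raw.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value: str) -> datetime:
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(requests: List[Dict[str, str]], now: datetime) -> Dict[str, List[str]]:
    """Return {request_id: [problems...]} for every request that needs attention."""
    findings: Dict[str, List[str]] = {}
    for req in requests:
        problems = []
        if req.get("status") != "MONITORING":
            problems.append("status " + req.get("status", "?"))
        if req.get("stuck") == "yes":
            problems.append("stuck")
        error = req.get("ca-error")
        if error:
            problems.append("ca-error: " + error)
            problems.extend("hint: " + hint for text, hint in HINTS if text in error)
        if "expires" in req and parse_expiry(req["expires"]) <= now:
            problems.append("expired " + req["expires"])
        if problems:
            findings[req["request_id"]] = problems
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; pipe real `getcert list`
    # output into parse_getcert_list() to triage a live server.
    report = triage(parse_getcert_list(SAMPLE_GETCERT_LIST), datetime.now(timezone.utc))
    for rid, problems in report.items():
        print(rid)
        for problem in problems:
            print("  -", problem)
```

Expiry is compared against a caller-supplied `now` on purpose: on a box whose clock is being pushed around, as in this thread, comparing against a timestamp you trust tells you more than `datetime.now()` would.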
  

[Freeipa-users] OTP token policies.

2016-05-04 Thread Peter Bisroev
Dear Developers,

Firstly, thank you for a fantastic product. I have a few questions relating
to OTP that I could not find the answers to in the Red Hat IdM manual,
http://www.freeipa.org/page/V4/OTP document, and on both user and devel
mailing lists. Hopefully I have not missed anything obvious :)

With FreeIPA version 4.2, is it possible to enforce policies on what
administrators and/or users can do with OTP tokens? For example:

1) Is there a way to enforce how many tokens can be active for a user at
the same time?

2) Is it possible to force the number of digits to be eight and a specific
algorithm to be used?

3) Is it possible to force the user to create a new OTP token after the
first password change?

If there is such support, it can be used to overcome the soft OTP token
enrollment bootstrap issue. For example, currently, if the administrator
creates a new user and enables "Two factor authentication (password + OTP)"
but does not assign an OTP token, the user is able to login, change the
password and continue using the new password without enabling 2FA
indefinitely.

However, once the OTP token is created, either by administrator or the
user, the systems forces the token's use from this point on. Maybe in the
future, FreeIPA can force the user to enable OTP at first login into the
FreeIPA console? But I guess then, the system must somehow stop the users
from login in into any other service besides FreeIPA web console, until the
OTP token is generated.

A few more questions:

Would it be possible to describe a use case when having multiple OTP tokens
enabled at the same time is a requirement?

How does TOTP token synchronization work? Can it be disabled?

Thank you for your time and help!

Regards,
--peter

[Freeipa-users] Lost master 1 with CA service

2016-05-04 Thread barrykfl
Hi all:

I got master 1 with CA and server 2 replicating. Now master 1 failed, all
lost.

Can I skip it and just make server 3 a replicated slave, or must I recover master
1?

Regards

Re: [Freeipa-users] Inplace upgrade

2016-05-04 Thread barrykfl
You meant it fails to start if updating a minor version only?
On May 4, 2016 at 7:25 PM, "Lukas Slebodnik" wrote:

> On (04/05/16 13:17), barry...@gmail.com wrote:
> >Can specific minor version?
> Yes you can
>
> yum update ipa-server-3.0.0-37.el6.x86_64
>
> However, it can fail if this version is not available in repositories.
>
> BTW the latest version in el6 is 3.0.0-47.el6
>
> LS
>

[Freeipa-users] Fail to Start up the server

2016-05-04 Thread barrykfl
Hi:

Before, the server could start up if I disabled nsslapd-security in dse.ldif.
But now after I updated the minor version from -3.0.0-26 to
ipa-server-3.0.0-47.el6.centos.2.x86_64, it does not allow me to start. Any idea?
I think it is not related to the SSL cert issue.


[04/May/2016:17:32:52 +0800] - SSL alert: CERT_VerifyCertificateNow: verify
certificate failed for cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
Peer's Certificate has expired.)
[04/May/2016:17:32:52 +0800] - 389-Directory/1.2.11.25 B2013.325.1951
starting up
[04/May/2016:17:32:52 +0800] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[04/May/2016:17:32:52 +0800] - libdb: file ipaca/id2entry.db4 has LSN
14/8738497, past end of log at 14/8626491
[04/May/2016:17:32:53 +0800] - libdb: Commonly caused by moving a database
from one database environment
[04/May/2016:17:32:53 +0800] - libdb: to another without clearing the
database LSNs, or by removing all of
[04/May/2016:17:32:53 +0800] - libdb: the log files from a database
environment
[04/May/2016:17:32:53 +0800] - libdb:
/var/lib/dirsrv/slapd-PKI-IPA/db/ipaca/id2entry.db4: unexpected file type
or format
[04/May/2016:17:32:53 +0800] - dbp->open("ipaca/id2entry.db4") failed:
Invalid argument (22)
[04/May/2016:17:32:53 +0800] - dblayer_instance_start fail: Invalid
argument (22)
[04/May/2016:17:32:53 +0800] - start: Failed to start databases, err=22
Invalid argument
[04/May/2016:17:32:53 +0800] - Failed to start database plugin ldbm database
[04/May/2016:17:32:53 +0800] - WARNING: ldbm instance userRoot already
exists
[04/May/2016:17:32:53 +0800] - ldbm_config_read_instance_entries: failed to
add instance entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config
[04/May/2016:17:32:53 +0800] - ldbm_config_load_dse_info: failed to read
instance entries
[04/May/2016:17:32:53 +0800] - start: Loading database configuration failed
[04/May/2016:17:32:53 +0800] - Failed to start database plugin ldbm database
[04/May/2016:17:32:53 +0800] - Error: Failed to resolve plugin dependencies
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin 7-bit check is
not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Account Usability
Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: accesscontrol plugin ACL Plugin is
not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin ACL preoperation
is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin attribute
uniqueness is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Auto Membership
Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: object plugin Class of Service is not
started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin deref is not
started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin HTTP Client is
not started
[04/May/2016:17:32:53 +0800] - Error: database plugin ldbm database is not
started
[04/May/2016:17:32:53 +0800] - Error: object plugin Legacy Replication
Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Linked Attributes
is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Managed Entries
is not started
[04/May/2016:17:32:54 +0800] - Error: object plugin Multimaster Replication
Plugin is not started
[04/May/2016:17:32:54 +0800] - Error: object plugin Roles Plugin is not
started
[04/May/2016:17:32:54 +0800] - Error: object plugin Views is not started
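Most of the log above is cascade: once the ldbm database fails to open, the server reports every plugin as "not started", which buries the line that matters. The parser below is an added example for this thread, not 389-ds or FreeIPA code. It separates that cascade from the libdb failure that precedes it, reports the first database-layer entry as the root cause, and pulls the file/log LSN pair out of the libdb warning, which the log itself attributes to database files and transaction logs that no longer belong together. The sample log is a constructed, shortened copy of the posted one with each entry on a single line as the server writes it.

```python
"""Find the first real failure in a 389-ds errors log.

Added example for this thread (not part of 389-ds or FreeIPA). When the
database back end fails to open, the server logs one cascade of
"plugin ... is not started" errors per plugin; the parser below separates
that cascade from the database failure that caused it, so the first line
worth reading is reported first.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a shortened version of the log posted in the thread,
# with each entry on one line as the server writes it.
SAMPLE_ERRORS_LOG = """\
[04/May/2016:17:32:52 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[04/May/2016:17:32:52 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[04/May/2016:17:32:52 +0800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[04/May/2016:17:32:52 +0800] - libdb: file ipaca/id2entry.db4 has LSN 14/8738497, past end of log at 14/8626491
[04/May/2016:17:32:53 +0800] - libdb: Commonly caused by moving a database from one database environment
[04/May/2016:17:32:53 +0800] - libdb: /var/lib/dirsrv/slapd-PKI-IPA/db/ipaca/id2entry.db4: unexpected file type or format
[04/May/2016:17:32:53 +0800] - dbp->open("ipaca/id2entry.db4") failed: Invalid argument (22)
[04/May/2016:17:32:53 +0800] - dblayer_instance_start fail: Invalid argument (22)
[04/May/2016:17:32:53 +0800] - start: Failed to start databases, err=22 Invalid argument
[04/May/2016:17:32:53 +0800] - Failed to start database plugin ldbm database
[04/May/2016:17:32:53 +0800] - Error: Failed to resolve plugin dependencies
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin 7-bit check is not started
[04/May/2016:17:32:53 +0800] - Error: database plugin ldbm database is not started
[04/May/2016:17:32:54 +0800] - Error: object plugin Views is not started
"""

ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
LSN_RE = re.compile(
    r"file (?P<file>\S+) has LSN (?P<file_lsn>\d+/\d+), past end of log at (?P<log_lsn>\d+/\d+)"
)

# Messages that are consequences of an earlier failure, not causes.
CASCADE = ("is not started", "Failed to resolve plugin dependencies")
# Messages from the database layer; the first of these is the root cause.
DATABASE = ("libdb:", "dbp->open", "dblayer_", "Failed to start database")


def classify(msg: str) -> str:
    """Bucket one log message as ssl, cascade, database or other."""
    if msg.startswith("SSL alert"):
        return "ssl"
    if any(marker in msg for marker in CASCADE):
        return "cascade"
    if any(marker in msg for marker in DATABASE):
        return "database"
    return "other"


def parse_errors_log(text: str) -> List[Dict[str, str]]:
    """Turn '[timestamp] - message' lines into classified entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            msg = m.group("msg")
            entries.append({"ts": m.group("ts"), "msg": msg, "kind": classify(msg)})
    return entries


def root_cause(entries: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """First database-layer entry; the cascade after it is only a symptom."""
    for entry in entries:
        if entry["kind"] == "database":
            return entry
    return None


def lsn_mismatch(entries: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Pull the file/log LSN pair out of the libdb warning, if present."""
    for entry in entries:
        m = LSN_RE.search(entry["msg"])
        if m:
            return m.groupdict()
    return None


def summarize(text: str) -> dict:
    """Condense a log into the few facts needed to decide what to fix first."""
    entries = parse_errors_log(text)
    cause = root_cause(entries)
    return {
        "entries": len(entries),
        "cascade_errors": sum(e["kind"] == "cascade" for e in entries),
        "root_cause": cause["msg"] if cause else None,
        "lsn": lsn_mismatch(entries),
        "ssl_alerts": [e["msg"] for e in entries if e["kind"] == "ssl"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ERRORS_LOG).items():
        print(f"{key}: {value}")
```

On the posted log this reports the libdb LSN warning as the root cause and the SSL alert separately, which matches Barry's own reading that the certificate is a different problem from the failure to start.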

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-04 Thread Lukas Slebodnik
On (03/05/16 21:27), Hosakote Nagesh, Pawan wrote:
>Our apps are running in a docker image based on Ubuntu 14.04 that cannot be 
>changed to redhat. We want to install freeipa-client within this docker so 
>that our app
>uses freeipa ldap as against default ldap.
>
and that's the reason why you needn't care about the base image
in the container world.

The sssd container can be based on fedora and the other application
can be based on ubuntu. And they will share common directories
with unix pipes which are used for communication with sssd.

In other words, you just need to install the packages libnss-sss
and libpam-sss (if you need authentication as well)
in the client/application container
+ bind mount the directories /var/lib/sss/pipes/ /var/lib/sss/mc/.

LS
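The layout Lukas describes, written out as a Compose file, as an added example that is not part of the fedora/sssd image, FreeIPA or this thread. Only the two directories he names are shared; the sssd container does the enrolment-dependent work and the application container carries nothing but the NSS and PAM modules. Everything marked assumed (`./sssd.conf`, `./krb5.keytab`, the `./app` Dockerfile) is this example's own and has to be produced by enrolling the host with the IPA domain and by building an Ubuntu image that installs `libnss-sss` and `libpam-sss`.

```yaml
# docker-compose.yml: added example of the layout described in the thread; it
# is not part of the fedora/sssd image or FreeIPA. Assumed inputs: ./sssd.conf
# and ./krb5.keytab from enrolling the host, and ./app/Dockerfile building an
# Ubuntu image with libnss-sss and libpam-sss installed.
version: "2"

services:
  sssd:
    image: fedora/sssd            # the image named in the thread; runs sssd itself
    volumes:
      - ./sssd.conf:/etc/sssd/sssd.conf:ro     # assumed: client config for the IPA domain
      - ./krb5.keytab:/etc/krb5.keytab:ro      # assumed: host keytab from enrollment
      - sss-pipes:/var/lib/sss/pipes           # unix sockets the NSS/PAM modules connect to
      - sss-mc:/var/lib/sss/mc                 # memory-mapped cache read by the NSS module

  app:
    build: ./app                  # assumed: Ubuntu-based Dockerfile with libnss-sss libpam-sss
    depends_on:
      - sssd
    volumes:
      - sss-pipes:/var/lib/sss/pipes           # same two directories, mounted into the app
      - sss-mc:/var/lib/sss/mc

volumes:
  sss-pipes:
  sss-mc:
```

Named volumes are used here as the Compose equivalent of the bind mounts Lukas mentions; host bind mounts of `/var/lib/sss/pipes` and `/var/lib/sss/mc` work the same way. Inside the application container, `/etc/nsswitch.conf` must list `sss` for passwd, group and shadow, and `getent passwd <ipa-user>` is the quickest check that lookups reach the sssd container; a PAM stack is only needed if the application itself authenticates users.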



Re: [Freeipa-users] How do I create single sudo grpoup for both Centos and Ubuntu?

2016-05-04 Thread Przemysław Orzechowski

Hi

The problem was unclear for me with ubuntu and although in theory 
everything should work it did not (checked a few things that came to 
mind like kerberos sssd logs pam and figured out some problem with pam 
sssd integration so I went with the simplest solution (reinstall 
freeipa-client on ubuntus)


I fixed the problem with sudo on ubuntu 14.4 and 16.4 with
ipa-client-install --uninstall
followed by
ipa-client-install --domain=myfqdndomain --principal=admin --mkhomedir
then checking /etc/sssd/sssd.conf if the sudo is in services line (it 
was prior to uninstall) and appropriate mod to pam so mkhomedir actually works

for some reason after this ubuntus started working
I skipped ubuntu 12.4 for now

currently I'm trying to get su and su - to work, I mean restrict it to 
a few admin users from ipa and local root.


from other things I observed (not related to the sudo issue I hope) was 
that most of the ubuntu hosts did not register their A record on IPA 
whereas all Centos based hosts did (just added missing records for 
ubuntus manually so it's not an issue)


Next step after I get su right will be search for a way to get 
virt-manager work over ssh X forwarding for IPA users; works for local 
accounts only right now


Regards
Przemysław Orzechowski

W dniu 02.05.2016 o 16:22, Rob Crittenden pisze:

Przemysław Orzechowski wrote:

Hi

I'm trying to create a single usergroup for sudo enabled users for both
Centos and Ubuntu users
The problem is on centos it's group wheel (10), and on ubuntu it's sudo
(27); I have tried to do it using ID view but somehow I'm not
getting it right

btw
Centos clients versions 6.x, 7.x
Ubuntu clients versions 12.04,14.04,16.04
Ipa server is on Centos 7  IPA VERSION: 4.2.0, API_VERSION: 2.156

Regards
Przemysław Orzechowski



But aren't these groups used only if you use files for sudo (and even 
that is just a default)? If you are using IPA to provide the sudo 
rules then the group you choose shouldn't matter.


rob




Re: [Freeipa-users] Who uses FreeIPA?

2016-05-04 Thread Martin Basti



On 04.05.2016 09:23, Jakub Hrozek wrote:

On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:

On (03/05/16 15:09), Alexandre de Verteuil wrote:

Hello all,

I've deployed FreeIPA in my home lab and I'm happy to have single
sign-on for all my Archlinux virtual machines and Fedora laptops :)

It took me lots of research and conversations before hearing about
FreeIPA for the first time while searching for a libre SSO solution. I
think FreeIPA needs much more exposure. I am really impressed with it.
Tomorrow I am giving a short presentation at my workplace to talk about
it and invite other sysadmins to try it.

I would like to make a slide showing the current adoption of FreeIPA. I
read that Red Hat uses it internally, but do they actually deploy it in
their client's infrastructures? Are there any big companies that use it?
Even if I only have reports of schools and small businesses would be
good enough to say it's production ready and it has traction.

Whether you are reporting about your own use or you know where I can
find out more would be greatly appreciated! I have not found a "Who uses
FreeIPA" page on the Internet.


The GNOME Infrastructure is now powered by FreeIPA!
October 7, 2014

https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

Would it make sense to add 'success stories' like this to the
freeipa.org home page? Of course, we can't use Red Hat IDM customers,
but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu
could be added there if they would agree..


+1



Re: [Freeipa-users] Who uses FreeIPA?

2016-05-04 Thread Jakub Hrozek
On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
> On (03/05/16 15:09), Alexandre de Verteuil wrote:
> >Hello all,
> >
> >I've deployed FreeIPA in my home lab and I'm happy to have single
> >sign-on for all my Archlinux virtual machines and Fedora laptops :)
> >
> >It took me lots of research and conversations before hearing about
> >FreeIPA for the first time while searching for a libre SSO solution. I
> >think FreeIPA needs much more exposure. I am really impressed with it.
> >Tomorrow I am giving a short presentation at my workplace to talk about
> >it and invite other sysadmins to try it.
> >
> >I would like to make a slide showing the current adoption of FreeIPA. I
> >read that Red Hat uses it internally, but do they actually deploy it in
> >their client's infrastructures? Are there any big companies that use it?
> >Even if I only have reports of schools and small businesses would be
> >good enough to say it's production ready and it has traction.
> >
> >Whether you are reporting about your own use or you know where I can
> >find out more would be greatly appreciated! I have not found a "Who uses
> >FreeIPA" page on the Internet.
> >
> The GNOME Infrastructure is now powered by FreeIPA!
> October 7, 2014
> 
> https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

Would it make sense to add 'success stories' like this to the
freeipa.org home page? Of course, we can't use Red Hat IDM customers,
but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu
could be added there if they would agree..
