Re: [Freeipa-users] LDAP server failover via altServer attribute?

2016-05-20 Thread Răzvan Corneliu C.R. VILT
Hi guys,

Regarding the Macs, there are a few notes:

1) The template kerberos setup can be pushed through LDAP (cn=KerberosClient 
and cn=KerberosKDC,cn=config)
2) The LDAP replicas can be also configured in cn=config and it is cached by 
OpenDirectory in the following format:

dn: cn=ldapreplicas, cn=config, dc=example, dc=com
objectClass: apple-configuration
apple-ldap-replica: ldap://192.168.1.1 
apple-ldap-replica: ldap://192.168.2.2 
apple-ldap-writable-replica: ldap://192.168.1.1 
apple-ldap-writable-replica: ldap://192.168.2.2 
apple-xml-plist: base64 encode of:
-
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>GUID</key>
    <string>01234567-89AB-CDEF-0123-456789ABCDEF</string>
    <key>IPaddresses</key>
    <array>
        <string>192.168.1.1</string>
        <string>10.0.0.1</string>
    </array>
    <key>PrimaryMaster</key>
    <string>ipa-server.example.org</string>
    <key>ReplicaName</key>
    <string>Master</string>
    <key>Replicas</key>
    <array>
        <string>ipa-bkserver.example.org</string>
    </array>
</dict>
</plist>
--

3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL 
and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.


If you do this manually instead of the OpenDirectory-compatible way, your machine 
doesn't create an account for itself in IPA, so service access without login is 
not available; it doesn't download the root CA automatically, and you don't get 
SSO out of the box.


> On 20 May 2016, at 22:13, Guillermo Fuentes wrote:
> 
> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = 
> yes" and removing the KDC server ("kdc = xxx") entries from the 
> /Library/Preferences/edu.mit.Kerberos config file does the trick.
> 
> For LDAP, although you can enable it, I can't see it documented anywhere so 
> I'm assuming that isn't the recommended way for the Mac. This can be enabled 
> by running this for the LDAP server you're using:
> sudo odutil set configuration /LDAPv3/ipa1.example.com 
>  module ldap option "Use DNS replicas" "true"
> 
> Adding the altServer values with the Directory Manager credentials worked and 
> I'm happy to report that the failover on the Mac works great with FreeIPA!
> 
> As suggested by Rob, for three servers, on server ipa1:
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://ipa2.example.com 
> -
> add: altServer
> altServer: ldap://ipa3.example.com 
> 
> modifying entry ""
> ^D
> 
> The altServer values didn't replicate so I had to add them to each of the 
> FreeIPA servers.
> 
> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute 
> to look for replicas in case of failover: 
> sudo odutil set configuration /LDAPv3/ipa1.example.com 
>  module ldap option "Use altServer replicas" "true"
> 
> And, voilà! Highly available authentication with a FreeIPA cluster for the 
> Mac!
> 
> Thanks so much for your help!
> Guillermo

Re: [Freeipa-users] LDAP server failover via altServer attribute?

2016-05-20 Thread Guillermo Fuentes
SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc
= yes" and removing the KDC server ("kdc = xxx") entries from the
/Library/Preferences/edu.mit.Kerberos config file does the trick.

For LDAP, although you can enable it, I can't see it documented anywhere so
I'm assuming that isn't the recommended way for the Mac. This can be
enabled by running this for the LDAP server you're using:
sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option
"Use DNS replicas" "true"

Adding the altServer values with the Directory Manager credentials worked
and I'm happy to report that the failover on the Mac works great with
FreeIPA!

As suggested by Rob, for three servers, on server ipa1:
$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn:
changetype: modify
add: altServer
altServer: ldap://ipa2.example.com
-
add: altServer
altServer: ldap://ipa3.example.com

modifying entry ""
^D

The altServer values didn't replicate so I had to add them to each of the
FreeIPA servers.

Then, tell the Mac (testing on OS X v10.11.5) to use the altServer
attribute to look for replicas in case of failover:
sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option
"Use altServer replicas" "true"

And, voilà! Highly available authentication with a FreeIPA cluster for the
Mac!

Thanks so much for your help!
Guillermo


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
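Since altServer lives only in each server's RootDSE and does not replicate (as Guillermo found), every IPA server has to be checked on its own. The following is an added shell example, not code from the thread or from FreeIPA: it verifies that each server advertises all the others, using the thread's ipa1/ipa2/ipa3 hostnames and a constructed stand-in for live ldapsearch output.

```shell
# Hostnames from the thread; ipa3 stands for a server that has not had the
# ldapmodify applied yet. In a live run each LDIF_* would come from fetch_rootdse.
SERVERS="ipa1.example.com ipa2.example.com ipa3.example.com"
LDIF_IPA1='dn:
altServer: ldap://ipa2.example.com
altServer: ldap://ipa3.example.com'
LDIF_IPA2='dn:
altServer: ldap://ipa1.example.com
altServer: ldap://ipa3.example.com'
LDIF_IPA3='dn:'

# Pull the altServer URIs out of LDIF on stdin, trim trailing blanks that
# copy-pasted LDIF often carries, and sort them so sets can be compared.
alt_servers_from_ldif() {
    sed -n 's/^altServer:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | sort
}

# What a given server should advertise: every other server as an ldap:// URI.
expected_for() {
    for s in $SERVERS; do
        [ "$s" = "$1" ] || echo "ldap://$s"
    done | sort
}

# Live query of one server's RootDSE (needs ldapsearch and network access);
# not called below so the example runs offline.
fetch_rootdse() {
    ldapsearch -LLL -x -H "ldap://$1" -b "" -s base altServer
}

# Compare advertised against expected; prints one status line, returns 1 on mismatch.
check_server() {
    server=$1
    ldif=$2
    actual=$(printf '%s\n' "$ldif" | alt_servers_from_ldif)
    expected=$(expected_for "$server")
    if [ "$actual" = "$expected" ]; then
        echo "$server: OK"
        return 0
    fi
    echo "$server: MISMATCH (expected: $(echo $expected); got: $(echo ${actual:-none}))"
    return 1
}

status=0
check_server ipa1.example.com "$LDIF_IPA1" || status=1
check_server ipa2.example.com "$LDIF_IPA2" || status=1
check_server ipa3.example.com "$LDIF_IPA3" || status=1
[ "$status" -eq 0 ] || echo "re-run the thread's ldapmodify on every server marked MISMATCH"
```

In a live run, replace each LDIF_* argument with "$(fetch_rootdse "$server")" and run the script from a host that can reach all three servers.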

Re: [Freeipa-users] Mostly working trust, SSH failure

2016-05-20 Thread Erik Mackdanz
Thanks Jakub,

Yes, the "marking subdomain ... inactive" portion is below.

There are failures in resolving the Global Catalog via SRV, but what
I've read says that should be okay because we fall back to the
SID<->UID mapping.  With dig, I can reproduce sssd's finding that
those SRV records don't exist.  Is the DNS failure as fatal as it
appears?

Yes, we can kinit AD users.  We can also 'getent' AD users and groups
(at least the group we authorized in our trust).

Does it matter that the user we used to establish the trust was later
demoted?  (Was domain admin, now regular user).

Cheers,
Erik


[ipa_srv_ad_acct_retried] (0x0400): Sudomain re-set, will retry lookup
[be_fo_reset_svc] (0x1000): Resetting all servers in service na.bazzlegroup.com
[set_srv_data_status] (0x0100): Marking SRV lookup of service
'na.bazzlegroup.com' as 'neutral'
[set_server_common_status] (0x0100): Marking server
'deda9w1004.na.bazzlegroup.com' as 'name not resolved'
[fo_set_port_status] (0x0100): Marking port 389 of server
'deda9w1004.na.bazzlegroup.com' as 'neutral'
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server
'deda9w1004.na.bazzlegroup.com' as 'neutral'
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
[set_srv_data_status] (0x0100): Marking SRV lookup of service
'na.bazzlegroup.com' as 'neutral'
[set_server_common_status] (0x0100): Marking server
'usbe9w2003.na.bazzlegroup.com' as 'name not resolved'
[fo_set_port_status] (0x0100): Marking port 389 of server
'usbe9w2003.na.bazzlegroup.com' as 'neutral'
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server
'usbe9w2003.na.bazzlegroup.com' as 'neutral'
[ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
[sdap_id_op_connect_step] (0x4000): beginning to connect
[fo_resolve_service_send] (0x0100): Trying to resolve service
'gc_na.bazzlegroup.com'
[get_port_status] (0x1000): Port status of port 0 for server '(no
name)' is 'not working'
[fo_resolve_service_send] (0x0020): No available servers for service
'gc_na.bazzlegroup.com'
[be_resolve_server_done] (0x1000): Server resolution failed: 5
[sdap_id_op_connect_done] (0x0400): Failed to connect to server, but
ignore mark offline is enabled.
[sdap_id_op_connect_done] (0x4000): notify error to op #1: 5
[Input/output error]
[be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
[be_mark_subdom_offline] (0x1000): Marking subdomain
na.bazzlegroup.com as inactive
[ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed:
[1432158262]: Subdomain is inactive.
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262
[sdap_id_op_destroy] (0x4000): releasing operation connection

On Fri, May 20, 2016 at 2:02 AM, Jakub Hrozek  wrote:
> Here it looks like sssd previously had issues connecting to AD and went
> offline. Can you search the logs a bit earlier for the first occurrence of
> "Marking subdomain xxx as offline"? Can you kinit as that user?

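Jakub's advice is to locate the first point at which sssd marked the trusted subdomain offline and look at what failed just before it. The script below is an added example, not from the thread or from sssd: it runs that triage over a constructed log excerpt assembled from the lines Erik posted (domain and hostnames as posted; the one-line-per-entry layout and timestamps are constructed).

```shell
# Constructed sssd domain-log excerpt condensed from the fragments in the thread.
LOG=$(cat <<'EOF'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'deda9w1004.na.bazzlegroup.com' as 'name not resolved'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'usbe9w2003.na.bazzlegroup.com' as 'name not resolved'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'gc_na.bazzlegroup.com'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_resolve_service_send] (0x0020): No available servers for service 'gc_na.bazzlegroup.com'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x1000): Marking subdomain na.bazzlegroup.com as inactive
(Thu May 19 20:43:35 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
(Thu May 19 20:43:35 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Subdomain already inactive
EOF
)

# Line number of the first "Marking subdomain ... offline" entry in $1, or 0 if none.
first_offline_line() {
    n=$(printf '%s\n' "$1" | grep -n 'Marking subdomain .* offline' | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Distinct AD servers whose DNS names failed to resolve within the first $2 lines of $1.
unresolved_before() {
    printf '%s\n' "$1" | head -n "$2" \
        | sed -n "s/.*Marking server '\([^']*\)' as 'name not resolved'.*/\1/p" | sort -u
}

# Distinct failover services left with no usable server within the first $2 lines of $1.
no_servers_before() {
    printf '%s\n' "$1" | head -n "$2" \
        | sed -n "s/.*No available servers for service '\([^']*\)'.*/\1/p" | sort -u
}

# Report where the subdomain first went offline and what had failed up to that point.
triage() {
    n=$(first_offline_line "$1")
    if [ "$n" -eq 0 ]; then
        echo "no 'Marking subdomain ... offline' entry found"
        return 0
    fi
    echo "subdomain first marked offline at log line $n:"
    printf '%s\n' "$1" | sed -n "${n}p"
    echo "AD servers whose names did not resolve before that point:"
    unresolved_before "$1" "$n" | sed 's/^/  /'
    echo "services with no available server before that point:"
    no_servers_before "$1" "$n" | sed 's/^/  /'
}

triage "$LOG"
```

Against a real file, run `triage "$(cat /var/log/sssd/sssd_<domain>.log)"` on the IPA client; the domain log name depends on the sssd.conf domain, so the path here is a placeholder.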

Re: [Freeipa-users] LDAP server failover via altServer attribute?

2016-05-20 Thread Rob Crittenden

Martin Basti wrote:

Hello,

IPA uses SRV records for failover to another replica/LDAP.

I don't know how it works on MACs, but in case that there is no
possibility to use SRV, you may need to file a RFE ticket
(https://fedorahosted.org/freeipa/newticket)


Agreed, SRV records are the preferred mechanism. I was curious though so 
played with this a bit and it is possible to add altServer values:


$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn:
changetype: modify
add: altServer
altServer: ldap://gyre.example.com

modifying entry ""
^D

$ ldapsearch -LLL -x -b "" -s base altServer
dn:
altServer: ldap://gyre.example.com

My test rig is a single master so I don't know if this replicates or not.

rob



Martin




Re: [Freeipa-users] LDAP server failover via altServer attribute?

2016-05-20 Thread Martin Basti

Hello,

IPA uses SRV records for failover to another replica/LDAP.

I don't know how it works on MACs, but in case that there is no 
possibility to use SRV, you may need to file a RFE ticket 
(https://fedorahosted.org/freeipa/newticket)


Martin


On 19.05.2016 17:43, Guillermo Fuentes wrote:

Hello all,

As OS X allows LDAP server failover via the altServer attribute 
(RFC4512) from RootDSE, it would be great to be able to configure our 
Macs to connect to a single FreeIPA server and add other FreeIPA 
servers as multiple altServer values.

The current schema doesn't seem to support adding this attribute.
Can this be done in a way I'm missing?

Thanks in advance!

GUILLERMO FUENTES
SR. SYSTEMS ADMINISTRATOR


Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-05-20 Thread Harald Dunkel
On 05/13/16 14:48, Lukas Slebodnik wrote:
> You might see in ticket that planned milestone is "Future Releases"
> that isn't any particular release (4.4.x ...)
> 
> It basically means that patches are welcome.
> That's how it works in open source world.
> 
> LS
> 

Sorry, I got confused about the comment on
https://bugzilla.redhat.com/show_bug.cgi?id=1296665.
I thought the "Changing version to '24'." means it is
supposed to be fixed for F24. This bug was reported >4
months ago.


Regards
Harri



Re: [Freeipa-users] AD membership realmd way + samba?

2016-05-20 Thread Sumit Bose
On Thu, May 19, 2016 at 05:42:27PM +0100, lejeczek wrote:
> hi users/devs
> 
> I've poked around samba list but was suggested to ask sssd people, I thought
> IPA's might know as well.
> 
> Having joined AD with realm - can samba take advantage of this membership?
> And if so then to what extent?

realmd can use different backends to join the AD domain, Samba's net
utility or adcli; this can be chosen with the --membership-software
option. If you use net, Samba should work out of the box. adcli does not
write the host keys into Samba's internal secrets.tdb, and hence you
might need some additional configuration on the Samba side; see the
'kerberos method' entry in the smb.conf man page for details.

HTH

bye,
Sumit

> 
> many thanks,
> 
> L.


Re: [Freeipa-users] SSSD, sudo and FQDNs

2016-05-20 Thread Jakub Hrozek
On Fri, May 20, 2016 at 10:36:30AM +1000, Lachlan Musicman wrote:
> Hola,
> 
> We couldn't get sssd and sudo to work and discovered this on the SSSD
> troubleshooting page:
> 
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO#Knownissues
> 
> Is this on the radar to be solved at all or is it unsolvable?

On the radar for 7.3.



Re: [Freeipa-users] Mostly working trust, SSH failure

2016-05-20 Thread Jakub Hrozek
On Thu, May 19, 2016 at 05:18:43PM -0500, Erik Mackdanz wrote:
> Hello,
> 
> I've set up a one-way trust to an Active Directory domain.  Things
> seem to roughly work, but something's missing.
> 
> Can any kind soul spot a problem with my configuration, or advise on
> how to further troubleshoot?
> 
> Facts:
> 
> - An AD user gets 'Access denied' when SSH'ing by password to the
>   FreeIPA host.  This is my concern.
> 
> - This AD user has not been locked out.
> 
> - getent passwd succeeds for the AD user
> 
> - A FreeIPA user can successfully SSH by password to the same FreeIPA
>   host.
> 
> - That FreeIPA user can then successfully kinit as the AD user (the
>   same AD user denied above)
> 
> - HBAC is set to the default allow_all rule, which is enabled.
>   Running the HBAC Test tool on the AD user confirms that they are
>   authorized for sshd.
> 
> This tells me something is awry in sssd.conf or sshd_config or pam.d
> or HBAC.
> 
> Thanks,
> Erik
> 
> I've got sssd debug to 9.  Here's some output:
> 
> 

[...]

> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
> [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
> [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com
> offline
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
> [be_mark_subdom_offline] (0x4000): Subdomain already inactive
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]

Here it looks like sssd previously had issues connecting to AD and went
offline. Can you search the logs a bit earlier for the first occurrence of
"Marking subdomain xxx as offline"? Can you kinit as that user?
