[Freeipa-users] cleanallruv - no replica's :(

2016-09-30 Thread Matt Wells
Hey all, I hoped anyone may be able to assist.  I had 2 dead replicas and
used cleanallruv.pl as they refused to leave otherwise.
`/usr/sbin/cleanallruv.pl -v -D "cn=directory manager" -w - -b 'dc=mosaic451,dc=com' -r 17`
17 being the bad guy.  Well it ran `woohoo` but deleted all of my
replicas.  The state it's in now is I can make changes on Box1 (the one I
ran it on) and they replicate to Box2 but never come back.
If I delete it on Box2 it never gets to Box1; however Box2 says he has
that happy replication agreement.
So it's almost a split-brain scenario.  I hoped someone may be able to
assist.
Can I just re-cut the replication agreement from Box2 and run it on Box1?
He's a full-grown IPA so if I did that wouldn't I need to --uninstall him?

What do you guys think?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] another certmonger question

2016-09-30 Thread Natxo Asenjo
On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
>
>>
>>
>> On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden wrote:
>>
>> Natxo Asenjo wrote:
>>
>>
>>
>> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote:
>>
>>
>>  It's hard to say, it may in fact not be a problem.
>>
>>  It is really a matter of what service the certificate(s)
>> are related
>>  to. I'd look at the serial numbers and then correlate those
>> to the
>>  issued certificates.
>>
>>  I'd also do a service-find on the hostname to see if any
>> services
>>  have certificates issued and with what serial numbers.
>>
>>
>> I agree, it could be that. But just for testing I have created a
>> vm,
>> joined it to the domain and resubmitted the certificate.
>>
>> Now there are two valid host certificates with the same subject:
>>
>>
>> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>> --
>> 2 certificates matched
>> --
>> Serial number (hex): 0x3FFE0002
>> Serial number: 1073610754
>> Status: VALID
>> Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>> Serial number (hex): 0x3FFE0003
>> Serial number: 1073610755
>> Status: VALID
>> Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>> Number of entries returned 2
>> 
>>
>>
>> So certmonger in this centos 6.8 32bit host is renewing but not
>> having the old certificate revoked.
>>
>>
>> I'd check the Apache log to find the cert_request call to see if you
>> can see if there are any issues raised. It should be doing a
>> cert_revoke at the same time.
>>
>> Can you show how this certificate is being tracked?
>>
>>
>> sure:
>>
>> $ sudo getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20160929100945':
>>  status: MONITORING
>>  stuck: no
>>  key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>  certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>  CA: IPA
>>  issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>>  subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>  expires: 2018-09-30 10:13:17 UTC
>>  principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
>>  key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>  eku: id-kp-serverAuth,id-kp-clientAuth
>>  pre-save command:
>>  post-save command:
>>  track: yes
>>  auto-renew: yes
>>
>> now, let's resubmit:
>>
>> $ sudo ipa-getcert resubmit -i 20160929100945
>> Resubmitting "20160929100945" to "IPA".
>> [jose.admin@throwaway ~]$ sudo getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20160929100945':
>>  status: MONITORING
>>  stuck: no
>>  key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>  certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>  CA: IPA
>>  issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>>  subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>  expires: 2018-09-30 20:41:28 UTC
>>  principal name: 

Re: [Freeipa-users] RBAC - User Administrator - OTP tokens

2016-09-30 Thread Martin Basti



On 27.09.2016 17:16, Prashant Bapat wrote:
RBAC Role "User Administrator" should have access to all users' OTP 
tokens, specifically to remove them if someone has lost their token. We 
get this a lot.


I found no permissions that give this access.

Can someone explain if this can be added easily, either from the WebUI 
or the CLI?


Thanks.
--Prashant






Hello,

OTP-related access control is bound to the token owner and token 
manager; we don't have any system permission created for that.


Feel free to open a ticket (just for deleting OTP): 
https://fedorahosted.org/freeipa/newticket

We will see if it is feasible.

You can create your own permission in the RBAC tab in the permissions section 
and assign it to the User Administrator privilege, but be careful with 
extending permissions related to OTP; it may open an attack vector.

http://www.freeipa.org/page/V4/OTP#Permissions

Martin^2



Re: [Freeipa-users] Replica created with expired certs

2016-09-30 Thread Rob Crittenden

Jim Richard wrote:

Can I and how…

delete all certs for all hosts

I mean, we only use FreeIPA for user login/sssd

That said, do we even need those certs?


There is no simple answer, really.

Yes, you can delete all certs for all hosts (not recommended as some of 
those are for IPA services). I doubt it would do anything positive, and 
if the certificate is tracked by certmonger on the client it would 
eventually renew.


Do you need the certs? Only you would know that, but chances are the 
vast majority aren't being used.


In 3.0 when a client is registered a host certificate is obtained for 
it. This certificate was never used and in 4.something it isn't 
requested at all unless an option is passed to ipa-client-install.


rob






Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905
PlaceIQ: Location Data Accuracy





On Sep 29, 2016, at 8:53 PM, Jim Richard wrote:

another interesting thing, my httpd/error_logs are constantly getting
spammed with: (I removed the stuff between the single quotes)

Notice those names don't match, should they?

Me thinks not since those "principal=" items are ALMOST all hosts that
no longer exist in the FreeIPA system. A rare few do exist.

So, that’s weird :)

[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq@placeiq.net: cert_request(u'………..', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq@placeiq.net: cert_request(u'………..', principal=u'host/017.prod07.nym1.placeiq@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/adsgateway-14.nym1.placeiq@placeiq.net: cert_request(u'...', principal=u'host/025.prod07.nym1.placeiq@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq@placeiq.net: cert_request(u'….', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq@placeiq.net', add=True): CertificateOperationError










Re: [Freeipa-users] Replica created with expired certs

2016-09-30 Thread Rob Crittenden

Jim Richard wrote:

another interesting thing, my httpd/error_logs are constantly getting
spammed with: (I removed the stuff between the single quotes)

Notice those names don't match, should they?

Me thinks not since those "principal=" items are ALMOST all hosts that
no longer exist in the FreeIPA system. A rare few do exist.

So, that’s weird :)


I suspect that certmonger is still tracking certificate(s) on those 
hosts. You should be able to clear things up on those hosts with 
something like:


# ipa-getcert list
# ipa-getcert stop-tracking -i 

It's hard to say if the hostname mismatch is expected or not, it depends 
on how the requests were done initially. The first value in the log 
represents the principal that did the BIND, so the host to look on is 
aerospike-cl1-203.nym1.placeiq.net. The second hostname is the principal 
that the certificate is being requested _for_. This is basically a 
delegated request.


rob



[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq@placeiq.net: cert_request(u'………..', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq@placeiq.net: cert_request(u'………..', principal=u'host/017.prod07.nym1.placeiq@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/adsgateway-14.nym1.placeiq@placeiq.net: cert_request(u'...', principal=u'host/025.prod07.nym1.placeiq@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq@placeiq.net: cert_request(u'….', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq@placeiq.net', add=True): CertificateOperationError












On Sep 29, 2016, at 8:11 AM, Rob Crittenden wrote:

Natxo Asenjo wrote:

hi Jim,

On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard wrote:

   Thanks Rob, that worked.

   Still on the subject of certs, any idea how to solve this error:

   Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
   certificate/key database is in an old, unsupported format.

   I see that in the gui when querying hosts as well as from cli when I
   ipa-show or ipa-find


I have had this too, and we did not find a solution (search my recent
posts on the archives). As a workaround I have created replicas and
decommissioned the older replicas.


On the one hand I'm glad this fixed it for you. On the other it is a
rather unsatisfying answer. Unfortunately NSS doesn't always provide
the most context with its error messages. This error is usually seen
when one tries to open a non-existent database, which in this case is
a very 
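As an added example (not part of this thread, and not FreeIPA's own code), here is a small Python parser for error_log entries in the layout Jim posted, applying Rob's reading of the two principals: the first is the host that did the BIND, the second is the host the certificate was requested for. It groups delegated requests whose target host is no longer in IPA by the requesting client, so an administrator knows on which client to run `ipa-getcert list` and `stop-tracking`. The log lines, host names, realm and known-host list are constructed, not Jim's.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the httpd error_log entries quoted in this
# thread; host names and realm are made up and the CSR argument is elided as it
# was in the original post.
SAMPLE_LOG = """\
[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-1.example.test@EXAMPLE.TEST: cert_request(u'...', principal=u'host/old-node-028.example.test@EXAMPLE.TEST', add=True): CertificateOperationError
[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-1.example.test@EXAMPLE.TEST: cert_request(u'...', principal=u'host/old-node-017.example.test@EXAMPLE.TEST', add=True): CertificateOperationError
[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/gateway-14.example.test@EXAMPLE.TEST: cert_request(u'...', principal=u'host/gateway-14.example.test@EXAMPLE.TEST', add=True): SUCCESS
[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/sandbox-22.example.test@EXAMPLE.TEST: cert_request(u'...', principal=u'host/build-07.example.test@EXAMPLE.TEST', add=True): CertificateOperationError
"""

# Constructed list of hosts that still exist in IPA (in practice: `ipa host-find`).
KNOWN_HOSTS = {
    "aerospike-1.example.test",
    "gateway-14.example.test",
    "sandbox-22.example.test",
    "build-07.example.test",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] ipa: INFO: "
    r"(?P<bind>host/\S+?): cert_request\(u'[^']*', "
    r"principal=u'(?P<target>host/[^']+)', add=(?P<add>True|False)\): "
    r"(?P<result>\S+)$"
)


def host_of(principal):
    """'host/fqdn@REALM' -> 'fqdn' (lower-cased, realm dropped)."""
    return principal.split("/", 1)[1].split("@", 1)[0].lower()


def parse_cert_request(line):
    """Describe one cert_request log line; None if the line is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    bind_host, target_host = host_of(m["bind"]), host_of(m["target"])
    return {
        "time": m["ts"],
        "bind_host": bind_host,          # the principal that did the BIND
        "target_host": target_host,      # the principal the cert is requested for
        "delegated": bind_host != target_host,
        "result": m["result"],
    }


def stale_delegations(log_text, known_hosts):
    """Map each binding client to the sorted target hosts that no longer exist in IPA."""
    stale = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_cert_request(line)
        if rec is None or not rec["delegated"]:
            continue
        if rec["target_host"] not in known_hosts:
            stale[rec["bind_host"]].add(rec["target_host"])
    return {client: sorted(targets) for client, targets in stale.items()}


if __name__ == "__main__":
    for client, targets in stale_delegations(SAMPLE_LOG, KNOWN_HOSTS).items():
        # These clients are where `ipa-getcert list` should show tracking
        # requests for hosts that are gone.
        print(f"{client}: still requesting certs for {', '.join(targets)}")
```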

Re: [Freeipa-users] another certmonger question

2016-09-30 Thread Rob Crittenden

Natxo Asenjo wrote:



On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden wrote:

Natxo Asenjo wrote:



On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote:


 It's hard to say, it may in fact not be a problem.

 It is really a matter of what service the certificate(s)
are related
 to. I'd look at the serial numbers and then correlate those
to the
 issued certificates.

 I'd also do a service-find on the hostname to see if any
services
 have certificates issued and with what serial numbers.


I agree, it could be that. But just for testing I have created a vm,
joined it to the domain and resubmitted the certificate.

Now there are two valid host certificates with the same subject:


   $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
--
2 certificates matched
--
Serial number (hex): 0x3FFE0002
Serial number: 1073610754
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Serial number (hex): 0x3FFE0003
Serial number: 1073610755
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Number of entries returned 2



So certmonger in this centos 6.8 32bit host is renewing but not
having the old certificate revoked.


I'd check the Apache log to find the cert_request call to see if you
can see if there are any issues raised. It should be doing a
cert_revoke at the same time.

Can you show how this certificate is being tracked?


sure:

$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
 status: MONITORING
 stuck: no
 key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
 certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
 subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
 expires: 2018-09-30 10:13:17 UTC
 principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
 key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes

now, let's resubmit:

$ sudo ipa-getcert resubmit -i 20160929100945
Resubmitting "20160929100945" to "IPA".
[jose.admin@throwaway ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
 status: MONITORING
 stuck: no
 key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
 certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
 subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
 expires: 2018-09-30 20:41:28 UTC
 principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
 key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes

so it has been successfully renewed.

In the access_log of the kdc I see this:

172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST
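As an added example (not from this thread, and not certmonger's or FreeIPA's own code), here is a Python parser for `ipa cert-find` output in the layout shown above. It reports subjects that still carry more than one VALID certificate, the symptom Natxo observed when certmonger renewed without the old certificate being revoked, and lists the superseded serials an administrator would expect the cert_revoke to have covered. The sample output, domain and serial numbers are constructed, and the code assumes serials increase with issuance order, as they do with the Dogtag CA.

```python
import re
from collections import defaultdict

# Constructed `ipa cert-find --subject=...` output in the layout shown in this
# thread; domain, serial numbers and the REVOKED entry are made up.
SAMPLE_CERT_FIND = """\
--
3 certificates matched
--
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.example.test,O=EXAMPLE.TEST

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.example.test,O=EXAMPLE.TEST

  Serial number (hex): 0x3FFE0004
  Serial number: 1073610756
  Status: REVOKED
  Subject: CN=other.example.test,O=EXAMPLE.TEST
--
Number of entries returned 3
--
"""

# One "Key: value" field per line; the separator lines and counts have no colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_cert_find(text):
    """Split cert-find output into one dict per certificate record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("--"):
            if current:                      # blank line or separator ends a record
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m["key"]] = m["value"]
    if current:
        records.append(current)
    return [r for r in records if "Serial number" in r]


def duplicate_valid_certs(text):
    """{subject: [serials ascending]} for subjects holding more than one VALID cert."""
    by_subject = defaultdict(list)
    for rec in parse_cert_find(text):
        if rec.get("Status") == "VALID":
            by_subject[rec["Subject"]].append(int(rec["Serial number"]))
    return {s: sorted(v) for s, v in by_subject.items() if len(v) > 1}


def stale_serials(text):
    """Serials still VALID but superseded by a newer cert for the same subject.

    Assumes serial numbers grow with issuance order (true for the Dogtag CA),
    so everything but the highest serial is the leftover of a renewal."""
    return {s: v[:-1] for s, v in duplicate_valid_certs(text).items()}


if __name__ == "__main__":
    for subject, serials in stale_serials(SAMPLE_CERT_FIND).items():
        print(f"{subject}: superseded but still VALID: {serials}")
```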

Re: [Freeipa-users] Certificate format error reported by GUI

2016-09-30 Thread Pavel Vomacka
Ah, ok, does /var/log/httpd/error_log contain any error after looking at 
hosts using the GUI? And could you please send the output of ipactl status after 
the error occurs?



On 09/30/2016 02:40 AM, Jim Richard wrote:

Hi Paul, 3.0.0 on Centos 6.8







On Sep 29, 2016, at 11:58 AM, Pavel Vomacka wrote:


Hello,

which version of FreeIPA do you use?

On 09/28/2016 12:42 AM, Jim Richard wrote:
When I try to look at hosts under the hosts tab. ipactl restart or 
just restarting httpd seems to clear it up for a short period.


Three replicas in the environment, it only happens when I look at 
hosts using the GUI at one of the three replicas.



Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.















--
Pavel^3 Vomacka


Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

2016-09-30 Thread Sumit Bose
On Thu, Sep 29, 2016 at 12:07:13PM -0400, Prasun Gera wrote:
> I need to set SELinux to enforcing to get the relevant SSSD logs, right ?

yes, I think this would help to identify the operation which triggers
the AVC because it should fail.

bye,
Sumit

> 
> On Thu, Sep 29, 2016 at 3:42 AM, Sumit Bose wrote:
> 
> > On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> > > I started seeing some selinux errors on one of my RHEL 7 clients recently
> > > (possibly after a recent yum update ?), which prevents users from logging
> > > in with passwords. I've put SELinux in permissive mode for now. Logs
> > follow
> >
> > This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
> > Would you mind adding your findings and the SSSD logs as described in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
> > ticket.
> >
> > Thank you.
> >
> > bye,
> > Sumit
> >
> > >
> > >
> > > SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the key Unknown.
> > >
> > > ***** Plugin catchall (100. confidence) suggests *****
> > >
> > > If you believe that krb5_child should be allowed read access on the Unknown key by default.
> > > Then you should report this as a bug.
> > > You can generate a local policy module to allow this access.
> > > Do
> > > allow this access for now by executing:
> > > # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> > > # semodule -i mypol.pp
> > >
> > >
> > > Additional Information:
> > > Source Context                system_u:system_r:sssd_t:s0
> > > Target Context                system_u:system_r:unconfined_service_t:s0
> > > Target Objects                Unknown [ key ]
> > > Source                        krb5_child
> > > Source Path                   /usr/libexec/sssd/krb5_child
> > > Port
> > > Host
> > > Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> > > Target RPM Packages
> > > Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
> > > Selinux Enabled               True
> > > Policy Type                   targeted
> > > Enforcing Mode                Permissive
> > > Host Name                     example.com
> > > Platform                      Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
> > > Alert Count                   38
> > > First Seen                    2016-09-28 18:37:43 EDT
> > > Last Seen                     2016-09-28 22:08:41 EDT
> > > Local ID                      aa5271fa-f708-46b0-a382-fb1f90ce8973
> > > Raw Audit Messages
> > > type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
> > >
> > >
> > > type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
> > >
> > > Hash: krb5_child,sssd_t,unconfined_service_t,key,read
> > >
> > >
> > 
> > >
> > > SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the key Unknown.
> > >
> > > ***** Plugin catchall (100. confidence) suggests *****
> > >
> > > If you believe that krb5_child should be allowed view access on the Unknown key by default.
> > > Then you should report this as a bug.
> > > You can generate a local policy module to allow this access.
> > > Do
> > > allow this access for now by executing:
> > > # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> > > # semodule -i mypol.pp
> > >
> > >
> > > Additional Information:
> > > Source Context                system_u:system_r:sssd_t:s0
> > > Target Context                system_u:system_r:unconfined_service_t:s0
> > > Target Objects                Unknown [ key ]
> > > Source                        krb5_child
> > > Source Path                   /usr/libexec/sssd/krb5_child
> > > Port
> > > Host
> > > Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> > > Target RPM Packages
> > > Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
> > > Selinux Enabled               True
> > > Policy Type                   targeted
> > > Enforcing Mode                Permissive
> > > Host Name                     example.com
> > > Platform

[Freeipa-users] FreeIPA as CA for your own internal webservices

2016-09-30 Thread Matt .
Hi Guys,

I'm wondering how it's possible to use FreeIPA as your own CA for
apache vhosts and such.

I need too many certificates for subdomains (wildcards) that it's
undoable, and I would like to use my FreeIPA installs for this.

I installed the root certificate on Windows from my IPA install and
that works; FreeIPA itself is now trusted. But how do I do this for
other web services, no matter what software I use?

I hope someone can give me direction here.

Thanks!

Matt



Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 10:03:08PM -0400, beeth beeth wrote:
> Thanks Florence and Rob! The replica worked after adding the certs during
> the replica preparation.
> 
> Now I got several IPA clients installed with user authentication(ssh login
> with the users in IPA) working after some work. However, one of them failed
> during login with the following messages in syslog:
> 
> Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Credentials cache
> permissions incorrect

This is RHEL-7, right? Then I'm not sure why ccache permissions would be
incorrect, maybe except for an SELinux issue.. (you are using the KEYRING
ccache, right?)

> Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity
> check failed
> Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity
> check failed

These two mean a wrong password was supplied.

You can enable sssd debugging and take a look into krb5_child.log. If
you crank up the debug_level all the way up to 10, then you'll also see
KRB5_TRACE-level messages..



Re: [Freeipa-users] HBAC rules stop working

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 07:51:14PM -0600, Orion Poplawski wrote:
> server:
> ipa-server-4.2.0-15.sl7_2.19.x86_64
> sssd-1.13.0-40.el7_2.12.x86_64
> 
> client:
> sssd-1.14.1-3.el7.centos.x86_64
> 
> AD trust - users are in AD.  HBAC rule in place for client to allow a user
> to login/ssh/su/etc.
> 
> This seems to have happened a couple times now, and again today after
> rebooting the IPA server.  sssd was denying the user to ssh into the client
> by pam rules.  Logged on to the IPA server and disabled and then re-enabled
> the HBAC rule for the client and then was able to log back in again.  Has
> anyone else seen this before?
> 
> client sssd_pam just went from:
> 
> (Thu Sep 29 19:30:40 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [6]: Permission denied.
> 
> to
> 
> (Thu Sep 29 19:37:04 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [0]: Success.
> 
> so I assume I'll need to collect debug logs from sssd on the server next
> time.

Yes..please try to collect logs from a machine that exhibits the bug. I
suspect this is not related to HBAC per se, but rather to external group
memberships, so it would also be nice to check if the groups are
resolved on the faulty machine. And if they wouldn't be, please also
check if they are resolved on the server itself (and collect logs
there..)



Re: [Freeipa-users] external groups and /etc/group

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 08:01:59PM -0400, Rusty Shackleford wrote:
> On Thu, Sep 29, 2016 at 4:47 PM, Jakub Hrozek wrote:
> 
> >
> > I think you are looking for:
> > https://sourceware.org/glibc/wiki/Proposals/GroupMerging
> >
> 
> Well that's a bummer. Thanks for getting back to me.

The functionality is already implemented and should work in newer
Fedoras. Unfortunately it is not backported to RHEL/centos..
