Re: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-17 Thread 郑磊
May be you should specify the specific $SUFFIX according to your environment.





--
Wishing you:
Smooth work and a happy life!
--
Changsha R&D Center, Zheng Lei (郑磊)
Phone:18684703229
Email:zheng...@kylinos.cn
Company:Tianjin Kylin Information Technology Co., Ltd.
Address:14th floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan

-- Original --
From:  "Matt .";
Date:  Tue, Oct 18, 2016 06:30 AM
To:  "freeipa-users@redhat.com"; 

Subject:  [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

 
Hi Guys,

I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24

I already checked some info and:

ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

Gives me TU instead of MII as expected.

Any further suggestions?

Thanks,

Matt


2016-10-17T22:19:10Z DEBUG Starting external process
2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
2016-10-17T22:19:10Z DEBUG Process finished, return code=255
2016-10-17T22:19:10Z DEBUG stdout=
2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-17T22:19:11Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1867, in upgrade
upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1770, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1027, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 996, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 307, in track_server_cert
nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
load_certificate
return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin


2016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
security library failure.
2016-10-17T22:19:11Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-17 Thread Martin Babinsky

On 10/18/2016 12:30 AM, Matt . wrote:

Hi Guys,

I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24

I already checked some info and:

ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

Gives me TU instead of MII as expected.

Any further suggestions?

Thanks,

Matt


2016-10-17T22:19:10Z DEBUG Starting external process
2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
2016-10-17T22:19:10Z DEBUG Process finished, return code=255
2016-10-17T22:19:10Z DEBUG stdout=
2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-17T22:19:11Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1867, in upgrade
upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1770, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1027, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 996, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 307, in track_server_cert
nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
load_certificate
return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin


2016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
security library failure.
2016-10-17T22:19:11Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information



Hmmm strange,

looks like your DS certificate got lost or has some strange nickname in 
your directory server's NSS database.


Is this CA-less install, externally signed CA or 'self-signed' CA? 
Master or replica?


--
Martin^3 Babinsky



Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-10-17 Thread Jochen Hein
Timo Aaltonen  writes:

> On 16.10.2016 08:00, Jochen Hein wrote:
>> Timo Aaltonen  writes:
>> 
>>> On 15.10.2016 22:33, Jochen Hein wrote:
>>>> Timo Aaltonen  writes:
>>>
>>> Looks like it was due to a misunderstanding.. it got removed from Debian
>>> first (because of new uploads getting blocked due to minified javascript
>>> not being actual source), then added back and synced to yakkety, but
>>> again removed from there for the same reason it got removed from Debian..
>
> The dropped binaries are back, you can find them from yakkety-updates.

Thanks!

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



[Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-17 Thread Matt .
Hi Guys,

I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24

I already checked some info and:

ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

Gives me TU instead of MII as expected.

Any further suggestions?

Thanks,

Matt


2016-10-17T22:19:10Z DEBUG Starting external process
2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
2016-10-17T22:19:10Z DEBUG Process finished, return code=255
2016-10-17T22:19:10Z DEBUG stdout=
2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-17T22:19:11Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1867, in upgrade
upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1770, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1027, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 996, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 307, in track_server_cert
nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
load_certificate
return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin


2016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
security library failure.
2016-10-17T22:19:11Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
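The "TU instead of MII" observation above can be checked mechanically; the following is an added example, not code from the post or from FreeIPA. Base64-encoding DER yields text that starts with "MII", and base64-encoding that text a second time yields "TUlJ", so the function below peels base64 layers until it finds a DER SEQUENCE that spans the whole value and reports how many layers it removed. The certificate blob is constructed filler with a certificate-shaped header, not a real certificate.

```python
import base64
import binascii
import re

# Only base64 alphabet characters plus whitespace may appear in a layer
# that we attempt to decode.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")
# PEM armour lines are dropped so that a pasted PEM block is handled too.
_PEM_LINE_RE = re.compile(rb"^-----(BEGIN|END) [^-]+-----\s*$", re.M)


def der_sequence_length(blob: bytes):
    """Total encoded length of the top-level DER SEQUENCE in blob, or None
    when blob does not start with a well-formed SEQUENCE header."""
    if len(blob) < 2 or blob[0] != 0x30:          # 0x30 is the SEQUENCE tag
        return None
    first = blob[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    nbytes = first & 0x7F                         # long form: length byte count
    if nbytes == 0 or len(blob) < 2 + nbytes:
        return None
    return 2 + nbytes + int.from_bytes(blob[2:2 + nbytes], "big")


def peel_certificate(value: bytes, max_layers: int = 4):
    """Strip base64 layers until a DER SEQUENCE spanning the whole value is
    found. Returns (layers_removed, der_bytes); der_bytes is None when no
    valid DER turned up, and layers_removed then counts the decodes done."""
    current = _PEM_LINE_RE.sub(b"", value)
    for layers in range(max_layers + 1):
        total = der_sequence_length(current)
        if total is not None and total == len(current):
            return layers, current
        if not _B64_RE.match(current):
            return layers, None
        try:
            current = base64.b64decode(current)
        except (binascii.Error, ValueError):
            return layers, None
    return max_layers, None


def diagnose(value: bytes) -> str:
    """One-line verdict on how a certificate attribute value is encoded."""
    layers, der = peel_certificate(value)
    if der is None:
        return "no DER certificate found"
    if layers == 0:
        return "raw DER, %d bytes" % len(der)
    if layers == 1:
        return "base64 of DER (text starts with 'MII'), %d bytes of DER" % len(der)
    return ("base64 applied %d times: the value is over-encoded, %d bytes of DER "
            "inside" % (layers, len(der)))


# Constructed sample: a SEQUENCE with a long-form length (0x82), as every real
# certificate has, wrapping 300 filler bytes. It is not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(range(256)) + bytes(44)
SAMPLE_ONCE = base64.b64encode(SAMPLE_DER)      # starts with b"MIIB"
SAMPLE_TWICE = base64.b64encode(SAMPLE_ONCE)    # starts with b"TUlJ"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + SAMPLE_ONCE
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, sample in (("DER", SAMPLE_DER), ("once", SAMPLE_ONCE),
                          ("twice", SAMPLE_TWICE), ("PEM", SAMPLE_PEM)):
        print("%-5s %r... -> %s" % (label, sample[:8], diagnose(sample)))
```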



Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-10-17 Thread Timo Aaltonen
On 16.10.2016 08:00, Jochen Hein wrote:
> Timo Aaltonen  writes:
> 
>> On 15.10.2016 22:33, Jochen Hein wrote:
>>> Timo Aaltonen  writes:
>>>
>>>> Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
>>>
>>> Thanks for your work on packaging FreeIPA for Ubuntu (and Debian). I've
>>> just updated my laptop to Ubuntu 16.10, and now the freeipa packages are
>>> "orphaned", because these packages seem to be missing from yakkety. Is
>>> there a reason for this? I didn't see a bug report for it.
>>
>> Looks like it was due to a misunderstanding.. it got removed from Debian
>> first (because of new uploads getting blocked due to minified javascript
>> not being actual source), then added back and synced to yakkety, but
>> again removed from there for the same reason it got removed from Debian..
> 
> That's what I've feared.
> 
>> I'll check if it can be added back.
> 
> Thanks for looking into it.

The dropped binaries are back, you can find them from yakkety-updates.


-- 
t



Re: [Freeipa-users] Problems after install 3rd Party Certs

2016-10-17 Thread Joshua Ruybal
Forgot to add.

After some digging I saw the CA needed to be added to the nssdbs

I've added the CA cert to:

[root@ipa02 ipa02]# certutil -A -d /etc/pki/nssdb -n 'NewCA' -t CT,C,C -a
-i fullchain.pem
[root@ipa02 ipa02]# certutil -A -d /etc/httpd/alias -n 'NewCA' -t CT,C,C -a
-i fullchain.pem




On Mon, Oct 17, 2016 at 11:32 AM, Joshua Ruybal  wrote:

> Hi,
>
> We've recently tried to change our https web certs for our IPA servers
> following the instructions listed here: https://www.freeipa.org/
> page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> The web gui is successfully using https now, however we are having several
> other problems.
>
> Enrollment now fails for new hosts, and we're unable to install replicas.
>
> Specifically we're seeing this error: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.
>
> Any advice on this?
>
> ipa-server 3.0.0
> CentOS 6.7
>
> Thanks,
>
> --Josh
>



-- 


Joshua Ruybal | Systems Engineer
o: (866) 870-2295 x823  c: (206) 724-4549
e: jruy...@owneriq.com


  

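A check for the state both certificate threads above end up in (a service certificate missing from its NSS database, or a CA imported without the trust flags that make peers accept its issuer), as an added example rather than code from either post or from FreeIPA: it parses the listing that `certutil -L -d <dbdir>` prints and reports what is missing or untrusted. The listings are constructed, and the nicknames are assumptions.

```python
import re

# "certutil -L -d <dbdir>" prints a nickname column followed by a trust column
# with three comma-separated fields: SSL, S/MIME, JAR/XPI.
_HEADER_PREFIXES = ("Certificate Nickname", "SSL,S/MIME")
_TRUST_RE = re.compile(r"[pPcCTuw]*(,[pPcCTuw]*){2}")


def parse_certutil_listing(text: str) -> dict:
    """Map each nickname to its (ssl, smime, jar) trust-flag strings."""
    certs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(_HEADER_PREFIXES):
            continue
        parts = stripped.rsplit(None, 1)       # nicknames may contain spaces
        if len(parts) != 2 or not _TRUST_RE.fullmatch(parts[1]):
            continue                           # not a nickname/trust row
        nick, trust = parts
        certs[nick] = tuple(trust.split(","))
    return certs


def audit_nssdb(listing: str, server_nick: str = "Server-Cert", ca_nicks=()) -> list:
    """Findings to resolve before a service loads this NSS database;
    an empty list means the expected entries are present and trusted."""
    certs = parse_certutil_listing(listing)
    findings = []
    if server_nick not in certs:
        findings.append("nickname %r is missing: the service cannot load its "
                        "key pair" % server_nick)
    elif "u" not in certs[server_nick][0]:
        findings.append("%r has no private key here (SSL flags %r)"
                        % (server_nick, certs[server_nick][0]))
    for ca in ca_nicks:
        if ca not in certs:
            findings.append("CA %r is not in the database" % ca)
        elif "C" not in certs[ca][0]:
            findings.append("CA %r is not trusted to issue SSL server certs "
                            "(trust %r; a CA normally carries CT,C,C)"
                            % (ca, ",".join(certs[ca])))
    return findings


# Constructed listings in the layout certutil -L prints; not real output.
LISTING_OK = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
"""

LISTING_BROKEN = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

NewCA                                                        ,,
Old-Server-Cert                                              u,u,u
"""

if __name__ == "__main__":
    for name, listing, cas in (("ok", LISTING_OK, ["EXAMPLE.TEST IPA CA"]),
                               ("broken", LISTING_BROKEN, ["NewCA"])):
        print(name, audit_nssdb(listing, ca_nicks=cas) or "nothing to report")
```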

[Freeipa-users] Problems after install 3rd Party Certs

2016-10-17 Thread Joshua Ruybal
Hi,

We've recently tried to change our https web certs for our IPA servers
following the instructions listed here:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

The web gui is successfully using https now, however we are having several
other problems.

Enrollment now fails for new hosts, and we're unable to install replicas.

Specifically we're seeing this error: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.

Any advice on this?

ipa-server 3.0.0
CentOS 6.7

Thanks,

--Josh

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Alexander Bokovoy

On ma, 17 loka 2016, Brian Candler wrote:

On 17/10/2016 15:06, Alexander Bokovoy wrote:
Would there be any benefit the other way round - creating 
identities in S4 and using them to login to FreeIPA-joined *nix 
boxes? I guess the problem then is where posix attributes like uid 
and gid come from.

This works for Samba AD > 4.4. The code in Samba that supports forest
trust is a bit new (and was written by Red Hat's request) so depending
on what version you are using your experience will vary.

IPA supports different methods for mapping IDs, including algorithmic
ones. We default to algorithmic ID range if existing POSIX IDs aren't
found.

See ID MAPPING section in sssd-ad man page for details. You don't need
to configure anything in SSSD, though, because it is done automatically
based on the ID ranges in IPA.


OK, but let me just see if I can clarify. Given the following scenario:

SAMBA . . . . . . FREEIPA
  |                  |
 USER              SERVER

The server isn't joined directly to the Samba domain, but the manpage 
for sssd-ad says "This provider requires that the machine be joined to 
the AD domain".


So is it true that:

1. The server is not configured to use sssd-ad? Does it automatically 
use this module if, because of trust relationships, a user from the 
Samba domain logs into it? Would it need configuration, or does it 
pick up everything it needs from the DNS?

In case of an IPA client, SSSD is configured to use SSSD's 'ipa' provider.
The provider is more complex than sssd-ldap or sssd-ad; it derives a lot
of its own configuration from the content of the IPA LDAP server. In case of
a trust to AD, it dynamically derives configurations of 'subdomains' for the
IPA domain. These subdomains are driven by an 'sssd-ad'-like provider.

To cut it short, the same ID MAPPING mechanism is in use if the ID range in
IPA corresponding to the AD domain discovered via forest trust is set to
'Active Directory domain range'. See 'ipa help idrange' for more
details.

When you establish trust between AD and IPA, the ranges for AD domains
are created automatically. There is code that attempts to look up in
AD and understand whether POSIX attributes are stored there. In such a
case the ID range for the AD domains would be set to 'Active Directory
domain range with POSIX attributes'.



2. If I create the posix uids/gids as extra attributes in the Samba 
domain, the algorithmic ID mapping isn't required?

If you set ID range for corresponding AD domain in IPA to be
'ipa-ad-trust-posix' and make sure all users that need to logon to IPA
have POSIX attributes, then it should work.

I think most of this is described in the Windows Integration Guide for
RHEL7.
--
/ Alexander Bokovoy
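The two trust range types described above, modelled as an added example (not IPA or SSSD code): for an 'Active Directory domain range' the POSIX ID is computed here as the range's first ID plus the user's RID (a simplification of the real mapping), and for the variant with POSIX attributes it is read from AD and must fall inside the range, otherwise the user is not mapped. Range names, SIDs and sizes are constructed.

```python
from dataclasses import dataclass

# Range types as "ipa idrange" names them. The two trust types differ in
# where the POSIX ID comes from: computed from the SID, or stored in AD.
AD_TRUST = "ipa-ad-trust"              # "Active Directory domain range"
AD_TRUST_POSIX = "ipa-ad-trust-posix"  # "... with POSIX attributes"
LOCAL = "ipa-local"


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int          # "First Posix ID of the range"
    size: int             # "Number of IDs in the range"
    range_type: str
    domain_sid: str = ""  # "Domain SID of the trusted domain"; empty for local

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size


class IdMappingError(Exception):
    pass


def split_sid(user_sid: str):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID)."""
    domain, _, rid = user_sid.rpartition("-")
    if not domain.startswith("S-1-5-21-") or not rid.isdigit():
        raise IdMappingError("not a domain user SID: %r" % user_sid)
    return domain, int(rid)


def resolve_uid(user_sid: str, ranges, uid_number=None):
    """POSIX ID a client would derive for an AD user from the trust range(s)
    covering the user's domain. Returns (uid, range_name) or raises
    IdMappingError when the user cannot be mapped."""
    domain_sid, rid = split_sid(user_sid)
    candidates = [r for r in ranges if r.domain_sid == domain_sid]
    if not candidates:
        raise IdMappingError("no ID range for domain %s" % domain_sid)
    for rng in candidates:
        if rng.range_type == AD_TRUST:
            # Algorithmic mapping, simplified here to first ID plus RID
            # (an assumption of this example, see the lead-in).
            uid = rng.base_id + rid
            if rng.contains(uid):
                return uid, rng.name
        elif rng.range_type == AD_TRUST_POSIX:
            if uid_number is None:
                raise IdMappingError("%s needs uidNumber on the AD user entry" % rng.name)
            if rng.contains(uid_number):
                return uid_number, rng.name
        else:
            raise IdMappingError("%s is not a trust range" % rng.name)
    raise IdMappingError("RID %d / uidNumber %r falls outside %s"
                         % (rid, uid_number, ", ".join(r.name for r in candidates)))


def explain(user_sid: str, ranges, uid_number=None) -> str:
    """Result or reason for failure as one line, for use at a prompt."""
    try:
        uid, name = resolve_uid(user_sid, ranges, uid_number)
        return "uid=%d via %s" % (uid, name)
    except IdMappingError as exc:
        return "unmapped: %s" % exc


# Constructed ranges in the shape "ipa idrange-find" prints; names, SIDs
# and sizes are made up.
RANGES = [
    IdRange("AD.EXAMPLE.TEST_id_range", 200000000, 200000, AD_TRUST, "S-1-5-21-11-22-33"),
    IdRange("POSIX.EXAMPLE.TEST_id_range", 10000, 20000, AD_TRUST_POSIX, "S-1-5-21-44-55-66"),
    IdRange("IPA.EXAMPLE.TEST_id_range", 93000, 200000, LOCAL),
]

if __name__ == "__main__":
    print(explain("S-1-5-21-11-22-33-1105", RANGES))
    print(explain("S-1-5-21-44-55-66-1105", RANGES, uid_number=15000))
    print(explain("S-1-5-21-44-55-66-1105", RANGES, uid_number=50000))
    print(explain("S-1-5-21-44-55-66-1105", RANGES))
```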



Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler

On 17/10/2016 15:06, Alexander Bokovoy wrote:
Would there be any benefit the other way round - creating identities 
in S4 and using them to login to FreeIPA-joined *nix boxes? I guess 
the problem then is where posix attributes like uid and gid come from.

This works for Samba AD > 4.4. The code in Samba that supports forest
trust is a bit new (and was written by Red Hat's request) so depending
on what version you are using your experience will vary.

IPA supports different methods for mapping IDs, including algorithmic
ones. We default to algorithmic ID range if existing POSIX IDs aren't
found.

See ID MAPPING section in sssd-ad man page for details. You don't need
to configure anything in SSSD, though, because it is done automatically
based on the ID ranges in IPA. 


OK, but let me just see if I can clarify. Given the following scenario:

SAMBA . . . . . . FREEIPA
  |                  |
 USER              SERVER

The server isn't joined directly to the Samba domain, but the manpage 
for sssd-ad says "This provider requires that the machine be joined to 
the AD domain".


So is it true that:

1. The server is not configured to use sssd-ad? Does it automatically 
use this module if, because of trust relationships, a user from the 
Samba domain logs into it? Would it need configuration, or does it pick 
up everything it needs from the DNS?


2. If I create the posix uids/gids as extra attributes in the Samba 
domain, the algorithmic ID mapping isn't required?


Thanks,

Brian.


Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler

On 17/10/2016 11:14, Alexander Bokovoy wrote:

We are not yet at the point you could use IPA-hosted identities to login
to Windows machines joined to AD, though, regardless which AD
implementation it is.

That's very helpful, thank you. So basically it means that for the time 
being, our admins will need two identities (one in each realm) and there 
is not much benefit in setting up cross-realm trust.


Would there be any benefit the other way round - creating identities in 
S4 and using them to login to FreeIPA-joined *nix boxes? I guess the 
problem then is where posix attributes like uid and gid come from.


Regards,

Brian.



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Brian Candler

On 17/10/2016 14:56, freeipa-users-requ...@redhat.com wrote:

But now I have to create an ACI for this user to read the uid,
passwd, mail, mailAlternateAddress...

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have an ACI like
access to attribute= 

Has anyone a hint or link to understand this problem?


I found this guide very helpful, specifically for allowing access to a 
NT password hash attribute for doing wireless authentication.


http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html

They are doing it the correct way here: by creating a service principal 
for the RADIUS server, which it uses to get a kerberos ticket and 
authenticate itself to the directory.  But you could also use similar 
steps to apply those permissions to a regular user.


And the related guide if you're interested:

http://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html

Regards,

Brian.



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Martin Babinsky

On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:

Hello Martin and List

Thanks for the answer and help.

I mean my big problem is to understand the way to configure an ACI :-(.

I can't find any example or docs to configure this correctly :-(.

I mean this is a problem for the professional league in FreeIPA, and I am not a
professional :-(..

 I make this, for all LDAP configured apps

ipa group-add systemers  --nonposix  #group

 ipa pwpolicy-add systemers --maxlife=2 --minclasses=3 --priority=0
#forever-passwords

 ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos=""
--shell=/usr/sbin/nologin --email="" --random #user

This user (ldapbind) is only in group systemers

But now I have to create an ACI for this user to read the uid,
passwd, mail, mailAlternateAddress...

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have an ACI like
access to attribute= 

Has anyone a hint or link to understand this problem?

Thanks for an answer and help,


On Monday, 17 October 2016, 07:35:26, Martin Babinsky wrote:

On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:

Hello,

IPA 4.3.1

I have a big problem with my LDAP read user (ldapbind). I'd like to install
dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin
for this, but now I can't read this attribute :-(.

Is this the current way to implement a System Account

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old :-(.

Thanks for an answer,


Hi Gunther,

that LDIF looks ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.




See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you 
can use LDIF like this (untested, hopefully I got it right from the top 
of my head):


"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
 (version 3.0; acl "Allow system account to read mail address"; allow(read,
  search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
save it to file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to cn=users subtree. The ACI then applies to all entries 
in the subtree.


--
Martin^3 Babinsky
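An added parser and audit for the ACI syntax used in the reply above (not code from the post, from FreeIPA or from 389 DS): it splits one aci value into its targets, name, permissions and bind rules, then flags grants to everyone, grants with no targetattr restriction, and targetattr lists that expose password material. The first sample is the ACI from the reply with its closing quote repaired; the other two are constructed so that the audit has something to flag.

```python
import re
from dataclasses import dataclass, field

# Shape of a 389 DS / FreeIPA ACI: quoted target clauses, then
# (version 3.0; acl "name"; allow|deny(perms) bindrule; ...)
_TARGET_RE = re.compile(
    r'\((targetfilter|targetscope|targetattr|target)\s*(!?=)\s*"([^"]*)"\)')
_BODY_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.S)
_BIND_RE = re.compile(
    r'(userdn|groupdn|roledn|userattr|authmethod|ip|dns)\s*(!?=)\s*"([^"]*)"')

# Attributes whose exposure deserves a second look, and bind values that
# mean "everybody".
SENSITIVE_ATTRS = {"userpassword", "krbprincipalkey", "ipanthash"}
EVERYONE = {"ldap:///anyone", "ldap:///all"}


@dataclass
class Rule:
    kind: str            # "allow" or "deny"
    permissions: set     # lower-cased, e.g. {"read", "search", "compare"}
    bind_rules: list     # [(keyword, operator, value), ...]


@dataclass
class Aci:
    name: str
    targets: dict        # target keyword -> value, "=" clauses only
    rules: list = field(default_factory=list)


def parse_aci(text: str) -> Aci:
    """Split one aci attribute value into its targets, name and rules."""
    targets = {kw: value for kw, op, value in _TARGET_RE.findall(text) if op == "="}
    body = _BODY_RE.search(text)
    if body is None:
        raise ValueError("no (version 3.0; acl ...) body found")
    name, rules_text = body.groups()
    aci = Aci(name=name, targets=targets)
    for kind, perms, bind in _RULE_RE.findall(rules_text):
        permissions = {p.strip().lower() for p in perms.split(",") if p.strip()}
        aci.rules.append(Rule(kind, permissions, _BIND_RE.findall(bind)))
    return aci


def audit_aci(aci: Aci) -> list:
    """Findings about over-broad grants; an empty list means nothing flagged."""
    findings = []
    # A missing targetattr means the ACI applies to every attribute.
    attrs = {a.strip().lower() for a in aci.targets.get("targetattr", "*").split("||")}
    for rule in aci.rules:
        if rule.kind != "allow":
            continue
        perms = ",".join(sorted(rule.permissions))
        everyone = [v for kw, op, v in rule.bind_rules
                    if kw == "userdn" and op == "=" and v.lower() in EVERYONE]
        if everyone:
            findings.append("'%s' granted to %s" % (perms, everyone[0]))
        if "*" in attrs:
            findings.append("'%s' applies to every attribute (targetattr is '*' "
                            "or absent), password attributes included" % perms)
        exposed = attrs & SENSITIVE_ATTRS
        if exposed:
            findings.append("'%s' touches sensitive attribute(s): %s"
                            % (perms, ", ".join(sorted(exposed))))
    return findings


# The ACI from the reply above, with its quoting fixed, and two constructed
# ACIs that an audit should flag.
SYSACCOUNT_ACI = ('(targetattr="mailAlternateAddress")'
                  '(targetfilter="(objectClass=mailrecipient)")'
                  '(version 3.0; acl "Allow system account to read mail address"; '
                  'allow(read, search, compare) userdn = '
                  '"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)')
BROAD_ACI = ('(targetattr="*")(version 3.0; acl "constructed: too broad"; '
             'allow(all) userdn = "ldap:///anyone";)')
HASH_ACI = ('(targetattr="userPassword || uid")(version 3.0; '
            'acl "constructed: exposes hashes"; allow(read, search, compare) '
            'userdn = "ldap:///uid=ldapbind,cn=sysaccounts,cn=etc,dc=example,dc=com";)')

if __name__ == "__main__":
    for text in (SYSACCOUNT_ACI, BROAD_ACI, HASH_ACI):
        aci = parse_aci(text)
        print(aci.name, "->", audit_aci(aci) or "nothing flagged")
```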



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Günther J . Niederwimmer
Hello Martin and List

Thanks for the answer and help.

I mean my big problem is to understand the way to configure an ACI :-(.

I can't find any example or docs to configure this correctly :-(.

I mean this is a problem for the professional league in FreeIPA, and I am not a 
professional :-(..

 I make this, for all LDAP configured apps

ipa group-add systemers  --nonposix  #group

 ipa pwpolicy-add systemers --maxlife=2 --minclasses=3 --priority=0 
#forever-passwords

 ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos="" 
--shell=/usr/sbin/nologin --email="" --random #user

This user (ldapbind) is only in group systemers

But now I have to create an ACI for this user to read the uid, 
passwd, mail, mailAlternateAddress...

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have an ACI like
access to attribute= 

Has anyone a hint or link to understand this problem?

Thanks for an answer and help,

 
On Monday, 17 October 2016, 07:35:26, Martin Babinsky wrote:
> On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > IPA 4.3.1
> > 
> > I have a big problem with my LDAP read user (ldapbind). I'd like to install
> > dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin
> > for this, but now I can't read this attribute :-(.
> > 
> > Is this the current way to implement a System Account
> > 
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> > 
> > ^D
> > 
> > https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> > 
> > The IPA docs have no time stamp to find out whether this is current or old :-(.
> > 
> > Thanks for an answer,
> 
> Hi Gunther,
> 
> that LDIF looks ok to me.
> 
> Do not forget that you must set up the correct ACIs in order for the
> system account to see the 'mailAlternateAddress' attribute.

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Unable to resolve AD users from IPA client

2016-10-17 Thread Jakub Hrozek
On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi, 
> please can you help me with troubleshooting IPA clients in IPA - AD trust 
> scenario ? We have two IPA servers and couple of clients running on RHEl 6 
> and 7. IPA is running on RHEL 7.2. 
> AD servers are in domains example.cz, cen.example.cz. Test users sits in 
> cen.example.cz. IPA is subdomain of AD - vs.example.cz. 
> Trust is set as one-way trust. User's POSIX attributes are stored in AD. 
> 
> ipa idrange-find 
>  
> 3 ranges matched 
>  
> Range name: CEN.EXAMPLE.CZ 
> First Posix ID of the range: 9880 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330 
> Range type: Active Directory trust range with POSIX attributes 
> 
> Range name: EXAMPLE.CZ_id_range 
> First Posix ID of the range: 6880 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330 
> Range type: Active Directory trust range with POSIX attributes 
> 
> Range name: VS.EXAMPLE.CZ_id_range 
> First Posix ID of the range: 93000 
> Number of IDs in the range: 20 
> First RID of the corresponding RID range: 1000 
> First RID of the secondary RID range: 1 
> Range type: local domain range 
>  
> Number of entries returned 3 
>  
> 
> I have no problem to resolve AD users from both IPA server: 
> 
> IPA Server: 
> root#:id tst99...@cen.example.cz 
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) - this is correct 
> 
> but from IPA client: 
> root#:id tst99...@cen.example.cz 
> id: tst99...@cen.example.cz: no such user 
> 
> ==> sssd_vs.example.cz.log <== 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] 
> (0x0200): Got request for [0x1001][1][name=tst99654] 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] 
> (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust 
> View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
> set 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
> (0x0400): Executing extended operation 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
> (0x0400): ldap_extended_operation result: Success(0), (null). 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
> (0x0400): No such entry 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
> (0x0400): No such entry 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
> (0x0400): Executing extended operation 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
> (0x0040): ldap_extended_operation result: No such object(32), (null). 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] 
> (0x0100): Request processed. Returned 0,0,Success (Success) 
> 
> All IPA clients have the same result - No such user. On the other hand 
> kerberos works fine - I can do kinit with AD users both on IPA servers and 
> clients. All IPA clients use the same DNS server as IPA servers. 
> 
> 
> On IPA server, I can see that it is able to find test user in AD. Log is 
> captured during IPA client request for id: 
> 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0][dc=cen,dc=example,dc=cz].
>  
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] 
> 

Re: [Freeipa-users] Unable to resolve AD users from IPA client

2016-10-17 Thread Sumit Bose
On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi, 
> please can you help me with troubleshooting IPA clients in IPA - AD trust 
> scenario ? We have two IPA servers and couple of clients running on RHEl 6 
> and 7. IPA is running on RHEL 7.2. 
> AD servers are in domains example.cz, cen.example.cz. Test users sits in 
> cen.example.cz. IPA is subdomain of AD - vs.example.cz. 
> Trust is set as one-way trust. User's POSIX attributes are stored in AD. 
> 
> ipa idrange-find 
>  
> 3 ranges matched 
>  
> Range name: CEN.EXAMPLE.CZ 
> First Posix ID of the range: 9880 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330 
> Range type: Active Directory trust range with POSIX attributes 
> 
> Range name: EXAMPLE.CZ_id_range 
> First Posix ID of the range: 6880 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330 
> Range type: Active Directory trust range with POSIX attributes 
> 
> Range name: VS.EXAMPLE.CZ_id_range 
> First Posix ID of the range: 93000 
> Number of IDs in the range: 20 
> First RID of the corresponding RID range: 1000 
> First RID of the secondary RID range: 1 
> Range type: local domain range 
>  
> Number of entries returned 3 
>  
> 
> I have no problem to resolve AD users from both IPA server: 
> 
> IPA Server: 
> root#:id tst99...@cen.example.cz 
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) - this is correct 

Can you send your sssd.conf from the server? I wonder why the AD groups
are returned with a short name 'csunix' while the user is returned with
the full name (tst99...@cen.example.cz).

bye,
Sumit

> 
> but from IPA client: 
> root#:id tst99...@cen.example.cz 
> id: tst99...@cen.example.cz: no such user 
> 
> ==> sssd_vs.example.cz.log <== 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] 
> (0x0200): Got request for [0x1001][1][name=tst99654] 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] 
> (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust 
> View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
> set 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
> (0x0400): Executing extended operation 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
> (0x0400): ldap_extended_operation result: Success(0), (null). 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
> (0x0400): No such entry 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
> (0x0400): No such entry 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
> (0x0400): Executing extended operation 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
> (0x0040): ldap_extended_operation result: No such object(32), (null). 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] 
> (0x0100): Request processed. Returned 0,0,Success (Success) 
> 
> All IPA clients have the same result - No such user. On the other hand 
> Kerberos works fine - I can do kinit with AD users both on IPA servers and 
> clients. All IPA clients use the same DNS server as the IPA servers. 
> 
> 
> On the IPA server, I can see that it is able to find the test user in AD. The log is 
> captured during the IPA client request for id: 
> 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0][dc=cen,dc=example,dc=cz].
>  
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
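The `ipa idrange-find` output quoted above declares, for each trusted domain, the POSIX ID window IPA expects that domain's users and groups to occupy. A check worth running before digging into SSSD logs is whether the uid and gids that `id` returns actually fall inside a configured range. The following is an added example, not code from the poster or from FreeIPA: it parses the command's output and reports which range (if any) covers each ID, and flags overlapping ranges. The sample output is constructed in the command's format with made-up ID numbers; only the domain SIDs are the ones shown in the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of `ipa idrange-find`. The ID numbers are
# made up for this example; the domain SIDs are the ones shown in the thread.
SAMPLE_OUTPUT = """\
----------------
3 ranges matched
----------------
  Range name: CEN.EXAMPLE.CZ_id_range
  First Posix ID of the range: 200000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
  Range type: Active Directory trust range with POSIX attributes

  Range name: EXAMPLE.CZ_id_range
  First Posix ID of the range: 600000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
  Range type: Active Directory trust range with POSIX attributes

  Range name: VS.EXAMPLE.CZ_id_range
  First Posix ID of the range: 93000
  Number of IDs in the range: 50000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100001000
  Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------
"""


@dataclass
class IdRange:
    name: str
    base_id: int
    size: int
    range_type: str
    domain_sid: Optional[str] = None  # None for the local IPA domain range

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id <= self.last_id


def parse_idrange_find(text: str) -> List[IdRange]:
    """Turn the 'Key: value' blocks of `ipa idrange-find` into IdRange objects.
    Blocks are separated by blank lines; rule lines and summary lines are skipped."""
    ranges: List[IdRange] = []
    block: Dict[str, str] = {}

    def flush() -> None:
        if "Range name" in block:
            ranges.append(IdRange(
                name=block["Range name"],
                base_id=int(block["First Posix ID of the range"]),
                size=int(block["Number of IDs in the range"]),
                range_type=block["Range type"],
                domain_sid=block.get("Domain SID of the trusted domain"),
            ))
        block.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            flush()
            continue
        if line.startswith("-") or ": " not in line:
            continue  # separator rules, "N ranges matched", "Number of entries returned N"
        key, _, value = line.partition(": ")
        block[key] = value
    flush()
    return ranges


def covering_range(ranges: List[IdRange], posix_id: int) -> Optional[IdRange]:
    for r in ranges:
        if r.contains(posix_id):
            return r
    return None


def locate_ids(ranges: List[IdRange], posix_ids: List[int]) -> Dict[int, Optional[str]]:
    """Map each POSIX ID to the name of the range covering it, or None if no range does."""
    result: Dict[int, Optional[str]] = {}
    for pid in posix_ids:
        hit = covering_range(ranges, pid)
        result[pid] = hit.name if hit else None
    return result


def overlapping(ranges: List[IdRange]) -> List[Tuple[str, str]]:
    """Pairs of ranges whose ID windows intersect; IPA should never allow this."""
    pairs = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.base_id <= b.last_id and b.base_id <= a.last_id:
                pairs.append((a.name, b.name))
    return pairs


if __name__ == "__main__":
    ranges = parse_idrange_find(SAMPLE_OUTPUT)
    # IDs as `id` might print them for a trusted user: uid, primary gid, one IPA group.
    for pid, name in locate_ids(ranges, [250000, 5001, 93008]).items():
        print(f"{pid}: {name or 'NOT COVERED BY ANY RANGE'}")
    print("overlaps:", overlapping(ranges))
```

An ID that no range covers is not resolvable through the trust, whatever the rest of the lookup does, so that is the first thing to rule out; the same parser works on the real output, which differs from the sample only in the numbers.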

[Freeipa-users] Unable to resolve AD users from IPA client

2016-10-17 Thread Jan Karásek
Hi, 
please can you help me with troubleshooting IPA clients in an IPA - AD trust 
scenario? We have two IPA servers and a couple of clients running on RHEL 6 and 
7. IPA is running on RHEL 7.2. 
AD servers are in the domains example.cz and cen.example.cz. Test users sit in 
cen.example.cz. IPA is a subdomain of AD - vs.example.cz. 
Trust is set as a one-way trust. Users' POSIX attributes are stored in AD. 

ipa idrange-find 
 
3 ranges matched 
 
Range name: CEN.EXAMPLE.CZ 
First Posix ID of the range: 9880 
Number of IDs in the range: 20 
Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330 
Range type: Active Directory trust range with POSIX attributes 

Range name: EXAMPLE.CZ_id_range 
First Posix ID of the range: 6880 
Number of IDs in the range: 20 
Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330 
Range type: Active Directory trust range with POSIX attributes 

Range name: VS.EXAMPLE.CZ_id_range 
First Posix ID of the range: 93000 
Number of IDs in the range: 20 
First RID of the corresponding RID range: 1000 
First RID of the secondary RID range: 1 
Range type: local domain range 
 
Number of entries returned 3 
 

I have no problem resolving AD users from both IPA servers: 

IPA Server: 
root#:id tst99...@cen.example.cz 
uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
groups=5001(csunix),93008(final_test_group) - this is correct 

but from IPA client: 
root#:id tst99...@cen.example.cz 
id: tst99...@cen.example.cz: no such user 

==> sssd_vs.example.cz.log <== 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] 
(0x0200): Got request for [0x1001][1][name=tst99654] 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] 
(0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
[(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust 
View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
set 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
(0x0400): Executing extended operation 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
(0x0400): ldap_extended_operation result: Success(0), (null). 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
(0x0400): No such entry 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
(0x0400): No such entry 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
(0x0400): Executing extended operation 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
(0x0040): ldap_extended_operation result: No such object(32), (null). 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] 
(0x0040): s2n exop request failed. 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] 
(0x0040): s2n get_fqlist request failed. 
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] 
(0x0100): Request processed. Returned 0,0,Success (Success) 

All IPA clients have the same result - No such user. On the other hand Kerberos 
works fine - I can do kinit with AD users both on IPA servers and clients. All 
IPA clients use the same DNS server as the IPA servers. 


On the IPA server, I can see that it is able to find the test user in AD. The log is 
captured during the IPA client request for id: 

(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
[(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0][dc=cen,dc=example,dc=cz].
 
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] 
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] 
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword] 
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] 
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] 
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] 
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory] 
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] 
(Mon Oct 
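The client-side log above tells the story in three records: the request is re-routed to the trusted domain, the first S2N extended operation succeeds, and the second one comes back with LDAP result 32 (No such object) before `ipa_s2n_get_fqlist_next` reports the failure. Reading that by eye works once; the following is an added example (not the poster's or SSSD's code) that parses SSSD backend log records and summarises a trusted-user lookup: the name asked for, the domain the request was routed to, the result code of every extended operation, and every record logged at a failure level. The sample log is constructed from the records quoted in the thread, rejoined to one record per line as SSSD writes them.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed sample: the records quoted in the thread, one record per line.
SAMPLE_LOG = """\
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz].
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
"""

# One SSSD backend record:  (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>.+?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"Got request for \[0x[0-9a-f]+\]\[\d+\]\[name=(?P<name>[^\]]+)\]")
DOMAIN_RE = re.compile(r"Changing request domain from \[(?P<src>[^\]]+)\] to \[(?P<dst>[^\]]+)\]")
EXOP_RE = re.compile(r"ldap_extended_operation result: (?P<name>.+?)\((?P<code>\d+)\)")

# SSSD's debug-level bitmask: 0x0010..0x0080 are the failure classes,
# 0x0100 and above are configuration, data and trace output.
FAILURE_LEVEL_MAX = 0x0080


@dataclass
class Record:
    ts: str
    proc: str
    func: str
    level: int
    msg: str


def parse_sssd_log(text: str) -> List[Record]:
    """Parse whole records; wrapped continuation lines (as in a mail quote) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(Record(m["ts"], m["proc"], m["func"], int(m["level"], 16), m["msg"]))
    return records


def triage_s2n(text: str) -> Dict[str, Any]:
    """Summarise one trusted-user lookup as seen from the IPA client's backend log."""
    summary: Dict[str, Any] = {
        "requested_name": None,   # name from be_get_account_info
        "request_domain": None,   # domain the request was re-routed to
        "exop_results": [],       # (result name, LDAP result code) per S2N exop
        "failures": [],           # records logged at a failure level
    }
    for r in parse_sssd_log(text):
        m = REQUEST_RE.search(r.msg)
        if m:
            summary["requested_name"] = m["name"]
        m = DOMAIN_RE.search(r.msg)
        if m:
            summary["request_domain"] = m["dst"]
        if r.func == "ipa_s2n_exop_done":
            m = EXOP_RE.search(r.msg)
            if m:
                summary["exop_results"].append((m["name"], int(m["code"])))
        if r.level <= FAILURE_LEVEL_MAX:
            summary["failures"].append(f"{r.func}: {r.msg}")
    summary["lookup_failed"] = any(code != 0 for _, code in summary["exop_results"])
    return summary


if __name__ == "__main__":
    for key, value in triage_s2n(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real `sssd_<domain>.log`, the `exop_results` list shows whether the client's request to the IPA server succeeded at all, and `request_domain` confirms the name was routed to the trusted domain rather than looked up locally; both are cheaper to check than reading the trace output record by record.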

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
Thank you ! This is at last crystal clear for me !
Thank you also for the VPN/tunneling suggestion, I'll look into it.



On Mon, Oct 17, 2016 at 12:12 PM, Alexander Bokovoy 
wrote:

> On ma, 17 loka 2016, Karl Forner wrote:
>
>> On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy
>> wrote:
>>
>>> On ma, 17 loka 2016, Karl Forner wrote:
>>>
>>>> Thanks Alexander, unfortunately I could only find outdated documentation.
>>>> I just realized that my question is not precise enough.
>>>>
>>> The documentation I linked is the up-to-date one.
>>>
>> Yes I know. I was explaining...
>>
>>>> From your answer, I understand that during the replica setup process,
>>>> all I need (because I do not use RHEL) is an SSH port between the master
>>>> and the replica.
>>>>
>>> You did not read carefully what I quoted. The SSH port is in addition to the
>>> ports required to be open for a normal IPA master.
>>>
>> I did read.  I wrote "between the master and the replica". Each server has
>> its own set of open ports in its own network, used by its clients.
>>
> IPA replica is a client of IPA master, there isn't much difference,
> except where Kerberos tickets are obtained from, as each master/replica
> hosts its own KDC with exactly the same keys, so they are able to 'short cut' it
> here.  However, the rest stands.
>
>> What I want to know is what ports are used by the replication process, i.e.
>> what ports must I open on my firewall to enable the replication.
>>
> Exactly the same ports as specified in the documentation.
>
>> Maybe all the ports are used for that purpose, but this is not, unless
>> mistaken, clearly stated in the documentation.
>>
> You are mistaken and the mistake most likely comes from your idea that
> somehow IPA master/replica are different from other IPA clients. They
> are not, they are IPA clients themselves. Replication exchange is built
> on the LDAP protocol.
>
>> In that case, this may be a security problem opening that many ports in the
>> firewall.
>>
> Nothing prevents you from organizing a proper VPN or other types of
> tunneling
> between the networks.
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Alexander Bokovoy

On ma, 17 loka 2016, Brian Candler wrote:
> Sorry if this is a frequently asked question, but it's not easy to
> find a simple answer.
>
> * Can I use FreeIPA (v4) as a domain controller for Windows machines
> to join?
No.

> * If not, what's the recommended free/open solution? Would it be to
> set up a Samba4 domain controller, and then set up cross-realm trust
> between FreeIPA and Samba4?
Yes.

We are not yet at the point you could use IPA-hosted identities to log in
to Windows machines joined to AD, though, regardless of which AD
implementation it is.

> (That is: assuming I want central AAA for both Linux boxes and Windows
> boxes)
>
> Things I found:
>
> * http://www.freeipa.org/page/About
>
> ... but it only mentions FreeIPA v2 and v3
>
> * https://sambaxp.org/archive_data/SambaXP2016-SLIDES/thu/track2/sambaxp2016-thu-track2-Alexander_Bokovoy-Andreas_Schneider-SambaAndFreeIPAAnUpdateOnActiveDirectoryIntegration.pdf
>
> ... report on work-in-progress. It does say:
>
> " FreeIPA Domain Controller is unlike Samba AD → Windows cannot be
> joined to FreeIPA".  But it's not clear if this is an eventual goal,
> or whether it's likely to remain this way.
The eventual goal is to allow IPA-hosted identities to be used to log in to
Windows machines joined to Samba AD.

--
/ Alexander Bokovoy


Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Alexander Bokovoy

On ma, 17 loka 2016, Karl Forner wrote:
> On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy
> wrote:
>
>> On ma, 17 loka 2016, Karl Forner wrote:
>>
>>> Thanks Alexander, unfortunately I could only find outdated documentation.
>>> I just realized that my question is not precise enough.
>>>
>> The documentation I linked is the up-to-date one.
>>
> Yes I know. I was explaining...
>
>>> From your answer, I understand that during the replica setup process,
>>> all I need (because I do not use RHEL) is an SSH port between the master
>>> and the replica.
>>>
>> You did not read carefully what I quoted. The SSH port is in addition to the
>> ports required to be open for a normal IPA master.
>>
> I did read.  I wrote "between the master and the replica". Each server has
> its own set of open ports in its own network, used by its clients.
>
IPA replica is a client of IPA master, there isn't much difference,
except where Kerberos tickets are obtained from, as each master/replica
hosts its own KDC with exactly the same keys, so they are able to 'short cut' it
here.  However, the rest stands.

> What I want to know is what ports are used by the replication process, i.e.
> what ports must I open on my firewall to enable the replication.
>
Exactly the same ports as specified in the documentation.

> Maybe all the ports are used for that purpose, but this is not, unless
> mistaken, clearly stated in the documentation.
>
You are mistaken and the mistake most likely comes from your idea that
somehow IPA master/replica are different from other IPA clients. They
are not, they are IPA clients themselves. Replication exchange is built
on the LDAP protocol.

> In that case, this may be a security problem opening that many ports in the
> firewall.
>
Nothing prevents you from organizing a proper VPN or other types of tunneling
between the networks.

--
/ Alexander Bokovoy



[Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler
Sorry if this is a frequently asked question, but it's not easy to find 
a simple answer.


* Can I use FreeIPA (v4) as a domain controller for Windows machines to 
join?


* If not, what's the recommended free/open solution? Would it be to set 
up a Samba4 domain controller, and then set up cross-realm trust between 
FreeIPA and Samba4?


(That is: assuming I want central AAA for both Linux boxes and Windows 
boxes)


Things I found:

* http://www.freeipa.org/page/About

... but it only mentions FreeIPA v2 and v3

* 
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/thu/track2/sambaxp2016-thu-track2-Alexander_Bokovoy-Andreas_Schneider-SambaAndFreeIPAAnUpdateOnActiveDirectoryIntegration.pdf


... report on work-in-progress. It does say:

" FreeIPA Domain Controller is unlike Samba AD → Windows cannot be 
joined to FreeIPA".  But it's not clear if this is an eventual goal, or 
whether it's likely to remain this way.


I guess keeping a lot of MS-specific nonsense out of FreeIPA is a good 
thing :-)


Thanks,

Brian.



Re: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0

2016-10-17 Thread Lukas Slebodnik
On (13/10/16 08:15), Deepak Dimri wrote:
>
>Hi Alexander,
>
>I have tried it on ubuntu 16.04 as well but no luck either.  Getting the same 
>error:
>
>
>sudo apt-get install freeipa-server
>
>Reading package lists... Done
>
>Building dependency tree
>
>Reading state information... Done
>
>E: Unable to locate package freeipa-server
>
>any other ideas? I don't find any good response to this issue either..
>
freeipa-server is only in xenial (16.04 + universe)
http://packages.ubuntu.com/xenial/freeipa-server

LS



Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy 
wrote:

> On ma, 17 loka 2016, Karl Forner wrote:
>
>> Thanks Alexander, unfortunately I could only find outdated documentation.
>> I just realized that my question is not precise enough.
>>
> The documentation I linked is the up-to-date one.
>

Yes I know. I was explaining...


>
>
>> From your answer, I understand that during the replica setup process,
>> all I need (because I do not use RHEL) is an SSH port between the master
>> and the replica.
>>
> You did not read carefully what I quoted. The SSH port is in addition to the
> ports required to be open for a normal IPA master.
>

I did read.  I wrote "between the master and the replica". Each server has
its own set of open ports in its own network, used by its clients.
What I want to know is what ports are used by the replication process, i.e.
what ports must I open on my firewall to enable the replication.
Maybe all the ports are used for that purpose, but this is not, unless
mistaken, clearly stated in the documentation.
In that case, this may be a security problem opening that many ports in the
firewall.

Thanks for your patience.
Karl

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Alexander Bokovoy

On ma, 17 loka 2016, Karl Forner wrote:
> Thanks Alexander, unfortunately I could only find outdated documentation.
> I just realized that my question is not precise enough.
>
The documentation I linked is the up-to-date one.

> Suppose I have a master running in its LAN, with all required ports open.
> Now I want to set up a replica running in a Docker container on an AWS EC2 instance.
>
It does not matter.

> From your answer, I understand that during the replica setup process,
> all I need (because I do not use RHEL) is an SSH port between the master
> and the replica.
>
You did not read carefully what I quoted. The SSH port is in addition to the
ports required to be open for a normal IPA master.

Just follow the documentation.

> What about the after-setup replica synchronization?
> Does it also only use SSH?
>
No, it does not. Please read the documentation, it has all the details,
really.

--
/ Alexander Bokovoy



Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
Thanks Alexander, unfortunately I could only find outdated documentation.
I just realized that my question is not precise enough.

Suppose I have a master running in its LAN, with all required ports open.
Now I want to set up a replica running in a Docker container on an AWS EC2 instance.

From your answer, I understand that during the replica setup process, all I
need (because I do not use RHEL) is an SSH port between the master and the
replica.
What about the after-setup replica synchronization? Does it also only use
SSH?

Regards,
Karl


On Wed, Oct 12, 2016 at 7:25 PM, Alexander Bokovoy 
wrote:

> On ke, 12 loka 2016, Karl Forner wrote:
>
>> Hello,
>>
>> A very simple question, but I could not find the answer. I'd like to set up
>> a replica on another network than my master. Is it possible to set up the
>> replication using only https, or must other ports be available?
>>
> This is all documented, did you read the guide?
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/prepping-replica.html
>
> 
> The replica requires additional ports to be open
>In addition to the standard IdM server port requirements described
> in Section 2.1.4, “Port Requirements”, make sure the following port
> requirements are complied as well:
>
>During the replica setup process, keep the TCP port 22 open.
> This port is required in order to use SSH to connect to the master
> server.
>If one of the servers is running Red Hat Enterprise Linux 6 and
> has a CA installed, keep also TCP port 7389 open during and after the
> replica configuration. In a purely Red Hat Enterprise Linux 7
> environment, port 7389 is not required. 
>
> Section 2.1.4:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/installing-ipa.html#prereq-ports
>
> --
> / Alexander Bokovoy
>
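The quoted documentation gives the replica-specific requirements (TCP 22 to the master while the replica is being set up, TCP 7389 during and after setup only when a RHEL 6 server with a CA is involved) on top of the standard IdM server ports it refers to but does not list here. A check a practitioner would run from the replica host before starting the replica installation is to build the port list for the scenario and probe each TCP port on the master, so that a firewall gap shows up as a "blocked" line rather than as a half-finished install. The following is an added example, not code from this thread, the documentation or FreeIPA: the standard port list is taken from the FreeIPA port-requirements documentation and is an assumption of this example, and `master.example.test` is a placeholder host name.

```python
import socket
from typing import Dict, List, Tuple

Port = Tuple[int, str]  # (port number, "tcp" or "udp")

# Standard IPA server ports, assumed here from the FreeIPA port-requirements
# documentation (the "Section 2.1.4" list the quoted text refers to).
STANDARD_PORTS: List[Port] = [
    (80, "tcp"), (443, "tcp"),    # HTTP/HTTPS: web UI, API and CA
    (389, "tcp"), (636, "tcp"),   # LDAP/LDAPS: directory access and replication
    (88, "tcp"), (88, "udp"),     # Kerberos
    (464, "tcp"), (464, "udp"),   # Kerberos password change
    (123, "udp"),                 # NTP
]


def required_ports(during_setup: bool, rhel6_ca_involved: bool, dns: bool = False) -> List[Port]:
    """Ports the replica needs on the master for the given scenario."""
    ports = list(STANDARD_PORTS)
    if dns:
        ports += [(53, "tcp"), (53, "udp")]   # only when IPA also serves DNS
    if during_setup:
        ports.append((22, "tcp"))             # SSH to the master, setup time only
    if rhel6_ca_involved:
        ports.append((7389, "tcp"))           # CA replication with a RHEL 6 server
    return ports


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable or unresolvable
        return False


def check_master(host: str, during_setup: bool, rhel6_ca_involved: bool,
                 dns: bool = False) -> Dict[Port, str]:
    """Probe every TCP port on the master. UDP ports are listed but a connect()
    probe cannot verify them, so they are reported as 'unverified'."""
    results: Dict[Port, str] = {}
    for port, proto in required_ports(during_setup, rhel6_ca_involved, dns):
        if proto == "tcp":
            results[(port, proto)] = "open" if tcp_reachable(host, port) else "blocked"
        else:
            results[(port, proto)] = "unverified"
    return results


def demo_against_local_listener() -> Tuple[bool, bool]:
    """Offline demonstration of the probe: open a loopback listener on an
    ephemeral port, probe it, close it, probe again. Returns (before, after)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    before = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    after = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return before, after


if __name__ == "__main__":
    # Placeholder host: replace with the master's name when running for real.
    for (port, proto), state in check_master("master.example.test",
                                             during_setup=True,
                                             rhel6_ca_involved=False).items():
        print(f"{proto}/{port}: {state}")
```

Because a replica is an ordinary IPA client that additionally replicates over LDAP, the same probe with `during_setup=False` is the list to keep open permanently; only TCP 22 (and 7389 in the RHEL 6 CA case) changes between the two runs.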

Re: [Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-17 Thread Martin Kosek
On 10/14/2016 03:29 PM, Coy Hile wrote:
> 
> 
> Will there be builds in a COPR for RHEL/CentOS 7?

I would recommend waiting for RHEL-7.3, which should be released soon enough.
RHEL-7.3 contains an IdM/FreeIPA version that is very close to the upstream version
4.4.2.

Martin
