[Freeipa-users] Certmonger (or similar) for FreeBSD?

2016-10-21 Thread Gilbert Wilson
We have a lot of FreeBSD systems for which I would like to streamline certificate 
issuance and renewal. Ideally, we could leverage our FreeIPA system's CA to do 
this. But certmonger doesn't run on FreeBSD (or does it?). What other means 
have other people tried, or would you recommend investigating, to enable 
automated certificate issuance and renewal for FreeBSD FreeIPA clients?

Any pointers are appreciated!

Gil

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] cannot ssh in (sss_ssh_authorizedkeys returned status 1) ??

2016-10-21 Thread lejeczek



On 21/10/16 14:11, Sumit Bose wrote:

On Fri, Oct 21, 2016 at 01:55:19PM +0100, lejeczek wrote:

hi all

I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB
(ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64).
I realize that assuming version differences cause it is a bit silly, but
nothing changed except an update of boxB's IPA a day before the problem occurred.
Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so
boxB == boxC IPA-wise) which does ssh in fine.
The other way around, boxB to boxA, ssh works.
Logs are pretty quiet; I merely see:

error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status
1

and I'm not sure that appears at the time of the login attempt.
I do:
boxA$ ssh boxB
Connection closed by UNKNOWN

ps. boxA is not banned nor blocked by any tcp/ip means.

many! thanks for any help

Which version of SSSD is running? Do you have user certificates stored
in IPA? In this case you might hit


All three boxes run sssd-1.13.0-40.el7_2.12.x86_64

but there is something weird going on with boxA 
(ipa-server-4.2.0-15.sl7_2.19.x86_64):
for a while after IPA starts all seems ok, but later, 
actually quite soon:


$ ipa dnszone-find
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified 
GSS failure.  Minor code may provide more information', 
851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/


and I realize dirsrv "crashes" earlier:

 slapd_ldap_sasl_interactive_bind - Error: could not 
perform interactive bind for id [] mech [GSSAPI]: LDAP error 
49 (Invalid credentials) (SASL(-13): authentication failure: 
GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
 slapi_ldap_bind - Error: could not perform interactive 
bind for id [] authentication mechanism [GSSAPI]: error 49 
(Invalid credentials)
 slapd_ldap_sasl_interactive_bind - Error: could not 
perform interactive bind for id [] mech [GSSAPI]: LDAP error 
49 (Invalid credentials) (SASL(-13): authentication failure: 
GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
 slapi_ldap_bind - Error: could not perform interactive 
bind for id [] authentication mechanism [GSSAPI]: error 49 
(Invalid credentials)
 NSMMReplicationPlugin - 
agmt="cn=meTodzien.private..xxx.private.xxx.xx.xx" 
(dzien:389): Replication bind with GSSAPI auth failed: LDAP 
error 49 (Invalid credentials) (SASL(-13): authentication 
failure: GSSAPI Failure: gss_accept_sec_context)
 NSMMReplicationPlugin - CleanAllRUV Task (rid 38): Replica 
not online 
(agmt="cn=meTodzien.private..xxx.private.xxx.xx.xx" 
(dzien:389))
 NSMMReplicationPlugin - CleanAllRUV Task (rid 38): Not all 
replicas online, retrying in 20 seconds...


which is that boxB (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64),
but I can query that boxB from boxA manually:

$ ldapsearch -LLL -D "cn=directory manager" -b cn=config -p 389 -h boxB -W
= results OK.


what's wrong with boxA?



https://bugzilla.redhat.com/show_bug.cgi?id=1372042
https://fedorahosted.org/sssd/ticket/2977

If there are no updates with a fix available you might want to set

 ldap_user_certificate = noSuchSttribute

in the [domain/...] section of sssd.conf to tell SSSD to not read the
certificates from the server. As an alternative you can add all CA
certificates needed to validate the user certificates properly to
/etc/pki/nssdb.

HTH

bye,
Sumit


L.





Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Günther J . Niederwimmer
Hello,

many, many thanks, this was the problem ;-)

now I have

modifying entry "cn=users,cn=accounts,dc=example,dc=com"
:-)))

So now I hope I can configure my dovecot server and the mailAlternateAddress is 
found!

Thanks again.

On Friday, 21 October 2016, 16:21:35, Ludwig Krispenz wrote:
> On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > Thanks for the answer,
> > 
> >> On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> >> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List,
> >>> 
> >>> Pardon me, but something is wrong with the ldif I have:
> > dn: cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > add: aci
> > aci:
> > (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
> > (version
> > 3.0; acl "Allow system account to read mail address"; allow(read,
> > search, compare) userdn =
> > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> > """
> > 
> > but what is wrong ?
> 
> the value for the aci attribute spans multiple lines.  In a ldif file a
> continuation line has to start with a space. Try
> 
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
>  (version
>  3.0; acl "Allow system account to read mail address"; allow(read,
>  search, compare) userdn =
>  "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> 
> >>> I have searched and read for days now, but this FreeIPA / LDAP problem
> >>> is at too high a level for me :-(.
> >>> 
> >>> Please help again..
> >>> 
> >>> Thanks for an answer
> >>> 
> >>> On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
>  On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> > Hello Martin and List
> > 
> > Thanks for the answer and Help.
> > 
> > I mean my big problem is to understand the way to configure an ACI :-(.
> >>> 
> >>> # ldapmodify -x -D 'cn=Directory Manager' -W
> >>> 
> >>>dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >>>changetype: add
> >>>objectclass: account
> >>>objectclass: simplesecurityobject
> >>>uid: system
> >>>userPassword: secret123
> >>>passwordExpirationTime: 20380119031407Z
> >>>nsIdleTimeout: 0
> >>>
> >>> 
> >>> ^D
> >>> 
> >>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>> 
> >>> The IPA docs have no timestamp to find out whether this is current or old
> >>> :-(.
> >>> 
> >>> Thanks for a answer,
> >> 
> >> Hi Gunther,
> >> 
> >> that LDIF look ok to me.
> >> 
> >> Do not forget that you must set up the correct ACIs in order for the
> >> system account to see the 'mailAlternateAddress' attribute.
>  
>  See the following document for a step-by-step guide on how to write
>  ACIs:
>  
>  https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>  
>  To allow the system account read access to your custom attributes, you
>  can use LDIF like this (untested, hopefully I got it right from the top
>  of my head):
>  
>  """
>  dn: cn=users,cn=accounts,dc=example,dc=com
>  changetype: modify
>  add: aci
>  aci:
>  (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address";
>  allow(read,
>  search, compare) userdn =
>  "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>  """
>  save it to file and then call
>  
>  ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>  
>  to add this ACI to cn=users subtree. The ACI then applies to all
>  entries
>  in the subtree.

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Promote CA-less replica

2016-10-21 Thread James Harrison
Hello all,
That is really good to know. Thank you for helping me out with this.
James

  From: Rob Crittenden 
 To: "jamesaharriso...@yahoo.co.uk" ; Martin 
Babinsky ; "freeipa-users@redhat.com" 
 
 Sent: Friday, 21 October 2016, 14:18
 Subject: Re: [Freeipa-users] Promote CA-less replica
   
James Harrison wrote:
> Hi,
> Thanks again.
>
> Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba
> compilation choice stopping AD trusts from working (samba isn't using
> MIT kerberos).  We're now using CentOS 7.2.
>
> While we know the CentOS version will operate correctly, we only get to
> use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for
> CentOS?

Not until RHEL 7.3 is released and rebuilt for CentOS.

rob

>
> Best regards
> James Harrison
> 
> *From:* Rob Crittenden 
> *To:* James Harrison ; Martin Babinsky
> ; "freeipa-users@redhat.com"
> 
> *Sent:* Wednesday, 19 October 2016, 14:28
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> James Harrison wrote:
>  > Hi,
>  > Martin thanks for your quick response. Based on your comments. I have
>  > further questions.
>  >
>  >  >> equal peers and can be considered masters
>  >
>  > 1. If there any urgency for us to recreate a "master" server to perform
>  > any "master" type functions? How do we re-attach "replicas" to this new
>  > "master"?
>
> Like he said, all IPA servers are equal (some are just more equal than
> others). If you truly have a CA-less system then the only thing that
> distinguishes one master from another is the presence of the DNS
> service. From below it looks like you install DNS on all which makes
> them all masters.
>
> You can manage the replication topology using ipa-replica-manage.
>
>  >
>  >  >> As long as the others have valid CA and server certs
>  > 2. This is the install script we are using on the "replicas"
>  >
>  > ipa-replica-install \
>  >      --setup-dns --ssh-trust-dns --no-dnssec-validation \
>  >      -p x \
>  >      --admin-password=xxx \
>  >      --ip-address=replica_ip  \
>  >      --no-forwarders \
>  >      -U --mkhomedir --log-file=freeipa_log_file $1
>  >
>  > 3. The $1 is the cert generated from the "master".  If there's no
>  > distinction between a "master" and a "replica" in a CA-less environment,
>  > can a "replica" run the ipa-replica-prepare script once
>  > ipa-replica-install has been successfully run?
>
> I think you mean $1 is the replica file generated from some master.
> Seeing how you generate that would tell us whether you are truly in a
> CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to
> ipa-replica-prepare).
>
> To answer your question, yes. In a CA-less environment any master can
> generate a prepare file.
>
> You can add/remove connections using ipa-replica-manage. The initial
> connection is between the master that generated the prepare file and the
> host it was installed on.
>
> rob
>
>
>  >
>  > Thank you for any help.
>  > Best regards,
>  > James Harrison
>  >
>  > 
>  > *From:* Martin Babinsky 
>  > *To:* freeipa-users@redhat.com 
>  > *Sent:* Wednesday, 19 October 2016, 11:01
>  > *Subject:* Re: [Freeipa-users] Promote CA-less replica
>  >
>  > On 10/19/2016 11:35 AM, James Harrison wrote:
>  >
>  > Hi James,
>  >
>  >  > Hi,
>  >  > We're using FreeIPA on Ubuntu Xenial. We lost the Master server.
>  >  >
>  >  > I have some questions:
>  >  > 1. Does DNS replicate among other replicas if we change/add DNS records?
>  >  > If not can this behaviour be changed?
>  > IPA-integrated DNS stores records in the replicated LDAP subtree so any
>  > added/removed DNS record will replicate to other IPA DNS servers.
>  >
>  >  > 2. How do we promote a replica to become a master? We have not
>  >  > configured our servers to become a CA. Our CA is Comodo and we have
>  >  > configured FreeIPA to use a certificate, key and interim certificates
>  >  > from Comodo. using the options:
>  >  >
>  >  > --http_pkcs12=
>  >  > --http_pin=
>  >  > --dirsrv_pkcs12=...
>  >  > --dirsrv_pin=
>  >  >
>  >  > Hope someone can help. Quite urgent.
>  >  >
>  > The terms FreeIPA master/replica are quite arbitrary as all replicas are
>  > equal peers and can be considered masters. The only notion of 'master'
>  > is when you use a Dogtag CA (then one of the CA replicas is designated a
>  > renewal master and does renew certificates in the topology and one is
>  > CRL master generating certificate revocation lists) and/or DNSSec (then
>  > one of DNS replica is designated a key master generating zone signing
>  > keys and other DNS replicas pull these keys).
> 

Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Ludwig Krispenz


On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:

Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:

On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:

Hello Martin and List,

Pardon me, but something is wrong with the ldif I have:

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry:
"cn=users,cn=accounts,dc=4gjn,dc=com"

dn: cn=users,cn=accounts,dc=4gjn,dc=com

this is in the ldif ?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

but what is wrong ?
the value for the aci attribute spans multiple lines. In an LDIF file a 
continuation line has to start with a space. Try


dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
 (version
 3.0; acl "Allow system account to read mail address"; allow(read,
 search, compare) userdn =
 "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)


  

I have searched and read for days now, but this FreeIPA / LDAP problem is at
too high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:

On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:

Hello Martin and List

Thanks for the answer and Help.

I mean my big problem is to understand the way to configure an ACI :-(.

# ldapmodify -x -D 'cn=Directory Manager' -W

   dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
   changetype: add
   objectclass: account
   objectclass: simplesecurityobject
   uid: system
   userPassword: secret123
   passwordExpirationTime: 20380119031407Z
   nsIdleTimeout: 0
   

^D


https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no timestamp to find out whether this is current or old
:-(.

Thanks for a answer,

Hi Gunther,

that LDIF look ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.

See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address";
allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
save it to file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to cn=users subtree. The ACI then applies to all entries
in the subtree.


--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Rich Megginson

On 10/21/2016 08:05 AM, Günther J. Niederwimmer wrote:

Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:

On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:

Hello Martin and List,

Pardon me, but something is wrong with the ldif I have:

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry:
"cn=users,cn=accounts,dc=4gjn,dc=com"

dn: cn=users,cn=accounts,dc=4gjn,dc=com

this is in the ldif ?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

but what is wrong ?


Sorry, I don't know, I thought it was complaining about the DN line format.


I have searched and read for days now, but this FreeIPA / LDAP problem is at
too high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:

On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:

Hello Martin and List

Thanks for the answer and Help.

I mean my big problem is to understand the way to configure an ACI :-(.

# ldapmodify -x -D 'cn=Directory Manager' -W

   dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
   changetype: add
   objectclass: account
   objectclass: simplesecurityobject
   uid: system
   userPassword: secret123
   passwordExpirationTime: 20380119031407Z
   nsIdleTimeout: 0
   

^D


https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no timestamp to find out whether this is current or old
:-(.

Thanks for a answer,

Hi Gunther,

that LDIF look ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.

See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address";
allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
save it to file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to cn=users subtree. The ACI then applies to all entries
in the subtree.





Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Günther J . Niederwimmer
Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > Hello Martin and List,
> > 
> > Pardon me, but something is wrong with the ldif I have:
> > 
> > ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> > Enter LDAP Password:
> > ldapmodify: invalid format (line 5) entry:
> > "cn=users,cn=accounts,dc=4gjn,dc=com"
> 
> dn: cn=users,cn=accounts,dc=4gjn,dc=com

this is in the ldif ?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

but what is wrong ?
 
> > I have searched and read for days now, but this FreeIPA / LDAP problem is at
> > too high a level for me :-(.
> > 
> > Please help again..
> > 
> > Thanks for an answer
> > 
> > On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> >> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List
> >>> 
> >>> Thanks for the answer and Help.
> >>> 
> >>> I mean my big problem is to understand the way to configure an ACI :-(.
> > 
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > 
> >   dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >   changetype: add
> >   objectclass: account
> >   objectclass: simplesecurityobject
> >   uid: system
> >   userPassword: secret123
> >   passwordExpirationTime: 20380119031407Z
> >   nsIdleTimeout: 0
> >   
> > 
> > ^D
> > 
> > https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> > 
> > The IPA docs have no timestamp to find out whether this is current or old
> > :-(.
> > 
> > Thanks for a answer,
>  
>  Hi Gunther,
>  
>  that LDIF look ok to me.
>  
>  Do not forget that you must set up the correct ACIs in order for the
>  system account to see the 'mailAlternateAddress' attribute.
> >> 
> >> See the following document for a step-by-step guide on how to write ACIs:
> >> 
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >> 
> >> To allow the system account read access to your custom attributes, you
> >> can use LDIF like this (untested, hopefully I got it right from the top
> >> of my head):
> >> 
> >> """
> >> dn: cn=users,cn=accounts,dc=example,dc=com
> >> changetype: modify
> >> add: aci
> >> aci:
> >> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address";
> >> allow(read,
> >> search, compare) userdn =
> >> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> >> """
> >> save it to file and then call
> >> 
> >> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >> 
> >> to add this ACI to cn=users subtree. The ACI then applies to all entries
> >> in the subtree.

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Rich Megginson

On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:

Hello Martin and List,

Pardon me, but something is wrong with the ldif I have:

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry:
"cn=users,cn=accounts,dc=4gjn,dc=com"


dn: cn=users,cn=accounts,dc=4gjn,dc=com



I have searched and read for days now, but this FreeIPA / LDAP problem is at too
high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:

On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:

Hello Martin and List

Thanks for the answer and Help.

I mean my big problem is to understand the way to configure an ACI :-(.

# ldapmodify -x -D 'cn=Directory Manager' -W
  dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
  changetype: add
  objectclass: account
  objectclass: simplesecurityobject
  uid: system
  userPassword: secret123
  passwordExpirationTime: 20380119031407Z
  nsIdleTimeout: 0
  
^D


https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no timestamp to find out whether this is current or old :-(.

Thanks for a answer,

Hi Gunther,

that LDIF look ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.

See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address";
allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
save it to file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to cn=users subtree. The ACI then applies to all entries
in the subtree.



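Two things in this thread are easy to get wrong by hand: Ludwig's point that an LDIF value spanning several lines must be folded with a single leading space on every continuation line (RFC 2849), and Martin's ACI, which should grant the system account nothing beyond read, search and compare on mailAlternateAddress. The script below is an added example, not code from the thread or from FreeIPA/389-ds. It folds and unfolds LDIF the way ldapmodify expects, reproduces the "invalid format (line 5)" failure on the unfolded shape, and parses the resulting ACI to check it is least-privilege. The sample LDIF strings, the ACI grammar subset it accepts, and the ValueError used to model ldapmodify's error are constructed assumptions for illustration.

```python
# Added example (not code from the thread or from FreeIPA/389-ds).
# Folds/unfolds LDIF per RFC 2849 and checks the thread's ACI. Assumptions:
# ldapmodify's "invalid format (line N)" is modelled as a ValueError, and
# parse_aci() handles only the ACI subset used in the thread.
import re

WRAP = 76  # RFC 2849 recommends wrapping physical lines at 76 characters
READ_ONLY = {"read", "search", "compare"}
# A logical line starts 'name:', 'name::' (base64) or 'name:<' (URL);
# attribute options after ';' are permitted in the name.
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*:")
ACI = re.compile(
    r'^\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)'
    r'(?:\s*\(targetfilter\s*=\s*"(?P<targetfilter>[^"]*)"\))?'
    r'\s*\(version\s*3\.0\s*;\s*acl\s*"(?P<name>[^"]*)"\s*;'
    r'\s*(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)'
    r'\s*userdn\s*=\s*"(?P<userdn>[^"]*)"\s*;\s*\)$')

def fold_ldif(logical_lines, width=WRAP):
    """Render logical lines as physical ones; each continuation line starts
    with exactly one space, which unfold_ldif() strips again."""
    physical = []
    for line in logical_lines:
        physical.append(line[:width])
        rest = line[width:]
        while rest:
            physical.append(" " + rest[:width - 1])
            rest = rest[width - 1:]
    return "\n".join(physical) + "\n"

def unfold_ldif(text):
    """Inverse of fold_ldif(). A line that neither starts with a space nor
    looks like 'name: value', '-', a comment or a blank separator is rejected
    with its physical line number, as ldapmodify does."""
    logical = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" "):
            if not logical:
                raise ValueError(f"invalid format (line {n}): stray continuation")
            logical[-1] += raw[1:]
        elif raw in ("", "-") or raw.startswith("#") or ATTR_LINE.match(raw):
            logical.append(raw)
        else:
            raise ValueError(f"invalid format (line {n}): {raw!r}")
    return logical

def attr_values(logical_lines, name):
    """Plain (non-base64) values of attribute `name` from unfolded lines."""
    prefix = name.lower() + ":"
    return [line[len(prefix):].strip() for line in logical_lines
            if line.lower().startswith(prefix)
            and not line[len(prefix):].startswith(":")]

def parse_aci(value):
    """Split one 389-ds ACI string into target, rights and bind rule."""
    m = ACI.match(value.strip())
    if not m:
        raise ValueError("unsupported ACI syntax")
    aci = m.groupdict()
    aci["targetattr"] = {a.strip() for a in aci["targetattr"].split("||")}
    aci["rights"] = {r.strip() for r in aci["rights"].split(",")}
    return aci

def aci_is_least_privilege(aci, expected_attrs, expected_userdn):
    """True only if the ACI allows no more than read/search/compare on the
    expected attributes to the expected bind DN."""
    return (aci["effect"] == "allow" and aci["targetattr"] == set(expected_attrs)
            and aci["rights"] <= READ_ONLY and aci["userdn"] == expected_userdn)

def check_ldif(text):
    """('ok', [parsed ACIs]) for a well-formed file, else ('error', message)."""
    try:
        return "ok", [parse_aci(v) for v in attr_values(unfold_ldif(text), "aci")]
    except ValueError as exc:
        return "error", str(exc)

# Constructed sample data mirroring the thread's ACI.
SYSTEM_DN = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com"
ACI_VALUE = ('(targetattr="mailAlternateAddress")'
             '(targetfilter="(objectClass=mailrecipient)")'
             '(version 3.0; acl "Allow system account to read mail address"; '
             f'allow(read, search, compare) userdn = "{SYSTEM_DN}";)')
# Correct form: the long aci value folded with leading-space continuations.
GOOD_LDIF = fold_ldif(["dn: cn=users,cn=accounts,dc=example,dc=com",
                       "changetype: modify", "add: aci", "aci: " + ACI_VALUE])
# The shape that failed in the thread: the value continues on a bare line.
BAD_LDIF = ("dn: cn=users,cn=accounts,dc=example,dc=com\n"
            "changetype: modify\nadd: aci\naci:\n" + ACI_VALUE + "\n")

if __name__ == "__main__":
    print(GOOD_LDIF)
    print(check_ldif(GOOD_LDIF)[0], check_ldif(BAD_LDIF))
```

Running the script prints the folded LDIF that ldapmodify will accept, then "ok" for it and the "invalid format (line 5)" error for the unfolded shape, which is the line Günther's ldapmodify complained about. The least-privilege check is the part worth keeping around: an ACI that says allow(all), or one whose targetattr is "*", parses just as happily but would let the Dovecot system account modify user entries rather than only read one attribute.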


Re: [Freeipa-users] cannot ssh in (sss_ssh_authorizedkeys returned status 1) ??

2016-10-21 Thread Sumit Bose
On Fri, Oct 21, 2016 at 01:55:19PM +0100, lejeczek wrote:
> hi all
> 
> I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB
> (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64).
> I realize that assuming version differences cause it is a bit silly, but
> nothing changed except an update of boxB's IPA a day before the problem occurred.
> Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so
> boxB == boxC IPA-wise) which does ssh in fine.
> The other way around, boxB to boxA, ssh works.
> Logs are pretty quiet; I merely see:
> 
> error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status
> 1
> 
> and I'm not sure that appears at the time of the login attempt.
> I do:
> boxA$ ssh boxB
> Connection closed by UNKNOWN
> 
> ps. boxA is not banned nor blocked by any tcp/ip means.
> 
> many! thanks for any help

Which version of SSSD is running? Do you have user certificates stored
in IPA? In this case you might hit
https://bugzilla.redhat.com/show_bug.cgi?id=1372042
https://fedorahosted.org/sssd/ticket/2977

If there are no updates with a fix available you might want to set

ldap_user_certificate = noSuchSttribute

in the [domain/...] section of sssd.conf to tell SSSD to not read the
certificates from the server. As an alternative you can add all CA
certificates needed to validate the user certificates properly to
/etc/pki/nssdb.

HTH

bye,
Sumit

> L.
> 



Re: [Freeipa-users] Promote CA-less replica

2016-10-21 Thread Rob Crittenden

James Harrison wrote:

Hi,
Thanks again.

Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba
compilation choice stopping AD trusts from working (samba isn't using
MIT kerberos).  We're now using CentOS 7.2.

While we know the CentOS version will operate correctly, we only get to
use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for
CentOS?


Not until RHEL 7.3 is released and rebuilt for CentOS.

rob



Best regards
James Harrison

*From:* Rob Crittenden 
*To:* James Harrison ; Martin Babinsky
; "freeipa-users@redhat.com"

*Sent:* Wednesday, 19 October 2016, 14:28
*Subject:* Re: [Freeipa-users] Promote CA-less replica

James Harrison wrote:
 > Hi,
 > Martin thanks for your quick response. Based on your comments. I have
 > further questions.
 >
 >  >> equal peers and can be considered masters
 >
 > 1. If there any urgency for us to recreate a "master" server to perform
 > any "master" type functions? How do we re-attach "replicas" to this new
 > "master"?

Like he said, all IPA servers are equal (some are just more equal than
others). If you truly have a CA-less system then the only thing that
distinguishes one master from another is the presence of the DNS
service. From below it looks like you install DNS on all which makes
them all masters.

You can manage the replication topology using ipa-replica-manage.

 >
 >  >> As long as the others have valid CA and server certs
 > 2. This is the install script we are using on the "replicas"
 >
 > ipa-replica-install \
 >  --setup-dns --ssh-trust-dns --no-dnssec-validation \
 >  -p x \
 >  --admin-password=xxx \
 >  --ip-address=replica_ip  \
 >  --no-forwarders \
 >  -U --mkhomedir --log-file=freeipa_log_file $1
 >
 > 3. The $1 is the cert generated from the "master".  If there's no
 > distinction between a "master" and a "replica" in a CA-less environment,
 > can a "replica" run the ipa-replica-prepare script once
 > ipa-replica-install has been successfully run?

I think you mean $1 is the replica file generated from some master.
Seeing how you generate that would tell us whether you are truly in a
CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to
ipa-replica-prepare).

To answer your question, yes. In a CA-less environment any master can
generate a prepare file.

You can add/remove connections using ipa-replica-manage. The initial
connection is between the master that generated the prepare file and the
host it was installed on.

rob


 >
 > Thank you for any help.
 > Best regards,
 > James Harrison
 >
 > 
 > *From:* Martin Babinsky 
 > *To:* freeipa-users@redhat.com 
 > *Sent:* Wednesday, 19 October 2016, 11:01
 > *Subject:* Re: [Freeipa-users] Promote CA-less replica
 >
 > On 10/19/2016 11:35 AM, James Harrison wrote:
 >
 > Hi James,
 >
 >  > Hi,
 >  >  > We're using FreeIPA on Ubuntu Xenial. We lost the Master server.
 >  >
 >  > I have some questions:
 >  >  > 1. Does DNS replicate among other replicas if we change/add DNS records?
 >  > If not can this behaviour be changed?
 >  > IPA-integrated DNS stores records in the replicated LDAP subtree so any
 > added/removed DNS record will replicate to other IPA DNS servers.
 >
 >  > 2. How do we promote a replica to become a master? We have not
 >  > configured our servers to become a CA. Our CA is Comodo and we have
 >  > configured FreeIPA to use a certificate, key and interim certificates
 >  > from Comodo. using the options:
 >  >
 >  > --http_pkcs12=
 >  > --http_pin=
 >  > --dirsrv_pkcs12=...
 >  > --dirsrv_pin=
 >  >
 >  > Hope someone can help. Quite urgent.
 >  >
 > The terms FreeIPA master/replica are quite arbitrary as all replicas are
 > equal peers and can be considered masters. The only notion of 'master'
 > is when you use a Dogtag CA (then one of the CA replicas is designated a
 > renewal master and does renew certificates in the topology and one is
 > CRL master generating certificate revocation lists) and/or DNSSec (then
 > one of DNS replica is designated a key master generating zone signing
 > keys and other DNS replicas pull these keys).
 >
 > As you are using CA-less replicas then there should be no loss in the
 > fact that the one designated 'master' is down (unless it was e.g. the
 > only DNS server). As long as the others have valid CA and server certs
 > they should be working just fine.
 >
 >
 >
 > You can just install a new replica in place of the master by generating a
 > replica file on another replica and supplying the required certificates
 > through options.
 >
 >
 >  > Regards,
 >  > James Harrison
 >
 >  >
 >  >
 >
 >
 > --
 > Martin^3 Babinsky
 >
 > --
 > Manage your subscription for the Freeipa-users mailing list:
 > 

[Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-21 Thread Brian Candler
Question: when a password expires, does it remain in a usable state in 
the database indefinitely? For example, if someone comes along a year 
after their password has expired, can they still login once with that 
password?


This is actually what I want, but I just want to confirm there's not 
some sort of secondary threshold which means that an expired password is 
not usable X days after it has expired.  Or, if there is such a 
secondary threshold, where I can find it.


The scenario is a RADIUS server for wifi which reads NTLM password 
hashes out of the database to authenticate - this continues to work 
after expiry. However I want users to be able to do a self-reset later 
if and when they want to.


Thanks,

Brian.



[Freeipa-users] cannot ssh in (sss_ssh_authorizedkeys returned status 1) ??

2016-10-21 Thread lejeczek

hi all

I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB
(ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64).
I realize that assuming version differences cause it is a bit silly, but
nothing changed except an update of boxB's IPA a day before the problem
occurred.
Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so
boxB == boxC IPA-wise) which does ssh in fine.

Other way around, boxB to boxA ssh works.
Logs are pretty quiet, I merely see:

error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys 
returned status 1


and that I'm not sure appears at the time of login attempt.
I do:
boxA$ ssh boxB
Connection closed by UNKNOWN

ps. boxA is neither banned nor blocked by any tcp/ip means.

many! thanks for any help
L.



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Günther J . Niederwimmer
Hello Martin and List,

Pardon me, but something is wrong with the LDIF I

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password: 
ldapmodify: invalid format (line 5) entry: 
"cn=users,cn=accounts,dc=4gjn,dc=com"

I have searched and read for days now, but this FreeIPA / LDAP problem is at
too high a level for me :-(.

Please help again.

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> > Hello Martin and List
> > 
> > Thanks for the answer and Help.
> > 
> > I mean my big problem is to understand the way to configure an ACI :-(.

# ldapmodify -x -D 'cn=Directory Manager' -W
 dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
 changetype: add
 objectclass: account
 objectclass: simplesecurityobject
 uid: system
 userPassword: secret123
 passwordExpirationTime: 20380119031407Z
 nsIdleTimeout: 0
 
^D

> >>> 
> >>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>> 
> >>> The IPA Docs have no time stamp to find out whether this is current or old :-(.
> >>> 
> >>> Thanks for a answer,
> >> 
> >> Hi Gunther,
> >> 
> >> that LDIF looks ok to me.
> >> 
> >> Do not forget that you must set up the correct ACIs in order for the
> >> system account to see the 'mailAlternateAddress' attribute.
> 
> See the following document for a step-by-step guide on how to write ACIs:
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> 
> To allow the system account read access to your custom attributes, you
> can use LDIF like this (untested, hopefully I got it right from the top
> of my head):
> 
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> """
> save it to file and then call
> 
> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> 
> to add this ACI to cn=users subtree. The ACI then applies to all entries
> in the subtree.

-- 
Kind regards / best regards,

  Günther J. Niederwimmer

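The "invalid format (line 5)" error above is what ldapmodify reports when a long `aci:` value has been wrapped by a mail client without the single leading space that LDIF (RFC 2849) requires on continuation lines. The following is an added example, not code from the thread or from FreeIPA: it builds the ACI Martin describes for the example.com DNs, folds it into valid LDIF, and runs a first-pass check that flags the wrapped copy at line 5.

```python
# Added example (not from the thread): build the ACI described above and
# emit it as LDIF that ldapmodify accepts. LDIF continues a long value on
# the next line only when that line starts with one space.

def build_aci(targetattr, objectclass, acl_name, rights, bind_dn):
    """389-ds/IPA ACI granting `rights` on one attribute to one bind DN."""
    return (f'(targetattr="{targetattr}")'
            f'(targetfilter="(objectClass={objectclass})")'
            f'(version 3.0; acl "{acl_name}"; allow({",".join(rights)}) '
            f'userdn = "ldap:///{bind_dn}";)')

def fold_ldif_line(line, width=76):
    """Fold a logical LDIF line; continuation lines start with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def aci_modify_ldif(subtree_dn, aci):
    """Complete 'changetype: modify / add: aci' LDIF for ldapmodify -f."""
    lines = [f"dn: {subtree_dn}", "changetype: modify", "add: aci"]
    lines += fold_ldif_line(f"aci: {aci}")
    return "\n".join(lines) + "\n"

def unfold_ldif(text):
    """Join continuation lines back into the logical lines a parser sees."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical

def check_ldif(text):
    """First-pass lint: a non-continuation line with no ':' is a broken wrap."""
    return [f"invalid format (line {n})"
            for n, raw in enumerate(text.splitlines(), 1)
            if raw and not raw.startswith(" ") and ":" not in raw]

# Constructed sample: the thread's LDIF as a mail client wrapped it.
BROKEN_LDIF = """dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
)")(version 3.0; acl "Allow system account to read mail address";
allow(read, search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
```

`check_ldif(BROKEN_LDIF)` reports line 5 first, matching the ldapmodify error in the thread; `aci_modify_ldif(...)` produces a version that passes the check and unfolds back to a single `aci:` line.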


[Freeipa-users] questions regarding OTP tokens

2016-10-21 Thread Gábor Varga

Hello,

I have a couple of questions regarding the OTP tokens:

1. Can I limit the number of active tokens a regular user can have at a 
given time? If yes, then how?


2. Can I forbid regular users from generating OTP tokens? (they should only 
have a token assigned by an administrator)


3. Other than editing the python class inside 
/usr/lib/python2.7/dist-packages/ipalib/plugins/otptoken.pyc how can I 
set the default algorithm for the newly generated OTP tokens? I would 
like to disable SHA-1 and only enable at least SHA-256.


4. How can I set the default lifetime for a new OTP token other than via the 
aforementioned python class?


5. How can I prevent a regular user from modifying the properties of 
his/her OTP token? (The validity period for example.)


Thanks!

--
Gábor VARGA
Systems Engineer
__

Zalaszám Informatika Kft.
8900 Zalaegerszeg, Mártírok útja 53.
Telefon: 36-92-502-500
Fax: 36-92-502-501
e-mail: varga.ga...@zalaszam.hu
web: www.zalaszam.hu 

[Freeipa-users] Setting "preserve" as default action when deleting in webUI

2016-10-21 Thread Sébastien Julliot
Hi everyone,


In order to prevent administrators from making mistakes that could have
silly consequences, I would like to set "preserve" as the default selected
action in freeipa's webui.

What do you think would be the best way to achieve this?


Thank you in advance,

Sebastien Julliot.



[Freeipa-users] Replica or no replica

2016-10-21 Thread Gabriel Batir
Hello

After I lost the entire IPA infrastructure (due to admin error :( ) I
recreated the one server that I had an ipa backup for and restored the
backup.

The first problem I had was the replication agreements with the now missing
servers.
I used ipa-replica-manage del --force --clean  for all
the replicas. It did not work without --force.

So now I have this:

ipa --version
VERSION: 4.3.1, API_VERSION: 2.164

root@de-fra-irx08-ldap01  ~#ipa-replica-manage list
de-fra-irx08-ldap01.ipa.XX: master

root@de-fra-irx08-ldap01  ~# ipa-replica-manage list-ruv
de-fra-irx08-ldap01.ipa.XX:389: 8

root@de-fra-irx08-ldap01  ~# ipa-csreplica-manage list
Directory Manager password:

de-fra-irx08-ldap01.ipa.XX: master

But I still get this in the error log:
NSMMReplicationPlugin - agmt="cn=masterAgreement1-ro-buh-nx02-ldap01.ipa.XX-pki-tomcat"
(ro-buh-nx02-ldap01:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()


root@de-fra-irx08-ldap01  ~# ldapsearch -D "cn=Directory Manager" -W -LLL
-x -b "cn=replica,cn=dc\3Dipa\2Cdc\3DXX,cn=mapping tree,cn=config"
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dipa\2Cdc\3DXX,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN:
krbprincipalname=ldap/ro-buh-nx02-ldap01.ipa.XX@IPA.B
IGSTEP,cn=services,cn=accounts,dc=ipa,dc=XX
nsDS5ReplicaBindDN:
krbprincipalname=ldap/uk-rdg-evr01-ldap01.ipa.XX@IPA.
XX,cn=services,cn=accounts,dc=ipa,dc=XX
nsDS5ReplicaId: 8
nsDS5ReplicaName: b4848193-ef4611e5-8893afc8-cadb562e
nsDS5ReplicaRoot: dc=ipa,dc=XX
nsDS5ReplicaType: 3
nsState:: CAAU/glY2gQUAA==
nsds5ReplicaLegacyConsumer: off
nsds5replicabinddngroup: cn=replication
managers,cn=sysaccounts,cn=etc,dc=ipa,
dc=XX
nsds5replicabinddngroupcheckinterval: 60
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsds5ReplicaChangeCount: 550
nsds5replicareapactive: 0

root@de-fra-irx08-ldap01  ~# ldapsearch -D "cn=Directory Manager" -W -LLL
-x -b
"cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XX-pki-tomcat,cn=replica,cn=o\3Dipaca
,cn=mapping tree,cn=config"
Enter LDAP Password:
dn:
cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XX-pki-tomcat,cn=replica,c
n=o\3Dipaca,cn=mapping tree,cn=config
cn: cloneAgreement1-de-fra-irx08-ldap01.ipa.XX-pki-tomcat
description: cloneAgreement1-de-fra-irx08-ldap01.ipa.XX-pki-tomcat
nsDS5ReplicaBindDN: cn=Replication Manager
masterAgreement1-de-fra-irx08-ldap0
1.ipa.XX-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
RERBNEJDUTJPRE5rWXpkaVpDMWtPRFZpTTJJeg0KT0MxaFpHVm1aall5TUMwMk9HSTFOakExTVFBQ
0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTF1K2UyWFJybUwyL0
ZWVTYrdmFDVw==}cJhPqOxvyGaExF/h3IO9UA==
nsDS5ReplicaHost: ro-buh-nx02-ldap01.ipa.XX
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaTransportInfo: TLS
nsds50ruv: {replicageneration} 56efacec0060
nsds50ruv: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XX:389}
56efacf1
0060 580711f20060
nsds50ruv: {replica 81 ldap://de-fra-irx08-ldap02.ipa.XX:389}
57163ff7000
00051 575fedb70051
nsds50ruv: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XX:389}
56efbe5b000
00056 571791490056
nsds50ruv: {replica 91 ldap://uk-rdg-evr01-ldap02.ipa.XX:389}
56efb7c5000
0005b 56efb80a0012005b
nsds50ruv: {replica 97 ldap://uk-rdg-evr01-ldap01.ipa.XX:389}
56efacf7000
00061 575ffeda0061
nsds50ruv: {replica 66} 575eb9f600030042 575eb9f600030042
nsds50ruv: {replica 71} 575eade7000e0047 575eade7000e0047
nsruvReplicaLastModified: {replica 96
ldap://ro-buh-nx02-ldap01.ipa.XX:38
9} 
nsruvReplicaLastModified: {replica 81
ldap://de-fra-irx08-ldap02.ipa.XX:3
89} 
nsruvReplicaLastModified: {replica 86
ldap://de-fra-irx08-ldap01.ipa.XX:3
89} 
nsruvReplicaLastModified: {replica 91
ldap://uk-rdg-evr01-ldap02.ipa.XX:3
89} 
nsruvReplicaLastModified: {replica 97
ldap://uk-rdg-evr01-ldap01.ipa.XX:3
89} 
nsruvReplicaLastModified: {replica 66} 
nsruvReplicaLastModified: {replica 71} 
objectClass: top
objectClass: nsds5replicationagreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 1970010100Z
nsds5replicaLastUpdateEnd: 1970010100Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't
co
ntact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 1970010100Z
nsds5replicaLastInitEnd: 1970010100Z


Is it safe to delete
cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config ?

Would this solve my problem?

Regards,
Gabriel Batir

[Freeipa-users] Question Time and DS

2016-10-21 Thread Günther J . Niederwimmer
Hello,

CentOS 7

1. Is it possible to install the DS tools for installing / testing ACIs
(found in the Red Hat docs) without destroying the FreeIPA installation?

2. What is the best way to have a correct time in KVM Clients (FreeIPA 
Server)?

My way at the moment is "chrony"; with NTP I have the problem of too big a 
time difference, which NTP can't correct.


-- 
Kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-21 Thread Jakub Hrozek
On Fri, Oct 21, 2016 at 04:07:16PM +1100, Robert Sturrock wrote:
> > On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> > […]
> > > However, when I try logging in as a student domain user 
> > > (student.example.au),
> > > I don't see any of the groups (there should be 8):
> > > 
> > > $ ssh -l rnst student example au ipa-client-rh7.ipa.example.au
> > > [rnst ipa-client-rh7 ~]$ groups
> > > rnst
> > > 
> > > Is this expected behaviour?  Is there a possible client configuration that
> > > will support our AD forest setup or is this simply not possible?
> > 
> > What you did is quite correct, but unfortunately works only with
> > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
> 
> I tried the same configuration on FC24, which has sssd-1.14.1-3, but it 
> didn’t work for the student domain either:
> 
> $ ssh -l r...@student.example.au ipa-client-fc24.ipa.example.au
> -sh-4.3$ groups
> rnst
> 
> Is the version shipping with RHEL7.3 likely to be different?

No, it's pretty much the same. Can you take a look at the logs and
create a dump of the ldb cache, please?

See:
https://fedorahosted.org/sssd/wiki/Troubleshooting
