Re: [Freeipa-users] FreeIPA installation on centos 7

2017-02-05 Thread Lachlan Musicman
On 4 February 2017 at 02:40, deepak dimri 
wrote:

> Thanks Rob
>
> Is there a place/link I can download the release for centos 7?
>
>
Amit,

You can get them from the vault:

http://vault.centos.org/7.2.1511/updates/x86_64/Packages/


I've still not done a comprehensive test, but the tests I have done show
sssd 1.14 working nicely (ie, as expected) with 4.4.0, *after* an upgrade
from 4.2.0.

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper




> ~Amit
>
> On Fri, Feb 3, 2017 at 3:03 PM, Rob Crittenden 
> wrote:
>
>> amit bhatt wrote:
>>
>>> My QA development setup is running with IPA VERSION: 4.2.0 on centos 7
>>> and I want to install the same version in my production environment as
>>> well.  However, when I am running yum install ipa-server I am getting
>>> VERSION: 4.4.0 (package ipa-server-4.4.0-14.el7.centos.4.x86_64)
>>> installed.
>>>
>>> How can I force IPA server to install 4.2.0 and not 4.4.0?
>>>
>>
>> You'd need to create your own yum repository with the older bits and
>> install from there (or push the packages onto your system and do a local
>> install).
>>
>> Note that the IPA packages are tested against the current versions of the
>> release which means that some packages may be newer and are therefore
>> untested against IPA 4.2.x. Chances are things will work fine but there are
>> no guarantees when mixing packages.
>>
>> rob
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
>

Re: [Freeipa-users] freeipa hostbased auth "connection closed"

2017-02-05 Thread Jakub Hrozek
On Sun, Feb 05, 2017 at 07:47:43PM +0530, Rakesh Rajasekharan wrote:
> Hi,
> 
> I am running a freeipa server version 4.4.0 and have setup hbac rules which
> work fine
> 
> However, just on one single host, I am seeing this issue wherein it is not
> allowing me ssh access.
> When I check my hbac permissions.. it says access granted but on trying to
> login.. it blocks me
> 
> On the Freeipa server
> ipa hbactest --user=p-testhbac --host=<my-test-host> --service=sshd
> 
> 
> Access granted: True
> 
>   Matched rules: ipa-alluser-access
>   Not matched rules: ipa-alluser-sudo-access
> 
> On the client I get this message while doing an ssh "Connection closed by
> 10.0.30.28".
> 
> In /var/log/secure I see these messages
> Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
> Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for
> user p-testhbac: 4 (System error)

If SSSD throws a System Error, you really need to look into SSSD's logs
-- System Error is kind of an unhandled exception in SSSD's code.

> Feb  5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from
> 10.0.4.6 port 40540 ssh2


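Added example (not part of any post in this thread): a Python triage of sssd domain-log records like the ones quoted in the thread, pulling the HBAC grant, the non-zero PAM result and the failed child into one report so the contradiction is visible at a glance. The sample records are constructed from the thread's excerpts with the mail wrapping undone; `triage` and its field names are illustrative assumptions.

```python
import re

# Constructed sample: modelled on the sssd_domain.log excerpts quoted in this
# thread, with the mail line wrapping undone (one log record per line).
P = "(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] "
SAMPLE_LOG = "\n".join(P + rest for rest in [
    "[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]",
    "[dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success",
    "[dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.",
    "[dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]",
    "[child_sig_handler] (0x0020): child [26795] failed with status [1].",
])

# Record layout: "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LINE = re.compile(r"^\(([^)]+)\) \[sssd\[be\[([^\]]+)\]\]\] \[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)$")
REQUEST = re.compile(r"DP Request \[(.+?) #(\d+)\]: (.*)")
GRANT = re.compile(r"Access granted by HBAC rule \[([^\]]+)\]")
RESULT = re.compile(r"Sending result \[(\d+)\]")
CHILD = re.compile(r"child \[(\d+)\] failed with status \[(\d+)\]")


def triage(log_text):
    """Collect the records that matter when pam_sss reports a System error."""
    out = {"hbac_rule": None, "requests": [], "failed_replies": [], "failed_children": []}
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # wrapped or foreign line: skip rather than guess
        msg = line.group(5)
        if (m := GRANT.search(msg)):
            out["hbac_rule"] = m.group(1)
        if (m := CHILD.search(msg)):
            out["failed_children"].append((int(m.group(1)), int(m.group(2))))
        if (m := REQUEST.match(msg)):
            label = f"{m.group(1)} #{m.group(2)}"
            if label not in out["requests"]:
                out["requests"].append(label)
            # A non-zero result sent back for a request is the denial itself;
            # 4 is what /var/log/secure printed as "4 (System error)".
            if (r := RESULT.match(m.group(3))) and r.group(1) != "0":
                out["failed_replies"].append((label, int(r.group(1))))
    # HBAC granted access yet a request still failed: look past HBAC.
    out["denied_despite_hbac"] = bool(out["hbac_rule"] and out["failed_replies"])
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `denied_despite_hbac` is true, the other entries in `requests` and `failed_children` are the records to read next in the full log.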

Re: [Freeipa-users] freeipa hostbased auth "connection closed"

2017-02-05 Thread Sullivan, Daniel [CRI]
Also, check your sshd configuration, there might be some restriction in there.

Dan

> On Feb 5, 2017, at 8:21 AM, Sullivan, Daniel [CRI] 
>  wrote:
> 
> Did you check /var/log/messages and /var/log/secure?  I think I’ve seen 
> problems with hosts.allow/hosts.deny dump output in there.
> 
> Dan
> 
> On Feb 5, 2017, at 8:17 AM, Rakesh Rajasekharan 
> > wrote:
> 
> Hi,
> 
> I am running a freeipa server version 4.4.0 and have setup hbac rules which 
> work fine
> 
> However, just on one single host, I am seeing this issue wherein it is not 
> allowing me ssh access.
> When I check my hbac permissions.. it says access granted but on trying to 
> login.. it blocks me
> 
> On the Freeipa server
> ipa hbactest --user=p-testhbac --host=<my-test-host> --service=sshd
> 
> 
> Access granted: True
> 
>  Matched rules: ipa-alluser-access
>  Not matched rules: ipa-alluser-sudo-access
> 
> On the client I get this message while doing an ssh "Connection closed by 
> 10.0.30.28".
> 
> In /var/log/secure I see these messages
> Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
> Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user 
> p-testhbac: 4 (System error)
> Feb  5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from 10.0.4.6 
> port 40540 ssh2
> Feb  5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by 
> PAM account configuration [preauth]
> 
> /var/log/sssd/sssd_domain.log I see this error at the end,
> 
> 
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [dp_req_destructor] (0x0400): Number of active DP request: 0
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result 
> [4][mydomain.com]
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [child_sig_handler] (0x1000): Waiting for child [26795].
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [child_sig_handler] (0x0020): child [26795] failed with status [1].
> 
> 
> 
> But a few lines above.. I see that I was allowed in by the hbac rule.
> 
> 
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [hbac_evaluate] (0x0100): hbac_evaluate() >]
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule 
> [ipa-alluser-access]
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler 
> finished [0]: Success
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [_dp_req_recv] (0x0400): DP Request [PAM Account #12]: Receiving request data.
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
> [dp_req_destructor] (0x0400): DP Request [PAM Account #12]: Request removed.
> 
> I was allowed in per the HBAC rule
> 
> 
> Not sure what's blocking me..
> 
> 
> Thanks
> Rakesh
> 



Re: [Freeipa-users] freeipa hostbased auth "connection closed"

2017-02-05 Thread Sullivan, Daniel [CRI]
Did you check /var/log/messages and /var/log/secure?  I think I’ve seen 
problems with hosts.allow/hosts.deny dump output in there.

Dan

On Feb 5, 2017, at 8:17 AM, Rakesh Rajasekharan 
> wrote:

Hi,

I am running a freeipa server version 4.4.0 and have setup hbac rules which 
work fine

However, just on one single host, I am seeing this issue wherein it is not 
allowing me ssh access.
When I check my hbac permissions.. it says access granted but on trying to 
login.. it blocks me

On the Freeipa server
ipa hbactest --user=p-testhbac --host=<my-test-host> --service=sshd


Access granted: True

  Matched rules: ipa-alluser-access
  Not matched rules: ipa-alluser-sudo-access

On the client I get this message while doing an ssh "Connection closed by 
10.0.30.28".

In /var/log/secure I see these messages
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user 
p-testhbac: 4 (System error)
Feb  5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from 10.0.4.6 
port 40540 ssh2
Feb  5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by PAM 
account configuration [preauth]

/var/log/sssd/sssd_domain.log I see this error at the end,


(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[dp_req_destructor] (0x0400): Number of active DP request: 0
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result 
[4][mydomain.com]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[child_sig_handler] (0x1000): Waiting for child [26795].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[child_sig_handler] (0x0020): child [26795] failed with status [1].



But a few lines above.. I see that I was allowed in by the hbac rule.


 (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[hbac_evaluate] (0x0100): hbac_evaluate() >]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule 
[ipa-alluser-access]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished 
[0]: Success
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[_dp_req_recv] (0x0400): DP Request [PAM Account #12]: Receiving request data.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] 
[dp_req_destructor] (0x0400): DP Request [PAM Account #12]: Request removed.

I was allowed in per the HBAC rule


Not sure what's blocking me..


Thanks
Rakesh


[Freeipa-users] freeipa hostbased auth "connection closed"

2017-02-05 Thread Rakesh Rajasekharan
Hi,

I am running a freeipa server version 4.4.0 and have setup hbac rules which
work fine

However, just on one single host, I am seeing this issue wherein it is not
allowing me ssh access.
When I check my hbac permissions.. it says access granted but on trying to
login.. it blocks me

On the Freeipa server
ipa hbactest --user=p-testhbac --host=<my-test-host> --service=sshd


Access granted: True

  Matched rules: ipa-alluser-access
  Not matched rules: ipa-alluser-sudo-access

On the client I get this message while doing an ssh "Connection closed by
10.0.30.28".

In /var/log/secure I see these messages
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success;
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for
user p-testhbac: 4 (System error)
Feb  5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from
10.0.4.6 port 40540 ssh2
Feb  5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by
PAM account configuration [preauth]

/var/log/sssd/sssd_domain.log I see this error at the end,


(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor]
(0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply]
(0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler]
(0x1000): Waiting for child [26795].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler]
(0x0020): child [26795] failed with status [1].



But a few lines above.. I see that I was allowed in by the hbac rule.


 (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate]
(0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate]
(0x0100): hbac_evaluate() >]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[ipa-alluser-access]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400):
DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [_dp_req_recv]
(0x0400): DP Request [PAM Account #12]: Receiving request data.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor]
(0x0400): DP Request [PAM Account #12]: Request removed.

I was allowed in per the HBAC rule


Not sure what's blocking me..


Thanks
Rakesh