Re: [Freeipa-users] WEB UI - wrong fonts or incomplete page loaded

2017-02-24 Thread Iulian Roman
On Fri, Feb 24, 2017 at 5:41 PM, Petr Vobornik  wrote:

> On 02/24/2017 05:13 PM, Iulian Roman wrote:
>
>>
>>
>> On Fri, Feb 24, 2017 at 4:55 PM, Petr Vobornik wrote:
>>
>> On 02/24/2017 12:15 PM, Iulian Roman wrote:
>>
>> Hello,
>>
>> After a successful installation of the ipa-server, when I try to log in
>> via the Web UI I've noticed that the web page looks strange (wrong fonts
>> and the page seems not completely/correctly loaded).
>>
>>
>>
>> The network debugger in Chrome/Firefox does
>>
>>
>> So it won't be browser- or extension-related. The only possibility is
>> to have the same extension in both browsers.
>>
>> display 2 errors :
>>
>> - json /ipa/session/ 401 Unauthorized
>>
>>
>> This is expected.
>>
>> - login _kerberos?=...  net::ERR_ACCESS_DENIED
>>
>>
>> This one should also return "401 Unauthorized" if you don't have SSO
>> configured in the browser or an SSO (Kerberos) ticket.
>>
>> net::ERR_ACCESS_DENIED indicates something is wrong. Maybe some other
>> software interferes in the communication with the server.
>>
>> What OS is it? Could there be an overzealous antivirus (the web check
>> part)? Or maybe a custom proxy setting?
>>
>>
>> It behaves the same from all browsers (Firefox, Chrome) and from both
>> Linux and Windows. I do use a proxy, but trying with Firefox directly from
>> the IPA server - therefore without proxy - does have the same result.
>>
>>
>>
>> I do not intend to use SSO for login into the Web UI (although it is the
>> default in the ipa version I am using) but apparently a supported method
>> to disable it is not known.
>>
>>
>> Right, it is not currently possible. I've opened an RFE ticket:
>> https://fedorahosted.org/freeipa/ticket/6709
>> Please comment if your use case is different than the proposed user story.
>>
>> I can log in with user and password but the Web UI is almost unusable
>> because of the wrongly loaded page.
>>
>>
>> I wonder if something did not tamper with the loaded files. If all files
>> are loaded correctly and if it is a fresh install (to mitigate the
>> possibility of an old cache) then it is weird. Maybe it is the antivirus.
>>
>> I wonder too. The strange thing is that from the same browser I can access
>> properly a different IPA server (which I've configured some time ago).
>>
>>
>> Do you have some Web UI plugin installed on IPA server?
>>
>>
>> It is a default installation. How can I check which plugins are installed?
>>
>
> Plugins are in /usr/share/ipa/ui/js/plugins/; if the directory is empty
> then there is no plugin.

I've just checked and there are no plugins installed.

> But a plugin would not cause:
>   login _kerberos?=...  net::ERR_ACCESS_DENIED

Indeed, but what would cause that? It is quite strange and I am almost
clueless. I try to narrow it down, and in my opinion the issue is most
probably on the server side, but I have no evidence for that so far.

>
>> Did anyone experience the same issue and is there any fix/solution for
>> that?
>>
>> --
>> Petr Vobornik
>>
>> Associate Manager, Engineering, Identity Management
>> Red Hat, Inc.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
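A small triage script for the two requests Petr explains above, added here as an example and not code from the thread or from FreeIPA. It assumes the browser's "json" and "login_kerberos" requests are the endpoints /ipa/session/json and /ipa/session/login_kerberos, that an unauthenticated browser should get 401 on both with a WWW-Authenticate: Negotiate challenge on the second, and that the plugin directory is the one Petr names.

```python
"""Triage of the Web UI login requests from the browser's network tab.

Added example, not FreeIPA code.  Assumptions: the "json" and
"login_kerberos" requests are /ipa/session/json and
/ipa/session/login_kerberos, an unauthenticated browser gets 401 on both,
and the Kerberos endpoint answers with a WWW-Authenticate: Negotiate
challenge (what an SSO-enabled browser would respond to with a ticket).
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EXPECTED_STATUS = {
    "/ipa/session/json": 401,
    "/ipa/session/login_kerberos": 401,
}

# Plugin location named in the thread; an empty directory means no plugin.
DEFAULT_PLUGIN_DIR = "/usr/share/ipa/ui/js/plugins"


@dataclass
class Observation:
    """One request as the network debugger shows it."""
    path: str
    status: Optional[int]                 # None: no HTTP response arrived
    headers: Dict[str, str] = field(default_factory=dict)
    net_error: Optional[str] = None       # e.g. "net::ERR_ACCESS_DENIED"


def classify(obs: Observation) -> str:
    """Say whether one observed request matches what the server should do."""
    expected = EXPECTED_STATUS.get(obs.path)
    if expected is None:
        return "unknown endpoint"
    if obs.status is None:
        # A net:: error means no HTTP answer reached the browser.  httpd
        # cannot produce that; something between browser and server (proxy,
        # AV web filter, extension) blocked or dropped the request.
        return "interference: no HTTP response ({})".format(obs.net_error or "?")
    if obs.status != expected:
        return "unexpected status {}".format(obs.status)
    if obs.path.endswith("login_kerberos"):
        lowered = {k.lower(): v for k, v in obs.headers.items()}
        if "negotiate" not in lowered.get("www-authenticate", "").lower():
            # 401 without the challenge: the reply did not come from the
            # GSSAPI-protected location as configured, or a proxy rewrote it.
            return "suspicious: 401 without Negotiate challenge"
    return "expected"


def installed_plugins(plugin_dir: str = DEFAULT_PLUGIN_DIR) -> List[str]:
    """Web UI plugins present on the server (one subdirectory each)."""
    if not os.path.isdir(plugin_dir):
        return []
    return sorted(name for name in os.listdir(plugin_dir)
                  if os.path.isdir(os.path.join(plugin_dir, name)))


def triage(observations: List[Observation],
           plugin_dir: str = DEFAULT_PLUGIN_DIR) -> Dict[str, str]:
    """One verdict per observed endpoint plus the plugin list."""
    report = {obs.path: classify(obs) for obs in observations}
    report["plugins"] = ", ".join(installed_plugins(plugin_dir)) or "none"
    return report


if __name__ == "__main__":
    # Constructed observations reproducing what the thread reports.
    seen = [
        Observation("/ipa/session/json", 401, {"Content-Type": "application/json"}),
        Observation("/ipa/session/login_kerberos", None, {}, "net::ERR_ACCESS_DENIED"),
    ]
    for key, verdict in triage(seen).items():
        print("{:30} {}".format(key, verdict))
```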

Re: [Freeipa-users] New install, unsupported format?

2017-02-24 Thread Steve Huston
So, I tried a different tack.  Took my bare VM configured as an IPA
client, did a 'yum install ipa-server' and edited the cainstance.py
file to fix the IPv6 issue.  Then, without adding the host to
ipaservers in the webui, I simply tried to promote it:

# kinit admin
Password for ad...@astro.princeton.edu:
# ipa-replica-install --verbose
ipa.ipapython.install.cli.install_tool(Replica): DEBUGLogging to
/var/log/ipareplica-install.log
ipa.ipapython.install.cli.install_tool(Replica): DEBUG
ipa-replica-install was invoked with arguments [] and options:
{'no_dns_sshfp': None, 'skip_schema_check': None, 'setup_kra': None,
'ip_addresses': None
, 'mkhomedir': None, 'http_cert_files': None, 'ssh_trust_dns': None,
'reverse_zones': None, 'no_forwarders': None, 'keytab': None,
'no_ntp': None, 'domain_name': None, 'http_cert_name': None,
'dirsrv_cert_files
': None, 'no_dnssec_validation': None, 'no_reverse': None,
'unattended': False, 'auto_reverse': None, 'auto_forwarders': None,
'no_host_dns': None, 'no_sshd': None, 'no_ui_redirect': None,
'dirsrv_config_file':
 None, 'forwarders': None, 'verbose': True, 'setup_ca': None,
'realm_name': None, 'skip_conncheck': None, 'no_ssh': None,
'forward_policy': None, 'dirsrv_cert_name': None, 'quiet': False,
'server': None, 'setup_dns': None, 'host_name': None, 'log_file':
None, 'allow_zone_overlap': None}
ipa.ipapython.install.cli.install_tool(Replica): DEBUGIPA version
4.4.0-14.el7_3.4
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/selinuxenabled
ipa : DEBUGProcess finished, return code=0
ipa : DEBUGstdout=
ipa : DEBUGstderr=
ipa : DEBUGLoading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUGLoading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUGhttpd is not configured
ipa : DEBUGkadmin is not configured
ipa : DEBUGdirsrv is not configured
ipa : DEBUGpki-tomcatd is not configured
ipa : DEBUGinstall is not configured
ipa : DEBUGkrb5kdc is not configured
ipa : DEBUGntpd is not configured
ipa : DEBUGnamed is not configured
ipa : DEBUGipa_memcached is not configured
ipa : DEBUGfilestore is tracking no files
ipa : DEBUGLoading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa : DEBUGConfiguring client side components
Configuring client side components
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/ipa-client-install --unattended --no-ntp
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using
'ipa-client-install --uninstall'.
ipa : DEBUGProcess finished, return code=3
Removing client side components
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/ipa-client-install --unattended
--uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted
nslcd daemon is not installed, skip configuration
Client uninstall complete.
ipa : DEBUGProcess finished, return code=0

ipa.ipapython.install.cli.install_tool(Replica): DEBUG  File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171,
in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 318, in run
cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 308, in run
self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 317, in validate
for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 362, in __runner
step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 359, in 
step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 564, in _configure
next(validator)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 449, in 

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-24 Thread Michael Ströder
Iulian Roman wrote:
> Michael Ströder  wrote:
>> Being in your position I'd first compile a list of functional and security 
>> requirements and ask then whether these requirements can be implemented with
>> FreeIPA. I'm curious to learn whether "some other security related 
>> attributes" are
>> still needed after all.
> 
> It is not a matter of whether they increase the security or not or if they
> are really needed, but a matter of complying with some security standards
> agreed between two parties. It would be easier to keep them in the same
> format than to change the security standard, tooling and processes behind
> (bureaucracy, overhead and complexity of the enterprise environment make me
> try to avoid that as much as possible, especially when there are many
> people and departments involved, with their own mindset and playing
> different politics).

Sounds like the usual IAM business - nothing special.

Still, my recommendation would be to go the route of listing the requirements
and implementing them with methods native to the IAM system of your choice
(here FreeIPA). This might look harder in the beginning but pays off pretty
soon.

Ciao, Michael.






Re: [Freeipa-users] WEB UI - wrong fonts or incomplete page loaded

2017-02-24 Thread Petr Vobornik

On 02/24/2017 05:13 PM, Iulian Roman wrote:



On Fri, Feb 24, 2017 at 4:55 PM, Petr Vobornik wrote:

On 02/24/2017 12:15 PM, Iulian Roman wrote:

Hello,

After a successful installation of the ipa-server, when I try to log in
via the Web UI I've noticed that the web page looks strange (wrong fonts
and the page seems not completely/correctly loaded).



The network debugger in Chrome/Firefox does


So it won't be browser- or extension-related. The only possibility is to have
the same extension in both browsers.

display 2 errors :

- json /ipa/session/ 401 Unauthorized


This is expected.

- login _kerberos?=...  net::ERR_ACCESS_DENIED


This one should also return "401 Unauthorized" if you don't have SSO
configured in the browser or an SSO (Kerberos) ticket.

net::ERR_ACCESS_DENIED indicates something is wrong. Maybe some other software
interferes in the communication with the server.

What OS is it? Could there be an overzealous antivirus (the web check
part)? Or maybe a custom proxy setting?


It behaves the same from all browsers (Firefox, Chrome) and from both Linux and
Windows. I do use a proxy, but trying with Firefox directly from the IPA
server - therefore without proxy - does have the same result.



I do not intend to use SSO for login into the Web UI (although it is the
default in the ipa version I am using) but apparently a supported method to
disable it is not known.


Right, it is not currently possible. I've opened an RFE ticket:
https://fedorahosted.org/freeipa/ticket/6709
Please comment if your use case is different than the proposed user story.

I can log in with user and password but the Web UI is almost unusable
because of the wrongly loaded page.


I wonder if something did not tamper with the loaded files. If all files are
loaded correctly and if it is a fresh install (to mitigate the possibility of
an old cache) then it is weird. Maybe it is the antivirus.

I wonder too. The strange thing is that from the same browser I can access
properly a different IPA server (which I've configured some time ago).


Do you have some Web UI plugin installed on IPA server?


It is a default installation. How can I check which plugins are installed?


Plugins are in /usr/share/ipa/ui/js/plugins/; if the directory is empty
then there is no plugin.

But a plugin would not cause:
  login _kerberos?=...  net::ERR_ACCESS_DENIED


Did anyone experience the same issue and is there any fix/solution for
that?



--
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat, Inc.



Re: [Freeipa-users] WEB UI - wrong fonts or incomplete page loaded

2017-02-24 Thread Iulian Roman
On Fri, Feb 24, 2017 at 4:55 PM, Petr Vobornik  wrote:

> On 02/24/2017 12:15 PM, Iulian Roman wrote:
>
>> Hello,
>>
>> After a successful installation of the ipa-server, when I try to log in
>> via the Web UI I've noticed that the web page looks strange (wrong fonts
>> and the page seems not completely/correctly loaded).
>>
>
>
> The network debugger in Chrome/Firefox does
>>
>
> So it won't be browser- or extension-related. The only possibility is to
> have the same extension in both browsers.
>
> display 2 errors :
>>
>> - json /ipa/session/ 401 Unauthorized
>>
>
> This is expected.
>
> - login _kerberos?=...  net::ERR_ACCESS_DENIED
>>
>
> This one should also return "401 Unauthorized" if you don't have SSO
> configured in the browser or an SSO (Kerberos) ticket.
>
> net::ERR_ACCESS_DENIED indicates something is wrong. Maybe some other
> software interferes in the communication with the server.
>
> What OS is it? Could there be an overzealous antivirus (the web check
> part)? Or maybe a custom proxy setting?
>

It behaves the same from all browsers (Firefox, Chrome) and from both Linux
and Windows. I do use a proxy, but trying with Firefox directly from the
IPA server - therefore without proxy - does have the same result.

>
>
>> I do not intend to use SSO for login into the Web UI (although it is the
>> default in the ipa version I am using) but apparently a supported method
>> to disable it is not known.
>>
>
> Right, it is not currently possible. I've opened an RFE ticket:
> https://fedorahosted.org/freeipa/ticket/6709 Please comment if your use
> case is different than the proposed user story.
>
> I can log in with user and password but the Web UI is almost unusable
>> because of the wrongly loaded page.
>>
>
> I wonder if something did not tamper with the loaded files. If all files are
> loaded correctly and if it is a fresh install (to mitigate the possibility
> of an old cache) then it is weird. Maybe it is the antivirus.
>
I wonder too. The strange thing is that from the same browser I can access
properly a different IPA server (which I've configured some time ago).

>
> Do you have some Web UI plugin installed on IPA server?


It is a default installation. How can I check which plugins are installed?

>
>> Did anyone experience the same issue and is there any fix/solution for
>> that?
>>
>
> --
> Petr Vobornik
>
> Associate Manager, Engineering, Identity Management
> Red Hat, Inc.
>

Re: [Freeipa-users] WEB UI - wrong fonts or incomplete page loaded

2017-02-24 Thread Petr Vobornik

On 02/24/2017 12:15 PM, Iulian Roman wrote:

Hello,

After a successful installation of the ipa-server, when I try to log in via
the Web UI I've noticed that the web page looks strange (wrong fonts and the
page seems not completely/correctly loaded).




The network debugger in Chrome/Firefox does


So it won't be browser- or extension-related. The only possibility is to
have the same extension in both browsers.



display 2 errors :

- json /ipa/session/ 401 Unauthorized


This is expected.


- login _kerberos?=...  net::ERR_ACCESS_DENIED


This one should also return "401 Unauthorized" if you don't have SSO
configured in the browser or an SSO (Kerberos) ticket.


net::ERR_ACCESS_DENIED indicates something is wrong. Maybe some other
software interferes in the communication with the server.


What OS is it? Could there be an overzealous antivirus (the web check
part)? Or maybe a custom proxy setting?




I do not intend to use SSO for login into the Web UI (although it is the
default in the ipa version I am using) but apparently a supported method to
disable it is not known.


Right, it is not currently possible. I've opened an RFE ticket:
https://fedorahosted.org/freeipa/ticket/6709 Please comment if your use
case is different than the proposed user story.



I can log in with user and password but the Web UI is almost unusable
because of the wrongly loaded page.


I wonder if something did not tamper with the loaded files. If all files
are loaded correctly and if it is a fresh install (to mitigate the
possibility of an old cache) then it is weird. Maybe it is the antivirus.


Do you have some Web UI plugin installed on IPA server?




Did anyone experience the same issue and is there any fix/solution for that?




--
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat, Inc.



Re: [Freeipa-users] New user group not shown on IPA client

2017-02-24 Thread Jakub Hrozek
On Fri, Feb 24, 2017 at 12:36:03PM +0100, Gerald Zabos wrote:
> Hello *,
> 
> I just created a new user group 'it_testusers' (9068) on one of
> the IPA servers and added three existing users:
> 
> 'test' (9065)
> 'ipajoin' (9061)
> 'ldaptest' (9063).
> 
> When looking up the group membership of these users on one of our IPA
> clients with 'id ' it shows uid, gid and groups=, but
> the new group 'it_testusers' is still missing.
> 
> Looking up group membership with 'id ' on all of our IPA
> servers works; I can see the new group in the list of the user's groups.
> 
> Server OS: Redhat 7.3
> ipa-server: ipa-server-4.4.0-14.el7_3.4
> 
> Client OS: CentOS 7.3
> ipa-client: ipa-client-4.4.0-14.el7.centos.4
> 
> I've read https://www.redhat.com/archives/freeipa-users/2015-May/msg00463.html
> as it seems to be a similar problem.
> 
> I stopped sssd, removed the files in /var/lib/sss/db and started sssd
> on the client -> still can't see the new group
> 
> I rebooted the client -> still can't see the new group

I'm afraid you need to look into sssd logs on the client:
https://fedorahosted.org/sssd/wiki/Troubleshooting



Re: [Freeipa-users] New install, unsupported format?

2017-02-24 Thread Steve Huston
On Fri, Feb 24, 2017 at 2:31 AM, Standa Laznicka  wrote:
> Hello,
> I don't quite understand your situation - did the error happen during the
> addition of the host to the "ipaservers" group or during replica
> installation?

It was during the addition of the host.  In fact, any 'ipa' command
fails with the same error, even 'ipa help'.  I could understand if the
CA needs to be set up before these commands work, but then I'm pretty
sure I followed the order of the instructions for creating a replica
and this was the result.

Interestingly, when I first started to do this, I had other failures
related to the directory level.  I later realized that it's because I
was trying to create the replica on the test VM that I hadn't yet
upgraded from RHEL6 to RHEL7, so I was trying to use IPA 3.x.  In that
instance, the command to add the soon-to-be replica to ipaservers
succeeded, but the command to create the replica failed, needing
the replica file (I later realized what was going on and
reinstalled the VM as I intended originally).

> Certutil is a wonderful piece of software that returns
> "(SEC_ERROR_LEGACY_DATABASE)" in about 90% of most common cases but I have
> never seen an actual legacy database. Usually, this error means that the
> directory you're pointing the certutil tool to either does not exist or you
> don't have the permissions to read/write in this exact directory.

Everything else on the server seems to be working fine, and the error
containing the URL to the running server leads me to believe it's a
problem with communication between the two.  However there is no
firewalling on either host (yet) so I'm not sure why they wouldn't be
able to communicate.  I did run an strace of the process and didn't
see anything highly useful, in fact the only connect syscall I saw was
to the socket of the local nscd.

Debug output of 'ipa -d help':
ipa: DEBUG: Starting external process
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:ad...@astro.princeton.edu
ipa: DEBUG: Process finished, return code=1
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available

ipa: DEBUG: failed to find session_cookie in persistent storage for
principal 'ad...@astro.princeton.edu'
ipa: INFO: trying https://ipa.astro.princeton.edu/ipa/json
ipa: DEBUG: Created connection context.rpcclient_49093200
ipa: INFO: Forwarding 'schema' to json server
'https://ipa.astro.princeton.edu/ipa/json'
ipa: DEBUG: NSSConnection init ipa.astro.princeton.edu
ipa: DEBUG: Destroyed connection context.rpcclient_49093200
ipa: ERROR: cannot connect to
'https://ipa.astro.princeton.edu/ipa/json':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.

> Cheers,
> Standa
>
> P.S.: I might have sent you this email twice because I am a bad person when
> it comes to the "Send" button, please reply to the email which has
> "freeipa-users" in CC :)

No worries :D

> On 02/23/2017 10:38 PM, Steve Huston wrote:
>>
>> I already had to do that previously to get other things to work; I had
>> solved it by changing line 582 of
>> /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from
>> "::1" to "localhost" before installing the server.  I did do this on
>> the to-be-promoted client as well, to no avail.
>>
>> On Thu, Feb 23, 2017 at 4:25 PM, Rob Crittenden 
>> wrote:
>>>
>>> Steve Huston wrote:

 Next stage of my testing was to make a replica of the FreeIPA server,
 and I started by doing a 'yum install ipa-server' and then moved on to
 adding the host to the ipaservers group.  This fails every time
 however, with the error:

 ipa: ERROR: cannot connect to
 'https://ipa.astro.princeton.edu/ipa/json':
 (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
 unsupported format.

 Searches on this seem to turn up things like expired certificates, or
 "reboot httpd" (I went ahead and rebooted the whole ipa server), but
 nothing concrete.  Suggestions?  Everything (server and soon-to-be
 replica) running RHEL7.3 with all updates.

>>> See the workaround in
>>> https://fedorahosted.org/freeipa/ticket/6575#comment:9
>>>
>>> rob
>>
>>
>>
>



-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'

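A pre-flight check for the NSS database the `ipa` client tools open, added here as an example and not code from the thread or from FreeIPA. Following Standa's explanation above, it separates a missing or unreadable directory from a database that really is in the legacy cert8.db format or in the sql cert9.db format; the default client path /etc/ipa/nssdb is an assumption.

```python
"""Pre-flight check of the NSS database that the `ipa` client tools open.

Added example, not FreeIPA code.  SEC_ERROR_LEGACY_DATABASE is usually
raised because the directory handed to NSS does not exist or cannot be
read, not because the database is old; this check tells those apart
before anyone reaches for certutil.  /etc/ipa/nssdb is an assumed path.
"""
import os
from typing import List, NamedTuple, Optional

DEFAULT_NSSDB = "/etc/ipa/nssdb"
DBM_FILES = ("cert8.db", "key3.db", "secmod.db")   # legacy Berkeley DB layout
SQL_FILES = ("cert9.db", "key4.db", "pkcs11.txt")  # SQLite layout (certutil -d sql:)


class NssdbStatus(NamedTuple):
    state: str                   # missing | not_a_directory | no_access | empty | dbm | sql | mixed
    unreadable: List[str]        # database files present but not readable by this uid
    certutil_dir: Optional[str]  # value for `certutil -d` matching the on-disk format


def inspect_nssdb(path: str = DEFAULT_NSSDB) -> NssdbStatus:
    """Classify an NSS database directory without opening it through NSS."""
    if not os.path.exists(path):
        return NssdbStatus("missing", [], None)
    if not os.path.isdir(path):
        return NssdbStatus("not_a_directory", [], None)
    # NSS must list the directory (x) and read the files in it (r).
    if not os.access(path, os.R_OK | os.X_OK):
        return NssdbStatus("no_access", [], None)

    present = set(os.listdir(path))
    has_dbm = any(name in present for name in DBM_FILES)
    has_sql = any(name in present for name in SQL_FILES)
    unreadable = sorted(
        name for name in DBM_FILES + SQL_FILES
        if name in present and not os.access(os.path.join(path, name), os.R_OK))

    if has_dbm and has_sql:
        # Both layouts side by side; newer tools open the sql one.
        state, prefix = "mixed", "sql:"
    elif has_sql:
        state, prefix = "sql", "sql:"
    elif has_dbm:
        state, prefix = "dbm", "dbm:"
    else:
        return NssdbStatus("empty", [], None)
    return NssdbStatus(state, unreadable, prefix + path)


def diagnose(status: NssdbStatus) -> str:
    """Turn a status into the next action for the admin."""
    if status.state in ("missing", "not_a_directory"):
        return "NSS db path is wrong or the client was never configured; re-run ipa-client-install"
    if status.state == "no_access" or status.unreadable:
        return "fix ownership/permissions so the invoking user can read the database files"
    if status.state == "empty":
        return "directory exists but holds no database; the client certificate store was not created"
    return "database present ({}); inspect it with: certutil -d {} -L".format(
        status.state, status.certutil_dir)


if __name__ == "__main__":
    st = inspect_nssdb()
    print(st)
    print(diagnose(st))
```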


Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-24 Thread Brendan Kearney

On 02/24/2017 03:33 AM, Kees Bakker wrote:

On 23-02-17 15:39, Brendan Kearney wrote:

On 02/23/2017 09:11 AM, Kees Bakker wrote:

On 23-02-17 13:51, Brendan Kearney wrote:

On 02/23/2017 07:32 AM, Kees Bakker wrote:

On 22-02-17 17:33, Brendan Kearney wrote:

On 02/22/2017 10:26 AM, Kees Bakker wrote:

On 22-02-17 14:05, Brendan Kearney wrote:

On 02/22/2017 05:23 AM, Kees Bakker wrote:

On 21-02-17 19:49, Brendan Kearney wrote:

On 02/21/2017 10:57 AM, Kees Bakker wrote:

Hey,

Maybe one of the NFS users on this list could give me a hint about what
could be wrong. I'm not sure if it has any relation with FreeIPA/Kerberos.

I've set up an NFS server and I can mount the NFS directory on my client. So,
I'm guessing that setting up the Kerberos principal was done correctly.

However, only root can actually access the mounted contents. Any other user
only sees question marks as shown below.

The mount command is simple.
$ sudo mount -v -t nfs srv1.example.com:/home /nfshome
mount.nfs: timeout set for Tue Feb 21 16:36:39 2017
mount.nfs: trying text-based options 
'vers=4,addr=172.16.16.45,clientaddr=172.16.16.30'

On the server side /etc/exports looks like this.
/home    *(rw,sync,sec=krb5i,no_subtree_check)

$ sudo mount |grep nfs
srv1.example.com:/home on /nfshome type nfs4 
(rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=172.16.16.30,local_lock=none,addr=172.16.16.45)

$ sudo ls -ld /nfshome
drwxr-xr-x 1 root root 72 feb 21 04:22 /nfshome
$ sudo ls -l /nfshome
total 0
drwxr-xr-x 1 keesb  keesb  116 jan 27 12:56 keesb

$ ls -l /nfshome
ls: cannot access '/nfshome': Permission denied
$ ls -l / | grep nfshome
ls: cannot access '/nfshome': Permission denied
d?   ? ??   ?? nfshome


sec=krb* means that the user accessing the mount has to authenticate with a
Kerberos ticket, and has to be the user or in the group granted access to the
share.  From the looks of things, the user did not authenticate, and that is
why the permissions are question marks.  Check the Kerberos tickets that the
user has (klist output).  Otherwise, the ownership might be a user and group
that the client machine does not recognize (think POSIX user/group that is not
in sync between the NFS server and the client).

Thanks for the reply.

In this case the user _is_ authenticated.
keesb@client1:~$ klist
Ticket cache: KEYRING:persistent:60001:60001
Default principal: ke...@example.com

Valid starting     Expires            Service principal
22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/example@example.com

No, the user has a TGT.  An nfs/host.domain.tld@REALM ticket is needed to
authenticate.

(( I'm trying to catch up on the acronyms. TGT. Reading wikipedia now. ))


What other grants could be needed? HBAC Rules?

Do I need an nfs principal for the client? (I didn't think so, but many HOWTOs
say so [2]. Anyway, it doesn't help to get access for the user.)

There are principals to create and keytabs to be updated on the NFS server, if
not done already.

I did create a principal for the NFS server (using ipa service-add) and
add to the keytab on the NFS server (using ipa-getkeytab) ...
root@srv1# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
   1 host/srv1.example@example.com (aes256-cts-hmac-sha1-96)
   1 host/srv1.example@example.com (aes128-cts-hmac-sha1-96)
   1 nfs/srv1.example@example.com (aes256-cts-hmac-sha1-96)
   1 nfs/srv1.example@example.com (aes128-cts-hmac-sha1-96)

Is this what you mean?

Yes, if that is done, the server side components should be done for Kerberos.
Have you set things up in /etc/idmapd.conf so your domain, REALM, etc. are set up?

I don't think that a change of idmapd.conf (on the NFS server) is needed
because all host names are FQDN and everything is in one and the same REALM.

NFS needs to know how to map a user object to an ID and groups.  Identities
established by Kerberos do not directly translate to users.  Usually some sort
of directory service is leveraged in order to accomplish this, though PAM and
things like that can be used too.  By setting things in idmapd.conf, you are
telling NFS how to translate Kerberos identities into usernames, so ownership
and permissions can be sync'd.

Both the NFS server and the client are configured as FreeIPA clients.
On the server the users are known (through PAM, SSSD). Only user
"ubuntu" is a local (/etc/passwd) user. All other users are defined on
the IPA server.

root@srv1:~# ls -l /home
total 0
drwxr-xr-x 1 keesb  keesb  116 jan 27 12:56 keesb
drwxr-xr-x 1 ubuntu ubuntu 142 aug 17  2016 ubuntu
root@srv1:~# ls -ln /home
total 0
drwxr-xr-x 1 60001 60001 116 jan 27 12:56 keesb
drwxr-xr-x 1  1000  1000 142 aug 17  2016 ubuntu

On the client, same story

root@client1:~# ls -l /nfshome
total 0
drwxr-xr-x 1 keesb  keesb  116 jan 27 12:56 
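A checker for the two Kerberos preconditions Brendan and Kees go through above: the user's `klist` output on the client and the NFS server's `klist -ke` keytab listing. This is an added example, not code from the thread; the sample outputs are constructed in the thread's layout with EXAMPLE.COM, srv1.example.com and user keesb, and the dd-mm-yy date format is the one Kees's klist printed.

```python
"""Check the Kerberos side of a sec=krb5i NFS mount from two listings:
the user's credential cache (klist) and the server keytab (klist -ke).

Added example, not FreeIPA code.  Sample outputs below are constructed in
the layout the thread shows; realm EXAMPLE.COM, server srv1.example.com.
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

DATE_FORMATS = ("%d-%m-%y %H:%M:%S", "%m/%d/%y %H:%M:%S")   # thread's locale, then US default
TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


class Ticket(NamedTuple):
    start: datetime
    expires: datetime
    principal: str


def _parse_time(text: str) -> datetime:
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist time: " + text)


def parse_klist(text: str) -> List[Ticket]:
    """Parse the ticket table of `klist`; cache/header lines are skipped."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m and not line.lstrip().startswith("Valid"):
            tickets.append(Ticket(_parse_time(m.group(1)), _parse_time(m.group(2)), m.group(3)))
    return tickets


def has_valid_tgt(tickets: List[Ticket], realm: str, now: datetime) -> bool:
    """An unexpired krbtgt/REALM@REALM is what rpc.gssd needs to fetch the nfs/ ticket."""
    want = "krbtgt/{0}@{0}".format(realm)
    return any(t.principal == want and t.start <= now < t.expires for t in tickets)


def nfs_service_ticket(tickets: List[Ticket], server_fqdn: str) -> Optional[Ticket]:
    """The nfs/<server>@REALM ticket, present once the user has touched the mount."""
    prefix = "nfs/{}@".format(server_fqdn)
    return next((t for t in tickets if t.principal.startswith(prefix)), None)


def parse_keytab_listing(text: str) -> Set[Tuple[int, str, str]]:
    """Parse `klist -ke` output into (kvno, principal, enctype) triples."""
    return {(int(m.group(1)), m.group(2), m.group(3))
            for m in map(KEYTAB_RE.match, text.splitlines()) if m}


def nfs_keytab_ok(entries: Set[Tuple[int, str, str]], server_fqdn: str, realm: str) -> bool:
    """The server keytab must carry nfs/<fqdn>@REALM or sec=krb5* cannot be negotiated."""
    principal = "nfs/{}@{}".format(server_fqdn, realm)
    return any(p == principal for _, p, _ in entries)


def summarize(klist_text: str, keytab_text: str, realm: str,
              server_fqdn: str, now_text: str) -> Dict[str, bool]:
    """Client-side (klist) and server-side (klist -ke) preconditions in one report."""
    tickets = parse_klist(klist_text)
    return {
        "tgt_valid": has_valid_tgt(tickets, realm, _parse_time(now_text)),
        "nfs_ticket": nfs_service_ticket(tickets, server_fqdn) is not None,
        "server_keytab_ok": nfs_keytab_ok(parse_keytab_listing(keytab_text), server_fqdn, realm),
    }


# Constructed sample outputs in the layout shown in the thread.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:60001:60001
Default principal: keesb@EXAMPLE.COM

Valid starting     Expires            Service principal
22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/srv1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 host/srv1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 nfs/srv1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 nfs/srv1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_KLIST, SAMPLE_KEYTAB, "EXAMPLE.COM",
                    "srv1.example.com", "22-02-17 10:00:00"))
```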

Re: [Freeipa-users] Default domain for AD groups

2017-02-24 Thread Hanoz Elavia
Thanks Alexander!!


On Fri, Feb 24, 2017 at 6:04 AM, Alexander Bokovoy 
wrote:

> On to, 23 helmi 2017, Hanoz Elavia wrote:
>
>> Hello,
>>
>> My FreeIPA clients and server are set up to use the AD domain as the
>> default. This is done using the default_domain_suffix parameter in the
>> sssd section of the sssd.conf file.
>>
>> This works fine for users when we use ldapsearch but not so much for
>> groups. For example:
>>
>> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b
>> 'cn=compat,dc=ipa,dc=server,dc=com' -D
>> 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' '(cn=
>> domaingr...@server.com)'
>>
>> works fine but
>>
>> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b
>> 'cn=compat,dc=ipa,dc=server,dc=com' -D
>> 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com'
>> '(cn=domaingroup)'
>>
>> won't work. However, the above will work fine for users. I'm using the
>>
> No, the compat tree is designed to be used with fully-qualified groups and
> users. There is no way around it.
>
> --
> / Alexander Bokovoy
>
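Building the compat-tree search Alexander describes, as an added example that is not code from the thread or from FreeIPA: the group name is qualified with the AD domain when the caller omits it, and the filter value is escaped per RFC 4515 so a name coming from a form field or script argument cannot change the filter. The base DN, bind DN and domain 'server.com' reuse the values from Hanoz's ldapsearch; posixGroup/posixAccount as the compat-tree object classes are assumed.

```python
"""Compat-tree (cn=compat) lookups for AD users and groups.

Added example, not FreeIPA code.  The compat tree only answers for
fully-qualified names (name@domain), so the name is qualified before the
filter is built, and the value is RFC 4515-escaped so a caller-supplied
name cannot inject filter syntax.  posixAccount/posixGroup as the compat
object classes are an assumption.
"""
from typing import List

# container under cn=compat, object class, naming attribute
COMPAT_KINDS = {
    "user":  ("users",  "posixAccount", "uid"),
    "group": ("groups", "posixGroup",   "cn"),
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 using \\XX hex escapes."""
    out = []
    for byte in value.encode("utf-8"):
        # Must-escape: NUL ( ) * \ ; non-printable and non-ASCII bytes are
        # escaped too so the resulting filter is plain ASCII.
        if byte in (0x00, 0x28, 0x29, 0x2A, 0x5C) or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def qualify(name: str, default_domain: str) -> str:
    """Return name@domain; a name that already carries a domain is kept."""
    return name if "@" in name else "{}@{}".format(name, default_domain)


def compat_filter(name: str, default_domain: str, kind: str = "group") -> str:
    """LDAP filter matching one compat-tree entry by its fully-qualified name."""
    _, objcls, attr = COMPAT_KINDS[kind]
    value = escape_filter_value(qualify(name, default_domain))
    return "(&(objectClass={})({}={}))".format(objcls, attr, value)


def compat_base(kind: str, base_dn: str) -> str:
    """Search base for users or groups under the compat tree."""
    return "cn={},cn=compat,{}".format(COMPAT_KINDS[kind][0], base_dn)


def ldapsearch_argv(uri: str, bind_dn: str, base_dn: str, name: str,
                    default_domain: str, kind: str = "group") -> List[str]:
    """argv for ldapsearch; hand it to subprocess.run without a shell."""
    return ["ldapsearch", "-x", "-W", "-s", "sub", "-H", uri,
            "-b", compat_base(kind, base_dn), "-D", bind_dn,
            compat_filter(name, default_domain, kind)]


if __name__ == "__main__":
    argv = ldapsearch_argv(
        "ldap://ipa.server.com",
        "uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com",
        "dc=ipa,dc=server,dc=com", "domaingroup", "server.com")
    print(" ".join(argv))
    # subprocess.run(argv) would prompt for the bind password because of -W
```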

[Freeipa-users] New user group not shown on IPA client

2017-02-24 Thread Gerald Zabos
Hello *,

I just created a new user group 'it_testusers' (9068) on one of
the IPA servers and added three existing users:

'test' (9065)
'ipajoin' (9061)
'ldaptest' (9063).

When looking up the group membership of these users on one of our IPA
clients with 'id ' it shows uid, gid and groups=, but
the new group 'it_testusers' is still missing.

Looking up group membership with 'id ' on all of our IPA
servers works; I can see the new group in the list of the user's groups.

Server OS: Redhat 7.3
ipa-server: ipa-server-4.4.0-14.el7_3.4

Client OS: CentOS 7.3
ipa-client: ipa-client-4.4.0-14.el7.centos.4

I've read https://www.redhat.com/archives/freeipa-users/2015-May/msg00463.html
as it seems to be a similar problem.

I stopped sssd, removed the files in /var/lib/sss/db and started sssd
on the client -> still can't see the new group

I rebooted the client -> still can't see the new group

Any hints on how to proceed with this problem?

Regards,

Gerald



[Freeipa-users] WEB UI - wrong fonts or incomplete page loaded

2017-02-24 Thread Iulian Roman
Hello,

After a successful installation of the ipa-server, when I try to log in via
the Web UI I've noticed that the web page looks strange (wrong fonts and the
page seems not completely/correctly loaded). The network debugger in
Chrome/Firefox does display 2 errors:

- json /ipa/session/ 401 Unauthorized
- login _kerberos?=...  net::ERR_ACCESS_DENIED

I do not intend to use SSO for login into the Web UI (although it is the
default in the ipa version I am using) but apparently a supported method to
disable it is not known. I can log in with user and password but the Web UI
is almost unusable because of the wrongly loaded page.


Did anyone experience the same issue and is there any fix/solution for
that?

Re: [Freeipa-users] integrated DNS vs external DNS

2017-02-24 Thread Martin Basti

Adding freeipa-users back to loop


On 24.02.2017 12:02, Iulian Roman wrote:
On Thu, Feb 23, 2017 at 4:21 PM, Martin Basti wrote:

Hello,

comments inline


On 23.02.2017 15:07, Iulian Roman wrote:

Despite reading the freeipa and Redhat IdM documentation
regarding the DNS , it is still unclear to me if and when is
integrated DNS mandatory .  We do have an environment with a
pretty complex DNS setup , which is in place for years and there
are no  plans to change it.


Integrated DNS is not mandatory at all. Without IPA DNS you have
to manage all IPA system records manually on external DNS
if i understood correctly from the documentation , integrated DNS
is mandatory for configuring AD trust. is that correct ?

No, it is not needed for AD trust, you need to add additional DNS
records
Can the integrated DNS be configured as forward only ? Do the
clients need to have IPA DNS as a resolver or they can just use
existing DNS server ?

You don't need to install IPA DNS.

All records the IPA needs can be received from command `ipa
dns-update-system-records --dry-run` (IPA4.4+)


there are some SRV records (_kerberos, _kpasswd, _ldap, _ntp) reported 
by the above command which would not be easy to add them to existing 
DNS (DNS updates are form based and they allow only A and CNAME 
records). When and by whom are those records used and what is the 
consequence of not adding them  into existing DNS ?
These are mainly used by ipa-clients (SSSD) with dynamic configuration. 
However you may configure client to use static configuration (without 
auto detection of working IPA servers) and it should work. However I'm 
not sure about DNS records required for AD Trust, who is the consumer, 
if only SSSD or not.
Martin
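
Martin's answer points the external-DNS case at `ipa dns-update-system-records --dry-run`. Added example, not part of the thread or of FreeIPA: a shell script that writes the SRV records named in the question (_kerberos, _kpasswd, _ldap, _ntp) and the Kerberos realm TXT record as BIND zone lines a DNS team can import, plus a `dig` check that reports which of them an external resolver does not yet answer. Domain, realm and server names are assumed placeholders, and the generator does not cover the ipa-ca address records the dry run also lists; take those from the server addresses.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: domain example.com,
# realm EXAMPLE.COM, servers ipa1.example.com and ipa2.example.com.

# ipa_system_records DOMAIN REALM SERVER...: print BIND zone lines for the
# records IPA clients look up when they auto-discover servers.
# _ntp._udp only applies to servers that run the IPA-managed ntpd.
ipa_system_records() {
  domain=$1; realm=$2; shift 2
  printf '_kerberos.%s. 86400 IN TXT "%s"\n' "$domain" "$realm"
  for server in "$@"; do
    for rec in '_kerberos._tcp 88' '_kerberos._udp 88' '_kpasswd._tcp 464' \
               '_kpasswd._udp 464' '_ldap._tcp 389' '_ntp._udp 123'; do
      name=${rec% *}; port=${rec#* }
      printf '%s.%s. 86400 IN SRV 0 100 %s %s.\n' "$name" "$domain" "$port" "$server"
    done
  done
}

# srv_missing DOMAIN: print the SRV names the configured resolver does not answer.
srv_missing() {
  for name in _kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp _ldap._tcp _ntp._udp; do
    dig +short SRV "$name.$1" | grep -q . || echo "$name.$1"
  done
}

# Live run: RUN_LIVE=1 sh ipa_srv_records.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  ipa_system_records example.com EXAMPLE.COM ipa1.example.com ipa2.example.com
  echo "missing in external DNS:"
  srv_missing example.com
fi
```

When the records cannot be published, the static client configuration Martin mentions is an explicit `ipa_server` list in /etc/sssd/sssd.conf without the `_srv_` entry; `srv_missing` then documents what auto-discovery would have needed.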

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-24 Thread Kees Bakker
On 23-02-17 15:39, Brendan Kearney wrote:
> On 02/23/2017 09:11 AM, Kees Bakker wrote:
>> On 23-02-17 13:51, Brendan Kearney wrote:
>>> On 02/23/2017 07:32 AM, Kees Bakker wrote:
>>>> On 22-02-17 17:33, Brendan Kearney wrote:
>>>>> On 02/22/2017 10:26 AM, Kees Bakker wrote:
>>>>>> On 22-02-17 14:05, Brendan Kearney wrote:
>>>>>>> On 02/22/2017 05:23 AM, Kees Bakker wrote:
>>>>>>>> On 21-02-17 19:49, Brendan Kearney wrote:
>>>>>>>>> On 02/21/2017 10:57 AM, Kees Bakker wrote:
>>>>>>>>>> Hey,
>>>>>>>>>>
>>>>>>>>>> Maybe one of the NFS users on this list could give me a hint what
>>>>>>>>>> could be wrong. I'm not sure if it has any relation with
>>>>>>>>>> FreeIPA/Kerberos.
>>>>>>>>>>
>>>>>>>>>> I've set up an NFS server and I can mount the NFS directory on my
>>>>>>>>>> client. So, I'm
>>>>>>>>>> guessing that setting up Kerberos principal was done correctly.
>>>>>>>>>>
>>>>>>>>>> However, only root can actually access the mounted contents. Any
>>>>>>>>>> other user
>>>>>>>>>> only sees question marks as shown below.
>>>>>>>>>>
>>>>>>>>>> The mount command is simple.
>>>>>>>>>> $ sudo mount -v -t nfs srv1.example.com:/home /nfshome
>>>>>>>>>> mount.nfs: timeout set for Tue Feb 21 16:36:39 2017
>>>>>>>>>> mount.nfs: trying text-based options
>>>>>>>>>> 'vers=4,addr=172.16.16.45,clientaddr=172.16.16.30'
>>>>>>>>>>
>>>>>>>>>> On the server side /etc/exports looks like this.
>>>>>>>>>> /home *(rw,sync,sec=krb5i,no_subtree_check)
>>>>>>>>>>
>>>>>>>>>> $ sudo mount |grep nfs
>>>>>>>>>> srv1.example.com:/home on /nfshome type nfs4
>>>>>>>>>> (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=172.16.16.30,local_lock=none,addr=172.16.16.45)
>>>>>>>>>>
>>>>>>>>>> $ sudo ls -ld /nfshome
>>>>>>>>>> drwxr-xr-x 1 root root 72 feb 21 04:22 /nfshome
>>>>>>>>>> $ sudo ls -l /nfshome
>>>>>>>>>> total 0
>>>>>>>>>> drwxr-xr-x 1 keesb  keesb  116 jan 27 12:56 keesb
>>>>>>>>>>
>>>>>>>>>> $ ls -l /nfshome
>>>>>>>>>> ls: cannot access '/nfshome': Permission denied
>>>>>>>>>> $ ls -l / | grep nfshome
>>>>>>>>>> ls: cannot access '/nfshome': Permission denied
>>>>>>>>>> d????????? ? ? ? ? ? nfshome
>>>>>>>>>>
>>>>>>>>> sec=krb* means that the user accessing the mount has to authenticate
>>>>>>>>> with a kerberos ticket, and has to be the user or in the group
>>>>>>>>> granted access to the share.  from the looks of things, the user did
>>>>>>>>> not authenticate, and that is why the permissions are question marks.
>>>>>>>>> check the kerberos tickets that the user has (klist output).
>>>>>>>>> Otherwise, the ownership might be user and group that the client
>>>>>>>>> machine does not recognize (think posix user/group that is not in
>>>>>>>>> sync between the NFS server and the client)
>>>>>>>> Thanks for the reply.
>>>>>>>>
>>>>>>>> In this case the user _is_ authenticated.
>>>>>>>> keesb@client1:~$ klist
>>>>>>>> Ticket cache: KEYRING:persistent:60001:60001
>>>>>>>> Default principal: ke...@example.com
>>>>>>>>
>>>>>>>> Valid starting     Expires            Service principal
>>>>>>>> 22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/example@example.com
>>>>>>> no, the user has a TGT.  a nfs/host.domain.tld@REALM ticket is needed
>>>>>>> to authenticate.
>>>>>> (( I'm trying to catch up on the acronyms. TGT. Reading wikipedia now. ))
>>>>>>
>>>>>>>> What other grants could be needed? HBAC Rules?
>>>>>>>>
>>>>>>>> Do I need an nfs principal for the client? (I didn't think so, but
>>>>>>>> many HOWTO's say so [2]. Anyway, it
>>>>>>>> doesn't help to get access for the user.)
>>>>>>> there are principals to create and keytabs to be updated on the NFS
>>>>>>> server, if not done already.
>>>>>> I did create a principal for the NFS server (using ipa service-add) and
>>>>>> add to the keytab on the NFS server (using ipa-getkeytab) ...
>>>>>> root@srv1# klist -ke
>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>> KVNO Principal
>>>>>> ---- --------------------------------------------------------------
>>>>>>   1 host/srv1.example@example.com (aes256-cts-hmac-sha1-96)
>>>>>>   1 host/srv1.example@example.com (aes128-cts-hmac-sha1-96)
>>>>>>   1 nfs/srv1.example@example.com (aes256-cts-hmac-sha1-96)
>>>>>>   1 nfs/srv1.example@example.com (aes128-cts-hmac-sha1-96)
>>>>>>
>>>>>> Is this what you mean?
>>>>> yes, if that is done, the server side components should be done for
>>>>> kerberos.  have you set things up in /etc/idmapd.conf so your domain,
>>>>> REALM, etc are setup?
>>>> I don't think that a change of idmapd.conf (on the NFS server) is needed
>>>> because all host
>>>> names are FQDN and everything is in one and the same REALM.
>>> NFS needs to know how to map a user object to an ID and groups. identities
>>> established by kerberos do not directly translate to users.  usually some
>>> sort of directory services are leveraged in order to accomplish this,
>>>
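
Added example, not from this thread or from the NFS or FreeIPA projects: the two client-side checks the exchange above turns on, whether the user's credential cache holds an nfs/ service ticket and what Domain /etc/idmapd.conf sets, as a script. With sec=krb5i the kernel asks rpc.gssd for a per-user GSS context, and rpc.gssd obtains the nfs/ service ticket from the user's TGT on first access; `kvno` requests that ticket explicitly, so a KDC error such as an unknown nfs/ principal shows up directly instead of as `?` entries in `ls`. Server name, realm and file path are assumed placeholders, and the klist output used to exercise the functions is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: NFS server srv1.example.com,
# realm EXAMPLE.COM, idmapd configuration at /etc/idmapd.conf.
NFS_SERVER=${NFS_SERVER:-srv1.example.com}
IDMAP_CONF=${IDMAP_CONF:-/etc/idmapd.conf}

# has_nfs_ticket: read `klist` output on stdin; succeed if the cache holds a
# service ticket whose principal starts with nfs/ (the one rpc.gssd needs).
has_nfs_ticket() {
  awk '$NF ~ /^nfs\/[^@]+@/ { found = 1 } END { exit !found }'
}

# default_realm: read `klist` output on stdin; print the realm of the default principal.
default_realm() {
  sed -n 's/^Default principal: .*@//p' | head -n 1
}

# idmap_domain FILE: print the Domain value from an idmapd.conf, or nothing
# if it is unset (idmapd then falls back to the host's DNS domain name).
idmap_domain() {
  sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Live run as the affected user, with the mount in place: RUN_LIVE=1 sh nfs_krb_check.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  if klist 2>/dev/null | has_nfs_ticket; then
    echo "nfs/ service ticket present"
  else
    echo "no nfs/ ticket cached; requesting one from the KDC with kvno"
    kvno "nfs/$NFS_SERVER"
  fi
  realm=$(klist 2>/dev/null | default_realm)
  dom=$(idmap_domain "$IDMAP_CONF")
  echo "default realm: ${realm:-none}; idmapd Domain: ${dom:-unset}"
fi
```

If `kvno` succeeds but the directory still lists as `?`, the context is not reaching the server (rpc.gssd not running, or no credential cache visible to it for that UID); if it fails, the KDC side (the nfs/ principal or the keytab) is the problem. An idmapd Domain mismatch shows up as files owned by nobody rather than as `?`, so it is the later check.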

Re: [Freeipa-users] sudo NOPASSWD for a single command

2017-02-24 Thread Pavel Březina

On 02/23/2017 03:43 PM, Auerbach, Steven wrote:

Yes, I implemented in Policy -> Sudo -> Sudo Commands as:

Sudo Command:  NOPASSWD: /sbin/vgs


NOPASSWD is used in /etc/sudoers. In IPA, create a sudo option 
"!authenticate" instead.

The script (executed by a non-root, administrative group user on an
enrolled host) specifies:

….

hostname >> statresults.txt

cat /etc/redhat-release >> statresults.txt

uname -r >> statresults.txt

printf "\n " >> statresults.txt

sudo vgs >> statresults.txt

…..

Running the script I still was prompted for a password. So I guess this
does not work.



From: Jason B. Nance [mailto:ja...@tresgeek.net]
Sent: Wednesday, February 22, 2017 11:59 AM
To: Auerbach, Steven
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo NOPASSWD for a single command

We have a script stored on a particular server in our realm that
executes a number of non-privileged commands and are wanting to add
/sbin/vgs command. The script uses SSH to then execute the same set
of commands on all the servers in the realm.

The owner of the script is in the administrator group and there are
sudoer commands for the administrator group in general.  We need to
place a rule for this one command for either this group or the
script owner to run NOPASSWD.

Where and how would I specify that in the IPA admin console?

Have you tried creating your command in IPA as "NOPASSWD: /sbin/vgs"
(Policy -> Sudo -> Sudo Commands)?

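
Pavel's correction, expressed as commands. Added example, not from the thread or from FreeIPA: the `ipa` CLI calls that define the rule with the `!authenticate` sudo option (the command entry is the bare path; `NOPASSWD:` is a sudoers tag, so an entry named `NOPASSWD: /sbin/vgs` never matches anything the user types), followed by a client-side check that parses `sudo -l` for the NOPASSWD tag sudo derives from that option. Rule, group and host group names are assumed, and the `sudo -l` output used to exercise the check is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: rule "vgs_nopasswd",
# user group "admins", host group "linux_servers".
RULE=${RULE:-vgs_nopasswd}
GROUP=${GROUP:-admins}
HOSTGROUP=${HOSTGROUP:-linux_servers}
CMD=/sbin/vgs

# Server side (needs an admin ticket: kinit admin). The rule is scoped to one
# command, one group and one host group; "!authenticate" is the IPA form of
# the sudoers NOPASSWD tag.
create_rule() {
  ipa sudocmd-add "$CMD" --desc='list LVM volume groups'
  ipa sudorule-add "$RULE" --desc='run vgs without a password'
  ipa sudorule-add-allow-command "$RULE" --sudocmds="$CMD"
  ipa sudorule-add-user "$RULE" --groups="$GROUP"
  ipa sudorule-add-host "$RULE" --hostgroups="$HOSTGROUP"
  ipa sudorule-add-runasuser "$RULE" --users=root   # explicit rather than the default
  ipa sudorule-add-option "$RULE" --sudooption='!authenticate'
}

# nopasswd_allowed CMD: read `sudo -l` output on stdin; succeed if CMD appears
# on a line carrying the NOPASSWD: tag.
nopasswd_allowed() {
  awk -v cmd="$1" '
    /NOPASSWD:/ { for (i = 1; i <= NF; i++) if ($i == cmd || $i == (cmd ",")) found = 1 }
    END { exit !found }'
}

# Client side: drop SSSD's cached sudo rules and sudo's cached credentials,
# then read back what sudo actually sees for this user on this host.
check_client() {
  sss_cache -R            # run as root; invalidates cached sudo rules
  sudo -k
  if sudo -l | nopasswd_allowed "$CMD"; then
    echo "$CMD is allowed without a password"
  else
    echo "$CMD still requires a password: rule not applied to this user/host yet"
    return 1
  fi
}

# RUN_LIVE=server sh ipa_sudo_nopasswd.sh    or    RUN_LIVE=client sh ipa_sudo_nopasswd.sh
case "${RUN_LIVE:-}" in
  server) create_rule ;;
  client) check_client ;;
esac
```

Keeping the option on a rule that allows only `/sbin/vgs` is what makes the password waiver safe to grant to a whole group; attaching `!authenticate` to a broad rule removes the password prompt from every command that rule allows.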