Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Update to this one: It has been running smoothly on 6.5

[root@dev-zlei.sec1 ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@dev-zlei.sec1 ~]# rpm -qa | grep sssd
sssd-client-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64

On Wed, Jul 13, 2016 at 9:56 AM, Tomas Simecek wrote:
> Thanks,
> I will try. But I am afraid to update to a more recent version than those in
> official repos.
>
> Thanks anyway.
>
> T.
>
> 2016-07-13 15:39 GMT+02:00 :
>
>> Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa
>> provider did not work under 1.11
>>
>> Sent from my iPhone
>>
>> On Jul 13, 2016, at 9:02 AM, Tomas Simecek
>> wrote:
>>
>> Hi,
>> versions are:
>> sssd-client-1.11.6-30.el6.x86_64
>> sssd-ipa-1.11.6-30.el6.x86_64
>> ipa-client-3.0.0-50.el6.centos.1.x86_64
>> as part of:
>> CentOS release 6.6 (Final)
>>
>> T.
>>
>> 2016-07-13 14:52 GMT+02:00 :
>>
>>> Again what is client version on 6.5?
>>>
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 13, 2016, at 8:25 AM, Tomas Simecek
>>> wrote:
>>>
>>> Thanks for your information Lukas,
>>> I have changed sudo_provider to ipa, restarted sssd and no difference.
>>> Logfile still says "Access granted by HBAC rule..." and sudo says
>>> simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.
>>>
>>> Btw. man sssd-sudo says:
>>> The following example shows how to configure SSSD to download
>>> sudo rules from an LDAP server.
>>>
>>>     [sssd]
>>>     config_file_version = 2
>>>     services = nss, pam, sudo
>>>     domains = EXAMPLE
>>>
>>>     [domain/EXAMPLE]
>>>     id_provider = ldap
>>>
>>> so I am not that sure what should be set on my version of sssd.
>>>
>>> Any idea?
>>>
>>> Thanks
>>>
>>> T.
>>>
>>> 2016-07-13 13:44 GMT+02:00 Lukas Slebodnik :
>>> On (13/07/16 13:36), Tomas Simecek wrote:
>>> >Lukas,
>>> >yes, I went through that guide and I configured sssd.conf as per the doc
>>> >(you can see it in the beginning of the thread).
>>> >
>>> >Actually the installation is:
>>> >[root@zp-cml-test sssd]# cat /etc/redhat-release
>>> >CentOS release 6.6 (Final)
>>> >
>>> >and versions are:
>>> >[root@zp-cml-test sssd]# rpm -qa |grep sssd
>>> >sssd-proxy-1.11.6-30.el6.x86_64
>>> >sssd-common-pac-1.11.6-30.el6.x86_64
>>> >sssd-ipa-1.11.6-30.el6.x86_64
>>> >sssd-1.11.6-30.el6.x86_64
>>> >sssd-common-1.11.6-30.el6.x86_64
>>> >sssd-ad-1.11.6-30.el6.x86_64
>>> >sssd-ldap-1.11.6-30.el6.x86_64
>>> >python-sssdconfig-1.11.6-30.el6.noarch
>>> >sssd-krb5-common-1.11.6-30.el6.x86_64
>>> >sssd-krb5-1.11.6-30.el6.x86_64
>>> >sssd-client-1.11.6-30.el6.x86_64
>>> >
>>> 1.11 has sudo_provider=ipa @see instructions in man sssd-sudo how to
>>> configure it. It should avoid issues with two different providers (ipa and ldap)
>>> >
>>> >There are some reasons why not to upgrade to later versions, believe me, I
>>> >would do it if I could :-)
>>> >
>>> You can at least try to upgrade sssd from 6.8 if you do not want to
>>> upgrade whole OS.
>>>
>>> LS
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Freeipa and sudo
Yeah, please enable logging in [sudo] section of sssd.

On Wed, Jul 6, 2016 at 11:03 AM, Jakub Hrozek wrote:
> On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote:
> > Hi Danila and other freeipa gurus,
> > sorry for my late answer, there is a bank holiday in CZ and I am off work
> > these two days.
> > Yes, /etc/nsswitch.conf is fine, see:
> >
> > [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
> > sudoers: files sss
> >
> > I think it is set up as part of freeipa-client package.
> > I went through this guide:
> > https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> We also need to see sssd_sudo.log and the log from the sudo itself
> (configured in /etc/sudo.conf)
Re: [Freeipa-users] Freeipa and sudo
What about /etc/nsswitch.conf? Does it have "sudo: files sss"?

On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek wrote:
> Dear freeipa users/admins,
> I'm trying to implement freeipa in our company, so that our Unix admins
> can authenticate on Linux servers using their Windows AD account.
> Following this guide
> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
> work well, they can login without problems.
> What I cannot get working is sudo from their AD accounts on Linux.
>
> No matter what I try, it is still:
>
> sudo systemctl restart httpd
> [sudo] password for simecek.to...@sd-stc.cz:
> Sorry, try again.
>
> Here's our setup:
> Freeipa server: CentOS Linux release 7.2.1511 (Core),
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> Freeipa client: the same
>
> AD domain name: sd-stc.cz
> IPA domain: linuxdomain.cz
>
> When digging in logs and googling, I realized that the problem on client
> side could be:
>
> [root@spcss-2t-www ~]# kinit -k
> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>
> But this seems to work:
> [root@spcss-2t-www ~]# kinit simecek.to...@sd-stc.cz
> Password for simecek.to...@sd-stc.cz:
> [root@spcss-2t-www ~]# klist
> Default principal: simecek.to...@sd-stc.cz
>
> Valid starting       Expires              Service principal
> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/sd-stc...@sd-stc.cz
>         renew until 07/05/2016 09:36:23
>
> My /etc/sssd/sssd.conf:
> [domain/linuxdomain.cz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linuxdomain.cz
> krb5_realm = LINUXDOMAIN.CZ
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = spcss-2t-www.linuxdomain.cz
> chpass_provider = ipa
> ipa_server = svlxxipap.linuxdomain.cz
> ldap_tls_cacert = /etc/ipa/ca.crt
> override_shell = /bin/bash
> sudo_provider = ldap
> ldap_uri = ldap://svlxxipap.linuxdomain.cz
> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/spcss-2t-www.linuxdomain...@linuxdomain.cz
> ldap_sasl_realm = LINUXDOMAIN.CZ
> krb5_server = svlxxipap.linuxdomain.cz
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = linuxdomain.cz
> [nss]
> homedir_substring = /home
>
>
> My /etc/krb5.conf:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = LINUXDOMAIN.CZ
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
> LINUXDOMAIN.CZ = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
>
> [domain_realm]
> .linuxdomain.cz = LINUXDOMAIN.CZ
> linuxdomain.cz = LINUXDOMAIN.CZ
>
> Would you please suggest which way to investigate?
>
> Thanks
>
> Tomas Simecek
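Added example, not from the thread and not code from the SSSD or FreeIPA projects: a small Python checker that reads the two client-side files that decide whether sudo ever gets rules from IPA, sssd.conf and /etc/nsswitch.conf, and flags the combinations the replies in this thread point at: sudo_provider = ldap sitting next to id_provider = ipa (the replies recommend sudo_provider = ipa, and SSSD defaults sudo_provider to id_provider when the line is absent), the manual ldap_* sudo options the ipa provider derives itself, a missing debug_level in [sudo] (which is what produces a useful sssd_sudo.log), and a sudoers: line without sss. The nsswitch key is sudoers:, as the later message shows, not sudo:. The sample configs below are constructed for this example (a trimmed copy of the posted sssd.conf and a corrected variant); the debug_level value and the /var/log/sssd path are assumptions.

```python
import configparser
import re

# Constructed inputs for this example (not the poster's full files): a trimmed
# copy of the sssd.conf from the thread, with sudo_provider = ldap next to
# id_provider = ipa and no [sudo] section, and a corrected variant.
SSSD_CONF_AS_POSTED = """\
[domain/linuxdomain.cz]
id_provider = ipa
auth_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz
"""

SSSD_CONF_FIXED = """\
[domain/linuxdomain.cz]
id_provider = ipa
auth_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
sudo_provider = ipa

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz

[sudo]
debug_level = 6
"""

NSSWITCH_OK = "passwd: files sss\nsudoers: files sss\n"
NSSWITCH_NO_SSS = "passwd: files sss\nsudoers: files\n"

# Options that only make sense for sudo_provider = ldap; the ipa provider
# derives server, search base and SASL identity from ipa_server/ipa_hostname.
LDAP_SUDO_ONLY = ("ldap_uri", "ldap_sudo_search_base", "ldap_sasl_authid",
                  "ldap_sasl_realm")


def parse_sssd_conf(text):
    """sssd.conf is INI-like and uses '=' as its only separator."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def nsswitch_sudoers(text):
    """Sources on the 'sudoers:' line of nsswitch.conf, or None if the line is absent."""
    for line in text.splitlines():
        m = re.match(r"^\s*sudoers\s*:\s*(.*)$", line.split("#", 1)[0])
        if m:
            return m.group(1).split()
    return None


def check_sudo_setup(sssd_conf_text, nsswitch_text):
    """Return a list of human-readable findings; an empty list means nothing obvious."""
    findings = []
    cp = parse_sssd_conf(sssd_conf_text)
    if "sudo" not in csv(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services lacks 'sudo': the sudo responder never starts")
    for dom in csv(cp.get("sssd", "domains", fallback="")):
        sect = "domain/" + dom
        if not cp.has_section(sect):
            findings.append(f"[sssd] lists domain {dom} but [{sect}] is missing")
            continue
        idp = cp.get(sect, "id_provider", fallback=None)
        # SSSD defaults sudo_provider to the value of id_provider when unset.
        sudop = cp.get(sect, "sudo_provider", fallback=idp)
        if idp == "ipa" and sudop not in ("ipa", "none"):
            findings.append(f"[{sect}] id_provider=ipa but sudo_provider={sudop}: "
                            "set sudo_provider=ipa (or drop the line) so rules come "
                            "from the IPA sudo tree using the host keytab")
        if idp == "ipa":
            for key in LDAP_SUDO_ONLY:
                if cp.has_option(sect, key):
                    findings.append(f"[{sect}] {key} is an ldap-provider option the "
                                    "ipa provider derives itself; remove it")
    if not cp.has_option("sudo", "debug_level"):
        findings.append("[sudo] has no debug_level: set e.g. debug_level = 6 "
                        "to get a useful /var/log/sssd/sssd_sudo.log")
    sources = nsswitch_sudoers(nsswitch_text)
    if sources is None:
        findings.append("nsswitch.conf has no 'sudoers:' line; sudo reads only /etc/sudoers")
    elif "sss" not in sources:
        findings.append("nsswitch.conf 'sudoers:' lacks 'sss'; sudo never asks SSSD")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SSSD_CONF_AS_POSTED), ("fixed", SSSD_CONF_FIXED)):
        print(label)
        for finding in check_sudo_setup(conf, NSSWITCH_OK) or ["ok"]:
            print("  -", finding)
```

On a real client, feed it `open("/etc/sssd/sssd.conf").read()` and `open("/etc/nsswitch.conf").read()` as root (sssd.conf is mode 0600). A clean result only says the plumbing is consistent; whether a rule actually matches is still answered by sssd_sudo.log and the sudo debug log from /etc/sudo.conf, as the replies above ask for.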
[Freeipa-users] Best practices on enrolling existing hosts.
Hello folks. What are the best practices on enrolling existing hosts in infrastructure into FreeIPA? What do we do with local users which are present on the hosts and overlap with users in FreeIPA, should we remove local users? What happens to the files and directories owned by them? Is it usually a manual process? I was thinking of creating some salt states, since we have around 800 hosts, to remove local accounts; I'm just not sure how I can remap files and directories to be owned by IPA users. IPA users have the same usernames but apparently different GIDs and UIDs. Would be useful to hear some insights on what folks do in the implementation process. Thank you, Danila Ladner.
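Added example, not from the thread and not part of any FreeIPA tooling: one way to plan the uid/gid remap the question asks about. It pairs each local account with the IPA account of the same name, and for every id that differs emits find(1)/chown(1) steps in an order that cannot fold two accounts' files together. The failure case it handles is the one a single pass gets wrong: when one user's new uid is another user's current uid, a direct chown merges the two, so the plan first moves every affected id to a parking range and only then to the final ids. The passwd lines are constructed for this example, and the parking range 900000+ is an assumption to verify on each host.

```python
# Constructed sample data for this example: local accounts from /etc/passwd and
# what `getent passwd <name>` returns for the same names once SSSD answers from
# IPA. alice's new uid (1002) is bob's current local uid, which is the case a
# naive one-pass chown gets wrong.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
svc-backup:x:1003:1003::/var/lib/backup:/sbin/nologin
"""
IPA_PASSWD = """\
alice:*:1002:1002::/home/alice:/bin/bash
bob:*:10002:10002::/home/bob:/bin/bash
"""

# Assumed-unused id range used as a parking lot when targets collide with
# sources; check `getent passwd 900000` (and group) on a real host first.
PARK_BASE = 900000


def parse_passwd(text):
    """name -> (uid, gid) from passwd(5) formatted lines."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4:
            out[f[0]] = (int(f[2]), int(f[3]))
    return out


def plan_id_remap(local_text, ipa_text, park_base=PARK_BASE):
    """Return (steps, local_only). Each step is (kind, old_id, new_id) with kind
    'uid' or 'gid', ordered so no two accounts' files ever share an id."""
    local, ipa = parse_passwd(local_text), parse_passwd(ipa_text)
    steps = []
    for kind, idx in (("uid", 0), ("gid", 1)):
        pairs = [(local[n][idx], ipa[n][idx]) for n in sorted(local)
                 if n in ipa and local[n][idx] != ipa[n][idx]]
        sources = {old for old, _ in pairs}
        if any(new in sources for _, new in pairs):
            # Some target id is still another account's current id: move
            # everything to parking ids first, then from parking to the targets.
            steps += [(kind, old, park_base + i) for i, (old, _) in enumerate(pairs)]
            steps += [(kind, park_base + i, new) for i, (_, new) in enumerate(pairs)]
        else:
            steps += [(kind, old, new) for old, new in pairs]
    local_only = sorted(n for n in local if n not in ipa)
    return steps, local_only


def render_commands(steps, root="/"):
    """One find(1) per step; -xdev stays on one filesystem and -h never follows
    symlinks, so run the list once per mounted filesystem you want to migrate."""
    cmds = []
    for kind, old, new in steps:
        flag, tool = ("-uid", "chown") if kind == "uid" else ("-gid", "chgrp")
        cmds.append(f"find {root} -xdev {flag} {old} -exec {tool} -h {new} {{}} +")
    return cmds


if __name__ == "__main__":
    steps, local_only = plan_id_remap(LOCAL_PASSWD, IPA_PASSWD)
    print("\n".join(render_commands(steps)))
    print("no IPA counterpart, review by hand:", ", ".join(local_only))
```

Two caveats before running the generated commands on the 800 hosts. On Linux, chown clears the set-user-ID and set-group-ID bits of regular files even when root does it (and drops file capabilities), so inventory `find / -xdev -perm /6000` and `getcap -r /` first and restore those bits deliberately afterwards. And accounts with no IPA counterpart (root, service accounts) are listed rather than touched; only after the files have moved should the overlapping local entries be removed from /etc/passwd and /etc/group, otherwise nss keeps resolving the old local uid for that name.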
Re: [Freeipa-users] Freeipa and spacewalk integration.
Thank you for reaching out. The problem has been fixed. I had forgotten to restart tomcat6 to disable tomcat auth. User error!!!

On Thu, Jun 30, 2016 at 6:09 AM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
> On Wed, Jun 29, 2016 at 03:33:34PM -0400, Danila Ladner wrote:
> > Hello Folks.
> >
> > I am stuck at this task integrating spacewalk freeipa authorization.
> >
> > I have followed this docs from spacewalk to enable web authentication with
> > FreeIPA:
> >
> > https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA
> >
> > I did all the steps above and trying to authenticate with the user I do not
> > have in the internal spacewalk database, but ssd ifp with sssd_dbus should
> > help me with that.
>
> [...]
>
> > I did enable sssd and sssd_ifp logs and see all the lookups go through; if
> > you need them I can provide them.
> > The problem is it seems on the step where spacewalk can't create a new user
> > based on Organization Unit name.
> > I am a little bit lost and firstly asked Spacewalk community but no one was
> > able to help me.
> > If anyone has any additional information where can I troubleshoot further,
> > I'd appreciate it. I have integrated Jenkins UI with LDAP/IPA auth and it
> > works just fine, so I am sure it is not IPA backend, but something in
> > particular with spacewalk httpd modules, but still can't figure out what
> > exactly is the issue.
> > If anyone has some information or done similar integration, I'd appreciate
> > if you can share it.
>
> What Spacewalk version and what OS and version is this?
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] Best practices on securing freeipa
Greetings Folks. I could not find any information on best practices of securing FreeIPA servers and their replicas. Since the hosts become an important part of IT IM infrastructure, I wanted to see if anyone can point me to the right sources beyond the default configuration. Thank you, Danila