Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Danila Ladner
Update to this one:
It has been running smoothly on 6.5

[root@dev-zlei.sec1 ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)

[root@dev-zlei.sec1 ~]# rpm -qa | grep sssd
sssd-client-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64

On Wed, Jul 13, 2016 at 9:56 AM, Tomas Simecek 
wrote:

> Thanks,
> I will try. But I am afraid to update to a more recent version than those in
> official repos.
>
> Thanks anyway.
>
> T.
>
> 2016-07-13 15:39 GMT+02:00 :
>
>> Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa
>> provider did not work under 1.11
>>
>> Sent from my iPhone
>>
>> On Jul 13, 2016, at 9:02 AM, Tomas Simecek 
>> wrote:
>>
>> Hi,
>> versions are:
>> sssd-client-1.11.6-30.el6.x86_64
>> sssd-ipa-1.11.6-30.el6.x86_64
>> ipa-client-3.0.0-50.el6.centos.1.x86_64
>> as part of:
>> CentOS release 6.6 (Final)
>>
>> T.
>>
>> 2016-07-13 14:52 GMT+02:00 :
>>
>>> Again what is client version on 6.5?
>>>
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 13, 2016, at 8:25 AM, Tomas Simecek 
>>> wrote:
>>>
>>> Thanks for your information Lukas,
>>> I have changed sudo_provider to ipa, restarted sssd and no difference.
>>> Logfile still says "Access granted by HBAC rule..." and sudo says
>>> simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.
>>>
>>> Btw. man sssd-sudo says:
>>> The following example shows how to configure SSSD to download
>>> sudo rules from an LDAP server.
>>>
>>>     [sssd]
>>>     config_file_version = 2
>>>     services = nss, pam, sudo
>>>     domains = EXAMPLE
>>>
>>>     [domain/EXAMPLE]
>>>     id_provider = ldap
>>>
>>> so I am not that sure what should be set on my version of sssd.
>>>
>>> Any idea?
>>>
>>> Thanks
>>>
>>> T.
>>>
>>> 2016-07-13 13:44 GMT+02:00 Lukas Slebodnik :
>>>
>>>> On (13/07/16 13:36), Tomas Simecek wrote:
>>>> >Lukas,
>>>> >yes, I went through that guide and I configured sssd.conf as per the doc
>>>> >(you can see it in the beginning of the thread).
>>>> >
>>>> >Actually the installation is:
>>>> >[root@zp-cml-test sssd]# cat /etc/redhat-release
>>>> >CentOS release 6.6 (Final)
>>>> >
>>>> >and versions are:
>>>> >[root@zp-cml-test sssd]# rpm -qa |grep sssd
>>>> >sssd-proxy-1.11.6-30.el6.x86_64
>>>> >sssd-common-pac-1.11.6-30.el6.x86_64
>>>> >sssd-ipa-1.11.6-30.el6.x86_64
>>>> >sssd-1.11.6-30.el6.x86_64
>>>> >sssd-common-1.11.6-30.el6.x86_64
>>>> >sssd-ad-1.11.6-30.el6.x86_64
>>>> >sssd-ldap-1.11.6-30.el6.x86_64
>>>> >python-sssdconfig-1.11.6-30.el6.noarch
>>>> >sssd-krb5-common-1.11.6-30.el6.x86_64
>>>> >sssd-krb5-1.11.6-30.el6.x86_64
>>>> >sssd-client-1.11.6-30.el6.x86_64
>>>> >
>>>> 1.11 has sudo_provider=ipa
>>>>
>>>> @see instructions in man sssd-sudo how to configure it.
>>>> It should avoid issues with two different providers (ipa and ldap).
>>>>
>>>> >
>>>> >There are some reasons why not to upgrade to later versions, believe me, I
>>>> >would do it if I could :-)
>>>> >
>>>> You can at least try to upgrade sssd from 6.8 if you do not want
>>>> to upgrade the whole OS.
>>>>
>>>> LS
>>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>>
>>
>

Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Danila Ladner
Yeah, please enable logging in [sudo] section of sssd.

On Wed, Jul 6, 2016 at 11:03 AM, Jakub Hrozek  wrote:

> On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote:
> > Hi Danila and other freeipa gurus,
> > sorry for my late answer, there is a bank holiday in CZ and I am off work
> > these two days.
> > Yes, /etc/nsswitch.conf is fine, see:
> >
> > [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
> > sudoers: files sss
> >
> > I think it is set up as part of freeipa-client package.
> > I went through this guide:
> > https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> We also need to see sssd_sudo.log and the log from the sudo itself
> (configured in /etc/sudo.conf)
>
>

Re: [Freeipa-users] Freeipa and sudo

2016-07-05 Thread Danila Ladner
What about /etc/nsswitch.conf?
Does it have "sudo: files sss"?

On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek 
wrote:

> Dear freeipa users/admins,
> I'm trying to implement freeipa in our company, so that our Unix admins
> can authenticate on Linux servers using their Windows AD account.
> Following this guide
> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
> work well, they can login without problems.
> What I cannot get working is sudo from their AD accounts on Linux.
>
> No matter what I try, it is still:
>
> sudo systemctl restart httpd
> [sudo] password for simecek.to...@sd-stc.cz:
> Sorry, try again.
>
> Here's our setup:
> Freeipa server: CentOS Linux release 7.2.1511 (Core),
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> Freeipa client: the same
>
> AD domain name: sd-stc.cz
> IPA domain: linuxdomain.cz
>
> When digging in logs and googling, I realized that the problem on client
> side could be:
>
> [root@spcss-2t-www ~]# kinit -k
> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>
> But this seems to work:
> [root@spcss-2t-www ~]# kinit simecek.to...@sd-stc.cz
> Password for simecek.to...@sd-stc.cz:
> [root@spcss-2t-www ~]# klist
> Default principal: simecek.to...@sd-stc.cz
>
> Valid starting   Expires  Service principal
> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/sd-stc...@sd-stc.cz
> renew until 07/05/2016 09:36:23
>
> My /etc/sssd/sssd.conf:
> [domain/linuxdomain.cz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linuxdomain.cz
> krb5_realm = LINUXDOMAIN.CZ
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = spcss-2t-www.linuxdomain.cz
> chpass_provider = ipa
> ipa_server = svlxxipap.linuxdomain.cz
> ldap_tls_cacert = /etc/ipa/ca.crt
> override_shell = /bin/bash
> sudo_provider = ldap
> ldap_uri = ldap://svlxxipap.linuxdomain.cz
> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/spcss-2t-www.linuxdomain...@linuxdomain.cz
> ldap_sasl_realm = LINUXDOMAIN.CZ
> krb5_server = svlxxipap.linuxdomain.cz
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = linuxdomain.cz
> [nss]
> homedir_substring = /home
> 
>
> My /etc/krb5.conf:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>   default_realm = LINUXDOMAIN.CZ
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
>   LINUXDOMAIN.CZ = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
>
> [domain_realm]
>   .linuxdomain.cz = LINUXDOMAIN.CZ
>   linuxdomain.cz = LINUXDOMAIN.CZ
>
> Would you please suggest which way to investigate?
>
> Thanks
>
> Tomas Simecek
>
>
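
An added diagnostic for the two sudo threads above (example code, not from any list post or the SSSD project): a POSIX sh script that checks the items the replies ask about, reading nsswitch.conf and sssd.conf from paths you pass in, together with the IPA domain name; those three arguments are assumptions about your host.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): checks "sudoers: files sss" in
# nsswitch.conf, "sudo" in the [sssd] services list, the domain's
# sudo_provider against its id_provider, and whether [sudo] sets a
# debug_level. Paths are parameters so it can run against copied files.

# Drop comments and blank lines, trim surrounding whitespace.
_clean() { sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^[#;]/d' -e '/^$/d' "$1"; }

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
ini_get() {
    _clean "$1" | awk -v s="[$2]" -v k="$3" '
        /^\[/ { insec = ($0 == s); next }
        insec { split($0, kv, "="); gsub(/[ \t]/, "", kv[1])
                if (kv[1] == k) { sub(/^[^=]*=[ \t]*/, ""); print; exit } }'
}

# nsswitch_has_sss NSSWITCH_FILE: returns 0 if the sudoers line lists sss.
nsswitch_has_sss() {
    _clean "$1" | grep -Eq '^sudoers:.*[[:space:]]sss([[:space:]]|$)'
}

# check_sssd_sudo NSSWITCH_FILE SSSD_CONF DOMAIN: prints findings; returns 0
# only when the required pieces are present (warnings alone do not fail it).
check_sssd_sudo() {
    rc=0
    if nsswitch_has_sss "$1"; then echo "ok: sudoers lookups go through sss"
    else echo "FAIL: $1 lacks 'sudoers: files sss'"; rc=1; fi

    svcs=$(ini_get "$2" sssd services)
    case ",$(echo "$svcs" | tr -d ' ')," in
        *,sudo,*) echo "ok: sudo responder enabled (services = $svcs)" ;;
        *) echo "FAIL: 'sudo' missing from services in [sssd]"; rc=1 ;;
    esac

    idp=$(ini_get "$2" "domain/$3" id_provider)
    prov=$(ini_get "$2" "domain/$3" sudo_provider)
    if [ -n "$prov" ] && [ "$prov" != "$idp" ]; then
        # The advice in the thread for an IPA client: keep sudo on the ipa provider.
        echo "warn: sudo_provider=$prov differs from id_provider=$idp (mixed providers)"
    elif [ -n "$prov" ]; then echo "ok: sudo_provider=$prov"
    else echo "ok: sudo_provider unset, defaults to id_provider=$idp"; fi

    [ -n "$(ini_get "$2" sudo debug_level)" ] ||
        echo "warn: no debug_level in [sudo]; set one before collecting sssd_sudo.log"
    return $rc
}

# Usage on a host: sh check.sh /etc/nsswitch.conf /etc/sssd/sssd.conf linuxdomain.cz
if [ $# -eq 3 ]; then check_sssd_sudo "$@"; fi
```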

[Freeipa-users] Best practices on enrolling existing hosts.

2016-06-30 Thread Danila Ladner
Hello folks.
What are the best practices on enrolling existing hosts in infrastructure
into FreeIPA?
What do we do with local users which are present on the hosts and overlap
with users in FreeIPA, should we remove local users? What happens to the
files, directories owned by them? Is it usually a manual process?
I was thinking of creating some salt states since we have around 800 hosts to
remove local accounts, just not sure how I can remap files and directories
to be owned by IPA users; IPA users have the same usernames but apparently
different GIDs and UIDs.
Would be useful to hear some insights on what folks do in the
implementation process.

Thank you,
Danila Ladner.

Re: [Freeipa-users] Freeipa and spacewalk integration.

2016-06-30 Thread Danila Ladner
Thank you for reaching out. The problem has been fixed. I have forgotten to
restart tomcat6 to disable tomcat auth. User error!!!

On Thu, Jun 30, 2016 at 6:09 AM, Jan Pazdziora <jpazdzi...@redhat.com>
wrote:

> On Wed, Jun 29, 2016 at 03:33:34PM -0400, Danila Ladner wrote:
> > Hello Folks.
> >
> > I am stuck at this task integrating spacewalk freeipa authorization.
> >
> > I have followed these docs from spacewalk to enable web authentication with
> > FreeIPA:
> >
> > https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA
> >
> > I did all the steps above and am trying to authenticate with a user I do not
> > have in the internal spacewalk database, but sssd ifp with sssd_dbus should
> > help me with that.
>
> [...]
>
> > I did enable sssd and sssd_ifp logs and see all the lookups go through; if
> > you need them I can provide them.
> > The problem, it seems, is at the step where spacewalk can't create a new user
> > based on Organization Unit name.
> > I am a little bit lost and firstly asked the Spacewalk community but no one
> > was able to help me.
> > If anyone has any additional information on where I can troubleshoot further,
> > I'd appreciate it. I have integrated Jenkins UI with LDAP/IPA auth and it
> > works just fine, so I am sure it is not the IPA backend, but something in
> > particular with spacewalk httpd modules, but still can't figure out what
> > exactly is the issue.
> > If anyone has some information or has done a similar integration, I'd
> > appreciate it if you can share it.
>
> What Spacewalk version and what OS and version is this?
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>

[Freeipa-users] Best practices on securing freeipa

2016-06-14 Thread Danila Ladner
Greetings Folks.
I could not find any information on best practices of securing FreeIPA
servers and their replicas.
Since the hosts become an important part of IT IM infrastructure, wanted to
see if anyone can point me to the right sources beyond default
configuration.
Thank you,
Danila