Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-21 Thread Gustavo Mateus
I used compat because that is what ipa-advise provided me. I did not pay
attention to that part.
And yes, that did the trick :)

Thank you very much
Gustavo

On Sun, Sep 20, 2015 at 8:51 AM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> > On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> > >
> > >>On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mat...@gmail.com>
> wrote:
> > >>
> > >>That only shows this:
> > >>
> > >># extended LDIF
> > >>#
> > >># LDAPv3
> > >># base 

Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-19 Thread Gustavo Mateus
I've already included that in the IPA permissions.
Anonymous access to ipaSshPubKey is marked as public already. Read and
Search are allowed.


On Sat, Sep 19, 2015 at 4:36 AM, Jakub Hrozek <jhro...@redhat.com> wrote:

>
> > On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mat...@gmail.com>
> wrote:
> >
> > That only shows this:
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base 

Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-18 Thread Gustavo Mateus
That only shows this:

# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-17 Thread Gustavo Mateus
When I use id_provider=ipa I get:

[sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]


Adding a [ssh] section with just "debug_level = 10" in it, I get:

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client
creds: euid[174221] egid[174221] pid[6295].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client
connected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
Received client version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
Offered version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
Requested domain []
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
Parsing name [admin][]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain
not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys]
(0x0400): Requesting SSH user public keys for [admin] from []
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400):
Creating request for [default][1][1][name=admin]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000):
0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn:
0xd310f0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000):
Dispatching.
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next]
(0x0400): Requesting SSH user public keys for [admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain
not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0xd3f3b0

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0xd3f470

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event
0xd3f3b0 "ltdb_callback"

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer
event 0xd3f470 "ltdb_timeout"

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event
0xd3f3b0 "ltdb_callback"

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client
disconnected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000):
Terminated client [0xd34eb0][17]




ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb
name=admin):


asq: Unable to register control with rootdse!
# record 1
dn: name=admin,cn=users,cn=default,cn=sysdb
createTimestamp: 1442509579
fullName: Administrator
gecos: Administrator
gidNumber: 174220
homeDirectory: /home/admin
loginShell: /bin/bash
name: admin
objectClass: user
uidNumber: 174220
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
originalModifyTimestamp: 20150829000451Z
entryUSN: 1428
lastUpdate: 1442509579
dataExpireTimestamp: 1442514979
distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals




Thanks,
Gustavo





On Thu, Sep 17, 2015 at 12:25 AM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> > Hi,
> >
> > I have an IPA server running on redhat and I'm trying to find the best way to
> > get my amazon linux instances to use it for authentication, ssh key
> > management and sudo rules.
> >
> > I'm now trying to use SSSD to achieve those goals. Authentication is
> > working but I'm having problems getting the user public ssh keys using
> > /usr/bin/sss_ssh_authorizedkeys.

[Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-16 Thread Gustavo Mateus
Hi,

I have an IPA server running on redhat and I'm trying to find the best way to
get my amazon linux instances to use it for authentication, ssh key
management and sudo rules.

I'm now trying to use SSSD to achieve those goals. Authentication is
working but I'm having problems getting the user public ssh keys using
/usr/bin/sss_ssh_authorizedkeys.


This is my sssd.conf:

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
debug_level = 8
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
ldap_user_ssh_public_key = ipaSshPubKey


The original configuration was done using ipa-advise
config-redhat-sssd-before-1-9. I just changed the services parameter to
include "ssh, sudo" and added "ldap_user_ssh_public_key".

When I run it on the client I get no response or error. Even running it in
debug mode:

/usr/bin/sss_ssh_authorizedkeys admin --debug 10


ipaSshPubKey is already public in the IPA permissions.


The sssd_default.log on the client shows this when I run it (debug_level =
8):

(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [be_get_account_info]
(0x0200): Got request for [0x1][1][name=admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [be_req_set_domain]
(0x0400): Changing request domain from [default] to [default]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_search_user_next_base]
(0x0400): Searching for users with base [cn=compat,dc=my,dc=domain,dc=com]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_print_server]
(0x2000): Searching 10.0.0.2
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0][cn=compat,dc=my,dc=domain,dc=com].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectClass]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uid]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userPassword]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gecos]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [homeDirectory]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginShell]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbPrincipalName]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [cn]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [memberOf]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [modifyTimestamp]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [entryUSN]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowLastChange]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowMin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowMax]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowWarning]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowInactive]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowExpire]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowFlag]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbPasswordExpiration]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [pwdAttribute]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [authorizedService]

Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-14 Thread Gustavo Mateus
I did not try that setup because the config-redhat-sssd-before-1-9
description says it works with versions 1.5 - 1.8, and Amazon Linux has
1.2:

config-redhat-sssd-before-1-9: Instructions for configuring a system
   with an old version of SSSD (1.5-1.8) as a IPA client. This set of
   instructions is targeted for platforms that include the authconfig
   utility, which are all Red Hat based platforms.


It is good to know that it works. I'll give it a try.


Thanks,
Gustavo

On Mon, Sep 14, 2015 at 7:01 AM, Pawel Fiuto <pawel.fi...@mixrad.io> wrote:

> Hi Gustavo,
>
> Using settings from  'ipa-advise config-redhat-sssd-before-1-9' with below
> modifications seems to work quite well:
>
> - on ipa server add permission to read ipaSshPubKey anonymously:
>
> [ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user
> --attrs=ipaSshPubKey --bindtype=anonymous --permissions=read
>
> [ipa-client]# diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
> 2c2
> < services = nss, pam, ssh
> ---
> > services = nss, pam
> 12c12
> < ldap_search_base = cn=accounts,dc=example,dc=org
> ---
> > ldap_search_base = cn=compat,dc=example,dc=org
> 14d13
> < ldap_user_ssh_public_key = ipaSshPubKey
>
>
>
> --
> *From:* freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com>
> on behalf of Gustavo Mateus <gustavo.mat...@gmail.com>
> *Sent:* 11 September 2015 00:30
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] AuthorizedKeysCommand for clients using
> nss-pam-ldapd
>
> Hi,
>
> I'm trying to setup my Amazon Linux instances to be able to fetch the IPA
> users public ssh key.
>
> Do I have to setup a binddn and bindpw in the ldap.conf file and use
> /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?
>
> Thanks,
> Gustavo
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
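An added checker, not from the thread and not part of SSSD or FreeIPA, that spots the misconfiguration discussed above: an LDAP-backed SSSD domain whose ldap_search_base points at the compat tree, where (as the thread found) ipaSshPubKey is not returned, so sss_ssh_authorizedkeys prints nothing. The sample sssd.conf is constructed from the one posted; the rewrite to cn=accounts is the change Pawel's diff shows, and it assumes the compat tree is recognised by a leading cn=compat RDN.

```python
import configparser
import io

# Constructed sample: the sssd.conf posted in the thread, minus unrelated keys.
BROKEN_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = default

[domain/default]
id_provider = ldap
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_user_ssh_public_key = ipaSshPubKey
"""

def _ldap_domains(cp):
    # Yield (section name, RDN list of ldap_search_base) for every LDAP-backed domain.
    for name in cp.sections():
        if name.startswith("domain/") and cp[name].get("id_provider") == "ldap":
            base = cp[name].get("ldap_search_base", "")
            yield name, [r.strip() for r in base.split(",") if r.strip()]

def check_ssh_keys(conf_text):
    """Return findings explaining why sss_ssh_authorizedkeys would print nothing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    findings = ["[sssd]: ssh responder missing from services"] if "ssh" not in services else []
    for name, rdns in _ldap_domains(cp):
        if rdns and rdns[0].lower() == "cn=compat":
            # The thread's finding: the compat tree did not return ipaSshPubKey, cn=accounts does.
            findings.append(f"[{name}]: search base is the compat tree; use cn=accounts")
        if not cp[name].get("ldap_user_ssh_public_key"):
            findings.append(f"[{name}]: ldap_user_ssh_public_key is not set")
    return findings

def fix_search_base(conf_text):
    """Rewrite a leading cn=compat RDN to cn=accounts and return the new config text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for name, rdns in _ldap_domains(cp):
        if rdns and rdns[0].lower() == "cn=compat":
            cp[name]["ldap_search_base"] = ",".join(["cn=accounts"] + rdns[1:])
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

The anonymous read permission on ipaSshPubKey from Pawel's message is still needed server-side; this only checks the client configuration.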

[Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-10 Thread Gustavo Mateus
Hi,

I'm trying to setup my Amazon Linux instances to be able to fetch the IPA
users public ssh key.

Do I have to setup a binddn and bindpw in the ldap.conf file and use
/usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?

Thanks,
Gustavo

Re: [Freeipa-users] ipa-client on aws (amazon linux)

2015-09-02 Thread Gustavo Mateus
I think I'll go with ipa-advise for now since my main goal is to move away
from openldap and allow AD users to ssh into my linux boxes.
And eventually, when AWS decides to finally include ipa-client in Amazon
Linux, I'll move to that approach.




On Wed, Sep 2, 2015 at 12:36 AM, Lukas Slebodnik wrote:

> On (02/09/15 12:58), Prashant Bapat wrote:
> >Lukas,
> >
> >ipa-client-install is part of the freeipa-client rpm. On Amazon Linux this
> >rpm cannot be installed. This is the basic issue.
> >
> Indeed.
> There is a strict requires for sssd:
>
> Requires: sssd >= 1.12.3  #from fedora spec file
>
> Using ipa-advise might be a more comfortable way than patching the
> spec file or creating modified rpms.
>
> LS
>
>

[Freeipa-users] ipa-client on aws (amazon linux)

2015-09-01 Thread Gustavo Mateus
Hi,

Does anyone have an updated list of packages or installation steps to get
the ipa-client properly installed on Amazon Linux (2015.03.1 to be more
precise)?

I plan to use Red Hat as my ipa-server but the clients need to be Amazon
Linux.

Thanks,

Gustavo