[Freeipa-users] FreeIPA, Netgroup and access.conf

2015-06-02 Thread Yves Degauquier

Hi,

I have a FreeIPA server in place with netgroups in order to limit access 
for some users to some hosts only (by environment).


It works fine on AIX clients.

But now I try to do the same with Linux.

I register the client in the server without any problem; all users from 
FreeIPA can log in to the Linux boxes.


I now activate pam_access and configure /etc/security/access.conf to 
allow the local root user and users from the netgroup.


But my users in the netgroup can't log in... If in place of the netgroup 
I put the names of the users, the users defined can log in...


But then this is no longer a centrally managed user...

Any idea of what the problem could be?

Thanks in advance for your help.

Yves

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
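An added illustration, not from the thread, of what a "+ : @netgroup : ALL" entry in access.conf relies on: pam_access resolves the @netgroup user field through innetgr(3), so a (host,user,domain) triple from `getent netgroup` has to match the user. The netgroup name, hosts, users and the access.conf fragment below are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Netgroup name, hosts,
# users and the access.conf fragment are constructed for illustration.

# The shape of access.conf the poster describes: local root, then members
# of the netgroup, then deny the rest. pam_access stops at the first match.
ACCESS_CONF='+ : root : LOCAL
+ : @prod_admins : ALL
- : ALL : ALL'

# Constructed `getent netgroup prod_admins` output. Each triple is
# (host,user,domain); an empty field is a wildcard, "-" never matches a name.
NETGROUP_LINE='prod_admins (web01.example.com,yves,example.com) (,alice,example.com) (db01.example.com,-,example.com)'

# field_matches HAVE WANT: WANT empty means "not asked" (a NULL argument to
# innetgr(3)); HAVE empty is a wildcard in the triple; otherwise compare.
field_matches() {
  [ -z "$2" ] && return 0
  [ -z "$1" ] && return 0
  [ "$1" = "$2" ]
}

# in_netgroup LINE HOST USER DOMAIN: succeed if any triple matches, which is
# the test innetgr(3) performs on behalf of pam_access.
in_netgroup() {
  line=$1; want_host=$2; want_user=$3; want_domain=$4
  set -- $line            # word-split into the name and its triples
  shift                   # drop the netgroup name
  for triple in "$@"; do
    t=${triple#"("}; t=${t%")"}
    h=${t%%,*}; rest=${t#*,}; u=${rest%%,*}; d=${rest#*,}
    if field_matches "$h" "$want_host" && field_matches "$u" "$want_user" \
        && field_matches "$d" "$want_domain"; then
      return 0
    fi
  done
  return 1
}

# A "+ : @prod_admins : ALL" line asks about the user only (host left unset),
# so a triple naming the user is what lets the login through.
printf '%s\n' "$ACCESS_CONF"
for name in yves alice bob; do
  if in_netgroup "$NETGROUP_LINE" "" "$name" ""; then
    echo "$name: matched by @prod_admins"
  else
    echo "$name: not in prod_admins, falls through to the deny line"
  fi
done
```

On a real client, also compare the domain field of the triples with what `domainname` prints: pam_access passes that NIS domain name to innetgr when one is set, which is why ipa-client-install configures it.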


Re: [Freeipa-users] FreeIPA, Netgroup and access.conf

2015-06-02 Thread Yves Degauquier

Yes, getent netgroup netgroupname gives me the list of servers.

Can't understand what is going wrong...

Yves

On 02/06/15 13:38, freeipa-users-requ...@redhat.com wrote:


--

Message: 1
Date: Tue, 2 Jun 2015 12:10:19 +0200
From: Jakub Hrozek jhro...@redhat.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA, Netgroup and access.conf
Message-ID: 20150602101019.GL2805@hendrix
Content-Type: text/plain; charset=us-ascii

On Tue, Jun 02, 2015 at 11:11:56AM +0200, Yves Degauquier wrote:

Hi,

I have a FreeIPA server in place with netgroups in order to limit access for
some users to some hosts only (by environment).

It works fine on AIX clients.

But now I try to do the same with Linux.

I register the client in the server without any problem; all users from
FreeIPA can log in to the Linux boxes.

I now activate pam_access and configure /etc/security/access.conf to
allow the local root user and users from the netgroup.

But my users in the netgroup can't log in... If in place of the netgroup I
put the names of the users, the users defined can log in...

But then this is no longer a centrally managed user...

Any idea of what the problem could be?

Thanks in advance for your help.

Does getent netgr report the host as a member of the netgroup?



--

Message: 2
Date: Tue, 2 Jun 2015 12:11:57 +0200
From: Jakub Hrozek jhro...@redhat.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] login delay with sssd
Message-ID: 20150602101157.GM2805@hendrix
Content-Type: text/plain; charset=utf-8

On Tue, Jun 02, 2015 at 10:28:29AM +0100, Ivars Strazdi?? wrote:



With kind regards,
Ivars Strazdi??


On 2 Jun 2015, at 07:21, Lukas Slebodnik lsleb...@redhat.com wrote:

How many groups does problematic user have?

I can call any user problematic, because all have login delays.
The siteadmin user, being able to log in via ssh, probably has the most groups - 4. 
Doesn't seem too many, does it?

siteadmin@mail:~$ id
uid=9268000XX(siteadmin) gid=9268000XX(siteadmin) 
groups=9268000XX(siteadmin),9268Y(vpnusers),9268Z(mailusers),9268W(scanned)
 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I have sssd-1.12.2 installed as per CentOS 7.1.
I will have to wait until 1.12.4 or 5 comes down the pipe with CentOS 
updates.

We plan on 7.1.z update, but with different bugzillas.

Then we plan on putting 1.13 to 7.2


Hopefully that will resolve or mitigate the issue.
I cannot create a mess by putting Fedora updates into CentOS; not sure if that's 
even possible.

Lukas keeps the 1.12 branch builds in his COPR repo, maybe those would
be easier to test for you?



--

Message: 3
Date: Tue, 2 Jun 2015 12:12:38 +0200
From: Jakub Hrozek jhro...@redhat.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Copy attributes to compat tree
Message-ID: 20150602101238.GN2805@hendrix
Content-Type: text/plain; charset=us-ascii

On Tue, Jun 02, 2015 at 11:45:44AM +0200, Vangass wrote:

Hi,

Is it possible to copy all of the memberOf attributes of users from
cn=users,cn=accounts,dc=example,dc=com
to cn=users,cn=compat,dc=example,dc=com?

If yes, how can I do this?

No, the compat tree uses a different schema.

Why do you need this?



--

Message: 4
Date: Tue, 2 Jun 2015 10:24:35 +
From: Alexander Frolushkin alexander.frolush...@megafon.ru
To: Jakub Hrozek jhro...@redhat.com, freeipa-users@redhat.com
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD user password change via ssh login
Message-ID: 9ec27b853e134e21b1c7bcf17fc39...@sib-ums03.megafon.ru
Content-Type: text/plain; charset=utf-8

Hello Jakub!
Thank you for responding, I'll comment in the text.

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Tuesday, June 02, 2015 1:24 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD user password change via ssh login

On Tue, Jun 02, 2015 at 06:21:59AM +, Alexander

Re: [Freeipa-users] FreeIPA integration with AIX and sudo

2013-12-16 Thread Yves Degauquier

Hi,

I'm running the Sudo version 1.8.8 downloaded as RPM on 
http://www.oss4aix.org/download/RPMS/sudo/


Authentication is fine, but sudo is wrong.

If in /etc/security/user for the default stanza I don't mention

SYSTEM = KRB5ALDAP
registry = LDAP

then when running sudo with a FreeIPA user it returns the message that 
the id of the user is wrong.


If I mention the 2 lines, then I have a Memory fault message.


On 16/12/13 19:38, KodaK wrote:
I am an unfortunate AIX sufferer as well.  I've gotten through setting 
this up.


First, what version of sudo are you running on the AIX box?


On Mon, Dec 16, 2013 at 8:46 AM, y...@degauquier.net 
mailto:y...@degauquier.net wrote:


Hi,

I'm trying to integrate an AIX environment (as clients) into
centralized authentication and authorization with FreeIPA, and
also to use sudo with sudo rules from FreeIPA.

I followed several how-tos and notes found by googling, but still
have a problem with sudo.

Everything is fine with the root account (sudo -l lists all sudo
rules), but with a user from FreeIPA I get a Memory fault.

Does anybody have good experience with FreeIPA (installed on
CentOS), AIX (6.1) and sudo (from Perzl)?

Thanks in advance,

Yves





--
The government is going to read our mail anyway, might as well make it 
tough for them.  GPG Public key ID:  B6A1A7C6

