[Freeipa-users] RHEL5 IPA client for RHEL6.3 IPA server?

2012-10-17 Thread David Summers
I have looked back through the last year of mail archives for this list and haven't yet found anything on this. I spent a day or so trying to get a RHEL6.3 server set up with several clients, Clients: RHEL 6.3 32-bit RHEL 6.3 64-bit RHEL 5.8 32-bit RHEL 5.8 64-bit So far I've been able to

Re: [Freeipa-users] RHEL5 IPA client for RHEL6.3 IPA server?

2012-10-17 Thread Rob Crittenden
David Summers wrote: I have looked back through the last year of mail archives for this list and haven't yet found anything on this. I spent a day or so trying to get a RHEL6.3 server set up with several clients, Clients: RHEL 6.3 32-bit RHEL 6.3 64-bit RHEL 5.8 32-bit RHEL 5.8 64-bit So far

Re: [Freeipa-users] web admin tool will not login with kerberos ticket

2012-10-17 Thread Rob Crittenden
Brian Vetter wrote: I had a happy, working 2.2 FreeIPA installation humming along last week. I had to do some maintenance so I shut everything down. When I brought everything up, I can no longer log into the web admin tool. I get a "Kerberos ticket is no longer valid" error. Using the troublesho

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Macklin, Jason
Okay, Rule name: test4 Enabled: TRUE Command category: all Users: asteinfeld Hosts: dbduwdu062.dbr.roche.com Host Groups: tempsudo Client dbduwdu062 is matched in the rule by both the hosts and groups entry. /etc/nsswitch.conf has: Netgroups: files sss Getent netgroup temps

Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-17 Thread Toasted Penguin
On Tue, Oct 16, 2012 at 10:50 PM, JR Aquino wrote: > On the host in question Run the command: domainname > > That wants to match whatever your domain is. If it doesn't it will fail > even if you have all the server rules configured correctly. This is a sudo > + netgroups/hostgroups 'feature' > >

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Rich Megginson
On 10/17/2012 07:26 AM, Macklin, Jason wrote: Okay, Rule name: test4 Enabled: TRUE Command category: all Users: asteinfeld Hosts: dbduwdu062.dbr.roche.com Host Groups: tempsudo Client dbduwdu062 is matched in the rule by both the hosts and groups entry. /etc/nsswitch.conf has

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Dmitri Pal
On 10/17/2012 09:26 AM, Macklin, Jason wrote: > Okay, > > Rule name: test4 > Enabled: TRUE > Command category: all > Users: asteinfeld > Hosts: dbduwdu062.dbr.roche.com > Host Groups: tempsudo > > Client dbduwdu062 is matched in the rule by both the hosts and groups entry. > > /etc/nssw

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Macklin, Jason
ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com" SASL/GSSAPI authentication started SASL username: ad...@dbr.roche.com SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <> (default) with scope subtree # filter: ou=SUDOers,

[Freeipa-users] Failed installation

2012-10-17 Thread Bret Wortman
I recently tried installing freeipa on a new server, but ipa-server-install had problems around this point: Configuring certificate server: Estimated time 3 minutes 30 seconds [1/18]: creating certificate server user [2/18]: creating pki-ca instance [3/18]: configuring certificate server ins

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Simo Sorce
On Wed, 2012-10-17 at 09:53 -0600, Rich Megginson wrote: > On 10/17/2012 07:26 AM, Macklin, Jason wrote: > > Okay, > > > >Rule name: test4 > >Enabled: TRUE > >Command category: all > >Users: asteinfeld > >Hosts: dbduwdu062.dbr.roche.com > >Host Groups: tempsudo > > > > Clien

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Rich Megginson
On 10/17/2012 10:46 AM, Simo Sorce wrote: On Wed, 2012-10-17 at 09:53 -0600, Rich Megginson wrote: On 10/17/2012 07:26 AM, Macklin, Jason wrote: Okay, Rule name: test4 Enabled: TRUE Command category: all Users: asteinfeld Hosts: dbduwdu062.dbr.roche.com Host Groups: tem

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Dmitri Pal
On 10/17/2012 12:33 PM, Macklin, Jason wrote: > ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com > "ou=SUDOers,dc=dbr,dc=roche,dc=com" You are missing -b ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com -b "ou=SUDOers,dc=dbr,dc=roche,dc=com" Currently the command treats it as filte

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Rich Megginson
On 10/17/2012 10:33 AM, Macklin, Jason wrote: ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com" SASL/GSSAPI authentication started SASL username: ad...@dbr.roche.com SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <> (d

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Macklin, Jason
Thanks guys! Adding the "-b" did make a world of difference though it still doesn't make anything too obvious... at least to me. [jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com -b "ou=SUDOers,dc=dbr,dc=roche,dc=com" SASL/GSSAPI authentication started SASL

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Macklin, Jason
None of my users have an LDAP password being requested by running that command (except the admin user). Does each user account require an ldap account to go along with their login account? I just get the following over and over no matter which account I switch in the command... [jmacklin@dbdu

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Rich Megginson
On 10/17/2012 11:13 AM, Macklin, Jason wrote: None of my users have an LDAP password being requested by running that command (except the admin user). Does each user account require an ldap account to go along with their login account? I just get the following over and over no matter which acc

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Macklin, Jason
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ? Enter LDAP Password: ldap_bind: Invalid credentials (49) I know this user password because I reset it for the purpose of troubleshooting this issue with that account. I als

Re: [Freeipa-users] RHEL5 IPA client for RHEL6.3 IPA server?

2012-10-17 Thread Rob Crittenden
David Summers wrote: On 10/17/2012 7:49 AM, Rob Crittenden wrote: David Summers wrote: I have looked back through the last year of mail archives for this list and haven't yet found anything on this. I spent a day or so trying to get a RHEL6.3 server set up with several clients, Clients: RHEL

Re: [Freeipa-users] RHEL5 IPA client for RHEL6.3 IPA server?

2012-10-17 Thread David Summers
On 10/17/2012 7:49 AM, Rob Crittenden wrote: David Summers wrote: I have looked back through the last year of mail archives for this list and haven't yet found anything on this. I spent a day or so trying to get a RHEL6.3 server set up with several clients, Clients: RHEL 6.3 32-bit RHEL 6.3 6

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Rob Crittenden
Macklin, Jason wrote: ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ? Enter LDAP Password: ldap_bind: Invalid credentials (49) I know this user password because I reset it for the purpose of troubleshooting this issue w

Re: [Freeipa-users] Failed installation

2012-10-17 Thread Dmitri Pal
On 10/17/2012 12:40 PM, Bret Wortman wrote: > I recently tried installing freeipa on a new server, but > ipa-server-install had problems around this point: > > Configuring certificate server: Estimated time 3 minutes 30 seconds > [1/18]: creating certificate server user > [2/18]: creating pki-c

Re: [Freeipa-users] Failed installation

2012-10-17 Thread John Dennis
On 10/17/2012 12:40 PM, Bret Wortman wrote: I recently tried installing freeipa on a new server, but ipa-server-install had problems around this point: Configuring certificate server: Estimated time 3 minutes 30 seconds [1/18]: creating certificate server user [2/18]: creating pki-ca insta

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Macklin, Jason
I assume that this iteration was with the correct credentials as it responds with something other than "Invalid Credentials" ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ? Enter LDAP Password: No such object (32) Worki

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Rich Megginson
On 10/17/2012 11:21 AM, Macklin, Jason wrote: ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ? Enter LDAP Password: ldap_bind: Invalid credentials (49) I know this user password user password? It's asking you for the di

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Rich Megginson
On 10/17/2012 11:51 AM, Macklin, Jason wrote: I assume that this iteration was with the correct credentials as it responds with something other than "Invalid Credentials" ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?

Re: [Freeipa-users] Failed installation

2012-10-17 Thread Bret Wortman
Now it appears that whatever is supposed to be running on port 9445 (looks like mindarray-ca) isn't running, and I'm not sure how it gets started, exactly. I ran lsof -i:9445 on this server and on a FreeIPA test box I first set up, and it's running on the test box but not the new one. Where should

Re: [Freeipa-users] Failed installation

2012-10-17 Thread Dmitri Pal
On 10/17/2012 02:31 PM, Bret Wortman wrote: > Now it appears that whatever is supposed to be running on port 9445 > (looks like mindarray-ca) isn't running, and I'm not sure how it gets > started, exactly. I ran lsof -i:9445 on this server and on a FreeIPA > test box I first set up, and it's runnin

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Macklin, Jason
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W -b "dc=dbr,dc=roche,dc=com" uid=asteinfeld \* Enter LDAP Password: dn: uid=asteinfeld,cn=users,cn=compat,dc=dbr,dc=roche,dc=com objectClass: posixAccount objectClass: top gecos: Axel Steinfeld cn: Axel Steinfeld uidN

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Dmitri Pal
On 10/17/2012 01:05 PM, Macklin, Jason wrote: > Thanks guys! Adding the "-b" did make a world of difference though it still > doesn't make anything too obvious... at least to me. > > [jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H > ldap://dbduvdu145.dbr.roche.com -b "ou=SUDOers,dc=dbr,dc

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Macklin, Jason
Yes Dmitri, this is the user I'm doing the tests with on that client. Though I would expect this user to have sudo capabilities on this host he does not. I first came across the idea that maybe domainname/nisdomainname/dnsdomainname did not match and that was causing the problem. I have since

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Rich Megginson
On 10/17/2012 12:49 PM, Macklin, Jason wrote: ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W -b "dc=dbr,dc=roche,dc=com" uid=asteinfeld \* dn: uid=asteinfeld,cn=users,cn=accounts,dc=dbr,dc=roche,dc=com ...snip... krbPrincipalName: asteinf...@dbr.roche.com

Re: [Freeipa-users] Failed installation

2012-10-17 Thread Rob Crittenden
Bret Wortman wrote: Now it appears that whatever is supposed to be running on port 9445 (looks like mindarray-ca) isn't running, and I'm not sure how it gets started, exactly. I ran lsof -i:9445 on this server and on a FreeIPA test box I first set up, and it's running on the test box but not the

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Dmitri Pal
On 10/17/2012 03:05 PM, Macklin, Jason wrote: > Yes Dmitri, this is the user I'm doing the tests with on that client. Though > I would expect this user to have sudo capabilities on this host he does not. > I first came across the idea that maybe > domainname/nisdomainname/dnsdomainname did not

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Rob Crittenden
Rich Megginson wrote: On 10/17/2012 12:49 PM, Macklin, Jason wrote: ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W -b "dc=dbr,dc=roche,dc=com" uid=asteinfeld \* dn: uid=asteinfeld,cn=users,cn=accounts,dc=dbr,dc=roche,dc=com ...snip... krbPrincipalName: ast

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Rob Crittenden
Can you confirm that you have sudoer_debug set to 2? If I gather correctly, this is on RHEL 6.3? What version of sudo? I'm seeing different output. Mine includes the number of candidate results for sudoUser are found. If you watch /var/log/dirsrv/slapd-REALM/access on your IPA server you'll

Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Toasted Penguin
On Wed, Oct 17, 2012 at 2:26 PM, Rob Crittenden wrote: > Rich Megginson wrote: > >> On 10/17/2012 12:49 PM, Macklin, Jason wrote: >> >>> ldapsearch -xLLL -H >>> ldap://dbduvdu145.dbr.roche.com -D >>> "cn=directory >>> manager" -W -b "dc=dbr,dc=roche,dc=com" uid

Re: [Freeipa-users] Failed installation

2012-10-17 Thread Bret Wortman
I think I have SELinux turned off but will double-check in the morning. And reply to the list -- Bret Wortman http://bretwortman.com/ http://twitter.com/bretwortman On Wednesday, October 17, 2012 at 3:17 PM, Rob Crittenden wrote: > Bret Wortman wrote: > > Now it appears that whatever is