Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Thu, Mar 19, 2015 at 10:32:08PM +0100, Andrew Holway wrote: I wasn't precise enough, I meant the sssd version, sorry. But given that you're on RHEL-7, I think you can switch to: sudo_provider=ipa That does indeed seem to work. Thanks! You're welcome, btw if you set up your

[Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread Andrew Holway
Hello, I'd like to find out what the minimum role would be to allow a user to join a new client to freeipa. Currently our enrol command looks like: ipa-client-install --force-join --enable-dns-updates -U -p admin -w : Thanks, Andrew -- Manage your subscription for the Freeipa-users

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-20 Thread Jakub Hrozek
On Thu, Mar 19, 2015 at 05:50:50PM -0400, Prasun Gera wrote: It's just that /var/lib/sss/db is not cleared between subsequent server installs and uninstall, and that seems to be creating problems on the server since the server is also a client. If you do install-uninstall-install on the server

Re: [Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread David Kupka
On 03/20/2015 09:16 AM, Andrew Holway wrote: Hello, I'd like to find out what the minimum role would be to allow a user to join a new client to freeipa. Currently our enrol command looks like: ipa-client-install --force-join --enable-dns-updates -U -p admin -w : Thanks, Andrew

Re: [Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread Alexander Bokovoy
On Fri, 20 Mar 2015, David Kupka wrote: On 03/20/2015 09:16 AM, Andrew Holway wrote: Hello, I'd like to find out what the minimum role would be to allow a user to join a new client to freeipa. Currently our enrol command looks like: ipa-client-install --force-join --enable-dns-updates -U -p

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jan Pazdziora
On Wed, Mar 18, 2015 at 01:11:44PM -0400, Rob Crittenden wrote: On Wed, Mar 18, 2015 at 17:40:19 +0100, Andrew Holway wrote: I'm wondering how we should be handling SSSD for redundant configurations on our freeipa clients. We have three freeipa servers; how can we make SSSD check another

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Andrew Holway
Actually, I stumbled across this which explains everything you need to do to get sudo working on Centos6 clients. https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html I have had to kind of scratch together bits of information from various sources including this list (thanks!!)

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 09:20:15AM +0100, Andrew Holway wrote: Actually, I stumbled across this which explains everything you need to do to get sudo working on Centos6 clients. https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html I have had to kind of scratch together bits

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Bobby Prins
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: Hi there, I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup (described here: http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf) to be able to authenticate AIX 7.1 clients against an AD

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Bobby Prins
On Fri, 20 Mar 2015, Sumit Bose wrote: On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: Hi there, I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup (described here:

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Sumit Bose
On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: Hi there, I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup (described here:

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 11:06:04AM +0100, Jan Pazdziora wrote: On Wed, Mar 18, 2015 at 01:11:44PM -0400, Rob Crittenden wrote: On Wed, Mar 18, 2015 at 17:40:19 +0100, Andrew Holway wrote: I'm wondering how we should be handling SSSD for redundant configurations on our freeipa clients.

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Alexander Bokovoy
On Fri, 20 Mar 2015, Sumit Bose wrote: On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: Hi there, I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup (described here:

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
It seems so: $ firewall-cmd --list-all FedoraServer (default, active) interfaces: em2 sources: services: cockpit dhcpv6-client ssh ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread nathan
On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote: I have FreeIPA installed on several types of Linux machines and they are all experiencing strange issues with certificates and host keys. Here is the setup: Server : FreeIPA 4.1.2 on Centos 7 Client 12 : FreeIPA 3.0.0-42.el6 with sssd

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread nathan
nat...@nathanpeters.com wrote: I have FreeIPA installed on several types of Linux machines and they are all experiencing strange issues with certificates and host keys. Here is the setup: Server : FreeIPA 4.1.2 on Centos 7 Client 12 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
Ah, I see, I had forgotten to enable debug in the nss section. Here is its log. On 21 March 2015 at 00:40, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Two log files in attachment (the other files in /var/log/sssd are all empty). I'll also go through the troubleshooting page again,

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread nathan
Actually this was the problem : I had added the following line to the [sssd] section of sssd.conf : [sssd] default_domain_suffix = addomain.net The reason I had added this is because our business asked if our active directory trusted users can be allowed to login without entering their

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread Dmitri Pal
On 03/20/2015 08:18 PM, nat...@nathanpeters.com wrote: Actually this was the problem : I had added the following line to the [sssd] section of sssd.conf : [sssd] default_domain_suffix = addomain.net The reason I had added this is because our business asked if our active directory trusted users

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 07:40 PM, Roberto Cornacchia wrote: Two log files in attachment (the other files in /var/log/sssd are all empty). I'll also go through the troubleshooting page again, thanks Do the logs include an id call for admin? I do not see any instance of the word admin in the log. On

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread Dmitri Pal
On 03/20/2015 07:41 PM, nat...@nathanpeters.com wrote: On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote: I have FreeIPA installed on several types of Linux machines and they are all experiencing strange issues with certificates and host keys. Here is the setup: Server : FreeIPA 4.1.2 on

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 07:56 PM, Roberto Cornacchia wrote: From https://fedorahosted.org/sssd/wiki/Troubleshooting, I see that invoking getent should correspond to seeing command 17 invoked in the nss log: Something like: [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
From https://fedorahosted.org/sssd/wiki/Troubleshooting, I see that invoking getent should correspond to seeing command 17 invoked in the nss log: Something like: [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [admin]. I don't see any command invocation in my sss_dnss

[Freeipa-users] Password entry through Trust not correct

2015-03-20 Thread McEvoy, James
When I look at the password entries for my rfc2307 account in Active directory I get three different answers. The only correct one is on a server where I used sssd to join AD directly ( the last one ). Do I need to configure rfc2307? When I configured the server to join AD directly I use the

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-20 Thread Rob Crittenden
Matt . wrote: The right way to request a SAN, this seems to need some extra config file ? Like I said before, use certmonger, it makes life easier. I'll create a new host balancer.example.com with a HTTP service. I'll generate a cert with a SAN for idp.example.com in that service. I'm

Re: [Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 09:41:08AM -0400, Gould, Joshua wrote: Updated: libipa_hbac.x86_64 0:1.12.2-58.el7_1.6.1 libipa_hbac-python.x86_64 0:1.12.2-58.el7_1.6.1 libsss_idmap.x86_64 0:1.12.2-58.el7_1.6.1 libsss_nss_idmap.x86_64 0:1.12.2-58.el7_1.6.1 libsss_nss_idmap-python.x86_64

[Freeipa-users] SSSD in redundant configuration - part 2

2015-03-20 Thread Andrew Holway
Hi, I am having one of those really annoying pesky troubles. I add clients to freeipa but the first time I am logging in and trying to sudo with my freeipa credentials the sudo is not working. If I restart the SSSD process this usually fixes it but not always. I'm going to try and do some

Re: [Freeipa-users] SSSD in redundant configuration - part 2

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 04:05:56PM +0100, Andrew Holway wrote: Hi, I am having one of those really annoying pesky troubles. I add clients to freeipa but the first time I am logging in and trying to sudo with my freeipa credentials the sudo is not working. If I restart the SSSD process

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
The zone settings: $ ipa dnszone-show --all Zone name: hq.example.com. dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com Zone name: hq.example.com. Active zone: TRUE Authoritative nameserver: ipa.hq.example.com. Administrator e-mail address: hostmaster.hq.example.com. SOA

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jan Pazdziora
On Fri, Mar 20, 2015 at 11:51:14AM +0100, Jakub Hrozek wrote: Or even better, set the weight and priority fields on the server and keep using SRV resolution :-) How do you specify different priorities for different consumers if the DNS is IPA-based (== the records are in LDAP and replicated)?

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Alexander Bokovoy
On Fri, 20 Mar 2015, Bobby Prins wrote: On Fri, 20 Mar 2015, Sumit Bose wrote: On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: Hi there, I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 01:02:58PM +0100, Jan Pazdziora wrote: On Fri, Mar 20, 2015 at 11:51:14AM +0100, Jakub Hrozek wrote: Or even better, set the weight and priority fields on the server and keep using SRV resolution :-) How do you specify different priorities for different consumers

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Dmitri Pal
On 03/20/2015 08:05 AM, Alexander Bokovoy wrote: On Fri, 20 Mar 2015, Bobby Prins wrote: On Fri, 20 Mar 2015, Sumit Bose wrote: On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: Hi there, I'm currently trying to use

Re: [Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

2015-03-20 Thread Gould, Joshua
Updated: libipa_hbac.x86_64 0:1.12.2-58.el7_1.6.1 libipa_hbac-python.x86_64 0:1.12.2-58.el7_1.6.1 libsss_idmap.x86_64 0:1.12.2-58.el7_1.6.1 libsss_nss_idmap.x86_64 0:1.12.2-58.el7_1.6.1 libsss_nss_idmap-python.x86_64 0:1.12.2-58.el7_1.6.1 python-sssdconfig.noarch 0:1.12.2-58.el7_1.6.1

[Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread nathan
I have FreeIPA installed on several types of Linux machines and they are all experiencing strange issues with certificates and host keys. Here is the setup: Server : FreeIPA 4.1.2 on Centos 7 Client 12 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS 6.5 Client 34 : FreeIPA

[Freeipa-users] Firewalld rules to allow AD Join

2015-03-20 Thread McEvoy, James
Hi FreeIPA Users: I can only get my new Fedora 21 freeipa server to set up a trust with Active Directory if I turn off the firewall on the ipa server. I have looked through all the doc on which ports to open but have had no luck getting the join to work with firewalld running... Can

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 01:57 PM, Roberto Cornacchia wrote: But the ipa server itself is also enrolled as a client, just after the server installation, right? And that worked fine. Are these VMs? There has been a similar case when the network was not set properly for the virtual test environment.

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
No, all real machines. I'm really sorry it's taking so much of your time. I had tried almost everything on a VM setting first, and everything was fine. Everything always works fine, until you actually need it. On 20 March 2015 at 19:41, Dmitri Pal d...@redhat.com wrote: On 03/20/2015 01:57

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
But the ipa server itself is also enrolled as a client, just after the server installation, right? And that worked fine. On 20 March 2015 at 18:55, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: No, sorry about the confusion, I shouldn't have posted so quickly. When I use the correct

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 01:55 PM, Roberto Cornacchia wrote: No, sorry about the confusion, I shouldn't have posted so quickly. When I use the correct domain (hq.example.com http://hq.example.com), then I really get all the same errors as before, also in the new client. Does it really hit the right

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
Oops. Not true, forget last email. This second client installation went differently just because it took the wrong domain. It used *example.com http://example.com* (what was previously set) instead of *hq.example.com http://hq.example.com* Uninstalled, tried again with

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 01:25 PM, Roberto Cornacchia wrote: Oops. Not true, forget last email. This second client installation went differently just because it took the wrong domain. It used *example.com http://example.com* (what was previously set) instead of *hq.example.com http://hq.example.com*

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
Update: I tried from another client. Also FC21, same network, same settings from the same DHCP. But obviously it must have something different because it partially succeeded. - I do not get errors about LDAP users. - I do not get errors about DNS update However: - I still get the initial error

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
No, sorry about the confusion, I shouldn't have posted so quickly. When I use the correct domain (hq.example.com), then I really get all the same errors as before, also in the new client. On 20 Mar 2015 18:39, Dmitri Pal d...@redhat.com wrote: On 03/20/2015 01:25 PM, Roberto Cornacchia

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
ipv6 re-enabled. No luck yet :( On 20 March 2015 at 17:06, Dmitri Pal d...@redhat.com wrote: On 03/20/2015 10:56 AM, Roberto Cornacchia wrote: The zone settings: $ ipa dnszone-show --all Zone name: hq.example.com. dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com Zone

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 10:56 AM, Roberto Cornacchia wrote: The zone settings: $ ipa dnszone-show --all Zone name: hq.example.com http://hq.example.com. dn: idnsname=hq.example.com http://hq.example.com.,cn=dns,dc=hq,dc=example,dc=com Zone name: hq.example.com http://hq.example.com. Active zone:

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 02:48 PM, Roberto Cornacchia wrote: No, all real machines. I'm really sorry it's taking so much of your time. I had tried almost everything on a VM setting first, and everything was fine. Everything always works fine, until you actually need it. We try to help as much as we

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread Rob Crittenden
nat...@nathanpeters.com wrote: I have FreeIPA installed on several types of Linux machines and they are all experiencing strange issues with certificates and host keys. Here is the setup: Server : FreeIPA 4.1.2 on Centos 7 Client 12 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread Dmitri Pal
On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote: I have FreeIPA installed on several types of Linux machines and they are all experiencing strange issues with certificates and host keys. Here is the setup: Server : FreeIPA 4.1.2 on Centos 7 Client 12 : FreeIPA 3.0.0-42.el6 with sssd

Re: [Freeipa-users] AD users not getting single sign on (Solaris)

2015-03-20 Thread nathan
nat...@nathanpeters.com wrote: I have finally gotten all of my Solaris servers to accept AD users but the behavior is inconsistent. In my FreeIPA domain, I can login to a Linux server and then ssh to the Solaris server and I am automatically logged in because of my Kerberos ticket (I

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
It certainly gets there, because the client gets in fact enrolled as a domain host. I can see it from the UI in Identity / Hosts. But not in the DNS zone. *Before ipa-client-install, all these do work: * $ ssh ipa.hq.example.com $ ntpdate ipa.hq.example.com $ ldapsearch -x -h ipa.hq.example.com

Re: [Freeipa-users] AD users not getting single sign on (Solaris)

2015-03-20 Thread Dmitri Pal
On 03/20/2015 05:23 PM, nat...@nathanpeters.com wrote: nat...@nathanpeters.com wrote: I have finally gotten all of my Solaris servers to accept AD users but the behavior is inconsistent. In my FreeIPA domain, I can login to a Linux server and then ssh to the Solaris server and I am

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 05:28 PM, Roberto Cornacchia wrote: It certainly gets there, because the client gets in fact enrolled as a domain host. I can see it from the UI in Identity / Hosts. But not in the DNS zone. *Before ipa-client-install, all these do work: * $ ssh ipa.hq.example.com

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
SSSD logs are empty so far. Isn't sssd.conf written by ipa-client-install? If I raise the debug level after client installation, what activities do you suggest to attempt from the client? On 20 March 2015 at 22:37, Dmitri Pal d...@redhat.com wrote: On 03/20/2015 05:28 PM, Roberto Cornacchia

Re: [Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

2015-03-20 Thread Jakub Hrozek
On Thu, Mar 19, 2015 at 05:29:39PM -0400, Gould, Joshua wrote: Thank you! You're welcome, please try these builds: https://jhrozek.fedorapeople.org/sssd-test-builds/sssd-7.1-gr-request/ But please note that when POSIX attributes are requested, the lookups will /always/ be slower. With ID

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-20 Thread Prasun Gera
I'll open a ticket. It should probably be cleared, unless handled in some other way, before installs too. This looks like more of a client side issue than a server one. The database should be cleared when a client is explicitly uninstalled, and also if the client tries to register to a different

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 05:59 PM, Roberto Cornacchia wrote: SSSD logs are empty so far. This is wrong. Isn't sssd.conf written by ipa-client-install? Yes If I raise the debug level after client installation, (and restart) what activities do you suggest to attempt from the client? the ones

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread nathan
nat...@nathanpeters.com wrote: I have FreeIPA installed on several types of Linux machines and they are all experiencing strange issues with certificates and host keys. Here is the setup: Server : FreeIPA 4.1.2 on Centos 7 Client 12 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on