Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (13/07/16 10:32), Danila Ladner wrote: >Update to this one: >It has been running smoothly on 6.5 > >[root@dev-zlei.sec1 ~]# cat /etc/redhat-release >CentOS release 6.5 (Final) > >[root@dev-zlei.sec1 ~]# rpm -qa | grep sssd >sssd-client-1.12.4-47.el6.x86_64 >sssd-ldap-1.12.4-47.el6.x86_64 >sssd-a

Re: [Freeipa-users] named-pkcs11 fails to start on new replica

2016-07-14 Thread Martin Babinsky
On 07/13/2016 09:56 PM, Bob Hinton wrote: Hi, We are trying to create a new replica on RHEL 7.2 This completes but named-pkcs11 fails to start - systemctl status named-pkcs11.service ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11 Loaded: loaded (/usr/lib/s

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Sumit Bose
On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote: > Ok, I have some logs of sssd 1.13.0 not working. Same values as before: > > FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 > > Installed Packages > Name: ipa-server > Arch: x86_64 > Version : 4.2.0 > Rel

Re: [Freeipa-users] named-pkcs11 fails to start on new replica [SOLVED]

2016-07-14 Thread Bob Hinton
On 14/07/2016 08:39, Martin Babinsky wrote: > On 07/13/2016 09:56 PM, Bob Hinton wrote: >> Hi, >> >> We are trying to create a new replica on RHEL 7.2 >> >> This completes but named-pkcs11 fails to start - >> >> systemctl status named-pkcs11.service >> ● named-pkcs11.service - Berkeley Internet Na

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 10:09), Tomas Simecek wrote: >Thanks all of you guys, >I have updated to: >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64 >sssd-1.13.3-22.el6_8.4.x86_64 >sssd-ldap-1.13.3-22.el6_8.4.x86_64 >sssd-client-1.13.3-22.el6_8.4.x86_64 >sssd-ad-1.13.3-22.el6_8.4.x86_64 >sssd-proxy-1.13.3-22.el6_8.4.

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Lukas, we have Active Directory group "UnixAdmins" . We have IPA external group ad_admins_external , which has Windows "UnixAdmins" group as a member. We have local IPA group grpunixadmins

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Rob Verduijn
Hi, just a long shot here. I've been battling sudo for a couple of days now and found that my issue was one related to symlinks on CentOS 7: 'which cat' says /bin/cat, but on CentOS /bin is a symlink to /usr/bin, and sudo knows a symlink when it sees one and, to prevent abuse, it requires the 'real' path

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Rob, thanks, but this is not the case. Firstly, for initial test purposes I am not limiting sudo to specific commands, in the rule it is set to "any". Secondly, it fails even in non-symlink cases: [root@zp-cml-test ~]# which service /sbin/service [root@zp-cml-test ~]# ll /sbin/service -rwxr-xr-

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 11:26), Tomas Simecek wrote: >Hi Lukas, >we have Active Directory group "UnixAdmins" >. >We have IPA external group ad_admins_external >, which has >Windows "UnixAdmins" group as a member. >We have local IPA group grpunixadmi

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Thanks Lukas, to be honest I am not sure what you mean by "Please test with id simecek.to...@sd-stc.cz." It is the user I am testing with all the time. Here is what I see on the client where sudo does not work: [simecek.to...@sd-stc.cz@zp-cml-test ~]$ id uid=988604700(simecek.to...@sd-stc.cz) gid=9

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 12:43), Tomas Simecek wrote: >Thanks Lukas, >to be honest I am not sure what do you mean by "Please test with id >simecek.to...@sd-stc.cz." >It is the user I am testing with all the time. > >Here is what I see on client where sudo does not work: >[simecek.to...@sd-stc.cz@zp-cml-test ~]

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Martin Kosek
On 07/13/2016 04:24 AM, Devin Acosta wrote: > > I was trying to create another Replica but then noticed it was constantly > having > issues trying to finish the joining of the replication. I then ran the > command: > repl-monitor.pl , It appears i have several > replic

[Freeipa-users] Sync & BaseDN change

2016-07-14 Thread Brad Cesarone
Hello, I hope this finds the right thread because the original thread was replied to on the list and not to my email... I need to sync to another LDAP directory which has a different SUFFIX than IPA sets up. I successfully imported from our OpenLDAP to IPA but I still need to sync with a separate maste

[Freeipa-users] named-pkcs11 fails on new ipa replica

2016-07-14 Thread Bob Hinton
Hi, We are trying to create a new replica on RHEL 7.2 This completes but named-pkcs11 fails to start - systemctl status named-pkcs11.service ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11 Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled

[Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-14 Thread Grant Wu
Hi all, I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has been a pain point for quite some time. I've heard that FreeIPA might be a solution worth exploring. I would like to try to avoid user visible disruption if possible, however. This means that we would like to keep our

Re: [Freeipa-users] Web UI access from outside the home network via port forwarding

2016-07-14 Thread Christophe TREFOIS
Hi Jan, Cool doc. Thanks for writing it up! > On 14 Jul 2016, at 07:52, Jan Pazdziora wrote: > > On Mon, Jul 11, 2016 at 07:00:04PM -0700, Harry Kashouli wrote: >> >> I have a freeipa server set up, and would like to access the Web UI >> remotely (from outside my home network). >> >> I set

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 13:06), Tomas Simecek wrote: >Hi Lukas, >I did as you said. >Logs are attached to this mail. > Thank you very much for provided data. The main problem is that full refresh of sudo rules did not store any rules. It might be caused by following errors which might be caused by issues wi

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Lukas, sorry to say, but nothing helps. I have just updated IPA server, so that now it is: [root@svlxxipap ~]# cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) with: [root@svlxxipap ~]# rpm -qa|grep ipa ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64 libipa_hbac-1.13.0-40.el7

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Sullivan, Daniel [AAA]
Hi, I have a brief follow up question regarding this issue; I’m actually not bent on using HBAC; it is a nice feature and I’d like to use it, but at the end of the day I’m not married to the idea of managing this type of policy centrally; in theory, group or user based access control using Al

Re: [Freeipa-users] Freeipa replication issue

2016-07-14 Thread Alexander Bokovoy
On Thu, 14 Jul 2016, Stefan Uygur wrote: Hi All, Sorry if this would appear to be an obvious issue and maybe someone has already discussed it, but I couldn't find any information about how to resolve this issue that I am experiencing. Basically I have an IPA master server where the admi

[Freeipa-users] Freeipa replication issue

2016-07-14 Thread Stefan Uygur
Hi All, Sorry if this would appear to be an obvious issue and maybe someone has already discussed it, but I couldn't find any information about how to resolve this issue that I am experiencing. Basically I have an IPA master server where the admin password was originally the same as Di

Re: [Freeipa-users] Freeipa replication issue

2016-07-14 Thread Stefan Uygur
Hi Alexander, Thanks for the quick reply first of all, and to be honest I have actually tried that link too; it didn't work either. This is my IPA version: ipa-server-3.0.0-47.el6_7.2.x86_64 and the system is RHEL 6. When I reproduce the last step of the instructions you provided: ldappasswd -h lo

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Petr Vobornik
On 07/14/2016 12:57 PM, Martin Kosek wrote: > On 07/13/2016 04:24 AM, Devin Acosta wrote: >> >> I was trying to create another Replica but then noticed it was constantly >> having >> issues trying to finish the joining of the replication. I then ran the >> command: >> repl-monitor.pl

Re: [Freeipa-users] Freeipa replication issue

2016-07-14 Thread Mark Reynolds
On 07/14/2016 10:10 AM, Stefan Uygur wrote: > Hi Alexander, > Thanks for a quick reply first of all and to be honest actually I have tried > that link too, it didn't work either. > > This is my ipa version: ipa-server-3.0.0-47.el6_7.2.x86_64 and the system is > RHEL 6 > > When I reproduce the l

Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-14 Thread Petr Vobornik
On 07/14/2016 07:13 AM, Grant Wu wrote: > Hi all, > > I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has been a > pain point for quite some time. I've heard that FreeIPA might be a solution > worth exploring. > > I would like to try to avoid user visible disruption if possi

Re: [Freeipa-users] named-pkcs11 fails on new ipa replica

2016-07-14 Thread Petr Vobornik
On 07/13/2016 08:51 PM, Bob Hinton wrote: > Hi, > > We are trying to create a new replica on RHEL 7.2 > > This completes but named-pkcs11 fails to start - > > systemctl status named-pkcs11.service > ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native > PKCS#11 >Loaded:

Re: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

2016-07-14 Thread Petr Vobornik
On 07/14/2016 07:18 AM, Bjarne Blichfeldt wrote: > Well, I just had the same problem, but in my case I also tried to install a > ca: > > “ipa-replica-install --setup-ca …..” > > Without “--set-up” the installation succeeded. > > Regards, > > Bjarne > The error below is not related to CA. I

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Devin Acosta
ipa01-jap was a host that is no more; is there a simple way to clear these replication agreements to clean it up? On Thu, Jul 14, 2016 at 7:14 AM, Petr Vobornik wrote: > On 07/14/2016 12:57 PM, Martin Kosek wrote: > > On 07/13/2016 04:24 AM, Devin Acosta wrote: > >> > >> I was trying to create a

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 13:52), Tomas Simecek wrote: >Hi Lukas, >sorry to say, but nothing helps. > >I have just updated IPA server, so that now it is: >[root@svlxxipap ~]# cat /etc/redhat-release >CentOS Linux release 7.2.1511 (Core) > >with: >[root@svlxxipap ~]# rpm -qa|grep ipa >ipa-server-trust-ad-4.2.0-1

Re: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

2016-07-14 Thread Devin Acosta
When i tried to create the replica from another server, it fails giving me this? [root@ipa02-aws ~]# ipa-replica-prepare ipa03-aws.rsinc.local --ip-address 10.40.x.x Directory Manager (existing master) password: If you installed IPA with your own certificates using PKCS#12 files you must provide

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Justin Stephenson
Hello Daniel, Just to clarify the issue: user 'a.cri.dsulli...@bsdad.uchicago.edu' is a member of IDM POSIX group 'cri-cri_server_administrators_ipa' which is linked to the external group used for the AD trust. The following HBAC rule is not working to allow SSH access [root@cri-ksysipa

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Sullivan, Daniel [AAA]
Hi, I wanted to follow up on this thread in case others are experiencing this problem. Installing SSSD 1.14 from the copr repository seems to have completely eliminated the HBAC issue on all systems that were exhibiting the problem as previously described. https://copr.fedorainfracloud.org/co

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Sullivan, Daniel [AAA]
Justin, Thank you for taking the time to reply to me; I really appreciate your willingness to help. Upgrading to sssd 1.14 (from the copr repo) on the client seems to have fixed this problem across the board. I don't have a system that is currently broken to capture this data, but if it is imp

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Lachlan Musicman
On 14 July 2016 at 17:44, Sumit Bose wrote: > On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote: > > Ok, I have some logs of sssd 1.13.0 not working. Same values as before: > > > > FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 > > > > Installed Packages > > Name: ipa

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Lachlan Musicman
AH. I'm seeing a lot of this now. hbac_eval_user_element is returning the wrong number of groups. I just found another instance in my logs : (Fri Jul 15 08:39:04 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [23] groups for [SimpsonLachlan] IPA server [root@vmpr-lin

[Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-14 Thread Lachlan Musicman
Hey, While hunting this sssd/hbac/AD user problem, I noticed in the selinux_child.log a lot of errors that look like this: (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage] (0x0020): could not parse seuser record (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libse

Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-14 Thread Lachlan Musicman
This line: We have SELinux disabled on all of our servers, but we hadn't disabled this check in sssd.conf. So we enabled it in sssd.conf and everything worked fine. Should read that we *disabled* selinux. selinux_provider = none Cheers L. -- The most dangerous phrase in the language is, "W

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Lachlan Musicman
I've updated all the relevant hosts and the FreeIPA server to the COPR sssd 1.14.0 release and the problem seems to have disappeared. Cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 15 July 2016 at 10:09, Lachlan Musicman wrote:

[Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04

2016-07-14 Thread Visakh MV
Hi Team, Could you provide the client setup guide for Ubuntu systems? We are using FreeIPA version 4.2.0. It's been a while trying to find the document for Ubuntu with the latest FreeIPA Server version; even now I cannot find the doc. So kindly provide the same doc via mail as soon as possible. even

Re: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04

2016-07-14 Thread Visakh MV
Hi Team, I forgot to describe the actual requirement on IPA client machines: we need to configure client machine sudo privileges from the FreeIPA server for IPA server users. After configuring, client machines are able to log in as an IPA user but unable to give sudo privileges from. Please revert

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Martin Kosek
You should be able to succeed with "ipa-replica-manage del " and --force/--cleanup flags: $ man ipa-replica-manage ... -c, --cleanup When deleting a master with the --force flag, remove leftover references to an already deleted master. ... Martin On 07/14/20

[Freeipa-users] Can we disable HTTP TRACE / TRACK Method in IPA

2016-07-14 Thread Zeal Vora
Hi, In our internal VA, vulnerability assessment tools flag the HTTP TRACE / TRACK methods in IPA as a medium-severity vulnerability. Is there a need to allow those two methods in IPA? If not, what is the optimal way to disable those methods? Thanks, Zeal
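As an added example (not part of Zeal's message or of the FreeIPA project), here is a small Python probe that reproduces what a scanner does for this finding: it sends a TRACE request with a marker header and reports the method as enabled only when the server answers 200 and reflects that header back in the body, which is the cross-site-tracing condition scanners look for. To make it runnable offline it spins up two constructed local servers, one that echoes TRACE as a misconfigured server would and one that does not implement it (Python's BaseHTTPRequestHandler answers 501 to unknown methods); the host names, handler classes and the run_checks helper are assumptions for the demo. The same function can be pointed at an IPA server's HTTPS port by swapping HTTPConnection for HTTPSConnection.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def method_reflected(host, port, method="TRACE", timeout=5):
    """Return True if `method` (TRACE or TRACK) is enabled on host:port,
    i.e. the server answers 200 and echoes our marker header in the body.
    A 405/501/403 or a body without the marker counts as disabled."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Probe": "trace-check"})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status == 200 and b"X-Probe: trace-check" in body
    finally:
        conn.close()


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed server that reflects TRACE requests (message/http body),
    modelling the behaviour the scanner complains about."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class NoTraceHandler(BaseHTTPRequestHandler):
    """Constructed server with TRACE disabled: no do_TRACE method, so the
    base class returns 501 Not Implemented."""

    def log_message(self, *args):
        pass


def serve(handler):
    """Start `handler` on an ephemeral loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_checks():
    """Probe both constructed servers; returns {'echo': True, 'disabled': False}."""
    results = {}
    for name, handler in (("echo", EchoTraceHandler), ("disabled", NoTraceHandler)):
        srv = serve(handler)
        try:
            results[name] = method_reflected("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, enabled in run_checks().items():
        print(f"{name}: TRACE {'ENABLED' if enabled else 'disabled'}")
```

On an Apache httpd front end the directive that turns the method off is `TraceEnable off` (it is a core httpd directive, not FreeIPA-specific); after changing it, re-run the probe against the real host and expect a non-200 answer with no reflected header. TRACK is a Microsoft IIS alias for the same behaviour, so the probe accepts it as the `method` argument too.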