Re: [Freeipa-users] FreeIPA AD password sync

2015-12-01 Thread Gašper Bregar
Thank you for the quick reply and a solution.

I will try it in the next couple of days.

Regards,
Gašper

On Tue, Dec 1, 2015 at 2:51 PM, Martin Kosek  wrote:

> On 12/01/2015 02:41 PM, Simo Sorce wrote:
> > On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> >> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> >>> I have been struggling with FreeIPA and AD password sync for a couple of
> >>> days now. At first everything was working fine, but then all of a sudden
> >>> the synchronization started to fail for me and another user.
> >>>
> >>> The error in passsync log was
> >>>
> >>> Ldap error in ModifyPassword
> >>>> 50: Insufficient access
> >>>
> >>>
> >>> It took me some time to figure out that it was failing just for the two of us.
> >>> It was failing because we were in the admin user group in FreeIPA. Is this
> >>> intentional? Is it possible to somehow change this behaviour with a
> >>> setting?
> >>>
> >>> Regards,
> >>> Gašper
> >>
> >> Hello Gašper,
> >>
> >> I assume you are running with FreeIPA version 4.0 and above. At the moment,
> >> this is expected behavior, based on the permission configuration:
> >>
> >> 'System: Change User password': {
> >>     'ipapermright': {'write'},
> >>     'ipapermtargetfilter': [
> >>         '(objectclass=posixaccount)',
> >>         '(!(memberOf=%s))' % DN('cn=admins',
> >>                                 api.env.container_group,
> >>                                 api.env.basedn),
> >>     ],
> >>     'ipapermdefaultattr': {
> >>         'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
> >>         'sambantpassword', 'userpassword'
> >>     },
> >>     ...
> >>     'default_privileges': {
> >>         'User Administrators',
> >>         'Modify Users and Reset passwords',
> >>         'PassSync Service',
> >>     },
> >> },
> >>
> >>
> >> "PassSync Service" cannot indeed change passwords of admins group. I am
> >> wondering if we want to change the default, which was added so that lower-level
> >> administrators cannot change password of top level admins and impersonate them
> >> for example. Simo, any opinion?
> >
> > We do not want to change the default behavior.
> >
> > Simo.
>
> Ok. I requested a Doc update:
> https://bugzilla.redhat.com/show_bug.cgi?id=1287092
>
> Please feel free to comment in Bugzilla.
>
> Martin
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA AD password sync

2015-12-01 Thread Martin Kosek
On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> I have been struggling with FreeIPA and AD password sync for a couple of
> days now. At first everything was working fine, but then all of a sudden
> the synchronization started to fail for me and another user.
> 
> The error in passsync log was
> 
> Ldap error in ModifyPassword
>> 50: Insufficient access
> 
> 
> It took me some time to figure out that it was failing just for the two of us.
> It was failing because we were in the admin user group in FreeIPA. Is this
> intentional? Is it possible to somehow change this behaviour with a
> setting?
> 
> Regards,
> Gašper

Hello Gašper,

I assume you are running with FreeIPA version 4.0 and above. At the moment,
this is expected behavior, based on the permission configuration:

'System: Change User password': {
    'ipapermright': {'write'},
    'ipapermtargetfilter': [
        '(objectclass=posixaccount)',
        '(!(memberOf=%s))' % DN('cn=admins',
                                api.env.container_group,
                                api.env.basedn),
    ],
    'ipapermdefaultattr': {
        'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
        'sambantpassword', 'userpassword'
    },
    ...
    'default_privileges': {
        'User Administrators',
        'Modify Users and Reset passwords',
        'PassSync Service',
    },
},


"PassSync Service" cannot indeed change passwords of admins group. I am
wondering if we want to change the default, which was added so that lower-level
administrators cannot change password of top level admins and impersonate them
for example. Simo, any opinion?

If you want to allow that, you could also add a new permission to allow
changing admins group password and assign it to "PassSync Service" privilege.

Martin

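An added illustration of the mechanism Martin describes above (example code written for this page, not FreeIPA's own ACI engine): a small evaluator for LDAP target filters that shows why a member of admins falls outside 'System: Change User password', and what a second permission restricted to admins members would add when attached to the "PassSync Service" privilege. The realm suffix, the sample user entries and the custom permission's name and filter are assumptions made for the example.

```python
# Added illustration, not FreeIPA code: how an IPA permission's LDAP target
# filters decide which entries it covers, using 'System: Change User password'
# from the thread. Handles the RFC 4515 subset needed: =, attr=*, &, |, !.
BASEDN = "dc=example,dc=com"  # assumption: an example realm suffix
ADMINS_DN = f"cn=admins,cn=groups,cn=accounts,{BASEDN}"

def parse_filter(text):
    """Parse an LDAP filter into ('=', attr, value), ('!', n) or ('&'|'|', [n..])."""
    pos = 0
    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":
            pos += 1
            node = ("!", parse())
        else:  # item filter; the value may be a DN, so split on the first '='
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not sep:
                raise ValueError(f"bad item filter at offset {pos}")
            node = ("=", attr.lower(), value)
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node
    return parse()

def matches(node, entry):
    """Evaluate a parsed filter against an entry: {lower-case attr: [values]}."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence filter; substring wildcards are not supported
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # DNs: case-insensitive

class Permission:
    """Simplified IPA permission: rights, ANDed target filters, attribute set."""
    def __init__(self, name, rights, target_filters, attrs):
        self.name, self.rights = name, set(rights)
        self.filters = [parse_filter(f) for f in target_filters]
        self.attrs = {a.lower() for a in attrs}

    def allows(self, right, entry, attr):
        return (right in self.rights and attr.lower() in self.attrs
                and all(matches(f, entry) for f in self.filters))

PASSWORD_ATTRS = {"krbprincipalkey", "passwordhistory", "sambalmpassword",
                  "sambantpassword", "userpassword"}

# The stock permission from the thread: every posixAccount EXCEPT admins members.
CHANGE_USER_PASSWORD = Permission(
    "System: Change User password", {"write"},
    ["(objectclass=posixaccount)", f"(!(memberOf={ADMINS_DN}))"], PASSWORD_ATTRS)

# The extra permission Martin suggests; name and filter are my assumptions.
# It covers ONLY admins members, so it fills exactly the gap and nothing more.
CHANGE_ADMINS_PASSWORD = Permission(
    "Change admins password (custom)", {"write"},
    ["(objectclass=posixaccount)", f"(memberOf={ADMINS_DN})"], PASSWORD_ATTRS)

def can_write(privilege, entry, attr):
    """A privilege is a list of permissions; any one granting the write suffices."""
    return any(p.allows("write", entry, attr) for p in privilege)

def user_entry(uid, groups):
    """Constructed sample entry shaped like an IPA user (memberOf flattened)."""
    return {"objectclass": ["top", "person", "posixAccount", "inetOrgPerson"],
            "uid": [uid],
            "memberof": [f"cn={g},cn=groups,cn=accounts,{BASEDN}" for g in groups]}

ALICE = user_entry("alice", ["ipausers"])              # ordinary user
GASPER = user_entry("gasper", ["ipausers", "admins"])  # member of admins

def outcomes(privilege):
    """What the given privilege may write, for an ordinary user and an admin."""
    return {"alice": can_write(privilege, ALICE, "userPassword"),
            "gasper": can_write(privilege, GASPER, "userPassword"),
            "gasper_uid": can_write(privilege, GASPER, "uid")}  # outside attrs

STOCK = outcomes([CHANGE_USER_PASSWORD])                             # gasper denied
EXTENDED = outcomes([CHANGE_USER_PASSWORD, CHANGE_ADMINS_PASSWORD])  # gasper allowed
```

With only the stock permission, STOCK reports the ordinary user as writable and the admins member as denied, which is the "50: Insufficient access" PassSync logs; after the custom permission is attached, EXTENDED allows both, while a write to an attribute outside the password set (uid) stays denied either way, because a permission grants only the attributes it lists. On a real server the custom permission corresponds to something like `ipa permission-add "Change admins password" --right=write --type=user --memberof=admins --attrs=userpassword --attrs=krbprincipalkey --attrs=passwordhistory --attrs=sambalmpassword --attrs=sambantpassword` followed by `ipa privilege-add-permission "PassSync Service" --permissions="Change admins password"`; those flags are quoted from memory of the 4.x CLI, so confirm them with `ipa permission-add --help` first. Before adding it, weigh what it means: the PassSync bind identity, and therefore whoever controls the AD side of the sync, becomes able to reset IPA admin passwords, which is precisely the impersonation path the default filter exists to close.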


Re: [Freeipa-users] FreeIPA AD password sync

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> > I have been struggling with FreeIPA and AD password sync for a couple of
> > days now. At first everything was working fine, but then all of a sudden
> > the synchronization started to fail for me and another user.
> > 
> > The error in passsync log was
> > 
> > Ldap error in ModifyPassword
> >> 50: Insufficient access
> > 
> > 
> > It took me some time to figure out that it was failing just for the two of us.
> > It was failing because we were in the admin user group in FreeIPA. Is this
> > intentional? Is it possible to somehow change this behaviour with a
> > setting?
> > 
> > Regards,
> > Gašper
> 
> Hello Gašper,
> 
> I assume you are running with FreeIPA version 4.0 and above. At the moment,
> this is expected behavior, based on the permission configuration:
> 
> 'System: Change User password': {
>     'ipapermright': {'write'},
>     'ipapermtargetfilter': [
>         '(objectclass=posixaccount)',
>         '(!(memberOf=%s))' % DN('cn=admins',
>                                 api.env.container_group,
>                                 api.env.basedn),
>     ],
>     'ipapermdefaultattr': {
>         'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
>         'sambantpassword', 'userpassword'
>     },
>     ...
>     'default_privileges': {
>         'User Administrators',
>         'Modify Users and Reset passwords',
>         'PassSync Service',
>     },
> },
> 
> 
> "PassSync Service" cannot indeed change passwords of admins group. I am
> wondering if we want to change the default, which was added so that 
> lower-level
> administrators cannot change password of top level admins and impersonate them
> for example. Simo, any opinion?

We do not want to change the default behavior.

Simo.

> If you want to allow that, you could also add a new permission to allow
> changing admins group password and assign it to "PassSync Service" privilege.
> 
> Martin




Re: [Freeipa-users] FreeIPA AD password sync

2015-12-01 Thread Martin Kosek
On 12/01/2015 02:41 PM, Simo Sorce wrote:
> On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
>> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
>>> I have been struggling with FreeIPA and AD password sync for a couple of
>>> days now. At first everything was working fine, but then all of a sudden
>>> the synchronization started to fail for me and another user.
>>>
>>> The error in passsync log was
>>>
>>> Ldap error in ModifyPassword
>>>> 50: Insufficient access
>>>
>>>
>>> It took me some time to figure out that it was failing just for the two of us.
>>> It was failing because we were in the admin user group in FreeIPA. Is this
>>> intentional? Is it possible to somehow change this behaviour with a
>>> setting?
>>>
>>> Regards,
>>> Gašper
>>
>> Hello Gašper,
>>
>> I assume you are running with FreeIPA version 4.0 and above. At the moment,
>> this is expected behavior, based on the permission configuration:
>>
>> 'System: Change User password': {
>>     'ipapermright': {'write'},
>>     'ipapermtargetfilter': [
>>         '(objectclass=posixaccount)',
>>         '(!(memberOf=%s))' % DN('cn=admins',
>>                                 api.env.container_group,
>>                                 api.env.basedn),
>>     ],
>>     'ipapermdefaultattr': {
>>         'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
>>         'sambantpassword', 'userpassword'
>>     },
>>     ...
>>     'default_privileges': {
>>         'User Administrators',
>>         'Modify Users and Reset passwords',
>>         'PassSync Service',
>>     },
>> },
>>
>>
>> "PassSync Service" cannot indeed change passwords of admins group. I am
>> wondering if we want to change the default, which was added so that 
>> lower-level
>> administrators cannot change password of top level admins and impersonate 
>> them
>> for example. Simo, any opinion?
> 
> We do not want to change the default behavior.
> 
> Simo.

Ok. I requested a Doc update:
https://bugzilla.redhat.com/show_bug.cgi?id=1287092

Please feel free to comment in Bugzilla.

Martin


[Freeipa-users] FreeIPA AD password sync

2015-11-30 Thread Gašper Bregar
I have been struggling with FreeIPA and AD password sync for a couple of
days now. At first everything was working fine, but then all of a sudden
the synchronization started to fail for me and another user.

The error in passsync log was

Ldap error in ModifyPassword
> 50: Insufficient access


It took me some time to figure out that it was failing just for the two of us.
It was failing because we were in the admin user group in FreeIPA. Is this
intentional? Is it possible to somehow change this behaviour with a
setting?

Regards,
Gašper