Re: [Freeipa-users] FreeIPA, Netgroup and access.conf

2015-06-02 Thread Jakub Hrozek
On Tue, Jun 02, 2015 at 11:11:56AM +0200, Yves Degauquier wrote:
 Hi,
 
 I have a FreeIPA server in place with netgroup in order to limit access to
 some users only to some hosts (by environment).
 
 It works fine on AIX clients.
 
 But now I try to do the same with Linux.
 
 I register the client in the server, without any problem, all users from
 FreeIPA can login in the Linux boxes.
 
 I activate now pam_access and configure the /etc/security/access.conf to
 allow local root user and users from netgroup.
 
 But my users in the netgroup can't login... If in place of the netgroup I
 put the name of the users, the users defined can login...
 
 But this is not a centrally managed user anymore...
 
 Any idea of what the problem could be?
 
 Thanks in advance for your help.

Does getent netgr report the host as a member of the netgroup?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
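The check asked for above, whether the client host is listed in the netgroup, can be done against the triple format that `getent netgroup NAME` prints (`NAME (host,user,domain) (host,user,domain) ...`). The script below is an added example, not part of the thread and not FreeIPA or SSSD code: it parses such a line and reports whether a given host and user appear in it, the two things a pam_access line like `+ : @prod-admins : ALL` in /etc/security/access.conf depends on. The netgroup name `prod-admins`, the hosts and the users are constructed sample data; `triple_field`, `netgroup_member` and `report` are helpers assumed for this example.

```sh
#!/bin/sh
# Added example (not from the thread): check netgroup membership against the
# triple format `getent netgroup NAME` prints:
#   NAME (host,user,domain) (host,user,domain) ...
# CONSTRUCTED sample line standing in for the output of `getent netgroup prod-admins`;
# empty fields are printed as empty strings, so "(,alice,example.com)" is a user-only triple.
SAMPLE='prod-admins (web01.example.com,,example.com) (db01.example.com,,example.com) (,alice,example.com) (,bob,example.com)'

# triple_field TRIPLE N -> print field N (1=host, 2=user, 3=domain) of "(host,user,domain)"
triple_field() {
    t=${1#\(}; t=${t%\)}
    case $2 in
        1) printf '%s\n' "${t%%,*}" ;;
        2) t=${t#*,}; printf '%s\n' "${t%%,*}" ;;
        3) printf '%s\n' "${t##*,}" ;;
    esac
}

# netgroup_member LINE FIELD VALUE -> exit 0 if any triple carries VALUE in FIELD
netgroup_member() {
    line=$1; field=$2; want=$3
    rest=${line#* }                      # drop the leading netgroup name
    [ "$rest" = "$line" ] && return 1    # no space at all: no triples
    for triple in $rest; do              # word splitting separates the triples
        got=$(triple_field "$triple" "$field")
        [ "$got" = "$want" ] && return 0
    done
    return 1
}

netgroup_has_host() { netgroup_member "$1" 1 "$2"; }
netgroup_has_user() { netgroup_member "$1" 2 "$2"; }

# report LINE HOST USER -> one line stating whether HOST and USER are members
report() {
    ng=$1; host=$2; user=$3
    if netgroup_has_host "$ng" "$host"; then hstat=member; else hstat="NOT a member"; fi
    if netgroup_has_user "$ng" "$user"; then ustat=member; else ustat="NOT a member"; fi
    printf 'host %s: %s; user %s: %s\n' "$host" "$hstat" "$user" "$ustat"
}

# Stand-alone run against the constructed sample: one host that is listed, one that is not.
report "$SAMPLE" web01.example.com alice
report "$SAMPLE" web99.example.com alice
```

On a real client the same report can be produced from live data with `report "$(getent netgroup prod-admins)" "$(hostname -f)" "$USER"`; if the host line comes back with the user present but the client's fully qualified name absent, that is the mismatch the question above is probing for.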


Re: [Freeipa-users] FreeIPA, Netgroup and access.conf

2015-06-02 Thread Yves Degauquier

Yes getent netgroup netgroupname give me the list of servers.

Can't understand what is going wrong...

Yves

On 02/06/15 13:38, freeipa-users-requ...@redhat.com wrote:


--

Message: 2
Date: Tue, 2 Jun 2015 12:11:57 +0200
From: Jakub Hrozek jhro...@redhat.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] login delay with sssd
Message-ID: 20150602101157.GM2805@hendrix
Content-Type: text/plain; charset=utf-8

On Tue, Jun 02, 2015 at 10:28:29AM +0100, Ivars Strazdi?? wrote:



With kind regards,
Ivars Strazdi??


On 2 Jun 2015, at 07:21, Lukas Slebodnik lsleb...@redhat.com wrote:

How many groups does problematic user have?

I can call any user problematic, because all have login delays.
siteadmin user, being able to login via ssh, probably has most groups - 4. 
Doesn't seem too many, does it?

siteadmin@mail:~$ id
uid=9268000XX(siteadmin) gid=9268000XX(siteadmin) 
groups=9268000XX(siteadmin),9268Y(vpnusers),9268Z(mailusers),9268W(scanned)
 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I have sssd-1.12.2 installed as per Centos 7.1.
I will have to wait until 1.12.4 or 5 is coming down the pipe with Centos 
updates.

We plan on 7.1.z update, but with different bugzillas.

Then we plan on putting 1.13 to 7.2


Hopefully that will resolve or mitigate the issue.
I cannot create a mess by putting Fedora updates into Centos, not sure if that's 
even possible.

Lukas keeps the 1.12 branch builds in his COPR repo, maybe those would
be easier to test for you?



--

Message: 3
Date: Tue, 2 Jun 2015 12:12:38 +0200
From: Jakub Hrozek jhro...@redhat.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Copy attributes to compat tree
Message-ID: 20150602101238.GN2805@hendrix
Content-Type: text/plain; charset=us-ascii

On Tue, Jun 02, 2015 at 11:45:44AM +0200, Vangass wrote:

Hi,

Is it possible to copy all of memberOf users attributes from
cn=users,cn=accounts,dc=example,dc=com
to cn=users,cn=compat,dc=example,dc=com?

If yes, how can I do this?

No, the compat tree uses a different schema.

Why do you need this?



--

Message: 4
Date: Tue, 2 Jun 2015 10:24:35 +
From: Alexander Frolushkin alexander.frolush...@megafon.ru
To: Jakub Hrozek jhro...@redhat.com, freeipa-users@redhat.com
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD user password change via ssh login
Message-ID: 9ec27b853e134e21b1c7bcf17fc39...@sib-ums03.megafon.ru
Content-Type: text/plain; charset=utf-8

Hello Jakub!
Thank you for respond, I'll comment in text

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Tuesday, June 02, 2015 1:24 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD user password change via ssh login

On Tue, Jun 02, 2015 at 06:21:59AM +, Alexander