Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Thu, Mar 19, 2015 at 10:32:08PM +0100, Andrew Holway wrote:
 
 
  I wasn't precise enough, I meant the sssd version, sorry. But given that
  you're on RHEL-7, I think you can switch to:
  sudo_provider=ipa
 
 
 That does indeed seem to work. Thanks!

You're welcome, btw if you set up your client using some documentation
we might want to correct those docs..

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jan Pazdziora
On Wed, Mar 18, 2015 at 01:11:44PM -0400, Rob Crittenden wrote:
 On Wed, Mar 18, 2015 at 17:40:19 +0100, Andrew Holway wrote:
  
  I'm wondering how we should be handling SSSD for redundant configurations
  on our freeipa clients. We have three freeipa servers; how can we make
  SSSD check another freeipa in the event that one goes down?
  
  [...]
  
  ipa_server = _srv_, test-freeipa-2.cloud.domain.de
 
 _srv_ tells SSSD to check DNS for SRV records. The trailing server gives
 it a hardcoded fallback in case DNS fails for some reason. Their current
 configuration is correct.

However, it does not set priority for the preferred IPA server which
can be useful if they are in different geos and by default you want
the traffic to go to the local server. In that case

ipa_server = test-freeipa-2.cloud.domain.de, _srv_

might actually be preferred.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Andrew Holway
Actually, I stumbled across this which explains everything you need to do
to get sudo working on Centos6 clients.
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html

I have had to kind of scratch together bits of information from various
sources including this list (thanks!!) but we are trying to do all of this
automated with saltstack which is a bit of a challenge.

Thanks,

Andrew

On 20 March 2015 at 09:00, Jakub Hrozek jhro...@redhat.com wrote:

 On Thu, Mar 19, 2015 at 10:32:08PM +0100, Andrew Holway wrote:
  
  
   I wasn't precise enough, I meant the sssd version, sorry. But given
 that
   you're on RHEL-7, I think you can switch to:
   sudo_provider=ipa
  
 
  That does indeed seem to work. Thanks!

 You're welcome, btw if you set up your client using some documentation
 we might want to correct those docs..


Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 09:20:15AM +0100, Andrew Holway wrote:
 Actually, I stumbled across this which explains everything you need to do
 to get sudo working on Centos6 clients.
 https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
 
 I have had to kind of scratch together bits of information from various
 sources including this list (thanks!!) but we are trying to do all of this
 automated with saltstack which is a bit of a challenge.

Ah, right, that's an old post in freeipa's terms :-)

We simplified the sudo configuration in 6.6 to the single line that sets
sudo_provider to ipa.

I'm glad your setup works now.



Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 11:06:04AM +0100, Jan Pazdziora wrote:
 On Wed, Mar 18, 2015 at 01:11:44PM -0400, Rob Crittenden wrote:
  On Wed, Mar 18, 2015 at 17:40:19 +0100, Andrew Holway wrote:
   
   I'm wondering how we should be handling SSSD for redundant configurations
   on our freeipa clients. We have three freeipa servers; how can we make
   SSSD check another freeipa in the event that one goes down?
   
   [...]
   
   ipa_server = _srv_, test-freeipa-2.cloud.domain.de
  
  _srv_ tells SSSD to check DNS for SRV records. The trailing server gives
  it a hardcoded fallback in case DNS fails for some reason. Their current
  configuration is correct.
 
 However, it does not set priority for the preferred IPA server which
 can be useful if they are in different geos and by default you want
 the traffic to go to the local server. In that case
 
   ipa_server = test-freeipa-2.cloud.domain.de, _srv_
 
 might actually be preferred.

Or even better, set the weight and priority fields on the server and
keep using SRV resolution :-)

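The two ordering options discussed in this thread (Jan's "hardcoded server first, then _srv_" and Jakub's "keep _srv_ and use SRV priority/weight") are easiest to compare by expanding an ipa_server line into the order the servers would be tried. The example below is added here and is not SSSD code; the SRV records, hostnames and the duplicate handling are constructed assumptions, and the SRV ordering follows RFC 2782 rather than any SSSD internals.

```python
import random

# Constructed _ldap._tcp SRV records for the example zone: (priority, weight, target).
# Two servers share priority 10 and split load by weight; the third has a higher
# priority value, so it is only tried after both priority-10 servers.
SRV_RECORDS = [
    (10, 60, "test-freeipa-1.cloud.domain.de"),
    (10, 40, "test-freeipa-2.cloud.domain.de"),
    (20, 0, "test-freeipa-3.cloud.domain.de"),
]


def parse_ipa_server(line):
    """Split an 'ipa_server = a, b' sssd.conf line into its ordered entries."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "ipa_server":
        raise ValueError("not an ipa_server line: %r" % line)
    return [e.strip() for e in value.split(",") if e.strip()]


def srv_order(records, rng):
    """Order SRV targets per RFC 2782: lowest priority value first; within one
    priority a weighted random pick, with weight-0 records chosen last."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # Weight-0 records go to the front so they are only hit when pick == 0.
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1])
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec[2])
                    pool.remove(rec)
                    break
    return ordered


def failover_order(line, records=SRV_RECORDS, rng=None):
    """Expand an ipa_server line into a try-order: '_srv_' becomes the
    SRV-derived list, literal hostnames stay where they are written.
    A host named twice keeps its first position (assumption of this example)."""
    rng = rng or random.Random(0)
    out = []
    for entry in parse_ipa_server(line):
        targets = srv_order(records, rng) if entry.lower() == "_srv_" else [entry]
        for target in targets:
            if target not in out:
                out.append(target)
    return out


if __name__ == "__main__":
    for cfg in ("ipa_server = _srv_, test-freeipa-2.cloud.domain.de",
                "ipa_server = test-freeipa-2.cloud.domain.de, _srv_"):
        print(cfg, "->", failover_order(cfg))
```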


Re: [Freeipa-users] SSSD in redundant configuration - part 2

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 04:05:56PM +0100, Andrew Holway wrote:
 Hi,
 
 I am having one of those really annoying pesky troubles.
 
 I add clients to freeipa but the first time I am logging in and trying to
 sudo with my freeipa credentials the sudo is not working. If I restart the
 SSSD process this usually fixes it but not always. I'm going to try and do
 some systematic tests and collect some logs but I thought someone might
 have a clue.
 
 I noticed that when I was using ldap_uri = _srv_ vs ldap_uri =
 ldap://address; I was getting the same problem so I am thinking it's a DNS
 lookup glitch?

Is it only the first time on a new client with totally empty cache or
also first time a new user runs sudo?



Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jan Pazdziora
On Fri, Mar 20, 2015 at 11:51:14AM +0100, Jakub Hrozek wrote:
 
 Or even better, set the weight and priority fields on the server and
 keep using SRV resolution :-)

How do you specify different priorities for different consumers if
the DNS is IPA-based (== the records are in LDAP and replicated)?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 01:02:58PM +0100, Jan Pazdziora wrote:
 On Fri, Mar 20, 2015 at 11:51:14AM +0100, Jakub Hrozek wrote:
  
  Or even better, set the weight and priority fields on the server and
  keep using SRV resolution :-)
 
 How do you specify different priorities for different consumers if
 the DNS is IPA-based (== the records are in LDAP and replicated)?

Ah, for different consumers..not sure currently. Maybe Petr Spacek has
some idea, but then I think your approach makes sense.



Re: [Freeipa-users] SSSD in redundant configuration

2015-03-19 Thread Jakub Hrozek
On Thu, Mar 19, 2015 at 08:42:42AM +0100, Andrew Holway wrote:
 Cool stuff. Thanks.
 
 I had a look at our SRV records and found the following:
 _kerberos-master._tcp
 _kerberos-master._udp
 _kerberos._tcp
 _kerberos._udp
 _kpasswd._tcp
 _kpasswd._udp
 _ldap._tcp
 _ntp._udp
 
 No mention of any ipa srv records. Does sssd use _ldap._tcp?

Yes, for the IPA back end it does.

For the AD back end we use the special MS records for looking up sites
or Global Catalog servers, but for IPA we stick to the standard
services.



Re: [Freeipa-users] SSSD in redundant configuration

2015-03-19 Thread Andrew Holway
I am having problems with sudo and using _srv_ in the sssd config.

This works:

# For the SUDO integration
sudo_provider = ldap
ldap_uri = ldap://test-freeipa-1.cloud.domain.de
ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=native-instruments,dc=de
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/test-freeipa-client-3.cloud.domain.de
ldap_sasl_realm = CLOUD.DOMAIN.DE
krb5_server = test-freeipa-2.cloud.domain.de


This does not work:

# For the SUDO integration
sudo_provider = ldap
ldap_uri = _srv_
ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/test-freeipa-client-3.cloud.domain.de
ldap_sasl_realm = CLOUD.DOMAIN.DE
krb5_server = _srv_


Thanks,

Andrew


On 19 March 2015 at 10:29, Jakub Hrozek jhro...@redhat.com wrote:

 On Thu, Mar 19, 2015 at 08:42:42AM +0100, Andrew Holway wrote:
  Cool stuff. Thanks.
 
  I had a look at our SRV records and found the following:
  _kerberos-master._tcp
  _kerberos-master._udp
  _kerberos._tcp
  _kerberos._udp
  _kpasswd._tcp
  _kpasswd._udp
  _ldap._tcp
  _ntp._udp
 
  No mention of any ipa srv records. Does sssd use _ldap._tcp?

 Yes, for the IPA back end it does.

 For the AD back end we use the special MS records for looking up sites
 or Global Catalog servers, but for IPA we stick to the standard
 services.


Re: [Freeipa-users] SSSD in redundant configuration

2015-03-19 Thread Andrew Holway


 I wasn't precise enough, I meant the sssd version, sorry. But given that
 you're on RHEL-7, I think you can switch to:
 sudo_provider=ipa


That does indeed seem to work. Thanks!



 and remove all the ldap_ config parameters as well as krb5_server.


Re: [Freeipa-users] SSSD in redundant configuration

2015-03-19 Thread Jakub Hrozek
On Thu, Mar 19, 2015 at 03:51:48PM +0100, Andrew Holway wrote:
 I am having problems with sudo and using _srv_ in the sssd config.
 
 This works:
 
 # For the SUDO integration
 
 sudo_provider = ldap
 
 ldap_uri = ldap://test-freeipa-1.cloud.domain.de
 
 ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=native-instruments,dc=de
 
 ldap_sasl_mech = GSSAPI
 
 ldap_sasl_authid = host/test-freeipa-client-3.cloud.domain.de
 
 ldap_sasl_realm = CLOUD.DOMAIN.DE
 
 krb5_server = test-freeipa-2.cloud.domain.de
 
 
 This does not work:
 
 # For the SUDO integration
 
 sudo_provider = ldap
 
 ldap_uri = _srv_
 
 ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
 
 ldap_sasl_mech = GSSAPI
 
 ldap_sasl_authid = host/test-freeipa-client-3.cloud.domain.de
 
 ldap_sasl_realm = CLOUD.DOMAIN.DE
 
 krb5_server = _srv_

What is the client version?



Re: [Freeipa-users] SSSD in redundant configuration

2015-03-19 Thread Andrew Holway
Hi Jakub,

Name: ipa-client
Arch: x86_64
Version : 3.3.3
Release : 28.0.1.el7.centos.3

On 19 March 2015 at 17:33, Jakub Hrozek jhro...@redhat.com wrote:

 On Thu, Mar 19, 2015 at 03:51:48PM +0100, Andrew Holway wrote:
  I am having problems with sudo and using _srv_ in the sssd config.
 
  This works:
 
  # For the SUDO integration
 
  sudo_provider = ldap
 
  ldap_uri = ldap://test-freeipa-1.cloud.domain.de
 
  ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=native-instruments,dc=de
 
  ldap_sasl_mech = GSSAPI
 
  ldap_sasl_authid = host/test-freeipa-client-3.cloud.domain.de
 
  ldap_sasl_realm = CLOUD.DOMAIN.DE
 
  krb5_server = test-freeipa-2.cloud.domain.de
 
 
  This does not work:
 
  # For the SUDO integration
 
  sudo_provider = ldap
 
  ldap_uri = _srv_
 
  ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
 
  ldap_sasl_mech = GSSAPI
 
  ldap_sasl_authid = host/test-freeipa-client-3.cloud.domain.de
 
  ldap_sasl_realm = CLOUD.DOMAIN.DE
 
  krb5_server = _srv_

 What is the client version?


Re: [Freeipa-users] SSSD in redundant configuration

2015-03-19 Thread Jakub Hrozek
On Thu, Mar 19, 2015 at 05:38:49PM +0100, Andrew Holway wrote:
 Hi Jakub,
 
 Name: ipa-client
 Arch: x86_64
 Version : 3.3.3
 Release : 28.0.1.el7.centos.3

I wasn't precise enough, I meant the sssd version, sorry. But given that
you're on RHEL-7, I think you can switch to:
sudo_provider=ipa

and remove all the ldap_ config parameters as well as krb5_server.



Re: [Freeipa-users] SSSD in redundant configuration

2015-03-18 Thread Rob Crittenden
Craig White wrote:
 *From:*freeipa-users-boun...@redhat.com
 [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Andrew Holway
 *Sent:* Wednesday, March 18, 2015 9:40 AM
 *To:* freeipa-users@redhat.com
 *Subject:* [Freeipa-users] SSSD in redundant configuration
 
 Hello,
 
 I'm wondering how we should be handling SSSD for redundant configurations
 on our freeipa clients. We have three freeipa servers; how can we make
 SSSD check another freeipa in the event that one goes down?
 
 It appears we can do something like the following:
 
 ipa_hostname = test-freeipa-client-1.cloud.domain.de,
 test-freeipa-client-2.cloud.domain.de,
 test-freeipa-client-3.cloud.domain.de
 
 However I thought SRV records were meant to supply the magic here?
 
 Thanks,
 
 Andrew
 
 /etc/sssd/sssd.conf
 
 [domain/cloud.domain.de]
 cache_credentials = True
 krb5_store_password_if_offline = True
 ipa_domain = cloud.domain.de
 id_provider = ipa
 auth_provider = ipa
 access_provider = ipa
 ipa_hostname = test-freeipa-client-2.cloud.domain.de
 chpass_provider = ipa
 ipa_dyndns_update = True
 ipa_server = _srv_, test-freeipa-2.cloud.domain.de
 ldap_tls_cacert = /etc/ipa/ca.crt
 # For the SUDO integration
 sudo_provider = ldap
 ldap_uri = ldap://test-freeipa-1.cloud.domain.de
 ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/test-freeipa-client-2.cloud.domain.de
 ldap_sasl_realm = CLOUD.DOMAIN.DE
 krb5_server = test-freeipa-2.cloud.domain.de
 
 [sssd]
 services = nss, pam, ssh, sudo
 config_file_version = 2
 domains = cloud.domain.de
 
 [nss]
 [pam]
 [sudo]
 [autofs]
 [ssh]
 [pac]
 
 I think the magic you are looking for is in /etc/sssd/sssd.conf where
 you have…
 
 ipa_server = _srv_, test-freeipa-2.cloud.domain.de
 
 and all you need is…
 
 ipa_server = _srv_

_srv_ tells SSSD to check DNS for SRV records. The trailing server gives
it a hardcoded fallback in case DNS fails for some reason. Their current
configuration is correct.

rob



Re: [Freeipa-users] SSSD in redundant configuration

2015-03-18 Thread Craig White
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Andrew Holway
Sent: Wednesday, March 18, 2015 9:40 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] SSSD in redundant configuration

Hello,

I'm wondering how we should be handling SSSD for redundant configurations on our
freeipa clients. We have three freeipa servers; how can we make SSSD check
another freeipa in the event that one goes down?

It appears we can do something like the following:

ipa_hostname = test-freeipa-client-1.cloud.domain.de,
test-freeipa-client-2.cloud.domain.de,
test-freeipa-client-3.cloud.domain.de

However I thought SRV records were meant to supply the magic here?

Thanks,

Andrew


/etc/sssd/sssd.conf
[domain/cloud.domain.de]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = cloud.domain.de
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = test-freeipa-client-2.cloud.domain.de
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, test-freeipa-2.cloud.domain.de
ldap_tls_cacert = /etc/ipa/ca.crt
# For the SUDO integration
sudo_provider = ldap
ldap_uri = ldap://test-freeipa-1.cloud.domain.de
ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/test-freeipa-client-2.cloud.domain.de
ldap_sasl_realm = CLOUD.DOMAIN.DE
krb5_server = test-freeipa-2.cloud.domain.de

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = cloud.domain.de

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]

I think the magic you are looking for is in /etc/sssd/sssd.conf where you have…
ipa_server = _srv_, test-freeipa-2.cloud.domain.de
and all you need is…
ipa_server = _srv_
for magic
Craig