> > I know this may be a loaded question, but I am asking it anyways. > > > > > > Can anyone tell me what the current status and future plan for IPA / > > Samba 4 is? > > We plan to support setting up trusts with Samba4 just like we do with AD > when Samba4 will start supporting Cross-forest trusts. It currently > doesn't. > > Simo. > Yes, its amazing samba4 has finally gone GA. Plan to set up an instance as a backup AD to existing AD some day when I get some time. Not well documented though, wish there was well writen book on it. Anyway backup AD would be the best way to set some experience I am assuming A related question, would there be any need to have a replica when using trust if the AD is just one instance? What I am asking in another way is, if the AD fail, wouldn't the FreeIPA fail to authenticate users till AD issues are fixed? Regards, William > -- > Simo Sorce * Red Hat, Inc * New York > > > > ------------------------------ > > Message: 2 > Date: Mon, 17 Dec 2012 16:03:03 -0500 > From: Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>> > To: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> > Subject: Re: [Freeipa-users] anyone know how to do sssd filters? > Message-ID: <<a href="mailto:50CF8887.9020306@redhat.com">50CF8887.9020306@redhat.com</a>> > Content-Type: text/plain; charset=ISO-8859-1 > > On 12/17/2012 03:11 PM, KodaK wrote: > > I'm attempting to install Satellite in my IPA domain. There is a > > ridiculous requirement that the group "dba" must not already exist > > prior to installing. Red Hat support wanted me to *remove* the DBA > > group and then install. > > > > Anyway, I'm trying to play around with filter_groups in sssd, and I > > can't seem to get it to "take." The man page isn't exactly clear, but > > here's what I've tried: > > > > filter_groups = dba > > filter_groups= dba@fqdn > > > > In the [domain], [sssd] and [nss] sections of the config file. > > > > What's the right syntax? Do I need it in every section? > > > Is it a local group or a central group? > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > <a href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> > > > > > > ------------------------------ > > Message: 3 > Date: Mon, 17 Dec 2012 16:29:00 -0500 > From: Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>> > To: Simo Sorce <<a href="mailto:simo@redhat.com">simo@redhat.com</a>> > Cc: freeipa-users <<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>, Albert Adams > <<a href="mailto:biteoag@gmail.com">biteoag@gmail.com</a>> > Subject: Re: [Freeipa-users] Allow IPA users to create SSH tunnel with > no shell > Message-ID: <<a href="mailto:50CF8E9C.4020508@redhat.com">50CF8E9C.4020508@redhat.com</a>> > Content-Type: text/plain; charset=UTF-8 > > On 12/17/2012 09:36 AM, Simo Sorce wrote: > > On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote: > >> Thank you for the responses. I was initially attempting to set this > >> value via the web UI and if I entered anything other than the hash > >> value of the user's public key it would get rejected. After thinking > >> about your response I realize that I really need to determine a method > >> of doing this via a HBAC rule. If I accomplish this with > >> authorized_keys then the user is restricted across the board and would > >> not be able to gain a shell on any system whereas HBAC would allow me > >> to restrict thier access as needed. We currently require users to > >> tunnel over SSH to gain access to certain sensitive web apps (like > >> Nessus) but those same users have shell access on a few boxes. > >> Thoughts?? > > One thing you could do is to use the override_shell parameter in sssd. > > However this one would override the shell for all users so just > > putting /sbin/nologin there would not work if you need some users to be > > able to log in (if you care only for root logins it would be enough). > > > > However you can still manage to use it to point to a script that would > > test something like whether the user belongs to a group or not, and if > > so run either /bin/bash or /bin/nologin > > > > This seem like a nice feature request for FreeIPA though, maybe we can > > extend HBAC to allow a special option to define a shell, maybe creating > > a special 'shell' service that sssd can properly interpret as a hint to > > set nologin vs the actual shell. > > > > Dmitri, should we open a RFE on this ? > > > > > > Simo. > > > OK , RFE would make sense. > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > <a href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> > > > > > > ------------------------------ > > Message: 4 > Date: Tue, 18 Dec 2012 00:15:42 +0000 > From: Johan Petersson <<a href="mailto:Johan.Petersson@sscspace.com">Johan.Petersson@sscspace.com</a>> > To: "<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > Subject: [Freeipa-users] Problem generating Oracle ZFS Storage > Appliance host and nfs principals and keys to IPA/Free IPA. > Message-ID: > <558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal> > Content-Type: text/plain; charset="iso-8859-1" > > Hi, > > When trying to generate a host and nfs principal + keys from the Oracle ZFS 7120/7320 Appliance i get the following error message (note that the information pasted are from a simulator but i get exactly the same error from our real Appliances). > I can't generate a key on the IPA server and copy it to the Appliance unfortunately it does not support that since it has a specialised webinterface and CLI. > The Appliance wants to generate the principals and keys itself after i add the Kerberos information realm/KDC and admin principal. > > NTP is synced and DNS is working with reverse, no firewalls and SELinux disabled. > > I have tested on both Red Hat/CentOS 6.3 and fedora 17 as IPA servers with the same results. > > Any ideas on what is wrong and if it is possible to get it working? > > > An unanticipated system error occurred: > > failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege) > > Exception type: coXmlrpcFault > Native message: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege) > Mapped stack trace: > > Native file: <undefined> line ? > Native stack trace: > Message: <none> > Wrapped exception: <none> > Stack trace: > <none> > > at <a href="https://192.168.0.112:215/lib/crazyolait/index.js:370:21">https://192.168.0.112:215/lib/crazyolait/index.js:370:21</a> > Additional native members: > faultCode: 600 > faultString: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege) > coStack: top.akMulticall(argv:<array> "[object Object]", abort:true, func:<function> "function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}") > nasServiceNFS.prototype.commit(callback:<function> "function (err) {\n\t\tif (akHandleFault(err, {\n\t\t set: view.aksvc_current_set\n\t\t })) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}") > akSvcView.prototype.commitToServer(enable:false, callback:<function> "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}") > akSvcView.prototype.commit(callback:null) > <anonymous>(<object> "[object Object]", <object> "[object MouseEvent]") > <anonymous>(e:<object> "[object MouseEvent]") > [akEventListenerWrap,click,undefined](e:<object> "[object MouseEvent]") > > faultName: EAK_KADM5 > > In the kadmind.log on the IPA server i get the following: > > Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6 > Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112 > > And in the krb5kdc.log: > > Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) <a href="http://192.168.0.112">192.168.0.112</a>: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database > Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) <a href="http://192.168.0.112">192.168.0.112</a>: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database > > If i add the host in IPA i instead get: > > Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION s4u-client=admin@HOME > Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) <a href="http://192.168.0.112">192.168.0.112</a>: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required > Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) <a href="http://192.168.0.112">192.168.0.112</a>: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: <<a href="https://www.redhat.com/archives/freeipa-users/attachments/20121218/aa8c09ef/attachment.html">https://www.redhat.com/archives/freeipa-users/attachments/20121218/aa8c09ef/attachment.html</a>> > > ------------------------------ > > Message: 5 > Date: Mon, 17 Dec 2012 19:36:29 -0500 > From: Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>> > To: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> > Subject: Re: [Freeipa-users] Problem generating Oracle ZFS Storage > Appliance host and nfs principals and keys to IPA/Free IPA. > Message-ID: <<a href="mailto:50CFBA8D.6070902@redhat.com">50CFBA8D.6070902@redhat.com</a>> > Content-Type: text/plain; charset="iso-8859-1" > > On 12/17/2012 07:15 PM, Johan Petersson wrote: > > Hi, > > > > When trying to generate a host and nfs principal + keys from the > > Oracle ZFS 7120/7320 Appliance i get the following error message (note > > that the information pasted are from a simulator but i get exactly the > > same error from our real Appliances). > > I can't generate a key on the IPA server and copy it to the Appliance > > unfortunately it does not support that since it has a specialised > > webinterface and CLI. > > The Appliance wants to generate the principals and keys itself after i > > add the Kerberos information realm/KDC and admin principal. > > > > NTP is synced and DNS is working with reverse, no firewalls and > > SELinux disabled. > > > > I have tested on both Red Hat/CentOS 6.3 and fedora 17 as IPA servers > > with the same results. > > > > Any ideas on what is wrong and if it is possible to get it working? > > > > > > An unanticipated system error occurred: > > > > failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: > > 43787522 (Operation requires ``add'' privilege) > > Do you have this principal already precreated? > It seems that the client tries to create a principal using its kadmin > library. I am not sure it would work. > The protocol we use in ipa-getkeytab is not a kadmin protocol. As far as > I recall it does an LDAP extended operation. > > > > > Exception type: coXmlrpcFault > > Native message: failed to create principal 'host/zfs1.home@HOME': > > libkadm5clnt error: 43787522 (Operation requires ``add'' privilege) > > Mapped stack trace: > > > > Native file: <undefined> line ? > > Native stack trace: > > Message: <none> > > Wrapped exception: <none> > > Stack trace: > > <none> > > > > at <a href="https://192.168.0.112:215/lib/crazyolait/index.js:370:21">https://192.168.0.112:215/lib/crazyolait/index.js:370:21</a> > > Additional native members: > > faultCode: 600 > > faultString: failed to create principal 'host/zfs1.home@HOME': > > libkadm5clnt error: 43787522 (Operation requires ``add'' privilege) > > coStack: top.akMulticall(argv:<array> "[object Object]", > > abort:true, func:<function> "function (ret, err, idx) {\n\t\t\tif (err > > && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { > > set: widget.aknsn_vs > > });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}") > > nasServiceNFS.prototype.commit(callback:<function> "function (err) > > {\n\t\tif (akHandleFault(err, {\n\t\t set: > > view.aksvc_current_set\n\t\t })) {\n\t\t\tif > > (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t > > */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif > > (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t > > akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif > > (akHandleFault(err)) {\n\t\t\t\tif > > (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif > > (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}") > > akSvcView.prototype.commitToServer(enable:false, callback:<function> > > "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif > > (view.aksvc_done && > > !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}") > > akSvcView.prototype.commit(callback:null) > > <anonymous>(<object> "[object Object]", <object> "[object MouseEvent]") > > <anonymous>(e:<object> "[object MouseEvent]") > > [akEventListenerWrap,click,undefined](e:<object> "[object MouseEvent]") > > > > faultName: EAK_KADM5 > > > > In the kadmind.log on the IPA server i get the following: > > > > Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: > > kadm5_init, admin@HOME, success, client=admin@HOME, > > service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6 > > Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized > > request: kadm5_create_principal, host/zfs1.home@HOME, > > client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112 > > > > And in the krb5kdc.log: > > > > Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 > > 17 16 23 24 3 1}) <a href="http://192.168.0.112">192.168.0.112</a>: CLIENT_NOT_FOUND: root/zfs1.home@HOME > > for krbtgt/HOME@HOME, Client not found in Kerberos database > > Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 > > 17 16 23 24 3 1}) <a href="http://192.168.0.112">192.168.0.112</a>: CLIENT_NOT_FOUND: host/zfs1.home@HOME > > for krbtgt/HOME@HOME, Client not found in Kerberos database > > > > If i add the host in IPA i instead get: > > > > Dec 17 23:48:18 server.home krb5kdc[4016](info): ... > > CONSTRAINED-DELEGATION s4u-client=admin@HOME > > Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 > > 17 16 23 24 3 1}) <a href="http://192.168.0.112">192.168.0.112</a>: NEEDED_PREAUTH: admin@HOME for > > kadmin/server.home@HOME, Additional pre-authentication required > > Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 > > 17 16 23 24 3 1}) <a href="http://192.168.0.112">192.168.0.112</a>: ISSUE: authtime 1355784515, etypes > > {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME > > > > > > _______________________________________________ > > Freeipa-users mailing list > > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > <a href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: <<a href="https://www.redhat.com/archives/freeipa-users/attachments/20121217/7f262831/attachment.html">https://www.redhat.com/archives/freeipa-users/attachments/20121217/7f262831/attachment.html</a>> > > ------------------------------ > > _______________________________________________ > Freeipa-users mailing list > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > End of Freeipa-users Digest, Vol 53, Issue 25 > *********************************************