From marc.schlinger at agorabox.org Fri Jun 4 10:21:00 2010
From: marc.schlinger at agorabox.org (Marc Schlinger)
Date: Fri, 04 Jun 2010 12:21:00 +0200
Subject: [Freeipa-users] Reports and questions
In-Reply-To: <4BDF0D0A.70309@redhat.com>
References: <4BDEDAEE.5090203@agorabox.org> <4BDEEDFE.4020308@redhat.com> <4BDEF4A4.7000909@agorabox.org> <4BDF0688.1030807@redhat.com> <4BDF0D0A.70309@redhat.com>
Message-ID: <4C08D38C.1030505@agorabox.org>

Hello,

At last I did manage to create and use my certs, but with the NSS tools.

I've stopped using the OpenSSL ones, since they are not integrated with FreeIPA. So I encounter no problems.

Last things I'd like to know. I've seen that I was able to modify the content of signed certs through this file:

/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg

In this folder "/var/lib/pki-ca/profiles/ca/" there are a lot of cfg files, but I do not understand how to "choose" them when signing a request.

I'd need very specific certs for an application, with specific extensions, but I don't want to add these extensions to all the certs that can be issued.

Any hints?

Thanks,
Marc Schlinger

From rob.townley at gmail.com Fri Jun 4 15:18:56 2010
From: rob.townley at gmail.com (Rob Townley)
Date: Fri, 4 Jun 2010 10:18:56 -0500
Subject: [Freeipa-users] Dynamic DNS and Kerberos...
In-Reply-To: <1275058932.23651.6.camel@fedora.sistemnet.local>
References: <1275058932.23651.6.camel@fedora.sistemnet.local>
Message-ID:

On Fri, May 28, 2010 at 10:02 AM, Stjepan Gros wrote:
> Hi!
>
> I have a simple question regarding adding hosts in Kerberos when hosts
> are dynamically assigned IP addresses and registered to DNS. In such
> cases, ipa-addservice complains that the host has to have an A record in DNS
> and doesn't want to add a new principal.
>
> So, there are two choices:
>
> 1. temporarily add DNS records, run ipa-addservice, and remove the DNS
> records, or
>
> 2. connect the PC to the network in order for the host to receive an IP address and
> register with DNS, and then run ipa-addservice
>
> Unfortunately, my situation is such that option 2 isn't possible, and
> option 1 seems more like a hack than something systematic.
>
> So, is there a third option?
>
> Stjepan
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

I haven't even installed FreeIPA yet, so someone somewhere has probably already addressed this. Consider these 4 random thoughts:

Why not use an offline IP address and an online IP address?
If a host's normal online address is 10.10.10.125,
the host's offline IP address is 172.16.10.125.
Actually, the offline address is traditionally 0.0.0.0.
Does ipa-addservice work when the DNS entry is 0.0.0.0?
Does ipa-addservice work when multiple hosts have the same zero IP 0.0.0.0?

Some systems pull DNS info from LDAP (pdns-ldap, http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend). So even if the DNS entries are not all there, a precreated LDAP entry could exist. Maybe the --force option does this.

ipa-addservice could use UUID / GUID entries instead of IP addresses.

If the clients are powered on and connected to the internet but not your LAN, then a secondary remotely accessible virtual IP may help, but there is likely a chicken-and-egg problem at this point.

From jamespo.mailinglist at gmail.com Sun Jun 6 22:06:24 2010
From: jamespo.mailinglist at gmail.com (James Po)
Date: Sun, 6 Jun 2010 23:06:24 +0100
Subject: [Freeipa-users] can't reset password on fedora 13
Message-ID:

I've installed (from yum) on Fedora 13 and created a user, but cannot ssh in as that user - it fails to reset the password.

I've disabled iptables & SELinux (for testing purposes) to no avail.

macbook:~ james$ ssh bshit at 192.168.5.58
bshit at 192.168.5.58's password:
Warning: Your password will expire in less than one hour.
Password expired. Change your password now.
Last login: Sun Jun 6 22:25:17 2010 from 192.168.5.249
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user bshit.
Current Password:
New password:
Retype new password:
Warning: Your password will expire in less than one hour.
Warning: Your password will expire in less than one hour.
passwd: Authentication token manipulation error
Connection to 192.168.5.58 closed.

/var/log/secure:

Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info: [Cannot contact any KDC for requested realm]
Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info message: Warning: Your password will expire in less than one hour.
Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info: [Cannot contact any KDC for requested realm]
Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info message: Warning: Your password will expire in less than one hour.
Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): Password change failed for user bshit: 22 (Authentication token lock busy)
Jun 6 22:32:30 ipa passwd: gkr-pam: couldn't update the login keyring password: no old password was entered
Jun 6 22:32:32 ipa sshd[1635]: pam_unix(sshd:session): session closed for user bshit

/var/log/krb5kdc.log:

Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH: bshit at DEV.WEBSCALABILITY.COM for kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional pre-authentication required
Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime 1275859950, etypes {rep=18 tkt=18 ses=18}, bshit at DEV.WEBSCALABILITY.COM for kadmin/changepw at DEV.WEBSCALABILITY.COM
Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH: bshit at DEV.WEBSCALABILITY.COM for kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional pre-authentication required
Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime 1275859950, etypes {rep=18 tkt=18 ses=18}, bshit at DEV.WEBSCALABILITY.COM for kadmin/changepw at DEV.WEBSCALABILITY.COM

From rcritten at redhat.com Mon Jun 7 13:48:29 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 07 Jun 2010 09:48:29 -0400
Subject: [Freeipa-users] Dynamic DNS and Kerberos...
In-Reply-To:
References: <1275058932.23651.6.camel@fedora.sistemnet.local>
Message-ID: <4C0CF8AD.3000600@redhat.com>

Rob Townley wrote:
> On Fri, May 28, 2010 at 10:02 AM, Stjepan Gros wrote:
>> Hi!
>>
>> I have a simple question regarding adding hosts in Kerberos when hosts
>> are dynamically assigned IP addresses and registered to DNS. In such
>> cases, ipa-addservice complains that the host has to have an A record in DNS
>> and doesn't want to add a new principal.
>>
>> So, there are two choices:
>>
>> 1. temporarily add DNS records, run ipa-addservice, and remove the DNS
>> records, or
>>
>> 2. connect the PC to the network in order for the host to receive an IP address and
>> register with DNS, and then run ipa-addservice
>>
>> Unfortunately, my situation is such that option 2 isn't possible, and
>> option 1 seems more like a hack than something systematic.
>>
>> So, is there a third option?
>>
>> Stjepan
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> I haven't even installed FreeIPA yet, so someone somewhere has probably
> already addressed this. Consider these 4 random thoughts:
>
> Why not use an offline IP address and an online IP address?
> If a host's normal online address is 10.10.10.125,
> the host's offline IP address is 172.16.10.125.
> Actually, the offline address is traditionally 0.0.0.0.
> Does ipa-addservice work when the DNS entry is 0.0.0.0?
> Does ipa-addservice work when multiple hosts have the same zero IP 0.0.0.0?
>
> Some systems pull DNS info from LDAP (pdns-ldap,
> http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend). So
> even if the DNS entries are not all there, a precreated LDAP entry
> could exist. Maybe the --force option does this.
>
> ipa-addservice could use UUID / GUID entries instead of IP addresses.
>
> If the clients are powered on and connected to the internet but not
> your LAN, then a secondary remotely accessible virtual IP may help,
> but there is likely a chicken-and-egg problem at this point.

The whole reason for the DNS check is that Kerberos is basically useless without a working DNS system. If hostnames don't match service principals then nothing is going to work, so we enforce it.

We added the --force flag so an admin could work around this if they know what they are doing.

rob

From sgallagh at redhat.com Mon Jun 7 14:04:19 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 07 Jun 2010 10:04:19 -0400
Subject: [Freeipa-users] can't reset password on fedora 13
In-Reply-To:
References:
Message-ID: <4C0CFC63.1070803@redhat.com>

On 06/06/2010 06:06 PM, James Po wrote:
> I've installed (from yum) on Fedora 13 and created a user, but cannot ssh
> in as that user - it fails to reset the password.
>
> I've disabled iptables & SELinux (for testing purposes) to no avail.
>
>
> macbook:~ james$ ssh bshit at 192.168.5.58
> bshit at 192.168.5.58's password:
> Warning: Your password will expire in less than one hour.
> Password expired. Change your password now.
> Last login: Sun Jun 6 22:25:17 2010 from 192.168.5.249
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user bshit.
> Current Password:
> New password:
> Retype new password:
> Warning: Your password will expire in less than one hour.
> Warning: Your password will expire in less than one hour.
> passwd: Authentication token manipulation error
> Connection to 192.168.5.58 closed.
>
>
> /var/log/secure:
>
> Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info:
> [Cannot contact any KDC for requested realm]
> Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info
> message: Warning: Your password will expire in less than one hour.
> Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info:
> [Cannot contact any KDC for requested realm]
> Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info
> message: Warning: Your password will expire in less than one hour.
> Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): Password change
> failed for user bshit: 22 (Authentication token lock busy)
> Jun 6 22:32:30 ipa passwd: gkr-pam: couldn't update the login keyring
> password: no old password was entered
> Jun 6 22:32:32 ipa sshd[1635]: pam_unix(sshd:session): session closed
> for user bshit
>
>
> /var/log/krb5kdc.log:
>
> Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH:
> bshit at DEV.WEBSCALABILITY.COM for
> kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional pre-authentication
> required
> Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime
> 1275859950, etypes {rep=18 tkt=18 ses=18},
> bshit at DEV.WEBSCALABILITY.COM for
> kadmin/changepw at DEV.WEBSCALABILITY.COM
> Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH:
> bshit at DEV.WEBSCALABILITY.COM for
> kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional pre-authentication
> required
> Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime
> 1275859950, etypes {rep=18 tkt=18 ses=18},
> bshit at DEV.WEBSCALABILITY.COM for
> kadmin/changepw at DEV.WEBSCALABILITY.COM

This looks like an error in the SSSD. Could you edit /etc/sssd/sssd.conf, change debug_level=0 to debug_level=9 and then try this again? Then examine /var/log/sssd/krb5_child.log and /var/log/sssd/sssd_.log for clues.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From rcritten at redhat.com Mon Jun 7 14:08:48 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 07 Jun 2010 10:08:48 -0400
Subject: [Freeipa-users] Reports and questions
In-Reply-To: <4C08D38C.1030505@agorabox.org>
References: <4BDEDAEE.5090203@agorabox.org> <4BDEEDFE.4020308@redhat.com> <4BDEF4A4.7000909@agorabox.org> <4BDF0688.1030807@redhat.com> <4BDF0D0A.70309@redhat.com> <4C08D38C.1030505@agorabox.org>
Message-ID: <4C0CFD70.8080400@redhat.com>

Marc Schlinger wrote:
> Hello,
>
> At last I did manage to create and use my certs, but with the NSS tools.
>
> I've stopped using the OpenSSL ones, since they are not integrated with
> FreeIPA. So I encounter no problems.
>
> Last things I'd like to know. I've seen that I was able to modify the
> content of signed certs through this file:
>
> /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
>
>
> In this folder "/var/lib/pki-ca/profiles/ca/" there are a lot of cfg
> files, but I do not understand how to "choose" them when signing a request.
>
> I'd need very specific certs for an application, with specific extensions,
> but I don't want to add these extensions to all the certs that can be
> issued.
>
> Any hints?
>
> Thanks,
> Marc Schlinger

Dogtag issues different types of certificates through the configuration files you're seeing. They call them profiles. IPA supports only a single profile right now, the caIPAserviceCert profile. Adding support for other profiles is possible but would require changes in both the IPA RA backend and in the IPA cert plugin.
If you'd be interested in pursuing that I can give some guidance on how that might be done.

rob

From kozlov at spbcas.ru Tue Jun 8 05:13:05 2010
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Tue, 8 Jun 2010 09:13:05 +0400
Subject: [Freeipa-users] can't reset password on fedora 13
In-Reply-To: <4C0CFC63.1070803@redhat.com>
References: <4C0CFC63.1070803@redhat.com>
Message-ID: <20100608091305.1046ff3e@wave.bio.spbcas.ru>

Hi,

I apologize for not reporting my information on the list earlier.

I have a working installation of FreeIPA v.1 and a few days ago I added an F13 client. I've installed everything from official repos. SSSD caused problems because ipa-client-install made a 'default' domain in sssd.conf and sssd was looking for SRV records in DNS for LDAP and KDC with a '.default' suffix. There are no such records and other FreeIPA clients are happy with that, so I added these lines to sssd.conf:

[domain/default]
....
krb5_kdcip = XXX.XXX.XXX.XXX
ldap_uri = ldap://ldap.example.com
....

Kostya

On Mon, 07 Jun 2010 10:04:19 -0400
Stephen Gallagher wrote:

> On 06/06/2010 06:06 PM, James Po wrote:
> > I've installed (from yum) on Fedora 13 and created a user, but cannot
> > ssh in as that user - it fails to reset the password.
> >
> > I've disabled iptables & SELinux (for testing purposes) to no avail.
> >
> >
> > macbook:~ james$ ssh bshit at 192.168.5.58
> > bshit at 192.168.5.58's password:
> > Warning: Your password will expire in less than one hour.
> > Password expired. Change your password now.
> > Last login: Sun Jun 6 22:25:17 2010 from 192.168.5.249
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user bshit.
> > Current Password:
> > New password:
> > Retype new password:
> > Warning: Your password will expire in less than one hour.
> > Warning: Your password will expire in less than one hour.
> > passwd: Authentication token manipulation error
> > Connection to 192.168.5.58 closed.
> >
> >
> > /var/log/secure:
> >
> > Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info:
> > [Cannot contact any KDC for requested realm]
> > Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info
> > message: Warning: Your password will expire in less than one hour.
> > Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info:
> > [Cannot contact any KDC for requested realm]
> > Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info
> > message: Warning: Your password will expire in less than one hour.
> > Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): Password
> > change failed for user bshit: 22 (Authentication token lock busy)
> > Jun 6 22:32:30 ipa passwd: gkr-pam: couldn't update the login
> > keyring password: no old password was entered
> > Jun 6 22:32:32 ipa sshd[1635]: pam_unix(sshd:session): session
> > closed for user bshit
> >
> >
> > /var/log/krb5kdc.log:
> >
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH:
> > bshit at DEV.WEBSCALABILITY.COM for
> > kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional
> > pre-authentication required
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime
> > 1275859950, etypes {rep=18 tkt=18 ses=18},
> > bshit at DEV.WEBSCALABILITY.COM for
> > kadmin/changepw at DEV.WEBSCALABILITY.COM
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH:
> > bshit at DEV.WEBSCALABILITY.COM for
> > kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional
> > pre-authentication required
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime
> > 1275859950, etypes {rep=18 tkt=18 ses=18},
> > bshit at DEV.WEBSCALABILITY.COM for
> > kadmin/changepw at DEV.WEBSCALABILITY.COM
>
>
> This looks like an error in the SSSD. Could you
> edit /etc/sssd/sssd.conf, change debug_level=0 to debug_level=9
> and then try this again? Then examine /var/log/sssd/krb5_child.log
> and /var/log/sssd/sssd_.log for clues.
>

From jhrozek at redhat.com Tue Jun 8 07:05:58 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 08 Jun 2010 09:05:58 +0200
Subject: [Freeipa-users] can't reset password on fedora 13
In-Reply-To: <20100608091305.1046ff3e@wave.bio.spbcas.ru>
References: <4C0CFC63.1070803@redhat.com> <20100608091305.1046ff3e@wave.bio.spbcas.ru>
Message-ID: <4C0DEBD6.302@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/08/2010 07:13 AM, Konstantin Kozlov wrote:
> I've installed everything from official repos. SSSD caused problems
> because ipa-client-install made a 'default' domain in sssd.conf and
> sssd was looking for SRV records in DNS for LDAP and KDC with
> a '.default' suffix. There are no such records and other FreeIPA clients
> are happy with that, so I added these lines to sssd.conf

Yes, this is a known problem when using authconfig, which I presume ipa-client-install uses. The fix will be in SSSD 1.3 (https://fedorahosted.org/sssd/ticket/479). If you would like to continue using service discovery, you can rename the SSSD domain from default to whatever your IPA domain is.

Also please note that the krb5_kdcip option is named a little misleadingly: it doesn't have to be an IP address, a hostname is OK too.
Jakub
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkwN69YACgkQHsardTLnvCUBGgCfefHDDjBGbr+i7QegFm8uidyG
K2cAoMCfANy8Z5COAXs88ZZNIkeYmeFK
=Mf8q
-----END PGP SIGNATURE-----

From kozlov at spbcas.ru Tue Jun 8 08:05:47 2010
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Tue, 8 Jun 2010 12:05:47 +0400
Subject: [Freeipa-users] can't reset password on fedora 13
In-Reply-To: <4C0DEBD6.302@redhat.com>
References: <4C0CFC63.1070803@redhat.com> <20100608091305.1046ff3e@wave.bio.spbcas.ru> <4C0DEBD6.302@redhat.com>
Message-ID: <20100608120547.56c4206d@wave.bio.spbcas.ru>

On Tue, 08 Jun 2010 09:05:58 +0200
Jakub Hrozek wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 06/08/2010 07:13 AM, Konstantin Kozlov wrote:
> > I've installed everything from official repos. SSSD caused problems
> > because ipa-client-install made a 'default' domain in sssd.conf and
> > sssd was looking for SRV records in DNS for LDAP and KDC with
> > a '.default' suffix. There are no such records and other FreeIPA
> > clients are happy with that, so I added these lines to sssd.conf
>
> Yes, this is a known problem when using authconfig, which I presume
> ipa-client-install uses. The fix will be in SSSD 1.3
> (https://fedorahosted.org/sssd/ticket/479). If you would like to
> continue using service discovery, you can rename the SSSD domain from
> default to whatever your IPA domain is.
>

If I do that, will sssd look for records in DNS with another suffix, or what? I don't have any suffix for such records at all. Do I need to modify DNS records?

> Also please note that the krb5_kdcip option is named a little
> misleadingly: it doesn't have to be an IP address, a hostname is OK too.
>
> Jakub
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkwN69YACgkQHsardTLnvCUBGgCfefHDDjBGbr+i7QegFm8uidyG
> K2cAoMCfANy8Z5COAXs88ZZNIkeYmeFK
> =Mf8q
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From marc.schlinger at agorabox.org Tue Jun 8 12:49:22 2010
From: marc.schlinger at agorabox.org (Marc Schlinger)
Date: Tue, 08 Jun 2010 14:49:22 +0200
Subject: [Freeipa-users] Reports and questions
In-Reply-To: <4C0CFD70.8080400@redhat.com>
References: <4BDEDAEE.5090203@agorabox.org> <4BDEEDFE.4020308@redhat.com> <4BDEF4A4.7000909@agorabox.org> <4BDF0688.1030807@redhat.com> <4BDF0D0A.70309@redhat.com> <4C08D38C.1030505@agorabox.org> <4C0CFD70.8080400@redhat.com>
Message-ID: <4C0E3C52.6030707@agorabox.org>

> Adding support for other profiles is possible but would require
> changes in both the IPA RA backend and in the IPA cert plugin. If
> you'd be interested in pursuing that I can give some guidance on how
> that might be done.
>
> rob

Yes, I'm interested. I will need this feature soon in order to generate "software" client certs, among other things.

Marc Schlinger

From afkkir at gmail.com Thu Jun 10 13:37:25 2010
From: afkkir at gmail.com (ALAHYANE Rachid)
Date: Thu, 10 Jun 2010 15:37:25 +0200
Subject: [Freeipa-users] Modify the mail forgot in the aci "Modify Users"
Message-ID:

Hi,

I am working with ACIs and I noticed that you forgot to add mail to the set of attributes that can be modified:

============================================
ipa aci-find "Modify Users"
---------
aci-find:
---------
(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=gamma,dc=domain,dc=org")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=gamma,dc=domain,dc=org";)
============================================

When I try to fix this problem, I do not know why, my ACI is deleted!
============================================
ipa -v aci-mod "Modify Users" --attrs=mail --memberof=ipausers
ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is not True
ipa: INFO: Created connection context.xmlclient
ipa: INFO: aci_mod(u'Modify Users', attrs=(u'mail',), memberof=u'ipausers')
ipa: INFO: Forwarding 'aci_mod' to server u'https://server.gamma.domain.org/ipa/xml'
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: overlapping arguments and options: ['aciname']
============================================
ipa -v aci-mod --attrs=mail "Modify Users"
ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is not True
ipa: INFO: Created connection context.xmlclient
ipa: INFO: aci_mod(u'Modify Users', attrs=(u'mail',))
ipa: INFO: Forwarding 'aci_mod' to server u'https://server.gamma.domain.org/ipa/xml'
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: ACI with name "Modify Users" not found
============================================
ipa -v aci-show "Modify Users"
ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is not True
ipa: INFO: Created connection context.xmlclient
ipa: INFO: aci_show(u'Modify Users')
ipa: INFO: Forwarding 'aci_show' to server u'https://server.gamma.domain.org/ipa/xml'
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: ACI with name "Modify Users" not found
============================================

I am using the v1.9.0 version and I do not know if it is fixed now.

--
Meilleures salutations / Best Regards
Rachid ALAHYANE

From rcritten at redhat.com Thu Jun 10 14:58:48 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Jun 2010 10:58:48 -0400
Subject: [Freeipa-users] Modify the mail forgot in the aci "Modify Users"
In-Reply-To:
References:
Message-ID: <4C10FDA8.30605@redhat.com>

ALAHYANE Rachid wrote:
> Hi,
>
> I am working with ACIs and I noticed that you forgot to add mail to the
> set of attributes that can be modified:
>
>
> ============================================
> ipa aci-find "Modify Users"
> ---------
> aci-find:
> ---------
> (targetattr = "givenName || sn || cn || displayName || title || initials
> || loginShell || gecos || homePhone || mobile || pager ||
> facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l
> || st || postalCode || manager || secretary || description || carLicense
> || labeledURI || inetUserHTTPURL || seeAlso || employeeType ||
> businessCategory || ou")(target =
> "ldap:///uid=*,cn=users,cn=accounts,dc=gamma,dc=domain,dc=org")(version
> 3.0;acl "Modify Users";allow (write) groupdn =
> "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=gamma,dc=domain,dc=org";)
> ============================================
>
> When I try to fix this problem, I do not know why, my ACI is deleted!
>
> ============================================
> ipa -v aci-mod "Modify Users" --attrs=mail --memberof=ipausers
> ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is
> not True
> ipa: INFO: Created connection context.xmlclient
> ipa: INFO: aci_mod(u'Modify Users', attrs=(u'mail',), memberof=u'ipausers')
> ipa: INFO: Forwarding 'aci_mod' to server
> u'https://server.gamma.domain.org/ipa/xml'
> ipa: INFO: Destroyed connection context.xmlclient
> ipa: ERROR: overlapping arguments and options: ['aciname']
> ============================================
> ipa -v aci-mod --attrs=mail "Modify Users"
> ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is
> not True
> ipa: INFO: Created connection context.xmlclient
> ipa: INFO: aci_mod(u'Modify Users', attrs=(u'mail',))
> ipa: INFO: Forwarding 'aci_mod' to server
> u'https://server.gamma.domain.org/ipa/xml'
> ipa: INFO: Destroyed connection context.xmlclient
> ipa: ERROR: ACI with name "Modify Users" not found
> ============================================
> ipa -v aci-show "Modify Users"
> ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is
> not True
> ipa: INFO: Created connection context.xmlclient
> ipa: INFO: aci_show(u'Modify Users')
> ipa: INFO: Forwarding 'aci_show' to server
> u'https://server.gamma.domain.org/ipa/xml'
> ipa: INFO: Destroyed connection context.xmlclient
> ipa: ERROR: ACI with name "Modify Users" not found
> ============================================
>
>
> I am using the v1.9.0 version and I do not know if it is fixed now.

I don't think it's anything you're doing wrong. Looks like a bug in the aci plugin, I'll take a look.

As an aside though, I wouldn't set ipausers as a memberof on this ACI. What that will do is allow any user to modify any other user. I doubt this is what you want. Even if you did, it would be better to add the ipausers group as a member of the "Modify Users" rolegroup.

rob

From afkkir at gmail.com Thu Jun 10 15:34:39 2010
From: afkkir at gmail.com (ALAHYANE Rachid)
Date: Thu, 10 Jun 2010 17:34:39 +0200
Subject: [Freeipa-users] Modify the mail forgot in the aci "Modify Users"
In-Reply-To: <4C10FDA8.30605@redhat.com>
References: <4C10FDA8.30605@redhat.com>
Message-ID:

Thank you for your response.

> As an aside though, I wouldn't set ipausers as a memberof on this ACI.
> What that will do is allow any user to modify any other user. I doubt this
> is what you want.
>

You are right, it is not what I want to do. My second command is wrong:

ipa -v aci-mod "Modify Users" --attrs=mail --memberof=ipausers

However, what I want to do is modify the "Modify Users" ACI by adding the attribute "mail" to the targetattr. I have not yet assimilated the syntax of the aci commands.

Thanks for the help.

> Even if you did, it would be better to add the ipausers group as a member of
> the "Modify Users" rolegroup.
>
> rob
>

--
Meilleures salutations / Best Regards
Rachid ALAHYANE
From afkkir at gmail.com Thu Jun 10 17:50:57 2010
From: afkkir at gmail.com (ALAHYANE Rachid)
Date: Thu, 10 Jun 2010 19:50:57 +0200
Subject: [Freeipa-users] Modify the mail forgot in the aci "Modify Users"
In-Reply-To:
References: <4C10FDA8.30605@redhat.com>
Message-ID:

I executed this command hoping it would work, but I get some errors:

On my client
======================================
ipa -v aci-mod --taskgroup=modifyusers --permissions=write --attrs=mail --type=user "Modify Users"
ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is not True
ipa: INFO: Created connection context.xmlclient
ipa: INFO: aci_mod(u'Modify Users', taskgroup=u'modifyusers', permissions=(u'write',), attrs=(u'mail',), type=u'user')
ipa: INFO: Forwarding 'aci_mod' to server u'https://server.gamma.domain.org/ipa/xml'
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: an internal error has occurred
======================================

Logs on the server
======================================
==> /var/log/httpd/error_log <==
[Thu Jun 10 18:30:31 2010] [error] ipa: INFO: Created connection context.ldap2
[Thu Jun 10 18:30:31 2010] [error] ipa: DEBUG: raw: aci_mod(u'Modify Users', taskgroup=u'modifyusers', permissions=(u'write',), attrs=(u'mail',), type=u'user')
[Thu Jun 10 18:30:31 2010] [error] ipa: INFO: aci_mod(u'Modify Users', taskgroup=u'modifyusers', permissions=(u'write',), attrs=(u'mail',), type=u'user')
[Thu Jun 10 18:30:31 2010] [error] ipa: ERROR: non-public: KeyError: 'targetfilter'
[Thu Jun 10 18:30:31 2010] [error] Traceback (most recent call last):
[Thu Jun 10 18:30:31 2010] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 206, in wsgi_execute
[Thu Jun 10 18:30:31 2010] [error]     result = self.Command[name](*args, **options)
[Thu Jun 10 18:30:31 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 401, in __call__
[Thu Jun 10 18:30:31 2010] [error]     ret = self.run(*args, **options)
[Thu Jun 10 18:30:31 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 669, in run
[Thu Jun 10 18:30:31 2010] [error]     return self.execute(*args, **options)
[Thu Jun 10 18:30:31 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 374, in execute
[Thu Jun 10 18:30:31 2010] [error]     kw['filter'] = aci.target['targetfilter']['expression']
[Thu Jun 10 18:30:31 2010] [error] KeyError: 'targetfilter'
[Thu Jun 10 18:30:31 2010] [error] ipa: INFO: response: InternalError: an internal error has occurred
[Thu Jun 10 18:30:31 2010] [error] ipa: INFO: Destroyed connection context.ldap2
======================================

Hoping it will help.

NB: Sorry Rob for the duplicate mail ;)

2010/6/10 ALAHYANE Rachid
> Thank you for your response.
>
>
>> As an aside though, I wouldn't set ipausers as a memberof on this ACI.
>> What that will do is allow any user to modify any other user. I doubt this
>> is what you want.
>>
> You are right, it is not what I want to do. My second command is wrong:
> ipa -v aci-mod "Modify Users" --attrs=mail --memberof=ipausers
>
> However, what I want to do is modify the "Modify Users" ACI by adding the
> attribute "mail" to the targetattr. I have not yet assimilated the syntax of
> the aci commands.
>
> Thanks for the help.
>
>
>> Even if you did, it would be better to add the ipausers group as a member
>> of the "Modify Users" rolegroup.
>>
>> rob
>>
>
>
>
> --
> Meilleures salutations / Best Regards
> Rachid ALAHYANE
>

--
Meilleures salutations / Best Regards
Rachid ALAHYANE
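The traceback above stops at `kw['filter'] = aci.target['targetfilter']['expression']` with `KeyError: 'targetfilter'`, and the "Modify Users" ACI printed by `ipa aci-find` earlier in this thread carries a targetattr clause and a target clause but no targetfilter clause at all. The Python below is an added example written for this archive page; it is not FreeIPA's aci plugin nor code posted by anyone in the thread. It parses a 389-ds v3 ACI string into its target clauses and body, adds one attribute to targetattr (what the poster set out to do: add mail), renders the result back into the string form, and then shows, side by side, a conversion that assumes a targetfilter is always present (it raises the same KeyError) and one that treats every target clause as optional. The ACI text is the one from the aci-find output; every function name is my own, and the parser covers only the clause shapes seen in that ACI, not the full ACI grammar.

```python
import re

# Test data: the "Modify Users" ACI exactly as `ipa aci-find` printed it in
# this thread (constructed here as a literal, not fetched from a server).
MODIFY_USERS_ACI = (
    '(targetattr = "givenName || sn || cn || displayName || title || initials '
    '|| loginShell || gecos || homePhone || mobile || pager || '
    'facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l '
    '|| st || postalCode || manager || secretary || description || carLicense '
    '|| labeledURI || inetUserHTTPURL || seeAlso || employeeType || '
    'businessCategory || ou")'
    '(target = "ldap:///uid=*,cn=users,cn=accounts,dc=gamma,dc=domain,dc=org")'
    '(version 3.0;acl "Modify Users";allow (write) groupdn = '
    '"ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=gamma,dc=domain,dc=org";)'
)

# One '(keyword op "value")' target clause; zero or more precede the body.
_TARGET_RE = re.compile(r'\((targetattr|targetfilter|target)\s*(!?=)\s*"([^"]*)"\)')
# The version/acl/permission/bind-rule body that closes the ACI.
_BODY_RE = re.compile(
    r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
    r'\(([^)]*)\)\s*(.*?)\s*;\s*\)$'
)


def parse_aci(aci):
    """Split a 389-ds v3 ACI string into its target clauses and its body."""
    targets, pos = {}, 0
    while True:
        m = _TARGET_RE.match(aci, pos)
        if m is None:
            break
        keyword, op, value = m.groups()
        targets[keyword] = {"operator": op, "expression": value}
        pos = m.end()
    m = _BODY_RE.match(aci, pos)
    if m is None:
        raise ValueError("unrecognised ACI body: %r" % aci[pos:])
    name, action, perms, bindrule = m.groups()
    return {
        "name": name,
        "action": action,
        "permissions": [p.strip() for p in perms.split(",")],
        "bindrule": bindrule,
        "target": targets,   # keyed by clause keyword; any clause may be absent
    }


def render_aci(parsed):
    """Inverse of parse_aci: emit the string form 389-ds stores in the aci attribute."""
    clauses = "".join(
        '(%s %s "%s")' % (keyword, clause["operator"], clause["expression"])
        for keyword, clause in parsed["target"].items()
    )
    return '%s(version 3.0;acl "%s";%s (%s) %s;)' % (
        clauses, parsed["name"], parsed["action"],
        ",".join(parsed["permissions"]), parsed["bindrule"],
    )


def target_attrs(parsed):
    """Attribute names listed in targetattr, or [] when the ACI has no such clause."""
    clause = parsed["target"].get("targetattr")
    if clause is None:
        return []
    return [a.strip() for a in clause["expression"].split("||")]


def add_target_attr(aci, attr):
    """Return the ACI with `attr` added to targetattr; everything else is kept."""
    parsed = parse_aci(aci)
    attrs = target_attrs(parsed)
    if attr not in attrs:
        attrs.append(attr)
    parsed["target"]["targetattr"] = {"operator": "=", "expression": " || ".join(attrs)}
    return render_aci(parsed)


def aci_to_options_unsafe(parsed):
    """Mirrors the failing line in the traceback: indexes targetfilter unconditionally."""
    return {"filter": parsed["target"]["targetfilter"]["expression"]}


def aci_to_options(parsed):
    """Same conversion with every target clause treated as optional."""
    kw = {}
    if "targetfilter" in parsed["target"]:
        kw["filter"] = parsed["target"]["targetfilter"]["expression"]
    if "target" in parsed["target"]:
        kw["subtree"] = parsed["target"]["target"]["expression"]
    if "targetattr" in parsed["target"]:
        kw["attrs"] = target_attrs(parsed)
    return kw


if __name__ == "__main__":
    updated = add_target_attr(MODIFY_USERS_ACI, "mail")
    print(updated)
    print(aci_to_options(parse_aci(updated)))
```

`render_aci(parse_aci(s))` reproduces the original string byte for byte, which is the property you want before writing a modified ACI back with ldapmodify: a round trip that changes anything other than the one clause you touched means the parser misread the rule. The unsafe variant exists only to reproduce the failure mode from the traceback; the safe one is what an aci-mod path has to do, since on a modify (as opposed to an add) the existing rule decides which clauses are present.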
From rcritten at redhat.com Thu Jun 10 17:59:32 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Jun 2010 13:59:32 -0400
Subject: [Freeipa-users] Modify the mail forgot in the aci "Modify Users"
In-Reply-To:
References: <4C10FDA8.30605@redhat.com>
Message-ID: <4C112804.8070807@redhat.com>

ALAHYANE Rachid wrote:
> I execute this command hoping it'll work but I get some errors :
>
> on my client
> ======================================
> ipa -v aci-mod --taskgroup=modifyusers --permissions=write --attrs=mail
> --type=user "Modify Users"
> ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is
> not True
> ipa: INFO: Created connection context.xmlclient
> ipa: INFO: aci_mod(u'Modify Users', taskgroup=u'modifyusers',
> permissions=(u'write',), attrs=(u'mail',), type=u'user')
> ipa: INFO: Forwarding 'aci_mod' to server
> u'https://server.gamma.domain.org/ipa/xml'
> ipa: INFO: Destroyed connection context.xmlclient
> ipa: ERROR: an internal error has occurred
> ======================================
>
> logs on the server
> ======================================
> ==> /var/log/httpd/error_log <==
> [Thu Jun 10 18:30:31 2010] [error] ipa: INFO: Created connection
> context.ldap2
> [Thu Jun 10 18:30:31 2010] [error] ipa: DEBUG: raw: aci_mod(u'Modify
> Users', taskgroup=u'modifyusers', permissions=(u'write',),
> attrs=(u'mail',), type=u'user')
> [Thu Jun 10 18:30:31 2010] [error] ipa: INFO: aci_mod(u'Modify Users',
> taskgroup=u'modifyusers', permissions=(u'write',), attrs=(u'mail',),
> type=u'user')
> [Thu Jun 10 18:30:31 2010] [error] ipa: ERROR: non-public: KeyError:
> 'targetfilter'
> [Thu Jun 10 18:30:31 2010] [error] Traceback (most recent call last):
> [Thu Jun 10 18:30:31 2010] [error]   File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 206, in
> wsgi_execute
> [Thu Jun 10 18:30:31 2010] [error]     result =
> self.Command[name](*args, **options)
> [Thu Jun 10 18:30:31 2010] [error]   File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 401, in __call__
> [Thu Jun 10 18:30:31 2010] [error]     ret = self.run(*args, **options)
> [Thu Jun 10 18:30:31 2010] [error]   File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 669, in run
> [Thu Jun 10 18:30:31 2010] [error]     return self.execute(*args, **options)
> [Thu Jun 10 18:30:31 2010] [error]   File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 374, in
> execute
> [Thu Jun 10 18:30:31 2010] [error]     kw['filter'] =
> aci.target['targetfilter']['expression']
> [Thu Jun 10 18:30:31 2010] [error] KeyError: 'targetfilter'
> [Thu Jun 10 18:30:31 2010] [error] ipa: INFO: response: InternalError:
> an internal error has occurred
> [Thu Jun 10 18:30:31 2010] [error] ipa: INFO: Destroyed connection
> context.ldap2
> ======================================
>
> Hoping it will help.
>
> NB : Sorry Rob for the duplicate mail ;)

No worries, thanks for your persistence :-)

It looks like this plugin is just plain broken. I wrote it for use internally as an aid to write the original ACIs and hadn't intended on shipping it. I decided that I didn't know everything about what other users would want in an ACI so I cleaned it up a little and went ahead and included it. Looks like it needs some more attention.

As I'm sure you've seen there are a ton of options in ACIs, some of which are mutually exclusive. I think this bug is related to an attempt at enforcing that and it looks like I assume there will always be a target filter. On a change this is likely to not be true.

regards

rob

From marc.schlinger at agorabox.org Fri Jun 11 16:21:07 2010
From: marc.schlinger at agorabox.org (Marc Schlinger)
Date: Fri, 11 Jun 2010 18:21:07 +0200
Subject: [Freeipa-users] CLIENT KEY EXPIRED right after an ipa-join
Message-ID: <4C126273.40301@agorabox.org>

hello all,

I'm doing bulk enrollment, with ipa-client-install -w mypassword.
But after this command when I launch #id test-user, I see in the kdc log that the client key for my host principal has expired, and the command fails.

This is because the host principal has the krbPasswordExpiration set to the time at which the client joined.

Am I missing a step or is this behaviour not normal?

Marc SCHLINGER

From rcritten at redhat.com Fri Jun 11 17:42:45 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jun 2010 13:42:45 -0400
Subject: [Freeipa-users] Reports and questions
In-Reply-To: <4C0E3C52.6030707@agorabox.org>
References: <4BDEDAEE.5090203@agorabox.org> <4BDEEDFE.4020308@redhat.com> <4BDEF4A4.7000909@agorabox.org> <4BDF0688.1030807@redhat.com> <4BDF0D0A.70309@redhat.com> <4C08D38C.1030505@agorabox.org> <4C0CFD70.8080400@redhat.com> <4C0E3C52.6030707@agorabox.org>
Message-ID: <4C127595.7020902@redhat.com>

Marc Schlinger wrote:
>
>> Adding support for other profiles is possible but would require
>> changes in both the IPA RA backend and in the IPA cert plugin. If
>> you'd be interested in pursuing that I can give some guidance on how
>> that might be done.
>>
>> rob
>
> Yes, I'm interested, I will need this feature soon in order to generate
> "software" client certs among other things.
> Marc Schlinger

Ok, this is sort of off the top of my head but it should point you in the right direction.

There are two things that need to change. You need a way to specify the profile when requesting the cert on the client side (using the ipa command) and on the server for requesting the right profile.

I would add a --profile or --type argument to takes_options in cert_request(), something like:

    StrEnum('type?',
        cli_name='type',
        label=_('Certificate type'),
        values=(u'user', u'service', u'specialservice'),
    ),

Next you need to tell the backend what to do with this.
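The two changes Rob sketches in this reply (a client-side certificate type option and a server-side mapping from that type to a Dogtag profile), put together as an added Python example that is not FreeIPA's code and not Rob's. The point it demonstrates is that the profile choice stays behind a fixed allowlist on the server: a caller can only name a type, never a raw profileId, so it cannot steer a request to an arbitrary CA profile. CERT_TYPES, PROFILE_TYPES, REQUEST_TYPES, build_profile_submit_params and the PEM header check are assumptions made for this example; 'foo' is the placeholder profile ID from the reply, and SAMPLE_CSR is a constructed stand-in rather than a real request.

```python
# Added example, not FreeIPA or Rob's code: server-side selection of a Dogtag
# profile from a client-supplied certificate *type*.  CERT_TYPES, PROFILE_TYPES,
# REQUEST_TYPES and the function names are assumptions for this example.

# Values of the StrEnum option from the reply; the CLI rejects anything else.
CERT_TYPES = (u'user', u'service', u'specialservice')

# Server-side mapping.  The client names a type; the server picks the profile,
# so a caller cannot ask the CA for an arbitrary profileId.
PROFILE_TYPES = {
    u'user': 'caUserCert',
    u'service': 'caIPAserviceCert',
    u'specialservice': 'foo',   # placeholder profile ID, as in the reply
}

# Request encodings accepted here.  Only pkcs10 appears in the reply, so the
# allowlist is restricted to it (assumption) until another format is enabled.
REQUEST_TYPES = ('pkcs10',)

PEM_HEADERS = ('-----BEGIN CERTIFICATE REQUEST-----',
               '-----BEGIN NEW CERTIFICATE REQUEST-----')


def is_allowed_type(cert_type):
    """True only for a type that both the CLI enum and the mapping know."""
    return cert_type in CERT_TYPES and cert_type in PROFILE_TYPES


def profile_for_type(cert_type):
    """Resolve a certificate type to its Dogtag profile ID, or raise."""
    if not is_allowed_type(cert_type):
        raise ValueError('unknown certificate type: %r' % (cert_type,))
    return PROFILE_TYPES[cert_type]


def looks_like_pem_csr(csr):
    """Cheap shape check before a request is forwarded to the CA."""
    text = csr.strip()
    return text.startswith(PEM_HEADERS) and text.endswith('REQUEST-----')


def build_profile_submit_params(csr, request_type='pkcs10', cert_type=u'service'):
    """Parameters for /ca/ee/ca/profileSubmitSSLClient, mirroring the keyword
    arguments of the _sslget() call in the reply."""
    if request_type not in REQUEST_TYPES:
        raise ValueError('unsupported request type: %r' % (request_type,))
    if request_type == 'pkcs10' and not looks_like_pem_csr(csr):
        raise ValueError('cert_request is not a PEM-encoded PKCS#10 request')
    return {
        'profileId': profile_for_type(cert_type),
        'cert_request_type': request_type,
        'cert_request': csr,
        'xml': 'true',
    }


# Constructed stand-in for a CSR; the body is not a real request.
SAMPLE_CSR = ('-----BEGIN CERTIFICATE REQUEST-----\n'
              'MIIBconstructedexample==\n'
              '-----END CERTIFICATE REQUEST-----\n')

if __name__ == '__main__':
    print(build_profile_submit_params(SAMPLE_CSR, cert_type=u'user')['profileId'])
```

Whatever option name is finally chosen, the validation should live in the server plugin as well as in the CLI StrEnum: the XML-RPC endpoint the CLI forwards to can be called by anything that holds a valid ticket, so the enum on the client is convenience, not enforcement.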
Update ipaserver/plugins/dogtag.py to look something like:

    def request_certificate(self, csr, request_type='pkcs10', type=u'service'):

I would add a dictionary somewhere in here that defines something like:

    profile_types = {u'user': 'caUserCert',
                     u'service': 'caIPAserviceCert',
                     u'specialservice': 'foo'}

Then change the call that actually submits the request:

    self._sslget('/ca/ee/ca/profileSubmitSSLClient', self.env.ca_ee_port,
                 profileId=profile_types[type],
                 cert_request_type=request_type,
                 cert_request=csr,
                 xml='true')

This only gets you part of the way. Currently it is hardcoded in ipalib/plugins/cert.py that we request only service certificates, requiring a service principal to make a request. The resulting certificate is stored within that principal. You'd have to do something differently for other cert types.

rob

From rcritten at redhat.com Fri Jun 11 18:23:40 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jun 2010 14:23:40 -0400
Subject: [Freeipa-users] CLIENT KEY EXPIRED right after an ipa-join
In-Reply-To: <4C126273.40301@agorabox.org>
References: <4C126273.40301@agorabox.org>
Message-ID: <4C127F2C.7030706@redhat.com>

Marc Schlinger wrote:
> hello all,
>
> I'm doing bulk enrollment, with ipa-client-install -w mypassword.
>
> But after this command when I launch #id test-user, I see in the kdc log
> that the client key for my host principal has expired, and the command
> fails.
>
> This is because the host principal has the krbPasswordExpiration set to
> the time at which the client joined.
>
> Am I missing a step or is this behaviour not normal?

I see the krbPasswordExpiration attribute getting set as you describe, which is probably a side-effect from having a userPassword defined. I'll see if I can remove this.

Otherwise I can't duplicate this behavior.
My host principal is technically expired but sssd works fine and I can kinit as the principal and use it against the management framework:

# kinit -kt /etc/krb5.keytab host/panther.example.com
# getent passwd admin
admin:*:1881057830:1881057830:Administrator:/home/admin:/bin/bash
# id admin
uid=1881057830(admin) gid=1881057830(admin) groups=1881057830(admin)
# ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Groups: admins
  Rolegroups: replicaadmin
  Taskgroups: managereplica, deletereplica

rob

From rcritten at redhat.com Fri Jun 11 20:18:33 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jun 2010 16:18:33 -0400
Subject: [Freeipa-users] CLIENT KEY EXPIRED right after an ipa-join
In-Reply-To: <4C127F2C.7030706@redhat.com>
References: <4C126273.40301@agorabox.org> <4C127F2C.7030706@redhat.com>
Message-ID: <4C129A19.9090005@redhat.com>

Rob Crittenden wrote:
> Marc Schlinger wrote:
>> hello all,
>>
>> I'm doing bulk enrollment, with ipa-client-install -w mypassword.
>>
>> But after this command when I launch #id test-user, I see in the kdc
>> log that the client key for my host principal has expired, and the
>> command fails.
>>
>> This is because the host principal has the krbPasswordExpiration set
>> to the time at which the client joined.
>>
>> Am I missing a step or is this behaviour not normal?
>
> I see the krbPasswordExpiration attribute getting set as you describe,
> which is probably a side-effect from having a userPassword defined. I'll
> see if I can remove this.
>
> Otherwise I can't duplicate this behavior.
> My host principal is technically expired but sssd works fine and I can
> kinit as the principal and use it against the management framework:
>
> # kinit -kt /etc/krb5.keytab host/panther.example.com
> # getent passwd admin
> admin:*:1881057830:1881057830:Administrator:/home/admin:/bin/bash
> # id admin
> uid=1881057830(admin) gid=1881057830(admin) groups=1881057830(admin)
> # ipa user-show admin
>   User login: admin
>   Last name: Administrator
>   Home directory: /home/admin
>   Login shell: /bin/bash
>   Groups: admins
>   Rolegroups: replicaadmin
>   Taskgroups: managereplica, deletereplica
>
> rob

Ok, I figured out why the expiration date was getting set. We have a pre-bind function that we use for migrating users imported from an LDAP server. The idea is that the first time you bind with your LDAP password it will create kerberos credentials for you if they don't exist. We don't want to execute this when a host is enrolling with a one-time password.

I added some code so it skips this in the case of a host principal. See ipa-devel for the patch.

rob

From dpal at redhat.com Tue Jun 15 19:31:07 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 15 Jun 2010 15:31:07 -0400
Subject: [Freeipa-users] Process improvements in the IPA project
Message-ID: <4C17D4FB.8090304@redhat.com>

Hello,

We had some delay with the implementation of the UI for v2. Now that the problems are cleared we are marching forward towards the end of the project cycle.

As we dive more and more into the details of the implementation related to the UI we get more and more questions. Since the UI is the most user-facing component of the project we want to have a broader discussion and hear your opinion. Sorry that we have not been that open in the past. We should have been but that slipped through the cracks a bit.

Also recently we started to track our remaining work using a trac instance connected to the project.
If you are interested in where we are and what we are doing or have an issue you would like to report please use the trac instance at:
https://fedorahosted.org/freeipa

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue Jun 15 19:59:34 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 15 Jun 2010 15:59:34 -0400
Subject: [Freeipa-users] [Freeipa-devel] Process improvements in the IPA project
In-Reply-To: <4C17D4FB.8090304@redhat.com>
References: <4C17D4FB.8090304@redhat.com>
Message-ID: <4C17DBA6.1080000@redhat.com>

Dmitri Pal wrote:
> Hello,
>
> We had some delay with the implementation of the UI for v2. Now when the
> problems are cleared we are marching forward towards the end of the
> project cycle.
> As we dive more and more into the details of the implementation related
> to the UI we get more and more questions. Since the UI is the most user
> facing component of the project we want to have a broader discussion and
> hear your opinion. Sorry that we have not been that open in the past. We
> should have been but that slipped through the cracks a bit.
>
> Also recently we started to track our remaining work using trac instance
> connected to the project.
> If you are interested in where we are and what we are doing or have an
> issue you would like to report please use trac instance at:
> https://fedorahosted.org/freeipa

The new UI screens and site roadmap are published here:
http://www.freeipa.org/page/Second_Round_Of_UI_design

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue Jun 15 20:28:23 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 15 Jun 2010 16:28:23 -0400
Subject: [Freeipa-users] Question about administrative granularity
Message-ID: <4C17E267.8050408@redhat.com>

Hello,

Please join the discussion around the following ticket:
https://fedorahosted.org/freeipa/ticket/47

Instead of adding a comment there I would comment here:

Approach 1: Identify privileged and non-privileged users by dynamically looking at their ACIs, show the UI that is applicable to the user based on this dynamic evaluation
Pros: Most dynamic approach
Cons: can get too complex and performance costly

Approach 2: Create fixed views of the items in the system (that can in future be adjusted)

Unprivileged view - brings the user right to the self service screen. In future it can be extended to other screens like: what hosts I am allowed to access; search for user contact information etc.

Low level privileged user - this user probably can manage some identities (users, user groups, hosts, host groups, and netgroups) but he will not see other menu choices so he will be brought to choose an item under the "identities" panel right away. Top level choices will not be available to him.

Medium level privileged user - will see identities and policies

High level user - sees everything.

Now we can say that each of the 4 described UI views can be represented by a configuration entry in the back end that would describe which menu items are available in each of the four views. We can come up with the schema - it is not a problem. If we go this route we will have 4 configurable layouts that can be adjusted by admins based on the specific deployment use cases.

The actual fields that will be shown to the user depend on his ACI. This is a separate discussion.
If we go this route we will need some smarts around the cases when the top level menu has just one item or there is just one item left in the sub menu panel but I think we can work it out.

Next step is to say that we in future would allow creation of new configurations so that we are not limited to just 4 predefined. Maybe we should allow it right away? It is a separate topic that can be deferred.

Next we need to associate the user with the view. There are traditionally two ways of doing it:

* Via groups
* Via attributes

In the case of groups we would effectively have to create a corresponding group for each of the configuration entries we have. The view config entry will have a reference to the DN of the corresponding group. Placing the user into the group will relate him to the corresponding view.

The logic of the resolution of which view to use will be the following:

* Get current user based on his kerberos ticket
* Get the list of views in the ascending priority order
* For each view get a referenced group entry
* Check if user is a member of the group
* The first group he is found in will identify the view to use
* If user is not found in any group assume lowest level view

The group entry can be created automatically using the managed entry plugin when the view config entry is created.

If we decide to use the attributes we have to add an attribute to each user entry (or to some and assume absence as unprivileged). We would have to invent the method of doing bulk assignments in UI and CLI. This approach seems less straightforward than using groups.

So I would vote for the config entry + managed group approach described above. If there are no objections I will come up with the schema for those.

Comments welcome!

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
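The view-resolution steps listed in Dmitri's message above, run against constructed data as an added Python example; this is not FreeIPA code and not part of the message. The View record, the group DNs, the DIRECTORY stand-in for the directory server and the function names are assumptions made for this example; the "current user from his kerberos ticket" step is modelled as a principal-name lookup.

```python
# Added example, not FreeIPA code: the view-resolution walk from the proposal
# (ascending priority, first matching group wins, lowest view as fallback).
# View, VIEWS, DIRECTORY and the function names are assumptions for this example.
from collections import namedtuple

# A view config entry: its priority and the DN of the managed group it references.
View = namedtuple('View', 'name priority group_dn')

BASE = 'cn=groups,cn=accounts,dc=example,dc=com'   # constructed suffix

VIEWS = [
    View('full',                40, 'cn=view-full,' + BASE),
    View('identities-policies', 30, 'cn=view-medium,' + BASE),
    View('identities',          20, 'cn=view-low,' + BASE),
    View('self-service',        10, None),   # unprivileged view: no group, the fallback
]

# Constructed stand-in for the directory: principal -> memberOf DNs.
DIRECTORY = {
    'alice@EXAMPLE.COM': ['cn=view-low,' + BASE, 'cn=ipausers,' + BASE],
    'bob@EXAMPLE.COM':   ['cn=ipausers,' + BASE],
    'carol@EXAMPLE.COM': ['cn=view-full,' + BASE, 'cn=view-low,' + BASE],
}


def lowest_view(views):
    """The lowest-level view, used when the user is in no view group."""
    return min(views, key=lambda v: v.priority)


def resolve_view(member_of, views):
    """Walk the views in ascending priority order; the first view whose
    referenced group the user belongs to identifies the view to use."""
    # DN comparison is case-insensitive; lower-casing is a simplification
    # that is good enough for the constructed DNs here.
    groups = {dn.lower() for dn in member_of}
    for view in sorted(views, key=lambda v: v.priority):
        if view.group_dn and view.group_dn.lower() in groups:
            return view.name
    return lowest_view(views).name


def view_for_principal(principal, directory=DIRECTORY, views=VIEWS):
    """'Get current user based on his kerberos ticket', modelled as a lookup of
    the principal's group memberships in the constructed directory."""
    return resolve_view(directory.get(principal, []), views)


if __name__ == '__main__':
    for who in sorted(DIRECTORY):
        print(who, '->', view_for_principal(who))
```

One consequence of the ascending walk is visible in the constructed data: carol is in both the "identities" and the "full" group and resolves to "identities", because the lower-priority group is checked first. If a user may legitimately sit in several view groups and the most capable view is the intended result, the walk has to run in descending priority instead; the proposal as written gives the least privileged match, which is the safer default.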
www.redhat.com/carveoutcosts/

From sgros at zemris.fer.hr Wed Jun 16 19:41:08 2010
From: sgros at zemris.fer.hr (Stjepan Gros)
Date: Wed, 16 Jun 2010 21:41:08 +0200
Subject: [Freeipa-users] Problem with FreeIPA and Samba 3...
Message-ID: <1276717268.3649.6.camel@w500.sistemnet.local>

Hi all,

I'm trying to integrate Samba 3 into a FreeIPA domain. After following the instructions given in this mailing list (http://www.mail-archive.com/freeipa-users at redhat.com/msg00111.html) I'm unable to add new users. The ipa-adduser command complains with the following error message:

A database error occurred: Object class violation: missing attribute "sambaSID" required by object class "sambaSamAccount"

It seems as if the ipa-dna plugin isn't working, i.e. isn't adding the sambaSID attribute.

Here are the relevant entries from LDAP (with mangled domains):

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Distributed Numeric Assignment Plugin
nsslapd-pluginInitfunc: dna_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libdna-plugin
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Distributed Numeric Assignment
nsslapd-pluginVersion: 1.2.5
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Distributed Numeric Assignment plugin

# sambaGroupType, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: sambaGroupType
dnatype: sambaGroupType
dnainterval: 0
dnamagicregen: ASSIGN
dnafilter: (objectClass=sambaGroupMapping)
dnanextvalue: 2

# SambaSid, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-2932961863-1130097162-856551529
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
dnascope: dc=example,dc=com
cn: SambaSid
dnanextvalue: 15277

Can someone shed light on what's going on, or how to debug these problems? In the log files (/var/log/dirsrv/dirsrv-EXAMPLE-COM) there is nothing useful.

SG

P.S. dnaprefix has to end with a hyphen, but I don't believe it's the problem.

From ssorce at redhat.com Wed Jun 16 21:06:10 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 16 Jun 2010 17:06:10 -0400
Subject: [Freeipa-users] Problem with FreeIPA and Samba 3...
In-Reply-To: <1276717268.3649.6.camel@w500.sistemnet.local>
References: <1276717268.3649.6.camel@w500.sistemnet.local>
Message-ID: <20100616170610.7e4f37a8@willson.li.ssimo.org>

On Wed, 16 Jun 2010 21:41:08 +0200
Stjepan Gros wrote:

> Hi all,
>
> I'm trying to integrate Samba 3 into FreeIPA domain. After following
> the instructions given in this mailing list
> (http://www.mail-archive.com/freeipa-users at redhat.com/msg00111.html)
> I'm unable to add new users. The ipa-adduser command complains with
> the following error message:
>
> A database error occurred: Object class violation: missing attribute
> "sambaSID" required by object class "sambaSamAccount"
>
> It seems as if ipa-dna plugin isn't working, i.e. isn't adding
> sambaSID attribute.
>
> Here are the relevant entries from LDAP (with mangled domains):
>
> dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: nsContainer
> cn: Distributed Numeric Assignment Plugin
> nsslapd-pluginInitfunc: dna_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginPath: libdna-plugin
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginId: Distributed Numeric Assignment
> nsslapd-pluginVersion: 1.2.5
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: Distributed Numeric Assignment plugin
>
> # sambaGroupType, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: sambaGroupType
> dnatype: sambaGroupType
> dnainterval: 0
> dnamagicregen: ASSIGN
> dnafilter: (objectClass=sambaGroupMapping)
> dnanextvalue: 2
>
> # SambaSid, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> dnatype: sambaSID
> dnaprefix: S-1-5-21-2932961863-1130097162-856551529
> dnainterval: 1
> dnamagicregen: assign
> dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
> dnascope: dc=example,dc=com
> cn: SambaSid
> dnanextvalue: 15277
>
> Can someone sched ligth on what's going on, or how to debug these
> problems? In the log files (/var/log/dirsrv/dirsrv-EXAMPLE-COM) there
> is nothing useful.
>
> SG
>
> P.S. dnaprefix has to end with hyphen, but I don't believe it's the
> problem.

It is not, the instructions in that thread are wrong.

We already debugged them with another user, and there are quite a few things that need to be changed.
First of all sambaGroupType is a fixed value, not a counter, so the DNA configuration for it just needs to be removed.

Second, in IPA v1.2.2 we are still using the embedded DNA plugin, so the DNs in that configuration are incorrect for v1.2.2; the DN to be used IIRC is cn=ipa-dna,cn=plugins,cn=config

There may be something else we found that I am missing, but these 2 are pretty fundamental things.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgros at zemris.fer.hr Thu Jun 17 09:38:45 2010
From: sgros at zemris.fer.hr (Stjepan Gros)
Date: Thu, 17 Jun 2010 11:38:45 +0200
Subject: [Freeipa-users] Problem with FreeIPA and Samba 3...
In-Reply-To: <20100616170610.7e4f37a8@willson.li.ssimo.org>
References: <1276717268.3649.6.camel@w500.sistemnet.local> <20100616170610.7e4f37a8@willson.li.ssimo.org>
Message-ID: <1276767525.3738.10.camel@w500.sistemnet.local>

On Wed, 2010-06-16 at 17:06 -0400, Simo Sorce wrote:
> On Wed, 16 Jun 2010 21:41:08 +0200
> Stjepan Gros wrote:
>
> > Hi all,
> >
> > I'm trying to integrate Samba 3 into FreeIPA domain. After following
> > the instructions given in this mailing list
> > (http://www.mail-archive.com/freeipa-users at redhat.com/msg00111.html)
> > I'm unable to add new users. The ipa-adduser command complains with
> > the following error message:
> >
> > A database error occurred: Object class violation: missing attribute
> > "sambaSID" required by object class "sambaSamAccount"
> >
> > It seems as if ipa-dna plugin isn't working, i.e. isn't adding
> > sambaSID attribute.
> >
> > Here are the relevant entries from LDAP (with mangled domains):
> >
> > dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > objectClass: top
> > objectClass: nsSlapdPlugin
> > objectClass: extensibleObject
> > objectClass: nsContainer
> > cn: Distributed Numeric Assignment Plugin
> > nsslapd-pluginInitfunc: dna_init
> > nsslapd-pluginType: preoperation
> > nsslapd-pluginEnabled: on
> > nsslapd-pluginPath: libdna-plugin
> > nsslapd-plugin-depends-on-type: database
> > nsslapd-pluginId: Distributed Numeric Assignment
> > nsslapd-pluginVersion: 1.2.5
> > nsslapd-pluginVendor: 389 Project
> > nsslapd-pluginDescription: Distributed Numeric Assignment plugin
> >
> > # sambaGroupType, Distributed Numeric Assignment Plugin, plugins, config
> > dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > objectClass: top
> > objectClass: extensibleObject
> > cn: sambaGroupType
> > dnatype: sambaGroupType
> > dnainterval: 0
> > dnamagicregen: ASSIGN
> > dnafilter: (objectClass=sambaGroupMapping)
> > dnanextvalue: 2
> >
> > # SambaSid, Distributed Numeric Assignment Plugin, plugins, config
> > dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > objectClass: top
> > objectClass: extensibleObject
> > dnatype: sambaSID
> > dnaprefix: S-1-5-21-2932961863-1130097162-856551529
> > dnainterval: 1
> > dnamagicregen: assign
> > dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
> > dnascope: dc=example,dc=com
> > cn: SambaSid
> > dnanextvalue: 15277
> >
> > Can someone sched ligth on what's going on, or how to debug these
> > problems? In the log files (/var/log/dirsrv/dirsrv-EXAMPLE-COM) there
> > is nothing useful.
> >
> > SG
> >
> > P.S. dnaprefix has to end with hyphen, but I don't believe it's the
> > problem.
>
> It is not, the instructions in that thread are wrong.
>
> We already debugged them with another user, and there are quite a few
> things that need to be changed.
>
> First of all sambaGroupType is a fixed value, not a counter, so the
> DNA configuration for it just need to be removed.
>
> Second, in IPa v1.2.2 we are still using the embedded DNA plugin, so
> the DNS in that configuration are incorrect for v1.2.2, the DN to be
> used IIRC is cn=ipa-dna,cn=plugins,cn=config
>
> There may be something else we found I am missing, but these 2 are
> pretty fundamental things.

First, thank you for your help. It saves me a lot of time. And I hope that I'll document the whole procedure for the others.

One important general question. Are there any changes in FreeIPA 2 that will invalidate all this procedure?

Back to the main problem, I removed the entries for DNA that were in a wrong place and after adding DNA configuration for sambaSID in cn=ipa-dna,cn=plugins,cn=config I can now add users. All the samba related attributes are added to a new user after I set the initial password.

But I can not login using smbclient because samba thinks that the password is expired. Either I have to set X in samba flags (password never expires) or I have to properly initialize password related fields for samba. Setting password fields would be preferable, is it possible and how?

An easier way (and necessary in case of groups) is to set a fixed value when creating new users and groups. The question is, is it possible to configure the DNA plugin to set a fixed value, or is there a specialized (or more appropriate) plugin for that?

SG

From ssorce at redhat.com Thu Jun 17 15:26:46 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 17 Jun 2010 11:26:46 -0400
Subject: [Freeipa-users] Problem with FreeIPA and Samba 3...
In-Reply-To: <1276767525.3738.10.camel@w500.sistemnet.local>
References: <1276717268.3649.6.camel@w500.sistemnet.local> <20100616170610.7e4f37a8@willson.li.ssimo.org> <1276767525.3738.10.camel@w500.sistemnet.local>
Message-ID: <20100617112646.34711ac3@willson.li.ssimo.org>

On Thu, 17 Jun 2010 11:38:45 +0200
Stjepan Gros wrote:

> First, thank you for your help. It saves me a lot of time. And I hope
> that I'll document the whole procedure for the others. One important
> general question. Are there any changes in FreeIPA 2 that will
> invalidate all this procedure?

It will not invalidate it, but in v2 we use the plugin provided from DS directly and do not build our own version anymore so the DN of the config changes to the one you were using before.

> Back to the main problem, I removed the entries for DNA that were in a
> wrong place and after adding DNA configuration for sambaSID in
> cn=ipa-dna,cn=plugins,cn=config I can now add users. All the samba
> related attributes are added to a new user after I set initial
> password.
>
> But I can not login using smbclient because samba thinks that the
> password is expired. Either I have to set X in samba flags (password
> never expires) or I have to properly initialize password related
> fields for samba. Setting password fields would be preferable, is it
> possible and how?
>
> Easier way (and necessary in case of groups) is to set fixed value
> when creating new users and groups. The question is, is it possible to
> configure DNA plugin to set fixed value, or there is specialized (or
> more appropriate) plugin for that?

Unfortunately in v1.x we didn't have enough infrastructure to make it easier to set additional attributes beyond the default ones we set on user/group creation. v2.x should make this possible.

Simo.
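The DNA configuration discussed in this thread, turned into a small checker as an added Python example; this is not FreeIPA code and not part of any message here. It applies the three points the thread establishes: the sambaGroupType range is a counter where a fixed value belongs (Simo), the range entries must sit under the right plugin container for the IPA version (cn=ipa-dna,cn=plugins,cn=config for 1.2.2 per Simo's "IIRC", the Directory Server plugin DN for v2), and dnaprefix must end with a hyphen (Stjepan's P.S.), which the checker shows concretely by composing the SID that DNA would store next. The LDIF parser, SID pattern, DNA_CONTAINER table and check_dna_config are assumptions for this example; BROKEN_LDIF and FIXED_LDIF are constructed from the entries pasted earlier in the thread, with the mangled domain kept.

```python
# Added example, not FreeIPA's code: a checker for the DNA range entries pasted
# in this thread.  Container DNs come from Simo's reply ("IIRC" for 1.2.2); the
# parser, SID pattern, sample LDIF and check_dna_config are assumptions.
import re

# A Samba account or group SID: domain prefix (three sub-authorities) plus one RID.
SID_RE = re.compile(r'^S-1-5-21-\d+-\d+-\d+-\d+$')

# Where DNA range entries live, as stated in the thread.
DNA_CONTAINER = {
    '1.2.2': 'cn=ipa-dna,cn=plugins,cn=config',                              # embedded IPA plugin
    '2':     'cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config',  # DS plugin
}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, values folded with
    a leading space, '#' comments ignored.  Returns dicts of attr -> [values]."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(' ') and last_attr:
            current[last_attr][-1] += raw[1:]      # folded continuation line
            continue
        attr, _, value = raw.partition(':')
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def compose_sid(prefix, next_value):
    """What DNA stores: prefix and counter concatenated with nothing in between."""
    return '%s%s' % (prefix, next_value)


def check_dna_config(ldif_text, ipa_version):
    """Return (dn, problem) pairs for the DNA range entries in ldif_text."""
    container = DNA_CONTAINER[ipa_version].lower()
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get('dn', [''])[0]
        dnatype = entry.get('dnatype', [''])[0]
        if not dnatype:
            continue                     # the plugin entry itself, not a range config
        if not dn.lower().endswith(',' + container):
            findings.append((dn, 'not under %s for IPA %s'
                             % (DNA_CONTAINER[ipa_version], ipa_version)))
        if dnatype.lower() == 'sambagrouptype':
            findings.append((dn, 'sambaGroupType is a fixed value, not a counter: '
                                 'remove this DNA entry'))
        if dnatype.lower() == 'sambasid':
            prefix = entry.get('dnaprefix', [''])[0]
            sid = compose_sid(prefix, entry.get('dnanextvalue', ['0'])[0])
            if not prefix.endswith('-'):
                findings.append((dn, 'dnaprefix must end with "-"'))
            if not SID_RE.match(sid):
                findings.append((dn, 'next generated SID would be malformed: ' + sid))
    return findings


# Constructed from the entries pasted earlier in this thread (trimmed to the
# attributes the checker reads; mangled domain kept).
BROKEN_LDIF = """\
dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: sambaGroupType
dnatype: sambaGroupType
dnafilter: (objectClass=sambaGroupMapping)
dnanextvalue: 2

# SambaSid, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: SambaSid
dnatype: sambaSID
dnaprefix: S-1-5-21-2932961863-1130097162-856551529
dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
dnascope: dc=example,dc=com
dnanextvalue: 15277
"""

# The same sambaSID range under the 1.2.2 container, prefix ending in '-'.
FIXED_LDIF = """\
dn: cn=SambaSid,cn=ipa-dna,cn=plugins,cn=config
cn: SambaSid
dnatype: sambaSID
dnaprefix: S-1-5-21-2932961863-1130097162-856551529-
dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
dnascope: dc=example,dc=com
dnanextvalue: 15277
"""

if __name__ == '__main__':
    for dn, problem in check_dna_config(BROKEN_LDIF, '1.2.2'):
        print('%s: %s' % (dn, problem))
```

Running the checker over the pasted entries for IPA 1.2.2 reports five problems (both entries in the wrong container, the sambaGroupType counter, the missing trailing hyphen, and the malformed SID S-1-5-21-2932961863-1130097162-85655152915277 that DNA would have produced next); the corrected entry reports none. The SID check matters beyond tidiness: a RID glued onto the last sub-authority yields identifiers that Samba will not map to the domain, so accounts created that way fail in ways the dirsrv log never explains, as the original report noted.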
--
Simo Sorce * Red Hat, Inc * New York

From sgros at zemris.fer.hr Thu Jun 17 20:03:40 2010
From: sgros at zemris.fer.hr (Stjepan Gros)
Date: Thu, 17 Jun 2010 22:03:40 +0200
Subject: [Freeipa-users] Problem with FreeIPA and Samba 3...
In-Reply-To: <20100617112646.34711ac3@willson.li.ssimo.org>
References: <1276717268.3649.6.camel@w500.sistemnet.local> <20100616170610.7e4f37a8@willson.li.ssimo.org> <1276767525.3738.10.camel@w500.sistemnet.local> <20100617112646.34711ac3@willson.li.ssimo.org>
Message-ID: <1276805020.6643.1.camel@w500.sistemnet.local>

On Thu, 2010-06-17 at 11:26 -0400, Simo Sorce wrote:
> Unfortunately in v1.x we didn't have enough infrastructure to make it
> easier to set additional attributes beyond the default one we set on
> user/group creation. v2.x should make this possible.

In other words, the only way samba attributes can be added is to create a new user/group and then "manually" add/modify all the relevant attributes using e.g. ldapmodify?

SG

From rcritten at redhat.com Fri Jun 18 12:50:23 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Jun 2010 08:50:23 -0400
Subject: [Freeipa-users] Problem with FreeIPA and Samba 3...
In-Reply-To: <1276805020.6643.1.camel@w500.sistemnet.local>
References: <1276717268.3649.6.camel@w500.sistemnet.local> <20100616170610.7e4f37a8@willson.li.ssimo.org> <1276767525.3738.10.camel@w500.sistemnet.local> <20100617112646.34711ac3@willson.li.ssimo.org> <1276805020.6643.1.camel@w500.sistemnet.local>
Message-ID: <4C1B6B8F.9010707@redhat.com>

Stjepan Gros wrote:
> On Thu, 2010-06-17 at 11:26 -0400, Simo Sorce wrote:
>
>> Unfortunately in v1.x we didn't have enough infrastructure to make it
>> easier to set additional attributes beyond the default one we set on
>> user/group creation. v2.x should make this possible.
>
> In other words, the only way samba attributes can be added is to create
> new user/group and then "manually" add/modify all the relevant
> attributes using e.g. ldapmodify?
>
> SG

It depends on what you need and whether we're talking about the UI or command-line.

Look at the --addattr and --setattr options of ipa-useradd (and the other cli commands). You can add the options at creation time that way.

The UI has some limited capability of adding new attributes to the add/edit user screen. Groups have no equivalent capability.

What Simo is saying is that there is no way to automatically add new attributes without hacking code.

rob

From danieljamesscott at gmail.com Mon Jun 28 16:14:51 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Mon, 28 Jun 2010 12:14:51 -0400
Subject: [Freeipa-users] Fedora 13 client login problems
Message-ID:

Hello,

I've just installed a new Fedora 13 client and configured it to use FreeIPA. During ipa-client install, I received the following error:

nss_ldap is not able to use DNS discovery!

However, the /etc/ldap.conf and /etc/krb5.conf appear to be configured correctly.

I am unable to login to the machine. Here is an extract from /var/log/secure:

Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from 192.168.1.35
Jun 28 12:12:01 pc45 sshd[2264]: input_userauth_request: invalid user djscott
Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc35.example.com
Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error retrieving information about user djscott
Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user djscott from 192.168.1.35 port 50502 ssh2

Here is the PAM configuration:

[root at pc45 ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
#session    optional     pam_keyinit.so force revoke
session    include      password-auth

[root at pc45 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
[root at pc45 ~]#

Does anyone have any suggestions for why this is not working?

Thanks,

Dan Scott

From sgallagh at redhat.com Mon Jun 28 18:12:43 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 28 Jun 2010 14:12:43 -0400
Subject: [Freeipa-users] Fedora 13 client login problems
In-Reply-To:
References:
Message-ID: <4C28E61B.4060009@redhat.com>

On 06/28/2010 12:14 PM, Dan Scott wrote:
> Hello,
>
> I've just installed a new Fedora 13 client and configured it to use
> FreeIPA. During ipa-client install, I received the following error:
>
> nss_ldap is not able to use DNS discovery! However, the /etc/ldap.conf
> and /etc/krb5.conf appear to be configured correctly.
>
> I am unable to login to the machine.
Here is an extract from /var/log/secure: > > Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from 192.168.1.35 > Jun 28 12:12:01 pc45 sshd[2264]: input_userauth_request: invalid user djscott > Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): check pass; user unknown > Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc35.example.com > Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error > retrieving information about user djscott > Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user > djscott from 192.168.1.35 port 50502 ssh2 > > Here is the PAM configuration: > > [root at pc45 ~]# cat /etc/pam.d/sshd > #%PAM-1.0 > auth required pam_sepermit.so > auth include password-auth > account required pam_nologin.so > account include password-auth > password include password-auth > # pam_selinux.so close should be the first session rule > session required pam_selinux.so close > session required pam_loginuid.so > # pam_selinux.so open should only be followed by sessions to be > executed in the user context > session required pam_selinux.so open env_params > #session optional pam_keyinit.so force revoke > session include password-auth > > [root at pc45 ~]# cat /etc/pam.d/password-auth > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. 
> auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid>= 500 quiet > auth sufficient pam_krb5.so use_first_pass > auth required pam_deny.so > > account required pam_unix.so broken_shadow > account sufficient pam_localuser.so > account sufficient pam_succeed_if.so uid< 500 quiet > account [default=bad success=ok user_unknown=ignore] pam_krb5.so > account required pam_permit.so > > password requisite pam_cracklib.so try_first_pass retry=3 > password sufficient pam_unix.so sha512 shadow nullok > try_first_pass use_authtok > password sufficient pam_krb5.so use_authtok > password required pam_deny.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > session optional pam_mkhomedir.so > session [success=1 default=ignore] pam_succeed_if.so service in > crond quiet use_uid > session required pam_unix.so > session optional pam_krb5.so > [root at pc45 ~]# > > > Does anyone have any suggestions for why this is not working? > Fedora 13 is using nss-ldapd, not nss_ldap anymore. Probably ipa-client needs to be updated to modify /etc/nslcd.conf instead of /etc/ldap.conf. In the meantime, you might have better luck configuring sssd instead of nss-ldap for user lookups. man sssd.conf man sssd-ldap -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ From danieljamesscott at gmail.com Tue Jun 29 20:51:39 2010 From: danieljamesscott at gmail.com (Dan Scott) Date: Tue, 29 Jun 2010 16:51:39 -0400 Subject: [Freeipa-users] SSSD Cache Message-ID: Hi, I'm using Fedora 13 with the new SSSD daemon (Which conflicts with the old nscd daemon). Does anyone know how to clear the cache of this service? I've added a user to a few groups and "id username" shows the correct groups on the FreeIPA server, but not on my client machine. 
I used to run "/etc/init.d/nscd reload" for nscd, but this does not appear to work for sssd. I've read through the SSSD howto: https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 but this does not mention clearing the cache - only how to set the cache timeouts. Thanks, Dan From ssorce at redhat.com Tue Jun 29 22:57:38 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 29 Jun 2010 18:57:38 -0400 Subject: [Freeipa-users] SSSD Cache In-Reply-To: References: Message-ID: <20100629185738.35c75acc@willson.li.ssimo.org> On Tue, 29 Jun 2010 16:51:39 -0400 Dan Scott wrote: > Hi, > > I'm using Fedora 13 with the new SSSD daemon (Which conflicts with the > old nscd daemon). Does anyone know how to clear the cache of this > service? > > I've added a user to a few groups and "id username" shows the correct > groups on the FreeIPA server, but not on my client machine. I used to > run "/etc/init.d/nscd reload" for nscd, but this does not appear to > work for sssd. > > I've read through the SSSD howto: > > https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 > > but this does not mention clearing the cache - only how to set the > cache timeouts. Dan, SSSD will update the cache on any login that goes through PAM. Do you need a way to refresh specific user information it logs in ? If so, at the moment you can reset the cache by stopping SSSD and deleting the appropriate file in /var/lib/sss/db and restarting SSSD. The db file to be deleted has the domain name (as used in the sssd.conf section tag) in the file name. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Tue Jun 29 23:32:40 2010 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 29 Jun 2010 19:32:40 -0400 Subject: [Freeipa-users] SSSD Cache In-Reply-To: <20100629185738.35c75acc@willson.li.ssimo.org> References: <20100629185738.35c75acc@willson.li.ssimo.org> Message-ID: <4C2A8298.1080209@redhat.com> Simo Sorce wrote: > On Tue, 29 Jun 2010 16:51:39 -0400 > Dan Scott wrote: > > >> Hi, >> >> I'm using Fedora 13 with the new SSSD daemon (Which conflicts with the >> old nscd daemon). Does anyone know how to clear the cache of this >> service? >> >> I've added a user to a few groups and "id username" shows the correct >> groups on the FreeIPA server, but not on my client machine. I used to >> run "/etc/init.d/nscd reload" for nscd, but this does not appear to >> work for sssd. >> >> I've read through the SSSD howto: >> >> https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 >> >> but this does not mention clearing the cache - only how to set the >> cache timeouts. >> > > Dan, > SSSD will update the cache on any login that goes through PAM. > > Do you need a way to refresh specific user information it logs in ? > > If so, at the moment you can reset the cache by stopping SSSD and > deleting the appropriate file in /var/lib/sss/db and restarting SSSD. > The db file to be deleted has the domain name (as used in the sssd.conf > section tag) in the file name. > > Simo. > > ... and we already have a ticket to add this procedure to the documentation. -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From ssorce at redhat.com Wed Jun 30 19:42:59 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 30 Jun 2010 15:42:59 -0400 Subject: [Freeipa-users] SSSD Cache In-Reply-To: References: <20100629185738.35c75acc@willson.li.ssimo.org> Message-ID: <20100630154259.556ae0d1@willson.li.ssimo.org> On Wed, 30 Jun 2010 15:39:48 -0400 Dan Scott wrote: > This has worked, now the client reports that user belongs to the > correct groups. It also appears to correctly refresh the cache when I > login. I have added and removed my user from a few groups and this is > correctly reflected by the results of the 'id' command. Ok this is the expected behavior. > Maybe the cache was corrupted? Unlikely, maybe your SSSD went offline and wasn't able to get back online for some reason until you restarted it ? Simo. -- Simo Sorce * Red Hat, Inc * New York From danieljamesscott at gmail.com Wed Jun 30 19:39:48 2010 From: danieljamesscott at gmail.com (Dan Scott) Date: Wed, 30 Jun 2010 15:39:48 -0400 Subject: [Freeipa-users] SSSD Cache In-Reply-To: <20100629185738.35c75acc@willson.li.ssimo.org> References: <20100629185738.35c75acc@willson.li.ssimo.org> Message-ID: Thanks for the response. On Tue, Jun 29, 2010 at 18:57, Simo Sorce wrote: > SSSD will update the cache on any login that goes through PAM. > > Do you need a way to refresh specific user information it logs in ? Well I was looking to specifically refresh the groups that a user belonged to - I kept trying and even after 24hrs, the old information was still being returned. > If so, at the moment you can reset the cache by stopping SSSD and > deleting the appropriate file in /var/lib/sss/db and restarting SSSD. > The db file to be deleted has the domain name (as used in the sssd.conf > section tag) in the file name. This has worked, now the client reports that user belongs to the correct groups. It also appears to correctly refresh the cache when I login. 
I have added and removed my user from a few groups and this is correctly reflected by the results of the 'id' command. Maybe the cache was corrupted? Thanks, Dan
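The cache reset Simo describes in this thread (stop SSSD, delete the cache file under /var/lib/sss/db whose name carries the domain from the [domain/...] section tag, start SSSD again), as an added example script that is not from the thread or the SSSD project. It assumes the file is named cache_<domain>.ldb and that SSSD is controlled with `service sssd stop`/`start`; neither detail is stated in the thread. The sssd.conf fragment is constructed.

```python
"""Reset the SSSD on-disk cache for one domain: stop SSSD, delete the
domain's cache file under /var/lib/sss/db, start SSSD.  Added example, not
SSSD or FreeIPA project code.  Assumed: the cache file is named
cache_<domain>.ldb and SSSD is controlled with 'service sssd stop|start'."""
import configparser
import os
import subprocess
from pathlib import Path

SSSD_CONF = "/etc/sssd/sssd.conf"
SSSD_DB_DIR = "/var/lib/sss/db"
STOP_CMD = ["service", "sssd", "stop"]    # assumed init commands
START_CMD = ["service", "sssd", "start"]
# Constructed sssd.conf fragment in the shape ipa-client-install writes.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
"""


def domains_from_config(conf_text):
    """Domain names taken from the [domain/<name>] section tags."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")]


def cache_file_for(domain, db_dir=SSSD_DB_DIR):
    """Path of the domain's cache file (exact name, so 'ipa' never matches 'ipa2')."""
    return Path(db_dir) / f"cache_{domain}.ldb"


def reset_cache(domain, db_dir=SSSD_DB_DIR, stop_cmd=STOP_CMD, start_cmd=START_CMD):
    """Stop SSSD, remove the cache file, restart; return True if a file was removed."""
    target = cache_file_for(domain, db_dir)
    if not target.is_file():
        return False            # nothing cached for this domain; leave SSSD running
    subprocess.run(stop_cmd, check=True)
    try:
        os.remove(target)       # SSSD rebuilds it from the server on the next lookup
    finally:
        subprocess.run(start_cmd, check=True)  # bring SSSD back even if removal failed
    return True


if __name__ == "__main__":
    with open(SSSD_CONF) as fh:
        for dom in domains_from_config(fh.read()):
            print(dom, "reset" if reset_cache(dom) else "no cache file")
```

Run it as root on the client; `id username` afterwards should reflect the group changes made on the FreeIPA server.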