From Steven.Jones at vuw.ac.nz Wed Aug 1 01:10:19 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 1 Aug 2012 01:10:19 +0000
Subject: [Freeipa-users] resetting an admin account.
In-Reply-To: <50178548.80206@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD66B77@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50178548.80206@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD6A29D@STAWINCOX10MBX1.staff.vuw.ac.nz>

This appears to be a failure of the password change mechanism to say that the password is either too short or not complex enough.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Martin Kosek [mkosek at redhat.com]
Sent: Tuesday, 31 July 2012 7:12 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] resetting an admin account.

On 07/27/2012 12:48 AM, Steven Jones wrote:
> I have tried to reset my admin password (admjonesst1) using the admin account to a temp password,
>
> So I run a kinit admjonesst1 to reset it to a perm one and I get,
>
> ========
> [jonesst1 at 8kxl72s ~]$ kinit admjonesst1
> Password for admjonesst1 at ODS.VUW.AC.NZ:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Cannot contact any KDC for requested realm while getting initial credentials
> [jonesst1 at 8kxl72s ~]$ kinit admjonesst1
> Password for admjonesst1 at ODS.VUW.AC.NZ:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Cannot contact any KDC for requested realm while getting initial credentials
> [jonesst1 at 8kxl72s ~]$
> ========
>

Would a kinit with a trace turned on show anything interesting?

# KRB5_TRACE=/dev/stdout kinit admjonesst1

It may get us closer to the root cause of this issue.
Martin

From freeipa at noboost.org Wed Aug 1 04:13:29 2012
From: freeipa at noboost.org (freeipa at noboost.org)
Date: Wed, 1 Aug 2012 14:13:29 +1000
Subject: [Freeipa-users] IPA Server
Message-ID: <20120801041329.GA28655@noboost.org>

Hi All,

NOTE: I posted this on the 389 forum, they rightly suggested this is most likely an IPA issue.

Spec:
Redhat Enterprise Linux 6.3 x64

- ipa-server-2.2.0-16.el6.x86_64
- 389-ds-base-1.2.10.2-18.el6_3.x86_64
- 389-ds-base-libs-1.2.10.2-18.el6_3.x86_64

We had a simple (but quite dramatic) issue the other day. Our backup script simply does a cold backup of the 389 Directory Server, however this time it didn't start back up.

Script simply runs: /etc/init.d/ipa stop

Error from Log:
[31/Jul/2012:02:00:38 +1000] - slapd stopped.
[31/Jul/2012:02:00:43 +1000] createprlistensockets - PR_Bind() on All Interfaces port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)

Is there any way to work out why this happened?
Is this an IPA issue that is known about?

When I did a manual restart in the morning it was fine. The backups even worked perfectly last night too. Sounds like a bug in the ipa shutdown script?

cya

Craig

From tomasz at napierala.org Wed Aug 1 09:55:14 2012
From: tomasz at napierala.org (Tomasz 'Zen' Napierała)
Date: Wed, 1 Aug 2012 11:55:14 +0200
Subject: [Freeipa-users] IPA Server
In-Reply-To: <20120801041329.GA28655@noboost.org>
References: <20120801041329.GA28655@noboost.org>
Message-ID: <7C05B262-EEAF-4B41-BA9F-0BA691C38C5D@napierala.org>

On Aug 1, 2012, at 6:13 AM, freeipa at noboost.org wrote:

> Script simply runs: /etc/init.d/ipa stop
>
> Error from Log:
> [31/Jul/2012:02:00:38 +1000] - slapd stopped.
> [31/Jul/2012:02:00:43 +1000] createprlistensockets - PR_Bind() on All Interfaces port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)
>
> Is there any way to work out why this happened?
> Is this an IPA issue that is known about?
>
> When I did a manual restart in the morning it was fine. The backups even worked perfectly last night too. Sounds like a bug in the ipa shutdown script?

Looks like a similar issue I had with selinux. Try reinstalling the pki-selinux package.

Regards,
--
Tomasz 'Zen' Napierała
tomasz at napierala.org

From pspacek at redhat.com Wed Aug 1 10:03:54 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 01 Aug 2012 12:03:54 +0200
Subject: [Freeipa-users] IPA Server
In-Reply-To: <20120801041329.GA28655@noboost.org>
References: <20120801041329.GA28655@noboost.org>
Message-ID: <5018FF0A.2080308@redhat.com>

On 08/01/2012 06:13 AM, freeipa at noboost.org wrote:
> Hi All,
>
> NOTE: I posted this on the 389 forum, they rightly suggested this is most likely an IPA issue.
>
> Spec:
> Redhat Enterprise Linux 6.3 x64
>
> - ipa-server-2.2.0-16.el6.x86_64
> - 389-ds-base-1.2.10.2-18.el6_3.x86_64
> - 389-ds-base-libs-1.2.10.2-18.el6_3.x86_64
>
> We had a simple (but quite dramatic) issue the other day. Our backup script simply does a cold backup of the 389 Directory Server, however this time it didn't start back up.
>
> Script simply runs: /etc/init.d/ipa stop
>
> Error from Log:
> [31/Jul/2012:02:00:38 +1000] - slapd stopped.
> [31/Jul/2012:02:00:43 +1000] createprlistensockets - PR_Bind() on All Interfaces port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)
>
> Is there any way to work out why this happened?
> Is this an IPA issue that is known about?
>
> When I did a manual restart in the morning it was fine. The backups even worked perfectly last night too. Sounds like a bug in the ipa shutdown script?

How long is the delay between slapd shutdown and restart? Sometimes there is a time window (after process shutdown) in which the port cannot be occupied again, I'm unsure why. (My guess: It is related to improperly closed TCP connections and some timers in the TCP/IP stack...)

"netstat" may or may not give you some clue to what is wrong. You can check ports in listening state with the command:

$ sudo netstat -lpt

It should show currently running processes and the TCP ports occupied by them.

$ sudo netstat -ta

This command should show all TCP connections (including connections in intermediate states) with the process to which they belong.

Petr^2 Spacek

From SKline at tnsi.com Wed Aug 1 23:56:05 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Wed, 1 Aug 2012 16:56:05 -0700
Subject: [Freeipa-users] Re-run install script?
Message-ID:

One of the other admins that I work with re-installed one of our test boxes without telling me so the record is still in our FreeIPA server. As you would expect if you run the install script, it fails because it is already joined. I tried to remove the box from DNS but I get the following error: "Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)" I can remove the other test boxes with no issue. I get the same error if I try to use ipa host-del although again this works fine for other entries. Is there a way to forcefully remove this entry, or do I need to manually configure this client? It's a test box but if this happens in Production I need to know what to do.

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495

________________________________
This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Transaction Network Services. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
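An added example (not from the list posts) for Petr Spacek's netstat suggestion: it parses the text that `sudo netstat -tapn` prints (a constructed sample is embedded, with the PID/program column that `-p` adds and numeric addresses from `-n`) and groups the sockets on port 636 by state, so a still-listening ns-slapd can be told apart from lingering connections of the stopped instance.

```python
"""Group the TCP sockets netstat reports for one port by state.

Constructed helper for the "PR_Bind() on port 636 failed" thread above:
a LISTEN entry means a process still owns the port, while TIME_WAIT /
CLOSE_WAIT entries are connections of the stopped instance that the
kernel has not released yet.
"""
import re
from collections import defaultdict

# Constructed sample of `sudo netstat -tapn` output (numeric addresses,
# PID/Program name column); PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2841/ns-slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2841/ns-slapd
tcp        0      0 10.0.0.5:636            10.0.0.17:51234         TIME_WAIT   -
tcp        0      0 10.0.0.5:636            10.0.0.23:40022         CLOSE_WAIT  2841/ns-slapd
tcp        0      0 10.0.0.5:22             10.0.0.9:55010          ESTABLISHED 1203/sshd
"""

# columns: proto, Recv-Q, Send-Q, local, foreign, state, optional PID/Program
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s*(?P<owner>\S+)?\s*$"
)


def _port_of(addr):
    """Port of 'host:port'; also handles '[::]:636' and ':::636'."""
    return int(addr.rsplit(":", 1)[1])


def port_usage(netstat_text, port):
    """Return {state: [(local, remote, owner), ...]} for every TCP socket
    whose local port is `port`. owner is None when netstat prints '-'
    (socket no longer attached to a process, typical for TIME_WAIT)."""
    usage = defaultdict(list)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header, non-TCP rows
        if _port_of(m["local"]) != port:
            continue
        owner = m["owner"] if m["owner"] not in (None, "-") else None
        usage[m["state"]].append((m["local"], m["remote"], owner))
    return dict(usage)


def explain_bind_failure(netstat_text, port):
    """One-line diagnosis of why a bind() on `port` would currently fail."""
    usage = port_usage(netstat_text, port)
    listeners = usage.get("LISTEN", [])
    if listeners:
        owners = sorted({o or "unknown" for _, _, o in listeners})
        return "port %d is still in LISTEN state (%s): the old process has not exited" % (
            port, ", ".join(owners))
    lingering = sorted(usage)
    if lingering:
        return "no listener on port %d, but sockets in %s remain: wait for the TCP timers to expire before restarting" % (
            port, ", ".join(lingering))
    return "port %d is free" % port
```

Running `explain_bind_failure` right after `/etc/init.d/ipa stop` in the backup script, and delaying the restart until it reports the port free, separates a shutdown that has not finished from the timer window Petr describes.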
From loris at lgs.com.ve Thu Aug 2 03:14:29 2012
From: loris at lgs.com.ve (Loris Santamaria)
Date: Wed, 01 Aug 2012 22:44:29 -0430
Subject: [Freeipa-users] User Administrator role from the web UI
Message-ID: <1343877269.5050.35.camel@toron.pzo.lgs.com.ve>

Hi, I added a user to the "User Administrator Role" and when I do a kinit with this user I can use the "ipa user*" and "ipa group*" commands as expected to add, modify and delete groups.

However from the IPA Web UI, logging in with the login form, I can see only the Identity->Users tab. I can modify users, except for group membership, but I can't create or delete users and I cannot create or delete groups.

Is this an expected limitation of the web UI, a bug or a misconfiguration? Where could I start debugging this?

Thanks

--
Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford

From pvoborni at redhat.com Thu Aug 2 08:48:23 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 02 Aug 2012 10:48:23 +0200
Subject: [Freeipa-users] User Administrator role from the web UI
In-Reply-To: <1343877269.5050.35.camel@toron.pzo.lgs.com.ve>
References: <1343877269.5050.35.camel@toron.pzo.lgs.com.ve>
Message-ID: <501A3ED7.1050209@redhat.com>

On 08/02/2012 05:14 AM, Loris Santamaria wrote:
> Hi, I added a user to the "User Administrator Role" and when I do a kinit with this user I can use the "ipa user*" and "ipa group*" commands as expected to add, modify and delete groups.
>
> However from the IPA Web UI, logging in with the login form, I can see only the Identity->Users tab.
> I can modify users, except for group membership, but I can't create or delete users and I cannot create or delete groups.
>
> Is this an expected limitation of the web UI, a bug or a misconfiguration? Where could I start debugging this?
>
> Thanks
>

It should work. There is a bug when a user is an indirect member of a role. It will be fixed in 3.0 beta 2.
https://fedorahosted.org/freeipa/ticket/2899

A user should see the full interface when he is a member of any role or a member or indirect member of group 'admins'.

To debug this you can inspect the 'IPA.whoami' object in the browser's console (press F12 in most browsers or CTRL+SHIFT+K in latest Firefox in Fedora) after successful login. Look for 'admin' in memberof_group, memberofindirect_group or anything in memberof_role.

--
Petr Vobornik

From sigbjorn at nixtra.com Thu Aug 2 13:06:35 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 2 Aug 2012 15:06:35 +0200 (CEST)
Subject: [Freeipa-users] Re-run install script?
In-Reply-To:
References:
Message-ID: <24505.213.225.75.97.1343912795.squirrel@www.nixtra.com>

Did you try using the "ipa-replica-manage" command to remove the IPA server?

There is a force option for removal of an inactive IPA server when using that command.

Rgds,
Siggi

On Thu, August 2, 2012 01:56, Kline, Sara wrote:
> One of the other admins that I work with re-installed one of our test boxes without telling me so the record is still in our FreeIPA server. As you would expect if you run the install script, it fails because it is already joined. I tried to remove the box from DNS but I get the following error: "Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)" I can remove the other test boxes with no issue. I get the same error if I try to use ipa host-del although again this works fine for other entries. Is there a way to forcefully remove this entry, or do I need to manually configure this client?
> It's a test box but if this happens in Production I need to know what to do.
>
> Sara Kline
> System Administrator
> Transaction Network Services, Inc
> 4501 Intelco Loop, Lacey WA 98503
> Wk: (360) 493-6736
> Cell: (360) 280-2495
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From SKline at tnsi.com Thu Aug 2 15:08:11 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Thu, 2 Aug 2012 08:08:11 -0700
Subject: [Freeipa-users] Re-run install script?
In-Reply-To: <24505.213.225.75.97.1343912795.squirrel@www.nixtra.com>
References: <24505.213.225.75.97.1343912795.squirrel@www.nixtra.com>
Message-ID:

It isn't an IPA server, it is just a host within DNS. When I try to remove the entry from DNS I get that error.

Thanks,
Sara Kline

-----Original Message-----
From: Sigbjorn Lie [mailto:sigbjorn at nixtra.com]
Sent: Thursday, August 02, 2012 6:07 AM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Re-run install script?

Did you try using the "ipa-replica-manage" command to remove the IPA server?

There is a force option for removal of an inactive IPA server when using that command.

Rgds,
Siggi
From simo at redhat.com Thu Aug 2 15:17:35 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 02 Aug 2012 11:17:35 -0400
Subject: [Freeipa-users] Re-run install script?
In-Reply-To:
References: <24505.213.225.75.97.1343912795.squirrel@www.nixtra.com>
Message-ID: <1343920655.20530.125.camel@willson.li.ssimo.org>

ipa host-del ?
On Thu, 2012-08-02 at 08:08 -0700, Kline, Sara wrote:
> It isn't an IPA server it is just a host within DNS. When I try to remove the entry from DNS I get that error.
>
> Thanks,
> Sara Kline
--
Simo Sorce * Red Hat, Inc * New York

From SKline at tnsi.com Thu Aug 2 15:22:06 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Thu, 2 Aug 2012 08:22:06 -0700
Subject: [Freeipa-users] Re-run install script?
In-Reply-To: <1343920655.20530.125.camel@willson.li.ssimo.org>
References: <24505.213.225.75.97.1343912795.squirrel@www.nixtra.com> <1343920655.20530.125.camel@willson.li.ssimo.org>
Message-ID:

Copied from below:
I get the same error if I try to use ipa host-del although again this works fine for other entries.

I have tried everything that the documentation suggested to try and have searched Google pretty extensively. I am not finding a way to clear this error, and I am not finding anyone else who has this particular error either.
People taking systems down without notifying us happens more frequently than I care to admit so this could potentially come up in our production environment. I just want to make sure that there is a way to remove the entries...by force if necessary. Or if I need to do a manual configuration to get it to work then I will do that.
Just need some guidance on if there is a tool that will remove the bad entry or if it will just be a manual setup now.

Thanks,
Sara Kline

-----Original Message-----
From: Simo Sorce [mailto:simo at redhat.com]
Sent: Thursday, August 02, 2012 8:18 AM
To: Kline, Sara
Cc: Sigbjorn Lie; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Re-run install script?

ipa host-del ?
From simo at redhat.com Thu Aug 2 15:25:56 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 02 Aug 2012 11:25:56 -0400
Subject: [Freeipa-users] Re-run install script?
In-Reply-To:
References: <24505.213.225.75.97.1343912795.squirrel@www.nixtra.com> <1343920655.20530.125.camel@willson.li.ssimo.org>
Message-ID: <1343921156.20530.128.camel@willson.li.ssimo.org>

On Thu, 2012-08-02 at 08:22 -0700, Kline, Sara wrote:
> Copied from below:
> I get the same error if I try to use ipa host-del although again this works fine for other entries.
>
> I have tried everything that the documentation suggested to try and have searched Google pretty extensively. I am not finding a way to clear this error, and I am not finding anyone else who has this particular error either.
> People taking systems down without notifying us happens more frequently than I care to admit so this could potentially come up in our production environment. I just want to make sure that there is a way to remove the entries...by force if necessary. Or if I need to do a manual configuration to get it to work then I will do that. Just need some guidance on if there is a tool that will remove the bad entry or if it will just be a manual setup now.
>
> Thanks,
> Sara Kline

Can you please provide the command you are running to re-join the machine ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From SKline at tnsi.com Thu Aug 2 15:31:14 2012
From: SKline at tnsi.com (Kline, Sara)
Date: Thu, 2 Aug 2012 08:31:14 -0700
Subject: [Freeipa-users] Re-run install script?
In-Reply-To: <1343921156.20530.128.camel@willson.li.ssimo.org>
References: <24505.213.225.75.97.1343912795.squirrel@www.nixtra.com> <1343920655.20530.125.camel@willson.li.ssimo.org> <1343921156.20530.128.camel@willson.li.ssimo.org>
Message-ID:

I can't use ipa-client-install because it says that it is joined already. I can't run ipa-client-install --uninstall because as far as it's concerned the script has never been run so the package has not been set up.

I am trying to remove the server from DNS. I have done it through the GUI and I have done it at the command line with ipa-host-del and neither one is working.
I get the error:
"Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)" As I said before though, I can use this command on other systems just fine, it is just this one system that it is failing on.

Thanks,
Sara Kline

-----Original Message-----
From: Simo Sorce [mailto:simo at redhat.com]
Sent: Thursday, August 02, 2012 8:26 AM
To: Kline, Sara
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Re-run install script?

Can you please provide the command you are running to re-join the machine ?

Simo.

From simo at redhat.com Thu Aug 2 17:21:01 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 02 Aug 2012 13:21:01 -0400
Subject: [Freeipa-users] Re-run install script?
In-Reply-To:
References: <24505.213.225.75.97.1343912795.squirrel@www.nixtra.com> <1343920655.20530.125.camel@willson.li.ssimo.org> <1343921156.20530.128.camel@willson.li.ssimo.org>
Message-ID: <1343928061.20530.131.camel@willson.li.ssimo.org>

Hi Sara,
DNS does not influence ipa-client-install, if that command fails it means the host is registered in the ipa server as a member of the domain and the correct command to remove it should be ipa host-del.

The (Invalid credential) error is odd though.
On what machine are you running ipa host-del and with what user credentials ?

Simo.

On Thu, 2012-08-02 at 08:31 -0700, Kline, Sara wrote:
> I can't use ipa-client-install because it says that it is joined already. I can't run ipa-client-install --uninstall because as far as it's concerned the script has never been run so the package has not been set up.
>
> I am trying to remove the server from DNS. I have done it through the GUI and I have done it at the command line with ipa-host-del and neither one is working. I get the error:
> "Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)" As I said before though, I can use this command on other systems just fine, it is just this one system that it is failing on.
>
> Thanks,
> Sara Kline
--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Thu Aug 2 18:58:38 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 02 Aug 2012 14:58:38 -0400
Subject: [Freeipa-users] Re-run install script?
In-Reply-To:
References: <24505.213.225.75.97.1343912795.squirrel@www.nixtra.com> <1343920655.20530.125.camel@willson.li.ssimo.org>
Message-ID: <1343933918.20530.133.camel@willson.li.ssimo.org>

On Thu, 2012-08-02 at 08:22 -0700, Kline, Sara wrote:
> Copied from below:
> I get the same error if I try to use ipa host-del although again this works fine for other entries.
>
> I have tried everything that the documentation suggested to try and have searched Google pretty extensively. I am not finding a way to clear this error, and I am not finding anyone else who has this particular error either.
> People taking systems down without notifying us happens more frequently than I care to admit so this could potentially come up in our production environment.
> I just want to make sure that there is a way to remove the entries...by force if necessary. Or if I need to do a manual configuration to get it to work then I will do that. Just need some guidance on if there is a tool that will remove the bad entry or if it will just be a manual setup now.

Can you see if there is any error in the https error log on the ipa server related to this error when running ipa host-del ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From baromi at mail.ru Fri Aug 3 06:58:41 2012
From: baromi at mail.ru (Роман Бамбурин)
Date: Fri, 03 Aug 2012 10:58:41 +0400
Subject: [Freeipa-users] unable to activate the ssh service in sssd config
Message-ID: <1343977121.990095150@f126.mail.ru>

hi, I'm trying to install freeipa-client and I have the error "unable to activate the ssh service in sssd config". What do I need to do to resolve this problem? Thanks.

From jcholast at redhat.com Fri Aug 3 07:24:08 2012
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 03 Aug 2012 09:24:08 +0200
Subject: [Freeipa-users] unable to activate the ssh service in sssd config
In-Reply-To: <1343977121.990095150@f126.mail.ru>
References: <1343977121.990095150@f126.mail.ru>
Message-ID: <501B7C98.9030303@redhat.com>

On 3.8.2012 08:58, Роман Бамбурин wrote:
> hi, I'm trying to install freeipa-client and I have the error "unable to activate the ssh service in sssd config". What do I need to do to resolve this problem? Thanks.
>

Hi,

you need to add the ssh service to /etc/sssd/sssd.conf manually. In order to do that, you need to modify this line in the [sssd] section:

services = nss, pam

to:

services = nss, pam, ssh

and add a new empty [ssh] section at the end of the file.
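The edit Jan Cholasta describes, as an added example that is not part of the original posts or of SSSD/FreeIPA: it applies the change to the text of an sssd.conf (a constructed sample is embedded; its domain name and server are assumptions) and is idempotent, so the result can be reviewed before the real file is written. Where the [sssd] section or its services line is missing it refuses rather than guessing which responders to enable.

```python
"""Enable the SSSD ssh responder in sssd.conf text.

Added example for the "unable to activate the ssh service in sssd
config" thread. Rules, following the post above:
  * in the [sssd] section, append "ssh" to the "services" list unless
    it is already listed (order and key spelling are kept);
  * append an empty [ssh] section if the file has none;
  * refuse (ValueError) if there is no [sssd] section or no services
    line, since the right fix is then not mechanical.
"""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
SERVICES_RE = re.compile(r"^(?P<key>\s*services\s*=\s*)(?P<value>.*?)\s*$")

# Constructed sample; domain and server names are assumptions.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.test

[nss]

[pam]

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
"""


def _split_services(value):
    return [s.strip() for s in value.split(",") if s.strip()]


def enable_ssh_service(conf_text):
    """Return conf_text with 'ssh' in [sssd] services and an [ssh] section."""
    section = None
    seen_sections = set()
    services_done = False
    out = []
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m["name"].strip()
            seen_sections.add(section)
            out.append(line)
            continue
        # only the first services line inside [sssd] is edited;
        # commented-out lines ("# services = ...") do not match
        if section == "sssd" and not services_done:
            sm = SERVICES_RE.match(line)
            if sm:
                services = _split_services(sm["value"])
                if "ssh" not in services:
                    services.append("ssh")
                out.append(sm["key"] + ", ".join(services))
                services_done = True
                continue
        out.append(line)
    if "sssd" not in seen_sections:
        raise ValueError("no [sssd] section: not a usable sssd.conf")
    if not services_done:
        raise ValueError("no 'services' line in [sssd]: edit the file by hand")
    if "ssh" not in seen_sections:
        if out and out[-1].strip():
            out.append("")  # blank line before the new section
        out.append("[ssh]")
    return "\n".join(out) + "\n"
```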
Honza

--
Jan Cholasta

From baptiste.agasse at lyra-network.com Fri Aug 3 08:02:22 2012
From: baptiste.agasse at lyra-network.com (Baptiste AGASSE)
Date: Fri, 3 Aug 2012 10:02:22 +0200 (CEST)
Subject: [Freeipa-users] IPA 2.2 Windows 2008R2 sync
In-Reply-To: <969695424.1232.1343980676963.JavaMail.root@sirismail.lyra-network.com>
Message-ID: <2054101849.1234.1343980942532.JavaMail.root@sirismail.lyra-network.com>

Hi all,

I've a problem with winsync between ipa 2.2 on centos 6.3 and Active directory 2008R2.

I'm following this documentation to enable synchronization:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html

When I run as admin 'certutil -installcert -v -config "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA" c:\Users\John\Documents\ipa-ca.crt' it returns (translated from French):

    CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
    CertUtil: Specified file not found

Has someone seen this issue?

Have a nice day.

Regards.

Baptiste.

From rmeggins at redhat.com Fri Aug 3 14:18:59 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 03 Aug 2012 08:18:59 -0600
Subject: [Freeipa-users] IPA 2.2 Windows 2008R2 sync
In-Reply-To: <2054101849.1234.1343980942532.JavaMail.root@sirismail.lyra-network.com>
References: <2054101849.1234.1343980942532.JavaMail.root@sirismail.lyra-network.com>
Message-ID: <501BDDD3.6050609@redhat.com>

On 08/03/2012 02:02 AM, Baptiste AGASSE wrote:
> Hi all,
>
> I've a problem with winsync between ipa 2.2 on centos 6.3 and Active directory 2008R2.
>
> I'm following this documentation to enable synchronization:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html

There is nothing on this page about running certutil? Which link talks about certutil?
>
> When I run as admin 'certutil -installcert -v -config "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA" c:\Users\John\Documents\ipa-ca.crt' it returns (translated from French):
>
> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
> CertUtil: Specified file not found
>
> Has someone seen this issue?
>
> Have a nice day.
>
> Regards.
>
> Baptiste.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From rmeggins at redhat.com Fri Aug 3 15:59:25 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 03 Aug 2012 09:59:25 -0600
Subject: [Freeipa-users] IPA 2.2 Windows 2008R2 sync
In-Reply-To: <1911275892.61.1344009021282.JavaMail.root@sirismail.lyra-network.com>
References: <1911275892.61.1344009021282.JavaMail.root@sirismail.lyra-network.com>
Message-ID: <501BF55D.2010809@redhat.com>

On 08/03/2012 09:50 AM, Baptiste AGASSE wrote:
> Hi,
>
>>> Hi all,
>>>
>>> I've a problem with winsync between ipa 2.2 on centos 6.3 and Active
>>> directory 2008R2.
>>>
>>> I'm following this documentation to enable synchronization:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
>> There is nothing on this page about running certutil? Which link talks
>> about certutil?
> Links present in the documentation talk about commands and options for certutil but I don't see anything about this error.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html

Can one of the IPA developers explain why it is necessary to install the IPA CA certificate into the Windows Cert Store in order to get Winsync/PassSync working? I don't believe it is necessary.

For now, just skip steps 1 and 2 under 8.4.1.
Trusting the Active Directory and IPA CA Certificates

>
> I'm a newbie on Microsoft OSes, but I don't understand why certutil doesn't find my file.
>
> I will ask on a microsoft forum.
>
> Regards
>
>>> When I run as admin 'certutil -installcert -v -config
>>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
>>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
>>> French):
>>>
>>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
>>> CertUtil: Specified file not found
>>>
>>> Has someone seen this issue?
>>>
>>> Have a nice day.
>>>
>>> Regards.
>>>
>>> Baptiste.

From pspacek at redhat.com Fri Aug 3 18:46:55 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 03 Aug 2012 20:46:55 +0200
Subject: [Freeipa-users] Announcing bind-dyndb-ldap bugfix release: CVE-2012-3429 was fixed
Message-ID: <501C1C9F.5070800@redhat.com>

Hello list,

package bind-dyndb-ldap (BIND<->LDAP interface for FreeIPA) was updated today. This release includes a fix for the security issue CVE-2012-3429.

CVE link: https://www.redhat.com/security/data/cve/CVE-2012-3429.html

Information for Fedora users:
Please update to bind-dyndb-ldap-1.1.0-0.14.rc1 or later. New packages are in updates-testing right now.
Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=845038

Information for RHEL 6.3 users:
ERRATA: http://rhn.redhat.com/errata/RHSA-2012-1139.html
RHEL bug: https://bugzilla.redhat.com/show_bug.cgi?id=842466
Other RHEL versions are unaffected.

Acknowledgements:
Red Hat would like to thank Sigbjorn Lie of the Atea Norway for reporting this issue.
Petr^2 Spacek

From Steven.Jones at vuw.ac.nz Sun Aug 5 20:52:27 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 5 Aug 2012 20:52:27 +0000
Subject: [Freeipa-users] hostgroups not working for Sudo commands
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD6D169@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have setup a sudo command but no matter what I do I cannot get a host-group to work, but I can specify a specific host without issue.....I assume this is a problem with the sssd daemon on the RHEL6.3 client? So what info/logs are needed to fault find this please?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From JR.Aquino at citrix.com Mon Aug 6 05:19:41 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 6 Aug 2012 05:19:41 +0000
Subject: [Freeipa-users] hostgroups not working for Sudo commands
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD6D169@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD6D169@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <7DEA0283-7A8F-4AA2-8C9A-ECF953607F4B@citrix.com>

On Aug 5, 2012, at 1:54 PM, "Steven Jones" wrote:
> Hi,
>
> I have setup a sudo command but no matter what I do I cannot get a host-group to work, but I can specify a specific host without issue.....I assume this is a problem with the sssd daemon on the RHEL6.3 client? So what info/logs are needed to fault find this please?
>
>

Set sudoers_debug 2 on your sudo-ldap.conf. Run the sudo command. You should see it scroll a list of hostgroups etc.

If you do not have your domainname set, your sudo commands will fail on the hostgroup because they expect to see the nis domain match.
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272

From baptiste.agasse at lyra-network.com Mon Aug 6 08:28:56 2012
From: baptiste.agasse at lyra-network.com (Baptiste AGASSE)
Date: Mon, 6 Aug 2012 10:28:56 +0200 (CEST)
Subject: [Freeipa-users] IPA 2.2 Windows 2008R2 sync
In-Reply-To: <501BF55D.2010809@redhat.com>
Message-ID: <1602707639.295.1344241736360.JavaMail.root@sirismail.lyra-network.com>

Hi,

> > Hi,
> >
> >>> Hi all,
> >>>
> >>> I've a problem with winsync between ipa 2.2 on centos 6.3 and
> >>> Active
> >>> directory 2008R2.
> >>>
> >>> I'm following this documentation to enable synchronization:
> >>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
> >> There is nothing on this page about running certutil? Which link
> >> talks
> >> about certutil?
> > Links present in the documentation talk about commands and options
> > for certutil but I don't see anything about this error.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
>
>
> Can one of the IPA developers explain why it is necessary to install
> the
> IPA CA certificate into the Windows Cert Store in order to get
> Winsync/PassSync working? I don't believe it is necessary.
>
> For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
> Directory and IPA CA Certificates

- I trusted IPA certificate on AD.
To do this, I've launched mmc and added "Certificate" component for "local computer", and then added IPA cert to Trusted root CA.

Now when I run "openssl s_client -host ad-server.example.com -port 636" I can see IPA certificate as Trusted client CA.
- I tested AD ldap connection:

    LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL -H ldap://ad-server.example.com -ZZ -D "cn=ipasync,cn=users,dc=example,dc=com" -w XXXXX -s base -b "" 'objectclass=*' namingcontexts
    dn:
    namingContexts: DC=example,DC=com
    namingContexts: CN=Configuration,DC=example,DC=com
    namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
    namingContexts: DC=DomainDnsZones,DC=example,DC=com
    namingContexts: DC=ForestDnsZones,DC=example,DC=com

- Now I fall on another problem, when I run:

    ipa-replica-manage connect --winsync --binddn cn=ipasync,cn=users,dc=example,dc=com --bindpw XXXXX --passsync XXXXX --cacert /etc/openldap/cacerts/ad-ca.crt ad-server.example.com -v
    Directory Manager password:

    Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate database for ipa.foo.example.local
    ipa: INFO: AD Suffix is: DC=example,DC=com
    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
    Windows PassSync entry exists, not resetting password
    ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
    ipa: INFO: Replication Update in progress: FALSE: status: -11 - System error: start: 0: end: 0
    ipa: INFO: Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    [ipa.foo.example.local] reports: Update failed! Status: [-11 - System error]
    Failed to start replication

>
>
> > I'm a newbie on Microsoft OSes, but I don't understand why certutil
> > doesn't find my file.
> >
> > I will ask on a microsoft forum.
> >
> > Regards
> >
> >>> When I run as admin 'certutil -installcert -v -config
> >>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
> >>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
> >>> French):
> >>>
> >>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
> >>> CertUtil: Specified file not found
> >>>
> >>> Has someone seen this issue?
> >>>
> >>> Have a nice day.
> >>>
> >>> Regards.
> >>>
> >>> Baptiste.

Have a nice day.

Regards

Baptiste.

From rmeggins at redhat.com Mon Aug 6 14:02:20 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 06 Aug 2012 08:02:20 -0600
Subject: [Freeipa-users] IPA 2.2 Windows 2008R2 sync
In-Reply-To: <1602707639.295.1344241736360.JavaMail.root@sirismail.lyra-network.com>
References: <1602707639.295.1344241736360.JavaMail.root@sirismail.lyra-network.com>
Message-ID: <501FCE6C.3060603@redhat.com>

On 08/06/2012 02:28 AM, Baptiste AGASSE wrote:
> Hi,
>
>>> Hi,
>>>
>>>>> Hi all,
>>>>>
>>>>> I've a problem with winsync between ipa 2.2 on centos 6.3 and
>>>>> Active
>>>>> directory 2008R2.
>>>>>
>>>>> I'm following this documentation to enable synchronization:
>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
>>>> There is nothing on this page about running certutil? Which link
>>>> talks
>>>> about certutil?
>>> Links present in the documentation talk about commands and options
>>> for certutil but I don't see anything about this error.
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
>>
>>
>> Can one of the IPA developers explain why it is necessary to install
>> the
>> IPA CA certificate into the Windows Cert Store in order to get
>> Winsync/PassSync working? I don't believe it is necessary.
>>
>> For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
>> Directory and IPA CA Certificates
> - I trusted IPA certificate on AD.
> To do this, I've launched mmc and added "Certificate" component for "local computer", and then added IPA cert to Trusted root CA.
>
> Now when I run "openssl s_client -host ad-server.example.com -port 636" I can see IPA certificate as Trusted client CA.
>
> - I tested AD ldap connection:
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL -H ldap://ad-server.example.com -ZZ -D "cn=ipasync,cn=users,dc=example,dc=com" -w XXXXX -s base -b "" 'objectclass=*' namingcontexts
> dn:
> namingContexts: DC=example,DC=com
> namingContexts: CN=Configuration,DC=example,DC=com
> namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
> namingContexts: DC=DomainDnsZones,DC=example,DC=com
> namingContexts: DC=ForestDnsZones,DC=example,DC=com
>
> - Now I fall on another problem, when I run:
>
> ipa-replica-manage connect --winsync --binddn cn=ipasync,cn=users,dc=example,dc=com --bindpw XXXXX --passsync XXXXX --cacert /etc/openldap/cacerts/ad-ca.crt ad-server.example.com -v
> Directory Manager password:
>
> Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate database for ipa.foo.example.local
> ipa: INFO: AD Suffix is: DC=example,DC=com
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11 - System error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [ipa.foo.example.local] reports: Update failed! Status: [-11 - System error]
> Failed to start replication

What platform? What version of 389-ds-base?

Can you post some excerpts from your 389 errors log from /var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around the time of the error?

>
>
>>> I'm a newbie on Microsoft OSes, but I don't understand why certutil
>>> doesn't find my file.
>>>
>>> I will ask on a microsoft forum.
>>>
>>> Regards
>>>
>>>>> When I run as admin 'certutil -installcert -v -config
>>>>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
>>>>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
>>>>> French):
>>>>>
>>>>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
>>>>> CertUtil: Specified file not found
>>>>>
>>>>> Has someone seen this issue?
>>>>>
>>>>> Have a nice day.
>>>>>
>>>>> Regards.
>>>>>
>>>>> Baptiste.
> Have a nice day.
>
> Regards
>
> Baptiste.

From dale at themacartneyclan.com Mon Aug 6 15:07:49 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Mon, 06 Aug 2012 16:07:49 +0100
Subject: [Freeipa-users] whats the recommended way to change OU structures in IPA?
Message-ID: <501FDDC5.9030100@themacartneyclan.com>

Afternoon all

Although I can use any ldapmodify capable tool to do this, I was wondering what the "recommended" way that we should be telling customers who want to change OU trees?

e.g, say in a high school using IPA, they wished to create a parent OU called cn=school accounts,dc=example,dc=com and inside that OU there are two more OU's. One for staff and one for students?

Presumably this is not possible through the webUI.

Also what are the implications if I move a user that was created with "ipa user-add" into a non-default OU? Will it break anything? What's the best way to move an existing user into one of the above OU's?

Any thoughts?
Thanks

Dale

From jdennis at redhat.com Mon Aug 6 15:22:07 2012
From: jdennis at redhat.com (John Dennis)
Date: Mon, 06 Aug 2012 11:22:07 -0400
Subject: [Freeipa-users] whats the recommended way to change OU structures in IPA?
In-Reply-To: <501FDDC5.9030100@themacartneyclan.com>
References: <501FDDC5.9030100@themacartneyclan.com>
Message-ID: <501FE11F.6070702@redhat.com>

On 08/06/2012 11:07 AM, Dale Macartney wrote:
> Although I can use any ldapmodify capable tool to do this, I was
> wondering what the "recommended" way that we should be telling customers
> who want to change OU trees?
>
> e.g, say in a high school using IPA, they wished to create a parent OU
> called cn=school accounts,dc=example,dc=com and inside that OU there are
> two more OU's. One for staff and one for students?
>
> Presumably this is not possible through the webUI.
>
> Also what are the implications if I move a user that was created with
> "ipa user-add" into a non-default OU? Will it break anything? What's the
> best way to move an existing user into one of the above OU's?

IPA only supports flat name spaces, you cannot partition the default containers. This was an early IPA design decision.

If you use ldapmodify to move entries it will break your IPA installation.

You can however assign users, hosts, etc. to groups. Then use group membership to control how a particular group of users behaves. It's easy to automate group membership via automember.

--
John Dennis

From simo at redhat.com Mon Aug 6 15:25:47 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 06 Aug 2012 11:25:47 -0400
Subject: [Freeipa-users] whats the recommended way to change OU structures in IPA?
In-Reply-To: <501FDDC5.9030100@themacartneyclan.com>
References: <501FDDC5.9030100@themacartneyclan.com>
Message-ID: <1344266747.20530.206.camel@willson.li.ssimo.org>

On Mon, 2012-08-06 at 16:07 +0100, Dale Macartney wrote:
> Afternoon all
>
> Although I can use any ldapmodify capable tool to do this, I was
> wondering what the "recommended" way that we should be telling customers
> who want to change OU trees?

None, FreeIPA does not support non-flat trees at the moment, sorry.

> e.g, say in a high school using IPA, they wished to create a parent OU
> called cn=school accounts,dc=example,dc=com and inside that OU there are
> two more OU's. One for staff and one for students?
>
> Presumably this is not possible through the webUI.

It is not possible through any UI at the moment.
We recommend you use groups to create organizational groups. You could use DS views [1] to then show them as trees in theory but we haven't any official guide on that for FreeIPA yet.

> Also what are the implications if I move a user that was created with
> "ipa user-add" into a non-default OU? Will it break anything? What's the
> best way to move an existing user into one of the above OU's?
>
> Any thoughts?

WebUI and CLI tool will not behave properly if you try to change the DIT.

Simo.

[1] https://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_the_Directory_Tree.html#Designing_the_Directory_Tree-Virtual_Directory_Information_Tree_Views

--
Simo Sorce * Red Hat, Inc * New York

From baptiste.agasse at lyra-network.com Mon Aug 6 15:44:21 2012
From: baptiste.agasse at lyra-network.com (Baptiste AGASSE)
Date: Mon, 6 Aug 2012 17:44:21 +0200 (CEST)
Subject: [Freeipa-users] IPA 2.2 Windows 2008R2 sync
In-Reply-To: <501FCE6C.3060603@redhat.com>
Message-ID: <863988292.184.1344267861448.JavaMail.root@sirismail.lyra-network.com>

> > Hi,
> >
> >>> Hi,
> >>>
> >>>>> Hi all,
> >>>>>
> >>>>> I've a problem with winsync between ipa 2.2 on centos 6.3 and
> >>>>> Active
> >>>>> directory 2008R2.
> >>>>>
> >>>>> I'm following this documentation to enable synchronization:
> >>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
> >>>> There is nothing on this page about running certutil? Which link
> >>>> talks
> >>>> about certutil?
> >>> Links present in the documentation talk about commands and options
> >>> for certutil but I don't see anything about this error.
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
> >>
> >>
> >> Can one of the IPA developers explain why it is necessary to
> >> install
> >> the
> >> IPA CA certificate into the Windows Cert Store in order to get
> >> Winsync/PassSync working? I don't believe it is necessary.
> >>
> >> For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
> >> Directory and IPA CA Certificates
> > - I trusted IPA certificate on AD.
> > To do this, I've launched mmc and added "Certificate" component for
> > "local computer", and then added IPA cert to Trusted root CA.
> >
> > Now when I run "openssl s_client -host ad-server.example.com -port
> > 636" I can see IPA certificate as Trusted client CA.
> >
> > - I tested AD ldap connection:
> > LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL
> > -H ldap://ad-server.example.com -ZZ -D
> > "cn=ipasync,cn=users,dc=example,dc=com" -w XXXXX -s base -b ""
> > 'objectclass=*' namingcontexts
> > dn:
> > namingContexts: DC=example,DC=com
> > namingContexts: CN=Configuration,DC=example,DC=com
> > namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
> > namingContexts: DC=DomainDnsZones,DC=example,DC=com
> > namingContexts: DC=ForestDnsZones,DC=example,DC=com
> >
> > - Now I fall on another problem, when I run:
> >
> > ipa-replica-manage connect --winsync --binddn
> > cn=ipasync,cn=users,dc=example,dc=com --bindpw XXXXX --passsync
> > XXXXX --cacert /etc/openldap/cacerts/ad-ca.crt ad-server.example.com
> > -v
> > Directory Manager password:
> >
> > Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate
> > database for ipa.foo.example.local
> > ipa: INFO: AD Suffix is: DC=example,DC=com
> > The user for the Windows PassSync service is
> > uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
> > Windows PassSync entry exists, not resetting password
> > ipa: INFO: Added new sync agreement, waiting for it to become ready
> > .
> > . .
> > ipa: INFO: Replication Update in progress: FALSE: status: -11 -
> > System error: start: 0: end: 0
> > ipa: INFO: Agreement is ready, starting replication . . .
> > Starting replication, please wait until this has completed.
> > [ipa.foo.example.local] reports: Update failed! Status: [-11 -
> > System error]
> > Failed to start replication
> What platform? What version of 389-ds-base?
> Can you post some excerpts from your 389 errors log from
> /var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around the time of the
> error?

That was a TLS error, uploaded wrong AD CA cert on IPA server. Sorry for the noise.

> >
> >
> >>> I'm a newbie on Microsoft OSes, but I don't understand why certutil
> >>> doesn't find my file.
> >>>
> >>> I will ask on a microsoft forum.
> >>>
> >>> Regards
> >>>
> >>>>> When I run as admin 'certutil -installcert -v -config
> >>>>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
> >>>>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
> >>>>> French):
> >>>>>
> >>>>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
> >>>>> CertUtil: Specified file not found
> >>>>>
> >>>>> Has someone seen this issue?
> >>>>>
> >>>>> Have a nice day.
> >>>>>
> >>>>> Regards.
> >>>>>
> >>>>> Baptiste.
> > Have a nice day.
> >
> > Regards
> >
> > Baptiste.

From dale at themacartneyclan.com Mon Aug 6 16:49:34 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Mon, 06 Aug 2012 17:49:34 +0100
Subject: [Freeipa-users] whats the recommended way to change OU structures in IPA?
In-Reply-To: <501FE11F.6070702@redhat.com>
References: <501FDDC5.9030100@themacartneyclan.com> <501FE11F.6070702@redhat.com>
Message-ID: <501FF59E.8060401@themacartneyclan.com>

On 06/08/12 16:22, John Dennis wrote:
> On 08/06/2012 11:07 AM, Dale Macartney wrote:
>> Although I can use any ldapmodify capable tool to do this, I was
>> wondering what the "recommended" way that we should be telling customers
>> who want to change OU trees?
>>
>> e.g, say in a high school using IPA, they wished to create a parent OU
>> called cn=school accounts,dc=example,dc=com and inside that OU there are
>> two more OU's. One for staff and one for students?
>>
>> Presumably this is not possible through the webUI.
>>
>> Also what are the implications if I move a user that was created with
>> "ipa user-add" into a non-default OU? Will it break anything? What's the
>> best way to move an existing user into one of the above OU's?
>
> IPA only supports flat name spaces, you cannot partition the default containers. This was an early IPA design decision.
>
> If you use ldapmodify to move entries it will break your IPA installation.

Oh that sounds fun ;-)

>
> You can however assign users, hosts, etc. to groups. Then use group membership to control how a particular group of users behaves. It's easy to automate group membership via automember.

I agree with using Groups instead of OU's for application roles to be honest. I find it much neater. I was curious for certain software that does not make it very easy to use groups instead of OU's.. Thanks for giving me more firepower when asking them to raise an RFE ;-).
From Steven.Jones at vuw.ac.nz Mon Aug 6 21:50:19 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 6 Aug 2012 21:50:19 +0000
Subject: [Freeipa-users] hostgroups not working for Sudo commands
In-Reply-To: <7DEA0283-7A8F-4AA2-8C9A-ECF953607F4B@citrix.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD6D169@STAWINCOX10MBX1.staff.vuw.ac.nz>, <7DEA0283-7A8F-4AA2-8C9A-ECF953607F4B@citrix.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD6D66F@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Yes I'd missed this,

    echo "nisdomainname ods.vuw.ac.nz" >> /etc/rc.d/rc.local

Is it not possible to automate this (sudo setup) more in the ipa-client-install? Control whether you want it via a sudo_enable=yes or no somewhere?
I've added it to my kickstart for now so my sudo setup is mostly automated.

Thanks

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: JR Aquino [JR.Aquino at citrix.com]
Sent: Monday, 6 August 2012 5:19 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] hostgroups not working for Sudo commands

On Aug 5, 2012, at 1:54 PM, "Steven Jones" wrote:
> Hi,
>
> I have setup a sudo command but no matter what I do I cannot get a host-group to work, but I can specify a specific host without issue.....I assume this is a problem with the sssd daemon on the RHEL6.3 client? So what info/logs are needed to fault find this please?
>
>

Set sudoers_debug 2 on your sudo-ldap.conf. Run the sudo command. You should see it scroll a list of hostgroups etc.

If you do not have your domainname set, your sudo commands will fail on the hostgroup because they expect to see the nis domain match.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272

From james.hogarth at gmail.com Tue Aug 7 10:51:17 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Tue, 7 Aug 2012 11:51:17 +0100
Subject: [Freeipa-users] hostgroups not working for Sudo commands
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD6D66F@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD6D169@STAWINCOX10MBX1.staff.vuw.ac.nz> <7DEA0283-7A8F-4AA2-8C9A-ECF953607F4B@citrix.com> <833D8E48405E064EBC54C84EC6B36E404CD6D66F@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

>
> Yes I'd missed this,
>
> echo "nisdomainname ods.vuw.ac.nz" >> /etc/rc.d/rc.local
>
> Is it not possible to automate this (sudo setup) more in the ipa-client-install?
> Control whether you want it via a sudo_enable=yes or no somewhere?
>
> I've added it to my kickstart for now so my sudo setup is mostly automated.
>

RHEL 6.3 added NISDOMAIN as a usable entry in /etc/sysconfig/network by the way - it's a bit cleaner than sticking stuff in rc.local ...

From john at ox-consulting.com Tue Aug 7 13:54:37 2012
From: john at ox-consulting.com (Johnathan Phan)
Date: Tue, 7 Aug 2012 14:54:37 +0100
Subject: [Freeipa-users] cross domain trust between two IPA servers
Message-ID:

Hi everyone,

Is it possible to create a cross domain trust between two IPA servers? I would have thought FreeIPA would have dealt with this use case first rather than jump directly into integrating with AD.

The reason for this is because you're more likely to have satellite sites of Redhat servers you want to manage.

Example of this is shown below.

You require user details to be separated for two separate organizations that merge together. In the interim period or permanently you may want members data to be stored in the two separate Realms for either legal reasons or for company structure reasons (Management). As you do this quite frequently with Microsoft AD environments when corporations merge or buy one another out. Or a parent company buys a smaller company but wants to hook the two systems together without merging them completely to keep the companies' identity and major operations separate.

Is there any way to do this with two IPA servers?

--
Johnathan Phan
ox-consulting
T: +44 (0)784 118 7080
john at ox-consulting.com
From simo at redhat.com Tue Aug 7 14:39:56 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Aug 2012 10:39:56 -0400
Subject: [Freeipa-users] cross domain trust between two IPA servers
In-Reply-To:
References:
Message-ID: <1344350396.20530.294.camel@willson.li.ssimo.org>

On Tue, 2012-08-07 at 14:54 +0100, Johnathan Phan wrote:
> Hi everyone,
>
> Is it possible to create a cross domain trust between two IPA servers?
> I would have thought FreeIPA would have dealt with this use case first
> rather than jump directly into integrating with AD.

Not yet, the reason we dealt with AD first is that there were more requests for that use case.

> The reason for this is because you're more likely to have satellite
> sites of Redhat servers you want to manage.
>
> Example of this is shown below.
>
> You require user details to be separated for two separate
> organizations that merge together. In the interim period or
> permanently you may want members' data to be stored in the two separate
> Realms for either legal reasons or for company structure reasons
> (Management). As you do this quite frequently with Microsoft AD
> environments when corporations merge or buy one another out. Or a
> parent company buys a smaller company but wants to hook the two systems
> together without merging them completely to keep the companies'
> identity and major operations separate.
>
> Is there any way to do this with two IPA servers?

We are planning to add FreeIPA<->FreeIPA trusts in due course, and a kerberos level trust between 2 IPA servers can be done with some manual work, but there are some details when it comes to providing identity to the other domain that are missing. (Although SSSD can be configured easily enough to use 2 separate FreeIPA domains if really needed).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sakodak at gmail.com Tue Aug 7 15:02:38 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 7 Aug 2012 10:02:38 -0500
Subject: [Freeipa-users] pam su configuration to ignore certain ipa/ldap users
Message-ID:

I have an unusual situation. Our DBAs want different passwords for the oracle account on production and development machines. I'm using local authentication for oracle on all the boxes, but they're also not allowed to log in directly as oracle, only su, but su always wants to go to ldap first.

Does anyone know what I need to do to get su to look at local auth first, then go to ldap?

Another consideration is that this is AIX. I'm pretty sure if given a Linux solution to this I could adapt (AIX *can* use PAM, it just doesn't by default.)

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From simo at redhat.com Tue Aug 7 15:44:42 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Aug 2012 11:44:42 -0400
Subject: [Freeipa-users] cross domain trust between two IPA servers
In-Reply-To:
References: <1344350396.20530.294.camel@willson.li.ssimo.org>
Message-ID: <1344354282.20530.302.camel@willson.li.ssimo.org>

On Tue, 2012-08-07 at 16:36 +0100, Johnathan Phan wrote:
> Hi Simo,
>
> This document here implies that this does it.
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html#basic-trust

This document does not apply to Identity Management (FreeIPA in RHEL speak), it is for a classic Kerberos KDC. However it is a reasonable guide to experiment with trusts.

> However during testing it does not behave as expected.
>
> Do you have any documentation on how SSSD can be configured so that
> when logging in on a server in a.example.com with a user that exists
> in the IPA server responsible for domain b.example.com can happen.
> Only based on the rights the group has in b.example.com.
>
> any reference material on how that could work will help me a long way.

You should look into the fact SSSD can be defined to have multiple domains. This means though that the 'receiving' machines need to be configured for both realms. This is one of the gotchas, given the current lack of actual integration; moving forward, when we will have official integration, manual configuration of a separate SSSD domain will not be necessary and group memberships will work better.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sakodak at gmail.com Tue Aug 7 17:33:15 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 7 Aug 2012 12:33:15 -0500
Subject: [Freeipa-users] pam su configuration to ignore certain ipa/ldap users
In-Reply-To:
References:
Message-ID:

I've figured this out on AIX. If anyone googles this later: in /etc/security/user the default: stanza needs to have:

system = "compat or KRB5ALXAP or LDAP"

instead of:

SYSTEM = "KRB5ALXAP or LDAP or compat"

It could probably be done other ways (using PAM,) but this was easiest for now.

On Tue, Aug 7, 2012 at 10:02 AM, KodaK wrote:
> I have an unusual situation. Our DBAs want different passwords for
> the oracle account
> on production and development machines. I'm using local
> authentication for oracle
> on all the boxes, but they're also not allowed to log in directly as
> oracle, only su, but
> su always wants to go to ldap first.
>
> Does anyone know what I need to do to get su to look at local auth
> first, then go to
> ldap?
>
> Another consideration is that this is AIX. I'm pretty sure if given a
> Linux solution to
> this I could adapt (AIX *can* use PAM, it just doesn't by default.)
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From sakodak at gmail.com Tue Aug 7 19:56:06 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 7 Aug 2012 14:56:06 -0500
Subject: [Freeipa-users] Multiple hostnames
Message-ID:

I suspect I'm SOL on this one, but I'd like confirmation.

We have two servers in an HA cluster:

source:

sla710ph1.unix.magellanhealth.com

target:

slahat01.unix.magellanhealth.com

and a service name of:

sla710ph.unix.magellanhealth.com

The service name will float between the HA source and target.

The DBAs tell me that in order for Oracle to work, the hostname has to return the service name.

There's absolutely no way to do this and remain kerberized, right? I can't have two servers (with two different IP addresses) be "the same" in IPA, right?

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From rob at axpr.net Tue Aug 7 20:00:20 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Tue, 7 Aug 2012 13:00:20 -0700
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
Message-ID:

Good Afternoon,

I'm testing FreeIPA for a proof-of-concept replacement of NIS on OEL 6.3 (RHEL 6.3). I followed the guide to set up the FreeIPA server, and it seems to be working great on the IPA server itself. I can ssh in as admin, type my password, and I'm in.

I then have been struggling with getting it going on client systems. As I'm not setting any of this up with DNS (I want this to be as un-obtrusive as possible), I executed the following command:

ipa-client-install --no-dns-sshfp --no-ntp --server=ovm-auth. --domain=

It asked me for admin's username and password and threw a warning about getent passwd admin not returning anything. Sure enough, it doesn't return anything on the client (although it does on the server).

From the client, I'm able to kinit admin, type my password, and then passwordlessly ssh over to the auth server.

I do see these entries in my log file on the client:

Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Failed to initialize credentials using keytab [(null)]: Client 'host/ovm-c19-db@' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Client not found in Kerberos database

I'm pretty new at Kerberos, so am unsure exactly what this might mean.

Thanks for any pointers!

Rob

From simo at redhat.com Tue Aug 7 20:21:04 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Aug 2012 16:21:04 -0400
Subject: [Freeipa-users] Multiple hostnames
In-Reply-To:
References:
Message-ID: <1344370864.20530.310.camel@willson.li.ssimo.org>

On Tue, 2012-08-07 at 14:56 -0500, KodaK wrote:
> I suspect I'm SOL on this one, but I'd like confirmation.
>
> We have two servers in an HA cluster:
>
> source:
>
> sla710ph1.unix.magellanhealth.com
>
> target:
>
> slahat01.unix.magellanhealth.com
>
> and a service name of:
>
> sla710ph.unix.magellanhealth.com
>
> The service name will float between the HA source and target.
>
> The DBAs tell me that in order for Oracle to work, the hostname has to
> return the service name.
>
> There's absolutely no way to do this and remain kerberized, right? I
> can't have two servers (with two different IP addresses) be "the same"
> in IPA, right?

Not sure what 'source' and 'target' means, I guess they are the names of 2 peers in an active/passive HA solution?

There are ways to deal with that.

A simple way is to share the same keytab using the "common" name for the fqdn part of the service (means you have to copy and keep the keytab in sync whenever you reconfigure it). Of course the service must be able to be configured to pass a specific name (not use the hostname) or, even better, not specify *any* name, and let gssapi check if any key is able to decrypt the incoming ticket, ignoring the service name entirely.

Other ways entail using a CNAME for the "common" name and have DNS switch it from one to the other 'hard' name. In that case clients will resolve the CNAME and then acquire a ticket for the correct target host. However, name caching and TTL issues may make failing over this way less desirable. The CNAME trick works better for load balancing (using DNS round robin) in active/active solutions.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Tue Aug 7 20:24:35 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Aug 2012 16:24:35 -0400
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References:
Message-ID: <1344371075.20530.313.camel@willson.li.ssimo.org>

On Tue, 2012-08-07 at 13:00 -0700, Rob Ogilvie wrote:
> Good Afternoon,
>
>
> I'm testing FreeIPA for a proof-of-concept replacement of NIS on OEL
> 6.3 (RHEL 6.3). I followed the guide to set up the FreeIPA server,
> and it seems to be working great on the IPA server itself. I can ssh
> in as admin, type my password, and I'm in.
>
>
> I then have been struggling with getting it going on client systems.
> As I'm not setting any of this up with DNS (I want this to be as
> un-obtrusive as possible), I executed the following command:
>
>
> ipa-client-install --no-dns-sshfp --no-ntp --server=ovm-auth.
> --domain=
>
>
> It asked me for admin's username and password and threw a warning
> about getent passwd admin not returning anything. Sure enough, it
> doesn't return anything on the client (although it does on the
> server).
>
>
> From the client, I'm able to kinit admin, type my password, and then
> passwordlessly ssh over to the auth server.
>
>
> I do see these entries in my log file on the client:
>
>
> Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Failed to
> initialize credentials using keytab [(null)]: Client
> 'host/ovm-c19-db@' not found in Kerberos database.
> Unable to create GSSAPI-encrypted LDAP connection.
> Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Client not found
> in Kerberos database
>
>
> I'm pretty new at Kerberos, so am unsure exactly what this might mean.
>

Kerberos depends on proper name resolution. If a hostname cannot be resolved you cannot acquire tickets for it. So if your host ovm-c19-db does not have a DNS entry (either using IPA's DNS server or an external DNS server) you can't get tickets. Also, name resolution generally must match the hostname as that is what is used to register a client into ipa.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rob at axpr.net Tue Aug 7 20:35:02 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Tue, 7 Aug 2012 13:35:02 -0700
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To: <1344371075.20530.313.camel@willson.li.ssimo.org>
References: <1344371075.20530.313.camel@willson.li.ssimo.org>
Message-ID:

On Tue, Aug 7, 2012 at 1:24 PM, Simo Sorce wrote:
> Kerberos depends on proper name resolution. If a hostname cannot be
> resolved you cannot acquire tickets for it.
> So if your host ovm-c19-db does not have a DNS entry (either using IPA's
> DNS server or an external DNS server) you can't get tickets.
> Also, name resolution generally must match the hostname as that is what
> is used to register a client into ipa.

That seems fair. DNS is well set up, though. ovm-c19-db. exists in DNS and ovm-auth is able to resolve it by short hostname and FQDN. On the client, hostname returns the FQDN, as well.

Is there anything in my log entries that make it look like it's a DNS problem? Again, I must stress, I'm new with Kerberos.

Thanks for your help!
Rob

From simo at redhat.com Tue Aug 7 20:59:30 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Aug 2012 16:59:30 -0400
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org>
Message-ID: <1344373170.20530.317.camel@willson.li.ssimo.org>

On Tue, 2012-08-07 at 13:35 -0700, Rob Ogilvie wrote:
> On Tue, Aug 7, 2012 at 1:24 PM, Simo Sorce wrote:
> > Kerberos depends on proper name resolution. If a hostname cannot be
> > resolved you cannot acquire tickets for it.
> > So if your host ovm-c19-db does not have a DNS entry (either using IPA's
> > DNS server or an external DNS server) you can't get tickets.
> > Also, name resolution generally must match the hostname as that is what
> > is used to register a client into ipa.
>
> That seems fair. DNS is well set up, though. ovm-c19-db.
> exists in DNS and ovm-auth is able to resolve it by short hostname and
> FQDN. On the client, hostname returns the FQDN, as well.
>
> Is there anything in my log entries that make it look like it's a DNS
> problem? Again, I must stress, I'm new with Kerberos.

Does klist -kt /etc/krb5.keytab return entries with the right hostname?

If that works does ipa host-find list it?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rob at axpr.net Tue Aug 7 21:17:57 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Tue, 7 Aug 2012 14:17:57 -0700
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To: <1344373170.20530.317.camel@willson.li.ssimo.org>
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org>
Message-ID:

On Tue, Aug 7, 2012 at 1:59 PM, Simo Sorce wrote:
> Does klist -kt /etc/krb5.keytab return entries with the right hostname ?

It lists four entries, each with the correct FQDN:

[root at ovm-c19-db ~]# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 08/07/12 12:51:03 host/ovm-c19-db.@
   1 08/07/12 12:51:03 host/ovm-c19-db.@
   1 08/07/12 12:51:03 host/ovm-c19-db.@
   1 08/07/12 12:51:03 host/ovm-c19-db.@

> If that works does ipa host-find list it ?

It does, but not with a certificate listed (ovm-auth, the server, does have a certificate listed).

Thanks!

Rob

From rob at axpr.net Tue Aug 7 21:48:39 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Tue, 7 Aug 2012 14:48:39 -0700
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org>
Message-ID:

I just found these additional log file entries on my IPA server. The vm-mapsdc2 is one of the domain controllers/DNS servers not associated with IPA other than being one of our authoritative DNS servers. Is something misconfigured in IPA on the server side?

Aug 07 14:01:02 ovm-auth. krb5kdc[1180](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: NEEDED_PREAUTH: host/ovm-c19-db.@ for krbtgt/@, Additional pre-authentication required
Aug 07 14:01:02 ovm-auth. krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.@ for krbtgt/@
Aug 07 14:01:02 ovm-auth. krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.@ for krbtgt/@
Aug 07 14:01:02 ovm-auth. krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.@ for ldap/vm-13thdc2.@, Server not found in Kerberos database
Aug 07 14:01:02 ovm-auth. krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: NEEDED_PREAUTH: host/ovm-c19-db.@ for krbtgt/@, Additional pre-authentication required
Aug 07 14:01:02 ovm-auth. krb5kdc[1180](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.@ for krbtgt/@
Aug 07 14:01:02 ovm-auth. krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.@ for krbtgt/@
Aug 07 14:01:02 ovm-auth. krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.@ for ldap/vm-mapsdc2.@, Server not found in Kerberos database

From sakodak at gmail.com Wed Aug 8 02:03:22 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 7 Aug 2012 21:03:22 -0500
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org>
Message-ID:

On Tue, Aug 7, 2012 at 4:48 PM, Rob Ogilvie wrote:
> I just found these additional log file entries on my IPA server. The
> vm-mapsdc2 is one of the domain controllers/DNS servers not associated
> with IPA other than being one of our authoritative DNS servers. Is
> something misconfigured in IPA on the server side?

It's hard to tell with the obfuscation, but is your DOMAIN the same as the one handled by the domain controller vm-mapsdc2? You can only have one Kerberos realm named DOMAIN.

For example, if you have the windows domain/Kerb realm MYCOMPANY.COM, you will not be able to have it coexist with an IPA server controlling the realm MYCOMPANY.COM.

If it's an oldschool NT type domain you should be OK, but if it's Active Directory (which uses Kerberos) you can't do it.

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From rob at axpr.net Wed Aug 8 15:42:28 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Wed, 8 Aug 2012 08:42:28 -0700
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org>
Message-ID:

On Tue, Aug 7, 2012 at 7:03 PM, KodaK wrote:
> It's hard to tell with the obfuscation, but is your DOMAIN the same as
> the one handled by the domain controller vm-mapsdc2?

Indeed, it is....

> You can only have one Kerberos realm named DOMAIN.

How do they know about each other?

> For example, if you have the windows domain/Kerb realm MYCOMPANY.COM,
> you will not be able to have it coexist with an IPA server controlling
> the realm MYCOMPANY.COM.

That's quite unfortunate. How can I work around this? Can I create the realm BLAH.MYCOMPANY.COM or maybe even NOTMYCOMPANY.COM without a DNS domain to match, or will I need to interface with the DNS admins? Is there a good document that describes the nature of these realms and their relation to DNS?

> If it's an oldschool NT type domain you should be OK, but if it's
> Active Directory (which uses Kerberos) you can't do it.

It's an Active Directory domain.

Rob

From pspacek at redhat.com Wed Aug 8 16:06:50 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 08 Aug 2012 18:06:50 +0200
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org>
Message-ID: <50228E9A.8020802@redhat.com>

On 08/08/2012 05:42 PM, Rob Ogilvie wrote:
> On Tue, Aug 7, 2012 at 7:03 PM, KodaK wrote:
>> It's hard to tell with the obfuscation, but is your DOMAIN the same as
>> the one handled by the domain controller vm-mapsdc2?
>
> Indeed, it is....
>
>> You can only have one Kerberos realm named DOMAIN.
>
> How do they know about each other?

There are DNS SRV records for Kerberos KDC and realm names. The original Kerberos documentation on DNS is in:
http://web.mit.edu/kerberos/www/krb5-1.10/krb5-1.10.2/doc/krb5-admin.html#Using-DNS

Kerberos principles (not only DNS) are described in:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Using_Kerberos.html

>
>> For example, if you have the windows domain/Kerb realm MYCOMPANY.COM,
>> you will not be able to have it coexist with an IPA server controlling
>> the realm MYCOMPANY.COM.
>
> That's quite unfortunate. How can I work around this? Can I create
> the realm BLAH.MYCOMPANY.COM or maybe even NOTMYCOMPANY.COM without a
> DNS domain to match, or will I need to interface with the DNS admins?
> Is there a good document that describes the nature of these realms and
> their relation to DNS?

Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA manage it).

You can configure all servers and clients statically with /etc/krb5.conf, but it is error-prone and not scalable.

Configuration with AD and IPA with the same domain name is not supported, because it confuses Kerberos libraries.

Petr^2 Spacek

>
>> If it's an oldschool NT type domain you should be OK, but if it's
>> Active Directory (which uses Kerberos) you can't do it.
>
> It's an Active Directory domain.
>
> Rob

From sakodak at gmail.com Wed Aug 8 16:14:06 2012
From: sakodak at gmail.com (KodaK)
Date: Wed, 8 Aug 2012 11:14:06 -0500
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To: <50228E9A.8020802@redhat.com>
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com>
Message-ID:

On Wed, Aug 8, 2012 at 11:06 AM, Petr Spacek wrote:
> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
> SRV records (or let IPA manage it).

Absolutely, this is the best way.

> You can configure all servers and clients statically with
> /etc/krb5.conf, but it is error-prone and not scalable.

You *could* use something like puppet to manage your krb5.conf files (I have to with our AIX machines.)

Also, it's important to note that your REALM does NOT need to match your dns domain name. It's a convenience, and it's very, very helpful to do so, but it is possible to have a REALM called "MIDDLEEARTH" if you wanted. I'm not sure how IPA would deal with that, but I know you can do it in straight up Kerberos.

--Jason

From sakodak at gmail.com Wed Aug 8 16:20:07 2012
From: sakodak at gmail.com (KodaK)
Date: Wed, 8 Aug 2012 11:20:07 -0500
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com>
Message-ID:

Rob, you may want to read through this whole FAQ, but this one covers what I'm talking about:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#realms

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From rob at axpr.net Wed Aug 8 17:27:03 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Wed, 8 Aug 2012 10:27:03 -0700
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To: <50228E9A.8020802@redhat.com>
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com>
Message-ID:

On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek wrote:
> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
> SRV records (or let IPA manage it).

Ugh, I hope this doesn't end up pushing us back to NIS.

If I can get our infrastructure guys to buy off on making a unix.mycompany.com subdomain in DNS, would I need to move all the hosts to be under that subdomain in DNS? I have some services configured that are difficult to rename the DNS domain of. Could, for instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM realm, given a MYCOMPANY.COM realm also exists?

I could then put some SRV records into the subdomain's zone to point the kerberos stuff to the IPA server, change the domain on the IPA server, change the realm on the IPA server, re-register clients, and everything would be happy?

Ugh... actually... now that I think about this, I don't think I want half my servers in a unix subdomain in DNS, which means DNS and realm wouldn't match...

Thoughts? Aside from rebuilding the infrastructure I've built already? :-)

Rob

From pspacek at redhat.com Wed Aug 8 17:59:28 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 08 Aug 2012 19:59:28 +0200
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com>
Message-ID: <5022A900.3000900@redhat.com>

On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek wrote:
>> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
>> SRV records (or let IPA manage it).
>
> Ugh, I hope this doesn't end up pushing us back to NIS.
>
> If I can get our infrastructure guys to buy off on making a
> unix.mycompany.com subdomain in DNS, would I need to move all the
> hosts to be under that subdomain in DNS? I have some services

Definitely not. You can create subdomain UNIX.MYCOMPANY.COM, fill it with SRV records and leave this subdomain without hosts (maybe except IPA servers ...). It is not necessary to rename all hosts.

The problem is simple: Kerberos libraries have to know where KDCs are located, and DNS is the standardized way to accomplish it.

Let me quote another reply from this thread:
On 08/08/2012 06:14 PM, KodaK wrote:
> You *could* use something like puppet to manage your krb5.conf files
> (I have to with our AIX machines.)
>
> Also, it's important to note that your REALM does NOT need to match
> your dns domain name.
> It's a convenience, and it's very, very helpful to do so, but it is
> possible to have a REALM called
> "MIDDLEEARTH" if you wanted. I'm not sure how IPA would deal with
> that, but I know you
> can do it in straight up Kerberos.

> configured that are difficult to rename the DNS domain of. Could, for
> instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM
> realm, given a MYCOMPANY.COM realm also exists?

Yes, it could.

>
> I could then put some SRV records into the subdomain's zone to point
> the kerberos stuff to the IPA server, change the domain on the IPA
> server, change the realm on the IPA server, re-register clients, and
> everything would be happy?

I get lost in the renaming part. Can you describe your idea in bigger detail?

>
> Ugh... actually... now that I think about this, I don't think I want
> half my servers in a unix subdomain in DNS, which means DNS and realm
> wouldn't match...
>
> Thoughts? Aside from rebuilding the infrastructure I've built already? :-)

Leave all machines in MYCOMPANY.COM and use IPA realm UNIX.MYCOMPANY.COM. IMHO it is the simplest way.

This limitation comes from Kerberos: You are trying to use *single domain name* for *two independent Kerberos realms* - it is principally not possible.
Petr^2 Spacek From simo at redhat.com Wed Aug 8 18:07:31 2012 From: simo at redhat.com (Simo Sorce) Date: Wed, 08 Aug 2012 14:07:31 -0400 Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept In-Reply-To: <5022A900.3000900@redhat.com> References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com> <5022A900.3000900@redhat.com> Message-ID: <1344449251.20530.347.camel@willson.li.ssimo.org> On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote: > On 08/08/2012 07:27 PM, Rob Ogilvie wrote: > > On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek wrote: > >> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper > >> SRV records (or let IPA to manage it). > > > > Ugh, I hope this doesn't end up pushing us back to NIS. > > > > If I can get our infrastructure guys to buy off on making a > > unix.mycompany.com subdomain in DNS, would I need to move all the > > hosts to be under that subdomain in DNS? I have some services > > Definitely not. You can create subdomain UNIX.MYCOMPANY.COM, fill it with SRV > records and leave this subdomain without hosts (maybe except IPA servers ...). > It is not necessary to rename all hosts. > > Problem is simple - Kerberos libraries have to know where KDCs are located - > and DNS is standardized way how to accomplish it. > > Let me quote another reply from this thread: > On 08/08/2012 06:14 PM, KodaK wrote: > > You*could* use something like puppet to manage your krb5.conf files > > (I have to with our AIX machines.) > > > > Also, it's important to note that your REALM does NOT need to match > > your dns domain name > > It's a convenience, and it's very, very helpful to do so, but it is > > possible to have a REALM called > > "MIDDLEEARTH" if you wanted. I'm not sure how IPA would deal with > > that, but I know you > > can do it in straight up Kerberos. > > > > configured that are difficult to rename the DNS domain of. 
Could, for > > instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM > > realm, given a MYCOMPANY.COM realm also exists? > > Yes, it could. > > > > > I could then put some SRV records into the subdomain's zone to point > > the kerberos stuff to the IPA server, change the domain on the IPA > > server, change the realm on the IPA server, re-register clients, and > > everything would be happy? > > I get lost in the renaming part. Can you describe your idea in bigger detail? > > > > > Ugh... actually... now that I think about this, I don't think I want > > half my servers in a unix subdomain in DNS, which means DNS and realm > > wouldn't match... > > > > Thoughts? Aside from rebuilding the infrastructure I've built already? :-) > > Let all machines in MYCOMPANY.COM and use IPA realm UNIX.MYCOMPANY.COM. > IMHO it is simplest way. > > > This limitation comes from Kerberos: You are trying to use *single domain > name* for *two independent Kerberos realms* - it is principally not possible. I just need to pint one one problem with leaving all machines under MYDOMAIN.COM, and that is if you later want to make a trust (option available starting from ipa 3.0) between the AD realm and the IPA realm, the machines in the mydomain.com domain will not be able to be accessed by the users of the AD realm. That is because the machines joined to the AD realm will think that the mydomain.com machines are always served up by the AD domain. On the IPA side you amy also have so issues as you will not be able to tell IPA clients that they need to ask the AD KDC for the hosts under mydomain.com So ultimately, I would put as many machines as you can under UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want to establish a trust between the AD domain and the IPA domain. Simo. 
-- 
Simo Sorce * Red Hat, Inc * New York

From rob at axpr.net Wed Aug 8 18:23:07 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Wed, 8 Aug 2012 11:23:07 -0700
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To: <5022A900.3000900@redhat.com>
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com> <5022A900.3000900@redhat.com>
Message-ID:

So here's my plan, then... let me know if it seems like it'll make sense?

- I'm going to uninstall everything IPA from the IPA server
  (ovm-auth.mycompany.com) after I unregister the client machines.

- I'm going to set up the IPA server with a new realm; UNIX.MYCOMPANY.COM
  (do I need to have our DNS folks put an SRV record up there for that?
  If so, what?)

- I'm going to try registering testserver.mycompany.com server as part
  of the UNIX.MYCOMPANY.COM realm.

Sound reasonable and/or sane? :-)

Rob

From erinn.looneytriggs at gmail.com Wed Aug 8 18:45:47 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 08 Aug 2012 10:45:47 -0800
Subject: [Freeipa-users] cannot find name for user ID
Message-ID: <5022B3DB.6010806@gmail.com>

An interesting problem has popped up and I am not sure where the issue
lies. Users logging in are presented with "cannot find name for user ID"
etc. etc. for all groups they are a member of

id returns nothing but the numbers, and a getent passwd returns nothing,
when running as the user.

However, as root a getent passwd works.

I am taking a look through logs and haven't found much so far, another
user experienced a similar issue and an ipa-client-install --uninstall
and reinstall (this is starting to feel like windows :) did the trick
for them, however it has not solved the issue for me.

I have also cleared the sssd cache, and given that process a kick to no
avail.
Firewall rules have not changed, and I assume the ipa-client-install
process would have failed if a firewall issue was present.

After increasing sssd logging levels I see a lot of requests for the
user in the sssd logs, but no returns, not that I know if the logging is
supposed to log the return.

This is on a RHEL 5.8 client:
ipa-client-2.1.3-2.el5_8
sssd-1.5.1-49.el5_8.1

Connecting to a RHEL 6.3 IPA server.

Any ideas?

-Erinn

From simo at redhat.com Wed Aug 8 18:52:56 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 08 Aug 2012 14:52:56 -0400
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com> <5022A900.3000900@redhat.com>
Message-ID: <1344451976.20530.352.camel@willson.li.ssimo.org>

On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> So here's my plan, then... let me know if it seems like it'll make sense?
>
> -I'm going to uninstall everything IPA from the IPA server
> (ovm-auth.mycompany.com) after I unregister the client machines.
>
> -I'm going to set up the IPA server with a new realm;
> UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> up there for that? If so, what?)

If your DNS people want to manually manage DNS for you then they need to
create the unix.mydomain.com zone and manually create SRV and TXT
records for kerberos and ldap IPA servers.

If they want to avoid having to manage DNS for you they can delegate the
subdomain to you and you can install DNS integration in IPA so critical
DNS records are automatically managed for you.
For tests you can also just use the FreeIPA integrated DNS server and
create your own DNS server there that forwards to your official DNS
servers for any query out of unix.mydomain.com (you point it to your
current DNS server when install asks for forwarders). If you do this you
will have to point your IPA clients to your IPA server for DNS. And
unless you get a zone delegation only machines pointing directly at your
server in their resolv.conf will be able to see the unix.mydomain.com
zone.

> -I'm going to try registering testserver.mycompany.com server as part
> of the UNIX.MYCOMPANY.COM realm.
>
> Sound reasonable and/or sane? :-)

for the ipa server it should be in the unix.mydomain.com DNS zone to be
useful.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rob at axpr.net Wed Aug 8 19:16:55 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Wed, 8 Aug 2012 12:16:55 -0700
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To: <1344451976.20530.352.camel@willson.li.ssimo.org>
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com> <5022A900.3000900@redhat.com> <1344451976.20530.352.camel@willson.li.ssimo.org>
Message-ID:

On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce wrote:
> On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> > -I'm going to set up the IPA server with a new realm;
> > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> > up there for that? If so, what?)
>
> If your DNS people want to manually manage DNS for you then they need to
> create the unix.mydomain.com zone and manually create SRV and TXT
> records for kerberos and ldap IPA servers.

Is there a doc that explains what those SRV and TXT records need to look like?

> > -I'm going to try registering testserver.mycompany.com server as part
> > of the UNIX.MYCOMPANY.COM realm.
> >
> > Sound reasonable and/or sane?
> > :-)
>
> for the ipa server it should be in the unix.mydomain.com DNS zone to be
> useful.

The IPA server needs to be part of the unix.mycompany.com domain, then,
and the IPA clients do not?

Rob

From simo at redhat.com Wed Aug 8 19:31:41 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 08 Aug 2012 15:31:41 -0400
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com> <5022A900.3000900@redhat.com> <1344451976.20530.352.camel@willson.li.ssimo.org>
Message-ID: <1344454301.20530.357.camel@willson.li.ssimo.org>

On Wed, 2012-08-08 at 12:16 -0700, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce wrote:
> > On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> > > -I'm going to set up the IPA server with a new realm;
> > > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> > > up there for that? If so, what?)
> >
> > If your DNS people want to manually manage DNS for you then they need to
> > create the unix.mydomain.com zone and manually create SRV and TXT
> > records for kerberos and ldap IPA servers.
>
> Is there a doc that explains what those SRV and TXT records need to look like?

When you install freeipa it will generate a zone file if DNS is not
installed as well, that's probably the most complete example.

> > > -I'm going to try registering testserver.mycompany.com server as part
> > > of the UNIX.MYCOMPANY.COM realm.
> > >
> > > Sound reasonable and/or sane? :-)
> >
> > for the ipa server it should be in the unix.mydomain.com DNS zone to be
> > useful.
>
> The IPA server needs to be part of the unix.mycompany.com domain,
> then, and the IPA clients do not?

The simplest setup is when all clients are part of the same DNS zone
which is not shared with an AD setup.
Unlike AD we do not force all clients to be positioned in the same DNS
zone, however if you have clients not belonging to the same DNS domain
you may have to change the krb5.conf file on all members of the realm to
add additional [domain_realm] mappings so that you can tell that clients
in zone foo.net are also to be looked for in the UNIX.MYDOMAIN.COM realm
and its KDC.

We are going to make it simpler to add these domains centrally in
FreeIPA and have SSSD automatically provide these mappings on all
clients, but this work is being done in v 3.0. For now it needs to be
manually configured on each client.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sakodak at gmail.com Wed Aug 8 19:33:01 2012
From: sakodak at gmail.com (KodaK)
Date: Wed, 8 Aug 2012 14:33:01 -0500
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com> <5022A900.3000900@redhat.com> <1344451976.20530.352.camel@willson.li.ssimo.org>
Message-ID:

On Wed, Aug 8, 2012 at 2:16 PM, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce wrote:
>> On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
>> > -I'm going to set up the IPA server with a new realm;
>> > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
>> > up there for that? If so, what?)
>>
>> If your DNS people want to manually manage DNS for you then they need to
>> create the unix.mydomain.com zone and manually create SRV and TXT
>> records for kerberos and ldap IPA servers.
>
> Is there a doc that explains what those SRV and TXT records need to look like?
If you're not familiar with this document then you need to spend some
quality time with it:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html

:)

In it you'll find:

If a DNS server is already configured in the network, then the
configuration in the IPA-generated file can be added to the existing DNS
zone file. This allows IPA clients to find LDAP and Kerberos servers that
are required for them to participate in the IPA domain. For example, this
DNS zone configuration is created for an IPA server with the KDC and DNS
servers all on the same machine in the EXAMPLE.COM realm:

; ldap servers
_ldap._tcp IN SRV 0 100 389 ipaserver.example.com.

;kerberos realm
_kerberos IN TXT EXAMPLE.COM

; kerberos servers
_kerberos._tcp IN SRV 0 100 88 ipaserver.example.com.
_kerberos._udp IN SRV 0 100 88 ipaserver.example.com.
_kerberos-master._tcp IN SRV 0 100 88 ipaserver.example.com.
_kerberos-master._udp IN SRV 0 100 88 ipaserver.example.com.
_kpasswd._tcp IN SRV 0 100 464 ipaserver.example.com.
_kpasswd._udp IN SRV 0 100 464 ipaserver.example.com.

From rob at axpr.net Wed Aug 8 20:15:51 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Wed, 8 Aug 2012 13:15:51 -0700
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To:
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com> <5022A900.3000900@redhat.com> <1344451976.20530.352.camel@willson.li.ssimo.org>
Message-ID:

On Wed, Aug 8, 2012 at 12:33 PM, KodaK wrote:
> If you're not familiar with this document then you need to spend some
> quality time with it:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html

That is, as a matter of fact, the guide I've been using. I fear it was
written with the assumption readers understood IPA realms couldn't easily
coexist with Active Directory domains.
Reading through the installation guide, I see no mention of needing a
separate realm for IPA... it's probably assumed we know that already?

Rob

From lyamanishi at sesda2.com Wed Aug 8 20:19:22 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Wed, 08 Aug 2012 16:19:22 -0400
Subject: [Freeipa-users] Dogtag reinitialization
Message-ID: <5022C9CA.7000305@sesda2.com>

Is there any way to completely reinitialize the Dogtag instance atomically?

My PKI-IPA directory looks like this:

> ldapsearch -x -h localhost -p 7389 -D "cn=directory manager" -W -b 'o=ipaca' 'objectClass=*'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: objectClass=*
> # requesting: ALL
> #
>
> # ipaca
> dn: o=ipaca
> objectClass: top
> objectClass: organization
> o: ipaca
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1

It's like that on both my master and replica, and my backups don't go
back far enough. I think something happened during replica management,
but I'm not sure. I haven't used the full range of PKI features up to
this point, so this isn't a huge issue for me just yet. In any case, I
imagine it will become a big deal at some point, if not for my usage,
for management of the IPA instance as a whole.

So, how can I fix this? I do have the private key, if that's any use.

-- 
----- *question everything*learn something*answer nothing* ------------
Lucas Yamanishi
------------------ Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

From rolf at glptrading.com Wed Aug 8 17:10:22 2012
From: rolf at glptrading.com (Rolf Brusletto)
Date: Wed, 08 Aug 2012 11:10:22 -0600
Subject: [Freeipa-users] Simple question about replication promotion
Message-ID: <50229D7E.7060506@glptrading.com>

We had a rather severe issue last night on our primary IPA server (ver
2.2.0), but the replica is still happily plugging along, which is very
nice. My question is, there is very, very little I can do with the
'master'. From what I've read, there isn't any replication, and I just
want to verify that a replica is just another master, assuming you're
not using the CA option. If so, when I rebuild the primary server, do I
just configure it to be a replica to what was the secondary?

Thanks,

Rolf Brusletto

From rob at axpr.net Wed Aug 8 20:48:24 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Wed, 8 Aug 2012 13:48:24 -0700
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To: <1344454301.20530.357.camel@willson.li.ssimo.org>
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com> <5022A900.3000900@redhat.com> <1344451976.20530.352.camel@willson.li.ssimo.org> <1344454301.20530.357.camel@willson.li.ssimo.org>
Message-ID:

On Wed, Aug 8, 2012 at 12:31 PM, Simo Sorce wrote:
> Unlike AD we do not force all clients to be positioned in the same DNS
> zone, however if you have clients not belonging to the same DNS domain
> you may have to change the krb5.conf file on all members of the realm to
> add additional [domain_realm] mappings so that you can tell that clients
> in zone foo.net are also to be looked for in the UNIX.MYDOMAIN.COM realm
> and its KDC.
I just, as a test, with no DNS set up for this, ran things with DNS
being mycompany.com, and the IPA domain being set up as ovm.mycompany.com
and realm of OVM.MYCOMPANY.COM, and everything appears to be working
great. The only piece is the ipa-client-install needs to specify the
(non-DNS) domain, realm, and server, but that's no problem for me at
all...

Any thoughts about problems I might see?

Rob

From Steven.Jones at vuw.ac.nz Wed Aug 8 21:05:57 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 8 Aug 2012 21:05:57 +0000
Subject: [Freeipa-users] Simple question about replication promotion
In-Reply-To: <50229D7E.7060506@glptrading.com>
References: <50229D7E.7060506@glptrading.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD6E574@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I lost my master so did a db2ldif on the replica and then a ldif2db on
the master and it seemed to work fine. It's been more stable than the
replicas which are on their 2nd rebuild in that many months... :/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rolf Brusletto [rolf at glptrading.com]
Sent: Thursday, 9 August 2012 5:10 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Simple question about replication promotion

We had a rather severe issue last night on our primary IPA server (ver
2.2.0), but the replica is still happily plugging along, which is very
nice. My question is, there is very, very little I can do with the
'master'. From what I've read, there isn't any replication, and I just
want to verify that a replica is just another master, assuming you're
not using the CA option. If so, when I rebuild the primary server, do I
just configure it to be a replica to what was the secondary?
Thanks,

Rolf Brusletto

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Wed Aug 8 21:08:51 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 8 Aug 2012 21:08:51 +0000
Subject: [Freeipa-users] 2 factor authentication
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD6E582@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi

Is there any way to use something like a hardware key with IPA for
select users (such as myself)?

So the idea is I not only have a password but a piece of hardware I need
to login to my secure desktop.....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From jhrozek at redhat.com Wed Aug 8 21:11:46 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 8 Aug 2012 23:11:46 +0200
Subject: [Freeipa-users] cannot find name for user ID
In-Reply-To: <5022B3DB.6010806@gmail.com>
References: <5022B3DB.6010806@gmail.com>
Message-ID: <20120808211146.GA2973@hendrix.redhat.com>

On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
> An interesting problem has popped up and I am not sure where the issue
> lies. Users logging in are presented with "cannot find name for user ID"
> etc. etc. for all groups they are a member of
>
> id returns nothing but the numbers, and a getent passwd
> returns nothing, when running as the user.
>
> However, as root a getent passwd works.
>
> I am taking a look through logs and haven't found much so far, another
> user experienced a similar issue and an ipa-client-install --uninstall
> and reinstall (this is starting to feel like windows :) did the trick
> for them, however it has not solved the issue for me.
>
> I have also cleared the sssd cache, and given that process a kick to no
> avail.
>
> Firewall rules have not changed, and I assume the ipa-client-install
> process would have failed if a firewall issue was present.
>
> After increasing sssd logging levels I see a lot of requests for the
> user in the sssd logs, but no returns, not that I know if the logging is
> supposed to log the return.
>
> This is on a RHEL 5.8 client:
> ipa-client-2.1.3-2.el5_8
> sssd-1.5.1-49.el5_8.1
>
> Connecting to a RHEL 6.3 IPA server.
>
> Any ideas?
>
> -Erinn
>

Hi Erinn,

The requests for the user you saw were only in the sssd_nss log or did
they make it to the sssd_$domain.log as well? Can you paste sanitized
contents of both, please?

I can't think of a reason to make lookups work only as root, that's
really strange. Can you check for AVC denials? Can you also check the
permissions on /var/lib/sss/pipes/nss ? It should be 0666.

From erinn.looneytriggs at gmail.com Wed Aug 8 21:23:20 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 08 Aug 2012 13:23:20 -0800
Subject: [Freeipa-users] cannot find name for user ID
In-Reply-To: <20120808211146.GA2973@hendrix.redhat.com>
References: <5022B3DB.6010806@gmail.com> <20120808211146.GA2973@hendrix.redhat.com>
Message-ID: <5022D8C8.8070603@gmail.com>

On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
>> An interesting problem has popped up and I am not sure where the issue
>> lies. Users logging in are presented with "cannot find name for user ID"
>> etc. etc. for all groups they are a member of
>>
>> id returns nothing but the numbers, and a getent passwd
>> returns nothing, when running as the user.
>>
>> However, as root a getent passwd works.
>>
>> I am taking a look through logs and haven't found much so far, another
>> user experienced a similar issue and an ipa-client-install --uninstall
>> and reinstall (this is starting to feel like windows :) did the trick
>> for them, however it has not solved the issue for me.
>>
>> I have also cleared the sssd cache, and given that process a kick to no
>> avail.
>>
>> Firewall rules have not changed, and I assume the ipa-client-install
>> process would have failed if a firewall issue was present.
>>
>> After increasing sssd logging levels I see a lot of requests for the
>> user in the sssd logs, but no returns, not that I know if the logging is
>> supposed to log the return.
>>
>> This is on a RHEL 5.8 client:
>> ipa-client-2.1.3-2.el5_8
>> sssd-1.5.1-49.el5_8.1
>>
>> Connecting to a RHEL 6.3 IPA server.
>>
>> Any ideas?
>>
>> -Erinn
>>
>
> Hi Erinn,
>
> The requests for the user you saw were only in the sssd_nss log or did
> they make it to the sssd_$domain.log as well? Can you paste sanitized
> contents of both, please?
>
> I can't think of a reason to make lookups work only as root, that's
> really strange. Can you check for AVC denials? Can you also check the
> permissions on /var/lib/sss/pipes/nss ? It should be 0666.
>

Yes it is very odd. I have had a rash of systems with SELinux labelling
issues, so I ran a restorecon on the file system to no avail, as well I
set SELinux to permissive mode, again no help there.

Permissions appear correct:
srw-rw-rw- 1 root root 0 Aug  8 18:35 nss
srw-rw-rw- 1 root root 0 Aug  8 18:35 pam

Is there a simple way to sanitize these log files?

-Erinn
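As an added example (not from this thread or from SSSD), a small Python script that pseudonymizes SSSD debug logs before they are posted to a list: usernames, hostnames under the IPA domain, IP addresses and the domain itself are replaced with consistent placeholders, so the sequence of requests in sssd_nss and sssd_$domain logs stays readable while the identifying values are gone. The sample log lines are constructed to resemble SSSD output and are not real logs; the regexes are assumptions about the fields worth redacting.

```python
"""Pseudonymize SSSD debug logs before sharing them on a mailing list.

Added example, not part of the thread. The sample lines below are
constructed to resemble sssd_nss.log / sssd_<domain>.log output; they are
not copied from a real system.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one getpwnam request, the backend LDAP search it
# triggers, the server it resolved, and a second user's request.
SAMPLE_LOG = """\
(Wed Aug  8 18:35:01 2012) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): Requesting info for [erinn@example.com]
(Wed Aug  8 18:35:01 2012) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=erinn)(objectclass=posixAccount))][cn=accounts,dc=example,dc=com].
(Wed Aug  8 18:35:01 2012) [sssd[be[example.com]]] [be_resolve_server_done] (0x0200): Found server ipa1.example.com at 192.0.2.10
(Wed Aug  8 18:35:02 2012) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): Requesting info for [jdoe@example.com]
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Usernames appear after "uid=" in LDAP filters and after "for [" in nss requests.
USER_RE = re.compile(r"(uid=|for \[)([A-Za-z0-9._-]+)")


class Pseudonymizer:
    """Replace identifying values with stable placeholders (user1, host1, ip1 ...)."""

    def __init__(self, domain: str) -> None:
        self.domain = domain.lower()
        self.users: Dict[str, str] = {}
        self.hosts: Dict[str, str] = {}
        self.ips: Dict[str, str] = {}
        esc = re.escape(self.domain)
        # host.example.com -> hostN.DOMAIN (at least one label before the domain)
        self.host_re = re.compile(r"\b([A-Za-z0-9-]+)\." + esc + r"\b", re.IGNORECASE)
        # bare example.com -> DOMAIN (as in be[example.com] or user@example.com)
        self.domain_re = re.compile(r"\b" + esc + r"\b", re.IGNORECASE)
        # dc=example,dc=com -> dc=DOMAIN
        labels = self.domain.split(".")
        self.dc_re = re.compile("dc=" + ",dc=".join(re.escape(p) for p in labels), re.IGNORECASE)

    @staticmethod
    def _alias(table: Dict[str, str], key: str, prefix: str) -> str:
        # The same value always maps to the same placeholder, so the reader can
        # still tell which lines belong to one user, host or server.
        return table.setdefault(key.lower(), f"{prefix}{len(table) + 1}")

    def line(self, text: str) -> str:
        # Hostnames first (they contain the domain), then usernames, then the
        # remaining bare domain forms, then addresses.
        text = self.host_re.sub(lambda m: self._alias(self.hosts, m.group(0), "host") + ".DOMAIN", text)
        text = USER_RE.sub(lambda m: m.group(1) + self._alias(self.users, m.group(2), "user"), text)
        text = self.domain_re.sub("DOMAIN", text)
        text = self.dc_re.sub("dc=DOMAIN", text)
        text = IPV4_RE.sub(lambda m: self._alias(self.ips, m.group(0), "ip"), text)
        return text


def sanitize(log_text: str, domain: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return the sanitized lines and the mapping; keep the mapping local, never post it."""
    p = Pseudonymizer(domain)
    lines = [p.line(l) for l in log_text.splitlines()]
    return lines, {"users": p.users, "hosts": p.hosts, "ips": p.ips}


if __name__ == "__main__":
    clean, mapping = sanitize(SAMPLE_LOG, "example.com")
    print("\n".join(clean))
    print("mapping (keep private):", mapping)
```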
From rcritten at redhat.com Wed Aug 8 21:32:50 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Aug 2012 17:32:50 -0400
Subject: [Freeipa-users] 2 factor authentication
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD6E582@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD6E582@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5022DB02.80800@redhat.com>

Steven Jones wrote:
> Hi
>
> Is there any way to use something like a hardware key with IPA for select users (such as myself)?
>
> So the idea is I not only have a password but a piece of hardware I need to login to my secure desktop.....

We're looking into 2 factor auth but it isn't supported yet. You might
want to follow the authhub project, https://fedorahosted.org/AuthHub/

rob

From rcritten at redhat.com Wed Aug 8 21:34:25 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Aug 2012 17:34:25 -0400
Subject: [Freeipa-users] Simple question about replication promotion
In-Reply-To: <50229D7E.7060506@glptrading.com>
References: <50229D7E.7060506@glptrading.com>
Message-ID: <5022DB61.5020203@redhat.com>

Rolf Brusletto wrote:
> We had a rather severe issue last night on our primary IPA server (ver
> 2.2.0), but the replica is still happily plugging along, which is very
> nice. My question is, there is very, very little I can do with the
> 'master'. From what I've read, there isn't any replication, and I just
> want to verify that a replica is just another master, assuming you're
> not using the CA option. If so, when I rebuild the primary server, do I
> just configure it to be a replica to what was the secondary?

Just to be clear, you installed the original server with a dogtag CA
installed? And then you created a replica but didn't configure a CA on
it?
rob

From rcritten at redhat.com Wed Aug 8 21:36:13 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Aug 2012 17:36:13 -0400
Subject: [Freeipa-users] Dogtag reinitialization
In-Reply-To: <5022C9CA.7000305@sesda2.com>
References: <5022C9CA.7000305@sesda2.com>
Message-ID: <5022DBCD.5000302@redhat.com>

Lucas Yamanishi wrote:
> Is there any way to completely reinitialize the Dogtag instance atomically?
>
> My PKI-IPA directory looks like this:
>
>> ldapsearch -x -h localhost -p 7389 -D "cn=directory manager" -W -b 'o=ipaca' 'objectClass=*'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: objectClass=*
>> # requesting: ALL
>> #
>>
>> # ipaca
>> dn: o=ipaca
>> objectClass: top
>> objectClass: organization
>> o: ipaca
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>
> It's like that on both my master and replica, and my backups don't go
> back far enough. I think something happened during replica management,
> but I'm not sure. I haven't used the full range of PKI features up to
> this point, so this isn't a huge issue for me just yet. In any case, I
> imagine it will become a big deal at some point, if not for my usage,
> for management of the IPA instance as a whole.
>
> So, how can I fix this? I do have the private key, if that's any use.

I'm not sure what would cause every single entry to be removed. Do the
logs shed any light on this?
rob

From rcritten at redhat.com Wed Aug 8 21:59:01 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Aug 2012 17:59:01 -0400
Subject: [Freeipa-users] IPA 2.2 Windows 2008R2 sync
In-Reply-To: <501BF55D.2010809@redhat.com>
References: <1911275892.61.1344009021282.JavaMail.root@sirismail.lyra-network.com> <501BF55D.2010809@redhat.com>
Message-ID: <5022E125.40005@redhat.com>

Rich Megginson wrote:
> On 08/03/2012 09:50 AM, Baptiste AGASSE wrote:
>> Hi,
>>
>>>> Hi all,
>>>>
>>>> I've a problem with winsync between ipa 2.2 on centos 6.3 and Active
>>>> directory 2008R2.
>>>>
>>>> I'm following this documentation to enable synchronization:
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
>>>>
>>> There is nothing on this page about running certutil? Which link talks
>>> about certutil?
>> Links present in the documentation talk about commands and options for
>> certutil but I don't see anything about this error.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html

I agree, I don't think this is necessary either. I'm not sure if this
originated in the 389-ds docs or we provided Deon (or David) with bad
information long ago.

rob

>
>
>
> Can one of the IPA developers explain why it is necessary to install the
> IPA CA certificate into the Windows Cert Store in order to get
> Winsync/PassSync working? I don't believe it is necessary.
>
> For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
> Directory and IPA CA Certificates
>
>>
>> I'm a newbie on Microsoft OSes, but I don't understand why certutil
>> doesn't find my file.
>>
>> I will ask on a microsoft forum.
>>
>> Regards
>>
>>>> When I run as admin 'certutil -installcert -v -config
>>>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
>>>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
>>>> french) :
>>>>
>>>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
>>>> CertUtil: Specified file not found
>>>>
>>>> someone saw this issue ?
>>>>
>>>> Have a nice day.
>>>>
>>>> Regards.
>>>>
>>>> Baptiste.
>>>>

From lyamanishi at sesda2.com Wed Aug 8 22:10:42 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Wed, 08 Aug 2012 18:10:42 -0400
Subject: [Freeipa-users] Dogtag reinitialization
In-Reply-To: <5022DBCD.5000302@redhat.com>
References: <5022C9CA.7000305@sesda2.com> <5022DBCD.5000302@redhat.com>
Message-ID: <5022E3E2.9030509@sesda2.com>

I wouldn't even know what to look for. /var/lib/dirsrv/slapd-PKI-IPA/error
is like a debug log. All I can tell you is that I ran
"ipa-csreplica-manage re-initialize --from master" on my replica, then on
my "master" a few minutes later.

-- 
----- *question everything*learn something*answer nothing* ------------
Lucas Yamanishi
------------------ Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

On 08/08/2012 05:36 PM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>> Is there any way to completely reinitialize the Dogtag instance
>> atomically?
>>
>> My PKI-IPA directory looks like this:
>>
>>> ldapsearch -x -h localhost -p 7389 -D "cn=directory manager" -W -b
>>> 'o=ipaca' 'objectClass=*'
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: objectClass=*
>>> # requesting: ALL
>>> #
>>>
>>> # ipaca
>>> dn: o=ipaca
>>> objectClass: top
>>> objectClass: organization
>>> o: ipaca
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>
>> It's like that on both my master and replica, and my backups don't go
>> back far enough. I think something happened during replica management,
>> but I'm not sure. I haven't used the full range of PKI features up to
>> this point, so this isn't a huge issue for me just yet. In any case, I
>> imagine it will become a big deal at some point, if not for my usage,
>> for management of the IPA instance as a whole.
>>
>> So, how can I fix this? I do have the private key, if that's any use.
>
> I'm not sure what would cause every single entry to be removed. Do the
> logs shed any light on this?
>
> rob
>
>
>

From rcritten at redhat.com Wed Aug 8 22:34:09 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Aug 2012 18:34:09 -0400
Subject: [Freeipa-users] IPA Server
In-Reply-To: <20120801041329.GA28655@noboost.org>
References: <20120801041329.GA28655@noboost.org>
Message-ID: <5022E961.1030403@redhat.com>

freeipa at noboost.org wrote:
> Hi All,
>
> NOTE: I posted this on the 389 forum, they rightly suggested this is
> most likely an IPA issue.
>
>
> Spec:
> Redhat Enterprise Linux 6.3 x64
>
> - ipa-server-2.2.0-16.el6.x86_64
> - 389-ds-base-1.2.10.2-18.el6_3.x86_64
> - 389-ds-base-libs-1.2.10.2-18.el6_3.x86_64
>
> We had a simple (but quite dramatic) issue the other day. Our
> backup script simply does a cold backup of the 389 Directory Server,
> however this time it didn't start back up.
>
>
> Script simply runs: /etc/init.d/ipa stop
>
> Error from Log:
> [31/Jul/2012:02:00:38 +1000] - slapd stopped.
> [31/Jul/2012:02:00:43 +1000] createprlistensockets - PR_Bind() on
> All
> Interfaces port 636 failed: Netscape Portable Runtime error -5982
> (Local
> Network address is in use.)
>
>
> Is there any way to work out why this happened?
> Is this an IPA issue that is known about?
>
> When I did a manual restart in the morning it was fine. The backups
> even worked perfectly last night too. Sounds like a bug in the ipa
> shutdown script?

Does your backup script do any logging? I see a 5 second window between
shutdown and start up. Is it possible your database backed up that
quickly?

It would seem that ns-slapd reported itself as stopped but it still had
a process hanging around with the port open.

rob

From bin.echo at gmail.com Thu Aug 9 06:13:58 2012
From: bin.echo at gmail.com (bin.echo at gmail.com)
Date: Thu, 9 Aug 2012 00:13:58 -0600
Subject: [Freeipa-users] Fedora 17 FreeIPA Replica not starting up
Message-ID:

After installing a replica on a fresh up to date install of FC17,
everything seems fine until a reboot. FreeIPA is running on the new
machine, etc.

But after the reboot ldap doesn't start on its own and can't be made
to start manually. The original FreeIPA instance, same software
versions, is running just fine.

Release: 1.fc17 Arch: x86_64 FreeIPA Version: 2.2.0

here is the short error. I can post more if this symptom isn't enough.
(I've replaced the names of my actual machines and domain)

#> ipactl start
Starting Directory Service
Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 2] No such file or directory
Shutting down

#> tail -20 /var/log/messages
Aug  8 23:56:04 replica systemd[1]: dirsrv at PKI-IPA.service: control process exited, code=exited status=1
Aug  8 23:56:04 replica systemd[1]: Unit dirsrv at PKI-IPA.service entered failed state.
Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Aug 9 00:00:16 replica dbus[610]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Aug 9 00:00:16 replica dbus-daemon[610]: Launching FprintObject
Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system] Successfully activated service 'net.reactivated.Fprint'
Aug 9 00:00:16 replica dbus[610]: [system] Successfully activated service 'net.reactivated.Fprint'
Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: D-Bus service launched with name: net.reactivated.Fprint
Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: entering main loop
Aug 9 00:00:46 replica dbus-daemon[610]: ** Message: No devices in use, exit
Aug 9 00:05:01 replica ns-slapd[2265]: [09/Aug/2012:00:05:01 -0600] startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PIVOTVFX-NET/dse.ldif. It is mandatory.
Aug 9 00:05:01 replica systemd[1]: dirsrv at EXAMPLE-COM.service: control process exited, code=exited status=1
Aug 9 00:05:01 replica systemd[1]: Unit dirsrv at EXAMPLE-COM.service entered failed state.
Aug 9 00:05:01 replica ns-slapd[2266]: [09/Aug/2012:00:05:01 -0600] startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.
Aug 9 00:05:01 replica systemd[1]: dirsrv at PKI-IPA.service: control process exited, code=exited status=1

From bin.echo at gmail.com Thu Aug 9 07:14:42 2012
From: bin.echo at gmail.com (bin.echo at gmail.com)
Date: Thu, 9 Aug 2012 01:14:42 -0600
Subject: [Freeipa-users] Fedora 17 FreeIPA Replica not starting up
In-Reply-To:
References:
Message-ID:

I think I've narrowed it down to the "tombstone" problem. But now I'm at
a loss for what to do. The only advice I can find involves using direct
ldap code and that is way over my head.
(I'd prefer to not completely destroy my database in the process of
trying to clean out the zombies)

Is there any kind of wrapper script I can use to kill the zombie
{replicageneration} and nsds5replica?

Thanks for any help!

-Aaron

On Thu, Aug 9, 2012 at 12:13 AM, wrote:
> After installing a replica on a fresh up to date install of FC17,
> everything seems fine until a reboot. FreeIPA is running on the new
> machine, etc.
>
> But after the reboot ldap doesn't start on its own and can't be made
> to start manually. The original FreeIPA instance, same software
> versions, is running just fine.
>
> Release: 1.fc17 Arch: x86_64 FreeIPA Version: 2.2.0
>
> Here is the short error. I can post more if this symptom isn't enough.
> (I've replaced the names of my actual machines and domain)
>
> #> ipactl start
> Starting Directory Service
> Failed to read data from Directory Service: Unknown error when
> retrieving list of services from LDAP: [Errno 2] No such file or
> directory
> Shutting down
>
>
> #> tail -20 /var/log/messages
> Aug 8 23:56:04 replica systemd[1]: dirsrv at PKI-IPA.service: control
> process exited, code=exited status=1
> Aug 8 23:56:04 replica systemd[1]: Unit dirsrv at PKI-IPA.service
> entered failed state.
> Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system]
> Activating service name='net.reactivated.Fprint' (using servicehelper)
> Aug 9 00:00:16 replica dbus[610]: [system] Activating service
> name='net.reactivated.Fprint' (using servicehelper)
> Aug 9 00:00:16 replica dbus-daemon[610]: Launching FprintObject
> Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system]
> Successfully activated service 'net.reactivated.Fprint'
> Aug 9 00:00:16 replica dbus[610]: [system] Successfully activated
> service 'net.reactivated.Fprint'
> Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: D-Bus service
> launched with name: net.reactivated.Fprint
> Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: entering main loop
> Aug 9 00:00:46 replica dbus-daemon[610]: ** Message: No devices in use, exit
> Aug 9 00:05:01 replica ns-slapd[2265]: [09/Aug/2012:00:05:01 -0600]
> startup - The default password storage scheme SSHA could not be read
> or was not found in the file /etc/dirsrv/slapd-PIVOTVFX-NET/dse.ldif.
> It is mandatory.
> Aug 9 00:05:01 replica systemd[1]: dirsrv at EXAMPLE-COM.service:
> control process exited, code=exited status=1
> Aug 9 00:05:01 replica systemd[1]: Unit dirsrv at EXAMPLE-COM.service
> entered failed state.
> Aug 9 00:05:01 replica ns-slapd[2266]: [09/Aug/2012:00:05:01 -0600]
> startup - The default password storage scheme SSHA could not be read
> or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is
> mandatory.
> Aug 9 00:05:01 replica systemd[1]: dirsrv at PKI-IPA.service: control
> process exited, code=exited status=1

From erinn.looneytriggs at gmail.com Thu Aug 9 08:35:17 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Thu, 09 Aug 2012 00:35:17 -0800
Subject: [Freeipa-users] cannot find name for user ID
In-Reply-To: <20120808211146.GA2973@hendrix.redhat.com>
References: <5022B3DB.6010806@gmail.com> <20120808211146.GA2973@hendrix.redhat.com>
Message-ID: <50237645.106@gmail.com>

On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
>> An interesting problem has popped up and I am not sure where the issue
>> lies. Users logging in are presented with "cannot find name for user ID"
>> etc. etc. for all groups they are a member of
>>
>> id returns nothing but the numbers, and a getent passwd
>> returns nothing, when running as the user.
>>
>> However, as root a getent passwd works.
>>
>> I am taking a look through logs and haven't found much so far, another
>> user experienced a similar issue and an ipa-client-install --uninstall
>> and reinstall (this is starting to feel like windows :) did the trick
>> for them, however it has not solved the issue for me.
>>
>> I have also cleared the sssd cache, and given that process a kick to no
>> avail.
>>
>> Firewall rules have not changed, and I assume the ipa-client-install
>> process would have failed if a firewall issue was present.
>>
>> After increasing sssd logging levels I see a lot of requests for the
>> user in the sssd logs, but no returns, not that I know if the logging is
>> supposed to log the return.
>>
>> This is on a RHEL 5.8 client:
>> ipa-client-2.1.3-2.el5_8
>> sssd-1.5.1-49.el5_8.1
>>
>> Connecting to a RHEL 6.3 IPA server.
>>
>> Any ideas?
>>
>> -Erinn
>>
>
> Hi Erinn,
>
> The requests for the user you saw were only in the sssd_nss log or did
> they make it to the sssd_$domain.log as well?
> Can you paste sanitized
> contents of both, please?
>
> I can't think of a reason to make lookups work only as root, that's
> really strange. Can you check for AVC denials? Can you also check the
> permissions on /var/lib/sss/pipes/nss ? It should be 0666.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

Ok I figured out what was happening, or at least a portion of it. It looks
like the sudo package update that was pushed out from Red Hat to RHEL 5
x86_64 systems (at least) modified the permissions of /etc/nsswitch.conf
to 600, thus blocking everyone but root from reading it and causing this
weird issue where root could pull user info but no one else.

At this point I only assume it was the sudo package, as that is the package
that was updated on 10 or so RHEL 5 hosts at the exact same time as the
nsswitch file was updated and the permissions changed. I have to go dig
through the rpm scripts to see what could cause this, then work with
support to get it fixed overall.

Thanks for the help, this was a really odd problem.

-Erinn

From erinn.looneytriggs at gmail.com Thu Aug 9 08:52:47 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Thu, 09 Aug 2012 00:52:47 -0800
Subject: [Freeipa-users] cannot find name for user ID
In-Reply-To: <20120808211146.GA2973@hendrix.redhat.com>
References: <5022B3DB.6010806@gmail.com> <20120808211146.GA2973@hendrix.redhat.com>
Message-ID: <50237A5F.90403@gmail.com>

On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
>> An interesting problem has popped up and I am not sure where the issue
>> lies.
>> Users logging in are presented with "cannot find name for user ID"
>> etc. etc. for all groups they are a member of
>>
>> id returns nothing but the numbers, and a getent passwd
>> returns nothing, when running as the user.
>>
>> However, as root a getent passwd works.
>>
>> I am taking a look through logs and haven't found much so far, another
>> user experienced a similar issue and an ipa-client-install --uninstall
>> and reinstall (this is starting to feel like windows :) did the trick
>> for them, however it has not solved the issue for me.
>>
>> I have also cleared the sssd cache, and given that process a kick to no
>> avail.
>>
>> Firewall rules have not changed, and I assume the ipa-client-install
>> process would have failed if a firewall issue was present.
>>
>> After increasing sssd logging levels I see a lot of requests for the
>> user in the sssd logs, but no returns, not that I know if the logging is
>> supposed to log the return.
>>
>> This is on a RHEL 5.8 client:
>> ipa-client-2.1.3-2.el5_8
>> sssd-1.5.1-49.el5_8.1
>>
>> Connecting to a RHEL 6.3 IPA server.
>>
>> Any ideas?
>>
>> -Erinn
>>
>
> Hi Erinn,
>
> The requests for the user you saw were only in the sssd_nss log or did
> they make it to the sssd_$domain.log as well? Can you paste sanitized
> contents of both, please?
>
> I can't think of a reason to make lookups work only as root, that's
> really strange. Can you check for AVC denials? Can you also check the
> permissions on /var/lib/sss/pipes/nss ? It should be 0666.
>

Yeah I can confirm this for certain now, take a look below:

erinn at numbersix ~ $ ls -l /etc/nsswitch.conf
-rw-r--r-- 1 root root 1726 Dec 27  2011 /etc/nsswitch.conf
erinn at numbersix ~ $ sudo yum -y update sudo

Loaded plugins: rhnplugin, security
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package sudo.x86_64 0:1.7.2p1-14.el5_8.2 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch        Version                   Repository             Size
================================================================================
Updating:
 sudo         x86_64      1.7.2p1-14.el5_8.2        rhel-x86_64-server-5   359 k

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       1 Package(s)

Total size: 359 k
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : sudo                                                    1/2
  Cleanup        : sudo                                                    2/2

Updated:
  sudo.x86_64 0:1.7.2p1-14.el5_8.2

Complete!
erinn at numbersix ~ $ ls -l /etc/nsswitch.conf
-rw------- 1 root root 1727 Aug  9 08:43 /etc/nsswitch.conf

So it appears the latest sudo update is causing this issue, I am
uncertain whether this is intentional or not at this point (probably
not), but it is the cause, and it sure does make things messy for IPA. I
have filed a support case.

-Erinn
From rolf at glptrading.com Thu Aug 9 04:47:46 2012
From: rolf at glptrading.com (Rolf Brusletto)
Date: Wed, 08 Aug 2012 22:47:46 -0600
Subject: [Freeipa-users] Simple question about replication promotion
In-Reply-To: <5022DB61.5020203@redhat.com>
References: <50229D7E.7060506@glptrading.com> <5022DB61.5020203@redhat.com>
Message-ID: <502340F2.9050506@glptrading.com>

Yeah, that probably wasn't very clear...

Original - IPA instance w/ DNS, and no Dogtag
Replica - IPA instance w/ DNS, and no Dogtag

On 8/8/12 3:34 PM, Rob Crittenden wrote:
> Rolf Brusletto wrote:
>> We had a rather severe issue last night on our primary IPA server(ver
>> 2.2.0), but the replica is still happily plugging along, which is very
>> nice. My question is, there is very, very little I can do with the
>> 'master'. From what I've read, there isn't any replication, and I just
>> want to verify that a replica is just another master, assuming you're
>> not using the CA option. If so, when I rebuild the primary server, do I
>> just configure it to be a replica to what was the secondary?
>
> Just to be clear, you installed the original server with a dogtag CA
> installed? And then you created a replica but didn't configure a CA on
> it?
>
> rob

From rcritten at redhat.com Thu Aug 9 12:31:04 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Aug 2012 08:31:04 -0400
Subject: [Freeipa-users] Simple question about replication promotion
In-Reply-To: <502340F2.9050506@glptrading.com>
References: <50229D7E.7060506@glptrading.com> <5022DB61.5020203@redhat.com> <502340F2.9050506@glptrading.com>
Message-ID: <5023AD88.2010009@redhat.com>

Rolf Brusletto wrote:
> Yeah, that probably wasn't very clear...
>
> Original - IPA instance w/ DNS, and no Dogtag
> Replica - IPA instance w/ DNS, and no Dogtag

The devil is always in the details.
For user data yes, there is no difference between the initially installed
master and any others. It is the CA where things get problematic.

In your case, where you used --selfsign when installing, your CA is only
on the initial master. You might want to take a look at section 18.8.2
here:
http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/promoting-replica.html

If you try to run ipa-replica-prepare on your second master it will refuse
to do so because it lacks a CA. You need to fetch it from the current
master, or restore the PKCS#12 file you were warned to back up after the
initial installation. In your case you also need to create a serial number
file (if you don't have this you can always pick a new starting value).

rob

>
>
> On 8/8/12 3:34 PM, Rob Crittenden wrote:
>> Rolf Brusletto wrote:
>>> We had a rather severe issue last night on our primary IPA server(ver
>>> 2.2.0), but the replica is still happily plugging along, which is very
>>> nice. My question is, there is very, very little I can do with the
>>> 'master'. From what I've read, there isn't any replication, and I just
>>> want to verify that a replica is just another master, assuming you're
>>> not using the CA option. If so, when I rebuild the primary server, do I
>>> just configure it to be a replica to what was the secondary?
>>
>> Just to be clear, you installed the original server with a dogtag CA
>> installed? And then you created a replica but didn't configure a CA on
>> it?
>>
>> rob
>

From rmeggins at redhat.com Thu Aug 9 13:53:42 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Aug 2012 07:53:42 -0600
Subject: [Freeipa-users] Fedora 17 FreeIPA Replica not starting up
In-Reply-To:
References:
Message-ID: <5023C0E6.60001@redhat.com>

On 08/09/2012 01:14 AM, bin.echo at gmail.com wrote:
> I think I've narrowed it down to the "tombstone" problem.

What "tombstone" problem?
ls -al /etc/dirsrv/slapd-*

Also, please post a sanitized errors log from
/var/log/dirsrv/slapd-YOUR-DOMAIN/errors

>
> But now I'm at a loss for what to do. The only advice I can find
> involves using direct ldap code and that is way over my head. (I'd
> prefer to not completely destroy my database in the process of trying
> to clean out the zombies)
>
> Is there any kind of wrapper script I can use to kill the zombie
> {replicageneration} and nsds5replica?
>
> Thanks for any help!
>
> -Aaron
>
> On Thu, Aug 9, 2012 at 12:13 AM, wrote:
>> After installing a replica on a fresh up to date install of FC17,
>> everything seems fine until a reboot. FreeIPA is running on the new
>> machine, etc.
>>
>> But after the reboot ldap doesn't start on its own and can't be made
>> to start manually. The original FreeIPA instance, same software
>> versions, is running just fine.
>>
>> Release: 1.fc17 Arch: x86_64 FreeIPA Version: 2.2.0
>>
>> Here is the short error. I can post more if this symptom isn't enough.
>> (I've replaced the names of my actual machines and domain)
>>
>> #> ipactl start
>> Starting Directory Service
>> Failed to read data from Directory Service: Unknown error when
>> retrieving list of services from LDAP: [Errno 2] No such file or
>> directory
>> Shutting down
>>
>>
>> #> tail -20 /var/log/messages
>> Aug 8 23:56:04 replica systemd[1]: dirsrv at PKI-IPA.service: control
>> process exited, code=exited status=1
>> Aug 8 23:56:04 replica systemd[1]: Unit dirsrv at PKI-IPA.service
>> entered failed state.
>> Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system]
>> Activating service name='net.reactivated.Fprint' (using servicehelper)
>> Aug 9 00:00:16 replica dbus[610]: [system] Activating service
>> name='net.reactivated.Fprint' (using servicehelper)
>> Aug 9 00:00:16 replica dbus-daemon[610]: Launching FprintObject
>> Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system]
>> Successfully activated service 'net.reactivated.Fprint'
>> Aug 9 00:00:16 replica dbus[610]: [system] Successfully activated
>> service 'net.reactivated.Fprint'
>> Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: D-Bus service
>> launched with name: net.reactivated.Fprint
>> Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: entering main loop
>> Aug 9 00:00:46 replica dbus-daemon[610]: ** Message: No devices in use, exit
>> Aug 9 00:05:01 replica ns-slapd[2265]: [09/Aug/2012:00:05:01 -0600]
>> startup - The default password storage scheme SSHA could not be read
>> or was not found in the file /etc/dirsrv/slapd-PIVOTVFX-NET/dse.ldif.
>> It is mandatory.
>> Aug 9 00:05:01 replica systemd[1]: dirsrv at EXAMPLE-COM.service:
>> control process exited, code=exited status=1
>> Aug 9 00:05:01 replica systemd[1]: Unit dirsrv at EXAMPLE-COM.service
>> entered failed state.
>> Aug 9 00:05:01 replica ns-slapd[2266]: [09/Aug/2012:00:05:01 -0600]
>> startup - The default password storage scheme SSHA could not be read
>> or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is
>> mandatory.
>> Aug 9 00:05:01 replica systemd[1]: dirsrv at PKI-IPA.service: control
>> process exited, code=exited status=1

From jhrozek at redhat.com Thu Aug 9 16:40:14 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 9 Aug 2012 18:40:14 +0200
Subject: [Freeipa-users] cannot find name for user ID
In-Reply-To: <50237A5F.90403@gmail.com>
References: <5022B3DB.6010806@gmail.com> <20120808211146.GA2973@hendrix.redhat.com> <50237A5F.90403@gmail.com>
Message-ID: <20120809164014.GK7726@zeppelin.brq.redhat.com>

On Thu, Aug 09, 2012 at 12:52:47AM -0800, Erinn Looney-Triggs wrote:
> On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> > On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
> >> An interesting problem has popped up and I am not sure where the issue
> >> lies. Users logging in are presented with "cannot find name for user ID"
> >> etc. etc. for all groups they are a member of
> >>
> >> id returns nothing but the numbers, and a getent passwd
> >> returns nothing, when running as the user.
> >>
> >> However, as root a getent passwd works.
> >>
> >> I am taking a look through logs and haven't found much so far, another
> >> user experienced a similar issue and an ipa-client-install --uninstall
> >> and reinstall (this is starting to feel like windows :) did the trick
> >> for them, however it has not solved the issue for me.
> >>
> >> I have also cleared the sssd cache, and given that process a kick to no
> >> avail.
> >>
> >> Firewall rules have not changed, and I assume the ipa-client-install
> >> process would have failed if a firewall issue was present.
> >>
> >> After increasing sssd logging levels I see a lot of requests for the
> >> user in the sssd logs, but no returns, not that I know if the logging is
> >> supposed to log the return.
> >>
> >> This is on a RHEL 5.8 client:
> >> ipa-client-2.1.3-2.el5_8
> >> sssd-1.5.1-49.el5_8.1
> >>
> >> Connecting to a RHEL 6.3 IPA server.
> >>
> >> Any ideas?
> >>
> >> -Erinn
> >>
> >
> > Hi Erinn,
> >
> > The requests for the user you saw were only in the sssd_nss log or did
> > they make it to the sssd_$domain.log as well? Can you paste sanitized
> > contents of both, please?
> >
> > I can't think of a reason to make lookups work only as root, that's
> > really strange. Can you check for AVC denials? Can you also check the
> > permissions on /var/lib/sss/pipes/nss ? It should be 0666.
> >
>
> Yeah I can confirm this for certain now, take a look below:
>
> erinn at numbersix ~ $ ls -l /etc/nsswitch.conf
> -rw-r--r-- 1 root root 1726 Dec 27 2011 /etc/nsswitch.conf
> erinn at numbersix ~ $ sudo yum -y update sudo
>
> Loaded plugins: rhnplugin, security
> Skipping security plugin, no data
> Setting up Update Process
> Resolving Dependencies
> Skipping security plugin, no data
> --> Running transaction check
> ---> Package sudo.x86_64 0:1.7.2p1-14.el5_8.2 set to be updated
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> ================================================================================
> Package Arch Version Repository
> Size
> ================================================================================
> Updating:
> sudo x86_64 1.7.2p1-14.el5_8.2 rhel-x86_64-server-5
> 359 k
>
> Transaction Summary
> ================================================================================
> Install 0 Package(s)
> Upgrade 1 Package(s)
>
> Total size: 359 k
> Downloading Packages:
> Running rpm_check_debug
> Running Transaction Test
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
> Updating : sudo
> 1/2
> Cleanup : sudo
> 2/2
>
> Updated:
> sudo.x86_64 0:1.7.2p1-14.el5_8.2
>
>
> Complete!
> erinn at numbersix ~ $ ls -l /etc/nsswitch.conf
> -rw------- 1 root root 1727 Aug 9 08:43 /etc/nsswitch.conf
>
> So it appears the latest sudo update is causing this issue, I am
> uncertain whether this is intentional or not at this point (probably
> not), but it is the cause, and it sure does make things messy for IPA. I
> have filed a support case.
>
> -Erinn
>

You were a victim of https://bugzilla.redhat.com/show_bug.cgi?id=846631

From sakodak at gmail.com Thu Aug 9 21:28:02 2012
From: sakodak at gmail.com (KodaK)
Date: Thu, 9 Aug 2012 16:28:02 -0500
Subject: [Freeipa-users] Prompting for expired passwords on AIX
Message-ID:

I've kerberized a bunch of AIX machines, and I noticed when I was starting
out that AIX allows people to connect that have expired passwords, and
does not prompt for changes.

1) does anyone know what I need to do on AIX to make this happen (I don't
hold out much hope for this.)

2) alternately, does anyone know what I'd have to do on Linux to change
this behavior (maybe from that I can find something on AIX.)

I plan on opening a ticket with IBM too, but I wanted to see if anyone has
run into this before.

Thanks!

--
The government is going to read our mail anyway, might as well make it
tough for them.

GPG Public key ID: B6A1A7C6

From bin.echo at gmail.com Fri Aug 10 07:26:30 2012
From: bin.echo at gmail.com (bin.echo at gmail.com)
Date: Fri, 10 Aug 2012 01:26:30 -0600
Subject: [Freeipa-users] Fedora 17 FreeIPA Replica not starting up
In-Reply-To: <5023C0E6.60001@redhat.com>
References: <5023C0E6.60001@redhat.com>
Message-ID:

Hi Rich,

tombstone problem mentioned here:
http://danieljamesscott.org/documentation/12-troubleshooting/25-clean-tombstone-entries-from-freeipa-ldap-servers.html

I was seeing similar symptoms.
Mine is a new deployment so rather than monkey around trying to get an
install on a dirty machine to work, I simply reinstalled the entire OS and
changed the hostname of the replicant. The logs got blown away in the
process so I'm sorry I can't give you more info about the bug I was
getting.

The good news is, using exactly the same install options except for the
new hostname, and installing on to a pristine install of the OS, everything
now seems to work fine. So I'm not insane, as I was beginning to believe I
might be. There was some kind of issue with attempting to install the
replica on a machine where a previous attempt at a replica had been
uninstalled, but the next attempted install keeps the same hostname. I'm a
noobie so I didn't get it right on the first try.

I've noticed that trying to re-install clients with the same hostname
causes unexpected problems also. I realize that's not something done every
day but I wonder about cases where a machine is rebuilt and gets the same
hostname? That is a scenario that could realistically occur.

Again, I apologize for not having those logs to send. Hopefully it will be
smooth sailing from here on. Next step, getting my backup and recovery
strategy in place.

cheers,

-Aaron

On Thu, Aug 9, 2012 at 7:53 AM, Rich Megginson wrote:
> On 08/09/2012 01:14 AM, bin.echo at gmail.com wrote:
>>
>> I think I've narrowed it down to the "tombstone" problem.
>
>
> What "tombstone" problem?
>
> ls -al /etc/dirsrv/slapd-*
>
> Also, please post a sanitized errors log from
> /var/log/dirsrv/slapd-YOUR-DOMAIN/errors
>
>>
>> But now I'm at a loss for what to do. The only advice I can find
>> involves using direct ldap code and that is way over my head. (I'd
>> prefer to not completely destroy my database in the process of trying
>> to clean out the zombies)
>>
>> Is there any kind of wrapper script I can use to kill the zombie
>> {replicageneration} and nsds5replica?
>>
>> Thanks for any help!
>>
>> -Aaron
>>
>> On Thu, Aug 9, 2012 at 12:13 AM, wrote:
>>>
>>> After installing a replica on a fresh up to date install of FC17,
>>> everything seems fine until a reboot. FreeIPA is running on the new
>>> machine, etc.
>>>
>>> But after the reboot ldap doesn't start on its own and can't be made
>>> to start manually. The original FreeIPA instance, same software
>>> versions, is running just fine.
>>>
>>> Release: 1.fc17 Arch: x86_64 FreeIPA Version: 2.2.0
>>>
>>> Here is the short error. I can post more if this symptom isn't enough.
>>> (I've replaced the names of my actual machines and domain)
>>>
>>> #> ipactl start
>>> Starting Directory Service
>>> Failed to read data from Directory Service: Unknown error when
>>> retrieving list of services from LDAP: [Errno 2] No such file or
>>> directory
>>> Shutting down
>>>
>>>
>>> #> tail -20 /var/log/messages
>>> Aug 8 23:56:04 replica systemd[1]: dirsrv at PKI-IPA.service: control
>>> process exited, code=exited status=1
>>> Aug 8 23:56:04 replica systemd[1]: Unit dirsrv at PKI-IPA.service
>>> entered failed state.
>>> Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system]
>>> Activating service name='net.reactivated.Fprint' (using servicehelper)
>>> Aug 9 00:00:16 replica dbus[610]: [system] Activating service
>>> name='net.reactivated.Fprint' (using servicehelper)
>>> Aug 9 00:00:16 replica dbus-daemon[610]: Launching FprintObject
>>> Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system]
>>> Successfully activated service 'net.reactivated.Fprint'
>>> Aug 9 00:00:16 replica dbus[610]: [system] Successfully activated
>>> service 'net.reactivated.Fprint'
>>> Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: D-Bus service
>>> launched with name: net.reactivated.Fprint
>>> Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: entering main loop
>>> Aug 9 00:00:46 replica dbus-daemon[610]: ** Message: No devices in use,
>>> exit
>>> Aug 9 00:05:01 replica ns-slapd[2265]: [09/Aug/2012:00:05:01 -0600]
>>> startup - The default password storage scheme SSHA could not be read
>>> or was not found in the file /etc/dirsrv/slapd-PIVOTVFX-NET/dse.ldif.
>>> It is mandatory.
>>> Aug 9 00:05:01 replica systemd[1]: dirsrv at EXAMPLE-COM.service:
>>> control process exited, code=exited status=1
>>> Aug 9 00:05:01 replica systemd[1]: Unit dirsrv at EXAMPLE-COM.service
>>> entered failed state.
>>> Aug 9 00:05:01 replica ns-slapd[2266]: [09/Aug/2012:00:05:01 -0600]
>>> startup - The default password storage scheme SSHA could not be read
>>> or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is
>>> mandatory.
>>> Aug 9 00:05:01 replica systemd[1]: dirsrv at PKI-IPA.service: control
>>> process exited, code=exited status=1
>>
>
>

From pspacek at redhat.com Fri Aug 10 08:11:51 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 10 Aug 2012 10:11:51 +0200
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To: <1344449251.20530.347.camel@willson.li.ssimo.org>
References: <1344371075.20530.313.camel@willson.li.ssimo.org> <1344373170.20530.317.camel@willson.li.ssimo.org> <50228E9A.8020802@redhat.com> <5022A900.3000900@redhat.com> <1344449251.20530.347.camel@willson.li.ssimo.org>
Message-ID: <5024C247.8090209@redhat.com>

On 08/08/2012 08:07 PM, Simo Sorce wrote:
> On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote:
>> On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
>>> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek wrote:
>>>> The best way is to create a subdomain UNIX.MYCOMPANY.COM and fill it with proper
>>>> SRV records (or let IPA manage it).
>>>
>>> Ugh, I hope this doesn't end up pushing us back to NIS.
>>>
>>> If I can get our infrastructure guys to buy off on making a
>>> unix.mycompany.com subdomain in DNS, would I need to move all the
>>> hosts to be under that subdomain in DNS? I have some services
>>
>> Definitely not. You can create the subdomain UNIX.MYCOMPANY.COM, fill it with SRV
>> records and leave this subdomain without hosts (maybe except IPA servers ...).
>> It is not necessary to rename all hosts.
>>
>> The problem is simple - Kerberos libraries have to know where KDCs are located -
>> and DNS is the standardized way to accomplish it.
>>
>> Let me quote another reply from this thread:
>> On 08/08/2012 06:14 PM, KodaK wrote:
>> > You *could* use something like puppet to manage your krb5.conf files
>> > (I have to with our AIX machines.)
>> >
>> > Also, it's important to note that your REALM does NOT need to match
>> > your dns domain name
>> > It's a convenience, and it's very, very helpful to do so, but it is
>> > possible to have a REALM called
>> > "MIDDLEEARTH" if you wanted. I'm not sure how IPA would deal with
>> > that, but I know you
>> > can do it in straight up Kerberos.
>>
>>
>>> configured that are difficult to rename the DNS domain of. Could, for
>>> instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM
>>> realm, given a MYCOMPANY.COM realm also exists?
>>
>> Yes, it could.
>>
>>>
>>> I could then put some SRV records into the subdomain's zone to point
>>> the kerberos stuff to the IPA server, change the domain on the IPA
>>> server, change the realm on the IPA server, re-register clients, and
>>> everything would be happy?
>>
>> I get lost in the renaming part. Can you describe your idea in more detail?
>>
>>>
>>> Ugh... actually... now that I think about this, I don't think I want
>>> half my servers in a unix subdomain in DNS, which means DNS and realm
>>> wouldn't match...
>>>
>>> Thoughts? Aside from rebuilding the infrastructure I've built already? :-)
>>
>> Leave all machines in MYCOMPANY.COM and use the IPA realm UNIX.MYCOMPANY.COM.
>> IMHO it is the simplest way.
>>
>>
>> This limitation comes from Kerberos: You are trying to use a *single domain
>> name* for *two independent Kerberos realms* - it is in principle not possible.
>
> I just need to point out one problem with leaving all machines under
> MYDOMAIN.COM, and that is if you later want to make a trust (option
> available starting from ipa 3.0) between the AD realm and the IPA realm,
> the machines in the mydomain.com domain will not be able to be accessed
> by the users of the AD realm. That is because the machines joined to the
> AD realm will think that the mydomain.com machines are always served up
> by the AD domain.
>
> On the IPA side you may also have some issues as you will not be able to
> tell IPA clients that they need to ask the AD KDC for the hosts under
> mydomain.com
>
> So ultimately, I would put as many machines as you can under
> UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want to
> establish a trust between the AD domain and the IPA domain.
>
> Simo.
>

Is it possible to work around these problems with hostname-realm mappings?

It is not a clear solution, I know, but it should be doable for a limited set of
unix machines.
AFAIK Windows AD (I tested it with 2008 R2) has the ability to set hostname-realm
mappings through Group Policy.

Petr^2 Spacek

From dpal at redhat.com Fri Aug 10 20:24:21 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Aug 2012 16:24:21 -0400
Subject: [Freeipa-users] 2 factor authentication
In-Reply-To: <5022DB02.80800@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD6E582@STAWINCOX10MBX1.staff.vuw.ac.nz> <5022DB02.80800@redhat.com>
Message-ID: <50256DF5.5000204@redhat.com>

On 08/08/2012 05:32 PM, Rob Crittenden wrote:
> Steven Jones wrote:
>> Hi
>>
>> Is there any way to use something like a hardware key with IPA for
>> select users (such as myself)?
>>
>> So the idea is I not only have a password but a piece of hardware I
>> need to login to my secure desktop.....
>
> We're looking into 2 factor auth but it isn't supported yet. You might
> want to follow the authhub project, https://fedorahosted.org/AuthHub/
>
> rob
>

Steven,

Yes the whole idea is to be able to do exactly what you described.
But it is a long way to go. The biggest problem turned out to be on the
client (not on the server) with prompting the user for the right credential.
We are working on it with MIT and this is planned for the 1.11 release later
this year.
Once it is done in MIT code we will use it on the client and server to
accomplish the desired functionality.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From bin.echo at gmail.com Fri Aug 10 21:09:05 2012
From: bin.echo at gmail.com (bin.echo at gmail.com)
Date: Fri, 10 Aug 2012 15:09:05 -0600
Subject: [Freeipa-users] need FC17 autofs + FreeIPA pointers
Message-ID:

Hi Everyone,

I can't figure out how to set up a FreeIPA based autofs from the docs
at http://docs.fedoraproject.org. The docs are pretty terse and don't
explain at all how the automount maps find their way into LDAP or
precisely how it is a working (NON-FreeIPA) autofs setup gets converted
to LDAP based. I don't understand how an /etc/auto.master based
autofs is supposed to convert to LDAP based on the instructions
provided. There seems to be an entire setup step left undefined.

I sort of understand that the info that would typically reside in
"/etc/auto.home" will ultimately be provided by LDAP once everything
is set up. I'm just unclear on how to get there based on all the info
I can find via Google. Just how is it I need to push the required info
into LDAP? How are the automount maps managed once everything is LDAP
based?

Any pointers would be greatly appreciated. A mini-howto from start to
finish (start being NO autofs, finish being autofs + FreeIPA based
automounts) would be even better.

Thanks!
-Aaron

From rob at axpr.net Fri Aug 10 21:54:13 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Fri, 10 Aug 2012 14:54:13 -0700
Subject: [Freeipa-users] NFS Ownership Gone
Message-ID:

Hi All,

Files accessed over NFS with users that are not local (FreeIPA users)
are being squashed to nobody:nobody on my OEL6 box. My nfs is set to
"defaults" on the client.

I'm thinking this is probably something that happens regularly?
Rob

From dpal at redhat.com Fri Aug 10 22:28:21 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Aug 2012 18:28:21 -0400
Subject: [Freeipa-users] NFS Ownership Gone
In-Reply-To:
References:
Message-ID: <50258B05.4030608@redhat.com>

On 08/10/2012 05:54 PM, Rob Ogilvie wrote:
> Hi All,
>
> Files accessed over NFS with users that are not local (FreeIPA users)
> are being squashed to nobody:nobody on my OEL6 box. My nfs is set to
> "defaults" on the client.
>
> I'm thinking this is probably something that happens regularly?

Can you please give a more detailed description of your configuration?
Do you use SSSD or nss_ldap + pam_krb5?
What is the NFS server configuration, what is the client configuration etc?

> Rob
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From dpal at redhat.com Fri Aug 10 22:29:57 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Aug 2012 18:29:57 -0400
Subject: [Freeipa-users] need FC17 autofs + FreeIPA pointers
In-Reply-To:
References:
Message-ID: <50258B65.5030404@redhat.com>

On 08/10/2012 05:09 PM, bin.echo at gmail.com wrote:
> Hi Everyone,
>
> I can't figure out how to set up a FreeIPA based autofs from the docs
> at http://docs.fedoraproject.org. The docs are pretty terse and don't
> explain at all how the automount maps find their way into LDAP or
> precisely how it is a working (NON-FreeIPA) autofs setup gets converted
> to LDAP based. I don't understand how an /etc/auto.master based
> autofs is supposed to convert to LDAP based on the instructions
> provided. There seems to be an entire setup step left undefined.
>
> I sort of understand that the info that would typically reside in
> "/etc/auto.home" will ultimately be provided by LDAP once everything
> is set up. I'm just unclear on how to get there based on all the info
> I can find via Google. Just how is it I need to push the required info
> into LDAP? How are the automount maps managed once everything is LDAP
> based?
>
> Any pointers would be greatly appreciated. A mini-howto from start to
> finish (start being NO autofs, finish being autofs + FreeIPA based
> automounts) would be even better.
>
> Thanks!
> -Aaron
>

Hope this would help:

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/automount.html

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From rob at axpr.net Fri Aug 10 22:18:56 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Fri, 10 Aug 2012 15:18:56 -0700
Subject: [Freeipa-users] NFS Ownership Gone
In-Reply-To:
References:
Message-ID:

On Fri, Aug 10, 2012 at 2:54 PM, Rob Ogilvie wrote:
> Files accessed over NFS with users that are not local (FreeIPA users)
> are being squashed to nobody:nobody on my OEL6 box. My nfs is set to
> "defaults" on the client.

As an addendum to this: I'm not interested in strong security in my
NFS implementation; simplicity is what we use NFS for. If there's a
simpler way than copying files across all the clients, I'm game. :-)

Rob

From bin.echo at gmail.com Fri Aug 10 23:22:11 2012
From: bin.echo at gmail.com (bin.echo at gmail.com)
Date: Fri, 10 Aug 2012 17:22:11 -0600
Subject: [Freeipa-users] need FC17 autofs + FreeIPA pointers
In-Reply-To: <50258B65.5030404@redhat.com>
References: <50258B65.5030404@redhat.com>
Message-ID:

Hi Dmitri,

That is the doc I don't understand.
I mean, if I follow those directions, it should just work?

But where do the automaps come from once I switch over to LDAP? How do
I administrate the mappings for things like host based automounts? The
doc doesn't mention any of that.

I have /etc/auto.* based automount working and I'm worried I'll break
it if I mess up the switch over to the FreeIPA based mappings.

-Aaron

On Fri, Aug 10, 2012 at 4:29 PM, Dmitri Pal wrote:
> On 08/10/2012 05:09 PM, bin.echo at gmail.com wrote:
>> Hi Everyone,
>>
>> I can't figure out how to set up a FreeIPA based autofs from the docs
>> at http://docs.fedoraproject.org.
[...]
>> Thanks!
>> -Aaron
>>
> Hope this would help:
>
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/automount.html
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>

From rmeggins at redhat.com Sat Aug 11 13:28:38 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Sat, 11 Aug 2012 07:28:38 -0600
Subject: [Freeipa-users] Fedora 17 FreeIPA Replica not starting up
In-Reply-To:
References: <5023C0E6.60001@redhat.com>
Message-ID: <50265E06.4090605@redhat.com>

On 08/10/2012 01:26 AM, bin.echo at gmail.com wrote:
> Hi Rich,
>
> tombstone problem mentioned here:
>
> http://danieljamesscott.org/documentation/12-troubleshooting/25-clean-tombstone-entries-from-freeipa-ldap-servers.html
>
> I was seeing similar symptoms.

Ok. Note that F-17 and later (389-ds-base-1.2.11 and later) have a much
improved CLEANALLRUV process - http://port389.org/wiki/Howto:CLEANRUV

>
> Mine is a new deployment so rather than monkey around trying to get an
> install on a dirty machine to work, I simply reinstalled the entire OS
> and changed the hostname of the replicant. The logs got blown away in
> the process so I'm sorry I can't give you more info about the bug I
> was getting.
>
> The good news is, using exactly the same install options except for
> the new hostname, and installing on to a pristine install of the OS,
> everything now seems to work fine. So I'm not insane, as I was
> beginning to believe I might be. There was some kind of issue with
> attempting to install the replica on a machine where a previous
> attempt at a replica had been uninstalled, but the next attempted
> install keeps the same hostname. I'm a noobie so I didn't get it
> right on the first try.
>
> I've noticed that trying to re-install clients with the same hostname
> causes unexpected problems also.
> I realize that's not something done
> every day but I wonder about cases where a machine is rebuilt and gets
> the same hostname? That is a scenario that could realistically occur.
>
> Again, I apologize for not having those logs to send. Hopefully it
> will be smooth sailing from here on.
>
> Next step, getting my back up and recovery strategy in place.
>
> cheers,
> -Aaron
>
>
>
> On Thu, Aug 9, 2012 at 7:53 AM, Rich Megginson wrote:
>> On 08/09/2012 01:14 AM, bin.echo at gmail.com wrote:
>>> I think I've narrowed it down to the "tombstone" problem.
>>
>> What "tombstone" problem?
>>
>> ls -al /etc/dirsrv/slapd-*
>>
>> Also, please post a sanitized errors log from
>> /var/log/dirsrv/slapd-YOUR-DOMAIN/errors
>>
>>> But now I'm at a loss for what to do. The only advice I can find
>>> involves using direct ldap code and that is way over my head. (I'd
>>> prefer to not completely destroy my database in the process of trying
>>> to clean out the zombies)
>>>
>>> Is there any kind of wrapper script I can use to kill the zombie
>>> {replicageneration} and nsds5replica?
>>>
>>> Thanks for any help!
>>>
>>> -Aaron
>>>
>>> On Thu, Aug 9, 2012 at 12:13 AM, wrote:
>>>> After installing a replica on a fresh up to date install of FC17,
>>>> everything seems fine until a reboot. FreeIPA is running on the new
>>>> machine, etc.
>>>>
>>>> But after the reboot ldap doesn't start on its own and can't be made
>>>> to start manually. The original FreeIPA instance, same software
>>>> versions, is running just fine.
>>>>
>>>> Release: 1.fc17 Arch: x86_64 FreeIPA Version: 2.2.0
>>>>
>>>> here is the short error. I can post more if this symptom isn't enough.
>>>> (I've replaced the names of my actual machines and domain)
>>>>
>>>> #> ipactl start
>>>> Starting Directory Service
>>>> Failed to read data from Directory Service: Unknown error when
>>>> retrieving list of services from LDAP: [Errno 2] No such file or
>>>> directory
>>>> Shutting down
>>>>
>>>>
>>>> #> tail -20 /var/log/messages
>>>> Aug 8 23:56:04 replica systemd[1]: dirsrv at PKI-IPA.service: control
>>>> process exited, code=exited status=1
>>>> Aug 8 23:56:04 replica systemd[1]: Unit dirsrv at PKI-IPA.service
>>>> entered failed state.
>>>> Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system]
>>>> Activating service name='net.reactivated.Fprint' (using servicehelper)
>>>> Aug 9 00:00:16 replica dbus[610]: [system] Activating service
>>>> name='net.reactivated.Fprint' (using servicehelper)
>>>> Aug 9 00:00:16 replica dbus-daemon[610]: Launching FprintObject
>>>> Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system]
>>>> Successfully activated service 'net.reactivated.Fprint'
>>>> Aug 9 00:00:16 replica dbus[610]: [system] Successfully activated
>>>> service 'net.reactivated.Fprint'
>>>> Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: D-Bus service
>>>> launched with name: net.reactivated.Fprint
>>>> Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: entering main loop
>>>> Aug 9 00:00:46 replica dbus-daemon[610]: ** Message: No devices in use,
>>>> exit
>>>> Aug 9 00:05:01 replica ns-slapd[2265]: [09/Aug/2012:00:05:01 -0600]
>>>> startup - The default password storage scheme SSHA could not be read
>>>> or was not found in the file /etc/dirsrv/slapd-PIVOTVFX-NET/dse.ldif.
>>>> It is mandatory.
>>>> Aug 9 00:05:01 replica systemd[1]: dirsrv at EXAMPLE-COM.service:
>>>> control process exited, code=exited status=1
>>>> Aug 9 00:05:01 replica systemd[1]: Unit dirsrv at EXAMPLE-COM.service
>>>> entered failed state.
>>>> Aug 9 00:05:01 replica ns-slapd[2266]: [09/Aug/2012:00:05:01 -0600]
>>>> startup - The default password storage scheme SSHA could not be read
>>>> or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is
>>>> mandatory.
>>>> Aug 9 00:05:01 replica systemd[1]: dirsrv at PKI-IPA.service: control
>>>> process exited, code=exited status=1
>>

From ssorce at redhat.com Sun Aug 12 10:05:41 2012
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 12 Aug 2012 06:05:41 -0400 (EDT)
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To: <5024C247.8090209@redhat.com>
Message-ID: <71751779.3534817.1344765941493.JavaMail.root@redhat.com>

----- Original Message -----
> On 08/08/2012 08:07 PM, Simo Sorce wrote:
> > On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote:
> >> On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
> >>> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek
> >>> wrote:
> >>>> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it
> >>>> with proper
> >>>> SRV records (or let IPA manage it).
[...]
> >> Leave all machines in MYCOMPANY.COM and use IPA realm
> >> UNIX.MYCOMPANY.COM.
> >> IMHO it is the simplest way.
> >>
> >> This limitation comes from Kerberos: You are trying to use a *single
> >> domain name* for *two independent Kerberos realms* - it is principally
> >> not possible.
> >
> > I just need to point out one problem with leaving all machines under
> > MYDOMAIN.COM, and that is if you later want to make a trust (option
> > available starting from ipa 3.0) between the AD realm and the IPA
> > realm, the machines in the mydomain.com domain will not be able to be
> > accessed by the users of the AD realm. That is because the machines
> > joined to the AD realm will think that the mydomain.com machines are
> > always served up by the AD domain.
> >
> > On the IPA side you may also have some issues as you will not be able
> > to tell IPA clients that they need to ask the AD KDC for the hosts
> > under mydomain.com
> >
> > So ultimately, I would put as many machines as you can under
> > UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want
> > to establish a trust between the AD domain and the IPA domain.
> >
> > Simo.
> >
> Is it possible to work around these problems with hostname-realm
> mappings?
>
> It is not a clear solution, I know, but it should be doable for a limited
> set of unix machines.
> AFAIK Windows AD (I tested it with 2008 R2) has the ability to set
> hostname-realm mappings through Group Policy.

Yes from the Linux side it is possible to map single hostnames to a realm,
so the top domain could be generally mapped to the AD realm, and then
single hosts mapped to the IPA realm. This is not possible for windows
machines in the AD domain though (afaik).

Simo.
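Simo's point that a Linux client can map the whole top domain to the AD realm and single hosts to the IPA realm is exactly what the [domain_realm] section of krb5.conf expresses. The following Python is an added example for this thread, not code from the list or from FreeIPA/MIT Kerberos: it parses a constructed [domain_realm] fragment, resolves hostnames with the exact-name-then-parent-domains lookup order that libkrb5 uses, and lists the SRV names a client queries for the IPA realm; the host names host-one, fileserver and ipa1 are placeholders taken from or modelled on the thread.

```python
"""Which Kerberos realm does a host belong to?  Mimics the krb5.conf
[domain_realm] lookup for the split layout discussed in the thread:
most of mycompany.com is served by the AD realm, a few UNIX hosts by
the IPA realm UNIX.MYCOMPANY.COM.  Example code for this thread, not
part of FreeIPA or MIT Kerberos; host names are placeholders."""

import re

# Constructed krb5.conf fragment.  A key with a leading dot matches every
# host under that domain; a key without a dot matches one name exactly.
# The exact-host entries are what let host-one stay in the AD-served DNS
# domain but authenticate against the IPA realm.
KRB5_CONF = """
[libdefaults]
 default_realm = UNIX.MYCOMPANY.COM
 dns_lookup_kdc = true

[domain_realm]
 .mycompany.com = MYCOMPANY.COM
 mycompany.com = MYCOMPANY.COM
 host-one.mycompany.com = UNIX.MYCOMPANY.COM
 host-two.mycompany.com = UNIX.MYCOMPANY.COM
 .unix.mycompany.com = UNIX.MYCOMPANY.COM
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict {pattern: REALM}."""
    mapping = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            in_section = m.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip().upper()
    return mapping


def realm_for_host(hostname, mapping, default_realm=None):
    """libkrb5 lookup order: the exact host name first, then each parent
    domain from longest to shortest, each tried with a leading dot.
    Returns default_realm (or None) when nothing matches; that is the
    case where a client falls back to DNS or its default realm."""
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # host-one.mycompany.com -> ".mycompany.com", then ".com"
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return default_realm


def kdc_srv_names(realm):
    """DNS names a client queries when dns_lookup_kdc is on; this is why
    the thread suggests a UNIX.MYCOMPANY.COM zone holding only SRV records
    and no hosts."""
    zone = realm.lower()
    return ["_kerberos._udp.%s." % zone,
            "_kerberos._tcp.%s." % zone,
            "_kpasswd._udp.%s." % zone]


if __name__ == "__main__":
    table = parse_domain_realm(KRB5_CONF)
    for h in ("host-one.mycompany.com", "fileserver.mycompany.com",
              "ipa1.unix.mycompany.com", "mycompany.com", "other.example.org"):
        print("%-28s -> %s" % (h, realm_for_host(h, table, "UNIX.MYCOMPANY.COM")))
    for name in kdc_srv_names("UNIX.MYCOMPANY.COM"):
        print(name)
```

A host that is not listed explicitly and sits directly under mycompany.com lands in the AD realm, which is the situation Simo warns about once a trust exists.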
From qchang at sri.utoronto.ca Sun Aug 12 12:19:19 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Sun, 12 Aug 2012 08:19:19 -0400
Subject: [Freeipa-users] migrate-ds fails with Can't contact LDAP server
In-Reply-To: <5009C5E3.9040807@sri.utoronto.ca>
References: <5009C5E3.9040807@sri.utoronto.ca>
Message-ID: <50279F47.8020305@sri.utoronto.ca>

Just installed a fresh RHEL 6.3 VM with IPA 2.2.0-16.el6 on our new ESXi host,
after preparing migration mode as well as adding necessary objectclasses, tried
to run the following:
ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager --group-container=ou=group --schema=RFC2307 --with-compat --group-objectclass=posixGroup

It failed promptly with this:
=====
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA"
ipa: DEBUG: handshake complete, peer = IP_of_ipa1:443
ipa: DEBUG: Caught fault 4203 from server http://ipa1.sri.utoronto.ca/ipa/xml: Can't contact LDAP server:
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server:
=====

/var/log/dirsrv/access shows:
=====
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH base="cn=accounts,dc=sri,dc=utoronto,dc=ca" scope=2 filter="(&(uid=postfix)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey"
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101 nentries=0 etime=0
=====

Previous installation of VBox VM (RHEL 6.3 with IPA ) did not have this problem.
Please help,
Thanks,
Qing

From jhrozek at redhat.com Sun Aug 12 19:23:27 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 12 Aug 2012 21:23:27 +0200
Subject: [Freeipa-users] need FC17 autofs + FreeIPA pointers
In-Reply-To:
References: <50258B65.5030404@redhat.com>
Message-ID: <20120812192327.GB15447@hendrix.redhat.com>

On Fri, Aug 10, 2012 at 05:22:11PM -0600, bin.echo at gmail.com wrote:
> Hi Dmitri,
>
> That is the doc I don't understand.
>
> I mean, if I follow those directions, it should just work?
>
> But where do the automaps come from once I switch over to LDAP? How do
> I administrate the mappings for things like host based automounts? The
> doc doesn't mention any of that.
>

Hi Aaron,

you can either define the maps from the ground up using the ipa automount-*
admin commands or import the file-based automount mappings using the
automountlocation-import command. See ipa automountlocation-import --help
for more info.

The client setup should be pretty straightforward if you're using IPA -- it
should be enough to specify your location. There is a default location
conveniently named "default" in the stock IPA server installation.

> I have /etc/auto.* based automount working and I'm worried I'll break
> it if I mess up the switch over to the FreeIPA based mappings.

Well, if you already have the setup working, then I think the simplest way
to test things is just to:

1) import the mappings to IPA
2) back up the file-based mappings (/etc/auto.master and related)
3) switch to using "files sss" as the data source in /etc/nsswitch.conf
   and make sure the client setup is correct.
4) comment out or remove the file-based mappings in /etc/auto.master to
   make sure the IPA mappings are being queried
5) test the setup.

If it doesn't work for one reason or another, it would be quite simple to
revert using only "files" as the data source in /etc/nsswitch.conf and
restoring auto.master.
I wrote a simple tutorial on the client side of the setup a while ago:
http://jhrozek.livejournal.com/2500.html

From pspacek at redhat.com Mon Aug 13 08:17:29 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 13 Aug 2012 10:17:29 +0200
Subject: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
In-Reply-To: <71751779.3534817.1344765941493.JavaMail.root@redhat.com>
References: <71751779.3534817.1344765941493.JavaMail.root@redhat.com>
Message-ID: <5028B819.7070603@redhat.com>

On 08/12/2012 12:05 PM, Simo Sorce wrote:
>
>
> ----- Original Message -----
>> On 08/08/2012 08:07 PM, Simo Sorce wrote:
>>> On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote:
>>>> On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
>>>>> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek
>>>>> wrote:
>>>>>> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it
>>>>>> with proper
>>>>>> SRV records (or let IPA manage it).
[...]
>>> So ultimately, I would put as many machines as you can under
>>> UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want
>>> to establish a trust between the AD domain and the IPA domain.
>>>
>>> Simo.
>>>
>> Is it possible to work around these problems with hostname-realm
>> mappings?
>>
>> It is not a clear solution, I know, but it should be doable for a limited
>> set of unix machines.
>> AFAIK Windows AD (I tested it with 2008 R2) has the ability to set
>> hostname-realm mappings through Group Policy.
>
> Yes from the Linux side it is possible to map single hostnames to a realm,
> so the top domain could be generally mapped to the AD realm, and then
> single hosts mapped to the IPA realm. This is not possible for windows
> machines in the AD domain though (afaik).
>
> Simo.
>

It should be doable via AD Group Policy:
http://support.microsoft.com/kb/947706/en-us

Petr^2 Spacek

From james.hogarth at gmail.com Mon Aug 13 11:05:33 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Mon, 13 Aug 2012 12:05:33 +0100
Subject: [Freeipa-users] Heads up on dynamic DNS TTL weird behaviour...
Message-ID:

Hey all,

Just a quick heads up for the mailing list archive in case someone
bumps into this, after drilling through it a bit in IRC on Friday...

If you are making use of --enable-dns-updates in ipa-client-install and
for whatever reason your client may change its address more often than
once per day, then after the first update other systems won't pick up the
change for 24 hours...

The cause is down to the difference in how the DNS record is
created/updated on the initial install versus SSSD handling it later...
The initial install has a hardcoded TTL of 1200 set at line 957 of
/usr/sbin/ipa-client-install (as per Centos 6.3 current)...

SSSD has a hardcoded TTL of 86400 set in the provider ipa/ipa_dyndns.c
(line 989 or thereabouts)...

The consequence is that when the system is first registered the DNS record
that gets created only has a TTL of 1200, but if the IP address changes for
that host then the record gets updated with a TTL of 86400, so that other
DNS servers (or clients) will then have a day until it times out (unless
caches can be manually cleared) and the correct address is found for any
changes subsequent to that...

This is a bit of an edge case given you'd need 2 changes of IP address
since the initial registration and have SSSD configured to carry out the
DNS updates (rather than a dhcpd/bind integration for example) for this to
have an effect on the environment...

I have filed a bug and a patch with the SSSD mailing list/trac but changing
this locally requires a recompile of SSSD ....

Moving forwards I plan to expose TTL in the IPA UI and provide a
configurable value for TTL for both ipa-client-install and the sssd
updates ...

I'll update the list in a couple of weeks on any progress made...

Kind regards,

James

From ondrejv at s3group.com Sun Aug 12 18:49:34 2012
From: ondrejv at s3group.com (ondrejv at s3group.com)
Date: Sun, 12 Aug 2012 19:49:34 +0100 (IST)
Subject: [Freeipa-users] NFS Ownership Gone
In-Reply-To:
References:
Message-ID: <18715.90.178.156.11.1344797374.squirrel@webmail.s3group.com>

Check your idmapper configuration (idmapd.conf) - not quite sure if IPA
cares about NFSv4 ID mapper configuration....

> On Fri, Aug 10, 2012 at 2:54 PM, Rob Ogilvie wrote:
>> Files accessed over NFS with users that are not local (FreeIPA users)
>> are being squashed to nobody:nobody on my OEL6 box. My nfs is set to
>> "defaults" on the client.
>
> As an addendum to this: I'm not interested in strong security in my
> NFS implementation; simplicity is what we use NFS for. If there's a
> simpler way than copying files across all the clients, I'm game. :-)
>
> Rob
>

From rcritten at redhat.com Mon Aug 13 14:39:09 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Aug 2012 10:39:09 -0400
Subject: [Freeipa-users] migrate-ds fails with Can't contact LDAP server
In-Reply-To: <50279F47.8020305@sri.utoronto.ca>
References: <5009C5E3.9040807@sri.utoronto.ca> <50279F47.8020305@sri.utoronto.ca>
Message-ID: <5029118D.6070306@redhat.com>

Qing Chang wrote:
> Just installed a fresh RHEL 6.3 VM with IPA 2.2.0-16.el6 on our new
> ESXi host,
> after preparing migration mode as well as adding necessary
> objectclasses, tried
> to run the following:
> ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager
> --group-container=ou=group --schema=RFC2307 --with-compat
> --group-objectclass=posixGroup
>
> It failed promptly with this:
> =====
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA"
> ipa: DEBUG:
handshake complete, peer = IP_of_ipa1:443 > ipa: DEBUG: Caught fault 4203 from server > http://ipa1.sri.utoronto.ca/ipa/xml: Can't contact LDAP server: > ipa: DEBUG: Destroyed connection context.xmlclient > ipa: ERROR: Can't contact LDAP server: > ===== > > /var/log/dirsrv/access shows: > ===== > [12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH > base="cn=accounts,dc=sri,dc=utoronto,dc=ca" scope=2 > filter="(&(uid=postfix)(objectClass=posixAccount))" attrs="objectClass > uid userPassword uidNumber gidNumber gecos homeDirectory loginShell > krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn > shadowLastChange shadowMin shadowMax shadowWarning shadowInactive > shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration > pwdattribute authorizedService accountexpires useraccountcontrol > nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap > ipaSshPubKey" > [12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101 > nentries=0 etime=0 > ===== > > Previous installation of VBox VM (RHEL 6.3 with IPA ) did not have this > problem. > Check your iptables/firewall configuration on both hosts. 
rob

From qchang at sri.utoronto.ca Mon Aug 13 18:47:01 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Mon, 13 Aug 2012 14:47:01 -0400
Subject: [Freeipa-users] migrate-ds fails with Can't contact LDAP server
In-Reply-To: <5029118D.6070306@redhat.com>
References: <5009C5E3.9040807@sri.utoronto.ca> <50279F47.8020305@sri.utoronto.ca> <5029118D.6070306@redhat.com>
Message-ID: <50294BA5.7080702@sri.utoronto.ca>

On 13/08/2012 10:39 AM, Rob Crittenden wrote:
> Check your iptables/firewall configuration on both hosts.
>
> rob

I have disabled iptables on ipa1; ipa1 and openldap can ping each other.

Thanks,
Qing

From qchang at sri.utoronto.ca Mon Aug 13 20:04:45 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Mon, 13 Aug 2012 16:04:45 -0400
Subject: [Freeipa-users] migrate-ds fails with Can't contact LDAP server
In-Reply-To: <5029118D.6070306@redhat.com>
References: <5009C5E3.9040807@sri.utoronto.ca> <50279F47.8020305@sri.utoronto.ca> <5029118D.6070306@redhat.com>
Message-ID: <50295DDD.2090805@sri.utoronto.ca>

My sincere apologies: I forgot to start slapd on my openldap server...

Qing

On 13/08/2012 10:39 AM, Rob Crittenden wrote:
> Check your iptables/firewall configuration on both hosts.
>
> rob

From rob at axpr.net Mon Aug 13 23:13:26 2012
From: rob at axpr.net (Rob Ogilvie)
Date: Mon, 13 Aug 2012 16:13:26 -0700
Subject: [Freeipa-users] NFS Ownership Gone
In-Reply-To: <18715.90.178.156.11.1344797374.squirrel@webmail.s3group.com>
References: <18715.90.178.156.11.1344797374.squirrel@webmail.s3group.com>
Message-ID: 

On Sun, Aug 12, 2012 at 11:49 AM, wrote:
> Check your idmapper configuration (idmapd.conf) - not quite sure if IPA
> cares about NFSv4 ID mapper configuration....

We have a winner! I had to manually specify the domain and realm, likely because they don't match my DNS configuration.

Rob

From bin.echo at gmail.com Mon Aug 13 23:14:47 2012
From: bin.echo at gmail.com (bin.echo at gmail.com)
Date: Mon, 13 Aug 2012 17:14:47 -0600
Subject: [Freeipa-users] backup plan
Message-ID: 

Hi all,

I've been doing a bit of research on backup and restore of FreeIPA and so far the best plan seems to be "just back up everything".

That's fine except "back up everything" doesn't lend itself to automation on a bare metal instance (which is what my primary and replica are). To be safe I would need to take the machine down rather than try to do a hot backup (sync everything and back up from an inactive fs or, better yet, an unmounted fs).

That got me thinking, how about a VM? They are easy to stop, checkpoint, back up and restart.
I want to run this by everyone and see what you think:

Install a replica on a VM and then use THAT to capture "backups".

If it looks like a reasonable idea, does anyone have a suggestion for which hypervisor would be best to use? (preferably FOSS) I only have experience with VirtualBox but I'm not sure it's up to this type of project?

Thanks!

-Aaron

From Steven.Jones at vuw.ac.nz Mon Aug 13 23:40:51 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 13 Aug 2012 23:40:51 +0000
Subject: [Freeipa-users] backup plan
In-Reply-To: 
References: 
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD73770@STAWINCOX10MBX1.staff.vuw.ac.nz>

For business use? ie do you want support? Licencing might be fun....

I use the free vSphere v4 VMware ESXi at home, which allows a modest 1 PC setup....not sure if that can be used in a business setting.....you get no support at least, but it's the best virtualisation platform I've come across. So I boot off a 4GB USB key with a hardware RAID 1 from a 2 x 1TB disk setup and a 1 x 2TB green disk off the motherboard for backups.

You can do db2ldif outputs, then rsync or scp those off to a small 128MB RAM Debian guest, which is how I plan to do it.

In terms of checkpointing or snapshotting, this tech is best described as spawn of the devil and avoided...multiple snapshots of considerable age impact disk I/O....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From lyamanishi at sesda2.com Tue Aug 14 00:16:42 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Mon, 13 Aug 2012 20:16:42 -0400
Subject: [Freeipa-users] backup plan
In-Reply-To: 
References: 
Message-ID: <502998EA.7070407@sesda2.com>

The libvirt range of tools works very well with KVM, and with virt-manager they are easy to set up on the desktop or from a remote desktop. QEMU-KVM supports the QCOW2 and LVM storage back-ends, both of which have snapshot capabilities, and the virsh tool makes it easy and scriptable. They are all licensed under the GPL or LGPL.

http://libvirt.org
http://linux-kvm.org
http://qemu.org

If you're using a Red Hat-based distribution, installing them should be as easy as "yum install libvirtd virt-manager qemu-kvm" or similar.

-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706
* 301-352-4646 * 0xE23F3D7A

On 08/13/2012 07:14 PM, bin.echo at gmail.com wrote:
> If it looks like a reasonable idea, does anyone have a suggestion for
> which hypervisor would be best to use? (preferably FOSS) I only have
> experience with VirtualBox but I'm not sure it's up to this type of project?

From james.hogarth at gmail.com Tue Aug 14 14:50:42 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Tue, 14 Aug 2012 15:50:42 +0100
Subject: [Freeipa-users] IPA Error 401 certificate not found
Message-ID: 

Hi all,

I was adding and removing the same hosts at a fairly high rate from IPA and I've managed to get myself into an odd situation...

On trying to delete or unprovision one of the hosts I'm getting IPA error 401: Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x2fff0009 not found)

I suspect I've hit a replication conflict...

Has anyone encountered this before or know a way to resolve it cleanly?
Regards,

James

From james.hogarth at gmail.com Tue Aug 14 14:56:08 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Tue, 14 Aug 2012 15:56:08 +0100
Subject: [Freeipa-users] IPA Error 401 certificate not found
In-Reply-To: 
References: 
Message-ID: 

>
> I suspect I've hit a replication conflict...

Just to close this off... it was a replication issue - the certificates hadn't yet replicated... deleting from the server it was originally enrolled against was fine.

James

From rcritten at redhat.com Tue Aug 14 18:54:07 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Aug 2012 14:54:07 -0400
Subject: [Freeipa-users] IPA Error 401 certificate not found
In-Reply-To: 
References: 
Message-ID: <502A9ECF.9050005@redhat.com>

James Hogarth wrote:
> On trying to delete or unprovision one of the hosts I'm getting IPA
> error 401: Certificate operation cannot be completed: EXCEPTION
> (Certificate serial number 0x2fff0009 not found)
>
> I suspect I've hit a replication conflict...

I assume you've got multiple dogtag instances? I'd start there. Use ipa-csreplica-manage --force-sync to be sure all of the updates have gone out. That may unblock something.

This may be something to open a ticket on, perhaps adding a --force.

When you delete a host it tries to delete all its services. When a service is deleted any certificate associated with it is revoked. Once those are all done the host's cert is revoked. If any of these revocations fail then the delete fails hard.

rob

From sakodak at gmail.com Tue Aug 14 20:28:52 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 14 Aug 2012 15:28:52 -0500
Subject: [Freeipa-users] Intermittent delay in authentication
Message-ID: 

I apologize in advance for not having very much information to go on.
We have exactly 100 hosts in IPA right now. On occasion, maybe once or twice a day, all authentication just pauses for some amount of time. It can range from just a few seconds to about 30 seconds. I can see this happen: I can be doing an "su" on one box and an ssh into another, and people will yell over the cube walls that "it's happening again", but after a few seconds everything will start flowing again.

I've been watching logs and I don't see anything that corresponds with these events, but I'm willing to take any advice at the moment.

What *could* cause something like this? Does replication block authentication? (I can't imagine that it does.)

I'm absolutely sure I have something misconfigured, but I don't even know where to start on this one.

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From Steven.Jones at vuw.ac.nz Tue Aug 14 21:13:02 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 14 Aug 2012 21:13:02 +0000
Subject: [Freeipa-users] Unable to get sudo commend to work...
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD74C03@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I am trying to get a sudo-group command to work such that a group of users can reload apache's config....I know the password is fine as I can ssh into the server....
[thing-sudo at vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
LDAP Config Summary
===================
uri              ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
ldap_version     3
sudoers_base     ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
bindpw           xxxxxxxxxxxx
bind_timelimit   5000000
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap search '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
sudo: 3 incorrect password attempts
[thing-sudo at vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
LDAP Config Summary
===================
uri              ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
ldap_version     3
sudoers_base     ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
bindpw           xxxxxxxxxxxxx
bind_timelimit   5000000
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap search '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
sudo: 3 incorrect password attempts
[thing-sudo at vuwunicocatd001 ~]$
[thing-sudo at vuwunicocatd001 ~]$
============

The secure log says system error, unable to read password,

===============
Aug 15 08:49:09 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)
Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:49:47 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload
Aug 15 08:55:35 vuwunicocatd001 sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Aug 15 08:55:35 vuwunicocatd001 sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
Aug 15 08:55:44 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:55:44 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:55:44 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)
Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:55:54 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload
Aug 15 08:55:57 vuwunicocatd001 sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Aug 15 08:55:57 vuwunicocatd001 sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
Aug 15 08:56:04 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:56:05 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:56:05 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)
Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:56:09 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload
[root at vuwunicocatd001 jonesst1]#
================

Looks like Bug 814414 :(

"Rob told me elsewhere that when he re-enabled the allow_all rule it started behaving properly, which seems highly suspect."

So let's do that, and yes,

=========
[thing-sudo at vuwunicocatd001 ~]$
[thing-sudo at vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
LDAP Config Summary
===================
uri              ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
ldap_version     3
sudoers_base     ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
bindpw           xxxxxxxxxxx
bind_timelimit   5000000
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap search '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for thing-sudo:
Reloading httpd:
[thing-sudo at vuwunicocatd001 ~]$
===================

and as we can see that indeed "fixes it". D:

If you let me know exactly which logs you want to see I will send them to you. I have "sudoers_debug 3" at present; does anything else need to be set higher to help?
What I can see is I made an oops in specifying the wrong host group, but that contains the host anyway....but also I've then bypassed hostgroups and set a specific host....this still fails as above.

I am also getting other intermittent failures when I do a sudo su - but it's not consistent.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Tue Aug 14 21:15:49 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 14 Aug 2012 21:15:49 +0000
Subject: [Freeipa-users] Intermittent delay in authentication
In-Reply-To: 
References: 
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD74C26@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I've seen this if one of my IPA masters is offline....or its network has gone bye bye....or it's a similar problem to yours.....I can't trace it for sure.

Just wondering if the IPA networking code is robust enough to deal with network issues like saturated links or something......

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From sakodak at gmail.com Tue Aug 14 21:41:05 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 14 Aug 2012 16:41:05 -0500
Subject: [Freeipa-users] Unable to get sudo commend to work...
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD74C03@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD74C03@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: 

OK, so it works if you allow all hosts, but fails if you specify a host. This leads me to believe that the host may not "know" who it is.

Run the gamut on local hostname configuration:

Check /etc/hosts, is the host listed with the FQDN first?
Check "hostname" -- it should report the FQDN.
Check "domainname" -- it should report the domain.

I have a very similar rule, btw:

[jebalicki at slpidml01 ~]$ ipa sudorule-show tds-web-restart
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'sudorule_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  Rule name: tds-web-restart
  Enabled: TRUE
  User Groups: admins, tds-webserver-users, unixadmins
  Host Groups: tdswebhosts
  Sudo Allow Commands: /etc/rc.d/init.d/httpd
[jebalicki at slpidml01 ~]$

On Tue, Aug 14, 2012 at 4:13 PM, Steven Jones wrote:
> Hi,
>
> I am trying to get a sudo-group command to work such that a group of users can reload apache's config....I know the password is fine as I can ssh into the server....
>
> ============
>
> The secure log says system error, unable to read password,
>
> ===============
> Aug 15 08:49:09 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
> Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
> Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)
> Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
> Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
> Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
> Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
> Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
> Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
> Aug 15 08:49:47 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload
> Aug
15 08:55:35 vuwunicocatd001 sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory > Aug 15 08:55:35 vuwunicocatd001 sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so > Aug 15 08:55:44 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo > Aug 15 08:55:44 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo > Aug 15 08:55:44 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied) > Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password] > Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo > Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error) > Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password] > Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo > Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error) > Aug 15 08:55:54 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload > Aug 15 08:55:57 vuwunicocatd001 sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory > Aug 15 08:55:57 vuwunicocatd001 sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so > Aug 15 08:56:04 vuwunicocatd001 sudo: pam_unix(sudo:auth): 
authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo > Aug 15 08:56:05 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo > Aug 15 08:56:05 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied) > Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password] > Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo > Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error) > Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password] > Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo > Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error) > Aug 15 08:56:09 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload > [root at vuwunicocatd001 jonesst1]# > ================ > > Looks like Bug 814414 > > :( > > "Rob told me elsewhere that when he re-enabled the allow_all rule it started behaving properly, which seems highly suspect." 
> > So lets do that, and yes, > > ========= > [thing-sudo at vuwunicocatd001 ~]$ > [thing-sudo at vuwunicocatd001 ~]$ sudo /sbin/service httpd reload > LDAP Config Summary > =================== > uri ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz > ldap_version 3 > sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz > binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz > bindpw xxxxxxxxxxx > bind_timelimit 5000000 > ssl start_tls > tls_checkpeer (no) > tls_cacertfile /etc/ipa/ca.crt > =================== > sudo: ldap_set_option: debug -> 0 > sudo: ldap_set_option: tls_checkpeer -> 0 > sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt > sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt > sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz) > sudo: ldap_set_option: ldap_version -> 3 > sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000) > sudo: ldap_start_tls_s() ok > sudo: ldap_sasl_bind_s() ok > sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz > sudo: ldap search '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))' > sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz > sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH! > sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH! > sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH! > sudo: Command allowed > sudo: user_matches=1 > sudo: host_matches=1 > sudo: sudo_ldap_lookup(0)=0x02 > [sudo] password for thing-sudo: > Reloading httpd: > [thing-sudo at vuwunicocatd001 ~]$ > =================== > > and as we can see that indeed "fixes it". > > D: > > If you let me know exactly which logs you want to see I will send them to you. 
> > I have "sudoers_debug 3" at present, anything else needs to be set higher to help? > > What I can see is I made an oops is specifying the wrong host group but that contains the host anyway....but also Ive then bypassed hostgroups and set a specific host....this still fails as above. > > I am also getting other intermitant failures when I do a sudo su - but its not consistant. > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6 From Steven.Jones at vuw.ac.nz Tue Aug 14 21:47:40 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 14 Aug 2012 21:47:40 +0000 Subject: [Freeipa-users] Unable to get sudo commend to work... In-Reply-To: References: <833D8E48405E064EBC54C84EC6B36E404CD74C03@STAWINCOX10MBX1.staff.vuw.ac.nz>, Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD74DAA@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, No it fails even if I specify the host, but it works if I re-enable the allowall HBAC rule. So for some reason HBAC is impacting sudo. ===== [thing-sudo at vuwunicocatd001 ~]$ hostname vuwunicocatd001.ods.vuw.ac.nz [thing-sudo at vuwunicocatd001 ~]$ domainname ods.vuw.ac.nz [thing-sudo at vuwunicocatd001 ~]$ [root at vuwunicocatd001 jonesst1]# more /etc/hosts # not remove the following line, or various programs # that require network functionality will fail. 
127.0.0.1       localhost.localdomain localhost
10.70.1.14      vuwunicocatd001.ods.vuw.ac.nz vuwunicocatd001.vuw.ac.nz visualresourcest.vuw.ac.nz vuwunicocatd001
[root at vuwunicocatd001 jonesst1]# more /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=vuwunicocatd001.ods.vuw.ac.nz
GATEWAY=10.70.1.1
NTPSERVERARGS=iburst
[root at vuwunicocatd001 jonesst1]#
=====

All looks correct....

=======

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: KodaK [sakodak at gmail.com]
Sent: Wednesday, 15 August 2012 9:41 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to get sudo commend to work...

OK, so it works if you allow all hosts, but fails if you specify a host. This leads me to believe that the host may not "know" who it is.

Run the gamut on local hostname configuration:

Check /etc/hosts, is the host listed with the FQDN first?
Check "hostname" -- it should report the FQDN.
Check "domainname" -- it should report the domain.

I have a very similar rule, btw:

[jebalicki at slpidml01 ~]$ ipa sudorule-show tds-web-restart
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'sudorule_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  Rule name: tds-web-restart
  Enabled: TRUE
  User Groups: admins, tds-webserver-users, unixadmins
  Host Groups: tdswebhosts
  Sudo Allow Commands: /etc/rc.d/init.d/httpd
[jebalicki at slpidml01 ~]$

On Tue, Aug 14, 2012 at 4:13 PM, Steven Jones wrote:
> Hi,
>
> I am trying to get a sudo-group command to work such that a group of users can reload apache's config....I know the password is fine as I can ssh into the server....
--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From sakodak at gmail.com Tue Aug 14 21:59:20 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 14 Aug 2012 16:59:20 -0500
Subject: [Freeipa-users] Unable to get sudo commend to work...
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD74DAA@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD74C03@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CD74DAA@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

Do:

ipa hbactest --user=thing-sudo --host=vuwunicocatd001.ods.vuw.ac.nz --service=sudo

with the hbac rule on and off.

On Tue, Aug 14, 2012 at 4:47 PM, Steven Jones wrote:
> Hi,
>
> No, it fails even if I specify the host, but it works if I re-enable the allowall HBAC rule.
>
> So for some reason HBAC is impacting sudo.
>
> =====
> [thing-sudo at vuwunicocatd001 ~]$ hostname
> vuwunicocatd001.ods.vuw.ac.nz
> [thing-sudo at vuwunicocatd001 ~]$ domainname
> ods.vuw.ac.nz
> [thing-sudo at vuwunicocatd001 ~]$
> [root at vuwunicocatd001 jonesst1]# more /etc/hosts
> # not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1       localhost.localdomain localhost
> 10.70.1.14      vuwunicocatd001.ods.vuw.ac.nz vuwunicocatd001.vuw.ac.nz visualresourcest.vuw.ac.nz vuwunicocatd001
> [root at vuwunicocatd001 jonesst1]# more /etc/sysconfig/network
> NETWORKING=yes
> HOSTNAME=vuwunicocatd001.ods.vuw.ac.nz
> GATEWAY=10.70.1.1
> NTPSERVERARGS=iburst
> [root at vuwunicocatd001 jonesst1]#
> =====
>
> All looks correct....
>
> =======
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>> 
>> D:
>> 
>> If you let me know exactly which logs you want to see I will send them to you.
>> 
>> I have "sudoers_debug 3" at present, anything else needs to be set higher to help?
>> 
>> What I can see is I made an oops in specifying the wrong host group but that contains the host anyway....but also I've then bypassed hostgroups and set a specific host....this still fails as above.
>> 
>> I am also getting other intermittent failures when I do a sudo su - but it's not consistent.
>> 
>> regards
>> 
>> Steven Jones
>> 
>> Technical Specialist - Linux RHCE
>> 
>> Victoria University, Wellington, NZ
>> 
>> 0064 4 463 6272
>> 
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> 
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
> 

--
The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6

From Steven.Jones at vuw.ac.nz Tue Aug 14 22:11:04 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 14 Aug 2012 22:11:04 +0000
Subject: [Freeipa-users] Unable to get sudo commend to work...
In-Reply-To: 
References: <833D8E48405E064EBC54C84EC6B36E404CD74C03@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CD74DAA@STAWINCOX10MBX1.staff.vuw.ac.nz>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD74DDA@STAWINCOX10MBX1.staff.vuw.ac.nz>

From the bug report, "This is mostly misconfiguration, you also need to add "sudo" to the allowed services in the HBAC rule."

So I added sudo and yes it works...they only had ssh..... doh.....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: KodaK [sakodak at gmail.com]
Sent: Wednesday, 15 August 2012 9:59 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to get sudo commend to work...

Do:

ipa hbactest --user=thing-sudo --host=vuwunicocatd001.ods.vuw.ac.nz --service=sudo

with the hbac rule on and off.

On Tue, Aug 14, 2012 at 4:47 PM, Steven Jones wrote:
> Hi,
> 
> No it fails even if I specify the host, but it works if I re-enable the allowall HBAC rule.
> 
> So for some reason HBAC is impacting sudo.
> 
> =====
> [thing-sudo at vuwunicocatd001 ~]$ hostname
> vuwunicocatd001.ods.vuw.ac.nz
> [thing-sudo at vuwunicocatd001 ~]$ domainname
> ods.vuw.ac.nz
> [thing-sudo at vuwunicocatd001 ~]$
> [root at vuwunicocatd001 jonesst1]# more /etc/hosts
> # not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost.localdomain localhost
> 10.70.1.14 vuwunicocatd001.ods.vuw.ac.nz vuwunicocatd001.vuw.ac.nz visualresourcest.vuw.ac.nz vuwunicocatd001
> [root at vuwunicocatd001 jonesst1]# more /etc/sysconfig/network
> NETWORKING=yes
> HOSTNAME=vuwunicocatd001.ods.vuw.ac.nz
> GATEWAY=10.70.1.1
> NTPSERVERARGS=iburst
> [root at vuwunicocatd001 jonesst1]#
> =====
> 
> All looks correct....
> 
> =======
> 
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> ________________________________________
> From: KodaK [sakodak at gmail.com]
> Sent: Wednesday, 15 August 2012 9:41 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to get sudo commend to work...
> 
> OK, so it works if you allow all hosts, but fails if you specify a
> host. This leads me to believe that the host may not "know" who it
> is.
> 
> Run the gamut on local hostname configuration:
> 
> Check /etc/hosts, is the host listed with the FQDN first?
> Check "hostname" -- it should report the FQDN.
> Check "domainname" -- it should report the domain.
> 
> I have a very similar rule, btw:
> 
> [jebalicki at slpidml01 ~]$ ipa sudorule-show tds-web-restart
> ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
> ipa: INFO: Forwarding 'sudorule_show' to server
> u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
> Rule name: tds-web-restart
> Enabled: TRUE
> User Groups: admins, tds-webserver-users, unixadmins
> Host Groups: tdswebhosts
> Sudo Allow Commands: /etc/rc.d/init.d/httpd
> [jebalicki at slpidml01 ~]$
> 
> 
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
> 

--
The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6

From jhrozek at redhat.com Wed Aug 15 08:23:39 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 15 Aug 2012 10:23:39 +0200
Subject: [Freeipa-users] Intermittent delay in authentication
In-Reply-To: 
References: 
Message-ID: <20120815082339.GA27273@zeppelin.brq.redhat.com>

On Tue, Aug 14, 2012 at 03:28:52PM -0500, KodaK wrote:
> I apologize in advance for not having very much information to go on.
> 
> We have exactly 100 hosts in IPA right now. On occasion, maybe once
> or twice a day, all authentication just pauses for some amount of
> time. It can range from just a few seconds to about 30 seconds. I
> can see this happen, I can be doing an "su" on one box and an ssh into
> another, and people will yell over the cube walls that "it's happening
> again" but after a few seconds everything will start flowing again.
> 
> I've been watching logs and I don't see anything that's corresponding
> with these events, but I'm willing to take any advice at the moment.
> 
> What *could* cause something like this? Does replication block
> authentication (I can't imagine that it does.) I'm absolutely sure I
> have something misconfigured, but I don't even know where to start on
> this one.
> 

I suspect this is a SSSD issue. Is it possible that one of your replicas might have been unreachable at some point? We've had a bug where the SSSD would attempt to get a TGT from a replica rather than master and if that failed b/c the replica was down, the whole SSSD went offline.

Anyhow, I think that SSSD domain logs would tell us more.

From Steven.Jones at vuw.ac.nz Wed Aug 15 20:38:16 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 15 Aug 2012 20:38:16 +0000
Subject: [Freeipa-users] Intermittent delay in authentication
In-Reply-To: <20120815082339.GA27273@zeppelin.brq.redhat.com>
References: , <20120815082339.GA27273@zeppelin.brq.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD752DE@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Yes....Last time we lost a switch at DR which is 5km away on dark fibre...the 002 replica is at DR.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
Sent: Wednesday, 15 August 2012 8:23 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Intermittent delay in authentication

From Steven.Jones at vuw.ac.nz Wed Aug 15 21:03:37 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 15 Aug 2012 21:03:37 +0000
Subject: [Freeipa-users] Intermittent delay in authentication
In-Reply-To: <20120815082339.GA27273@zeppelin.brq.redhat.com>
References: , <20120815082339.GA27273@zeppelin.brq.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD752FE@STAWINCOX10MBX1.staff.vuw.ac.nz>

Is there a bugtraq?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
Sent: Wednesday, 15 August 2012 8:23 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Intermittent delay in authentication

From erinn.looneytriggs at gmail.com Wed Aug 15 21:58:16 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 15 Aug 2012 13:58:16 -0800
Subject: [Freeipa-users] Lost dse.ldif
Message-ID: <502C1B78.5040000@gmail.com>

After a restart of the system I received the following errors:

Starting dirsrv:
FOO-COM...[15/Aug/2012:21:48:26 +0000] startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-FOO-COM/dse.ldif. It is mandatory.

PKI-IPA...[15/Aug/2012:21:48:26 +0000] startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.

*** Warning: 2 instance(s) failed to start
Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 2] No such file or directory

Turns out the dse.ldif files were both empty, I copied from the backup files, restarted, and everything worked fine. However I am wondering how a situation like this can come about?

-Erinn

From rmeggins at redhat.com Thu Aug 16 01:13:55 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 15 Aug 2012 19:13:55 -0600
Subject: [Freeipa-users] Lost dse.ldif
In-Reply-To: <502C1B78.5040000@gmail.com>
References: <502C1B78.5040000@gmail.com>
Message-ID: <502C4953.3040204@redhat.com>

On 08/15/2012 03:58 PM, Erinn Looney-Triggs wrote:
> After a restart of the system I received the following errors:
> 
> Starting dirsrv:
> FOO-COM...[15/Aug/2012:21:48:26 +0000] startup - The default
> password storage scheme SSHA could not be read or was not found in the
> file /etc/dirsrv/slapd-FOO-COM/dse.ldif. It is mandatory.
> 
> PKI-IPA...[15/Aug/2012:21:48:26 +0000] startup - The default
> password storage scheme SSHA could not be read or was not found in the
> file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.
> 
> *** Warning: 2 instance(s) failed to start
> Failed to read data from Directory Service: Unknown error when
> retrieving list of services from LDAP: [Errno 2] No such file or directory
> 
> 
> Turns out the dse.ldif files were both empty, I copied from the
> backup files, restarted, and everything worked fine. However I am
> wondering how a situation like this can come about?

Me too. Did you have a power failure? kill -9 the directory server?

> 
> -Erinn
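As an added example (not code from this thread and not part of 389-ds), a POSIX shell pre-start check for the situation Erinn describes: it refuses to start an instance whose dse.ldif is empty or lacks the cn=config entry with its passwordStorageScheme attribute, which is what the "could not be read or was not found" startup error above reports, and falls back to the copies 389-ds keeps beside the live file (dse.ldif.startOK, written after the last successful start, then dse.ldif.bak). The instance directory /etc/dirsrv/slapd-FOO-COM in the usage comment is the thread's own; the two checks are a proxy for "the file is intact" and that simplification is the example's assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from 389-ds: sanity-check a
# 389 Directory Server dse.ldif before starting the instance, and fall
# back to the server's own saved copies when the live file is damaged.
# Assumption: a file that is non-empty, holds the "dn: cn=config" entry
# and a passwordStorageScheme attribute is treated as usable.

# dse_ok FILE: succeed (0) when FILE looks like a usable dse.ldif.
dse_ok() {
    f=$1
    [ -s "$f" ] || return 1                               # missing or zero bytes
    grep -q '^dn: cn=config$' "$f" || return 1            # root config entry present
    grep -qi '^passwordStorageScheme:' "$f" || return 1   # scheme attribute present
    return 0
}

# pick_dse DIR: print the first usable config in DIR, preferring the
# live file, then dse.ldif.startOK, then dse.ldif.bak. Fails if none.
pick_dse() {
    d=$1
    for name in dse.ldif dse.ldif.startOK dse.ldif.bak; do
        if dse_ok "$d/$name"; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# restore_dse DIR: if the live dse.ldif is unusable, keep it aside as
# dse.ldif.broken (evidence for the post-mortem) and put the best
# fallback in its place. Prints the source used; fails if nothing usable.
restore_dse() {
    d=$1
    src=$(pick_dse "$d") || return 1
    if [ "$src" != "$d/dse.ldif" ]; then
        if [ -e "$d/dse.ldif" ]; then
            mv "$d/dse.ldif" "$d/dse.ldif.broken"
        fi
        cp -p "$src" "$d/dse.ldif"
    fi
    printf '%s\n' "$src"
}

# Usage, with the instance name from the thread (assumed path):
#   restore_dse /etc/dirsrv/slapd-FOO-COM && service dirsrv start
```

The fallback order matters: dse.ldif.startOK is the configuration the server last started with successfully, so it is the safest candidate, while dse.ldif.bak is the previous on-disk version and may predate a change you wanted. Keeping the empty file as dse.ldif.broken preserves its timestamp, which is the one clue a truncated-on-shutdown or power-loss scenario leaves behind.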
From jhrozek at redhat.com Thu Aug 16 07:57:07 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 16 Aug 2012 09:57:07 +0200
Subject: [Freeipa-users] Intermittent delay in authentication
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD752FE@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <20120815082339.GA27273@zeppelin.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD752FE@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20120816075707.GA21813@zeppelin.brq.redhat.com>

On Wed, Aug 15, 2012 at 09:03:37PM +0000, Steven Jones wrote:
> Is there a bugtraq?
> 

https://fedorahosted.org/sssd/ticket/1447
https://bugzilla.redhat.com/show_bug.cgi?id=845253

> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272

From bin.echo at gmail.com Thu Aug 16 07:56:33 2012
From: bin.echo at gmail.com (bin.echo at gmail.com)
Date: Thu, 16 Aug 2012 01:56:33 -0600
Subject: [Freeipa-users] backup plan
In-Reply-To: <502998EA.7070407@sesda2.com>
References: <502998EA.7070407@sesda2.com>
Message-ID: 

@Steven Jones I prefer a pure FOSS solution that has good community support.

@Lucas Yamanishi I will check out the links.

This weekend I played around with VirtualBox and I was surprised how much script-ability it has. I'd previously only used it in a desktop/GUI context so I was not up to speed on all its automation features.

VirtualBox is a hosted hypervisor but that doesn't bother me. Machines are so powerful these days a little overhead isn't a big deal... plus having a host OS opens up a lot of possibilities.

libvirt looks super powerful but there is a lot of overlap with the management tools already in VirtualBox. I might not need anything more.

One of the tests I did was exporting the VM and doing a binary delta on it against a previous full backup (the full backup is basically the pristine VM of the freshly installed and synced replica). It takes a while to run but the diff packs the backup down quite a bit.
It's not a native snapshot but after some thought I realized that's not really what I want. The desire is backups with some type of checkpointing, to allow for fast recovery and a few fallback options. I would not ever actually use the snapshot since this is just for disaster recovery. The ability to rebuild the VM in its latest state is the primary goal, the secondary goals being simplicity and frugality of storage use.

The nice thing about the scheme is on a minimal install the full backup plus several delta files will easily fit on a DVD. The deltas can be sent offsite easily as they are not very large.

Still plenty more research and testing to do but so far this seems like a workable scheme to facilitate "back up everything" without using much storage and in a way I can get my head around.

-Aaron

On Mon, Aug 13, 2012 at 6:16 PM, Lucas Yamanishi wrote:
> The libvirt range of tools works very well with KVM, and with
> virt-manager, they are easy to setup on the desktop or from a remote
> desktop. QEMU-KVM supports the QCOW2 and LVM storage back-ends, both of
> which have snapshot capabilities, and the virsh tool makes it easy and
> scriptable. They are all licensed under the GPL or LGPL.
> http://libvirt.org http://linux-kvm.org http://qemu.org
>
> If you're using a Red Hat-based distribution, installing them should be
> as easy as "yum install libvirtd virt-manager qemu-kvm" or similar.
>
> -----
> *question everything*learn something*answer nothing*
> ------------
> Lucas Yamanishi
> ------------------
> Systems Administrator, ADNET Systems, Inc.
> NASA Space and Earth Science Data Analysis (606.9)
> 7515 Mission Drive, Suite A100
> Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
>
>
> On 08/13/2012 07:14 PM, bin.echo at gmail.com wrote:
> > Hi all,
> >
> > I've been doing a bit of research on back up and restore of FreeIPA and
> > so far the best plan seems to be "just back up everything"
> >
> > That's fine except for "back up everything" doesn't lend itself to
> > automation on a bare metal instance (which is what my primary and
> > replica are). To be safe I would need to take the machine down rather
> > than try to do a hot back up. (sync everything and backup from an
> > inactive fs or better yet unmounted fs)
> >
> > That got me thinking, how about a vm? They are easy to stop, checkpoint,
> > back up and restart.
> >
> > I want to run this by everyone and see what you think:
> >
> > Install a replica on a vm and then use THAT to capture "back ups".
> >
> > If it looks like a reasonable idea, does anyone have a suggestion for
> > which hypervisor would be best to use? (preferably FOSS) I only have
> > experience with VirtualBox but I'm not sure it's up to this type of
> project?
> >
> > Thanks!
> >
> > -Aaron
> >
> >
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> >

From dimitris.tsompanidis at comeon.com Thu Aug 16 12:26:33 2012
From: dimitris.tsompanidis at comeon.com (Dimitris Tsompanidis)
Date: Thu, 16 Aug 2012 14:26:33 +0200
Subject: [Freeipa-users] One-way replication
Message-ID: <502CE6F9.9000807@comeon.com>

Hi all,

I'm looking into setting up a Samba file server with FreeIPA as the password backend. I don't need fancy stuff, just plain LDAP password authentication.
(my first thought was using PAM as the LDAP frontend but apparently this does not work for Samba...)
All the tutorials I've looked into mention the need to update the LDAP schema in FreeIPA as a part of the procedure. I'm not really keen on doing this, at least not in my production FreeIPA cluster, so I thought of setting up a test FreeIPA installation that would only replicate data from the FreeIPA "master" but not the other way around.

My problem is that I can't find any way of doing this except by creating the replica and then deleting the test replica from the FreeIPA topology - basically creating a non-updating stand-alone copy of my production servers.

Is there a way to force a one-way replication?

(I'd also be grateful for any mentions of less painful ways of connecting samba to freeipa :))

--
Dimitris Tsompanidis
System administrator at ComeOn!
dimitris.tsompanidis at comeon.com

From abokovoy at redhat.com Thu Aug 16 12:34:54 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 16 Aug 2012 15:34:54 +0300
Subject: [Freeipa-users] One-way replication
In-Reply-To: <502CE6F9.9000807@comeon.com>
References: <502CE6F9.9000807@comeon.com>
Message-ID: <20120816123454.GB2549@redhat.com>

On Thu, 16 Aug 2012, Dimitris Tsompanidis wrote:
>Hi all,
>
>I'm looking into setting up a Samba file server with FreeIPA as the
>password backend. I don't need fancy stuff, just plain LDAP password
>authentication.
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

>(my first thought was using PAM as the LDAP frontend but apparently
>this does not work for Samba...)
>
>All the tutorials I've looked into mention the need to update the
>LDAP schema in FreeIPA as a part of the procedure. I'm not really
>keen on doing this, at least not in my production FreeIPA cluster, so
>I thought of setting up a test FreeIPA installation that would only
>replicate data from the FreeIPA "master" but not the other way
>around.
>
>My problem is that I can't find any way of doing this except by
>creating the replica and then deleting the test replica from the
>FreeIPA topology - basically creating a non-updating stand-alone copy
>of my production servers.
>
>Is there a way to force a one-way replication?
>
>(I'd also be grateful for any mentions of less painful ways of
>connecting samba to freeipa :))
For IPA v2.x the link above explains a fairly easy setup.

--
/ Alexander Bokovoy

From dimitris.tsompanidis at comeon.com Thu Aug 16 13:01:40 2012
From: dimitris.tsompanidis at comeon.com (Dimitris Tsompanidis)
Date: Thu, 16 Aug 2012 15:01:40 +0200
Subject: [Freeipa-users] One-way replication
In-Reply-To: <20120816123454.GB2549@redhat.com>
References: <502CE6F9.9000807@comeon.com> <20120816123454.GB2549@redhat.com>
Message-ID: <502CEF34.9040908@comeon.com>

On 16/08/2012 14:34, Alexander Bokovoy wrote:
> On Thu, 16 Aug 2012, Dimitris Tsompanidis wrote:
>> Hi all,
>>
>> I'm looking into setting up a Samba file server with FreeIPA as the
>> password backend. I don't need fancy stuff, just plain LDAP password
>> authentication.
> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>
>
>> (my first thought was using PAM as the LDAP frontend but apparently
>> this does not work for Samba...)
>>
>> All the tutorials I've looked into mention the need to update the
>> LDAP schema in FreeIPA as a part of the procedure. I'm not really
>> keen on doing this, at least not in my production FreeIPA cluster, so
>> I thought of setting up a test FreeIPA installation that would only
>> replicate data from the FreeIPA "master" but not the other way around.
>>
>> My problem is that I can't find any way of doing this except by
>> creating the replica and then deleting the test replica from the
>> FreeIPA topology - basically creating a non-updating stand-alone copy
>> of my production servers.
>>
>> Is there a way to force a one-way replication?
>>
>> (I'd also be grateful for any mentions of less painful ways of
>> connecting samba to freeipa :))
> For IPA v2.x the link above explains a fairly easy setup.
>
I am already aware of this guide - that's me in the second comment asking more or less the same thing :)

Dimitris Tsompanidis
System administrator at ComeOn!
dimitris.tsompanidis at comeon.com

From abokovoy at redhat.com Thu Aug 16 13:22:14 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 16 Aug 2012 16:22:14 +0300
Subject: [Freeipa-users] One-way replication
In-Reply-To: <502CEF34.9040908@comeon.com>
References: <502CE6F9.9000807@comeon.com> <20120816123454.GB2549@redhat.com> <502CEF34.9040908@comeon.com>
Message-ID: <20120816132214.GC2549@redhat.com>

On Thu, 16 Aug 2012, Dimitris Tsompanidis wrote:
>On 16/08/2012 14:34, Alexander Bokovoy wrote:
>>On Thu, 16 Aug 2012, Dimitris Tsompanidis wrote:
>>>Hi all,
>>>
>>>I'm looking into setting up a Samba file server with FreeIPA as
>>>the password backend. I don't need fancy stuff, just plain LDAP
>>>password authentication.
>>http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>
>>
>>>(my first thought was using PAM as the LDAP frontend but
>>>apparently this does not work for Samba...)
>>>
>>>All the tutorials I've looked into mention the need to update the
>>>LDAP schema in FreeIPA as a part of the procedure. I'm not really
>>>keen on doing this, at least not in my production FreeIPA
>>>cluster, so I thought of setting up a test FreeIPA installation
>>>that would only replicate data from the FreeIPA "master" but not
>>>the other way around.
>>>
>>>My problem is that I can't find any way of doing this except by
>>>creating the replica and then deleting the test replica from the
>>>FreeIPA topology - basically creating a non-updating stand-alone
>>>copy of my production servers.
>>>
>>>Is there a way to force a one-way replication?
>>>
>>>(I'd also be grateful for any mentions of less painful ways of
>>>connecting samba to freeipa :))
>>For IPA v2.x the link above explains a fairly easy setup.
>>
>I am already aware of this guide - that's me in the second comment
>asking more or less the same thing :)
:)

Since that guide involves patching the code, the changed packages will need to get to other replicas as well. However, as configuration changes are added to the tree that is replicated by default, I think everything that's affected will be replicated.

--
/ Alexander Bokovoy

From erinn.looneytriggs at gmail.com Thu Aug 16 17:46:25 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Thu, 16 Aug 2012 09:46:25 -0800
Subject: [Freeipa-users] Lost dse.ldif
In-Reply-To: <502C4953.3040204@redhat.com>
References: <502C1B78.5040000@gmail.com> <502C4953.3040204@redhat.com>
Message-ID: <502D31F1.9000506@gmail.com>

On 08/15/2012 05:13 PM, Rich Megginson wrote:
> On 08/15/2012 03:58 PM, Erinn Looney-Triggs wrote:
>> After a restart of the system I received the following errors:
>>
>> Starting dirsrv:
>> FOO-COM...[15/Aug/2012:21:48:26 +0000] startup - The default
>> password storage scheme SSHA could not be read or was not found in the
>> file /etc/dirsrv/slapd-FOO-COM/dse.ldif. It is mandatory.
>>
>> PKI-IPA...[15/Aug/2012:21:48:26 +0000] startup - The default
>> password storage scheme SSHA could not be read or was not found in the
>> file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.
>>
>> *** Warning: 2 instance(s) failed to start
>> Failed to read data from Directory Service: Unknown error when
>> retrieving list of services from LDAP: [Errno 2] No such file or directory
>>
>>
>> Turns out the dse.ldif files were both empty, I copied from the
>> backup files, restarted, and everything worked fine. However I am
>> wondering how a situation like this can come about?
>
> Me too. Did you have a power failure? kill -9 the directory server?
>
>> -Erinn
>>
>

Hmm no, not directly at least. I suppose it is possible that init didn't want to wait for it to shut down, and eventually killed it as a last resort. I think that is the default behaviour of init, or well upstart I guess. It does seem an odd way to deal with a kill though, nuke the config file.

-Erinn

From rmeggins at redhat.com Thu Aug 16 19:08:24 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Aug 2012 13:08:24 -0600
Subject: [Freeipa-users] Lost dse.ldif
In-Reply-To: <502D31F1.9000506@gmail.com>
References: <502C1B78.5040000@gmail.com> <502C4953.3040204@redhat.com> <502D31F1.9000506@gmail.com>
Message-ID: <502D4528.6060402@redhat.com>

On 08/16/2012 11:46 AM, Erinn Looney-Triggs wrote:
> On 08/15/2012 05:13 PM, Rich Megginson wrote:
>> On 08/15/2012 03:58 PM, Erinn Looney-Triggs wrote:
>>> After a restart of the system I received the following errors:
>>>
>>> Starting dirsrv:
>>> FOO-COM...[15/Aug/2012:21:48:26 +0000] startup - The default
>>> password storage scheme SSHA could not be read or was not found in the
>>> file /etc/dirsrv/slapd-FOO-COM/dse.ldif. It is mandatory.
>>>
>>> PKI-IPA...[15/Aug/2012:21:48:26 +0000] startup - The default
>>> password storage scheme SSHA could not be read or was not found in the
>>> file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.
>>>
>>> *** Warning: 2 instance(s) failed to start
>>> Failed to read data from Directory Service: Unknown error when
>>> retrieving list of services from LDAP: [Errno 2] No such file or directory
>>>
>>>
>>> Turns out the dse.ldif files were both empty, I copied from the
>>> backup files, restarted, and everything worked fine. However I am
>>> wondering how a situation like this can come about?
>> Me too. Did you have a power failure? kill -9 the directory server?
>>
>>> -Erinn
>>>
>>>
>>>
> Hmm no, not directly at least. I suppose it is possible that init didn't
> want to wait for it to shut down, and eventually killed it as last
> resort. I think that is the default behaviour of init, or well upstart I
> guess. It does seem an odd way to deal with a kill though, nuke the
> config file.

I did not mean to imply that it is the intentional behavior of the directory server to nuke the config file in response to a kill -9. It is most certainly not. I'm just trying to figure out what caused this so we can attempt to reproduce and fix the issue.
>
> -Erinn
>

From sigbjorn at nixtra.com Thu Aug 16 19:18:21 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 16 Aug 2012 21:18:21 +0200
Subject: [Freeipa-users] Lost dse.ldif
In-Reply-To: <502D4528.6060402@redhat.com>
References: <502C1B78.5040000@gmail.com> <502C4953.3040204@redhat.com> <502D31F1.9000506@gmail.com> <502D4528.6060402@redhat.com>
Message-ID: <502D477D.4000006@nixtra.com>

On 08/16/2012 09:08 PM, Rich Megginson wrote:
> On 08/16/2012 11:46 AM, Erinn Looney-Triggs wrote:
>> On 08/15/2012 05:13 PM, Rich Megginson wrote:
>>> On 08/15/2012 03:58 PM, Erinn Looney-Triggs wrote:
>>>> After a restart of the system I received the following errors:
>>>>
>>>> Starting dirsrv:
>>>> FOO-COM...[15/Aug/2012:21:48:26 +0000] startup - The default
>>>> password storage scheme SSHA could not be read or was not found in the
>>>> file /etc/dirsrv/slapd-FOO-COM/dse.ldif. It is mandatory.
>>>>
>>>> PKI-IPA...[15/Aug/2012:21:48:26 +0000] startup - The default
>>>> password storage scheme SSHA could not be read or was not found in the
>>>> file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.
>>>>
>>>> *** Warning: 2 instance(s) failed to start
>>>> Failed to read data from Directory Service: Unknown error when
>>>> retrieving list of services from LDAP: [Errno 2] No such file or
>>>> directory
>>>>
>>>>
>>>> Turns out the dse.ldif files were both empty, I copied from the
>>>> backup files, restarted, and everything worked fine. However I am
>>>> wondering how a situation like this can come about?
>>> Me too. Did you have a power failure? kill -9 the directory server?
>>>
>>>> -Erinn
>>>>
>>>>
>>>>
>> Hmm no, not directly at least. I suppose it is possible that init didn't
>> want to wait for it to shut down, and eventually killed it as last
>> resort. I think that is the default behaviour of init, or well upstart I
>> guess. It does seem an odd way to deal with a kill though, nuke the
>> config file.
>
> I did not mean to imply that it is the intentional behavior of the
> directory server to nuke the config file in response to a kill -9. It
> is most certainly not. I'm just trying to figure out what caused this
> so we can attempt to reproduce and fix the issue.
>

I have also seen this, but it's been a long time ago now, perhaps in the 2.0 beta days or around that time. And I did have an issue with power cuts at that time.

Regards,
Siggi

From erinn.looneytriggs at gmail.com Thu Aug 16 19:36:48 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Thu, 16 Aug 2012 11:36:48 -0800
Subject: [Freeipa-users] Lost dse.ldif
In-Reply-To: <502D477D.4000006@nixtra.com>
References: <502C1B78.5040000@gmail.com> <502C4953.3040204@redhat.com> <502D31F1.9000506@gmail.com> <502D4528.6060402@redhat.com> <502D477D.4000006@nixtra.com>
Message-ID: <502D4BD0.8060807@gmail.com>

On 08/16/2012 11:18 AM, Sigbjorn Lie wrote:
> On 08/16/2012 09:08 PM, Rich Megginson wrote:
>> On 08/16/2012 11:46 AM, Erinn Looney-Triggs wrote:
>>> On 08/15/2012 05:13 PM, Rich Megginson wrote:
>>>> On 08/15/2012 03:58 PM, Erinn Looney-Triggs wrote:
>>>>> After a restart of the system I received the following errors:
>>>>>
>>>>> Starting dirsrv:
>>>>> FOO-COM...[15/Aug/2012:21:48:26 +0000] startup - The default
>>>>> password storage scheme SSHA could not be read or was not found in the
>>>>> file /etc/dirsrv/slapd-FOO-COM/dse.ldif. It is mandatory.
>>>>>
>>>>> PKI-IPA...[15/Aug/2012:21:48:26 +0000] startup - The default
>>>>> password storage scheme SSHA could not be read or was not found in the
>>>>> file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.
>>>>>
>>>>> *** Warning: 2 instance(s) failed to start
>>>>> Failed to read data from Directory Service: Unknown error when
>>>>> retrieving list of services from LDAP: [Errno 2] No such file or
>>>>> directory
>>>>>
>>>>>
>>>>> Turns out the dse.ldif files were both empty, I copied from the
>>>>> backup files, restarted, and everything worked fine. However I am
>>>>> wondering how a situation like this can come about?
>>>> Me too. Did you have a power failure? kill -9 the directory server?
>>>>
>>>>> -Erinn
>>>>>
>>>>>
>>>>>
>>> Hmm no, not directly at least. I suppose it is possible that init didn't
>>> want to wait for it to shut down, and eventually killed it as last
>>> resort. I think that is the default behaviour of init, or well upstart I
>>> guess. It does seem an odd way to deal with a kill though, nuke the
>>> config file.
>>
>> I did not mean to imply that it is the intentional behavior of the
>> directory server to nuke the config file in response to a kill -9. It
>> is most certainly not. I'm just trying to figure out what caused this
>> so we can attempt to reproduce and fix the issue.
>>
>
> I have also seen this, but it's been a long time ago now, perhaps in the
> 2.0 beta days or around that time. And I did have an issue with power
> cuts at that time.
>
>
> Regards,
> Siggi
>
>
Power wasn't cut, the system was restarted and then had hardware issues on restart, for which power had to be cut to the system. However during that time of power loss the OS wasn't up. So not really sure what to attribute this to, I wish I could give you folks more data points on this, but I am afraid it was one of those damn it it is broken gotta fix it to get it working things, when investigation wasn't the highest priority.
-Erinn

From Steven.Jones at vuw.ac.nz Thu Aug 16 21:00:23 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 16 Aug 2012 21:00:23 +0000
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

What is the default length of time the sssd daemon on a client caches for once IPA is offline pls?

Is there any practical way to take the user info from one ipa instance/domain and import it into another? I know the client machines will have to have ipa un-installed and resetting users' passwords are not biggies; I'd just rather not have to input all the groups and hbac rules by hand.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From lyamanishi at sesda2.com Thu Aug 16 21:26:35 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Thu, 16 Aug 2012 17:26:35 -0400
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <502D658B.9070900@sesda2.com>

I just migrated my IPA instance from one to another a couple days ago to recover after a lost CA and failed yum upgrade. The "ipa migrate-ds" tool works very well, though I am having a few very minor issues. On the upside, as far as I can tell, you can skip the steps about Kerberos key generation as outlined in the documentation. I've been able to kinit just fine with my migrated users.

Below are the few errors I've noticed.
* When I ssh into an enrolled host using a migrated user's credentials I get this error:

id: cannot find name for group ID 104600003

* I see this error in my dirsrv-EXAMPLE/errors log after changing a password:

[15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file ipapwd_common.c, line 926]: failed to generate new password history!

-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

On 08/16/2012 05:00 PM, Steven Jones wrote:
> Hi,
>
> What is the default length of time the sssd daemon on a client caches for once IPA is offline pls?
>
> Is there any practical way to take the user info from one ipa instance/domain and import it into another? I know the client machines will have to have ipa un-installed and resetting users' passwords are not biggies; I'd just rather not have to input all the groups and hbac rules by hand.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>

From rcritten at redhat.com Thu Aug 16 21:32:59 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 16 Aug 2012 17:32:59 -0400
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
In-Reply-To: <502D658B.9070900@sesda2.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com>
Message-ID: <502D670B.1020904@redhat.com>

Lucas Yamanishi wrote:
> I just migrated my IPA instance from one to another a couple days ago to
> recover after a lost CA and failed yum upgrade. The "ipa migrate-ds"
> tool works very well, though I am having a few very minor issues. On
> the upside, as far as I can tell, you can skip the steps about Kerberos
> key generation as outlined in the documentation. I've been able to
> kinit just fine with my migrated users.
>
>
> Below are the few errors I've noticed.
>
> * When I ssh into an enrolled host using a migrated user's credentials I
> get this error:
>
> id: cannot find name for group ID 104600003

Does a group exist with that GID? You can try something like:

$ ipa group-find --gid=104600003

>
> * I see this error in my dirsrv-EXAMPLE/errors log after changing a
> password:
>
> [15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file
> ipapwd_common.c, line 926]: failed to generate new password history!

It is a red herring. The default is to have no password history, so we don't generate any, then we complain that none was made! I actually have a fix in my tree I plan to propose soon.

rob

>
>
> -----
> *question everything*learn something*answer nothing*
> ------------
> Lucas Yamanishi
> ------------------
> Systems Administrator, ADNET Systems, Inc.
> NASA Space and Earth Science Data Analysis (606.9)
> 7515 Mission Drive, Suite A100
> Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
>
> On 08/16/2012 05:00 PM, Steven Jones wrote:
>> Hi,
>>
>> What is the default length of time the sssd daemon on a client caches for once IPA is offline pls?
>>
>> Is there any practical way to take the user info from one ipa instance/domain and import it into another? I know the client machines will have to have ipa un-installed and resetting users' passwords are not biggies; I'd just rather not have to input all the groups and hbac rules by hand.
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>
>
>

From lyamanishi at sesda2.com Thu Aug 16 21:36:36 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Thu, 16 Aug 2012 17:36:36 -0400
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
In-Reply-To: <502D670B.1020904@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com>
Message-ID: <502D67E4.6030801@sesda2.com>

On 08/16/2012 05:32 PM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>> I just migrated my IPA instance from one to another a couple days ago to
>> recover after a lost CA and failed yum upgrade. The "ipa migrate-ds"
>> tool works very well, though I am having a few very minor issues. On
>> the upside, as far as I can tell, you can skip the steps about Kerberos
>> key generation as outlined in the documentation. I've been able to
>> kinit just fine with my migrated users.
>>
>>
>> Below are the few errors I've noticed.
>>
>> * When I ssh into an enrolled host using a migrated user's credentials I
>> get this error:
>>
>> id: cannot find name for group ID 104600003
>
> Does a group exist with that GID? You can try something like:
>
> $ ipa group-find --gid=104600003
>

The group doesn't exist. The GID is the counterpart to my UID.

>>
>> * I see this error in my dirsrv-EXAMPLE/errors log after changing a
>> password:
>>
>> [15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file
>> ipapwd_common.c, line 926]: failed to generate new password history!
>
> It is a red herring. The default is to have no password history, so we
> don't generate any, then we complain that none was made! I actually have
> a fix in my tree I plan to propose soon.
>
> rob
>
>>
>>
>> -----
>> *question everything*learn something*answer nothing*
>> ------------
>> Lucas Yamanishi
>> ------------------
>> Systems Administrator, ADNET Systems, Inc.
>> NASA Space and Earth Science Data Analysis (606.9)
>> 7515 Mission Drive, Suite A100
>> Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
>>
>> On 08/16/2012 05:00 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> What is the default length of time the sssd daemon on a client caches
>>> for once IPA is offline pls?
>>>
>>> Is there any practical way to take the user info from one ipa
>>> instance/domain and import it into another? I know the client
>>> machines will have to have ipa un-installed and resetting users'
>>> passwords are not biggies; I'd just rather not have to input all the
>>> groups and hbac rules by hand.
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>
>>
>>
>

--
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

From rcritten at redhat.com Thu Aug 16 21:39:39 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 16 Aug 2012 17:39:39 -0400
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
In-Reply-To: <502D67E4.6030801@sesda2.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com>
Message-ID: <502D689B.7040500@redhat.com>

Lucas Yamanishi wrote:
>
> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>> Lucas Yamanishi wrote:
>>> I just migrated my IPA instance from one to another a couple days ago to
>>> recover after a lost CA and failed yum upgrade. The "ipa migrate-ds"
>>> tool works very well, though I am having a few very minor issues. On
>>> the upside, as far as I can tell, you can skip the steps about Kerberos
>>> key generation as outlined in the documentation. I've been able to
>>> kinit just fine with my migrated users.
>>>
>>>
>>> Below are the few errors I've noticed.
>>>
>>> * When I ssh into an enrolled host using a migrated user's credentials I
>>> get this error:
>>>
>>> id: cannot find name for group ID 104600003
>>
>> Does a group exist with that GID? You can try something like:
>>
>> $ ipa group-find --gid=104600003
>>
>
> The group doesn't exist. The GID is the counterpart to my UID.

Try adding --private.

rob

>
>
>>>
>>> * I see this error in my dirsrv-EXAMPLE/errors log after changing a
>>> password:
>>>
>>> [15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file
>>> ipapwd_common.c, line 926]: failed to generate new password history!
>>
>> It is a red herring. The default is to have no password history, so we
>> don't generate any, then we complain that none was made! I actually have
>> a fix in my tree I plan to propose soon.
>>
>> rob
>>
>>>
>>>
>>> -----
>>> *question everything*learn something*answer nothing*
>>> ------------
>>> Lucas Yamanishi
>>> ------------------
>>> Systems Administrator, ADNET Systems, Inc.
>>> NASA Space and Earth Science Data Analysis (606.9)
>>> 7515 Mission Drive, Suite A100
>>> Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
>>>
>>> On 08/16/2012 05:00 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> What is the default length of time the sssd daemon on a client caches
>>>> for once IPA is offline pls?
>>>>
>>>> Is there any practical way to take the user info from one ipa
>>>> instance/domain and import it into another? I know the client
>>>> machines will have to have ipa un-installed and resetting users'
>>>> passwords are not biggies; I'd just rather not have to input all the
>>>> groups and hbac rules by hand.
>>>> >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> > From lyamanishi at sesda2.com Thu Aug 16 21:44:33 2012 From: lyamanishi at sesda2.com (Lucas Yamanishi) Date: Thu, 16 Aug 2012 17:44:33 -0400 Subject: [Freeipa-users] sssd client cache timer and merging IPA domains In-Reply-To: <502D689B.7040500@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> Message-ID: <502D69C1.3040301@sesda2.com> On 08/16/2012 05:39 PM, Rob Crittenden wrote: > Lucas Yamanishi wrote: >> >> On 08/16/2012 05:32 PM, Rob Crittenden wrote: >>> Lucas Yamanishi wrote: >>>> I just migrated my IPA instance from one to another a couple days >>>> ago to >>>> recover after a lost CA and failed yum upgrade. The "ipa migrate-ds" >>>> tool works very well, though I am having a few very minor issues. On >>>> the upside, as far as I can tell, you can skip the steps about Kerberos >>>> key generation as outlined in the documentation. I've been able to >>>> kinit just fine with my migrated users. >>>> >>>> >>>> Below are the few errors I've noticed. >>>> >>>> * When I ssh into an enrolled host using a migrated user's >>>> credentials I >>>> get this error: >>>> >>>> id: cannot find name for group ID 104600003\ >>> >>> Does a group exist with that GID? You can try something like: >>> >>> $ ipa group-find --gid=104600003 >>> >> >> The group doesn't exist. 
>> The GID is the counterpart to my UID.
>
> Try adding --private.
>
> rob
>

Nope. It doesn't exist.

Other groups migrated. Why would the private groups fail?

>>
>>>>
>>>> * I see this error in my dirsrv-EXAMPLE/errors log after changing a password:
>>>>
>>>> [15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file ipapwd_common.c, line 926]: failed to generate new password history!
>>>
>>> It is a red herring. The default is to have no password history, so we don't generate any, then we complain that none was made! I actually have a fix in my tree I plan to propose soon.
>>>
>>> rob
>>>
>>>> On 08/16/2012 05:00 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> What is the default length of time the sssd daemon on a client caches for once IPA is off line pls?
>>>>>
>>>>> Is there any practical way to take the user info from one ipa instance/domain and import it into another? I know the client machines will have to have ipa un-installed and resetting users passwords are not biggees I'd just not rather have to input all the groups and hbac rules by hand.
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>
>>>
>>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL:

From mmercier at gmail.com Fri Aug 17 01:14:31 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Thu, 16 Aug 2012 21:14:31 -0400
Subject: [Freeipa-users] IPA over the Internet - Security Implications
Message-ID: <051EF05B-E082-412B-8A53-43E5AC3B4AE5@gmail.com>

Hello,

I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site.

ipaclient (siteA) <-- internet --> ipaserver (siteB)

Is there an IPA document that describes this situation?
Thanks,
Mike

From Steven.Jones at vuw.ac.nz Fri Aug 17 01:43:46 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 17 Aug 2012 01:43:46 +0000
Subject: [Freeipa-users] IPA over the Internet - Security Implications
In-Reply-To: <051EF05B-E082-412B-8A53-43E5AC3B4AE5@gmail.com>
References: <051EF05B-E082-412B-8A53-43E5AC3B4AE5@gmail.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD76135@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I would assume you could do a point to point tunnel between each and do the authentication via that.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Michael Mercier [mmercier at gmail.com]
Sent: Friday, 17 August 2012 1:14 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] IPA over the Internet - Security Implications

Hello,

I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site.

ipaclient (siteA) <-- internet --> ipaserver (siteB)

Is there an IPA document that describes this situation?
Thanks,
Mike

From jhrozek at redhat.com Fri Aug 17 09:42:41 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 17 Aug 2012 11:42:41 +0200
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20120817094241.GA24190@zeppelin.brq.redhat.com>

On Thu, Aug 16, 2012 at 09:00:23PM +0000, Steven Jones wrote:
> Hi,
>
> What is the default length of time the sssd daemon on a client caches for once IPA is off line pls?
>

If the IPA provider is offline, we never remove anything from the cache, so indefinitely.

If the provider is online, we cache for 90 minutes by default, then refresh the entry.

From mmercier at gmail.com Fri Aug 17 11:02:49 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Fri, 17 Aug 2012 07:02:49 -0400
Subject: [Freeipa-users] IPA over the Internet - Security Implications
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD76135@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <051EF05B-E082-412B-8A53-43E5AC3B4AE5@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD76135@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <9AE33A89-F8CF-41C6-A4E4-F998540FF194@gmail.com>

Hi,

Let us assume just the two systems directly connected to the internet. I am specifically interested in what the security implications would be, not ways to get around them (e.g. point-to-point tunnel). I have read that kerberos was designed for untrusted networks, just how untrusted can they be?

Thanks,
Mike

On 16-Aug-12, at 9:43 PM, Steven Jones wrote:

> Hi,
>
> I would assume you could do a point to point tunnel between each and do the authentication via that.
>
> regards
>
> Steven Jones
>

From rcritten at redhat.com Fri Aug 17 12:38:50 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 17 Aug 2012 08:38:50 -0400
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
In-Reply-To: <502D69C1.3040301@sesda2.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> <502D69C1.3040301@sesda2.com>
Message-ID: <502E3B5A.9030401@redhat.com>

Lucas Yamanishi wrote:
>
> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>> Lucas Yamanishi wrote:
>>>
>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>> Lucas Yamanishi wrote:
>>>>> I just migrated my IPA instance from one to another a couple days ago to recover after a lost CA and failed yum upgrade. The "ipa migrate-ds" tool works very well, though I am having a few very minor issues.
>>>>> On the upside, as far as I can tell, you can skip the steps about Kerberos key generation as outlined in the documentation. I've been able to kinit just fine with my migrated users.
>>>>>
>>>>> Below are the few errors I've noticed.
>>>>>
>>>>> * When I ssh into an enrolled host using a migrated user's credentials I get this error:
>>>>>
>>>>> id: cannot find name for group ID 104600003\
>>>>
>>>> Does a group exist with that GID? You can try something like:
>>>>
>>>> $ ipa group-find --gid=104600003
>>>>
>>>
>>> The group doesn't exist. The GID is the counterpart to my UID.
>>
>> Try adding --private.
>>
>> rob
>>
>
> Nope. It doesn't exist.
>
> Other groups migrated. Why would the private groups fail?

I don't know, what have you done to date, including versions?

rob

From ssorce at redhat.com Fri Aug 17 13:03:29 2012
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 17 Aug 2012 09:03:29 -0400 (EDT)
Subject: [Freeipa-users] IPA over the Internet - Security Implications
In-Reply-To: <9AE33A89-F8CF-41C6-A4E4-F998540FF194@gmail.com>
Message-ID: <2852581.6686366.1345208609902.JavaMail.root@redhat.com>

----- Original Message -----
> Hi,
>
> Let us assume just the two systems directly connected to the internet. I am specifically interested in what the security implications would be, not ways to get around them (e.g. point-to-point tunnel). I have read that kerberos was designed for untrusted networks, just how untrusted can they be?

I would say that it really depends on your threat model.

With recent versions of FreeIPA we disable by default using DES keys, which were certainly not really secure anymore, given you can easily break DES encryption in a short enough period and without the need for expensive hardware these days.

AES and RC4, which are the common ones used, and even 3DES should be robust enough to allow operating in safety, even if traffic is captured and brute force attacked, for the ticket validity period.
We also always enabled by default required preauthentication for all principals, which avoids attacks against TGT packets.

What you may want to do however is harden the LDAP server configuration a bit. You probably want to prevent anonymous connections and also make sure all connections are always encrypted by setting the right minssf limits.

You also need to decide if you want to expose admin interfaces (kadmin, http) over the internet or only krb5/ldap.

Simo.

From jdennis at redhat.com Fri Aug 17 13:05:03 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 17 Aug 2012 09:05:03 -0400
Subject: [Freeipa-users] IPA over the Internet - Security Implications
In-Reply-To: <051EF05B-E082-412B-8A53-43E5AC3B4AE5@gmail.com>
References: <051EF05B-E082-412B-8A53-43E5AC3B4AE5@gmail.com>
Message-ID: <502E417F.3030202@redhat.com>

On 08/16/2012 09:14 PM, Michael Mercier wrote:
> Hello,
>
> I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site.
>
> ipaclient (siteA) <-- internet --> ipaserver (siteB)
>
> Is there an IPA document that describes this situation?

I'm not aware of any such document but IPA was designed to be secure in multiple ways including traffic on open networks. All network traffic that is sensitive is tunneled in some fashion, usually either by the kerberos protocol or the SSL/TLS protocols. IPA also makes sure strong encryption is utilized for those tunnels. Strong authentication is also required at the endpoints of those tunnels.

It really wouldn't make much sense to design an authentication and security manager that itself wasn't secure :-)

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From cevich at redhat.com Fri Aug 17 13:57:07 2012
From: cevich at redhat.com (Chris Evich)
Date: Fri, 17 Aug 2012 09:57:07 -0400
Subject: [Freeipa-users] IPA over the Internet - Security Implications
In-Reply-To: <9AE33A89-F8CF-41C6-A4E4-F998540FF194@gmail.com>
References: <051EF05B-E082-412B-8A53-43E5AC3B4AE5@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD76135@STAWINCOX10MBX1.staff.vuw.ac.nz> <9AE33A89-F8CF-41C6-A4E4-F998540FF194@gmail.com>
Message-ID: <502E4DB3.9000109@redhat.com>

On 08/17/2012 07:02 AM, Michael Mercier wrote:
> Hi,
>
> Let us assume just the two systems directly connected to the internet. I am specifically interested in what the security implications would be, not ways to get around them (e.g. point-to-point tunnel). I have read that kerberos was designed for untrusted networks, just how untrusted can they be?
>
> Thanks,
> Mike
>
> On 16-Aug-12, at 9:43 PM, Steven Jones wrote:
>
>> Hi,
>>
>> I would assume you could do a point to point tunnel between each and do the authentication via that.
>>
>> regards
>>
>> Steven Jones
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Michael Mercier [mmercier at gmail.com]
>> Sent: Friday, 17 August 2012 1:14 p.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] IPA over the Internet - Security Implications
>>
>> Hello,
>>
>> I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site.
>>
>> ipaclient (siteA) <-- internet --> ipaserver (siteB)
>>
>> Is there an IPA document that describes this situation?
>>
>> Thanks,
>> Mike

Don't overlook DOS/DDOS type attacks against these servers.
While it may not penetrate the encryption, they could limit your options for fixing the problem remotely, or even locally. I'm not aware of/if/how well these services are validated against DOS-type attacks. However, even if they are somewhat hardened, simple things like massive ping-floods could easily overload the networking stack.

Further, all of these services are heavily dependent on DNS. I'd worry about this just as much as KDC/LDAP, for simple availability problems (whatever the attack vector). This could easily bottle up all other traffic, and the short client-side timeouts (6-seconds) aren't helping.

Again thinking beyond just the encrypted traffic, the server processes are also exposed with whatever unknown flaws they have. While they're certainly tighter than the average app., I'd pay particular attention to keeping them updated, 0-day if possible. This again can impact availability, for example in the case of unknown and unrelated regressions in the updates themselves.

--
Chris Evich, RHCA, RHCE, RHCDS, RHCSS
Quality Assurance Engineer
e-mail: cevich + `@' + redhat.com
o: 1-888-RED-HAT1 x44214

From lyamanishi at sesda2.com Fri Aug 17 16:07:29 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Fri, 17 Aug 2012 12:07:29 -0400
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
In-Reply-To: <502E3B5A.9030401@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> <502D69C1.3040301@sesda2.com> <502E3B5A.9030401@redhat.com>
Message-ID: <502E6C41.1060209@sesda2.com>

On 08/17/2012 08:38 AM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>>
>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>> Lucas Yamanishi wrote:
>>>>
>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>>> Lucas Yamanishi wrote:
>>>>>> I just migrated my IPA instance from one to another a couple days
>>>>>> ago to recover after a lost CA and failed yum upgrade. The "ipa migrate-ds" tool works very well, though I am having a few very minor issues. On the upside, as far as I can tell, you can skip the steps about Kerberos key generation as outlined in the documentation. I've been able to kinit just fine with my migrated users.
>>>>>>
>>>>>> Below are the few errors I've noticed.
>>>>>>
>>>>>> * When I ssh into an enrolled host using a migrated user's credentials I get this error:
>>>>>>
>>>>>> id: cannot find name for group ID 104600003\
>>>>>
>>>>> Does a group exist with that GID? You can try something like:
>>>>>
>>>>> $ ipa group-find --gid=104600003
>>>>>
>>>>
>>>> The group doesn't exist. The GID is the counterpart to my UID.
>>>
>>> Try adding --private.
>>>
>>> rob
>>>
>>
>> Nope. It doesn't exist.
>>
>> Other groups migrated. Why would the private groups fail?
>
> I don't know, what have you done to date, including versions?
>
> rob

I've been following the stable Scientific Linux releases since 6.1. Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now 2.2.0-16.el6.x86_64.

So...

2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ----> 2.2.0-16.el6.x86_64
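Simo Sorce's reply in the "IPA over the Internet" thread above says to prevent anonymous LDAP connections and to force encryption via minssf before exposing the directory. The following added example (not FreeIPA's or 389-ds's own code) audits a cn=config LDIF export for exactly those settings: the attribute names are real 389-ds cn=config attributes, while the two LDIF fragments, the 128-bit threshold and the inclusion of nsslapd-require-secure-binds are this example's own assumptions.

```python
"""Audit a 389-ds cn=config LDIF fragment for the settings that matter when
the LDAP port is reachable from an untrusted network: anonymous binds and the
minimum security strength factor (minssf) that forces encrypted connections.

Added example, not FreeIPA or 389-ds code. The LDIF fragments below are
constructed and the thresholds are this example's own assumptions."""
import base64

# Assumption: demand at least 128-bit strength (AES over TLS or GSSAPI).
# 389-ds itself defaults nsslapd-minssf to 0, i.e. cleartext is allowed.
MIN_SSF = 128
# 389-ds accepts on/off/rootdse; "rootdse" keeps the root DSE readable for
# client discovery while refusing anonymous reads of the rest of the tree.
ANON_OK = ("off", "rootdse")


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the line above)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of entries, each mapping lowercase attribute -> [values].
    Handles comments, folded lines and '::' base64-encoded values."""
    entries, entry = [], {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():          # a blank line ends the current entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                  # not an "attr: value" line; ignore it
        if value.startswith(":"):     # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def find_entry(entries, dn):
    """Return the entry whose dn matches (case-insensitive), or None."""
    for entry in entries:
        if any(v.lower() == dn.lower() for v in entry.get("dn", [])):
            return entry
    return None


def check_cn_config(ldif_text):
    """Return [(attribute, ok, observed_value)] for the exposure-relevant settings.
    Missing attributes are scored at the 389-ds defaults (on / 0 / off)."""
    cfg = find_entry(parse_ldif(ldif_text), "cn=config")
    if cfg is None:
        return [("cn=config", False, "entry not found")]

    def first(attr, default):
        return cfg.get(attr, [default])[0]

    anon = first("nsslapd-allow-anonymous-access", "on").lower()
    try:
        ssf = int(first("nsslapd-minssf", "0"))
    except ValueError:
        ssf = -1                      # an unparsable value counts as failing
    secure_binds = first("nsslapd-require-secure-binds", "off").lower()
    return [
        ("nsslapd-allow-anonymous-access", anon in ANON_OK, anon),
        ("nsslapd-minssf", ssf >= MIN_SSF, str(ssf) if ssf >= 0 else "invalid"),
        ("nsslapd-require-secure-binds", secure_binds == "on", secure_binds),
    ]


def is_hardened(ldif_text):
    """True only when every checked setting passes."""
    return all(ok for _, ok, _ in check_cn_config(ldif_text))


# Constructed cn=config fragments: one at the stock defaults, one hardened.
WEAK_CONFIG = """\
dn: cn=config
cn: config
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 0
nsslapd-require-secure-binds: off
"""

HARDENED_CONFIG = """\
dn: cn=config
cn: config
# folded value, as ldapsearch output may wrap it
nsslapd-allow-anonymous-access: root
 dse
nsslapd-minssf: 128
nsslapd-require-secure-binds: on
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "hardened" if is_hardened(cfg) else "NOT hardened")
        for attr, ok, seen in check_cn_config(cfg):
            print("  %-32s %s (%s)" % (attr, "ok" if ok else "FAIL", seen))
```

Feed it the output of an `ldapsearch -LLL -b cn=config` run as Directory Manager over a protected channel; note that a minssf above 0 also applies to the clients and replicas that talk to this server, so they must already be using TLS or GSSAPI encryption.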
From rcritten at redhat.com Fri Aug 17 16:13:29 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 17 Aug 2012 12:13:29 -0400
Subject: [Freeipa-users] Announcing FreeIPA v3.0.0 beta 2 Release
Message-ID: <502E6DA9.30901@redhat.com>

The FreeIPA team is proud to announce version FreeIPA v3.0.0 beta 2.

It can be downloaded from http://www.freeipa.org/page/Downloads. A build is available in the Fedora 18 and rawhide repositories or for Fedora 17 via the freeipa-devel repo on www.freeipa.org: http://freeipa.org/downloads/freeipa-devel.repo . To install in Fedora 17 and 18 the updates-testing repository needs to be enabled as well.

NOTE: The Fedora 18 build was submitted this morning (8/17) and has yet to hit updates-testing. The packages are also at http://koji.fedoraproject.org/koji/buildinfo?buildID=348836

For additional information see the AD Trust design page http://freeipa.org/page/IPAv3_AD_trust and the AD Trust testing page http://freeipa.org/page/IPAv3_testing_AD_trust.

== Highlights since 3.0.0 beta 1 ==

* NTLM password hash is generated for existing users on first use of IPA cross-realm environment based on their Kerberos keys without requiring a password change.
* Secure identifiers compatible with Active Directory are generated automatically for existing users upon set up of IPA cross-realm environment.
* Use certmonger to renew CA subsystem certificates
* Support for DNS zone transfers to non-IPA slaves
* Internal change to LDAP Distinguished Name handling to be more robust
* Better support for Internet Explorer 9 in the UI
* Allow multiple servers on client install command-line and configuring without DNS discovery.
* Translation updates

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

If you have multiple servers you may upgrade them one at a time.
It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 should work but has not been fully tested. Proceed with caution.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys (using host-mod).

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed changelog ==

Alexander Bokovoy (11):
* ipasam: improve SASL bind callback
* Use smb.conf 'dedicated keytab file' parameter instead of hard-coded value
* reduce redundant checks in ldapsam_search_users() to a single statement
* ipalib/plugins/trust.py: ValidationError takes 'error' named argument, not 'reason'
* Handle various forms of admin accounts when establishing trusts
* Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_sam
* Rework task naming in LDAP updates to avoid conflicting names in certain cases
* When ipaNTHash is missing, ask IPA to generate it from kerberos keys
* Ensure ipa-adtrust-install is run with Kerberos ticket for admin user
* Handle exceptions when establishing trusts
* Add internationalization to DCE RPC code

David Spångberg (1):
* Indirect roles in WebUI

Gowrishankar Rajaiyan (1):
* Adding exit status 3 & 4 to ipa-client-install man page

Jan Cholasta (2):
* Add --{set,add,del}attr options to commands which are missing them.
* Raise Base64DecodeError instead of ConversionError when base64 decoding fails in Bytes parameters.
John Dennis (2):
* Use DN objects instead of strings
* Installation fails when CN is set in certificate subject base

Martin Kosek (12):
* Do not change LDAPObject objectclass list
* Add automount map/key update permissions
* Fix ipa-managed-entries man page typo
* Improve address family handling in sockets
* Enable SOA serial autoincrement
* Add range-mod command
* Warn user if an ID range with incorrect size was created
* Print ipa-ldap-updater errors during RPM upgrade
* Enforce CNAME constraints for DNS commands
* Avoid redundant info message during RPM update
* Bump bind-dyndb-ldap version for F18
* Fix winsync agreements creation

Petr Viktorin (7):
* Fix batch command error reporting
* Fix wrong option name in ipa-managed-entries man page
* Fix updating minimum_connections in ipa-upgradeconfig
* Framework for admin/install tools, with ipa-ldap-updater
* Arrange stripping .po files
* Update translations
* Create /etc/sysconfig/network if it doesn't exist

Petr Vobornik (31):
* Moved configuration to last position in navigation
* Display loginas information only after login
* Password policy measurement units.
* Web UI: kerberos ticket policy measurement units
* Add and remove dns per-domain permission in Web UI
* Differentiation of widget type and text_widget input type
* Fixed display of attributes_widget in IE9
* Bigger textarea for permission type=subtree
* IDs and names for dialogs
* Fix autoscroll to top in tables in IE
* Fixed: Unable to select option in combobox in IE and Chrome
* Fixed: Unable to select option in combobox in IE and Chrome
* Fixed: combobox stacking in service adder dialog
* PAC Type options for services in Web UI
* Update to jquery.1.7.2.min
* Update to jquery-ui-1.8.21.custom
* Fix for incorrect event handler definition
* Removal of unnecessary overrides of jquery-ui styles
* Unified buttons
* Web UI tests fix
* Fixed incorrect use of jQuery.attr for setting disabled attribute
* Replace use of attr with prop for booleans
* Add external group
* Make group external
* Make group posix
* Display group type
* Attribute facet
* Group external member facet
* Read-only external facet for non-external groups
* Handle case when trusted domain user access the Web UI
* Disable caching of Web UI login_kerberos request
* Update other facets on delete from search page

Rob Crittenden (12):
* Centralize timeout for waiting for servers to start.
* Make client server option multi-valued, allow disabling DNS discovery
* Don't hardcode serial_autoincrement to True.
* Support per-principal sessions and handle session update failures
* Default to no when trying to install a replica on wrong server.
* Fix validator for SELinux user map settings in config plugin.
* Use certmonger to renew CA subsystem certificates
* Add per-service option to store the types of PAC it supports
* Convert PKCS#11 subject to string before passing to ipapython.DN
* Use DN object for Directory Manager in ipa-replica-manage connect command
* Raise proper exception when given a bad DN attribute.
* Validate default user in ordered list when using setattr, require MLS

Simo Sorce (14):
* Fix wrong check after allocation.
* Fix safety checks to prevent orphaning replicas
* Fix detection of deleted masters
* Add libtalloc-devel as spec file BuildRequire
* Add all external samba libraries to BuildRequires
* Do not check for DNA magic values
* Move code into common krb5 utils
* Improve loops around slapi mods
* Add special modify op to regen ipaNTHash
* Move mspac structure to be a private pointer
* Load list of trusted domain on connecting to ldap
* Properly name function to add ipa external groups
* Split out manipulation of logon_info blob
* Add PAC filtering

Sumit Bose (4):
* Allow silent build if available
* ipasam: fixes for clang warnings
* ipasam: replace testing code
* Fix typo

Tomas Babej (5):
* Adds check for ipa-join.
* Permissions of replica files changed to 0600.
* Handle SSSD restart crash more gently.
* Corrects help description of selinuxusermap.
* Improves exception handling in ipa-replica-prepare.

From amessina at messinet.com Fri Aug 17 18:42:07 2012
From: amessina at messinet.com (Anthony Messina)
Date: Fri, 17 Aug 2012 13:42:07 -0500
Subject: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"
In-Reply-To: <500D1489.9000608@messinet.com>
References: <500D1489.9000608@messinet.com>
Message-ID: <1483766.SmVgfPAbPz@linux-ws1.messinet.com>

On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote:
> I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA server and each morning I receive the following report from rkhunter.
>
> I imagine/hope that these are not actual rootkits and was wondering if anyone knew of a way to inform rkhunter/rkhunter.conf to "never mind" these as they seem like they would be a normal part of the IPA/CA process.
>
> By the way, UID 995 is the pkiuser on my IPA system.
>
> Thanks for any input.
> -A
>
> rkhunter warning output follows:
>
> Warning: The following processes are using suspicious files:
> Command: java
> UID: 995 PID: 1513
> Pathname: /var/log/pki-ca/system
> Possible Rootkit: Unknown rootkit
> Command: java
> UID: 1518 PID: 1513
> Pathname: 14287633
> Possible Rootkit: Unknown rootkit

Is anyone able to offer some insight on this one? Perhaps there is some way to update the rkhunter configuration to 'allow' this behavior, if it's intended. Thanks.

-A

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From sgallagh at redhat.com Fri Aug 17 19:20:46 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 17 Aug 2012 15:20:46 -0400
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
In-Reply-To: <20120817094241.GA24190@zeppelin.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <20120817094241.GA24190@zeppelin.brq.redhat.com>
Message-ID: <1345231246.2307.0.camel@sgallagh520.sgallagh.bos.redhat.com>

On Fri, 2012-08-17 at 11:42 +0200, Jakub Hrozek wrote:
> On Thu, Aug 16, 2012 at 09:00:23PM +0000, Steven Jones wrote:
> > Hi,
> >
> > What is the default length of time the sssd daemon on a client caches for once IPA is off line pls?
> >
>
> If the IPA provider is offline, we never remove anything from the cache, so indefinitely.
>

One exception: if you've opted to use the offline_credentials_expiration option in sssd.conf, then after the specified number of days, the user's cached password (but none of his other information) will be removed from the client.

> If the provider is online, we cache for 90 minutes by default, then refresh the entry.
From sgallagh at redhat.com Fri Aug 17 19:25:45 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 17 Aug 2012 15:25:45 -0400
Subject: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"
In-Reply-To: <1483766.SmVgfPAbPz@linux-ws1.messinet.com>
References: <500D1489.9000608@messinet.com> <1483766.SmVgfPAbPz@linux-ws1.messinet.com>
Message-ID: <1345231545.2307.2.camel@sgallagh520.sgallagh.bos.redhat.com>

On Fri, 2012-08-17 at 13:42 -0500, Anthony Messina wrote:
> On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote:
> > I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA server and each morning I receive the following report from rkhunter.
> >
> > I imagine/hope that these are not actual rootkits and was wondering if anyone knew of a way to inform rkhunter/rkhunter.conf to "never mind" these as they seem like they would be a normal part of the IPA/CA process.
> >
> > By the way, UID 995 is the pkiuser on my IPA system.
> >
> > Thanks for any input. -A
> >
> > rkhunter warning output follows:
> >
> > Warning: The following processes are using suspicious files:
> > Command: java
> > UID: 995 PID: 1513
> > Pathname: /var/log/pki-ca/system
> > Possible Rootkit: Unknown rootkit
> > Command: java
> > UID: 1518 PID: 1513
> > Pathname: 14287633
> > Possible Rootkit: Unknown rootkit
>
> Is anyone able to offer some insight on this one? Perhaps there is some way to update the rkhunter configuration to 'allow' this behavior, if it's intended. Thanks. -A

This looks to me like it's a false positive. Please file a bug against the rkhunter package at bugzilla.redhat.com
From mstlaure at redhat.com Fri Aug 17 18:59:31 2012
From: mstlaure at redhat.com (Mark St. Laurent)
Date: Fri, 17 Aug 2012 14:59:31 -0400 (EDT)
Subject: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"
In-Reply-To: <1483766.SmVgfPAbPz@linux-ws1.messinet.com>
Message-ID: <44995191.12390007.1345229971639.JavaMail.root@redhat.com>

Hi Anthony,

I would start off by seeing what files the PID is opening to make sure it is truly being good:

# lsof -p 1513

To avoid these warnings, you can reconfigure rkhunter to ignore these false positives by editing the rkhunter.conf file (vi /etc/rkhunter.conf):

RTKT_FILE_WHITELIST="/var/log/pki-ca/system"

Hope this helps.

Norman "Mark" St. Laurent
Federal Team: Senior Solutions Architect
Red Hat
8260 Greensboro Drive, Suite 300
McLean VA, 22102
Email: msl at redhat.com
Cell: 703.772.1434

Check this Link out!!! Cool Stuff: http://mil-oss.org/

----- Original Message -----
From: "Anthony Messina"
To: freeipa-users at redhat.com
Sent: Friday, August 17, 2012 2:42:07 PM
Subject: Re: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"

On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote:
> I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA server and each morning I receive the following report from rkhunter.
>
> I imagine/hope that these are not actual rootkits and was wondering if anyone knew of a way to inform rkhunter/rkhunter.conf to "never mind" these as they seem like they would be a normal part of the IPA/CA process.
>
> By the way, UID 995 is the pkiuser on my IPA system.
>
> Thanks for any input.
> -A
>
>
> rkhunter warning output follows:
>
> Warning: The following processes are using suspicious files:
> Command: java
> UID: 995 PID: 1513
> Pathname: /var/log/pki-ca/system
> Possible Rootkit: Unknown rootkit
> Command: java
> UID: 1518 PID: 1513
> Pathname: 14287633
> Possible Rootkit: Unknown rootkit

Is anyone able to offer some insight on this one? Perhaps there is some way to update the rkhunter configuration to 'allow' this behavior, if it's intended. Thanks. -A

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From amessina at messinet.com Fri Aug 17 19:53:11 2012
From: amessina at messinet.com (Anthony Messina)
Date: Fri, 17 Aug 2012 14:53:11 -0500
Subject: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"
In-Reply-To: <44995191.12390007.1345229971639.JavaMail.root@redhat.com>
References: <44995191.12390007.1345229971639.JavaMail.root@redhat.com>
Message-ID: <3275310.7MySf1cXBr@linux-ws1.messinet.com>

On Friday, August 17, 2012 02:59:31 PM Mark St. Laurent wrote:
Hi Anthony,

I would start off by seeing what files the PID is opening to make sure it is truly being good:

#lsof -p 1513

To avoid these warnings, you can reconfigure rkhunter to ignore these false positives by editing the rkhunter.conf file: vi /etc/rkhunter.conf.

RTKT_FILE_WHITELIST="/var/log/pki-ca/system"

Hope this helps.

Norman "Mark" St. Laurent
Federal Team: Senior Solutions Architect
Red Hat
8260 Greensboro Drive, Suite 300
McLean VA, 22102
Email: msl at redhat.com
Cell: 703.772.1434

Check this Link out!!! Cool Stuff: http://mil-oss.org/

Thank you very much. The process looks like it is "truly being good." And your solution worked perfectly.
-A

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From amessina at messinet.com Fri Aug 17 19:59:35 2012
From: amessina at messinet.com (Anthony Messina)
Date: Fri, 17 Aug 2012 14:59:35 -0500
Subject: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"
In-Reply-To: <1345231545.2307.2.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <500D1489.9000608@messinet.com> <1483766.SmVgfPAbPz@linux-ws1.messinet.com> <1345231545.2307.2.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <6728404.ov1jHCcHSk@linux-ws1.messinet.com>

On Friday, August 17, 2012 03:25:45 PM Stephen Gallagher wrote:
> On Fri, 2012-08-17 at 13:42 -0500, Anthony Messina wrote:
> > On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote:
> > > I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running
> > > well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA
> > > server and each morning I receive the following report from rkhunter.
> > >
> > > I imagine/hope that these are not actual rootkits and was wondering if
> > > anyone knew of a way to inform rkhunter/rkhunter.conf to "never mind"
> > > these as they seem like they would be a normal part of the IPA/CA
> > > process.
> > >
> > > By the way, UID 995 is the pkiuser on my IPA system.
> > >
> > > Thanks for any input.
> > > -A
> > >
> > > rkhunter warning output follows:
> > >
> > > Warning: The following processes are using suspicious files:
> > > Command: java
> > > UID: 995 PID: 1513
> > > Pathname: /var/log/pki-ca/system
> > > Possible Rootkit: Unknown rootkit
> > > Command: java
> > > UID: 1518 PID: 1513
> > > Pathname: 14287633
> > > Possible Rootkit: Unknown rootkit
> >
> > Is anyone able to offer some insight on this one? Perhaps there is some
> > way to update the rkhunter configuration to 'allow' this behavior, if
> > it's intended. Thanks. -A
>
> This looks to me like it's a false positive. Please file a bug against
> the rkhunter package at bugzilla.redhat.com

Thank you: https://bugzilla.redhat.com/show_bug.cgi?id=849251

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From jreg2k at gmail.com Fri Aug 17 20:55:39 2012
From: jreg2k at gmail.com (James James)
Date: Fri, 17 Aug 2012 22:55:39 +0200
Subject: [Freeipa-users] Question about migration and scripts variables
Message-ID:

Hi,

My first question is about the migrate process. Is it possible to renumber the users during the migrate process (ipa migrate-ds) in a way that all imported users will have a new UID?

My second question is about ipalib. I wanted to make a hook on the user creation. The hook works fine. I just want to know if there is a way to have the value of variables like the username, the name of the creator, the e-mail of the creator and stuff like that.

Thanks for your answers.

ps: sorry for my poor English :)
From franklinbc at gmail.com Sun Aug 19 14:39:34 2012
From: franklinbc at gmail.com (Franklin Catoni)
Date: Sun, 19 Aug 2012 10:09:34 -0430
Subject: [Freeipa-users] Active Directory slave zone in FreeIPA DNS
Message-ID:

Greetings community.

I do not speak English so I will do my best.

I have two environments in my company, a domain "ejemplo.com" with Windows Active Directory running on Windows Server 2003 Enterprise Edition SP2 and a domain "ejemplo.gob.ve" with FreeIPA v2.2 installed on CentOS 6.3 x64. This is because we are in the middle of a platform migration process (a very slow process) from proprietary solutions to open source.

DNS and DHCP service for my two environments is offered by the CentOS 6.3 server on which the FreeIPA directory is installed; the clients are Windows computers in the Active Directory domain and Linux computers in the IPA domain.

Currently the zone "ejemplo.gob.ve" is administered by the FreeIPA DNS using the plugin (bind-dyndb-ldap.x86_64 v1.1.0) and I configured a slave zone using bind (bind-9.8.2-0.10.rc1.el6_3.2.x86_64) for the Active Directory domain "ejemplo.com".

Name resolution works perfectly for both Linux and Windows clients.

Now here comes the tricky part.

In order to get more centralized management of my services, I tried to configure a slave zone for Active Directory through FreeIPA with the bind-dyndb-ldap plugin, and so eliminate the configuration through bind, but the zone transfers do not work, causing many problems on both platforms.

The log shows me the following error:

ServidorIPA named[3706]: zone ejemplo.com/IN/local: zone serial (2012081801) unchanged. zone may fail to transfer to slaves

I've spent enough time looking on Google for information that can help me, but it has not been easy, because it seems to be a rare situation.

I ask: can this be set up under these circumstances? Has someone accomplished it? Is there any information that could orient me towards a solution?

Thanks for your time.
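The log line in the message above is the slave's side of a zone transfer, so as an added example (not from Franklin or from the bind-dyndb-ldap project) here is that decision written out: a slave compares the master's SOA serial with the one it already holds and pulls the zone only when the master's is newer, using RFC 1982 serial arithmetic so a serial that has wrapped past 2^32 still counts as newer. An unchanged serial therefore means no transfer, however much the zone content changed behind it, which is why bumping the serial by hand is the workaround. The dig-style SOA lines, the server name `ns1.ejemplo.com.` and the timer values are constructed for the example, not taken from Franklin's servers.

```python
"""Added example, not from the thread: how a slave name server decides
whether to transfer a zone, driven by the SOA serial, plus the
YYYYMMDDnn bump an administrator applies by hand.
"""

SERIAL_MOD = 1 << 32     # an SOA serial is an unsigned 32-bit value
SERIAL_HALF = 1 << 31

# Constructed: what `dig +noall +answer SOA ejemplo.com @<server>` could
# print on the master and on the slave (presentation format).
MASTER_SOA = ("ejemplo.com.\t3600\tIN\tSOA\tns1.ejemplo.com. "
              "hostmaster.ejemplo.com. 2012081801 900 600 86400 3600")
SLAVE_SOA = ("ejemplo.com.\t3600\tIN\tSOA\tns1.ejemplo.com. "
             "hostmaster.ejemplo.com. 2012081801 900 600 86400 3600")


def parse_soa(rr_line):
    """Parse one SOA record in presentation format.

    Accepts 'owner [ttl] [class] SOA mname rname serial refresh retry
    expire minimum'; TTL and class are optional, as in dig output.
    """
    fields = rr_line.split()
    try:
        i = fields.index("SOA")
    except ValueError:
        raise ValueError("not an SOA record: %r" % rr_line)
    if len(fields) < i + 8:
        raise ValueError("truncated SOA record: %r" % rr_line)
    numbers = [int(f) for f in fields[i + 3:i + 8]]
    serial = numbers[0]
    if not 0 <= serial < SERIAL_MOD:
        raise ValueError("serial %d is not a 32-bit value" % serial)
    return {"owner": fields[0], "mname": fields[i + 1], "rname": fields[i + 2],
            "serial": serial, "refresh": numbers[1], "retry": numbers[2],
            "expire": numbers[3], "minimum": numbers[4]}


def serial_gt(a, b):
    """RFC 1982: a is newer than b when the forward distance from b to a
    is non-zero and below 2^31.  Plain integer comparison gets the
    wrap-around case wrong."""
    return 0 < (a - b) % SERIAL_MOD < SERIAL_HALF


def transfer_decision(master_rr, slave_rr):
    """Return (will_transfer, reason) for a slave holding `slave_rr` after
    it refreshes against a master publishing `master_rr`."""
    m = parse_soa(master_rr)["serial"]
    s = parse_soa(slave_rr)["serial"]
    if m == s:
        return False, "zone serial (%d) unchanged; slave keeps its copy" % m
    if serial_gt(m, s):
        return True, "master serial %d is newer than slave serial %d" % (m, s)
    return False, ("master serial %d is older than slave serial %d; "
                   "slave keeps its copy" % (m, s))


def bump_serial(current, today_yyyymmdd):
    """Next serial in the YYYYMMDDnn convention the zone above uses.

    Today's date is passed as an int such as 20120819 so the result is
    deterministic.  Falls back to current+1 (mod 2^32) when the dated
    value would not be newer: same-day edits, clock skew, or a serial
    someone already set in the future.
    """
    candidate = today_yyyymmdd * 100 + 1
    if not serial_gt(candidate, current):
        candidate = (current + 1) % SERIAL_MOD
    return candidate


if __name__ == "__main__":
    ok, why = transfer_decision(MASTER_SOA, SLAVE_SOA)
    print("transfer: %s (%s)" % (ok, why))
    serial = parse_soa(MASTER_SOA)["serial"]
    print("bumped serial for 2012-08-19: %d" % bump_serial(serial, 20120819))
```

To check a real pair of servers, feed `transfer_decision` the answer lines from `dig +noall +answer SOA <zone> @<master>` and the same query against the slave; the "Allow transfer" question Siggi raises is separate, since a slave that is refused AXFR never gets as far as this comparison.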
From sigbjorn at nixtra.com Sun Aug 19 16:23:20 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 19 Aug 2012 18:23:20 +0200
Subject: [Freeipa-users] Active Directory slave zone in FreeIPA DNS
In-Reply-To:
References:
Message-ID: <503112F8.8000900@nixtra.com>

On 08/19/2012 04:39 PM, Franklin Catoni wrote:
> Greetings community.
>
> I do not speak English so I will do my best.
>
> I have two environments in my company, a domain "ejemplo.com" with
> Windows Active Directory running on Windows Server 2003 Enterprise
> Edition SP2 and a domain "ejemplo.gob.ve" with FreeIPA v2.2 installed
> on CentOS 6.3 x64. This is because we are in the middle of a platform
> migration process (a very slow process) from proprietary solutions to
> open source.
>
> DNS and DHCP service for my two environments is offered by the CentOS
> 6.3 server on which the FreeIPA directory is installed; the clients are
> Windows computers in the Active Directory domain and Linux computers in
> the IPA domain.
>
> Currently the zone "ejemplo.gob.ve" is administered by the FreeIPA DNS
> using the plugin (bind-dyndb-ldap.x86_64 v1.1.0) and I configured a
> slave zone using bind (bind-9.8.2-0.10.rc1.el6_3.2.x86_64) for the
> Active Directory domain "ejemplo.com".
>
> Name resolution works perfectly for both Linux and Windows clients.
>
> Now here comes the tricky part.
>
> In order to get more centralized management of my services, I tried to
> configure a slave zone for Active Directory through FreeIPA with the
> bind-dyndb-ldap plugin, and so eliminate the configuration through
> bind, but the zone transfers do not work, causing many problems on
> both platforms.
>
> The log shows me the following error:
>
> ServidorIPA named[3706]: zone ejemplo.com/IN/local: zone serial
> (2012081801) unchanged.
> zone may fail to transfer to slaves
>
> I've spent enough time looking on Google for information that can
> help me, but it has not been easy, because it seems to be a rare
> situation.
>
> I ask: can this be set up under these circumstances?
> Has someone accomplished it?
> Is there any information that could orient me towards a solution?
>
> Thanks for your time.
>

Hi,

Is the zone not transferring at all, or is it just the updates that are not transferred to the AD slave server?

If the zone is not transferring at all: did you modify the "Allow transfer" property of the zone?

If the updates are not transferring: I believe automatic increment of the zone serial number will be supported in IPA 3.0. The IPA developers will have to confirm that. However you can manually change the serial number under Zone Settings.

Hope this helps.

Regards,
Siggi

From rcritten at redhat.com Mon Aug 20 12:44:32 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Aug 2012 08:44:32 -0400
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
In-Reply-To: <502E6C41.1060209@sesda2.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> <502D69C1.3040301@sesda2.com> <502E3B5A.9030401@redhat.com> <502E6C41.1060209@sesda2.com>
Message-ID: <50323130.6030102@redhat.com>

Lucas Yamanishi wrote:
>
> On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>> Lucas Yamanishi wrote:
>>>
>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>>> Lucas Yamanishi wrote:
>>>>>
>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>>>> Lucas Yamanishi wrote:
>>>>>>> I just migrated my IPA instance from one to another a couple days
>>>>>>> ago to
>>>>>>> recover after a lost CA and failed yum upgrade.
>>>>>>> The "ipa migrate-ds"
>>>>>>> tool works very well, though I am having a few very minor issues. On
>>>>>>> the upside, as far as I can tell, you can skip the steps about
>>>>>>> Kerberos
>>>>>>> key generation as outlined in the documentation. I've been able to
>>>>>>> kinit just fine with my migrated users.
>>>>>>>
>>>>>>>
>>>>>>> Below are the few errors I've noticed.
>>>>>>>
>>>>>>> * When I ssh into an enrolled host using a migrated user's
>>>>>>> credentials I
>>>>>>> get this error:
>>>>>>>
>>>>>>> id: cannot find name for group ID 104600003\
>>>>>>
>>>>>> Does a group exist with that GID? You can try something like:
>>>>>>
>>>>>> $ ipa group-find --gid=104600003
>>>>>>
>>>>>
>>>>> The group doesn't exist. The GID is the counterpart to my UID.
>>>>
>>>> Try adding --private.
>>>>
>>>> rob
>>>>
>>>
>>> Nope. It doesn't exist.
>>>
>>> Other groups migrated. Why would the private groups fail?
>>
>> I don't know, what have you done to date, including versions?
>>
>> rob
> I've been following the stable Scientific Linux releases since 6.1.
> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The
> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
> upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now
> 2.2.0-16.el6.x86_64.
>
> So...
> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ---->
> 2.2.0-16.el6.x86_64
>
>

Can you verify that managed entries are configured:

# ipa-managed-entries -l

It should return:

UPG Definition
NGP Definition

This enables user-private groups and netgroup-private groups.

rob

From rcritten at redhat.com Mon Aug 20 12:56:51 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Aug 2012 08:56:51 -0400
Subject: [Freeipa-users] Question about migration and scripts variables
In-Reply-To:
References:
Message-ID: <50323413.4090906@redhat.com>

James James wrote:
> Hi,
>
> my first question is about the migrate process.
> Is it possible to
> renumber the users during the migrate process (ipa migrate-ds) in a way
> that all imported users will have a new UID ?

I haven't tested this but you might try --user-ignore-attribute=uidnumber,gidnumber.

> my second question is about ipalib. I wanted to make a hook on the user
> creation. The hook works fine. I just want to know if there is a way to
> have the value of variables like the username, the name of the creator,
> the e-mail of the creator and stuff like that.

The current user is available via:

principal = getattr(context, 'principal')

Using this you can look up that user:

(binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")

rob

From Duncan.Innes at virginmoney.com Mon Aug 20 13:48:30 2012
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Mon, 20 Aug 2012 14:48:30 +0100
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <50323130.6030102@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> <502D69C1.3040301@sesda2.com> <502E3B5A.9030401@redhat.com> <502E6C41.1060209@sesda2.com> <50323130.6030102@redhat.com>
Message-ID: <56343345B145C043AE990701E3D193952B5511@EXVS2.nrplc.localnet>

Folks,

Hopefully this isn't a dumb question, but I'm constrained by a few things on my estate and would be looking to deploy something like the following:

2 Datacentres
2 IPA servers at each datacentre

ipa1.domain.com \_ datacentre A
ipa2.domain.com /

ipa3.domain.com \_ datacentre B
ipa4.domain.com /

The datacentres are linked, but bandwidth not great.

Clients in datacentre A should therefore use ipa1.domain.com and ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4 when both 1 & 2 are out of action. Clients would revert to using ipa1/ipa2 whenever either of them came back online.
I understand this configuration has already been done as part of https://fedorahosted.org/freeipa/ticket/2282

What I'm wondering is if I can force my clients to load balance communication between ipa1 & ipa2.

I don't have the ability to use the _srv_ records in DNS as that's set up for the AD servers on our network. I also can't create separate DNS servers for the Linux estate (not that I'd particularly want to).

Is there any current configuration that I can use to force load balancing between ipa1/ipa2 under ideal conditions? Falling back to ipa2 when ipa1 is out of action. Falling back to (load balanced perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.

Hope the description is reasonable.

Thanks

Duncan Innes | Linux Architect

Northern Rock plc is part of the Virgin Money group of companies.

This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.

Virgin Money Personal Financial Service Limited is authorised and regulated by the Financial Services Authority. Company no. 3072766.

Virgin Money Unit Trust Managers Limited is authorised and regulated by the Financial Services Authority. Company no. 3000482.

Virgin Money Cards Limited. Introducer appointed representative only of Virgin Money Personal Financial Service Limited. Company no. 4232392.

Virgin Money Management Services Limited. Company no. 3072772.

Virgin Money Holdings (UK) Limited. Company no. 3087587.

Each of the above companies is registered in England and Wales and has its registered office at Discovery House, Whiting Road, Norwich NR4 6EJ.

Northern Rock plc. Authorised and regulated by the Financial Services Authority. Registered in England and Wales (Company no. 6952311) with its registered office at Northern Rock House, Gosforth, Newcastle upon Tyne NE3 4PL.

The above companies use the trading name Virgin Money.
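As an added example (not from Duncan or from the SSSD project), here is the primary/backup split described above expressed in sssd.conf, together with a small checker for the mistakes that are easy to make in those lists. It assumes SSSD 1.9 or later, where the IPA provider accepts `ipa_backup_server` alongside `ipa_server`; it says nothing about how SSSD itself orders, retries or reverts between servers, only whether the two lists are consistent. The configuration text, the `domain.com` host names and the checker's rules are constructed for the example.

```python
"""Added example, not from the thread: an sssd.conf consistency check
for an IPA domain with primary and backup server lists (SSSD >= 1.9).
"""
import configparser
import ipaddress

# Constructed sssd.conf: datacentre A servers primary, datacentre B backup.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = domain.com

[domain/domain.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = domain.com
ipa_hostname = client01.domain.com
ipa_server = ipa1.domain.com, ipa2.domain.com
ipa_backup_server = ipa3.domain.com, ipa4.domain.com
"""


def split_servers(value):
    """SSSD server lists are comma-separated; tolerate stray whitespace."""
    return [s.strip() for s in value.split(",") if s.strip()]


def looks_like_fqdn(name):
    """True for a dotted host name; False for an IP address or a bare
    short name.  SSSD accepts addresses here, but the GSSAPI bind needs
    a name that maps to the server's own ldap/<fqdn>@REALM principal,
    so anything else is worth a flag."""
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        pass
    return "." in name.strip(".")


def check_ipa_servers(conf_text):
    """Return a list of human-readable problems; [] means consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        primary = split_servers(cp.get(section, "ipa_server", fallback=""))
        backup = split_servers(cp.get(section, "ipa_backup_server", fallback=""))

        if not primary:
            problems.append("%s: no ipa_server configured" % section)
        # A server in both lists is never a fallback for itself.
        for name in sorted(set(primary) & set(backup)):
            problems.append("%s: %s is listed as both primary and backup"
                            % (section, name))
        for label, servers in (("ipa_server", primary),
                               ("ipa_backup_server", backup)):
            seen = set()
            for name in servers:
                if name in seen:
                    problems.append("%s: %s repeats %s" % (section, label, name))
                seen.add(name)
                if name != "_srv_" and not looks_like_fqdn(name):
                    problems.append("%s: %s entry %r is not a fully qualified "
                                    "host name" % (section, label, name))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSSD_CONF
    found = check_ipa_servers(text)
    print("\n".join(found) if found else "ipa_server lists look consistent")
```

Point it at /etc/sssd/sssd.conf on a client to check a real file; the clients in datacentre B simply swap the two lists.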
From mstlaure at redhat.com Mon Aug 20 14:15:08 2012
From: mstlaure at redhat.com (Mark St. Laurent)
Date: Mon, 20 Aug 2012 10:15:08 -0400 (EDT)
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <56343345B145C043AE990701E3D193952B5511@EXVS2.nrplc.localnet>
Message-ID: <290044214.13057699.1345472108805.JavaMail.root@redhat.com>

http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/

Norman "Mark" St. Laurent
Federal Team: Senior Solutions Architect
Red Hat
8260 Greensboro Drive, Suite 300
McLean VA, 22102
Email: msl at redhat.com
Cell: 703.772.1434

Check this Link out!!! Cool Stuff: http://mil-oss.org/

----- Original Message -----
From: "Duncan Innes"
To: freeipa-users at redhat.com
Sent: Monday, August 20, 2012 9:48:30 AM
Subject: [Freeipa-users] Specifying load balancing to SSSD clients

Folks,

Hopefully this isn't a dumb question, but I'm constrained by a few things on my estate and would be looking to deploy something like the following:

2 Datacentres
2 IPA servers at each datacentre

ipa1.domain.com \_ datacentre A
ipa2.domain.com /

ipa3.domain.com \_ datacentre B
ipa4.domain.com /

The datacentres are linked, but bandwidth not great.

Clients in datacentre A should therefore use ipa1.domain.com and ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4 when both 1 & 2 are out of action. Clients would revert to using ipa1/ipa2 whenever either of them came back online.

I understand this configuration has already been done as part of https://fedorahosted.org/freeipa/ticket/2282

What I'm wondering is if I can force my clients to load balance communication between ipa1 & ipa2.

I don't have the ability to use the _srv_ records in DNS as that's set up for the AD servers on our network. I also can't create separate DNS servers for the Linux estate (not that I'd particularly want to).

Is there any current configuration that I can use to force load balancing between ipa1/ipa2 under ideal conditions?
Falling back to ipa2 when ipa1 is out of action. Falling back to (load balanced perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.

Hope the description is reasonable.

Thanks

Duncan Innes | Linux Architect
From jhrozek at redhat.com Mon Aug 20 14:27:42 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 20 Aug 2012 16:27:42 +0200
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <56343345B145C043AE990701E3D193952B5511@EXVS2.nrplc.localnet>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> <502D69C1.3040301@sesda2.com> <502E3B5A.9030401@redhat.com> <502E6C41.1060209@sesda2.com> <50323130.6030102@redhat.com> <56343345B145C043AE990701E3D193952B5511@EXVS2.nrplc.localnet>
Message-ID: <20120820142742.GH19061@zeppelin.brq.redhat.com>

On Mon, Aug 20, 2012 at 02:48:30PM +0100, Innes, Duncan wrote:
> Folks,
>
> Hopefully this isn't a dumb question, but I'm constrained by a few
> things on my estate and would be looking to deploy something like the
> following:
>
> 2 Datacentres
> 2 IPA servers at each datacentre
>
> ipa1.domain.com \_ datacentre A
> ipa2.domain.com /
>
> ipa3.domain.com \_ datacentre B
> ipa4.domain.com /
>
> The datacentres are linked, but bandwidth not great.
>
> Clients in datacentre A should therefore use ipa1.domain.com and
> ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4
> when both 1 & 2 are out of action. Clients would revert to using
> ipa1/ipa2 whenever either of them came back online.
>
> I understand this configuration has already been done as part of
> https://fedorahosted.org/freeipa/ticket/2282

Yes, this has been done on the SSSD side as
https://fedorahosted.org/sssd/ticket/1128

The new feature is going to be part of SSSD 1.9.0. In particular, you
would configure the IPA domain like this:

ipa_server = ipa1.domain.com, ipa2.domain.com
ipa_backup_server = ipa3.domain.com, ipa4.domain.com

>
> What I'm wondering is if I can force my clients to load balance
> communication between ipa1 & ipa2.
>

No, load balancing is currently not supported. What *might* work, although I haven't tested the scenario, is creating a new DNS A record that would resolve to IP addresses of both ipa1 and ipa2. The clients would then connect to the first IP address they received. But as I said, I haven't tested this at all.

Feel free to file an RFE, but quite frankly, I think this is precisely what SRV records have been designed for. The load balancing would be performed based on the value of the "weight" field in the SRV record.

From Duncan.Innes at virginmoney.com Mon Aug 20 15:47:39 2012
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Mon, 20 Aug 2012 16:47:39 +0100
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <290044214.13057699.1345472108805.JavaMail.root@redhat.com>
References: <56343345B145C043AE990701E3D193952B5511@EXVS2.nrplc.localnet> <290044214.13057699.1345472108805.JavaMail.root@redhat.com>
Message-ID: <56343345B145C043AE990701E3D193952B5515@EXVS2.nrplc.localnet>

OK - thanks.

But is there any way IPA can be tweaked to do this without an "external" product (albeit a Red Hat one)? Is it possible for the sssd clients to round-robin their requests between 2 or more servers?

Is this an sssd question or generic enough to be in this list?

Would this functionality be of use to freeIPA in general? (my view = yes)

Cheers

Duncan Innes | Linux Architect

________________________________

From: Mark St. Laurent [mailto:mstlaure at redhat.com]
Sent: 20 August 2012 15:15
To: Innes, Duncan
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients

http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/

Norman "Mark" St. Laurent
Federal Team: Senior Solutions Architect
Red Hat
8260 Greensboro Drive, Suite 300
McLean VA, 22102
Email: msl at redhat.com
Cell: 703.772.1434

Check this Link out!!!
Cool Stuff: http://mil-oss.org/

________________________________

From: "Duncan Innes"
To: freeipa-users at redhat.com
Sent: Monday, August 20, 2012 9:48:30 AM
Subject: [Freeipa-users] Specifying load balancing to SSSD clients

Folks,

Hopefully this isn't a dumb question, but I'm constrained by a few things on my estate and would be looking to deploy something like the following:

2 Datacentres
2 IPA servers at each datacentre

ipa1.domain.com \_ datacentre A
ipa2.domain.com /

ipa3.domain.com \_ datacentre B
ipa4.domain.com /

The datacentres are linked, but bandwidth not great.

Clients in datacentre A should therefore use ipa1.domain.com and ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4 when both 1 & 2 are out of action. Clients would revert to using ipa1/ipa2 whenever either of them came back online.

I understand this configuration has already been done as part of https://fedorahosted.org/freeipa/ticket/2282

What I'm wondering is if I can force my clients to load balance communication between ipa1 & ipa2.

I don't have the ability to use the _srv_ records in DNS as that's set up for the AD servers on our network. I also can't create separate DNS servers for the Linux estate (not that I'd particularly want to).

Is there any current configuration that I can use to force load balancing between ipa1/ipa2 under ideal conditions? Falling back to ipa2 when ipa1 is out of action. Falling back to (load balanced perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.

Hope the description is reasonable.

Thanks

Duncan Innes | Linux Architect

From lyamanishi at sesda2.com Mon Aug 20 16:09:03 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Mon, 20 Aug 2012 12:09:03 -0400
Subject: [Freeipa-users] sssd client cache timer and merging IPA domains
In-Reply-To: <50323130.6030102@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> <502D69C1.3040301@sesda2.com> <502E3B5A.9030401@redhat.com> <502E6C41.1060209@sesda2.com> <50323130.6030102@redhat.com>
Message-ID: <5032611F.4070907@sesda2.com>

On 08/20/2012 08:44 AM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>>
>> On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>>> Lucas Yamanishi wrote:
>>>>
>>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>>>> Lucas Yamanishi wrote:
>>>>>>
>>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>>>>> Lucas Yamanishi wrote:
>>>>>>>> I just migrated my IPA instance from one to another a couple days
>>>>>>>> ago to
>>>>>>>> recover after a lost CA and failed yum upgrade.
>>>>>>>> The "ipa
>>>>>>>> migrate-ds"
>>>>>>>> tool works very well, though I am having a few very minor
>>>>>>>> issues. On
>>>>>>>> the upside, as far as I can tell, you can skip the steps about
>>>>>>>> Kerberos
>>>>>>>> key generation as outlined in the documentation. I've been able to
>>>>>>>> kinit just fine with my migrated users.
>>>>>>>>
>>>>>>>>
>>>>>>>> Below are the few errors I've noticed.
>>>>>>>>
>>>>>>>> * When I ssh into an enrolled host using a migrated user's
>>>>>>>> credentials I
>>>>>>>> get this error:
>>>>>>>>
>>>>>>>> id: cannot find name for group ID 104600003\
>>>>>>>
>>>>>>> Does a group exist with that GID? You can try something like:
>>>>>>>
>>>>>>> $ ipa group-find --gid=104600003
>>>>>>>
>>>>>>
>>>>>> The group doesn't exist. The GID is the counterpart to my UID.
>>>>>
>>>>> Try adding --private.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> Nope. It doesn't exist.
>>>>
>>>> Other groups migrated. Why would the private groups fail?
>>>
>>> I don't know, what have you done to date, including versions?
>>>
>>> rob
>> I've been following the stable Scientific Linux releases since 6.1.
>> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The
>> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
>> upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now
>> 2.2.0-16.el6.x86_64.
>>
>> So...
>> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ---->
>> 2.2.0-16.el6.x86_64
>>
>>
>
> Can you verify that managed entries are configured:
>
> # ipa-managed-entries -l
>
> It should return:
>
> UPG Definition
> NGP Definition
>
> This enables user-private groups and netgroup-private groups.
>
> rob

Yes. That returned as expected.

--
----- *question everything*learn something*answer nothing* ------------
Lucas Yamanishi
------------------ Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

From ssorce at redhat.com Tue Aug 21 07:04:09 2012
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 21 Aug 2012 03:04:09 -0400 (EDT)
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <56343345B145C043AE990701E3D193952B5515@EXVS2.nrplc.localnet>
Message-ID: <1870644331.8116735.1345532649088.JavaMail.root@redhat.com>

----- Original Message -----
> OK - thanks.
>
> But is there any way IPA can be tweaked to do this without an
> "external"
> product (albeit a Red Hat one)? Is it possible for the sssd clients
> to
> round-robin their requests between 2 or more servers?

At the moment only by using _srv_ records you could do some round-robin (assuming DNS supports it).

Please do not use the load balancer as suggested in a previous reply; also, using an A record would not work, as machines joined to IPA need the 'correct' server name to be able to perform GSSAPI authentication. A round-robin A record would make that fail.

A round-robin CNAME record might work if your DNS server supports something like that.

> Is this an sssd question or generic enough to be in this list?

It's both, SSSD implements the client, but in FreeIPA domains we need a joint solution due to Kerberos requirements for DNS names.

> Would this functionality be of use to freeIPA in general? (my view = yes)

Yes.

HTH,
Simo.

> Cheers
>
> Duncan Innes | Linux Architect
>
> ________________________________
>
> From: Mark St. Laurent [mailto:mstlaure at redhat.com]
> Sent: 20 August 2012 15:15
> To: Innes, Duncan
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Specifying load balancing to SSSD
> clients
>
> http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
>
> Norman "Mark" St.
Laurent > Federal Team: Senior Solutions Architect > Red Hat > 8260 Greensboro Drive, Suite 300 > McLean VA, 22102 > Email: msl at redhat.com > Cell: 703.772.1434 > > Check this Link out!!! Cool Stuff: http://mil-oss.org/ > > > ________________________________ > > From: "Duncan Innes" > To: freeipa-users at redhat.com > Sent: Monday, August 20, 2012 9:48:30 AM > Subject: [Freeipa-users] Specifying load balancing to SSSD > clients > > Folks, > > Hopefully this isn't a dumb question, but I'm constrained by a > few > things on my estate and would be looking to deploy something > like the > following: > > 2 Datacentres > 2 IPA servers at each datacentre > > ipa1.domain.com \_ datacentre A > ipa2.domain.com / > > ipa3.domain.com \_ datacentre B > ipa4.domain.com / > > The datacentres are linekd, but bandwidth not great. > > Client's in datacentre A should therefore use ipa1.domain.com > and > ipa2.domain.com as primary servers and only fail over to ipa3 & > ipa4 > when both 1 & 2 are out of action. Clients would revert to > using > ipa1/ipa2 whenever either of them came back online. > > I understand this configuration has already been done as part of > https://fedorahosted.org/freeipa/ticket/2282 > > What I'm wondering is if I can force my clients to load balance > communication between ipa1 & ipa2. > > I don't have the ability to use the _srv_ records in DNS as > that's set > up for the AD servers on our network. I also can't create > separate DNS > servers for the Linux estate (not that I'd particularly want > to). > > Is there any current configuration that I can use to force load > balancing between ipa1/ipa2 under ideal conditions. Falling > back to > ipa2 when ipa1 is out of action. Falling back to (load balanced > perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action. > > Hope the description is reasonable. > > Thanks > > Duncan Innes | Linux Architect > > > > > Northern Rock plc is part of the Virgin Money group of companies. 
> > This e-mail is intended to be confidential to the recipient. If you > receive a copy in error, please inform the sender and then delete > this message. > > Virgin Money Personal Financial Service Limited is authorised and > regulated by the Financial Services Authority. Company no. 3072766. > > Virgin Money Unit Trust Managers Limited is authorised and regulated > by the Financial Services Authority. Company no. 3000482. > > Virgin Money Cards Limited. Introducer appointed representative only > of Virgin Money Personal Financial Service Limited. Company no. > 4232392. > > Virgin Money Management Services Limited. Company no. 3072772. > > Virgin Money Holdings (UK) Limited. Company no. 3087587. > > Each of the above companies is registered in England and Wales and > has its registered office at Discovery House, Whiting Road, Norwich > NR4 6EJ. > > Northern Rock plc. Authorised and regulated by the Financial Services > Authority. Registered in England and Wales (Company no. 6952311) > with its registered office at Northern Rock House, Gosforth, > Newcastle upon Tyne NE3 4PL. > > The above companies use the trading name Virgin Money. > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Duncan.Innes at virginmoney.com Tue Aug 21 07:33:23 2012 From: Duncan.Innes at virginmoney.com (Innes, Duncan) Date: Tue, 21 Aug 2012 08:33:23 +0100 Subject: [Freeipa-users] Specifying load balancing to SSSD clients In-Reply-To: <1870644331.8116735.1345532649088.JavaMail.root@redhat.com> References: <56343345B145C043AE990701E3D193952B5515@EXVS2.nrplc.localnet> <1870644331.8116735.1345532649088.JavaMail.root@redhat.com> Message-ID: <56343345B145C043AE990701E3D193952B551A@EXVS2.nrplc.localnet> Thanks Simo, I was hoping for an alternative to the DNS _srv_ records due to the Windows guys having exclusive use of those records (for now). 
Is it feasible for IPA communications to be "force" round robined between
two or more servers that are replicas of each other? If it's a possibility,
I will raise a ticket.

Thanks

Duncan Innes | Linux Architect

> -----Original Message-----
> From: Simo Sorce [mailto:ssorce at redhat.com]
> Sent: 21 August 2012 08:04
> To: Innes, Duncan
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients
>
> ----- Original Message -----
> > OK - thanks.
> >
> > But is there any way IPA can be tweaked to do this without an "external"
> > product (albeit a Red Hat one)? Is it possible for the sssd clients
> > to round-robin their requests between 2 or more servers?
>
> At the moment, only by using _srv_ records could you do some
> round-robin (assuming DNS supports it).
>
> Please do not use the load balancer as suggested in a previous
> reply; also, using an A record would not work, as machines
> joined to IPA need the 'correct' server name to be able to
> perform GSSAPI authentication. A round-robin A record would
> make that fail. A round-robin CNAME record might work if your
> DNS server supports something like that.
>
> > Is this an sssd question or generic enough to be in this list?
>
> It's both: SSSD implements the client, but in FreeIPA domains
> we need a joint solution due to Kerberos requirements for DNS names.
>
> > Would this functionality be of use to freeIPA in general? (my view = yes)
>
> Yes.
>
> HTH,
> Simo.
From ssorce at redhat.com Tue Aug 21 07:39:34 2012
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 21 Aug 2012 03:39:34 -0400 (EDT)
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <56343345B145C043AE990701E3D193952B551A@EXVS2.nrplc.localnet>
Message-ID: <128735575.8138021.1345534774316.JavaMail.root@redhat.com>

----- Original Message -----
> Thanks Simo,
>
> I was hoping for an alternative to the DNS _srv_ records due to the
> Windows guys having exclusive use of those records (for now).
>
> Is it feasible for IPA communications to be "force" round robined
> between two or more servers that are replicas of each other? If it's a
> possibility, I will raise a ticket.

The easiest solution for now is to configure your clients by using the
primary and backup options in SSSD, and just configure clients to have
different orders, so that they will attach to separate servers by default.

I.e. client 1 has primary servers of "ipa1, ipa2", while client 2 has
"ipa2, ipa1", and so on.

Without control of name resolution on the server side, at the moment we do
not have other ways to do load balancing.

Simo.
From yantd at qq.com Tue Aug 21 07:41:04 2012
From: yantd at qq.com (Tengda)
Date: Tue, 21 Aug 2012 15:41:04 +0800
Subject: [Freeipa-users] Which AD server is used by FreeIPA
Message-ID:

Hello,

I'm trying to build trust between FreeIPA and Windows Server 2008R2. It is
said that FreeIPA uses samba as the AD server, but I found that 389
Directory Server is also installed. So which is used as the directory
service for FreeIPA? If it is samba, why is 389 Directory Server needed?

Thanks,
Tengda
From Duncan.Innes at virginmoney.com Tue Aug 21 07:46:44 2012
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 21 Aug 2012 08:46:44 +0100
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <128735575.8138021.1345534774316.JavaMail.root@redhat.com>
References: <56343345B145C043AE990701E3D193952B551A@EXVS2.nrplc.localnet> <128735575.8138021.1345534774316.JavaMail.root@redhat.com>
Message-ID: <56343345B145C043AE990701E3D193952B551B@EXVS2.nrplc.localnet>

> > Thanks Simo,
> >
> > I was hoping for an alternative to the DNS _srv_ records due to the
> > Windows guys having exclusive use of those records (for now).
> >
> > Is it feasible for IPA communications to be "force" round robined
> > between two or more servers that are replicas of each other? If
> > it's a possibility, I will raise a ticket.
>
> The easiest solution for now is to configure your clients by
> using the primary and backup options in SSSD, and just
> configure clients to have different orders, so that they will
> attach to separate servers by default.
>
> I.e. client 1 has primary servers of "ipa1, ipa2", while client
> 2 has "ipa2, ipa1", and so on.
>
> Without control of name resolution on the server side, at the
> moment we do not have other ways to do load balancing.
>
> Simo.
>

That's exactly my strategy for now. Will be doing it randomly via script,
so hopefully I won't end up with all the "noisy" servers hitting ipa1, for
example!

It'll do for now though.

Duncan
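Simo's workaround above (give each client a different primary-server order) and Duncan's plan to script it, as an added example that is not code from the thread, SSSD or FreeIPA: a generator for the `[domain/...]` section that derives the `ipa_server` order from the client's hostname and keeps the cross-site replicas in `ipa_backup_server` (the SSSD 1.9 options Jakub names further down). The hash-based rotation is this example's own choice, and the replica and client names are the constructed ones from the thread.

```python
"""Deterministically spread clients across IPA replicas (added example).

Not code from the thread, SSSD or FreeIPA.  It implements Simo's suggestion
(each client gets a different primary-server order) using the SSSD 1.9
options Jakub names, ipa_server and ipa_backup_server.  The hash-based
rotation and the host/domain names are constructed for this example.
"""
import configparser
import hashlib

# Constructed inventory matching the thread: two replicas per datacentre.
DATACENTRE_A = ["ipa1.domain.com", "ipa2.domain.com"]
DATACENTRE_B = ["ipa3.domain.com", "ipa4.domain.com"]


def rotation_for(hostname, n_servers):
    """Stable rotation offset in [0, n_servers) derived from the hostname.

    A hash instead of random(): re-running the script on the same host
    always produces the same sssd.conf (no config churn), while different
    hosts land on different offsets, which is what spreads the load.
    """
    digest = hashlib.sha256(hostname.lower().encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % n_servers


def ordered_servers(hostname, servers):
    """Rotate the primary list by the per-host offset.

    A pure rotation keeps every replica in the list, so failover inside the
    datacentre still works; only the preferred server changes per host.
    """
    k = rotation_for(hostname, len(servers))
    return servers[k:] + servers[:k]


def render_ipa_domain(hostname, domain, primary, backup):
    """Render the [domain/...] section of sssd.conf for one client.

    Replica names are written out as real FQDNs rather than hidden behind a
    round-robin A record: the client must reach each replica under the name
    its Kerberos service principal carries, or GSSAPI fails (Simo's point).
    """
    lines = [
        "[domain/%s]" % domain,
        "id_provider = ipa",
        "auth_provider = ipa",
        "ipa_domain = %s" % domain,
        "ipa_hostname = %s" % hostname,
        "ipa_server = %s" % ", ".join(ordered_servers(hostname, primary)),
        "ipa_backup_server = %s" % ", ".join(backup),
    ]
    return "\n".join(lines) + "\n"


def parse_servers(section_text, key):
    """Read a comma-separated server list back out of a rendered section.

    Used to sanity-check the output before it is written to /etc/sssd.
    """
    cp = configparser.ConfigParser()
    cp.read_string(section_text)
    section = cp.sections()[0]
    return [s.strip() for s in cp[section][key].split(",")]


def distribution(hostnames, servers):
    """Count how many hosts prefer each replica: check the spread up front
    instead of discovering that the noisy hosts all picked ipa1."""
    counts = {s: 0 for s in servers}
    for h in hostnames:
        counts[ordered_servers(h, servers)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed client names for a datacentre-A estate.
    hosts = ["web%02d.domain.com" % i for i in range(1, 21)]
    print(distribution(hosts, DATACENTRE_A))
    print(render_ipa_domain(hosts[0], "domain.com", DATACENTRE_A, DATACENTRE_B))
```

Because the offset is a function of the hostname, the same client always gets the same order, so a configuration-management run does not reshuffle servers on every apply.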
From Duncan.Innes at virginmoney.com Tue Aug 21 07:50:44 2012
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 21 Aug 2012 08:50:44 +0100
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <20120820142742.GH19061@zeppelin.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> <502D69C1.3040301@sesda2.com> <502E3B5A.9030401@redhat.com> <502E6C41.1060209@sesda2.com> <50323130.6030102@redhat.com> <56343345B145C043AE990701E3D193952B5511@EXVS2.nrplc.localnet> <20120820142742.GH19061@zeppelin.brq.redhat.com>
Message-ID: <56343345B145C043AE990701E3D193952B551C@EXVS2.nrplc.localnet>

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: 20 August 2012 15:28
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients
>
> On Mon, Aug 20, 2012 at 02:48:30PM +0100, Innes, Duncan wrote:
> > Folks,
> >
> > Hopefully this isn't a dumb question, but I'm constrained by a few
> > things on my estate and would be looking to deploy something like
> > the following:
> >
> > 2 Datacentres
> > 2 IPA servers at each datacentre
> >
> > ipa1.domain.com \_ datacentre A
> > ipa2.domain.com /
> >
> > ipa3.domain.com \_ datacentre B
> > ipa4.domain.com /
> >
> > The datacentres are linked, but bandwidth not great.
> >
> > Clients in datacentre A should therefore use ipa1.domain.com and
> > ipa2.domain.com as primary servers and only fail over to ipa3 &
> > ipa4 when both 1 & 2 are out of action. Clients would revert to
> > using ipa1/ipa2 whenever either of them came back online.
> >
> > I understand this configuration has already been done as part of
> > https://fedorahosted.org/freeipa/ticket/2282
>
> Yes, this has been done on the SSSD side as
> https://fedorahosted.org/sssd/ticket/1128
>
> The new feature is going to be part of SSSD 1.9.0. In
> particular, you would configure the IPA domain like this:
>
> ipa_server = ipa1.domain.com, ipa2.domain.com
> ipa_backup_server = ipa3.domain.com, ipa4.domain.com
>
> > What I'm wondering is if I can force my clients to load balance
> > communication between ipa1 & ipa2.
>
> No, load balancing is currently not supported.
>
> What *might* work, although I haven't tested the scenario, is
> creating a new DNS A record that would resolve to IP
> addresses of both ipa1 and ipa2. The clients would then
> connect to the first IP address they received. But as I said,
> I haven't tested this at all.
>
> Feel free to file an RFE, but quite frankly, I think this is
> precisely what SRV records have been designed for. The load
> balancing would be performed based on the value of the
> "weight" field in the SRV record.
>

I think I'll raise a ticket then. Not that the _srv_ records don't do the
right job. It's just that in my scenario they are unusable. I can't be
alone in deploying IPA in a network already "dominated" by AD.

For now (as I said in another reply), I'll randomly configure clients to
either ipa1/ipa2 or ipa2/ipa1.

Thanks

D
From ssorce at redhat.com Tue Aug 21 07:59:13 2012
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 21 Aug 2012 03:59:13 -0400 (EDT)
Subject: [Freeipa-users] Which AD server is used by FreeIPA
In-Reply-To:
Message-ID: <969158442.8154600.1345535953466.JavaMail.root@redhat.com>

----- Original Message -----
> Hello,
> I'm trying to build trust between FreeIPA and Windows Server 2008R2.
> It is said that FreeIPA uses samba as the AD server, but I found
> that 389 Directory Server is also installed. So which is used as the
> directory service for FreeIPA? If it is samba, why is 389 Directory
> Server needed?

Hi Tengda,

FreeIPA uses some samba components to handle Windows-specific operations,
but does NOT use Samba as an AD server. In fact FreeIPA is not an
AD-compatible server and you cannot join Windows machines to it. This is
why we focused on trust relationships.

Our model is based on keeping Windows and Linux machines separate. Windows
machines will use their native AD environment, while Linux machines are
joined to the FreeIPA domain and have Linux-oriented management options not
available in AD domains (HBAC, SELinux integration, netgroups, sudo
integration and so on).

389 Directory Server is the information store for the FreeIPA server and
all services use it to store/read data.

HTH,
Simo.
From ssorce at redhat.com Tue Aug 21 08:04:10 2012
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 21 Aug 2012 04:04:10 -0400 (EDT)
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <56343345B145C043AE990701E3D193952B551C@EXVS2.nrplc.localnet>
Message-ID: <464630960.8159132.1345536250787.JavaMail.root@redhat.com>

----- Original Message -----
> I think I'll raise a ticket then. Not that the _srv_ records don't
> do the right job. It's just that in my scenario they are unusable. I
> can't be alone in deploying IPA in a network already "dominated" by
> AD.
>
> For now (as I said in another reply), I'll randomly configure clients
> to either ipa1/ipa2 or ipa2/ipa1.

You are not alone but we strongly suggest to use a separate DNS domain for the FreeIPA server, and if possible for its clients. Either a same level domain or, at least, a delegated zone.

For example:

corp.domain.com -> AD
unix.domain.com -> FreeIPA

with forwards between them.

Or

domain.com -> AD
domain.net -> FreeIPA

again with forwards

Or

domain.com -> AD
unix.domain.com -> FreeIPA

with AD delegating out the unix. subdomain to FreeIPA.

In general we strongly suggest not using the same DNS domain for AD and FreeIPA domain as using the same domain name makes it impossible to have kerberos level interop between the 2 domains otherwise (cannot establish trust relationships if they use the same DNS domain and/or the same realm name for example).

Simo.

From ondrejv at s3group.cz Tue Aug 21 08:10:27 2012
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Tue, 21 Aug 2012 10:10:27 +0200
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <464630960.8159132.1345536250787.JavaMail.root@redhat.com>
References: <464630960.8159132.1345536250787.JavaMail.root@redhat.com>
Message-ID: <50334273.3060408@s3group.cz>

+1. Use DNS. I agree with Simo.
On 08/21/2012 10:04 AM, Simo Sorce wrote:
> You are not alone but we strongly suggest to use a separate DNS domain for the FreeIPA server, and if possible for its clients. Either a same level domain or, at least, a delegated zone.
>
> For example:
>
> corp.domain.com -> AD
> unix.domain.com -> FreeIPA
>
> with forwards between them.
>
> Or
> domain.com -> AD
> domain.net -> FreeIPA
>
> again with forwards
>
> Or
> domain.com -> AD
> unix.domain.com -> FreeIPA
>
> with AD delegating out the unix. subdomain to FreeIPA.
>
> In general we strongly suggest not using the same DNS domain for AD and FreeIPA domain as using the same domain name makes it impossible to have kerberos level interop between the 2 domains otherwise (cannot establish trust relationships if they use the same DNS domain and/or the same realm name for example).
>

From yantd at qq.com Tue Aug 21 13:52:23 2012
From: yantd at qq.com (Tengda)
Date: Tue, 21 Aug 2012 21:52:23 +0800
Subject: [Freeipa-users] Which AD server is used by FreeIPA
Message-ID:

Thank you Simo. My question is clarified.

Best Regards,
Tengda

------------------ Original ------------------
From: "Simo Sorce";
Date: 21 Aug 2012 (Tue) 3:59 PM
To: "Tengda";
Cc: "freeipa-users";
Subject: Re: [Freeipa-users] Which AD server is used by FreeIPA

----- Original Message -----
> Hello,
> I'm trying to build trust between FreeIPA and Windows Server 2008R2.
> It is said that FreeIPA uses samba as the AD server, but I found
> that 389 Directory Server is also installed. So which is used as the
> directory service for FreeIPA. If it is samba, why 389 Directory
> Server is needed?

Hi Tengda,

FreeIPA uses some samba components to handle windows specific operations, but does NOT use Samba as an AD server. In fact FreeIPA is not an AD compatible server and you cannot join Windows machines to it. This is why we focused on trust relationships.

Our model is based on keeping Windows and Linux machines separate. Windows machines will use their native AD environment, while Linux machines are joined to the FreeIPA domain and have linux-oriented management options not available in AD domains (HBAC, SELinux integration, netgroups, sudo integration and so on..).

389 Directory server is the information store for the FreeIPA server and all services use it to store/read data.

HTH,
Simo.

From sakodak at gmail.com Tue Aug 21 16:05:07 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 21 Aug 2012 11:05:07 -0500
Subject: [Freeipa-users] Specifying load balancing to SSSD clients
In-Reply-To: <56343345B145C043AE990701E3D193952B551C@EXVS2.nrplc.localnet>
References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> <502D69C1.3040301@sesda2.com> <502E3B5A.9030401@redhat.com> <502E6C41.1060209@sesda2.com> <50323130.6030102@redhat.com> <56343345B145C043AE990701E3D193952B5511@EXVS2.nrplc.localnet> <20120820142742.GH19061@zeppelin.brq.redhat.com> <56343345B145C043AE990701E3D193952B551C@EXVS2.nrplc.localnet>
Message-ID:

On Tue, Aug 21, 2012 at 2:50 AM, Innes, Duncan wrote:
> I can't be alone in deploying IPA in a network already "dominated" by AD.

You're certainly not. In my case it appears the Windows people have done everything they can to sabotage my efforts to implement SSO in unix-land that they can do without being overt about it. They've refused to make simple changes like adding our unix subdomain to the windows client dns search path, forcing our users to use FQDNs for everything. They won't do a domain trust with us, they won't let us sync passwords between AD and IPA, making things easier on our users. But we keep moving ahead anyway, because that's what we do.
When did we become the red-headed step-children?

--Jason

From jreg2k at gmail.com Wed Aug 22 04:06:20 2012
From: jreg2k at gmail.com (James James)
Date: Wed, 22 Aug 2012 06:06:20 +0200
Subject: [Freeipa-users] Question about migration and scripts variables
In-Reply-To: <50323413.4090906@redhat.com>
References: <50323413.4090906@redhat.com>
Message-ID:

Thanks a lot Rob. I will try that.

2012/8/20 Rob Crittenden

> James James wrote:
>
>> Hi,
>>
>> my first question is about the migrate process. Is it possible to
>> renumber the users during the migrate process (ipa migrate-ds) in a way
>> that all imported users will have a new UID ?
>
> I haven't tested this but you might try
> --user-ignore-attribute=uidnumber,gidnumber.
>
>> my second question is about ipalib. I wanted to make a hook on the user
>> creation. The hook works fine. I just want to know if there is a way to
>> have the value of variables like the username, the name of the creator,
>> the e-mail of the creator and stuff like that.
>
> The current user is available via: principal = getattr(context,
> 'principal')
>
> Using this you can look up that user:
>
> (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal,
> "krbPrincipalAux")
>
> rob

From mmercier at gmail.com Wed Aug 22 16:59:23 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Wed, 22 Aug 2012 12:59:23 -0400
Subject: [Freeipa-users] tacacs+ integration
Message-ID: <3E60BCF6-E21C-44CD-A42B-38B6E429DC4C@gmail.com>

Hello,

In Aug 2010, someone posted a message to this list about integrating tacacs+ with freeipa
https://www.redhat.com/archives/freeipa-users/2010-August/msg00058.html

At the time, it was mentioned that this was not on the roadmap, has this changed?

If RedHat has no plans to do this, where can I find the freeipa documentation that would allow me to do a proof-of-concept?
I would use the freely available tac_plus (http://www.shrubbery.net/tac_plus/) as a starting point.

Some of the specific things I am looking for:
1. How should passwords be verified? sssd, pam, ldap lookup, krb?
2. How the ldap schema should be designed for best integration?
3. The proper way to query the ldap server (standard ldap calls or is there some specific freeipa api)
4. I am sure I am not asking something!!

I tried asking some similar questions on freeipa-devel but didn't receive a response.

Thanks,
Mike

From lagern at lafayette.edu Wed Aug 22 17:50:16 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Wed, 22 Aug 2012 13:50:16 -0400
Subject: [Freeipa-users] sudden ipa errors.
Message-ID: <50351BD8.8010806@lafayette.edu>

I have a RHEL ipa server setup and running. Its been running for a while now, and suddenly, today, i'm having trouble authenticating to it, or changing my password.

The error i'm getting at the command line is:

[lagern at ipaserver PROD ~]$ ipa passwd
Current Password:
New Password:
Enter New Password again to verify:
ipa: ERROR: cannot connect to u'http://ipaserver.lafayette.edu/ipa/xml': Internal Server Error

Looking at /var/log/httpd/error and access logs i see:

[Wed Aug 22 13:18:07 2012] [error] [client
References: <50351BD8.8010806@lafayette.edu>
Message-ID: <50352232.4020402@redhat.com>

Nathan Lager wrote:
> I have a RHEL ipa server setup and running. Its been running for a
> while now, and suddenly, today, i'm having trouble authenticating to
> it, or changing my password.
>
> The error i'm getting at the command line is:
>
> [lagern at ipaserver PROD ~]$ ipa passwd
> Current Password:
> New Password:
> Enter New Password again to verify:
> ipa: ERROR: cannot connect to
> u'http://ipaserver.lafayette.edu/ipa/xml': Internal Server Error
>
> Looking at /var/log/httpd/error and access logs i see:
>
> [Wed Aug 22 13:18:07 2012] [error] [client
> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
> provide more information (, Unknown error), referer:
> https://ipaserver.lafayette.edu/ipa/xml
>
> I'm wading through google at the moment, to see if i can find a fix,
> but i'm coming up empty.
>

I'd look in your KDC Log to see if it has anything useful, /var/log/krb5kdc.

rob

From lagern at lafayette.edu Wed Aug 22 18:35:33 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Wed, 22 Aug 2012 14:35:33 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <50352232.4020402@redhat.com>
References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com>
Message-ID: <50352675.3010602@lafayette.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I tried the same, kinit, and then ipa passwd commands as before, here's the output:

Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH: lagern at SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU, Additional pre-authentication required

Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU

Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for HTTP/ipaserver.lafayette.edu at SYSTEMS.LAFAYETTE.EDU

On 08/22/2012 02:17 PM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> I have a RHEL ipa server setup and running. Its been running for
>> a while now, and suddenly, today, i'm having trouble
>> authenticating to it, or changing my password.
>>
>> The error i'm getting at the command line is:
>>
>> [lagern at ipaserver PROD ~]$ ipa passwd
>> Current Password:
>> New Password:
>> Enter New Password again to verify:
>> ipa: ERROR: cannot connect to u'http://ipaserver.lafayette.edu/ipa/xml': Internal
>> Server Error
>>
>> Looking at /var/log/httpd/error and access logs i see:
>>
>> [Wed Aug 22 13:18:07 2012] [error] [client
>> gss_acquire_cred() failed: Unspecified GSS failure. Minor code
>> may provide more information (, Unknown error), referer:
>> https://ipaserver.lafayette.edu/ipa/xml
>>
>> I'm wading through google at the moment, to see if i can find a
>> fix, but i'm coming up empty.
>>
>
> I'd look in your KDC Log to see if it has anything useful,
> /var/log/krb5kdc.
>
> rob
>

- --
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlA1JnUACgkQsZqG4IN3sumDxACgpLzJEqvnbxT46EAiFlTnHjm9
figAn2wGao5ZYiGGuVi7PB5E5QJTkggv
=aS7e
-----END PGP SIGNATURE-----

From rcritten at redhat.com Wed Aug 22 20:08:01 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Aug 2012 16:08:01 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <50352675.3010602@lafayette.edu>
References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu>
Message-ID: <50353C21.1050002@redhat.com>

Nathan Lager wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I tried the same, kinit, and then ipa passwd commands as before,
> here's the output:
>
> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
> etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
> lagern at SYSTEMS.LAFAYETTE.EDU for
> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU, Additional
> pre-authentication required
>
> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
> etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
> etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for
> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU
>
> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
> (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
> etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for
> HTTP/ipaserver.lafayette.edu at SYSTEMS.LAFAYETTE.EDU

What version of IPA is this?

Does ipactl status show all services up?

rob

From rcritten at redhat.com Wed Aug 22 20:12:33 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Aug 2012 16:12:33 -0400
Subject: [Freeipa-users] tacacs+ integration
In-Reply-To: <3E60BCF6-E21C-44CD-A42B-38B6E429DC4C@gmail.com>
References: <3E60BCF6-E21C-44CD-A42B-38B6E429DC4C@gmail.com>
Message-ID: <50353D31.2050807@redhat.com>

Michael Mercier wrote:
> Hello,
>
> In Aug 2010, someone posted a message to this list about integrating
> tacacs+ with freeipa
> https://www.redhat.com/archives/freeipa-users/2010-August/msg00058.html
>
> At the time, it was mentioned that this was not on the roadmap, has this
> changed?

No, still not on the roadmap.

> If RedHat has no plans to do this, where can I find the freeipa
> documentation that would allow me to do a proof-of-concept? I would use
> the freely available tac_plus (http://www.shrubbery.net/tac_plus/) as a
> starting point.

http://freeipa.org/page/Contribute (in Developer Documentation and Development Process) and http://abbra.fedorapeople.org/freeipa-extensibility.html

>
> Some of the specific things I am looking for:
> 1. How should passwords be verified? sssd, pam, ldap lookup, krb?
> 2. How the ldap schema should be designed for best integration?

I'd start by seeing if there is already one defined as a real or quasi standard.

> 3. The proper way to query the ldap server (standard ldap calls or is
> there some specific freeipa api)

Standard LDAP calls.

> 4. I am sure I am not asking something!!
>
> I tried asking some similar questions on freeipa-devel but didn't
> receive a response.

rob

From lagern at lafayette.edu Wed Aug 22 20:59:24 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Wed, 22 Aug 2012 16:59:24 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <50353C21.1050002@redhat.com>
References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com>
Message-ID: <5035482C.3080508@lafayette.edu>

[root at ipaserver PROD krb5kdc]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root at ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64

On 08/22/2012 04:08 PM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I tried the same, kinit, and then ipa passwd commands as before,
>> here's the output:
>>
>> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
>> etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
>> lagern at SYSTEMS.LAFAYETTE.EDU for
>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU, Additional
>> pre-authentication required
>>
>> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
>> etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
>> etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for
>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU
>>
>> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
>> (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
>> etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for
>> HTTP/ipaserver.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>
> What version of IPA is this?
>
> Does ipactl status show all services up?
>
> rob

From Steven.Jones at vuw.ac.nz Wed Aug 22 21:40:23 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Aug 2012 21:40:23 +0000
Subject: [Freeipa-users] sudo su - works on one server for a user but not on another (its twin)
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD781AA@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I'm trying to fault find why a user can sudo su - on a server but not its twin.

I have nisdomainname ods.vuw.ac.nz in rc.local.....
and sudo-ldap.conf and nsswitch.conf appear to be identical but the hostname match fails.

So for the working server,
========
sudo: ldap sudoHost '+servers-saas-root' ... MATCH!
sudo: ldap sudoCommand '/bin/su -' ... MATCH!
sudo: ldap sudoCommand '/bin/su - banner' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
========

For the failing server,
========
sudo: ldap sudoHost '+servers-saas-root' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
========

I have a host failure, yet the server is in that host group...the HBAC rule allows ssh and sudo....ssh works for both, so HBAC rule should be OK.

The sudo command uses the same user and host groups as the HBAC...

Damned if I can see a setup error.

Ideas where to go looking next please?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
From rcritten at redhat.com Wed Aug 22 21:42:29 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Aug 2012 17:42:29 -0400
Subject: [Freeipa-users] sudo su - works on one server for a user but not on another (its twin)
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD781AA@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD781AA@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50355245.5050405@redhat.com>

Steven Jones wrote:
> Hi,
>
> I'm trying to fault find why a user can sudo su - on a server but not its
> twin.
>
> I have nisdomainname ods.vuw.ac.nz in rc.local.....
> and sudo-ldap.conf and nsswitch.conf appear to be identical but the
> hostname match fails.
>
> So for the working server,
> ========
> sudo: ldap sudoHost '+servers-saas-root' ... MATCH!
> sudo: ldap sudoCommand '/bin/su -' ... MATCH!
> sudo: ldap sudoCommand '/bin/su - banner' ... MATCH!
> sudo: Command allowed
> sudo: user_matches=1
> sudo: host_matches=1
> ========
>
> For the failing server,
> ========
> sudo: ldap sudoHost '+servers-saas-root' ... not
> sudo: ldap search 'sudoUser=+*'
> sudo: user_matches=1
> sudo: host_matches=0
> ========
>
> I have a host failure, yet the server is in that host group...the HBAC
> rule allows ssh and sudo....ssh works for both, so HBAC rule should be OK.
>
> The sudo command uses the same user and host groups as the HBAC...
>
> Damned if I can see a setup error.
>
> Ideas where to go looking next please?

Try temporarily enabling the allow_all HBAC rule so you can see if it is an HBAC or a sudo problem?
rob

From Steven.Jones at vuw.ac.nz Wed Aug 22 21:48:19 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Aug 2012 21:48:19 +0000
Subject: [Freeipa-users] sudo su - works on one server for a user but not on another (its twin)
In-Reply-To: <50355245.5050405@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD781AA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50355245.5050405@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD7821D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

To quote myself, "Try a reboot...oh god a windows solution...." so sssd cache problem?

The rc.local was missing so I put it in and restarted ssh, proof,

========
[root at vuwunicobandbt1 ~]# history |grep service
   19  service sssd restart
   25  service sssd restart
   75  history |grep service
[root at vuwunicobandbt1 ~]# history |grep vi
   17  vi /etc/rc.d/rc.local
   24  vi /etc/sudo-ldap.conf
   76  history |grep vi
[root at vuwunicobandbt1 ~]#
=========

hrmmm....did I miss anything?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 23 August 2012 9:42 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo su - works on one server for a user but not on another (its twin)

Steven Jones wrote:
> Hi,
>
> I'm trying to fault find why a user can sudo su - on a server but not its
> twin.
>
> I have nisdomainname ods.vuw.ac.nz in rc.local.....
> and sudo-ldap.conf and nsswitch.conf appear to be identical but the
> hostname match fails.
>
> So for the working server,
> ========
> sudo: ldap sudoHost '+servers-saas-root' ... MATCH!
> sudo: ldap sudoCommand '/bin/su -' ... MATCH!
> sudo: ldap sudoCommand '/bin/su - banner' ... MATCH!
> sudo: Command allowed
> sudo: user_matches=1
> sudo: host_matches=1
> ========
>
> For the failing server,
> ========
> sudo: ldap sudoHost '+servers-saas-root' ... not
> sudo: ldap search 'sudoUser=+*'
> sudo: user_matches=1
> sudo: host_matches=0
> ========
>
> I have a host failure, yet the server is in that host group...the HBAC
> rule allows ssh and sudo....ssh works for both, so HBAC rule should be OK.
>
> The sudo command uses the same user and host groups as the HBAC...
>
> Damned if I can see a setup error.
>
> Ideas where to go looking next please?

Try temporarily enabling the allow_all HBAC rule so you can see if it is an HBAC or a sudo problem?

rob

From rcritten at redhat.com Wed Aug 22 22:02:41 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Aug 2012 18:02:41 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <5035482C.3080508@lafayette.edu>
References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com> <5035482C.3080508@lafayette.edu>
Message-ID: <50355701.403@redhat.com>

Nathan Lager wrote:
> [root at ipaserver PROD krb5kdc]# ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [root at ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64

I'd try removing /tmp/krb5cc_48. This is the ccache used by Apache for doing S4U2Proxy. No restart of httpd should be required.
rob > > > On 08/22/2012 04:08 PM, Rob Crittenden wrote: >> Nathan Lager wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> I tried the same, kinit, and then ipa passwd commands as before, >>> here's the output: >>> >>> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 >>> etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH: >>> lagern at SYSTEMS.LAFAYETTE.EDU for >>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU, Additional >>> pre-authentication required >>> >>> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 >>> etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, >>> etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for >>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU >>> >>> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ >>> (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, >>> etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for >>> HTTP/ipaserver.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >> >> What version of IPA is this? >> >> Does ipactl status show all services up? >> >> rob > > From franklinbc at gmail.com Thu Aug 23 05:00:38 2012 From: franklinbc at gmail.com (Franklin Catoni) Date: Thu, 23 Aug 2012 00:30:38 -0430 Subject: [Freeipa-users] Active Directory slave zone in FreeIPA DNS (Franklin) Message-ID: >>Hi, Hello, >>Is the zone not transferring at all, or is it just the updates that's >>not transferred to the AD slave server? It's not transferring at all. >>If the zone is not transferring at all: Did yo modify the "Allow >>transfer" property of the zone ? yes, I change the parameter to allow zone transfers from the AD >>If the updates is not transferring: I believe automatic increment of the >>zone serial number will be supported in IPA 3.0. The IPA developers will >>have to confirm that. However you can manually change the serial number >>under Zone Settings. 
Yes, I also read this information but I was hoping there was some other solution to the issue. And I've done manually change the serial number of the zone but without success >>Hope this helps. Thanks >>Regards, >>Siggi 2012/8/20 > Send Freeipa-users mailing list submissions to > freeipa-users at redhat.com > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/freeipa-users > or, via email, send a message with subject or body 'help' to > freeipa-users-request at redhat.com > > You can reach the person managing the list at > freeipa-users-owner at redhat.com > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Freeipa-users digest..." > > > Today's Topics: > > 1. Re: Active Directory slave zone in FreeIPA DNS (Sigbjorn Lie) > 2. Re: sssd client cache timer and merging IPA domains > (Rob Crittenden) > 3. Re: Question about migration and scripts variables > (Rob Crittenden) > 4. Specifying load balancing to SSSD clients (Innes, Duncan) > 5. Re: Specifying load balancing to SSSD clients (Mark St. Laurent) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sun, 19 Aug 2012 18:23:20 +0200 > From: Sigbjorn Lie > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Active Directory slave zone in FreeIPA > DNS > Message-ID: <503112F8.8000900 at nixtra.com> > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed" > > On 08/19/2012 04:39 PM, Franklin Catoni wrote: > > Greetings community. > > > > I do not speak English so I will do my best. > > > > I have two environments in my company, a domain "ejemplo.com > > " with Windows Active Directory running on Windows > > Server 2003 Enterprise Edition SP2 and domain "ejemplo.gob.ve > > " with FreeIPA v2.2. mounted on Centos 6.3 x64. > > This is because we are in the middle of a platform migration process > > (a very slow process) from proprietary solutions to open source. 
> > > > DNS and DHCP service for my two environments is offered by the server > > Centos 6.3 which is mounted FreeIPA directory, clients are Windows > > computers Active Directory domain and linux computers in the domain Ipa. > > > > Currently the zone "ejemplo.gob.ve " is > > administered by the FreeIPA DNS using the plugin > > (bind-dyndb-ldap.x86_64 v1.1.0) and I configure a slave zone using > > bind (bind-9.8.2-0.10.rc1.el6_3.2 . x86_64) for the domain > > "ejemplo.com " Active Directory > > > > Name resolution works perfectly for both Linux and Windows clients. > > > > Now here comes the tricky part > > > > In order to find a more centralized management of my services, I try > > to configure a slave zone to Active Directory through FreeIPA with > > dyndb bind-plugin-ldap and so to eliminate configuration through bind, > > but the transfers zone does not work, causing this many problems on > > both platforms. > > > > The log shows me the following error: > > > > ServidorIPA named[3706]: zone ejemplo.com/IN/local > > : zone serial (2012081801) unchanged. > > zone may fail to transfer to slaves > > > > I've spent enough time looking at Super Google information that can > > help me but it has not been easy, because it seems to be a rare > situation. > > > > I ask. You can set this up under these circumstances? > > Someone has accomplished? > > Some information that horiente me to get a solution? > > > > Thanks for your time. > > > Hi, > > Is the zone not transferring at all, or is it just the updates that's > not transferred to the AD slave server? > > If the zone is not transferring at all: Did yo modify the "Allow > transfer" property of the zone ? > > If the updates is not transferring: I believe automatic increment of the > zone serial number will be supported in IPA 3.0. The IPA developers will > have to confirm that. However you can manually change the serial number > under Zone Settings. > > Hope this helps. 
> > > Regards, > Siggi > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://www.redhat.com/archives/freeipa-users/attachments/20120819/73825288/attachment.html > > > > ------------------------------ > > Message: 2 > Date: Mon, 20 Aug 2012 08:44:32 -0400 > From: Rob Crittenden > To: Lucas Yamanishi > Cc: "freeipa-users at redhat.com" > Subject: Re: [Freeipa-users] sssd client cache timer and merging IPA > domains > Message-ID: <50323130.6030102 at redhat.com> > Content-Type: text/plain; charset=UTF-8; format=flowed > > Lucas Yamanishi wrote: > > > > On 08/17/2012 08:38 AM, Rob Crittenden wrote: > >> Lucas Yamanishi wrote: > >>> > >>> On 08/16/2012 05:39 PM, Rob Crittenden wrote: > >>>> Lucas Yamanishi wrote: > >>>>> > >>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote: > >>>>>> Lucas Yamanishi wrote: > >>>>>>> I just migrated my IPA instance from one to another a couple days > >>>>>>> ago to > >>>>>>> recover after a lost CA and failed yum upgrade. The "ipa > migrate-ds" > >>>>>>> tool works very well, though I am having a few very minor issues. > On > >>>>>>> the upside, as far as I can tell, you can skip the steps about > >>>>>>> Kerberos > >>>>>>> key generation as outlined in the documentation. I've been able to > >>>>>>> kinit just fine with my migrated users. > >>>>>>> > >>>>>>> > >>>>>>> Below are the few errors I've noticed. > >>>>>>> > >>>>>>> * When I ssh into an enrolled host using a migrated user's > >>>>>>> credentials I > >>>>>>> get this error: > >>>>>>> > >>>>>>> id: cannot find name for group ID 104600003\ > >>>>>> > >>>>>> Does a group exist with that GID? You can try something like: > >>>>>> > >>>>>> $ ipa group-find --gid=104600003 > >>>>>> > >>>>> > >>>>> The group doesn't exist. The GID is the counterpart to my UID. > >>>> > >>>> Try adding --private. > >>>> > >>>> rob > >>>> > >>> > >>> Nope. It doesn't exist. > >>> > >>> Other groups migrated. Why would the private groups fail? 
> >>
> >> I don't know, what have you done to date, including versions?
> >>
> >> rob
> >
> > I've been following the stable Scientific Linux releases since 6.1.
> > Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The
> > version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
> > upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now
> > 2.2.0-16.el6.x86_64.
> >
> > So...
> > 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ---->
> > 2.2.0-16.el6.x86_64
> >
> >
>
> Can you verify that managed entries are configured:
>
> # ipa-managed-entries -l
>
> It should return:
>
> UPG Definition
> NGP Definition
>
> This enables user-private groups and netgroup-private groups.
>
> rob
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 20 Aug 2012 08:56:51 -0400
> From: Rob Crittenden
> To: James James
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Question about migration and scripts
> variables
> Message-ID: <50323413.4090906 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> James James wrote:
> > Hi,
> >
> > my first question is about the migrate process. Is it possible to
> > renumber the users during the migrate process (ipa migrate-ds) in a way
> > that all imported users will have a new UID ?
>
> I haven't tested this but you might try
> --user-ignore-attribute=uidnumber,gidnumber.
>
> > my second question is about ipalib. I wanted to make a hook on the user
> > creation. The hook works fine. I just want to know if there is a way to
> > have the value of variables like the username, the name of the creator,
> > the e-mail of the creator and stuff like that.
> > The current user is available via: principal = getattr(context, > 'principal') > > Using this you can look up that user: > > (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal, > "krbPrincipalAux") > > rob > > > > ------------------------------ > > Message: 4 > Date: Mon, 20 Aug 2012 14:48:30 +0100 > From: "Innes, Duncan" > To: > Subject: [Freeipa-users] Specifying load balancing to SSSD clients > Message-ID: > <56343345B145C043AE990701E3D193952B5511 at EXVS2.nrplc.localnet> > Content-Type: text/plain; charset="us-ascii" > > Folks, > > Hopefully this isn't a dumb question, but I'm constrained by a few > things on my estate and would be looking to deploy something like the > following: > > 2 Datacentres > 2 IPA servers at each datacentre > > ipa1.domain.com \_ datacentre A > ipa2.domain.com / > > ipa3.domain.com \_ datacentre B > ipa4.domain.com / > > The datacentres are linekd, but bandwidth not great. > > Client's in datacentre A should therefore use ipa1.domain.com and > ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4 > when both 1 & 2 are out of action. Clients would revert to using > ipa1/ipa2 whenever either of them came back online. > > I understand this configuration has already been done as part of > https://fedorahosted.org/freeipa/ticket/2282 > > What I'm wondering is if I can force my clients to load balance > communication between ipa1 & ipa2. > > I don't have the ability to use the _srv_ records in DNS as that's set > up for the AD servers on our network. I also can't create separate DNS > servers for the Linux estate (not that I'd particularly want to). > > Is there any current configuration that I can use to force load > balancing between ipa1/ipa2 under ideal conditions. Falling back to > ipa2 when ipa1 is out of action. Falling back to (load balanced > perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action. > > Hope the description is reasonable. 
> > Thanks > > Duncan Innes | Linux Architect > > > Northern Rock plc is part of the Virgin Money group of companies. > > This e-mail is intended to be confidential to the recipient. If you > receive a copy in error, please inform the sender and then delete this > message. > > Virgin Money Personal Financial Service Limited is authorised and > regulated by the Financial Services Authority. Company no. 3072766. > > Virgin Money Unit Trust Managers Limited is authorised and regulated by > the Financial Services Authority. Company no. 3000482. > > Virgin Money Cards Limited. Introducer appointed representative only of > Virgin Money Personal Financial Service Limited. Company no. 4232392. > > Virgin Money Management Services Limited. Company no. 3072772. > > Virgin Money Holdings (UK) Limited. Company no. 3087587. > > Each of the above companies is registered in England and Wales and has its > registered office at Discovery House, Whiting Road, Norwich NR4 6EJ. > > Northern Rock plc. Authorised and regulated by the Financial Services > Authority. Registered in England and Wales (Company no. 6952311) with its > registered office at Northern Rock House, Gosforth, Newcastle upon Tyne NE3 > 4PL. > > The above companies use the trading name Virgin Money. > > > > > ------------------------------ > > Message: 5 > Date: Mon, 20 Aug 2012 10:15:08 -0400 (EDT) > From: "Mark St. Laurent" > To: Duncan Innes > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients > Message-ID: > <290044214.13057699.1345472108805.JavaMail.root at redhat.com> > Content-Type: text/plain; charset="utf-8" > > http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/ > > > Norman "Mark" St. Laurent > Federal Team: Senior Solutions Architect > Red Hat > 8260 Greensboro Drive, Suite 300 > McLean VA, 22102 > Email: msl at redhat.com > Cell: 703.772.1434 > > Check this Link out!!! 
Cool Stuff: http://mil-oss.org/
>
> ----- Original Message -----
>
> From: "Duncan Innes"
> To: freeipa-users at redhat.com
> Sent: Monday, August 20, 2012 9:48:30 AM
> Subject: [Freeipa-users] Specifying load balancing to SSSD clients
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: < https://www.redhat.com/archives/freeipa-users/attachments/20120820/30f4d804/attachment.html >
>
> ------------------------------
>
> End of Freeipa-users Digest, Vol 49, Issue 34
> *********************************************

From lagern at lafayette.edu Thu Aug 23 17:24:31 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Thu, 23 Aug 2012 13:24:31 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <50355701.403@redhat.com> References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com> <5035482C.3080508@lafayette.edu> <50355701.403@redhat.com> Message-ID: <5036674F.40400@lafayette.edu> This did not seem to help... On 08/22/2012 06:02 PM, Rob Crittenden wrote: > Nathan Lager wrote: >> [root at ipaserver PROD krb5kdc]# ipactl status >> Directory Service: RUNNING >> KDC Service: RUNNING >> KPASSWD Service: RUNNING >> MEMCACHE Service: RUNNING >> HTTP Service: RUNNING >> CA Service: RUNNING >> [root at ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server >> ipa-server-selinux-2.2.0-16.el6.x86_64 >> ipa-server-2.2.0-16.el6.x86_64 > > I'd try removing /tmp/krb5cc_48. This is the ccache used by Apache for > doing S4U2Proxy. No restart of httpd should be required. > > rob > >> >> >> On 08/22/2012 04:08 PM, Rob Crittenden wrote: >>> Nathan Lager wrote: >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> I tried the same, kinit, and then ipa passwd commands as before, >>>> here's the output: >>>> >>>> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 >>>> etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH: >>>> lagern at SYSTEMS.LAFAYETTE.EDU for >>>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU, Additional >>>> pre-authentication required >>>> >>>> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 >>>> etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, >>>> etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for >>>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU >>>> >>>> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ >>>> (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, >>>> etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for >>>> HTTP/ipaserver.lafayette.edu at SYSTEMS.LAFAYETTE.EDU >>> >>> What version of IPA is this? 
>>> >>> Does ipactl status show all services up? >>> >>> rob >> >> > > From ssorce at redhat.com Thu Aug 23 18:16:47 2012 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 23 Aug 2012 14:16:47 -0400 (EDT) Subject: [Freeipa-users] sudden ipa errors. In-Reply-To: <50351BD8.8010806@lafayette.edu> Message-ID: <794592396.9904204.1345745807877.JavaMail.root@redhat.com> ----- Original Message ----- > I have a RHEL ipa server setup and running. Its been running for a > while now, and suddenly, today, i'm having trouble authenticating to > it, or changing my password. > > The error i'm getting at the command line is: > > [lagern at ipaserver PROD ~]$ ipa passwd > Current Password: > New Password: > Enter New Password again to verify: > ipa: ERROR: cannot connect to > u'http://ipaserver.lafayette.edu/ipa/xml': Internal Server Error > > Looking at /var/log/httpd/error and access logs i see: > > [Wed Aug 22 13:18:07 2012] [error] [client gss_acquire_cred() failed: Unspecified GSS failure. Minor code may > provide more information (, Unknown error), referer: > https://ipaserver.lafayette.edu/ipa/xml > > I'm wading through google at the moment, to see if i can find a fix, > but i'm coming up empty. Can you check if the http keytab is ok ? kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu Does this command work ? Simo. -- Simo Sorce * Red Hat, Inc. * New York From sylvainangers at gmail.com Thu Aug 23 19:53:05 2012 From: sylvainangers at gmail.com (Sylvain Angers) Date: Thu, 23 Aug 2012 15:53:05 -0400 Subject: [Freeipa-users] IBM Tivoli Identity Manager connector to manage IPA Message-ID: Hello all, Within our organisation, we use IBM Tivoli Identity Manager connectors to provision user/group onto all our different type of system. Currently there is as many connectors as we have unix box. 
As each unix box uses local auth, we use ITIM to push user/group to local files... We have been investigating IPA for a while, and now we wonder if a regular LDAP connector from IBM Tivoli Identity Manager could be used to feed IPA so we would have one connector to manage our UNIX boxes via IPA. Our security folks would continue to have one single interface to do user/group provisioning.

I found out that there is already an ITIM LDAP connector available, but is there such a thing as an LDAP interface to manage IPA? Or would the only way to get ITIM to manage IPA be via a new connector built from remote ipa command lines?

Thank you!

--
Sylvain Angers

From Steven.Jones at vuw.ac.nz Thu Aug 23 21:26:13 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 23 Aug 2012 21:26:13 +0000
Subject: [Freeipa-users] RHEL 6.3 identity manual - IPA
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD791C8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Some notes on the identity manual which says it's for RHEL6:

"13.4.2. Client Configuration for sudo Rules
This example specifically configures a Red Hat Enterprise Linux 6 client for sudo rules.

8><----

2. Enable debug logging for sudo operations in the /etc/ldap.conf file. If this file does not exist, it can be created.
   vim /etc/ldap.conf
   sudoers_debug:

It seems for a RHEL6 client it's /etc/sudo-ldap.conf

ditto 4.

Edit the NSS/LDAP configuration file and add the following sudo-related lines to the /etc/nslcd.conf file:
   binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
   bindpw sudo_password
   ssl start_tls
   tls_cacertfile /etc/ipa/ca.crt
   tls_checkpeer yes
   bind_timelimit 5
   timelimit 15
   uri ldap://ipaserver.example.com ldap://backup.example.com:3890
   sudoers_base ou=SUDOers,dc=example,dc=com

It seems for a RHEL6 client it's /etc/sudo-ldap.conf

So is that section referring to RHEL5?
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbingram at gmail.com Thu Aug 23 23:00:55 2012 From: sbingram at gmail.com (Stephen Ingram) Date: Thu, 23 Aug 2012 16:00:55 -0700 Subject: [Freeipa-users] RHEL 6.3 identity manual - IPA In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD791C8@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD791C8@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: On Thu, Aug 23, 2012 at 2:26 PM, Steven Jones wrote: > Some notes on the identity manual which says its for RHEl6, > > "13.4.2. Client Configuration for sudo Rules This example specifically > configures a Red Hat Enterprise Linux 6 client for sudo rules. > > 8><---- > > 2. Enable debug logging for sudo operations in the /etc/ldap.conf file. If > this file does not exist, it can be created. vim /etc/ldap.conf > sudoers_debug: > > It seems for a RHEL6 client its /etc/sudo-ldap.conf > > ditto 4. > > Edit the NSS/LDAP configuration file and add the following sudo-related > lines to the > /etc/nslcd.conf file: > binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com > bindpw sudo_password > ssl start_tls > tls_cacertfile /etc/ipa/ca.crt > tls_checkpeer yes > bind_timelimit 5 > timelimit 15 > uri ldap://ipaserver.example.com ldap://backup.example.com:3890 > sudoers_base ou=SUDOers,dc=example,dc=com > > It seems for a RHEL6 client its /etc/sudo-ldap.conf > > So it that section referring to RHEL5? Most likely. /etc/sudo-ldap.conf is new with RHEL 6.3. Before that (6.0-6.2) you had to use /etc/nslcd.conf. RHEL 5 series used a different configuration altogether. I think that will eventually change to as this becomes handled directly by sssd. Not a moment too soon if you ask me. There are so many competing ways to set this up, each with varying advantages and disadvantages. 
This is probably why RH decided to just write sssd from scratch such that they could handle all of the existing setups as well as new stuff like laptops out of the office that need cached credentials and such.

Steve

From Steven.Jones at vuw.ac.nz Thu Aug 23 23:16:21 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 23 Aug 2012 23:16:21 +0000
Subject: [Freeipa-users] RHEL 6.3 identity manual - IPA
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD791C8@STAWINCOX10MBX1.staff.vuw.ac.nz>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD79299@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Just found this doc,

Red Hat Enterprise Linux 5.8 Configuring Identity Management

So I'm working through it.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Stephen Ingram [sbingram at gmail.com]
Sent: Friday, 24 August 2012 11:00 a.m.
To: Steven Jones
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RHEL 6.3 identity manual - IPA

From Steven.Jones at vuw.ac.nz Fri Aug 24 00:39:18 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 24 Aug 2012 00:39:18 +0000
Subject: [Freeipa-users] RHEL 6.3 identity manual - IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD79299@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD791C8@STAWINCOX10MBX1.staff.vuw.ac.nz>, , <833D8E48405E064EBC54C84EC6B36E404CD79299@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD7931E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Except the doc says nss_ldap.conf when it's actually ldap.conf... so the doc is wrong.

"4. Edit the NSS/LDAP configuration file and add the following sudo-related lines to the /etc/nss_ldap.conf file:"

should read,

"4. Edit the NSS/LDAP configuration file and add the following sudo-related lines to the /etc/ldap.conf file:"

Unless someone can point out how sudo should be done.... but it works this way.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Friday, 24 August 2012 11:16 a.m.
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RHEL 6.3 identity manual - IPA

From yantd at qq.com Fri Aug 24 02:24:07 2012
From: yantd at qq.com (Tengda)
Date: Fri, 24 Aug 2012 10:24:07 +0800
Subject: [Freeipa-users] Reset the password of service principal.
Message-ID:

Hello,

The change_password command of kadmin can be used for resetting the password of a service principal. Can we use this command in FreeIPA? Or are there any other equivalent commands? We want to use a key which is made from a password for testing.

Thanks,
Tengda
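An added example for the question above (not code from the thread or from FreeIPA): whatever tool sets a principal's key from a password, the key it stores is fixed by RFC 3962, so for testing you can derive it offline and compare it with what the KDC hands out. The script below does that derivation with only the Python standard library; its AES block function is a minimal encrypt-only implementation written for this example. It assumes the default salt (realm followed by the principal's name components) and the RFC 3962 default iteration count of 4096, both of which a KDC may override, so confirm the enctype it actually issued (klist -e) and the salt on the server side before relying on the value. The RFC 3962 test vector (iteration count 1) and the FIPS-197 AES vectors serve as checks. On the IPA side, ipa-getkeytab's -P option sets a password-derived key instead of a random one; that is stated from my own use of the tool, not something the thread confirms.

```python
"""Kerberos AES string-to-key (RFC 3962) with the Python standard library only.

Added example for the question above, not FreeIPA code. The AES block function is a
minimal encrypt-only implementation written for this example. Assumed defaults, which
a KDC may override: salt = realm followed by the principal name components, and an
iteration count of 4096.
"""
import hashlib

NFOLD_KERBEROS = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")  # 128-fold("kerberos"), RFC 3961 App. A
KEY_LENGTH = {17: 16, 18: 32}  # enctype -> key bytes: aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


def _make_sbox():
    """AES S-box: GF(2^8) inverse followed by the affine transform."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                            # q /= 3, so q stays p's inverse
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # affine transform via rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def _xtime(a):
    """Multiply by x in GF(2^8)."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _expand_key(key):
    """FIPS-197 key schedule for 16- or 32-byte keys: (round-key words, number of rounds)."""
    nk = len(key) // 4
    rounds = nk + 6
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]              # extra SubWord for AES-256
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return w, rounds


def aes_encrypt_block(key, block):
    """Encrypt one 16-byte block. State is column-major: index = 4 * column + row."""
    w, rounds = _expand_key(key)
    s = list(block)

    def add_round_key(st, r):
        return [st[i] ^ w[4 * r + i // 4][i % 4] for i in range(16)]

    s = add_round_key(s, 0)
    for r in range(1, rounds + 1):
        s = [SBOX[b] for b in s]                                          # SubBytes
        s = [s[4 * ((i // 4 + i % 4) % 4) + i % 4] for i in range(16)]    # ShiftRows
        if r != rounds:                                                    # MixColumns
            mixed = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                mixed += [a[k] ^ t ^ _xtime(a[k] ^ a[(k + 1) % 4]) for k in range(4)]
            s = mixed
        s = add_round_key(s, r)
    return bytes(s)


def default_salt(principal):
    """Default salt: realm, then the name components with their separators removed.
    HTTP/ipa.example.com@EXAMPLE.COM -> EXAMPLE.COMHTTPipa.example.com"""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def string_to_key(password, salt, enctype=18, iterations=4096):
    """RFC 3962: tkey = PBKDF2-HMAC-SHA1(password, salt), key = DK(tkey, "kerberos")."""
    keylen = KEY_LENGTH[enctype]
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, keylen)
    # DK(): encrypt the folded constant and keep chaining the ciphertext until keylen bytes exist.
    # The spec's AES-CBC-CTS with a zero IV equals the raw block cipher for one-block inputs.
    out, block = b"", NFOLD_KERBEROS
    while len(out) < keylen:
        block = aes_encrypt_block(tkey, block)
        out += block
    return out[:keylen]


if __name__ == "__main__":
    # Hypothetical service principal and password chosen for the demonstration.
    salt = default_salt("HTTP/ipaserver.example.com@EXAMPLE.COM")
    for etype in (18, 17):
        print("etype %d salt %s key %s" % (etype, salt, string_to_key("test", salt, etype).hex()))
```

The etype numbers 17 and 18 are the aes128/aes256 enctypes that show up as "etypes {18 17 16 23}" in the KDC log earlier in this thread; if the server negotiated one of the other two, this derivation does not apply to it.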
From whbos at xs4all.nl Fri Aug 24 06:21:50 2012
From: whbos at xs4all.nl (Willem Bos)
Date: Fri, 24 Aug 2012 08:21:50 +0200
Subject: [Freeipa-users] IBM Tivoli Identity Manager connector to manage IPA
In-Reply-To:
References:
Message-ID:

Hi Sylvain,

I'm not familiar with Tivoli but maybe it's able to generate HTTP requests? I recently did a proof-of-concept (with help from this mailing list) to provision IPA with usernames/passwords. It's really a re-write of a post from Adam Young (http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/) and info from the IPA API documented at https://fedorahosted.org/freeipa/browser/API.txt

In this procedure you should replace curl with Tivoli.

# Add the (IPA) account you want to use for provisioning to the passSyncManagersDNs 'group'
# so that users that are created through provisioning do not have to change their passwords
# at first login. In this example I used 'admin' but you probably want a dedicated user :
cat > add_passsync_manager.ldif << EOF
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=localdomain
EOF
ldapmodify -x -D "cn=Directory Manager" -W -f add_passsync_manager.ldif

# Check :
ldapsearch -LLL -x -D "cn=Directory Manager" -W -b "cn=ipa_pwd_extop,cn=plugins,cn=config" -s base passsyncmanagersdns
...
passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=localdomain

# The .json file is the 'add user' request that Tivoli should generate :
cat > add_user_test.json << EOF
{
  "method": "user_add",
  "params": [
    [],
    {
      "uid": "test",
      "givenname": "test",
      "sn": "test",
      "userpassword": "test"
    }
  ]
}
EOF

# Tivoli needs to be able to pass Kerberos credentials with the HTTP request (the '--negotiate -u :' part) :
kinit admin
curl -v \
  --header referer:https:///ipa \
  --header "Content-Type:application/json" \
  --header "Accept:application/json" \
  --negotiate -u : \
  --delegation always \
  --cacert /etc/ipa/ca.crt \
  --data @add_user_test.json \
  --request POST https:///ipa/json
...
  "summary": "Added user \"test\"",
...

# Check. The user should not be asked to change his password... :
kinit test

Regards,

Willem.

On Thu, Aug 23, 2012 at 9:53 PM, Sylvain Angers wrote:

From d.sastre.medina at gmail.com Fri Aug 24 09:56:15 2012
From: d.sastre.medina at gmail.com (David Sastre)
Date: Fri, 24 Aug 2012 11:56:15 +0200
Subject: [Freeipa-users] Problem with webui: kerberos ticket no longer valid
Message-ID:

Hello,

I'm having an issue with the web UI; it is returning the "Kerberos ticket is no longer valid" message even though I have a valid ticket:

$ ssh sysadm at panoramix 'klist'
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: admin at DOMAIN.COM

Valid starting     Expires            Service principal
08/24/12 10:42:57  08/25/12 10:42:53  krbtgt/DOMAIN.COM at DOMAIN.COM
08/24/12 10:43:19  08/25/12 10:42:53  HTTP/panoramix.domain.com at DOMAIN.COM

Following the advice in:
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html

I have obtained this log:

$ ssh -X sysadm at panoramix 'export NSPR_LOG_MODULES=negotiateauth:5; export NSPR_LOG_FILE=/tmp/moz.log; firefox'

973989664[7f8b38e5b040]: using REQ_DELEGATE
973989664[7f8b38e5b040]: service = panoramix.domain.com
973989664[7f8b38e5b040]: using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]: Sending a token of length 1375
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
973989664[7f8b38e5b040]: No output token to send, exiting
973989664[7f8b38e5b040]:
using REQ_DELEGATE 973989664[7f8b38e5b040]: service = panoramix.domain.com 973989664[7f8b38e5b040]: using negotiate-gss 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI() 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init() 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate] 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken() 973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0] 973989664[7f8b38e5b040]: Sending a token of length 1375 973989664[7f8b38e5b040]: using REQ_DELEGATE 973989664[7f8b38e5b040]: service = panoramix.domain.com 973989664[7f8b38e5b040]: using negotiate-gss 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI() 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init() 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate] 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken() 973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0] 973989664[7f8b38e5b040]: Sending a token of length 1375 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==] 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken() 973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028] 973989664[7f8b38e5b040]: No output token to send, exiting Relevant portions of apache's access and error logs with LogLevel Debug are: 172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json HTTP/1.1" 401 1856 "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6" 172.22.249.66 - admin at DOMAIN.COM [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json HTTP/1.1" 401 - "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6" 172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "GET /ipa/session/login_kerberos HTTP/1.1" 401 1856 
"https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6" 172.22.249.66 - admin at DOMAIN.COM [24/Aug/2012:11:43:52 +0200] "GET /ipa/session/login_kerberos HTTP/1.1" 200 - "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6" 172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json HTTP/1.1" 401 1856 "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6" 172.22.249.66 - admin at DOMAIN.COM [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json HTTP/1.1" 401 - "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6" [Fri Aug 24 11:43:52 2012] [error] [client 172.22.249.66] File does not exist: /var/www/htdocs/panoramix.domain.com/ca [Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 194 (server panoramix.domain.com:443) [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/ [Fri Aug 24 11:43:52 2012] [info] Connection to child 194 closed (server panoramix.domain.com:443, client 172.22.249.66) [Fri Aug 24 11:43:52 2012] [info] Connection to child 196 established (server panoramix.domain.com:443, client 172.22.249.66) [Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 196 (server panoramix.domain.com:443) [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/ [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client 172.22.249.66] Acquiring creds for HTTP at panoramix.domain.com, referer: https://panoramix.domain.com/ipa/ui/ [Fri Aug 24 11:43:52 2012] [debug] 
src/mod_auth_kerb.c(1691): [client 172.22.249.66] Verifying client data using KRB5 GSS-API , referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client 172.22.249.66] Client delegated us their credential, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client 172.22.249.66] GSS-API token of length 22 bytes will be sent back, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 196 closed (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 197 established (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 197 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 197 closed (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 198 established (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 198 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client 172.22.249.66] Acquiring creds for HTTP at panoramix.domain.com, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client 172.22.249.66] Verifying client data using KRB5 GSS-API , referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client 172.22.249.66] Client delegated us their credential, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client 172.22.249.66] GSS-API token of length 22 bytes will be sent back, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 198 closed (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 199 established (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 199 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 199 closed (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 200 established (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 200 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client 172.22.249.66] Acquiring creds for HTTP at panoramix.domain.com, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client 172.22.249.66] Verifying client data using KRB5 GSS-API , referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client 172.22.249.66] Client delegated us their credential, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client 172.22.249.66] GSS-API token of length 22 bytes will be sent back, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 200 closed (server panoramix.domain.com:443, client 172.22.249.66)

# lsb_release -a
LSB Version:    :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.3 (Final)
Release:        6.3
Codename:       Final

# rpm -qa | egrep '(ipa-|sssd)'
ipa-pki-common-theme-9.0.3-7.el6.noarch
sssd-client-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
sssd-1.8.0-32.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64

Thanks in advance.

From ondrejv at s3group.cz Fri Aug 24 10:06:24 2012
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Fri, 24 Aug 2012 12:06:24 +0200
Subject: [Freeipa-users] Problem with webui: kerberos ticket no longer valid
In-Reply-To:
References:
Message-ID: <50375220.7080001@s3group.cz>

try running 'kinit -R'?
On 08/24/2012 11:56 AM, David Sastre wrote:
> Hello,
>
> I'm having an issue with the web ui, it is returning "Kerberos ticket
> is no longer valid" message regardless I have a valid ticket:
>
> $ ssh sysadm at panoramix 'klist'
>
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: admin at DOMAIN.COM
>
> Valid starting       Expires              Service principal
> 08/24/12 10:42:57    08/25/12 10:42:53    krbtgt/DOMAIN.COM at DOMAIN.COM
> 08/24/12 10:43:19    08/25/12 10:42:53    HTTP/panoramix.domain.com at DOMAIN.COM
>
> Following the advice in:
>
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html
>
> I have obtained this log:
>
> $ ssh -X sysadm at panoramix 'export NSPR_LOG_MODULES=negotiateauth:5; export NSPR_LOG_FILE=/tmp/moz.log; firefox'
>
> 973989664[7f8b38e5b040]: using REQ_DELEGATE
> 973989664[7f8b38e5b040]: service = panoramix.domain.com
> 973989664[7f8b38e5b040]: using negotiate-gss
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
> 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
> 973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
> 973989664[7f8b38e5b040]: Sending a token of length 1375
> 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
> 973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
> 973989664[7f8b38e5b040]: No output token to send, exiting
> 973989664[7f8b38e5b040]: using REQ_DELEGATE
> 973989664[7f8b38e5b040]: service = panoramix.domain.com
> 973989664[7f8b38e5b040]: using negotiate-gss
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
> 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
> 973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
> 973989664[7f8b38e5b040]: Sending a token of length 1375
> 973989664[7f8b38e5b040]: using REQ_DELEGATE
> 973989664[7f8b38e5b040]: service = panoramix.domain.com
> 973989664[7f8b38e5b040]: using negotiate-gss
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
> 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
> 973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
> 973989664[7f8b38e5b040]: Sending a token of length 1375
> 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
> 973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
> 973989664[7f8b38e5b040]: No output token to send, exiting
>
> Relevant portions of apache's access and error logs with LogLevel Debug are:
>
> [...]
>
> Thanks in advance.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From d.sastre.medina at gmail.com Fri Aug 24 10:31:42 2012
From: d.sastre.medina at gmail.com (David Sastre)
Date: Fri, 24 Aug 2012 12:31:42 +0200
Subject: [Freeipa-users] Problem with webui: kerberos ticket no longer valid
In-Reply-To: <50375220.7080001@s3group.cz>
References: <50375220.7080001@s3group.cz>
Message-ID:

On Fri, Aug 24, 2012 at 12:06 PM, Ondrej Valousek wrote:
> try running 'kinit -R'?

Nope. It fails even after kdestroy and kinit anew.
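An added example, not code from the thread or from the FreeIPA project: a small Python script that reads Apache combined-format access-log lines like the ones David posted and separates the ordinary Negotiate challenge (401 with no authenticated user) from the pattern seen above, where mod_auth_kerb has already set the user and /ipa/session/json still answers 401. The sample lines are constructed after the thread's (principal written as admin@DOMAIN.COM, plus a second, healthy client of my own); the verdict wording is mine.

```python
import re
from collections import defaultdict

# Apache "combined" format, as in the thread:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample, modelled on David's log: one client that authenticates via
# Negotiate but is still refused by the JSON-RPC endpoint, one healthy client,
# and one junk line that the parser must skip.
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
REF = "https://panoramix.domain.com/ipa/ui/"
TS = "[24/Aug/2012:11:43:52 +0200]"
SAMPLE_LINES = [
    f'172.22.249.66 - - {TS} "POST /ipa/session/json HTTP/1.1" 401 1856 "{REF}" "{UA}"',
    f'172.22.249.66 - admin@DOMAIN.COM {TS} "POST /ipa/session/json HTTP/1.1" 401 - "{REF}" "{UA}"',
    f'172.22.249.66 - - {TS} "GET /ipa/session/login_kerberos HTTP/1.1" 401 1856 "{REF}" "{UA}"',
    f'172.22.249.66 - admin@DOMAIN.COM {TS} "GET /ipa/session/login_kerberos HTTP/1.1" 200 - "{REF}" "{UA}"',
    f'172.22.249.66 - - {TS} "POST /ipa/session/json HTTP/1.1" 401 1856 "{REF}" "{UA}"',
    f'172.22.249.66 - admin@DOMAIN.COM {TS} "POST /ipa/session/json HTTP/1.1" 401 - "{REF}" "{UA}"',
    f'10.0.0.5 - bob@DOMAIN.COM {TS} "POST /ipa/session/json HTTP/1.1" 200 512 "{REF}" "{UA}"',
    "this line is not an access-log entry and is skipped",
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["user"] = None if entry["user"] == "-" else entry["user"]
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def classify(entry):
    """Classify one /ipa/session/ request by who authenticated and what came back."""
    if not entry["path"].startswith("/ipa/session/"):
        return "other"
    if entry["status"] == 401 and entry["user"] is None:
        # First leg of SPNEGO: the server answers 401 with a Negotiate challenge.
        # This is expected and the client replies with its GSS-API token.
        return "challenge"
    if entry["status"] == 401:
        # mod_auth_kerb set the user, so the Kerberos exchange succeeded, yet the
        # application behind it still refused the request.
        return "auth-ok-but-rejected"
    if entry["status"] == 200 and entry["user"] is not None:
        return "ok"
    return "other"


def analyse(lines):
    """Per client, count the interesting outcomes and say which side to look at."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        counts[entry["host"]][(entry["path"], classify(entry))] += 1
    findings = {}
    for host, c in counts.items():
        rejected = c[("/ipa/session/json", "auth-ok-but-rejected")]
        login_ok = c[("/ipa/session/login_kerberos", "ok")]
        if rejected:
            verdict = ("Negotiate succeeded but /ipa/session/json still returned 401: "
                       "look at the server side (session handling, the credential cache "
                       "Apache uses on the user's behalf), not at the client's ticket")
        else:
            verdict = "no authenticated-but-rejected requests"
        findings[host] = {"login_kerberos_ok": login_ok,
                          "json_rejected_after_auth": rejected,
                          "verdict": verdict}
    return findings


if __name__ == "__main__":
    for host, finding in analyse(SAMPLE_LINES).items():
        print(host, finding)
```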
From rcritten at redhat.com Fri Aug 24 13:07:06 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Aug 2012 09:07:06 -0400
Subject: [Freeipa-users] RHEL 6.3 identity manual - IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD7931E@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD791C8@STAWINCOX10MBX1.staff.vuw.ac.nz>, , <833D8E48405E064EBC54C84EC6B36E404CD79299@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CD7931E@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50377C7A.8040509@redhat.com>

Steven Jones wrote:
> Hi,
>
> Except the doc says nss_ldap.conf when it's actually ldap.conf...so doc is wrong.
>
> "4. Edit the NSS/LDAP configuration file and add the following sudo-related lines to the
> /etc/nss_ldap.conf file:"
>
> should read,
>
> "4. Edit the NSS/LDAP configuration file and add the following sudo-related lines to the
> /etc/ldap.conf file:"
>
> Unless someone can point out how sudo should be done....but it works this way.

It would be very helpful if you could file bugs at http://bugzilla.redhat.com on the documentation when you find errors. We review them before publishing but we miss things from time to time (clearly).

The component to use is doc-Enterprise_Identity_Management_Guide.

thanks

rob

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Friday, 24 August 2012 11:16 a.m.
> Cc: Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] RHEL 6.3 identity manual - IPA
>
> Hi,
>
> Just found this doc,
>
> Red Hat Enterprise Linux 5.8
> Configuring Identity Management
>
> So I'm working through it.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Stephen Ingram [sbingram at gmail.com]
> Sent: Friday, 24 August 2012 11:00 a.m.
> To: Steven Jones
> Cc: Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] RHEL 6.3 identity manual - IPA
>
> On Thu, Aug 23, 2012 at 2:26 PM, Steven Jones wrote:
>> Some notes on the identity manual which says it's for RHEL6,
>>
>> "13.4.2. Client Configuration for sudo Rules This example specifically
>> configures a Red Hat Enterprise Linux 6 client for sudo rules.
>>
>> 8><----
>>
>> 2. Enable debug logging for sudo operations in the /etc/ldap.conf file. If
>> this file does not exist, it can be created. vim /etc/ldap.conf
>> sudoers_debug:
>>
>> It seems for a RHEL6 client it's /etc/sudo-ldap.conf
>>
>> ditto 4.
>>
>> Edit the NSS/LDAP configuration file and add the following sudo-related
>> lines to the
>> /etc/nslcd.conf file:
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
>> bindpw sudo_password
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>> bind_timelimit 5
>> timelimit 15
>> uri ldap://ipaserver.example.com ldap://backup.example.com:3890
>> sudoers_base ou=SUDOers,dc=example,dc=com
>>
>> It seems for a RHEL6 client it's /etc/sudo-ldap.conf
>>
>> So is that section referring to RHEL5?
>
> Most likely. /etc/sudo-ldap.conf is new with RHEL 6.3. Before that
> (6.0-6.2) you had to use /etc/nslcd.conf. RHEL 5 series used a
> different configuration altogether. I think that will eventually
> change too as this becomes handled directly by sssd. Not a moment too
> soon if you ask me. There are so many competing ways to set this up,
> each with varying advantages and disadvantages.
> This is probably why
> RH decided to just write sssd from scratch such that they could handle
> all of the existing setups as well as new stuff like laptops out of
> the office that need cached credentials and such.
>
> Steve
>

From rcritten at redhat.com Fri Aug 24 13:07:41 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Aug 2012 09:07:41 -0400
Subject: [Freeipa-users] Reset the password of service principal.
In-Reply-To:
References:
Message-ID: <50377C9D.8090209@redhat.com>

Tengda wrote:
> Hello,
> The change_password command of kadmin can be used for resetting the
> password of a service principal.
> Can we use this command in FreeIPA? Or is there any other equivalent
> commands? We want to use a key which is made from password for testing.
> Thanks,
> Tengda

You can use ipa-getkeytab -P to set a specific password.

rob

From rcritten at redhat.com Fri Aug 24 20:43:27 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Aug 2012 16:43:27 -0400
Subject: [Freeipa-users] sudden ipa errors.
In-Reply-To: <5036674F.40400@lafayette.edu>
References: <50351BD8.8010806@lafayette.edu> <50352232.4020402@redhat.com> <50352675.3010602@lafayette.edu> <50353C21.1050002@redhat.com> <5035482C.3080508@lafayette.edu> <50355701.403@redhat.com> <5036674F.40400@lafayette.edu>
Message-ID: <5037E76F.7000902@redhat.com>

Nathan Lager wrote:
> This did not seem to help...
>

What else isn't working? Does the UI work? Do clients on other machines work? Does user lookup still work?

rob

>
> On 08/22/2012 06:02 PM, Rob Crittenden wrote:
>> Nathan Lager wrote:
>>> [root at ipaserver PROD krb5kdc]# ipactl status
>>> Directory Service: RUNNING
>>> KDC Service: RUNNING
>>> KPASSWD Service: RUNNING
>>> MEMCACHE Service: RUNNING
>>> HTTP Service: RUNNING
>>> CA Service: RUNNING
>>> [root at ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>> ipa-server-2.2.0-16.el6.x86_64
>>
>> I'd try removing /tmp/krb5cc_48. This is the ccache used by Apache for
>> doing S4U2Proxy. No restart of httpd should be required.
>>
>> rob
>>
>>>
>>>
>>> On 08/22/2012 04:08 PM, Rob Crittenden wrote:
>>>> Nathan Lager wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> I tried the same, kinit, and then ipa passwd commands as before,
>>>>> here's the output:
>>>>>
>>>>> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
>>>>> etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
>>>>> lagern at SYSTEMS.LAFAYETTE.EDU for
>>>>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU, Additional
>>>>> pre-authentication required
>>>>>
>>>>> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
>>>>> etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
>>>>> etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for
>>>>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU
>>>>>
>>>>> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
>>>>> (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
>>>>> etypes {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU for
>>>>> HTTP/ipaserver.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>
>>>> What version of IPA is this?
>>>>
>>>> Does ipactl status show all services up?
>>>>
>>>> rob
>>>
>>>
>>
>>
>

From sakodak at gmail.com Sun Aug 26 04:05:59 2012
From: sakodak at gmail.com (KodaK)
Date: Sat, 25 Aug 2012 23:05:59 -0500
Subject: [Freeipa-users] Desperate help requested.
Message-ID:

I've just been informed by my boss's boss's boss that, and I quote from his ridiculous email:

"we cannot use anything other than MS AD for authentication"

I've spent months of time and much effort rolling out IPA, consolidating authentication across our Linux and AIX machines.

To paraphrase Babbage: I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a statement.

Regardless, I need some help. I need some help with comparisons between FreeIPA and AD, and the problems and issues one might encounter when trying to authenticate Unix machines against AD. Anything that can show IPA being superior to AD for *nix authentication. Anything at all. We have a similar number of AIX and Linux servers.

We have a week before we have a meeting to discuss this, and I'd like to be armed to the teeth, if at all possible.

Thanks for any help you can give. And wish me luck.

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From d.sastre.medina at gmail.com Mon Aug 27 06:57:20 2012
From: d.sastre.medina at gmail.com (David Sastre)
Date: Mon, 27 Aug 2012 08:57:20 +0200
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To:
References:
Message-ID:

On Sun, Aug 26, 2012 at 6:05 AM, KodaK wrote:
> Regardless, I need some help. I need some help with comparisons
> between FreeIPA and AD, and the problems and issues one might
> encounter when trying to authenticate Unix machines against AD.
> Anything that can show IPA being superior to AD for *nix
> authentication. Anything at all. We have a similar number of AIX and
> Linux servers.

SELinux + sudo centralized management doesn't exist at all in AD.

From chorn at fluxcoil.net Mon Aug 27 07:03:26 2012
From: chorn at fluxcoil.net (Christian Horn)
Date: Mon, 27 Aug 2012 09:03:26 +0200
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To:
References:
Message-ID: <20120827070326.GA9711@fluxcoil.net>

On Mon, Aug 27, 2012 at 08:57:20AM +0200, David Sastre wrote:
> On Sun, Aug 26, 2012 at 6:05 AM, KodaK wrote:
> > Regardless, I need some help. I need some help with comparisons
> > between FreeIPA and AD, and the problems and issues one might
> > encounter when trying to authenticate Unix machines against AD.
> > Anything that can show IPA being superior to AD for *nix
> > authentication. Anything at all. We have a similar number of AIX and
> > Linux servers.
>
> SELinux + sudo centralized management doesn't exist at all in AD.

I guess it comes down to
- technical orientation of IPA: designed with linux/unix in mind, not windows
- open source, so all the default open vs. proprietary points apply:
  - no vendor lockin, if vendor decides not to continue the product you can take the source and do this for yourself
  - code can be audited
  - code seen by many eyes
  - ...

Christian

From pspacek at redhat.com Mon Aug 27 07:53:00 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 27 Aug 2012 09:53:00 +0200
Subject: [Freeipa-users] Question about migration and scripts variables
In-Reply-To:
References:
Message-ID: <503B275C.9020104@redhat.com>

On 08/17/2012 10:55 PM, James James wrote:
> my second question is about ipalib. I wanted to make a hook on the user
> creation. The hook works fine. I just want to know if there is a way to have
> the value of variables like the username, the name of the creator, the e-mail
> of the creator and stuff like that.

If you want to simply store name of entry creator, then you can use operational attributes creatorsName, createTimestamp, modifiersName and modifyTimestamp. You don't need to code anything new.

For example:

$ ldapsearch -Y GSSAPI -b idnsname=e.org,cn=dns,dc=e,dc=org createTimestamp creatorsName ...
will print:

# txt2, e.org, dns, e.org
dn: idnsName=txt2,idnsName=e.org,cn=dns,dc=e,dc=org
createTimestamp: 20120810114214Z
creatorsName: cn=directory manager

--
Petr^2 Spacek

From pspacek at redhat.com Mon Aug 27 11:53:09 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 27 Aug 2012 13:53:09 +0200
Subject: [Freeipa-users] Active Directory slave zone in FreeIPA DNS (Franklin)
In-Reply-To:
References:
Message-ID: <503B5FA5.3070503@redhat.com>

Hello,

On 08/23/2012 07:00 AM, Franklin Catoni wrote:
> >>Hi,
> Hello,
> >>Is the zone not transferring at all, or is it just the updates that's
> >>not transferred to the AD slave server?
> It's not transferring at all.
> >>If the zone is not transferring at all: Did you modify the "Allow
> >>transfer" property of the zone ?
> yes, I change the parameter to allow zone transfers from the AD
> >>If the updates is not transferring: I believe automatic increment of the
> >>zone serial number will be supported in IPA 3.0. The IPA developers will
> >>have to confirm that. However you can manually change the serial number
> >>under Zone Settings.
> Yes, I also read this information but I was hoping there was some other
> solution to the issue. And I've done manually change the serial number of the
> zone but without success
> >>Hope this helps.
> Thanks
>
> >>Regards,
> >>Siggi

I'm a bit confused, so I tried to summarize your configuration. Please correct me if I'm wrong:

zone "ejemplo.com" = hosted on AD server
zone "ejemplo.gob.ve" = hosted on FreeIPA server

What is your target? Do you want to have both zones on each server? I.e. one server will be master for one zone and slave for the other zone (at the same time)?

Zone transfers are supported from IPA 3.0. IPA can host only master zones, slave zones have to be set in /etc/named.conf manually. There is no centralized management of slave zones.
Generally, you can test zone-transfers with dig: slave$ dig @master_IP -t AXFR zone.name It should print something like: zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1 zone.example. 86400 IN NS unused-4-107.brq.redhat.com. zone.example. 86400 IN TXT "zone.example" ... zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1 This way you can test ACL and other settings on master. Does transfer with dig it work for both master servers? Petr^2 Spacek > > 2012/8/20 > > > Send Freeipa-users mailing list submissions to > freeipa-users at redhat.com > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/freeipa-users > or, via email, send a message with subject or body 'help' to > freeipa-users-request at redhat.com > > You can reach the person managing the list at > freeipa-users-owner at redhat.com > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Freeipa-users digest..." > > > Today's Topics: > > 1. Re: Active Directory slave zone in FreeIPA DNS (Sigbjorn Lie) > 2. Re: sssd client cache timer and merging IPA domains > (Rob Crittenden) > 3. Re: Question about migration and scripts variables > (Rob Crittenden) > 4. Specifying load balancing to SSSD clients (Innes, Duncan) > 5. Re: Specifying load balancing to SSSD clients (Mark St. Laurent) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sun, 19 Aug 2012 18:23:20 +0200 > From: Sigbjorn Lie > > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Active Directory slave zone in FreeIPA > DNS > Message-ID: <503112F8.8000900 at nixtra.com > > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed" > > On 08/19/2012 04:39 PM, Franklin Catoni wrote: > > Greetings community. > > > > I do not speak English so I will do my best. 
> > > > I have two environments in my company, a domain "ejemplo.com > > > " with Windows Active Directory running on Windows > > Server 2003 Enterprise Edition SP2 and domain "ejemplo.gob.ve > > > " with FreeIPA v2.2. mounted on Centos 6.3 x64. > > This is because we are in the middle of a platform migration process > > (a very slow process) from proprietary solutions to open source. > > > > DNS and DHCP service for my two environments is offered by the server > > Centos 6.3 which is mounted FreeIPA directory, clients are Windows > > computers Active Directory domain and linux computers in the domain Ipa. > > > > Currently the zone "ejemplo.gob.ve > " is > > administered by the FreeIPA DNS using the plugin > > (bind-dyndb-ldap.x86_64 v1.1.0) and I configure a slave zone using > > bind (bind-9.8.2-0.10.rc1.el6_3.2 . x86_64) for the domain > > "ejemplo.com " Active Directory > > > > Name resolution works perfectly for both Linux and Windows clients. > > > > Now here comes the tricky part > > > > In order to find a more centralized management of my services, I try > > to configure a slave zone to Active Directory through FreeIPA with > > dyndb bind-plugin-ldap and so to eliminate configuration through bind, > > but the transfers zone does not work, causing this many problems on > > both platforms. > > > > The log shows me the following error: > > > > ServidorIPA named[3706]: zone ejemplo.com/IN/local > > > : zone serial (2012081801) unchanged. > > zone may fail to transfer to slaves > > > > I've spent enough time looking at Super Google information that can > > help me but it has not been easy, because it seems to be a rare situation. > > > > I ask. You can set this up under these circumstances? > > Someone has accomplished? > > Some information that horiente me to get a solution? > > > > Thanks for your time. > > > Hi, > > Is the zone not transferring at all, or is it just the updates that's > not transferred to the AD slave server? 
> > If the zone is not transferring at all: Did yo modify the "Allow > transfer" property of the zone ? > > If the updates is not transferring: I believe automatic increment of the > zone serial number will be supported in IPA 3.0. The IPA developers will > have to confirm that. However you can manually change the serial number > under Zone Settings. > > Hope this helps. > > > Regards, > Siggi > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > > > ------------------------------ > > Message: 2 > Date: Mon, 20 Aug 2012 08:44:32 -0400 > From: Rob Crittenden > > To: Lucas Yamanishi > > Cc: "freeipa-users at redhat.com " > > > Subject: Re: [Freeipa-users] sssd client cache timer and merging IPA > domains > Message-ID: <50323130.6030102 at redhat.com > > Content-Type: text/plain; charset=UTF-8; format=flowed > > Lucas Yamanishi wrote: > > > > On 08/17/2012 08:38 AM, Rob Crittenden wrote: > >> Lucas Yamanishi wrote: > >>> > >>> On 08/16/2012 05:39 PM, Rob Crittenden wrote: > >>>> Lucas Yamanishi wrote: > >>>>> > >>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote: > >>>>>> Lucas Yamanishi wrote: > >>>>>>> I just migrated my IPA instance from one to another a couple days > >>>>>>> ago to > >>>>>>> recover after a lost CA and failed yum upgrade. The "ipa migrate-ds" > >>>>>>> tool works very well, though I am having a few very minor issues. On > >>>>>>> the upside, as far as I can tell, you can skip the steps about > >>>>>>> Kerberos > >>>>>>> key generation as outlined in the documentation. I've been able to > >>>>>>> kinit just fine with my migrated users. > >>>>>>> > >>>>>>> > >>>>>>> Below are the few errors I've noticed. > >>>>>>> > >>>>>>> * When I ssh into an enrolled host using a migrated user's > >>>>>>> credentials I > >>>>>>> get this error: > >>>>>>> > >>>>>>> id: cannot find name for group ID 104600003\ > >>>>>> > >>>>>> Does a group exist with that GID? 
You can try something like:
> >>>>>>
> >>>>>> $ ipa group-find --gid=104600003
> >>>>>>
> >>>>> The group doesn't exist. The GID is the counterpart to my UID.
> >>>>
> >>>> Try adding --private.
> >>>>
> >>>> rob
> >>>>
> >>> Nope. It doesn't exist.
> >>>
> >>> Other groups migrated. Why would the private groups fail?
> >>
> >> I don't know, what have you done to date, including versions?
> >>
> >> rob
> > I've been following the stable Scientific Linux releases since 6.1. Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now 2.2.0-16.el6.x86_64.
> >
> > So...
> > 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ----> 2.2.0-16.el6.x86_64
>
> Can you verify that managed entries are configured:
>
> # ipa-managed-entries -l
>
> It should return:
>
> UPG Definition
> NGP Definition
>
> This enables user-private groups and netgroup-private groups.
>
> rob
>
> ------------------------------
>
> Message: 3
> Date: Mon, 20 Aug 2012 08:56:51 -0400
> From: Rob Crittenden
> To: James James
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Question about migration and scripts variables
> Message-ID: <50323413.4090906 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> James James wrote:
> > Hi,
> >
> > my first question is about the migrate process. Is it possible to renumber the users during the migrate process (ipa migrate-ds) in a way that all imported users will have a new UID ?
>
> I haven't tested this but you might try --user-ignore-attribute=uidnumber,gidnumber.
>
> > my second question is about ipalib. I wanted to make a hook on the user creation. The hook works fine.
I just want to know if there is a way to have the value of variables like the username, the name of the creator, the e-mail of the creator and stuff like that.
>
> The current user is available via: principal = getattr(context, 'principal')
>
> Using this you can look up that user:
>
> (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
>
> rob
>
> ------------------------------
>
> Message: 4
> Date: Mon, 20 Aug 2012 14:48:30 +0100
> From: "Innes, Duncan"
> To:
> Subject: [Freeipa-users] Specifying load balancing to SSSD clients
> Message-ID: <56343345B145C043AE990701E3D193952B5511 at EXVS2.nrplc.localnet>
> Content-Type: text/plain; charset="us-ascii"
>
> Folks,
>
> Hopefully this isn't a dumb question, but I'm constrained by a few things on my estate and would be looking to deploy something like the following:
>
> 2 Datacentres
> 2 IPA servers at each datacentre
>
> ipa1.domain.com \_ datacentre A
> ipa2.domain.com /
>
> ipa3.domain.com \_ datacentre B
> ipa4.domain.com /
>
> The datacentres are linked, but bandwidth not great.
>
> Clients in datacentre A should therefore use ipa1.domain.com and ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4 when both 1 & 2 are out of action. Clients would revert to using ipa1/ipa2 whenever either of them came back online.
>
> I understand this configuration has already been done as part of https://fedorahosted.org/freeipa/ticket/2282
>
> What I'm wondering is if I can force my clients to load balance communication between ipa1 & ipa2.
>
> I don't have the ability to use the _srv_ records in DNS as that's set up for the AD servers on our network. I also can't create separate DNS servers for the Linux estate (not that I'd particularly want to).
>
> Is there any current configuration that I can use to force load balancing between ipa1/ipa2 under ideal conditions. Falling back to ipa2 when ipa1 is out of action.
Falling back to (load balanced perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.
>
> Hope the description is reasonable.
>
> Thanks
>
> Duncan Innes | Linux Architect
>
> ------------------------------
>
> Message: 5
> Date: Mon, 20 Aug 2012 10:15:08 -0400 (EDT)
> From: "Mark St. Laurent"
> To: Duncan Innes
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients
> Message-ID: <290044214.13057699.1345472108805.JavaMail.root at redhat.com>
> Content-Type: text/plain; charset="utf-8"
>
> http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
>
> Norman "Mark" St. Laurent
> Federal Team: Senior Solutions Architect
> Red Hat
> 8260 Greensboro Drive, Suite 300
> McLean VA, 22102
> Email: msl at redhat.com
> Cell: 703.772.1434
>
> Check this Link out!!! Cool Stuff: http://mil-oss.org/
>
> ----- Original Message -----
>
> From: "Duncan Innes"
> To: freeipa-users at redhat.com
> Sent: Monday, August 20, 2012 9:48:30 AM
> Subject: [Freeipa-users] Specifying load balancing to SSSD clients
>
> Folks,
>
> Hopefully this isn't a dumb question, but I'm constrained by a few things on my estate and would be looking to deploy something like the following:
>
> 2 Datacentres
> 2 IPA servers at each datacentre
>
> ipa1.domain.com \_ datacentre A
> ipa2.domain.com /
>
> ipa3.domain.com \_ datacentre B
> ipa4.domain.com /
>
> The datacentres are linked, but bandwidth not great.
>
> Clients in datacentre A should therefore use ipa1.domain.com and ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4 when both 1 & 2 are out of action. Clients would revert to using ipa1/ipa2 whenever either of them came back online.
>
> I understand this configuration has already been done as part of https://fedorahosted.org/freeipa/ticket/2282
>
> What I'm wondering is if I can force my clients to load balance communication between ipa1 & ipa2.
> > I don't have the ability to use the _srv_ records in DNS as that's set > up for the AD servers on our network. I also can't create separate DNS > servers for the Linux estate (not that I'd particularly want to). > > Is there any current configuration that I can use to force load > balancing between ipa1/ipa2 under ideal conditions. Falling back to > ipa2 when ipa1 is out of action. Falling back to (load balanced > perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action. > > Hope the description is reasonable. > > Thanks > > Duncan Innes | Linux Architect > From natxo.asenjo at gmail.com Mon Aug 27 12:17:30 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Mon, 27 Aug 2012 14:17:30 +0200 Subject: [Freeipa-users] Desperate help requested. In-Reply-To: References: Message-ID: On Sun, Aug 26, 2012 at 6:05 AM, KodaK wrote: > I've just been informed by my boss's boss's boss that, and I quote > from his ridiculous email: > > "we cannot use anything other than MS AD for authentication" > > I've spent months of time and much effort rolling out IPA, > consolidating authentication across our Linux and AIX machines. To > paraphrase Babbage: I am not able rightly to apprehend the kind of > confusion of ideas that could provoke such a statement. > > Regardless, I need some help. I need some help with comparisons > between FreeIPA and AD, and the problems and issues one might > encounter when trying to authenticate Unix machines against AD. > Anything that can show IPA being superior to AD for *nix > authentication. Anything at all. We have a similar number of AIX and > Linux servers. We have a week before we have a meeting to discuss > this, and I'd like to be armed to the teeth, if at all possible. > hi, you need to explain to upper management why using IPA your company will save money. They usually understand that sort of talk. Write a business case. In the documentation (both from RHEL and from freeipa.org) you will get plenty of useful info. 
Magnify the points where AD comes short for your use case (selinux, sudo, automounts, service credentials management - having used ktpass.exe I was amazed at how nice the keytab capabilities are from ipa -, hostgroups, ssh public key management, ..., the list goes on and on). Explain that *that* will not change and how much money it will cost your business (admin hours, security risks, missed compliance). Explain why the future is in the trust model in ipa v3. Explain that Windows admins are not expected to run a Windows network without AD, so why are Linux/AIX admins expected to run a network without a proper Linux/AIX identity management solution.

I feel your pain and can understand why you are upset, but try not to take this all personally. In the end, it is not your network.

Regards,
Natxo

From sakodak at gmail.com Mon Aug 27 18:12:46 2012
From: sakodak at gmail.com (KodaK)
Date: Mon, 27 Aug 2012 13:12:46 -0500
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To:
References:
Message-ID:

Thanks, everyone, for your input. It has helped tremendously.

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From Steven.Jones at vuw.ac.nz Mon Aug 27 21:06:24 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 27 Aug 2012 21:06:24 +0000
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To:
References: ,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD7A6D2@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

LOL, your problem is like my problem: we have Windows trained and educated managers, project managers and architects....

Well, on the plus side for IPA, go to Centrify or Likewise as 2 examples and get a quote to authenticate against AD. We got an "educational price" that made my jaw drop. In the region of $600 per server and $60 per user plus 25% support per year was typical across all three products.
vs IPA which is "free" with one copy of RH. I think you'll find it a lot cheaper.

The thing is, the above are hacks; if you want to do much with them you end up with their scripts on your machines all over the place and even writing your own. Have an issue and RH won't know where to turn. With Likewise for instance you may end up getting all your support via them, which can add cost and delays as well. Here in NZ at least there is no real local support for these products; you ring an 0800 number (if you are lucky) and get told it's 2am US time and ring back in 8 hours....bad joke.

The big thing is IPA has depth, and a great road map. It's not just simple authenticate and authorise....you can control services with detail (like ssh only) and sudo....big pluses. Now the likes of Centrify say they can and that's true, if you code yourself or pay them to do it, or there is an existing script.

Also look at the training and deployment costs of IPA vs something like Centrify....with IPA and 4 days RH training you will probably be able to do a decent sized rollout....Centrify, well you might find you need a consultant or 2 at $2k a day....

On the minus side, IPA isn't yet mature/stable enough, IMHO. If our/my experiences are anything to go by it needs at least another 6 to 12 months to work out the bugs, get the documentation usable and get RH support up to speed, but that will come.

NB anyone on 6.2 and thinking of going to 6.3: it seems the chances of serious outages are significant.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Natxo Asenjo [natxo.asenjo at gmail.com]
Sent: Tuesday, 28 August 2012 12:17 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.
On Sun, Aug 26, 2012 at 6:05 AM, KodaK wrote:

I've just been informed by my boss's boss's boss that, and I quote from his ridiculous email:

"we cannot use anything other than MS AD for authentication"

I've spent months of time and much effort rolling out IPA, consolidating authentication across our Linux and AIX machines. To paraphrase Babbage: I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a statement.

Regardless, I need some help. I need some help with comparisons between FreeIPA and AD, and the problems and issues one might encounter when trying to authenticate Unix machines against AD. Anything that can show IPA being superior to AD for *nix authentication. Anything at all. We have a similar number of AIX and Linux servers. We have a week before we have a meeting to discuss this, and I'd like to be armed to the teeth, if at all possible.

hi,

you need to explain to upper management why using IPA your company will save money. They usually understand that sort of talk. Write a business case. In the documentation (both from RHEL and from freeipa.org) you will get plenty of useful info. Magnify the points where AD comes short for your use case (selinux, sudo, automounts, service credentials management - having used ktpass.exe I was amazed at how nice the keytab capabilities are from ipa -, hostgroups, ssh public key management, ..., the list goes on and on). Explain that *that* will not change and how much money it will cost your business (admin hours, security risks, missed compliance). Explain why the future is in the trust model in ipa v3. Explain that Windows admins are not expected to run a Windows network without AD, so why are Linux/AIX admins expected to run a network without a proper Linux/AIX identity management solution.

I feel your pain and can understand why you are upset, but try not to take this all personally. In the end, it is not your network.
Regards,
Natxo

From Duncan.Innes at virginmoney.com Tue Aug 28 07:19:33 2012
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 28 Aug 2012 08:19:33 +0100
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To:
References:
Message-ID: <56343345B145C043AE990701E3D193952B5545@EXVS2.nrplc.localnet>

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of KodaK
> Sent: 26 August 2012 05:06
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Desperate help requested.
>
> I've just been informed by my boss's boss's boss that, and I quote from his ridiculous email:
>
> "we cannot use anything other than MS AD for authentication"
>
> I've spent months of time and much effort rolling out IPA, consolidating authentication across our Linux and AIX machines. To paraphrase Babbage: I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a statement.
>
> Regardless, I need some help. I need some help with comparisons between FreeIPA and AD, and the problems and issues one might encounter when trying to authenticate Unix machines against AD. Anything that can show IPA being superior to AD for *nix authentication. Anything at all. We have a similar number of AIX and Linux servers. We have a week before we have a meeting to discuss this, and I'd like to be armed to the teeth, if at all possible.
>
> Thanks for any help you can give. And wish me luck.
>
> Thanks,
>
> --Jason
>

I faced a similar situation recently, but my version wasn't worded so harshly. The line to take has already been pointed out - IPA managed sudo & SELinux from a central point. These concepts are entirely outwith the capabilities of Active Directory. You could also state the yet-to-be-developed 'A' part of IPA for any Auditing requirements.
We also emphasised here that AD was written purely for Windows domains and that the effort put in to allowing extra schema for Unix domains is really not ideal. You should state, if you have not already done so, that you plan to link the AD and IPA domains (via a trust or a sync). That will allay any fears that users will have different passwords or even usernames to access various machines. So your boss's boss's boss can be assured that you are *authenticating* against AD, but you should still be able to have IPA in there to manage the idiosyncrasies of the Unix estate. Hope this helps Duncan Northern Rock plc is part of the Virgin Money group of companies. This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message. Virgin Money Personal Financial Service Limited is authorised and regulated by the Financial Services Authority. Company no. 3072766. Virgin Money Unit Trust Managers Limited is authorised and regulated by the Financial Services Authority. Company no. 3000482. Virgin Money Cards Limited. Introducer appointed representative only of Virgin Money Personal Financial Service Limited. Company no. 4232392. Virgin Money Management Services Limited. Company no. 3072772. Virgin Money Holdings (UK) Limited. Company no. 3087587. Each of the above companies is registered in England and Wales and has its registered office at Discovery House, Whiting Road, Norwich NR4 6EJ. Northern Rock plc. Authorised and regulated by the Financial Services Authority. Registered in England and Wales (Company no. 6952311) with its registered office at Northern Rock House, Gosforth, Newcastle upon Tyne NE3 4PL. The above companies use the trading name Virgin Money. From freeipa at noboost.org Tue Aug 28 07:44:54 2012 From: freeipa at noboost.org (freeipa at noboost.org) Date: Tue, 28 Aug 2012 17:44:54 +1000 Subject: [Freeipa-users] Default Expiry on IPA? 
Message-ID: <20120828074454.GA28207@noboost.org>

Hi All,

System:
Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-server-2.2.0

Question:
Has anyone managed to actually set an expiry date (or a longer 900+ day expiry time) on user account passwords in IPA?

From my testing, the default of 90 days is hard coded and the only way to extend it is via LDAP and the "krbPasswordExpiration:" attribute?

cya

Craig

From pvoborni at redhat.com Tue Aug 28 10:18:53 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 28 Aug 2012 12:18:53 +0200
Subject: [Freeipa-users] Default Expiry on IPA?
In-Reply-To: <20120828074454.GA28207@noboost.org>
References: <20120828074454.GA28207@noboost.org>
Message-ID: <503C9B0D.1050900@redhat.com>

On 08/28/2012 09:44 AM, freeipa at noboost.org wrote:
> Hi All,
>
> System:
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
> ipa-server-2.2.0
>
> Question:
> Has anyone managed to actually set an expiry date (or a longer 900+ day expiry time) on user account passwords in IPA?
>
> From my testing, the default of 90 days is hard coded and the only way to extend it is via LDAP and the "krbPasswordExpiration:" attribute?
>
> cya
>
> Craig
>

Hi Craig,

You can set password policies for various user groups. In IPA there is a default policy: global_policy. You can change password max life to 1000 days by the following command:

# ipa pwpolicy-mod --maxlife=1000

Or in Web UI: Policy/Password Policies/global_policy

When a user resets his password this policy will be applied to it.

IPA CLI and Web UI don't have options to set a user password's expiration date directly.

Regards
--
Petr Vobornik

From rcritten at redhat.com Tue Aug 28 12:56:56 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Aug 2012 08:56:56 -0400
Subject: [Freeipa-users] Default Expiry on IPA?
In-Reply-To: <503C9B0D.1050900@redhat.com>
References: <20120828074454.GA28207@noboost.org> <503C9B0D.1050900@redhat.com>
Message-ID: <503CC018.4000301@redhat.com>

Petr Vobornik wrote:
> On 08/28/2012 09:44 AM, freeipa at noboost.org wrote:
>> Hi All,
>>
>> System:
>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>> ipa-server-2.2.0
>>
>> Question:
>> Has anyone managed to actually set an expiry date (or a longer 900+ day expiry time) on user account passwords in IPA?
>>
>> From my testing, the default of 90 days is hard coded and the only way to extend it is via LDAP and the "krbPasswordExpiration:" attribute?
>>
>> cya
>>
>> Craig
>>
>
> Hi Craig,
>
> You can set password policies for various user groups. In IPA there is a default policy: global_policy. You can change password max life to 1000 days by the following command:
>
> # ipa pwpolicy-mod --maxlife=1000
>
> Or in Web UI: Policy/Password Policies/global_policy
>
> When a user resets his password this policy will be applied to it.
>
> IPA CLI and Web UI don't have options to set a user password's expiration date directly.
>

I just want to stress one point here. The expiration date is set when a password is changed. Changing the policy does not affect current password expiration dates.

rob

From mstlaure at redhat.com Tue Aug 28 18:36:54 2012
From: mstlaure at redhat.com (Mark St. Laurent)
Date: Tue, 28 Aug 2012 14:36:54 -0400 (EDT)
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To: <56343345B145C043AE990701E3D193952B5545@EXVS2.nrplc.localnet>
Message-ID: <1402259175.4699786.1346179014676.JavaMail.root@redhat.com>

Don't forget security policies and governance... I am in the federal space, but know that Regulations such as Sarbanes-Oxley and HIPAA, FETPA, PCI, FERC, and Gramm-Leach-Bliley and audits are important in the commercial space. Regulations and Compliance force companies to become stricter with IT security and access management.
Of course, it's still possible to be compliant without identity governance, but the odds of encountering mistakes and less than perfect audits rise considerably. Identity governance is the automated control of user identity in order to manage access to company data. Typically, this pertains to business insiders, such as employees, partners, contractors, and so on.

Perhaps you need to explain the situation in your boss's boss's boss's language... Industries and companies are subject to a web of regulations that impose strict legal requirements with regard to the handling of information. A failure on your organization's part to comply with these laws can lead to fines, costly litigation, negative publicity, and lost business opportunities.

Attached is one of our Red Hat Summit slides you can dig through to get good information to back your case. Every slide will just about help you out.

Best regards,

Norman "Mark" St. Laurent
Federal Team: Senior Solutions Architect
Red Hat
8260 Greensboro Drive, Suite 300
McLean VA, 22102
Email: msl at redhat.com
Cell: 703.772.1434

Check this Link out!!! Cool Stuff: http://mil-oss.org/

----- Original Message -----
From: "Duncan Innes"
To: "KodaK" , freeipa-users at redhat.com
Sent: Tuesday, August 28, 2012 3:19:33 AM
Subject: Re: [Freeipa-users] Desperate help requested.

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of KodaK
> Sent: 26 August 2012 05:06
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Desperate help requested.
>
> I've just been informed by my boss's boss's boss that, and I quote from his ridiculous email:
>
> "we cannot use anything other than MS AD for authentication"
>
> I've spent months of time and much effort rolling out IPA, consolidating authentication across our Linux and AIX machines.
To paraphrase Babbage: I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a statement.
>
> Regardless, I need some help. I need some help with comparisons between FreeIPA and AD, and the problems and issues one might encounter when trying to authenticate Unix machines against AD. Anything that can show IPA being superior to AD for *nix authentication. Anything at all. We have a similar number of AIX and Linux servers. We have a week before we have a meeting to discuss this, and I'd like to be armed to the teeth, if at all possible.
>
> Thanks for any help you can give. And wish me luck.
>
> Thanks,
>
> --Jason
>

I faced a similar situation recently, but my version wasn't worded so harshly. The line to take has already been pointed out - IPA managed sudo & SELinux from a central point. These concepts are entirely outwith the capabilities of Active Directory. You could also state the yet-to-be-developed 'A' part of IPA for any Auditing requirements.

We also emphasised here that AD was written purely for Windows domains and that the effort put in to allowing extra schema for Unix domains is really not ideal.

You should state, if you have not already done so, that you plan to link the AD and IPA domains (via a trust or a sync). That will allay any fears that users will have different passwords or even usernames to access various machines. So your boss's boss's boss can be assured that you are *authenticating* against AD, but you should still be able to have IPA in there to manage the idiosyncrasies of the Unix estate.

Hope this helps

Duncan

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: newlands_managing_identity_and_access.pdf
Type: application/pdf
Size: 657482 bytes
Desc: not available

From mmercier at gmail.com Tue Aug 28 20:48:00 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Tue, 28 Aug 2012 16:48:00 -0400
Subject: [Freeipa-users] PAM / SSSD / HBAC (was: Re: tacacs+ integration)
In-Reply-To: <50353D31.2050807@redhat.com>
References: <3E60BCF6-E21C-44CD-A42B-38B6E429DC4C@gmail.com> <50353D31.2050807@redhat.com>
Message-ID:

On 2012-08-22, at 4:12 PM, Rob Crittenden wrote:

> Michael Mercier wrote:
>> Hello,
>>
>> In Aug 2010, someone posted a message to this list about integrating tacacs+ with freeipa
>> https://www.redhat.com/archives/freeipa-users/2010-August/msg00058.html
>>
>> At the time, it was mentioned that this was not on the roadmap, has this changed?
>
> No, still not on the roadmap.
>
>> If RedHat has no plans to do this, where can I find the freeipa documentation that would allow me to do a proof-of-concept? I would use the freely available tac_plus (http://www.shrubbery.net/tac_plus/) as a starting point.
>
> http://freeipa.org/page/Contribute (in Developer Documentation and Development Process) and
> http://abbra.fedorapeople.org/freeipa-extensibility.html
>
>> Some of the specific things I am looking for:
>> 1. How should passwords be verified? sssd, pam, ldap lookup, krb?
>> 2. How the ldap schema should be designed for best integration?
>
> I'd start by seeing if there is already one defined as a real or quasi standard.
>
>> 3. The proper way to query the ldap server (standard ldap calls or is there some specific freeipa api)
>
> Standard LDAP calls.
>
>> 4. I am sure I am not asking something!!
>>
>> I tried asking some similar questions on freeipa-devel but didn't receive a response.
>
> rob

Hello,

I have started playing with having the tac_plus daemon use Freeipa and have some questions regarding HBAC.

I have done the following:

1. Created a DNS entry for my device: pix.beta.local <-> 192.168.0.1
2. Disabled the 'allow_all' HBAC rule
3. Created an HBAC rule tacacs with the following:
   a) who: user group: ciscoadmin - user mike is part of ciscoadmin
   b) Accessing: hosts: pix.beta.local
   c) via service: tac_plus
   d) from: any host

I can successfully login (auth) to a Cisco ASA via the tac_plus daemon using PAM. I have added some code to also attempt to do PAM accounting for the device and can't get this to work.
Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:auth): authentication success; logname=root uid=0 euid=0 tty= ruser= rhost=192.168.0.1 user=mike
Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:account): Access denied for user mike: 6 (Permission denied)

If I add the host (ipaserver.beta.local) the daemon is running on to the 'Accessing' list or enable the 'allow_all' rule, I am able to login.

I see the following in my audit.log:

type=USER_AUTH msg=audit(1346184814.834:168): user pid=2217 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="mike" exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 addr=192.168.0.1 terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1346184814.845:169): user pid=2217 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="mike" exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 addr=192.168.0.1 terminal=pts/0 res=failed'

It seems that the machine the daemon is running on is being used for the HBAC rule (at least that is what it looks like from the dirsrv access log):

[28/Aug/2012:16:13:33 -0400] conn=29 op=45 SRCH base="cn=hbac,dc=beta,dc=local" scope=2 filter="(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ipaserver.beta.local,cn=computers,cn=accounts,dc=beta,dc=local)))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag accessRuleType memberUser userCategory memberService serviceCategory sourceHost sourceHostCategory externalHost memberHost hostCategory"

Is it possible to get the 'hostname' (pix.beta.local/192.168.0.1) passed through to HBAC?
It looks like the 'msg' portion of the audit data is coming from PAM (Is this correct)?
Should I be posting this to the devel list instead?
Thanks,
Mike

From rcritten at redhat.com Tue Aug 28 21:21:46 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Aug 2012 17:21:46 -0400
Subject: [Freeipa-users] PAM / SSSD / HBAC
In-Reply-To:
References: <3E60BCF6-E21C-44CD-A42B-38B6E429DC4C@gmail.com> <50353D31.2050807@redhat.com>
Message-ID: <503D366A.4060307@redhat.com>

Michael Mercier wrote:
> On 2012-08-22, at 4:12 PM, Rob Crittenden wrote:
>
>> Michael Mercier wrote:
>>> Hello,
>>>
>>> In Aug 2010, someone posted a message to this list about integrating tacacs+ with freeipa
>>> https://www.redhat.com/archives/freeipa-users/2010-August/msg00058.html
>>>
>>> At the time, it was mentioned that this was not on the roadmap, has this changed?
>>
>> No, still not on the roadmap.
>>
>>> If RedHat has no plans to do this, where can I find the freeipa documentation that would allow me to do a proof-of-concept? I would use the freely available tac_plus (http://www.shrubbery.net/tac_plus/) as a starting point.
>>
>> http://freeipa.org/page/Contribute (in Developer Documentation and Development Process) and
>> http://abbra.fedorapeople.org/freeipa-extensibility.html
>>
>>> Some of the specific things I am looking for:
>>> 1. How should passwords be verified? sssd, pam, ldap lookup, krb?
>>> 2. How the ldap schema should be designed for best integration?
>>
>> I'd start by seeing if there is already one defined as a real or quasi standard.
>>
>>> 3. The proper way to query the ldap server (standard ldap calls or is there some specific freeipa api)
>>
>> Standard LDAP calls.
>>
>>> 4. I am sure I am not asking something!!
>>>
>>> I tried asking some similar questions on freeipa-devel but didn't receive a response.
>>
>> rob
>
> Hello,
>
> I have started playing with having the tac_plus daemon use Freeipa and have some questions regarding HBAC.
>
> I have done the following:
>
> 1. Created a DNS entry for my device: pix.beta.local <-> 192.168.0.1
> 2.
Disabled the 'allow_all' HBAC rule > 3. Created an HBAC rule tacacs with the following: > a) who: user group: ciscoadmin - user mike is part of ciscoadmin > b) Accessing: hosts: pix.beta.local > c) via service: tac_plus > d) from: any host > > I can successfully login (auth) to a Cisco ASA via the tac_plus daemon using PAM. I have added some code to also attempt to do PAM accounting for the device and can't get this to work. > > Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:auth): authentication success; logname=root uid=0 euid=0 tty= ruser= rhost=192.168.0.1 user=mike > Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:account): Access denied for user mike: 6 (Permission denied) > > If I add the host (ipaserver.beta.local) the daemon is running on to the 'Accessing' list or enable the 'allow_all' rule, I am able to login. > > I see the following in my audit.log > type=USER_AUTH msg=audit(1346184814.834:168): user pid=2217 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="mike" exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 addr=192.168.0.1 terminal=pts/0 res=success' > type=USER_ACCT msg=audit(1346184814.845:169): user pid=2217 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="mike" exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 addr=192.168.0.1 terminal=pts/0 res=failed' > > It seems that the machine the daemon is running on is being used for the HBAC rule (at least that is what is looks like from the dirsrv access log) > [28/Aug/2012:16:13:33 -0400] conn=29 op=45 SRCH base="cn=hbac,dc=beta,dc=local" scope=2 filter="(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ipaserver.beta.local,cn=computers,cn=accounts,dc=beta,dc=local)))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag accessRuleType memberUser userCategory memberService 
serviceCategory sourceHost sourceHostCategory externalHost memberHost hostCategory" > > Is it possible to get the 'hostname' (pix.beta.local/192.168.0.1) passed through to HBAC? > It looks like the 'msg' portion of the audit data is coming from PAM (Is this correct)? > Should I be posting this to the devel list instead? > An educated guess would be that the tac_plus daemon would need to be modified to send the requesting server hostname to PAM. rob From erinn.looneytriggs at gmail.com Tue Aug 28 21:54:12 2012 From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs) Date: Tue, 28 Aug 2012 13:54:12 -0800 Subject: [Freeipa-users] SELinux user mapping Message-ID: <503D3E04.9030202@gmail.com> I am hoping I haven't missed something here, but it appears that the SELinux user mapping portion is not working for me. This is tested on a RHEL 6.3 client and server. The rule I have: Rule name: Developers staff_U SELinux User: staff_u:s0-s0:c0.c1023 Description: Confines developers on dev machines to the staff_u role, allowing them to run sudo. Enabled: TRUE User Groups: developers Host Groups: developer_systems What this rule seems to say, at least to me, is members of the developers groups, on a system in the developer_systems group, should be mapped to staff_u. However when logging in as a test user that is a member of that group, on a member host of the developer_systems group, id -Z lists the user as unconfined: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Is there some modification to the sssd config that needs to be made, or possibly something in PAM? Thanks, -Erinn -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 551 bytes Desc: OpenPGP digital signature URL: From jhrozek at redhat.com Wed Aug 29 07:23:03 2012 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 29 Aug 2012 09:23:03 +0200 Subject: [Freeipa-users] SELinux user mapping In-Reply-To: <503D3E04.9030202@gmail.com> References: <503D3E04.9030202@gmail.com> Message-ID: <20120829072303.GD28331@zeppelin.brq.redhat.com> On Tue, Aug 28, 2012 at 01:54:12PM -0800, Erinn Looney-Triggs wrote: > I am hoping I haven't missed something here, but it appears that the > SELinux user mapping portion is not working for me. This is tested on a > RHEL 6.3 client and server. > > The rule I have: > > Rule name: Developers staff_U > SELinux User: staff_u:s0-s0:c0.c1023 > Description: Confines developers on dev machines to the staff_u role, > allowing them to run sudo. > Enabled: TRUE > User Groups: developers > Host Groups: developer_systems > > What this rule seems to say, at least to me, is members of the > developers groups, on a system in the developer_systems group, should be > mapped to staff_u. > > However when logging in as a test user that is a member of that group, > on a member host of the developer_systems group, id -Z lists the user as > unconfined: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > Is there some modification to the sssd config that needs to be made, or > possibly something in PAM? > > Thanks, > > -Erinn > Hi Erinn, unfortunately, the SELinux mapping feature was completely broken in 6.3. We've been working on fixing all the bugs during the 6.4 development, ended up pretty much rewriting the feature from scratch and as far as I know, it's working fine in the 1.9 pre-release. SSSD 1.9 is going to be part of 6.4..alternatively, the pre-releases were already built for Fedora 18. 
From erinn.looneytriggs at gmail.com Wed Aug 29 07:26:01 2012 From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs) Date: Tue, 28 Aug 2012 23:26:01 -0800 Subject: [Freeipa-users] SELinux user mapping In-Reply-To: <20120829072303.GD28331@zeppelin.brq.redhat.com> References: <503D3E04.9030202@gmail.com> <20120829072303.GD28331@zeppelin.brq.redhat.com> Message-ID: <503DC409.3030608@gmail.com> On 08/28/2012 11:23 PM, Jakub Hrozek wrote: > On Tue, Aug 28, 2012 at 01:54:12PM -0800, Erinn Looney-Triggs wrote: >> I am hoping I haven't missed something here, but it appears that the >> SELinux user mapping portion is not working for me. This is tested on a >> RHEL 6.3 client and server. >> >> The rule I have: >> >> Rule name: Developers staff_U >> SELinux User: staff_u:s0-s0:c0.c1023 >> Description: Confines developers on dev machines to the staff_u role, >> allowing them to run sudo. >> Enabled: TRUE >> User Groups: developers >> Host Groups: developer_systems >> >> What this rule seems to say, at least to me, is members of the >> developers groups, on a system in the developer_systems group, should be >> mapped to staff_u. >> >> However when logging in as a test user that is a member of that group, >> on a member host of the developer_systems group, id -Z lists the user as >> unconfined: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >> >> Is there some modification to the sssd config that needs to be made, or >> possibly something in PAM? >> >> Thanks, >> >> -Erinn >> > > Hi Erinn, > > unfortunately, the SELinux mapping feature was completely broken in 6.3. > > We've been working on fixing all the bugs during the 6.4 development, > ended up pretty much rewriting the feature from scratch and as far as I > know, it's working fine in the 1.9 pre-release. > > SSSD 1.9 is going to be part of 6.4..alternatively, the pre-releases > were already built for Fedora 18. 
> > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > Well that explains that. Glad it wasn't just me. Thanks for the info, -Erinn -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 551 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Wed Aug 29 11:23:07 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 29 Aug 2012 07:23:07 -0400 Subject: [Freeipa-users] PAM / SSSD / HBAC In-Reply-To: <503D366A.4060307@redhat.com> References: <3E60BCF6-E21C-44CD-A42B-38B6E429DC4C@gmail.com> <50353D31.2050807@redhat.com> <503D366A.4060307@redhat.com> Message-ID: <1346239387.2734.7.camel@sgallagh520.sgallagh.bos.redhat.com> On Tue, 2012-08-28 at 17:21 -0400, Rob Crittenden wrote: > Michael Mercier wrote: > > On 2012-08-22, at 4:12 PM, Rob Crittenden wrote: > > > >> Michael Mercier wrote: > >>> Hello, > >>> > >>> In Aug 2010, someone posted a message to this list about integrating > >>> tacacs+ with freeipa > >>> https://www.redhat.com/archives/freeipa-users/2010-August/msg00058.html > >>> > >>> At the time, it was mentioned that this was not on the roadmap, has this > >>> changed? > >> > >> No, still not on the roadmap. > >> > >> > >>> If RedHat has no plans to do this, where can I find the freeipa > >>> documentation that would allow me to do a proof-of-concept? I would use > >>> the freely available tac_plus (http://www.shrubbery.net/tac_plus/) as a > >>> staring point. > >> > >> http://freeipa.org/page/Contribute (in Developer Documentation and Developement Process) and > >> http://abbra.fedorapeople.org/freeipa-extensibility.html > >> > >>> > >>> Some of the specific things I am looking for: > >>> 1. How should passwords be verified? sssd, pam, ldap lookup, krb? > >>> 2. How the ldap schema should be designed for best integration? 
> >> > >> I'd start by seeing if there is already one defined as a real or quasi standard. > >> > >>> 3. The proper way to query the ldap server (standard ldap calls or is > >>> there some specific freeipa api) > >> > >> Standard LDAP calls. > >> > >>> 4. I am sure I am not asking something!! > >>> > >>> I tried asking some similar questions on freeipa-devel but didn't > >>> receive a response. > >> > >> rob > > > > Hello, > > > > I have started playing with having the tac_plus daemon use Freeipa and have some questions regarding HBAC. > > > > I have done the following: > > > > 1. Created a DNS entry for my device: pix.beta.local <-> 192.168.0.1 > > 2. Disabled the 'allow_all' HBAC rule > > 3. Created an HBAC rule tacacs with the following: > > a) who: user group: ciscoadmin - user mike is part of ciscoadmin > > b) Accessing: hosts: pix.beta.local > > c) via service: tac_plus > > d) from: any host > > > > I can successfully login (auth) to a Cisco ASA via the tac_plus daemon using PAM. I have added some code to also attempt to do PAM accounting for the device and can't get this to work. > > > > Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:auth): authentication success; logname=root uid=0 euid=0 tty= ruser= rhost=192.168.0.1 user=mike > > Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:account): Access denied for user mike: 6 (Permission denied) > > > > If I add the host (ipaserver.beta.local) the daemon is running on to the 'Accessing' list or enable the 'allow_all' rule, I am able to login. 
> > > > I see the following in my audit.log > > type=USER_AUTH msg=audit(1346184814.834:168): user pid=2217 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="mike" exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 addr=192.168.0.1 terminal=pts/0 res=success' > > type=USER_ACCT msg=audit(1346184814.845:169): user pid=2217 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="mike" exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 addr=192.168.0.1 terminal=pts/0 res=failed' > > > > It seems that the machine the daemon is running on is being used for the HBAC rule (at least that is what is looks like from the dirsrv access log) > > [28/Aug/2012:16:13:33 -0400] conn=29 op=45 SRCH base="cn=hbac,dc=beta,dc=local" scope=2 filter="(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ipaserver.beta.local,cn=computers,cn=accounts,dc=beta,dc=local)))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag accessRuleType memberUser userCategory memberService serviceCategory sourceHost sourceHostCategory externalHost memberHost hostCategory" > > > > Is it possible to get the 'hostname' (pix.beta.local/192.168.0.1) passed through to HBAC? > > It looks like the 'msg' portion of the audit data is coming from PAM (Is this correct)? > > Should I be posting this to the devel list instead? > > > > An educated guess would be that the tac_plus daemon would need to be > modified to send the requesting server hostname to PAM. SSSD doesn't support source host processing because it was an impossible feature to implement properly. PAM provides a srchost attribute, but specifies no requirements for what it should contain. It may contain: * The remote host's hostname as offered by that remote host - This cannot be trusted, as the remote host may be lying. Potential security issue. 
* The remote host's IP address - this would necessitate us doing an rDNS lookup and trying every possible hostname that is returned, which exposes us to DNS poisoning attacks. Potential security issue
* Some arbitrary data provided by either the remote server or the local application.

Since we have no specification for what must be in this field or how it is presented to us, there's no secure way to determine whether the remote host actually is the one it claims to be.

Our general answer here is that if you need to be doing srchost processing, the only secure way to do that is at the firewall level. This is a limitation of the existing PAM technology and is NOT solvable by SSSD.

From cevich at redhat.com Wed Aug 29 15:45:58 2012
From: cevich at redhat.com (Chris Evich)
Date: Wed, 29 Aug 2012 11:45:58 -0400
Subject: [Freeipa-users] KISS: DHCP from IPA
Message-ID: <503E3936.6040707@redhat.com>

Kool Idm Simple Script :D

In case it's helpful to anyone else, I've been using a simple script to keep my dhcp server's static entries in-sync with ipa host info. Since I'm using IPA 2.1 on Fedora 16, I had to hijack the 'location' host info key to store the MAC address for each host. IIRC, IPA 2.2 and later can add custom keys, however 'location' works fine for my purposes.

This is most probably the slowest way to do this, however it's simple and works well for my very small setup.
First I configured dhcpd (/etc/dhcp/dhcpd.conf) similar to:

---cut---
authoritative;                  #we are the definitive DHCP server on network
ping-check true;                #try to ping all hosts before committing
one-lease-per-client on;
ddns-update-style none;
max-lease-time 432000;          #maximum lease time is 5 days
default-lease-time 86400;       #default to 24 hour leases
pid-file-name "/var/run/dhcpd.pid";
lease-file-name "/var/lib/dhcpd/dhcpd.leases";
log-facility local5;

subnet <> netmask 255.255.255.0 {
    option domain-name "fqdn.com";
    option domain-name-servers <>, <>, <>;
    option subnet-mask 255.255.255.0;
    option broadcast-address <>;
    option routers <>;
    #pool of dynamically allocatable addresses 200 - 249
    pool {
        range <>.200 <>.249;
    }
}

# static entries in separate file
include "/etc/dhcp/dhcpd.known_hosts";
---cut---

Then, I stuck a cron entry to redirect the output from the script below, into /etc/dhcp/dhcpd.known_hosts and it's been working beautifully. Enjoy!

---cut---
#!/bin/bash
# Principal from the host keytab used to authenticate the ipa lookup
KRBPRINC='host/fqdn.com@DOMAIN.COM'

# Turn one "ipa host-find --all" entry into a dhcpd host stanza.
# The MAC address is stored in the host's Location field (see above).
print_entry() {
    hostinfo="$1"
    hostname=`echo "$1" | awk '/Host name: /{print $3}'`
    macaddr=`echo "$1" | awk '/Location: /{print $2}'`
    if [ -n "$hostname" ] && [ -n "$macaddr" ]
    then
        shortname=`echo "$hostname" | cut -d "." -f 1`
        echo "host $shortname { hardware ethernet $macaddr; fixed-address $hostname; }"
    #else
    #    echo -e "Error parsing entry:\n${hostinfo}" > /dev/stderr
    fi
}

kinit -k "$KRBPRINC"
infoblock=""
# host-find prints one block per entry: a "dn: fqdn=" line opens the next
# entry and "Number of entries returned" follows the last, so either marker
# means the block collected so far is complete.
ipa host-find --all | while read -r line
do
    if ( echo "$line" | grep -q 'dn: fqdn=' ) || \
       ( echo "$line" | grep -q 'Number of entries returned' )
    then
        # parse last complete entry
        print_entry "$infoblock"
        # start recording new entry
        infoblock="$line"
    else
        # still getting lines for entry
        # append to previous lines
        infoblock="$infoblock $line"
    fi
done
kdestroy
---cut---

From jdennis at redhat.com Wed Aug 29 15:57:14 2012
From: jdennis at redhat.com (John Dennis)
Date: Wed, 29 Aug 2012 11:57:14 -0400
Subject: [Freeipa-users] KISS: DHCP from IPA
In-Reply-To: <503E3936.6040707@redhat.com>
References: <503E3936.6040707@redhat.com>
Message-ID: <503E3BDA.4010002@redhat.com>

Thanks for the contribution Chris!

Just as an aside if you know Python you can call the IPA commands directly and use Python to extract and reformat the data, it might be a lot simpler than doing the bash/awk dance.

-- 
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From cevich at redhat.com Wed Aug 29 18:21:04 2012
From: cevich at redhat.com (Chris Evich)
Date: Wed, 29 Aug 2012 14:21:04 -0400
Subject: [Freeipa-users] KISS: DHCP from IPA
In-Reply-To: <503E3BDA.4010002@redhat.com>
References: <503E3936.6040707@redhat.com> <503E3BDA.4010002@redhat.com>
Message-ID: <503E5D90.3060307@redhat.com>

On 08/29/2012 11:57 AM, John Dennis wrote:
> Thanks for the contribution Chris!
>
> Just as an aside if you know Python you can call the IPA commands
> directly and use Python to extract and reformat the data, it might be a
> lot simpler than doing the bash/awk dance.
>

I agree that using bash/sed/awk is a bit clunky. I actually did stumble on the python stuff by accident, but wasn't able to find much reference / examples for how to use it. At the time I just needed something quick to toss-together.
Maybe the python docs/examples are different today, any links handy? -- Chris Evich, RHCA, RHCE, RHCDS, RHCSS Quality Assurance Engineer e-mail: cevich + `@' + redhat.com o: 1-888-RED-HAT1 x44214 From lyamanishi at sesda2.com Wed Aug 29 19:02:30 2012 From: lyamanishi at sesda2.com (Lucas Yamanishi) Date: Wed, 29 Aug 2012 15:02:30 -0400 Subject: [Freeipa-users] sssd client cache timer and merging IPA domains In-Reply-To: <5032611F.4070907@sesda2.com> References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> <502D69C1.3040301@sesda2.com> <502E3B5A.9030401@redhat.com> <502E6C41.1060209@sesda2.com> <50323130.6030102@redhat.com> <5032611F.4070907@sesda2.com> Message-ID: <503E6746.7090408@sesda2.com> On 08/20/2012 12:09 PM, Lucas Yamanishi wrote: > On 08/20/2012 08:44 AM, Rob Crittenden wrote: >> Lucas Yamanishi wrote: >>> >>> On 08/17/2012 08:38 AM, Rob Crittenden wrote: >>>> Lucas Yamanishi wrote: >>>>> >>>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote: >>>>>> Lucas Yamanishi wrote: >>>>>>> >>>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote: >>>>>>>> Lucas Yamanishi wrote: >>>>>>>>> I just migrated my IPA instance from one to another a couple days >>>>>>>>> ago to >>>>>>>>> recover after a lost CA and failed yum upgrade. The "ipa >>>>>>>>> migrate-ds" >>>>>>>>> tool works very well, though I am having a few very minor >>>>>>>>> issues. On >>>>>>>>> the upside, as far as I can tell, you can skip the steps about >>>>>>>>> Kerberos >>>>>>>>> key generation as outlined in the documentation. I've been able to >>>>>>>>> kinit just fine with my migrated users. >>>>>>>>> >>>>>>>>> >>>>>>>>> Below are the few errors I've noticed. 
>>>>>>>>> >>>>>>>>> * When I ssh into an enrolled host using a migrated user's >>>>>>>>> credentials I >>>>>>>>> get this error: >>>>>>>>> >>>>>>>>> id: cannot find name for group ID 104600003\ >>>>>>>> >>>>>>>> Does a group exist with that GID? You can try something like: >>>>>>>> >>>>>>>> $ ipa group-find --gid=104600003 >>>>>>>> >>>>>>> >>>>>>> The group doesn't exist. The GID is the counterpart to my UID. >>>>>> >>>>>> Try adding --private. >>>>>> >>>>>> rob >>>>>> >>>>> >>>>> Nope. It doesn't exist. >>>>> >>>>> Other groups migrated. Why would the private groups fail? >>>> >>>> I don't know, what have you done to date, including versions? >>>> >>>> rob >>> I've been following the stable Scientific Linux releases since 6.1. >>> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The >>> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just >>> upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now >>> 2.2.0-16.el6.x86_64. >>> >>> So... >>> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ----> >>> 2.2.0-16.el6.x86_64 >>> >>> >> >> Can you verify that managed entries are configured: >> >> # ipa-managed-entries -l >> >> It should return: >> >> UPG Definition >> NGP Definition >> >> This enables user-private groups and netgroup-private groups. >> >> rob > Yes. That returned as expected. > The why and how of this aside, is there any easy way to repopulate all my private groups? -- ----- *question everything*learn something*answer nothing* ------------ Lucas Yamanishi ------------------ Systems Administrator, ADNET Systems, Inc. 
7515 Mission Drive, Suite A100 Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A From rcritten at redhat.com Wed Aug 29 19:35:13 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 29 Aug 2012 15:35:13 -0400 Subject: [Freeipa-users] sssd client cache timer and merging IPA domains In-Reply-To: <503E6746.7090408@sesda2.com> References: <833D8E48405E064EBC54C84EC6B36E404CD759D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <502D658B.9070900@sesda2.com> <502D670B.1020904@redhat.com> <502D67E4.6030801@sesda2.com> <502D689B.7040500@redhat.com> <502D69C1.3040301@sesda2.com> <502E3B5A.9030401@redhat.com> <502E6C41.1060209@sesda2.com> <50323130.6030102@redhat.com> <5032611F.4070907@sesda2.com> <503E6746.7090408@sesda2.com> Message-ID: <503E6EF1.4060809@redhat.com> Lucas Yamanishi wrote: > On 08/20/2012 12:09 PM, Lucas Yamanishi wrote: >> On 08/20/2012 08:44 AM, Rob Crittenden wrote: >>> Lucas Yamanishi wrote: >>>> >>>> On 08/17/2012 08:38 AM, Rob Crittenden wrote: >>>>> Lucas Yamanishi wrote: >>>>>> >>>>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote: >>>>>>> Lucas Yamanishi wrote: >>>>>>>> >>>>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote: >>>>>>>>> Lucas Yamanishi wrote: >>>>>>>>>> I just migrated my IPA instance from one to another a couple days >>>>>>>>>> ago to >>>>>>>>>> recover after a lost CA and failed yum upgrade. The "ipa >>>>>>>>>> migrate-ds" >>>>>>>>>> tool works very well, though I am having a few very minor >>>>>>>>>> issues. On >>>>>>>>>> the upside, as far as I can tell, you can skip the steps about >>>>>>>>>> Kerberos >>>>>>>>>> key generation as outlined in the documentation. I've been able to >>>>>>>>>> kinit just fine with my migrated users. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Below are the few errors I've noticed. 
>>>>>>>>>> >>>>>>>>>> * When I ssh into an enrolled host using a migrated user's >>>>>>>>>> credentials I >>>>>>>>>> get this error: >>>>>>>>>> >>>>>>>>>> id: cannot find name for group ID 104600003\ >>>>>>>>> >>>>>>>>> Does a group exist with that GID? You can try something like: >>>>>>>>> >>>>>>>>> $ ipa group-find --gid=104600003 >>>>>>>>> >>>>>>>> >>>>>>>> The group doesn't exist. The GID is the counterpart to my UID. >>>>>>> >>>>>>> Try adding --private. >>>>>>> >>>>>>> rob >>>>>>> >>>>>> >>>>>> Nope. It doesn't exist. >>>>>> >>>>>> Other groups migrated. Why would the private groups fail? >>>>> >>>>> I don't know, what have you done to date, including versions? >>>>> >>>>> rob >>>> I've been following the stable Scientific Linux releases since 6.1. >>>> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The >>>> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just >>>> upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now >>>> 2.2.0-16.el6.x86_64. >>>> >>>> So... >>>> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ----> >>>> 2.2.0-16.el6.x86_64 >>>> >>>> >>> >>> Can you verify that managed entries are configured: >>> >>> # ipa-managed-entries -l >>> >>> It should return: >>> >>> UPG Definition >>> NGP Definition >>> >>> This enables user-private groups and netgroup-private groups. >>> >>> rob >> Yes. That returned as expected. >> > > The why and how of this aside, is there any easy way to repopulate all > my private groups? > You'll need to use ldapmodify to achieve this, and add the missing values to each user and group separately. This should be relatively easily scriptable. Here is what it looks like to convert a single user/group. I created it by adding the user with --gid=### and --noprivate, then creating a group of the same name and with the gid of the user. 
$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
replace: objectclass
objectclass: top
objectclass: posixgroup
objectclass: ipaobject
objectclass: mepManagedEntry
-
add: mepmanagedby
mepmanagedby: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com

modifying entry "cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com"

$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: mepOriginEntry
-
add: mepmanagedentry
mepmanagedentry: cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com

modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"

From rcritten at redhat.com Wed Aug 29 19:52:46 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Aug 2012 15:52:46 -0400
Subject: [Freeipa-users] KISS: DHCP from IPA
In-Reply-To: <503E5D90.3060307@redhat.com>
References: <503E3936.6040707@redhat.com> <503E3BDA.4010002@redhat.com> <503E5D90.3060307@redhat.com>
Message-ID: <503E730E.2090802@redhat.com>

Chris Evich wrote:
> On 08/29/2012 11:57 AM, John Dennis wrote:
>> Thanks for the contribution Chris!
>>
>> Just as an aside if you know Python you can call the IPA commands
>> directly and use Python to extract and reformat the data, it might be a
>> lot simpler than doing the bash/awk dance.
>>
>
> I agree that using bash/sed/awk is a bit clunky. I actually did stumble
> on the python stuff by accident, but wasn't able to find much reference
> / examples for how to use it. At the time I just needed something quick
> to toss-together. Maybe the python docs/examples are different today,
> any links handy?
>

I seem to recall this came up on either freeipa-users or freeipa-devel but I can't find the thread.
Some decent examples got posted.

Here is something I've been twiddling with to add users from a well-formatted passwd file:

import sys
import re
from ipalib import api
from ipalib import errors

filename='passwd'
# gecos of the form "First M Last"; only first and last name are kept
name_pattern = re.compile(r'(\w+) \w (\w+)')

# Python 2 / ipalib 2.x: bootstrap the client-side API and connect to the server
api.bootstrap(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

count = 0
fd = open(filename, 'r')
while True:
    line = fd.readline()
    if not line:
        break
    line = unicode(line.strip())
    try:
        (login, passwd, uid, gid, gecos, dir, shell) = line.split(':')
    except ValueError, e:
        print "mal-formed passwd entry: %s (%s)" % (e, line)
        continue
    m = name_pattern.match(gecos)
    if m:
        first = m.group(1)
        last = m.group(2)
    else:
        first = u'USER'
        last = u'NAME'

    try:
        # same call the 'ipa user-add' CLI makes; uid/gid are kept from the file
        api.Command['user_add'](login, gidnumber=int(gid), uidnumber=int(uid),
                                gecos=gecos.strip(), homedir=dir, shell=shell,
                                givenname=first, sn=last)
    except errors.DuplicateEntry:
        print "%s already exists" % login
        continue
...

rob

From george_he7 at yahoo.com Thu Aug 30 03:38:46 2012
From: george_he7 at yahoo.com (george he)
Date: Wed, 29 Aug 2012 20:38:46 -0700 (PDT)
Subject: [Freeipa-users] ip changed
Message-ID: <1346297926.15934.YahooMailNeo@web120006.mail.ne1.yahoo.com>

Hello all,
I have free-ipa set up on my lab machines all running Fedora 17.
Today the lab was moved to another building on campus and the IPs have to be changed.
Now that the IPs are changed, I cannot even run kinit on the ipa-server.
The error message returned with kinit is "connot contact any KDC for realm MYREALM while getting initial credentials"
What I have done to change the IPs is to run system-config-network, modify the file /etc/hosts, and call the IT department to update the DNS server entries.
What else do I need to do to make the ipa work with the new IPs?
Thanks in advance for your help,
George
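Picking up Rob's ipalib suggestion from the KISS thread above, the block below is an added example (mine, not Chris's script or Rob's code) that does the host-find-to-dhcpd.conf rendering in Python. It assumes, as the thread does, that the MAC address is kept in the host's Location field, and it further assumes that an ipalib host_find result exposes that field as 'nshostlocation' and the host name as 'fqdn', each as a one-element list (check both against your own `ipa host-show --all --raw` output). What it adds over the bash/awk version is validation before interpolation: Location is free text that anyone with modify rights on the host entry can set, so the value is checked against a MAC pattern and the host name against RFC 1123 label rules before either reaches dhcpd.conf. The sample entries are constructed: a clean host, one with the MAC written with dashes, one with no MAC, one whose Location tries to smuggle dhcpd directives, and a duplicate MAC. The live lookup sits in a separate function that is not called by default, so the rest runs offline.

```python
import re

# Assumptions (not from the thread): an ipalib host_find entry carries the
# host name as entry['fqdn'][0] and the Location field, which the thread
# repurposes for the MAC, as entry['nshostlocation'][0].
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")  # RFC 1123 label


def valid_fqdn(name):
    """Dotted, at most 253 chars, every label RFC 1123 clean (input already lower-cased)."""
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def valid_mac(mac):
    return bool(MAC_RE.match(mac))


def normalise(entry):
    """Pull (fqdn, mac) out of one host_find entry; lower-cased, '-' separators -> ':'."""
    fqdn = entry.get("fqdn", [""])[0].strip().lower()
    mac = entry.get("nshostlocation", [""])[0].strip().lower().replace("-", ":")
    return fqdn, mac


def render_dhcp_hosts(entries):
    """Return (stanzas, rejected).

    stanzas:  dhcpd 'host' blocks, one per valid entry, in input order.
    rejected: (fqdn, reason) for every entry that was skipped.

    Nothing is interpolated into a stanza until it has passed validation.
    Location is free text; a value such as
      00:11:22:33:44:77; } include "/etc/shadow"; host x {
    would otherwise land in dhcpd.conf verbatim.
    """
    stanzas, rejected, seen = [], [], set()
    for entry in entries:
        fqdn, mac = normalise(entry)
        if not valid_fqdn(fqdn):
            rejected.append((fqdn, "invalid host name"))
            continue
        if not mac:
            rejected.append((fqdn, "no MAC in Location"))
            continue
        if not valid_mac(mac):
            rejected.append((fqdn, "Location is not a MAC address"))
            continue
        if mac in seen:
            rejected.append((fqdn, "duplicate MAC"))
            continue
        seen.add(mac)
        short = fqdn.split(".", 1)[0]
        stanzas.append("host %s { hardware ethernet %s; fixed-address %s; }"
                       % (short, mac, fqdn))
    return stanzas, rejected


def fetch_entries_from_ipa():
    """Live lookup using the ipalib calls shown in the thread; needs a ticket (kinit -k)."""
    from ipalib import api
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.xmlclient.connect()
    return api.Command["host_find"](all=True)["result"]


# Constructed sample in the shape host_find is assumed to return (not real hosts).
SAMPLE_ENTRIES = [
    {"fqdn": ["db1.fqdn.com"], "nshostlocation": ["00:11:22:33:44:55"]},
    {"fqdn": ["Web1.fqdn.com"], "nshostlocation": ["00-11-22-33-44-66"]},
    {"fqdn": ["nomac.fqdn.com"]},
    {"fqdn": ["evil.fqdn.com"],
     "nshostlocation": ['00:11:22:33:44:77; } include "/etc/shadow"; host x {']},
    {"fqdn": ["dup.fqdn.com"], "nshostlocation": ["00:11:22:33:44:55"]},
]

if __name__ == "__main__":
    ok, bad = render_dhcp_hosts(SAMPLE_ENTRIES)
    print("\n".join(ok))
    for name, why in bad:
        print("# skipped %s: %s" % (name, why))
```

Run as-is it prints two stanzas and three skip lines for the sample. For live use, call fetch_entries_from_ipa() under the host keytab the bash version uses, write the output to a temporary file, check it with `dhcpd -t -cf <tmpfile>` before moving it over /etc/dhcp/dhcpd.known_hosts, and treat every rejection as something to look at rather than a host to silently drop: a Location value that fails the MAC check is either a typo or someone writing into a field that feeds your DHCP configuration.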
From mkosek at redhat.com Thu Aug 30 07:10:50 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 30 Aug 2012 09:10:50 +0200
Subject: [Freeipa-users] ip changed
In-Reply-To: <1346297926.15934.YahooMailNeo@web120006.mail.ne1.yahoo.com>
References: <1346297926.15934.YahooMailNeo@web120006.mail.ne1.yahoo.com>
Message-ID: <503F11FA.2000101@redhat.com>

On 08/30/2012 05:38 AM, george he wrote:
> Hello all,
> I have free-ipa set up on my lab machines all running Fedora 17.
> Today the lab was moved to another building on campus and the IPs have to be
> changed.
> Now that the IPs are changed, I cannot even run kinit on the ipa-server.
> The error message returned with kinit is "connot contact any KDC for realm
> MYREALM while getting initial credentials"
> What I have done to change the IPs is to run system-config-network, modify the
> file /etc/hosts, and call the IT department to update the DNS server entries.
> What else do I need to do to make the ipa work with the new IPs?
> Thanks in advance for your help,
> George
>

If you have FreeIPA with DNS support, you also need to update FreeIPA server A/AAAA records in LDAP. ipa "dnsrecord-mod" command should be able to do that if you have /etc/hosts set properly.

Besides that, you should be OK with the changes you already requested. Important thing is that hostname cannot change, which as I understand is not the issue.

With the changes I described, does the FreeIPA server start and works for you? If not, please send error messages and we can sort it out.

Thank you,
Martin

From david at juran.se Thu Aug 30 07:30:52 2012
From: david at juran.se (David Juran)
Date: Thu, 30 Aug 2012 09:30:52 +0200
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To: References: Message-ID: <1346311852.3744.19.camel@localhost.localdomain> On l?r, 2012-08-25 at 23:05 -0500, KodaK wrote: > I've just been informed by my boss's boss's boss that, and I quote > from his ridiculous email: > > "we cannot use anything other than MS AD for authentication" > > I've spent months of time and much effort rolling out IPA, > consolidating authentication across our Linux and AIX machines. To > paraphrase Babbage: I am not able rightly to apprehend the kind of > confusion of ideas that could provoke such a statement. > > Regardless, I need some help. I need some help with comparisons > between FreeIPA and AD, and the problems and issues one might > encounter when trying to authenticate Unix machines against AD. > Anything that can show IPA being superior to AD for *nix > authentication. Anything at all. We have a similar number of AIX and > Linux servers. We have a week before we have a meeting to discuss > this, and I'd like to be armed to the teeth, if at all possible. Apart from what everyone else already pointed out, I believe that if you register the Linux host in the AD, you'll need to purchase a CAL for it... /David -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From rcritten at redhat.com Thu Aug 30 12:39:40 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 30 Aug 2012 08:39:40 -0400 Subject: [Freeipa-users] ip changed In-Reply-To: <503F11FA.2000101@redhat.com> References: <1346297926.15934.YahooMailNeo@web120006.mail.ne1.yahoo.com> <503F11FA.2000101@redhat.com> Message-ID: <503F5F0C.1060808@redhat.com> Martin Kosek wrote: > On 08/30/2012 05:38 AM, george he wrote: >> Hello all, >> I have free-ipa set up on my lab machines all running Fedora 17. >> Today the lab was moved to another building on campus and the IPs have to be >> changed. 
>> Now that the IPs are changed, I cannot even run kinit on the ipa-server.
>> The error message returned with kinit is "cannot contact any KDC for realm
>> MYREALM while getting initial credentials"
>> What I have done to change the IPs is to run system-config-network, modify the
>> file /etc/hosts, and call the IT department to update the DNS server entries.
>> What else do I need to do to make the ipa work with the new IPs?
>> Thanks in advance for your help,
>> George
>>
>
> If you have FreeIPA with DNS support, you also need to update FreeIPA server
> A/AAAA records in LDAP. The ipa "dnsrecord-mod" command should be able to do that
> if you have /etc/hosts set properly.
>
> Besides that, you should be OK with the changes you already requested.
> Important thing is that hostname cannot change, which as I understand is not
> the issue.
>
> With the changes I described, does the FreeIPA server start and work for you?
> If not, please send error messages and we can sort it out.

You might want to check /etc/hosts too to be sure that it doesn't have stale IP entries.

rob

From cevich at redhat.com Thu Aug 30 14:16:32 2012
From: cevich at redhat.com (Chris Evich)
Date: Thu, 30 Aug 2012 10:16:32 -0400
Subject: [Freeipa-users] KISS: DHCP from IPA
In-Reply-To: <503E730E.2090802@redhat.com>
References: <503E3936.6040707@redhat.com> <503E3BDA.4010002@redhat.com> <503E5D90.3060307@redhat.com> <503E730E.2090802@redhat.com>
Message-ID: <503F75C0.3000909@redhat.com>

On 08/29/2012 03:52 PM, Rob Crittenden wrote:
> Chris Evich wrote:
>> On 08/29/2012 11:57 AM, John Dennis wrote:
>>> Thanks for the contribution Chris!
>>>
>>> Just as an aside if you know Python you can call the IPA commands
>>> directly and use Python to extract and reformat the data, it might be a
>>> lot simpler than doing the bash/awk dance.
>>>
>>
>> I agree that using bash/sed/awk is a bit clunky.
>> I actually did stumble
>> on the python stuff by accident, but wasn't able to find much reference
>> / examples for how to use it. At the time I just needed something quick
>> to toss-together. Maybe the python docs/examples are different today,
>> any links handy?
>>
>
> I seem to recall this came up on either freeipa-users or freeipa-devel
> but I can't find the thread. Some decent examples got posted.
>
> Here is something I've been twiddling with to add users from a
> well-formatted passwd file:
>
> # Python 2 script against the ipalib 2.x API of the time; ipalib expects
> # unicode values for string parameters.
> import sys
> import re
> from ipalib import api
> from ipalib import errors
>
> filename = 'passwd'
> # GECOS is expected to look like "First M Last"; raw string keeps \w intact.
> name_pattern = re.compile(r'(\w+) \w (\w+)')
>
> # Initialise the client-side API and connect to the server (a Kerberos
> # ticket for an account allowed to add users must already be present).
> api.bootstrap(context='cli')
> api.finalize()
> api.Backend.xmlclient.connect()
>
> count = 0
> fd = open(filename, 'r')
> while True:
>     line = fd.readline()
>     if not line:
>         break
>     line = unicode(line.strip())
>     try:
>         (login, passwd, uid, gid, gecos, dir, shell) = line.split(':')
>     except ValueError, e:
>         print "mal-formed passwd entry: %s (%s)" % (e, line)
>         continue
>     m = name_pattern.match(gecos)
>     if m:
>         first = m.group(1)
>         last = m.group(2)
>     else:
>         first = u'USER'
>         last = u'NAME'
>
>     try:
>         # Same as `ipa user-add`, preserving the numeric uid/gid from passwd.
>         api.Command['user_add'](login, gidnumber=int(gid),
>                                 uidnumber=int(uid),
>                                 gecos=gecos.strip(), homedir=dir, shell=shell,
>                                 givenname=first, sn=last)
>     except errors.DuplicateEntry:
>         print "%s already exists" % login
>         continue
> ...
>
> rob

Thanks! That helps. Still, one can only get so far by reading docstrings :)
More examples like this on the wiki, or (even better) some API docs would be great!

-- 
Chris Evich, RHCA, RHCE, RHCDS, RHCSS
Quality Assurance Engineer
e-mail: cevich + `@' + redhat.com
o: 1-888-RED-HAT1 x44214

From Steven.Jones at vuw.ac.nz Thu Aug 30 20:41:09 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 30 Aug 2012 20:41:09 +0000
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To: <1346311852.3744.19.camel@localhost.localdomain>
References: , <1346311852.3744.19.camel@localhost.localdomain>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD7D1E5@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Also if it's straight into AD I'm not aware you can use AD to control Linux authentication and authorisation adequately without something like Likewise or Centrify. I think the best you can do is one group?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of David Juran [david at juran.se]
Sent: Thursday, 30 August 2012 7:30 p.m.
To: KodaK
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.

On lör, 2012-08-25 at 23:05 -0500, KodaK wrote:
> I've just been informed by my boss's boss's boss that, and I quote
> from his ridiculous email:
>
> "we cannot use anything other than MS AD for authentication"
>
> I've spent months of time and much effort rolling out IPA,
> consolidating authentication across our Linux and AIX machines. To
> paraphrase Babbage: I am not able rightly to apprehend the kind of
> confusion of ideas that could provoke such a statement.
>
> Regardless, I need some help. I need some help with comparisons
> between FreeIPA and AD, and the problems and issues one might
> encounter when trying to authenticate Unix machines against AD.
> Anything that can show IPA being superior to AD for *nix
> authentication. Anything at all. We have a similar number of AIX and
> Linux servers. We have a week before we have a meeting to discuss
> this, and I'd like to be armed to the teeth, if at all possible.

Apart from what everyone else already pointed out, I believe that if you
register the Linux host in the AD, you'll need to purchase a CAL for it...
/David

From Steven.Jones at vuw.ac.nz Thu Aug 30 20:53:51 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 30 Aug 2012 20:53:51 +0000
Subject: [Freeipa-users] Desperate help requested.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD7D1E5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: , <1346311852.3744.19.camel@localhost.localdomain>, <833D8E48405E064EBC54C84EC6B36E404CD7D1E5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD7D1F7@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

The biggest thing is really sheer control. With the best will in the world AD is not unix orientated....

You can control who logs in to a server and from where, you can control who gets root remotely (or any other su - *) via IPA's sudo module. You can control what they can do like no-ftp, allow ssh, no login (console), sudo and it's all easy to add users to and from via the web ui (once you get the hang of it).

I've gone through what you have gone through, I feel your pain.....the problem is really Windows ppl don't understand and don't want to, I think it's fear, it certainly isn't logic.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Friday, 31 August 2012 8:41 a.m.
To: David Juran; KodaK
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.

Hi,

Also if it's straight into AD I'm not aware you can use AD to control Linux authentication and authorisation adequately without something like Likewise or Centrify. I think the best you can do is one group?
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of David Juran [david at juran.se]
Sent: Thursday, 30 August 2012 7:30 p.m.
To: KodaK
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.

On lör, 2012-08-25 at 23:05 -0500, KodaK wrote:
> I've just been informed by my boss's boss's boss that, and I quote
> from his ridiculous email:
>
> "we cannot use anything other than MS AD for authentication"
>
> I've spent months of time and much effort rolling out IPA,
> consolidating authentication across our Linux and AIX machines. To
> paraphrase Babbage: I am not able rightly to apprehend the kind of
> confusion of ideas that could provoke such a statement.
>
> Regardless, I need some help. I need some help with comparisons
> between FreeIPA and AD, and the problems and issues one might
> encounter when trying to authenticate Unix machines against AD.
> Anything that can show IPA being superior to AD for *nix
> authentication. Anything at all. We have a similar number of AIX and
> Linux servers. We have a week before we have a meeting to discuss
> this, and I'd like to be armed to the teeth, if at all possible.

Apart from what everyone else already pointed out, I believe that if you
register the Linux host in the AD, you'll need to purchase a CAL for it...
/David

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From okelet at gmail.com Fri Aug 31 08:53:24 2012
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Fri, 31 Aug 2012 10:53:24 +0200
Subject: [Freeipa-users] Compiling and deploying ipa-pwd-extop in a 389DS
Message-ID:

Hi all

First, I am not using FreeIPA, just 389 Directory Server; we have a
large installation and we can not (now) migrate the entire service.
But I would like to use the free ipa-pwd-extop plugin to auto-generate the
Samba equivalent passwords (not Kerberos). Is the plugin ready to be
deployed in a non-IPA installation? Is there any documentation about
how to compile and configure it (plugin arguments in the
cn=ipapwd-extop,cn=plugins,cn=config)?

We are using 389DS 1.2.5 in CentOS 5.5 i386.

Regards and thanks in advance.

From rcritten at redhat.com Fri Aug 31 13:10:37 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 31 Aug 2012 09:10:37 -0400
Subject: [Freeipa-users] Compiling and deploying ipa-pwd-extop in a 389DS
In-Reply-To:
References:
Message-ID: <5040B7CD.5010802@redhat.com>

Juan Asensio Sánchez wrote:
> Hi all
>
> First, I am not using FreeIPA, just 389 Directory Server; we have a
> large installation and we can not (now) migrate the entire service.
> But I would like to use the free ipa-pwd-extop plugin to auto-generate the
> Samba equivalent passwords (not Kerberos). Is the plugin ready to be
> deployed in a non-IPA installation? Is there any documentation about
> how to compile and configure it (plugin arguments in the
> cn=ipapwd-extop,cn=plugins,cn=config)?
>
> We are using 389DS 1.2.5 in CentOS 5.5 i386.
>
> Regards and thanks in advance.

AFAIK we've never tried building the plugin outside our source tree. The
kerberos code is fairly well embedded.
Extracting that would be a bit of a challenge, though it may also mean you
could exclude the files from the top-level util subdir. The configuration
for the plugin can be found with the source in pwd-extop-conf.ldif.

I think it would take a lot of effort to get this working outside of IPA and
Kerberos.

rob

From mmercier at gmail.com Fri Aug 31 13:33:37 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Fri, 31 Aug 2012 09:33:37 -0400
Subject: [Freeipa-users] HBAC Test - web vs command line - returns different results
Message-ID:

Hello,

I seem to be having a problem with the HBAC test:

Versions:
[root at ipaserver ipatest]# rpm -qa|grep ^ipa
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64

On the web console:
Browse to HBAC TEST
Who: mike
Accessing: pix.beta.local
Via service: tac_plus
From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
Rules: tacacs
Run Test -> Access Granted with matched rules showing tacacs

On the command line:
ipa hbactest
User name: mike
Target Host: pix.beta.local
Service: tac_plus
---------------------
Access granted: False
---------------------
Not matched rules: tacacs

tacacs rule:
General: Enabled
Who: user group: ciscoadmin -> mike is a member
accessing: cisco-devices -> pix.beta.local is a member
Via Service: tac_plus
From: any host

NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)

Any ideas?

Thanks,
Mike
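An added example, not from the thread or the FreeIPA code base, of how an HBAC rule like the "tacacs" one above is evaluated: an enabled rule grants access only when its user, host, service and source-host components each match, either through an "all" category or through explicit membership. The rule and the group memberships below are constructed from Mike's description and the model is simplified to group-based membership only, so it shows what `ipa hbactest` is expected to report for his input rather than explaining the discrepancy he saw.

```python
# Added example (not from the thread): a minimal model of FreeIPA HBAC rule
# evaluation. Directory data below is constructed from the post; direct
# (non-group) user/host members are omitted for brevity.

# Constructed memberships: user -> groups, host -> hostgroups.
USER_GROUPS = {"mike": {"ciscoadmin"}}
HOST_GROUPS = {"pix.beta.local": {"cisco-devices"}, "ipaclient.beta.local": set()}

# Constructed rules, shaped like the attributes `ipa hbacrule-show` reports.
# A category of "all" means "match anything"; otherwise explicit members apply.
RULES = {
    "tacacs": {
        "enabled": True,
        "usercategory": None, "memberuser_group": {"ciscoadmin"},
        "hostcategory": None, "memberhost_hostgroup": {"cisco-devices"},
        "servicecategory": None, "memberservice_hbacsvc": {"tac_plus"},
        "sourcehostcategory": "all", "sourcehost_host": set(),   # "From: any host"
    },
    "allow_all": {   # present but disabled, as in the post
        "enabled": False,
        "usercategory": "all", "memberuser_group": set(),
        "hostcategory": "all", "memberhost_hostgroup": set(),
        "servicecategory": "all", "memberservice_hbacsvc": set(),
        "sourcehostcategory": "all", "sourcehost_host": set(),
    },
}

def _component_matches(category, members, candidates):
    """One rule component matches if its category is 'all' or a candidate is a member."""
    return category == "all" or bool(members & candidates)

def rule_matches(rule, user, host, service, srchost=None):
    """Disabled rules never match; enabled rules need every component to match."""
    if not rule["enabled"]:
        return False
    return (
        _component_matches(rule["usercategory"], rule["memberuser_group"], USER_GROUPS.get(user, set()))
        and _component_matches(rule["hostcategory"], rule["memberhost_hostgroup"], HOST_GROUPS.get(host, set()))
        and _component_matches(rule["servicecategory"], rule["memberservice_hbacsvc"], {service})
        and _component_matches(rule["sourcehostcategory"], rule["sourcehost_host"], {srchost})
    )

def hbactest(user, host, service, srchost=None):
    """Return (access_granted, matched_rule_names, not_matched_rule_names)."""
    matched = [name for name, rule in RULES.items() if rule_matches(rule, user, host, service, srchost)]
    not_matched = [name for name in RULES if name not in matched]
    return bool(matched), matched, not_matched

if __name__ == "__main__":
    print(hbactest("mike", "pix.beta.local", "tac_plus", "ipaclient.beta.local"))
```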