Problem with freeipa and samba 4.9
by Николай Савельев
Hi
I updated my samba server to 4.9
After that I had a problem with starting samba and found this thread: https://pagure.io/freeipa/issue/7705
I added the user mapping net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin and samba works
But now samba is very-very-very slow!
Some operations, like copying a big file, are normal; others, like opening dirs or creating new files, are very slow.
Any ideas?
What can I do?
--
Best regards, Николай.
4 years, 5 months
cannot create PTR record - too many address components
by Stephen Ingram
I'm trying to set up service discovery for our printers on the network using
a CUPS bonjour tutorial. Specifically the record I'm trying to create is:
_ipp._tcp PTR m477fdw._ipp._tcp.i.example.com.
Every time I try to create this record in IPA I receive the error message:
Invalid 'ptrrecord': Reverse zone in-addr.arpa. requires exactly 4 IP
address components, 5 given
Does IPA DNS just not support service discovery records or do I need to do
something differently?
I'm using CentOS 7.6.1810 and IPA 4.6.4.
Steve
4 years, 5 months
ssh ProxyCommand in ipa-client causes crash of x2goclient
by Kees Bakker
Hey,
With x2go [1] you can start a remote desktop. Going from UNIX (client) to UNIX (server)
it will use SSH behind the scenes.
However, on an IPA client the x2goclient command fails with a segfault (somewhere in a ssh library).
This is caused by the modified /etc/ssh/ssh_config. More specifically, this:
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
When you disable this line the x2go connection succeeds.
[1] https://wiki.x2go.org/doku.php
--
Kees
4 years, 5 months
Multiple HBAC rules in one Apache config
by Ronald Wimmer
Hi,
Is there a way to use multiple HBAC rules in the same "Require
pam-account" line in one and the same Apache config?
Something like
Require pam-account hbacA|hbacB
Cheers,
Ronald
4 years, 5 months
Re: group management on freeipa clients
by Kevin Vasko
So, this is an interesting read, thanks for that.
But just an FYI to the OP, if you are using any Ubuntu 18.04 clients (I haven’t tried it with Fedora/CentOS) there is an issue with not having local docker groups on the system.
What ends up happening is on a boot, docker services try starting up, but look for a local docker group when they do. If there is no docker group the service times out. When the machine does finally boot up, DNS resolution for some reason is broken. Networking works fine (e.g. can ping 8.8.8.8 or any local ip). But without DNS resolution the machine won’t properly find the IPA server and won’t allow users to log in.
Docker made this service change from 16.04 to 18.04.
Here I detailed how I determined what the issue was. I put in another ticket with this information but was told it wasn’t an issue with docker.
https://github.com/docker/libnetwork/issues/2335
-Kevin
> On Oct 24, 2019, at 6:18 PM, Simo Sorce via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> I strongly recommend reading this article:
> https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-...
>
> And based on it, I would a) reconsider if using sudo is not a better
> idea, b) recommend, if possible, to create the docker group locally and
> add users explicitly on the specific machines.
>
> I would fallback to a global docker group that basically gives root to
> any user on any machine with docker installed they have access to only
> as a last resort.
>
> Simo.
>
>> On Wed, 2019-10-23 at 19:07 +0000, Jason Dunham via FreeIPA-users
>> wrote:
>> Hi, I'm trying to figure out the best practice for groups on my client servers.
>> I have several computation workstation hosts that have been added as freeipa clients, and several engineers who want to run docker on them.
>> Members of the 'docker' group (gid=999 on some machines, for example) can run docker without needing sudo, which is what I want to roll out to all machines. Ideally this would be managed from freeipa with LDAP groups, and so anyone in the 'engineers' group should also be a member of the 'docker' group.
>> When I create a 'docker' group on freeIPA it will have some other gid and the client sees that.
>> Should I just delete the original docker group from my hosts and let it get it from ldap, or should I go into /etc/group and change the gid to the one that matches the right ldap gid, or preferably something easier than that?
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
> --
> Simo Sorce
> RHEL Crypto Team
> Red Hat, Inc
4 years, 5 months
group management on freeipa clients
by Jason Dunham
Hi, I'm trying to figure out the best practice for groups on my client servers.
I have several computation workstation hosts that have been added as freeipa clients, and several engineers who want to run docker on them.
Members of the 'docker' group (gid=999 on some machines, for example) can run docker without needing sudo, which is what I want to roll out to all machines. Ideally this would be managed from freeipa with LDAP groups, and so anyone in the 'engineers' group should also be a member of the 'docker' group.
When I create a 'docker' group on freeIPA it will have some other gid and the client sees that.
Should I just delete the original docker group from my hosts and let it get it from ldap, or should I go into /etc/group and change the gid to the one that matches the right ldap gid, or preferably something easier than that?
4 years, 5 months
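The gid clash raised in Jason's post and in Kevin's reply above (local docker=999 versus a different gid published by the directory) can be checked mechanically. This is an added example, not FreeIPA, SSSD or Docker code; the group lines are constructed stand-ins for /etc/group and for `getent -s sss group <name>` output, and the verdict strings are this example's own.

```python
"""Spot the gid clash from the thread above: a host's local /etc/group has
docker=999 while the directory hands out a different gid for 'docker'.
Added example, not FreeIPA/SSSD/Docker code; sample data is constructed."""
from collections import namedtuple

GroupEntry = namedtuple("GroupEntry", "name gid members")

def parse_group_db(text):
    """Parse group(5) lines (name:passwd:gid:member,member) into {name: entry}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {raw!r}")
        name, _pw, gid, members = fields
        entries[name] = GroupEntry(name, int(gid), tuple(m for m in members.split(",") if m))
    return entries

def compare_group(name, local_db, ldap_db):
    """Classify one group. With 'group: files sss' in nsswitch.conf the local
    entry wins the name lookup, so an LDAP member gets the LDAP gid in their
    supplementary groups, not the local gid that owns docker.sock."""
    local, remote = local_db.get(name), ldap_db.get(name)
    if local is None and remote is None:
        return "absent"
    if remote is None:
        return "local-only"
    if local is None:
        return "ldap-only"
    if local.gid != remote.gid:
        return f"gid-mismatch local={local.gid} ldap={remote.gid}"
    extra = sorted(set(remote.members) - set(local.members))
    return "gid-match" + (f" ldap-only-members={extra}" if extra else "")

# Constructed stand-ins for /etc/group and `getent -s sss group docker`.
LOCAL_GROUP_FILE = "root:x:0:\ndocker:x:999:alice\n"
LDAP_GROUPS = "docker:*:1234500010:alice,bob\nengineers:*:1234500005:alice,bob,carol\n"

def report(names=("docker", "engineers", "root")):
    """Verdict per group name; on a real host feed it /etc/group and getent output."""
    local_db, ldap_db = parse_group_db(LOCAL_GROUP_FILE), parse_group_db(LDAP_GROUPS)
    return {n: compare_group(n, local_db, ldap_db) for n in names}

for group, verdict in report().items():
    print(f"{group}: {verdict}")
```

A "gid-mismatch" verdict is the state the thread describes: the socket is owned by gid 999 while engineers arrive with the directory's gid, so membership in the LDAP group grants nothing locally.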
valid hostname?
by Amos
When enrolling a host, an error was presented:
root : INFO Joining realm failed: RPC failed at server. invalid
'hostname': invalid domain-name: only letters, numbers, '-' are allowed.
DNS label may not start or end with '-'
Where does this error originate from? Is it truly impossible to allow
hosts with "_" in their name?
Amos
4 years, 5 months
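To see exactly which names the rule quoted in that error turns away, here is a small validator written for this page (an added example, not FreeIPA's own code). It implements the rule as the error states it, and additionally applies the 63-octet label limit from RFC 1035, which the error text does not mention; the candidate names are constructed.

```python
"""Apply the hostname rule quoted in the error above (letters, numbers and
'-' only; no label may start or end with '-') to see which names enrollment
rejects and why. Added example, not FreeIPA's own validator."""

MAX_LABEL = 63  # RFC 1035 label limit; an extra check not quoted on the page

def check_hostname(hostname):
    """Return (ok, reason); reason names the first offending label."""
    name = hostname.rstrip(".")  # tolerate the trailing dot of an FQDN
    if not name:
        return False, "empty hostname"
    for label in name.split("."):
        if not label:
            return False, "empty DNS label (consecutive or leading dots)"
        if len(label) > MAX_LABEL:
            return False, f"label {label[:8]}... longer than {MAX_LABEL} octets"
        if label[0] == "-" or label[-1] == "-":
            return False, f"label {label!r} may not start or end with '-'"
        bad = sorted({c for c in label if c != "-" and not (c.isascii() and c.isalnum())})
        if bad:
            return False, f"label {label!r}: only letters, numbers, '-' are allowed; found {bad}"
    return True, "ok"

# Constructed candidates: the underscore case from the thread plus edge cases.
CANDIDATES = ("web01.example.com", "my_host.example.com", "-web.example.com",
              "web-.example.com", "web..example.com", "web01.example.com.")

for candidate in CANDIDATES:
    ok, reason = check_hostname(candidate)
    print(f"{candidate:24} {'accept' if ok else 'reject'}: {reason}")
```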
ansible-freeipa client install
by Andrew Meyer
Hello, I have set up ansible to install the freeipa client on my CentOS 7/8 machines. I am
able to get the packages installed however when it goes through the configuration I am
getting the following:
TASK [ipaclient : Install - Ensure that IPA client packages are installed]
******************************************************************************************************************************************************************
ok: [10.150.10.15]
TASK [ipaclient : Install - Set ipaclient_servers]
******************************************************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Install - Set ipaclient_servers from cluster inventory]
*******************************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Install - Check that either principal or keytab is set]
*******************************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Install - Set default principal if no keytab is given]
********************************************************************************************************************************************************************
ok: [10.150.10.15]
TASK [ipaclient : Install - IPA client test]
************************************************************************************************************************************************************************************************
ok: [10.150.10.15]
TASK [ipaclient : Install - Cleanup leftover ccache]
****************************************************************************************************************************************************************************************
ok: [10.150.10.15]
TASK [ipaclient : Install - Configure NTP]
**************************************************************************************************************************************************************************************************
changed: [10.150.10.15]
TASK [ipaclient : Install - Disable One-Time Password for on_master]
************************************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Install - Test if IPA client has working krb5.keytab]
*********************************************************************************************************************************************************************
ok: [10.150.10.15]
TASK [ipaclient : Install - Disable One-Time Password for client with working krb5.keytab]
**************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Install - Keytab or password is required for otp]
*************************************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Install - Get One-Time Password for client enrollment]
********************************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Install - Report error for OTP generation]
********************************************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Install - Store the previously obtained OTP]
******************************************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Install - Check if principal and keytab are set]
**************************************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Install - Check if one of password or keytabs are set]
********************************************************************************************************************************************************************
fatal: [10.150.10.15]: FAILED! => {"changed": false, "msg":
"At least one of password or keytabs must be specified"}
TASK [ipaclient : Install - Restore original admin password if overwritten by OTP]
**********************************************************************************************************************************************************
skipping: [10.150.10.15]
TASK [ipaclient : Cleanup leftover ccache]
**************************************************************************************************************************************************************************************************
ok: [10.150.10.15]
PLAY RECAP
**********************************************************************************************************************************************************************************************************************************
10.150.10.15 : ok=10 changed=1 unreachable=0 failed=1 skipped=11
rescued=0 ignored=0
I am not sure that I am using the correct variables in ansible-vault for the keytabs:
ipaadmin_password1: password1234
ipadm_password1: password1234
ipaserver_realm1: TEST.EXAMPLE
ipaserver_domain1: test.example
ipaclient_principal1: admin
ipaclient_password1: password1234
Should the variable be 'ipaadmin_principal1:' ? Also should this be the
password?
And I want to skip installing the ntp client; would this be the correct way to do it?
ansible-playbook --ask-vault-pass --extra-vars 'ansible/passwd.yml'
ansible-freeipa/playbooks/install-client.yml --limit=10.150.10.15 --user=user123 -e
"ipaclient_no_ntp=no"
4 years, 5 months
using SPAKE
by Charles Hedrick
I’d like to avoid having to use a second cache to armor 2FA requests. My impression was that SPAKE was supposed to fix this. I just installed a new kdc (replica of an old one) in CentOS 8. It understands SPAKE, offering it as preauthentication for normal users. But a user with 2FA is not offered SPAKE preauth. I still have to use FAST.
Have I misunderstood, or is extra configuration needed?
4 years, 5 months
is it possible to enable constrained delegation for only some users?
by Charles Hedrick
We have kerberos everywhere, and use it for access to NFS home directories.
So what do we do about cron jobs? We have a solution, but it involves custom code that impersonates the KDC. I’d like to do something more standard.
Constrained delegation seems like a possibility. But I’d need to be able to say “allow cron to get credentials for NFS for a specific group of users.” Since all of our systems run cron, I don’t want to allow any system to be able to get an NFS credential for any user. That would let root on any system see anyone’s files. So the user has to authorize it. Presumably if the user runs his own desktop, he’s willing to allow it to get credentials for himself. But I wouldn’t trust his machine to be able to get mine.
The constrained delegation mechanism seems to handle this, except that I don’t see a way to constrain it to specific users. Am I missing something?
4 years, 5 months