Only users that have the 'su-l' service *enabled* can you su - [user] to - this seems backwards? Users with 'su-l' *disabled* can su - [user] that has the service enabled ....
by Morgan Cox
Hi.
I have created an HBAC rule for sysadmins, one that has all services
enabled.
Logically I would expect only users with the service 'su-l' enabled to be
able to su - [user].
However, in reality it is working the opposite way ...
i.e. I have 2 users - both are allowed on the server I am testing on:
user 1 : mcox - this has all services enabled
user 2: mcox3 - this only has sshd enabled
However, user mcox cannot 'su - mcox3', but user mcox3 can 'su - mcox' -
which seems the wrong way round - I would expect only users with the 'su-l'
service to be able to su - ??
- mcox -> mcox3 gets 'su: Permission denied'
hbactest shows I should be granted on mcox and fail on mcox3
Is it my understanding of the rule at fault or something else?
Note: user mcox can 'su - mcox' also.
Below are the rules.
For user: mcox
# ipa hbactest --user mcox --host ipaclient2.cpgbpc.local --service su-l
--------------------
Access granted: True
--------------------
Matched rules: allow_all_sysadmin
Not matched rules: allow_desktop
Not matched rules: allow_ssh_access
-----------
# ipa hbacrule-show allow_all_sysadmin
Rule name: allow_all_sysadmin
Host category: all
Service category: all
Enabled: TRUE
Users: mcox
User Groups: sysadmin
---------------
For user: mcox3
# ipa hbactest --user mcox3 --host ipaclient2.cpgbpc.local --service su-l
---------------------
Access granted: False
---------------------
Not matched rules: allow_all_sysadmin
Not matched rules: allow_desktop
Not matched rules: allow_ssh_access
# ipa hbacrule-show allow_ssh_access
Rule name: allow_ssh_access
Enabled: TRUE
Users: mcox2, mcox3
Hosts: ipaclient2.cpgbpc.local
Services: sshd
And if it helps, here is sssd_[domain].log
for when mcox tries to su - mcox3 (and fails):
------------------------------------------
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]]
[dp_get_account_info_handler] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=mcox3(a)cpgbpc.local]
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=mcox3(a)cpgbpc.local,cn=users,cn=cpgbpc.local,cn=sysdb]
has set [ts_cache] attrs.
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]]
[sdap_initgr_nested_search] (0x0040): Search for group
ipaUniqueID=2dabbee6-4872-11e8-b88d-5254008ff913,cn=ng,cn=alt,dc=cpgbpc,dc=local,
returned 0 results. Skipping
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]]
[sdap_initgr_nested_search] (0x0040): Search for group
ipaUniqueID=44300e26-495b-11e8-8f22-5254008ff913,cn=hbac,dc=cpgbpc,dc=local,
returned 0 results. Skipping
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=mcox3(a)cpgbpc.local,cn=users,cn=cpgbpc.local,cn=sysdb]
has set [ts_cache] attrs.
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [dp_pam_handler]
(0x0100): Got request with the following data
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): domain: cpgbpc.local
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): user: mcox3(a)cpgbpc.local
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): service: su-l
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): tty: pts/1
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): ruser: mcox
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): rhost:
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): authtok type: 1
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): priv: 0
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): cli_pid: 2269
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): logon name: not set
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]]
[be_resolve_server_process] (0x0200): Found address for server
imd2.cpgbpc.local: [192.168.90.201] TTL 727
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [child_sig_handler]
(0x0100): child [2271] finished successfully.
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for name=mcox3(a)cpgbpc.local
,cn=users,cn=cpgbpc.local,cn=sysdb
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=mcox3(a)cpgbpc.local,cn=users,cn=cpgbpc.local,cn=sysdb]
has set [cache] attrs.
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for name=mcox3(a)cpgbpc.local
,cn=users,cn=cpgbpc.local,cn=sysdb
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [dp_pam_handler]
(0x0100): Got request with the following data
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): domain: cpgbpc.local
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): user: mcox3(a)cpgbpc.local
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): service: su-l
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): tty: pts/1
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): ruser: mcox
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): rhost:
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): authtok type: 0
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): priv: 0
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): cli_pid: 2269
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): logon name: not set
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]]
[ipa_hostgroup_info_done] (0x0200): Dereferenced host group:
ipa-test-clients
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [get_ipa_groupname]
(0x0020): Expected cn in RDN, got uid
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]]
[hbac_user_attrs_to_rule] (0x0020):
[uid=mcox2,cn=users,cn=accounts,dc=cpgbpc,dc=local] does not map to either
a user or group. Skipping
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [hbac_get_category]
(0x0200): Category is set to 'all'.
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [hbac_get_category]
(0x0200): Category is set to 'all'.
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [hbac_evaluate]
(0x0100): [< hbac_evaluate()
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [hbac_evaluate]
(0x0100): The rule [allow_ssh_access] did not match.
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [hbac_evaluate]
(0x0100): The rule [allow_all_sysadmin] did not match.
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]] [hbac_evaluate]
(0x0100): hbac_evaluate() >]
(Mon Oct 22 17:32:04 2018) [sssd[be[cpgbpc.local]]]
[ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
------------------------------------------
And here is the same log for user mcox3 doing 'su - mcox' (which works but
shouldn't?):
------------------------------------------
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]]
[dp_get_account_info_handler] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=mcox(a)cpgbpc.local]
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=mcox(a)cpgbpc.local,cn=users,cn=cpgbpc.local,cn=sysdb]
has set [ts_cache] attrs.
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]]
[sdap_initgr_nested_search] (0x0040): Search for group
ipaUniqueID=d779890a-4870-11e8-a91e-5254008ff913,cn=ng,cn=alt,dc=cpgbpc,dc=local,
returned 0 results. Skipping
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]]
[sdap_initgr_nested_search] (0x0040): Search for group
cn=sysadmin,cn=roles,cn=accounts,dc=cpgbpc,dc=local, returned 0 results.
Skipping
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]]
[sdap_initgr_nested_search] (0x0040): Search for group
ipaUniqueID=e6f310d8-4959-11e8-a91e-5254008ff913,cn=hbac,dc=cpgbpc,dc=local,
returned 0 results. Skipping
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=mcox(a)cpgbpc.local,cn=users,cn=cpgbpc.local,cn=sysdb]
has set [ts_cache] attrs.
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [dp_pam_handler]
(0x0100): Got request with the following data
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): domain: cpgbpc.local
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): user: mcox(a)cpgbpc.local
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): service: su-l
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): tty: pts/1
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): ruser: mcox3
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): rhost:
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): authtok type: 1
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): priv: 0
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): cli_pid: 2294
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): logon name: not set
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]]
[be_resolve_server_process] (0x0200): Found address for server
imd2.cpgbpc.local: [192.168.90.201] TTL 727
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [child_sig_handler]
(0x0100): child [2296] finished successfully.
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [fo_set_port_status]
(0x0100): Marking port 389 of server 'imd2.cpgbpc.local' as 'working'
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]]
[set_server_common_status] (0x0100): Marking server 'imd2.cpgbpc.local' as
'working'
(Mon Oct 22 17:33:37 2018) [sssd[be[cpgbpc.local]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=mcox(a)cpgbpc.local,cn=users,cn=cpgbpc.local,cn=sysdb]
has set [ts_cache] attrs.
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=mcox(a)cpgbpc.local,cn=users,cn=cpgbpc.local,cn=sysdb]
has set [cache, ts_cache] attrs.
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [dp_pam_handler]
(0x0100): Got request with the following data
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): domain: cpgbpc.local
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): user: mcox(a)cpgbpc.local
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): service: su-l
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): tty: pts/1
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): ruser: mcox3
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): rhost:
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): authtok type: 0
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): priv: 0
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): cli_pid: 2294
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): logon name: not set
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]]
[ipa_hostgroup_info_done] (0x0200): Dereferenced host group:
ipa-test-clients
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [get_ipa_groupname]
(0x0020): Expected cn in RDN, got uid
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]]
[hbac_user_attrs_to_rule] (0x0020):
[uid=mcox2,cn=users,cn=accounts,dc=cpgbpc,dc=local] does not map to either
a user or group. Skipping
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [hbac_get_category]
(0x0200): Category is set to 'all'.
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [hbac_get_category]
(0x0200): Category is set to 'all'.
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [hbac_evaluate]
(0x0100): [< hbac_evaluate()
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [hbac_evaluate]
(0x0100): The rule [allow_ssh_access] did not match.
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [hbac_evaluate]
(0x0100): ALLOWED by rule [allow_all_sysadmin].
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [hbac_evaluate]
(0x0100): hbac_evaluate() >]
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[allow_all_sysadmin]
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [sysdb_set_entry_attr]
(0x0200): Entry [cn=selinux,cn=cpgbpc.local,cn=sysdb] has set [cache] attrs.
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [child_sig_handler]
(0x0100): child [2298] finished successfully.
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [dp_pam_handler]
(0x0100): Got request with the following data
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): command: SSS_PAM_SETCRED
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): domain: cpgbpc.local
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): user: mcox(a)cpgbpc.local
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): service: su-l
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): tty: pts/1
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): ruser: mcox3
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): rhost:
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): authtok type: 0
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): priv: 0
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): cli_pid: 2294
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): logon name: not set
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [dp_pam_handler]
(0x0100): Got request with the following data
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): command: SSS_PAM_OPEN_SESSION
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): domain: cpgbpc.local
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): user: mcox(a)cpgbpc.local
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): service: su-l
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): tty: pts/1
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): ruser: mcox3
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): rhost:
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): authtok type: 0
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): priv: 0
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): cli_pid: 2294
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [pam_print_data]
(0x0100): logon name: not set
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]] [remove_tree_with_ctx]
(0x0020): Cannot open /var/lib/sss/deskprofile/cpgbpc.local/mcox: [2]: No
such file or directory
(Mon Oct 22 17:33:38 2018) [sssd[be[cpgbpc.local]]]
[ipa_pam_session_handler_done] (0x0040): No Desktop Profile rules found
------------------------------------------
So is this not working correctly, or is it my understanding of the rule?
Also one other thing - I seem to not be able to sign up at
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
- I can subscribe to the list but not sign up ...
5 years, 1 month
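The two logs above both show the same shape of PAM data: `user:` is the account being entered and `ruser:` is the account running su, and HBAC matches on the former. The following is an added illustration (not code from the post, nor from SSSD or FreeIPA) that models that evaluation with the two rules printed by `ipa hbacrule-show`; the rule contents and host name come from the post, while mcox's membership of the sysadmin group and the omitted allow_desktop rule are assumptions.

```python
"""Model of how SSSD evaluates FreeIPA HBAC rules for an `su - <target>`.

Constructed example. HBAC is evaluated against the PAM "user" (the account
being entered); the invoking account is only reported as "ruser" and takes
no part in the match. Allow-only semantics: the first matching enabled rule
grants access, and no match means denied.
"""
from dataclasses import dataclass, field

ALL = "all"  # FreeIPA "category: all" wildcard


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)
    user_cat: str = ""
    host_cat: str = ""
    service_cat: str = ""

    def matches(self, user, user_groups, host, service):
        if not self.enabled:
            return False
        user_ok = (self.user_cat == ALL or user in self.users
                   or bool(user_groups & self.groups))
        host_ok = self.host_cat == ALL or host in self.hosts
        svc_ok = self.service_cat == ALL or service in self.services
        return user_ok and host_ok and svc_ok


# The two rules as printed by `ipa hbacrule-show` in the post.
RULES = [
    HbacRule("allow_all_sysadmin", users={"mcox"}, groups={"sysadmin"},
             host_cat=ALL, service_cat=ALL),
    HbacRule("allow_ssh_access", users={"mcox2", "mcox3"},
             hosts={"ipaclient2.cpgbpc.local"}, services={"sshd"}),
]

# Group membership (assumed; the post only lists mcox as a direct user).
GROUPS = {"mcox": {"sysadmin"}, "mcox2": set(), "mcox3": set()}


def hbac_evaluate(rules, user, host, service):
    """Return (granted, matched_rule_name or None) for one PAM request."""
    for rule in rules:
        if rule.matches(user, GROUPS.get(user, set()), host, service):
            return True, rule.name
    return False, None


def evaluate_su(rules, ruser, target, host):
    """`su - target` run by ruser: PAM sends user=target, service=su-l,
    so HBAC is checked for the *target* account. ruser is only logged."""
    return hbac_evaluate(rules, target, host, "su-l")


if __name__ == "__main__":
    host = "ipaclient2.cpgbpc.local"
    print("mcox  -> mcox3:", evaluate_su(RULES, "mcox", "mcox3", host))
    print("mcox3 -> mcox :", evaluate_su(RULES, "mcox3", "mcox", host))
```

In other words, the rule governs which accounts may be entered through su on that host, not which users may run su; to restrict the latter, limit the su-l service on the target accounts (or use sudo rules) rather than granting it on the originating account.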
freeipa in Docker: please help to recover the data.
by skrawczenko@gmail.com
Hello, I used to have the Docker version of freeipa-server; everything went well until some disaster.
While recovering from the disaster, I've managed to get dirsrv working, but pki-tomcat is not, and it doesn't seem worth fixing.
The idea is to bring up fresh freeipa-server container and fill it with existing data: only users, groups and passwords are valuable.
Is there any way to do that please?
(backup will not work, as current instance is already recovered from backup and it seems broken).
5 years, 1 month
Re: Export CA from FreeIPA to new FreeIPA
by Ralph Crongeyer
Hi Fraser,
Actually my goal would be to have two identical stand alone servers. For
instance maybe add a server as a replica and then separate them from each
other, or maybe export the CA's and issued certs and then import them to a
new server. But I'm not sure how to do either of those.
I did try to add a server as a replica and then run ipa-replica-manage del
server-name on both, but when I try to delete the master from the replica
it complains that it can't be removed. I tried ipa-replica-manage del
master-server-name --force and that works but then the ipa tools break and
I can no longer log in to the web portal. So I know I'm doing something
wrong.
Any advice would be helpful.
Thanks,
Ralph
> On Tue, Oct 16, 2018 at 7:18 PM Fraser Tweedale <ftweedal(a)redhat.com>
> wrote:
>
>> On Tue, Oct 16, 2018 at 01:23:11PM -0400, Ralph Crongeyer via
>> FreeIPA-users wrote:
>> > Hello,
>> > I have a FreeIPA server that is currently running as a CA only, no
>> clients
>> > connect, no LDAP entries have ever been made, no DNS etc... The original
>> > ipa CA is how it was setup during the initial install.
>> > A second CA was created, company.com CA, and certs have been created
>> from
>> > this CA.
>> > I've setup two new freeipa boxes and have them replicated and migrated
>> our
>> > openldap users and groups.
>> >
>> > What we would like to do now is to export the company.com CA from the
>> > "freeipa CA only" and import it into the new freeipa environment.
>> > I haven't been able to find anything about doing this in my web
>> searches so
>> > far.
>> >
>> > Can somebody help me with this?
>> >
>> > Thanks,
>> > Ralph
>>
>> Hi Ralph,
>>
>> It's not clear what you want to accomplish. Do you want to:
>>
>> - Import the company.com CA certificate into FreeIPA so that IPA
>> servers and clients will use it as a trusted CA?
>> (Use `ipa-cacert-manage install` to do this).
>>
>> - Reissue the IPA CA certificate as a subordinate of the company.com
>> CA? You can use `ipa-cacert-manage renew --external-ca` to do
>> this.
>>
>> - Something else?
>>
>> Cheers,
>> Fraser
>>
>
5 years, 1 month
How to delete replica that no longer exists?
by Lachlan Musicman
How do I delete a replica from the master if the replica no longer exists?
The message I get is "Unable to delete replica hostname; cannot connect to
ldaps://hostname:389"
cheers
L.
------
'...postwork futures are dismissed with the claim that "it is not in our
nature to be idle", thereby demonstrating at once an essentialist view of
labor and an impoverished imagination of the possibilities of nonwork.'
Kathi Weeks, *The Problem with Work: Feminism, Marxism, Antiwork Politics
and Postwork Imaginaries*
<https://www.dukeupress.edu/The-Problem-with-Work/>
5 years, 1 month
Password migration
by Marcos Acebes
Hi all.
I'm migrating from LDAP to FreeIPA and everything has been going well.
I have one server with two replicas and two clients attached to the realm.
I migrated all the user accounts with the ipa migrate-ds command without
issues.
Then I chose the seamless password migration using SSSD, but that only
works when the users access the system using one of the clients, not both.
Both clients were attached in the same way and have the same configuration.
The only difference is that the one that doesn't work has some modifications
in /etc/pam.d/sshd.
Does anyone know if the process runs on the client side or on the server?
Any hints about how to debug this?
Thanks in advance.
Marcos
5 years, 1 month
"message" -> "Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute
by Thomas Höll
Hi All,
I've been building a password self service application which talks to
the FreeIPA REST API to reset a user's password. This is working
perfectly when I use the 'admin' user to perform the operation, but I
don't want to do that in production because of reasons.
So I've created a dedicated service account and assigned the role
'helpdesk' (I've also tried 'User Administrator'). I can perform
changes like modifying another user's email address, but I can't reset
the password.
The error is:
code=2100
message=Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=XXXXXXXXX'.
data={info=Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=tho,cn=users,cn=accounts,dc=ipa,dc=diges,dc=org'.}
name=ACIError
Any ideas?
Regards,
Thomas
5 years, 1 month
ipa.service "fails" to start
by Z D
Hi there,
This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7.
After reboot I couldn't start the ipa service via systemctl, hence I ran "ipactl start --ignore-service-failures" and this was kind of successful. I still have some discrepancies, and am looking for troubleshooting ideas.
1. "systemctl status ipa.service" reads that service failed
2. "systemctl status pki-tomcatd.target" reads that PKI Tomcat Server is running.
3.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED <---- !!
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Well, why does pki-tomcatd read 'stopped', and how do I make systemctl recognize that the ipa service is running? Thanks in advance,
Zarko
5 years, 1 month
Remove a replica without DNS from a master with DNS
by Ralph Crongeyer
Hello List,
I'm trying to remove a replica without the DNS component installed from a
master with the DNS component installed. Every time I remove the replica
from the master (ipa-replica-manage del replica.server.com) I can no longer
log into the web UI of the replica.
Additionally when I try to remove the master from the replica
(ipa-replica-manage del master.server.com) it tells me that it can't remove
the master server because it will leave this server (replica server)
without DNS.
What do I need to do so that the removed replica can function without
the master for DNS?
Thanks,
Ralph
5 years, 1 month
LDAP replica + Sub-CA on one FreeIPA server
by Dmitry Perets
Hi,
I am considering FreeIPA for a multi-site project, to provide both PKI and LDAP services.
So ideally, I would like to have one separate FreeIPA server on each site + one central FreeIPA server.
And this is what I have in mind:
1. The central FreeIPA server will be my master for LDAP/Kerberos. And each site will have a replica (so that the users can still authenticate, even if the connectivity to the central location is broken).
2. As for PKI - I'd prefer to build a hierarchy: central server would be RootCA and each site would be a separate SubCA (signed by the RootCA).
I tried to implement this, but it seems that it is impossible...
I've installed the replica for LDAP/Kerberos successfully, using ipa-replica-install. But now I cannot add a SubCA to it:
$ sudo ipa-ca-install --external-ca --ca-subject="CN=FreeIPA-SubCA,O=WOOF.NET"
--ca-subject cannot be used when installing a CA replica
So it looks like on an LDAP replica server I can only install a CA replica... not a full SubCA...
Is there a way to solve this?
* One way, of course, is to install a separate Dogtag CA on each site, and keep CA-less FreeIPA server just for the LDAP/Kerberos replica...
---
Regards,
Dmitry Perets
5 years, 1 month
New FreeIPA Server Setup
by Ben Archuleta
Hello All,
I am in the process of setting up a FreeIPA server to replace an ancient NIS (last updated in 2013-ish). I can manually recreate the accounts (about 280) for the most part, but the issue I can't seem to work around is migrating the passwords over. From what I can tell there is no way to carry over the hashes as they are, and it looks like my only option is to go to each person and have them re-input their password into FreeIPA.
Is there a tool that can help with this issue, or any tips from people who have upgraded from NIS to IPA?
Regards,
Ben Archuleta
IT Services Specialist
5 years, 1 month