Hello,
I am using freeipa 4.5.0.21 (full details below) and I noticed a weird behaviour. When getting information about a server with a regular user, it won't show the server roles while these roles will be given when checking the server roles themselves. In this case the roles are of 'configured' status instead of 'enabled' (which is probably what would be expected). As it's not documented in the official Guide and I didn't find anything in the mail archive, I believe some clarification is needed. Should server roles be found through some commands but not others? Is there any security issue with always showing them?
(user) # ipa server-show srv3.idm.local --all
  dn: cn=srv3.idm.local,cn=masters,cn=ipa,cn=etc,dc=idm,dc=local
  Server name: srv3.idm.local
  Enabled server roles:
  objectclass: top, nsContainer, ipaReplTopoManagedServer, ipaConfigObject, ipaSupportedDomainLevelConfig

(user) # ipa server-role-show srv3.idm.local 'NTP server'
  Server name: srv3.idm.local
  Role name: NTP server
  Role status: configured

(admin) # ipa server-show srv3.idm.local --all
  dn: cn=srv3.idm.local,cn=masters,cn=ipa,cn=etc,dc=idm,dc=local
  Server name: srv3.idm.local
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, DNS server, NTP server
  objectclass: top, nsContainer, ipaReplTopoManagedServer, ipaConfigObject, ipaSupportedDomainLevelConfig
# yum info ipa-server -v
Loading "fastestmirror" plugin
Config time: 0.008
Yum version: 3.4.3
rpmdb time: 0.000
Setting up Package Sacks
Loading mirror speeds from cached hostfile
pkgsack time: 0.004
Installed Packages
Name        : ipa-server
Arch        : x86_64
Version     : 4.5.0
Release     : 21.el7.centos.2.2
Size        : 1.0 M
Repo        : installed
From repo   : ipa
Committer   : Johnny Hughes johnny@centos.org
Committime  : Thu Oct 19 14:00:00 2017
Buildtime   : Thu Oct 19 22:52:09 2017
Install time: Mon Sep 23 21:46:46 2019
Installed by: root <root>
Changed by  : System <unset>
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
Licence     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (users,
            : hosts, services), Authentication (SSO, 2FA), and Authorization
            : (host access control, SELinux user roles, services). The solution provides
            : features for further integration with Linux based clients (SUDO, automount)
            : and integration with Active Directory based infrastructures (Trusts).
            : If you are installing an IPA server, you need to install this package.

# cat /etc/*release*
CentOS Linux release 7.4.1708 (Core)
Derived from Red Hat Enterprise Linux 7.4 (Source)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.4.1708 (Core)
CentOS Linux release 7.4.1708 (Core)
cpe:/o:centos:centos:7
Best regards Eugene
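
The difference between the outputs quoted in the message above can be checked mechanically; this is an added example, not part of the original post and not FreeIPA code. The helper names (parse_show, hidden_from, role_mismatch) are hypothetical, and the sample text is constructed from the quoted output with one attribute per line.

```python
# Constructed sample input: the CLI outputs quoted in the post, one attribute per line.
USER_SHOW = """\
  dn: cn=srv3.idm.local,cn=masters,cn=ipa,cn=etc,dc=idm,dc=local
  Server name: srv3.idm.local
  Enabled server roles:
  objectclass: top, nsContainer, ipaReplTopoManagedServer, ipaConfigObject, ipaSupportedDomainLevelConfig
"""
ADMIN_SHOW = """\
  dn: cn=srv3.idm.local,cn=masters,cn=ipa,cn=etc,dc=idm,dc=local
  Server name: srv3.idm.local
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, DNS server, NTP server
  objectclass: top, nsContainer, ipaReplTopoManagedServer, ipaConfigObject, ipaSupportedDomainLevelConfig
"""
USER_ROLE_SHOW = """\
  Server name: srv3.idm.local
  Role name: NTP server
  Role status: configured
"""


def parse_show(text):
    """Parse 'Label: v1, v2' lines of ipa CLI output into {label: [values]}."""
    attrs = {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        if sep:  # skip lines that carry no 'Label:' prefix
            attrs[label.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def hidden_from(unprivileged, privileged):
    """Attributes with values in the privileged view that are missing or empty in the other."""
    low, high = parse_show(unprivileged), parse_show(privileged)
    return {k: v for k, v in high.items() if v and not low.get(k)}


def role_mismatch(show_text, role_text):
    """Return (role, status) if server-role-show reports a role that server-show does not list."""
    show, role = parse_show(show_text), parse_show(role_text)
    name, status = role["Role name"][0], role["Role status"][0]
    listed = show.get("Enabled server roles", [])
    return None if name in listed else (name, status)
```

Feeding it the output of the same two commands captured under a regular and an admin principal shows which attributes the unprivileged view omits.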
Eugène Adell via FreeIPA-users wrote:
> Hello,
> I am using freeipa 4.5.0.21 (full details below) and I noticed a weird behaviour. When getting information about a server with a regular user, it won't show the server roles while these roles will be given when checking the server roles themselves. In this case the roles are of 'configured' status instead of 'enabled' (which is probably what would be expected). As it's not documented in the official Guide and I didn't find anything in the mail archive, I believe some clarification is needed. Should server roles be found through some commands but not others? Is there any security issue with always showing them?
I think it may have been fixed as part of https://pagure.io/freeipa/issue/7566 in 4.6.5. It was fixed in the 4.5 branch but a new release hasn't been made on that branch, and may never be.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hello,
I installed a CentOS 7.7 which comes with freeipa 4.6.5.11 and I confirm the issue is no longer here. Thanks
E.A.
On Wed, 25 Sep 2019 at 01:57, Rob Crittenden rcritten@redhat.com wrote:
> I think it may have been fixed as part of https://pagure.io/freeipa/issue/7566 in 4.6.5. It was fixed in the 4.5 branch but a new release hasn't been made on that branch, and may never be.
> rob