Re: [Freeipa-users] New User - Possible to point authentication to external KDC
On Tue, Feb 26, 2013 at 1:18 PM, Dmitri Pal wrote:
> On 02/26/2013 01:31 AM, Trey Dockendorf wrote:
>> On Feb 25, 2013 1:23 AM, "Dmitri Pal" wrote:
>>> On 02/23/2013 10:33 PM, Trey Dockendorf wrote:
>>>> I just began evaluating FreeIPA, after having successfully used 389ds
>>>> for a few months. The move from 389 ds to FreeIPA is to leverage the
>>>> authorization for host logins and also for simpler management. The
>>>> University I am deploying at has a campus wide KDC and for security
>>>> and audit reasons I prefer to point my authentication services at that
>>>> Kerberos realm rather than storing passwords. I have successfully
>>>> implemented this using the 389 ds pam pass through authentication
>>>> plug-in, but have not found any documentation on how to do this same
>>>> thing with FreeIPA.
>>>>
>>>> The complication with doing this is I do not have even a 1 way trust
>>>> with the KDC. Getting a trust (even 1-way) is very difficult if not
>>>> impossible, but so far I've been able to make PAM work with that
>>>> situation both using local authentication and now 389 ds, both through
>>>> PAM. Is it possible to have FreeIPA query a remote KDC while still
>>>> being able to fall back to the local password store (ie external users
>>>> not in campus domain)?
>>>
>>> IPA uses the 389 DS so it might be possible to configure PAM pass
>>> through but there might be implications because if users are not in IPA
>>> you would not get a ticket and since you can't get a ticket you can't use
>>> UI and CLI. You can still bind using LDAP though as you do with the 389.
>>> So to manage IPA you would still have to have a user in IPA. However you
>>> will have two KDCs and I do not know what implications there would be
>>> for the clients, they might be confused.
>>> Frankly you are better off with 389 now until we make setting up trusts
>>> with other IPAs or MIT KDCs simple. We did that for AD but it requires a
>>> clean DNS setup.
>>> I suspect DNS setup will be an issue in any case.
>>>
>>>> Thanks
>>>> - Trey
>>>>
>>>> ___
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>> ---
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>
>> Thanks for the response! I do plan to have all my users in freeIPA. My
>> goal is to have my freeIPA install just attempt a password authentication
>> against the external KDC via pam on the IPA server before trying the local
>> password store. With my current 389 setup, clients are unaware of our
>> campus KDC, the authentication is handled by my 389 server and currently
>> users in my LDAP who have campus accounts get their password verified via
>> PAM and others in my LDAP use the local password stored in 389.
>>
>> The aspects of IPA aside from 389 are where my uncertainty lies. For
>> example, if I have LDAP authenticate against an external KDC via PAM, can
>> the user still get a ticket from my IPA?
>>
>> Also getting a trust may not be possible even if freeipa makes the process
>> easier. This is a politics issue with our campus' main IT group and
>> something I've worked around thus far.
>>
>> Is there anything in changes of the stock 389 that would prevent this from
>> working in IPA? Also is there a preferred method for enabling plugins in
>> IPA? Also how could I test this? Would a client machine joined to my IPA
>> install be the best method?
>>
>> Thanks
>> - Trey
>
> If you hit IPA with a kerberos authentication, to the best of my knowledge
> the KDC will read the data from LDAP and use it for authentication. It would
> not do PAM proxy in this case. The pam proxy would be possible only for the
> LDAP binds so I am not sure whether things would work for you.
>
> I see that you try to augment the existing infrastructure but I am not sure
> I have a clear picture in my mind of the architecture you envision.
> Is there any chance that you can put together a diagram?
>
> --
> Thank you,
> Dmitri Pal

Is the pam proxy for LDAP binds you mentioned using the method documented
here, http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through ? That
is what I have working currently with 389 by itself.

Do any diagrams exist of the existing infrastructure design for FreeIPA? I
could augment an existing one to better illustrate my intended usage.

A plain text example of what I do now, and wish to do with FreeIPA, is
something like this...

Client login (SSH, or LDAP from web app, anything that que
Re: [Freeipa-users] Solaris 10 problem using netgroups
Have you considered using AllowGroups in sshd_config for restricting ssh
logins instead? By using AllowGroups you could use the same user group for
ssh access to Solaris and for Linux hosts using sssd and hbac.

Regards
Siggi

"Eli J. Elliott" wrote:
> I have a problem with Solaris 10 and netgroups with IPA.
>
> I am able to login to the Solaris 10 server with IPA users as long as I am
> not using netgroups. As soon as I add a netgroup I can no longer
> authenticate.
>
> I have updated nsswitch.conf:
>
>     #passwd: files ldap
>     passwd: compat
>     passwd_compat: files ldap
>     group: files ldap
>
> And then added the netgroup to /etc/passwd:
>
>     +@MYHOST:x:
>
> And used pwconv to get the netgroup into /etc/shadow:
>
>     +@MYHOST:x:15765::
>
> I am able to see the user in getent (and none of the users I want
> restricted show up, only the user I want which is great):
>
>     -bash-3.2# getent passwd testuser
>     testuser:x:3713:3713:Test User:/export/home/testuser:/bin/bash
>
> I am also able to su to testuser as root:
>
>     -bash-3.2# su - testuser
>     Oracle Corporation SunOS 5.10 Generic Patch January 2005
>     -bash-3.2$ id
>     uid=3713(testuser) gid=3713(testgroup)
>
> I cannot su to the user from another user, it appears to be the password
> that is the problem. I can successfully change passwords using kpasswd
> from the Solaris 10 host.
>
> I've enabled PAM debugging:
>
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
>     Mar 1 12:54:04 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
>     Mar 1 12:54:07 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
>     Mar 1 12:54:07 MYHOST last message repeated 1 time
>     Mar 1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
>     Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
>     Mar 1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
>     Mar 1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.notice] Failed keyboard-interactive for testuser from 30.241.208.21 port 4469 ssh2
>     Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
>     Mar 1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed
>     Mar 1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
>     Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
>     Mar 1 12:54:08 MYHOST sshd[3928]: [ID
Re: [Freeipa-users] What does the "u" mean in IPA messages?
On 03/01/2013 04:01 PM, John Dennis wrote:
> On 03/01/2013 03:17 PM, KodaK wrote:
>> On Thu, Feb 28, 2013 at 5:01 PM, John Dennis wrote:
>>> On 02/28/2013 05:34 PM, KodaK wrote:
>>> BTW, why are you parsing diagnostic output?
>>
>> I haven't actually started yet, I was just getting my bearings. I was
>> going to wrap the commands in some scripts so I can do things like allow
>> an auditor to view the results of an HBAC test without being able to
>> modify them. Among other things.
>>
>> Is there a way to turn off the diagnostic messages? They appear to be on
>> by default.
>
> INFO messages are output when the verbose flag is enabled
> DEBUG messages are output when the debug flag is enabled
>
> Those flags can either be set in a config file (/etc/ipa/default.conf or
> ~/.ipa/default.conf) or via a command line argument. If you haven't
> passed the verbose flag to the command then it must be set in one of the
> config files.
>
> Petr Viktorin recently cleaned up how messages are managed in the command
> line tools (I don't think this has made it out into a public release
> yet). So there may be changes coming you'll want to be aware of, perhaps
> Petr might fill us in on what's different. I think we had some client
> tools that forced verbose to be enabled when it should have respected a
> command line option and/or config option. I think that's some of what
> Petr fixed.

Here is the design document for the work Petr did, HTH

http://freeipa.org/page/V3/Logging_and_output

--
John Dennis
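The practical split the thread draws is between the INFO/DEBUG diagnostics (switched on by the verbose/debug flags, format unstable) and the command output proper (the part a wrapper script may parse). The "u" in the subject line is Python 2's unicode-string marker: when a diagnostic embeds the repr of a value, strings print as u'...'. The script below is an added example, not FreeIPA's code and not from anyone in this thread. It assumes diagnostic lines look like "ipa: INFO: ..." / "ipa: DEBUG: ..." and that default.conf carries verbose/debug under a [global] section; both are assumptions, and the sample capture and config are constructed, not real ipa output.

```python
"""Separate FreeIPA CLI diagnostic lines from command output and decode u'...' reprs.

Added example, not FreeIPA's own code. Assumptions not confirmed by the thread:
  * diagnostics look like "ipa: INFO: ..." / "ipa: DEBUG: ..." (levels assumed)
  * [global] section and verbose/debug option names in default.conf
"""
import ast
import configparser
import re
import subprocess

DIAG_RE = re.compile(r"^ipa: (?P<level>INFO|DEBUG|WARNING|ERROR): (?P<msg>.*)$")

# Flat Python reprs embedded in a message: [..], {..} or a bare u'..' literal.
REPR_RE = re.compile(r"\[.*?\]|\{.*?\}|u'[^']*'")


def split_streams(lines):
    """Classify captured lines into (diagnostics as (level, msg) pairs, command output).

    Useful when a wrapper captured 2>&1 and the two kinds of text are interleaved;
    with stdout and stderr captured separately the split is already done for you."""
    diagnostics, output = [], []
    for line in lines:
        m = DIAG_RE.match(line)
        if m:
            diagnostics.append((m.group("level"), m.group("msg")))
        else:
            output.append(line)
    return diagnostics, output


def decode_reprs(msg):
    """Return the values of Python 2 reprs embedded in a diagnostic message.

    The u prefix is Python 2's unicode-string marker; ast.literal_eval accepts it
    on Python 3.3+ and, unlike eval(), never executes code from the untrusted text."""
    values = []
    for token in REPR_RE.findall(msg):
        try:
            values.append(ast.literal_eval(token))
        except (ValueError, SyntaxError):
            continue  # not a literal after all, e.g. ordinary text in brackets
    return values


def verbosity_from_config(config_text):
    """Report whether verbose/debug are switched on in a default.conf-style file."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return {
        "verbose": cp.getboolean("global", "verbose", fallback=False),
        "debug": cp.getboolean("global", "debug", fallback=False),
    }


def run_ipa(argv):
    """Run an ipa subcommand on an enrolled client, keeping stdout and stderr apart.

    Only the stdout lines are the command's result; the stderr diagnostics may
    change between releases and should not be parsed for decisions. Needs a real
    client, so it is not exercised by the constructed sample data below."""
    proc = subprocess.run(["ipa", *argv], capture_output=True, text=True, check=False)
    diagnostics, _ = split_streams(proc.stderr.splitlines())
    return proc.returncode, proc.stdout.splitlines(), diagnostics


# Constructed sample capture (2>&1 style); not real ipa output.
SAMPLE_STDERR = [
    "ipa: INFO: trying https://ipa.example.test/ipa/json",
    "ipa: DEBUG: Forwarding u'hbactest' to server",
    "ipa: DEBUG: args=[u'hbactest'] options={u'user': u'alice', u'host': u'web1.example.test'}",
]
SAMPLE_STDOUT = [
    "--------------------",
    "Access granted: True",
    "--------------------",
    "  Matched rules: allow_all",
]
SAMPLE_CAPTURE = SAMPLE_STDERR + SAMPLE_STDOUT

# Constructed config text; [global] and the option names are assumptions.
SAMPLE_CONF = """[global]
realm = EXAMPLE.TEST
verbose = True
"""

if __name__ == "__main__":
    diags, out = split_streams(SAMPLE_CAPTURE)
    for level, msg in diags:
        print(level, decode_reprs(msg))
    print("\n".join(out))
    print(verbosity_from_config(SAMPLE_CONF))
```

The point of keeping the streams apart is that a wrapper for an auditor should base its answer on the command output only; if verbose turns out to be set in one of the config files, verbosity_from_config shows where it comes from rather than leaving the wrapper to strip the extra lines by pattern.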
Re: [Freeipa-users] What does the "u" mean in IPA messages?
On 03/01/2013 03:17 PM, KodaK wrote:
> On Thu, Feb 28, 2013 at 5:01 PM, John Dennis wrote:
>> On 02/28/2013 05:34 PM, KodaK wrote:
>> BTW, why are you parsing diagnostic output?
>
> I haven't actually started yet, I was just getting my bearings. I was
> going to wrap the commands in some scripts so I can do things like allow
> an auditor to view the results of an HBAC test without being able to
> modify them. Among other things.
>
> Is there a way to turn off the diagnostic messages? They appear to be on
> by default.

INFO messages are output when the verbose flag is enabled
DEBUG messages are output when the debug flag is enabled

Those flags can either be set in a config file (/etc/ipa/default.conf or
~/.ipa/default.conf) or via a command line argument. If you haven't passed
the verbose flag to the command then it must be set in one of the config
files.

Petr Viktorin recently cleaned up how messages are managed in the command
line tools (I don't think this has made it out into a public release yet).
So there may be changes coming you'll want to be aware of, perhaps Petr
might fill us in on what's different. I think we had some client tools that
forced verbose to be enabled when it should have respected a command line
option and/or config option. I think that's some of what Petr fixed.

--
John Dennis
Re: [Freeipa-users] What does the "u" mean in IPA messages?
On Thu, Feb 28, 2013 at 5:01 PM, John Dennis wrote:
> On 02/28/2013 05:34 PM, KodaK wrote:
> BTW, why are you parsing diagnostic output?

I haven't actually started yet, I was just getting my bearings. I was going
to wrap the commands in some scripts so I can do things like allow an
auditor to view the results of an HBAC test without being able to modify
them. Among other things.

Is there a way to turn off the diagnostic messages? They appear to be on by
default.

--
The government is going to read our mail anyway, might as well make it
tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] What does the "u" mean in IPA messages?
nick hatch wrote:
> On Thu, Feb 28, 2013 at 3:01 PM, John Dennis wrote:
>> BTW, why are you parsing diagnostic output? They are not part of the
>> official API. We do not have any consistency rules for INFO and DEBUG
>> messages, they can change at any time and often do. On the other hand
>> command output is fairly consistent and not subject to the capricious
>> whims of developers.
>
> Not the original poster, but parsing log events is commonly done prior to
> saving them in a structured data store as a transitional measure while
> efforts like CEE and Project Lumberjack [1] stabilize. For example, the
> popular Logstash project provides a library of patterns for common
> services [2]. For users who parse FreeIPA logs, frequent log formatting
> changes could be disruptive.
>
> -n
>
> [1] https://fedorahosted.org/lumberjack/
> [2] http://logstash.net/docs/1.1.9/filters/grok

That's a good point. What John is talking about though are informative
messages output by the client tool, not something that would end up in a
log.

rob
Re: [Freeipa-users] What does the "u" mean in IPA messages?
On Thu, Feb 28, 2013 at 3:01 PM, John Dennis wrote:
> BTW, why are you parsing diagnostic output? They are not part of the
> official API. We do not have any consistency rules for INFO and DEBUG
> messages, they can change at any time and often do. On the other hand
> command output is fairly consistent and not subject to the capricious whims
> of developers.

Not the original poster, but parsing log events is commonly done prior to
saving them in a structured data store as a transitional measure while
efforts like CEE and Project Lumberjack [1] stabilize. For example, the
popular Logstash project provides a library of patterns for common services
[2]. For users who parse FreeIPA logs, frequent log formatting changes could
be disruptive.

-n

[1] https://fedorahosted.org/lumberjack/
[2] http://logstash.net/docs/1.1.9/filters/grok
[Freeipa-users] Solaris 10 problem using netgroups
I have a problem with Solaris 10 and netgroups with IPA.

I am able to login to the Solaris 10 server with IPA users as long as I am
not using netgroups. As soon as I add a netgroup I can no longer
authenticate.

I have updated nsswitch.conf:

    #passwd: files ldap
    passwd: compat
    passwd_compat: files ldap
    group: files ldap

And then added the netgroup to /etc/passwd:

    +@MYHOST:x:

And used pwconv to get the netgroup into /etc/shadow:

    +@MYHOST:x:15765::

I am able to see the user in getent (and none of the users I want
restricted show up, only the user I want which is great):

    -bash-3.2# getent passwd testuser
    testuser:x:3713:3713:Test User:/export/home/testuser:/bin/bash

I am also able to su to testuser as root:

    -bash-3.2# su - testuser
    Oracle Corporation SunOS 5.10 Generic Patch January 2005
    -bash-3.2$ id
    uid=3713(testuser) gid=3713(testgroup)

I cannot su to the user from another user, it appears to be the password
that is the problem. I can successfully change passwords using kpasswd from
the Solaris 10 host.

I've enabled PAM debugging:

    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 122435 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1)
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 746646 auth.debug] PAM[3928]: load_modules(80c8b18, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 586621 auth.debug] PAM[3928]: load_function: successful load of pam_sm_authenticate
    Mar 1 12:54:04 MYHOST sshd[3928]: [ID 425581 auth.debug] PAM[3928]: pam_get_user(80c8b18, 80c8b18, NULL)
    Mar 1 12:54:07 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
    Mar 1 12:54:07 MYHOST last message repeated 1 time
    Mar 1 12:54:07 MYHOST sshd[3928]: [ID 117705 auth.debug] PAM[3928]: pam_authenticate(80c8b18, 1): error Authentication failed
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:authtok)
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 800047 auth.notice] Failed keyboard-interactive for testuser from 30.241.208.21 port 4469 ssh2
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 185624 auth.debug] PAM[3928]: pam_end(80c8b18): status = Authentication failed
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 228857 auth.debug] PAM[3928]: pam_start(sshd-kbdint,testuser,80a98a8:80c8b18) - debug = 1
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:service)
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:user)
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:conv)
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:rhost)
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 224148 auth.debug] PAM[3928]: pam_set_item(80c8b18:tty)
    Mar 1 12:54:08 MYHOST sshd[3928]: [ID 1
Re: [Freeipa-users] Cannot obtain CA Certificate
On Wed, Feb 27, 2013 at 11:52:42AM +0100, Petr Spacek wrote:
> On 27.2.2013 11:34, Jan-Frode Myklebust wrote:
>>
>> I have a similar problem getting a couple of RHEL 6.4 clients working
>> with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
>> ipa-client-install I get:
>>
>>     * gss_init_sec_context() failed: : Request is a replay
>>     < WWW-Authenticate: Negotiate
>
> This is very suspicious. Could you double check time on all servers
> and the client?

The cause of this problem was that the router ACL was dropping the kerberos
return traffic from the ipa server. We had an opening from the client to the
ipa-server on port 88/udp, but not from the ipa-server 88/udp back to the
client's high port.

-jf
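The failure mode here is a stateless ACL that permits the client's request to udp/88 but has no rule for the reply, which leaves the KDC on source port 88 talking to an ephemeral client port. A stateful firewall tracks the UDP exchange and admits the reply by itself; a plain router ACL needs the return rule spelled out. The script below is an added example, not code from this thread or from FreeIPA. It models a first-match ACL with an implicit deny and checks that both halves of one Kerberos request/reply round trip are permitted, over UDP and over TCP (clients also use TCP 88, for instance when a reply is too large for UDP). The addresses, rule sets and the ephemeral port are constructed; the rule syntax is the script's own, not any vendor's.

```python
"""Check a stateless packet-filter rule set for the Kerberos request/reply pair.

Added example, not from the thread or from FreeIPA. The Rule/Packet model,
addresses (RFC 5737 documentation ranges) and ephemeral port are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                                 # "permit" or "deny"
    proto: str                                  # "udp", "tcp" or "any"
    src: str                                    # CIDR
    dst: str                                    # CIDR
    dst_port: Optional[Tuple[int, int]] = None  # inclusive range; None = any
    src_port: Optional[Tuple[int, int]] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]


def first_match(rules, pkt):
    """First-match evaluation with an implicit deny, as on most router ACLs."""
    for r in rules:
        if r.proto not in ("any", pkt.proto):
            continue
        if ip_address(pkt.src) not in ip_network(r.src):
            continue
        if ip_address(pkt.dst) not in ip_network(r.dst):
            continue
        if not _in_range(pkt.dport, r.dst_port) or not _in_range(pkt.sport, r.src_port):
            continue
        return r.action
    return "deny"


def kerberos_exchange(client, kdc, proto, ephemeral=49152):
    """The two packets of one AS-REQ/AS-REP (or TGS-REQ/TGS-REP) round trip."""
    request = Packet(proto, client, ephemeral, kdc, 88)
    reply = Packet(proto, kdc, 88, client, ephemeral)
    return request, reply


def blocked_directions(rules, client, kdc):
    """List the (proto, direction) pairs the ACL would drop for this client/KDC pair."""
    bad = []
    for proto in ("udp", "tcp"):
        request, reply = kerberos_exchange(client, kdc, proto)
        if first_match(rules, request) != "permit":
            bad.append((proto, "request"))
        if first_match(rules, reply) != "permit":
            bad.append((proto, "reply"))
    return bad


CLIENT_NET = "192.0.2.0/24"      # constructed client subnet
KDC = "198.51.100.10/32"         # constructed IPA server address

# The mistake described in the thread: only client -> KDC is opened.
ASYMMETRIC = [
    Rule("permit", "udp", CLIENT_NET, KDC, dst_port=(88, 88)),
    Rule("permit", "tcp", CLIENT_NET, KDC, dst_port=(88, 88)),
]

# Fixed: the reply from KDC port 88 to the client's ephemeral port is allowed too.
SYMMETRIC = ASYMMETRIC + [
    Rule("permit", "udp", KDC, CLIENT_NET, src_port=(88, 88), dst_port=(1024, 65535)),
    Rule("permit", "tcp", KDC, CLIENT_NET, src_port=(88, 88), dst_port=(1024, 65535)),
]

if __name__ == "__main__":
    for name, rules in (("asymmetric", ASYMMETRIC), ("symmetric", SYMMETRIC)):
        print(name, blocked_directions(rules, "192.0.2.25", "198.51.100.10") or "ok")
```

On a real client the equivalent check is to watch udp port 88 on the client while running kinit: requests leaving with no replies coming back, and a KDC that logs the request, point at the return path rather than at clock skew.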