[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-08 Thread Alex Georgopoulos via FreeIPA-users
Also make sure your pam configs are sorted and using sssd

grep -R sss /etc/pam.d/
/etc/pam.d/common-password:password sufficient  pam_sss.so use_authtok
/etc/pam.d/common-auth:auth [success=1 default=ignore]  pam_sss.so use_first_pass
/etc/pam.d/common-account:account   [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-session:session   optional  pam_sss.so

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-08 Thread Alex Georgopoulos via FreeIPA-users
I forgot we configured our /etc/ssh/sshd_config as well.  You need to have the 
AuthorizedKeysCommand.  Here is what ours looks like.


AcceptEnv LANG LC_*
AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
Banner /etc/issue.net
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
HostbasedAuthentication no
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
IgnoreRhosts yes
KerberosAuthentication no
KeyRegenerationInterval 3600
LoginGraceTime 120
LogLevel INFO
MaxSessions 50
MaxStartups 50:30:60
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
Port 22
PrintLastLog yes
PrintMotd no
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
ServerKeyBits 1024
StrictModes yes
Subsystem sftp /usr/lib/openssh/sftp-server
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePAM yes
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding yes


[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-08 Thread Will Kay via FreeIPA-users
Thanks for the tip.   I made the nsswitch.conf just like yours.  I also looked at 
the files on a CentOS 7 client and made changes on the Ubuntu.  But it is still 
no good.   Any more suggestions?

The test user IDs are on the system, I can su to them. However I can't ssh as them.  
I also notice when I try `passwd dummy1`, I get 
passwd: Authentication token manipulation error
passwd: password unchanged

I can't run `sudo -l` either. Is it something with passwd? (which works right when 
logging in on the CentOS 7 VM)

root@test02:~# id -a dummy1
uid=35221(dummy1) gid=35221(dummy1) groups=35221(dummy1)
root@test02:~# su - dummy1
dummy1@ny4test02:~$ sudo -l dummy1
[sudo] password for dummy1: 
Sorry, try again.
[sudo] password for dummy1: 




1) I made nsswitch just like yours

2) My ipa.default
[global]
basedn = dc=x,dc=local
realm = X.LOCAL
domain = x.local
server = ipa1.x.local
host = test02.x.local
xmlrpc_uri = https://ipa1.x.local/ipa/xml
enable_ra = True

3) my krb5.conf

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = X.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  X.LOCAL = {
kdc = ipa1.x.local:88
master_kdc = ipa1.x.local:88
admin_server = ipa1.x.local:749
kpasswd_server = ipa1.x.local:464
default_domain = x.local
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .x.local = X.LOCAL
  x.local = X.LOCAL
  test02.x.local = X.LOCAL

4) My ldap.conf

TLS_CACERT /etc/ipa/ca.crt # modified by IPA
URI ldaps://ipa1.x.local
BASE dc=x,dc=local

5) My sssd.conf
[sssd]
services = nss, sudo, pam, ssh
domains = x.local

[domain/x.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = x.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = test02.x.local
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa1.x.local
dyndns_iface = ens3
ldap_tls_cacert = /etc/ipa/ca.crt

[nss]
homedir_substring = /home


[Freeipa-users] IPA install with custom CA fails at SSL: CERTIFICATE_VERIFY_FAILED

2019-03-08 Thread Jonny McCullagh via FreeIPA-users
I can install freeipa with ipa-server-install and no parameters fine. However I 
want to be able to use IPA as a sub-CA. I have created root and intermediate 
CAs using openssl and attempt to install ipa server with:

/usr/sbin/ipa-server-install \
--external-cert-file=/root/thisserver.domain.dev.cert.pem \
--external-cert-file=/root/intermediate.cert.pem \
--external-cert-file=/root/root-ca.cert.pem \
--external-ca -n domain.dev -r DOMAIN.DEV \
--hostname="thisserver.domain.dev" \
--subject="O=Acme Inc, L=Springfield, ST=Ohio, C=US" \
--ds-password=topsecret --admin-password=opensesame

It stops at step 24 with the following message:

  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: updating IPA configuration
  [23/28]: enabling CA instance
  [24/28]: migrating certificate profiles to LDAP
  [error] NetworkError: cannot connect to 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR    cannot connect to 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

If I visit the address on port 8443 I do get an error I believe due to an empty 
certificate. My browser shows: 

Certificate path length constraint is invalid. Error code: 
SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID 

So I have a few questions if anyone can guide me:
1. Can I resume the install to complete the last 4 installation steps?
2. How can I get the install to use a self-signed cert for the http/ldap 
service OR can I supply a signed cert for that purpose?

Thanks in advance. 

IPA version: 4.6.4-10.el7.centos.2.x86_64
OS: CentOS 7.6
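SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID is NSS reporting that a CA certificate in the chain carries a basicConstraints pathLenConstraint too small for the certificates below it. With an externally signed IPA CA the chain is root -> intermediate -> IPA CA -> service certificate, so an intermediate issued with pathlen:0 (as many openssl intermediate-CA recipes do) cannot have the IPA CA beneath it, and every certificate Dogtag then issues, including the one on port 8443, fails verification. The script below is an added example, not from the thread or the FreeIPA project: it rebuilds that chain with openssl, shows the verify failure with pathlen:0 and the success with pathlen:1, and includes the one-line check to run on the real /root/intermediate.cert.pem before handing it to ipa-server-install. All certificate names are hypothetical and generated on the fly.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the path-length failure with
# openssl. An externally signed IPA CA sits one level BELOW the intermediate,
# so the intermediate's basicConstraints must allow another CA under it
# (pathlen >= 1, or no pathlen at all). Names are hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# minimal req config so "openssl req" works without a system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# ca_ext [PATHLEN]: extension file for a CA cert; no argument = unbounded
ca_ext() {
    pl=${1:-}; f=$WORK/ca${pl}.ext
    printf 'basicConstraints=critical,CA:TRUE%s\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        "${pl:+,pathlen:$pl}" > "$f"
    echo "$f"
}

# leaf_ext: extension file for an end-entity (TLS server) cert
leaf_ext() {
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
    echo "$WORK/leaf.ext"
}

# issue NAME SIGNER EXTFILE: new P-256 key + CSR for NAME, signed by SIGNER
# ("self" for a root). Produces $WORK/NAME.key and $WORK/NAME.pem
issue() {
    name=$1; signer=$2; ext=$3
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
        -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
    if [ "$signer" = self ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 30 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.pem" -CAkey "$WORK/$signer.key" \
            -CAcreateserial -days 30 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# pathlen_of CERT: the Basic Constraints value openssl sees. Run this on the
# real intermediate.cert.pem: "CA:TRUE, pathlen:0" is the problem case.
pathlen_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -n 1 | sed 's/^ *//'
}

# chain_ok [INTERMEDIATE_PATHLEN]: build root -> intermediate -> ipa-ca ->
# server leaf and verify the leaf; returns openssl verify's exit status
chain_ok() {
    issue root-ca self "$(ca_ext)"
    issue intermediate root-ca "$(ca_ext "${1:-}")"
    issue ipa-ca intermediate "$(ca_ext)"
    issue thisserver.domain.dev ipa-ca "$(leaf_ext)"
    cat "$WORK/intermediate.pem" "$WORK/ipa-ca.pem" > "$WORK/untrusted.pem"
    echo "intermediate: $(pathlen_of "$WORK/intermediate.pem")"
    openssl verify -CAfile "$WORK/root-ca.pem" -untrusted "$WORK/untrusted.pem" \
        "$WORK/thisserver.domain.dev.pem"
}

if chain_ok 0; then echo "unexpected: pathlen:0 chain verified"
else echo "=> a pathlen:0 intermediate cannot have the IPA CA beneath it"; fi
if chain_ok 1; then echo "=> a pathlen:1 intermediate verifies"; fi
```

Note that verifying the IPA CA certificate on its own would not show the problem: the constraint only bites once a certificate is issued below the IPA CA, which is exactly the point in the install where the CA's REST endpoint gets its own server certificate.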


[Freeipa-users] Re: OTP + SSHKey/Certificate Authentication

2019-03-08 Thread Alexander Bokovoy via FreeIPA-users

On pe, 08 maalis 2019, Callum Smith via FreeIPA-users wrote:

Dear FreeIPA Gurus,

I was wondering if it's possible to configure `sshd` such that for OTP
based authentication the first factor could be passed as a ssh key or
certificate.

So specifically: The user's password would not be required for auth,
only the key and OTP token. Is there a magic combination of
AuthenticationMethods for `sshd_config` that would allow this to work?

Yes and no.

You can use multiple authentication methods, as you noted, but they are
fully independent of each other. The decision making is done within
sshd, not outside of it.

If you set

 AuthenticationMethods publickey,keyboard-interactive:pam

both a public key and a full authentication through the PAM stack would be
required. Unfortunately, the latter cannot allow you to enter only a
second factor. Any PAM module taking up the authentication request would
have no knowledge of the prior authentication by the public key because
this is sshd's internal knowledge, not passed through anywhere else.
There is also no mechanism to pass that through anyhow.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] OTP + SSHKey/Certificate Authentication

2019-03-08 Thread Callum Smith via FreeIPA-users
Dear FreeIPA Gurus,

I was wondering if it's possible to configure `sshd` such that for OTP based 
authentication the first factor could be passed as a ssh key or certificate.

So specifically: The user's password would not be required for auth, only the 
key and OTP token. Is there a magic combination of AuthenticationMethods for 
`sshd_config` that would allow this to work?

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk



[Freeipa-users] Re: replace ipa-server and relink clients on same realm

2019-03-08 Thread François Cami via FreeIPA-users
On Fri, Mar 8, 2019 at 4:48 PM Rob van Halteren via FreeIPA-users wrote:
>
> OK, I may have found a probable cause for the stall of the applications.
>
> I have 1 fileserver that has an ipa-client installed and is enrolled on the 
> ipa-server. It serves 3 NFS shares, one of them the home directories.
> In the logs at the times that the old replica is switched off, I see a lot of:
>   kernel: lockd: cannot monitor client.local.ourdomain.example  messages.
>
> On the ipa-server I see a lot of:
>  named-pkcs11[1718]: network unreachable resolving 
> 'ns-1471.some.domain//IN': 2001:500:e::1#53  kind of messages.

So either there used to be an additional DNS zone in your old IPA
instance that you didn't replicate on the new one (or the DNS
configuration does not match exactly), or there is some stale data in
the client or nfs servers.

You might want to list the dns zones in your soon-to-be-retired IPA replica.
Otherwise, I would shut down that old replica again and
wireshark/tcpdump that network traffic to determine what is going on.

> In named.conf
> // turns on IPv6 for port 53
> listen-on-v6 {any;};
> dnssec-enable yes;
> dnssec-validation yes;
>
> Wonder if it could be helpful to change the config to force IPv4 only.
>
> any help appreciated.
>
>


[Freeipa-users] list all users and their password expiration date?

2019-03-08 Thread Anthony Jarvis-Clark via FreeIPA-users
Hello Everyone,

Is there a command line method to get a list of users and their password
expiration date?

Thanks!

-Anthony


[Freeipa-users] Re: replace ipa-server and relink clients on same realm

2019-03-08 Thread Rob van Halteren via FreeIPA-users
OK, I may have found a probable cause for the stall of the applications.

I have 1 fileserver that has an ipa-client installed and is enrolled on the 
ipa-server. It serves 3 NFS shares, one of them the home directories. 
In the logs at the times that the old replica is switched off, I see a lot of:
  kernel: lockd: cannot monitor client.local.ourdomain.example  messages.

On the ipa-server I see a lot of:
 named-pkcs11[1718]: network unreachable resolving 
'ns-1471.some.domain//IN': 2001:500:e::1#53  kind of messages.

In named.conf 
// turns on IPv6 for port 53
listen-on-v6 {any;};
dnssec-enable yes;
dnssec-validation yes;

Wonder if it could be helpful to change the config to force IPv4 only.

any help appreciated.




[Freeipa-users] Re: Unable to login via ssh with AD credentials after upgrade FreeIPA

2019-03-08 Thread Sumit Bose via FreeIPA-users
On Thu, Mar 07, 2019 at 04:10:09PM +0100, Morgan Marodin wrote:
> Another strange behaviour ...
> 
> From 1st IPA server:
> 
> 
> [root@mlv-ipa01 ~]# id morgan.maro...@mydomain.com
> uid=1143802726(morgan.maro...@mydomain.com) gid=1143802726(morgan.maro...@mydomain.com) groups=1143802726(morgan.maro...@mydomain.com),1147803679(aaa local proxy exclus...@mydomain.com),1147802790(mysite signature pe...@mydomain.com),1147801237(mysite us...@mydomain.com),1147862761(ipa adm...@mydomain.com),1147801336(mysite i...@mydomain.com),1147800813(domain us...@mydomain.com)

Getting the group memberships of a user is a multi-step process and SSSD
on the IPA server currently saves the memberships it got for the user
from AD into the cache before it tries to look up the memberships in IPA
groups from the IPA server. If there is an issue during this step the
user will only have the AD memberships.

Are the IPA groups always missing on this server? If there already is a
higher debug_level set in the [domain/..] section on this server please
send the SSSD logs. If not please add debug_level=9 at least to the
[domain/...] section and restart SSSD. Then run the id command again on
the server. If the IPA group is still missing please send the logs
directly. Otherwise please wait until the group gets lost.

You might be able to trigger the loss by invalidating the cache with
'sss_cache -E' and running lookups for this group with 'getent group
ad_ipa_admins' or id lookups for other members of this group.

bye,
Sumit

> From 2nd IPA server:
> 
> 
> [root@mlv-ipa02 ~]# id morgan.maro...@mydomain.com
> uid=1143802726(morgan.maro...@mydomain.com) gid=1143802726(morgan.maro...@mydomain.com) groups=1143802726(morgan.maro...@mydomain.com),1147803679(aaa local proxy exclus...@mydomain.com),1147802790(mysite signature pe...@mydomain.com),1147801237(mysite us...@mydomain.com),1147862761(ipa adm...@mydomain.com),1147801336(mysite i...@mydomain.com),1147800813(domain us...@mydomain.com),217403007(ad_ipa_admins)
> From the test IPA client:
> 
> 
> [root@mlv-testipa01 ~]# id morgan.maro...@mydomain.com
> uid=1143802726(morgan.maro...@mydomain.com) gid=1143802726(morgan.maro...@mydomain.com) groups=1143802726(morgan.maro...@mydomain.com),1147803679(aaa local proxy exclus...@mydomain.com),1147802790(mysite signature pe...@mydomain.com),1147801237(mysite us...@mydomain.com),1147862761(ipa adm...@mydomain.com),1147801336(mysite i...@mydomain.com),1147800813(domain us...@mydomain.com),217403007(ad_ipa_admins)
> From another IPA client (with the same issue):
> 
> [root@mlv-box02 ~]# id morgan.maro...@mydomain.com
> uid=1143802726(morgan.maro...@mydomain.com) gid=1143802726(morgan.maro...@mydomain.com) groups=1143802726(morgan.maro...@mydomain.com),1147803679(aaa local proxy exclus...@mydomain.com),1147802790(mysite signature pe...@mydomain.com),1147801237(mysite us...@mydomain.com),1147862761(ipa adm...@mydomain.com),1147801336(mysite i...@mydomain.com),1147800813(domain us...@mydomain.com)
> 
> As you can see the 217403007(ad_ipa_admins) group is returned only by some
> servers, not all, and the match is done via HBAC on that group.
> 
> Bye
> 
> On Thu, 7 Mar 2019 at 15:38, Morgan Marodin wrote:
> 
> > Hi.
> >
> > [root@mlv-testipa01 ~]# host -t SRV _kerberos._udp.IPA.MYDOMAIN.COM
> > _kerberos._udp.IPA.MYDOMAIN.COM has SRV record 0 100 88 mlv-ipa01.ipa.mydomain.com.
> > _kerberos._udp.IPA.MYDOMAIN.COM has SRV record 0 100 88 mlv-ipa02.ipa.mydomain.com.
> > [root@mlv-testipa01 ~]# host -t SRV _kerberos._tcp.IPA.MYDOMAIN.COM
> > _kerberos._tcp.IPA.MYDOMAIN.COM has SRV record 0 100 88 mlv-ipa02.ipa.mydomain.com.
> > _kerberos._tcp.IPA.MYDOMAIN.COM has SRV record 0 100 88 mlv-ipa01.ipa.mydomain.com.
> > [root@mlv-testipa01 ~]# host -t any mlv-ipa01.ipa.mydomain.com
> > mlv-ipa01.ipa.mydomain.com has address 192.168.0.65
> > [root@mlv-testipa01 ~]# host -t any mlv-ipa02.ipa.mydomain.com
> > mlv-ipa02.ipa.mydomain.com has address 192.168.0.66
> > mlv-ipa02.ipa.mydomain.com has SSHFP record 1 1 1A1F9D66E9B156AA14A6739C46252814163D7DB2
> > mlv-ipa02.ipa.mydomain.com has SSHFP record 1 2 7BCDACE8C28B624E938D646791734C740F0833A0221E1B573D323EC4
> > 

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-08 Thread François Cami via FreeIPA-users
Hi Vivek,

On Fri, Mar 8, 2019 at 9:09 AM Vivek Aggarwal via FreeIPA-users wrote:
>
> OK thanks, but we're kind of new to DNS zone deployment. Though I will 
> search on Google, I thought of getting any direct pointers from your end 
> on how to configure/set it up.

There is the upstream documentation page at:
https://www.freeipa.org/page/Deployment_Recommendations

Please also see the caveats listed at:
https://www.freeipa.org/page/DNS#Caveats

Regards,
François

> Many thanks for responding & helping us...it means a lot.


[Freeipa-users] 3rd pary Certificate for HTTP and LDAP

2019-03-08 Thread Ronald Wimmer via FreeIPA-users
Today I was reading the documentation on 
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP


Is the Prerequisite step necessary if the CA (Digicert) is already 
trusted by the OS?


Regards,
Ronald