[Freeipa-users] Need a howto for "Service Account done correctly"

2019-03-20 Thread Will Kay via FreeIPA-users
Hi, 

I'm working on binding a Fortinet FW to FreeIPA LDAP for VPN authentication.  I
did quite a few Google searches and found only a few leads.  I want to make sure I
will do this correctly.

1. Setup a "system account" per this FreeIPA Howto  
https://www.freeipa.org/page/HowTo/LDAP

2. In the HowTo, "note: IPA 4.0 is going to change the default stance ... to
nothing is readable".
I defined the system account per the HowTo with v4.6.4.  I assume nothing is
readable now.
   A) How do I verify that the system account can't read the users or groups?
   B) How do I grant permission for the "system account" to read the users and
groups which I need for FW auth?

3. I ran a test on the Fortigate admin GUI.
I set Common Name Identifier to "uid", DN to
"cn=account,dc=example,dc=com".  I was able to test connectivity with bind type
Simple or Anonymous.  I can't see a need for anonymous bind, at least for now.
Is the correct way to disable anonymous bind to modify
nsslapd-allow-anonymous-access?

Thanks
W
  
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-11 Thread Will Kay via FreeIPA-users
I knew we are close because there wasn't much to check anymore. =)

The sshd configuration was updated by the installation.  On 18.04, somehow
there was only one line in one of the PAM files.  I added what Alex suggested and
followed up with pam-auth-update.  It is good on 18.04 now.  16.04 is also
fixed.

Thanks Alex
W


[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-08 Thread Will Kay via FreeIPA-users
Thanks for the tip.  I made the nsswitch.conf just like yours.  I also looked at
the files on a CentOS 7 client and made changes on the Ubuntu.  But it is still
no good.  Any more suggestions?

The test user IDs are on the system; I can su to them. However, I can't ssh in
as them.  I also notice that when I try `passwd dummy1`, I get
passwd: Authentication token manipulation error
passwd: password unchanged

I can't run `sudo -l` either. Is it something with passwd? (which is right when
logging in to the CentOS 7 VM)

root@test02:~# id -a dummy1
uid=35221(dummy1) gid=35221(dummy1) groups=35221(dummy1)
root@test02:~# su - dummy1
dummy1@ny4test02:~$ sudo -l dummy1
[sudo] password for dummy1: 
Sorry, try again.
[sudo] password for dummy1: 

1) I made nsswitch just like yours

2) My ipa.default
[global]
basedn = dc=x,dc=local
realm = X.LOCAL
domain = x.local
server = ipa1.x.local
host = test02.x.local
xmlrpc_uri = https://ipa1.x.local/ipa/xml
enable_ra = True

3) my krb5.conf

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = X.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  X.LOCAL = {
kdc = ipa1.x.local:88
master_kdc = ipa1.x.local:88
admin_server = ipa1.x.local:749
kpasswd_server = ipa1.x.local:464
default_domain = x.local
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .x.local = X.LOCAL
  x.local = X.LOCAL
  test02.x.local = X.LOCAL

4) My ldap.conf

TLS_CACERT /etc/ipa/ca.crt # modified by IPA
URI ldaps://ipa1.x.local
BASE dc=x,dc=local

5) My sssd.conf
[sssd]
services = nss, sudo, pam, ssh
domains = x.local

[domain/x.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = x.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = test02.x.local
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa1.x.local
dyndns_iface = ens3
ldap_tls_cacert = /etc/ipa/ca.crt

[nss]
homedir_substring = /home
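
The two Ubuntu messages above (the configs posted on 2019-03-08 and the 2019-03-11 note that one PAM file was down to a single line until pam_sss lines were added and pam-auth-update run) come down to three things worth checking on any IPA-enrolled Ubuntu client: the krb5.conf booleans (the posted file has `dns_lookup_kdc = truee`), the sssd.conf services and providers, and whether every Debian/Ubuntu `common-*` PAM stack actually contains `pam_sss.so`. The script below is an added example, not code from the thread or from FreeIPA/SSSD; it lints constructed copies of those files offline. The PAM layouts in it are an abbreviated approximation of what pam-auth-update writes with the sss profile enabled, and the accepted krb5 boolean spellings are taken from the MIT profile parser.

```python
"""Offline lint for the three config points in the Ubuntu SSH thread.
All inputs are constructed strings modelled on the thread, not files read from disk."""
import configparser
import re

# Boolean spellings the MIT krb5 profile parser accepts; anything else is rejected.
KRB5_TRUE = {"y", "yes", "true", "t", "1", "on"}
KRB5_FALSE = {"n", "no", "false", "nil", "0", "off"}
KRB5_BOOL_KEYS = {"dns_lookup_realm", "dns_lookup_kdc", "rdns",
                  "dns_canonicalize_hostname", "forwardable"}
PAM_STACKS = ("common-auth", "common-account", "common-password", "common-session")
_PAM_SSS = re.compile(r"^\s*(auth|account|password|session)\b.*\bpam_sss\.so\b")


def krb5_bad_booleans(text):
    """Return {key: value} for [libdefaults] booleans that krb5 would not parse."""
    bad, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key in KRB5_BOOL_KEYS and value.lower() not in KRB5_TRUE | KRB5_FALSE:
            bad[key] = value
    return bad


def sssd_problems(text, domain):
    """Return findings for an sssd.conf; an empty list means it looks right for IPA."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    findings = [f"[sssd] services lacks {s}" for s in ("nss", "pam", "ssh") if s not in services]
    sect = f"domain/{domain}"
    if not cp.has_section(sect):
        return findings + [f"no [{sect}] section"]
    for key in ("id_provider", "auth_provider", "access_provider"):
        if cp.get(sect, key, fallback="") != "ipa":
            findings.append(f"[{sect}] {key} is not ipa")
    return findings


def pam_missing_sss(stacks):
    """Given {filename: contents}, list the common-* stacks with no active pam_sss.so line."""
    missing = []
    for name in PAM_STACKS:
        active = [l for l in stacks.get(name, "").splitlines() if not l.lstrip().startswith("#")]
        if not any(_PAM_SSS.match(l) for l in active):
            missing.append(name)
    return missing


# Constructed from the [libdefaults] block posted in the thread, typo included.
KRB5_CONF = """\
[libdefaults]
  default_realm = X.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = truee
  rdns = false
  dns_canonicalize_hostname = false
  forwardable = true
[realms]
  X.LOCAL = {
    kdc = ipa1.x.local:88
  }
"""

# Constructed from the sssd.conf posted in the thread (trimmed).
SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
domains = x.local

[domain/x.local]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipa1.x.local
"""

# Assumed, abbreviated approximation of Ubuntu common-* stacks with the sss profile enabled.
PAM_FIXED = {
    "common-auth": "auth\t[success=2 default=ignore]\tpam_unix.so nullok_secure\n"
                   "auth\t[success=1 default=ignore]\tpam_sss.so use_first_pass\n"
                   "auth\trequisite\tpam_deny.so\nauth\trequired\tpam_permit.so\n",
    "common-account": "account\t[success=1 new_authtok_reqd=done default=ignore]\tpam_unix.so\n"
                      "account\t[default=bad success=ok user_unknown=ignore]\tpam_sss.so\n",
    "common-password": "password\t[success=2 default=ignore]\tpam_unix.so obscure sha512\n"
                       "password\tsufficient\tpam_sss.so use_authtok\n"
                       "password\trequisite\tpam_deny.so\npassword\trequired\tpam_permit.so\n",
    "common-session": "session\trequired\tpam_unix.so\nsession\toptional\tpam_sss.so\n",
}
# The failure mode from the thread: one stack left with a single pam_unix.so line,
# so passwd/sudo/sshd never consult SSSD for IPA users.
PAM_BROKEN = {**PAM_FIXED,
              "common-password": "password\t[success=1 default=ignore]\tpam_unix.so obscure sha512\n"}

if __name__ == "__main__":
    print("krb5 booleans that will not parse:", krb5_bad_booleans(KRB5_CONF))
    print("sssd.conf findings:", sssd_problems(SSSD_CONF, "x.local"))
    print("PAM stacks without pam_sss.so (before):", pam_missing_sss(PAM_BROKEN))
    print("PAM stacks without pam_sss.so (after): ", pam_missing_sss(PAM_FIXED))
```

To run it against a real client, read `/etc/krb5.conf`, `/etc/sssd/sssd.conf` and the four `/etc/pam.d/common-*` files into the same functions; a stack reported by `pam_missing_sss` is the one to fix with the sss profile and `pam-auth-update`, which is what resolved the thread.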


[Freeipa-users] freeipa client on Ubuntu SSH fails

2019-03-06 Thread Will Kay via FreeIPA-users
Hi all,

Issue:
We have FreeIPA servers set up and tests are good with CentOS 7.6 clients.  We are
trying to test Ubuntu 16.04 and 18.04 clients.  After running
ipa-client-install, we can't ssh into the Ubuntus with IPA user accounts.  If
we log in as root, `ipa user-show xxx` looks fine on the Ubuntus.  Where should
we start looking from here?

Background:
One FreeIPA 4.6.4 master and two replicas set up on CentOS 7.6.1810.  All seems
to work fine.  The `ipa user-show xxx` test works across the replicas.  I also
have two CentOS clients installed.  SSH login and sudo command group tests are
good.  We are very happy with the test results so far.  We just need to move on
to client tests with Ubuntu 16.04, 18.04 and RH7.

thanks
Wil