[Freeipa-users] Need a howto for "Service Account done correctly"
Hi, I'm working on binding a Fortinet FW to FreeIPA LDAP for VPN authentication. I did quite a few Google searches and found only a few leads. I want to make sure I do this correctly.

1. Set up a "system account" per this FreeIPA HowTo: https://www.freeipa.org/page/HowTo/LDAP

2. In the HowTo: "note: IPA 4.0 is going to change the default stance ... to nothing is readable". I defined the system account per the HowTo with v4.6.4. I assume nothing is readable now.
   A) How do I verify that the system account can't read the users or groups?
   B) How do I grant permission for the "system account" to read users and groups, which I need for FW auth?

3. I ran a test in the Fortigate admin GUI. I set Common Name Identifier to "uid" and DN to "cn=account,dc=example,dc=com". I was able to test connectivity with bind type Simple or Anonymous. I can't see a need for anonymous bind, at least for now. Is the correct way to disable anonymous bind to modify nsslapd-allow-anonymous-access?

Thanks
W
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
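As an added example (not from the HowTo and not from the list post), the helpers below answer questions 2A and 3 from a shell on an enrolled client rather than by assumption: bind as the system account and count the user entries it can actually see, run the same search anonymously, and push the `nsslapd-allow-anonymous-access` change to `cn=config` with `ldapmodify`. The server name, base DN and account uid are assumed placeholders. One caveat a practitioner will want: besides `on` and `off`, 389-ds accepts `rootdse`, which leaves only the root DSE anonymously readable; many LDAP clients read the root DSE before they bind, so `rootdse` is usually the safer setting than `off`.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA HowTo or from the list post.
# Helpers to check what a FreeIPA "system account" can read over LDAP and to
# change the anonymous-bind setting. The three values below are assumptions.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa1.example.com}"   # assumption: an IPA server
BASE_DN="${BASE_DN:-dc=example,dc=com}"        # assumption: the IPA base DN
SYSACCT="${SYSACCT:-fortigate}"                # assumption: system account uid

# System accounts created per the HowTo live under cn=sysaccounts,cn=etc.
sysaccount_dn() {
    printf 'uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$BASE_DN"
}

# Count entries in LDIF on stdin: one "dn:" line per returned entry. This works
# with or without ldapsearch's "# numEntries" comment (which -LLL strips).
count_entries() {
    awk '/^dn:/ { n++ } END { print n + 0 }'
}

# Users visible to the system account; $1 is a file holding its password
# (-y keeps it out of "ps"). A count of 0 means no read ACI applies to this
# bind, but run the ldapsearch once by hand first: a failed bind (exit 49,
# invalid credentials) would otherwise also look like 0 here.
visible_users_as_sysaccount() {
    ldapsearch -LLL -x -H "ldaps://$IPA_SERVER" \
        -D "$(sysaccount_dn "$SYSACCT")" -y "$1" \
        -b "cn=users,cn=accounts,$BASE_DN" '(objectClass=posixAccount)' uid \
        | count_entries
}

# Same search without binding: what an anonymous client sees today.
visible_users_anonymously() {
    ldapsearch -LLL -x -H "ldaps://$IPA_SERVER" \
        -b "cn=users,cn=accounts,$BASE_DN" '(objectClass=posixAccount)' uid \
        | count_entries
}

# LDIF that sets nsslapd-allow-anonymous-access on cn=config. 389-ds accepts
# "on", "off" and "rootdse" (anonymous clients may read only the root DSE).
anon_access_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-allow-anonymous-access\nnsslapd-allow-anonymous-access: %s\n' "$1"
}

# Apply it as Directory Manager; cn=config is not writable by IPA admins.
set_anonymous_access() {
    anon_access_ldif "${1:-rootdse}" \
        | ldapmodify -x -H "ldaps://$IPA_SERVER" -D "cn=Directory Manager" -W
}

# Show the value currently in effect.
show_anonymous_access() {
    ldapsearch -LLL -x -H "ldaps://$IPA_SERVER" -D "cn=Directory Manager" -W \
        -b cn=config -s base nsslapd-allow-anonymous-access
}
```

Usage: source the file, then `visible_users_as_sysaccount /root/fortigate.pw` and `visible_users_anonymously`; if the second returns a non-zero count while the firewall binds with its own account, `set_anonymous_access rootdse` closes that gap and `show_anonymous_access` confirms it. The group check is the same search with `-b "cn=groups,cn=accounts,$BASE_DN"` and `(objectClass=posixGroup)`.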
[Freeipa-users] Re: freeipa client on Ubuntu SSH fails
I knew we were close because there wasn't much left to check. =) The sshd configuration was updated by the installation. On 18.04, somehow there was only one line in one of the PAM files. I added what Alex suggested and followed up with pam-auth-update. It is good on 18.04 now. 16.04 is also fixed.

Thanks Alex
W
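Added example, not something from the thread or from the sssd/FreeIPA projects: a small read-only check of the two client-side files this thread ended in, the PAM common-* stack and nsswitch.conf. It looks for an active (uncommented) pam_sss.so line in each common-* file, which is what pam-auth-update puts there, and for sss in the passwd, group and shadow maps. Paths are arguments so it can be pointed at copies; the defaults are the Ubuntu locations.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether an Ubuntu IPA client has
# pam_sss.so wired into the PAM common-* stack and sss in nsswitch.conf.
# It only reads files and never changes anything.
set -u

# Does the PAM file at $1 reference pam_sss.so on an active (uncommented) line?
pam_file_uses_sss() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_sss\.so' "$1"
}

# Does the nsswitch.conf at $1 list "sss" for the passwd, group and shadow maps?
nsswitch_has_sss() {
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]sss([[:space:]]|$)" "$1" || return 1
    done
}

# Check a client. $1: pam.d directory, $2: nsswitch.conf path (both default to
# the live system files). Prints one line per problem; returns 1 if any found.
check_client() {
    pamdir="${1:-/etc/pam.d}"
    nss="${2:-/etc/nsswitch.conf}"
    rc=0
    for f in common-auth common-account common-password common-session; do
        if [ ! -f "$pamdir/$f" ]; then
            echo "missing: $pamdir/$f"; rc=1
        elif ! pam_file_uses_sss "$pamdir/$f"; then
            echo "no active pam_sss.so in $pamdir/$f (run pam-auth-update)"; rc=1
        fi
    done
    if ! nsswitch_has_sss "$nss"; then
        echo "sss missing from passwd/group/shadow in $nss"; rc=1
    fi
    return $rc
}
```

Run `check_client` with no arguments on the affected box; a clean result with SSH still failing points past PAM and NSS, toward sssd itself (`sssctl domain-status` and the sssd logs), since `su` and `id` working only prove that the NSS side is fine.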
[Freeipa-users] Re: freeipa client on Ubuntu SSH fails
Thanks for the tip. I made the nsswitch.conf just like yours. I also looked at the files on a CentOS 7 client and made changes on the Ubuntu. But it is still no good. Any more suggestions?

The test user IDs are on the system; I can su to them. However, I can't ssh as them. I also notice that when I try `passwd dummy1`, I get:

passwd: Authentication token manipulation error
passwd: password unchanged

I can't run `sudo -l` either. Is it something with passwd? (which is right when logging in to the CentOS 7 VM)

root@test02:~# id -a dummy1
uid=35221(dummy1) gid=35221(dummy1) groups=35221(dummy1)
root@test02:~# su - dummy1
dummy1@ny4test02:~$ sudo -l dummy1
[sudo] password for dummy1:
Sorry, try again.
[sudo] password for dummy1:

1) I made nsswitch just like yours

2) My ipa.default

[global]
basedn = dc=x,dc=local
realm = X.LOCAL
domain = x.local
server = ipa1.x.local
host = test02.x.local
xmlrpc_uri = https://ipa1.x.local/ipa/xml
enable_ra = True

3) My krb5.conf

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = X.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  X.LOCAL = {
    kdc = ipa1.x.local:88
    master_kdc = ipa1.x.local:88
    admin_server = ipa1.x.local:749
    kpasswd_server = ipa1.x.local:464
    default_domain = x.local
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .x.local = X.LOCAL
  x.local = X.LOCAL
  test02.x.local = X.LOCAL

4) My ldap.conf

TLS_CACERT /etc/ipa/ca.crt
# modified by IPA
URI ldaps://ipa1.x.local
BASE dc=x,dc=local

5) My sssd.conf

[sssd]
services = nss, sudo, pam, ssh
domains = x.local

[domain/x.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = x.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = test02.x.local
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa1.x.local
dyndns_iface = ens3
ldap_tls_cacert = /etc/ipa/ca.crt

[nss]
homedir_substring = /home
[Freeipa-users] freeipa client on Ubuntu SSH fails
Hi all,

Issue: We have FreeIPA servers set up and tests are good with CentOS 7.6 clients. We are trying to test Ubuntu 16.04 and 18.04 clients. After running ipa-client-install, we can't ssh in to the Ubuntu clients with IPA user accounts. If we log in as root, `ipa user-show xxx` looks fine on the Ubuntu clients. Where should we start looking from here?

Background: One FreeIPA 4.6.4 master and two replicas set up on CentOS 7.6.1810. All seems to work fine. The `ipa user-show xxx` test works across the replicas. I also have two CentOS clients installed. SSH login and sudo command group tests are good. We are very happy with the test results so far; we just need to move on to client tests with Ubuntu 16.04, 18.04 and RH7.

Thanks
Wil