Re: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell

2012-12-17 Thread Jan Cholasta

Hi,

this should work and you don't even have to set the shell to 
/sbin/nologin (depends on whether you want the users to be able to log in 
to the system by other means or not), as the command directive in 
authorized_keys takes precedence.


The tricky part is escaping the value correctly (there is shell 
escaping, IPA CSV quote escaping and authorized_keys quote escaping in 
effect):


$ ipa user-mod user --sshpubkey='command="/usr/bin/perl -e '\''$|=1; print \"Tunnel created, use your webbrowser to connect to the tool\n\";while(1) { print localtime(time) . \"\n\"; sleep 60}'\''",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding ssh-rsa ...'


Honza

On 17.12.2012 03:23, Peter Brown wrote:

Hi Albert,

Have you tried putting that command in the public key for the user in
freeipa and setting the user shell to /sbin/nologin or the equivalent?


On 15 December 2012 02:09, Albert Adams bite...@gmail.com wrote:

In our environment we have several systems where users require
access to the system to setup an SSH tunnel but should not have a
shell on the system.  Prior to rolling out IPA we accomplished this
with the authorized_keys file as follows:

command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser to connect to the tool\n\";while(1) { print localtime(time) . \"\n\"; sleep 60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding

Is there a way to accomplish this in IPA?

Regards,
Albert

___
Freeipa-users mailing list
Freeipa-users@redhat.com mailto:Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users








--
Jan Cholasta

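The sshd quoting rules that make Jan's escaping tricky, as an added example that is not code from the thread: a small parser that splits the option prefix of an authorized_keys line the way sshd does and reports which tunnel-only restrictions the line carries. The sample line is Albert's with the stripped double quotes restored and a constructed placeholder key blob; the shell-quoting helper covers only the shell layer, not the IPA CSV layer.

```python
import shlex

# Key types sshd recognises; a line starting with one of these has no options.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample: the thread's forced-command line with the double quotes
# the archive stripped restored, plus a placeholder key blob (not a real key).
SAMPLE_LINE = (
    'command="/usr/bin/perl -e \'$|=1; print \\"Tunnel created, use your '
    'webbrowser to connect to the tool\\n\\";while(1) { print localtime(time) '
    '. \\"\\n\\"; sleep 60}\'",permitopen="localhost:8834",'
    'no-agent-forwarding,no-X11-forwarding '
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPLACEHOLDER= albert@example'
)

# Restrictions a tunnel-only key should carry. no-pty is absent from the
# thread's line; without it sshd still allocates a terminal for the command.
TUNNEL_ONLY_REQUIRED = ("command", "permitopen", "no-agent-forwarding",
                        "no-x11-forwarding", "no-pty")


def parse_options(line):
    """Split an authorized_keys line into (options, key_part).

    Mirrors sshd's rules: options are comma separated, names are
    case-insensitive, a value in double quotes may contain commas and
    spaces, and the only escape inside quotes is \\" (a literal quote).
    Any other backslash is kept verbatim, which is why Perl's \\n survives.
    Flags map to True; valued options map to a list, because permitopen
    may legitimately be given several times.
    """
    first = line.split(None, 1)[0] if line.strip() else ""
    if first in KEY_TYPES:
        return {}, line.strip()          # no option prefix on this line

    opts, buf, name, in_quotes = {}, [], None, False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quotes:
            if c == "\\" and i + 1 < len(line) and line[i + 1] == '"':
                buf.append('"')
                i += 2
                continue
            if c == '"':
                in_quotes = False
            else:
                buf.append(c)
        elif c == '"':
            in_quotes = True
        elif c == "=" and name is None:
            name = "".join(buf).lower()
            buf = []
        elif c == "," or c.isspace():
            _store(opts, name, "".join(buf))
            buf, name = [], None
            if c.isspace():
                return opts, line[i:].strip()
        else:
            buf.append(c)
        i += 1
    raise ValueError("option prefix is not followed by key material")


def _store(opts, name, value):
    if name is None:                     # a flag such as no-pty
        opts[value.lower()] = True
    else:
        opts.setdefault(name, []).append(value)


def tunnel_only_gaps(opts):
    """Names from TUNNEL_ONLY_REQUIRED that the parsed options do not set."""
    return [o for o in TUNNEL_ONLY_REQUIRED if o not in opts]


def ipa_sshpubkey_argument(line, user="user"):
    """Shell-quote a whole authorized_keys line for --sshpubkey. This covers
    only the shell layer (shlex.quote writes '"'"' where the thread writes
    '\\'', both are valid); the IPA CSV layer is not modelled here."""
    return "ipa user-mod %s --sshpubkey=%s" % (user, shlex.quote(line))


if __name__ == "__main__":
    opts, key = parse_options(SAMPLE_LINE)
    print("forced command:", opts["command"][0])
    print("permitopen    :", opts["permitopen"])
    print("key part      :", key[:40] + "...")
    print("missing       :", tunnel_only_gaps(opts) or "none")
    print(ipa_sshpubkey_argument(SAMPLE_LINE))
```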


Re: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell

2012-12-17 Thread Albert Adams
Thank you for the responses.  I was initially attempting to set this value
via the web UI and if I entered anything other than the hash value of the
user's public key it would get rejected.  After thinking about your
response I realize that I really need to determine a method of doing this
via an HBAC rule.  If I accomplish this with authorized_keys then the user
is restricted across the board and would not be able to gain a shell on any
system whereas HBAC would allow me to restrict their access as needed.  We
currently require users to tunnel over SSH to gain access to certain
sensitive web apps (like Nessus) but those same users have shell access on
a few boxes.  Thoughts??

Albert


[Freeipa-users] User expiration on a certain date

2012-12-17 Thread Sigbjorn Lie
Hi,

Is it possible to lock out a user account on a set date?




Regards,
Siggi




Re: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell

2012-12-17 Thread Albert Adams
An HBAC extension would certainly be appreciated.  I'm not sure how other
organizations are set up but in our environment we don't give shell access
unless absolutely necessary and we use a lot of SSH tunneling with target
services bound to localhost.  If I can figure out the correct syntax to get
the perl command added to the user's public key in IPA (as Honza suggested)
then that will provide a workaround for the time being.  Ultimately it
would be awesome to have the same level of granularity that the local
authorized_keys file allowed while reaping the benefits of centralized
management.

Albert


On Mon, Dec 17, 2012 at 9:36 AM, Simo Sorce s...@redhat.com wrote:

 On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote:
  Thank you for the responses.  I was initially attempting to set this
  value via the web UI and if I entered anything other than the hash
  value of the user's public key it would get rejected.  After thinking
  about your response I realize that I really need to determine a method
  of doing this via a HBAC rule.  If I accomplish this with
  authorized_keys then the user is restricted across the board and would
  not be able to gain a shell on any system whereas HBAC would allow me
  to restrict their access as needed.  We currently require users to
  tunnel over SSH to gain access to certain sensitive web apps (like
  Nessus) but those same users have shell access on a few boxes.
  Thoughts??

 One thing you could do is to use the override_shell parameter in sssd.
 However this one would override the shell for all users so just
 putting /sbin/nologin there would not work if you need some users to be
 able to log in (if you care only for root logins it would be enough).

 However you can still manage to use it to point to a script that would
 test something like whether the user belongs to a group or not, and if
 so run either /bin/bash or /bin/nologin

 This seems like a nice feature request for FreeIPA though, maybe we can
 extend HBAC to allow a special option to define a shell, maybe creating
 a special 'shell' service that sssd can properly interpret as a hint to
 set nologin vs the actual shell.

 Dmitri, should we open an RFE on this?


 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York


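The group-membership dispatcher Simo sketches for sssd's override_shell, as an added example that is neither the thread's nor sssd's code; the group name, shell paths and script location are assumptions. It passes the -c argument through because sshd runs remote commands, scp/sftp and command= forced keys through the user's shell.

```python
#!/usr/bin/env python3
# Added example: a login-shell dispatcher of the kind Simo describes. sssd
# hands every user this program as their shell; it execs a real shell only
# for members of an allowed group and /sbin/nologin for everyone else.
import grp
import os
import pwd
import sys

SHELL_GROUP = "shell-users"      # assumed: IPA group whose members get a shell
REAL_SHELL = "/bin/bash"         # assumed paths
NOLOGIN = "/sbin/nologin"


def groups_of(username):
    """Primary plus supplementary group names, resolved through NSS (so sssd)."""
    pw = pwd.getpwnam(username)
    return {grp.getgrgid(g).gr_name for g in os.getgrouplist(username, pw.pw_gid)}


def choose_shell(groups, shell_group=SHELL_GROUP):
    """Pure decision function: which program the user is handed as a shell."""
    return REAL_SHELL if shell_group in groups else NOLOGIN


def build_argv(shell, argv):
    """Preserve what login/sshd passed: a leading '-' in argv[0] marks a login
    shell, and '-c <command>' is how sshd runs remote commands, scp/sftp and
    any command="..." forced in authorized_keys. Dropping '-c' would break
    all of those even for users who are allowed a shell."""
    name = os.path.basename(shell)
    argv0 = "-" + name if argv[0].startswith("-") else name
    return [argv0] + argv[1:]


def main():
    user = pwd.getpwuid(os.getuid()).pw_name
    shell = choose_shell(groups_of(user))
    os.execv(shell, build_argv(shell, sys.argv))


if __name__ == "__main__":
    main()
```

Point sssd at the script with override_shell in the domain section of sssd.conf and make it executable; a user routed to /sbin/nologin cannot use a command= tunnel key either, since sshd starts the forced command via that shell.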

Re: [Freeipa-users] User expiration on a certain date

2012-12-17 Thread Simo Sorce
On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote:
 Hi,
 
 Is it possible to lock out a user account on a set date?

You should be able to set the krbPrincipalExpiration attribute to expire
an account on a set date.

However note this: https://fedorahosted.org/freeipa/ticket/3305

It means it will work with krb auth but not with ldap binds for now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] User expiration on a certain date

2012-12-17 Thread Sigbjorn Lie



On Mon, December 17, 2012 18:40, Simo Sorce wrote:
 On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote:

 Hi,


 Is it possible to lock out a user account on a set date?


 You should be able to set the krbPrincipalExpiration attribute to expire
 an account on a set date.

 However note this: https://fedorahosted.org/freeipa/ticket/3305


 It means it will work with krb auth but not with ldap binds for now.



Thanks! That worked like a charm!!

Is there any active ticket to have this property exposed for editing in the IPA 
CLI / WEBUI?


Rgds,
Siggi




Re: [Freeipa-users] User expiration on a certain date

2012-12-17 Thread Simo Sorce
On Mon, 2012-12-17 at 19:08 +0100, Sigbjorn Lie wrote:
 
 
 On Mon, December 17, 2012 18:40, Simo Sorce wrote:
  On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote:
 
  Hi,
 
 
  Is it possible to lock out a user account on a set date?
 
 
  You should be able to set the krbPrincipalExpiration attribute to expire
  an account on a set date.
 
  However note this: https://fedorahosted.org/freeipa/ticket/3305
 
 
  It means it will work with krb auth but not with ldap binds for now.
 
 
 
 Thanks! That worked like a charm!!
 
 Is there any active ticket to have this property exposed for editing in the 
 IPA CLI / WEBUI?

No, an RFE ticket would be welcome though.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] User expiration on a certain date

2012-12-17 Thread Sigbjorn Lie



On Mon, December 17, 2012 19:32, Simo Sorce wrote:
 On Mon, 2012-12-17 at 19:08 +0100, Sigbjorn Lie wrote:



 On Mon, December 17, 2012 18:40, Simo Sorce wrote:

 On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote:


 Hi,



 Is it possible to lock out a user account on a set date?



 You should be able to set the krbPrincipalExpiration attribute to expire
 an account on a set date.

 However note this: https://fedorahosted.org/freeipa/ticket/3305



 It means it will work with krb auth but not with ldap binds for now.




 Thanks! That worked like a charm!!


 Is there any active ticket to have this property exposed for editing in the 
 IPA CLI / WEBUI?


 No, an RFE ticket would be welcome though.


Ok, for the record:

https://bugzilla.redhat.com/show_bug.cgi?id=887988


Rgds,
Siggi




Re: [Freeipa-users] User expiration on a certain date

2012-12-17 Thread Brian Cook
 
 Is it possible to lock out a user account on a set date?
 
 
 
 You should be able to set the krbPrincipalExpiration attribute to expire
 an account on a set date.
 
 However note this: https://fedorahosted.org/freeipa/ticket/3305
 
 
 
 It means it will work with krb auth but not with ldap binds for now.
 
 
 
 
 Thanks! That worked like a charm!!
 
 
 Is there any active ticket to have this property exposed for editing in the 
 IPA CLI / WEBUI?
 
 
 No, an RFE ticket would be welcome though.
 
 
 Ok, for the record:
 
 https://bugzilla.redhat.com/show_bug.cgi?id=887988
 
 
 Rgds,
 Siggi
 

It would be better though to have a real account expiration setting in the UI 
that not only set krbPrincipalExpiration but also locked the ldap user account 
and any other appropriate actions.


Brian



[Freeipa-users] anyone know how to do sssd filters?

2012-12-17 Thread KodaK
I'm attempting to install Satellite in my IPA domain.  There is a
ridiculous requirement that the group dba must not already exist
prior to installing.  Red Hat support wanted me to *remove* the DBA
group and then install.

Anyway, I'm trying to play around with filter_groups in sssd, and I
can't seem to get it to take.  The man page isn't exactly clear, but
here's what I've tried:

filter_groups = dba
filter_groups= dba@fqdn

In the [domain], [sssd] and [nss] sections of the config file.

What's the right syntax?  Do I need it in every section?

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-12-17 Thread Sigbjorn Lie



On Fri, September 7, 2012 16:50, Dmitri Pal wrote:
 On 09/07/2012 07:33 AM, Ondrej Valousek wrote:

 That is actually the main benefit of the 'ldap.ADdomain' parameter. It
 will allow you to simplify configuration and allows easy load 
 balancing/failover functionality. We
 are paying for NetApp support, too so if anyone is going to bug NetApp about 
 this, I am happy to
 join you.

 Ondrej


 On 09/07/2012 10:07 AM, Sigbjorn Lie wrote:

 Yes it would be great if NetApp would do that. The  ldap.ADdomain option is 
 used to configure
 the NetApp LDAP client from AD SRV DNS records. It would be great (and 
 should be easy for
 NetApp) to
 have an option for ldap.IPAdomain. I don't remember exactly why I did not 
 use this for IPA, as
 far as I remember most things worked, but I stumbled across some issue.



 I will.


 Siggi I will also send you a private email to give you access to the wiki.




I don't think I ever posted the wiki link for my details around NetApp 
configuration in a mixed
environment... See below.

http://www.freeipa.org/page/NetApp_integration_in_a_mixed_environment





Re: [Freeipa-users] FreeIPA and Samba 4

2012-12-17 Thread Simo Sorce
On Mon, 2012-12-17 at 14:58 -0500, Steven Santos wrote:
 I know this may be a loaded question, but I am asking it anyways.
 
 
 Can anyone tell me what the current status and future plan for IPA /
 Samba 4 is?

We plan to support setting up trusts with Samba4 just like we do with AD
when Samba4 will start supporting Cross-forest trusts. It currently
doesn't.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-17 Thread Dmitri Pal
On 12/17/2012 03:11 PM, KodaK wrote:

Is it a local group or a central group?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell

2012-12-17 Thread Dmitri Pal
On 12/17/2012 09:36 AM, Simo Sorce wrote:
 One thing you could do is to use the override_shell parameter in sssd.
 However this one would override the shell for all users so just
 putting /sbin/nologin there would not work if you need some users to be
 able to log in (if you care only for root logins it would be enough).

 However you can still manage to use it to point to a script that would
 test something like whether the user belongs to a group or not, and if
 so run either /bin/bash or /bin/nologin

 This seems like a nice feature request for FreeIPA though, maybe we can
 extend HBAC to allow a special option to define a shell, maybe creating
 a special 'shell' service that sssd can properly interpret as a hint to
 set nologin vs the actual shell.

 Dmitri, should we open an RFE on this?


 Simo.

OK , RFE would make sense.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







[Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-17 Thread Johan Petersson
Hi,

When trying to generate a host and nfs principal + keys from the Oracle ZFS 
7120/7320 Appliance I get the following error message (note that the 
information pasted is from a simulator but I get exactly the same error from 
our real Appliances).
I can't generate a key on the IPA server and copy it to the Appliance; 
unfortunately it does not support that since it has a specialised web interface 
and CLI.
The Appliance wants to generate the principals and keys itself after I add the 
Kerberos information, realm/KDC and admin principal.

NTP is synced and DNS is working with reverse, no firewalls and SELinux 
disabled.

I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers with the 
same results.

Any ideas on what is wrong and if it is possible to get it working?


An unanticipated system error occurred:

failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 
(Operation requires ``add'' privilege)

Exception type: coXmlrpcFault
Native message: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt 
error: 43787522 (Operation requires ``add'' privilege)
Mapped stack trace:

Native file: undefined line ?
Native stack trace:
Message: none
Wrapped exception: none
Stack trace:
none

at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
Additional native members:
faultCode: 600
faultString: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt 
error: 43787522 (Operation requires ``add'' privilege)

faultName: EAK_KADM5

In the kadmind.log on the IPA server I get the following:

Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, 
admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, 
addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: 
kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, 
service=kadmin/server.home@HOME, addr=192.168.0.112

And in the krb5kdc.log:

Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for 
krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for 
krbtgt/HOME@HOME, Client not found in Kerberos database

If I add the host in IPA I instead get:

Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION 
s4u-client=admin@HOME
Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, 
Additional pre-authentication required
Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 
24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 
ses=18}, admin@HOME for kadmin/server.home@HOME

Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-17 Thread Dmitri Pal
On 12/17/2012 07:15 PM, Johan Petersson wrote:
 Hi,

 When trying to generate a host and nfs principal + keys from the
 Oracle ZFS 7120/7320 Appliance I get the following error message (note
 that the information pasted is from a simulator but I get exactly the
 same error from our real Appliances).
 I can't generate a key on the IPA server and copy it to the Appliance;
 unfortunately it does not support that since it has a specialised
 web interface and CLI.
 The Appliance wants to generate the principals and keys itself after I
 add the Kerberos information, realm/KDC and admin principal.

 NTP is synced and DNS is working with reverse, no firewalls and
 SELinux disabled.

 I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
 with the same results.

 Any ideas on what is wrong and if it is possible to get it working?


 An unanticipated system error occurred:

 failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
 43787522 (Operation requires ``add'' privilege)

Do you have this principal already precreated?
It seems that the client tries to create a principal using its kadmin
library. I am not sure it would work.
The protocol we use in ipa-getkeytab is not a kadmin protocol. As far as
I recall it does an LDAP extended operation.




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-17 Thread Simo Sorce
On Tue, 2012-12-18 at 00:15 +, Johan Petersson wrote:
 Hi, 

Hi Johan,
see inline.

 When trying to generate a host and nfs principal + keys from the
 Oracle ZFS 7120/7320 Appliance I get the following error message (note
 that the information pasted is from a simulator but I get exactly the
 same error from our real Appliances).
 I can't generate a key on the IPA server and copy it to the Appliance;
 unfortunately it does not support that since it has a specialised
 web interface and CLI.
 The Appliance wants to generate the principals and keys itself after I
 add the Kerberos information, realm/KDC and admin principal.
 
 
 NTP is synced and DNS is working with reverse, no firewalls and
 SELinux disabled.
 
 
 I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
 with the same results.
 
 
 Any ideas on what is wrong and if it is possible to get it working?
 
 
 
 
 An unanticipated system error occurred:
 
 
 failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
 43787522 (Operation requires ``add'' privilege)
 


We do not allow tools the permissions to perform add operations via the
kadmin interface; this is done by explicitly disallowing certain internal
DAL operations in our driver, so it is not configurable.

This is because that interface is not rich enough to provide all the
information we normally associate to principals in LDAP entries.

Does the appliance work if you pre-create the principal ?

It sounds very odd that these 'appliances' really require you to give
them credentials that have very high privileges, so high as to be able
to actually add principals into a kerberos database.
I would consider that a very serious bug and security issue in the
appliance.

Note that the kadmin interface can be allowed to change principals,
including getting a new keytab. That will require you to manually edit
the ACL file that is not normally configured as we do not need to allow
modifications via the kadmin interface in normal IPA domains.

So if this appliance can deal with just modifying a principal to get a
keytab as opposed to try to create one from scratch then you may be able
to configure FreeIPA's kadmin to do that.


Re: [Freeipa-users] FreeIPA and Samba 4

2012-12-17 Thread William Muriithi
 it does not support that since it has a specialised
  webinterface and CLI.
  The Appliance wants to generate the principals and keys itself after i
  add the Kerberos information realm/KDC and admin principal.
 
  NTP is synced and DNS is working with reverse, no firewalls and
  SELinux disabled.
 
  I have tested on both Red Hat/CentOS 6.3 and fedora 17 as IPA servers
  with the same results.
 
  Any ideas on what is wrong and if it is possible to get it working?
 
 
  An unanticipated system error occurred:
 
  failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
  43787522 (Operation requires ``add'' privilege)

 Do you have this principal already precreated?
 It seems that the client tries to create a principal using its kadmin
 library. I am not sure it would work.
 The protocol we use in ipa-getkeytab is not a kadmin protocol. As far as
 I recall it does an LDAP extended operation.

 
  Exception type: coXmlrpcFault
  Native message: failed to create principal 'host/zfs1.home@HOME':
  libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
  Mapped stack trace:
 
  Native file: undefined line ?
  Native stack trace:
  Message: none
  Wrapped exception: none
  Stack trace:
  none
 
  at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
  Additional native members:
  faultCode: 600
  faultString: failed to create principal 'host/zfs1.home@HOME':
  libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
 
  faultName: EAK_KADM5
 
  In the kadmind.log on the IPA server I get the following:
 
  Dec 17 23:12:05 server.home kadmind[3614](Notice): Request:
  kadm5_init, admin@HOME, success, client=admin@HOME,
  service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
  Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized
  request: kadm5_create_principal, host/zfs1.home@HOME,
  client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
 
  And in the krb5kdc.log:
 
  Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
  17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME
  for krbtgt/HOME@HOME, Client not found in Kerberos database
  Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
  17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME
  for krbtgt/HOME@HOME, Client not found in Kerberos database
 
  If I add the host in IPA I instead get:
 
  Dec 17 23:48:18 server.home krb5kdc[4016](info): ...
  CONSTRAINED-DELEGATION s4u-client=admin@HOME
  Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
  17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for
  kadmin/server.home@HOME, Additional pre-authentication required
  Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
  17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes
  {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
 
 


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.


 ---
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/



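The two log excerpts quoted above are the evidence Dmitri's reply rests on: the appliance talks kadmin to IPA's kadmind, which refuses kadm5_create_principal, and the KDC then sees AS_REQs for a principal that does not exist. As an added example, not code from the thread or from FreeIPA, here is a small parser that pulls those two event types out of kadmind.log and krb5kdc.log lines so they can be spotted in bulk; the sample lines are constructed from the thread's excerpts, joined back onto one line each.

```python
import re

# Sample log lines, constructed from the kadmind.log and krb5kdc.log excerpts
# quoted in this thread (joined back onto one line each).
KADMIND_LOG = """\
Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
"""
KDC_LOG = """\
Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
"""

# kadmind audit line: "<status>: <op>, <target>[, <result>], client=..., service=..., addr=..."
KADMIND_RE = re.compile(
    r"kadmind\[\d+\]\(\w+\): (?P<status>Unauthorized request|Request): "
    r"(?P<op>kadm5_\w+), (?P<target>[^,]+),(?: (?P<result>[^,]+),)? "
    r"client=(?P<client>[^,]+), service=(?P<service>[^,]+), addr=(?P<addr>[\d.]+)")

# KDC line for a failed request: "<addr>: <CODE>: <client> for <server>, <text>".
# ISSUE lines have a different shape and deliberately do not match.
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>[A-Z_]+) \([^)]*\) (?P<addr>[\d.]+): "
    r"(?P<code>[A-Z_]+): (?P<client>\S+) for (?P<server>[^,]+),")


def parse_kadmind(text):
    return [m.groupdict() for m in map(KADMIND_RE.search, text.splitlines()) if m]


def parse_kdc(text):
    return [m.groupdict() for m in map(KDC_RE.search, text.splitlines()) if m]


def triage(kadmind_text, kdc_text):
    """One tuple per event worth a look: a kadmin write that IPA's kadmind
    refused (in the thread, the appliance's kadm5_create_principal; the IPA
    path is 'ipa host-add' followed by ipa-getkeytab), and AS_REQs naming a
    principal the KDC does not have at all."""
    findings = []
    for ev in parse_kadmind(kadmind_text):
        if ev["status"] == "Unauthorized request":
            findings.append(("KADMIN_DENIED", ev["op"], ev["target"], ev["client"], ev["addr"]))
    for ev in parse_kdc(kdc_text):
        if ev["code"] == "CLIENT_NOT_FOUND":
            findings.append(("UNKNOWN_PRINCIPAL", ev["req"], ev["client"], ev["server"], ev["addr"]))
    return findings


if __name__ == "__main__":
    for finding in triage(KADMIND_LOG, KDC_LOG):
        print(*finding)
```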