Re: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell
Hi,

this should work and you don't even have to set the shell to /sbin/nologin (depends on whether you want the users to be able to login to the system by other means or not), as the command directive in authorized_keys takes precedence.

The tricky part is escaping the value correctly (there is shell escaping, IPA CSV quote escaping and authorized_keys quote escaping in effect):

$ ipa user-mod user --sshpubkey='command=/usr/bin/perl -e '\''$|=1; print \Tunnel created, use your webbrowser to connect to the tool\n\;while(1) { print localtime(time) . \\n\; sleep 60}'\'',permitopen=localhost:8834,no-agent-forwarding,no-X11-forwarding ssh-rsa ...'

Honza

On 17.12.2012 03:23, Peter Brown wrote:
> Hi Albert,
>
> Have you tried putting that command in the public key for the user in freeipa and setting the user shell to /sbin/nologin or the equivalent?
>
> On 15 December 2012 02:09, Albert Adams <bite...@gmail.com> wrote:
>> In our environment we have several systems where users require access to the system to setup an SSH tunnel but should not have a shell on the system.
>>
>> Prior to rolling out IPA we accomplished this with the authorized_keys file as follows:
>>
>> command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser to connect to the tool\n\";while(1) { print localtime(time) . \"\\n\"; sleep 60}'",permitopen=localhost:8834,no-agent-forwarding,no-X11-forwarding
>>
>> Is there a way to accomplish this in IPA?
>>
>> Regards,
>> Albert

--
Jan Cholasta

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
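The quoting layers Honza lists are easy to get wrong, and the list archive has stripped the double quotes from the command lines quoted above, so here is an added example (constructed for this thread; it is not code from Honza, Albert or the FreeIPA project). It builds a forced-command authorized_keys entry in the style of Albert's, escapes it for the command="..." option, and then single-quotes the whole value as one shell word exactly as Honza's invocation does with '\''. The function names, the no-pty option and the ssh-rsa placeholder are this example's own; FreeIPA's CSV-style quoting of --sshpubkey is a third layer that the example does not model.

```sh
#!/bin/sh
# Added example for this thread; not code from the list posters or from FreeIPA.
# It exercises the two quoting layers that can be checked offline:
#   1. authorized_keys quoting of the command="..." option, and
#   2. POSIX shell quoting of the whole value as one argument (the '\'' trick
#      in Honza's command line).
# FreeIPA's own CSV-style quoting of --sshpubkey is a third layer not modelled.

# Forced command in the spirit of the thread: print a notice, then stay alive
# so the port-forward keeps working. Written with real double quotes here;
# escaping for authorized_keys happens in ak_escape below.
FORCED_CMD='/usr/bin/perl -e '\''$|=1; print "Tunnel created, use your webbrowser to connect to the tool\n"; while (1) { print localtime(time) . "\n"; sleep 60 }'\'''

# sshd reads the option value up to the next unescaped double quote and only
# recognises \" as an escaped quote, so that is the one substitution needed.
ak_escape() {
    printf '%s' "$1" | sed 's/"/\\"/g'
}

# Full authorized_keys entry: forced command, a single permitted local
# forward to the tool's port, and agent/X11 forwarding plus pty allocation
# switched off (no-pty is an addition to the options shown in the thread).
# Arguments: command, port, public key.
restricted_key_entry() {
    printf 'command="%s",permitopen=localhost:%s,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$(ak_escape "$1")" "$2" "$3"
}

# Quote any string as one POSIX shell word: wrap in single quotes and write
# each embedded single quote as '\'' (close quote, escaped quote, reopen).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The command line an admin would paste. Arguments: IPA user, key entry.
ipa_user_mod_cmdline() {
    printf 'ipa user-mod %s --sshpubkey=%s\n' "$1" "$(shell_quote "$2")"
}

# Demo run; the ssh-rsa key is a constructed placeholder, not a real key.
ENTRY=$(restricted_key_entry "$FORCED_CMD" 8834 "ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER user@example")
printf '%s\n' "$ENTRY"
ipa_user_mod_cmdline user "$ENTRY"
```

The round trip is the useful check: evaluating the output of shell_quote must give back the exact entry, otherwise the value that reaches IPA is not the one that ends up in sshd's view of authorized_keys.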
Re: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell
Thank you for the responses. I was initially attempting to set this value via the web UI and if I entered anything other than the hash value of the user's public key it would get rejected. After thinking about your response I realize that I really need to determine a method of doing this via a HBAC rule. If I accomplish this with authorized_keys then the user is restricted across the board and would not be able to gain a shell on any system whereas HBAC would allow me to restrict their access as needed. We currently require users to tunnel over SSH to gain access to certain sensitive web apps (like Nessus) but those same users have shell access on a few boxes.

Thoughts??

Albert

On Mon, Dec 17, 2012 at 4:08 AM, Jan Cholasta <jchol...@redhat.com> wrote:
> Hi,
>
> this should work and you don't even have to set the shell to /sbin/nologin (depends on whether you want the users to be able to login to the system by other means or not), as the command directive in authorized_keys takes precedence.
>
> The tricky part is escaping the value correctly (there is shell escaping, IPA CSV quote escaping and authorized_keys quote escaping in effect):
>
> $ ipa user-mod user --sshpubkey='command=/usr/bin/perl -e '\''$|=1; print \Tunnel created, use your webbrowser to connect to the tool\n\;while(1) { print localtime(time) . \\n\; sleep 60}'\'',permitopen=localhost:8834,no-agent-forwarding,no-X11-forwarding ssh-rsa ...'
>
> Honza
>
> On 17.12.2012 03:23, Peter Brown wrote:
>> Hi Albert,
>>
>> Have you tried putting that command in the public key for the user in freeipa and setting the user shell to /sbin/nologin or the equivalent?
>>
>> On 15 December 2012 02:09, Albert Adams <bite...@gmail.com> wrote:
>>> In our environment we have several systems where users require access to the system to setup an SSH tunnel but should not have a shell on the system.
>>>
>>> Prior to rolling out IPA we accomplished this with the authorized_keys file as follows:
>>>
>>> command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser to connect to the tool\n\";while(1) { print localtime(time) . \"\\n\"; sleep 60}'",permitopen=localhost:8834,no-agent-forwarding,no-X11-forwarding
>>>
>>> Is there a way to accomplish this in IPA?
>>>
>>> Regards,
>>> Albert
>
> --
> Jan Cholasta
[Freeipa-users] User expiration on a certain date
Hi,

Is it possible to lock out an user account on a set date?

Regards,
Siggi
Re: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell
An HBAC extension would certainly be appreciated. I'm not sure how other organizations are setup but in our environment we don't give shell access unless absolutely necessary and we use a lot of SSH tunneling with target services bound to localhost. If I can figure out the correct syntax to get the perl command added to the users public key in IPA (as Honza suggested) then that will provide a work around for the time being. Ultimately it would be awesome to have the same level of granularity that the local authorized_keys file allowed while reaping the benefits of centralized management.

Albert

On Mon, Dec 17, 2012 at 9:36 AM, Simo Sorce <s...@redhat.com> wrote:
> On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote:
>> Thank you for the responses. I was initially attempting to set this value via the web UI and if I entered anything other than the hash value of the user's public key it would get rejected. After thinking about your response I realize that I really need to determine a method of doing this via a HBAC rule. If I accomplish this with authorized_keys then the user is restricted across the board and would not be able to gain a shell on any system whereas HBAC would allow me to restrict their access as needed. We currently require users to tunnel over SSH to gain access to certain sensitive web apps (like Nessus) but those same users have shell access on a few boxes.
>>
>> Thoughts??
>
> One thing you could do is to use the override_shell parameter in sssd.
> However this one would override the shell for all users so just putting /sbin/nologin there would not work if you need some users to be able to log in (if you care only for root logins it would be enough).
>
> However you can still manage to use it to point to a script that would test something like whether the user belongs to a group or not, and if so run either /bin/bash or /bin/nologin
>
> This seems like a nice feature request for FreeIPA though, maybe we can extend HBAC to allow a special option to define a shell, maybe creating a special 'shell' service that sssd can properly interpret as a hint to set nologin vs the actual shell.
>
> Dmitri, should we open an RFE on this ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
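The selector script Simo sketches (override_shell pointing at a script that checks group membership and execs either a real shell or nologin) looks like the following. This is an added example, not Simo's code and not part of sssd or FreeIPA; override_shell is a real sssd option, but the group name shell-users, the script name ipa-shell-select and its install path are constructed for the example.

```sh
#!/bin/sh
# Added example, not Simo's code or part of sssd/FreeIPA. sssd's override_shell
# (an [nss] option) makes this script the login shell of every sssd user; the
# script then decides per user whether to exec a real shell or nologin, which
# gives back the per-user choice that override_shell alone takes away.
# The group name, install path and script name are constructed.
#
# sssd.conf fragment (constructed):
#   [nss]
#   override_shell = /usr/local/sbin/ipa-shell-select

ALLOWED_GROUP=${ALLOWED_GROUP:-shell-users}
REAL_SHELL=${REAL_SHELL:-/bin/bash}
DENY_SHELL=${DENY_SHELL:-/sbin/nologin}

# Decide from a whitespace-separated list of group names. Deny is the default,
# so an empty list (for example after a failed group lookup) never yields a
# shell; only an explicit match on ALLOWED_GROUP does.
select_shell() {
    for g in $1; do
        if [ "$g" = "$ALLOWED_GROUP" ]; then
            printf '%s\n' "$REAL_SHELL"
            return 0
        fi
    done
    printf '%s\n' "$DENY_SHELL"
}

# Only act as a login shell when invoked under the installed name (sshd sets
# argv[0] to "-ipa-shell-select" for a login session, hence the second
# pattern). Sourcing this file under any other name just defines the
# functions above, which is what the tests rely on.
case ${0##*/} in
ipa-shell-select|-ipa-shell-select)
    # "$@" passes through sshd's "-c command" so remote commands and forced
    # commands reach the chosen shell unchanged; nologin ignores them.
    exec "$(select_shell "$(id -nG)")" "$@"
    ;;
esac
```

Note that bash started this way is not a login shell (its argv[0] does not begin with a dash); if login-shell behaviour matters for the allowed users, pass -l to bash in the exec. The deny-by-default shape is the part worth keeping whatever the policy test is: a lookup failure must not hand out a shell.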
Re: [Freeipa-users] User expiration on a certain date
On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote:
> Hi,
>
> Is it possible to lock out an user account on a set date?

You should be able to set the krbPrincipalExpiration attribute to expire an account on a set date.
However note this:
https://fedorahosted.org/freeipa/ticket/3305

It means it will work with krb auth but not with ldap binds for now.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
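Since the CLI and web UI of this FreeIPA version do not expose krbPrincipalExpiration, setting it means an LDAP modify. The following is an added example (not from the thread and not FreeIPA code) that produces the LDIF for ldapmodify and refuses a malformed timestamp before it reaches the directory. It assumes the standard IPA user DN layout uid=<user>,cn=users,cn=accounts,<basedn>; dc=example,dc=com and ipa.example.com are placeholders. As Simo notes via ticket 3305, this stops Kerberos authentication only: LDAP simple binds for the user are not blocked by it.

```sh
#!/bin/sh
# Added example; not from the thread or FreeIPA. Emits the LDIF that sets
# krbPrincipalExpiration on an IPA user. Assumes the standard IPA user DN
# layout; dc=example,dc=com is a placeholder base DN.

BASE_DN=${BASE_DN:-dc=example,dc=com}

# krbPrincipalExpiration is an LDAP GeneralizedTime in UTC: YYYYMMDDhhmmssZ.
# The pattern checks the shape and plausible digit ranges, not calendar validity.
valid_generalized_time() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9][0-2][0-9][0-5][0-9][0-5][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# Print an LDIF modify for ldapmodify. "replace" both sets and overwrites the
# attribute. A malformed timestamp is rejected here so a typo cannot turn
# into an unexpired account or a confusing server-side syntax error.
# Arguments: IPA user name, expiration time (GeneralizedTime).
expire_user_ldif() {
    if ! valid_generalized_time "$2"; then
        printf 'expire_user_ldif: bad timestamp %s (want YYYYMMDDhhmmssZ)\n' "$2" >&2
        return 1
    fi
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nreplace: krbPrincipalExpiration\nkrbPrincipalExpiration: %s\n' \
        "$1" "$BASE_DN" "$2"
}

# Demo: user and date are constructed. A real run would be, after kinit admin:
#   expire_user_ldif contractor1 20130131000000Z | ldapmodify -Y GSSAPI -H ldap://ipa.example.com
expire_user_ldif contractor1 20130131000000Z
```

Because the expiry lives only in the Kerberos attributes, a defender who wants the date to mean "no access at all" still has to pair it with an LDAP-side lock (the nsAccountLock attribute that ipa user-disable sets) or a bind policy on the directory, which is the gap Brian points to later in the thread.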
Re: [Freeipa-users] User expiration on a certain date
On Mon, December 17, 2012 18:40, Simo Sorce wrote:
> On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote:
>> Hi,
>>
>> Is it possible to lock out an user account on a set date?
>
> You should be able to set the krbPrincipalExpiration attribute to expire an account on a set date.
> However note this:
> https://fedorahosted.org/freeipa/ticket/3305
>
> It means it will work with krb auth but not with ldap binds for now.

Thanks! That worked like a charm!!

Is there any active ticket to have this property exposed for editing in the IPA CLI / WEBUI?

Rgds,
Siggi
Re: [Freeipa-users] User expiration on a certain date
On Mon, 2012-12-17 at 19:08 +0100, Sigbjorn Lie wrote:
> On Mon, December 17, 2012 18:40, Simo Sorce wrote:
>> On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> Is it possible to lock out an user account on a set date?
>>
>> You should be able to set the krbPrincipalExpiration attribute to expire an account on a set date.
>> However note this:
>> https://fedorahosted.org/freeipa/ticket/3305
>>
>> It means it will work with krb auth but not with ldap binds for now.
>
> Thanks! That worked like a charm!!
>
> Is there any active ticket to have this property exposed for editing in the IPA CLI / WEBUI?

No, an RFE ticket would be welcome though.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] User expiration on a certain date
On Mon, December 17, 2012 19:32, Simo Sorce wrote:
> On Mon, 2012-12-17 at 19:08 +0100, Sigbjorn Lie wrote:
>> On Mon, December 17, 2012 18:40, Simo Sorce wrote:
>>> On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> Is it possible to lock out an user account on a set date?
>>>
>>> You should be able to set the krbPrincipalExpiration attribute to expire an account on a set date.
>>> However note this:
>>> https://fedorahosted.org/freeipa/ticket/3305
>>>
>>> It means it will work with krb auth but not with ldap binds for now.
>>
>> Thanks! That worked like a charm!!
>>
>> Is there any active ticket to have this property exposed for editing in the IPA CLI / WEBUI?
>
> No, an RFE ticket would be welcome though.

Ok, for the record:
https://bugzilla.redhat.com/show_bug.cgi?id=887988

Rgds,
Siggi
Re: [Freeipa-users] User expiration on a certain date
>>>>> Is it possible to lock out an user account on a set date?
>>>>
>>>> You should be able to set the krbPrincipalExpiration attribute to expire an account on a set date.
>>>> However note this:
>>>> https://fedorahosted.org/freeipa/ticket/3305
>>>>
>>>> It means it will work with krb auth but not with ldap binds for now.
>>>
>>> Thanks! That worked like a charm!!
>>>
>>> Is there any active ticket to have this property exposed for editing in the IPA CLI / WEBUI?
>>
>> No, an RFE ticket would be welcome though.
>
> Ok, for the record:
> https://bugzilla.redhat.com/show_bug.cgi?id=887988
>
> Rgds,
> Siggi

It would be better though to have a real account expiration setting in the UI that not only set krbPrincipalExpiration but also locked the ldap user account and any other appropriate actions.

Brian
[Freeipa-users] anyone know how to do sssd filters?
I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group dba must not already exist prior to installing. Red Hat support wanted me to *remove* the DBA group and then install.

Anyway, I'm trying to play around with filter_groups in sssd, and I can't seem to get it to take. The man page isn't exactly clear, but here's what I've tried:

filter_groups = dba
filter_groups= dba@fqdn

In the [domain], [sssd] and [nss] sections of the config file.

What's the right syntax? Do I need it in every section?

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] netapp filer AD + ipa: possible?
On Fri, September 7, 2012 16:50, Dmitri Pal wrote:
> On 09/07/2012 07:33 AM, Ondrej Valousek wrote:
>> That is actually the main benefit of the 'ldap.ADdomain' parameter. It will allow you to simplify configuration and allows easy load balancing/failover functionality.
>> We are paying for NetApp support, too so if anyone is going to bug NetApp about this, I am happy to join you.
>>
>> Ondrej
>>
>> On 09/07/2012 10:07 AM, Sigbjorn Lie wrote:
>>> Yes it would be great if NetApp would do that. The ldap.ADdomain option is used to configure the NetApp LDAP client from AD SRV DNS records. It would be great (and should be easy for NetApp) to have an option for ldap.IPAdomain.
>>>
>>> I don't remember exactly why I did not use this for IPA, as far as I remember most things worked, but I stumbled across some issue.
>
> I will.
>
> Siggi
>
> I will also send you a private email to give you access to the wiki.

I don't think I ever posted the wiki link for my details around NetApp configuration in a mixed environment... See below.

http://www.freeipa.org/page/NetApp_integration_in_a_mixed_environment
Re: [Freeipa-users] FreeIPA and Samba 4
On Mon, 2012-12-17 at 14:58 -0500, Steven Santos wrote:
> I know this may be a loaded question, but I am asking it anyways.
>
> Can anyone tell me what the current status and future plan for IPA / Samba 4 is?

We plan to support setting up trusts with Samba4 just like we do with AD when Samba4 will start supporting Cross-forest trusts.
It currently doesn't.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] anyone know how to do sssd filters?
On 12/17/2012 03:11 PM, KodaK wrote:
> I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group dba must not already exist prior to installing. Red Hat support wanted me to *remove* the DBA group and then install.
>
> Anyway, I'm trying to play around with filter_groups in sssd, and I can't seem to get it to take. The man page isn't exactly clear, but here's what I've tried:
>
> filter_groups = dba
> filter_groups= dba@fqdn
>
> In the [domain], [sssd] and [nss] sections of the config file.
>
> What's the right syntax? Do I need it in every section?

Is it a local group or a central group?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell
On 12/17/2012 09:36 AM, Simo Sorce wrote:
> On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote:
>> Thank you for the responses. I was initially attempting to set this value via the web UI and if I entered anything other than the hash value of the user's public key it would get rejected. After thinking about your response I realize that I really need to determine a method of doing this via a HBAC rule. If I accomplish this with authorized_keys then the user is restricted across the board and would not be able to gain a shell on any system whereas HBAC would allow me to restrict their access as needed. We currently require users to tunnel over SSH to gain access to certain sensitive web apps (like Nessus) but those same users have shell access on a few boxes.
>>
>> Thoughts??
>
> One thing you could do is to use the override_shell parameter in sssd.
> However this one would override the shell for all users so just putting /sbin/nologin there would not work if you need some users to be able to log in (if you care only for root logins it would be enough).
>
> However you can still manage to use it to point to a script that would test something like whether the user belongs to a group or not, and if so run either /bin/bash or /bin/nologin
>
> This seems like a nice feature request for FreeIPA though, maybe we can extend HBAC to allow a special option to define a shell, maybe creating a special 'shell' service that sssd can properly interpret as a hint to set nologin vs the actual shell.
>
> Dmitri, should we open an RFE on this ?
>
> Simo.

OK, RFE would make sense.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.
Hi,

When trying to generate a host and nfs principal + keys from the Oracle ZFS 7120/7320 Appliance I get the following error message (note that the information pasted are from a simulator but I get exactly the same error from our real Appliances).

I can't generate a key on the IPA server and copy it to the Appliance; unfortunately it does not support that since it has a specialised web interface and CLI. The Appliance wants to generate the principals and keys itself after I add the Kerberos information realm/KDC and admin principal.

NTP is synced and DNS is working with reverse, no firewalls and SELinux disabled. I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers with the same results.

Any ideas on what is wrong and if it is possible to get it working?

An unanticipated system error occurred: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)

Exception type: coXmlrpcFault
Native message: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
Mapped stack trace:
Native file: undefined line ?
Native stack trace:
Message: none
Wrapped exception: none
Stack trace: none
  at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
Additional native members:
faultCode: 600
faultString: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
coStack:
  top.akMulticall(argv:array [object Object], abort:true, func:function function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t})
  nasServiceNFS.prototype.commit(callback:function function (err) {\n\t\tif (akHandleFault(err, {\n\t\tset: view.aksvc_current_set\n\t\t})) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t})
  akSvcView.prototype.commitToServer(enable:false, callback:function function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t})
  akSvcView.prototype.commit(callback:null)
  anonymous(object [object Object], object [object MouseEvent])
  anonymous(e:object [object MouseEvent])
  [akEventListenerWrap,click,undefined](e:object [object MouseEvent])
faultName: EAK_KADM5

In the kadmind.log on the IPA server I get the following:

Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112

And in the krb5kdc.log:

Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database

If I add the host in IPA I instead get:

Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION s4u-client=admin@HOME
Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required
Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.
On 12/17/2012 07:15 PM, Johan Petersson wrote:
> Hi,
>
> When trying to generate a host and nfs principal + keys from the Oracle ZFS 7120/7320 Appliance I get the following error message (note that the information pasted are from a simulator but I get exactly the same error from our real Appliances).
>
> I can't generate a key on the IPA server and copy it to the Appliance; unfortunately it does not support that since it has a specialised web interface and CLI. The Appliance wants to generate the principals and keys itself after I add the Kerberos information realm/KDC and admin principal.
>
> NTP is synced and DNS is working with reverse, no firewalls and SELinux disabled. I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers with the same results.
>
> Any ideas on what is wrong and if it is possible to get it working?
>
> An unanticipated system error occurred: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)

Do you have this principal already precreated?
It seems that the client tries to create a principal using its kadmin library. I am not sure it would work. The protocol we use in ipa-getkeytab is not a kadmin protocol. As far as I recall it does an LDAP extended operation.

> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
> Native file: undefined line ?
> Native stack trace:
> Message: none
> Wrapped exception: none
> Stack trace: none
>   at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
> faultCode: 600
> faultString: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> coStack:
>   top.akMulticall(argv:array [object Object], abort:true, func:function function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t})
>   nasServiceNFS.prototype.commit(callback:function function (err) {\n\t\tif (akHandleFault(err, {\n\t\tset: view.aksvc_current_set\n\t\t})) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t})
>   akSvcView.prototype.commitToServer(enable:false, callback:function function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t})
>   akSvcView.prototype.commit(callback:null)
>   anonymous(object [object Object], object [object MouseEvent])
>   anonymous(e:object [object MouseEvent])
>   [akEventListenerWrap,click,undefined](e:object [object MouseEvent])
> faultName: EAK_KADM5
>
> In the kadmind.log on the IPA server I get the following:
>
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
>
> And in the krb5kdc.log:
>
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
>
> If I add the host in IPA I instead get:
>
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION s4u-client=admin@HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.
On Tue, 2012-12-18 at 00:15 +, Johan Petersson wrote:
> Hi,

Hi Johan,
see inline.

> When trying to generate a host and nfs principal + keys from the Oracle ZFS 7120/7320 Appliance I get the following error message (note that the information pasted are from a simulator but I get exactly the same error from our real Appliances).
>
> I can't generate a key on the IPA server and copy it to the Appliance; unfortunately it does not support that since it has a specialised web interface and CLI. The Appliance wants to generate the principals and keys itself after I add the Kerberos information realm/KDC and admin principal.
>
> NTP is synced and DNS is working with reverse, no firewalls and SELinux disabled. I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers with the same results.
>
> Any ideas on what is wrong and if it is possible to get it working?
>
> An unanticipated system error occurred: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)

we do not allow tools the permissions to perform add operations via the kadmin interface, this is done by explicitly disallowing certain internal DAL operations in our driver, so it is not configurable.
This is because that interface is not rich enough to provide all the information we normally associate to principals in LDAP entries.

Does the appliance work if you pre-create the principal ?

It sounds very odd that these 'appliances' really require you to give them credentials that have very high privileges, so high as to be able to actually add principals into a kerberos database. I would consider that a very serious bug and security issue in the appliance.

Note that the kadmin interface can be allowed to change principals, including getting a new keytab. That will require you to manually edit the ACL file that is not normally configured as we do not need to allow modifications via the kadmin interface in normal IPA domains.

So if this appliance can deal with just modifying a principal to get a keytab as opposed to try to create one from scratch then you may be able to configure FreeIPA's kadmin to do that.

> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
> Native file: undefined line ?
> Native stack trace:
> Message: none
> Wrapped exception: none
> Stack trace: none
>   at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
> faultCode: 600
> faultString: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> coStack:
>   top.akMulticall(argv:array [object Object], abort:true, func:function function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t})
>   nasServiceNFS.prototype.commit(callback:function function (err) {\n\t\tif (akHandleFault(err, {\n\t\tset: view.aksvc_current_set\n\t\t})) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t})
>   akSvcView.prototype.commitToServer(enable:false, callback:function function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t})
>   akSvcView.prototype.commit(callback:null)
>   anonymous(object [object Object], object [object MouseEvent])
>   anonymous(e:object [object MouseEvent])
>   [akEventListenerWrap,click,undefined](e:object [object MouseEvent])
> faultName: EAK_KADM5
>
> In the kadmind.log on the IPA server I get the following:
>
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
>
> And in the krb5kdc.log:
>
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND:
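The kadmind "Unauthorized request" record Johan pasted is exactly the audit trail a defender wants to watch: it shows a client holding the admin principal's credentials trying to create a principal, which Simo flags as a design problem in the appliance. The following is an added example (not from the thread, MIT Kerberos or FreeIPA) that extracts those rejected-operation records from a kadmind log and reduces each to operation, target principal, requesting client and source address. The log text in SAMPLE_LOG is constructed from the format shown in the thread; /var/log/kadmind.log is the usual location on RHEL-family IPA servers.

```sh
#!/bin/sh
# Added example; not from the thread, MIT Kerberos or FreeIPA. Pulls the
# kadmind audit records that mark a rejected kadmin operation (the
# "Unauthorized request" lines in the thread) out of a log and prints one
# tab-separated summary per event: operation, target principal, requesting
# client, source address. SAMPLE_LOG is constructed from the thread's format;
# on a RHEL-family IPA server the live file is /var/log/kadmind.log.

SAMPLE_LOG='Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
Dec 17 23:12:06 server.home kadmind[3614](Notice): Request: kadm5_get_principal, host/zfs1.home@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6'

# Read kadmind log lines on stdin; emit operation<TAB>target<TAB>client<TAB>addr
# for every rejected request. Successful "Request:" records are ignored.
unauthorized_kadmin_requests() {
    awk '
        /kadmind\[[0-9]+\]\(Notice\): Unauthorized request: / {
            sub(/.*Unauthorized request: /, "")   # keep only the record body
            n = split($0, f, /, /)                # body is comma-separated
            op = f[1]; target = f[2]; client = ""; addr = ""
            for (i = 3; i <= n; i++) {
                if (f[i] ~ /^client=/) client = substr(f[i], 8)
                if (f[i] ~ /^addr=/)   addr = substr(f[i], 6)
            }
            print op "\t" target "\t" client "\t" addr
        }'
}

# Number of rejected requests in the input, for a simple threshold alert.
count_unauthorized() {
    unauthorized_kadmin_requests | wc -l | tr -d ' '
}

# Demo on the constructed sample; for a real server:
#   unauthorized_kadmin_requests < /var/log/kadmind.log
printf '%s\n' "$SAMPLE_LOG" | unauthorized_kadmin_requests
```

Feeding the output into whatever collects alerts lets an admin notice when a device holding admin@HOME starts asking for operations the IPA KDB driver refuses, which is also the quickest way to confirm whether a pre-created principal changes the appliance's behaviour as Simo and Dmitri ask.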