Re: [Freeipa-users] exporting ldap certificate

2013-04-26 Thread Petr Viktorin

Hello,

On 04/26/2013 07:22 AM, Peter Brown wrote:

> Hi everyone.
>
> I am attempting to get Google Apps to sync with FreeIPA and I am having
> problems getting the sync utility to talk to freeipa.
> It complains about the ssl cert.
> I have it set up so it only accepts ssl or tls encrypted connections and
> I don't want to turn that off.
> I have imported the ca cert using the jre's keytool but it still refuses
> to connect.
> I am getting the impression I need to import the ssl cert for the ldap
> server into it as well.


The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other 
certs. Make sure you import it with the right trust level (SSL 
certificate signing). Unfortunately I don't know about jre's keytool so 
I can't be more specific.



> I have no idea which certificate that is and I have no idea how to
> export it.


Do not do this. You should only explicitly trust the CA cert.
For example, if you trust the certs explicitly you'd have to re-import 
them one by one when they are renewed.



> Can someone please tell me how to do this?


If you really want to:
There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one 
for the LDAP server.

To export the httpd server certificate (to PEM):
$ certutil -L -d /etc/httpd/alias -n Server-Cert -a
To export the directory server certificate (to PEM):
$ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
But again, you don't need this for what you're trying to do.

--
Petr³

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Freeipa -ssh keys

2013-04-26 Thread Alexander Bokovoy

On Fri, 26 Apr 2013, naresh reddy wrote:

> Hi Alex
>
> I had tried tshoot and so I have changed GSSAPIAuthentication to no
> because I was getting
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Ticket expired

^^^ Ticket expired means the ticket on the machine from which you are
trying to connect to the ssh server has expired.

You need to maintain actual credentials:
[client]$ kinit n...@eng.switchlab.net
Password: ...
[client]$ ssh -K -l n...@eng.switchlab.net ldap1.eng.switchlab.net

You can read basics about Kerberos here:
http://www.kerberos.org/software/tutorial.html

--
/ Alexander Bokovoy



[Freeipa-users] Kerberos delegation error on replica

2013-04-26 Thread Johan Sunnerstig
Hi.

I have two IPA servers in a multi master setup, running IPA 3.0.
They've been working fine for the last ~16 months and started life as 2.2 
servers.
Recently the following error started showing up. I'm not sure when exactly, since I 
only discovered it when I was checking the status of an account the other day.

ipa1: ~ ipa user-status user
---
Account disabled: False
---
  Server: ipa1.domain.tld
  Failed logins: 0
  Last successful authentication: 2013-04-26T11:20:06Z
  Last failed authentication: 2013-04-26T08:44:08Z
  Time now: 2013-04-26T11:20:06Z

  Server: ipa2.domain.tld failed: Insufficient access: SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)

Number of entries returned 2


The same exact thing happens on the other replica.

Everything else works as far as I can tell, replication is fine and either one 
will issue TGT's and so forth. Basically aside from the above I can't find 
anything wrong.
The following shows up in the krb5kdc.log on both the servers:
Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 
16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,  
HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such 
file or directory
Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 
16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,  
HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such 
file or directory

Any help would be appreciated.

Regards
Johan Sunnerstig




Re: [Freeipa-users] Freeipa -ssh keys

2013-04-26 Thread Alexander Bokovoy

On Fri, 26 Apr 2013, naresh reddy wrote:

> Hi Alexander
>
> Thank you very much it worked.
> It's fantastic and I really appreciate your help.
>
> but this scenario is to use the Kerberos ticket for each time to login
>
> what we are trying to establish is
> users will have private and public ssh keys
> public ssh keys will be updated to the freeipa server and
>
> then users will connect to the remote servers via the private ssh
> keys, remote servers need to authenticate via the keys received from
> the freeipa server
>
>
> but the present working condition doesn't satisfy this as user needs to
> get the Kerberos ticket every life time.

I think you mix two different approaches.

In your debug log below:

debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password

This means public key can be used to authenticate, along with GSSAPI and
plain password.

However, your issue is in the fact that you did not set up sshd to use
sss_ssh_authorizedkeys properly -- you missed the fact that both
   AuthorizedKeysCommand and AuthorizedKeysCommandUser
should be configured and AuthorizedKeysCommand should only get the path
to the sss_ssh_authorizedkeys utility.

Add

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

And it should work, works for me on Fedora 19.

There is one issue: 'AuthorizedKeysCommandUser' is a new option in
recent OpenSSH (6.2) and did not exist before. We have a patch to support
it already, but it is not merged yet. In OpenSSH before 6.2 there was no
support for AuthorizedKeys and there was a Fedora/RHEL patch to add it. As
the patch evolved, first the user under which the command is run was
separated into an AuthorizedKeysCommandRunAs option, and later upstream changed it
to AuthorizedKeysCommandUser.

Thus, we have three different types of OpenSSH versions and a bit of
configuration mess.

--
/ Alexander Bokovoy

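A small lint for the recipe above, added here as an example (it is not from the thread, SSSD or OpenSSH): it parses an sshd_config, checks that AuthorizedKeysCommand holds only the path to sss_ssh_authorizedkeys, and checks that the run-as directive uses the spelling the local OpenSSH build reads. The version-to-spelling mapping (AuthorizedKeysCommandUser for 6.2 and later, AuthorizedKeysCommandRunAs for the older patched builds) is an assumption taken from Alexander's description, and the sample configs are constructed.

```python
import re
SSS_CMD = "/usr/bin/sss_ssh_authorizedkeys"

def parse_sshd_config(text):
    """Map lowercase keyword -> value for active directives. Like sshd, the
    first occurrence of a keyword wins and later ones are ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return opts

def expected_user_directive(openssh_version):
    """Assumed mapping from the thread: upstream 6.2+ reads AuthorizedKeysCommandUser,
    the older Fedora/RHEL patched builds read AuthorizedKeysCommandRunAs."""
    return "AuthorizedKeysCommandUser" if openssh_version >= (6, 2) else "AuthorizedKeysCommandRunAs"

def lint_sss_authorized_keys(text, openssh_version):
    """Return a list of problems; an empty list means the config follows the recipe."""
    opts = parse_sshd_config(text)
    problems = []
    cmd = opts.get("authorizedkeyscommand")
    if cmd is None or cmd.lower() == "none":
        problems.append("AuthorizedKeysCommand is not set")
    elif cmd.split() != [SSS_CMD]:   # the path only, no arguments
        problems.append("AuthorizedKeysCommand must be exactly %s (path only), got %r" % (SSS_CMD, cmd))
    want = expected_user_directive(openssh_version)
    other = "AuthorizedKeysCommandRunAs" if want == "AuthorizedKeysCommandUser" else "AuthorizedKeysCommandUser"
    if want.lower() not in opts:
        problems.append("%s is not set" % want)
    if other.lower() in opts:
        problems.append("%s is set, but this OpenSSH build reads %s" % (other, want))
    return problems

# Constructed sample configs (not the sshd_config dump from the thread).
BROKEN = """
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
#AuthorizedKeysCommandUser nobody
"""
FIXED = """
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_sss_authorized_keys(cfg, (6, 2)) or ["ok"])
```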


Re: [Freeipa-users] Freeipa -ssh keys

2013-04-26 Thread naresh reddy
Hi Alexander

Thank you very much it worked.
It's fantastic and I really appreciate your help.
 
but this scenario is to use the Kerberos ticket for each time to login

 what we are trying to establish is 
users will have private and public ssh keys
public ssh keys will be updated to the freeipa server and 

then users will connect to the remote servers via the private ssh keys, remote 
servers need to authenticate via the keys received from the freeipa server


but the present working condition doesn't satisfy this as user needs to get the 
Kerberos ticket every life time.


remote server getting the keys from free ipa
[root@ldap1-eng-switchlab-net ipa]# /usr/bin/sss_ssh_authorizedkeys np
ssh-rsa 
B3NzaC1yc2EBIwAAAQEAxOZ37IUe5gvlhO1i+bMhj8vhwlKZN6OKeMW6AM37aJhd7jxhz1R+Cod18YTB+gHkrfwe75kkEKfVyvTjpp9j5DRPeTyGMyWt4VbbyYq1Po4BZT7wOtUjwFq320QD5QnNKU6nbQKsB61xCMQy1Peu0nV/33dQTWHzlGi4uV0MN/KBvaWHmTwN6ZJ34uyEQ8kQ+fStd9XNFREw0iYglk42mNd/SA35njqNlsUbtBAR9ZokruAwAVVZqrfQw==
 n...@ldap.eng.switchlab.net
ssh-rsa 
B3NzaC1yc2EDAQABAAABAQCxxxDS69+CH89z5ftzZZCmohY89y2AsJXfA0piHxg2XE+n
 np@ubuntu
ssh-rsa 
B3NzaC1yc2EDAQABAAABAQDFyO8uMLGVqIwR8Ps5m6sYsB/hx3gm2fIoKq6fm0g976L26oAmclDi12CpVFYbI/osIjsq6mIpr9de5Qus/n9kIoxTZLHTRuoCEj7xc4PSPG78oE7JoWKLMvBDiwyhXNa+O9X1RgYhfYmS2m+1nGJYC9DG4xo7K60nO6WogBg3T+EwuDjYrVIfB5Rfe4D8iWKqOTNlJ+MzK4Dk8W8hqSJvuQFq5155DsbeqDy00EY1dMaGYVUq81lHEM91oz
 n...@ldap0.eng.switchlab.net
[root@ldap1-eng-switchlab-net ipa]#

debug log of present ssh session

debug2: key: /home/np/.ssh/id_rsa (0x7f495ef25d60)
debug2: key: /home/np/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list 
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred 
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: 
gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).


Nareshchandra Paturi

14, St. Augustine’s Court, 
Mornington Road,
london.
E11 3BQ.
Mob:0746001,07856918100
Ph:02082579579



 From: Alexander Bokovoy aboko...@redhat.com
To: naresh reddy nareshbt...@yahoo.com 
Cc: Jan Cholasta jchol...@redhat.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
Sent: Friday, April 26, 2013 11:44 AM
Subject: Re: [Freeipa-users] Freeipa -ssh keys
 

> On Fri, 26 Apr 2013, naresh reddy wrote:
>> Hi Alex
>>
>> I had tried tshoot and so I have changed GSSAPIAuthentication to no
>> because I was getting
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Ticket expired
> ^^^ Ticket expired means the ticket on the machine from which you are
> trying to connect to the ssh server has expired.
>
> You need to maintain actual credentials:
> [client]$ kinit n...@eng.switchlab.net
> Password: ...
> [client]$ ssh -K -l n...@eng.switchlab.net ldap1.eng.switchlab.net
>
> You can read basics about Kerberos here:
> http://www.kerberos.org/software/tutorial.html
>
> --
> / Alexander Bokovoy

Re: [Freeipa-users] Freeipa -ssh keys

2013-04-26 Thread naresh reddy
Hi Alex 

I had tried tshoot and so I have changed GSSAPIAuthentication to no 
because I was getting
debug1: Unspecified GSS failure.  Minor code may provide more information
Ticket expired
debug1: Unspecified GSS failure.  Minor code may provide more information

Ticket expired
debug1: Unspecified GSS failure.  Minor code may provide more information

debug1: Unspecified GSS failure.  Minor code may provide more information

Matching credential not found
 
now I uninstalled the ipa client and reinstalled it and joined the ipa domain
and now sshd config is at its default 

Please suggest




[root@ldap1-eng-switchlab-net ipa]#  ipa-client-install 
--hostname=ldap1.eng.switchlab.net
WARNING: ntpd timedate synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): eng.switchlab.net
Provide your IPA server name (ex: ipa.example.com): ldap0.eng.switchlab.net
The failure to use DNS to find your IPA server indicates that your resolv.conf 
file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always 
access the discovered server for all operations and will not fail over to other 
servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: ldap1.eng.switchlab.net
Realm: ENG.SWITCHLAB.NET
DNS Domain: eng.switchlab.net
IPA Server: ldap0.eng.switchlab.net
BaseDN: dc=eng,dc=switchlab,dc=net

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@eng.switchlab.net:
Enrolled in IPA realm ENG.SWITCHLAB.NET
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ENG.SWITCHLAB.NET
trying https://ldap0.eng.switchlab.net/ipa/xml
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://ldap0.eng.switchlab.net/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.




[root@ldap1-eng-switchlab-net ipa]# cat Configured /etc/ssh/sshd_config
cat: Configured: No such file or directory
#       $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options

Re: [Freeipa-users] Kerberos delegation error on replica

2013-04-26 Thread Rob Crittenden

Johan Sunnerstig wrote:

> Hi.
>
> I have two IPA servers in a multi master setup, running IPA 3.0.
> They've been working fine for the last ~16 months and started life as 2.2 
> servers.
> Recently the following error started showing up. I'm not sure when exactly, since I 
> only discovered it when I was checking the status of an account the other day.
>
> ipa1: ~ ipa user-status user
> ---
> Account disabled: False
> ---
>    Server: ipa1.domain.tld
>    Failed logins: 0
>    Last successful authentication: 2013-04-26T11:20:06Z
>    Last failed authentication: 2013-04-26T08:44:08Z
>    Time now: 2013-04-26T11:20:06Z
>
>    Server: ipa2.domain.tld failed: Insufficient access: SASL(-1): generic 
> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
> information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
>
> Number of entries returned 2
>
>
> The same exact thing happens on the other replica.
>
> Everything else works as far as I can tell, replication is fine and either one 
> will issue TGT's and so forth. Basically aside from the above I can't find 
> anything wrong.
> The following shows up in the krb5kdc.log on both the servers:
> Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 
> 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,  
> HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such 
> file or directory
> Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 
> 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,  
> HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such 
> file or directory



One of the servers must be missing from the s4u2proxy delegation list.

Are all the servers in here?

# ldapsearch -x -b 
cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com


and

# ldapsearch -x -b 
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com


I'm guessing that it is missing one or more memberPrincipal.

The format is memberPrincipal: service/$FQDN@$REALM

rob

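A way to run Rob's check mechanically, added here as an example that is not part of the thread or of FreeIPA: it reads the two ldapsearch results as LDIF and reports which memberPrincipal values are missing for a given list of IPA servers (HTTP/$FQDN@$REALM in ipa-http-delegation, ldap/$FQDN@$REALM in ipa-ldap-delegation-targets). The server names, realm, base DN and the LDIF itself are constructed sample values, not Johan's real data.

```python
def parse_ldif(text):
    """Minimal reader for ldapsearch LDIF: {dn: {attr_lower: [values]}}.
    Folded lines are joined; base64 ('::') values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:               # the trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def expected_members(servers, realm, base_dn):
    """Each IPA server needs HTTP/$FQDN@$REALM in ipa-http-delegation and
    ldap/$FQDN@$REALM in ipa-ldap-delegation-targets."""
    s4u = "cn=s4u2proxy,cn=etc," + base_dn
    return {"cn=ipa-http-delegation," + s4u: {"HTTP/%s@%s" % (s, realm) for s in servers},
            "cn=ipa-ldap-delegation-targets," + s4u: {"ldap/%s@%s" % (s, realm) for s in servers}}

def missing_delegation_members(ldif_text, servers, realm, base_dn):
    """Return {dn: [missing memberPrincipal values]}; {} means every server is listed."""
    entries = parse_ldif(ldif_text)
    missing = {}
    for dn, wanted in expected_members(servers, realm, base_dn).items():
        have = set(entries.get(dn, {}).get("memberprincipal", []))
        if wanted - have:
            missing[dn] = sorted(wanted - have)
    return missing

# Constructed ldapsearch output: ipa2's ldap/ principal is absent from the targets entry,
# one of the gaps that yields "HTTP/ipa1 ... for ldap/ipa2 ... NOT_ALLOWED_TO_DELEGATE".
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=domain,dc=tld
memberPrincipal: HTTP/ipa1.domain.tld@DOMAIN.TLD
memberPrincipal: HTTP/ipa2.domain.tld@DOMAIN.TLD

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=domain,dc=tld
memberPrincipal: ldap/ipa1.domain.tld@DOMAIN.TLD
"""
```

Calling missing_delegation_members(SAMPLE_LDIF, ["ipa1.domain.tld", "ipa2.domain.tld"], "DOMAIN.TLD", "dc=domain,dc=tld") reports the single missing ldap/ipa2.domain.tld@DOMAIN.TLD value under the targets DN.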