Re: [Freeipa-users] exporting ldap certificate
Hello,

On 04/26/2013 07:22 AM, Peter Brown wrote:
> Hi everyone.
> I am attempting to get Google Apps to sync with FreeIPA and I am having problems getting the sync utility to talk to FreeIPA. It complains about the SSL cert. I have it set up so it only accepts SSL- or TLS-encrypted connections and I don't want to turn that off. I have imported the CA cert using the JRE's keytool but it still refuses to connect. I am getting the impression I need to import the SSL cert for the LDAP server into it as well.

The CA cert (/etc/ipa/ca.crt) should be enough; it signs all the other certs. Make sure you import it with the right trust level (SSL certificate signing). Unfortunately I don't know about the JRE's keytool, so I can't be more specific.

> I have no idea which certificate that is and I have no idea how to export it.

Do not do this. You should only explicitly trust the CA cert. For example, if you trust the certs explicitly you'd have to re-import them one by one when they are renewed.

> Can someone please tell me how to do this?

If you really want to: there are two certs, one for httpd (Web UI, XML-RPC and JSON APIs) and one for the LDAP server.

To export the httpd server certificate (to PEM):

    $ certutil -L -d /etc/httpd/alias -n Server-Cert -a

To export the directory server certificate (to PEM):

    $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a

But again, you don't need this for what you're trying to do.

-- 
Petr³

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Freeipa -ssh keys
On Fri, 26 Apr 2013, naresh reddy wrote:
> Hi Alex
> I had tried to troubleshoot and so I have changed GSSAPIAuthentication to no because I was getting
>
>     debug1: Unspecified GSS failure.  Minor code may provide more information
>     Ticket expired
              ^^^
"Ticket expired" means that the ticket on the machine from which you are trying to connect to the ssh server has expired. You need to maintain actual credentials:

    [client]$ kinit n...@eng.switchlab.net
    Password: ...
    [client]$ ssh -K -l n...@eng.switchlab.net ldap1.eng.switchlab.net

You can read basics about Kerberos here: http://www.kerberos.org/software/tutorial.html

-- 
/ Alexander Bokovoy
[Freeipa-users] Kerberos delegation error on replica
Hi.

I have two IPA servers in a multi-master setup, running IPA 3.0. They've been working fine for the last ~16 months and started life as 2.2 servers. Recently the following error started showing up; I'm not sure when exactly, since I only discovered it when I was checking the status of an account the other day.

    ipa1: ~ ipa user-status user
    ---
    Account disabled: False
    ---
      Server: ipa1.domain.tld
      Failed logins: 0
      Last successful authentication: 2013-04-26T11:20:06Z
      Last failed authentication: 2013-04-26T08:44:08Z
      Time now: 2013-04-26T11:20:06Z
      Server: ipa2.domain.tld
      failed: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
    Number of entries returned 2

The exact same thing happens on the other replica. Everything else works as far as I can tell; replication is fine and either one will issue TGTs and so forth. Basically, aside from the above, I can't find anything wrong.

The following shows up in krb5kdc.log on both servers:

    Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such file or directory
    Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such file or directory

Any help would be appreciated.

Regards
Johan Sunnerstig
Re: [Freeipa-users] Freeipa -ssh keys
On Fri, 26 Apr 2013, naresh reddy wrote:
> Hi Alexander
> Thank you very much, it worked. It's fantastic and I really appreciate your help.
> But this scenario is to use the Kerberos ticket each time to log in. What we are trying to establish is: users will have private and public SSH keys, the public SSH keys will be uploaded to the FreeIPA server, and then users will connect to the remote servers via their private SSH keys; the remote servers need to authenticate via the keys received from the FreeIPA server. But the present working condition doesn't satisfy this, as the user needs to get the Kerberos ticket every lifetime.

I think you mix two different approaches. In your debug log below:

    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

This means public key can be used to authenticate, along with GSSAPI and plain password.

However, your issue is in the fact that you did not set up sshd to use sss_ssh_authorizedkeys properly -- you missed the fact that both AuthorizedKeysCommand and AuthorizedKeysCommandUser should be configured, and AuthorizedKeysCommand should only get the path to the sss_ssh_authorizedkeys utility. Add

    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    AuthorizedKeysCommandUser nobody

and it should work; it works for me on Fedora 19.

There is one issue: 'AuthorizedKeysCommandUser' is a new option in recent OpenSSH (6.2) and did not exist before. We have a patch to support it already, but it is not merged yet. In OpenSSH before 6.2 there was no support for AuthorizedKeysCommand, and there was a Fedora/RHEL patch to add it. As the patch evolved, first the user under which the command is run was separated into the AuthorizedKeysCommandRunAs option, and later upstream changed it to AuthorizedKeysCommandUser. Thus we have three different types of OpenSSH versions and a bit of a configuration mess.

-- 
/ Alexander Bokovoy
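As an added illustration of the check Alexander describes (this is example code written for this page, not code from the thread or from the FreeIPA or SSSD projects), the following Python script reads an sshd_config and reports whether AuthorizedKeysCommand is set to the bare helper path and whether a run-as user is configured under either of the two option names he mentions. It assumes the helper path /usr/bin/sss_ssh_authorizedkeys from the thread, examines only the global section before any Match block, and the sample configurations at the bottom are constructed (the first mirrors the stock file pasted later in the thread).

```python
"""Audit an sshd_config for the SSSD key-lookup wiring from the thread above.

Added example; not code from the FreeIPA or SSSD projects or from the posters.
Assumptions: the helper is /usr/bin/sss_ssh_authorizedkeys (as in the thread),
only the global section before any Match block is examined, and sshd's rule
that the first occurrence of an option wins is followed. Sample configs at the
bottom are constructed for the demonstration.
"""
import re

SSS_HELPER = "/usr/bin/sss_ssh_authorizedkeys"

# The three OpenSSH flavours named in the thread: upstream >= 6.2 has
# AuthorizedKeysCommandUser, the earlier Fedora/RHEL patch had
# AuthorizedKeysCommandRunAs, and older stock OpenSSH has neither.
RUN_AS_OPTIONS = ("authorizedkeyscommanduser", "authorizedkeyscommandrunas")

# sshd option names are alphabetic; "Key value" and "Key=value" both occur.
_LINE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return {option_lowercased: value} for the global section.

    Blank lines and comments are skipped, and a repeated option keeps
    its first value, which is how sshd itself resolves duplicates.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key == "match":
            break  # assumption: per-user/host Match blocks are out of scope
        options.setdefault(key, value)
    return options


def check_sss_ssh_keys(text):
    """Return a list of problems with the sss_ssh_authorizedkeys setup ([] is OK)."""
    opts = parse_sshd_config(text)
    problems = []

    command = opts.get("authorizedkeyscommand", "none")
    if command.lower() == "none":
        problems.append("AuthorizedKeysCommand is unset, so sshd never asks SSSD for keys")
    else:
        path, *args = command.split()
        if path != SSS_HELPER:
            problems.append("AuthorizedKeysCommand points at %s, expected %s" % (path, SSS_HELPER))
        if args:
            # The thread's advice: the option must carry only the helper path.
            problems.append("AuthorizedKeysCommand must be only the helper path; "
                            "found arguments: %s" % " ".join(args))

    run_as = next((opts[name] for name in RUN_AS_OPTIONS if name in opts), None)
    if run_as is None:
        problems.append("no AuthorizedKeysCommandUser (OpenSSH >= 6.2) or "
                        "AuthorizedKeysCommandRunAs (older Fedora/RHEL patch) set")
    elif run_as == "root":
        problems.append("key lookup helper runs as root; use an unprivileged account such as nobody")

    if opts.get("pubkeyauthentication", "yes").lower() != "yes":
        problems.append("PubkeyAuthentication is disabled, so the fetched keys are never used")
    return problems


# Constructed samples. DEFAULT_CONFIG mirrors the stock file pasted in the thread.
DEFAULT_CONFIG = """\
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
PasswordAuthentication yes
"""
FIXED_CONFIG = """\
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
"""
LEGACY_CONFIG = """\
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandRunAs nobody
"""
BROKEN_CONFIG = """\
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("fixed", FIXED_CONFIG),
                      ("legacy", LEGACY_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, check_sss_ssh_keys(cfg) or ["OK"])
```

Run it against a copy of /etc/ssh/sshd_config to see which of the three OpenSSH variants the host is in; an empty list means sshd will call the helper as an unprivileged user, which is what the two-line fix above produces.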
Re: [Freeipa-users] Freeipa -ssh keys
Hi Alexander

Thank you very much, it worked. It's fantastic and I really appreciate your help.

But this scenario is to use the Kerberos ticket each time to log in. What we are trying to establish is: users will have private and public SSH keys, the public SSH keys will be uploaded to the FreeIPA server, and then users will connect to the remote servers via their private SSH keys; the remote servers need to authenticate via the keys received from the FreeIPA server. But the present working condition doesn't satisfy this, as the user needs to get the Kerberos ticket every lifetime.

Remote server getting the keys from FreeIPA:

    [root@ldap1-eng-switchlab-net ipa]# /usr/bin/sss_ssh_authorizedkeys np
    ssh-rsa B3NzaC1yc2EBIwAAAQEAxOZ37IUe5gvlhO1i+bMhj8vhwlKZN6OKeMW6AM37aJhd7jxhz1R+Cod18YTB+gHkrfwe75kkEKfVyvTjpp9j5DRPeTyGMyWt4VbbyYq1Po4BZT7wOtUjwFq320QD5QnNKU6nbQKsB61xCMQy1Peu0nV/33dQTWHzlGi4uV0MN/KBvaWHmTwN6ZJ34uyEQ8kQ+fStd9XNFREw0iYglk42mNd/SA35njqNlsUbtBAR9ZokruAwAVVZqrfQw== n...@ldap.eng.switchlab.net
    ssh-rsa B3NzaC1yc2EDAQABAAABAQCxxxDS69+CH89z5ftzZZCmohY89y2AsJXfA0piHxg2XE+n np@ubuntu
    ssh-rsa B3NzaC1yc2EDAQABAAABAQDFyO8uMLGVqIwR8Ps5m6sYsB/hx3gm2fIoKq6fm0g976L26oAmclDi12CpVFYbI/osIjsq6mIpr9de5Qus/n9kIoxTZLHTRuoCEj7xc4PSPG78oE7JoWKLMvBDiwyhXNa+O9X1RgYhfYmS2m+1nGJYC9DG4xo7K60nO6WogBg3T+EwuDjYrVIfB5Rfe4D8iWKqOTNlJ+MzK4Dk8W8hqSJvuQFq5155DsbeqDy00EY1dMaGYVUq81lHEM91oz n...@ldap0.eng.switchlab.net
    [root@ldap1-eng-switchlab-net ipa]#

Debug log of the present ssh session:

    debug2: key: /home/np/.ssh/id_rsa (0x7f495ef25d60)
    debug2: key: /home/np/.ssh/id_dsa ((nil))
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup gssapi-keyex
    debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-keyex
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup gssapi-with-mic
    debug3: remaining preferred: publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-with-mic
    debug1: Next authentication method: gssapi-with-mic
    debug2: we sent a gssapi-with-mic packet, wait for reply
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Authentication succeeded (gssapi-with-mic).

Nareshchandra Paturi
14, St. Augustine's Court, Mornington Road, London E11 3BQ
Mob: 0746001, 07856918100
Ph: 02082579579
Re: [Freeipa-users] Freeipa -ssh keys
Hi Alex

I had tried to troubleshoot and so I have changed GSSAPIAuthentication to no because I was getting

    debug1: Unspecified GSS failure.  Minor code may provide more information
    Ticket expired
    debug1: Unspecified GSS failure.  Minor code may provide more information
    Ticket expired
    debug1: Unspecified GSS failure.  Minor code may provide more information
    debug1: Unspecified GSS failure.  Minor code may provide more information
    Matching credential not found

Now I uninstalled the IPA client, reinstalled it and joined the IPA domain, and now the sshd config is at its default. Please suggest.

    [root@ldap1-eng-switchlab-net ipa]# ipa-client-install --hostname=ldap1.eng.switchlab.net
    WARNING: ntpd timedate synchronization service will not be configured as conflicting service (chronyd) is enabled
    Use --force-ntpd option to disable it and force configuration of ntpd
    DNS discovery failed to determine your DNS domain
    Provide the domain name of your IPA server (ex: example.com): eng.switchlab.net
    Provide your IPA server name (ex: ipa.example.com): ldap0.eng.switchlab.net
    The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
    Autodiscovery of servers for failover cannot work with this configuration.
    If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
    Proceed with fixed values and no DNS discovery? [no]: yes
    Hostname: ldap1.eng.switchlab.net
    Realm: ENG.SWITCHLAB.NET
    DNS Domain: eng.switchlab.net
    IPA Server: ldap0.eng.switchlab.net
    BaseDN: dc=eng,dc=switchlab,dc=net

    Continue to configure the system with these values? [no]: yes
    User authorized to enroll computers: admin
    Synchronizing time with KDC...
    Password for ad...@eng.switchlab.net:
    Enrolled in IPA realm ENG.SWITCHLAB.NET
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm ENG.SWITCHLAB.NET
    trying https://ldap0.eng.switchlab.net/ipa/xml
    Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Forwarding 'host_mod' to server u'https://ldap0.eng.switchlab.net/ipa/xml'
    Could not update DNS SSHFP records.
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Client configuration complete.

    [root@ldap1-eng-switchlab-net ipa]# cat Configured /etc/ssh/sshd_config
    cat: Configured: No such file or directory
    # $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/local/bin:/usr/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options override the
    # default value.

    # If you want to change the port on a SELinux system, you have to tell
    # SELinux about this change.
    # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
    #
    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # The default requires explicit activation of protocol 1
    #Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    #PubkeyAuthentication yes

    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys

    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody

    #AuthorizedPrincipalsFile none

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication yes

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes

    # GSSAPI options
Re: [Freeipa-users] Kerberos delegation error on replica
Johan Sunnerstig wrote:
> I have two IPA servers in a multi-master setup, running IPA 3.0. They've been working fine for the last ~16 months and started life as 2.2 servers. Recently the following error started showing up [...]
>
>       Server: ipa2.domain.tld
>       failed: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
>
> [...] The following shows up in krb5kdc.log on both servers:
>
>     Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such file or directory

One of the servers must be missing from the s4u2proxy delegation list. Are all the servers in here?

    # ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com

and

    # ldapsearch -x -b cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

I'm guessing that it is missing one or more memberPrincipal. The format is

    memberPrincipal: service/$FQDN@$REALM

rob
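The comparison Rob asks for, as an added worked example (written for this page; not FreeIPA's own code): parse the LDIF from the two ldapsearch commands, compute which memberPrincipal values are absent for a given list of IPA servers, and emit the ldapmodify input that would add them. It assumes the two entry names from the reply, the service/$FQDN@$REALM format, HTTP/ principals in cn=ipa-http-delegation and ldap/ principals in cn=ipa-ldap-delegation-targets. The LDIF sample is constructed, and the realm DOMAIN.TLD is an assumption for the domain.tld hosts in the thread; it deliberately omits ipa2's ldap principal, which is the gap the NOT_ALLOWED_TO_DELEGATE log line (HTTP/ipa1 asking for ldap/ipa2) points at.

```python
"""Find IPA servers missing from the s4u2proxy delegation entries Rob names.

Added example; not FreeIPA's own code. Assumptions: the two entries live at
cn=ipa-http-delegation and cn=ipa-ldap-delegation-targets under
cn=s4u2proxy,cn=etc,<suffix>, memberPrincipal values have the form
service/$FQDN@$REALM (HTTP/ for the first entry, ldap/ for the second), and
the input is ldapsearch LDIF output. The sample below is constructed; the
realm DOMAIN.TLD is assumed for the domain.tld hosts in the thread.
"""
import base64

# entry RDN -> service whose principals that entry should list
S4U2PROXY_ENTRIES = {
    "cn=ipa-http-delegation": "HTTP",
    "cn=ipa-ldap-delegation-targets": "ldap",
}


def parse_ldif(text):
    """Return {dn: {attr_lowercased: [values]}} from ldapsearch output.

    Handles line folding (continuation lines start with a space) and
    'attr:: <base64>' values; comments and the trailing 'search:' /
    'result:' lines, which carry no dn, are dropped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def missing_delegation(ldif_text, servers, realm, suffix):
    """Map each s4u2proxy DN to the memberPrincipal values it lacks."""
    entries = {d.lower(): a for d, a in parse_ldif(ldif_text).items()}
    missing = {}
    for rdn, service in S4U2PROXY_ENTRIES.items():
        dn = "%s,cn=s4u2proxy,cn=etc,%s" % (rdn, suffix)
        wanted = {"%s/%s@%s" % (service, host, realm) for host in servers}
        present = set(entries.get(dn.lower(), {}).get("memberprincipal", []))
        if wanted - present:
            missing[dn] = sorted(wanted - present)
    return missing


def to_ldif_modify(missing):
    """Render the gaps as ldapmodify input that adds the memberPrincipal values."""
    chunks = []
    for dn, principals in missing.items():
        body = ["dn: %s" % dn, "changetype: modify", "add: memberPrincipal"]
        body += ["memberPrincipal: %s" % p for p in principals]
        chunks.append("\n".join(body))
    return "\n\n".join(chunks) + ("\n" if chunks else "")


# Constructed ldapsearch output: ipa2's ldap principal is absent from the
# targets entry, matching the NOT_ALLOWED_TO_DELEGATE line in the thread's log
# (HTTP/ipa1 asking for ldap/ipa2). The ipaAllowedTarget line is folded the
# way ldapsearch folds long values.
SAMPLE_LDIF = """\
# extended LDIF
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=domain,dc=tld
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa1.domain.tld@DOMAIN.TLD
memberPrincipal: HTTP/ipa2.domain.tld@DOMAIN.TLD
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=domai
 n,dc=tld

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=domain,dc=tld
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa1.domain.tld@DOMAIN.TLD

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    gaps = missing_delegation(SAMPLE_LDIF, ["ipa1.domain.tld", "ipa2.domain.tld"],
                              "DOMAIN.TLD", "dc=domain,dc=tld")
    print(to_ldif_modify(gaps))
```

Feed it the concatenated output of the two ldapsearch commands plus the list of every IPA server in the topology; the printed LDIF is what an admin would review and then apply with ldapmodify as Directory Manager. Running it per replica is worthwhile, since a missing ldap/ target on one server only shows up when the HTTP service on another server tries to delegate to it.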