Re: [Freeipa-users] Timeout (?) issues
On 20.9.2013 01:24, KodaK wrote:
> This is ridiculous, right?
>
> IPA server 1:
> # for i in $(ls access*); do echo -n $i:\ ;grep err=32 $i | wc -l; done
> access: 248478
> access.20130916-043207: 302774
> access.20130916-123642: 272572
> access.20130916-201516: 294308
> access.20130917-081053: 295060
> access.20130917-144559: 284498
> access.20130917-231435: 281035
> access.20130918-091611: 291165
> access.20130918-154945: 275792
> access.20130919-014322: 296113
>
> IPA server 2:
> access: 4313
> access.20130909-200216: 4023
> access.20130910-200229: 4161
> access.20130911-200239: 4182
> access.20130912-200249: 5069
> access.20130913-200258: 3833
> access.20130914-200313: 4208
> access.20130915-200323: 4702
> access.20130916-200332: 4532
>
> IPA server 3:
> access: 802
> access.20130910-080737: 3876
> access.20130911-080748: 3902
> access.20130912-080802: 3678
> access.20130913-080810: 3765
> access.20130914-080826: 3524
> access.20130915-080907: 4142
> access.20130916-080916: 4930
> access.20130917-080926: 4769
> access.20130918-081005: 2879
>
> IPA server 4:
> access: 2812
> access.20130910-003051: 4095
> access.20130911-003105: 3623
> access.20130912-003113: 3606
> access.20130913-003125: 3581
> access.20130914-003135: 3758
> access.20130915-003150: 3935
> access.20130916-003159: 4184
> access.20130917-003210: 3859
> access.20130918-003221: 5110
>
> The vast majority of the err=32 messages are DNS entries.

It depends on your setup. Bind-dyndb-ldap does an LDAP search for each non-existent name to verify that the name wasn't added to LDAP in the meantime. If you have clients doing 1M queries for non-existing names per day, then you will see 1M LDAP queries with err=32 per day.

The next major version of bind-dyndb-ldap will have a reworked internal database and it will support negative caching, so the number of err=32 should drop significantly.
> Here are some samples:
>
> [19/Sep/2013:18:19:51 -0500] conn=9 op=169764 SRCH base=idnsName=xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
> [19/Sep/2013:18:19:51 -0500] conn=9 op=169764 RESULT err=32 tag=101 nentries=0 etime=0

This is interesting, because this LDAP query is equal to a DNS query for xxx.com.unix.xxx.com. Are your clients that crazy? :-)

> [19/Sep/2013:18:19:51 -0500] conn=9 op=169774 SRCH base=idnsName=slpoxacl01.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
> [19/Sep/2013:18:19:51 -0500] conn=9 op=169774 RESULT err=32 tag=101 nentries=0 etime=0

This is equivalent to a DNS query for slpoxacl01.unix.xxx.com.unix.xxx.com.

> [19/Sep/2013:18:19:51 -0500] conn=9 op=169770 SRCH base=idnsName=sla400q1.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
> [19/Sep/2013:18:19:51 -0500] conn=9 op=169770 RESULT err=32 tag=101 nentries=0 etime=0

And this is sla400q1.unix.xxx.com.unix.xxx.com.

> [19/Sep/2013:18:19:51 -0500] conn=9 op=169772 SRCH base=idnsName=magellanhealth.com,idnsname=unix.magellanhealth.com,cn=dns,dc=unix,dc=magellanhealth,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
> [19/Sep/2013:18:19:51 -0500] conn=9 op=169772 RESULT err=32 tag=101 nentries=0 etime=0
>
> So far today there are over half a million of these. That can't be right.

I would recommend you use a network sniffer and check which clients send these crazy queries. My guess is that your resolver library (libc?) causes this.

On my Linux system with glibc-2.17-14.fc19.x86_64 it behaves in this way:

client query = nonexistent.example.com. (I used $ ping nonexistent.example.com.)
search domain in /etc/resolv.conf = brq.redhat.com.

DNS query #1: nonexistent.example.com. = NXDOMAIN
DNS query #2: nonexistent.example.com.brq.redhat.com. = NXDOMAIN
DNS query #3: nonexistent.example.com.redhat.com. = NXDOMAIN

> On Thu, Sep 19, 2013 at 3:05 PM, KodaK sako...@gmail.com wrote:
> I didn't realize that DNS created one connection. I thought it was one connection spanning several days.

In theory, there should be 2-4 LDAP connections from each DNS server and those connections should live until the DNS or LDAP server restarts/crashes.

Petr^2 Spacek

> On Thu, Sep 19, 2013 at 2:51 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 09/19/2013 12:57 PM, KodaK wrote:
> Well, this is awkward:
>
> [root@slpidml01 slapd-UNIX-xxx-COM]# grep conn=170902 access* | wc -l
> 5453936
> [root@slpidml01 slapd-UNIX-xxx-COM]#
>
> Why is it awkward?
>
> On Thu, Sep 19, 2013 at 1:48 PM, KodaK sako...@gmail.com wrote:
> Thanks. I've been running that against my logs, and this has to be abnormal:
>
> err=32 129274 No Such Object
> err=0 10952 Successful Operations
> err=14 536 SASL Bind in Progress
> err=53 39 Unwilling To Perform
> err=49 3 Invalid Credentials (Bad Password)
>
> I'm still trying to figure out why there are so many error 32s. Are there any usual suspects I should know about? (That's just the current
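As an added example (not code from the thread, from FreeIPA or from 389-ds), here is a small Python script that goes one step further than KodaK's grep: it pairs SRCH and RESULT lines by (conn, op), tallies result codes and operations per connection, and flags err=32 DNS lookups whose idnsName already ends with the zone or with the zone's top-level label, the "name.zone.zone" pattern Petr attributes to resolver search-domain expansion. The sample log lines are constructed in the style of the ones quoted above, and the flagging rule is a heuristic I am assuming for the example, not something bind-dyndb-ldap itself does.

```python
"""Spot search-domain-expansion noise (err=32) in a 389-ds access log."""
import re
from collections import Counter

# Line shapes seen in the thread.  Quotes around base= are optional because
# some server versions and log scrapes omit them.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="?(?P<base>[^"\s]+)"?')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
# DNS entries live under idnsName=<relative name>,idnsName=<zone>,cn=dns,...
DNS_BASE_RE = re.compile(
    r'idnsname=(?P<name>[^,]+),idnsname=(?P<zone>[^,]+),cn=dns,', re.IGNORECASE)


def looks_like_search_expansion(name, zone):
    """Heuristic (assumed for this example): does <name>.<zone> look like a
    resolver appended the search domain to a name the client meant as
    absolute?  Strong signal: the relative name already ends with the zone
    (sla400q1.unix.xxx.com under unix.xxx.com).  Weak signal: the relative
    name is multi-label and ends with the zone's top-level label (xxx.com
    under unix.xxx.com).  SRV-style names such as _kerberos._tcp match
    neither rule and are left alone."""
    name, zone = name.lower().rstrip('.'), zone.lower().rstrip('.')
    if name.endswith('.' + zone):
        return True
    labels = name.split('.')
    return len(labels) > 1 and labels[-1] == zone.split('.')[-1]


def analyse_access_log(lines):
    """Return result-code counts, ops per connection, the number of err=32
    DNS searches, and a Counter of the FQDNs that look like expansion."""
    pending = {}                 # (conn, op) -> base DN of a SRCH awaiting its RESULT
    err_counts = Counter()
    ops_per_conn = Counter()
    dns_nxdomain = 0
    expansion = Counter()
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group('base')
            ops_per_conn[m.group(1)] += 1
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err = m.groups()
        err_counts[err] += 1
        base = pending.pop((conn, op), None)
        if err != '32' or base is None:
            continue
        d = DNS_BASE_RE.search(base)
        if not d:
            continue                 # err=32 on something other than a DNS entry
        dns_nxdomain += 1
        if looks_like_search_expansion(d.group('name'), d.group('zone')):
            expansion[d.group('name') + '.' + d.group('zone')] += 1
    return {'err_counts': err_counts, 'ops_per_conn': ops_per_conn,
            'dns_nxdomain': dns_nxdomain, 'expansion': expansion}


def expansion_share(result):
    """Fraction of err=32 DNS searches that look like search-domain expansion."""
    if result['dns_nxdomain'] == 0:
        return 0.0
    return sum(result['expansion'].values()) / result['dns_nxdomain']


# Constructed sample in the format quoted on the list (not real log data).
SAMPLE_LOG = """\
[19/Sep/2013:18:19:51 -0500] conn=9 op=169764 SRCH base=idnsName=xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169764 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:51 -0500] conn=9 op=169770 SRCH base=idnsName=sla400q1.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169770 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:52 -0500] conn=9 op=169771 SRCH base=idnsName=_kerberos._tcp,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
[19/Sep/2013:18:19:52 -0500] conn=9 op=169771 RESULT err=0 tag=101 nentries=1 etime=0
[19/Sep/2013:18:19:52 -0500] conn=9 op=169772 SRCH base=idnsName=typo-host,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
[19/Sep/2013:18:19:52 -0500] conn=9 op=169772 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:53 -0500] conn=12 op=5 BIND dn="uid=bob,cn=users,cn=accounts,dc=unix,dc=xxx,dc=com" method=128 version=3
[19/Sep/2013:18:19:53 -0500] conn=12 op=5 RESULT err=49 tag=97 nentries=0 etime=0
"""

if __name__ == '__main__':
    res = analyse_access_log(SAMPLE_LOG.splitlines())
    print('result codes:', dict(res['err_counts']))
    print('ops per connection:', dict(res['ops_per_conn']))
    print('err=32 DNS searches:', res['dns_nxdomain'],
          'of which expansion-like: %.0f%%' % (100 * expansion_share(res)))
    for fqdn, n in res['expansion'].most_common():
        print('  %6d  %s' % (n, fqdn))
```

Run it against a real access log with `analyse_access_log(open(path))`; a high expansion share points at client resolv.conf search lists (the glibc behaviour Petr shows), while a handful of connections carrying almost all operations is the expected bind-dyndb-ldap pattern rather than a leak.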
[Freeipa-users] Export SSL Cert
Hi,

On my ever quest to finally get freeipa working behind a reverse proxy, the final thing is: is it possible to export the private key and cert of the freeipa http cert? I would like to put the SSL cert on the reverse proxy but it seems I'm not having any luck getting the private key out from the certdb.

Thanks.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Export SSL Cert
On 20.9.2013 10:14, Andrew Lau wrote:
> Hi,
>
> On my ever quest to finally get freeipa working behind a reverse proxy, the final thing is: is it possible to export the private key and cert of the freeipa http cert? I would like to put the SSL cert on the reverse proxy but it seems I'm not having any luck getting the private key out from the certdb.
>
> Thanks.

Hi,

you can use pk12util to export it to a PKCS#12 file, which contains both the certificate and the private key:

# pk12util -o file.p12 -n Server-Cert -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt

Honza

-- 
Jan Cholasta
Re: [Freeipa-users] Export SSL Cert
On Fri, Sep 20, 2013 at 8:48 PM, Jan Cholasta jchol...@redhat.com wrote:
> On 20.9.2013 10:14, Andrew Lau wrote:
>> Hi,
>>
>> On my ever quest to finally get freeipa working behind a reverse proxy, the final thing is: is it possible to export the private key and cert of the freeipa http cert? I would like to put the SSL cert on the reverse proxy but it seems I'm not having any luck getting the private key out from the certdb.
>>
>> Thanks.
>
> Hi,
>
> you can use pk12util to export it to a PKCS#12 file, which contains both the certificate and the private key:
>
> # pk12util -o file.p12 -n Server-Cert -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt
>
> Honza
>
> -- 
> Jan Cholasta

Thanks!
[Freeipa-users] Fwd: Windows, Samba and IPA
Hi,

I wonder if it is possible to have Windows clients (members of some domain) connect to SAMBA shares with an IPA account. I found various howtos for Kerberized SAMBA but they all use Linux as the client platform. I have tried to set it up using a Red Hat Solution article, but I did not get it to work.

Is it possible without using trust or synchronization between AD and IPA? If yes, how?

Fred
Re: [Freeipa-users] Joining a Windows Workstation to an IPA realm (It works better than expected!)
On Fri, 20 Sep 2013, Loris Santamaria wrote:
> Hi all,
>
> yesterday I was going to try puppet on windows, so I fired up a Windows 7 VM, and just for curiosity, instead of joining it to the AD realm, I decided to try the instructions outlined in the wiki to join the machine to the IPA realm:
> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
>
> So I went with the instructions, on the windows Workstation.
>
> ksetup /setdomain [REALM NAME]
> ksetup /addkdc [REALM NAME] [kdc DNS name]
> ksetup /addkpassword [REALM NAME] [kdc DNS name]
> ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
> ksetup /mapuser * *
>
> Next, the instructions tell you to create Windows local users corresponding to the IPA kerberos realm users, because you know, kerberos only does authentication and it can tell nothing to the windows workstation about the identity of the user...
>
> However, just for kicks, I rebooted the VM and _without creating any local user_ I tried to login with myuser@IPA.REALM … And it worked! It created a profile directory, showed my full name on the start menu. Then I tried to browse the web and SSO with squid worked like a charm, SSO with putty worked and I even logged in to the IPA administration page with my ticket.
>
> But it wasn't supposed to work without creating a local user... why was it working then?
>
> Please notice this, the IPA realm has a trust with the AD realm, so samba 4 is running on the IPA servers and every user in the IPA realm has a SID assigned... and its ticket comes with a PAC, I think that is the important part.

Exactly. You actually don't need to create the trust, just run ipa-adtrust-install to make sure IPA's infrastructure is configured to issue SIDs and accept them.

> Finally, what worked and what didn't:
>
> * I was able to login on Win 7 with an IPA user and have a local profile created automatically
> * I was able to perform SSO authentication with IPA services
> * I was able to add my IPA user to the Administrators group in windows, with the NET LOCALGROUP command.
> * I couldn't add the IPA admins group to the Administrators group. With NET LOCALGROUP Administrators IPA\admins /add it tells me that it doesn't recognise the IPA\admins group.

Right, because it doesn't know where to look up the translation between the IPA\admins string and a SID, as you haven't really configured the Windows PC to be part of the domain and the IPA domain doesn't provide the services a Windows PC expects to be there by default for resolving users/groups to SIDs in Active Directory.

> * I couldn't add other IPA users to the Administrators group, only my logged in user.

Same here.

> * I can't add IPA users to a group with the graphical administration tools, they won't show the IPA realm, only the NET command worked somehow

Same here. Windows UIs rely on the AD global catalog service which we don't implement.

> I'm investigating why Windows can't see IPA users and groups other than the currently logged in user, but I suspect that is simply because Windows takes the logged in user SID from the PAC and it doesn't really talk to samba4.

Yep, only that it doesn't know where to talk as there is no proper service available.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Recomendations on multi-domain environments
On 09/18/2013 07:55 AM, Andrew Lau wrote:
> On Wed, Sep 18, 2013 at 9:40 PM, Arturo Borrero aborr...@cica.es wrote:
>> Hi there!
>>
>> This is my situation. I have some users of my main domain cica.es. But I also maintain a database of users of other domains, i.e. example.es.
>>
>> I can apply most of the FreeIPA configuration to cica.es users: access to hosts, groups, policies, roles, etc. But users of example.es are dummy users, who just have an LDAP account in order to use virtual mailboxes in Postfix/Dovecot.
>>
>> Does anyone have any advice on how to handle this situation? I see some options:
>>
>> * create a second FreeIPA server, each to handle its own domain.
>> * get the main FreeIPA server to handle two completely different LDAP trees (with different root DNs, don't know if possible).
>> * integrate example.es users into specific groups, prefix or something each group and user.
>>
>> We are talking of about 2k users in total (main domain + secondary domain). In addition, there is the possibility to have more than two domains.
>>
>> How does FreeIPA handle this multi-domain environment?
>>
>> Best regards.
>
> If your second domain is just for LDAP (this is a little similar to what I did). It's not as fluid as you end up limited to the two domains...
>
> Keep the FreeIPA for hosting cica.es to do your host policies etc. Then on your virtual mailboxes two options we did was either:
>
> - Change the default mail attribute in FreeIPA settings so a user would have user.n...@example.es rather than user.dom...@cica.es in their mail attribute, then have the LDAP config look up that rather than username
> - The other simple alternative is simply have LDAP search the username and append @example.es or not at all.
>
> HTH

I am not sure that the answer above is 100% relevant to what has been asked. The question was: should I merge two domains or keep them separate, and if I merge the users into IPA how should I do it to be able to differentiate users from two different original sources. At least this is how I interpreted the question.

I would say it depends.

1) Are the users in the two domains the same users? If yes then you should follow the advice above and merge.

2) If the users are actually different users then I would keep the two namespaces separate and not merge. If you merge you would be able to use groups and prefixes and maybe special attributes but would not be able to put users into different sub trees. Well... you can... but the rest of IPA would not see them if you do it right or might be confused if you do it wrong.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Replica of a Replica and Master Recovery
Trevor T Kates (Services - 6) wrote:
> I apologize for the weird subject. The problem I'm facing feels a little weird and I could use some help.
>
> I'm running IPA in a test environment and trying to find different ways in which I can break it and then repair it. My IPA is running on CentOS 6.4:
>
> Linux ipa00.testdomain.com 2.6.32-358.18.1.el6.x86_64 #1 SMP Wed Aug 28 17:19:38 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> bind-9.8.2-0.17.rc1.el6_4.6.x86_64
> bind-dyndb-ldap-2.3-2.el6_4.1.x86_64
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> I seem to have created a problem for myself involving the original master server. At the beginning, I created a master IPA server with the dogtag CA and several replicas with replica dogtag CAs. I stored the /root/cacert.p12 file in a backup, reimaged the original master and turned it into a replica. In doing so, I seem to have eliminated my ability to create additional replicas due to not completely backing up everything related to the CA on the master. After preparing a replica on my reimaged master and attempting to install it on a different test server, I ran into the following error:

I think some clarification is needed. Every server in IPA is a master, on equal footing, with the exception of some optional services like the CA and DNS. The initial CA is also responsible for CRL generation and distributing renewed certificates, but those can be moved.

I think we need to know what state the machine is in and how it got there. What does reimaging mean in this case?

rob

> [root@ipa04 ~]# ipa-replica-install --setup-ca -N --setup-dns /var/lib/ipa/replica-info-ipa04.testdomain.com.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'ipa00.testdomain.com':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@testdomain.com password:
> Execute check on remote master
> ad...@ipa00.testdomain.com's password:
> Check connection from master to remote replica 'ipa04.testdomain.com':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/17]: creating certificate server user
>   [2/17]: creating pki-ca instance
>   [3/17]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa04.testdomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-krRAM2 -client_certdb_pwd  -preop_pin 2e3Wsf8VDR8lEXLi3HyX -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password  -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTDOMAIN.COM -ldap_host ipa04.testdomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password  -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd  -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTDOMAIN.COM -ca_server_cert_subject_name CN=ipa04.testdomain.com,O=TESTDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password  -sd_hostname ipa00.testdomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password  -clone_start_tls true -clone_uri https://ipa00.testdomain.com:443' returned non-zero exit status 255
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
> ___
>
> /var/log/ipareplica-install.log:
Re: [Freeipa-users] Elliptic curves with the CA
On 09/18/2013 01:53 PM, mees virk wrote:
> I do not have a valid support contract, or other contracts with RedHat. Doesn't that stop me from opening a proper RFE ticket?
>
> In any case, my interest was this time solely for evaluation purposes. If I were actively choosing an integrated identity management product, I might not choose Freeipa because it takes the longevity of the product and the development stance (lack of roadmap?) into question.

I wonder where the lack of roadmap came from?
http://www.freeipa.org/page/Roadmap

Also the trac system we use gives a good view of the dynamics of the project:
https://fedorahosted.org/freeipa/roadmap

However, IMO the disconnect in expectations is that support of ECC is not exactly FreeIPA's problem (yet). It needs to be implemented by the lower levels of the stack first: NSS, Dogtag etc. We have plans for support of certs for users and we understand that RSA is becoming outdated. Your RFE would allow us to track your specific requirements and interest (and make it our problem). Right now the position is: let the underlying components grow ECC support and consume this functionality in FreeIPA when it matures. Filing an RFE would change this dynamic and would signal to us that there is interest in the community in the actual end point solution, i.e. FreeIPA supporting ECC.

Thanks!

> RSA is slowly getting onto a slippery slope, because it really isn't about what it's worth today. When you protect something with a cryptographic algorithm you have to take into account how long certain types of data will be stored, and factor that time frame in. Increasing the key sizes will not be the solution, because several embedded devices such as VPN products, smartcards and RFID devices will start failing pretty fast after 1024-2048 bit keys.
>
> ECC was designed to solve some of these issues; it's an important development not mostly because of security today but because it will scale up better (it was designed to be better implementable on hardware), and the key sizes start from a nicer point of security vs size. So it's the feature that would future proof the CA. At this moment there is ECC support available on some products in all the areas such as smart cards, so the products not having that option out of the box will basically start losing in the competition.
>
> I'm not trying to make a technical point here (if I made some minor error there, sorry) but a managerial one, from a product management viewpoint. ECC must be on the feature set, or the CA features will be discarded in the future by potential users. That means Freeipa as a whole might not be selected for some projects. Plus, it doesn't really hurt having ECC in. :)

IPA uses NSS. NSS support of ECC algorithms is very fresh; we have not looked at this area yet. I suspect it would require changes in Dogtag first. It would be best if you can file an RFE ticket; then we would be able to follow up.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] ipa-client auth with windomain account
On 09/18/2013 11:42 AM, ?? ? wrote:
> Hi,
>
> Do I need network access to ports from the ipa-client to the windows server for authentication with windomain accounts?
>
> ipa-server fedora19
> ipa-client fedora19
> winserver win2012
>
> The ipa-client is located in another network. Within the network, ipa-server, ipa-client and windows-server authentication works. On the ipa-client:
>
> #id windomainuser@windomain
> id: windomainuser@windomain: No such user
>
> Please tell me what I'm doing wrong

We need to understand more about your setup. Are you using trusts? What is your DNS configuration? Generally if you are using trusts then clients should be able to resolve the AD server and connect to it.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] slapi-nis bypass Password Policies
Hi Simon,

The first option. I would like to be able to continue to authenticate even if the passwords are expired. It sounds crazy but we need to accomplish that just for one service.

Thanks in advance!

On 09/19/2013 10:28 PM, Simo Sorce wrote:
> On Wed, 2013-09-18 at 12:00 -0500, cbul...@gmail.com wrote:
>> Hi,
>>
>> We have a client server connected to the IPA server using NIS. It's working well but we have a service running at the client server that doesn't handle the password expiration properly. Is it possible to bypass the Password Policies from this client server?
>
> I am not sure I understand in what way you'd want to bypass them.
>
> You'd like to be able to continue to authenticate even if the passwords are expired? Or you just want to avoid being sent password expiration messages?
>
> Simo.
Re: [Freeipa-users] Joining a Windows Workstation to an IPA realm (It works better than expected!)
On Fri, 20 Sep 2013, Dmitri Pal wrote:
> On 09/20/2013 11:01 AM, Alexander Bokovoy wrote:
>> On Fri, 20 Sep 2013, Loris Santamaria wrote:
>>> Hi all,
>>>
>>> yesterday I was going to try puppet on windows, so I fired up a Windows 7 VM, and just for curiosity, instead of joining it to the AD realm, I decided to try the instructions outlined in the wiki to join the machine to the IPA realm:
>>> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
>>>
>>> So I went with the instructions, on the windows Workstation.
>>>
>>> ksetup /setdomain [REALM NAME]
>>> ksetup /addkdc [REALM NAME] [kdc DNS name]
>>> ksetup /addkpassword [REALM NAME] [kdc DNS name]
>>> ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
>>> ksetup /mapuser * *
>>>
>>> Next, the instructions tell you to create Windows local users corresponding to the IPA kerberos realm users, because you know, kerberos only does authentication and it can tell nothing to the windows workstation about the identity of the user...
>>>
>>> However, just for kicks, I rebooted the VM and _without creating any local user_ I tried to login with myuser@IPA.REALM … And it worked! It created a profile directory, showed my full name on the start menu. Then I tried to browse the web and SSO with squid worked like a charm, SSO with putty worked and I even logged in to the IPA administration page with my ticket.
>>>
>>> But it wasn't supposed to work without creating a local user... why was it working then?
>>>
>>> Please notice this, the IPA realm has a trust with the AD realm, so samba 4 is running on the IPA servers and every user in the IPA realm has a SID assigned... and its ticket comes with a PAC, I think that is the important part.
>>
>> Exactly. You actually don't need to create the trust, just run ipa-adtrust-install to make sure IPA's infrastructure is configured to issue SIDs and accept them.
>>
>>> Finally, what worked and what didn't:
>>>
>>> * I was able to login on Win 7 with an IPA user and have a local profile created automatically
>>> * I was able to perform SSO authentication with IPA services
>>> * I was able to add my IPA user to the Administrators group in windows, with the NET LOCALGROUP command.
>>> * I couldn't add the IPA admins group to the Administrators group. With NET LOCALGROUP Administrators IPA\admins /add it tells me that it doesn't recognise the IPA\admins group.
>>
>> Right, because it doesn't know where to look up the translation between the IPA\admins string and a SID, as you haven't really configured the Windows PC to be part of the domain and the IPA domain doesn't provide the services a Windows PC expects to be there by default for resolving users/groups to SIDs in Active Directory.
>>
>>> * I couldn't add other IPA users to the Administrators group, only my logged in user.
>>
>> Same here.
>>
>>> * I can't add IPA users to a group with the graphical administration tools, they won't show the IPA realm, only the NET command worked somehow
>>
>> Same here. Windows UIs rely on the AD global catalog service which we don't implement.
>>
>>> I'm investigating why Windows can't see IPA users and groups other than the currently logged in user, but I suspect that is simply because Windows takes the logged in user SID from the PAC and it doesn't really talk to samba4.
>>
>> Yep, only that it doesn't know where to talk as there is no proper service available.
>
> Loris,
>
> This is great input! Thanks for the investigation, it is really helpful!
>
> Alexander,
>
> So when we add GC support in IPA how would the picture change?

For AD domains trusted by IPA, this would solve all problems stated above (they are the same for both in-domain and out-of-domain Windows PCs).

For an out-of-domain Windows PC I'd like to see some network traces to identify whether it tries to search for a GC server associated with the Kerberos domain or not. If it does, we can be closer to the solution. If not, then a local mapping will have to happen somehow.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Joining a Windows Workstation to an IPA realm (It works better than expected!)
On 09/20/2013 11:01 AM, Alexander Bokovoy wrote:
> On Fri, 20 Sep 2013, Loris Santamaria wrote:
>> Hi all,
>>
>> yesterday I was going to try puppet on windows, so I fired up a Windows 7 VM, and just for curiosity, instead of joining it to the AD realm, I decided to try the instructions outlined in the wiki to join the machine to the IPA realm:
>> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
>>
>> So I went with the instructions, on the windows Workstation.
>>
>> ksetup /setdomain [REALM NAME]
>> ksetup /addkdc [REALM NAME] [kdc DNS name]
>> ksetup /addkpassword [REALM NAME] [kdc DNS name]
>> ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
>> ksetup /mapuser * *
>>
>> Next, the instructions tell you to create Windows local users corresponding to the IPA kerberos realm users, because you know, kerberos only does authentication and it can tell nothing to the windows workstation about the identity of the user...
>>
>> However, just for kicks, I rebooted the VM and _without creating any local user_ I tried to login with myuser@IPA.REALM … And it worked! It created a profile directory, showed my full name on the start menu. Then I tried to browse the web and SSO with squid worked like a charm, SSO with putty worked and I even logged in to the IPA administration page with my ticket.
>>
>> But it wasn't supposed to work without creating a local user... why was it working then?
>>
>> Please notice this, the IPA realm has a trust with the AD realm, so samba 4 is running on the IPA servers and every user in the IPA realm has a SID assigned... and its ticket comes with a PAC, I think that is the important part.
>
> Exactly. You actually don't need to create the trust, just run ipa-adtrust-install to make sure IPA's infrastructure is configured to issue SIDs and accept them.
>
>> Finally, what worked and what didn't:
>>
>> * I was able to login on Win 7 with an IPA user and have a local profile created automatically
>> * I was able to perform SSO authentication with IPA services
>> * I was able to add my IPA user to the Administrators group in windows, with the NET LOCALGROUP command.
>> * I couldn't add the IPA admins group to the Administrators group. With NET LOCALGROUP Administrators IPA\admins /add it tells me that it doesn't recognise the IPA\admins group.
>
> Right, because it doesn't know where to look up the translation between the IPA\admins string and a SID, as you haven't really configured the Windows PC to be part of the domain and the IPA domain doesn't provide the services a Windows PC expects to be there by default for resolving users/groups to SIDs in Active Directory.
>
>> * I couldn't add other IPA users to the Administrators group, only my logged in user.
>
> Same here.
>
>> * I can't add IPA users to a group with the graphical administration tools, they won't show the IPA realm, only the NET command worked somehow
>
> Same here. Windows UIs rely on the AD global catalog service which we don't implement.
>
>> I'm investigating why Windows can't see IPA users and groups other than the currently logged in user, but I suspect that is simply because Windows takes the logged in user SID from the PAC and it doesn't really talk to samba4.
>
> Yep, only that it doesn't know where to talk as there is no proper service available.

Loris,

This is great input! Thanks for the investigation, it is really helpful!

Alexander,

So when we add GC support in IPA how would the picture change?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] slapi-nis bypass Password Policies
Is your client simply using LDAP to bind and authenticate your service?

If so, you may be able to create a special dedicated sysaccount in:

cn=sysaccounts,cn=etc,dc=domain,dc=com

This account could be used to bind your service without having it be a member of the standard users database subjected to Password Policy expirations etc.

You cannot hope to secure that which you do not first understand
~ Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Sep 18, 2013, at 10:00 AM, cbul...@gmail.com wrote:
> Hi,
>
> We have a client server connected to the IPA server using NIS. It's working well but we have a service running at the client server that doesn't handle the password expiration properly. Is it possible to bypass the Password Policies from this client server?
>
> Thanks!
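The sysaccount Jr describes, written out as an added LDIF example (not from the list post or from FreeIPA's own documentation). It assumes the base DN dc=domain,dc=com from his message; the account name svc-mail and the password are placeholders to replace.

```ldif
# Added example: a bind-only system account under cn=sysaccounts,cn=etc.
# It lives outside cn=users,cn=accounts, so IPA's password policy and
# expiration are not applied to it.  Load as Directory Manager with:
#   ldapmodify -x -D "cn=Directory Manager" -W -f svc-mail.ldif
dn: uid=svc-mail,cn=sysaccounts,cn=etc,dc=domain,dc=com
changetype: add
objectClass: account
objectClass: simplesecurityobject
uid: svc-mail
# Placeholder; set a long random value and keep it out of version control.
userPassword: CHANGE-ME-placeholder
# 389-ds attributes: never expire this entry's password, never drop its idle binds.
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
```

Note that this only moves the service's own bind identity out from under the policy; if the service is checking end users' passwords through NIS or LDAP binds, those users' expirations still apply, which is the distinction Simo's question to the original poster is getting at.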
Re: [Freeipa-users] Elliptic curves with the CA
As a partial answer to this, work has been ongoing to fully support ECC in Dogtag. Attached is a most likely out-of-date wiki page detailing ECC support in Dogtag.

https://pki.fedoraproject.org/wiki/ECC_in_Dogtag

If I recall correctly, we are somewhere around phase 3.

Ade

On Fri, 2013-09-20 at 11:48 -0400, Dmitri Pal wrote:
> On 09/18/2013 01:53 PM, mees virk wrote:
>> I do not have a valid support contract, or other contracts with RedHat. Doesn't that stop me from opening a proper RFE ticket? In any case, my interest was this time solely for evaluation purposes. If I were actively choosing an integrated identity management product, I might not choose Freeipa because it takes the longevity of the product and the development stance (lack of roadmap?) into question.
>
> I wonder where the lack of roadmap came from?
> http://www.freeipa.org/page/Roadmap
>
> So the trac system we use gives a good view of the dynamics of the project
> https://fedorahosted.org/freeipa/roadmap
>
> However IMO the disconnect in expectations is that support of ECC is not exactly FreeIPA's problem (yet). It needs to be implemented by the lower levels of the stack first: NSS, Dogtag etc. We have plans for support of certs for users and we understand that RSA is becoming outdated. Your RFE would allow us to track your specific requirements and interest (and make it our problem). Right now the position is: let the underlying components grow ECC support and consume this functionality in FreeIPA when it matures. Filing an RFE would change this dynamic and would signal to us that there is interest in the community in the actual end point solution, i.e. FreeIPA supporting ECC.
>
> Thanks!
>
>> RSA is slowly getting onto a slippery slope, because it really isn't about what it's worth today. When you protect something with a cryptographic algorithm you have to take into account how long certain types of data will be stored, and factor that time frame in.
>>
>> Increasing the key sizes will not be the solution, because several embedded devices such as VPN products, smartcards and RFID devices will start failing pretty fast after 1024-2048 bit keys. ECC was designed to solve some of these issues; it's an important development not mostly because of security today but because it will scale up better (it was designed to be easier to implement in hardware), and the key sizes start from a nicer point of security vs size. So it's the feature that would future-proof the CA.
>>
>> At this moment there is ECC support available on some products in all the areas such as smart cards, so the products not having that option out of the box will basically start losing in the competition.
>>
>> I'm not trying to make a technical point here (if I made some minor error there, sorry) but a managerial one, from a product management viewpoint. ECC must be on the feature set, or the CA features will be discarded in the future by potential users. That means Freeipa as a whole might not be selected for some projects.
>>
>> Plus, it doesn't really hurt having ECC in. :)
>>
>>> IPA uses NSS, NSS support of ECC algorithms is very fresh, we have not looked at this area yet. I suspect it would require changes in Dogtag first. Would be best if you can file an RFE ticket, then we would be able to follow up.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Fwd: Windows, Samba and IPA
On 09/20/2013 07:33 AM, Fred van Zwieten wrote:
> Hi,
>
> I wonder if it is possible to have Windows clients (members of some domain) connect to SAMBA shares with an IPA account. I found various howtos for Kerberized SAMBA but they all use Linux as the client platform. I have tried to set it up using a Red Hat Solution article, but I did not get it to work.
>
> Is it possible without using trust or synchronization between AD and IPA? If yes, how?
>
> Fred

So the setup is: AD and IPA not in trust or sync. There is an IPA user logging into a Windows client in the AD domain and trying to access a Samba share in which domain? I mean, is Samba a member server in the AD domain or in IPA?

Anyways it would not work.

What should work is:
* User from AD accessing a samba share in the AD domain (this is the setup in the documentation that you refer to).
* User from IPA accessing a samba share in the IPA domain using a Linux client (I think that has been possible in the past).

Other scenarios would not work yet AFAIU because:
1) IPA does not provide a global catalog yet
2) Samba FS and IPA integration as a member server in a trust setup is not ready to serve users from trusted domains. There is some work to be done there.

Both are on the roadmap but not available right now.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Replica of a Replica and Master Recovery
On 09/17/2013 03:40 PM, Trevor T Kates (Services - 6) wrote:

I apologize for the weird subject. The problem I'm facing feels a little weird and I could use some help.

I'm running IPA in a test environment and trying to find different ways in which I can break it and then repair it. My IPA is running on CentOS 6.4:

    Linux ipa00.testdomain.com 2.6.32-358.18.1.el6.x86_64 #1 SMP Wed Aug 28 17:19:38 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
    bind-9.8.2-0.17.rc1.el6_4.6.x86_64
    bind-dyndb-ldap-2.3-2.el6_4.1.x86_64
    ipa-server-3.0.0-26.el6_4.4.x86_64

I seem to have created a problem for myself involving the original master server. At the beginning, I created a master IPA server with the dogtag CA and several replicas with replica dogtag CAs. I stored the /root/cacert.p12 file in a backup, reimaged the original master and turned it into a replica. In doing so, I seem to have eliminated my ability to create additional replicas due to not completely backing up everything related to the CA on the master.

After preparing a replica on my reimaged master and attempting to install it on a different test server, I ran into the following error:

    [root@ipa04 ~]# ipa-replica-install --setup-ca -N --setup-dns /var/lib/ipa/replica-info-ipa04.testdomain.com.gpg
    Directory Manager (existing master) password:

    Run connection check to master
    Check connection from replica to remote master 'ipa00.testdomain.com':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    The following list of ports use UDP protocol and would need to be checked manually:
       Kerberos KDC: UDP (88): SKIPPED
       Kerberos Kpasswd: UDP (464): SKIPPED

    Connection from replica to master is OK.
    Start listening on required ports for remote master check
    Get credentials to log in to remote master
    ad...@testdomain.com password:

    Execute check on remote master
    ad...@ipa00.testdomain.com's password:

    Check connection from master to remote replica 'ipa04.testdomain.com':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos KDC: UDP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       Kerberos Kpasswd: UDP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    Connection from master to replica is OK.

    Connection check OK
    Configuring directory server for the CA (pkids): Estimated time 30 seconds
      [1/3]: creating directory server user
      [2/3]: creating directory server instance
      [3/3]: restarting directory server
    Done configuring directory server for the CA (pkids).
    Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
      [1/17]: creating certificate server user
      [2/17]: creating pki-ca instance
      [3/17]: configuring certificate server instance
    ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa04.testdomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-krRAM2 -client_certdb_pwd -preop_pin 2e3Wsf8VDR8lEXLi3HyX -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTDOMAIN.COM -ldap_host ipa04.testdomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTDOMAIN.COM -ca_server_cert_subject_name CN=ipa04.testdomain.com,O=TESTDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname ipa00.testdomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://ipa00.testdomain.com:443' returned non-zero exit status 255
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    Configuration of CA failed

___

/var/log/ipareplica-install.log:

    # Attempting to connect to: ipa04.testdomain.com:9445
    Connected.
    Posting Query = https://ipa04.testdomain.com:9445//ca/admin/console/config/wizard?p=5subsystem=CAsession_id=-4262354986382644304xml=true
    RESPONSE STATUS:  HTTP/1.1 200 OK
    RESPONSE HEADER:
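Trevor's report shows a CA clone failing after only /root/cacert.p12 was preserved from the original master. As an added example (not code from the thread or from FreeIPA), the POSIX shell helper below inspects a PKCS#12 backup and reports whether it holds at least one private key and at least one certificate flagged CA:TRUE, which is the minimum a later "ipa-replica-install --setup-ca" clone needs from that file. It assumes the openssl command-line tool; make_sample_p12 builds a constructed throw-away CA purely so the check can be exercised offline, and the subject it uses is borrowed from the command line in the report.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Checks whether a PKCS#12 backup (e.g. /root/cacert.p12) carries the CA
# signing key and certificate that a later --setup-ca replica will need.
# Assumes the openssl CLI is installed. Passing this check is necessary,
# not sufficient: the rest of the CA state on the master still needs backing up.

# p12_ca_inventory FILE PASSWORD
# Prints "<private keys> <CA certs>" found in FILE.
# Returns 0 when both counts are >= 1, 1 when something is missing,
# 2 when FILE cannot be opened with PASSWORD (wrong password or MAC failure).
p12_ca_inventory() {
    file=$1; pass=$2
    tmp=$(mktemp) || return 3
    # Private keys only, as unencrypted PEM, so they can be counted.
    if ! openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -nodes \
            -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 2
    fi
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$tmp" || true)
    # Certificates only; re-wrap them as PKCS#7 so every certificate in the
    # bag gets printed, then count the ones whose basicConstraints say CA.
    openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys \
        -out "$tmp" 2>/dev/null || { rm -f "$tmp"; return 2; }
    cas=$(openssl crl2pkcs7 -nocrl -certfile "$tmp" 2>/dev/null \
          | openssl pkcs7 -print_certs -text -noout 2>/dev/null \
          | grep -c 'CA:TRUE' || true)
    rm -f "$tmp"
    echo "$keys $cas"
    if [ "$keys" -ge 1 ] && [ "$cas" -ge 1 ]; then return 0; else return 1; fi
}

# make_sample_p12 DIR
# Constructed test data, not a real IPA CA: a throw-away self-signed CA and
# two PKCS#12 files protected with the password "changeit":
#   DIR/good.p12      certificate + private key (what a usable backup holds)
#   DIR/certonly.p12  certificate only (looks fine, but cannot clone a CA)
make_sample_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=TESTDOMAIN.COM/CN=Certificate Authority' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$dir/ca.crt" -inkey "$dir/ca.key" \
        -name caSigningCert -passout pass:changeit \
        -out "$dir/good.p12" 2>/dev/null || return 1
    openssl pkcs12 -export -nokeys -in "$dir/ca.crt" \
        -passout pass:changeit -out "$dir/certonly.p12" 2>/dev/null || return 1
}

# Usage against a real backup (password read from a variable, not argv typed by hand):
#   p12_ca_inventory /root/cacert.p12 "$CACERT_P12_PASSWORD" || echo "not usable for a CA clone"
```

Run it on the backup before the reimage, not after: a file that opens and lists a certificate can still be missing the key, and the failure then only surfaces deep inside pkisilent on the new replica, as in the log above.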