[Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing)

2013-11-29 Thread Les Stott
Hi,

Recently installed freeipa on two servers in multi-master mode. We want to have 
a central authentication system for many hosts. Environment is RHEL 6.4 for 
servers, RHEL 6.1 for the first client host, standard rpm packages used - 
ipa-server-3.0.0-26.el6_4.4.x86_64 and  ipa-client-3.0.0-37.el6.x86_64.

I am now trying to add the first linux host to freeipa via ipa-client-install.

When I run ipa-client-install on a host in debug mode it fails with errors 
below  (I have changed hostnames and ip's, freeipa-1.mydomain.com 192.168.1.22 
and freeipa-2.mydomain.com 192.168.1.23, host client - host1 192.168.1.15)

trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Server ldap/freeip...@mydomain.com not found in Kerberos database)
{'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Server ldap/freeip...@mydomain.com not 
found in Kerberos database)', 'desc': 'Local error'}

The Kerberos logs on the server (free-ipa-1) show
Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.1.15: UNKNOWN_SERVER: authtime 0,  admin@MYDOMAIN.COM 
for HTTP/freeip...@mydomain.com, Server not found in Kerberos database

The logs indicate that the service name is being used with the short hostname 
(HTTP/freeip...@mydomain.com). The FreeIPA server has records for 
HTTP/freeipa-1.mydomain@mydomain.com. I can see these in the web interface. 
I believe this is where it is stumbling.

I've been banging my head against the wall on this one for a couple of days. 
Everything I've found says make sure you have working dns, make sure you can 
reverse lookup ip's, make sure hostnames are fqdn, make sure /etc/hosts on 
server has ip's for servers listed with fqdn first and shortname second. I've 
done all that.

I am using external dns (not integrated with freeipa), and have populated all 
records required as per sample config files provided during install. My time 
servers are other servers too, but that shouldn't matter, everything is in sync.

; for Kerberos Auto Discovery
; ldap servers
_ldap._tcp  IN SRV 0 100 389 freeipa-1.mydomain.com.
_ldap._tcp  IN SRV 0 100 389 freeipa-2.mydomain.com.

;kerberos realm
_kerberos   IN TXT MYDOMAIN.COM

; kerberos servers
_kerberos._tcp  IN SRV 0 100 88 freeipa-1.mydomain.com.
_kerberos._tcp  IN SRV 0 100 88 freeipa-2.mydomain.com.
_kerberos._udp  IN SRV 0 100 88 freeipa-1.mydomain.com.
_kerberos._ucp  IN SRV 0 100 88 freeipa-2.mydomain.com.
_kerberos-master._tcp   IN SRV 0 100 88 freeipa-1.mydomain.com.
_kerberos-master._tcp   IN SRV 0 100 88 freeipa-2.mydomain.com.
_kerberos-master._udp   IN SRV 0 100 88 freeipa-1.mydomain.com.
_kerberos-master._udp   IN SRV 0 100 88 freeipa-2.mydomain.com.
_kpasswd._tcp   IN SRV 0 100 464 freeipa-1.mydomain.com.
_kpasswd._tcp   IN SRV 0 100 464 freeipa-2.mydomain.com.
_kpasswd._udp   IN SRV 0 100 464 freeipa-1.mydomain.com.
_kpasswd._udp   IN SRV 0 100 464 freeipa-2.mydomain.com.

;ntp server
_ntp._udp   IN SRV 0 100 123 ntp1.mydomain.com.
_ntp._udp   IN SRV 0 100 123 ntp2.mydomain.com.

Reverse dns entries are also available and both freeipa servers and the host I 
am trying to configure ipa-client on can do lookups and receive fqdn's. They 
can all do reverse lookups that resolve correctly.

I have read that when using SASL/GSSAPI (Kerberos) authentication, it's possible 
that the service provider sets the principal name (SPN) to ldap/servername in 
the TGS_REQ based on a DNS query of the PTR record. I do have PTRs configured, 
and they have FQDNs. Is it true that this happens with GSSAPI? If so, how can I 
get around that?

Reverse Zone File for 192.168.1
22  PTR   freeipa-1.mydomain.com.
23  PTR   freeipa-2.mydomain.com.

Nslookup results for each IP:
22.1.168.192.in-addr.arpa  name = freeipa-1.mydomain.com.
23.1.168.192.in-addr.arpa  name = freeipa-2.mydomain.com.

I can authenticate using kinit before running the script and it still doesn't 
work.

The short version of running the install shows:
Discovery was successful!
Hostname: host1.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: freeipa-1.mydomain.com
BaseDN: dc=mydomain,dc=com

It authenticates correctly with the admin user for enrolling the host, but 
joining the realm fails.

I've tried everything I can think of.

Please help.

Thanks,

Les
___
Freeipa-users mailing list
Freeipa-users@redhat.com

Re: [Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing)

2013-11-29 Thread Martin Kosek
On 11/29/2013 09:16 AM, Les Stott wrote:
 Hi,
 
 Recently installed freeipa on two servers in multi-master mode. We want to 
 have a central authentication system for many hosts. Environment is RHEL 6.4 
 for servers, RHEL 6.1 for the first client host, standard rpm packages used - 
 ipa-server-3.0.0-26.el6_4.4.x86_64 and  ipa-client-3.0.0-37.el6.x86_64.
 
 I am now trying to add the first linux host to freeipa via ipa-client-install.
 
 When I run ipa-client-install on a host in debug mode it fails with errors 
 below  (I have changed hostnames and ip's, freeipa-1.mydomain.com 
 192.168.1.22 and freeipa-2.mydomain.com 192.168.1.23, host client - host1 
 192.168.1.15)
 
 trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
 get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI 
 Error: Unspecified GSS failure.  Minor code may provide more information 
 (Server ldap/freeip...@mydomain.com not found in Kerberos database)
 {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
 Minor code may provide more information (Server ldap/freeip...@mydomain.com 
 not found in Kerberos database)', 'desc': 'Local error'}
 
 The Kerberos logs on the server (free-ipa-1) show
 Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes 
 {18 17 16 23}) 192.168.1.15: UNKNOWN_SERVER: authtime 0,  admin@MYDOMAIN.COM 
 for HTTP/freeip...@mydomain.com, Server not found in Kerberos database
 
 The logs indicate that the service name is being used with the short hostname 
 (HTTP/freeip...@mydomain.com). The FreeIPA server has records for 
 HTTP/freeipa-1.mydomain@mydomain.com. I can see these in the web interface. 
 I believe this is where it is stumbling.
 
 I've been banging my head against the wall on this one for a couple of days. 
 Everything I've found says make sure you have working dns, make sure you can 
 reverse lookup ip's, make sure hostnames are fqdn, make sure /etc/hosts on 
 server has ip's for servers listed with fqdn first and shortname second. I've 
 done all that.

What about /etc/hosts on the clients? Do they also have FQDN first in case they
have server IP in there?

Martin



[Freeipa-users] postfix ipa

2013-11-29 Thread Natxo Asenjo
hi,

just came across Erinn Looney-Triggs's excellent writeup on using
kerberos for relaying e-mail
(https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/)
and have a question.

Would it not be possibly easier to just use the host's keytab
(/etc/krb5.keytab) instead of just deploying a new service principal
to every smtp client?

I ask this because I am at the point of deploying something similar
and would rather not have to deploy another set of keytabs
everywhere, unless this is a security malpractice, of course.

TIA,
--
Groeten,
natxo



Re: [Freeipa-users] postfix ipa

2013-11-29 Thread Martin Kosek
On 11/29/2013 11:27 AM, Natxo Asenjo wrote:
 hi,
 
 just came across Erinn Looney-Triggs's excellent writeup on using
 kerberos for relaying e-mail
 (https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/)
 and have a question.
 
 Would it not be possibly easier to just use the host's keytab
 (/etc/krb5.keytab) instead of just deploying a new service principal
 to every smtp client?
 
 I ask this because I am at the point of deploying something similar
 and would rather not have to deploy another set of keytabs
 everywhere, unless this is a security malpractice, of course.
 
 TIA,
 --
 Groeten,
 natxo

Easier? Yes. More secure? Probably not.

Kerberos experts may correct me, but from my POV, it is better to separate
these privileges. If postfix works as host/`hostname`@REALM, it could act as the
host identity. For example, an attacker could change the host's SSH public keys in
the FreeIPA host entry in LDAP if they take control of the mail service. Or they
could unenroll the host entirely from FreeIPA.

If it runs on its own keytab, and thus its own identity, it can only act on behalf 
of itself.

Martin



Re: [Freeipa-users] postfix ipa

2013-11-29 Thread Sumit Bose
On Fri, Nov 29, 2013 at 12:03:58PM +0100, Martin Kosek wrote:
 On 11/29/2013 11:27 AM, Natxo Asenjo wrote:
  hi,
  
  just came across Erinn Looney-Triggs's excellent writeup on using
  kerberos for relaying e-mail
  (https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/)
  and have a question.
  
  Would it not be possibly easier to just use the host's keytab
  (/etc/krb5.keytab) instead of just deploying a new service principal
  to every smtp client?
  
  I ask this because I am at the point of deploying something similar
  and would rather not have to deploy another set of keytabs
  everywhere, unless this is a security malpractice, of course.
  
  TIA,
  --
  Groeten,
  natxo
 
 Easier? Yes. More secure? Probably not.
 
 Kerberos experts may correct me, but from my POV, it is better to separate
 these privileges. If postfix works as host/`hostname`@REALM, it could act as the
 host identity. For example, an attacker could change the host's SSH public keys in
 the FreeIPA host entry in LDAP if they take control of the mail service. Or they
 could unenroll the host entirely from FreeIPA.
 
 If it runs on its own keytab, and thus its own identity, it can only act on behalf 
 of itself.

yes, reusing keytabs is like giving all users the same password and
making them aware of it.

bye,
Sumit

 
 Martin
 
 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users

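Martin's and Sumit's point above (one keytab per identity; a daemon that holds the host principal can act as the host) is something you can audit mechanically on each SMTP client. The following is an added example, not code from the thread, from Postfix or from FreeIPA: it parses `klist -kt` output (constructed samples below, in the layout the real tool prints) and reports any principal in a service keytab other than the expected `service/fqdn@REALM`, with a separate check on keytab ownership and mode. The `smtp` service name, the hostname `mail1.mydomain.com` and uid 89 for the postfix account are assumptions made for the example.

```python
"""Audit a service keytab so a daemon does not run with the host's identity.

Added example, not code from the thread or from FreeIPA. A dedicated service
keytab should hold only service/fqdn@REALM; a host/ principal in it would let
the daemon act as the host (change the host entry, unenroll it, ...).
"""
import re

# One `klist -kt` entry: KVNO, date, time, principal.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)$")


def principals_from_klist(text):
    """Return the distinct principals listed in `klist -kt` output, in order."""
    seen = []
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def audit_keytab(klist_text, service, fqdn, realm):
    """Return findings for a keytab meant for exactly one service on one host."""
    expected = "%s/%s@%s" % (service, fqdn, realm)
    findings = []
    principals = principals_from_klist(klist_text)
    if not principals:
        findings.append("keytab is empty or unparsable")
    for p in principals:
        if p == expected:
            continue
        if p.startswith("host/"):
            findings.append("host principal %s present: daemon could act as the host identity" % p)
        elif "@" in p and p.rsplit("@", 1)[1] != realm:
            findings.append("foreign-realm principal %s" % p)
        else:
            findings.append("unexpected principal %s (expected only %s)" % (p, expected))
    return findings


def check_keytab_mode(mode, owner_uid, expected_uid):
    """Flag a keytab readable by anyone other than the service's own account.

    `mode` is the permission bits as in os.stat(path).st_mode & 0o777.
    """
    findings = []
    if owner_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (owner_uid, expected_uid))
    if mode & 0o077:
        findings.append("mode %o is group/world accessible" % mode)
    return findings


# Constructed `klist -kt` output for a dedicated postfix keytab.
GOOD_KEYTAB = """\
Keytab name: FILE:/etc/postfix/smtp.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/29/2013 10:01:12 smtp/mail1.mydomain.com@MYDOMAIN.COM
   2 11/29/2013 10:01:12 smtp/mail1.mydomain.com@MYDOMAIN.COM
"""

# Constructed output for the shortcut the thread warns against: pointing
# postfix at the host keytab, which carries the host/ principal.
HOST_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/28/2013 09:15:40 host/mail1.mydomain.com@MYDOMAIN.COM
   1 11/28/2013 09:15:40 host/mail1.mydomain.com@MYDOMAIN.COM
"""

if __name__ == "__main__":
    for name, text in (("smtp.keytab", GOOD_KEYTAB), ("krb5.keytab", HOST_KEYTAB)):
        result = audit_keytab(text, "smtp", "mail1.mydomain.com", "MYDOMAIN.COM")
        print(name, "->", result or "OK")
    # Constructed stat values: root-owned, group-readable, postfix uid assumed 89.
    print(check_keytab_mode(0o640, 0, 89))
```

On a real client, feed it the output of `klist -kt /etc/postfix/smtp.keytab` and the `st_mode`/`st_uid` from `os.stat` on the same file; anything in the findings list is a deviation from the one-identity-per-keytab rule the thread recommends.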


[Freeipa-users] local root can su to any IPA user

2013-11-29 Thread Fred van Zwieten
Hi,

When being root on an ipa-client, I can su to any IPA user. This is
somewhat unexpected behaviour in comparison to Windows. If I am local
administrator on a Windows AD member server, I cannot become a domain user.
I need to be domain administrator for that.

Is it possible to have this feature disabled somehow?

Fred

Re: [Freeipa-users] local root can su to any IPA user

2013-11-29 Thread Alexander Bokovoy

On Fri, 29 Nov 2013, Fred van Zwieten wrote:

Hi,

When being root on an ipa-client, I can su to any IPA user. This is
somewhat unexpected behaviour in comparison to Windows. If I am local
administrator on a Windows AD member server, I cannot become a domain user.
I need to be domain administrator for that.

Is it possible to have this feature disabled somehow?

The root user on Linux systems by default has the CAP_SETUID capability, which
allows it to change a process's uid to a different user. If the capability is
there, the only way to restrict the transition from a specific user to another
one is by confining it via an appropriate security module, for example
through a properly defined SELinux policy that prevents root from
transitioning to the context of an IPA user. Someone needs to write this
policy and deploy it on IPA clients first.



--
/ Alexander Bokovoy



Re: [Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing)

2013-11-29 Thread Les Stott
Martin,

there are no entries in /etc/hosts for the freeipa servers on the client.
the client host's own entry is there with fqdn first.

Because you mentioned it, I added the hostnames of both freeipa servers to the 
hosts file on the client. It actually ran and set up the client. However, it did 
get the following errors at the end after it did the kerberos config

===
Configured /etc/krb5.conf for IPA realm MYDOMAIN.COM
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2363, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2135, in install
    delete_persistent_client_session_data(host_principal)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
    kernel_keyring.del_key(keyname)
  File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
    real_key = get_real_key(key)
  File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
    (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in run
    close_fds=True, env=env, cwd=cwd)
  File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.6/subprocess.py", line 1220, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory
===

Is that normal?

Do i need to add entries to the hosts file on every client?

Regards,

Les



From: Martin Kosek [mko...@redhat.com]
Sent: Friday, November 29, 2013 8:49 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] gssapi sasl error - only picking up short hostname 
when running ipa-client-install (and failing)

On 11/29/2013 09:16 AM, Les Stott wrote:
 Hi,

 Recently installed freeipa on two servers in multi-master mode. We want to 
 have a central authentication system for many hosts. Environment is RHEL 6.4 
 for servers, RHEL 6.1 for the first client host, standard rpm packages used - 
 ipa-server-3.0.0-26.el6_4.4.x86_64 and  ipa-client-3.0.0-37.el6.x86_64.

 I am now trying to add the first linux host to freeipa via ipa-client-install.

 When I run ipa-client-install on a host in debug mode it fails with errors 
 below  (I have changed hostnames and ip's, freeipa-1.mydomain.com 
 192.168.1.22 and freeipa-2.mydomain.com 192.168.1.23, host client - host1 
 192.168.1.15)

 trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
 get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI 
 Error: Unspecified GSS failure.  Minor code may provide more information 
 (Server ldap/freeip...@mydomain.com not found in Kerberos database)
 {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
 Minor code may provide more information (Server ldap/freeip...@mydomain.com 
 not found in Kerberos database)', 'desc': 'Local error'}

 The Kerberos logs on the server (free-ipa-1) show
 Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes 
 {18 17 16 23}) 192.168.1.15: UNKNOWN_SERVER: authtime 0,  admin@MYDOMAIN.COM 
 for HTTP/freeip...@mydomain.com, Server not found in Kerberos database

 The logs indicate that the service name is being used with the short hostname 
 (HTTP/freeip...@mydomain.com). The FreeIPA server has records for 
 HTTP/freeipa-1.mydomain@mydomain.com. I can see these in the web interface. 
 I believe this is where it is stumbling.

 I've been banging my head against the wall on this one for a couple of days. 
 Everything I've found says make sure you have working dns, make sure you can 
 reverse lookup ip's, make sure hostnames are fqdn, make sure /etc/hosts on 
 server has ip's for servers listed with fqdn first and shortname second. I've 
 done all that.

What about /etc/hosts on the clients? Do they also have FQDN first in case they
have server IP in there?

Martin



Re: [Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing)

2013-11-29 Thread Petr Spacek

On 29.11.2013 14:20, Les Stott wrote:

Martin,

there are no entries in /etc/hosts for the freeipa servers on the client.
the client host's own entry is there with fqdn first.

Because you mentioned it, I added the hostnames of both freeipa servers to the 
hosts file on the client. It actually ran and set up the client. However, it did 
get the following errors at the end after it did the kerberos config

===
Configured /etc/krb5.conf for IPA realm MYDOMAIN.COM
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2363, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2135, in install
    delete_persistent_client_session_data(host_principal)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
    kernel_keyring.del_key(keyname)
  File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
    real_key = get_real_key(key)
  File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
    (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in run
    close_fds=True, env=env, cwd=cwd)
  File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.6/subprocess.py", line 1220, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory
===

Is that normal?
No, absolutely not. I will let people knowledgeable about kernel keyrings 
chime in.



Do i need to add entries to the hosts file on every client?


Could you try this?
0) Restore your original /etc/hosts file (i.e. delete the line for IPA servers).
1) Run command tcpdump -s 65535 -w /tmp/some_writeable_file -i any on the 
client.

2) Run ipa-client-install
3) Stop tcpdump and send us the /tmp/some_writeable_file file. You can do it 
privately (for example to me or mkosek).


The network capture will not contain any password, but it will reveal domain 
names and IP addresses. Your problem is most probably related to name 
resolution, but I can't see where the problem is from your description; I hope 
that the network trace will reveal it.


Note: If you have some local caching DNS resolver *on the client* (unbound, 
BIND etc.), please flush its caches before you start.


Petr^2 Spacek



From: Martin Kosek [mko...@redhat.com]
Sent: Friday, November 29, 2013 8:49 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] gssapi sasl error - only picking up short hostname 
when running ipa-client-install (and failing)

On 11/29/2013 09:16 AM, Les Stott wrote:

Hi,

Recently installed freeipa on two servers in multi-master mode. We want to have 
a central authentication system for many hosts. Environment is RHEL 6.4 for 
servers, RHEL 6.1 for the first client host, standard rpm packages used - 
ipa-server-3.0.0-26.el6_4.4.x86_64 and  ipa-client-3.0.0-37.el6.x86_64.

I am now trying to add the first linux host to freeipa via ipa-client-install.

When I run ipa-client-install on a host in debug mode it fails with errors 
below  (I have changed hostnames and ip's, freeipa-1.mydomain.com 192.168.1.22 
and freeipa-2.mydomain.com 192.168.1.23, host client - host1 192.168.1.15)

trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Server ldap/freeip...@mydomain.com not found in Kerberos database)
{'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Server ldap/freeip...@mydomain.com not 
found in Kerberos database)', 'desc': 'Local error'}

The Kerberos logs on the server (free-ipa-1) show
Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.1.15: UNKNOWN_SERVER: authtime 0,  admin@MYDOMAIN.COM 
for HTTP/freeip...@mydomain.com, Server not found in Kerberos database

The logs indicate that the service name is being used with the short hostname 
(HTTP/freeip...@mydomain.com). The FreeIPA server has records for 
HTTP/freeipa-1.mydomain@mydomain.com. I can see these in the web interface. 
I believe this is where it is stumbling.

I've been banging my head against the wall on this one for a couple of days. 
Everything I've found says make sure you have working dns, make sure you can 
reverse lookup ip's, make sure hostnames are fqdn, make sure /etc/hosts on 
server has ip's for servers listed with fqdn first and shortname second. I've 
done all that.


What about /etc/hosts on the 

Re: [Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing)

2013-11-29 Thread Martin Kosek
On 11/29/2013 02:20 PM, Les Stott wrote:
 Martin,
 
 there are no entries in /etc/hosts for the freeipa servers on the client.
 the client host's own entry is there with fqdn first.
 
 Because you mentioned it, I added the hostnames of both freeipa servers to the 
 hosts file on the client. It actually ran and set up the client. However, it 
 did get the following errors at the end after it did the kerberos config

I checked the spec file for RHEL-6.4 and this is a bug (already fixed in the
current upstream version). It does not include the keyutils dependency. Thus, the
dependency may be missing in some super minimal RHELs and cause this error. If
you manually install keyutils, this error should vanish.

# yum install keyutils

 
 ===
 Configured /etc/krb5.conf for IPA realm MYDOMAIN.COM
 Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 2377, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 2363, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 2135, in install
     delete_persistent_client_session_data(host_principal)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
     kernel_keyring.del_key(keyname)
   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
     real_key = get_real_key(key)
   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
   File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in run
     close_fds=True, env=env, cwd=cwd)
   File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
     errread, errwrite)
   File "/usr/lib64/python2.6/subprocess.py", line 1220, in _execute_child
     raise child_exception
 OSError: [Errno 2] No such file or directory
 ===
 
 Is that normal?

No.

 
 Do i need to add entries to the hosts file on every client?

By all means no, you should not need to do that if your DNS is sane and
working. But if the addition to /etc/hosts helped, there must be something
wrong with the DNS.

Maybe there are wrong DNS PTR records cached? Do you have nscd daemon running?

Are you 100% sure that the software on the client machine resolves the FQDN of
the server when doing a reverse search?

$ host $IPA_SERVER_IP

HTH,
Martin

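The checks Les lists in the original post (an SRV record set for every server, FQDN targets, PTR records that map back) and Martin's `host $IPA_SERVER_IP` advice above can be run against the zone data itself before reaching for tcpdump. The following is an added example, not code from the thread or from FreeIPA: it parses a forward-zone snippet and a reverse-zone snippet in the layout Les posted (constructed copies are embedded, including the `_kerberos._ucp` line exactly as it appears in the post) and reports discovery records that are missing or misnamed, SRV targets that are not absolute FQDNs, and servers with no PTR mapping back to them. The list of required SRV names is taken from the records in the posted zone, an assumption rather than a FreeIPA specification, and the script works on zone text offline instead of querying a resolver.

```python
"""Offline check of the DNS records ipa-client-install discovery depends on.

Added example, not code from the thread or from FreeIPA. It reads a
forward-zone and a reverse-zone snippet (constructed copies of the posted
ones) and reports inconsistencies that break SRV discovery or reverse lookup.
"""
import re
from collections import defaultdict

# Assumed discovery SRV names, taken from the records in the posted zone
# rather than from FreeIPA documentation.
REQUIRED_SRV = (
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
    "_kerberos-master._tcp", "_kerberos-master._udp",
    "_kpasswd._tcp", "_kpasswd._udp",
)

# Constructed forward-zone snippet with the same records as the thread,
# including the `_kerberos._ucp` line exactly as posted.
FORWARD_ZONE = """\
; ldap servers
_ldap._tcp  IN SRV 0 100 389 freeipa-1.mydomain.com.
_ldap._tcp  IN SRV 0 100 389 freeipa-2.mydomain.com.
_kerberos   IN TXT MYDOMAIN.COM
_kerberos._tcp  IN SRV 0 100 88 freeipa-1.mydomain.com.
_kerberos._tcp  IN SRV 0 100 88 freeipa-2.mydomain.com.
_kerberos._udp  IN SRV 0 100 88 freeipa-1.mydomain.com.
_kerberos._ucp  IN SRV 0 100 88 freeipa-2.mydomain.com.
_kerberos-master._tcp   IN SRV 0 100 88 freeipa-1.mydomain.com.
_kerberos-master._tcp   IN SRV 0 100 88 freeipa-2.mydomain.com.
_kerberos-master._udp   IN SRV 0 100 88 freeipa-1.mydomain.com.
_kerberos-master._udp   IN SRV 0 100 88 freeipa-2.mydomain.com.
_kpasswd._tcp   IN SRV 0 100 464 freeipa-1.mydomain.com.
_kpasswd._tcp   IN SRV 0 100 464 freeipa-2.mydomain.com.
_kpasswd._udp   IN SRV 0 100 464 freeipa-1.mydomain.com.
_kpasswd._udp   IN SRV 0 100 464 freeipa-2.mydomain.com.
"""

# Constructed reverse zone for 192.168.1.0/24, as posted.
REVERSE_ZONE = """\
22  PTR   freeipa-1.mydomain.com.
23  PTR   freeipa-2.mydomain.com.
"""

# `\s*` before the target tolerates the "389freeipa-1" fusing seen in the archive.
SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s*([A-Za-z]\S*)$")
PTR_RE = re.compile(r"^(\d+)\s+PTR\s+(\S+)$")


def parse_srv(zone_text):
    """Return {srv_name: [target, ...]} from a forward-zone snippet."""
    records = defaultdict(list)
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.split(";", 1)[0].strip())   # drop comments/blanks
        if m:
            records[m.group(1)].append(m.group(3))
    return records


def parse_ptr(zone_text):
    """Return {last_octet: target} from a reverse-zone snippet."""
    ptrs = {}
    for line in zone_text.splitlines():
        m = PTR_RE.match(line.split(";", 1)[0].strip())
        if m:
            ptrs[m.group(1)] = m.group(2)
    return ptrs


def check_discovery(forward_text, reverse_text):
    """Return a sorted list of findings; an empty list means the data is consistent."""
    srv = parse_srv(forward_text)
    ptrs = parse_ptr(reverse_text)
    findings = []

    # A discovery-style SRV name that is not an expected name is almost
    # certainly a typo (the posted `_kerberos._ucp`).
    for name in srv:
        if name.startswith(("_ldap.", "_kerberos", "_kpasswd")) and name not in REQUIRED_SRV:
            findings.append("unexpected SRV name %r (typo?)" % name)

    # Every SRV target is treated as an IPA server and must be fully covered.
    servers = sorted({t for targets in srv.values() for t in targets})
    for target in servers:
        if not target.endswith("."):
            findings.append("SRV target %r is not an absolute FQDN" % target)
        for name in REQUIRED_SRV:
            if target not in srv.get(name, []):
                findings.append("%s has no %s SRV record" % (target, name))
        if target not in ptrs.values():
            findings.append("no PTR record maps back to %s" % target)

    for octet, target in ptrs.items():
        if not target.endswith("."):
            findings.append("PTR for .%s points at %r, which is not an absolute FQDN" % (octet, target))
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_discovery(FORWARD_ZONE, REVERSE_ZONE) or ["no findings"]:
        print(finding)
```

Run against the posted zone it reports that freeipa-2 has no `_kerberos._udp` record and that `_kerberos._ucp` is an unexpected name; with that one line corrected the findings list is empty. A check like this only covers what is in the zone file, so a stale cache on the client (the nscd and caching-resolver cases raised in the thread) still needs the live `host` lookup Martin suggests.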


Re: [Freeipa-users] local root can su to any IPA user

2013-11-29 Thread Fred van Zwieten
Jakub,

Yes, I could do this. But then the local root account cannot su to local
users (without password). But that is actually a normal use-case. I just
think local root should not be allowed to transition to a domain user, by
default.

Fred

On Fri, Nov 29, 2013 at 2:48 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Fri, Nov 29, 2013 at 03:11:01PM +0200, Alexander Bokovoy wrote:
  On Fri, 29 Nov 2013, Fred van Zwieten wrote:
  Hi,
  
  When being root on an ipa-client, I can su to any IPA user. This is
  somewhat unexpected behaviour in comparison to Windows. If I am local
  administrator on a Windows AD member server, I cannot become a domain
  user.
  I need to be domain administrator for that.
  
  Is it possible to have this feature disabled somehow?
  The root user on Linux systems by default has the CAP_SETUID capability, which
  allows it to change a process's uid to a different user. If the capability is
  there, the only way to restrict the transition from a specific user to another
  one is by confining it via an appropriate security module, for example
  through a properly defined SELinux policy that prevents root from
  transitioning to the context of an IPA user. Someone needs to write this
  policy and deploy it on IPA clients first.

 I think Fred is actually referring to the pam_rootok.so module that
 always returns PAM_SUCCESS if the caller has UID 0.

 Fred, if you comment out the line with pam_rootok.so in the file
 /etc/pam.d/su can you still log in as any user from root?

 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] local root can su to any IPA user

2013-11-29 Thread Jakub Hrozek
On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
 Jakub,
 
 Yes, I could do this. But then the local root account cannot su to local
 users (without password). But that is actually a normal use-case. I just
 think local root should not be allowed to transition to a domain user, by
 default.
 
 Fred

Ah, in that case I'm not sure if there's an easy solution, at least I
don't know any off hand. I think Alexander is right that SELinux would
be a good choice.



Re: [Freeipa-users] local root can su to any IPA user

2013-11-29 Thread Martin Kosek
On 11/29/2013 03:17 PM, Jakub Hrozek wrote:
 On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
 Jakub,

 Yes, I could do this. But then the local root account cannot su to local
 users (without password). But that is actually a normal use-case. I just
 think local root should not be allowed to transition to a domain user, by
 default.

 Fred
 
 Ah, in that case I'm not sure if there's an easy solution, at least I
 don't know any off hand. I think Alexander is right that SELinux would
 be a good choice.

Right. Root could uncomment the pam_rootok.so line anyway if he wanted to
access other users' accounts again.

Martin

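Jakub's pam_rootok.so suggestion and Fred's objection above come down to how Linux-PAM control flags combine in the `su` auth stack. The following is an added example, not code from the thread or from Linux-PAM: it models a two-module stack (a constructed simplification of /etc/pam.d/su plus the system-auth chain on RHEL 6, with `pam_sss.so` standing in for the whole password chain) using the classic required/requisite/sufficient/optional semantics. It shows that root passes without a password only because `pam_rootok.so` is marked `sufficient`, and that commenting that line out sends root through the same password module as any other caller; since the stack never looks at the target user, that single change cannot distinguish local users from IPA users, which is the behaviour Fred describes. The stack text and the set of modelled modules are assumptions made for the example.

```python
"""Model how Linux-PAM control flags decide the `su` auth stack for a root caller.

Added example, not code from the thread or from Linux-PAM. Only the four
classic control flags and a handful of modules are modelled; the stack text
is a constructed simplification of /etc/pam.d/su plus system-auth on RHEL 6.
"""

# Constructed approximation of the default stack: pam_rootok.so short-circuits
# for uid 0, everyone else must satisfy the password module.
DEFAULT_SU_AUTH = """\
auth        sufficient  pam_rootok.so
auth        required    pam_sss.so
"""

# Jakub's experiment: the pam_rootok.so line commented out.
NO_ROOTOK_SU_AUTH = """\
#auth       sufficient  pam_rootok.so
auth        required    pam_sss.so
"""


def parse_stack(text):
    """Return [(control, module)] for the auth lines of a pam.d-style file."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' disables the rest of the line
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def _module_result(module, caller_uid, password_ok):
    """Outcome of one modelled module; the target user is deliberately not consulted."""
    if module == "pam_rootok.so":
        return caller_uid == 0          # succeeds purely on the caller's uid
    if module in ("pam_unix.so", "pam_sss.so"):
        return password_ok              # stand-in for a real password check
    if module == "pam_permit.so":
        return True
    if module == "pam_deny.so":
        return False
    raise ValueError("module not modelled: %s" % module)


def run_stack(stack, caller_uid, password_ok):
    """Return True when the stack grants authentication.

    Classic Linux-PAM semantics, simplified:
      required   failure is remembered, remaining modules still run
      requisite  failure ends the stack immediately with denial
      sufficient success ends the stack with PASS unless a required module
                 already failed; failure is ignored
      optional   ignored unless it is the only module in the stack
    """
    required_failed = False
    has_required = any(c in ("required", "requisite") for c, _ in stack)
    for control, module in stack:
        ok = _module_result(module, caller_uid, password_ok)
        if control == "sufficient" and ok and not required_failed:
            return True
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True
        if control == "optional" and len(stack) == 1:
            return ok
    return has_required and not required_failed


def su_as_root_without_password(stack_text):
    """Can uid 0 pass this stack without knowing the target's password?"""
    return run_stack(parse_stack(stack_text), caller_uid=0, password_ok=False)


if __name__ == "__main__":
    print("default stack, root, no password:", su_as_root_without_password(DEFAULT_SU_AUTH))
    print("rootok removed, root, no password:", su_as_root_without_password(NO_ROOTOK_SU_AUTH))
    print("rootok removed, root, password ok:",
          run_stack(parse_stack(NO_ROOTOK_SU_AUTH), 0, True))
```

As Martin notes, this is a policy knob rather than a boundary: the same uid 0 that the stack denies can edit /etc/pam.d/su and put the line back, which is why the thread points at SELinux confinement for a real restriction.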


Re: [Freeipa-users] Dogtag not working?

2013-11-29 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote:
 In the process of prepping a replication host for changing over the
 CA I had to use certmonger to generate another certificate on my 
 secondary IPA server. Unfortunately it seems to fail every single 
 time. Here is what I am running and here is what I am getting:
 
 ipa-getcert request -k private/ipa2.abaqis.com.key -f 
 certs/ipa2.abaqis.com.crt -g 2048
 
 The request appears to work, however when checking the list I
 receive the following:
 
 ipa-getcert list -r
 Number of certificates and requests being tracked: 9.
 Request ID '20131128202128':
   status: CA_UNREACHABLE
   ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Authentication Error)).
   stuck: yes
   key pair storage: type=FILE,location='/etc/pki/tls/private/ipa2.abaqis.com.key'
   certificate: type=FILE,location='/etc/pki/tls/certs/ipa2.abaqis.com.crt'
   CA: IPA
   issuer:
   subject:
   expires: unknown
   pre-save command:
   post-save command:
   track: yes
   auto-renew: yes
 
 Fine, I check the http logs and get about the same:
 [Thu Nov 28 22:03:06 2013] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.request_certificate(): FAILURE (Authentication Error)
 
 Now as I understand it, ipa-getcert is going to the server listed in 
 /etc/ipa/default.conf, which in this case is ipa2.abaqis.com (the 
 request is coming from the same host). The host principal in 
 /etc/krb5.keytab is used for authentication.
 
 I have tested against the primary ipa server and everything works
 as it should. However, any requests going against ipa2 for
 certificates are failing.
 
 At this point I am stuck, so any suggestions are welcome.
 
 -Erinn
 
 

Replying to myself here, and narrowing this down a bit further: this
seems to be a straight auth problem against my secondary ipa server.
All commands work against the primary; all certificate commands against
the secondary fail.

It appears to be confined to dogtag (other commands like ipa user-show
work), but how exactly dogtag handles auth I am not clear on. It
appears as though mod_auth_kerb handles most things and that is
definitely working. However any access against dogtag components is
failing, so dogtag must/should/may be handling auth internally in a
way that is failing.

Anyway, suggestions are still welcome,

- -Erinn

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)

iQEcBAEBAgAGBQJSmPqdAAoJENetaK3v/E7PxzkIAIJ6PbRoyZZBz1JBLP/iD20v
L/Knolw1w9ZVUXlqFjsw8ZmSXZ15d6aSB5FBBM3mFeYK4XH/e3PEKAw3H51uxw/p
3WNQ8UmFH9/RowMwkK91DTMvim6KC7rAReQVJQ9PbMb/6Koyqceaiklf+RauTW79
t0Ls8l+ywk+oF/IeAQqk5ZkCS4gLRLJ8UgO/XkoG9vI755TAO9GGii52MDRmnShI
mB+ojJZaKIKkD3Xe37VmiIw51+XeD98Tkzg9Ytommw7LDoYk4QCeaxa8+0jx2i3/
rlFMUtGW3E9gwLbjTGH6xX62lwqWCvjk6lnCl0oSdH/hmEQX78Sfno3XDltTjXs=
=NEc+
-END PGP SIGNATURE-
