[Freeipa-users] Password issues

2014-03-06 Thread Bret Wortman
Strange behavior now with our passwords (and we still haven't solved
our problem with the "ipa" command, but at least with script, we
have a workaround):

I noticed yesterday morning that my password, which has the
following policy, was going to expire in 3 days so I changed it.

Max lifetime (days) : 0
Min lifetime (hours) : 0
History size (number of passwords): 0
Character classes: 2
Min length: 8
Max failures: 4
Failure reset interval (seconds): 60
Lockout duration (seconds): 60

The IPA web UI immediately began reporting in red that "Your
password expires in -1 days."

This morning, I ran "kinit":

$ kinit
Password for br...@damascusgrp.com:
Password expired. You must change it now.
Enter new password:
Enter it again:
Warning: Your password will expire in less than one hour on
  Thu 06 Mar 2014 06:45:48 AM EST
$

What's up? I'd like to solve this before it bites any of my users,
though most have a policy that looks more like this:

Max lifetime (days) : 180
Min lifetime (hours) : 1
History size (number of passwords): 0
Character classes: 2
Min length: 8
Max failures: 6
Failure reset interval (seconds): 60
Lockout duration (seconds): 600


-- 
  Bret Wortman
  http://damascusgrp.com/
  http://about.me/wortmanbret
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Password issues

2014-03-06 Thread Sumit Bose
On Thu, Mar 06, 2014 at 07:39:15AM -0500, Bret Wortman wrote:
> Strange behavior now with our passwords (and we still haven't solved
> our problem with the "ipa" command, but at least with script, we
> have a workaround):
>
> I noticed yesterday morning that my password, which has the
> following policy, was going to expire in 3 days so I changed it.
>
> Max lifetime (days) : 0

I think the behaviour is expected with this maximal lifetime.

bye,
Sumit



Re: [Freeipa-users] Password issues

2014-03-06 Thread Bret Wortman
Is there a way to set a password to not expire? I thought I read 
somewhere that 0 did that, but apparently not.


On 03/06/2014 07:55 AM, Sumit Bose wrote:
> On Thu, Mar 06, 2014 at 07:39:15AM -0500, Bret Wortman wrote:
>> Max lifetime (days) : 0
>
> I think the behaviour is expected with this maximal lifetime.
>
> bye,
> Sumit

Re: [Freeipa-users] Password issues

2014-03-06 Thread Bret Wortman
Just found with some fresh Googling an email from Rob recommending 
setting the max to 5000. I'll try that.



On 03/06/2014 08:08 AM, Bret Wortman wrote:
> Is there a way to set a password to not expire? I thought I read
> somewhere that 0 did that, but apparently not.
>
> On 03/06/2014 07:55 AM, Sumit Bose wrote:
>> On Thu, Mar 06, 2014 at 07:39:15AM -0500, Bret Wortman wrote:
>>> Max lifetime (days) : 0
>>
>> I think the behaviour is expected with this maximal lifetime.

[Freeipa-users] Propose FreeIPA theses for the next year

2014-03-06 Thread Petr Spacek

Hello,

now it is the right time to propose topics for theses in the next university 
year.

If you know about some interesting area or feature we don't have time to 
implement - propose it!


Current topics are listed on
https://thesis-managementsystem.rhcloud.com/topic/list?filter.categories.id=129

Please change the e-mail subject for the discussion about each topic and start a
sub-thread by replying to this message, so it will be easy to follow just one
thread or so.


--
Petr^2 Spacek



Re: [Freeipa-users] Propose FreeIPA theses: IPA support for sites

2014-03-06 Thread Petr Spacek

On 6.3.2014 14:32, Petr Spacek wrote:
> now it is the right time to propose topics for theses in the next university
> year.


I propose "[RFE] IPA should support and manage DNS sites":
https://fedorahosted.org/freeipa/ticket/2008

It is rotting in the backlog and we are not going to touch it any time soon.

There is a very low amount of 'theory' behind it but IMHO it is complex enough:
- Some theoretical analysis of our proposal sounds like a good idea. We don't
know if it is the best way or not.
- Some testing with various *real* non-SSSD clients will be helpful.
- Analysis of how this can work with DNSSEC will be helpful.
- This feature needs API/CLI/UI design. It is not clear how the workflow
should look, etc.
- Support for roaming clients (in bind-dyndb-ldap) is missing.

The scope can be changed as necessary.

--
Petr^2 Spacek



[Freeipa-users] incompatibility Operative systems

2014-03-06 Thread Juan Antonio
I have a conflict with a configuration of free-ipa.
The problem is an incompatibility between the client operating system,
Fedora 19, and the ipa server with the Red Hat 6.4 operating system.
When executing the command:

ipa add-service cifs/ipaserver.example.com

it generates the error:
ipa: ERROR: Unknown option: no_members

For this reason I would like to know if there is a specific configuration or
patch that solves this problem.

 


[Freeipa-users] scripting ipa commands

2014-03-06 Thread KodaK
Once again, I'm probably missing something that's well documented.  I
promise I searched.

We have a daily termination list that needs to be enforced at 5:00 PM every
day.  I can script it up just fine, but sometimes I like to sneak out early.

I tried to use at, but since I'm logged out when the job runs there's no
ticket and the ipa commands fail.

ex:

echo "sh terminate" | at 5:00 PM Friday

works if I'm logged in with a ticket (terminate contains the ipa command
to disable / delete users.)

Is there some way to automate this?  I can leave a terminal open on a VM as
a work-around, but I'd like to be cleaner if I can.

--Jason

Re: [Freeipa-users] scripting ipa commands

2014-03-06 Thread JR Aquino
If you don't find an answer for doing it -minus- a ticket, here is what I would 
suggest.

Create a service user whose only role permissions give them the ability to
delete users.

Then perform a getkeytab for the user:
ipa-getkeytab -s ipa.example.com -p <user name to export>@EXAMPLE.COM -k /path/to/username.keytab

Then associate the following along with your cron.  I would also recommend a 
kdestroy -after- the task is run.
#!/bin/bash

###
# Auto Kinit
###

# klist -s exits non-zero when the credential cache holds no valid ticket
/usr/kerberos/bin/klist -s
EXITCODE=$?
if [ $EXITCODE != 0 ] ; then
    # discard any stale cache, then obtain a fresh TGT from the keytab
    /usr/kerberos/bin/kdestroy > /dev/null 2>&1
    /usr/kerberos/bin/kinit -F usern...@example.com -k -t /path/to/username.keytab
fi


On Mar 6, 2014, at 8:48 AM, KodaK sako...@gmail.com wrote:

> I tried to use at, but since I'm logged out when the job runs there's no
> ticket and the ipa commands fail.
> [...]
> Is there some way to automate this?  I can leave a terminal open on a VM as a
> work-around, but I'd like to be cleaner if I can.




Re: [Freeipa-users] scripting ipa commands [solved]

2014-03-06 Thread KodaK
That's pretty much exactly what I was looking for.

Thanks JR.

--Jason


On Thu, Mar 6, 2014 at 11:23 AM, JR Aquino jr.aqu...@citrix.com wrote:

> Create a service user whose only role permissions give them the ability to
> delete users.
>
> Then perform a getkeytab for the user:
> [...]
> Then associate the following along with your cron.  I would also recommend
> a kdestroy -after- the task is run.





-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

[Freeipa-users] Patch for ipa-sam: ipa-server-trust-ad samba server valid users =@groupname

2014-03-06 Thread Jason Woods
Hi all,

I am quite aware that installing ipa-server-trust-ad and using the samba as a
file server is as unsupported as one can get... but I really needed a Samba
server integrated with IPA (damn Mac OS and Windows). I don't actually have a
Windows environment but this seemed to bootstrap enough of the requirements to
get it working.

Bit of a story for those who have time to read and maybe battling similar, or
just skip to after the log for the fix+patch :)
* ipaNTSecurityIdentifier ended up missing because I didn't use --setsid and NT
hash missing because I did not do an ipa passwd reset
* As a result, experienced "user not found" or "invalid password", and after debug
level 5 I had about 500M of core dumps (sorry don't have them anymore)
* Ran ipa-adtrust-install again with --setsid and reset some passwords and
things started looking better, could connect, all good, NT hash was there and
ipaNTSecurityIdentifier there (ldapsearch 3)
* Then next problem was when I added "valid users = @groupname" to share
config. No longer could connect even if member of the group!
* Turned out ipaNTGroupAttrs was missing from some groups - thus had to register
the ldif for the ipa-setsid task

Still had problems even after ipa-setsid, and ldapsearch showed all correct.
Here is a snippet from the logs at debug level 10.

 [2014/03/06 15:32:55.658567,  4, pid=28139, effective(0, 0), real(0, 0)] 
 ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2014/03/06 15:32:55.658601,  5, pid=28139, effective(0, 0), real(0, 0)] 
 ../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
 [2014/03/06 15:32:55.658634,  5, pid=28139, effective(0, 0), real(0, 0)] 
 ../source3/auth/token_util.c:528(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
 [2014/03/06 15:32:55.658691,  5, pid=28139, effective(0, 0), real(0, 0)] 
 ../source3/lib/smbldap.c:1249(smbldap_search_ext)
   smbldap_search_ext: base = [dc=local,dc=othermedia,dc=com], filter =
 [(&(ipaNTSecurityIdentifier=S-1-5-21-2563482189-1697247676-1628377611-1005)(|(objectClass=ipaNTGroupAttrs)(objectClass=ipaNTUserAttrs)))],
  scope = [2]
 [2014/03/06 15:32:55.659599, 10, pid=28139, effective(0, 0), real(0, 0)] 
 ipa_sam.c:309(get_single_attribute)
   Attribute [uidNumber] not found.
 [2014/03/06 15:32:55.659667,  1, pid=28139, effective(0, 0), real(0, 0)] 
 ipa_sam.c:717(ldapsam_sid_to_id)
   Could not find uidNumber in 
 cn=filestore_archive,cn=groups,cn=accounts,dc=local,dc=othermedia,dc=com
 [2014/03/06 15:32:55.659716,  4, pid=28139, effective(0, 0), real(0, 0)] 
 ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2014/03/06 15:32:55.659758, 10, pid=28139, effective(0, 0), real(0, 0)] 
 ../source3/passdb/lookup_sid.c:1121(legacy_sid_to_unixid)
   LEGACY: mapping failed for sid 
 S-1-5-21-2563482189-1697247676-1628377611-1005
 [2014/03/06 15:32:55.659796,  4, pid=28139, effective(0, 0), real(0, 0)] 
 ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1


I noticed the "Could not find uidNumber" - turns out ipa-sam was being asked to
turn the SID into an ID and was successfully finding it but needed to work out
whether it was a group or a user. To do this, it searches the objectClass for
"ipaNTGroupAttrs" - if it finds it, it looks for gidNumber, otherwise it looks
for uidNumber. However, the objectClass added by ipa-setsid is "ipantgroupattrs"
and ipa-sam was using strncmp.

I've fixed this with a patch to use strncasecmp. Might not be the best fix...
maybe ipa-sam should be modified to have the attributes lower case for
comparison? But this was the simplest patch. Comments/feedback welcome and maybe
I'll have time to do an alternative fix if that is felt to be better?

Versions:
RHEL 6.4 3.0.0-37
Code in master branch appears to show the same issue

References:
freeipa/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
around line 54-55: lowercase objectClass addition
freeipa/daemons/ipa-sam/ipa_sam.c
around line 688: case sensitive comparison to ipaNTGroupAttrs

Patch for master branch:
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 1ca504d..c5e8b39 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -750,7 +750,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
}
 
for (c = 0; values[c] != NULL; c++) {
-   if (strncmp(LDAP_OBJ_GROUPMAP, values[c]-bv_val,
+   if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]-bv_val,
   values[c]-bv_len) == 0) {
break;
}
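Review bot: the `+` line bounds strncasecmp() by values[c]->bv_len alone, so an objectClass value that is a strict prefix of LDAP_OBJ_GROUPMAP (for instance a 14-character "ipaNTGroupAttr") compares equal and the loop breaks on a non-match; add a whole-token guard ahead of the comparison, e.g. `if (values[c]->bv_len == strlen(LDAP_OBJ_GROUPMAP) && strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val, values[c]->bv_len) == 0) {`. Going case-insensitive is itself correct, since objectClass values only carry objectIdentifierMatch and the sidgen task writes them in lower case. (The `->` operators in this hunk appear as `-` in the archived copy.)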

Patch for RHEL 6.5 3.0.0-37:
--- a/daemons/ipa-sam/ipa_sam.c 2014-03-06 19:30:15.994792879 +
+++ b/daemons/ipa-sam/ipa_sam.c 2014-03-06 19:35:34.966791637 +
@@ -685,7 +685,7 @@
}

for (c = 0; values[c] != NULL; c++) {
-   if 

Re: [Freeipa-users] Patch for ipa-sam: ipa-server-trust-ad samba server valid users =@groupname

2014-03-06 Thread Alexander Bokovoy

On Thu, 06 Mar 2014, Jason Woods wrote:

Hi all,

I am quite aware that installing ipa-server-trust-ad and using the
samba as a file server is as unsupported as one can get... but I really
needed a Samba server integrated with IPA (damn Mac OS and Windows). I
don't actually have a Windows environment but this seemed to bootstrap
enough of the requirements to get it working

Bit of a story for those who have time to read and maybe battling
similiar, or just skip to after the log for the fix+patch :)
* ipaNTSecurityIdentifier ended up missing because I didn't use
--setsid and NT hash missing because I did not do a ipa passwd reset
* As a result, experienced user not found or invalid password, and
after debug level 5 I had about 500M of core dumps (sorry don't have
them anymore)
* Ran ipa-adtrust-install again with --setsid and reset some passwords
and things started looking better, could connect, all good, NT hash was
there and ipaNTSecurityIdentifier there (ldapsearch 3)
* Then next problem was when I added valid users = @groupname to
share config. No longer could connect even if member of the group!
* Turned out ipNTGroupAttr was missing from some groups - thus had to
register the ldif for the ipa-setsid task

For the record, it is ipa-adtrust-install --add-sids and the task is
called sidgen task.


I noticed the Could not find uidNumber - turns out ipa-sam was being
asked to turn SID into ID and was successfully finding it but needed to
work out whether it was a group or a user. To do this, it searches the
objectClass for ipNTGroupAttr - if it finds it, it looks for
gidNumber, otherwise it looks for uidNumber. However, the objectClass
added by ipa-setsid is ipntgroupattr and ipa-sam was using strncmp.

I've fixed this with a patch to use strncasecmp. Might not be the best
fix... maybe ipa-sam should be modified to have the attributes lower
case for comparison? But this was simplest patch. Comments/feedback
welcome and maybe I'll have time to do alternative fix if felt better?

You are absolutely on the spot here, thanks!

Since we are comparing values of the attribute, we are on our own and
cannot rely on attribute name canonicalization here. This means
strncasecmp() is the right tool for the job. I've looked at other options like
using the ber_bvcmp() macro but we really can't guarantee that objectClass
attribute values are in any specific string case because the only
matching rule defined for them is objectIdentifierMatch -- we would have
to turn the value to an OID first and then compare, which is probably too
much for this specific case.



Versions:
RHEL 6.4 3.0.0-37
Code in master branch appears to show the same issue

References:
freeipa/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
around line 54-55: lowercase objectClass addition
freeipa/daemons/ipa-sam/ipa_sam.c
around line 688: case sensitive comparison to ipaNTGroupAttrs

Patch for master branch:
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 1ca504d..c5e8b39 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -750,7 +750,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
}

for (c = 0; values[c] != NULL; c++) {
-   if (strncmp(LDAP_OBJ_GROUPMAP, values[c]-bv_val,
+   if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]-bv_val,
   values[c]-bv_len) == 0) {
break;
}

Patch for RHEL 6.5 3.0.0-37:
--- a/daemons/ipa-sam/ipa_sam.c 2014-03-06 19:30:15.994792879 +
+++ b/daemons/ipa-sam/ipa_sam.c 2014-03-06 19:35:34.966791637 +
@@ -685,7 +685,7 @@
}

for (c = 0; values[c] != NULL; c++) {
-   if (strncmp(LDAP_OBJ_GROUPMAP, values[c]-bv_val,
+   if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]-bv_val,
   values[c]-bv_len) == 0) {
break;
}
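Review bot: this 3.0.0-37 backport carries the same comparison as the master hunk, bounded only by values[c]->bv_len on the `+` line, so a value that is a strict prefix of LDAP_OBJ_GROUPMAP still matches; add the `values[c]->bv_len == strlen(LDAP_OBJ_GROUPMAP) &&` guard here as well so the two branches stay in step.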


This is a valid bug. Could you please raise it in bugzilla.redhat.com or,
alternatively, at FreeIPA's trac?

--
/ Alexander Bokovoy



Re: [Freeipa-users] Using external KDC

2014-03-06 Thread Dmitri Pal

On 03/05/2014 06:24 PM, Trey Dockendorf wrote:

Correction from my email, the condition that sets if a 389DS user is
proxied to pam_krb5 is the pamFilter, sorry.

On Wed, Mar 5, 2014 at 5:22 PM, Trey Dockendorftreyd...@gmail.com  wrote:

On Mon, Mar 3, 2014 at 7:29 PM, Dmitri Pald...@redhat.com  wrote:

On 03/03/2014 07:47 PM, Simo Sorce wrote:

On Mon, 2014-03-03 at 18:42 -0600, Trey Dockendorf wrote:

Is it possible with FreeIPA to use an external KDC or pass some or all
authentication to an external KDC?  The KDC at our University may give
me a one way trust if I describe my implementation plan for FreeIPA.
Currently I use 389DS with PAM pass through using untrusted pam_krb5.
I'd like to fully utilize FreeIPA without managing passwords since all
my users already have University accounts.  I just want to manage
authorization for my systems, not authentication.

You could set up a kerberos trust manually but at the moment we do not
support it in the code or the utilities.

SSSD in particular will have no place to find identity information if
all you have is a kerberos trust, you'd need also an external identity
store to point to, but there is no builtin code in SSSD to link the 2
domain at this point.

We are planning on working on IPA-to-IPA trust, and possibly
IPA-to-*other* so any requirements you can throw at us will be made part
of the consideration and planning to add this kind of functionality in
the future.

NM B HTH,
Simo.


Can you describe your workflows because I have some idea in mind?

Right now the workflow I have with 389ds using PAM Pass Through Auth
is the following:

For users with the proper attribute defined in 'pamIDAttr'

client ---> 389DS ---> 389DS server's pam_krb5 ---> Campus KDC

For users lacking the attribute for 'pamIDAttr'

client ---> 389DS

The Kerberos setup currently on the 389DS server is untrusted (no krb5.keytab).

The ideal workflow with FreeIPA would be

client ---> IPA ---> Campus KDC


Would you be OK if your accounts would be in IPA but the authentication
would be proxied out?

This is fine with me.  Does the idea you describe allow for some
authentication (ie system accounts or internal accounts) to be handled
by FreeIPA?  That's the benefit to us when using PAM Pass Through
Auth, is that we can conditionally proxy out the authentication.


The idea is that you can use OTP RADIUS capability to proxy passwords to
your main KDC.

client ---OTP---> IPA ---> OTP Proxy ---> RADIUS ---> Your KDC

Disclaimer: that would defeat the purpose of Kerberos and the password will
be sent over the wire but it seems that you are already in this setup.

Would you be interested to give it a try?

Absolutely.  Right now I need to contact our campus IT group and let
them know what I require to make our setup work.  I have been told a
one way trust is the most I can get.  Will that facilitate what you
described?


You do not need trust for that setup. Any user account (I am not sure
about special system accounts that are not created in cn=users) would be
able to go to an external RADIUS server.
Would require latest SSSD and kerberos library on the client though but
would work with LDAP binds too.

Latest SSSD and Kerberos that's available in EL6, or latest upstream?


Upstream.

Please take a look at the design page: 
http://www.freeipa.org/page/V3/OTP - that will give you an idea about 
the internals.


Latest upstream UI should be able to allow to configure external RADIUS 
servers and then change per user policy to proxy via RADIUS. Then you 
can try binding with LDAP to IPA using password from your main KDC.
Then you can use SSSD on the same system to try to authenticate using 
Kerberos. You will create a new user, set him to use RADIUS server for 
authentication and then try to su to this user or ssh into the box as 
that user. It should work and klist should report a TGT for this user on 
the box.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Password issues

2014-03-06 Thread Dmitri Pal

On 03/06/2014 08:10 AM, Bret Wortman wrote:
> Just found with some fresh Googling an email from Rob recommending
> setting the max to 5000. I'll try that.


Just make sure it is not after 2038 because Kerberos uses 32 bit time 
that rolls over in Feb of 2038.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



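Added example, not FreeIPA code, for Dmitri's 2038 caveat: it checks a candidate "Max lifetime (days)" value against the signed 32-bit Kerberos timestamp limit (2^31-1 seconds after the epoch, 2038-01-19 UTC) and shows what a 0-day lifetime yields. The password set time is a constructed epoch value for 2014-03-06 UTC, the day of the thread, and the function names are this example's own.

```c
/*
 * Validate a password-policy maximum lifetime against the 32-bit Kerberos
 * timestamp before applying it.  Stand-alone model, not FreeIPA code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Largest value a signed 32-bit Kerberos timestamp can hold:
 * 2038-01-19 03:14:07 UTC. */
#define KRB_TIME_MAX ((int64_t)INT32_MAX)

/* Constructed set time used throughout: 2014-03-06 00:00:00 UTC
 * (16135 days since 1970-01-01). */
#define SET_AT_2014_03_06 ((int64_t)1394064000)

/* Expiry computed in 64 bits so an overflow of the 32-bit field is
 * visible rather than silently wrapped. */
static int64_t expiry_epoch(int64_t set_at, long max_life_days)
{
    return set_at + (int64_t)max_life_days * 86400;
}

/* true when the expiry still fits the Kerberos 32-bit timestamp. */
static bool lifetime_fits_krb_time(int64_t set_at, long max_life_days)
{
    return expiry_epoch(set_at, max_life_days) <= KRB_TIME_MAX;
}

/* Largest number of whole days that still fits, for a given set time. */
static long max_safe_lifetime_days(int64_t set_at)
{
    return (long)((KRB_TIME_MAX - set_at) / 86400);
}

/* A lifetime of 0 days puts the expiry at the set time itself, so the
 * password is expired the moment it is changed: the "-1 days" and
 * "Password expired" behaviour reported in the thread. */
static bool expired_at(int64_t set_at, long max_life_days, int64_t now)
{
    return expiry_epoch(set_at, max_life_days) <= now;
}

int main(void)
{
    const long candidates[] = { 0, 180, 5000 };   /* values from the thread */
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        long d = candidates[i];
        printf("max life %5ld days: expiry %lld, fits 32-bit krb time: %s\n",
               d, (long long)expiry_epoch(SET_AT_2014_03_06, d),
               lifetime_fits_krb_time(SET_AT_2014_03_06, d) ? "yes" : "no");
    }
    printf("largest safe value from 2014-03-06: %ld days\n",
           max_safe_lifetime_days(SET_AT_2014_03_06));
    printf("0-day policy already expired at set time: %s\n",
           expired_at(SET_AT_2014_03_06, 0, SET_AT_2014_03_06) ? "yes" : "no");
    return 0;
}
```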

Re: [Freeipa-users] Password issues

2014-03-06 Thread Bret Wortman
In 26 years, I guarantee this will be someone else's problem. 


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

> On Mar 6, 2014, at 8:25 PM, Dmitri Pal d...@redhat.com wrote:
>
> Just make sure it is not after 2038 because Kerberos uses 32 bit time that
> rolls over in Feb of 2038.

