Re: [Freeipa-users] Woes adding a samba server to the ipa domain
On 10/20/2014 09:15 AM, Loris Santamaria wrote:
> [...]

Do I get it right that you are really looking for https://fedorahosted.org/sssd/ticket/1588 that was just released upstream?

It would be cool if you can try using SSSD 1.12.1 under Samba FS in the use case you have and provide feedback on how it works for you. AFAIU you install Samba FS and then use ipa-client to configure SSSD under it, and it should work. If not, we probably should document it (but I do not see any special design page, which leads me to the above expectation).

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] Woes adding a samba server to the ipa domain
Hi all,

I wanted to install a samba server (or more precisely a winbind server for pptp authentication) in an IPA domain which trusts an AD domain. I know that this configuration is not supported, but since it works with plain samba or samba+ldap I wanted to give it a shot to see how far one could get.

First step, added a group for Domain Computers in ipa, with SID S-1--515:

dn: cn=domaincomputers,cn=groups,cn=accounts,YYY
ipaNTSecurityIdentifier: S-1-5-21-XX-515
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: domaincomputers
description: domain computers
ipaUniqueID: 5916daa0-57cd-11e4-a15b-000d3a7004fb
gidNumber: 1870500500

Second step, added posix attributes to the ipa host object where samba would be installed, added SID information, and made it a member of the domain computers group:

dn: fqdn=gcentralproxy.,cn=computers,cn=accounts,
displayName: gcentralproxy
sn: proxy
givenName: gcentral
gecos: gcentralproxy
uidNumber: 1870400015
gidNumber: 1870500500
homeDirectory: /dev/null
loginShell: /sbin/nologin
uid: gcentralproxy$
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
cn: gcentralproxy.cosmeticosgenesis.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
objectClass: ipantuserattrs
objectClass: posixAccount
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
fqdn: gcentralproxy.Y
krbPrincipalName: host/gcentralproxy.cosmeticosgenesis.com@
serverHostName: gcentralproxy

Third step, I added a cifs service for the host in ipa, and exported the keytab on the samba server.

Fourth step, added a simple samba configuration file on the future samba server:

[global]
workgroup =
realm =
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
max log size = 10
security = domain

Trying to join the server to the domain (net rpc join -U domainadmin -S ipaserver) fails, and it causes a samba crash on the ipa server. Investigating the cause of the crash I found that pdbedit crashes as well (backtrace attached). I couldn't get a meaningful backtrace from the samba crash; however, I attached it as well.

Seems to me that the samba ipasam backend on ipa doesn't like something in the host or the "domain computers" group object in ldap, but I cannot see what could be the problem. Perhaps someone more familiar with the ipasam code can spot it quickly.

Best regards

--
Loris Santamaria
linux user #70506
xmpp:lo...@lgs.com.ve
Links Global Services, C.A.
http://www.lgs.com.ve
Tel: 0286 952.06.87
Cel: 0414 095.00.10
sip:1...@lgs.com.ve
"If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford

[New LWP 2559]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Failed to read a valid object file image from memory.
Core was generated by `/usr/sbin/smbd'.
Program terminated with signal 6, Aborted.
#0  0x7fe01c9f15c9 in __GI_raise (sig=6, sig@entry=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);

Core was generated by `pdbedit -L gcentralproxy$'.
Program terminated with signal 11, Segmentation fault.
#0  0x7faea177db5b in _IO_vfprintf_internal (s=s@entry=0x74db20d0, format=, format@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x74db2260) at vfprintf.c:1635
1635      process_string_arg (((struct printf_spec *) NULL));
(gdb) bt
#0  0x7faea177db5b in _IO_vfprintf_internal (s=s@entry=0x74db20d0, format=, format@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x74db2260) at vfprintf.c:1635
#1  0x7faea18401b5 in ___vsnprintf_chk (s=s@entry=0x74db225f "", maxlen=, maxlen@entry=1, flags=flags@entry=1, slen=slen@entry=1, format=format@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", args=args@entry=0x74db2260) at vsnprintf_chk.c:63
#2  0x7faea1d055c5 in vsnprintf (__ap=0x74db2260, __fmt=, __n=1, __s=0x74db225f "") at /usr/include/bits/stdio2.h:77
#3  talloc_vasprintf (t=t@entry=0x0, fmt=fmt@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x74db22c0) at ../talloc.c:2223
#4  0x7faea1d02c89 in talloc_log (fmt=fmt@entry=0x7faea1d09718 "talloc: access after free error - first fre
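The two objects above carry the pieces a pdb backend has to reconcile: the group's well-known RID 515, a host SID issued from the same domain, the `$`-suffixed machine account uid and the shared gidNumber. The following Python is an added example (not from the thread, and not FreeIPA or ipasam code) that parses constructed LDIF entries modelled on the ones in the post and checks those invariants before such objects are handed to Samba; the group's domain SID prefix and the base DN are redacted in the post, so the sample fills them with the host's prefix and a placeholder suffix, which is an assumption.

```python
import re
# Constructed LDIF entries modelled on the post; the group's domain SID prefix
# and the base DN are redacted on the list, so the host's prefix and a
# placeholder suffix are assumed here.
GROUP_LDIF = """dn: cn=domaincomputers,cn=groups,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-515
objectClass: posixgroup
cn: domaincomputers
gidNumber: 1870500500
"""
HOST_LDIF = """dn: fqdn=gcentralproxy.example.test,cn=computers,cn=accounts,dc=example,dc=test
uid: gcentralproxy$
uidNumber: 1870400015
gidNumber: 1870500500
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
objectClass: posixAccount
"""
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")
DOMAIN_COMPUTERS_RID = 515   # well-known RID of "Domain Computers"

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; multi-valued attrs kept."""
    entry = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            entry.setdefault(key.strip(), []).append(value.strip())
    return entry

def split_sid(sid):
    """Return (domain part, RID) of an S-1-5-21-... SID or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return "-".join(m.groups()[:3]), int(m.group(4))

def check_machine_account(group, host):
    """Return a list of inconsistencies; an empty list means all checks pass."""
    problems = []
    g_dom, g_rid = split_sid(group["ipaNTSecurityIdentifier"][0])
    h_dom, h_rid = split_sid(host["ipaNTSecurityIdentifier"][0])
    if g_rid != DOMAIN_COMPUTERS_RID:
        problems.append("group RID %d is not the Domain Computers RID 515" % g_rid)
    if g_dom != h_dom:
        problems.append("host SID is not in the same domain as the group SID")
    if not host["uid"][0].endswith("$"):
        problems.append("machine account uid must end with '$'")
    if host["gidNumber"] != group["gidNumber"]:
        problems.append("host gidNumber differs from the Domain Computers gidNumber")
    return problems
```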
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
OK, Lukas, I did as you say:
1) reset my pam.d -> login to its default state;
2) added to my pam.d -> system: "account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail";
3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.

Now I cannot log in locally as either root or an IPA user. Seems like we built our SSSDs differently or from different ports. Would you be so kind as to share info about your choices when building SSSD?

You're right, I'm a newbie in FreeIPA setups. But I've worked with the pam stack before, when configuring OpenLDAP on servers. That knowledge of pam let me solve the problem of local logins with sssd by adding the appropriate line in pam.d -> login instead of pam.d -> system. This setup works fine for me; the other setup, which you and the FreeBSD forums propose, doesn't work. Did you check everything on a blank FreeBSD 10 setup?

There are indeed nuances that the post at the FreeBSD forums didn't address:
1) what choices should be made when building SSSD and other ports - VERY IMPORTANT, but missing information;
2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to work;
3) how krb5.conf should be configured on a FreeBSD client;
4) how SSH files should be configured on a FreeBSD client for single sign-on to behave properly (GSS-API part);
5) how the cron script file's executability, the IPA user's shell and automatic creation of home directories should be considered - there are some caveats for newbies;
6) why a user can't initially SSH or locally log in to a FreeBSD client even with correct configuration files (password change problem);
7) how to set up SSSD so that it doesn't cache information too long (this is not what we always want, right?).

In short: the person who posted the info on FreeBSD - FreeIPA integration at the FreeBSD forums shared a lot of info, but at the same time he didn't share other very important pieces of information, and this can cause great frustration to people trying to follow his post.

And although you recommend me not to share my experience of setting up FreeBSD - FreeIPA integration, I just want people to get a REALLY WORKING HowTo. I've already tested HBAC, centralized sudo and other things in my setup, and everything is working fine. So in the near future I plan to make a REAL, DETAILED HowTo on this subject, and I think that at least some pieces of information in it will help people avoid a great deal of frustration.

20-Oct-14 13:01, Lukas Slebodnik wrote:
> [...]
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (19/10/14 08:45), Orkhan Gasimov wrote:
> 2. About my pam.d files - please read carefully my previous posts.
> I commented out the line in pam.d -> system and added it explicitly to
You didn't have "account required /usr/local/lib/pam_sss.so ignore_unknown_user" in pam.d/system. The line is commented out, but there *IS NOT* the argument ignore_unknown_user.

The howto on the FreeBSD forum[1] has the argument ignore_unknown_user on the lines starting with "account" in both pam configuration files (system, sshd).

> pam.d -> login because otherwise I get locked out from the machine. I sent
I didn't touch "pam.d/login". I put "account .. pam_sss.so ignore_unknown_user" into "pam.d/system" (the same as in [1]) and I can log in as an sssd user and a local user.

I know that pam configuration isn't the easiest thing for newbies, but your post will be even more confusing for others. Please do not give advice if you do not understand where the problem is and why it works with that change.

> you the WORKING configuration and not the one which was recommended at
> FreeBSD posts (and also by you). And yes, in pam.d -> system there's no
> "ignore bla bla bla part" because in that file the line
> "account required /usr/local/lib/pam_sss.so" just doesn't work, with or
> without that part.
I don't know what you did wrong, but it *works* with the argument ignore_unknown_user.

How did you test?

LS
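The disagreement above turns on what the ignore_unknown_user and ignore_authinfo_unavail arguments change in the account phase: per pam_sss(8) they make pam_sss return PAM_IGNORE for a user SSSD does not know, or when SSSD is unreachable, instead of a failure that a "required" line turns into a locked-out account. This Python is an added illustration (not from the thread, not sssd or OpenPAM code) that models an account stack of pam_unix followed by pam_sss with OpenPAM semantics for required/requisite/sufficient and evaluates the howto's line with and without the arguments; the user sets and the two-module stack are constructed for the example.

```python
PAM_SUCCESS, PAM_IGNORE = "PAM_SUCCESS", "PAM_IGNORE"
PAM_USER_UNKNOWN, PAM_AUTHINFO_UNAVAIL = "PAM_USER_UNKNOWN", "PAM_AUTHINFO_UNAVAIL"

LOCAL_USERS = {"root"}      # constructed: accounts in /etc/passwd
SSSD_USERS = {"ipauser"}    # constructed: accounts SSSD serves from FreeIPA

def pam_unix_account(user, args, sssd_up):
    """pam_unix looks the user up through nsswitch (files, then sss)."""
    known = user in LOCAL_USERS or (sssd_up and user in SSSD_USERS)
    return PAM_SUCCESS if known else PAM_USER_UNKNOWN

def pam_sss_account(user, args, sssd_up):
    """pam_sss.so account phase as described in pam_sss(8)."""
    if not sssd_up:
        return PAM_IGNORE if "ignore_authinfo_unavail" in args else PAM_AUTHINFO_UNAVAIL
    if user not in SSSD_USERS:
        return PAM_IGNORE if "ignore_unknown_user" in args else PAM_USER_UNKNOWN
    return PAM_SUCCESS

MODULES = {"pam_unix.so": pam_unix_account, "pam_sss.so": pam_sss_account}

def parse_account_stack(text):
    """Keep the 'account <control> <module> [args...]' lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "account":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return stack

def account_ok(stack, user, sssd_up=True):
    """Evaluate the account stack; True when PAM would accept the account."""
    failed = False
    for control, module, args in stack:
        rc = MODULES[module](user, args, sssd_up)
        if rc == PAM_IGNORE:            # treated as if the line were absent
            continue
        if control == "sufficient" and rc == PAM_SUCCESS and not failed:
            return True
        if control == "requisite" and rc != PAM_SUCCESS:
            return False
        if control == "required" and rc != PAM_SUCCESS:
            failed = True               # stack keeps running, result is failure
    return not failed

# The two variants discussed in the thread (the pam_unix line is constructed)
WITHOUT_ARGS = """account required pam_unix.so
account required /usr/local/lib/pam_sss.so"""
WITH_ARGS = """account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail"""
```

With the arguments, pam_sss returns PAM_IGNORE for root and the required line no longer fails the stack; without them, the local account fails the account phase even though pam_unix accepted it, and an unreachable SSSD locks root out as well.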