Re: [Freeipa-users] interesting Kerberos issue
On 5/5/15 6:47 AM, Dmitri Pal wrote:
> On 05/04/2015 09:38 PM, Janelle wrote:
>> On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
>>> On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>>>> Happy Star Wars Day! May the Fourth be with you!
>>>>
>>>> So I have a strange Kerberos problem I am trying to figure out. On a CLIENT (CentOS 7.1), if I login to account usera they get a ticket as expected. However, if I login to a 6.6 client, it doesn't seem to work. Both were enrolled the same, obviously one is newer.
>>>>
>>>> Now, it gets stranger. The servers are CentOS 7.1 also. If I login as root, bypassing Kerberos, and then do kinit admin it works just fine. But if I do kinit usera I get:
>>>>
>>>> kinit: Generic preauthentication failure while getting initial credentials
>>>>
>>>> Which makes no sense. The account works with a 7.1 client but not a 6.x client?? And yet admin works, no matter what. What am I missing here?
>>>
>>> If I had to guess, usera is enabled for OTP-only login. Is that correct? If so, clients require RHEL 7.1 for OTP support. Also, the error you are getting is the result of not enabling FAST support for OTP authentication (see the -T option).
>>>
>>> Nathaniel
>>
>> Ok, this did give me an idea (Thanks Nathaniel) -- the account was set for BOTH password and OTP. Apparently setting both does nothing. Yes, a user can login with their password only, but trying to use kinit does not work.
>>
>> I am not sure I understand where the FAST support or the -T option is to be applied. On kinit? That does not seem correct. Perhaps I am misunderstanding this option?
>>
>> ~J
>
> If the user is enabled for OTP, his credentials are sent differently than in the case when it is not enabled. Effectively, instead of using an encrypted timestamp, the password and OTP are sent to the server as data. But they can't be sent in clear. You need to encrypt the data. To encrypt it you need another key - the host key. The encryption of the data in this context is called tunneling. FAST is the Kerberos protocol feature to provide tunneling of the data sent over the wire.
>
> To use FAST one needs to use -T on the kinit command line. Does this help?

It helps -- thank you. Now allow me to add a little more fun, and there may not be a solution.

From OS X (Yosemite) I am able to kinit --kdc-hostname=IPA-server principal and it works, gives me a ticket, and if I attempt to login to the web interface, since I already have my ticket - boom, works fine.

Now, I enable 2FA and setup a token and change my account to OTP (with TOTP). But as previously discussed, can't seem to specify a -T option from OS X. I know this sounds tricky -- Any ideas?

Thank you
Janelle

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
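The FAST armoring that Nathaniel and Dmitri describe, written out as a small script. This is an added example, not code from the thread or from the FreeIPA project; it assumes MIT Kerberos kinit on an IPA-enrolled client, so that /etc/krb5.keytab holds the host principal whose ticket serves as the armor.

```shell
#!/bin/sh
# Added example (not from the thread): kinit for an OTP-enabled FreeIPA user
# with FAST armor, which is what the -T option in the discussion refers to.
# Assumptions not stated in the thread: MIT Kerberos kinit on an IPA-enrolled
# client, so /etc/krb5.keytab holds the host principal used as armor.
set -eu

# Step 1: obtain the host ticket into a separate "armor" credential cache.
# With -k and no principal, MIT kinit uses host/<fqdn>@REALM from the keytab.
armor_kinit() {
    keytab=$1
    armor_ccache=$2
    kinit -k -t "$keytab" -c "$armor_ccache"
}

# Step 2: authenticate the user inside the FAST tunnel armored by that ticket.
# Without -T the OTP data cannot be tunneled and MIT kinit reports
# "Generic preauthentication failure while getting initial credentials".
fast_kinit() {
    principal=$1
    armor_ccache=$2
    kinit -T "$armor_ccache" "$principal"
}

# Both steps together. The armor cache is a throwaway: it is removed whether
# or not the user's kinit succeeds, and the user's exit status is preserved.
otp_login() {
    principal=$1
    keytab=${2:-/etc/krb5.keytab}
    armor_ccache=$(mktemp "${TMPDIR:-/tmp}/armor.XXXXXX")
    armor_kinit "$keytab" "$armor_ccache"
    rc=0
    fast_kinit "$principal" "$armor_ccache" || rc=$?
    rm -f "$armor_ccache"
    return $rc
}

# Usage: ./fast-kinit.sh usera [keytab]
if [ $# -gt 0 ]; then
    otp_login "$@"
fi
```

The user's ticket lands in the default credential cache, as with a plain kinit; only the armor ticket lives in the temporary cache. The same two-cache arrangement is what a RHEL 6 client lacks, since its kinit and SSSD have no OTP-over-FAST support, which matches the 7.1-versus-6.6 behaviour described above.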
Re: [Freeipa-users] Removing REALM requirement and home directory location
On Wed, May 06, 2015 at 06:53:49PM, Redmond, Stacy wrote:
> That's great, I got it all working, perhaps you can answer one last question, although not sure this is going to be fixable or not. Any way to get rid of the realm when using id, as you can see below, kinda messy.
>
> [root@linuxtest1 home]# su - aduser1
> -sh-4.1$ id
> uid=1989603105(aduser1@sbx.local) gid=1989603105(aduser1@sbx.local) groups=1989603105(aduser1@sbx.local)
> -sh-4.1$ pwd
> /home/aduser1
> -sh-4.1$ ls -l /home/
> total 4
> drwxr-xr-x 2 aduser1@sbx.local aduser1@sbx.local 4096 May  5 09:38 aduser1
> -sh-4.1$

On the clients you may experiment with default_domain_suffix and setting the full_name_format to just %1$s, but on the server, this format is mandatory. The extdom plugin is only able to parse input in the name@domain form.
Re: [Freeipa-users] External DNS
On Thu, May 07, 2015 at 01:07:58PM -0400, Dmitri Pal wrote:
> On 05/07/2015 04:37 AM, Petr Spacek wrote:
>> On 7.5.2015 09:31, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> One of the nice FreeIPA features is a host will be added to DNS automatically when the client is installed. However, in some situations using another, external, DNS server is preferred. Now, this is possible but hosts have to be added manually to this other DNS server. Is it possible to handle DNS records by IPA on an external DNS server? Any future plans for this?
>>
>> This automatic update is handled by SSSD and uses the standard DNS update protocol. I.e. it should work as long as your 'external' DNS server is configured to accept updates from clients.
>
> This is the update, not the creation. Will the update create both A/ and PTR records?

It should also create the record (although I haven't tested right now).

SSSD would so far only create the address family that is used to connect to the server. We have an RFE open to update both:
https://fedorahosted.org/sssd/ticket/2120
and also update the address on startup, not on going offline, which might be too late in some cases:
https://fedorahosted.org/sssd/ticket/1926

But what I see as a potentially more important blocker is that SSSD always uses the GSSAPI credentials of the joined realm. If the external DNS server requires different authentication, the update wouldn't succeed.

> I thought that it will just update the IP but not create these records. If I am correct then the question is valid and we need to have a way to create entries in an external data store. Sounds like another use case for the notification system. And for that we do not have firm plans yet, but we are collecting the use cases to justify the effort.
>
> Martin, do you think it is worth opening a ticket?
>
>> Please refer to the documentation of your DNS server for further information and let us know if you encounter some problem.
>>
>> Have a nice day!
>
> -- 
> Thank you,
> Dmitri Pal
>
> Director of Engineering for IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] freeipa-samba integration and windows clients
On Thu, May 07, 2015 at 03:30:06PM +0100, Dylan Evans wrote:
> By coincidence I posted a very similar question yesterday - https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.
>
> +1 for the necessary support for out-of-domain Windows clients and NTLMSSP. Is there a time-table for this?

It is a nice-to-have feature for the next SSSD version (1.13, this summer), but my hopes are not high that we're going to make it. I think 1.14 is more realistic.
Re: [Freeipa-users] External DNS
On Sun, May 10, 2015 at 06:53:47PM +0200, Jakub Hrozek wrote:
> SSSD would so far only create the address family that is used to connect to the server. We have an RFE open to update both:
> https://fedorahosted.org/sssd/ticket/2120
> and also update the address on startup, not on going offline, which
                                                  ~

Should be going online of course..

> might be too late in some cases:
> https://fedorahosted.org/sssd/ticket/1926