Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Lukas Slebodnik
On (31/07/15 18:15), Matt . wrote:
>Hi Lucas,
>
>Thank you for this reply.
>
>In this case it simply should work as it should by creating the
>symlinks, or are there other issues we might get?
>
1st problem: the current samba version of libwbclient needs to be moved to another
place.

2nd problem: manually created symbolic links will be broken with the next
update of sssd or samba (e.g. a security update)

3rd problem: such changes might cause trouble for other applications;
they need to be carefully tested (which they are not on Ubuntu)


LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Matt .
Hi Lucas,

Thank you for this reply.

In this case it simply should work as it should by creating the
symlinks, or are there other issues we might get?

Thanks,

Matt

2015-07-31 17:21 GMT+02:00 Lukas Slebodnik :
> On (31/07/15 16:03), Matt . wrote:
>>Hi Guys,
>>
>>I'm really struggling getting a NON AD Samba server authing against a
>>FreeIPA server:
>>
>>Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
>>CentOS 7.1 -> FreeIPA 4.1
>>
>>Now this seems to be the way:
>>
>>https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
> As you can see this howto is mainly written for rpm based distributions.
> The most important difference between sssd 1.12.5 for ubuntu[1]
> and sssd >= 1.12 in fedora[2] is packaging of sssd-libwbclient.
>
> sssd-libwbclient and libwbclient(from samba) use alternatives
> to switch between these libraries.
>
>
> Ubuntu 14.04
> root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/libwbclient*
> lrwxrwxrwx. 1 root root 19 Jul  1 15:38
> /usr/lib/x86_64-linux-gnu/libwbclient.so.0 -> libwbclient.so.0.11
> -rw-r--r--. 1 root root 43216 Jul  1 15:38
> /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
>
> root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient*
> lrwxrwxrwx. 1 root root 21 Jun 15 18:14
> /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0 ->
> libwbclient.so.0.12.0
> -rw-r--r--. 1 root root 30800 Jun 15 18:14
> /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0
>
>
> Fedora 21
> bash-4.3# alternatives --display libwbclient.so.0.11-64
> libwbclient.so.0.11-64 - status is auto.
>  link currently points to /usr/lib64/samba/wbclient/libwbclient.so.0.11
> /usr/lib64/samba/wbclient/libwbclient.so.0.11 - priority 10
> /usr/lib64/sssd/modules/libwbclient.so.0.12.0 - priority 5
> Current `best' version is /usr/lib64/samba/wbclient/libwbclient.so.0.11.
>
>
> So if you want to use this howto on ubuntu then you need to create
> symbolic links on your own.
>
>
> Feel free to update the Howto page with additional information
> if you manage to solve it on ubuntu.
>
> LS
>
> [1] https://launchpad.net/~sssd/+archive/ubuntu/updates
> [2] https://admin.fedoraproject.org/updates/sssd



Re: [Freeipa-users] Setting up Active Directory trusts in a secure environment

2015-07-31 Thread Dan Mossor

On 07/31/2015 10:08 AM, Sumit Bose wrote:

On Fri, Jul 31, 2015 at 09:23:53AM -0500, Dan Mossor wrote:

On 07/31/2015 02:52 AM, Sumit Bose wrote:


Thank you for the detailed analysis. I guess the 'server was
inaccessible' error is due to the fact that currently FreeIPA does not
have a global catalog, because Windows typically tries to get SIDs from
remote objects from the Global Catalog.



So, to those of y'all that operate in secure environments, what trick do you
use to fully integrate IPA and Active Directory?


With FreeIPA-4.2 the one-way trust feature is introduced. The main
difference to the current scheme is that with one-way trust the FreeIPA
server does not use its host credentials (host keytab) from the IPA
domain to access the AD DC but uses the trusted domain user
(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
the AD domain it should be possible to assign the needed permissions to
this object.

Currently I have no idea how this can be solved with older versions.
Maybe there is a tool on the Windows side which lets you add SIDs
manually into the "Access this computer from the network" policy? If
there is one you can try to add IPA-SID-515 (where you have to replace
IPA-SID by the IPA domain SID).

HTH

bye,
Sumit



I didn't think the SID was even being evaluated - the authentication being
attempted was through Kerberos, which I understand only uses host keytabs,
not SIDs. Am I correct in this situation?


yes and no :-) The keytab is used to get a TGT and then a cross-realm
TGT from the IPA KDC. The IPA KDC will add a PAC to the TGTs which
contains additional authorization data including SIDs. The PAC is then
used on the Windows side to evaluate if access is granted or not.

bye,
Sumit



Building on what you said regarding the one-way trust, I already have an 
IPA user in Active Directory that I created when I was initially setting 
this up as a synchronized domain instead of a trust.


There are two ways I can go here - I can either revert back to the 
password sync and replication, or somehow convince IPA to use that user 
for the trust relationship. I suspect it will impossible without a patch 
to use a user account instead of Kerberos for the trust, so that leaves 
going back to the replication setup.


Our ultimate goal in the environment is single sign on - when our users 
log into their Windows 7 workstations, they shouldn't then have to log 
into the chat server, the wiki, and mercurial; all those extra services 
running on Linux should be able to accept the Active Directory credentials.


One final option I have, since this is a very small network, is to just 
join my Linux servers to the Active Directory domain, and not use the 
FreeIPA intermediary.


--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Lukas Slebodnik
On (31/07/15 16:03), Matt . wrote:
>Hi Guys,
>
>I'm really struggling getting a NON AD Samba server authing against a
>FreeIPA server:
>
>Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
>CentOS 7.1 -> FreeIPA 4.1
>
>Now this seems to be the way:
>
>https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
As you can see this howto is mainly written for rpm based distributions.
The most important difference between sssd 1.12.5 for ubuntu[1]
and sssd >= 1.12 in fedora[2] is packaging of sssd-libwbclient.

sssd-libwbclient and libwbclient(from samba) use alternatives
to switch between these libraries.


Ubuntu 14.04
root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/libwbclient*
lrwxrwxrwx. 1 root root 19 Jul  1 15:38
/usr/lib/x86_64-linux-gnu/libwbclient.so.0 -> libwbclient.so.0.11
-rw-r--r--. 1 root root 43216 Jul  1 15:38
/usr/lib/x86_64-linux-gnu/libwbclient.so.0.11

root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient*
lrwxrwxrwx. 1 root root 21 Jun 15 18:14
/usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0 ->
libwbclient.so.0.12.0
-rw-r--r--. 1 root root 30800 Jun 15 18:14
/usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0


Fedora 21
bash-4.3# alternatives --display libwbclient.so.0.11-64
libwbclient.so.0.11-64 - status is auto.
 link currently points to /usr/lib64/samba/wbclient/libwbclient.so.0.11
/usr/lib64/samba/wbclient/libwbclient.so.0.11 - priority 10
/usr/lib64/sssd/modules/libwbclient.so.0.12.0 - priority 5
Current `best' version is /usr/lib64/samba/wbclient/libwbclient.so.0.11.


So if you want to use this howto on ubuntu then you need to create
symbolic links on your own.


Feel free to update the Howto page with additional information
if you manage to solve it on ubuntu.

LS

[1] https://launchpad.net/~sssd/+archive/ubuntu/updates
[2] https://admin.fedoraproject.org/updates/sssd

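Added example (not from the thread, the howto, sssd or samba): a small Python check that reports which libwbclient a `libwbclient.so.0` path actually resolves to, and flags the case Lukas describes in his follow-up, a hand-made symlink left dangling after a package update. It rebuilds the Ubuntu 14.04 layout from the listing above inside a temporary directory; the three scenarios (packaged samba link, manual link to sssd's copy, manual link after sssd's file has disappeared) are constructed and no real system path is touched.

```python
"""Report which libwbclient a symlink resolves to and catch a dangling link.

Added example, not from the thread, the howto or either project. The
directory tree is constructed under a temporary directory and mirrors the
Ubuntu 14.04 listing in the thread."""
import os
import tempfile


def resolve_wbclient(link_path):
    """Classify a libwbclient.so.0 path.

    Returns (status, resolved_target) where status is one of:
      "sssd"        resolves to a file under an sssd/modules directory
      "samba"       resolves to a file elsewhere (samba's own libwbclient)
      "dangling"    the link chain ends at a path that no longer exists
      "not-a-link"  a regular file, i.e. no alternative/symlink is in place
    """
    if not os.path.islink(link_path):
        return "not-a-link", link_path
    target = os.path.realpath(link_path)
    if not os.path.exists(target):
        return "dangling", target
    if "/sssd/modules/" in target:
        return "sssd", target
    return "samba", target


def build_layout(root, link_to="sssd", sssd_present=True):
    """Construct the thread's Ubuntu layout under root (constructed data).

    link_to selects what usr/lib/x86_64-linux-gnu/libwbclient.so.0 points at:
    "samba" is the packaged state, "sssd" is the manual symlink the howto
    needs. sssd_present=False leaves out sssd's file, as a package update
    that moved or renamed it would, so the manual symlink dangles.
    """
    lib_dir = os.path.join(root, "usr/lib/x86_64-linux-gnu")
    sssd_dir = os.path.join(lib_dir, "sssd/modules")
    os.makedirs(sssd_dir)
    # samba's copy: libwbclient.so.0.11
    open(os.path.join(lib_dir, "libwbclient.so.0.11"), "wb").close()
    # sssd's copy: sssd/modules/libwbclient.so.0.12.0
    if sssd_present:
        open(os.path.join(sssd_dir, "libwbclient.so.0.12.0"), "wb").close()
    os.symlink("libwbclient.so.0.12.0", os.path.join(sssd_dir, "libwbclient.so.0"))
    link = os.path.join(lib_dir, "libwbclient.so.0")
    if link_to == "samba":
        os.symlink("libwbclient.so.0.11", link)
    else:
        os.symlink("sssd/modules/libwbclient.so.0.12.0", link)
    return link


def check_layout(link_to="sssd", sssd_present=True):
    """Build a throwaway tree, classify its libwbclient.so.0, return the status."""
    with tempfile.TemporaryDirectory() as root:
        link = build_layout(root, link_to, sssd_present)
        status, _target = resolve_wbclient(link)
    return status


if __name__ == "__main__":
    for scenario in (("samba", True), ("sssd", True), ("sssd", False)):
        print(scenario, "->", check_layout(*scenario))
```

On a real Ubuntu host the call is `resolve_wbclient("/usr/lib/x86_64-linux-gnu/libwbclient.so.0")`, run after every sssd or samba update: a "dangling" result, or "samba" where "sssd" was expected, means the howto's manual symlink is no longer in effect and winbind-aware clients have silently fallen back (or are failing).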


Re: [Freeipa-users] Setting up Active Directory trusts in a secure environment

2015-07-31 Thread Sumit Bose
On Fri, Jul 31, 2015 at 09:23:53AM -0500, Dan Mossor wrote:
> On 07/31/2015 02:52 AM, Sumit Bose wrote:
> >
> >Thank you for the detailed analysis. I guess the 'server was
> >inaccessible' error is due to the fact that currently FreeIPA does not
> >have a global catalog, because Windows typically tries to get SIDs from
> >remote objects from the Global Catalog.
> >
> >>
> >>So, to those of y'all that operate in secure environments, what trick do you
> >>use to fully integrate IPA and Active Directory?
> >
> >With FreeIPA-4.2 the one-way trust feature is introduced. The main
> >difference to the current scheme is that with one-way trust the FreeIPA
> >server does not use its host credentials (host keytab) from the IPA
> >domain to access the AD DC but uses the trusted domain user
> >(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
> >the AD domain it should be possible to assign the needed permissions to
> >this object.
> >
> >Currently I have no idea how this can be solved with older versions.
> >Maybe there is a tool on the Windows side which lets you add SIDs
> >manually into the "Access this computer from the network" policy? If
> >there is one you can try to add IPA-SID-515 (where you have to replace
> >IPA-SID by the IPA domain SID).
> >
> >HTH
> >
> >bye,
> >Sumit
> >
> 
> I didn't think the SID was even being evaluated - the authentication being
> attempted was through Kerberos, which I understand only uses host keytabs,
> not SIDs. Am I correct in this situation?

yes and no :-) The keytab is used to get a TGT and then a cross-realm
TGT from the IPA KDC. The IPA KDC will add a PAC to the TGTs which
contains additional authorization data including SIDs. The PAC is then
used on the Windows side to evaluate if access is granted or not.

bye,
Sumit

> 
> Dan
> 
> -- 
> Dan Mossor, RHCSA
> Systems Engineer
> Fedora Server WG | Fedora KDE WG | Fedora QA Team
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA

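Added example, not FreeIPA or Samba code: what Sumit's IPA-SID-515 and the SIDs carried in a PAC look like in Python, with the binary SID layout from MS-DTYP, the RID append that turns a domain SID into its Domain Computers SID, and a simplified version of the SID filtering a domain controller applies to PAC data received across a trust. Every domain SID value is constructed; well-known SIDs (Everyone, Authenticated Users, BUILTIN groups) are deliberately not modelled in the filter.

```python
"""Security identifiers as they appear in a Kerberos PAC and in a Windows
policy such as "Access this computer from the network".

Added example; none of this is FreeIPA or Samba code. Domain SIDs used
below are constructed, and filter_pac_sids is a simplified model."""
import struct

# Well-known relative identifiers appended to a domain SID.
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
}


def parse_sid(text):
    """Split 'S-1-5-21-a-b-c-515' into (revision, identifier_authority, [sub_authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % (text,))
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID out of range: %r" % (text,))
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID (MS-DTYP 2.4.2.2): revision byte, sub-authority count byte,
    6-byte big-endian identifier authority, then 4-byte little-endian sub-authorities."""
    revision, authority, subs = parse_sid(text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data):
    """Inverse of sid_to_bytes; truncated or padded input is rejected."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length %d does not fit %d sub-authorities" % (len(data), count))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def domain_sid_with_rid(domain_sid, rid):
    """Sumit's IPA-SID-515: the IPA domain SID with the Domain Computers RID appended."""
    parse_sid(domain_sid)  # validates the domain part
    return "%s-%d" % (domain_sid, rid)


def split_domain(sid):
    """Return (domain_sid, rid) for an account or group SID."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def filter_pac_sids(pac_sids, trusted_domain_sid):
    """Simplified SID filtering: keep only SIDs the trusted domain is authoritative for.

    A DC evaluating a PAC issued by a trusted realm honours only SIDs from that
    realm's own domain; anything else in the PAC is dropped before the access
    check. Returns (kept, dropped)."""
    kept, dropped = [], []
    for sid in pac_sids:
        domain, _rid = split_domain(sid)
        (kept if domain == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


if __name__ == "__main__":
    ipa_domain = "S-1-5-21-1-2-3"  # constructed IPA domain SID
    computers = domain_sid_with_rid(ipa_domain, 515)
    print(computers, "=", WELL_KNOWN_RIDS[split_domain(computers)[1]])
    print(sid_to_bytes(computers).hex())
    print(filter_pac_sids([computers, "S-1-5-21-7-8-9-512"], ipa_domain))
```

The binary form is what actually sits in the PAC's group-membership arrays, which is why a parser has to check that the byte count matches the sub-authority count before trusting it; the string form is what you paste into the Windows policy editor, with the real IPA domain SID substituted for the constructed one.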


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Matt .
Hi,

This is nice to have confirmed.

Is it possible for you to describe what you do? It might be handy to
add this to the IPA documentation also with some explanation why...

Cheers,

Matt

2015-07-31 16:55 GMT+02:00 Christopher Lamb :
> Hi
>
> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
> "shares" using their FreeIPA credentials. The only password mgmt problem
> that we have is that the users get no notice of password expiry until
> "suddenly" their Samba user (really the FreeIPA user) password is not
> accepted when trying to connect to a share. Once the password is reset (via
> CLI or FreeIPA WebUi), they can access the shares again.
>
> Chris
>
>
>
> From:   Youenn PIOLET 
> To: "Matt ." 
> Cc: "freeipa-users@redhat.com" 
> Date:   31.07.2015 16:21
> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> Sent by:freeipa-users-boun...@redhat.com
>
>
>
> Hi,
> I asked the very same question a few weeks ago, but no answer yet.
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>
> The only method I see is to install samba extensions in FreeIPA's LDAP
> directory, and bind samba with LDAP. There may be a lot of difficulties
> with password management doing this, that's why I'd like to get a better
> solution :)
>
> Anyone?
>
>
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> 2015-07-31 16:03 GMT+02:00 Matt . :
>   Hi Guys,
>
>   I'm really struggling getting a NON AD Samba server authing against a
>   FreeIPA server:
>
>   Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
>   CentOS 7.1 -> FreeIPA 4.1
>
>   Now this seems to be the way:
>
>   https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>
>   But as this, which I also found on the mailing lists:
>
>   NOTE: Only Kerberos authentication will work when accessing Samba
>   shares using this method. This means that Windows clients not joined
>   to Active Directory forest trusted by IPA would not be able to access
>   the shares. This is related to SSSD not yet being able to handle
>   NTLMSSP authentication.
>
>   It might not be that easy to have a Samba Shares only server.
>
>   Any idea here how to accomplish this?
>
>   Cheers,
>
>   Matt
>
>   --
>   Manage your subscription for the Freeipa-users mailing list:
>   https://www.redhat.com/mailman/listinfo/freeipa-users
>   Go to http://freeipa.org for more info on the project
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Christopher Lamb
Hi

We use the Samba extensions for FreeIPA. Windows 7 users connect to the
"shares" using their FreeIPA credentials. The only password mgmt problem
that we have is that the users get no notice of password expiry until
"suddenly" their Samba user (really the FreeIPA user) password is not
accepted when trying to connect to a share. Once the password is reset (via
CLI or FreeIPA WebUi), they can access the shares again.

Chris



From:   Youenn PIOLET 
To: "Matt ." 
Cc: "freeipa-users@redhat.com" 
Date:   31.07.2015 16:21
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by:freeipa-users-boun...@redhat.com



Hi,
I asked the very same question a few weeks ago, but no answer yet.
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

The only method I see is to install samba extensions in FreeIPA's LDAP
directory, and bind samba with LDAP. There may be a lot of difficulties
with password management doing this, that's why I'd like to get a better
solution :)

Anyone?


--
Youenn Piolet
piole...@gmail.com


2015-07-31 16:03 GMT+02:00 Matt . :
  Hi Guys,

  I'm really struggling getting a NON AD Samba server authing against a
  FreeIPA server:

  Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
  CentOS 7.1 -> FreeIPA 4.1

  Now this seems to be the way:

  https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


  But as this, which I also found on the mailing lists:

  NOTE: Only Kerberos authentication will work when accessing Samba
  shares using this method. This means that Windows clients not joined
  to Active Directory forest trusted by IPA would not be able to access
  the shares. This is related to SSSD not yet being able to handle
  NTLMSSP authentication.

  It might not be that easy to have a Samba Shares only server.

  Any idea here how to accomplish this?

  Cheers,

  Matt

  --
  Manage your subscription for the Freeipa-users mailing list:
  https://www.redhat.com/mailman/listinfo/freeipa-users
  Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




Re: [Freeipa-users] Setting up Active Directory trusts in a secure environment

2015-07-31 Thread Dan Mossor

On 07/31/2015 02:52 AM, Sumit Bose wrote:


Thank you for the detailed analysis. I guess the 'server was
inaccessible' error is due to the fact that currently FreeIPA does not
have a global catalog, because Windows typically tries to get SIDs from
remote objects from the Global Catalog.



So, to those of y'all that operate in secure environments, what trick do you
use to fully integrate IPA and Active Directory?


With FreeIPA-4.2 the one-way trust feature is introduced. The main
difference to the current scheme is that with one-way trust the FreeIPA
server does not use its host credentials (host keytab) from the IPA
domain to access the AD DC but uses the trusted domain user
(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
the AD domain it should be possible to assign the needed permissions to
this object.

Currently I have no idea how this can be solved with older versions.
Maybe there is a tool on the Windows side which lets you add SIDs
manually into the "Access this computer from the network" policy? If
there is one you can try to add IPA-SID-515 (where you have to replace
IPA-SID by the IPA domain SID).

HTH

bye,
Sumit



I didn't think the SID was even being evaluated - the authentication 
being attempted was through Kerberos, which I understand only uses host 
keytabs, not SIDs. Am I correct in this situation?


Dan

--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Youenn PIOLET
Hi,
I asked the very same question a few weeks ago, but no answer yet.
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

The only method I see is to install samba extensions in FreeIPA's LDAP
directory, and bind samba with LDAP. There may be a lot of difficulties
with password management doing this, that's why I'd like to get a better
solution :)

Anyone?


--
Youenn Piolet
piole...@gmail.com


2015-07-31 16:03 GMT+02:00 Matt . :

> Hi Guys,
>
> I'm really struggling getting a NON AD Samba server authing against a
> FreeIPA server:
>
> Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
> CentOS 7.1 -> FreeIPA 4.1
>
> Now this seems to be the way:
>
> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> But as this, which I also found on the mailing lists:
>
> NOTE: Only Kerberos authentication will work when accessing Samba
> shares using this method. This means that Windows clients not joined
> to Active Directory forest trusted by IPA would not be able to access
> the shares. This is related to SSSD not yet being able to handle
> NTLMSSP authentication.
>
> It might not be that easy to have a Samba Shares only server.
>
> Any idea here how to accomplish this?
>
> Cheers,
>
> Matt
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

[Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Matt .
Hi Guys,

I'm really struggling getting a NON AD Samba server authing against a
FreeIPA server:

Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
CentOS 7.1 -> FreeIPA 4.1

Now this seems to be the way:

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

But as this, which I also found on the mailing lists:

NOTE: Only Kerberos authentication will work when accessing Samba
shares using this method. This means that Windows clients not joined
to Active Directory forest trusted by IPA would not be able to access
the shares. This is related to SSSD not yet being able to handle
NTLMSSP authentication.

It might not be that easy to have a Samba Shares only server.

Any idea here how to accomplish this?

Cheers,

Matt



Re: [Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate

2015-07-31 Thread Martin Kosek

On 07/31/2015 10:10 AM, Natxo Asenjo wrote:

Hi,


Maybe just one more redirect if people come directly to https://freeipa.org?


Right, this is the last missing part. I did not implement it yet as I would 
first need to set up a redirecting machine of my own that I could trust and upload 
the FreeIPA HTTPS key there.




Re: [Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate

2015-07-31 Thread Natxo Asenjo
Hi,


Maybe just one more redirect if people come directly to https://freeipa.org?



$ curl -LIv https://freeipa.org
* Rebuilt URL to: https://freeipa.org/
* Hostname was NOT found in DNS cache
*   Trying 209.132.183.105...
* Connected to freeipa.org (209.132.183.105) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* subject: CN=*.redhat.com,OU=Web Operations,O=Red Hat
Inc,L=Raleigh,ST=North
Carolina,C=US,serialNumber=dmox-zPOCChZGgYyWu9xg8JTHSbjFg9P
* start date: Sep 09 18:07:24 2013 GMT
* expire date: Dec 12 02:08:43 2015 GMT
* common name: *.redhat.com
* issuer: CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not
match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name
does not match the server's certificate.


$ curl -LIv https://www.freeipa.org
* Rebuilt URL to: https://www.freeipa.org/
* Hostname was NOT found in DNS cache
*   Trying 54.227.25.77...
* Connected to www.freeipa.org (54.227.25.77) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate:
* subject: CN=www.freeipa.org,O=Red Hat Inc.,L=Raleigh,ST=North
Carolina,C=US
* start date: Jul 16 00:00:00 2014 GMT
* expire date: Jul 19 12:00:00 2016 GMT
* common name: www.freeipa.org
* issuer: CN=DigiCert SHA2 High Assurance Server
CA,OU=www.digicert.com,O=DigiCert
Inc,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: www.freeipa.org
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Fri, 31 Jul 2015 08:09:29 GMT
Date: Fri, 31 Jul 2015 08:09:29 GMT
* Server Apache/2.2.15 (Red Hat) is not blacklisted
< Server: Apache/2.2.15 (Red Hat)
Server: Apache/2.2.15 (Red Hat)
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Vary: Accept-Encoding,Cookie
Vary: Accept-Encoding,Cookie
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Cache-Control: private, must-revalidate, max-age=0
Cache-Control: private, must-revalidate, max-age=0
< Last-Modified: Fri, 31 Jul 2015 08:09:29 GMT
Last-Modified: Fri, 31 Jul 2015 08:09:29 GMT
< Location: https://www.freeipa.org/page/Main_Page
Location: https://www.freeipa.org/page/Main_Page
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8

<
* Connection #0 to host www.freeipa.org left intact
* Issue another request to this URL: 'https://www.freeipa.org/page/Main_Page
'
* Found bundle for host www.freeipa.org: 0x1e1d850
* Re-using existing connection! (#0) with host www.freeipa.org
* Connected to www.freeipa.org (54.227.25.77) port 443 (#0)
> HEAD /page/Main_Page HTTP/1.1
> User-Agent: curl/7.37.0
> Host: www.freeipa.org
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 31 Jul 2015 08:09:29 GMT
Date: Fri, 31 Jul 2015 08:09:29 GMT
* Server Apache/2.2.15 (Red Hat) is not blacklisted
< Server: Apache/2.2.15 (Red Hat)
Server: Apache/2.2.15 (Red Hat)
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-language: en
Content-language: en
< X-UA-Compatible: IE=Edge
X-UA-Compatible: IE=Edge
< Vary: Accept-Encoding,Cookie
Vary: Accept-Encoding,Cookie
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Cache-Control: private, must-revalidate, max-age=0
Cache-Control: private, must-revalidate, max-age=0
< Last-Modified: Thu, 16 Jul 2015 13:22:10 GMT
Last-Modified: Thu, 16 Jul 2015 13:22:10 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8

<
* Connection #0 to host www.freeipa.org left intact


Thanks!


---

regards,

natxo
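Added example, not curl's or NSS's code: a hostname matcher that re-implements the RFC 6125 rules behind the SSL_ERROR_BAD_CERT_DOMAIN shown above, applied to the two certificates transcribed from the curl output (`*.redhat.com` served on freeipa.org, `www.freeipa.org` served on www.freeipa.org). The curl output lists no subjectAltName entries, so both records carry an empty SAN list here, which is an assumption; the matcher then falls back to the subject CN, as clients of that era did.

```python
"""Why https://www.freeipa.org verifies and https://freeipa.org does not.

Added example; the matcher is a re-implementation of the RFC 6125 hostname
rules, not curl's or NSS's code. Certificate names are transcribed from the
thread; the empty SAN lists are an assumption."""

CERT_ON_FREEIPA_ORG = {"subject_cn": "*.redhat.com", "san_dns": []}
CERT_ON_WWW_FREEIPA_ORG = {"subject_cn": "www.freeipa.org", "san_dns": []}


def dns_name_matches(hostname, pattern):
    """RFC 6125 section 6.4.3 matching, case-insensitive.

    - without a wildcard the names must be identical label for label
    - a wildcard is honoured only when it is the entire leftmost label
    - it matches exactly one non-empty label, so '*.redhat.com' covers
      'www.redhat.com' but neither 'redhat.com' nor 'a.b.redhat.com'
    - at least two labels must remain to the right of the wildcard
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return host == pat
    if pat[0] != "*" or len(pat) < 3 or any("*" in label for label in pat[1:]):
        return False
    return len(host) == len(pat) and host[0] != "" and host[1:] == pat[1:]


def hostname_matches_cert(hostname, cert):
    """Return (ok, reason).

    When subjectAltName dNSName entries are present they are authoritative and
    the CN is ignored (RFC 6125 section 6.4.4); with no SAN the CN is used."""
    names = cert["san_dns"] or [cert["subject_cn"]]
    for name in names:
        if dns_name_matches(hostname, name):
            return True, "%s matches certificate name %s" % (hostname, name)
    return False, ("requested domain name %s does not match the server's "
                   "certificate (%s)" % (hostname, ", ".join(names)))


if __name__ == "__main__":
    print(hostname_matches_cert("freeipa.org", CERT_ON_FREEIPA_ORG))
    print(hostname_matches_cert("www.freeipa.org", CERT_ON_WWW_FREEIPA_ORG))
```

The first call reproduces the "requested domain name does not match the server's certificate" failure: the apex name has two labels, the wildcard pattern needs three, and no wildcard can stand in for the registered domain itself. That is also why a redirect placed on freeipa.org needs its own certificate for that exact name, which is the missing piece Martin describes.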

Re: [Freeipa-users] Setting up Active Directory trusts in a secure environment

2015-07-31 Thread Sumit Bose
On Thu, Jul 30, 2015 at 05:35:53PM -0500, Dan Mossor wrote:
> Greetings, folks.
> 
> So, I've been fighting with getting a trust set up between FreeIPA 4.1 on
> CentOS 7.1 and Windows Server 2008r2 for nearly a week. Today I finally came
> to a conclusion as to what my issue is.
> 
> I operate a secure network in which we have configuration guidelines for
> securing Windows that we have to meet in order to receive what's known as an
> "Authority to Operate", or ATO. A lot of this configuration is done in the
> Global Policies.
> 
> Today I stumbled across one error buried in the Windows Security event log,
> and when correlated with the errors I was seeing from FreeIPA led me to our
> policy. The error that popped up in the event log was "The user has not been
> granted the requested logon type at this machine." The logon type was "3",
> which is network, and the Logon Process and Authorization Package were both
> Kerberos.
> 
> Cross referenced with the error on the IPA server:
> "WARNING: Search on AD DC WINSRV.ad.domain.net:3268 failed with:
> Insufficient access: 8009030C: LdapErr: DSID-0C0904DC, comment:
> AcceptSecurityContext error, data 569, v1db1 Invalid Credentials"
> 
> Digging into our Domain Controller policy, I found that "Access this
> computer from the network" is restricted to Domain Users, Domain
> Controllers, Domain Computers, Domain Admins, and BUILTIN\Administrators. I
> attempted to add a context that would allow the IPA server to log on, and
> got so far through the wizard that it let me select the trusted domain to
> search and returned a list of security contexts, but when I attempted to add
> one (Authenticated Users), I received the error that it couldn't be found
> because the server was inaccessible. I saw no errors on the IPA side during
> this transaction.

Thank you for the detailed analysis. I guess the 'server was
inaccessible' error is due to the fact that currently FreeIPA does not
have a global catalog, because Windows typically tries to get SIDs from
remote objects from the Global Catalog.

> 
> So, to those of y'all that operate in secure environments, what trick do you
> use to fully integrate IPA and Active Directory?

With FreeIPA-4.2 the one-way trust feature is introduced. The main
difference to the current scheme is that with one-way trust the FreeIPA
server does not use its host credentials (host keytab) from the IPA
domain to access the AD DC but uses the trusted domain user
(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
the AD domain it should be possible to assign the needed permissions to
this object.

Currently I have no idea how this can be solved with older versions.
Maybe there is a tool on the Windows side which lets you add SIDs
manually into the "Access this computer from the network" policy? If
there is one you can try to add IPA-SID-515 (where you have to replace
IPA-SID by the IPA domain SID).

HTH

bye,
Sumit

> 
> -- 
> Dan Mossor, RHCSA
> Systems Engineer
> Fedora Server WG | Fedora KDE WG | Fedora QA Team
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project



Re: [Freeipa-users] ipa-replica-prepare error

2015-07-31 Thread Martin Kosek

On 07/30/2015 05:28 PM, Orion Poplawski wrote:

On 07/28/2015 11:09 PM, Jan Cholasta wrote:

Dne 20.7.2015 v 19:52 Orion Poplawski napsal(a):

On 07/20/2015 12:57 AM, Jan Cholasta wrote:

Dne 15.7.2015 v 20:57 Orion Poplawski napsal(a):

On 07/14/2015 11:53 PM, Jan Cholasta wrote:


   # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX


Directory Manager (existing master) password:

(SEC_ERROR_LIBRARY_FAILURE) security library failure.


I was able to debug this in gdb and tracked it down to a low entropy
condition.  Details noted in https://fedorahosted.org/freeipa/ticket/5117.
Looks like prng_instantiate is being called 2-3 times and there just isn't
enough entropy:


Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 ,
 bytes=bytes@entry=0x7fffc220 "\304(\336\350F8\375㨟\177\325\017+\302
\230\"e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324&\263",
len=110) at drbg.c:160
160 if (len < PRNG_SEEDLEN) {
1: len = 110
(gdb) c
Continuing.

Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 ,
 bytes=bytes@entry=0x2153b70
"\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002",
len=len@entry=32) at drbg.c:160
160 if (len < PRNG_SEEDLEN) {
1: len = 32

PRNG_SEEDLEN is 55 I think.



Thank you for the thorough investigation! I saw your ticket comment and moved it 
back to Triage so that we can keep investigating it.


We already have some code that checks available entropy and/or waits for 
sufficient entropy in the ipa-server-install code. Maybe we will need to do 
something also in ipa-replica-prepare, we will see. We can continue with 
discussion in the ticket directly.


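Added example, not FreeIPA's or NSS's code: the seed-length test Orion hit at drbg.c:160 and an entropy wait of the kind Martin says ipa-server-install already has. The polling loop takes its reader, clock and sleep as parameters so it can be driven by a scripted entropy series, which is how the block exercises both the recovering and the starved case without touching /proc or sleeping. PRNG_SEEDLEN = 55 comes from the thread; the 1000-bit threshold, the poll interval and the timeout are assumptions, and the entropy counter is read from the Linux file /proc/sys/kernel/random/entropy_avail.

```python
"""Guard key generation behind an entropy check.

Added example, not FreeIPA's or NSS's code. PRNG_SEEDLEN is the value quoted
in the thread; threshold, poll interval and timeout are assumptions."""
import time

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
PRNG_SEEDLEN = 55  # bytes; minimum seed the DRBG accepts, per the thread


def seed_is_sufficient(seed_len, required=PRNG_SEEDLEN):
    """The test at drbg.c:160 in the gdb session: a seed shorter than
    PRNG_SEEDLEN is rejected, which surfaced as SEC_ERROR_LIBRARY_FAILURE.
    The two calls in the thread had len=110 (fine) and len=32 (too short)."""
    return seed_len >= required


def entropy_available(path=ENTROPY_AVAIL):
    """Bits of entropy the kernel currently estimates in its input pool."""
    with open(path) as fh:
        return int(fh.read().strip())


def wait_for_entropy(min_bits=1000, timeout=30.0, poll=0.5,
                     read=entropy_available, clock=time.monotonic, sleep=time.sleep):
    """Poll read() until it reports at least min_bits or the timeout passes.

    Returns (ok, polls). read, clock and sleep are injectable so the logic
    can be tested without /proc and without real delays."""
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        if read() >= min_bits:
            return True, polls
        if clock() >= deadline:
            return False, polls
        sleep(poll)


def simulate_wait(samples, min_bits=1000, timeout=30.0, poll=0.5):
    """Drive wait_for_entropy with a scripted (constructed) entropy_avail series
    and a fake clock that advances only when the loop sleeps. Once the samples
    run out the last value repeats, modelling a pool that has stopped growing."""
    remaining = list(samples)
    state = {"last": remaining[0], "now": 0.0}

    def read():
        if remaining:
            state["last"] = remaining.pop(0)
        return state["last"]

    def clock():
        return state["now"]

    def sleep(seconds):
        state["now"] += seconds

    return wait_for_entropy(min_bits, timeout, poll, read, clock, sleep)


if __name__ == "__main__":
    print("seed 110 ok:", seed_is_sufficient(110), "/ seed 32 ok:", seed_is_sufficient(32))
    print("pool recovers:", simulate_wait([128, 400, 1200]))
    print("pool starved:", simulate_wait([128], timeout=1.0))
```

In a provisioning script the guard is `ok, _ = wait_for_entropy()` placed immediately before the step that creates keys, and a refusal rather than a silent continue when it returns False. Two caveats for the threshold: it is kernel-specific (older kernels cap the counter at 4096, and from Linux 5.18 the file reports a fixed 256 once the CRNG is initialised), and a starved pool on a fresh VM is better fixed by feeding the pool (virtio-rng or a hardware source) than by lengthening the timeout.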