[Freeipa-users] not login users AD (2008R2 ) on linux
Hi, I installed CentOS 6.5 and IPA 3.0.0..37 with a trust to Windows 2008 R2. Everything was OK and AD users could log in on Linux. But I installed an IPA replica three weeks ago, and for two days AD users cannot log in on Linux, while IPA users can.

=== Error in /var/log/secure:

Aug 17 14:48:20 dwn1 sshd[51694]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= rdpadmin_34.infotechpsp.net user=abagh...@infotechpsp.net
Aug 17 14:48:20 dwn1 sshd[51694]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= rdpadmin_34.infotechpsp.net user=abagh...@infotechpsp.net
Aug 17 14:48:20 dwn1 sshd[51694]: pam_sss(sshd:auth): received for user abagh...@infotechpsp.net: 4 (System error)
Aug 17 14:48:22 dwn1 sshd[51694]: Failed password for abagh...@infotechpsp.net from 172.26.26.34 port 51168 ssh2

The sssd configuration has not changed.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa v4 on CentOS6
On (17/08/15 14:37), Alexander Bokovoy wrote:
> On Mon, 17 Aug 2015, Ramy Allam wrote:
>> Hello,
>> I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine and need to set up ipa-4.1.0 on a CentOS 6 machine. The CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6, please?
> Nowhere. Read this thread:
> https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html
>
>> The reason I need to set up ipa-client v4 on CentOS 6 is that client v3 doesn't support OTP authentication.
> Regardless of the IPA version, the lack of OTP authentication will not be fixed with a backport of IPA 4. OTP authentication needs a newer Kerberos library with a changed ABI, so it will not appear on RHEL6/CentOS6. Ideally you need a newer SSSD which understands the newer Kerberos API for pre-auth conversations, and maybe even more. This is definitely going outside of any sensible support scope, upstream or downstream.

rhel6.7 already contains a sufficient version of sssd, sssd-1.12.4-4x.el6. It just does not contain separate prompting for password and token:
https://fedorahosted.org/sssd/ticket/2335

I'm also not aware of a dependency on a special feature from libkrb5 on the sssd side. At least, we do not detect it at compile time. SSSD is not a blocker for a rhel6 client with ipa-server-4.1.

LS
[Freeipa-users] ipa v4 on CentOS6
Hello,

I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine and need to set up ipa-4.1.0 on a CentOS 6 machine. The CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6, please?

The reason I need to set up ipa-client v4 on CentOS 6 is that client v3 doesn't support OTP authentication.

I tried to install ipa-client from source, but it raises this error:

root@client [/usr/local/src/freeipa-4.1.4/ipa-client]# make install
Making install in ../asn1
make[1]: Entering directory `/usr/local/src/freeipa-4.1.4/asn1'
Making install in asn1c
make[2]: Entering directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c'
make[3]: Entering directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c'
make[3]: Nothing to be done for `install-exec-am'.
 /bin/mkdir -p '.'
 /usr/bin/install -c -m 644 Int32.h GetKeytabControl.h GKNewKeys.h GKCurrentKeys.h GKReply.h KrbKey.h TypeValuePair.h '.'
/usr/bin/install: `Int32.h' and `./Int32.h' are the same file
/usr/bin/install: `GetKeytabControl.h' and `./GetKeytabControl.h' are the same file
/usr/bin/install: `GKNewKeys.h' and `./GKNewKeys.h' are the same file
/usr/bin/install: `GKCurrentKeys.h' and `./GKCurrentKeys.h' are the same file
/usr/bin/install: `GKReply.h' and `./GKReply.h' are the same file
/usr/bin/install: `KrbKey.h' and `./KrbKey.h' are the same file
/usr/bin/install: `TypeValuePair.h' and `./TypeValuePair.h' are the same file
make[3]: *** [install-IPAASN1HEADERS] Error 1
make[3]: Leaving directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c'
make[2]: *** [install-am] Error 2
make[2]: Leaving directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/freeipa-4.1.4/asn1'
make: *** [install-recursive] Error 1

Waiting for your kind reply.

Best Regards,
Re: [Freeipa-users] ipa v4 on CentOS6
On Mon, 17 Aug 2015, Ramy Allam wrote:
> Hello,
> I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine and need to set up ipa-4.1.0 on a CentOS 6 machine. The CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6, please?

Nowhere. Read this thread:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html

> The reason I need to set up ipa-client v4 on CentOS 6 is that client v3 doesn't support OTP authentication.

Regardless of the IPA version, the lack of OTP authentication will not be fixed with a backport of IPA 4. OTP authentication needs a newer Kerberos library with a changed ABI, so it will not appear on RHEL6/CentOS6. Ideally you need a newer SSSD which understands the newer Kerberos API for pre-auth conversations, and maybe even more. This is definitely going outside of any sensible support scope, upstream or downstream.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] ipa v4 on CentOS6
On Mon, 17 Aug 2015, Lukas Slebodnik wrote:
> On (17/08/15 14:37), Alexander Bokovoy wrote:
>> On Mon, 17 Aug 2015, Ramy Allam wrote:
>>> Hello,
>>> I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine and need to set up ipa-4.1.0 on a CentOS 6 machine. The CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6, please?
>> Nowhere. Read this thread:
>> https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html
>>
>>> The reason I need to set up ipa-client v4 on CentOS 6 is that client v3 doesn't support OTP authentication.
>> Regardless of the IPA version, the lack of OTP authentication will not be fixed with a backport of IPA 4. OTP authentication needs a newer Kerberos library with a changed ABI, so it will not appear on RHEL6/CentOS6. Ideally you need a newer SSSD which understands the newer Kerberos API for pre-auth conversations, and maybe even more. This is definitely going outside of any sensible support scope, upstream or downstream.
>
> rhel6.7 already contains a sufficient version of sssd, sssd-1.12.4-4x.el6. It just does not contain separate prompting for password and token:
> https://fedorahosted.org/sssd/ticket/2335
>
> I'm also not aware of a dependency on a special feature from libkrb5 on the sssd side. At least, we do not detect it at compile time. SSSD is not a blocker for a rhel6 client with ipa-server-4.1.

See krb5_responder_otp_*(); the API is available in MIT Kerberos 1.11+. CentOS 6 has 1.10.3 at most, which doesn't have the API needed for OTP conversations, and I don't see it backported in 1.10.3-42.el6 either. I wonder how src/providers/krb5/krb5_child.c is compiled in the absence of these functions?

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] ipa v4 on CentOS6
On Mon, 17 Aug 2015, Alexander Bokovoy wrote:
> On Mon, 17 Aug 2015, Lukas Slebodnik wrote:
>> On (17/08/15 14:37), Alexander Bokovoy wrote:
>>> On Mon, 17 Aug 2015, Ramy Allam wrote:
>>>> Hello,
>>>> I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine and need to set up ipa-4.1.0 on a CentOS 6 machine. The CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6, please?
>>> Nowhere. Read this thread:
>>> https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html
>>>
>>>> The reason I need to set up ipa-client v4 on CentOS 6 is that client v3 doesn't support OTP authentication.
>>> Regardless of the IPA version, the lack of OTP authentication will not be fixed with a backport of IPA 4. OTP authentication needs a newer Kerberos library with a changed ABI, so it will not appear on RHEL6/CentOS6. Ideally you need a newer SSSD which understands the newer Kerberos API for pre-auth conversations, and maybe even more. This is definitely going outside of any sensible support scope, upstream or downstream.
>>
>> rhel6.7 already contains a sufficient version of sssd, sssd-1.12.4-4x.el6. It just does not contain separate prompting for password and token:
>> https://fedorahosted.org/sssd/ticket/2335
>>
>> I'm also not aware of a dependency on a special feature from libkrb5 on the sssd side. At least, we do not detect it at compile time. SSSD is not a blocker for a rhel6 client with ipa-server-4.1.
>
> See krb5_responder_otp_*(); the API is available in MIT Kerberos 1.11+. CentOS 6 has 1.10.3 at most, which doesn't have the API needed for OTP conversations, and I don't see it backported in 1.10.3-42.el6 either. I wonder how src/providers/krb5/krb5_child.c is compiled in the absence of these functions?

We cleared this with Lukas -- the code has conditional checks for HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER which allow it to be compiled against an older libkrb5 at the cost of not supporting OTP conversations. Rebuilding a newer libkrb5 for RHEL6 is something that would be left to those who want to support it.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] first time web UI access?
I had issues on Fedora with the main screen crashing in various ways. Going into a specific subsystem directly works. There was no such problem when building the package on Debian and running it there, though.

2015-08-17 19:04 GMT+02:00 Janelle janellenicol...@gmail.com:
> Hi,
>
> Apparently no one has ever seen this? :-(
>
> ~J
>
> On 8/14/15 6:37 AM, Janelle wrote:
>> I am curious if anyone else ever sees a problem with first-time IPA Web UI access and the full screen not loading. It sometimes requires a reload, once or twice, to get it to load properly. Has anyone seen this before?
>>
>> thank you
>> Janelle
Re: [Freeipa-users] first time web UI access?
Hi,

Apparently no one has ever seen this? :-(

~J

On 8/14/15 6:37 AM, Janelle wrote:
> I am curious if anyone else ever sees a problem with first-time IPA Web UI access and the full screen not loading. It sometimes requires a reload, once or twice, to get it to load properly. Has anyone seen this before?
>
> thank you
> Janelle
Re: [Freeipa-users] HBAC rules not applying to Solaris clients
Ok, thanks all. I will look into pam_list; integrating with the Solaris RBAC is probably beyond me, as I am not that Solaris savvy and there is no documentation on using it with FreeIPA that I can see.

I tried using AllowGroups in sshd_config on Solaris to restrict access, but it only seems to work with primary group membership. Is this expected? From reading the documentation it should work with secondary/supplementary groups as well. Let me know if you have found a way around that, please.

From: Bob harv...@gmail.com
To: Natxo Asenjo natxo.ase...@gmail.com
Cc: Freeipa-users freeipa-users@redhat.com
Sent: Saturday, August 15, 2015 10:46 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients

> For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allows netgroups to be listed in a user.allow file.
>
> On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
>> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>> sipazzo wrote:
>>>> and my users are able to authenticate to the directory but the HBAC rules are not being applied. Any user, whether given access or not, can log in to the Solaris systems. The allow-all rule has been disabled, my nsswitch.conf file looks good and I have tried different configs of pam.d, including the provided example, to try to resolve the issue. Am I missing some steps?
>>> HBAC enforcement is provided by sssd, so it doesn't work in Solaris.
>>
>> One might try using Solaris' RBAC system:
>> http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>>
>> You would have to distribute your changes to all Solaris systems. There is an RBAC LDAP schema for Solaris, http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html, but I have never tried using it with FreeIPA.
>>
>> --
>> Groeten,
>> natxo
Re: [Freeipa-users] not login users AD (2008R2 ) on linux
On Mon, Aug 17, 2015 at 03:32:03AM -0700, alireza baghery wrote:
> Hi, I installed CentOS 6.5 and IPA 3.0.0..37

CentOS 6.5 is quite old; 6.7 was released just some time ago. Please upgrade.

> with a trust to Windows 2008 R2.

I would also suggest going with a RHEL-7 based server.

> Everything was OK and AD users could log in on Linux. But I installed an IPA replica three weeks ago, and for two days AD users cannot log in on Linux, while IPA users can.
>
> === Error in /var/log/secure:
>
> Aug 17 14:48:20 dwn1 sshd[51694]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= rdpadmin_34.infotechpsp.net user=abagh...@infotechpsp.net
> Aug 17 14:48:20 dwn1 sshd[51694]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= rdpadmin_34.infotechpsp.net user=abagh...@infotechpsp.net
> Aug 17 14:48:20 dwn1 sshd[51694]: pam_sss(sshd:auth): received for user abagh...@infotechpsp.net: 4 (System error)
> Aug 17 14:48:22 dwn1 sshd[51694]: Failed password for abagh...@infotechpsp.net from 172.26.26.34 port 51168 ssh2
>
> The sssd configuration has not changed.

Please follow:
https://fedorahosted.org/sssd/wiki/Troubleshooting
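The log excerpt in this thread carries the useful detail in the last pam_sss line: result 4 is PAM_SYSTEM_ERR, which means SSSD could not complete the request against its backend (here, an IPA server and an AD trust), whereas a wrong password would come back as 7 (PAM_AUTH_ERR). The following script is an added example, not part of the thread or of SSSD; it parses the "received for user ...: N (text)" lines pam_sss writes to /var/log/secure and separates backend failures from credential failures. The log lines it runs over are constructed, and the host, user and address values in them are placeholders.

```python
"""Triage pam_sss results from /var/log/secure (added example, not from the thread)."""
import re
from collections import Counter

# Linux-PAM return codes (numeric values from <security/_pam_types.h>).
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
    13: "PAM_ACCT_EXPIRED",
}

# Results that point at the identity backend (SSSD, IPA server, trust,
# replica, network) rather than at what the user typed.
BACKEND_CODES = {4, 9}

# Matches e.g. "Aug 17 14:48:20 host1 sshd[51694]: pam_sss(sshd:auth):
# received for user jdoe: 7 (Authentication failure)".
PAM_SSS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: pam_sss\((?P<service>[^)]+)\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)$"
)

# Constructed sample: the first three lines mirror the shape of the thread's
# excerpt, the rest show the other results an admin will meet.
SAMPLE_LOG = """\
Aug 17 14:48:20 host1 sshd[51694]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=aduser@ad.example.com
Aug 17 14:48:20 host1 sshd[51694]: pam_sss(sshd:auth): received for user aduser@ad.example.com: 4 (System error)
Aug 17 14:48:22 host1 sshd[51694]: Failed password for aduser@ad.example.com from 192.0.2.34 port 51168 ssh2
Aug 17 14:50:01 host1 sshd[51702]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
Aug 17 14:51:15 host1 sshd[51710]: pam_sss(sshd:auth): received for user aduser@ad.example.com: 9 (Authentication service cannot retrieve authentication info)
Aug 17 14:52:30 host1 sshd[51720]: pam_sss(sshd:auth): received for user carol: 10 (User not known to the underlying authentication module)
"""


def parse_pam_sss(line):
    """Return a dict for a pam_sss result line, or None for any other line."""
    m = PAM_SSS_RE.match(line)
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "host": m.group("host"),
        "service": m.group("service"),
        "user": m.group("user"),
        "code": code,
        "name": PAM_CODES.get(code, "UNKNOWN"),
        "text": m.group("text"),
        "backend": code in BACKEND_CODES,
    }


def triage(lines):
    """Split pam_sss results into backend failures and credential failures.

    Backend failures (System error, authinfo unavailable) are the ones to
    chase on the SSSD/IPA side, as in this thread; credential failures are
    per-user events and the usual input for lockout or brute-force alerting.
    """
    report = {"backend": [], "credential": [], "by_result": Counter()}
    for line in lines:
        ev = parse_pam_sss(line)
        if ev is None:
            continue  # pam_unix, sshd and other lines are not pam_sss results
        report["by_result"][ev["name"]] += 1
        bucket = "backend" if ev["backend"] else "credential"
        report[bucket].append(ev)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines())
    for ev in r["backend"]:
        print("BACKEND   ", ev["host"], ev["user"], ev["name"], ev["text"])
    for ev in r["credential"]:
        print("CREDENTIAL", ev["host"], ev["user"], ev["name"], ev["text"])
    print(dict(r["by_result"]))
```

Running it as a filter over a real /var/log/secure (replace SAMPLE_LOG with the file's lines) gives a quick answer to the question behind this thread: if the failures for AD users are PAM_SYSTEM_ERR while IPA users get no pam_sss errors at all, the problem is in the SSSD backend path to the trusted domain, not in the users' passwords, and the sssd_<domain>.log on the client is the next place to look.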
Re: [Freeipa-users] IDM/ipa slow login
Hi John, Jakub,

I added selinux_provider = none to the sssd.conf (as recommended by John) and then restarted the service, and it seems to solve the problem (almost)!!! Logins are nearly as fast as when using local users. What are the security consequences of adding this line?

Jakub, you're talking about a bug; is there a patch to remove it, or do I have to wait for an sssd/ipa upgrade?

Maybe I'll try to understand why it is complaining "Could not parse domain SID from [(null)]" and looking for groups that do not exist in the LDAP database.

Anyway, thanks a lot for your time and help!

seli

On Sun, Aug 16, 2015 at 6:09 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On 13 Aug 2015, at 22:57, John Obaterspok john.obaters...@gmail.com wrote:
>> Hi Seli,
>>
>> In /etc/sssd/sssd.conf add the line below:
>>   selinux_provider=none
>
> Hmm, good idea. I forgot the version OP was using, but yet -- at one point we had a bug where the selinux_child would be invoked even if the context didn't change, which would be slow. We fixed that error since, but chances are Seli is still running the affected version.
>
>> to the domain section. Then restart sssd.
>>
>> -- john
>>
>> 2015-08-13 16:23 GMT+02:00 seli irithyl seli.irit...@gmail.com:
>>> Here's the sssd_domain log part during an ssh:
>>>
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local]
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Save user
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Processing user test
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [test].
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of [test].
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object bioinfo
>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=bioinf,dc=local]
>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
Re: [Freeipa-users] ipa-replica-prepare failing
On 08/06/2015 04:10 PM, David Dejaeghere wrote:
> Hello Guys,
>
> I was able to resolve this today. My webserver and dirsrv certificates expired yesterday, and trying to replace them gave me the same error:
>   ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> So I tried some things to resolve this. The trick was to replace /etc/ipa/ca.crt with the GoDaddy file gdig2, which only has 1 certificate. You can get this file while downloading your certificate from GoDaddy. Then I had to add the bundle from GoDaddy, file gd_bundle-g2-g1, into my server cert. This made both the ipa-server-certinstall and ipa-replica-prepare commands finish as expected!
>
> Hope this helps. I saw somebody else with a very similar issue.
>
> Kind Regards,
> D

Yeah, the source of this issue appears to be a wrong /etc/ipa/ca.crt created during ipa-server-install. I was able to work around it with:

  ipa-certupdate

which wrote out a correct /etc/ipa/ca.crt. See https://fedorahosted.org/freeipa/ticket/5117#comment:16

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                   http://www.nwra.com
Re: [Freeipa-users] IDM/ipa slow login
On Mon, Aug 17, 2015 at 09:57:00AM +0200, seli irithyl wrote:
> Hi John, Jakub,
>
> I added selinux_provider = none to the sssd.conf (as recommended by John) and then restarted the service, and it seems to solve the problem (almost)!!!

John, thank you very much for suggesting this option.

> Logins are nearly as fast as when using local users. What are the security consequences of adding this line?

The SELinux usermap set on the IPA server would not be reflected on the IPA client.

> Jakub, you're talking about a bug; is there a patch to remove it, or do I have to wait for an sssd/ipa upgrade?

I don't follow; there is a bug in the code, so yes, it needs to be fixed by an SSSD update. The bug was fixed in 6.7 already:
  https://bugzilla.redhat.com/show_bug.cgi?id=1211728
but in the RHEL-7 stream it's so far only planned for 7.2:
  https://bugzilla.redhat.com/show_bug.cgi?id=1210854
Feel free to raise the RHEL-7 bug with RH support if you need it released sooner.

> Maybe I'll try to understand why it is complaining "Could not parse domain SID from [(null)]" and looking for groups that do not exist in the LDAP database.

That's fine, we should probably fix the debug message, but it's expected that IPA users don't have a SID.

> Anyway, thanks a lot for your time and help!
>
> seli
>
> On Sun, Aug 16, 2015 at 6:09 PM, Jakub Hrozek jhro...@redhat.com wrote:
>> On 13 Aug 2015, at 22:57, John Obaterspok john.obaters...@gmail.com wrote:
>>> Hi Seli,
>>>
>>> In /etc/sssd/sssd.conf add the line below:
>>>   selinux_provider=none
>>
>> Hmm, good idea. I forgot the version OP was using, but yet -- at one point we had a bug where the selinux_child would be invoked even if the context didn't change, which would be slow. We fixed that error since, but chances are Seli is still running the affected version.
>>
>>> to the domain section. Then restart sssd.
>>>
>>> -- john
>>>
>>> 2015-08-13 16:23 GMT+02:00 seli irithyl seli.irit...@gmail.com:
>>>> Here's the sssd_domain log part during an ssh:
>>>>
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local]
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Save user
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Processing user test
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [test].
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of [test].
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
>>>> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
>>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
>>>> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search
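Jakub's answer above states the trade-off behind selinux_provider = none: login gets faster, but the SELinux user map maintained on the IPA server is no longer applied on that client, so a user mapped to, say, a confined SELinux user on the server lands in the client's default context instead. The script below is an added example, not part of the thread or of SSSD; it reads an sssd.conf and lists the active IPA domains on which that mapping is switched off, so the exception can be tracked rather than forgotten. It assumes the documented defaults of sssd.conf (selinux_provider falls back to the id_provider when that provider is ipa; other id providers serve no SELinux maps), and the configuration text it runs over is constructed.

```python
"""Find sssd.conf domains where IPA SELinux user maps are disabled (added example)."""
import configparser

# Constructed sssd.conf: one domain with the workaround from this thread,
# one IPA domain with the default, and one plain LDAP domain that is
# configured but not listed under [sssd] domains.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = bioinf.local, corp.example.com

[domain/bioinf.local]
id_provider = ipa
auth_provider = ipa
ipa_domain = bioinf.local
selinux_provider = none

[domain/corp.example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = corp.example.com

[domain/legacy.example.net]
id_provider = ldap
ldap_uri = ldap://ldap.example.net
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; disable interpolation so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def active_domains(cp):
    """Domains SSSD actually serves: the comma-separated list under [sssd]."""
    raw = cp.get("sssd", "domains", fallback="")
    return {d.strip() for d in raw.split(",") if d.strip()}


def selinux_status(cp, section):
    """Classify one [domain/...] section.

    enabled        - ipa id_provider, selinux_provider unset or "ipa"
    disabled       - ipa id_provider with selinux_provider = none (this thread)
    not-applicable - non-ipa id_provider, which serves no SELinux maps anyway
    """
    idp = cp.get(section, "id_provider", fallback="").strip().lower()
    selp = cp.get(section, "selinux_provider", fallback=None)
    if idp != "ipa":
        return "not-applicable"
    if selp is None or selp.strip().lower() == "ipa":
        return "enabled"
    if selp.strip().lower() == "none":
        return "disabled"
    return "unknown:" + selp.strip()


def audit(text):
    """Return {domain: {"status": ..., "active": bool}} for every domain section."""
    cp = parse_sssd_conf(text)
    active = active_domains(cp)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section.split("/", 1)[1]
        findings[name] = {"status": selinux_status(cp, section),
                          "active": name in active}
    return findings


def domains_without_selinux_maps(text):
    """Active IPA domains on which the server-side SELinux user map is ignored."""
    return sorted(name for name, f in audit(text).items()
                  if f["active"] and f["status"] == "disabled")


if __name__ == "__main__":
    for name, f in audit(SAMPLE_SSSD_CONF).items():
        print(f"{name:24} active={f['active']!s:5} selinux maps: {f['status']}")
    print("review:", domains_without_selinux_maps(SAMPLE_SSSD_CONF))
```

To run it against a real client, replace SAMPLE_SSSD_CONF with the contents of /etc/sssd/sssd.conf (the file is root-readable only). A domain reported as "disabled" is exactly the situation Jakub describes: fine as a temporary workaround for the slow-login bug, but worth reverting once the fixed SSSD is installed if the IPA SELinux user map is part of the host's access policy.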