Re: [Freeipa-users] How does one authenticate Windows login against IPA
Even if you get that to work, you are still stuck with the same issue discussed earlier in this thread -- you need to have a Windows account, either local or AD, to be able to log in and grant rights against. pGina just handles the authentication part. The only way to do either a 1-way Kerberos trust (AD->IPA) or pGina is to somehow sync native IPA users to AD (or Samba AD) to create the "shadow account"? Winsync will not do this.

On 5/18/16 7:49 PM, Michael ORourke wrote:
> What about using the pGina project on the Windows side?
>
> Reference:
> http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/
>
> -Mike
>
> -Original Message-
>> From: John Meyers
>> Sent: May 18, 2016 5:19 PM
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>>
>> All,
>>
>> FreeIPA as we've discovered has some wonderful Windows integration capability, but it is all predicated on Windows AD being the authoritative source of user information. 2-Way trusts are great, but they only work for kerberized applications, not native Windows rights (that would require FreeIPA to act as global catalog as I learned from Alexander). The winsync capability does not, as it turns out, sync native IPA users to AD.
>>
>> The million dollar question is if you are a 90% Linux shop and FreeIPA is your authoritative user repository (AD is a blank slate), how do you perform local Windows login authentication for the 10% of Windows machines against FreeIPA?
>>
>> Thank you all!
>>
>> John
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
[Freeipa-users] AD group membership
Hi,

We seem to have some progress, after reading this blog post about sssd performance tuning:
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

So now we see that on the FreeIPA server, everything is stable and always produces the results we expect with regard to users and group membership. It's also a bit speedier, which is nice.

Unfortunately, on the clients, we are still seeing groups "disappearing" occasionally. We found this thread from late last year that seemed to state exactly what we are seeing, although our sssd_pac.log is empty. I have just added debug_level = 7 to [pac] in sssd.conf on server and client.
https://www.redhat.com/archives/freeipa-users/2015-December/msg00180.html

Did anything come of this?

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper
Re: [Freeipa-users] AD users home directory automount
Ben,

First, you will need to create the automount map in FreeIPA. Example of adding automount maps from the CLI on the IPA server:

1). Get a TGT for the admin user (or equivalent)
kinit admin

2). Create the automount map
ipa automountmap-add default auto.home

3). Add auto.home to auto.master
ipa automountkey-add default --key "/home/domain.org" --info auto.home auto.master

4). Add the key for user accounts
ipa automountkey-add default --key "*" --info "-fstype=nfs3,rw filer.domain.org:/exports/home/&" auto.home

Note: the above command assumes that you have a filer with a FQDN of "filer.domain.org" and NFS exported directory "/exports/home/".

5). Then on the filer, you will need to create directories for each user under /exports/home/ and set the ownership and perms.
mkdir /exports/home/username
cp /etc/skel/.* /exports/home/username
chown -R username:username /exports/home/username
chmod 770 /exports/home/username

Note: if you can't log in to the filer and run commands, then you might have to manually mount /exports/home onto a box with the "root nosquash" option turned on so that you can create the directories and permissions manually.

6). On the client machines, turn off the mkhomedir option (this doesn't work with automounted home dirs).
authconfig --disablemkhomedir --update

7). Create the mount point for the home dir on client machines.
mkdir /home/domain.org

8). On the client machines, turn on the automount option.
ipa-client-automount --location=default

9). On the client machines, make sure the autofs service is enabled and running.
systemctl enable autofs
systemctl start autofs

10). Test automount by logging into the client.

That should do it!

-Mike

-Original Message-
From: "Ben .T.George"
Sent: May 18, 2016 10:03 AM
To: Michael ORourke
Cc: freeipa-users
Subject: Re: [Freeipa-users] AD users home directory automount

Hi,

Thanks for the reply.
Actually I don't want to share from my Trusted AD. My SAN has CIFS and NFS capability.
In this case how can I proceed?

Usually while installing the client, I used to give the options below:
ipa-client-install --server global.ipa.local --domain ipa.local --mkhomedir --fixed-primary
so whenever a user logs in, it creates the home directory automatically under /home/DOMAIN/user.

regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke wrote:
> Yes, because you can point the automount maps to whatever device you want. NFSv4 might be more tricky to set up on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setting that up. I've used Openfiler on a white-box SAN with home dirs and automount maps which is working fine for us.
>
> I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA? Seems like this would be feasible.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 18, 2016 7:38 AM
> To: freeipa-users
> Subject: [Freeipa-users] AD users home directory automount
>
> Hi List,
>
> Is it possible to mount home directories of AD authenticated users from an external source (like SAN or fileshare)?
>
> Regards,
> Ben
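As an added example (not from this thread and not FreeIPA code), the following Python models what autofs does with the maps created in steps 3 and 4 above: the auto.master entry maps a mount point to the indirect map auto.home, a lookup under that mount point uses the first path component as the key, a literal key takes precedence over the "*" wildcard, and "&" in the info string expands to the key. It goes slightly beyond the procedure by adding one constructed literal key ("svc-backup") to show that precedence; the names AUTO_MASTER, MAPS, split_info and resolve are assumptions of this example.

```python
"""Model of how autofs consumes the FreeIPA automount maps created above.

Added example, not FreeIPA code: AUTO_MASTER / MAPS mirror the
`ipa automountkey-add` calls in steps 3 and 4, plus one constructed literal
key ("svc-backup") to show that a literal key wins over the "*" wildcard.
"""
from typing import Dict, Optional, Tuple

# auto.master: mount point -> name of the indirect map (step 3).
AUTO_MASTER: Dict[str, str] = {"/home/domain.org": "auto.home"}

# Indirect maps: map name -> {key: info}. The "*" entry is step 4;
# "svc-backup" is a constructed extra entry for the precedence check.
MAPS: Dict[str, Dict[str, str]] = {
    "auto.home": {
        "*": "-fstype=nfs3,rw filer.domain.org:/exports/home/&",
        "svc-backup": "-fstype=nfs3,ro filer.domain.org:/exports/svc/backup",
    }
}


def split_info(info: str) -> Tuple[str, str]:
    """Split a map info string into (mount options, location).

    autofs options are the leading word starting with "-"; the rest of the
    string is the location (for NFS: host:/export/path).
    """
    parts = info.split()
    if not parts:
        raise ValueError("empty map info")
    if parts[0].startswith("-"):
        return parts[0], " ".join(parts[1:])
    return "", " ".join(parts)


def resolve(path: str,
            master: Dict[str, str] = AUTO_MASTER,
            maps: Dict[str, Dict[str, str]] = MAPS) -> Optional[dict]:
    """Return the mount autofs would perform for `path`, or None.

    Only the first path component below the mount point is used as the map
    key, as for an indirect map; a literal key is preferred over "*", and
    "&" in the info string expands to the key that was looked up.
    """
    for mountpoint, mapname in master.items():
        prefix = mountpoint.rstrip("/") + "/"
        if not path.startswith(prefix):
            continue
        key = path[len(prefix):].split("/", 1)[0]
        if not key:
            return None  # the mount point itself: nothing to mount
        entries = maps.get(mapname, {})
        info = entries.get(key, entries.get("*"))
        if info is None:
            return None  # neither a literal key nor a wildcard matched
        options, location = split_info(info.replace("&", key))
        return {
            "mountpoint": prefix + key,
            "key": key,
            "options": options,
            "location": location,
        }
    return None


if __name__ == "__main__":
    for p in ("/home/domain.org/alice", "/home/domain.org/svc-backup", "/srv/data"):
        print(p, "->", resolve(p))
```

Running it shows that a login as "alice" under /home/domain.org resolves to filer.domain.org:/exports/home/alice with the options from step 4, which is exactly the directory that must already exist on the filer (step 5) for the mount to succeed.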
Re: [Freeipa-users] How does one authenticate Windows login against IPA
What about using the pGina project on the Windows side?

Reference:
http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/

-Mike

-Original Message-
> From: John Meyers
> Sent: May 18, 2016 5:19 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>
> All,
>
> FreeIPA as we've discovered has some wonderful Windows integration capability, but it is all predicated on Windows AD being the authoritative source of user information. 2-Way trusts are great, but they only work for kerberized applications, not native Windows rights (that would require FreeIPA to act as global catalog as I learned from Alexander). The winsync capability does not, as it turns out, sync native IPA users to AD.
>
> The million dollar question is if you are a 90% Linux shop and FreeIPA is your authoritative user repository (AD is a blank slate), how do you perform local Windows login authentication for the 10% of Windows machines against FreeIPA?
>
> Thank you all!
>
> John
Re: [Freeipa-users] HBAC access denied, all AD groups not detected
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Wednesday, 18 May 2016 5:40 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] HBAC access denied, all AD groups not detected
>
> On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote:
> > Hmmm, I also now see
> >
> > https://fedorahosted.org/sssd/ticket/2642
> > and
> > https://bugzilla.redhat.com/show_bug.cgi?id=1217127
> >
> > Versions being run:
> >
> > sssd-client-1.13.0-40.el7_2.4.x86_64
> > sssd-ad-1.13.0-40.el7_2.4.x86_64
> > sssd-proxy-1.13.0-40.el7_2.4.x86_64
> > sssd-1.13.0-40.el7_2.4.x86_64
> > sssd-common-1.13.0-40.el7_2.4.x86_64
> > sssd-common-pac-1.13.0-40.el7_2.4.x86_64
> > sssd-ipa-1.13.0-40.el7_2.4.x86_64
> > sssd-ldap-1.13.0-40.el7_2.4.x86_64
> > python-sssdconfig-1.13.0-40.el7_2.4.noarch
> > sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
> > sssd-krb5-1.13.0-40.el7_2.4.x86_64
> >
> > ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> The reason I asked about the server versions is
> https://bugzilla.redhat.com/show_bug.cgi?id=1304333
>
> I'm not too familiar with how the centos versioning works, can you check if that bug is mentioned in the rpm changelog?

"You are not authorized to access bug #1304333." :(

This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email.

Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt.
Re: [Freeipa-users] want to make new replicas but cert expire
Already changed to a new cert; no error prompt when starting the server. But using ipa-replica-install, the same error comes out. So I should be missing some folder not yet replaced.

On May 19, 2016 at 2:01 AM, "Rob Crittenden" wrote:
> barry...@gmail.com wrote:
>> Hi:
>>
>> I type ipa-replica-install server --ip 192.168.1.3
>>
>> It shows my cert expired. Where should I input the cert?
>>
>> trusted by the user.)
>> preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
>
> You need to sort out your expired certs before you can create a new master.
>
> Why not just renew the GoDaddy certs?
>
> rob
Re: [Freeipa-users] How does one authenticate Windows login against IPA
Thanks. I've experimented with that as well with vanilla MIT Kerberos (prior to using FreeIPA) and I agree it works just fine. However, the limitation I always found was that it is not practical to manually create the "shadow objects" and then keep them in sync. I was hoping the "winsync" feature would actually be able to handle that part of it, but it only seems to be able to deal with accounts that come from AD initially.

On 5/18/16 6:03 PM, Coy Hile wrote:
> When I've done this in the past, I used MIT directly, not IPA. I set up a one way trust, then used "shadow objects" for users mapped using alternateSecurityID. I've set up the same one way trust testing with FreeIPA, but unfortunately I had to use kadmin.local to do it. I don't know that that's actually supported. Simo?
>
> -c
>
> Sent from my iPad
>
>> On May 18, 2016, at 17:19, John Meyers wrote:
>>
>> All,
>>
>> FreeIPA as we've discovered has some wonderful Windows integration capability, but it is all predicated on Windows AD being the authoritative source of user information. 2-Way trusts are great, but they only work for kerberized applications, not native Windows rights (that would require FreeIPA to act as global catalog as I learned from Alexander). The winsync capability does not, as it turns out, sync native IPA users to AD.
>>
>> The million dollar question is if you are a 90% Linux shop and FreeIPA is your authoritative user repository (AD is a blank slate), how do you perform local Windows login authentication for the 10% of Windows machines against FreeIPA?
>>
>> Thank you all!
>>
>> John
Re: [Freeipa-users] How does one authenticate Windows login against IPA
When I've done this in the past, I used MIT directly, not IPA. I set up a one way trust, then used "shadow objects" for users mapped using alternateSecurityID. I've set up the same one way trust testing with FreeIPA, but unfortunately I had to use kadmin.local to do it. I don't know that that's actually supported. Simo?

-c

Sent from my iPad

> On May 18, 2016, at 17:19, John Meyers wrote:
>
> All,
>
> FreeIPA as we've discovered has some wonderful Windows integration capability, but it is all predicated on Windows AD being the authoritative source of user information. 2-Way trusts are great, but they only work for kerberized applications, not native Windows rights (that would require FreeIPA to act as global catalog as I learned from Alexander). The winsync capability does not, as it turns out, sync native IPA users to AD.
>
> The million dollar question is if you are a 90% Linux shop and FreeIPA is your authoritative user repository (AD is a blank slate), how do you perform local Windows login authentication for the 10% of Windows machines against FreeIPA?
>
> Thank you all!
>
> John
[Freeipa-users] How does one authenticate Windows login against IPA
All,

FreeIPA as we've discovered has some wonderful Windows integration capability, but it is all predicated on Windows AD being the authoritative source of user information. 2-Way trusts are great, but they only work for kerberized applications, not native Windows rights (that would require FreeIPA to act as global catalog as I learned from Alexander). The winsync capability does not, as it turns out, sync native IPA users to AD.

The million dollar question is if you are a 90% Linux shop and FreeIPA is your authoritative user repository (AD is a blank slate), how do you perform local Windows login authentication for the 10% of Windows machines against FreeIPA?

Thank you all!

John
Re: [Freeipa-users] want to make new replicas but cert expire
barry...@gmail.com wrote:
> Hi:
>
> I type ipa-replica-install server --ip 192.168.1.3
>
> It shows my cert expired. Where should I input the cert?
>
> trusted by the user.)
> preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked

You need to sort out your expired certs before you can create a new master.

Why not just renew the GoDaddy certs?

rob
Re: [Freeipa-users] LDAP access for user authentication?
Hello Rob

2016-05-18 16:21 GMT+02:00 Rob Crittenden:
> Alexander Skwar wrote:
>>
>> Hello Rob
>>
>> 2016-05-12 0:06 GMT+02:00 Rob Crittenden:
>>>
>>> Alexander Skwar wrote:
>>
>> Important parts here:
>>
>> - [USER_AUTH_FAILED_TECH]
>> - javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]
>>
>> I suppose, the "tech" user doesn't have the sufficient rights.
>
> Is your user "tech?" It doesn't appear to be, though this logging leaves much to be desired.

Well, according to the howto, I created a user with "DN: uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern". That's also what I configured as the "Technical user DN" in my appliance (→ uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern). The password is correct. I double checked.

On the IPA server, I can do:

local@bbva-auth01-prod ~ % ldapsearch -x -D uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern -W | head
# extended LDIF
#
# LDAPv3
# base
Re: [Freeipa-users] LDAP access for user authentication?
Alexander Skwar wrote:
> Hello Rob
>
> 2016-05-12 0:06 GMT+02:00 Rob Crittenden:
>> Alexander Skwar wrote:
>>> The WAF would then send username and password to FreeIPA (using LDAP) and would need to get back whether the combination was good or not.
>>>
>>> Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even know of some good howtos or links? Any gotchas that we'd need to be aware of?
>>
>> Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP
>
> I created the user uid=system as shown in the howto. But my appliance is having issues (so to say). I'm getting errors like this one:
>
> […]
> 2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$] [RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT] [USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636' / cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636 / javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]'"
> 2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$] [RC:7f0100-4094-2016.05.18_1255.33.733-001] exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
> com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
>     at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(LdapUtil.java:410)
>     at com.usp.sls.ldap.service.LDAPServiceWrapper.openContext(LDAPServiceWrapper.java:203)
> […]
>
> Important parts here:
>
> - [USER_AUTH_FAILED_TECH]
> - javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]
>
> I suppose, the "tech" user doesn't have the sufficient rights.

Is your user "tech?" It doesn't appear to be, though this logging leaves much to be desired.

LDAP err 48 means a bind was tried using a bad mechanism, like trying to do a simple bind when stronger auth is required, for example. Or you try to bind with a user that has no password.

What is confusing to me is that the DN doesn't include uid=system, so it may be a configuration error on your part.

> In the Howto, it says:
>
> Note: IPA 4.0 is going to change the default stance on data from nearly everything is readable to nothing is readable, by default. You will eventually need to add some Access Control Instructions (ACI's) to grant read access to the parts of the LDAP tree you will need.
>
> What would be good ACIs to grant read access to cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?

This is not the problem.

rob

> Thanks again,
> Alexander
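As an added example (not part of this thread and not FreeIPA code), the Python below triages the appliance's USER_AUTH_FAILED_TECH audit line quoted above the way Rob reads it: it extracts the LDAP result code and the dn@url context the appliance reports, explains code 48 in RFC 4511 terms, and flags that the reported DN is the users container rather than the configured uid=system technical user DN, which points at the appliance's bind configuration rather than at missing ACIs. The regexes, the function names diagnose and normalize_dn, the result-code table beyond code 48, and the second constructed log line are assumptions of this example; the first sample line is the one from the thread.

```python
"""Triage of the appliance's USER_AUTH_FAILED_TECH audit line quoted above.

Added example, not part of the thread or of FreeIPA. It pulls the LDAP
result code and the "dn@url" context out of the log line and flags the
mismatch Rob points at: the reported DN is the users container, not the
uid=system technical user. Regex shapes, function names and the result-code
table are assumptions of this example; the code meanings follow RFC 4511.
"""
import re
from typing import List, Optional

# What the thread says was configured on the IPA side.
TECH_DN = "uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern"
USERS_BASE_DN = "cn=users,cn=accounts,dc=hydrus,dc=intern"

# RFC 4511 result codes that matter when a bind-then-search client fails.
RESULT_CODES = {
    48: "inappropriateAuthentication: the bind mechanism was rejected, e.g. a "
        "simple bind to an entry that has no password, or a weaker bind than "
        "the server requires",
    49: "invalidCredentials: the DN exists but the password was wrong",
    50: "insufficientAccessRights: the bind was fine, the search is not "
        "allowed (missing ACIs show up here, not as code 48)",
}

LDAP_ERR_RE = re.compile(r"\[LDAP: error code (\d+) - ([^\]]+)\]")
DN_AT_URL_RE = re.compile(r"'([^'@]+)@(ldaps?://[^'\s]+)'")


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: no spaces after commas, lower case."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def diagnose(line: str, tech_dn: str = TECH_DN,
             base_dn: str = USERS_BASE_DN) -> Optional[dict]:
    """Return a triage dict for a USER_AUTH_FAILED_TECH line, else None."""
    if "USER_AUTH_FAILED_TECH" not in line:
        return None
    err = LDAP_ERR_RE.search(line)
    code = int(err.group(1)) if err else None
    ctx = DN_AT_URL_RE.search(line)
    reported_dn = ctx.group(1) if ctx else None
    url = ctx.group(2) if ctx else None

    findings: List[str] = []
    if code in RESULT_CODES:
        findings.append(RESULT_CODES[code])
    if reported_dn is not None:
        if normalize_dn(reported_dn) == normalize_dn(base_dn):
            findings.append("reported DN is the search base, not the technical "
                            "user DN: check the appliance's bind DN setting")
        elif normalize_dn(reported_dn) != normalize_dn(tech_dn):
            findings.append("reported DN matches neither the technical user DN "
                            "nor the search base")
    if url and url.startswith("ldap://"):
        findings.append("bind over plain ldap://: credentials cross the wire "
                        "unencrypted; use ldaps:// or StartTLS")
    return {"code": code, "dn": reported_dn, "url": url, "findings": findings}


# The first ERROR line from the thread, split across literals for readability.
SAMPLE_LOG = (
    "2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$] "
    "[RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT] "
    '[USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due to a '
    "technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid internal "
    "state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636' "
    "/ cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636 / "
    "javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - "
    "Inappropriate Authentication]'\""
)

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

On the thread's line this yields two findings: the code-48 explanation and the search-base-as-DN mismatch. A code 50 after a successful bind would be the signature of the ACI question Alexander asks next; code 48 is not.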
Re: [Freeipa-users] AD users home directory automount
I would start by reading the documentation [1].

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/automount.html

Josh

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ben .T.George
Sent: Wednesday, May 18, 2016 10:04 AM
To: Michael ORourke
Cc: freeipa-users
Subject: Re: [Freeipa-users] AD users home directory automount

Hi,

Thanks for the reply.
Actually I don't want to share from my Trusted AD. My SAN has CIFS and NFS capability.
In this case how can I proceed?

Usually while installing the client, I used to give the options below:
ipa-client-install --server global.ipa.local --domain ipa.local --mkhomedir --fixed-primary
so whenever a user logs in, it creates the home directory automatically under /home/DOMAIN/user.

regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke wrote:
> Yes, because you can point the automount maps to whatever device you want. NFSv4 might be more tricky to set up on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setting that up. I've used Openfiler on a white-box SAN with home dirs and automount maps which is working fine for us.
>
> I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA? Seems like this would be feasible.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 18, 2016 7:38 AM
> To: freeipa-users
> Subject: [Freeipa-users] AD users home directory automount
>
> Hi List,
>
> Is it possible to mount home directories of AD authenticated users from an external source (like SAN or fileshare)?
>
> Regards,
> Ben
Re: [Freeipa-users] AD users home directory automount
Hi,

Thanks for the reply.
Actually I don't want to share from my Trusted AD. My SAN has CIFS and NFS capability.
In this case how can I proceed?

Usually while installing the client, I used to give the options below:
ipa-client-install --server global.ipa.local --domain ipa.local --mkhomedir --fixed-primary
so whenever a user logs in, it creates the home directory automatically under /home/DOMAIN/user.

regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke wrote:
> Yes, because you can point the automount maps to whatever device you want. NFSv4 might be more tricky to set up on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setting that up. I've used Openfiler on a white-box SAN with home dirs and automount maps which is working fine for us.
>
> I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA? Seems like this would be feasible.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 18, 2016 7:38 AM
> To: freeipa-users
> Subject: [Freeipa-users] AD users home directory automount
>
> Hi List,
>
> Is it possible to mount home directories of AD authenticated users from an external source (like SAN or fileshare)?
>
> Regards,
> Ben
Re: [Freeipa-users] LDAP access for user authentication?
Hello Rob

2016-05-12 0:06 GMT+02:00 Rob Crittenden:
>
> Alexander Skwar wrote:
>> The WAF would then send username and password to FreeIPA (using LDAP) and would need to get back whether the combination was good or not.
>>
>> Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even know of some good howtos or links? Any gotchas that we'd need to be aware of?
>
> Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP

I created the user uid=system as shown in the howto. But my appliance is having issues (so to say). I'm getting errors like this one:

[…]
2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$] [RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT] [USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636' / cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636 / javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]'"
2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$] [RC:7f0100-4094-2016.05.18_1255.33.733-001] exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern@ldaps://192.168.94.147:636'
    at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(LdapUtil.java:410)
    at com.usp.sls.ldap.service.LDAPServiceWrapper.openContext(LDAPServiceWrapper.java:203)
[…]

Important parts here:

- [USER_AUTH_FAILED_TECH]
- javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]

I suppose, the "tech" user doesn't have the sufficient rights.

In the Howto, it says:

Note: IPA 4.0 is going to change the default stance on data from nearly everything is readable to nothing is readable, by default. You will eventually need to add some Access Control Instructions (ACI's) to grant read access to the parts of the LDAP tree you will need.

What would be good ACIs to grant read access to cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?

Thanks again,
Alexander

--
=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.sk...@gmail.com <==
Re: [Freeipa-users] AD users home directory automount
Yes, because you can point the automount maps to whatever device you want. NFSv4 might be more tricky to set up on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setting that up. I've used Openfiler on a white-box SAN with home dirs and automount maps which is working fine for us.

I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA? Seems like this would be feasible.

-Mike

-Original Message-
From: "Ben .T.George"
Sent: May 18, 2016 7:38 AM
To: freeipa-users
Subject: [Freeipa-users] AD users home directory automount

Hi List,

Is it possible to mount home directories of AD authenticated users from an external source (like SAN or fileshare)?

Regards,
Ben
Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..
On Mon, May 16, 2016 at 09:34:28AM +0100, lejeczek wrote:
>
>
> On 13/05/16 14:14, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but in such a way so I tap my IPA into a specific OU within that AD.
> > I'm not exactly sure what you mean here. Do you want to join a computer which is already a client in an IPA domain to AD as well? If this is the case I would recommend to consider the IPA trust feature. Joining 2 domains is in general possible with SSSD but has to be done with very great care, e.g. by using different keytabs for each domain.
> >
> > > The thing is - I'm thinking it would make user access control ideal from the start as I need only users from that OU, but also because I'm only granted access to the user/group who has control over that OU.
> > > I'm trying that but I see:
> > >
> > > ! The computer account RIDER already exists, but is not in the desired organizational unit.
> > > adcli: joining domain ccc.bb.aa failed: The computer account RIDER already exists,
> > Computer account names in AD must be unique even if they are added to different OUs. So if there is already a computer called RIDER joined to AD and it is not your computer you have to rename your computer to join. If it is your computer and you want to create it in a different OU you have to delete the old computer object first and then do a fresh join.
> hi Sumit, for me it did not work because of this bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1258488

You might want to have a look at the test build at http://koji.fedoraproject.org/koji/taskinfo?taskID=14148923 which includes a patch which should fix bz1258488.

bye,
Sumit

> > HTH
> >
> > bye,
> > Sumit
> >
> > > ! Failed to join the domain
> > >
> > > I'm doing this:
> > > $ realm join ccc.bb.aa --user=private-user --computer-ou=private
> > >
> > > and the computer is in OU=private of ccc.bb.aa
> > > so is the user private-user
> > >
> > > many thanks.
> > > L
[Freeipa-users] AD users home directory automount
Hi List,

Is it possible to mount home directories of AD authenticated users from
an external source (like SAN or fileshare)?

Regards,
Ben
Re: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version
Hi All,

again repo is down.

Regards,
Ben

On Mon, May 2, 2016 at 2:04 PM, Alexander Bokovoy wrote:
> On Mon, 02 May 2016, Ben .T.George wrote:
> >
> > HI
> >
> > thanks
> >
> > yes now it's working and yesterday it was not.
> >
> COPR service SLA is weaker than primary Fedora repositories. Basically,
> we have no promise COPR would be available all the time.
>
> --
> / Alexander Bokovoy
>
[Freeipa-users] want to make new replicas but cert expire
Hi:

I type ipa-replica-install server --ip 192.168.1.3
it shows my cert expired
where (what location) should I input the cert ?

preparation of replica failed: cannot connect to
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient':
[Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer
has been marked as not trusted by the user.)

thkx
Re: [Freeipa-users] Reverse DNS
On 18.05.2016 11:13, Andrew Holway wrote:
> Hello,
>
> I see that our default installation of IdM is working quite well
> without rdns configured (it's on AWS). We're not doing anything
> complicated with it yet but is there anything that definitely will not
> work?
>
> Cheers,
>
> Andrew

Hello,

IPA services and clients are able to work without reverse DNS. If you
are using something else in your environment, you must find out if
reverse records are needed :)

Martin
[Freeipa-users] Advice sought on monitoring freeipa status
Hi

I'm trying to set up some monitoring of our freeipa installation.

To start with, I'd like to know eg:

1) If replication stopped
2) Whether the ldap databases on replicas are inconsistent with each other.

We have RHEL7 freeipa servers and RHEL6 and RHEL7 clients, all with
latest distribution packages.

I see a number of pages at www.ipa.org about monitoring freeipa in
various ways, but I'm not sure any were actually implemented yet.

Then I found this:
https://github.com/peterpakos/ipa_check_consistency
which looks useful but seems to require a plain text password for a
privileged ldap account to be embedded in a file, which is less than
ideal.

So, I was wondering, as a stop gap, whether it's possible to control the
server that the ipa commands talk to at the command line? One could then
run a cron job to iterate through the servers and compare various
outputs from ipa commands. However, the ipa man page suggests the ipa
command will go for either the server explicitly set in
/etc/ipa/default.conf or, if unavailable, use those set in the DNS
_SRV_ records.

Maybe there is a better way to do this that I missed altogether?

Roderick Johnstone
Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..
On Wed, 18 May 2016, lejeczek wrote:
> On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:
> > On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> > > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > > > .. if possible, would you know?
> > > > > hi everybody,
> > > > > I'm trying, and hoping it is possible to realm join an AD but
> > > > > in such a way so I tap my IPA into specific OU within that AD.
> > > >
> > > > I'm not exactly sure what you mean here. Do you want to join a
> > > > computer which is already a client in an IPA domain to AD as well?
> > > > If this is the case I would recommend considering the IPA trust
> > > > feature. Joining 2 domains is in general possible with SSSD but
> > > > has to be done with very great care, e.g. by using different
> > > > keytabs for each domain.
> > > Can IPA domain establish a trust between win AD if IPA admin only
> > > has admin control over an OU in win AD ?
> >
> > No, you need to be a Domain Admin with full privileges.
>
> many thanks Simo, when I try user who only has delegated
> admin/management over a OU I see:
>
> Active Directory domain administrator's password:
> ipa: ERROR: Insufficient access: CIFS server denied your credentials.

That's correct. You need to be a member of Domain Admins group of the
forest root domain or a member of Enterprise Admins group in the forest.

> Would joining an IPA server to winAD with realmd be kind of one way
> trust?

No, not at all. Trust != joining a machine to AD domain.

> Is it even possible (with no reasons against doing so) to join IPA
> server/domain to AD?

No. A machine in Active Directory can only be a member of a single
domain. It cannot be a servant of two masters.

> I mean I did that and I could get AD users IDs but there was some
> problem with krb5, config got messed up and daemon would not start.

If you like to enjoy broken configurations, it is up to you. There is
probably a reason why obvious things don't work.

If you want to know more about Active Directory, feel free to read specs
at MSDN. Start with MS-ADTS:
https://msdn.microsoft.com/en-us/library/cc223122.aspx

--
/ Alexander Bokovoy
Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..
On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:
> On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > > .. if possible, would you know?
> > > > hi everybody,
> > > > I'm trying, and hoping it is possible to realm join an AD but
> > > > in such a way so I tap my IPA into specific OU within that AD.
> > >
> > > I'm not exactly sure what you mean here. Do you want to join a
> > > computer which is already a client in an IPA domain to AD as well?
> > > If this is the case I would recommend considering the IPA trust
> > > feature. Joining 2 domains is in general possible with SSSD but
> > > has to be done with very great care, e.g. by using different
> > > keytabs for each domain.
> > Can IPA domain establish a trust between win AD if IPA admin only
> > has admin control over an OU in win AD ?
>
> No, you need to be a Domain Admin with full privileges.

many thanks Simo, when I try user who only has delegated
admin/management over a OU I see:

Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials.

Would joining an IPA server to winAD with realmd be kind of one way
trust?
Is it even possible (with no reasons against doing so) to join IPA
server/domain to AD?
I mean I did that and I could get AD users IDs but there was some
problem with krb5, config got messed up and daemon would not start.

> >
> > I know very little about AD and only started with IPA - I don't suppose
> > control of OU delegated to a user makes that user AD admin.
> >
>
> It doesn't.
>
> >
> > I guess what I'm thinking, asking, is - what would be the correct
> > possible way to plug in, connect IPA domain to win AD when one has
> > admin control only over a OU in win AD?
>
> Not sure you can even do sync, there isn't really much you can do with
> those privileges, you are basically just allowed to administer a
> "group".
>
> Simo.
>
[Freeipa-users] Reverse DNS
Hello,

I see that our default installation of IdM is working quite well without
rdns configured (it's on AWS). We're not doing anything complicated with
it yet but is there anything that definitely will not work?

Cheers,

Andrew
Re: [Freeipa-users] Limiting directory listing for all users in self service
On 18.5.2016 10:27, Marc Peiser wrote:
> Hi all,
>
> We're busy rolling out freeipa internally and one thing we would like to
> limit is the ability for normal users to view all users in the directory
> via the self service portal. We only want the user to see their particular
> details. Is this possible?

This could theoretically be done using ACI in LDAP but please see
https://www.redhat.com/archives/freeipa-users/2016-March/msg00071.html
for elaborate discussion. It would have significant consequences.

--
Petr^2 Spacek
[Freeipa-users] Limiting directory listing for all users in self service
Hi all,

We're busy rolling out freeipa internally and one thing we would like to
limit is the ability for normal users to view all users in the directory
via the self service portal. We only want the user to see their particular
details. Is this possible?

Thanks,
Marc
Re: [Freeipa-users] HBAC access denied, all AD groups not detected
On Wed, 18 May 2016, Jakub Hrozek wrote:
> On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote:
> > Hmmm, I also now see
> >
> > https://fedorahosted.org/sssd/ticket/2642
> > and
> > https://bugzilla.redhat.com/show_bug.cgi?id=1217127
> >
> > Versions being run:
> >
> > sssd-client-1.13.0-40.el7_2.4.x86_64
> > sssd-ad-1.13.0-40.el7_2.4.x86_64
> > sssd-proxy-1.13.0-40.el7_2.4.x86_64
> > sssd-1.13.0-40.el7_2.4.x86_64
> > sssd-common-1.13.0-40.el7_2.4.x86_64
> > sssd-common-pac-1.13.0-40.el7_2.4.x86_64
> > sssd-ipa-1.13.0-40.el7_2.4.x86_64
> > sssd-ldap-1.13.0-40.el7_2.4.x86_64
> > python-sssdconfig-1.13.0-40.el7_2.4.noarch
> > sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
> > sssd-krb5-1.13.0-40.el7_2.4.x86_64
> >
> > ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> The reason I asked about the server versions is
> https://bugzilla.redhat.com/show_bug.cgi?id=1304333
>
> I'm not too familiar with how the centos versioning works, can you
> check if that bug is mentioned in the rpm changelog?

No, these packages are not at the level where all known membership bugs
were fixed. RHEL 7.2 build should be ipa-4.2.0-15.el7_2.15. A
corresponding CentOS build is already available in updates and it is
ipa-4.2.0-15.el7.centos.15

--
/ Alexander Bokovoy
Re: [Freeipa-users] HBAC access denied, all AD groups not detected
On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote:
> Hmmm, I also now see
>
> https://fedorahosted.org/sssd/ticket/2642
> and
> https://bugzilla.redhat.com/show_bug.cgi?id=1217127
>
> Versions being run:
>
> sssd-client-1.13.0-40.el7_2.4.x86_64
> sssd-ad-1.13.0-40.el7_2.4.x86_64
> sssd-proxy-1.13.0-40.el7_2.4.x86_64
> sssd-1.13.0-40.el7_2.4.x86_64
> sssd-common-1.13.0-40.el7_2.4.x86_64
> sssd-common-pac-1.13.0-40.el7_2.4.x86_64
> sssd-ipa-1.13.0-40.el7_2.4.x86_64
> sssd-ldap-1.13.0-40.el7_2.4.x86_64
> python-sssdconfig-1.13.0-40.el7_2.4.noarch
> sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
> sssd-krb5-1.13.0-40.el7_2.4.x86_64
>
> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64

The reason I asked about the server versions is
https://bugzilla.redhat.com/show_bug.cgi?id=1304333

I'm not too familiar with how the centos versioning works, can you
check if that bug is mentioned in the rpm changelog?
Re: [Freeipa-users] HBAC access denied, all AD groups not detected
On Wed, May 18, 2016 at 09:46:49AM +1000, Lachlan Musicman wrote:
> It's worth noting that, in difference to the bug report:
>
> 1. We aren't making changes to the overrides. The overrides exist, they
> just aren't propagating evenly or consistently.
> 2. We are seeing these errors in the various logs:
>
>
> sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]]
> [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
> sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
>
>
> krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8929]]]]
> [k5c_send_data] (0x0200): Received error code 0
> krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8931]]]]
> [k5c_send_data] (0x0200): Received error code 1432158214
>
> sssd_nss.log:Error: 3, 0, Account info lookup failed
> sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply]
> (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error
> message: Account info lookup failed
> sssd_nss.log:Error: 3, 22, Account info lookup failed
> sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply]
> (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error
> message: Account info lookup failed

You need to look into the failures in the domain log that happened at the
same time as these. Some failures are recoverable, in some other cases
we're just reporting failure even if we just didn't match any entry (yes,
that's a subtle bug we should fix).
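Jakub's advice above is to read the domain provider's log at the moment the nss responder reported "Account info lookup failed". The script below is an added example, not code from the thread or from SSSD: it parses lines in the debug-log format quoted above and lists the domain-log errors logged within a few seconds of each failed lookup. The embedded log lines are constructed to mirror the thread's format, and the five-second window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# An SSSD debug log line, as quoted in the thread, looks like:
# "(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_delete_group] (0x0400): Error: 2 (...)"
LINE_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\) "
    r"\[(?P<proc>.*?)\] \[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse_sssd_log(text):
    """Parse lines in the SSSD debug format; summary and wrapped lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
        entries.append(e)
    return entries

def correlate(nss_text, domain_text, window=timedelta(seconds=5)):
    """For each failed lookup in the nss log, return (timestamp, [(func, msg), ...])
    of domain-log entries mentioning an error within +/- window of it."""
    domain = parse_sssd_log(domain_text)
    hits = []
    for n in parse_sssd_log(nss_text):
        if "Account info lookup failed" not in n["msg"]:
            continue
        near = [(d["func"], d["msg"]) for d in domain
                if abs(d["ts"] - n["ts"]) <= window and "Error" in d["msg"]]
        hits.append((n["ts"], near))
    return hits

# Constructed sample lines in the format quoted in the thread (not real logs).
NSS_LOG = """\
(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Account info lookup failed
(Wed May 18 09:01:30 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
"""
DOMAIN_LOG = """\
(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
(Wed May 18 09:01:02 2016) [sssd[be[DOMAIN]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
(Wed May 18 09:01:03 2016) [sssd[be[DOMAIN]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
"""

if __name__ == "__main__":
    for ts, near in correlate(NSS_LOG, DOMAIN_LOG):
        print(ts, "->", near or "no domain-log error within the window")
```

On a real host, replace the embedded strings with the contents of /var/log/sssd/sssd_nss.log and the sssd_<domain>.log for the domain in question.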