[Freeipa-users] ipa-client-install: please look for SELINUX=disabled

2017-05-12 Thread Harald Dunkel
Hi folks,

RHEL 7.3, sssd 1.14.0:

If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail
(without telling why) and users cannot login. *Extremely* painful.

Do you think ipa-client-install could add

selinux_provider = none

to the generated sssd.conf file, if selinux is disabled?

Another option might be to check at runtime.


Thanx in advance
Harri

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
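A runtime check of the kind Harald suggests, as an added example that is not part of the thread, of ipa-client-install or of sssd: it reads the SELINUX= setting from /etc/selinux/config and, when SELinux is disabled, makes sure every [domain/...] section of sssd.conf sets selinux_provider = none. The file contents below are constructed samples; the two paths are the standard ones on RHEL 7.

```python
"""Add 'selinux_provider = none' to sssd.conf domains when SELinux is disabled.
Added example, not code from ipa-client-install or sssd."""
import re

SELINUX_CONFIG = "/etc/selinux/config"   # standard path on RHEL 7
SSSD_CONF = "/etc/sssd/sssd.conf"        # standard path on RHEL 7 (mode 0600)

_SELINUX_RE = re.compile(r"SELINUX\s*=\s*(\S+)")        # does not match SELINUXTYPE=
_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^\s*([^=#;\s][^=]*?)\s*=\s*(.*?)\s*$")


def selinux_disabled(config_text: str) -> bool:
    """True when the last uncommented SELINUX= line says 'disabled' (any case)."""
    value = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _SELINUX_RE.match(stripped)
        if m:
            value = m.group(1).lower()
    return value == "disabled"


def ensure_selinux_provider_none(sssd_text: str):
    """Return (new_text, changed_sections).

    Every [domain/...] section ends up with 'selinux_provider = none': the line is
    inserted right after the header when absent and rewritten when set otherwise."""
    lines = sssd_text.splitlines()
    sections, start, name = [], None, None
    for i, line in enumerate(lines):
        m = _SECTION_RE.match(line)
        if m:
            if name is not None:
                sections.append((name, start, i))
            name, start = m.group(1), i
    if name is not None:
        sections.append((name, start, len(lines)))

    changed = []
    # Walk back to front so an insert never shifts an earlier section's indices.
    for sec_name, sec_start, sec_end in reversed(sections):
        if not sec_name.startswith("domain/"):
            continue
        for j in range(sec_start + 1, sec_end):
            km = _KEY_RE.match(lines[j])
            if km and km.group(1) == "selinux_provider":
                if km.group(2) != "none":
                    lines[j] = "selinux_provider = none"
                    changed.append(sec_name)
                break
        else:  # no selinux_provider key anywhere in this domain section
            lines.insert(sec_start + 1, "selinux_provider = none")
            changed.append(sec_name)
    changed.reverse()
    return "\n".join(lines) + "\n", changed


def reconcile(selinux_config_text: str, sssd_text: str):
    """Apply the fix only when SELinux is disabled; otherwise leave sssd.conf alone."""
    if not selinux_disabled(selinux_config_text):
        return sssd_text, []
    return ensure_selinux_provider_none(sssd_text)


# Constructed sample files standing in for the real ones on an IPA client.
SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
"""

SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam, ssh, sudo

[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa.example.test

[nss]
homedir_substring = /home
"""

if __name__ == "__main__":
    # On a real host read SELINUX_CONFIG and SSSD_CONF instead of the samples.
    new_conf, touched = reconcile(SAMPLE_SELINUX_CONFIG, SAMPLE_SSSD_CONF)
    print("sections changed:", touched)
    print(new_conf)
```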


[Freeipa-users] Timing behavior on access to AD groups

2017-05-12 Thread Dan Dietterich
I have noticed this behavior when setting up an external AD group:

1. create trust

2. create external group

3. add Group@Domain to external group - FAILS: "trusted domain object not found"

4. retry: add Group@Domain to external group - SUCCESS

Two questions:

1. Is this expected behavior?

2. Is there something I can do - short of sleep-retry - to make this reliably succeed?

Thank you!

Dan


Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-12 Thread Rob Crittenden
Robert L. Harris wrote:
> 
> Hmmm
> 
> {0}:/var/log>ls
> anaconda  btmp  dmesg  grubby  maillog   pppsecure  
> tallylog  wtmp
> audit cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler
>  tuned yum.log
> boot.log  cups  firewalld  lastlog ntpstats  samba  sssd
> vmware-vmsvc.log
> 
> 
> root@ipa
> {1}:/var/log>rpm -q -l http
> package http is not installed
> 
> root@ipa
> {1}:/var/log>rpm -q -a | grep -i http
> perl-HTTP-Tiny-0.033-3.el7.noarch
> 
> root@ipa
> {0}:/var/log>rpm -q -a | grep -i tomcat
> 
> 
> Doesn't look like an httpd was installed as a dependency?

I find this very hard to believe given that it got so far as to configure
things in Apache, restart it, etc. What version of [free]ipa-server is
installed? How did you install it and from what repo?

rob

> 
> 
> 
> 
> 
> On Fri, May 12, 2017 at 1:17 AM Martin Bašti wrote:
> 
> That's weird, it should be super fast, anything in
> /var/log/httpd/error_log?
> 
> 
> On 11.05.2017 22:23, Robert L. Harris wrote:
>>
>> Odd, must have clicked reply instead of reply-all.
>>
>> Anyway, I did the revert and re-install.  Actual install went
>> through fine then the "ipa-server-install" ran until this:
>>
>>   [8/9]: restoring configuration
>>   [9/9]: starting directory server
>> Done.
>> Restarting the directory server
>> Restarting the KDC
>> Please add records in this file to your DNS system:
>> /tmp/ipa.system.records.v5Jwrt.db
>> Restarting the web server
>> Configuring client side components
>> Using existing certificate '/etc/ipa/ca.crt'.
>> Client hostname: ipa.rdlg.net 
>> Realm: RDLG.NET 
>> DNS Domain: rdlg.net 
>> IPA Server: ipa.rdlg.net 
>> BaseDN: dc=rdlg,dc=net
>>
>> Skipping synchronizing time with NTP server.
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> trying https://ipa.rdlg.net/ipa/json
>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>
>>
>> It's been sitting there for a while ( 4 hours? )  I don't see
>> anything in the ipaserver-install.log, but it's here:
>>  https://pastebin.com/biK1Dmv7
>>
>>
>>
>> On Thu, May 11, 2017 at 8:12 AM Martin Bašti wrote:
>>
>> Please keep freeipa-users in CC
>>
>> Snapshot is always better, so I suggest to use it. Otherwise
>> there is an option --ignore-last-of-role to unblock
>> uninstallation.
>>
>> Martin
>>
>>
>> On 11.05.2017 16:00, Robert L. Harris wrote:
>>>
>>> Looks like you hit it, apache didn't have a group:
>>>
>>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu
>>> 2017-05-11 07:48:27 MDT. --
>>> May 10 20:36:00 ipa.rdlg.net 
>>> systemd[1]: Starting The Apache HTTP Server...
>>> May 10 20:36:00 ipa.rdlg.net 
>>> ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy
>>> enabled
>>> May 10 20:36:00 ipa.rdlg.net 
>>> httpd[28809]: AH00544: httpd: bad group name apache
>>> May 10 20:36:00 ipa.rdlg.net 
>>> systemd[1]: httpd.service: main process exited, code=exited,
>>> status=1/FAILURE
>>> May 10 20:36:00 ipa.rdlg.net 
>>> kill[28812]: kill: cannot find process ""
>>> May 10 20:36:00 ipa.rdlg.net 
>>> systemd[1]: httpd.service: control process exited,
>>> code=exited status=1
>>> May 10 20:36:00 ipa.rdlg.net 
>>> systemd[1]: Failed to start The Apache HTTP Server.
>>> May 10 20:36:00 ipa.rdlg.net 
>>> systemd[1]: Unit httpd.service entered failed state.
>>> May 10 20:36:00 ipa.rdlg.net 
>>> systemd[1]: httpd.service failed.
>>>
>>> Thanks, didn't know that command.  I tried to continue the
>>> process:
>>>
>>> {0}:/root>ipa-server-install
>>>
>>> The log file for this installation can be found in
>>> /var/log/ipaserver-install.log
>>> ipa.ipapython.install.cli.install_tool(Server): ERRORIPA
>>> server is already configured on this system.
>>> If you want to reinstall the IPA server, please uninstall it
>>> first using 'ipa-server-install --uninstall'.
>>> ipa.ipapython.install.cli.install_tool(Server): ERRORThe
>>> ipa-server-install command failed. See
>>> /var/log/ipaserver-install.log for more information
>>>
>>> root@ipa
>>> {1}:/root>ipa-server-install  --uninstall
>>>
>>>  

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-12 Thread Robert L. Harris
Hmmm

{0}:/var/log>ls
anaconda  btmp  dmesg  grubby  maillog   pppsecure
tallylog  wtmp
audit cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler
 tuned yum.log
boot.log  cups  firewalld  lastlog ntpstats  samba  sssd
vmware-vmsvc.log


root@ipa
{1}:/var/log>rpm -q -l http
package http is not installed

root@ipa
{1}:/var/log>rpm -q -a | grep -i http
perl-HTTP-Tiny-0.033-3.el7.noarch

root@ipa
{0}:/var/log>rpm -q -a | grep -i tomcat


Doesn't look like an httpd was installed as a dependency?





On Fri, May 12, 2017 at 1:17 AM Martin Bašti  wrote:

> That's weird, it should be super fast, anything in
> /var/log/httpd/error_log?
>
> On 11.05.2017 22:23, Robert L. Harris wrote:
>
>
> Odd, must have clicked reply instead of reply-all.
>
> Anyway, I did the revert and re-install.  Actual install went through fine
> then the "ipa-server-install" ran until this:
>
>   [8/9]: restoring configuration
>   [9/9]: starting directory server
> Done.
> Restarting the directory server
> Restarting the KDC
> Please add records in this file to your DNS system:
> /tmp/ipa.system.records.v5Jwrt.db
> Restarting the web server
> Configuring client side components
> Using existing certificate '/etc/ipa/ca.crt'.
> Client hostname: ipa.rdlg.net
> Realm: RDLG.NET
> DNS Domain: rdlg.net
> IPA Server: ipa.rdlg.net
> BaseDN: dc=rdlg,dc=net
>
> Skipping synchronizing time with NTP server.
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> trying https://ipa.rdlg.net/ipa/json
> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>
>
> It's been sitting there for a while ( 4 hours? )  I don't see anything in
> the ipaserver-install.log, but it's here:  https://pastebin.com/biK1Dmv7
>
>
>
> On Thu, May 11, 2017 at 8:12 AM Martin Bašti  wrote:
>
>> Please keep freeipa-users in CC
>>
>> Snapshot is always better, so I suggest to use it. Otherwise there is an
>> option --ignore-last-of-role to unblock uninstallation.
>>
>> Martin
>>
>> On 11.05.2017 16:00, Robert L. Harris wrote:
>>
>>
>> Looks like you hit it, apache didn't have a group:
>>
>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11
>> 07:48:27 MDT. --
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP
>> Server...
>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa :
>> INFO KDC proxy enabled
>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group
>> name apache
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process
>> exited, code=exited, status=1/FAILURE
>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process
>> exited, code=exited status=1
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP
>> Server.
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered
>> failed state.
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>
>> Thanks, didn't know that command.  I tried to continue the process:
>>
>> {0}:/root>ipa-server-install
>>
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>> ipa.ipapython.install.cli.install_tool(Server): ERRORIPA server is
>> already configured on this system.
>> If you want to reinstall the IPA server, please uninstall it first using
>> 'ipa-server-install --uninstall'.
>> ipa.ipapython.install.cli.install_tool(Server): ERRORThe
>> ipa-server-install command failed. See /var/log/ipaserver-install.log for
>> more information
>>
>> root@ipa
>> {1}:/root>ipa-server-install  --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and
>> configuration!
>>
>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>> ipa : ERRORServer removal aborted: Deleting this server is
>> not allowed as it would leave your installation without a CA..
>>
>>
>>
>> This is a VM and I took a snapshot right before I started the install, so
>> I can revert, just make sure to add the apache user before starting the
>> install.  Or if you have a better command to continue the
>> clean-up/install.
>>
>>
>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti  wrote:
>>
>>> Hello,
>>>
>>> comments inline
>>>
>>> On 11.05.2017 06:06, Robert L. Harris wrote:
>>>
>>>
>>> Sigh... Sorry, it's been a long day, I thought I put that log in the
>>> first pastebin.  It's in this one:  https://pastebin.com/18PAXXNS
>>>
>>>
>>> Could you please provide journalctl -u httpd and
>>> /var/log/httpd/error_log ?
>>>
>>>
>>>
>>>
>>> Also,
>>>Anyone else get the constant spam when mailing this list?  Got an
>>> address to block for it?
>>>
>>>
>>> Sorry for that, there is a bot mining public archives. We plan to
>>> resolve this issue but it may take time as we are 

Re: [Freeipa-users] How do you allow Active Directory Users to login to the webgui

2017-05-12 Thread Alexander Bokovoy

On Fri, 12 May 2017, Tym Rehm wrote:

So I'm testing a new freeipa 4.x setup that has a one-way trust to Active
Directory. I have been able to define user groups to access the AD groups
and configure the groups to work with HBAC rules. So my AD users are able
to ssh into the client machines if HBAC allows them to.

The issue I'm having is that I would like to allow the AD users to login to
the webgui. I currently have the users defined in the ID views
(Default Trust View). I'm only setting the Home Directory at present,
should I add to the ID view?

As Flo pointed out, login to web UI as AD user only works in FreeIPA
4.5.1+. If you have 4.4, you can only get AD users to access IPA CLI. To
do that you only need to create ID override as admin:

ipa idoverrideuser-add 'Default Trust View' u...@ad.test

Just creating an ID override without anything else is enough.

Web UI support for AD users' self-service is only in 4.5.1+ which is
currently not packaged anywhere, I guess.

--
/ Alexander Bokovoy



Re: [Freeipa-users] How do you allow Active Directory Users to login to the webgui

2017-05-12 Thread Florence Blanc-Renaud

On 05/12/2017 04:09 PM, Tym Rehm wrote:

So I'm testing a new freeipa 4.x setup that has a one-way trust to
Active Directory. I have been able to define user groups to access the
AD groups and configure the groups to work with HBAC rules. So my AD
users are able to ssh into the client machines if HBAC allows them to.

The issue I'm having is that I would like to allow the AD users to login
to the webgui. I currently have the users defined in the ID views
(Default Trust View). I'm only setting the Home Directory at present,
should I add to the ID view?

Thanks

--
--
Do not meddle in the affairs of dragons cause you are crunchy and good
with ketchup.




Hi Tym,

this feature is available since FreeIPA 4.5.1 (see ticket 3242 [1]). You 
need to define an idoverrideuser for each AD user with:

$ ipa idoverrideuser-add 'Default Trust View' adu...@ad-domain.com

HTH,
Flo.

[1] https://pagure.io/freeipa/issue/3242



Re: [Freeipa-users] Fwd: DNS update failing

2017-05-12 Thread Jason Sherrill
I apologize, nsupdate is working as intended, I was attempting to update a
client from the host ipa. I've a separate issue from clients when running

testbook3:etc jsherrill$ kinit -kt /etc/krb5.keytab


Thanks again!

On Fri, May 12, 2017 at 10:34 AM, Jason Sherrill 
wrote:

> The following log entry from *named-pkcs11* coincides with update
> attempts via nsupdate:
>
>
> May 12 10:07:49 ipa-1.int.dplcl.com named-pkcs11[1350]: client
> 10.0.1.5#47261/key host/ipa-1.int.dplcl.com\@INT.DPLCL.COM: updating zone
> 'int.dplcl.com/IN': update failed: rejected by secure update (REFUSED)
>
> The client is running macos X with network services configured to use
> 10.0.1.5 and the following /etc/resolv.conf:
>
> search int.dplcl.com
>
> nameserver 10.0.1.5
>
> nameserver 8.8.8.8
>
>
> Thanks!
>
>
> On Fri, May 12, 2017 at 9:27 AM, Martin Bašti  wrote:
>
>> Hello, could you check journalctl -u named-pkcs11 on server, there might
>> be more detailed description why it failed. What do you have configured in
>> /etc/resolv.conf on client side, is there directly IP address of the server?
>>
>> On 12.05.2017 15:04, Jason Sherrill wrote:
>>
>> Mistakenly failed to post to freeipa-users.
>>
>> -- Forwarded message --
>> From: Jason Sherrill 
>> Date: Thu, May 11, 2017 at 9:16 AM
>> Subject: Re: [Freeipa-users] DNS update failing
>> To: Martin Bašti 
>>
>>
>> Thank you for the assistance, Martin. The reverse zone is working because
>> of a policy I'd added: grant * tcp-self *. The same entry for the
>> forward zone did not work. I ran the manual update as described and was
>> refused. It seems GSS-TSIG is working, but the update is still refused:
>>
>> [root@ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab
>>
>> [root@ipa-1 jsherrill]# nsupdate -g
>>
>> > debug
>>
>> > update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
>>
>> >
>>
>> Reply from SOA query:
>>
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  45996
>>
>> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>>
>> ;testbook3.int.dplcl.com. IN SOA
>>
>> ;; AUTHORITY SECTION:
>>
>> int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
>> 1494432187 3600 900 1209600 3600
>>
>> Found zone name: int.dplcl.com
>>
>> The master is: ipa-1.int.dplcl.com
>>
>> start_gssrequest
>>
>> Found realm from ticket: INT.DPLCL.COM
>>
>> send_gssrequest
>>
>> Outgoing update query:
>>
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945
>>
>> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; QUESTION SECTION:
>>
>> ;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
>>
>> ;; ADDITIONAL SECTION:
>>
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. 
>>
>> recvmsg reply from GSS-TSIG query
>>
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945
>>
>> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>>
>> ;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
>>
>> ;; ANSWER SECTION:
>>
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. 
>>
>> Sending update to 10.0.1.5#53
>>
>> Outgoing update query:
>>
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  13230
>>
>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>>
>> ;; UPDATE SECTION:
>>
>> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
>>
>> ;; TSIG PSEUDOSECTION:
>>
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig.  13230
>> NOERROR 0
>>
>>
>> Reply from update query:
>>
>> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  13230
>>
>> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>>
>> ;; ZONE SECTION:
>>
>> ;int.dplcl.com. IN SOA
>>
>> ;; TSIG PSEUDOSECTION:
>>
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. 13230
>> NOERROR 0
>>
>>
>> On Thu, May 11, 2017 at 4:09 AM, Martin Bašti  wrote:
>>
>>>
>>>
>>> On 10.05.2017 18:38, Jason Sherrill wrote:
>>>
>>> Hello,
>>>
>>> I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
>>> and Windows 10 with limited issues!
>>>
>>> One issue is that updating the reverse zone via nsupdate works without
>>> issue, updating to the forward zone results in a REFUSED status. Below is
>>> my zone config, named.conf, and an example of client-side behavior.  I'm
>>> new to nearly all systems involved- misconfiguration is likely. Thanks!
>>>
>>>
>>> From freeIPA server:
>>>
>>> #  ipa dnszone-show int.dplcl.com --all
>>>
>>>
>>>  dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
>>>
>>>  Zone name: int.dplcl.com.
>>>
>>>  Active zone: TRUE
>>>
>>>  Authoritative nameserver: ipa-1.int.dplcl.com.
>>>
>>>  Administrator e-mail address: hostmaster.int.dplcl.com.
>>>
>>>  SOA serial: 1494344164
>>>
>>>  SOA refresh: 3600
>>>
>>>  SOA retry: 900
>>>
>>>  SOA expire: 1209600
>>>
>>>  SOA minimum: 3600
>>>
>>>  BIND update policy: 
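An added example (not from the thread, from BIND or from FreeIPA) that evaluates BIND update-policy rules of the two kinds discussed here, krb5-self and tcp-self, to show why a GSS-TSIG update signed by the IPA server's own host principal is refused for another host's A record while the reverse zone accepts a client's own PTR. The forward policy text is an assumed FreeIPA-style default (the dnszone-show output above is cut off before its value); the principal, names and addresses are those from the debug output in the thread.

```python
"""Evaluate BIND update-policy krb5-self / tcp-self rules against an update.
Added example; not code from BIND or FreeIPA."""
import ipaddress
import re
from dataclasses import dataclass

# A rule with no explicit types covers every type except these (BIND semantics).
_IMPLICIT_EXCLUDED = frozenset({"RRSIG", "NS", "SOA", "NSEC", "NSEC3"})

_RULE_RE = re.compile(
    r"(grant|deny)\s+(\S+)\s+(krb5-self|tcp-self)\s+(\S+)\s*([^;]*);", re.IGNORECASE)
_PRINCIPAL_RE = re.compile(r"host/([^@]+)@(.+)")


@dataclass(frozen=True)
class Rule:
    action: str       # "grant" or "deny"
    identity: str     # Kerberos realm for krb5-self; "*" in the tcp-self rule from the thread
    match: str        # "krb5-self" or "tcp-self"
    name: str         # name field; not interpreted here (BIND ignores it for krb5-self)
    types: frozenset  # RR types covered; empty means "everything but _IMPLICIT_EXCLUDED"


def parse_policy(text: str) -> list:
    """Parse 'grant|deny IDENTITY MATCHTYPE NAME [TYPE ...];' rules, keeping their order."""
    rules = []
    for action, identity, match, name, types in _RULE_RE.findall(text):
        rules.append(Rule(action.lower(), identity, match.lower(), name,
                          frozenset(t.upper() for t in types.split())))
    return rules


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".")


def _type_covered(rule: Rule, rtype: str) -> bool:
    rtype = rtype.upper()
    return rtype in rule.types if rule.types else rtype not in _IMPLICIT_EXCLUDED


def _krb5_self_hit(rule: Rule, principal: str, target: str) -> bool:
    """krb5-self: host/<machine>@<REALM> may only touch the records of <machine> itself."""
    m = _PRINCIPAL_RE.fullmatch(principal)
    if m is None:
        return False
    machine, realm = m.groups()
    if rule.identity != "*" and realm.upper() != rule.identity.upper():
        return False
    return _fqdn(machine) == target


def _tcp_self_hit(client_ip: str, via_tcp: bool, target: str) -> bool:
    """tcp-self: an unauthenticated TCP client may only touch its own reverse (PTR) name.
    Simplification: only the wildcard identity/name form seen in the thread is modelled."""
    if not via_tcp:
        return False
    return _fqdn(ipaddress.ip_address(client_ip).reverse_pointer) == target


def is_allowed(rules, name, rtype, principal=None, client_ip=None, via_tcp=False) -> bool:
    """First matching rule decides, as in BIND; with no match the update is refused."""
    target = _fqdn(name)
    for rule in rules:
        if not _type_covered(rule, rtype):
            continue
        if rule.match == "krb5-self":
            hit = principal is not None and _krb5_self_hit(rule, principal, target)
        else:
            hit = client_ip is not None and _tcp_self_hit(client_ip, via_tcp, target)
        if hit:
            return rule.action == "grant"
    return False


# Constructed policies. The forward one is assumed to have the shape FreeIPA
# generates by default (the thread's dnszone-show output is cut off before it);
# the reverse one is the rule Jason reports adding.
FORWARD_POLICY = """
grant INT.DPLCL.COM krb5-self * A;
grant INT.DPLCL.COM krb5-self * AAAA;
grant INT.DPLCL.COM krb5-self * SSHFP;
"""
REVERSE_POLICY = "grant * tcp-self *;"
IPA_HOST_PRINCIPAL = "host/ipa-1.int.dplcl.com@INT.DPLCL.COM"  # the key in the named log line


def thread_scenario() -> dict:
    """Replay the updates discussed in the thread and return each verdict."""
    fwd, rev = parse_policy(FORWARD_POLICY), parse_policy(REVERSE_POLICY)
    return {
        # the REFUSED update: the IPA server's host principal, another host's A record
        "ipa-1 adds testbook3 A": is_allowed(
            fwd, "testbook3.int.dplcl.com.", "A", principal=IPA_HOST_PRINCIPAL),
        # what krb5-self is for: a host updating its own record
        "ipa-1 adds own A": is_allowed(
            fwd, "ipa-1.int.dplcl.com.", "A", principal=IPA_HOST_PRINCIPAL),
        # reverse zone: the client's own PTR over TCP is accepted by tcp-self
        "10.0.1.36 adds own PTR": is_allowed(
            rev, "36.1.0.10.in-addr.arpa.", "PTR", client_ip="10.0.1.36", via_tcp=True),
        # but not a neighbour's PTR
        "10.0.1.36 adds other PTR": is_allowed(
            rev, "37.1.0.10.in-addr.arpa.", "PTR", client_ip="10.0.1.36", via_tcp=True),
    }


if __name__ == "__main__":
    for label, verdict in thread_scenario().items():
        print(f"{label}: {'granted' if verdict else 'REFUSED'}")
```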

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread wouter.hummelink
Krb5kdc issues tickets on correct passwords, and errors out on incorrect ones.

syslog didn’t reveal any clear hints except “failed password for ” from 
SSH
Is there any way for AIX native auth to be more verbose?


From: Iulian Roman [mailto:iulian.ro...@gmail.com]
Sent: Friday 12 May 2017 16:35
To: Hummelink, Wouter
Cc: luiz.via...@tivit.com.br; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1



On Fri, May 12, 2017 at 4:03 PM, wrote:
Yes, kinit works with IPA users. GSSAPI authentication is not keeping it 
simple, since we want passwords to work before trying TGS based logins over 
GSSAPI.
The keytab works since lsuser is still able to get user data. (Documentation 
specifies that enabling krb5 in ldap.cfg makes the bind user and password moot, 
secldapclntd uses krb5 to identify itself to IPA)

Also we are able to kinit host/aixlpar.example@example.org -kt /etc/krb5/krb5.keytab
If your kerberos client works (and it looks like it works as long as you can 
properly kinit)  the only option you have is to check the /var/log/krb5kdc.log 
on the IPA and /var/log/messages or whatever you have configured in syslog for 
auth. on the AIX client.

We can try using su from an unprivileged user, but su has some different issues 
altogether, it doesn’t like @ in usernames which we need at the next stage 
(integrating AD Trust)


From: Iulian Roman 
[mailto:iulian.ro...@gmail.com]
Sent: Friday 12 May 2017 15:56
To: Hummelink, Wouter
Cc: luiz.via...@tivit.com.br; 
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1



On Fri, May 12, 2017 at 3:31 PM, wrote:
The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an 
issue for the ID view.

My advice would be to start simple, prove that your authentication works and 
you can develop a more elaborate setup afterwards. If you combine them all 
together it will be a trial and error which eventually will work at some point.
Do you have the correct keytabs in /etc/krb5/krb5.keytab? Can you run kinit 
(with password and with the keytab) from aix and get a ticket from Kerberos? 
Can you su to an IPA account? Do you have GSSAPIAuthentication enabled in 
sshd_config?
From what you've described I would suspect that your keytab is not correct, 
but that should be confirmed only by answering the questions above.



Sent from my Samsung device


Original message
From: Luiz Fernando Vianna da Silva
Date: 12-05-17 15:03 (GMT+01:00)
To: "Hummelink, Wouter", freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1


Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test 
authenticating against that one.

It's a single rpm with no dependencies. For me it did the trick and I ended up 
doing that on all my AIX servers.

Let me know how it goes or if you have any issues.
Best Regards
__
Luiz Fernando Vianna da Silva

On 12-05-2017 09:47, wouter.hummel...@kpn.com wrote:
Hi All,

We’re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in 
doesn’t work with SSH on AIX reporting Failed password for user 

We’re using ID views to overwrite the user shell and home dirs. (Since AIX will 
refuse a login with a nonexistent shell (like bash))
AIX's lsuser command is able to find all of the users it’s supposed to and su to 
IPA users works.
Also when a user tries to log in I can see a successful Kerberos conversation 
to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log level 
did not produce any meaningful logging.

=== Configuration Excerpt 

/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 
932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Iulian Roman
On Fri, May 12, 2017 at 4:03 PM,  wrote:

> Yes, kinit works with IPA users. GSSAPI authentication is not keeping it
> simple, since we want passwords to work before trying TGS based logins over
> GSSAPI.
>
> The keytab works since lsuser is still able to get user data.
> (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user
> and password moot, secldapclntd uses krb5 to identify itself to IPA)
>
>
>
> Also we are able to kinit host/aixlpar.example@example.org -kt
> /etc/krb5/krb5.keytab
>
If your kerberos client works (and it looks like it works as long as you
can properly kinit)  the only option you have is to check the
/var/log/krb5kdc.log on the IPA and /var/log/messages or whatever you have
configured in syslog for auth. on the AIX client.

>
>
> We can try using su from an unprivileged user, but su has some different
> issues altogether, it doesn’t like @ in usernames which we need at the next
> stage (integrating AD Trust)
>
>
>
>
>
> *From:* Iulian Roman [mailto:iulian.ro...@gmail.com]
> *Sent:* Friday 12 May 2017 15:56
> *To:* Hummelink, Wouter
> *Cc:* luiz.via...@tivit.com.br; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
>
>
>
>
>
>
> On Fri, May 12, 2017 at 3:31 PM,  wrote:
>
> The shell is shown correctly as ksh in lsuser, so that doesn't appear to be
> an issue for the ID view.
>
>
>
> My advice would be to start simple, prove that your authentication works
> and you can develop a more elaborate setup afterwards. If you combine them
> all together it will be a trial and error which eventually will work at
> some point.
>
> Do you have the correct keytabs in /etc/krb5/krb5.keytab? Can you run
> kinit (with password and with the keytab) from aix and get a ticket from
> Kerberos? Can you su to an IPA account? Do you have GSSAPIAuthentication
> enabled in sshd_config?
>
> From what you've described I would suspect that your keytab is not correct,
> but that should be confirmed only by answering the questions above.
>
>
>
>
>
>
>
> Sent from my Samsung device
>
>
>
> Original message
> From: Luiz Fernando Vianna da Silva
> Date: 12-05-17 15:03 (GMT+01:00)
> To: "Hummelink, Wouter",
> freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
>
>
>
> Hello Wouter.
>
> It may seem silly, but try installing bash on one AIX server and test
> authenticating against that one.
>
> It's a single rpm with no dependencies. For me it did the trick and I ended
> up doing that on all my AIX servers.
>
> Let me know how it goes or if you have any issues.
>
> Best Regards
>
> *__*
>
> *Luiz Fernando Vianna da Silva*
>
>
>
> On 12-05-2017 09:47, wouter.hummel...@kpn.com wrote:
>
> Hi All,
>
>
>
> We’re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound
> module.
>
> All the moving parts seem to be working on their own, however logging in
> doesn’t work with SSH on AIX reporting Failed password for user 
>
>
>
> We’re using ID views to overwrite the user shell and home dirs. (Since AIX
> will refuse a login with a nonexistent shell (like bash))
>
> AIX's lsuser command is able to find all of the users it’s supposed to and
> su to IPA users works.
>
> Also when a user tries to log in I can see a successful Kerberos
> conversation to our IPA server.
>
>
>
> Tips for troubleshooting would be much appreciated, increasing SSH log
> level did not produce any meaningful logging.
>
>
>
> === Configuration Excerpt ====
>
> /etc/security/ldap/ldap.cfg:
>
> ldapservers:ipaserver.example.org
>
> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
>
> bindpwd:{DESv2}
>
> authtype:ldap_auth
>
> useSSL:TLS
>
> ldapsslkeyf:/etc/security/ldap/example.kdb
>
> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8
> 932F219867AA7C2C552A12BEEC0CC67
>
> useKRB5:yes
>
> krbprincipal:host/aixlpar.example.org
>
> krbkeypath:/etc/krb5/krb5.keytab
>
> userattrmappath:/etc/security/ldap/2307user.map
>
> groupattrmappath:/etc/security/ldap/2307group.map
>
> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
>
> automountbasedn:cn=default,cn=automount,dc=example,dc=org
>
> etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
>
> userclasses:posixaccount,account,shadowaccount
>
> groupclasses:posixgroup
>
> ldapport:389
>
> searchmode:ALL
>
> defaultentrylocation:LDAP
>
>
>
> /etc/security/user default:
>
> SYSTEM = KRB5LDAP or compat
>
> */etc/methods.cfg*
>
> LDAP:
>
>program = /usr/lib/security/LDAP
>
>program_64 =/usr/lib/security/LDAP64
>
> NIS:
>
>program = /usr/lib/security/NIS
>

[Freeipa-users] How do you allow Active Directory Users to login to the webgui

2017-05-12 Thread Tym Rehm
So I'm testing a new freeipa 4.x setup that has a one-way trust to Active
Directory. I have been able to define user groups to access the AD groups
and configure the groups to work with HBAC rules. So my AD users are able
to ssh into the client machines if HBAC allows them to.

The issue I'm having is that I would like to allow the AD users to login to
the webgui. I currently have the users defined in the ID views
(Default Trust View). I'm only setting the Home Directory at present,
should I add to the ID view?

Thanks

-- 
--
Do not meddle in the affairs of dragons cause you are crunchy and good with
ketchup.

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread wouter.hummelink
Yes, kinit works with IPA users. GSSAPI authentication is not keeping it 
simple, since we want passwords to work before trying TGS based logins over 
GSSAPI.
The keytab works since lsuser is still able to get user data. (Documentation 
specifies that enabling krb5 in ldap.cfg makes the bind user and password moot, 
secldapclntd uses krb5 to identify itself to IPA)

Also we are able to kinit host/aixlpar.example@example.org -kt /etc/krb5/krb5.keytab

We can try using su from an unprivileged user, but su has some different issues 
altogether, it doesn’t like @ in usernames which we need at the next stage 
(integrating AD Trust)


From: Iulian Roman [mailto:iulian.ro...@gmail.com]
Sent: Friday 12 May 2017 15:56
To: Hummelink, Wouter
Cc: luiz.via...@tivit.com.br; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1



On Fri, May 12, 2017 at 3:31 PM, wrote:
The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an 
issue for the ID view.

My advice would be to start simple, prove that your authentication works and 
you can develop a more elaborate setup afterwards. If you combine them all 
together it will be a trial and error which eventually will work at some point.
Do you have the correct keytabs in /etc/krb5/krb5.keytab? Can you run kinit 
(with password and with the keytab) from aix and get a ticket from Kerberos? 
Can you su to an IPA account? Do you have GSSAPIAuthentication enabled in 
sshd_config?
From what you've described I would suspect that your keytab is not correct, 
but that should be confirmed only by answering the questions above.



Sent from my Samsung device


Original message
From: Luiz Fernando Vianna da Silva
Date: 12-05-17 15:03 (GMT+01:00)
To: "Hummelink, Wouter", freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1


Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test 
authenticating against that one.

It's a single rpm with no dependencies. For me it did the trick and I ended up 
doing that on all my AIX servers.

Let me know how it goes or if you have any issues.
Best Regards
__
Luiz Fernando Vianna da Silva

On 12-05-2017 09:47, wouter.hummel...@kpn.com wrote:
Hi All,

We’re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in 
doesn’t work with SSH on AIX reporting Failed password for user 

We’re using ID views to overwrite the user shell and home dirs. (Since AIX will 
refuse a login with a nonexistent shell (like bash))
AIX's lsuser command is able to find all of the users it’s supposed to and su to 
IPA users works.
Also when a user tries to log in I can see a successful Kerberos conversation 
to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log level 
did not produce any meaningful logging.

=== Configuration Excerpt 

/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 
932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user default:
SYSTEM = KRB5LDAP or compat
/etc/methods.cfg

LDAP:

   program = /usr/lib/security/LDAP

   program_64 =/usr/lib/security/LDAP64

NIS:

   program = /usr/lib/security/NIS

   program_64 = /usr/lib/security/NIS_64

DCE:

   program = /usr/lib/security/DCE

KRB5:

   program = /usr/lib/security/KRB5

   program_64 = /usr/lib/security/KRB5_64

   options = 
authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no



KRB5LDAP:

   options = auth=KRB5,db=LDAP


Kind regards,
Wouter Hummelink
Technical 

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Iulian Roman
On Fri, May 12, 2017 at 3:31 PM, wrote:

> The shell is shown correctly as ksh in lsuser, so that doesn't appear to be
> an issue for the ID view.
>

My advice would be to start simple, prove that your authentication works,
and you can develop a more elaborate setup afterwards. If you combine them
all together it will be trial and error, which eventually will work at
some point.
Do you have the correct keytabs in /etc/krb5/krb5.keytab? Can you run
kinit (with password and with the keytab) from AIX and get a ticket from
Kerberos? Can you su to an IPA account? Do you have GSSAPIAuthentication
enabled in sshd_config?

From what you've described I would suspect that your keytab is not correct,
but that should be confirmed only by answering the questions above.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
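The checklist in the reply above (does the keytab hold the right host principal, does it belong to the expected realm, is GSSAPIAuthentication actually on in sshd_config) is easy to script so it can be re-run on every LPAR. The script below is an added example, not code from the thread or from FreeIPA or AIX. It works on captured text rather than live systems: a listing in `klist -kt` format and a copy of sshd_config. It applies OpenSSH's rule that the first occurrence of a keyword wins and that `GSSAPIAuthentication` defaults to `no`; `Match` blocks are not handled. The keytab listing, the sshd_config lines and the principal `host/aixlpar.example.org@EXAMPLE.ORG` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): scripted versions of the checks
# suggested above, run against captured text so they can be tested offline.
# Assumptions: keytab listing in `klist -kt` format; sshd_config follows the
# OpenSSH rule that the first occurrence of a keyword wins and that
# GSSAPIAuthentication defaults to "no". Match blocks are ignored.

# keytab_has_principal LISTING_FILE PRINCIPAL
# Exit 0 if PRINCIPAL appears in the last column of the listing, else 1.
keytab_has_principal() {
    awk -v want="$2" '$NF == want { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# effective_sshd_option CONFIG_FILE KEYWORD DEFAULT
# Print the first uncommented value of KEYWORD (keywords are case-insensitive),
# or DEFAULT when the keyword is absent. Commented lines never match because
# their first field starts with "#".
effective_sshd_option() {
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# realm_of PRINCIPAL: the realm after '@', to compare with the IPA realm
realm_of() {
    printf '%s\n' "${1##*@}"
}

# run_checks LISTING_FILE CONFIG_FILE PRINCIPAL EXPECTED_REALM
# Print one verdict per check; return the number of failed checks.
run_checks() {
    fails=0
    if keytab_has_principal "$1" "$3"; then
        echo "ok   keytab holds $3"
    else
        echo "FAIL keytab does not hold $3 (compare with ktutil / ipa-getkeytab output)"
        fails=$((fails + 1))
    fi
    if [ "$(realm_of "$3")" = "$4" ]; then
        echo "ok   principal realm is $4"
    else
        echo "FAIL principal realm $(realm_of "$3") differs from $4"
        fails=$((fails + 1))
    fi
    gss=$(effective_sshd_option "$2" GSSAPIAuthentication no)
    if [ "$gss" = yes ]; then
        echo "ok   GSSAPIAuthentication yes"
    else
        echo "FAIL GSSAPIAuthentication is '$gss' (OpenSSH default is no)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# write_samples DIR: constructed sample inputs, not real output from the thread
write_samples() {
    cat > "$1/keytab.txt" <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/12/2017 09:00:00 host/aixlpar.example.org@EXAMPLE.ORG
EOF
    cat > "$1/sshd_config" <<'EOF'
# GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPIAuthentication no
EOF
}

# Stand-alone demo: build the samples in a temp dir and run the checks.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    run_checks "$dir/keytab.txt" "$dir/sshd_config" \
        host/aixlpar.example.org@EXAMPLE.ORG EXAMPLE.ORG
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo
```

On a real host, feed `klist -kt /etc/krb5/krb5.keytab > keytab.txt` (or the equivalent listing from the Kerberos client installed on AIX) and `/etc/ssh/sshd_config` to `run_checks`. The sample sshd_config deliberately contains a commented-out `no`, a `yes`, and a later `no`, to show that only the first live occurrence counts.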

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread wouter.hummelink
The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an 
issue for the ID view.



Sent from my Samsung device




Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Luiz Fernando Vianna da Silva
"Why don't you just use /bin/sh as the default shell in IPA? In AIX /bin/sh 
is the same as /bin/ksh and in Linux it is a symlink to /bin/bash."

Wow, never thought of that, very elegant solution!
Best Regards
__
Luiz Fernando Vianna da Silva
On 12-05-2017 10:27, Iulian Roman wrote:


On Fri, May 12, 2017 at 2:32 PM, wrote:
Hi All,

We're running a POC to integrate IPA and AIX using the AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in 
doesn't work, with SSH on AIX reporting Failed password for user 

We're using ID views to overwrite the user shell and home dirs (since AIX will 
refuse a login with a nonexistent shell (like bash)).

Why don't you just use /bin/sh as the default shell in IPA? In AIX /bin/sh is 
the same as /bin/ksh and in Linux it is a symlink to /bin/bash.

AIX's lsuser command is able to find all of the users it's supposed to, and su to 
IPA users works.
Also, when a user tries to log in I can see a successful Kerberos conversation 
to our IPA server.

Tips for troubleshooting would be much appreciated; increasing the SSH log level 
did not produce any meaningful logging.

=== Configuration Excerpt ===

/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 
932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user default:
SYSTEM = KRB5LDAP or compat

I am using the following settings in /etc/security/user:
SYSTEM = KRB5LDAP
registry = KRB5LDAP
It works for AIX 5, 6 and 7 in my setup.



Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread Sumit Bose
On Fri, May 12, 2017 at 03:00:42PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> It worked with pam_mkhomedir. So I don't see anything left to do at the
> moment
> 

ah, I thought ...

> 
> On 12-May-17 12:52 PM, Sumit Bose wrote:
> > On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com 
> > wrote:
> >> The directory didn't exist

... meant that pam_mkhomedir didn't create the directory properly. Glad
it works for you now.

bye,
Sumit



Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Iulian Roman
On Fri, May 12, 2017 at 2:32 PM, wrote:

> Hi All,
>
>
>
> We’re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound
> module.
>
> All the moving parts seem to be working on their own, however logging in
> doesn’t work with SSH on AIX reporting Failed password for user 
>
>
>
> We're using ID views to overwrite the user shell and home dirs (since AIX
> will refuse a login with a nonexistent shell (like bash)).
>

Why don't you just use /bin/sh as the default shell in IPA? In AIX
/bin/sh is the same as /bin/ksh and in Linux it is a symlink to /bin/bash.

> AIX's lsuser command is able to find all of the users it's supposed to and
> su to IPA users works.
>
> Also when a user tries to log in I can see a successful Kerberos
> conversation to our IPA server.
>

>
> Tips for troubleshooting would be much appreciated, increasing SSH log
> level did not produce any meaningful logging.
>
>
>
> === Configuration Excerpt ==
> ==
>
> /etc/security/ldap/ldap.cfg:
>
> ldapservers:ipaserver.example.org
>
> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
>
> bindpwd:{DESv2}
>
> authtype:ldap_auth
>
> useSSL:TLS
>
> ldapsslkeyf:/etc/security/ldap/example.kdb
>
> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8
> 932F219867AA7C2C552A12BEEC0CC67
>
> useKRB5:yes
>
> krbprincipal:host/aixlpar.example.org
>
> krbkeypath:/etc/krb5/krb5.keytab
>
> userattrmappath:/etc/security/ldap/2307user.map
>
> groupattrmappath:/etc/security/ldap/2307group.map
>
> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
>
> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
>
> automountbasedn:cn=default,cn=automount,dc=example,dc=org
>
> etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
>
> userclasses:posixaccount,account,shadowaccount
>
> groupclasses:posixgroup
>
> ldapport:389
>
> searchmode:ALL
>
> defaultentrylocation:LDAP
>
>
>
> /etc/security/user default:
>
> SYSTEM = KRB5LDAP or compat
>

I am using the following settings in /etc/security/user:
SYSTEM = KRB5LDAP
registry = KRB5LDAP
It works for AIX 5, 6 and 7 in my setup.



Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Luiz Fernando Vianna da Silva
Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test 
authenticating against that one.

It's a single RPM with no dependencies. For me it did the trick and I ended up 
doing that on all my AIX servers.

Let me know how it goes or if you have any issues.
Best Regards
__
Luiz Fernando Vianna da Silva

On 12-05-2017 09:47, wouter.hummel...@kpn.com wrote:
Hi All,

We're running a POC to integrate IPA and AIX using the AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in 
doesn't work, with SSH on AIX reporting Failed password for user 

We're using ID views to overwrite the user shell and home dirs (since AIX will 
refuse a login with a nonexistent shell (like bash)).
AIX's lsuser command is able to find all of the users it's supposed to, and su to 
IPA users works.
Also, when a user tries to log in I can see a successful Kerberos conversation 
to our IPA server.

Tips for troubleshooting would be much appreciated; increasing the SSH log level 
did not produce any meaningful logging.

=== Configuration Excerpt ===

/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 
932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user default:
SYSTEM = KRB5LDAP or compat
/etc/methods.cfg

LDAP:

   program = /usr/lib/security/LDAP

   program_64 =/usr/lib/security/LDAP64

NIS:

   program = /usr/lib/security/NIS

   program_64 = /usr/lib/security/NIS_64

DCE:

   program = /usr/lib/security/DCE

KRB5:

   program = /usr/lib/security/KRB5

   program_64 = /usr/lib/security/KRB5_64

   options = 
authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no



KRB5LDAP:

   options = auth=KRB5,db=LDAP


Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummel...@kpn.com



[Freeipa-users] Fwd: DNS update failing

2017-05-12 Thread Jason Sherrill
Mistakenly failed to post to freeipa-users.

-- Forwarded message --
From: Jason Sherrill 
Date: Thu, May 11, 2017 at 9:16 AM
Subject: Re: [Freeipa-users] DNS update failing
To: Martin Bašti 


Thank you for the assistance, Martin. The reverse zone is working because
of a policy I'd added: grant * tcp-self *. The same entry for the
forward zone did not work. I ran the manual update as described and was
refused. It seems GSS-TSIG is working, but the update is still refused:

[root@ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab
[root@ipa-1 jsherrill]# nsupdate -g
> debug
> update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  45996
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;testbook3.int.dplcl.com. IN SOA
;; AUTHORITY SECTION:
int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494432187 3600 900 1209600 3600
Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
start_gssrequest
Found realm from ticket: INT.DPLCL.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
;; ADDITIONAL SECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. 
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
;; ANSWER SECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. 
Sending update to 10.0.1.5#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  13230
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
;; TSIG PSEUDOSECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig.  13230 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  13230
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;int.dplcl.com. IN SOA
;; TSIG PSEUDOSECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. 13230 NOERROR 0



On Thu, May 11, 2017 at 4:09 AM, Martin Bašti  wrote:

>
>
> On 10.05.2017 18:38, Jason Sherrill wrote:
>
> Hello,
>
> I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
> and Windows 10 with limited issues!
>
> One issue is that updating the reverse zone via nsupdate works without
> issue, updating to the forward zone results in a REFUSED status. Below is
> my zone config, named.conf, and an example of client-side behavior.  I'm
> new to nearly all systems involved- misconfiguration is likely. Thanks!
>
>
> From freeIPA server:
>
> #  ipa dnszone-show int.dplcl.com --all
>
>
>  dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
>
>  Zone name: int.dplcl.com.
>
>  Active zone: TRUE
>
>  Authoritative nameserver: ipa-1.int.dplcl.com.
>
>  Administrator e-mail address: hostmaster.int.dplcl.com.
>
>  SOA serial: 1494344164
>
>  SOA refresh: 3600
>
>  SOA retry: 900
>
>  SOA expire: 1209600
>
>  SOA minimum: 3600
>
>  BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant
> INT.DPLCL.COM krb5-self * ; grant INT.DPLCL.COM krb5-self *
>
>  SSHFP;
>
>  Dynamic update: TRUE
>
>  Allow query: any;
>
>  Allow transfer: none;
>
>  Allow PTR sync: TRUE
>
>  Allow in-line DNSSEC signing: FALSE
>
>  nsrecord: ipa-1.int.dplcl.com.
>
>  objectclass: idnszone, top, idnsrecord, ipadnszone
>
> /etc/named.conf from IPA server:
>
> options {
>
>// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>
>listen-on-v6 {any;};
>
>// Put files that named is allowed to write in the data/ directory:
>
>directory "/var/named"; // the default
>
>dump-file   "data/cache_dump.db";
>
>statistics-file "data/named_stats.txt";
>
>memstatistics-file  "data/named_mem_stats.txt";
>
>// Any host is permitted to issue recursive queries
>
>allow-recursion { any; };
>
>tkey-gssapi-keytab "/etc/named.keytab";
>
>pid-file "/run/named/named.pid";
>
>dnssec-enable no;
>
>dnssec-validation no;
>
>/* Path to ISC DLV key */
>
>bindkeys-file "/etc/named.iscdlv.key";
>
>managed-keys-directory "/var/named/dynamic";
>
> };
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>
> * By default, SELinux policy does not allow named to modify the /var/named
> directory,
>
> * so put the default debug log file in data/ :
>
> */
>
> logging {
>
>channel default_debug {
>
>file 
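The zone's update policy quoted above is built on `krb5-self`, and it pays to be precise about what that rule authorizes before reading a REFUSED as a GSS-TSIG problem: `grant REALM krb5-self * A` lets the Kerberos machine principal `host/NAME@REALM` update only records whose owner name is NAME. Note also that `kinit -kt /etc/krb5.keytab` run on the IPA server, as in the transcript, obtains that server's own host principal by default. The script below is an added example, not code from the thread, FreeIPA or BIND: a small shell model of the documented `krb5-self` rule, applied to constructed cases that reuse the thread's zone and host names (no DNS traffic is sent).

```shell
#!/bin/sh
# Added example (not from the thread; not FreeIPA or BIND code): a model of
# the BIND update-policy rule
#     grant REALM krb5-self * A;
# which lets the Kerberos machine principal host/NAME@REALM update records
# whose owner name is NAME, and nothing else. Owner names compare
# case-insensitively and a trailing dot is ignored, as in DNS.

# canon_name NAME: lowercase and strip one trailing dot
canon_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# krb5_self_allows PRINCIPAL POLICY_REALM OWNER_NAME
# Exit 0 when the rule grants the update, 1 when BIND would answer REFUSED.
krb5_self_allows() {
    principal=$1; policy_realm=$2; owner=$3
    case "$principal" in
        host/*@*) ;;          # only host/ machine principals qualify
        *) return 1 ;;
    esac
    realm=${principal##*@}
    fqdn=${principal#host/}
    fqdn=${fqdn%@*}
    [ "$realm" = "$policy_realm" ] || return 1
    [ "$(canon_name "$fqdn")" = "$(canon_name "$owner")" ] || return 1
    return 0
}

# verdict PRINCIPAL POLICY_REALM OWNER_NAME: print the rcode BIND would return
verdict() {
    if krb5_self_allows "$1" "$2" "$3"; then
        echo NOERROR
    else
        echo REFUSED
    fi
}

# Walkthrough with the zone from the thread: which credentials may add
# testbook3.int.dplcl.com under "grant INT.DPLCL.COM krb5-self * A"?
demo() {
    realm=INT.DPLCL.COM
    for p in host/testbook3.int.dplcl.com@$realm \
             host/ipa-1.int.dplcl.com@$realm \
             admin@$realm; do
        printf '%-48s -> %s\n' "$p" \
            "$(verdict "$p" "$realm" testbook3.int.dplcl.com.)"
    done
}

demo
```

The point of `krb5-self` is that each record is bound to the host holding the matching keytab: a client registering itself succeeds, while a ticket for any other name (including the server's own host principal, or a user principal such as `admin`) is refused for that owner name. `tcp-self`, which the reverse zone was opened with, is a different kind of rule: BIND grants it on the basis of the TCP source address mapping to the PTR name being changed, with no Kerberos authentication involved, so it is the weaker of the two.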

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread tuxderlinuxfuch...@gmail.com
It worked with pam_mkhomedir. So I don't see anything left to do at the
moment.


On 12-May-17 12:52 PM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> The directory didn't exist
> Then I guess that the process doesn't have the needed permissions during
> the session phase anymore. Please try to replace pam_mkhomedir by
> pam_oddjob_mkhomedir. This will try to create the directory via oddjobd
> which runs with higher privileges.
>
> HTH
>
> bye,
> Sumit
>


[Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread wouter.hummelink
Hi All,

We're running a POC to integrate IPA and AIX using the AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in 
doesn't work, with SSH on AIX reporting Failed password for user 

We're using ID views to overwrite the user shell and home dirs (since AIX will 
refuse a login with a nonexistent shell (like bash)).
AIX's lsuser command is able to find all of the users it's supposed to, and su to 
IPA users works.
Also, when a user tries to log in I can see a successful Kerberos conversation 
to our IPA server.

Tips for troubleshooting would be much appreciated; increasing the SSH log level 
did not produce any meaningful logging.

=== Configuration Excerpt ===

/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 
932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user default:
SYSTEM = KRB5LDAP or compat
/etc/methods.cfg

LDAP:

   program = /usr/lib/security/LDAP

   program_64 =/usr/lib/security/LDAP64

NIS:

   program = /usr/lib/security/NIS

   program_64 = /usr/lib/security/NIS_64

DCE:

   program = /usr/lib/security/DCE

KRB5:

   program = /usr/lib/security/KRB5

   program_64 = /usr/lib/security/KRB5_64

   options = 
authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no



KRB5LDAP:

   options = auth=KRB5,db=LDAP


Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummel...@kpn.com


Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread Sumit Bose
On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> The directory didn't exist

Then I guess that the process doesn't have the needed permissions during
the session phase anymore. Please try to replace pam_mkhomedir by
pam_oddjob_mkhomedir. This will try to create the directory via oddjobd
which runs with higher privileges.

HTH

bye,
Sumit

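As an added illustration of the swap recommended above (not code from the thread, sssd or oddjob), the script below inspects a pam.d session stack for the home-directory module and rewrites a copy of it from `pam_mkhomedir` to `pam_oddjob_mkhomedir`, keeping the `skel=` and `umask=` arguments, which `pam_oddjob_mkhomedir` accepts as well. The sample `common-session` is constructed, and the script assumes the usual `type control module args` line layout (bracketed control values such as `[success=1 default=ignore]` are not handled).

```shell
#!/bin/sh
# Added example (not from the thread): audit and rewrite the mkhomedir line
# of a PAM session stack. pam_mkhomedir creates the directory inside the
# login process itself (for a display manager, one that may lack the rights
# to create under /home at session time), whereas pam_oddjob_mkhomedir asks
# the privileged oddjobd daemon over D-Bus to do it.
# Assumes "type control module [args]" lines; bracketed controls not handled.

# mkhomedir_module PAMFILE: print pam_mkhomedir, pam_oddjob_mkhomedir or none
mkhomedir_module() {
    awk '$1 == "session" && $3 ~ /^pam_(oddjob_)?mkhomedir\.so$/ {
             sub(/\.so$/, "", $3); print $3; found = 1; exit
         }
         END { if (!found) print "none" }' "$1"
}

# mkhomedir_umask PAMFILE: print the umask= argument of that line, or "default"
mkhomedir_umask() {
    awk '$1 == "session" && $3 ~ /mkhomedir\.so$/ {
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); print $i; found = 1; exit }
         }
         END { if (!found) print "default" }' "$1"
}

# convert_to_oddjob SRC DST: copy SRC to DST with pam_mkhomedir.so replaced by
# pam_oddjob_mkhomedir.so; every other token on the line is kept.
convert_to_oddjob() {
    sed 's/[[:space:]]pam_mkhomedir\.so/ pam_oddjob_mkhomedir.so/' "$1" > "$2"
}

# audit_mkhomedir PAMFILE: one-line summary; exit 0 only when oddjob is in use
audit_mkhomedir() {
    mod=$(mkhomedir_module "$1")
    um=$(mkhomedir_umask "$1")
    echo "home directories created by: $mod (umask $um)"
    [ "$mod" = pam_oddjob_mkhomedir ]
}

# write_sample FILE: constructed Ubuntu-style common-session, not the
# attachment from the thread
write_sample() {
    printf '%s\n' \
        'session required pam_unix.so' \
        'session optional pam_sss.so' \
        'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' > "$1"
}

# Stand-alone demo: audit the sample, rewrite it, audit the result.
demo() {
    dir=$(mktemp -d)
    write_sample "$dir/common-session"
    audit_mkhomedir "$dir/common-session" \
        || echo "-> rewriting to pam_oddjob_mkhomedir (oddjobd must be enabled and running)"
    convert_to_oddjob "$dir/common-session" "$dir/common-session.new"
    audit_mkhomedir "$dir/common-session.new"
    rm -rf "$dir"
}

demo
```

The rewrite keeps `umask=0022` because that is what the thread's line carried; it makes new home directories world-readable, and `umask=0077` is the conservative choice when nothing depends on other users traversing home directories. Switching the module is only half the change: oddjobd has to be installed and started, or the session phase will again end without a home directory.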


Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread tuxderlinuxfuch...@gmail.com
The directory didn't exist.


On 12-May-17 11:48 AM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> Thanks!
>>
>> I followed this manual:
>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>>
>> added the line
>>
>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>
>> to the file /etc/pam.d/common-session (find attached)
>>
>>
> Have you checked if /home/vmuser1 exists and has the right permissions
> so that the user can create files in the directory?
>
> bye,
> Sumit
>



Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-12 Thread Martin Bašti

That's weird, it should be super fast, anything in /var/log/httpd/error_log?


On 11.05.2017 22:23, Robert L. Harris wrote:


Odd, must have clicked reply instead of reply-all.

Anyway, I did the revert and re-install.  Actual install went through 
fine then the "ipa-server-install" ran until this:


  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Please add records in this file to your DNS system: 
/tmp/ipa.system.records.v5Jwrt.db

Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.rdlg.net 
Realm: RDLG.NET 
DNS Domain: rdlg.net 
IPA Server: ipa.rdlg.net 
BaseDN: dc=rdlg,dc=net

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipa.rdlg.net/ipa/json
Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'


It's been sitting there for a while ( 4 hours? )  I don't see anything 
in the ipaserver-install.log, but it's here: https://pastebin.com/biK1Dmv7




On Thu, May 11, 2017 at 8:12 AM Martin Bašti wrote:


Please keep freeipa-users in CC

Snapshot is always better, so I suggest using it. Otherwise there
is an option --ignore-last-of-role to unblock uninstallation.

Martin


On 11.05.2017 16:00, Robert L. Harris wrote:


Looks like you hit it, apache didn't have a group:

-- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.

Thanks, didn't know that command.  I tried to continue the process:

{0}:/root>ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA server is already configured on this system.
If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

root@ipa
{1}:/root>ipa-server-install  --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!

Are you sure you want to continue with the uninstall procedure? [no]: yes
ipa : ERROR    Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA..



This is a VM and I took a snapshot right before I started the
install, so I can revert, just make sure to add the apache user
before starting the install. Or if you have a better command to
continue the clean-up/install.


On Thu, May 11, 2017 at 2:19 AM Martin Bašti wrote:

Hello,

comments inline


On 11.05.2017 06:06, Robert L. Harris wrote:


Sigh... Sorry, it's been a long day, I thought I put that
log in the first pastebin.  It's in this one:
https://pastebin.com/18PAXXNS


Could you please provide journalctl -u httpd and
/var/log/httpd/error_log ?





Also,
   Anyone else get the constant spam when mailing this
list?  Got an address to block for it?


Sorry for that, there is a bot mining public archives. We
plan to resolve this issue but it may take time as we are not
maintaining our mailman.

Martin




Robert




On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman wrote:

Robert, did you look in /var/log/ipaserver-install.log
as it says?

Was there any other 
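
The install in this thread stalled because httpd could not start ("AH00544: httpd: bad group name apache"), so the installer sat waiting on https://ipa.rdlg.net/ipa/json. Below is a pre-flight check, added as an example and not part of FreeIPA or of any message in the thread: it reads the User and Group directives from an Apache configuration file and verifies that both resolve through getent (the same NSS lookup httpd performs at startup) before ipa-server-install is run. The configuration files, the function names and the group name no_such_group_zz are constructed for the demo; on CentOS 7 the real file is /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Pre-flight check
# for ipa-server-install: confirm that the User and Group httpd will switch
# to actually resolve, so the web server does not fail with
# "AH00544: httpd: bad group name apache". Sample configs are constructed.

# httpd_directive FILE NAME: print the value of the last uncommented
# "NAME value" line (e.g. User, Group); prints nothing if the directive is absent.
httpd_directive() {
    conf="$1"; name="$2"
    sed -n "s/^[[:space:]]*${name}[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p" "$conf" | tail -n 1
}

# Resolve names the way httpd does at startup: through NSS, so /etc/passwd,
# /etc/group and SSSD are all consulted.
user_resolves()  { getent passwd "$1" >/dev/null 2>&1; }
group_resolves() { getent group  "$1" >/dev/null 2>&1; }

# check_httpd_identities FILE: report unresolvable User/Group; the exit
# status is the number of problems found (0 = safe to start the installer).
check_httpd_identities() {
    conf="$1"; problems=0
    u=$(httpd_directive "$conf" User)
    g=$(httpd_directive "$conf" Group)
    if [ -z "$u" ] || ! user_resolves "$u"; then
        echo "PROBLEM: httpd User '${u:-<unset>}' does not resolve (getent passwd)"
        problems=$((problems + 1))
    fi
    if [ -z "$g" ] || ! group_resolves "$g"; then
        echo "PROBLEM: httpd Group '${g:-<unset>}' does not resolve (getent group)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "ok: httpd will run as ${u}:${g}"
    return "$problems"
}

# Demo on constructed configs. On a real CentOS 7 host point this at
# /etc/httpd/conf/httpd.conf, whose stock values are "User apache" and
# "Group apache"; both are normally created when the httpd package is installed.
demo_httpd_preflight() {
    tmp=$(mktemp -d)
    printf 'User root\nGroup root\n' > "$tmp/good.conf"
    printf '# Group apache\nUser root\nGroup no_such_group_zz\n' > "$tmp/bad.conf"   # constructed
    check_httpd_identities "$tmp/good.conf"
    check_httpd_identities "$tmp/bad.conf" || echo "bad.conf: $? problem(s)"
    rm -rf "$tmp"
}

demo_httpd_preflight
```

A non-zero exit is the cue to stop and fix the account (or to check that the httpd package is really installed, as the `rpm -q` output earlier in the thread showed it was not) rather than to start the installer, since the installer cannot be cleanly re-run once the CA has been set up.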

Re: [Freeipa-users] k5login loophole even account is disabled on FreeIPA

2017-05-12 Thread Sumit Bose
On Fri, May 12, 2017 at 08:41:07AM +0200, Sumit Bose wrote:
> On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> > On pe, 12 touko 2017, Thomas Lau wrote:
> > > Folks,
> > > 
> > > let's say I am user thomas, and user "temp1" already marked as "disabled"
> > > on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how
> > > come I could still "sudo su - temp1"? It seems to skip the checking on
> > > FreeIPA even though the account is disabled. Did I miss any setting, or
> > > is it normal?
> > This is normal.
> > 
> > sudo brings you to root. PAM module for su (/etc/pam.d/su) has this:
> > 
> >  auth   sufficient  pam_rootok.so
> > 
> > E.g. if su is executed as root, it is enough, no other authentication
> > checks are done.
> 
> And no authorization checks either because there is
> 
> account sufficient  pam_succeed_if.so uid = 0 use_uid quiet

and btw, this is completely unrelated to .k5login, even if you remove
tho...@domain.com from the file it would still work.

bye,
Sumit



Re: [Freeipa-users] k5login loophole even account is disabled on FreeIPA

2017-05-12 Thread Sumit Bose
On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> On pe, 12 touko 2017, Thomas Lau wrote:
> > Folks,
> > 
> > let's say I am user thomas, and user "temp1" already marked as "disabled"
> > on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how come
> > I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA
> > even though the account is disabled. Did I miss any setting, or is it normal?
> This is normal.
> 
> sudo brings you to root. PAM module for su (/etc/pam.d/su) has this:
> 
>  auth sufficient  pam_rootok.so
> 
> E.g. if su is executed as root, it is enough, no other authentication
> checks are done.

And no authorization checks either because there is

account sufficient  pam_succeed_if.so uid = 0 use_uid quiet

bye,
Sumit



Re: [Freeipa-users] k5login loophole even account is disabled on FreeIPA

2017-05-12 Thread Alexander Bokovoy

On pe, 12 touko 2017, Thomas Lau wrote:

Folks,

let's say I am user thomas, and user "temp1" already marked as "disabled"
on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how come
I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA
even though the account is disabled. Did I miss any setting, or is it normal?

This is normal.

sudo brings you to root. PAM module for su (/etc/pam.d/su) has this:

 auth   sufficient  pam_rootok.so

E.g. if su is executed as root, it is enough, no other authentication
checks are done.

--
/ Alexander Bokovoy

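
The su stack that Alexander and Sumit describe above can be audited mechanically. The script below is an added example, not code from the thread: it parses a PAM service file in the style of /etc/pam.d/su and reports whether uid 0 skips the auth stack (pam_rootok.so with the sufficient control) and the account stack (pam_succeed_if.so uid = 0 with the sufficient control), which is why the disabled state of temp1 in FreeIPA is never consulted once sudo has made the caller root. The sample file, the function names and the temporary directory are constructed; on a real host point audit_su at /etc/pam.d/su.

```shell
#!/bin/sh
# Added example, not code from the thread. Audit a PAM service file in the
# style of /etc/pam.d/su and report whether uid 0 short-circuits the auth and
# account stacks. That shortcut is why "sudo su - temp1" reaches an account
# FreeIPA has disabled: root never passes through SSSD's checks.
# The sample file below is constructed.

# pam_stack FILE GROUP: print the module lines of one management group
# (auth, account, password, session) with comments stripped and runs of
# whitespace collapsed, so the patterns below match reliably.
pam_stack() {
    pamfile="$1"; group="$2"
    sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$pamfile" \
        | grep -E "^${group} "
}

# True when the auth stack contains "auth sufficient pam_rootok.so":
# a caller that is already uid 0 is authenticated with no further modules.
root_skips_auth() {
    pam_stack "$1" auth | grep -qE '^auth sufficient pam_rootok\.so'
}

# True when the account stack has "account sufficient pam_succeed_if.so ... uid = 0":
# authorization (including the SSSD/FreeIPA account status and HBAC) is skipped for uid 0.
root_skips_account() {
    pam_stack "$1" account | grep -qE '^account sufficient pam_succeed_if\.so .*uid = 0'
}

# audit_su FILE: print a summary; exit 0 when root bypasses both stacks.
audit_su() {
    pamfile="$1"; a=no; c=no
    root_skips_auth "$pamfile" && a=yes
    root_skips_account "$pamfile" && c=yes
    echo "$pamfile: root skips auth=$a account=$c"
    if [ "$a" = yes ] && [ "$c" = yes ]; then
        echo "  -> the target account's FreeIPA state is not consulted when root runs su;"
        echo "     control who can reach root (sudo rules), not the target's .k5login"
        return 0
    fi
    return 1
}

demo_su_audit() {
    tmp=$(mktemp -d)
    # Constructed sample modelled on the su service quoted in the thread.
    cat > "$tmp/su" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
EOF
    audit_su "$tmp/su"
    # A service with no uid-0 shortcuts, for contrast.
    printf 'auth include system-auth\naccount include system-auth\n' > "$tmp/plain"
    audit_su "$tmp/plain"
    rm -rf "$tmp"
}

demo_su_audit
```

The audit does not argue for removing pam_rootok.so (root would then be asked for the target's password, which is rarely wanted); its point is that the enforcement boundary is the path to root, so the answer to the question in the thread is to review the sudo rules that grant `su`, not the .k5login file.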


Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread Sumit Bose
On Fri, May 12, 2017 at 12:50:08AM +0200, tuxderlinuxfuch...@gmail.com wrote:
> I have attached the syslog with gdm debug mode enabled
> 
> 
> On 11-May-17 1:54 PM, Sumit Bose wrote:
> > On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com 
> > wrote:
> >> Hello,
> >>
> >> I have attached the requested files.
> > The logs indicate that access was granted by SSSD and that gdm even
> > called pam_open_session.
> >
> > Did gdm login work with the 'allow all' rule? Are there any other
> > hints in the system or gdm logs why gdm might have failed?
> >
> > bye,
> > Sumit
> >
> >> Thanks in advance!
> >>
> >> On 10-May-17 9:42 PM, Sumit Bose wrote:
> >>> On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com 
> >>> wrote:
>  Hello everyone,
> 
>  I set up my freeIPA instance and it works very well for my client
>  computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
>  freeIPA managed user account.
> 
>  My own HBAC rule also works for that. I disabled the "allow all" rule
>  and created my own one. Works fine for SSH.
> 
>  But I cannot login to the GNOME 3 Desktop on the client. I used the
>  netinstall ISO image of Ubuntu. During installation, I chose
>  "Ubuntu GNOME Desktop" as the only desktop.
> 
>  So my display manager is gdm3.
> 
>  I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
>  the safe side, I rebooted the client machine. But I still can't login to
>  the GNOME Desktop with an account that can login via SSH.
> 
>  So the services in my rule are
> 
>  login, gdm, gdm-password
> 
>  If you need any logs or other information, I will provide them.
> >>> Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
> >>> the [pam] and [domain/...] section of sssd.conf.
> >>>
> >>> bye,
> >>> Sumit
> >>>
>  Thanks in advance!
> 
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) This device 
> may have been added with another device file.
> May 11 23:41:55 ubugdm gdm-x-session: Running session message bus
> May 11 23:41:55 ubugdm gdm3: GdmManager: trying to register new display
> May 11 23:41:55 ubugdm gdm3: GdmSession: Setting display device: /dev/tty2
> May 11 23:41:55 ubugdm gdm3: using ut_user vmuser1
> May 11 23:41:55 ubugdm gdm3: Writing login record
> May 11 23:41:55 ubugdm gdm3: using ut_type USER_PROCESS
> May 11 23:41:55 ubugdm gdm3: using ut_tv time 1494538915
> May 11 23:41:55 ubugdm gdm3: using ut_pid 1741
> May 11 23:41:55 ubugdm gdm3: using ut_host :1
> May 11 23:41:55 ubugdm gdm3: using ut_line tty2
> May 11 23:41:55 ubugdm gdm3: Writing wtmp session record to /var/log/wtmp
> May 11 23:41:55 ubugdm gdm3: Adding or updating utmp record for login
> May 11 23:41:55 ubugdm gdm3: GdmLocalDisplayFactory: display status changed: 2
> May 11 23:41:55 ubugdm gdm-x-session: Running X session
> May 11 23:41:55 ubugdm gdm-x-session: Trying script /etc/gdm3/Prime/:1
> May 11 23:41:55 ubugdm gdm-x-session: script /etc/gdm3/Prime/:1 not found; 
> skipping
> May 11 23:41:55 ubugdm gdm-x-session: Trying script /etc/gdm3/Prime/Default
> May 11 23:41:55 ubugdm gdm-x-session: Running process: /etc/gdm3/Prime/Default
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: DISPLAY=:1
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: 
> SHELL=/bin/sh
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: 
> XAUTHORITY=/run/user/12644/gdm/Xauthority
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: 
> RUNNING_UNDER_GDM=true
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: HOME=/
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: PWD=/
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: 
> PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
> May 11 23:41:55 ubugdm gdm-x-session: Process exit status: 0
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: /etc/gdm3/Xsession: 
> Beginning session setup...
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: /etc/gdm3/Xsession: 
> line 41: /dev/stderr: No such device or address
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: localuser:vmuser1 
> being added to access control list
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: localuser:vmuser1 
> being added to access control list
> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir 
> /home/vmuser1/Desktop
> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir 
> /home/vmuser1/Downloads
> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir 
> 

[Freeipa-users] k5login loophole even account is disabled on FreeIPA

2017-05-12 Thread Thomas Lau
Folks,

let's say I am user thomas, and user "temp1" already marked as "disabled"
on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how come
I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA
even though the account is disabled. Did I miss any setting, or is it normal?