Re: [Freeipa-users] [QUERY] CentOS 7 repo for FreeIPA 4.2.0 testing

2015-08-03 Thread Dan Mossor

On 07/16/2015 09:58 AM, Alexander Bokovoy wrote:

Hello!

FreeIPA team has recently released 4.2.0 version[1] which adds a number
of features community members were asking for:

- User certificates
- Vault to store user secrets
- One-way trust to Active Directory
- User life-cycle management for integration with external process
workflows
- [many  other enhancements and improvements]

Development of these features required coordinating changes across
multiple projects.  We have provided the packages for Fedora through our
COPR repository[2].  The repository includes multiple packages, and
relies on multiple others updated in Fedora repositories since Fedora
22.

FreeIPA and other teams at Red Hat are currently working on integrating
FreeIPA 4.2 release into Red Hat Enterprise Linux 7 update. While
traditionally CentOS users had to wait for a Red Hat Enterprise Linux
release, in time for 7.1 update we tried something new with a COPR
repository providing FreeIPA 4.1 for CentOS before Red Hat Enterprise
Linux 7.1 was released. The repository proved to be a success -- both
for quality of bug reports we've got and ability to reach out to you.

With COPR repository for CentOS 7 we've also got experience to manage
expectations of support and maintenance for the FreeIPA 4.1 packages in
the view of upcoming Red Hat Enterprise Linux release. The packages in
the COPR repository would expire when the Red Hat Enterprise Linux
update comes to CentOS and to people who used the repository it would
mean a need to handle upgrades.

We are considering repeating the COPR experiment with FreeIPA 4.2 for CentOS 7.
However, this time we also are relying on updated packages which are
beyond the maintenance of FreeIPA, SSSD, Dogtag, and 389-ds teams. Some
of the updates in those packages include ABI changes. Maintaining our
own rebuilds of these packages in the COPR repository would put
additional burden on the upstream developers and later on you -- when
CentOS 7 updated versions of those packages would come through the
official channels.

Thus, we would like to ask you, whether having a separate COPR
repository for FreeIPA 4.2 would make sense for CentOS 7 users.
The repository will expire with the release of CentOS 7 updates and no
upgrade path would be provided for the bits.  Of course, FreeIPA
replication should work and to move forward you would need to deploy
replicas with formal CentOS bits into the same environment and phase out
the replicas running bits coming from the COPR repository.  This path is
intended but not guaranteed. It might happen that further development
would reveal issues and bugs that might make such migration path broken
and impossible to fix. In this case upstream will make reasonable
efforts but would provide no guarantee that the issue will be addressed.

Does it make sense, and is it worth proceeding with creating a CentOS COPR repo
with upstream bits? Tell us!

[1] http://www.freeipa.org/page/Releases/4.2.0
[2] https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2



I apologize for not responding sooner. Yes, this would be of great 
interest to me, but I can accept if there is no other demand and I need 
to wait for the official release.


--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Setting up Active Directory trusts in a secure environment

2015-07-31 Thread Dan Mossor

On 07/31/2015 02:52 AM, Sumit Bose wrote:


Thank you for the detailed analysis. I guess the 'server was
inaccessible' error is due to the fact that currently FreeIPA does not
have a global catalog, because Windows typically tries to get SIDs from
remote objects from the Global Catalog.



So, to those of y'all that operate in secure environments, what trick do you
use to fully integrate IPA and Active Directory?


With FreeIPA-4.2 the one-way trust feature is introduced. The main
difference to the current scheme is that with one-way trust the FreeIPA
server does not use its host credentials (host keytab) from the IPA
domain to access the AD DC but uses the trusted domain user
(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
the AD domain it should be possible to assign the needed permissions to
this object.

Currently I have no idea how this can be solved with an older version.
Maybe there is a tool on the Windows side which lets you add SIDs
manually into the "Access this computer from the network" policy? If
there is one you can try to add IPA-SID-515 (where you have to replace
IPA-SID by the IPA domain SID).

HTH

bye,
Sumit



I didn't think the SID was even being evaluated - the authentication 
being attempted was through Kerberos, which I understand only uses host 
keytabs, not SIDs. Am I correct in this situation?


Dan

--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



Re: [Freeipa-users] Setting up Active Directory trusts in a secure environment

2015-07-31 Thread Dan Mossor

On 07/31/2015 10:08 AM, Sumit Bose wrote:

On Fri, Jul 31, 2015 at 09:23:53AM -0500, Dan Mossor wrote:

On 07/31/2015 02:52 AM, Sumit Bose wrote:


Thank you for the detailed analysis. I guess the 'server was
inaccessible' error is due to the fact that currently FreeIPA does not
have a global catalog, because Windows typically tries to get SIDs from
remote objects from the Global Catalog.



So, to those of y'all that operate in secure environments, what trick do you
use to fully integrate IPA and Active Directory?


With FreeIPA-4.2 the one-way trust feature is introduced. The main
difference to the current scheme is that with one-way trust the FreeIPA
server does not use its host credentials (host keytab) from the IPA
domain to access the AD DC but uses the trusted domain user
(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
the AD domain it should be possible to assign the needed permissions to
this object.

Currently I have no idea how this can be solved with an older version.
Maybe there is a tool on the Windows side which lets you add SIDs
manually into the "Access this computer from the network" policy? If
there is one you can try to add IPA-SID-515 (where you have to replace
IPA-SID by the IPA domain SID).

HTH

bye,
Sumit



I didn't think the SID was even being evaluated - the authentication being
attempted was through Kerberos, which I understand only uses host keytabs,
not SIDs. Am I correct in this situation?


yes and no :-) The keytab is used to get a TGT and then a cross-realm
TGT from the IPA KDC. The IPA KDC will add a PAC to the TGTs which
contains additional authorization data including SIDs. The PAC is then
used on the Windows side to evaluate if access is granted or not.

bye,
Sumit



Building on what you said regarding the one-way trust, I already have an 
IPA user in Active Directory that I created when I was initially setting 
this up as a synchronized domain instead of a trust.


There are two ways I can go here - I can either revert back to the 
password sync and replication, or somehow convince IPA to use that user 
for the trust relationship. I suspect it will impossible without a patch 
to use a user account instead of Kerberos for the trust, so that leaves 
going back to the replication setup.


Our ultimate goal in the environment is single sign on - when our users 
log into their Windows 7 workstations, they shouldn't then have to log 
into the chat server, the wiki, and mercurial; all those extra services 
running on Linux should be able to accept the Active Directory credentials.


One final option I have, since this is a very small network, is to just 
join my Linux servers to the Active Directory domain, and not use the 
FreeIPA intermediary.


--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

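Sumit's suggestion above turns on a SID calculation: take the IPA domain's SID and append RID 515 (the well-known "Domain Computers" RID) to name the group the IPA server's host principal lands in when its PAC is evaluated by Windows. The helpers below are an added example, not FreeIPA or SSSD code: they parse textual SIDs, convert them to and from the binary layout Active Directory stores in objectSid (the form you see when reading the attribute over LDAP), and derive the domain-relative group SID. The domain SID in the sample is constructed.

```python
"""SID helpers for the 'IPA-SID-515' suggestion above (added example, not project code)."""
import struct

# Well-known domain-relative RIDs referenced in the thread's policy discussion.
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
}

# Constructed IPA domain SID; a real one comes from `ipa trustconfig-show`.
SAMPLE_IPA_DOMAIN_SID = "S-1-5-21-1234567890-987654321-1122334455"


def parse_sid(text):
    """Split 'S-1-5-21-a-b-c' into (revision, identifier authority, [sub-authorities])."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Revision is always 1; the authority is a 48-bit value; at most 15 sub-authorities.
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("malformed SID: %r" % text)
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("sub-authority out of range in %r" % text)
    return revision, authority, subs


def format_sid(revision, authority, subs):
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_to_bytes(text):
    """Binary objectSid layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes big-endian), sub-authorities (4 bytes each, little-endian)."""
    revision, authority, subs = parse_sid(text)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(raw):
    """Inverse of sid_to_bytes, with length checks so a truncated blob is rejected."""
    if len(raw) < 8:
        raise ValueError("SID blob too short")
    revision, count = struct.unpack("<BB", raw[:2])
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    subs = [struct.unpack("<I", raw[8 + 4 * i:12 + 4 * i])[0] for i in range(count)]
    return format_sid(revision, authority, subs)


def domain_sid_with_rid(domain_sid, rid):
    """Append a RID to a domain SID: IPA-SID + 515 is the IPA domain's 'Domain Computers' SID.
    Only S-1-5-21-x-y-z shaped SIDs are domain SIDs; anything else is refused."""
    revision, authority, subs = parse_sid(domain_sid)
    if not (authority == 5 and len(subs) == 4 and subs[0] == 21):
        raise ValueError("%r is not a domain SID (expected S-1-5-21-x-y-z)" % domain_sid)
    return format_sid(revision, authority, subs + [rid])


def describe(sid):
    """Human-readable label for a domain-relative SID whose RID is well known."""
    _, _, subs = parse_sid(sid)
    return WELL_KNOWN_RIDS.get(subs[-1], "RID %d" % subs[-1]) if subs else "no RID"


if __name__ == "__main__":
    group = domain_sid_with_rid(SAMPLE_IPA_DOMAIN_SID, 515)
    print(group, "->", describe(group))
    print(sid_to_bytes(group).hex())
```

`sid_from_bytes(sid_to_bytes(s))` round-trips any valid SID, which is the check worth running before pasting a SID into a Windows policy editor: a SID that does not survive the round trip is not one AD will accept either.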


[Freeipa-users] Setting up Active Directory trusts in a secure environment

2015-07-30 Thread Dan Mossor

Greetings, folks.

So, I've been fighting with getting a trust set up between FreeIPA 4.1 
on CentOS 7.1 and Windows Server 2008r2 for nearly a week. Today I 
finally came to a conclusion as to what my issue is.


I operate a secure network in which we have configuration guidelines for 
securing Windows that we have to meet in order to receive what's known 
as an "Authority to Operate", or ATO. A lot of this configuration is 
done in the Global Policies.


Today I stumbled across one error buried in the Windows Security event 
log, and when correlated with the errors I was seeing from FreeIPA led 
me to our policy. The error that popped up in the event log was "The 
user has not been granted the requested logon type at this machine". The 
logon type was 3, which is network, and the Logon Process and 
Authorization Package were both Kerberos.


Cross referenced with the error on the IPA server:
WARNING: Search on AD DC WINSRV.ad.domain.net:3268 failed with: 
Insufficient access: 8009030C: LdapErr: DSID-0C0904DC, comment: 
AcceptSecurityContext error, data 569, v1db1 Invalid Credentials


Digging into our Domain Controller policy, I found that "Access this 
computer from the network" is restricted to Domain Users, Domain 
Controllers, Domain Computers, Domain Admins, and 
BUILTIN\Administrators. I attempted to add a context that would allow 
the IPA server to log on, and got so far through the wizard that it let 
me select the trusted domain to search and returned a list of security 
contexts, but when I attempted to add one (Authenticated Users), I 
received the error that it couldn't be found because the server was 
inaccessible. I saw no errors on the IPA side during this transaction.


So, to those of y'all that operate in secure environments, what trick do 
you use to fully integrate IPA and Active Directory?


--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-07 Thread Dan Mossor

On 04/07/2015 03:05 AM, Jakub Hrozek wrote:

On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote:

On 04/05/2015 12:51 PM, Dmitri Pal wrote:

Several tips.
Please check your DNS configuration.
Such delay is usually caused by the DNS lookups timing out. That means
that the servers are probably trying to resolve names against an old DNS
server that is not around. Look at resolv.conf and make sure only valid
DNS servers are there and they are in the proper order.

If this does not help please turn on SSSD debug_level to 10, sanitize
and send the SSSD domain logs and sssd.conf to the list.
More hints can be found here:
https://fedorahosted.org/sssd/wiki/Troubleshooting


DNS lookups are good - 'dig' and 'dig -x' return instantaneous forward and
reverse lookups on the IPA server, the target server, and the client. The
only DNS server configured is the IPA server.

I did catch some sssd logs. I set logging to 0x0450 instead of 10, and I
didn't have time to compare if any different information was caught. If you
still need me to specify log level 10 or some other setting, let me know.
The login that these logs are for took 15.371 seconds (checked via 'time ssh
danofs...@yoda.example.lcl exit').

selinux_child.log: http://fpaste.org/207805/
sssd_sudo.log: http://fpaste.org/207806/
sssd_pac.log: http://fpaste.org/207807/
sssd_pam.log: http://fpaste.org/207808/67775142/
sssd_nss.log: http://fpaste.org/207809/
sssd.log: http://fpaste.org/207810/
sssd_example.lcl.log: http://fpaste.org/207811/36832514/


We've recently found a performance problem in the SELinux code. Can you
check if setting:
 selinux_provider = none
improves the performance anyhow?



Adding selinux_provider = none to the domain section of 
/etc/sssd/sssd.conf seems to have drastically improved ssh logins. The 
Apache authentications are faster, but we're still hitting a performance 
issue somewhere in that chain. It may be with Apache itself, so stand 
by...but otherwise, I'm calling this fixed.


Thanks!

--
Dan Mossor
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

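The fix Jakub suggested and Dan confirmed is one line in the domain section of sssd.conf. As an added example (not SSSD or FreeIPA code), the script below reads an sssd.conf, reports which SELinux provider each domain will actually use, and writes out a copy with `selinux_provider = none` in every domain. The configuration text is constructed to resemble the one in the thread; the option names are the real sssd.conf(5) ones. The caveat a practitioner should weigh: with the provider set to `none`, SSSD no longer applies IPA SELinux user maps, so logins that depend on those maps need another mechanism.

```python
"""Inspect and adjust selinux_provider in sssd.conf (added example, not SSSD code)."""
import configparser
import io

# Constructed sssd.conf: an IPA domain with no explicit selinux_provider,
# plus a plain LDAP domain to show the fallback rule.
SAMPLE_CONF = """\
[sssd]
domains = example.lcl, ldap.test
services = nss, pam, sudo, pac
config_file_version = 2

[domain/example.lcl]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, yoda.example.lcl
ipa_domain = example.lcl
cache_credentials = True

[domain/ldap.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.test
"""


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def effective_selinux_providers(text):
    """Map each domain to the SELinux provider SSSD will use.
    Per sssd.conf(5), when selinux_provider is unset the id_provider is used if it
    can serve SELinux requests (ipa can); otherwise no SELinux settings are loaded."""
    cp = _load(text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        explicit = cp[section].get("selinux_provider")
        if explicit:
            provider = explicit.strip()
        elif cp[section].get("id_provider", "").strip() == "ipa":
            provider = "ipa"
        else:
            provider = "none"
        result[section[len("domain/"):]] = provider
    return result


def disable_selinux_provider(text):
    """Return a copy of the config with selinux_provider = none in every domain section,
    the workaround from the thread. Everything else in the file is preserved."""
    cp = _load(text)
    for section in cp.sections():
        if section.startswith("domain/"):
            cp[section]["selinux_provider"] = "none"
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print("before:", effective_selinux_providers(SAMPLE_CONF))
    fixed = disable_selinux_provider(SAMPLE_CONF)
    print("after: ", effective_selinux_providers(fixed))
```

Point the script at a real file with `effective_selinux_providers(open("/etc/sssd/sssd.conf").read())` to see whether a domain is silently using the IPA SELinux provider; sssd.conf must stay mode 0600 and owned by root when you write the adjusted copy back.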


Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-06 Thread Dan Mossor

On 04/05/2015 12:51 PM, Dmitri Pal wrote:

On 04/05/2015 12:10 AM, Dan Mossor wrote:

I've recently deployed a new domain based on 4.1.2 in F21. We've
noticed an issue and can't quite seem to nail it down. The problem is
that logins are taking an inordinate amount of time to complete - the
fastest logon we can get using LDAP credentials is 8 seconds. During
our testing, even logons to the IPA server itself took over 30 seconds
to complete.

I've narrowed this down to sssd, but that is as far as I can get. When
cranking up debugging for sshd and PAM, I see a minimum 2 second delay
between ssh handing off the authentication request to sssd and the
reply back. The only troubleshooting I've done is with ssh, but the
area that causes the most grief is Apache logins. We configured Apache
to use PAM for auth through IPA, vice directly calling IPA itself.
Logging in to our Redmine site takes users a minimum of 34 seconds to
complete. Following this, a simple webpage containing two hyperlinks
and two small thumbnail images takes over a minute to load on a
gigabit network.

The *only* thing changed in this environment was the IPA server. We
moved the Redmine from our old network that was using IPA 3.x (F20
branch) to the new one. My initial reaction was that it was the VM
that was hosting Redmine, but we've run these tests against bare metal
machines in the same network and have the same issue. It appears that
sssd is taking a very, very long time to talk to FreeIPA - even on the
IPA server itself.

However, Kerberos logins into the IPA web GUI are near instantaneous,
while Username/Password logins take more than a few seconds.

I need to get this solved. My developers don't appreciate the glory
days of XP taking 5 minutes to log into an IIS 2.1 web server on the
local network. I don't have the budget to keep them at the coffee pot
waiting on the network. So, what further information do you need from
me to track this one down?

Dan


Several tips.
Please check your DNS configuration.
Such delay is usually caused by the DNS lookups timing out. That means
that the servers are probably trying to resolve names against an old DNS
server that is not around. Look at resolv.conf and make sure only valid
DNS servers are there and they are in the proper order.

If this does not help please turn on SSSD debug_level to 10, sanitize
and send the SSSD domain logs and sssd.conf to the list.
More hints can be found here:
https://fedorahosted.org/sssd/wiki/Troubleshooting

DNS lookups are good - 'dig' and 'dig -x' return instantaneous forward 
and reverse lookups on the IPA server, the target server, and the 
client. The only DNS server configured is the IPA server.


I did catch some sssd logs. I set logging to 0x0450 instead of 10, and I 
didn't have time to compare if any different information was caught. If 
you still need me to specify log level 10 or some other setting, let me 
know. The login that these logs are for took 15.371 seconds (checked via 
'time ssh danofs...@yoda.example.lcl exit').


selinux_child.log: http://fpaste.org/207805/
sssd_sudo.log: http://fpaste.org/207806/
sssd_pac.log: http://fpaste.org/207807/
sssd_pam.log: http://fpaste.org/207808/67775142/
sssd_nss.log: http://fpaste.org/207809/
sssd.log: http://fpaste.org/207810/
sssd_example.lcl.log: http://fpaste.org/207811/36832514/

--
Dan Mossor
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



[Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-04 Thread Dan Mossor
I've recently deployed a new domain based on 4.1.2 in F21. We've noticed 
an issue and can't quite seem to nail it down. The problem is that 
logins are taking an inordinate amount of time to complete - the fastest 
logon we can get using LDAP credentials is 8 seconds. During our 
testing, even logons to the IPA server itself took over 30 seconds to 
complete.


I've narrowed this down to sssd, but that is as far as I can get. When 
cranking up debugging for sshd and PAM, I see a minimum 2 second delay 
between ssh handing off the authentication request to sssd and the reply 
back. The only troubleshooting I've done is with ssh, but the area that 
causes the most grief is Apache logins. We configured Apache to use PAM 
for auth through IPA, vice directly calling IPA itself. Logging in to 
our Redmine site takes users a minimum of 34 seconds to complete. 
Following this, a simple webpage containing two hyperlinks and two small 
thumbnail images takes over a minute to load on a gigabit network.


The *only* thing changed in this environment was the IPA server. We 
moved the Redmine from our old network that was using IPA 3.x (F20 
branch) to the new one. My initial reaction was that it was the VM that 
was hosting Redmine, but we've run these tests against bare metal 
machines in the same network and have the same issue. It appears that 
sssd is taking a very, very long time to talk to FreeIPA - even on the 
IPA server itself.


However, Kerberos logins into the IPA web GUI are near instantaneous, 
while Username/Password logins take more than a few seconds.


I need to get this solved. My developers don't appreciate the glory days 
of XP taking 5 minutes to log into an IIS 2.1 web server on the local 
network. I don't have the budget to keep them at the coffee pot waiting 
on the network. So, what further information do you need from me to 
track this one down?


Dan

--
Dan Mossor
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-10 Thread Dan Mossor
On Fri, Mar 6, 2015 at 1:53 PM, Martin Kosek mko...@redhat.com wrote:

 On 03/06/2015 05:59 PM, Dan Mossor wrote:


 IT WORKS! WOOT!

 In the steps of researching a small issue on another hypervisor, I
 discovered
 that my underlying network, while operational, was not properly
 configured. The
 IPA server and my workstation were supposed to be talking in VLAN 100 and
 110,
 respectively. The network is temporarily configured to route every packet
 it
 receives to the proper VLAN, no matter where it originates.

 My workstation is indeed on VLAN 110, and is tagging the packets
 appropriately.
 The server, however, due to a bridge misconfiguration on the host, was on
 VLAN
 1 and not sending tagged packets at all. But as the router is configured
 to
 route all appropriate packets it appeared to be operating normally.

 I blew away the network configuration on the host and rebuilt it again,
 this
 time ensuring that VLAN 1 was not available on that switch port, and that
 the
 packets leaving the host were tagged with VLAN 100. I brought the IPA
 server
 back up and was able to log in.

 So, chalk this one up to misrouted packets. I didn't even think to look
 there,
 the 401 error gave no clue that networking may be the issue.

 Regards,
 Dan Mossor


 Ugh, that one was nasty, I am glad you figured it out. Now, when you know
 what was the problem, would you maybe have some general Troubleshooting
 advice to

 http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

 that would help people like you uncover the root cause easier?

 Thanks,
 Martin

Martin,

I would love to. Let me think on an effective method to target networking
issues, and I'll write something up for the wiki.

Regards,
Dan

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dan Mossor
On Fri, Mar 6, 2015 at 1:28 AM, Martin Kosek mko...@redhat.com wrote:

 On 03/06/2015 02:38 AM, Dan Mossor wrote:



 On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:

 http://i.imgur.com/mhX86Ng.png

 It should show up if you do not have a ticket. Destroy the ticket on
 the
 client and try  to access the server via browser, you should be
 redirected.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

 Ok then, that is the page that keeps returning. I've tried from this
 workstation using Konquerer, which does not support Kerberos, I've tried
 from Internet Explorer on a Windows 7 Professional desktop, and I've tried
 from a Fedora 21 system that is not enrolled in the domain. I get the exact
 same response with every attempt.

 One additional step I attempted to take was to change the admin password
 on the
 IPA server. I am getting a ldap_sasl_interactive_bind_s: Unknown
 authentication
 method (-6) error back.

 I think this installation is hosed. I am ready to wipe and start over from
 scratch tomorrow. I've already wasted 16 hours on it.


 Sorry to hear that. But I think you should start taking gradual steps in
 your testing and trying to make Web UI over GSSAPI work. I would suggest
 this procedure:

 1) Can I kinit admin and run CLI command (ipa user-show admin)? If
 yes, basic FreeIPA is functioning. Run kdestroy to get rid of Kerberos.

 2) Can I login with form basic auth to my FreeIPA? If not, did you verify
 all the items in http://www.freeipa.org/page/Troubleshooting#Cannot_
 authenticate_to_Web_UI ? Did you try logging with form based auth in
 FreeIPA public demo for example (user admin, password Secret123):

 https://ipa.demo1.freeipa.org/ipa/ui/

 If not, we can dig further. If yes, you can continue with kinit + SSO for
 the Web UI.

Martin, Dmitri,

Thanks for your help, but I've taken every step available on the page you
linked. I just checked this morning before I started over, and on the
server I can kinit as admin and run ipa user-show admin. The ipa tools are
not on my workstation. I then ran kdestroy on both the server and
workstation, and the error remains when logging in to the web UI - it
returns me to the screen I showed above in the link to the screenshot.

Regards,
Dan

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dan Mossor
On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal d...@redhat.com wrote:

  On 03/06/2015 10:35 AM, Dan Mossor wrote:



 On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote:


  From your workstation can you use the demo instance
 https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

   Oh, sorry, I didn't realize I was supposed to check that. For the
 record, yes - I can log into the demo instance on Firefox from my
 workstation. For the sake of completeness, I checked with Konquerer also
 and can log in to the demo instance.

  Regards,
 Dan


 OK, so it seems that something is really broken on that server.
 May be it is easier to start over - up to you. If you want to continue
 troubleshooting we are here to help.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

IT WORKS! WOOT!

In the steps of researching a small issue on another hypervisor, I
discovered that my underlying network, while operational, was not properly
configured. The IPA server and my workstation were supposed to be talking
in VLAN 100 and 110, respectively. The network is temporarily configured to
route every packet it receives to the proper VLAN, no matter where it
originates.

My workstation is indeed on VLAN 110, and is tagging the packets
appropriately. The server, however, due to a bridge misconfiguration on the
host, was on VLAN 1 and not sending tagged packets at all. But as the
router is configured to route all appropriate packets it appeared to be
operating normally.

I blew away the network configuration on the host and rebuilt it again,
this time ensuring that VLAN 1 was not available on that switch port, and
that the packets leaving the host were tagged with VLAN 100. I brought the
IPA server back up and was able to log in.

So, chalk this one up to misrouted packets. I didn't even think to look
there, the 401 error gave no clue that networking may be the issue.

Regards,
Dan Mossor

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dan Mossor
On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote:


 From your workstation can you use the demo instance
 https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

Oh, sorry, I didn't realize I was supposed to check that. For the
record, yes - I can log into the demo instance on Firefox from my
workstation. For the sake of completeness, I checked with Konquerer also
and can log in to the demo instance.

Regards,
Dan

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/05/2015 05:51 PM, Dan Mossor wrote:

  As an additional test, I created a new user on my workstation and
 switched to it. the first thing I did was kinit as admin, then started
 Firefox, went through the browser configuration provided by the IPA server,
 and attempted to log in. I received the same error[1].

 [1]http://i.imgur.com/mhX86Ng.png


  Have you checked times and time zones on the client and on the server?

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


The server is set for GMT time, whereas the client is set for local time,
US Central Standard Time. Except for that difference, they are within 1
second of each other.

Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote:



 On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/05/2015 05:51 PM, Dan Mossor wrote:

  As an additional test, I created a new user on my workstation and
 switched to it. the first thing I did was kinit as admin, then started
 Firefox, went through the browser configuration provided by the IPA server,
 and attempted to log in. I received the same error[1].

 [1]http://i.imgur.com/mhX86Ng.png


  Have you checked times and time zones on the client and on the server?

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 The server is set for GMT time, whereas the client is set for local time,
 US Central Standard Time. Except for that difference, they are within 1
 second of each other.

 Dan

As an experiment after this email exchange, I switched the server to
Central Standard Time using timedatectl. I then ran kinit again, and
attempted to log into the GUI. There was no change - I still cannot access
the GUI. Here is the krb5kdc.log from the period:

Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez@rez.lcl for
krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18
ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18
ses=18}, host/dmfedora.rez@rez.lcl for ldap/vader.rez@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for
krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18
ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated
(retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez@rez.lcl for
krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18
ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for
krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18
ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18
ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl


One thing I did determine is the authtime in the krb5kdc log is epoch time.
I checked it, and it translates directly to the standard time.

Dan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
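Worked example, added here by the editor and not part of any message in this thread or of FreeIPA itself: a small Python parser for krb5kdc.log lines of the shape quoted above. It makes the authtime point concrete. authtime is a UTC epoch second, so on an AS_REQ ISSUE line the gap between it and the syslog-style timestamp is exactly the KDC's time-zone offset (0 h while the server was on GMT, -6 h after the switch to Central), which is why changing the server's zone moves the log stamps but cannot affect ticket validity; a genuine clock-skew problem shows up as a KRB_ERROR (clock skew too great) rather than a constant offset. The same parser also reports any non-AES etype actually used for the reply, ticket or session key. The sample lines are constructed after the excerpt, with a hypothetical realm EXAMPLE.TEST and hypothetical host names; the log carries no year, so 2015 is taken from the message date, and the rc4 etypes on the last TGS_REQ line are a deliberate change to exercise the check.

```python
"""Added example: parse MIT krb5kdc log lines and check timestamps and etypes."""
import re
from datetime import datetime, timedelta, timezone

# Syslog-style header: "Mon DD HH:MM:SS host krb5kdc[pid](level): message".
# It carries no year and is written in the KDC's local time zone.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
REQ_RE = re.compile(
    r"^(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<detail>.*)$"
)
ISSUE_RE = re.compile(
    r"^authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, (?P<cname>\S+) for (?P<sname>\S+)$"
)
PREAUTH_RE = re.compile(
    r"^(?P<cname>\S+) for (?P<sname>\S+), Additional pre-authentication required$"
)

# Etype numbers from RFC 3961/3962/4757/6803; only the AES family counts as strong here.
ETYPE_NAMES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
               16: "des3-cbc-sha1", 23: "rc4-hmac",
               25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}
STRONG_ETYPES = {17, 18}

# Constructed sample modelled on the thread's excerpt (hypothetical realm and hosts).
# The rc4 etypes on the last request are a deliberate change to exercise weak_etypes().
SAMPLE = [
    "Mar 06 00:28:54 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Mar 06 00:28:54 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Mar 05 18:29:25 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Mar 05 18:29:44 kdc.example.test krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=23 ses=23}, admin@EXAMPLE.TEST for HTTP/kdc.example.test@EXAMPLE.TEST",
    "Mar 05 18:29:26 kdc.example.test krb5kdc[1073](info): closing down fd 12",
]


def parse_kdc_line(line, year=2015):
    """Return a record for an AS_REQ/TGS_REQ line, or None for any other line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    r = REQ_RE.match(m.group("msg"))
    if not r:
        return None
    rec = {
        "logged": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "kdc": m.group("host"), "kind": r.group("kind"), "client": r.group("client"),
        "status": r.group("status"),
        "offered_etypes": [int(e) for e in r.group("etypes").split()],
        "authtime": None, "cname": None, "sname": None, "etypes": None,
    }
    detail = r.group("detail")
    if rec["status"] == "ISSUE":
        i = ISSUE_RE.match(detail)
        if i:
            rec["authtime"] = datetime.fromtimestamp(int(i.group("authtime")), timezone.utc)
            rec["cname"], rec["sname"] = i.group("cname"), i.group("sname")
            rec["etypes"] = {k: int(i.group(k)) for k in ("rep", "tkt", "ses")}
    elif rec["status"] == "NEEDED_PREAUTH":
        p = PREAUTH_RE.match(detail)
        if p:
            rec["cname"], rec["sname"] = p.group("cname"), p.group("sname")
    return rec


def log_utc_offset_hours(rec):
    """Offset of the KDC's log clock from UTC, taken from an AS_REQ ISSUE line.

    authtime is the UTC epoch second at which the TGT was issued.  For an AS_REQ
    that is the request time itself, so the difference to the syslog timestamp
    is the KDC's time-zone offset.  A TGS_REQ repeats the authtime of the
    original TGT (in the sample, 18:29:44 still carries 18:29:25), so it says
    nothing about the clock and None is returned.
    """
    if rec["kind"] != "AS_REQ" or rec["authtime"] is None:
        return None
    delta = rec["logged"] - rec["authtime"].replace(tzinfo=None)
    return round(delta / timedelta(hours=1), 2)


def weak_etypes(rec):
    """Names of non-AES etypes actually used for the reply, ticket or session key."""
    if not rec["etypes"]:
        return []
    return sorted({ETYPE_NAMES.get(e, str(e)) for e in rec["etypes"].values()
                   if e not in STRONG_ETYPES})


def report(lines, year=2015):
    """One summary row per AS_REQ/TGS_REQ line, with offset and etype findings."""
    rows = []
    for line in lines:
        rec = parse_kdc_line(line, year)
        if rec is None:
            continue
        rows.append({
            "logged": rec["logged"].isoformat(sep=" "),
            "authtime_utc": rec["authtime"].isoformat() if rec["authtime"] else None,
            "kind": rec["kind"], "status": rec["status"], "client": rec["client"],
            "cname": rec["cname"], "sname": rec["sname"],
            "kdc_utc_offset_h": log_utc_offset_hours(rec), "weak_etypes": weak_etypes(rec),
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Run it against a real file with report(open("/var/log/krb5kdc.log").read().splitlines()); a non-zero kdc_utc_offset_h on every AS_REQ row is only the KDC's time zone, while rows with a non-empty weak_etypes list deserve a look at the service's allowed etypes.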

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 4:59 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Dan Mossor wrote:
  On Thu, Mar 5, 2015 at 4:34 PM, Dan Mossor danofs...@gmail.com
  mailto:danofs...@gmail.com wrote:
 
 
  As an additional test, I created a new user on my workstation and
  switched to it. The first thing I did was kinit as admin, then started
  Firefox, went through the browser configuration provided by the IPA
  server, and attempted to log in. I received the same error[1].
 
  [1]http://i.imgur.com/mhX86Ng.png

 I'd look for SELinux errors: ausearch -m AVC -ts recent

 Perhaps we can't create a login session for some reason.

 rob

 I checked the /var/log/audit/audit.log, and SELinux is not reporting
anything during the time I am attempting to access the GUI.

But, for the sake of thoroughness:

[root@vader ipa]#  ausearch -m AVC -ts recent
no matches
[root@vader ipa]#

Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com wrote:

 http://i.imgur.com/mhX86Ng.png

 It should show up if you do not have a ticket. Destroy the ticket on the
 client and try  to access the server via browser, you should be redirected.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

  Ok then, that is the page that keeps returning. I've tried from this
workstation using Konqueror, which does not support Kerberos, I've tried
from Internet Explorer on a Windows 7 Professional desktop, and I've tried
from a Fedora 21 system that is not enrolled in the domain. I get the exact
same response with every attempt.

One additional step I attempted to take was to change the admin password on
the IPA server. I am getting an ldap_sasl_interactive_bind_s: Unknown
authentication method (-6) error back.

I think this installation is hosed. I am ready to wipe and start over from
scratch tomorrow. I've already wasted 16 hours on it.

Dan

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/05/2015 07:36 PM, Dan Mossor wrote:

  On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote:



 On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:

   On 03/05/2015 05:51 PM, Dan Mossor wrote:

  As an additional test, I created a new user on my workstation and
 switched to it. The first thing I did was kinit as admin, then started
 Firefox, went through the browser configuration provided by the IPA server,
 and attempted to log in. I received the same error[1].

 [1]http://i.imgur.com/mhX86Ng.png


   Have you checked times and time zones on the client and on the server?

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


  The server is set for GMT time, whereas the client is set for local
 time, US Central Standard Time. Except for that difference, they are within
 1 second of each other.

  Dan

  As an experiment after this email exchange, I switched the server to
 Central Standard Time using timedatectl. I then ran kinit again, and
 attempted to log into the GUI. There was no change - I still cannot access
 the GUI. Here is the krb5kdc.log from the period:

 Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez@rez.lcl
 for krbtgt/rez@rez.lcl, Additional pre-authentication required
 Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18
 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
 Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18
 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18
 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for
 ldap/vader.rez@rez.lcl
 Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for
 krbtgt/rez@rez.lcl, Additional pre-authentication required
 Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18
 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
 Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated
 (retransmitted?) request from 10.1.1.15, resending previous response
 Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
 Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez@rez.lcl for
 krbtgt/rez@rez.lcl, Additional pre-authentication required
 Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18
 ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
 Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for
 krbtgt/rez@rez.lcl, Additional pre-authentication required
 Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18
 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
 Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18
 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18
 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl


  One thing I did determine is that the authtime in the krb5kdc log is epoch
 time. I checked it, and it translates directly to the standard time.

  Dan


 Hm. OK.

 I do not think it was ever mentioned which version of the server and
 client you are running, but based on the UI it seems like the latest.
 Also you are trying to log in after using kinit. Can you log in using
 forms-based authentication, or does that not work either?


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

  I can't seem to locate the form-based authentication for 4.1.2-1 - I was
going to try that in order to add the information to this thread, but I can
find no reference as to where it is and I can't find it manually on the
file system. Can you give me the default URL for it?

freeipa-server-4.1.2-1.fc21.x86_64
freeipa-client-4.1.2-1.fc21.x86_64

Dan
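On the forms-based login question: the endpoint the FreeIPA web UI itself posts to is /ipa/session/login_password, a form-encoded POST with user and password fields. On success the server sets the ipa_session cookie; on failure it answers 401 with an X-IPA-Rejection-Reason header. The script below is an added example from the editor, not code from this thread or from the FreeIPA project. The server name ipa.example.test and the user are assumptions, and the rejection-reason strings are the ones FreeIPA 4.x's rpcserver uses as known to the editor, not something this thread confirms. Logging in this way with a user whose password is reported as expiring in 0 days, as in the earlier message, separates a password-policy problem (password-expired) from the Kerberos/Negotiate failures in the httpd log, because no ticket is involved.

```python
"""Added example: form-based login to the FreeIPA web API, bypassing Negotiate."""
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request

# Values of the X-IPA-Rejection-Reason header on a 401 from login_password
# (FreeIPA 4.x rpcserver, as known to the editor; not taken from the thread).
REJECTION_HINTS = {
    "invalid-password": "wrong user name or password",
    "password-expired": "password expired: reset it (ipa passwd) and log in again",
    "krbprincipal-expired": "the Kerberos principal itself has expired",
    "user-locked": "account locked after too many failed logins",
    "denied": "login denied by policy (user disabled, not found, or HBAC)",
}


def build_login_request(server, user, password):
    """Build the POST the web UI sends for forms-based login (no Kerberos needed)."""
    url = f"https://{server}/ipa/session/login_password"
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "text/plain",
        # rpcserver rejects requests whose Referer is not under the server's /ipa URL.
        "Referer": f"https://{server}/ipa",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def classify_login_response(status, headers):
    """Map the HTTP status and headers of login_password to (ok, explanation)."""
    if status == 200:
        return True, "session cookie issued (ipa_session)"
    reason = headers.get("X-IPA-Rejection-Reason", "")
    if status == 401:
        return False, REJECTION_HINTS.get(reason, f"rejected: {reason or 'no reason given'}")
    return False, f"unexpected HTTP {status}"


def login(server, user, password, timeout=10):
    """Perform the login; returns (ok, explanation, cookie jar holding ipa_session)."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    req = build_login_request(server, user, password)
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:       # 401 and friends arrive as exceptions
        status, headers = err.code, err.headers
    ok, why = classify_login_response(status, headers)
    return ok, why, jar


if __name__ == "__main__":
    import getpass
    import sys

    # usage: python3 ipa_form_login.py ipa.example.test admin  (hypothetical names)
    ok, why, _jar = login(sys.argv[1], sys.argv[2], getpass.getpass("IPA password: "))
    print("OK" if ok else "FAIL", why)
```

The jar returned on success carries the ipa_session cookie that the JSON-RPC endpoint (/ipa/session/json) expects, so the same opener can be reused to call the API once the login path is known to work.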

[Freeipa-users] WebUI authentication problems

2015-02-19 Thread Dan Mossor
I just installed a new server on Fedora 21 Server, using the rolekit 
deployment tool. Everything was installed and configured (I hope) 
properly, but I'm running into a problem. The version is 
freeipa-server-4.1.2-1.fc21.x86_64, and I can connect to the WebUI only 
after a restart of ipa.service.


After approximately 15 minutes, I am kicked out of the active session - 
while in the middle of using it - and cannot log back in. Login was 
attempted from 4 browsers across two machines, and every time the login 
screen returns with Your session has expired. Please re-login.


/var/log/httpd/errors is showing the following:
[Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client 
10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client 
10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.406615 2015] [auth_kerb:error] [pid 1616] [client 
10.1.0.15:54965] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:50.356014 2015] [auth_kerb:error] [pid 1161] [client 
10.1.0.15:54966] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.263088 2015] [auth_kerb:error] [pid 1417] [client 
10.1.0.15:54968] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.327075 2015] [auth_kerb:error] [pid 1168] [client 
10.1.0.15:54967] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client 
10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported 
mechanism was requested (, Unknown error), referer: 
https://vader.dom.net/ipa/ui/


Restarting httpd, I can log in, and am immediately logged out again with 
the above errors.


Restarting ipa.service, I was able to log in with my user account, and 
was notified that my password expires in 0 days - even though it was 
just created less than an hour ago.


Is this a known issue, or is there a hidden problem with the rolekit 
deployment that I need to track down?




--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



[Freeipa-users] Minimum Disk Size

2015-02-03 Thread Dan Mossor
What would be the minimum recommended disk size for a virtual FreeIPA 
server on a network consisting of less than 30 users and 100 hosts?


Regards,
Dan
--
Dan Mossor
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



[Freeipa-users] Suggested Upgrade Path

2014-09-17 Thread Dan Mossor

Good day, folks.

I am curious what the suggested upgrade path is for FreeIPA. Currently, 
I am running freeipa-server-3.3.5-1.fc20.x86_64 on a virtual Fedora 20 
server and am planning my upgrade to FreeIPA 4.0.3 on Fedora 21 Server.


My current thought is to just build the F21 server and set it up as a 
replication server, then destroy the F20 VM. Will that be a seamless 
migration, or am I missing something?

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA



[Freeipa-users] Kerberized NFS and automount

2014-09-17 Thread Dan Mossor
I have been fighting with getting my NFS servers kerberized since I 
first installed FreeIPA back in April - I still cannot create a secured 
NFS mount, and have exhausted all my resources in troubleshooting, so I 
am reaching out to the list since I see many of you have it working.


The next step in the puzzle will be to make this work with automount, 
which, again, I can't get working either. I am missing one key step 
here, but I can't find it. The documentation for both issues is 
confusing, especially to someone new to FreeIPA.


So first, let's tackle the Kerberized NFS mounts. On the server doing 
the exporting, here are the pertinent files.

/etc/sysconfig/nfs:
RPCNFSDARGS=
RPCNFSDCOUNT=8
RPCMOUNTDOPTS=--debug all
STATDARG=
RPCIDMAPDARGS=
RPCGSSDARGS=--debug all
GSS_USE_PROXY=no
RPCSVCGSSDARGS=

My last attempt at an /etc/exports file before I gave up:
/home/repo gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)

What other information do y'all need to help me get this working?
--
Dan Mossor
Systems Engineer at Large
Fedora QA Team | Fedora KDE SIG | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

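An added example from the editor, not from this thread or from nfs-utils: a Python audit of /etc/exports that flags exports reachable without Kerberos. exports(5) documents sec= as the way to require a security flavour (sec=krb5, krb5i or krb5p, or a colon-separated list of several); the gss/krb5p pseudo-client syntax in the export line above is the older form of the same thing, and a client spec with no sec= at all defaults to sec=sys, where the client simply asserts its own uid and gid. The sample exports text is constructed, with the thread's line as its first entry.

```python
"""Added example: audit /etc/exports for NFS exports that do not require Kerberos."""
import re

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}
# One client spec: "client(opt,opt,...)" or a bare "client"; "*" means every host.
SPEC_RE = re.compile(r"^(?P<client>[^(]*)(?:\((?P<opts>[^)]*)\))?$")

# Constructed sample; the first line is the one from the thread.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/repo  gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
/srv/data   *(sec=krb5p,rw,subtree_check)
/srv/legacy 10.1.0.0/24(rw,sync)
/srv/mixed  *(sec=sys:krb5,ro)
"""


def parse_exports(text):
    """Yield (path, client, [options]) per client spec; comments and blanks skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]   # a path with no client means all hosts
        for spec in specs:
            m = SPEC_RE.match(spec)
            if not m:
                raise ValueError(f"malformed client spec {spec!r} for {path}")
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            yield path, m.group("client"), opts


def sec_flavors(client, opts):
    """Security flavours one spec asks for, as (source, flavour) pairs.

    'gss/<flavour>' is the pre-sec= pseudo-client syntax; sec= is the current
    form and may list several flavours separated by colons.
    """
    flavors = []
    if client.startswith("gss/"):
        flavors.append(("legacy", client[len("gss/"):]))
    for o in opts:
        if o.startswith("sec="):
            flavors.extend(("sec", f) for f in o[len("sec="):].split(":"))
    return flavors


def audit_exports(text):
    """Return (path, client, message) findings for specs that are not Kerberos-only."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = sec_flavors(client, opts)
        if not flavors:
            findings.append((path, client,
                             "no sec= option: defaults to sec=sys (client asserts uid/gid)"))
            continue
        for source, flavor in flavors:
            if source == "legacy":
                findings.append((path, client,
                                 f"legacy gss/{flavor} syntax: use sec={flavor} in the option list"))
            elif flavor not in KRB_FLAVORS:
                findings.append((path, client, f"sec={flavor} permits unauthenticated access"))
        if "no_root_squash" in opts:
            findings.append((path, client,
                             "no_root_squash: remote uid 0 is not mapped to nobody"))
    return findings


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for path, client, msg in audit_exports(text):
        print(f"{path} {client}: {msg}")
```

The server still needs an nfs/<fqdn> service principal in /etc/krb5.keytab (ipa service-add followed by ipa-getkeytab) before any sec=krb5* export can be mounted; this script only checks that the export side does not silently fall back to AUTH_SYS.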