[Freeipa-users] IPA DNS response issue

2014-03-18 Thread David


Hi all - 


We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some
odd behavior with respect to serving DNS.  Periodically (interval at random)
named running on a replica will stop serving requests from the LDAP server but
continue to respond with recursive requests.  This type of failure causes us
problems, as you could imagine.  (It doesn't fail cleanly so it won't request
from another server.)  We've adjusted the amount of connections each named
makes to 389, but it doesn't seem to make a difference.  We're not seeing
anything in the logs so troubleshooting this is becoming a bit of a
(high-visibility) puzzle to us.

I do happen to have a core file that I grabbed last night before sending a
SIGKILL to named and restarting.  (A SIGTERM has no effect.)

Hopefully there's an easy answer here that we can get rolled into the
environment quickly.  FreeIPA has treated us extraordinarily well so far!

David
About our configuration:

OS: CentOS 6.5, x86_64

Packages:
bind-9.8.2-0.23.rc1.el6_5.1.x86_64
bind-dyndb-ldap-2.3-5.el6.x86_64
ipa-server-3.0.0-37.el6.x86_64


Configuration:

bind-dyndb-ldap is used in conjunction with IPA 3.0.0-37.

The version of bind is 9.8.2-0.23.rc1

Our dynamic-db section of named.conf is as follows:


dynamic-db "ipa" {
  library "ldap.so";
  arg "uri ldapi://%2fvar%2frun%2fslapd-XXX-XXX.socket";
  arg "connections 10";
  arg "base cn=dns, dc=XXX,dc=XXX";
  arg "fake_mname XXX.ipa.hosted.zone.";
  arg "auth_method sasl";
  arg "sasl_mech GSSAPI";
  arg "sasl_user DNS/XXX.ipa.hosted.zone";
  arg "zone_refresh 0";
  arg "psearch yes";
  arg "serial_autoincrement yes";
  arg "verbose_checks yes";
};


We do not have any text based or DLZ zones configured.

We do not have any global forwarders configured.

We do not have any settings in the global configuration object in LDAP.


$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=XXX,dc=XXX' '(objectClass=idnsConfigObject)'
SASL/GSSAPI authentication started

...

# dns, XXX.XXX
dn: cn=dns,dc=XXX,dc=XXX
objectClass: idnsConfigObject
objectClass: nsContainer
objectClass: top
cn: dns

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
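Added here as an illustration (not David's code and not part of FreeIPA or bind-dyndb-ldap): a stdlib-only Python probe that asks one replica for a record inside the LDAP-backed zone and for an external name, and reports the exact state the post describes, recursion still answered while the authoritative zone is not. The replica address and the two names in the `__main__` block are constructed placeholders.

```python
"""Stdlib-only probe for the symptom above: named answers recursive queries but
no longer serves the LDAP-backed IPA zone. Run it from cron/monitoring against
each replica. Server address and names at the bottom are constructed placeholders."""
import random
import socket
import struct
from typing import Dict, Optional

QTYPE_A = 1
QCLASS_IN = 1


def build_query(qname: str, qtype: int = QTYPE_A, rd: bool = True) -> bytes:
    """Build a minimal DNS query packet (header + one question), RD set by default."""
    qid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000          # opcode QUERY, only the RD bit
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def parse_header(resp: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": (flags >> 15) & 1,      # 1 = response
        "aa": (flags >> 10) & 1,      # authoritative answer
        "ra": (flags >> 7) & 1,       # recursion available
        "rcode": flags & 0x000F,      # 0 = NOERROR, 2 = SERVFAIL, 5 = REFUSED
        "ancount": an,
    }


def classify(auth: Optional[Dict[str, int]], rec: Optional[Dict[str, int]]) -> str:
    """Turn the two probe results into one state.

    auth: header for a record inside the IPA zone (healthy: AA set, NOERROR, answers)
    rec:  header for a name outside any local zone (healthy: NOERROR with answers)
    None means that probe timed out or returned a mismatched ID.
    """
    if auth is None and rec is None:
        return "down"
    auth_ok = auth is not None and auth["aa"] == 1 and auth["rcode"] == 0 and auth["ancount"] > 0
    rec_ok = rec is not None and rec["rcode"] == 0 and rec["ancount"] > 0
    if auth_ok and rec_ok:
        return "ok"
    if rec_ok and not auth_ok:
        return "ldap-backend-stalled"   # the state described in the post
    if auth_ok and not rec_ok:
        return "recursion-broken"
    return "failing"


def probe(server: str, qname: str, timeout: float = 2.0) -> Optional[Dict[str, int]]:
    """Send one UDP query to server:53; return the parsed header or None on timeout."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    if hdr["id"] != struct.unpack("!H", query[:2])[0] or hdr["qr"] != 1:
        return None
    return hdr


def check_replica(server: str, zone_name: str, external_name: str) -> str:
    """One-shot health verdict for a replica: see classify() for the states."""
    return classify(probe(server, zone_name), probe(server, external_name))


if __name__ == "__main__":
    # Constructed placeholders: a replica address, a host record in the IPA zone,
    # and a name the replica must recurse for.
    print(check_replica("192.0.2.53", "host1.ipa.hosted.zone.", "www.example.com."))
```

A verdict of "ldap-backend-stalled" from a replica is the case where a plain "does port 53 answer" check would still report healthy.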


Re: [Freeipa-users] IPA DNS response issue

2014-03-19 Thread David

On Wed, Mar 19, 2014 at 01:57:24PM +0100, Petr Spacek wrote:
> On 18.3.2014 15:26, David wrote:
>> We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some
>> odd behavior with respect to serving DNS.  Periodically (interval at random)
>> named running on a replica will stop serving requests from the LDAP server but
>> continue to respond with recursive requests.  This type of failure causes us
>> problems, as you could imagine.  (It doesn't fail cleanly so it won't request
>> from another server.)  We've adjusted the amount of connections each named
>> makes to 389, but it doesn't seem to make a difference.  We're not seeing
>> anything in the logs so troubleshooting this is becoming a bit of a
>> (high-visibility) puzzle to us.
>>
>> I do happen to have a core file that I grabbed last night before sending a
>> SIGKILL to named and restarting.  (A SIGTERM has no effect.)
>>
>> Hopefully there's an easy answer here that we can get rolled into the
>> environment quickly.  FreeIPA has treated us extraordinarily well so far!
>
> Note that David (I guess :-) added logs to the ticket
> https://fedorahosted.org/bind-dyndb-ldap/ticket/131
> and I'm looking into it.

Actually, that's not me!  I don't have anywhere near as much logging...
At least I'm not alone...

Our failures also seem to happen around log rotation time.

The Kerberos ticket expiring is interesting.  I'll poke around on my
installation and see what I see on this side.

If you need any other information, please let me know.

David



[Freeipa-users] Fedora 15 IPA Server Upgrade Broke LDAP

2012-03-19 Thread David
After upgrading the IPA server on a Fedora 15 host to 
freeipa-server-2.1.4-3.fc15.x86_64 along with the LDAP dependency of 
389-ds-base-1.2.10.2-1.fc15.x86_64, the IPA server fails to start due to 
the following error:


Failed to read data from Directory Service: Failed to get list of 
services to probe status!
Configured hostname 'ipa01.ourdomain.net' does not match any master 
server in LDAP:
No master found because of error: {'matched': 'dc=ourdomain,dc=net', 
'desc': 'No such object'}


and IPA shuts down.

Using dbscan to view 
/var/lib/dirsrv/slapd-OURDOMAIN-NET/db/userRoot/id2entry.db4 I can see 
the data is still "there".


Has anyone run into this issue and if so what needs to be done to 
correct it?



Re: [Freeipa-users] BIND named.conf

2012-07-15 Thread david

One thing to be aware of, you may see some performance hits if the master
for that zone is setup for dynamic updates. A dynamic zone cannot send IXFR
and so any time the slave receives notification, he will ask for an IXFR and
will instead receive an AXFR. If the zones are small, this is not a big
deal, but a busy dynamic zone with a hundred thousand records with just a
couple of slaves (6 in the case I am thinking of), the master server was
brought to his knees just from zone transfers. As you can imagine, this is
also extremely stressful on the slave servers, receiving and processing the
full AXFR every time there is a single record change. If your master for
myzone.tld uses standard bind zone files, then this is not a big deal. 


 -DTK

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Michael Mercier
Sent: Friday, July 13, 2012 8:21 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] BIND named.conf

I will try to be more clear...

My IPA zone is named intranet.local running on ipaserver1 and ipaserver2.
I have another zone (call it "myzone.tld") hosted on some other systems.  I
would like ipaserver1 and ipaserver2 to both be a slave for this zone (not
use a forwarder for the zone).

Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in
named.conf, is there anything that I should be concerned about if I were to
add:

zone "myzone.tld" {
  type slave;
  file "slave/myzone.db";
  masters { u.x.y.z;  w.x.y.z; };
  allow-notify { u.x.y.z;  w.x.y.z; };
  also-notify { ipaserver2 };
};

to ipaserver1?

I had considered adding the zone via 'ipa dnszone-add
ipaserver1.intranet.local' but I did not find anything specific in the
documentation describing how to configure the new zone as a slave of another
system.  Also, the number of entries in the zone is large and there are a
many updates per day and I was uncertain of the type of performance I could
expect.

Thanks,
Mike
On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:

> On 07/13/2012 07:04 PM, Michael Mercier wrote:
>> Hello,
>>
>> I am by no means an expert either, but I believe what you are 
>> recommending would forward requests for "myzone.tld" to the
>> ip.of.forwarder1 etc.
>> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all 
>> the data) of "myzone.tld", and have ipaserver2 slave this data from 
>> ipaserver1.
>>
>
> The replicas in IPA do not need to be specially configured to be 
> slaves of each other. They have the same data which is replicated by 
> LDAP back end so it is not clear why you are trying to configure the 
> replicas to be in master-slave relation.
>
>
>> Thanks,
>> Mike
>>
>> On 13-Jul-12, at 5:11 PM, KodaK wrote:
>>
>>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier 
>>> 
>>> wrote:
>>>> Hello,
>>>>
>>>> When using IPA 2.2.0 with DNS setup (--setup-dns), is there any
>>>> issues with adding slaves to the named.conf file?
>>>>
>>>> example on ipaserver1:
>>>>
>>>> zone "myzone.tld" {
>>>>   type slave;
>>>>   file "slave/myzone.db";
>>>>   masters { u.x.y.z;  w.x.y.z; };
>>>>   allow-notify { u.x.y.z;  w.x.y.z; };
>>>>   also-notify { ipaserver2 };
>>>> };
>>>
>>>
>>> I'm no expert, but I think you'd want to use the command line option
>>> dnsconfig-mod:
>>>
>>> ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2
>>> myzone.tld
>>>
>>>
>>> --
>>> The government is going to read our mail anyway, might as well make 
>>> it tough for them.  GPG Public key ID:  B6A1A7C6
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>


Re: [Freeipa-users] BIND named.conf

2012-07-16 Thread david

Sorry, I was unclear. The problem is not dynamic in terms of "nsupdate"
versus manually editing zonefiles, but rather backed by a dynamic source,
such as a database, directory, etc. For a DLZ-backed zone, there is no
straightforward way for the server responding to the IXFR request to know
which records are new with certainty, so he just ships out the whole zone.
Last time I saw this was on a BIND9+DLZ+database solution. 


 -DTK

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Monday, July 16, 2012 3:04 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] BIND named.conf

Hello,

AFAIK there were some issues with IXFR till BIND 8.2.3, but BIND 9 should
work with Dynamic update and IXFR well.

Combination of IXFR & manual change to zone text file needs special
attention (for dynamic zones):
You need to run rndc freeze && "modify zone" && rndc thaw. If you have
"ixfr-from-differences yes" configured in /etc/named.conf, then IXFR should
work.

This detail should be only "hard part", if I didn't miss something.

Petr^2 Spacek


On 07/16/2012 01:31 AM, david wrote:
>
> One thing to be aware of, you may see some performance hits if the 
> master for that zone is setup for dynamic updates. A dynamic zone 
> cannot send IXFR and so any time the slave receives notification, he 
> will ask for an IXFR and will instead receive an AXFR. If the zones 
> are small, this is not a big deal, but a busy dynamic zone with a 
> hundred thousand records with just a couple of slaves (6 in the case I 
> am thinking of), the master server was brought to his knees just from 
> zone transfers. As you can imagine, this is also extremely stressful 
> on the slave servers, receiving and processing the full AXFR every 
> time there is a single record change. If your master for myzone.tld uses
> standard bind zone files, then this is not a big deal.
>
>
>   -DTK
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Michael Mercier
> Sent: Friday, July 13, 2012 8:21 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] BIND named.conf
>
> I will try to be more clear...
>
> My IPA zone is named intranet.local running on ipaserver1 and ipaserver2.
> I have another zone (call it "myzone.tld") hosted on some other 
> systems.  I would like ipaserver1 and ipaserver2 to both be a slave 
> for this zone (not use a forwarder for the zone).
>
> Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in 
> named.conf, is there anything that I should be concerned about if I 
> were to
> add:
>
> zone "myzone.tld" {
>type slave;
>   file "slave/myzone.db";
>masters { u.x.y.z;  w.x.y.z; };
>allow-notify { u.x.y.z;  w.x.y.z; };
>also-notify { ipaserver2 };
> };
>
> to ipaserver1?
>
> I had considered adding the zone via 'ipa dnszone-add 
> ipaserver1.intranet.local' but I did not find anything specific in the 
> documentation describing how to configure the new zone as a slave of 
> another system.  Also, the number of entries in the zone is large and 
> there are a many updates per day and I was uncertain of the type of 
> performance I could expect.
>
> Thanks,
> Mike
> On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:
>
>> On 07/13/2012 07:04 PM, Michael Mercier wrote:
>>> Hello,
>>>
>>> I am by no means an expert either, but I believe what you are 
>>> recommending would forward requests for "myzone.tld" to the
>>> ip.of.forwarder1 etc.
>>> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all 
>>> the data) of "myzone.tld", and have ipaserver2 slave this data from 
>>> ipaserver1.
>>>
>>
>> The replicas in IPA do not need to be specially configured to be 
>> slaves of each other. They have the same data which is replicated by 
>> LDAP back end so it is not clear why you are trying to configure the 
>> replicas to be in master-slave relation.
>>
>>
>>> Thanks,
>>> Mike
>>>
>>> On 13-Jul-12, at 5:11 PM, KodaK wrote:
>>>
>>>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier 
>>>> 
>>>> wrote:
>>>>> Hello,
>>>>>
>>>>> When using IPA 2.2.0 with DNS setup (--setup-dns), is there any 
>>>>> issues with adding slaves to the named.conf file?
>>>>>
>>>>> example on ipaserver1:
>>>>>
>>>>> zone "myzone.

[Freeipa-users] Password failing for sudo-ldap authentication only from one host

2012-09-26 Thread David Sastre
Hello,

I'm experiencing an issue with sudo-ldap:
I have some commands defined in a rule, have granted permissions to my user
to execute them via sudo following the docs:


# ipa sudorule-show networking-commands
  Rule name: networking-commands
  Enabled: TRUE
  Users: dsastrem
  Host Groups: des
  Sudo Allow Command Groups: networking

# ipa sudocmdgroup-show networking
  Sudo Command Group: networking
  Description: commands for network configuration and troubleshooting
  Member Sudo commands: /sbin/route, /sbin/ifconfig, /sbin/iptables, /sbin/mii-tool, /sbin/ethtool, /sbin/ip

/etc/nsswitch.conf
==================
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files
aliases:    files nisplus
sudoers:    files ldap sss

/etc/sudo-ldap.conf
===================
uri ldap://panoramix.some.domain.com
sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
bind_timelimit 5
timelimit 15
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
bindpw secret
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

/etc/rc.local
=============
touch /var/lock/subsys/local
nisdomainname some.domain.com

All three config files are equal in several hosts, but sudo is failing
from one host in this way:
The pam_tally2 count gets increased with failed attempts, but the password is
(obviously) the same (my kerberos passwd).


dsastrem@obelix ~
$ sudo ip addr show
LDAP Config Summary
===================
uri              ldap://panoramix.some.domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=some,dc=domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
bindpw           secret
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://panoramix.some.domain.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=some,dc=domain,dc=com
sudo: ldap search '(|(sudoUser=dsastrem)(sudoUser=%dsastrem)(sudoUser=%admins)(sudoUser=ALL))'
sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
sudo: ldap sudoHost '+des' ... MATCH!
sudo: ldap sudoCommand '/sbin/route' ... not
sudo: ldap sudoCommand '/sbin/ifconfig' ... not
sudo: ldap sudoCommand '/sbin/iptables' ... not
sudo: ldap sudoCommand '/sbin/mii-tool' ... not
sudo: ldap sudoCommand '/sbin/ethtool' ... not
sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for dsastrem:
Sorry, try again.
[sudo] password for dsastrem:
sudo: 1 incorrect password attempt

# pam_tally2 -u dsastrem
Login       Failures  Latest failure      From
dsastrem    2         09/26/12 17:22:54   /dev/pts/1

 Any idea of what could be wrong? Thanks in advance.

Re: [Freeipa-users] Password failing for sudo-ldap authentication only from one host

2012-09-26 Thread David Sastre
On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina <d.sastre.med...@gmail.com> wrote:

> On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote:
> > David Sastre wrote:
> > > [big snip]
> > Does sssd work on this machine otherwise? getent passwd , you
> > can log into the console as the user, or perhaps kinit to the user?
>

It looks like sssd is operating correctly
$ getent passwd dsastrem
dsastrem:*:154341:154341:David Sastre
Medina:/home/dsastrem:/bin/rbash

I can also kinit w/o problems:
$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)

$ kinit dsastrem
Password for dsast...@some.domain.com:

$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dsast...@some.domain.com

I can log in using ssh, and the log shows:
debug1: Authentication succeeded (gssapi-with-mic).

Valid starting     Expires            Service principal
09/27/12 07:59:36  09/28/12 07:59:36  krbtgt/some.domain@some.domain.com
	renew until 09/28/12 08:01:20

Yet, sudo fails to authenticate me:
dsastrem@obelix ~
$ sudo ip addr show
[sudo] password for dsastrem:
Sorry, try again.
[sudo] password for dsastrem:
Sorry, try again.
[sudo] password for dsastrem:
sudo: 2 incorrect password attempts

Re: [Freeipa-users] clients very slow

2012-09-27 Thread David Fitzgerald


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, September 13, 2012 6:50 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] clients very slow

On 09/13/2012 09:54 AM, David Fitzgerald wrote:
Hello Everyone,

I work at a small university and I deployed freeIPA on my Linux network over 
the summer break with no (known) problems,  and everything worked as expected.  
However, now that the semester has started and the Linux system is under a much 
higher load, I am noticing that my client machines will randomly slow to a 
crawl.  For example, I have a lab of 25 machines.  The students can log in ok, 
but after a time, a few of the machines will freeze so that the users on those 
machines cannot do anything.  After a few minutes, the frozen machines will 
unfreeze, but other machines will freeze up.  I can't see any pattern to what 
machines freeze up.  I did not have this problem when running NIS, so I suspect 
it is something in freeIPA but I am not sure what to look for to solve the 
problem.  Probably a setting somewhere needs tweaked but I don't know.  The 
server and clients all run Scientific Linux 6.2.

Can anyone help me troubleshoot this?

Do you use SSSD as a client or something else?

If SSSD we would need the nsswitch, pam, krb5.conf, sssd.conf configuration 
files and SSSD logs set to debug_level=8 or 9.

What operation they are freezing on? Is it login/authentication or just 
suddenly, which probably indicates identity lookup.
So freezes might be related to the DNS or name resolution lookups that those 
machines do. They might be accessing a DNS server that is down or misconfigured 
before failing over to a correct one.

So resolve.conf, /etc/hosts would be helpful.
But you might need to check the DNS configuration yourself.


HTH


We do use SSSD as a client.  The freeze occurs suddenly, after the user logs 
in.  One process that always is at the top of 'top' when the systems freeze is 
'xxx.xxx.xxx.xxx-ma', where the xxx's are the ip address of my freeIPA server.  
Watching the network during these freezes show that the clients are attempting 
to contact the freeIPA server but we don't see a reply.  Is there a limit on 
the number of connections the server can handle?

Thanks!

Dave

+++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551

Phone: 717-871-2394









--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Password failing for sudo-ldap authentication only from one host

2012-10-02 Thread David Sastre
On Thu, Sep 27, 2012 at 10:53 AM, David Sastre wrote:

> On Thu, Sep 27, 2012 at 10:01 AM, Jakub Hrozek wrote:
>
>> On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote:
>> > On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina wrote:
>> > > On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote:
>> > > > David Sastre wrote:
>> > > > > [big snip]
>> > > > Does sssd work on this machine otherwise? getent passwd , you
>> > > > can log into the console as the user, or perhaps kinit to the user?
>> > >
>> > It looks like sssd is operating correctly
>> > I can also kinit w/o problems:
>>
>> kinit bypasses the SSSD and talks to the KDC directly.
>>  ...however, the ssh should go through the SSSD...
>>
>> Can you check the messages that appear in /var/log/secure during the
>> sudo auth attempt? You should see pam_sss being contacted, what does it
>> say? Is there any error?
>>
>
> Jakub,
>
> Does your comment mean ssh/sshd is misbehaving or bad configured?
>
> There are, indeed, errors regarding pam_sss in /var/log/secure.
>
> This is a successful login+sudo+logout in a host:
>
> Sep 27 10:29:56 panoramix sshd[12913]: Authorized to dsastrem, krb5
> principal dsast...@some.domain.com (krb5_kuserok)
> Sep 27 10:29:56 panoramix sshd[12913]: Accepted gssapi-with-mic for
> dsastrem from 172.26.130.101 port 58678 ssh2
> Sep 27 10:29:56 panoramix sshd[12913]: pam_unix(sshd:session): session
> opened for user dsastrem by (uid=0)
> Sep 27 10:30:13 panoramix sudo: pam_unix(sudo:auth): authentication
> failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem
> rhost=  user=dsastrem
> Sep 27 10:30:13 panoramix sudo: pam_sss(sudo:auth): authentication
> success; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost=
> user=dsastrem
> Sep 27 10:30:13 panoramix sudo: dsastrem : TTY=pts/2 ; PWD=/home/dsastrem
> ; USER=root ; COMMAND=/sbin/ip addr show
> Sep 27 10:30:32 panoramix sshd[12942]: Received disconnect from
> 172.26.130.101: 11: disconnected by user
> Sep 27 10:30:32 panoramix sshd[12913]: pam_unix(sshd:session): session
> closed for user dsastrem
>
> This one a failed attempt to do the same in another host:
>
> Sep 27 10:32:27 obelix sshd[5242]: Authorized to dsastrem, krb5 principal
> dsast...@some.domain.com (krb5_kuserok)
> Sep 27 10:32:27 obelix sshd[5242]: Accepted gssapi-with-mic for dsastrem
> from 172.26.130.101 port 38276 ssh2
> Sep 27 10:32:27 obelix sshd[5242]: pam_unix(sshd:session): session opened
> for user dsastrem by (uid=0)
> Sep 27 10:32:50 obelix sudo: pam_unix(sudo:auth): authentication failure;
> logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost=
> user=dsastrem
> Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): system info: [Permission
> denied]
> Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): authentication failure;
> logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost=
> user=dsastrem
> Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): received for user
> dsastrem: 4 (System error)
> Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): conversation failed
> Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): auth could not identify
> password for [dsastrem]
> Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): system info: [Cannot read
> password]
> Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): authentication failure;
> logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost=
> user=dsastrem
> Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): received for user
> dsastrem: 4 (System error)
> Sep 27 10:33:13 obelix sudo: dsastrem : 1 incorrect password attempt ;
> TTY=pts/1 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show
> Sep 27 10:33:21 obelix sshd[5281]: Received disconnect from 172.26.130.101:
> 11: disconnected by user
> Sep 27 10:33:21 obelix sshd[5242]: pam_unix(sshd:session): session closed
> for user dsastrem
>
> I can see now where it is failing, but I can't understand why (yet), is
> this PAM related?
>

For the record, and just in case it's useful for others, I solved this.
These were the steps taken:

- add debug_level = 10 to /etc/sssd/sssd.config
- ssh to user and issue a sudo command
- /var/log/sssd/krb5_child.log snippet:

(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [krb5_child_setup] (0x4000): Not using FAST.
  4 (T
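Added example, not David's script and not part of SSSD or sudo: a small Python classifier for the pam_sss lines in /var/log/secure quoted above. It separates a pam_sss "System error" (the SSSD/Kerberos path itself failing, as on obelix) from a genuine wrong password, which matters because pam_tally2 counts both the same way. The sample log lines are constructed from the thread's two excerpts; the third host, asterix, is a made-up wrong-password case for contrast.

```python
"""Classify sudo PAM auth events from /var/log/secure so that a failure caused by
a broken SSSD/Kerberos path (pam_sss returning PAM_SYSTEM_ERR) is not mistaken
for, or counted like, a wrong password. SAMPLE_LOG is constructed to match the
excerpts in the thread; the asterix lines are a made-up wrong-password case."""
import re
from typing import Dict, List, Optional

# "<timestamp> <host> sudo: pam_<module>(sudo:auth): <message>"
PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: "
    r"(?P<module>pam_\w+)\(sudo:auth\): (?P<msg>.*)$"
)
# \b keeps "ruser=" from matching; only the standalone "user=" field is taken.
USER_RE = re.compile(r"\buser=(?P<user>\S+)")

SAMPLE_LOG = """\
Sep 27 10:30:13 panoramix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost=  user=dsastrem
Sep 27 10:30:13 panoramix sudo: pam_sss(sudo:auth): authentication success; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost= user=dsastrem
Sep 27 10:32:50 obelix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem
Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): system info: [Permission denied]
Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem
Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error)
Sep 27 10:34:01 asterix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/3 ruser=dsastrem rhost= user=dsastrem
Sep 27 10:34:01 asterix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/3 ruser=dsastrem rhost= user=dsastrem
Sep 27 10:34:01 asterix sudo: pam_sss(sudo:auth): received for user dsastrem: 7 (Authentication failure)
"""


def parse_pam_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one pam_*(sudo:auth) line, or None for any other line."""
    m = PAM_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    u = USER_RE.search(rec["msg"])
    rec["user"] = u.group("user") if u else ""
    return rec


def classify_attempt(lines: List[str]) -> str:
    """Classify one group of sudo auth lines by the pam_sss verdict.

    "success"      pam_sss authenticated the user
    "system-error" pam_sss reported a system-level problem (PAM_SYSTEM_ERR = 4,
                   or a "system info:" diagnostic): SSSD/KDC path broken, not a
                   wrong password; should not feed lockout counters
    "bad-password" pam_sss failed without any system error (PAM_AUTH_ERR = 7)
    "unknown"      no pam_sss verdict; pam_unix alone always fails for IPA users
                   because they have no local password hash
    """
    verdict = "unknown"
    for line in lines:
        rec = parse_pam_line(line)
        if rec is None or rec["module"] != "pam_sss":
            continue
        msg = rec["msg"]
        if msg.startswith("authentication success"):
            return "success"
        if "(System error)" in msg or msg.startswith("system info:"):
            verdict = "system-error"
        elif msg.startswith("authentication failure") and verdict == "unknown":
            verdict = "bad-password"
    return verdict


def classify_by_host(log_text: str) -> Dict[str, str]:
    """Group pam_*(sudo:auth) lines by host and classify each host's attempt."""
    by_host: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        rec = parse_pam_line(line)
        if rec is not None:
            by_host.setdefault(rec["host"], []).append(line)
    return {host: classify_attempt(ls) for host, ls in by_host.items()}


if __name__ == "__main__":
    for host, state in sorted(classify_by_host(SAMPLE_LOG).items()):
        print(f"{host:10s} {state}")
```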

[Freeipa-users] RHEL5 IPA client for RHEL6.3 IPA server?

2012-10-17 Thread David Summers


I have looked back through the last year of mail archives for this list 
and haven't yet found anything on this.


I spent a day or so trying to get a RHEL6.3 server set up with several 
clients,


Clients:
RHEL 6.3 32-bit
RHEL 6.3 64-bit
RHEL 5.8 32-bit
RHEL 5.8 64-bit

So far I've been able to get the RHEL 6.3 clients to register and setup 
up as a client for RHEL 6.3 IPA server but whenever I try to install the 
ipa-client on RHEL 5.8 I just get the following error:


[root@rh5 ~]# ipa-client-install
Discovery was successful!
Hostname: rh5.summersoft
Realm: SUMMERSOFT
DNS Domain: summersoft
IPA Server: ipaserver.summersoft
BaseDN: dc=summersoft


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admin@SUMMERSOFT:

Joining realm failed: SASL Bind failed Local error (-2) !
child exited with 9
Installation failed. Rolling back changes.
IPA client is not configured on this system.

In the install log:

2012-10-16 23:16:34,410 DEBUG stderr=
2012-10-16 23:16:35,032 DEBUG args=/usr/sbin/ipa-join -s ipaserver.summersoft -b dc=summersoft
2012-10-16 23:16:35,032 DEBUG stdout=
2012-10-16 23:16:35,032 DEBUG stderr=SASL Bind failed Local error (-2) !
child exited with 9


Is RHEL 5.8 a supported client for RHEL 6.3 IPA server?

If so, what am I doing wrong?  I tried following both the RHEL 5.8 and 
RHEL 6.3 install instructions but

nothing I have tried is working so far!

Thanks in advance for any help or pointers you can provide.

   - David Summers



Re: [Freeipa-users] RHEL5 IPA client for RHEL6.3 IPA server?

2012-10-17 Thread David Summers

On 10/17/2012 7:49 AM, Rob Crittenden wrote:
> David Summers wrote:
>> I have looked back through the last year of mail archives for this list
>> and haven't yet found anything on this.
>>
>> I spent a day or so trying to get a RHEL6.3 server set up with several
>> clients,
>>
>> Clients:
>> RHEL 6.3 32-bit
>> RHEL 6.3 64-bit
>> RHEL 5.8 32-bit
>> RHEL 5.8 64-bit
>>
>> So far I've been able to get the RHEL 6.3 clients to register and setup
>> up as a client for RHEL 6.3 IPA server but whenever I try to install the
>> ipa-client on RHEL 5.8 I just get the following error:
>>
>> [root@rh5 ~]# ipa-client-install
>> Discovery was successful!
>> Hostname: rh5.summersoft
>> Realm: SUMMERSOFT
>> DNS Domain: summersoft
>> IPA Server: ipaserver.summersoft
>> BaseDN: dc=summersoft
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Password for admin@SUMMERSOFT:
>>
>> Joining realm failed: SASL Bind failed Local error (-2) !
>> child exited with 9
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> In the install log:
>>
>> 2012-10-16 23:16:34,410 DEBUG stderr=
>> 2012-10-16 23:16:35,032 DEBUG args=/usr/sbin/ipa-join -s ipaserver.summersoft -b dc=summersoft
>> 2012-10-16 23:16:35,032 DEBUG stdout=
>> 2012-10-16 23:16:35,032 DEBUG stderr=SASL Bind failed Local error (-2) !
>> child exited with 9
>>
>> Is RHEL 5.8 a supported client for RHEL 6.3 IPA server?
>>
>> If so, what am I doing wrong?  I tried following both the RHEL 5.8 and
>> RHEL 6.3 install instructions but
>> nothing I have tried is working so far!
>>
>> Thanks in advance for any help or pointers you can provide.
>>
>>     - David Summers
>
> What is the version of the 5.8 ipa-client package? You want
> ipa-client-2.1.3-2.el5_8
>
> rob

Yes, I have ipa-client-2.1.3-2.el5_8 but I have not been able to get it
to join the IPA server.

I've turned off all firewalls.

I am running IPv6, does that make a difference?

Any ideas?

   - Thanks
   - David Summers



[Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

2012-12-18 Thread David Copperfield
Hi all,

  Is the backup and restore procedure for IPA available now? It's rumored
months back that someone was working on it but not sure what the progress
on it is. Please shed a light if you have any ideas.

 I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.

Thanks.
David

Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

2012-12-18 Thread David Copperfield
Got it.

 Is there any IPA resources on market we can hire for a backup/restoration 
solution? Our company is at Bay Area. Thanks.

--David

From: Dmitri Pal
To: freeipa-users@redhat.com
Sent: Tuesday, December 18, 2012 10:42 AM
Subject: Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?


On 12/18/2012 01:39 PM, David Copperfield wrote: 
Hi all,
>
>  Is the backup and restore procedure for IPA available now?
It's rumored months back that some one was working on it but not
sure what is the progress on it. Please shed a light if you have
any ideas. 
>
> I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.
>

Yes there is a simmering effort. But there are unfortunately no
results we can share yet.



>Thanks.
>David
>
>
>


-- 
Thank you,
Dmitri Pal Sr. Engineering Manager for IdM portfolio
Red Hat Inc. ---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/ 

[Freeipa-users] Any way to delegate subordinate account management to managers?

2012-12-19 Thread David Copperfield


Hi all,

 I'm just wondering whether there is a way to delegate to managers the 
authority/permissions to manage their subordinate user accounts, similar to 
host/services delegation. Please elaborate if there is a way to achieve this or 
something similar.

Let's say we create a user group of subordinate employee accounts, then let 
the particular manager do the management work for the group, like:

1, reset passwords for the subordinates (main work)
2, change/update some attributes of the subordinates.
3, if possible, remove one or more subordinate accounts.

Thanks.

--Guolin

[Freeipa-users] IPA 2.2.0-16 still needs CLEANRUV and CLEANALLRUV

2012-12-19 Thread David Copperfield
Hi howdy,

 This is to confirm whether we still need to perform the steps of 
cleaning RUV records when a freeIPA master or a replica is removed. Months 
back it was rumored that some work was being done on the underlying 389 LDAP and 
the RUV cleaning steps would be obsolete when IPA master & replica servers were 
removed, or removed and added back. The RUV stuff can be found 
at http://directory.fedoraproject.org/wiki/Howto:CLEANRUV.

 Someone familiar with this topic, please elaborate/confirm. Thanks a lot.

--David

[Freeipa-users] two questions on IPA usage

2012-12-19 Thread David Copperfield
Hi Howdy,

 Two questions on IPA usage are listed below. Please help.

 1, How to reset a normal IPA user's password through web interface when the 
password is expired? 


 When the normal user's password is close to expiration but not yet expired, 
he/she can change it by himself/herself through the web interface https://ipaserver/. 
Otherwise he/she has to do ssh/kinit to update the password. But the 
problem is: quite a few users are not tech-savvy -- managers, marketing, sales -- 
and they have no idea about Linux or Kerberos; what they can do is access a 
web interface and fill in HTML forms.

 2, When will the freeIPA 3.0 and 3.1 series RPMs be available on Redhat 6? Do 
IPA versions 3.0/3.1 have backup/restore solutions, and a merged CA LDAP instance 
and IPA LDAP instance? 


  Presently the IPA version on redhat 6.3 is 2.2.0; I can wait if IPA 3.0 or 
3.1 will come out soon for redhat 6 with the cool features.

Thanks a lot.


--Guolin

Re: [Freeipa-users] Any way to delegate subordinate account management to managers?

2012-12-19 Thread David Copperfield
Thanks a lot, Dmitri. That's exactly what I am looking for.

--David.





 From: Dmitri Pal 
To: freeipa-users@redhat.com 
Sent: Wednesday, December 19, 2012 2:58 PM
Subject: Re: [Freeipa-users] Any way to delegate subordinate account management 
to managers?
 

On 12/19/2012 05:11 PM, David Copperfield wrote: 

>
>Hi all,
>
>
> Just wonder whether there is a way to delegate to managers the 
>authority/permissions to manage his/her subordinate user accounts? Similar to 
>host/services delegation. Please elaborate if there is a way to reach this or 
>similar.
>
>
>Let's say, we create a user group of subordinate employee accounts, then let 
>the particular manager to do the management work for the group, like:
>
>
>1, reset passwords for the subordinates (main work)
>2, change/update some attributes of the subordinates.
>3, if possible, remove one or more subordinate accounts.
>
>
>Thanks.
>
>
I think you need to look at the Delegated administration capabilities of IPA.
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#delegating-users




>
>
>


-- 
Thank you,
Dmitri Pal Sr. Engineering Manager for IdM portfolio
Red Hat Inc. ---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/ 

[Freeipa-users] freeIPA 3.1.0 for Redhat Enterprise 6.3?

2012-12-20 Thread David Copperfield
Hi Rob and all,

Can FreeIPA be compiled and installed on Redhat Enterprise 6.3?  Or do I have to 
upgrade/install some underlying packages first? Thanks.

--David



 From: Johan Petersson 
To: Sigbjorn Lie  
Cc: "freeipa-users@redhat.com"  
Sent: Thursday, December 20, 2012 10:03 AM
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
 
Hi,

Thank you for the tip about NFSMAPID_DOMAIN

It was not set properly.
sharectl get nfs 

nfsmapid_domain=

And by using:
sharectl set -p nfsmapid_domain=servername nfs

It was properly set.
I must add that I prefer editing files instead of sharectl, svccfg and so on. :)

I also made an auto.home map in IPA Server to set the home directory automounts 
right.

And I almost forgot: my Solaris version is 11 11/11.

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the 
entire LDAP server for your automount maps. The automountmap rules in the DUA 
profile will help with that. You'll also run into issues if you attempt to have 
several automount locations without having specified which one to use with an 
automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to 
your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the 
domain id used on your NFS server to get rid of the nobody:nobody default 
mapping and enable mapping between the NFS server and the client.



Regards,
Siggi




On Thu, December 20, 2012 13:40, Johan Petersson wrote:
> Hi,
>
>
> Here is my pam.conf cleaned up a bit.
>
>
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth sufficient         pam_krb5.so.1 try_first_pass
> login   auth required           pam_unix_cred.so.1
> login   auth required           pam_unix_auth.so.1
> login   auth required           pam_dial_auth.so.1
>
> gdm-autologin auth  required    pam_unix_cred.so.1
> gdm-autologin auth  sufficient  pam_allow.so.1
>
> other   auth requisite          pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth required           pam_unix_cred.so.1
> other   auth sufficient         pam_krb5.so.1
> other   auth required           pam_unix_auth.so.1
>
> passwd  auth required           pam_passwd_auth.so.1
>
> gdm-autologin account  sufficient  pam_allow.so.1
>
> other   account requisite       pam_roles.so.1
> other   account required        pam_unix_account.so.1
> other   account required        pam_krb5.so.1
>
> other   session required        pam_unix_session.so.1
>
> other   password required       pam_dhkeys.so.1
> other   password requisite      pam_authtok_get.so.1
> other   password requisite      pam_authtok_check.so.1 force_check
> other   password sufficient     pam_krb5.so.1
> other   password required       pam_authtok_store.so.1
>
> I am getting one error and it is for autofs.
>
>
> /var/adm/messages:
> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object 
> not found
>
>
> /var/svc/log/system.filesystem-autofs:default.log:
> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs 
> start"). ]
> automount: /net mounted
> automount: /nfs4 mounted
> automount: no unmounts
> [ Dec 20 12:24:22 Method "start" exited with status 0. ]
>
>
> ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= servername
> NS_LDAP_SEARCH_BASEDN= dc=home
> NS_LDAP_AUTH= none
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_TIME= 15
> NS_LDAP_PROFILE= default
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
>
> Thinking it has to do with missing automountmap in default DUAProfile.
> Automount still works though but takes time during login and everything is 
> nobody:nobody :)
>
>
> 
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, December 20, 2012 10:13
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>
> Hi,
>
>
> This is interesting. When I tested Solaris 11 ssh worked, and su - testuser 
> worked. However
> console login did not work giving some PAM errors.
>
> Could you please share your entire pam.conf file?
>
>
> Is this Solaris 11 or Solaris 11.1?
>
>

[Freeipa-users] delegation questions: how to reset password for subordinate?

2012-12-26 Thread David Copperfield
Hi all,

 What user attributes should a manager be granted read&write permissions on 
in order to reset passwords for subordinate employees? The typical 
implementation case: managers need to take care of password reset requests for 
their subordinate employees.

 I selected the 'userpassword' field the first time but it failed, then combined 
it with a few other krb* fields but those didn't help either.

 If you have the minimum field combination to make the 'password changing' 
delegation work, please feel free to post your results here. Presently I just 
select ALL fields with read&write permissions to make it work, but that 
definitely is overkill and potentially hurts privacy.

Thanks.

--David

[Freeipa-users] getent netgroup doesn't work on centos 6, but works on centos 5

2012-12-27 Thread David Copperfield
Hi howdy,

 I've migrated some NIS netgroups from my old openLDAP to IPA 2.2.0; it 
imported all the old data without reporting problems. But now the issues are on 
the client side:

 redhat 5.8 clients can see all host netgroups and user netgroups without 
problems,
while redhat 6.3 clients can only see host based netgroups; user netgroups 
cannot be seen.

But when I create new user netgroups directly through the web UI, both types of 
clients have no problem seeing them.

Does anyone know what the issue could be? If my importing/migration script had 
issues, then both types of clients would report problems at the same time, not 
5.8 working while 6.3 fails, right? Has anyone encountered the same issue? Please 
shed some light here.

Thanks.

--David

Re: [Freeipa-users] delegation questions: how to reset password for subordinate?

2012-12-28 Thread David Copperfield
Hi Simo,

 That works perfectly. Thanks a lot.

--David





 From: Simo Sorce 
To: David Copperfield  
Cc: "freeipa-users@redhat.com"  
Sent: Friday, December 28, 2012 5:51 AM
Subject: Re: [Freeipa-users] delegation questions: how to reset password for 
subordinate?
 
On Wed, 2012-12-26 at 15:57 -0800, David Copperfield wrote:
> Hi all,
> 
> 
>  What are the user attributes that A manager should be granted with
> read&write permissions to reset passwords for subordinate employees?
> The typical implementation case: managers need to take care of
> password reset requests for their subordinate employees.
> 
> 
>  I select 'userpassword' field the first time but it fails, then
> combine it with other a few krb* fields but those don't help neither.
> 
> 
>  If you have the minimum field combinations to make the 'password
> changing' delegation work, please feel free to post your results here.
> Presently I just select ALL fields with read&right permissions to make
> it work, but that definitely is a over kill and hurts privacy
> potentially.

You need write access to at least userPassword and krbPrincipalKey.

Simo.

P.S. David, please do not start a new thread by replying to old mails.

-- 
Simo Sorce * Red Hat, Inc * New York
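
Simo's reply gives the minimum write set for a password reset (userPassword and krbPrincipalKey), and the earlier question in this digest about delegating subordinate account management to managers is the same use case. The Python below is an added example, not code from the thread or from FreeIPA itself: it reads a delegation ACI in the 389 Directory Server ACI syntax that IPA stores delegations as, and reports which of the required attributes the ACI does not grant write on and which attributes it grants beyond the minimum, so the "ALL fields" workaround described in the question shows up as over-broad. The three ACI strings and the managers group DN are constructed for the demonstration.

```python
"""Review an IPA delegation ACI against the minimum a password-reset
delegate needs.  Added example; not from the thread or from FreeIPA.
The ACI strings are constructed in 389 Directory Server ACI syntax and
the managers group DN is a placeholder."""
import re

# Minimum write set for resetting another user's password, per the reply
# in the thread: userPassword plus krbPrincipalKey (compared case-insensitively).
REQUIRED_WRITE = frozenset({"userpassword", "krbprincipalkey"})

# Placeholder group DN; replace with the real managers group.
MANAGERS = "ldap:///cn=managers,cn=groups,cn=accounts,dc=example,dc=com"

# Constructed ACIs: the first attempt from the thread (userPassword only),
# the "all fields" workaround, and the minimal grant.
ACI_USERPASSWORD_ONLY = (
    '(targetattr = "userPassword")'
    '(version 3.0;acl "managers reset passwords";allow (write) groupdn = "%s";)'
    % MANAGERS
)
ACI_ALL_ATTRS = (
    '(targetattr = "*")'
    '(version 3.0;acl "managers reset passwords";allow (read, write) groupdn = "%s";)'
    % MANAGERS
)
ACI_MINIMAL = (
    '(targetattr = "userPassword || krbPrincipalKey")'
    '(version 3.0;acl "managers reset passwords";allow (write) groupdn = "%s";)'
    % MANAGERS
)

TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
ALLOW = re.compile(r'allow\s*\(([^)]*)\)', re.IGNORECASE)


def parse_aci(aci):
    """Extract the target attribute list (and whether it is negated) and the
    granted rights from one ACI string."""
    m = TARGETATTR.search(aci)
    if m is None:
        raise ValueError("ACI has no targetattr clause")
    attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    rights = set()
    for g in ALLOW.finditer(aci):
        rights.update(r.strip().lower() for r in g.group(1).split(","))
    return {"negated": m.group(1) == "!=", "attrs": attrs, "rights": rights}


def review_password_delegation(aci):
    """Report required attributes the ACI fails to grant write on ("missing")
    and attributes it grants beyond the minimum ("excess")."""
    p = parse_aci(aci)
    if not ({"write", "all"} & p["rights"]):
        # No write right at all, so none of the required attributes is usable.
        missing, excess = set(REQUIRED_WRITE), set()
    elif p["negated"]:
        # 'targetattr != x' grants every attribute except x.
        missing, excess = REQUIRED_WRITE & p["attrs"], {"*"}
    elif "*" in p["attrs"]:
        # The wildcard is the "ALL fields" case from the thread.
        missing, excess = set(), {"*"}
    else:
        missing = REQUIRED_WRITE - p["attrs"]
        excess = p["attrs"] - REQUIRED_WRITE
    return {
        "missing": sorted(missing),
        "excess": sorted(excess),
        "least_privilege": not missing and not excess,
    }


if __name__ == "__main__":
    for name, aci in [("userPassword only", ACI_USERPASSWORD_ONLY),
                      ("all attributes", ACI_ALL_ATTRS),
                      ("minimal", ACI_MINIMAL)]:
        print(name, "->", review_password_delegation(aci))
```

To review a real delegation, paste the aci attribute value of the corresponding entry from the directory in place of one of the constructed strings; a non-empty "excess" list is the privacy problem the question points at, and a non-empty "missing" list is why the userPassword-only attempt failed.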

[Freeipa-users] replication procedure and status check?

2012-12-28 Thread David Copperfield
Hi howdy,

 Is there a nagios check for replication among IPA servers and replicas? 
If not, is there a way to test the replica status through some files or 
the output of underlying LDAP commands?

I have one test environment with an IPA server on a VMware instance, two IPA 
replicas created from the server, and a few IPA clients which talk to the 
replicas. 


I shut down the IPA server from time to time for whole-machine-level backups. After 
the IPA server boots back up again, sometimes the 'ipa user-find' command fails.  I 
am not sure:

  1, how long does it take for the IPA server to replicate/sync the changes made on 
the IPA replicas during the server's down time?
  2, how to check the replication/sync process?
  3, do the IPA commands fail as a protection because the IPA server is 
still in the replication/sync process?

Thanks.

--David.

Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread David Juran
On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:
> On 01/03/2013 12:28 PM, Petr Spacek wrote:
> > On 12/21/2012 01:19 PM, Sumit Bose wrote:
> >> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
> >>> Hi
> >>>
> >>> What permission level is needed for the AD user when creating an AD 
> >>> trust?  Can a regular domain user account do it, or is a domain 
> >>> admin needed?
> >>
> >> The account used here must be a member of the Domain Admins group.
> >>
> >>>
> >>> If write access to the AD server is needed, then could someone 
> >>> please tell me what the command will actually change in the AD server?
> >>>
> >>
> >> 'ipa trust-add' will only use LSA calls on the AD server. The most
> >> important one is CreateTrustedDomainEx2
> >> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
> >> trust between the two domains. Additionally QueryTrustedDomainInfoByName
> >> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
> >> trust is already added and SetInformationTrustedDomain
> >> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
> >> server that the IPA server can handled AES encryption are used.
> >
> > Should we add this information to AD trusts documentation?
> >
> >>> The windows team at my place of work will want to know exactly what 
> >>> the tool will do before they grant permission.
> >
> I have added this information to the AD trusts wiki page:
> http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

That link only gets me to an empty wiki page...


-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801



[Freeipa-users] ipa-* tools throws errors

2013-03-05 Thread David Fitzgerald
Hello everyone,

I have been running a freeIPA server on Scientific Linux 6.2 for about a year.  
Yesterday I started not being able to run any "ipa-" commands.  Running kinit 
admin gives me the proper tickets, but when I run any ipa- command I get the 
following error:

ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not 
found in Kerberos database/.

I have no idea where cyclone.esci.millersville.edu is coming from, as that 
used to be a Windows Domain server that was decommissioned years ago and is no 
longer in DNS, nor in /etc/hosts.  I even ran grep -R over all of the files in /etc and 
none refer to cyclone.  I checked the ipa config and krb5.conf files and they 
are pointing at the proper ipa server.

Checking log files I get these messages when I try to run ipa commands:

/var/log/httpd/error log:
Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error: 
xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment

/var/log/ipa
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 
etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18 
tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for 
krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 
etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0,  
admin@LINUX.DIRSRV.LOCAL for 
HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in 
Kerberos database

I Googled these error messages, but none of the results seemed to apply to my 
situation or didn't solve the problem.  Can anyone point me in the right 
direction? Any help is greatly appreciated.

For what they are worth, here are my /etc/krb5.conf and /etc/ipa/default.conf 
files:

/etc/krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LINUX.DIRSRV.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
LINUX.DIRSRV.LOCAL = {
  kdc = aurora.esci.millersville.edu:88
  admin_server = aurora.esci.millersville.edu:749
  default_domain = esci.millersville.edu
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.esci.millersville.edu = LINUX.DIRSRV.LOCAL
esci.millersville.edu = LINUX.DIRSRV.LOCAL

[dbmodules]
#  LINUX.DIRSRV.LOCAL = {
#db_library = kldap
#ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
#ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
#ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
#  }

  LINUX.DIRSRV.LOCAL = {
db_library = ipadb.so
  }

/etc/ipa/default.conf

[global]
host=aurora.esci.millersville.edu
basedn=dc=linux,dc=dirsrv,dc=local
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
enable_ra=True
ra_plugin=dogtag
mode=production


+++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551

Phone: 717-871-2394


Re: [Freeipa-users] ipa-* tools throws errors

2013-03-05 Thread David Fitzgerald
The host command returns the correct name:
#host 166.66.65.39
39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Tuesday, March 05, 2013 10:26 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

On 03/05/2013 04:21 PM, David Fitzgerald wrote:
> Hello everyone,
> 
>  
> 
> I have been running a freeIPA server on Scientific Linux 6.2 for about a 
> year. 
> Yesterday I  started not being able to run any "ipa-" commands.  
> Running kinit admin gives me the proper tickets, but when I run any 
> ipa- command I get the following error:
> 
>  
> 
> ipa: ERROR: Kerberos error: Service 
> u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.
> 
>  
> 
> I have no idea where the cyclone.esci.millersville.edu is coming from, 
> as that used to be a Windows Domain server that was decommissioned 
> years ago and is no longer in DNS, nor in /etc/hosts.  I even grep -R  
> all of the files in /etc and none refer to cyclone.  I checked the ipa 
> config and krb5.conf files and they are pointing at the proper ipa server.
> 
>  
> 
> Checking log files I get these messages when I try to run ipa commands:
> 
>  
> 
> /var/log/httpd/error log:  
> 
> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
> xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
> 
>  
> 
> /var/log/ipa
> 
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): 
> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 
> 1362491436, etypes {rep=18
> tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for 
> krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
> 
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): 
> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: 
> authtime 0, admin@LINUX.DIRSRV.LOCAL for 
> HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not 
> found in Kerberos database
> 
>  
> 
> I Googled these error messages, but none of the results seemed to 
> apply to my situation or didn't solve the problem  Can anyone point me 
> in the right direction? Any help is greatly appreciated.
> 
>  
> 
> For what they are worth, here are my /etc/krb5.conf and 
> /etc/ipa/default.conf
> files:
> 
>  
> 
> /etc/krb5.conf:
> 
>  
> 
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
> 
> default = FILE:/var/log/krb5libs.log
> 
> kdc = FILE:/var/log/krb5kdc.log
> 
> admin_server = FILE:/var/log/kadmind.log
> 
>  
> 
> [libdefaults]
> 
> default_realm = LINUX.DIRSRV.LOCAL
> 
> dns_lookup_realm = false
> 
> dns_lookup_kdc = false
> 
> rdns = false
> 
> ticket_lifetime = 24h
> 
> forwardable = yes
> 
>  
> 
> [realms]
> 
> LINUX.DIRSRV.LOCAL = {
> 
>   kdc = aurora.esci.millersville.edu:88
> 
>   admin_server = aurora.esci.millersville.edu:749
> 
>   default_domain = esci.millersville.edu
> 
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> 
> }
> 
>  
> 
> [domain_realm]
> 
> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
> 
> esci.millersville.edu = LINUX.DIRSRV.LOCAL
> 
>  
> 
> [dbmodules]
> 
> #  LINUX.DIRSRV.LOCAL = {
> 
> #db_library = kldap
> 
> #ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> 
> #ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
> 
> #ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> 
> #ldap_kadmind_dn = 
> uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> 
> #ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
> 
> #  }
> 
>  
> 
>   LINUX.DIRSRV.LOCAL = {
> 
> db_library = ipadb.so
> 
>   }
> 
>  
> 
> /etc/ipa/default.conf
> 
>  
> 
> [global]
> 
> host=aurora.esci.millersville.edu
> 
> basedn=dc=linux,dc=dirsrv,dc=local
> 
> realm=LINUX.DIRSRV.LOCAL
> 
> domain=esci.millersville.edu
> 
> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
> 
> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> 
> enable_ra=True
> 
> ra_plugin=dogtag
> 
> mode=production
> 
>  
> 
>  
> 
> +++
> 
> David Fitzgerald
> 
> Department of Earth Sciences
> 
> Millersville University
> 
> Millersville, PA 17551
> 
>  
> 
> Phone: 717-871-2394
> 
>  

Hello David,

I suspect this is caused by broken DNS reverse resolution, as Kerberos client 
software often uses the result of reverse record (PTR RR) resolution as the 
hostname and not the actual hostname configured on your system.

What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct 
hostname?

Martin



Re: [Freeipa-users] ipa-* tools throws errors

2013-03-08 Thread David Fitzgerald
Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu; it fails, then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:  
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
  ...
send: "\n\nping\n\n\n\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate 
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz

pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:  
 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you check whether this hostname is being returned by SRV DNS record 
discovery run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
> The host command returns the correct name:
> #host 166.66.65.39
> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
> 
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Tuesday, March 05, 2013 10:26 AM
> To: David Fitzgerald
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
> 
> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>> Hello everyone,
>>
>>  
>>
>> I have been running a freeIPA server on Scientific Linux 6.2 for about a 
>> year. 
>> Yesterday I  started not being able to run any "ipa-" commands.  
>> Running kinit admin gives me the proper tickets, but when I run any
>> ipa- command I get the following error:
>>
>>  
>>
>> ipa: ERROR: Kerberos error: Service
>> u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.
>>
>>  
>>
>> I have no idea where the cyclone.esci.millersville.edu is coming 
>> from, as that used to be a Windows Domain server that was 
>> decommissioned years ago and is no longer in DNS, nor in /etc/hosts.  
>> I even grep -R all of the files in /etc and none refer to cyclone.  I 
>> checked the ipa config and krb5.conf files and they are pointing at the 
>> proper ipa server.
>>
>>  
>>
>> Checking log files I get these messages when I try to run ipa commands:
>>
>>  
>>
>> /var/log/httpd/error log:  
>>
>> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
>> xmlserver.__call__: KRB5CCNAME not defined in HTTP request 
>> environment
>>
>>  
>>
>> /var/log/ipa
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): 
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 
>> 1362491436, etypes {rep=18
>> tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for 
>> krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): 
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: 
>> authtime 0, admin@LINUX.DIRSRV.LOCAL for 
>> HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not 
>> found in Kerberos database
>>
>>  
>>
>> I Googled these error messages, but none of the results seemed to 
>> apply to my situation or didn't solve the problem  Can anyone point 
>> me in the ri

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread David Fitzgerald

Here is the output of the dig command.  Cyclone does show up here, but our 
networking people say there are no srv records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv 
_ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN   SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV0 100 389 
cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS  corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN NS  garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600  IN  A   192.206.29.2
garfield.millersville.edu. 3600 IN  A   166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE  rcvd: 176

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu, it fails then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:  
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
  ...
send: "\n\nping\n\n\n\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate 
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz

pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:  
 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you check whether this hostname is returned by a SRV DNS record discovery 
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
> The host command returns the correct name:
> #host 166.66.65.39
> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
> 
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Tuesday, March 05, 2013 10:26 AM
> To: David Fitzgerald
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
> 
> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>> Hello everyone,
>>
>>  
>>
>> I have been running a freeIPA server on Scientific Linux 6.2 for about a 
>> year. 
>> Yesterday I started not being able to run any "ipa-" commands.  
>> Running kinit admin gives me the proper tickets, but when I run any
>> ipa- command I get the following error:
>>
>>  
>>
>> ipa: ERROR: Kerberos error: Service
>> u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.
>>
>>  
>>
>> I have no idea where the cyclone.esci.millersville.edu is coming 
>> from, as that used to be a Windows Domain server that was 
>> decommissioned years ago and is no longer in DNS, nor in /

[Freeipa-users] kinit seg-fault for Solaris 9

2013-03-26 Thread David Redmond
Hi,

I've set up FreeIPA for the first time and am using it successfully with
Linux and Solaris 10 clients. On 8 separate Solaris 9 clients I'm running
into an issue where 'kinit USER', for any user, fails with a segmentation
fault after prompting for a password. On the client side there are no log
entries. On the server side the "Additional pre-authentication required"
entry is written to the log. When I execute 'kinit -k' everything works
normally. I've verified that the keytabs for the Solaris 9 clients use only
des-cbc-crc encryption and that allow_weak_crypto = true is set on the
server side. Running 'truss kinit USER' on the Solaris 9 clients ends with:
Incurred fault #6, FLTBOUNDS  %pc = 0xFF3582E4
  siginfo: SIGSEGV SEGV_MAPERR addr=0x0004
Received signal #11, SIGSEGV (default)
  siginfo: SIGSEGV SEGV_MAPERR addr=0x0004

I've been fighting this for a while and have ensured that my Solaris 9
boxes are running the latest patches. Kerberos on the clients is the
standard one that comes with Solaris. I've installed no additional kerberos
components or packages.

I'm hoping someone has seen this before or can point me in a new direction.
At this point I've pretty much reached the end of my rope and am looking at
using local passwords (blech!) on my Solaris 9 clients.

Thanks in advance,
Dave
~""~
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-26 Thread David Redmond
Hi again,

I've got a bit more information. I've found that I can successfully kinit
on the Solaris 9 clients if, on the server, I change the user's password by:

ipa-getkeytab -s SERVER -p USER@REALM -k krb5.keytab -P

This works even if I delete the resulting keytab file. However, kinit on
the Solaris 9 client seg-faults if I set the user's password using the web
gui, the 'passwd' or 'kpasswd' commands, or even the `ipa user-mod
--password` command.

There must be something different about how the ipa-getkeytab command
stores the password. Any help would be greatly appreciated.

Thanks,
Dave
~""~

On Tue, Mar 26, 2013 at 4:05 PM, Rob Crittenden  wrote:

> David Redmond wrote:
>
>> Hi,
>>
>> I've setup FreeIPA for the first time and am using it successfully with
>> Linux and Solaris 10 clients. On 8 separate Solaris 9 clients I'm
>> running into an issue where 'kinit USER', for any user, fails with a
>> segmentation fault after prompting for a password. On the client side
>> there are no log entries. On the server side the "Additional
>> pre-authentication required" entry is written to the log. When I execute
>> 'kinit -k' everything works normally. I've verified that the keytabs for
>> the Solaris 9 clients use only des-cbc-crc encryption and that
>> allow_weak_crypto = true is set on the server side. Running 'truss kinit
>> USER' on the Solaris 9 clients end with:
>> Incurred fault #6, FLTBOUNDS  %pc = 0xFF3582E4
>>siginfo: SIGSEGV SEGV_MAPERR addr=0x0004
>> Received signal #11, SIGSEGV (default)
>>siginfo: SIGSEGV SEGV_MAPERR addr=0x0004
>>
>> I've been fighting this for a while and have ensured that my Solaris 9
>> boxes are running the latest patches. Kerberos on the clients is the
>> standard one that comes with Solaris. I've installed no additional
>> kerberos components or packages.
>>
>> I'm hoping someone has seen this before or can point me in a new
>> direction. At this point I've pretty much reached the end of my rope and
>> am looking at using local passwords (blech!) on my Solaris 9 clients.
>>
>>
> I don't have a very helpful answer, but if memory serves my Sparc 9
> install exhibits the same behavior. I don't have access to the latest
> updates though so I assumed it was related to that.
>
> rob
>
>

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-27 Thread David Redmond
I run the ipa-getkeytab command as the user I'm changing the password for.

New info: On the server, in my /etc/krb5.conf file I have
"allow_weak_crypto = true". If I remove that from the file, changing the
password via ipa-getkeytab no longer works. The kinit command on the
Solaris client results in a segmentation fault. When I put
"allow_weak_crypto = true" back into the krb5.conf file and change the
password via ipa-getkeytab the kinit command on the Solaris client works
normally.

The ipa-getkeytab command must somehow be referencing "allow_weak_crypto"
and storing the password differently depending on it.

On Wed, Mar 27, 2013 at 5:51 AM, Simo Sorce  wrote:

> On Wed, 2013-03-27 at 12:23 +0100, Sumit Bose wrote:
> > >
> > > I did (as admin@REALM user). But we hardcode root/admin@REALM if
> > this is
> > > administrative change:
> > >
> > > ipapwd_chpwop():
> > > ...
> > > if (pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
> > > principal = slapi_entry_attr_get_charptr(pwdata.target,
> > >
> > "krbPrincipalName");
> > > } else {
> > > principal = slapi_ch_smprintf("root/admin@%s",
> > krbcfg->realm);
> > > }
> > > ...
> > >
> > > Maybe the root cause of the crash is that we place there a principal
> > > (root/admin@REALM) which does not exist. But this is just a
> > speculation.
> >
> > ok, the principal is odd, and I guess this should be fixed, but maybe
> > Simo knows some more history here. But nevertheless I think it is
> > unrelated to the crash, because AFAIK this information is not sent to
> > the
> > client and only used for book-keeping and auditing on the server side.
> >
> I don't recall the root/admin story, looks odd to me, but nothing of
> this matter to a *client* segfaulting.
>
> Clients do not get access to this data this is purely internal metadata
> used by kadmin and the KDC.
>
> What I wonder is if the client is segfaulting when the password is
> expired due to a bug in handling the request to immediately change the
> password ?
>
> David,
> if you kinit on a Linux machine and make sure you properly change the
> password of the user (as the user, not as an admin), and then kinit again
> with the new credentials on Solaris, does it 'solve' your segfault
> issue ?
>
> In any case a segfault in a client command is something you need to
> report to your OS vendor, even if it is indirectly caused by the server
> it shows a potential attack vector and it is particularly worrying in
> something like kinit that may be run as root on a box.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-27 Thread David Redmond
I've done 1,2,3 many times. 4 always fails.

I realize you didn't ask for the info about allow_weak_crypto. I included
it because it seems to me that it's a telling bit of info.

On Wed, Mar 27, 2013 at 9:50 AM, Simo Sorce  wrote:

> I didn't ask to run ipa-getkeytab,
> can you do the following:
>
> 1. login to a linux client
> 2. change the user password as an admin
> 3. kinit as the user (and perform the password change as it will be
> requested)
> 4. go to the solaris box and now try the kinit using the new password
>
> Does step 4 work if you do 1,2,3 ?
> Or does it keep segfaulting ?
>
>
>
> The difference when allow_weak_crypto is false is that des keys are not
> produced, so an AS REQ reply will return to the client with a list of
> encryption types that do not include des as a valid algorithm.
>
> Maybe your kinit client is choking on that ?
>
> You can change the default encryption types used to generate new
> passwords (changing allow_weak_crypto is not sufficient for that) in
> FreeIPA by adding the desired enctypes in the krbDefaultEncSaltTypes
> multivalued attribute in entry named:
> cn=,cn=Kerberos,
>
> The current defaults for new installs do *not* include DES as it is a
> broken algorithm for security at this point.
>
>
> Simo.
>
> On Wed, 2013-03-27 at 09:36 -0700, David Redmond wrote:
> > I run the ipa-getkeytab command as the user I'm changing the password
> > for.
> >
> > New info: On the server, in my /etc/krb5.conf file I have
> > "allow_weak_crypto = true". If I remove that from the file, changing
> > the password via ipa-getkeytab no longer works. The kinit command on
> > the Solaris client results in a segmentation fault. When I put
> > "allow_weak_crypto = true" back into the krb5.conf file and change the
> > password via ipa-getkeytab the kinit command on the Solaris client
> > works normally.
> >
> > The ipa-getkeytab command must somehow be referencing
> > "allow_weak_crypto" and storing the password differently depending on
> > it.
> >
> > On Wed, Mar 27, 2013 at 5:51 AM, Simo Sorce  wrote:
> > On Wed, 2013-03-27 at 12:23 +0100, Sumit Bose wrote:
> > > >
> > > > I did (as admin@REALM user). But we hardcode
> > root/admin@REALM if
> > > this is
> > > > administrative change:
> > > >
> > > > ipapwd_chpwop():
> > > > ...
> > > > if (pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
> > > > principal =
> > slapi_entry_attr_get_charptr(pwdata.target,
> > > >
> > > "krbPrincipalName");
> > > > } else {
> > > > principal = slapi_ch_smprintf("root/admin@%s",
> > > krbcfg->realm);
> > > > }
> > > > ...
> > > >
> > > > Maybe the root cause of the crash is that we place there a
> > principal
> > > > (root/admin@REALM) which does not exist. But this is just
> > a
> > > speculation.
> > >
> > > ok, the principal is odd, and I guess this should be fixed,
> > but maybe
> > > Simo knows some more history here. But nevertheless I think
> > it is
> > > unrelated to the crash, because AFAIK this information is not
> > sent to
> > > the
> > > client and only used for book-keeping and auditing on the
> > server side.
> > >
> >
> > I don't recall the root/admin story, looks odd to me, but
> > nothing of
> > this matter to a *client* segfaulting.
> >
> > Clients do not get access to this data this is purely internal
> > metadata
> > used by kadmin and the KDC.
> >
> > What I wonder is if the client is segfaulting when the
> > password is
> > expired due to a bug in handling the request to immediately
> > change the
> > password ?
> >
> > David,
> > if you kinit on a Linux machine and make sure you properly
> > change the
> > password of the user (as the user, not as an admin), and then
> > kinit again
> > with the new credentials on Solaris, does it 'solve' your
> > segfault
> > issue ?
> >
> > In any case a segfault in a client command is something you
> > need to
> > report to your OS vendor, even if it is indirectly caused by
> > the server
> > it shows a potential attack vector and it is particularly
> > worrying in
> > something like kinit that may be run as root on a box.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

[Freeipa-users] Sudo rule still working after deactivation

2013-11-13 Thread David Kreuter
During our evaluation phase we're facing the following problem. One particular user 
was granted sudo permission with the help of a sudo rule. The user could 
successfully access the host via SSH and switch to user root by using the 
sudo command, which was enabled for the user with the sudo rule. After that the 
sudo rule was disabled, the user tried to log in again, and switching to root 
was still possible.

After deleting the SSSD cache files and restarting the service, sudo did not 
work anymore, as expected.

How long does it take until the sudo rules are refreshed in the SSSD cache? I know 
that there are three different refresh mechanisms (full, smart, rule). The full and 
smart refresh mechanisms are performed periodically depending on the settings in the 
SSSD configuration file, and the rule method should refresh the user's specific 
rules after each login, which apparently was not the case for my test scenario. 
Please correct me if I'm wrong. Of course I can set the interval for smart 
refresh to a minimum of 10 seconds, but this would cause a lot of traffic.

How can I configure SSSD to update the rules during each login of the user?

The following components are used:
- FreeIPA server freeipa-server.x86_64 3.3.2-1.fc19
- FreeIPA client on CentOS ipa-client.x86_64 3.0.0-26.el6_4.4
- SSSD sudo integration

--- /etc/sssd/sssd.conf ---

[domain/example.info]
debug_level = 0xFFF0
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.info
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = chef01.example.info
chpass_provider = ipa
ipa_server = _srv_, ipa01.example.info
ldap_tls_cacert = /etc/ipa/ca.crt

sudo_provider = ldap
ldap_uri = ldap://ipa01.example.info
ldap_sudo_search_base = ou=sudoers,dc=example,dc=info
ldap_schema=IPA
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/chef01.example.info
ldap_sasl_realm = EXAMPLE.INFO
krb5_server = ipa01.example.info

[sssd]
debug_level = 0x0400
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.info
[nss]
[pam]
[sudo]
debug_level = 0xFFF0
[autofs]
[ssh]
[pac]

--- /etc/sssd/sssd.conf ---

I tested the test scenario with very small intervals and the rules were 
properly updated.

ldap_sudo_full_refresh_interval = 30
ldap_sudo_smart_refresh_interval = 15

Is this a proper solution, or can I configure SSSD in a way that the rules are 
updated during each user's login?

I appreciate any help and thank you in advance.

Cheers,
David



[Freeipa-users] Sudo rule still working after deactivation

2013-11-14 Thread David Kreuter
Thanks for the fast reply and great support.

The usage of 'entry_cache_sudo_timeout' parameter does the trick.



[Freeipa-users] SSS for sudoers confusion

2014-03-10 Thread David Taylor
Hi all,
I'm in the process of testing IPA server for centralised
authentication of our linux hosts. We run CentOS 6.5 and it's all new so
we have no legacy issues.

In the lab I've set up an IPA server with the yum install and used a local
bind instance, which all seems to be working correctly. Where the issues
begin is with the sudoers functionality. After reading the manual and
consulting Google sensei I found a number of resources that talk about
setting up ldap either natively in the nsswitch.conf file or via sssd.
I've tried a number of slightly different configurations on the client
side with little effect. So the question is "what is the process for
configuring an IPA system to handle sudo functionality?".

Any help is greatly appreciated.

--nsswitch.conf--
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus Use NIS+ (NIS version 3)
#   nis Use NIS (NIS version 2), also called YP
#   dns Use DNS (Domain Name Service)
#   files   Use the local files
#   db  Use the local database (.db) files
#   compat  Use NIS on compat mode
#   hesiod  Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:db files nisplus nis
#shadow:db files nisplus nis
#group: db files nisplus nis

passwd: files sss
shadow: files sss
group:  files sss

#hosts: db files nisplus nis dns
hosts:  files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:files
services:   files sss
sudoers:files sss
netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:files nisplus

--- sssd.conf ---
[domain/test.example.net]

cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = TEST.EXAMPLE.NET
krb5_server = ipa-server-1.test.example.net
ipa_domain = test.example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-server-1.test.example.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa-server-1.test.example.net
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_uri = ldap://ipa-server-1.test.example.net

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test.example.net
ldap_sasl_realm = TEST.EXAMPLE.NET

domains = test.example.net
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
---

Best regards
David Taylor




Re: [Freeipa-users] SSS for sudoers confusion

2014-03-10 Thread David Taylor
@Dmitri - Thank you for your reply. That is actually one of the documents
I read; however, there seem to be some steps missing, as with the
configuration elements in place sudo doesn't work:

dtaylor is not allowed to run sudo on ipa-client.  This incident will be
reported.

There is some note about configuring a password on the ldap user; however,
following the suggestions I found didn't actually work.


Best regards
David Taylor


-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, 11 March 2014 10:49 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSS for sudoers confusion

On 03/10/2014 07:34 PM, David Taylor wrote:
> Hi all,
> I'm in the process of testing IPA server for centralised
> authentication of our linux hosts. We run CentOS 6.5 and it's all new
> so we have no legacy issues.
>
> In the lab I've set up an IPA server with the yum install and used a
> local bind instance which all seems to be working correctly. Where the
> issues begin is with the sudoers functionality. After reading the
> manual and consulting Google sensei I found a number of resources that
> talk about setting up ldap either natively in the nsswitch.conf file
> or via sssd, I've tried a number of slightly different configurations
> on the client side with little effect. So the question is "what is the
> process for configuring an IPA system to handle sudo functionality".
>
> Any help is greatly appreciated.

http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

>
> --nsswitch.conf--
> 
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #   nisplus Use NIS+ (NIS version 3)
> #   nis Use NIS (NIS version 2), also called YP
> #   dns Use DNS (Domain Name Service)
> #   files   Use the local files
> #   db  Use the local database (.db) files
> #   compat  Use NIS on compat mode
> #   hesiod  Use Hesiod for user lookups
> #   [NOTFOUND=return]   Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:db files nisplus nis
> #shadow:db files nisplus nis
> #group: db files nisplus nis
>
> passwd: files sss
> shadow: files sss
> group:  files sss
>
> #hosts: db files nisplus nis dns
> hosts:  files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:files
> services:   files sss
> sudoers:files sss
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files sss
> aliases:files nisplus
>
> --- sssd.conf ---
> [domain/test.example.net]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = TEST.EXAMPLE.NET
> krb5_server = ipa-server-1.test.example.net
> ipa_domain = test.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-server-1.test.example.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa-server-1.test.example.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_uri = ldap://ipa-server-1.test.example.net
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> sudo_provider = ldap
> ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipa-c

[Freeipa-users] FW: SSS for sudoers confusion (Solved)

2014-03-10 Thread David Taylor
Ok here is the info that finally made it all work

https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html

I seem to have had all the elements in there already so I suspect it was a
statement order issue

Best regards
David Taylor

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, 11 March 2014 10:49 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSS for sudoers confusion

On 03/10/2014 07:34 PM, David Taylor wrote:
> Hi all,
> I'm in the process of testing IPA server for centralised
> authentication of our linux hosts. We run CentOS 6.5 and it's all new
> so we have no legacy issues.
>
> In the lab I've set up an IPA server with the yum install and used a
> local bind instance which all seems to be working correctly. Where the
> issues begin is with the sudoers functionality. After reading the
> manual and consulting Google sensei I found a number of resources that
> talk about setting up ldap either natively in the nsswitch.conf file
> or via sssd, I've tried a number of slightly different configurations
> on the client side with little effect. So the question is "what is the
> process for configuring an IPA system to handle sudo functionality".
>
> Any help is greatly appreciated.

http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

>
> --nsswitch.conf--
> 
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #   nisplus Use NIS+ (NIS version 3)
> #   nis Use NIS (NIS version 2), also called YP
> #   dns Use DNS (Domain Name Service)
> #   files   Use the local files
> #   db  Use the local database (.db) files
> #   compat  Use NIS on compat mode
> #   hesiod  Use Hesiod for user lookups
> #   [NOTFOUND=return]   Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:db files nisplus nis
> #shadow:db files nisplus nis
> #group: db files nisplus nis
>
> passwd: files sss
> shadow: files sss
> group:  files sss
>
> #hosts: db files nisplus nis dns
> hosts:  files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:files
> services:   files sss
> sudoers:files sss
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files sss
> aliases:files nisplus
>
> --- sssd.conf ---
> [domain/test.example.net]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = TEST.EXAMPLE.NET
> krb5_server = ipa-server-1.test.example.net
> ipa_domain = test.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-server-1.test.example.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa-server-1.test.example.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_uri = ldap://ipa-server-1.test.example.net
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> sudo_provider = ldap
> ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipa-client.test.example.net
> ldap_sasl_realm = TEST.EXAMPLE.NET
>
> domains = test.example.net
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
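
Both this thread and the earlier "Sudo rule still working after deactivation" thread come down to sssd.conf. In the configuration posted above the sudo options (sudo_provider, ldap_sudo_search_base, the ldap_sasl_* keys) sit under [sssd], where SSSD does not look for them; they belong in the [domain/...] section, which is the "statement order issue" the solved post refers to. In the earlier thread the fix was a shorter entry_cache_sudo_timeout. The script below is an added example in Python, my own code rather than SSSD's or FreeIPA's, that checks both. The two sample configurations are constructed from the ones posted in these threads, the list of domain-only options is a hand-picked subset, and the default lifetimes are assumptions based on the sssd.conf(5) and sssd-ldap(5) man pages, so verify them against your SSSD version.

```python
"""Audit an sssd.conf for the two sudo problems seen in these threads.

Constructed example, not SSSD or FreeIPA project code.  Default values are
assumptions taken from the sssd.conf(5)/sssd-ldap(5) man pages; check them
against the SSSD version you run.
"""
import configparser

# Options SSSD only reads from a [domain/NAME] section.  Hand-picked subset
# covering the sudo-related keys; under [sssd] they are silently ignored.
DOMAIN_ONLY_OPTIONS = {
    "sudo_provider", "ldap_sudo_search_base", "ldap_sudo_full_refresh_interval",
    "ldap_sudo_smart_refresh_interval", "entry_cache_sudo_timeout",
    "ldap_uri", "ldap_sasl_mech", "ldap_sasl_authid", "ldap_sasl_realm",
}

# Assumed documented defaults, in seconds.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400
DEFAULT_SUDO_SMART_REFRESH = 900
DEFAULT_SUDO_FULL_REFRESH = 21600

# Constructed from the config posted in "SSS for sudoers confusion": the sudo
# options sit under [sssd], where SSSD does not look for them.
SAMPLE_MISPLACED = """\
[domain/test.example.net]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = test.example.net
ipa_server = _srv_, ipa-server-1.test.example.net

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
domains = test.example.net
"""

# Constructed from the config in "Sudo rule still working after deactivation",
# with the sudo options in the domain section and short cache lifetimes.
SAMPLE_CORRECTED = """\
[domain/example.info]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = example.info
ipa_server = _srv_, ipa01.example.info
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=info
ldap_sudo_smart_refresh_interval = 300
entry_cache_sudo_timeout = 60

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.info
"""


def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def misplaced_domain_options(cp):
    """(section, option) pairs for domain-level options found outside a [domain/...] section."""
    return [(section, option)
            for section in cp.sections() if not section.startswith("domain/")
            for option in cp.options(section) if option in DOMAIN_ONLY_OPTIONS]


def configured_domains(cp):
    return [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]


def sudo_service_enabled(cp):
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    return "sudo" in services


def sudo_cache_settings(cp, domain):
    """Effective sudo refresh and cache lifetimes for one domain, in seconds."""
    sec = cp["domain/" + domain]
    entry_cache = sec.getint("entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
    return {
        # a rule already in the client's cache stays valid this long after it changes upstream
        "entry_cache_sudo_timeout": sec.getint("entry_cache_sudo_timeout", fallback=entry_cache),
        "ldap_sudo_smart_refresh_interval": sec.getint("ldap_sudo_smart_refresh_interval",
                                                       fallback=DEFAULT_SUDO_SMART_REFRESH),
        "ldap_sudo_full_refresh_interval": sec.getint("ldap_sudo_full_refresh_interval",
                                                      fallback=DEFAULT_SUDO_FULL_REFRESH),
    }


def audit(text, max_sudo_cache=300):
    """Human-readable findings; an empty list means nothing looked wrong."""
    cp = parse_sssd_conf(text)
    findings = []
    for section, option in misplaced_domain_options(cp):
        findings.append(f"{option} is under [{section}]; SSSD only honours it in a [domain/...] section")
    if not sudo_service_enabled(cp):
        findings.append("'sudo' is missing from services= in [sssd]; the sudo responder will not run")
    for domain in configured_domains(cp):
        if not cp.has_section("domain/" + domain):
            findings.append(f"domain {domain} is listed but has no [domain/{domain}] section")
            continue
        if "sudo_provider" not in cp["domain/" + domain]:
            findings.append(f"[domain/{domain}] has no sudo_provider; no sudo rules will be fetched")
        settings = sudo_cache_settings(cp, domain)
        if settings["entry_cache_sudo_timeout"] > max_sudo_cache:
            findings.append(f"[domain/{domain}] entry_cache_sudo_timeout={settings['entry_cache_sudo_timeout']}s: "
                            "a disabled rule stays usable for that long on a client that cached it")
    return findings


if __name__ == "__main__":
    for name, text in (("misplaced", SAMPLE_MISPLACED), ("corrected", SAMPLE_CORRECTED)):
        print(name, audit(text) or ["ok"])
```

Run it directly to audit the two embedded samples, or feed the contents of /etc/sssd/sssd.conf to audit() on a real client. The 300-second threshold in audit() is an arbitrary choice for the example; the point is that a rule a client has already cached keeps working for roughly entry_cache_sudo_timeout after it is disabled on the server, which is what the first thread observed.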

[Freeipa-users] Problem using IPA for Apache LDAP Auth

2014-04-02 Thread David Taylor
Hi All,

I'm having some issues with setting up LDAP auth for an Apache 
web server. In short I have an IPA server that seems to be working correctly; it 
is currently acting as a central authentication server for our Linux server 
environment. What I'm trying to do is get LDAP Auth up for our web based 
services.

The test environment is all CentOS 6.5 with the following config:

IPA server with an LDAP bind user set up as per 
http://www.freeipa.org/page/Apache_Group_Based_Authorization without the 
kerberos component.

There is a single web directory /var/www/html/webtest with a single index.html 
file and a .htaccess file with the following contents.

# Make sure you're using HTTPS, or anyone can read your LDAP password.
# SSLRequireSSL
Order deny,allow
Deny from All
AuthName "Example Authorisation"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl "ldaps://ipa.example.com:636/dc=example,dc=com?uid"
AuthLDAPBindDN "uid=webapps,cn=sysaccounts,cn=etc, dc=example,dc=com"
AuthLDAPBindPassword ""
Require valid-user
Satisfy any

---

When I try to access the web page I get a basic auth prompt and in the ipa 
server logs I get the following:

[03/Apr/2014:12:26:22 +1100] conn=1689 fd=83 slot=83 SSL connection from 
10.0.0.11 to 10.0.0.3
[03/Apr/2014:12:26:22 +1100] conn=1689 SSL 256-bit AES
[03/Apr/2014:12:26:22 +1100] conn=1689 op=0 BIND 
dn="uid=webapps,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[03/Apr/2014:12:26:22 +1100] conn=1689 op=0 RESULT err=0 tag=97 nentries=0 
etime=0 dn="uid=webapps,cn=sysaccounts,cn=etc, dc=example,dc=com"
[03/Apr/2014:12:26:22 +1100] conn=1689 op=1 SRCH base=" dc=example,dc=com" 
scope=2 filter="(&(objectClass=*)(uid=dtaylor))" attrs="uid"
[03/Apr/2014:12:26:22 +1100] conn=1689 op=1 RESULT err=0 tag=101 nentries=1 
etime=0 notes=U

---

Any help is greatly appreciated.

Best regards
David Taylor
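
To read a 389 Directory Server access log like the one above without eyeballing conn= and op= numbers, here is an added Python example (my own code, not FreeIPA's or 389-ds's). It groups lines by connection, pairs each request with its RESULT and reports the bind/search sequence. conn=1689 is the excerpt from the post; conn=1690 is constructed to show what a completed mod_authnz_ldap check looks like: a bind as the service account, a lookup of the user, then a bind as the DN that was found, here with a wrong password (err=49, invalidCredentials).

```python
"""Reconstruct what a 389 Directory Server access log shows per connection.

Added example (my own code, not FreeIPA's).  conn=1689 is the excerpt from
the post; conn=1690 is constructed to show a completed basic-auth check that
ends with a failed bind as the user.
"""
import re
from collections import defaultdict

SAMPLE_ACCESS_LOG = """\
[03/Apr/2014:12:26:22 +1100] conn=1689 fd=83 slot=83 SSL connection from 10.0.0.11 to 10.0.0.3
[03/Apr/2014:12:26:22 +1100] conn=1689 SSL 256-bit AES
[03/Apr/2014:12:26:22 +1100] conn=1689 op=0 BIND dn="uid=webapps,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[03/Apr/2014:12:26:22 +1100] conn=1689 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=webapps,cn=sysaccounts,cn=etc, dc=example,dc=com"
[03/Apr/2014:12:26:22 +1100] conn=1689 op=1 SRCH base=" dc=example,dc=com" scope=2 filter="(&(objectClass=*)(uid=dtaylor))" attrs="uid"
[03/Apr/2014:12:26:22 +1100] conn=1689 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[03/Apr/2014:12:30:00 +1100] conn=1690 op=0 BIND dn="uid=webapps,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[03/Apr/2014:12:30:00 +1100] conn=1690 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=webapps,cn=sysaccounts,cn=etc,dc=example,dc=com"
[03/Apr/2014:12:30:00 +1100] conn=1690 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=*)(uid=dtaylor))" attrs="uid"
[03/Apr/2014:12:30:00 +1100] conn=1690 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2014:12:30:00 +1100] conn=1690 op=2 BIND dn="uid=dtaylor,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[03/Apr/2014:12:30:00 +1100] conn=1690 op=2 RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STRAY_WS = re.compile(r'^\s|\s$|,\s')   # leading/trailing blank, or a blank after a comma in a DN


def parse_access_log(text):
    """Per-connection list of op records; connection-setup lines carry no op and are skipped."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("op") is None:
            continue
        rest = m.group("rest")
        record = {"op": int(m.group("op")), "kind": rest.split(" ", 1)[0]}   # BIND, RESULT, SRCH, ...
        record.update((k, v.strip('"')) for k, v in KV_RE.findall(rest))
        conns[int(m.group("conn"))].append(record)
    return dict(conns)


def paired_ops(ops):
    """Pair each request with its RESULT by op number, in op order."""
    requests, results = {}, {}
    for rec in ops:
        (results if rec["kind"] == "RESULT" else requests)[rec["op"]] = rec
    return [(requests[n], results.get(n)) for n in sorted(requests)]


def analyze_connection(ops):
    """(code, detail) findings for one connection."""
    findings = []
    pending_lookup = None          # filter of a search that matched exactly one entry
    for request, result in paired_ops(ops):
        for rec in (request, result):
            for key in ("dn", "base"):
                value = (rec or {}).get(key)
                if value is not None and STRAY_WS.search(value):
                    findings.append(("stray_whitespace", value))
        err = int(result["err"]) if result and "err" in result else None
        if request["kind"] == "BIND":
            # method=128 is a simple (password) bind; err=49 is invalidCredentials
            findings.append(("bind_ok" if err == 0 else "bind_fail", request.get("dn", "")))
            pending_lookup = None  # a bind followed the lookup
        elif request["kind"] == "SRCH":
            if result and result.get("notes") == "U":
                findings.append(("unindexed_search", request.get("filter", "")))
            pending_lookup = request.get("filter") if result and result.get("nentries") == "1" else None
    if pending_lookup:
        # mod_authnz_ldap verifies the password by binding as the DN it just found;
        # the log stops after the lookup, so no password was checked on this connection
        findings.append(("no_bind_after_lookup", pending_lookup))
    return findings


def analyze_log(text):
    return {conn: analyze_connection(ops) for conn, ops in parse_access_log(text).items()}


def finding_codes(text, conn):
    return [code for code, _ in analyze_log(text)[conn]]


if __name__ == "__main__":
    for conn, findings in analyze_log(SAMPLE_ACCESS_LOG).items():
        print(f"conn={conn}")
        for code, detail in findings:
            print(f"  {code}: {detail!r}")
```

For the posted connection the script reports that the service-account bind succeeded, that the user lookup was unindexed (notes=U), that two DN values carry a blank after a comma (legal DN syntax, but it matches the AuthLDAPBindDN in the .htaccess and is worth knowing when comparing DNs), and that the excerpt ends without a bind as the user's DN, which is the step that would actually verify the password. Before drawing a conclusion from the last point, check whether later lines for the same conn= exist in the full log.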

[Freeipa-users] PasswordAuthentication option for SSH

2014-04-16 Thread David Kreuter
Hi, 


Today I faced the issue that Kerberos authentication stopped working after 
disabling PasswordAuthentication in /etc/ssh/sshd_config on a FreeIPA client. 
The deactivation of this option was done due to security issues. 


Is it really necessary to have this option set to yes when using Kerberos 
authentication? 


IPA client 3.0.0 
IPA server 3.3.2 


Thank you in advance. 


David

Re: [Freeipa-users] PasswordAuthentication option for SSH

2014-04-16 Thread David Kreuter
On client side the valid Kerberos ticket is present. The following SSH 
configuration is used on the machine where the IPA client is running: 


/etc/ssh/sshd_config 
---cut--- 
PasswordAuthentication yes 

KerberosAuthentication no 
PubkeyAuthentication yes 
UsePAM yes 
GSSAPIAuthentication yes 
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys 
---cut--- 


Just checked the machine again: password authentication is used as a fallback, 
because the Kerberos setup on this machine seems to be messed up. I have tried 
to uninstall the client and reinstall it. During the installation I'm getting 
the following message: 


"A RA is not configured on the server. Not requesting host certificate." 


Trying to request the certificate manually results in: 


ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/ -N 
'CN=,O=EXAMPLE.INFO' -v 


Error org.fedorahosted.certmonger.duplicate: Certificate at same location is 
already used by request with nickname "20140416200517" 


So the certificate is already there. Do you have some hints? 



- Original Message -----

From: "Simo Sorce"  
To: "David Kreuter"  
Cc: freeipa-users@redhat.com 
Sent: Wednesday, 16 April, 2014 8:50:39 PM 
Subject: Re: [Freeipa-users] PasswordAuthentication option for SSH 

On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote: 
> Hi, 
> 
> 
> Today I faced the issue that Kerberos authentication stopped working 
> after disabling PasswordAuthentication in /etc/ssh/sshd_config on a 
> FreeIPA client. The deactivation of this option was done due to 
> security issues. 
> 
> 
> Is it really necessary to have this option set to yes when using 
> Keberos authentication? 

No, GSSAPI authentication does not need PasswordAuthentication, of 
course it requires valid kerberos credentials on the client and a valid 
keytab on the server. 

Simo. 

-- 
Simo Sorce * Red Hat, Inc * New York 



[Freeipa-users] Keberos authentication - Unspecified GSS failure

2014-04-16 Thread David Kreuter
Yesterday I installed the FreeIPA client on a machine and after the installation 
the login with password worked fine. After that I tried to log in with a valid 
Kerberos ticket and it failed. First I traced the ssh login: 


ssh -vvv da...@test.example.com 

---cut--- 
debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80), 
debug2: key: /home/david/.ssh/id_dsa ((nil)), 
debug2: key: /home/david/.ssh/id_ecdsa ((nil)), 
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic 
debug3: start over, passed a different list 
publickey,gssapi-keyex,gssapi-with-mic 
debug3: preferred 
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password 
debug3: authmethod_lookup gssapi-keyex 
debug3: remaining preferred: 
gssapi-with-mic,publickey,keyboard-interactive,password 
debug3: authmethod_is_enabled gssapi-keyex 
debug1: Next authentication method: gssapi-keyex 
debug1: No valid Key exchange context 
debug2: we did not send a packet, disable method 
debug3: authmethod_lookup gssapi-with-mic 
debug3: remaining preferred: publickey,keyboard-interactive,password 
debug3: authmethod_is_enabled gssapi-with-mic 
debug1: Next authentication method: gssapi-with-mic 
debug2: we sent a gssapi-with-mic packet, wait for reply 
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic 
debug2: we sent a gssapi-with-mic packet, wait for reply 
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic 
debug2: we sent a gssapi-with-mic packet, wait for reply 
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic 
debug2: we sent a gssapi-with-mic packet, wait for reply 
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic 
debug2: we did not send a packet, disable method 
debug3: authmethod_lookup publickey 
debug3: remaining preferred: keyboard-interactive,password 
debug3: authmethod_is_enabled publickey 
debug1: Next authentication method: publickey 
debug1: Offering RSA public key: /home/david/.ssh/id_rsa 
debug3: send_pubkey_test 
debug2: we sent a publickey packet, wait for reply 
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic 
debug1: Trying private key: /home/david/.ssh/id_dsa 
debug3: no such identity: /home/david/.ssh/id_dsa: No such file or directory 
debug1: Trying private key: /home/david/.ssh/id_ecdsa 
debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or directory 
debug2: we did not send a packet, disable method 
debug1: No more authentication methods to try. 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic). 
---cut--- 


Then I enabled the log for SSH on the IPA client machine and faced the following 
error: 


---cut--- 

Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0 
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david" 
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to 
"10.100.3.2" 
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh" 
Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user david 
service ssh-connection method gssapi-with-mic 
Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0 
Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure. Minor code 
may provide more information\nNo key table entry found matching host/infra01@\n 
---cut--- 


Unspecified GSS failure. Minor code may provide more information.No key table 
entry found matching host/infra01@\n. 


After that I tried to receive a ticket on the IPA client machine and everything 
worked fine: 


kinit  
klist 

Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: david@.INFO 


Valid starting Expires Service principal 
04/16/14 23:24:51 04/17/14 23:24:47 krbtgt/... 
04/16/14 23:25:51 04/17/14 23:24:47 host/... 



kvno -k /etc/krb5.keytab host/... 
host/...: kvno = 1, keytab entry valid 


So the Kerberos setup on the machine seems to be fine, but SSH login using 
Kerberos is still not working. GSSAPI is correctly enabled in the sshd 
configuration file. Any hint is highly appreciated. Thanks. 


David 


Re: [Freeipa-users] Keberos authentication - Unspecified GSS failure

2014-04-18 Thread David Kreuter

klist -kt /etc/krb5.keytab shows me the right principals: 



KVNO Timestamp         Principal 
---- ----------------- --------- 
   1 04/16/14 23:12:58 host/@ 
   1 04/16/14 23:12:58 host/@ 
   1 04/16/14 23:12:58 host/@ 
   1 04/16/14 23:12:58 host/@ 


The principals for the machine are displayed with the right FQDN. Also, the 
machine has the right hostname, containing the right domain, and the machine can 
be resolved correctly via DNS. 


I have added the mentioned option to the Kerberos configuration and the login with 
Kerberos authentication is working now: 



[libdefaults] 
ignore_acceptor_hostname = true 


I'm still wondering what is wrong with the machine's configuration. 

- Original Message -

From: "Rob Crittenden"  
To: "David Kreuter" , freeipa-users@redhat.com 
Sent: Thursday, 17 April, 2014 12:13:48 AM 
Subject: Re: [Freeipa-users] Keberos authentication - Unspecified GSS failure 

David Kreuter wrote: 
> Yesterday I installed the FreeIPA client on machine and after the 
> installation the login with password worked fine. After that I tried to 
> login with a valid Kerberos ticket and it failed. First i traced the ssh 
> login: 
> 
> ssh -vvv da...@test.example.com 
> ---cut--- 
> debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80), 
> debug2: key: /home/david/.ssh/id_dsa ((nil)), 
> debug2: key: /home/david/.ssh/id_ecdsa ((nil)), 
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic 
> debug3: start over, passed a different list 
> publickey,gssapi-keyex,gssapi-with-mic 
> debug3: preferred 
> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password 
> debug3: authmethod_lookup gssapi-keyex 
> debug3: remaining preferred: 
> gssapi-with-mic,publickey,keyboard-interactive,password 
> debug3: authmethod_is_enabled gssapi-keyex 
> debug1: Next authentication method: gssapi-keyex 
> debug1: No valid Key exchange context 
> debug2: we did not send a packet, disable method 
> debug3: authmethod_lookup gssapi-with-mic 
> debug3: remaining preferred: publickey,keyboard-interactive,password 
> debug3: authmethod_is_enabled gssapi-with-mic 
> debug1: Next authentication method: gssapi-with-mic 
> debug2: we sent a gssapi-with-mic packet, wait for reply 
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic 
> debug2: we sent a gssapi-with-mic packet, wait for reply 
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic 
> debug2: we sent a gssapi-with-mic packet, wait for reply 
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic 
> debug2: we sent a gssapi-with-mic packet, wait for reply 
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic 
> debug2: we did not send a packet, disable method 
> debug3: authmethod_lookup publickey 
> debug3: remaining preferred: keyboard-interactive,password 
> debug3: authmethod_is_enabled publickey 
> debug1: Next authentication method: publickey 
> debug1: Offering RSA public key: /home/david/.ssh/id_rsa 
> debug3: send_pubkey_test 
> debug2: we sent a publickey packet, wait for reply 
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic 
> debug1: Trying private key: /home/david/.ssh/id_dsa 
> debug3: no such identity: /home/david/.ssh/id_dsa: No such file or directory 
> debug1: Trying private key: /home/david/.ssh/id_ecdsa 
> debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or 
> directory 
> debug2: we did not send a packet, disable method 
> debug1: No more authentication methods to try. 
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic). 
> ---cut--- 
> 
> Then I enabled the log for SSH on the IPA client machine and faced 
> following error: 
> 
> ---cut--- 
> Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0 
> Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david" 
> Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to 
> "10.100.3.2" 
> Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh" 
> Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user 
> david service ssh-connection method gssapi-with-mic 
> Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0 
> Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure. 
> Minor code may provide more information\nNo key table entry found 
> matching host/infra01@\n 
> ---cut--- 
> 
> Unspecified GSS failure. Minor code may provide more information.No key 
> table entry found matching host/infra01@\n. 
> 
> After that I tried to r

Re: [Freeipa-users] Keberos authentication - Unspecified GSS failure

2014-04-18 Thread David Kreuter
Exactly, this was the issue. After fixing the /etc/hosts configuration, Kerberos 
authentication works fine for this machine without having this special krb5 
option set. Thanks!

On 18 April 2014 15:49:50 CEST, Simo Sorce  wrote:
>On Fri, 2014-04-18 at 10:14 +0200, David Kreuter wrote:
>> klist -kt /etc/krb5.keytab showing me the right principals: 
>> 
>> 
>> 
>> KVNO Timestamp Principal 
>>  -
> 
>> 1 04/16/14 23:12:58 host/@ 
>> 1 04/16/14 23:12:58 host/@ 1 04/16/14 23:12:58
>host/@ 1 04/16/14 23:12:58 host/@realm> 
>> 
>> 
>> The principal for the machine are displayed with the right FQDN. Also
>the machine has the right hostname containing the right domain and the
>machine can be resolved correctly via DNS. 
>> 
>> 
>> I have added the mentioned option to kerberos configuration and the
>login with Kerberos authentication is working now: 
>> 
>> 
>> 
>> [libdefaults] 
>> ignore_acceptor_hostname = true 
>> 
>> 
>> I'm still wondering what is wrong with the machine's configuration. 
>
>Do you have the shortname as first entry in /etc/hosts ?
>If so put it second or remove it.
>
>Simo.
>
>
>> - Original Message -
>> 
>> From: "Rob Crittenden"  
>> To: "David Kreuter" ,
>freeipa-users@redhat.com 
>> Sent: Thursday, 17 April, 2014 12:13:48 AM 
>> Subject: Re: [Freeipa-users] Keberos authentication - Unspecified GSS
>failure 
>> 
>> David Kreuter wrote: 
>> > Yesterday I installed the FreeIPA client on machine and after the 
>> > installation the login with password worked fine. After that I
>tried to 
>> > login with a valid Kerberos ticket and it failed. First i traced
>the ssh 
>> > login: 
>> > 
>> > ssh -vvv da...@test.example.com 
>> > ---cut--- 
>> > debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80), 
>> > debug2: key: /home/david/.ssh/id_dsa ((nil)), 
>> > debug2: key: /home/david/.ssh/id_ecdsa ((nil)), 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug3: start over, passed a different list 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug3: preferred 
>> >
>gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password 
>> > debug3: authmethod_lookup gssapi-keyex 
>> > debug3: remaining preferred: 
>> > gssapi-with-mic,publickey,keyboard-interactive,password 
>> > debug3: authmethod_is_enabled gssapi-keyex 
>> > debug1: Next authentication method: gssapi-keyex 
>> > debug1: No valid Key exchange context 
>> > debug2: we did not send a packet, disable method 
>> > debug3: authmethod_lookup gssapi-with-mic 
>> > debug3: remaining preferred:
>publickey,keyboard-interactive,password 
>> > debug3: authmethod_is_enabled gssapi-with-mic 
>> > debug1: Next authentication method: gssapi-with-mic 
>> > debug2: we sent a gssapi-with-mic packet, wait for reply 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug2: we sent a gssapi-with-mic packet, wait for reply 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug2: we sent a gssapi-with-mic packet, wait for reply 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug2: we sent a gssapi-with-mic packet, wait for reply 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug2: we did not send a packet, disable method 
>> > debug3: authmethod_lookup publickey 
>> > debug3: remaining preferred: keyboard-interactive,password 
>> > debug3: authmethod_is_enabled publickey 
>> > debug1: Next authentication method: publickey 
>> > debug1: Offering RSA public key: /home/david/.ssh/id_rsa 
>> > debug3: send_pubkey_test 
>> > debug2: we sent a publickey packet, wait for reply 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug1: Trying private key: /home/david/.ssh/id_dsa 
>> > debug3: no such identity: /home/david/.ssh/id_dsa: No such file or
>directory 
>> > debug1: Trying private key: /home/david/.ssh/id_ecdsa 
>> > debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file
>or 
>> > directory 
>> &
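
The two threads above (password fallback hiding a broken GSSAPI login, then the "No key table entry found matching host/infra01@" error that an /etc/hosts ordering fix resolved) come down to one check: which name sshd presents as the GSSAPI acceptor, and whether the keytab holds a key for it. The following Python script is an added example of that check, mine rather than the thread's or FreeIPA's; the /etc/hosts and klist -kt samples, the 10.100.3.10 address, the infra01.example.info hostname and the EXAMPLE.INFO realm are constructed assumptions.

```python
"""Explain a "No key table entry found matching host/<name>@" GSSAPI failure.

sshd asks the Kerberos library to accept as host@<gethostname()>; the library
canonicalises that name, and when /etc/hosts lists it, glibc's files backend
reports the FIRST name on the matching line as canonical. A short name in
that column turns the acceptor into host/infra01@REALM, which the keytab
(holding host/infra01.example.info@REALM) cannot satisfy. Setting
ignore_acceptor_hostname = true only masks the mismatch; fixing the order in
/etc/hosts removes it. All inputs below are constructed samples.
"""
import re

# klist -kt rows look like "   1 04/16/14 23:12:58 host/name@REALM"
KLIST_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S*)\s*$")

# Constructed /etc/hosts with the short name first (the broken layout) ...
HOSTS_BAD = """\
127.0.0.1   localhost localhost.localdomain
10.100.3.10 infra01 infra01.example.info
"""
# ... and with the FQDN first (the corrected layout).
HOSTS_GOOD = """\
127.0.0.1   localhost localhost.localdomain
10.100.3.10 infra01.example.info infra01   # canonical name first
"""
# Constructed `klist -kt /etc/krb5.keytab` output: only FQDN host principals.
KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   1 04/16/14 23:12:58 host/infra01.example.info@EXAMPLE.INFO
   1 04/16/14 23:12:58 host/infra01.example.info@EXAMPLE.INFO
"""


def hosts_entries(hosts_text):
    """Yield (address, [names]) for each non-comment line of an /etc/hosts file."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def canonical_name(hosts_text, hostname):
    """Name the files backend reports as canonical for `hostname`: the first
    name on the first line that lists it in any column. None when the file
    does not list it, in which case DNS decides instead."""
    for _addr, names in hosts_entries(hosts_text):
        if hostname in names:
            return names[0]
    return None


def keytab_principals(klist_text):
    """Collect the principal column from `klist -kt` output."""
    found = set()
    for line in klist_text.splitlines():
        match = KLIST_LINE.match(line)
        if match:
            found.add(match.group(1))
    return found


def diagnose(hosts_text, klist_text, hostname, realm):
    """Derive the acceptor principal sshd will end up with and list findings."""
    findings = []
    if "." not in hostname:
        findings.append("hostname-not-fqdn")
    canon = canonical_name(hosts_text, hostname) or hostname
    if "." not in canon:
        # This is the thread's failure: short name first in /etc/hosts.
        findings.append("hosts-canonical-name-is-short")
    acceptor = f"host/{canon}@{realm}"
    if acceptor not in keytab_principals(klist_text):
        findings.append("keytab-missing-acceptor-principal")
    return {"acceptor": acceptor, "findings": findings}


if __name__ == "__main__":
    for label, hosts in (("broken", HOSTS_BAD), ("fixed", HOSTS_GOOD)):
        print(label, diagnose(hosts, KLIST, "infra01.example.info", "EXAMPLE.INFO"))
```

Run against a real host by feeding it the contents of /etc/hosts, the output of klist -kt /etc/krb5.keytab, the value of hostname, and the realm from /etc/krb5.conf.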

[Freeipa-users] ipa 3.0 expired cert renewal

2014-05-28 Thread David Fitzgerald
Hello,

My Freeipa server stopped working over the weekend due to what looks like 
expired certificates.  I am running ipa-server 3.0 and thought these certs were 
automatically renewed.  I am no expert at KDC / IPA and any help you can give 
is greatly appreciated.

When I try to start the ipa service on my server I get:

[root@aurora ~]# /sbin/service ipa start
Starting Directory Service
Starting dirsrv:
LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
   [  OK  ]
PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
   [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ VirtualHost overlap 
on port 443, the first has precedence
   [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping ipa_memcached:[  OK  ]
Stopping httpd:[FAILED]
Stopping pki-ca:   [  OK  ]
Shutting down dirsrv:
LINUX-DIRSRV-LOCAL...  [  OK  ]
PKI-IPA... [  OK  ]
Aborting ipactl

Of course kinit also fails with: kinit: Cannot contact any KDC for realm 
'LINUX.DIRSRV.LOCAL' while getting initial credentials

Can someone help me get back on my feet?  Luckily there are not many students 
around in the summer so I just have 20 annoyed faculty instead of 200 annoyed 
students to placate.

Thanks!



---
David Fitzgerald
Adjunct Professor
Department of Earth Sciences
Millersville University
Millersville, PA 17551

E-mail: david.fitzger...@millersville.edu
PH: 717-871-2394


Re: [Freeipa-users] ipa 3.0 expired cert renewal

2014-05-29 Thread David Fitzgerald


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Wednesday, May 28, 2014 8:51 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa 3.0 expired cert renewal

On 05/28/2014 10:40 AM, David Fitzgerald wrote:
Hello,

My Freeipa server stopped working over the weekend due to what looks like 
expired certificates.  I am running ipa-server 3.0 and thought these certs were 
automatically renewed.  I am no expert at KDC / IPA and any help you can give 
is greatly appreciated.

When I try to start the ipa service on my server I get:

[root@aurora ~]# /sbin/service ipa start
Starting Directory Service
Starting dirsrv:
LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
   [  OK  ]
PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
   [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ VirtualHost overlap 
on port 443, the first has precedence
   [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping ipa_memcached:[  OK  ]
Stopping httpd:[FAILED]
Stopping pki-ca:   [  OK  ]
Shutting down dirsrv:
LINUX-DIRSRV-LOCAL...  [  OK  ]
PKI-IPA... [  OK  ]
Aborting ipactl

Of course kinit also fails with: kinit: Cannot contact any KDC for realm 
'LINUX.DIRSRV.LOCAL' while getting initial credentials

Can someone help me get back on my feet?  Luckily there are not many students 
around in the summer so I just have 20 annoyed faculty instead of 200 annoyed 
students to placate.

Thanks!

Usually that happens when you do not have the original master any more. Is this 
the case for you?
Have you looked at http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ?


That was the info I needed.  Sorry I didn't check the IPA 2x docs.  It works 
just fine again.
Thank You!



-------
David Fitzgerald
Adjunct Professor
Department of Earth Sciences
Millersville University
Millersville, PA 17551

E-mail: david.fitzger...@millersville.edu
PH: 717-871-2394








--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.

[Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-10-30 Thread David Taylor
I just recently updated one of our test servers from CentOS 6.5 to CentOS 6.6, 
after which I noticed that IPA logons were no longer available. From what I can 
see the upgrade includes quite a few changes with regard to sssd.


-  NTP is up and synced on the Auth servers and the client.

-  DNS is working to the IPA servers

-  I can do a kinit for users with no problem

-  I have uninstalled the ipa client, deleted the host profile on the 
IPA server and done a rejoin. The rejoin worked but the problem is the same.

Software versions, using:

-  rpm -qa | grep -i ipa

-  rpm -qa | grep -i sssd

Software versions before:
libipa_hbac-1.9.2-129.el6_5.4.x86_64
device-mapper-multipath-0.4.9-72.el6_5.4.x86_64
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
device-mapper-multipath-libs-0.4.9-72.el6_5.4.x86_64
sssd-1.9.2-129.el6_5.4.x86_64
sssd-client-1.9.2-129.el6_5.4.x86_64

Software version after:
sssd-ipa-1.11.6-30.el6.x86_64
libipa_hbac-1.11.6-30.el6.x86_64
device-mapper-multipath-libs-0.4.9-80.el6.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
libipa_hbac-python-1.11.6-30.el6.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
device-mapper-multipath-0.4.9-80.el6.x86_64
sssd-ldap-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-client-1.11.6-30.el6.x86_64
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-proxy-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
The /var/log/secure logs show the following

Oct 31 10:38:30 test01 sshd[2790]: Invalid user dtaylor from 
Oct 31 10:38:30 test01 sshd[2791]: input_userauth_request: invalid user dtaylor
Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=
Oct 31 10:38:30 test01 sshd[2790]: pam_succeed_if(sshd:auth): error retrieving 
information about user dtaylor

The /var/log/audit/audit.log logs show the following

type=CRYPTO_KEY_USER msg=audit(1414715857.270:107): user pid=5831 uid=0 auid=0 
ses=1 msg='op=destroy kind=server 
fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5831 suid=0 
 exe="/usr/sbin/sshd" hostname=? addr= terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1414715857.270:108): user pid=5831 uid=0 auid=0 
ses=1 msg='op=destroy kind=server 
fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5831 suid=0 
 exe="/usr/sbin/sshd" hostname=? addr= terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1414715857.272:109): user pid=5830 uid=0 auid=0 
ses=1 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 spid=5831 
suid=74 rport=44361 laddr= lport=22  exe="/usr/sbin/sshd" 
hostname=? addr= terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1414715857.272:110): user pid=5830 uid=0 auid=0 
ses=1 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 spid=5831 
suid=74 rport=44361 laddr= lport=22  exe="/usr/sbin/sshd" 
hostname=? addr= terminal=? res=success'
type=USER_LOGIN msg=audit(1414715857.310:111): user pid=5830 uid=0 auid=0 ses=1 
msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? 
addr= terminal=ssh res=failed'
type=USER_AUTH msg=audit(1414715859.211:112): user pid=5830 uid=0 auid=0 ses=1 
msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname= addr= terminal=ssh res=failed'
type=USER_AUTH msg=audit(1414715859.212:113): user pid=5830 uid=0 auid=0 ses=1 
msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" 
hostname=? addr= terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1414715862.076:114): user pid=5830 uid=0 auid=0 
ses=1 msg='op=destroy kind=session fp=? direction=both spid=5831 suid=74 
rport=44361 laddr= lport=22  exe="/usr/sbin/sshd" hostname=? 
addr= terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1414715862.078:115): user pid=5830 uid=0 auid=0 
ses=1 msg='op=destroy kind=server 
fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5830 suid=0 
 exe="/usr/sbin/sshd" hostname=? addr= terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1414715862.079:116): user pid=5830 uid=0 auid=0 
ses=1 msg='op=destroy kind=server 
fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5830 suid=0 
 exe="/usr/sbin/sshd" hostname=? addr= terminal=? res=success'
type=USER_LOGIN msg=audit(1414715862.079:117): user pid=5830 uid=0 auid=0 ses=1 
msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? 
addr= terminal=ssh res=failed'

The /var/log/sssd/sssd_.log logs show the following

==> /var/log/sssd/sssd_.log <==
(Fri Oct 31 12:13:39 2014) [sssd[be[]]] [sbus_dispatch] 
(0x4000): dbus conn: 0x16699b0
(Fri Oct 31 12:13:39 2014) [sssd[be[]]] [sbus_dispatch] 
(0x400

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-04 Thread David Taylor
Thanks for the reply. The PAM file is pretty stock for a centos build

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


Best regards
David Taylor


-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com] 
Sent: Friday, 31 October 2014 7:35 PM
To: David Taylor
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6


> On 31 Oct 2014, at 02:23, David Taylor  wrote:
> 
> I just recently updated one of our test servers from CentOS 6.5 to CentOS 
> 6.6, after which I noticed that IPA logons were no longer available. From 
> what I can see the upgrade includes quite a few changes with regard to sssd.
>  
> -  NTP is up and synced on the Auth servers and the client.
> -  DNS is working to the IPA servers
> -  I can do a kinit for users with no problem
> -  I have uninstalled the ipa client, deleted the host profile on the 
> IPA server and one a rejoin. The rejoin worked but the problem is the same.
>  
> Software versions using 
> -  rpm -qa | grep -i ipa
> -  rpm -qa | grep -i sssd
>  
> Software versions before:
> libipa_hbac-1.9.2-129.el6_5.4.x86_64
> device-mapper-multipath-0.4.9-72.el6_5.4.x86_64
> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
> ipa-python-3.0.0-37.el6.x86_64
> ipa-client-3.0.0-37.el6.x86_64
> device-mapper-multipath-libs-0.4.9-72.el6_5.4.x86_64
> sssd-1.9.2-129.el6_5.4.x86_64
> sssd-client-1.9.2-129.el6_5.4.x86_64
>  
> Software version after:
> sssd-ipa-1.11.6-30.el6.x86_64
> libipa_hbac-1.11.6-30.el6.x86_64
> device-mapper-multipath-libs-0.4.9-80.el6.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64
> libipa_hbac-python-1.11.6-30.el6.x86_64
> ipa-python-3.0.0-42.el6.centos.x86_64
> device-mapper-multipath-0.4.9-80.el6.x86_64
> sssd-ldap-1.11.6-30.el6.x86_64
> sssd-ad-1.11.6-30.el6.x86_64
> python-sssdconfig-1.11.6-30.el6.noarch
> sssd-client-1.11.6-30.el6.x86_64
> sssd-krb5-common-1.11.6-30.el6.x86_64
> sssd-ipa-1.11.6-30.el6.x86_64
> sssd-common-1.11.6-30.el6.x86_64
> sssd-proxy-1.11.6-30.el6.x86_64
> sssd-common-pac-1.11.6-30.el6.x86_64
> sssd-krb5-1.11.6-30.el6.x86_64
> sssd-1.11.6-30.el6.x86_64
> The /var/log/secure logs show the following
>  
> Oct 31 10:38:30 test01 sshd[2790]: Invalid user dtaylor from 
> Oct 31 10:38:30 test01 sshd[2791]: input_userauth_request: invalid user dtaylor
> Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): check pass; user unknown
> Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=
> Oct 31 10:38:30 test01 sshd[2790]: pam_succeed_if(sshd:auth): error retrieving 
> information about user dtaylor
>  

Do you also see pam_sss being mentioned in your /var/log/secure at all? 
Can you paste your PAM configuration? It’s expected that pam_unix fails to find 
the IPA user, but I would also expect the PAM stack to ask pam_sss next...

> The /var/log/audit/audit.log logs show the following
>  
> type=CRYPTO_KEY_USER msg=audit(1414715857.270:107): user pid=5831 uid=0 
> auid=0 ses=1 msg='op=destroy kind=server 
> fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5831 
> suid=0  exe="/usr/sbin/sshd" hostname=? addr= terminal=? 
> res=success'
> type=CRYPTO_KEY_USER msg=audit(1414715857.270:108): user pid=5831 uid=0 
> auid=0 ses=1 msg='op=destroy kind=server 
> fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5831 
> suid=0  exe="/usr/sbin/sshd" hostname=? addr= terminal=? 
> res=success'
> type=CRYPTO_SESSION msg=audit(1414715857.272:109): user pid=5830 uid=0 auid=0 
> ses=1 msg='op=start direction=from-client cipher=aes256

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-06 Thread David Taylor
As an add on, I’ve upgraded our Xen template to 6.6 and run up a new VM using 
that and it attaches to the IPA environment perfectly well, so I’m guessing it 
is an issue with the upgrade scripts.


Best regards
David Taylor

From: Michael Lasevich [mailto:mlasev...@gmail.com]
Sent: Friday, 7 November 2014 4:00 PM
To: Jakub Hrozek
Cc: David Taylor; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11 
(centos 6.5 to 6.6)

I seem to be able to log in via ssh, but when I use http pam service, I get 
inconsistent behavior - seems like sometimes it works and others it errors out 
(success and failure can happen within a second)

In the logs I see things like:

[sssd[krb5_child[15410]]]: Internal credentials cache error
and
authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=username
received for user username: 4 (System error)
Nothing in the audit.log that I can see
I am guessing this is an sssd issue but I am hoping someone here knows how to 
deal with it.
In case it matters - here is the pam config:
auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_sss.so
-M

On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek wrote:
On Wed, Nov 05, 2014 at 02:30:55AM +, David Taylor wrote:
> Thanks for the reply. The PAM file is pretty stock for a centos build
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
>
>
> Best regards
> David Taylor
OK, so pam_sss is there ...

And yet you see no mention of pam_sss.so in /var/log/secure ?

Is this the file that was included from the service-specific PAM
configuration?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA-Server v3.0 Replication Broken

2015-01-29 Thread David Kupka

On 01/29/2015 02:43 PM, Auerbach, Steven wrote:

We have a pair of IPA Servers for our network. Our servers  are Oracle Linux 6 
x86_64 with the ipa-server.3.0.X packages [up to date as distributed by Oracle 
Linux].

Recently we noticed that the master (IPA01) is replicating fine to the 
designated replicant. But changes that are made on the replicant do not get 
back to the master.

This is true when ipa-clients register (if the registration script grabs the 
replicant for registration then the host enrollment and DNS will not make it 
back to the master).
This is true when users make a password change. If the password process grabs 
the master then replication to the replicant is fine, but if the change process 
grabs the replicant it will not make it back to the master. Then the user login 
is broken.
This is true when, in the IPA Admin Web Interface we delete a host entry or DNS 
record. If done on the master the change replicates to the replicant. If the 
change is made on the replicant it does not make it to the master.

We have not found anything in the documentation that helps us understand where 
to proceed or what to do to diagnose the replication problem. We have tried 
removing the replicant from the IPA server configuration and powering off the 
box, creating a new server and reconstructing a new replica on that new server. 
The problem persists. We suspect the issue lies in some configuration somewhere 
on the master, but know not where to go next.

Anyone have a similar experience and overcome it? We will take any advice we 
can get!

With appreciation and respect;

Steven Auerbach
Systems Administrator
State University System of Florida
Board of Governors
325 West Gaines Street
Tallahassee, Florida 32399
(850) 245-9592 | Fax (850) 245-0419
www.flbog.edu

Hi,
this looks similar to: 
https://www.redhat.com/archives/freeipa-users/2015-January/msg00331.html 
and https://fedorahosted.org/freeipa/ticket/4807


Did you try to raise the nsslapd-sasl-max-buffer-size?

--
David Kupka



[Freeipa-users] ipa group-add mixed case?

2015-02-10 Thread David Dejaeghere
Hi,

I recently deployed FreeIPA but I stumbled upon a problem with migrating my
groups. The groups in our old system are mixed case, such as MyGroup. The
application that syncs these groups is case sensitive.  The problem is that
when I create these groups using the webgui or the ipa admin tool they get
created using lowercase.  I was wondering if there is a way around this?
Even perhaps changing a small part in the code. I tried looking into the
code of the ipa admin tool but could not find the part that changes the
group name to lowercase. Any tips or help?

Kind Regards,

David

Re: [Freeipa-users] chrony support

2015-02-13 Thread David Kupka

Hello Bryan,
I'm currently working on this. This feature should be available in 
freeipa-4.2.


--
David Kupka

On 02/13/2015 01:25 PM, Bryan Pearson wrote:

One of our IPA servers is in a virtualized environment and is continuously
losing time, resulting in invalid credentials and breaking replication.

We are interested in using chrony instead of ntpd; will ipa start up and
use chrony instead of ntp?

Bryan







[Freeipa-users] Typo on Troubleshooting page

2015-02-16 Thread David Little
Hi there,

There's a typo here -> http://www.freeipa.org/page/Troubleshooting

The word "error" is spelled incorrectly in this sentence:

"If changes done on one FreeIPA master are not replicated to another
master, always verify errros log on both master and replica."


Thanks,
Dave

[Freeipa-users] question about Active Directory authentication

2015-02-17 Thread David Fitzgerald
Hello,

I am currently running an IPA 3.3 server on Centos 7.  I have 70 IPA client 
machines running Scientific Linux 6.6 and 150 users.  User directories are 
auto-mounted from a Centos 7 file server.

I have been informed that all computer users on our campus must now 
authenticate off of the University's Active Directory server, including all 
Linux machines.  I have been looking through the IPA documentation and am 
getting myself confused and not completely understanding what needs to be done, 
thus I have some questions.


1.   The docs talk about setting up a trust between the IPA server and the 
AD server.  Will I need to change all of the IPA clients as well as the IPA 
server, or do I only need change the server and not have to touch the clients?



2.   Do I even need to set up a full trust relationship just to 
authenticate my users with AD?


3.   Since I already have 150 users, will I have to delete their IPA 
accounts before setting up the trust?  W

Sorry if my questions are a bit basic, but I need some guidance to get me 
started.

Thanks!

Dave



++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551

Phone:  717-871-2394
E-Mail:  david.fitzger...@millersville.edu


Re: [Freeipa-users] question about Active Directory authentication

2015-02-19 Thread David Fitzgerald
Thanks for all the info. I think I will go the trust route with IPA 4.1 and see 
what happens (in a test environment first of course.)

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones
Sent: Tuesday, February 17, 2015 6:25 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication


Ok,



So with winsync I will have the 2000+ users in IPA.



Within IPA I have several high risk/impact groups of servers and many low.



For the low risk/impact servers and most desktops they can trust what AD tells 
them.  For the high risk/impact servers/applications we do not want to rely on 
AD for any authorisation so permissions for these will be isolated from AD 
inside IPA.  The idea is if we lose AD or IPA we should not lose both via any 
cross-linking.



regards

Steven


From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on
behalf of Dmitri Pal <d...@redhat.com>
Sent: Wednesday, 18 February 2015 11:51 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication

On 02/17/2015 05:21 PM, Steven Jones wrote:





***maybe***



c) You might be able to do both winsync and trusts at the same time then that 
is simpler provisioning. ie a user gets created in AD and automatically gets 
created in IPA ready for you to put in the user group you want.

I am not sure this is the best solution really.
Trust and sync do not help each other. The fact that you have trust does not 
help you to provision users the way you describe.


8><--

They achieve different things.   How otherwise do I get 2000+ AD users into 
IPA?   To me winsync allows automated provisioning of users into IPA via AD, 
this greatly reduces manual effort.

That I get. I do not understand how trust helps you in this case.










--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.

Re: [Freeipa-users] Adding external CA

2015-03-12 Thread David Kupka

On 03/12/2015 10:37 AM, crony wrote:

Hi FreeIPA Users,
I have a fresh new FreeIPA 4.1 on RHEL7.1 with a self-signed CA and I would
like to change the self-signed CA to an external CA.

Do you have any step by step document to do it correctly on the 4.1 version?

/lm





Hello!

I'm not aware of this being documented but fortunately this can be done 
in 3 easy steps:


1. # ipa-cacert-manage renew --external-ca
2. Let the CA of your choice sign the CRL produced in step 1.
3. # ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate


--
David Kupka



Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread David Guertin

On 03/17/2015 08:30 PM, Gould, Joshua wrote:

It looks like the range for your AD domain defined in "ipa idrange-find
--all" needs to match what's in for your domain in /etc/sssd/sssd.conf.

For your example, under [domain/CSNS.MIDDLEBURY.EDU] you should have

ldap_idmap_range_min = 182460
ldap_idmap_range_size = 200

Setting these two identically let me resolve AD IDs with the id command.
Hopefully this works for you too.

Bingo! Thank you! That was indeed the solution. I needed to set the ID 
range in both places, and now users can log in.


David Guertin



Re: [Freeipa-users] FreeIPA and Windows

2015-11-10 Thread David Kreitschmann
If you use the MSLSA credential cache, MIT Kerberos works:
kinit -c MSLSA: user@REALM

Not sure about the MIT ticket manager.




On 11.11.2015 at 01:54, Loris Santamaria wrote:
>
>
> On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote:
>> Yes they are in the same DNS domain as the IPAserver.  I am able to
>> resolve the server address.  Which side would you like more information
>> on, the server side or the client side?  We are not running any AD
>> domains, so this is not a Windows based system.  We are running FreeIPA
>> 4.2+ on RHEL 7.1 using the stock Samba from RHEL.  On the client side I
>> am running Windows 10 and I have installed MIT Kerberos version 4.01.
>> In the MIT ticket manager I show a tgt and it works as it should.  But
>> from the command prompt in windows if I do a klist it reports:
>>
>> Current LogonId is 0:0x6320a
>>
>> Cached Tickets: (0)
>>
>> So even though MIT Kerberos shows a successful negotiation with IPA and
>> a ticket is received, windows reports back the above when a klist is
>> run.
>
> I think that is the problem, you shouldn't use MIT kerberos.
>
> The commands listed on the howto:
>
> 1. ksetup /setdomain [REALM NAME]
> 2. ksetup /addkdc [REALM NAME] [kdc DNS name]
> 3. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
> 4. ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
> 5. ksetup /mapuser * *
>
> are meant to be run with the windows native ksetup command. The native
> windows kerberos libraries cannot see tickets obtained with MIT
> kerberos.
>
> Best regards
>
>
>> What I am trying to do is get the two to talk to each other, but I
>> have not had any success as of yet.  I have edited the krb5.ini with
>> the correct information, and rebooted the machine multiple times with
>> no change.  Any help here would be really appreciated, we are taking
>> this system live over the weekend and would really love to have this
>> part fixed.
>>
>> Randy
>>
>> Randy Morgan
>> CSR
>> Department of Chemistry and Biochemistry
>> Brigham Young University
>> 801-422-4100
>>
>> On 11/10/2015 3:50 PM, Loris Santamaria wrote:
>>> On Tue, 10-11-2015 at 11:51 -0700, Randolph Morgan wrote:
>>>> Ok, that makes sense, but could we not just create the host in the IPA
>>>> UI as part of the DNS?
>>> That isn't enough, the dns object just maps to an ip address, you have
>>> to create a "host" object with ipa host-add, that object is needed to
>>> store kerberos principal and password for the host.
>>>
>>>> Also we seem to be having some difficulty with another part of the
>>>> process, that is getting the Windows machines to even acknowledge that
>>>> they have the ability to talk with the kdc.  Following the commands
>>>> yields only that the windows machine is unable to locate the kdc, are
>>>> we missing something?  Is this one of the issues related to different
>>>> versions of Kerberos, e.g. MIT vs Heimdal.
>>> You should check for dns inconsistencies first, are the windows
>>> machines in the same dns domain as windows? Can they solve the
>>> addresses of the ipa servers? If that doesn't help you should post more
>>> details of your setup...
>>>
>>> Best regards
>>>
>>>
>>>> On 11/10/2015 11:32 AM, Loris Santamaria wrote:
>>>>> On Tue, 10-11-2015 at 11:18 -0700, Randolph Morgan wrote:
>>>>>> I am certain that everyone gets tired of answering the same questions
>>>>>> over and over, so maybe an update to the documentation would be
>>>>>> better.
>>>>>> I am trying to get my Windows machines to authenticate against a
>>>>>> FreeIPA server running IPA 4.2+ on RHEL 7.  I have followed the
>>>>>> documentation listed on
>>>>>> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA,
>>>>>> but there seems to be a few steps missing.
>>>>>>
>>>>>> In the Configure FreeIPA you are told to create a keytab for the
>>>>>> Windows machine in question.  After creating the keytab, what do you
>>>>>> do with it?  It jumps from creating the keytab to configuring Windows
>>>>>> but does not say what to do with the keytab and the instructions never
>>>>>> reference it again.  Would someone please clarify this and is this
>>>>>> something we would need to do for each and every Windows machine on
>>>>>> our network?
>>>>> Note that the ipa-getkeytab command is called with the -P option, so it
>>>>> asks for a password: that password is used as a password for the
>>>>> machine principal and is stored in the directory.
>>>>>
>>>>> So no, the keytab is not really used anywhere else and can be deleted.
>>>>> It is the act of generating (with a known password) it that needs to be
>>>>> done for

[Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2015-12-22 Thread David Goudet
Hi,

I have a multimaster replication environment. On each replica, the folder 
/var/lib/dirsrv/slapd-/cldb/ is large (~3 GB) and old entries in 
/var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 are three months old:

sudo dbscan -f /var/lib/dirsrv/slapd-/cldb/ef155b03-dda611e2-a156db20-90xxx06_51c9aed900xx000.db4 | less
dbid: 56239e5e0004
replgen: 1445174777 Sun Oct 18 15:26:17 2015
csn: 56239e5e0004
uniqueid: e55d5e01-26f211e4-9b60db20-90c3b706
dn: 
operation: modify
krbLastSuccessfulAuth: 20151018132617Z
modifiersname: cn=Directory Manager
modifytimestamp: 20151018132617Z
entryusn: 68030946

My questions are:

a) How to purge old entries in file /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4? 
(what is the procedure)
b) What is the right configuration to limit increase of this file?



This topic has already been discussed on 
https://www.redhat.com/archives/freeipa-users/2013-February/msg00433.html and 
https://www.redhat.com/archives/freeipa-users/2015-April/msg00573.html but no 
response works for me.
The response here seems not to be applicable: 
https://bugzilla.redhat.com/show_bug.cgi?id=1181341 (CentOS 7, Fixed In 
Version: 389-ds-base-1.3.4.0-1.el7)

I used some attributes from the documentation: 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnchangelog5-nsslapd_changelogdir.
Old entries are not purged and the file increases even after restarting the 
service (service dirsrv start and service dirsrv stop).

(These are test environment values)
dn: cn=changelog5,cn=config
objectClass: top
objectClass: extensibleobject
cn: changelog5
...
nsslapd-changelogmaxentries: 100
nsslapd-changelogmaxage: 4m

dn: cn=replica,cn=x,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=x
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 6
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/xx
 .LYRA,cn=services,cn=accounts,dc=x
nsState:: x
nsDS5ReplicaName: d9663d08-a80f11e5-aa48d241-0b88f012
nsds5ReplicaTombstonePurgeInterval: 200
nsds5ReplicaPurgeDelay: 200
nsds5ReplicaChangeCount: 3091
nsds5replicareapactive: 0

Here is some information about my environment: 
CentOS release 6.5 (Final)
389-ds-base-libs-1.2.11.15-65.el6_7.x86_64
389-ds-base-1.2.11.15-65.el6_7.x86_64
ipa-client-3.0.0-47.el6.centos.1.x86_64
ipa-server-3.0.0-47.el6.centos.1.x86_64

Thanks for your help!

David



Re: [Freeipa-users] GID, groups and ipa group-show

2016-01-14 Thread David Kupka

On 14/01/16 22:09, Rob Crittenden wrote:

Prasun Gera wrote:

This is an old thread, but I can confirm that this is still an issue on
RHEL 7.2 + 4.2. This creates problems when there are roles associated
with groups, but group membership through GID is broken. I had migrated
all old NIS accounts into ipa. I then added the host enrollment role to
a particular group. Now, unless I add the users to the group explicitly,
they won't get the role, even if their gid is the same as the gid of the
group.


The user GIDNumber just sets the default group for POSIX. If you do
groups on the user I'll bet it shows correctly.

For the purposes of IPA access control, as you've seen, the user must
have a memberOf for a given group, either directly or indirectly.

rob



Exactly, but the question is, shouldn't IPA add this membership 
automatically? (Of course, only in case IPA has group with this GID.)


David


On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dku...@redhat.com> wrote:

 On 21/08/15 15:21, bahan w wrote:

 Hello !

 I contact you because I notice something strange with IPA
 environment.

 I created a group :
 ipa group-add g1 --desc="my first group"

 Then I created a user with the GID of g1
 GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'`
 ipa user-add --first=u1 --last=u1 --homedir=/home/u1 --shell=/bin/bash --gidnumber=${GID1} u1

 Then when I perform ipa group-show g1 command, I got the
 following result :
 ###
Group name: g1
Description: my first group
GID: 
 ###

 Same for ipa user-show u1 :
 ###
User login: u1
First name: u1
Last name: u1
Home directory: /home/u1
Login shell: /bin/bash
Email address: u1@
UID: 
GID: 
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
 ###

 These 2 commands do not see u1 as a member of g1.
 When I try the command id u1, I can see the group :

 ###
 id u1
 uid=(u1) gid=(g1) groups=(g1)
 ###

 Is it the normal behaviour of these IPA commands ?

 Best regards.

 Bahan



 Hello!

 I'm not sure if this is intended and/or correct behavior or not.
 Looking at /etc/passwd and /etc/group I see it behaves similarly in
 a way.

 You can have following entries in the aforementioned files

 [/etc/group]
 ...
 g1:x::
 ...

 [/etc/passwd]
 ...
 u1:x/home/u1:/bin/bash
 ...

 Looking in /etc/group you can't see that user 'u1' is a member of group
 'g1' but tools like id, groups, getent show this information.

 On the other hand it would be useful to show these "implicit"
 members in group-show output.
 Could you please file a ticket
 (https://fedorahosted.org/freeipa/newticket)?

 --
 David Kupka










--
David Kupka



Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread David Kupka

On 25/01/16 12:08, Zeal Vora wrote:

Thanks Petr.

So if the domain is example.com, in DNS, what would be the IP associated
with it ?

As there are 2 master servers, each of them will have different IP address.

On Mon, Jan 25, 2016 at 4:34 PM, Petr Spacek  wrote:


On 25.1.2016 10:47, Zeal Vora wrote:

Hi

I have setup a multi-master IPA and it seems to be working fine.

The clients ( laptops and servers ) are not using the DNS of IPA.

I was wondering, while configuring ipa-client, which server do I

reference

to when it asks the ipa-server hostname ?

Both the master server has different hostnames.

master1.example.com  ( Master 1 )
master2.example.com  ( Master 2 )


Specify only the --domain option and do not use the --server option at all. It
will enable server auto-detection using DNS SRV records and you will not need
to worry about adding/removing servers because all clients will automatically
pick the new list up.

--
Petr^2 Spacek








The '--domain' parameter is used by the client installer to form the DNS 
request. The request that is sent is the same as the one sent by this command:
dig -t SRV _ldap._tcp.

It then receives a list of records similar to this one:
100 0 389 
100 0 389 

The installer then goes through the list and checks if each one is really a 
FreeIPA server, and the first one that passes is used. When an IP address is 
needed it can be resolved from the name included in the SRV response.


HTH,
--
David Kupka

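The discovery David describes, as an added example that is not part of the thread or of ipa-client-install: parse the _ldap._tcp SRV answer, order the targets by priority and weight (RFC 2782), and take the first one that passes a "really a FreeIPA server" probe. The dig answer, the example.com hostnames and the probe callback are constructed.

```python
# Added example (not part of the thread): how a client discovers FreeIPA
# servers from the _ldap._tcp SRV records that ipa-client-install queries
# when only --domain is given. The dig answer section is constructed, and
# the "is this really a FreeIPA server" probe is a constructed callback.
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_query_name(domain):
    """Owner name the installer queries, as in: dig -t SRV _ldap._tcp.<domain>"""
    return "_ldap._tcp." + domain.rstrip(".")


# Constructed answer section in dig's presentation format:
# owner ttl class type priority weight port target
CONSTRUCTED_DIG_ANSWER = """\
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 master1.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 master2.example.com.
_ldap._tcp.example.com. 86400 IN SRV 10 50 389 backup.example.com.
"""

_SRV_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(text):
    """Parse SRV lines from a dig answer section; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _SRV_LINE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append(SrvRecord(int(prio), int(weight), int(port),
                                     target.rstrip(".").lower()))
    return records


def _weighted_order(group, rng):
    """RFC 2782 selection within one priority: weight-0 records go first in
    the candidate list, then records are drawn with probability proportional
    to weight until none are left."""
    remaining = [r for r in group if r.weight == 0] + [r for r in group if r.weight > 0]
    ordered = []
    while remaining:
        total = sum(r.weight for r in remaining)
        pick = rng.randint(0, total)
        running = 0
        for rec in remaining:
            running += rec.weight
            if running >= pick:
                chosen = rec
                break
        ordered.append(chosen)
        remaining.remove(chosen)
    return ordered


def order_targets(records, seed=None):
    """Return target hostnames in the order a client should try them:
    lowest priority number first, weighted-random within equal priority."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        ordered.extend(r.target for r in _weighted_order(group, rng))
    return ordered


def pick_server(records, is_ipa_server, seed=None):
    """Walk the ordered candidates and return the first one that passes the
    probe (the installer checks each host really is a FreeIPA server before
    settling on it). Returns None when no candidate passes."""
    for host in order_targets(records, seed):
        if is_ipa_server(host):
            return host
    return None


if __name__ == "__main__":
    recs = parse_srv(CONSTRUCTED_DIG_ANSWER)
    # Constructed probe: pretend master1 answers DNS but is not a FreeIPA server.
    probe = lambda host: host in {"master2.example.com", "backup.example.com"}
    print(srv_query_name("example.com"), "->", [r.target for r in recs])
    print("chosen:", pick_server(recs, probe, seed=42))
```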


[Freeipa-users] Client-Install failures

2016-01-26 Thread David Zabner
Hi All,
I am working on automated deployment of ipa clients through a program called 
salt and have been seeing an issue.
Specifically, calls to ipa.server.internal/ipa/json occasionally return a 500 
error. This tends to occur while using ipa-client-install and ipa-dns commands.

I am on free-ipa v 4.2.0 running on Centos 7 and will include the offending 
httpd error log.
Thanks for your help,
David




Re: [Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2016-01-27 Thread David Goudet
Hi,

> Hi,
>
> On 12/22/2015 11:43 AM, David Goudet wrote:
>
>> Hi,
>>
>> I have a multimaster replication environment. On each replica, the folder
>> /var/lib/dirsrv/slapd-/cldb/ is large (~3 GB) and old entries in
>> /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 are three months old:
>>
>> sudo dbscan -f /var/lib/dirsrv/slapd-/cldb/ef155b03-dda611e2-a156db20-90xxx06_51c9aed900xx000.db4 | less
>> dbid: 56239e5e0004
>> replgen: 1445174777 Sun Oct 18 15:26:17 2015
>> csn: 56239e5e0004
>> uniqueid: e55d5e01-26f211e4-9b60db20-90c3b706
>> dn:
>> operation: modify
>> krbLastSuccessfulAuth: 20151018132617Z
>> modifiersname: cn=Directory Manager
>> modifytimestamp: 20151018132617Z
>> entryusn: 68030946
>>
>> My questions are:
>>
>> a) How to purge old entries in file /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4? (what is the procedure)
>> b) What is the right configuration to limit increase of this file?

> Setting changelog maxage should be sufficient to trim changes, but the age is
> not the only condition deciding if a record in the changelog can be deleted:
> - for each replicaID the last record will never be deleted, independent of
>   its age, so if you have replicas in your topology which are not (or not
>   frequently) updated directly there will be old changes in the changelog
> - if the replica where the trimming is run has replication agreements to
>   other replicas, changes which were not yet replicated to the other replica
>   will not be purged. So, if you have some stale agreements to other replicas
>   this could prevent trimming as well.
>
> Also trimming removes changelog records and frees space internally in the db4
> file to be reused, but it will not shrink the file size.

Thank you for your response. I agree with you; to identify where the problem is 
I enabled the error logs: nsslapd-errorlog-level: 8192

And I found these errors:

[23/Dec/2015:09:46:40 +0100] agmt="cn=meTo" (ds01:389) - load=1 rec=69 csn=567a5a4300010004
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: Sending modify operation (dn="fqdn=xxx.xxx.xxx,cn=computers,cn=accounts,dc=xxx,dc=xxx" csn=567a5a4300010004)
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: modifys operation (dn="fqdn=pad01.xxx.xxx.xxx,cn=computers,cn=accounts,dc=xxx,dc=xxx" csn=567a5a4300010004) not sent - empty
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: Consumer successfully sent operation with csn 567a5a4300010004
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): Skipping update operation with no message_id (uniqueid 25791707-b72211e2-a156db20-90c3b706, CSN 567a5a4300010004):
...
[23/Dec/2015:09:46:40 +0100] agmt="cn=meTo" (ds01:389) - load=1 rec=72 csn=567a5a440004
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: Sending modify operation (dn="fqdn=xxxx.xxx.xxx,cn=computers,cn=accounts,dc=xxx,dc=xxx" csn=567a5a440004)
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: modifys operation (dn="fqdn=xxx,cn=computers,cn=accounts,dc=xxx,dc=xxx" csn=567a5a440004) not sent - empty
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: Consumer successfully sent operation with csn 567a5a440004
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): Skipping update operation with no message_id (uniqueid 7cfafb01-7fc711e4-974fdb20-90c3b706, CSN 567a5a440004):

Replication between the two master/master IPA server seems to work well, but we 
can see many skipped requests:

repl-monitor -r -c xxx -w

Enter password for (:):

Time Lag Legend: within 5 min / within 60 min / over 60 min / server n/a

Master: :389
  Replica ID: 3
  Replica Root: dc=,dc=xxx
  Max CSN: 56a8ad1400020003 (01/27/2016 12:42:12 2 0)

  Receiver:         xxx:389 (Type: master)
  Time Lag:         - 0:44:30
  Max CSN:          56a8a2a600010003 (01/27/2016 11:57:42 1 0)
  Last Modify Time: 1/27/2016 11:56:01
  Supplier:         :389
  Sent/Skipped:     3429 / 4188985195
  Update Status:    0 Replica
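A small model of the three trimming rules quoted in this message (maxage, the last change per replica ID is never removed, changes not yet sent to a consumer are kept), added here as an example; it is not 389-ds code, the changes, the agreement's last-sent CSN and the clock are constructed, and the CSN format is simplified.

```python
# Added example (not 389-ds code and not from the thread): a small model of
# the changelog trimming rules described in the reply above. Changes,
# agreement state and the clock are constructed; CSNs are built in a
# simplified 389-ds style (hex timestamp, sequence, replica id) so that
# string order follows time order.
from dataclasses import dataclass

NOW = 1451000000          # constructed "current time", late December 2015
DAY = 86400


@dataclass(frozen=True)
class Change:
    csn: str
    replica_id: int
    timestamp: int        # seconds since the epoch, constructed


@dataclass(frozen=True)
class Agreement:
    consumer: str
    last_sent_csn: str    # highest CSN this consumer has already received


def make_csn(timestamp, seq, replica_id):
    """Simplified CSN: 8 hex digits of time, 4 of sequence, 4 of replica id."""
    return "%08x%04x%04x" % (timestamp, seq, replica_id)


def parse_maxage(value):
    """Parse an nsslapd-changelogmaxage value such as '4m' or '30d' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": DAY, "w": 7 * DAY}
    value = value.strip().lower()
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)     # bare number: seconds


def trim_plan(changes, agreements, maxage, now):
    """Map each CSN to the reason it is kept, or None if it may be trimmed."""
    maxage_seconds = parse_maxage(maxage)
    # Rule 2 needs the newest change per replica id.
    newest = {}
    for c in changes:
        if c.replica_id not in newest or c.csn > newest[c.replica_id].csn:
            newest[c.replica_id] = c
    plan = {}
    for c in changes:
        if now - c.timestamp <= maxage_seconds:          # rule 1: age
            plan[c.csn] = "younger than maxage"
        elif newest[c.replica_id].csn == c.csn:            # rule 2: last per replica
            plan[c.csn] = "last change from replica %d is never trimmed" % c.replica_id
        else:                                              # rule 3: pending consumers
            pending = [a.consumer for a in agreements if c.csn > a.last_sent_csn]
            plan[c.csn] = ("not yet replicated to " + ", ".join(pending)) if pending else None
    return plan


# Constructed changelog: replica 4 is updated often, replica 6 only once,
# replica 3 twice, and the agreement to ds01 lags 60 days behind (stale).
CONSTRUCTED_CHANGES = [
    Change(make_csn(NOW - 90 * DAY, 1, 4), 4, NOW - 90 * DAY),
    Change(make_csn(NOW - 80 * DAY, 1, 6), 6, NOW - 80 * DAY),
    Change(make_csn(NOW - 60 * DAY, 1, 4), 4, NOW - 60 * DAY),
    Change(make_csn(NOW - 50 * DAY, 1, 3), 3, NOW - 50 * DAY),
    Change(make_csn(NOW - 40 * DAY, 1, 3), 3, NOW - 40 * DAY),
    Change(make_csn(NOW - 100, 1, 4), 4, NOW - 100),
]
CONSTRUCTED_AGREEMENTS = [Agreement("ds01", make_csn(NOW - 60 * DAY, 1, 4))]


def trimmable(changes=CONSTRUCTED_CHANGES, agreements=CONSTRUCTED_AGREEMENTS,
              maxage="4m", now=NOW):
    """CSNs that the rules allow trimming, in CSN order."""
    plan = trim_plan(changes, agreements, maxage, now)
    return sorted(csn for csn, reason in plan.items() if reason is None)


if __name__ == "__main__":
    plan = trim_plan(CONSTRUCTED_CHANGES, CONSTRUCTED_AGREEMENTS, "4m", NOW)
    for csn, reason in sorted(plan.items()):
        print(csn, reason or "TRIM")
```

With maxage 4m only two of the six records are trimmable; the stale agreement and the single-change replicas keep the rest, which is why a changelog can stay months old despite a short maxage.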

Re: [Freeipa-users] Client-Install failures

2016-01-28 Thread David Zabner
Any guess as to what it would be then? 
The location that is “missing a file” is specified by the gssapi config in 
/etc/httpd/conf.d/ipa.conf. So I assumed that this would be a mod_gssapi 
failure…


Thanks for your help,
David
> On Jan 28, 2016, at 5:55 AM, Simo Sorce  wrote:
> 
> Doesn't look related to mod_auth_gssapi, it's past it.
> 
> - Original Message -
>> From: "Martin Kosek" 
>> To: "David Zabner" , freeipa-users@redhat.com, "Simo 
>> Sorce" 
>> Sent: Thursday, January 28, 2016 4:42:57 AM
>> Subject: Re: [Freeipa-users] Client-Install failures
>> 
>> On 01/26/2016 10:20 PM, David Zabner wrote:
>>> Hi All,
>>> I am working on automated deployment of ipa clients through a program
>>> called salt and have been seeing an issue.
>>> Specifically, calls to ipa.server.internal/ipa/json occasionally return a
>>> 500 error. This tends to occur while using ipa-client-install and ipa-dns
>>> commands.
>>> 
>>> I am on free-ipa v 4.2.0 running on Centos 7 and will include the offending
>>> httpd error log.
>>> Thanks for your help,
>>> David
>> 
>> CCing Simo, I wonder if this error could be some problem caused by
>> mod_auth_gssapi?
>> 
>> [Tue Jan 26 20:28:00.456181 2016] [:error] [pid 9535] [remote 10.11.135.180:220] mod_wsgi (pid=9535): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>> [Tue Jan 26 20:28:00.456211 2016] [:error] [pid 9535] [remote 10.11.135.180:220] Traceback (most recent call last):
>> [Tue Jan 26 20:28:00.456223 2016] [:error] [pid 9535] [remote 10.11.135.180:220]   File "/usr/share/ipa/wsgi.py", line 49, in application
>> [Tue Jan 26 20:28:00.456245 2016] [:error] [pid 9535] [remote 10.11.135.180:220]     return api.Backend.wsgi_dispatch(environ, start_response)
>> [Tue Jan 26 20:28:00.456251 2016] [:error] [pid 9535] [remote 10.11.135.180:220]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 258, in __call__
>> [Tue Jan 26 20:28:00.456263 2016] [:error] [pid 9535] [remote 10.11.135.180:220]     return self.route(environ, start_response)
>> [Tue Jan 26 20:28:00.456268 2016] [:error] [pid 9535] [remote 10.11.135.180:220]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 270, in route
>> [Tue Jan 26 20:28:00.456276 2016] [:error] [pid 9535] [remote 10.11.135.180:220]     return app(environ, start_response)
>> [Tue Jan 26 20:28:00.456281 2016] [:error] [pid 9535] [remote 10.11.135.180:220]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 447, in __call__
>> [Tue Jan 26 20:28:00.456288 2016] [:error] [pid 9535] [remote 10.11.135.180:220]     response = super(jsonserver, self).__call__(environ, start_response)
>> [Tue Jan 26 20:28:00.456293 2016] [:error] [pid 9535] [remote 10.11.135.180:220]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 647, in __call__
>> [Tue Jan 26 20:28:00.456299 2016] [:error] [pid 9535] [remote 10.11.135.180:220]     'xmlserver', user_ccache, environ, start_response, headers)
>> [Tue Jan 26 20:28:00.456304 2016] [:error] [pid 9535] [remote 10.11.135.180:220]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 593, in finalize_kerberos_acquisition
>> [Tue Jan 26 20:28:00.456310 2016] [:error] [pid 9535] [remote 10.11.135.180:220]     session_data['ccache_data'] = load_ccache_data(ccache_name)
>> [Tue Jan 26 20:28:00.456315 2016] [:error] [pid 9535] [remote 10.11.135.180:220]   File "/usr/lib/python2.7/site-packages/ipalib/session.py", line 1231, in load_ccache_data
>> [Tue Jan 26 20:28:00.456330 2016] [:error] [pid 9535] [remote 10.11.135.180:220]     src = open(name)
>> [Tue Jan 26 20:28:00.456344 2016] [:error] [pid 9535] [remote 10.11.135.180:220] IOError: [Errno 2] No such file or directory: '/var/run/httpd/ipa/clientcaches/admin@FOO.INTERNAL'
>> 
>> Martin
>> 



Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-28 Thread David Zabner
This sounds exactly like the problem I am having. I will attach my error log. 
Is this what yours looks like?


error_log
Description: error_log
On Jan 28, 2016, at 1:10 PM, Izzo, Anthony wrote:

I’m seeing what feels like a concurrency error. I’m in a cloud environment and launching a group of instances which are all trying to join a domain at about the same time via ipa-client-install. Some of these operations succeed, and others fail. The error message on those that fail is that they failed to join the domain, and the HTTP response was 500 instead of 200. The Apache error_log file on the server shows a python stack trace (which unfortunately I can’t reproduce in its entirety here), which culminates in the complaint that a file (/var/run/httpd/ipa/clientcaches/@) was not found. What it seems like is that multiple attempts to join the domain from different hosts are stepping on one another. I’m wondering if I am trying to do something that is not supported, or if I have something misconfigured.

I’m tempted to catch the error and retry after a random interval (the output of the failing command indicates that it is rolling back to the initial state) – that would be the easiest thing. But if this is pointing to an underlying error on my part I’d rather fix it if possible.

Additional info in case it helps – I’m running RHEL7/FreeIPA4.2 on the servers (two in a replication agreement). I’m running RHEL6/FreeIPA3.0 on the clients (most recent attempt I tried to launch 7 instances, three of which failed).

Thanks.

Tony

Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-28 Thread David Zabner
I was guessing that it was a problem with mod_auth_gssapi and so I tried 
switching the auth method back to mod_auth_kerb which did not work. (although 
it is entirely possible that I did not switch it correctly)

I did it by changing the gssapi settings in /etc/httpd/conf.d/ipa.conf to:

  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $realm
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  KrbConstrainedDelegation on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html

It just seemed to cause other problems...

On Jan 28, 2016, at 1:44 PM, Izzo, Anthony <aizz...@harris.com> wrote:

I should add that some of my team members have tried serializing their instance 
launches, and this problem does not seem to occur under those circumstances.  
(That’s not a solution, just a data point for those interested in this 
behavior).  Thanks.


From: Izzo, Anthony (U.S. Person)
Sent: Thursday, January 28, 2016 1:35 PM
To: freeipa-users@redhat.com
Cc: 'David Zabner' <da...@cazena.com>
Subject: RE: [Freeipa-users] Server error with multiple clients joining domain 
simultaneously

Yes, that’s it!

From: David Zabner [mailto:da...@cazena.com]
Sent: Thursday, January 28, 2016 1:31 PM
To: Izzo, Anthony (U.S. Person) <aizz...@harris.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server error with multiple clients joining domain 
simultaneously

This sounds exactly like the problem I am having. I will attach my error log. 
Is this what yours looks like?


Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-29 Thread David Zabner
Any guesses as to why I couldn’t revert to using the mod_auth_kerb library? It 
seems like this is the only place where the library is referenced one way or 
the other…

Thanks for all your help.

> On Jan 29, 2016, at 6:35 AM, Petr Spacek  wrote:
> 
> Interesting, we have to investigate it!
> 
> Here is a ticket:
> https://fedorahosted.org/freeipa/ticket/5653
> 
> You can Cc yourself to it and watch the progress.
> 
> Petr^2 Spacek
> 
> On 28.1.2016 20:17, David Zabner wrote:
>> I was guessing that it was a problem with mod_auth_gssapi and so I tried 
>> switching the auth method back to mod_auth_kerb which did not work. 
>> (although it is entirely possible that I did not switch it correctly)
>> 
>> I did it by changing the gssapi settings in /etc/httpd/conf.d/ipa.conf to:
>> 
>>  AuthType Kerberos
>>  AuthName "Kerberos Login"
>>  KrbMethodNegotiate on
>>  KrbMethodK5Passwd off
>>  KrbServiceName HTTP
>>  KrbAuthRealms $realm
>>  Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>  KrbSaveCredentials on
>>  KrbConstrainedDelegation on
>>  Require valid-user
>>  ErrorDocument 401 /ipa/errors/unauthorized.html
>> 
>> It just seemed to cause other problems...
>> 
>> On Jan 28, 2016, at 1:44 PM, Izzo, Anthony <aizz...@harris.com> wrote:
>> 
>> I should add that some of my team members have tried serializing their 
>> instance launches, and this problem does not seem to occur under those 
>> circumstances.  (That’s not a solution, just a data point for those 
>> interested in this behavior).  Thanks.
>> 
>> 
>> From: Izzo, Anthony (U.S. Person)
>> Sent: Thursday, January 28, 2016 1:35 PM
>> To: freeipa-users@redhat.com
>> Cc: 'David Zabner' <da...@cazena.com>
>> Subject: RE: [Freeipa-users] Server error with multiple clients joining 
>> domain simultaneously
>> 
>> Yes, that’s it!
>> 
>> From: David Zabner [mailto:da...@cazena.com]
>> Sent: Thursday, January 28, 2016 1:31 PM
>> To: Izzo, Anthony (U.S. Person) <aizz...@harris.com>
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Server error with multiple clients joining 
>> domain simultaneously
>> 
>> This sounds exactly like the problem I am having. I will attach my error 
>> log. Is this what yours looks like?
>> 
>> 
>> 
> 
> 
> -- 
> Petr^2 Spacek
> 




Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-29 Thread David Zabner
: 
[jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(, None, idnsname=, structured=False, 
all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 17:08:47.120281 2016] [:error] [pid 11564] SSL Library Error: 
-12268 Cannot connect: SSL is disabled
[Fri Jan 29 17:08:47.801773 2016] [:error] [pid 11566] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'secgw.foo.internal', 
random=False, force=True, no_reverse=False, all=False, raw=False, 
version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 17:08:54.623020 2016] [:error] [pid 11563] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_find(u'test.foo.com', all=False, 
raw=False, version=u'2.156', no_members=False, pkey_only=False): SUCCESS
[Fri Jan 29 17:08:55.465319 2016] [:error] [pid 11562] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'test.foo.com', random=False, 
force=False, no_reverse=False, all=False, raw=False, version=u'2.156', 
no_members=False): SUCCESS
[Fri Jan 29 17:08:56.151143 2016] [:error] [pid 11565] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_find(u'test.foo.com', all=False, 
raw=False, version=u'2.156', no_members=False, pkey_only=False): SUCCESS
[Fri Jan 29 17:08:56.932284 2016] [:error] [pid 11772] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_add_managedby(u'test.foo.com', 
all=False, raw=False, version=u'2.156', no_members=False, 
host=(u'secgw.foo.internal',)): SUCCESS
[Fri Jan 29 17:08:57.576412 2016] [:error] [pid 11564] SSL Library Error: 
-12268 Cannot connect: SSL is disabled
[Fri Jan 29 17:08:59.249853 2016] [:error] [pid 11566] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: 
service_add(u'SSLVPN/test.foo.com@FOO.INTERNAL', force=False, all=False, 
raw=False, version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 17:09:00.760791 2016] [:error] [pid 11563] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: cert_request(u'-BEGIN CERTIFICATE 
REQUEST-\\-END CERTIFICATE REQUEST-', 
principal=u'SSLVPN/test.foo.com', request_type=u'pkcs10', add=False, 
version=u'2.156'): NetworkError
[Fri Jan 29 17:09:00.762689 2016] [:error] [pid 11563] [client 
10.11.131.244:45913] mod_wsgi (pid=11563): Exception occurred processing WSGI 
script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:00.762751 2016] [:error] [pid 11563] [client 
10.11.131.244:45913] IOError: failed to write data, referer: 
https://ipa.foo.internal/ipa/xml
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
[Fri Jan 29 17:09:06.875890 2016] [:error] [pid 11562] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: cert_request(u'-BEGIN CERTIFICATE 
REQUEST-\\-END CERTIFICATE REQUEST-', 
principal=u'SSLVPN/test.foo.com', request_type=u'pkcs10', add=False, 
version=u'2.156'): NetworkError
[Fri Jan 29 17:09:06.877909 2016] [:error] [pid 11562] [client 
10.11.131.244:45914] mod_wsgi (pid=11562): Exception occurred processing WSGI 
script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:06.877956 2016] [:error] [pid 11562] [client 
10.11.131.244:45914] IOError: failed to write data, referer: 
https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:17.927499 2016] [:error] [pid 11565] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: cert_show(u'1', 
out=u'/etc/openvpn/ca.crt', version=u'2.156'): NetworkError
[Fri Jan 29 17:09:17.929404 2016] [:error] [pid 11565] [client 
10.11.131.244:45915] mod_wsgi (pid=11565): Exception occurred processing WSGI 
script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:17.929450 2016] [:error] [pid 11565] [client 
10.11.131.244:45915] IOError: failed to write data, referer: 
https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:23.973680 2016] [:error] [pid 11772] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: cert_show(u'1', 
out=u'/etc/openvpn/ca.crt', version=u'2.156'): NetworkError
[Fri Jan 29 17:09:23.975618 2016] [:error] [pid 11772] [client 
10.11.131.244:45916] mod_wsgi (pid=11772): Exception occurred processing WSGI 
script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:23.975684 2016] [:error] [pid 11772] [client 
10.11.131.244:45916] IOError: failed to write data, referer: 
https://ipa.foo.internal/ipa/xml


Thoughts?

ipa.conf for completeness:


ipa.conf
Description: ipa.conf

Realm is replaced with my realm name on the server.

> On Jan 29, 2016, at 11:04 AM, Rob Crittenden  wrote:
> 
> David Zabner wrote:
>> Any guesses as to why I couldn’t revert to using the mod_auth_kerb library? 
>> It seems like this is the only 

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-16 Thread David Kupka

On 16/02/16 20:26, Matt . wrote:

Hi,

I'm figuring out if it's possible to strip the ipa start and stop from
the backup method and actually do a full backup manually started.

Any idea ?

Thanks!

Matt



Hello Matt,
you can perform a data-only backup while the FreeIPA server is still running 
(ipa-backup --data --online).
But IIUC you want a full backup with the FreeIPA server stopped, and only want to 
manually run the sequence ipactl stop ; ipa-backup ; ipactl start.


Could you please explain why you need such behavior? Honestly, I'm 
unable to find a use for this.


There's no way to do it without touching the code. If you don't mind 
editing the code, just remove the two else branches starting on lines 293 [0] and 
316 [1] in ipaserver/install/ipa_backup.py (on recent Fedoras located in 
/usr/lib/python2.7/site-packages/).


With this change a full backup will be performed on the running server unless 
you stopped it beforehand. It can result in inconsistent data in the backup archive.


[0] 
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n293
[1] 
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316


--
David Kupka



Re: [Freeipa-users] Logging configuration for ipa server

2016-02-17 Thread David Kupka

On 17/02/16 09:36, bahan w wrote:

Hello !

I send you this mail for a question about the kerberos logs on the ipa
server.

On the server, there are two configuration files :
- kdc.conf : for the server
- krb5.conf : for the client

In both of these files, we can put a logging section.
In this section, there is 3 parameters :
- default
- kdc
- admin

May I put the same values for both client and server or is it better to put
different values for the server part ?

BR.

Bahan





Hello Bahan,
looking into the krb5.conf man page I don't see any logging section. I think 
it should be enough to configure logging on the server (in kdc.conf).


Example:
User tries to perform kinit with nonexistent principal and receives error
$ kinit nonexistent
kinit: Client 'nonexist...@example.test' not found in Kerberos database 
while getting initial credentials


Then admin can see this event in the kdc log on server:
Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 
etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: 
nonexist...@example.test for krbtgt/example.t...@example.test, Client 
not found in Kerberos database


--
David Kupka

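The kdc log is also where failed AS_REQs show up, so it is worth parsing rather than only reading. Here is an added example (editor's code, not from this thread or from FreeIPA) that parses krb5kdc AS_REQ lines in the layout quoted above and summarises failures per source address: many distinct unknown principals from one address looks like username guessing, repeated PREAUTH_FAILED for one principal looks like password guessing. The log lines are constructed for the example (host name and 192.0.2.248 are borrowed from the quoted line; principals and the other lines are made up), and the thresholds in flag_sources are arbitrary assumptions to be tuned per site.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the krb5kdc log layout quoted above. The host name
# and 192.0.2.248 come from the quoted line; principals and the remaining
# lines are made up for this example.
SAMPLE_KDC_LOG = """\
Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: nonexistent@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:10:36 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: guest@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:10:37 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: backup@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:10:38 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Feb 17 10:10:39 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Feb 17 10:10:40 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: ISSUE: authtime 1455703840, etypes {rep=18 tkt=18 ses=18}, bahan@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Feb 17 10:11:02 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.77: PREAUTH_FAILED: bahan@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

# One krb5kdc line: syslog-style timestamp, host, "krb5kdc[pid](level):",
# request type, offered etypes, client address, status code, and the rest.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?P<rest>.*)$"
)
# "client@REALM for server@REALM" appears in the tail of every status line.
PRINCIPAL = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>\S+?)(?:,|$)")

FAILURE_STATUSES = {"CLIENT_NOT_FOUND", "PREAUTH_FAILED"}


def parse_kdc_log(text):
    """Return one dict per recognised AS_REQ/TGS_REQ line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = KDC_LINE.match(line)
        if not m:
            continue
        p = PRINCIPAL.search(m.group("rest"))
        events.append({
            "ts": m.group("ts"),
            "ip": m.group("ip"),
            "status": m.group("status"),
            "client": p.group("client") if p else None,
            "server": p.group("server") if p else None,
        })
    return events


def summarize_failures(events):
    """Per source address: failed request count, per-status counts and the
    distinct client principals the failures named."""
    by_ip = defaultdict(lambda: {"count": 0, "statuses": Counter(), "clients": set()})
    for ev in events:
        if ev["status"] not in FAILURE_STATUSES:
            continue
        entry = by_ip[ev["ip"]]
        entry["count"] += 1
        entry["statuses"][ev["status"]] += 1
        entry["clients"].add(ev["client"])
    return dict(by_ip)


def flag_sources(summary, max_failures=3, max_unknown_principals=2):
    """Thresholds are assumptions for the demo; tune them for your KDC's volume."""
    flagged = {}
    for ip, entry in summary.items():
        reasons = []
        if entry["count"] > max_failures:
            reasons.append("failure_burst")
        if entry["statuses"]["CLIENT_NOT_FOUND"] > max_unknown_principals:
            reasons.append("unknown_principal_probe")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize_failures(parse_kdc_log(SAMPLE_KDC_LOG))
    for ip, reasons in flag_sources(summary).items():
        print(ip, reasons, sorted(summary[ip]["clients"]))
```

Point it at the file named by the kdc entry of the [logging] section in kdc.conf; the ISSUE lines are kept in the parsed events so the same data can also answer "who did authenticate from that address".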


Re: [Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-18 Thread David Kupka

On 17/02/16 10:47, Matt . wrote:

Hi David,

I have tested your way out and it seems to be OK.

The reason why I need this is so I can perform a stop and
ipa-backup before I start my backup to my backup server (pre-command).

If I use ipa-backup directly it errors between the stop of ipa and the
actual ipa backup. I need to check that out further.

An ipactl start is not needed it seems as the ipa-backup command seems
to start ipa at any time again.

Do you understand/agree here ?


Hello Matt,

unfortunately I don't understand. The backup procedure AFAIK should work 
like this:


# ipa-backup && rsync -r /var/lib/ipa/backup/ backup.example.test:/ipa/

You can run it manually, place it into the crontab, or use it in your 
orchestration system.
It will back up the IPA server, with the necessary stop and start, and then 
copy the new backup to the backup server.


Still I don't see the need for stopping the server manually.

ipa-backup calls "ipactl start" [0]. If you remove the else branch it 
will not start the server.


[0] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316



HTH,
David




2016-02-17 8:00 GMT+01:00 David Kupka :

On 16/02/16 20:26, Matt . wrote:


Hi,

I'm figuring out if it's possible to strip the ipa start and stop from
the backup method and actually do a full backup manually started.

Any idea ?

Thanks!

Matt



Hello Matt,
you can perform a data-only backup while the FreeIPA server is still running
(ipa-backup --data --online).
But IIUC you want a full backup with the FreeIPA server stopped, and only want to
manually run the sequence ipactl stop ; ipa-backup ; ipactl start.

Could you please explain why you need such behavior? Honestly, I'm unable
to find a use for this.

There's no way to do it without touching the code. If you don't mind
editing the code, just remove the two else branches starting on lines 293 [0] and
316 [1] in ipaserver/install/ipa_backup.py (on recent Fedoras located in
/usr/lib/python2.7/site-packages/).

With this change a full backup will be performed on the running server unless you
stopped it beforehand. It can result in inconsistent data in the backup archive.

[0]
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n293
[1]
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316

--
David Kupka



--
David Kupka



Re: [Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

2016-02-24 Thread David Kupka

On 23/02/16 20:21, Marat Vyshegorodtsev wrote:

Hi!

I've been doing backups using the tool like this:
ipa-backup --data --online

I didn't want any configuration to be backed up, since it is managed
from a chef recipe.

However, when I tried to recover the backup to a fresh FreeIPA
install, Kerberos (GSSAPI) broke — I can't authenticate myself
anywhere using Kerberos: CLI, HTTP, etc.

LDAP password-based authentication works alright.

After some googling and reading through the mailing list, I followed
this manual and updated all keytabs for all services — dirsrv, httpd,
kadmin: 
http://www.freeipa.org/page/V3/Backup_and_Restore#Backup.2C_uninstall.2C_reinstall.2C_restore_JUST_the_LDAP_server

Then it broke  in a different way: for a correct session it says that
my session is expired or just does nothing, for an incorrect password
it responds with "password incorrect" (see screenshot).
https://yadi.sk/i/WVe8u1_ZpNh3w

For CLI it just says that the credentials are incorrect regardless of
what credentials I provide.

I suppose that all krbPrincipalKey fields are tied to some other
encryption key that is not included in data-only backup.

Could you please let me know how to regenerate krbPrincipalKey for all
users or how to work around this issue?

Best regards,
Marat



Hello Marat,
I would say that this is expected. During freeipa-server installation 
all service and host Kerberos keys are generated randomly, stored in 
Directory Server and in a keytab accessible to the host/service.
When you reinstall freeipa-server all keys are regenerated and no longer 
match the ones stored in your backup.


You can use ipa-getkeytab(1) with Directory Manager credentials to 
retrieve new keys, but I think it's not enough to make it work again.

Hopefully someone who understands Kerberos better will advise.

--
David Kupka



Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread David Kupka
etype aes256-cts, salt
"s`GD^,#=cA:Vr9hD", params ""
[27248] 1456447246.165001: Received cookie: MIT
[27248] 1456447246.165142: Retrieving ttes...@example.my from FILE:keytab
(vno 0, enctype aes256-cts) with result: 0/Success
[27248] 1456447246.165166: AS key obtained for encrypted timestamp:
aes256-cts/0A17
[27248] 1456447246.165210: Encrypted timestamp (for 1456447246.164647):
plain 301AA011180F32303136303232363030343034365AA1050203028327, encrypted
C092E6C29FC1CD794625CF12162D18767A68D1728E6C2ADC1F50492D6605E039B664213C29767715E04B3CA8D97EBD691BBF40B76370C9FA
[27248] 1456447246.165224: Preauth module encrypted_timestamp (2) (real)
returned: 0/Success
[27248] 1456447246.165228: Produced preauth for next request: 133, 2
[27248] 1456447246.165239: Sending request (257 bytes) to EXAMPLE.MY
[27248] 1456447246.165253: Resolving hostname node1.example.my
[27248] 1456447256.178637: Initiating TCP connection to stream
192.168.38.2:88
[27248] 1456447256.179456: Sending TCP request to stream 192.168.38.2:88
[27248] 1456447256.184929: Received answer (167 bytes) from stream
192.168.38.2:88
[27248] 1456447256.184941: Terminating TCP connection to stream
192.168.38.2:88
[27248] 1456447256.185043: Response was from master KDC
[27248] 1456447256.185065: Received error from KDC: -1765328353/Decrypt
integrity check failed
kinit: Password incorrect while getting initial credentials


From the 2 traces I notice the returned bytes from the call using the
keytab are only 167 bytes compared to 722 bytes. Does anybody know the
reason or could point me to where I could debug further?

Thanks





Hello!

I don't know why it does not work with ktutil but I've found another way 
to get a keytab for a user:


$ kinit ttester
$ ipa-getkeytab -p ttes...@example.test -k ttester.keytab -e aes256-cts-hmac-sha1-96

$ kdestroy ttester
$ kinit ttes...@example.test -kt ttester.keytab

HTH,

--
David Kupka

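The thread does not say why the ktutil-built keytab fails while ipa-getkeytab works. The trace quoted earlier in it does show one relevant fact: the KDC announces a non-default salt ("s`GD^,#=cA:Vr9hD") for this principal in its etype-info, and a key derived from the password with any other salt cannot pass the KDC's check on the encrypted timestamp, which the KDC reports as "Decrypt integrity check failed" and kinit turns into "Password incorrect". The following added example (editor's code, not FreeIPA's or the poster's) shows that salt dependence for the RFC 3962 string-to-key derivation used by aes256-cts-hmac-sha1-96: it runs the PBKDF2-HMAC-SHA1 stage and compares the result for the KDC's salt with the result for MIT's default salt (realm followed by the principal's name components). The final DK() step, which needs AES and is a fixed function of the PBKDF2 output, is left out; whether it is the salt that bit the poster is the editor's inference, and the password is made up.

```python
import hashlib

# RFC 3962: key = DK(PBKDF2-HMAC-SHA1(password, salt, iterations, keylen), "kerberos").
# DK() is a deterministic AES-based function of the PBKDF2 output, so if the
# PBKDF2 outputs differ the final keys differ. DK() is omitted here.
DEFAULT_ITERATIONS = 4096   # RFC 3962 default when the KDC sends no s2kparams
AES256_KEY_BYTES = 32


def default_salt(principal):
    """MIT's default salt: the realm followed by the principal's name
    components with the separators removed (e.g. EXAMPLE.MYttester)."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def pbkdf2_stage(password, salt, iterations=DEFAULT_ITERATIONS, length=AES256_KEY_BYTES):
    """The PBKDF2 stage of RFC 3962 string-to-key for the AES256 enctype."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, length
    )


def keys_agree(password, kdc_salt, keytab_salt):
    """True only if a keytab built with keytab_salt would hold the same key
    as the KDC derived with kdc_salt (same password assumed)."""
    return pbkdf2_stage(password, kdc_salt) == pbkdf2_stage(password, keytab_salt)


if __name__ == "__main__":
    kdc_salt = "s`GD^,#=cA:Vr9hD"                       # salt the KDC announced in the trace above
    tool_salt = default_salt("ttester@EXAMPLE.MY")      # what a default-salt tool would use
    password = "Secret123"                              # made up for the demo
    print("keytab built with the KDC's salt matches:", keys_agree(password, kdc_salt, kdc_salt))
    print("keytab built with the default salt matches:", keys_agree(password, kdc_salt, tool_salt))
```

ipa-getkeytab sidesteps the problem because it fetches the key material from the server rather than re-deriving it from the password, which is why it is the safer route for user keytabs; it does, however, set a new key version for the principal, so existing tickets and other keytabs for that principal are invalidated.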


Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread David Kupka

On 26/02/16 08:56, David Kupka wrote:

On 26/02/16 02:22, Teik Hooi Beh wrote:

Hi,

I have managed to deploy 1 ipa master and 1 ipa client with success on
centos 7.2 with freeipa v4.2. I also managed to create a user and set
sshd rules for the ttester user and also successfully get a krb ticket
using kinit ttes...@example.my. I am trying to deploy password-less SSH login with
kerberos using the following guide
(https://uz.sns.it/~enrico/wordpress/2014/03/password-less-ssh-login-with-kerberos/)

- snippet -

$ ktutil
ktutil: add_entry -password -p ttes...@example.my -k 1 -e aes256-cts-hmac-sha1-96
ktutil: write_kt keytab

When I tried kinit -kt keytab ttes...@example.my, I get "kinit:
Password incorrect while getting initial credentials"
Doing a trace using KRB5_TRACE on both calls

1. KRB5_TRACE=/dev/stderr kinit ttes...@example.my
[27242] 1456447025.219676: Getting initial credentials for
ttes...@example.my
[27242] 1456447025.222070: Sending request (164 bytes) to EXAMPLE.MY
[27242] 1456447025.23: Resolving hostname node1.example.my
[27242] 1456447035.238004: Initiating TCP connection to stream
192.168.38.2:88
[27242] 1456447035.238675: Sending TCP request to stream 192.168.38.2:88
[27242] 1456447035.241248: Received answer (337 bytes) from stream
192.168.38.2:88
[27242] 1456447035.241257: Terminating TCP connection to stream
192.168.38.2:88
[27242] 1456447035.241377: Response was from master KDC
[27242] 1456447035.241437: Received error from KDC:
-1765328359/Additional
pre-authentication required
[27242] 1456447035.241484: Processing preauth types: 136, 19, 2, 133
[27242] 1456447035.241499: Selected etype info: etype aes256-cts, salt
"s`GD^,#=cA:Vr9hD", params ""
[27242] 1456447035.241504: Received cookie: MIT
Password for ttes...@example.my:
[27242] 1456447062.215750: AS key obtained for encrypted timestamp:
aes256-cts/73C6
[27242] 1456447062.215815: Encrypted timestamp (for 1456447062.215315):
plain 301AA011180F32303136303232363030333734325AA1050203034913, encrypted
F9A2E97E916FC14D141690E151A25DCC00168361179C7F0ACDA94C7F58F3D50429780A5608A6B8623E355F2A5BD676F6FA5272D38FD05C8B

[27242] 1456447062.215942: Preauth module encrypted_timestamp (2) (real)
returned: 0/Success
[27242] 1456447062.215948: Produced preauth for next request: 133, 2
[27242] 1456447062.215965: Sending request (257 bytes) to EXAMPLE.MY
[27242] 1456447062.216010: Resolving hostname node1.example.my
[27242] 1456447072.229254: Initiating TCP connection to stream
192.168.38.2:88
[27242] 1456447072.229655: Sending TCP request to stream 192.168.38.2:88
[27242] 1456447072.236955: Received answer (722 bytes) from stream
192.168.38.2:88
[27242] 1456447072.236974: Terminating TCP connection to stream
192.168.38.2:88
[27242] 1456447072.237080: Response was from master KDC
[27242] 1456447072.237117: Processing preauth types: 19
[27242] 1456447072.237125: Selected etype info: etype aes256-cts, salt
"s`GD^,#=cA:Vr9hD", params ""
[27242] 1456447072.237131: Produced preauth for next request: (empty)
[27242] 1456447072.237140: AS key determined by preauth: aes256-cts/73C6
[27242] 1456447072.237199: Decrypted AS reply; session key is:
aes256-cts/2A71
[27242] 1456447072.237216: FAST negotiation: available
[27242] 1456447072.237236: Initializing KEYRING:persistent:1000:1000 with
default princ ttes...@example.my
[27242] 1456447072.237275: Storing ttes...@example.my ->
krbtgt/example...@example.my in KEYRING:persistent:1000:1000
[27242] 1456447072.237330: Storing config in KEYRING:persistent:1000:1000
for krbtgt/example...@example.my: fast_avail: yes
[27242] 1456447072.237345: Storing ttes...@example.my ->
krb5_ccache_conf_data/fast_avail/krbtgt\/EXAMPLE.MY\@EXAMPLE.MY@X-CACHECONF:

in KEYRING:persistent:1000:1000
[27242] 1456447072.237371: Storing config in KEYRING:persistent:1000:1000
for krbtgt/example...@example.my: pa_type: 2
[27242] 1456447072.237380: Storing ttes...@example.my ->
krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.MY\@EXAMPLE.MY@X-CACHECONF:
in KEYRING:persistent:1000:1000

2. KRB5_TRACE=/dev/stderr kinit -kt keytab ttes...@example.my
[27248] 1456447236.144685: Getting initial credentials for
ttes...@example.my
[27248] 1456447236.147107: Looked up etypes in keytab: aes256-cts
[27248] 1456447236.147255: Sending request (164 bytes) to EXAMPLE.MY
[27248] 1456447236.147381: Resolving hostname node1.example.my
[27248] 1456447246.161528: Initiating TCP connection to stream
192.168.38.2:88
[27248] 1456447246.161970: Sending TCP request to stream 192.168.38.2:88
[27248] 1456447246.164772: Received answer (337 bytes) from stream
192.168.38.2:88
[27248] 1456447246.164791: Terminating TCP connection to stream
192.168.38.2:88
[27248] 1456447246.164904: Response was from master KDC
[27248] 1456447246.164943: Received error from KDC:
-1765328359/Additional
pre-authentication required
[27248] 1456447246.164987: Processing preauth types: 136, 19, 2, 133
[27248] 145644724

Re: [Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2016-03-13 Thread David Goudet
Hi,

After more investigation i found a solution to fix my problem. Hereafter some 
details.

I think I had two linked problems:
Problem 1: In /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 there were some old entries, 
about ~five months old; they were probably tombstone entries. (Replication 
state between the two dirsrv master/master was good and stable).
Problem 2: the purge attribute "nsslapd-changelogmaxage" had the default value of 30 days, 
but the volume of data stored in the db4 database was greater than ~4 GB, which is 
the space available on the /var/lib/ partition. So the partition was filled with entries 
from the last 30 days.

Problem 1 was solved by removing the db4 database (be careful of the impacts: dirsrv 
replication should work and the db should be well synchronised before doing this):
service dirsrv stop && mv /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 
/var/lib/dirsrv/slapd-xxx/cldb/xxx.db4-old && service dirsrv start

Problem 2 was solved by decreasing the purge attribute "nsslapd-changelogmaxage" 
from 30d to 10d (I don't need more data and want to increase the available partition space).

Note: the purge seems to run every five minutes, so freeing entries is not 
instantaneous; it occurs after ~6 minutes.

I agree, you are right:
> Also trimming removes changelog records and frees space internally to the db4 
> file to be reused, but it will not shrink the file size

I think it is not mandatory, but I set the default values of the following purge 
parameters:
nsDS5ReplicaPurgeDelay: 604800
nsDS5ReplicaTombstonePurgeInterval: 86400

I followed the good documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html

Thanks for your help!

David

- Original Message -
From: "Ludwig Krispenz" 
To: "freeipa-users" 
Sent: Tuesday, December 22, 2015 1:55:06 PM
Subject: Re: [Freeipa-users] Purge old entries in 
/var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

Hi,

On 12/22/2015 11:43 AM, David Goudet wrote:
> Hi,
>
> I have a multimaster replication environment. On each replica, the folder 
> /var/lib/dirsrv/slapd-/cldb/ is large (~3 GB) and old entries in 
> /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 are three months old:
>
> sudo dbscan -f 
> /var/lib/dirsrv/slapd-/cldb/ef155b03-dda611e2-a156db20-90xxx06_51c9aed900xx000.db4
>  | less
> dbid: 56239e5e0004
>  replgen: 1445174777 Sun Oct 18 15:26:17 2015
>  csn: 56239e5e0004
>  uniqueid: e55d5e01-26f211e4-9b60db20-90c3b706
>  dn: 
>  operation: modify
>  krbLastSuccessfulAuth: 20151018132617Z
>  modifiersname: cn=Directory Manager
>  modifytimestamp: 20151018132617Z
>  entryusn: 68030946
>
> My questions are:
>
> a) How to purge old entries in file /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4? 
> (what is the procedure)
> b) What is the right configuration to limit increase of this file?
setting changelog maxage should be sufficient to trim changes, but the 
age is not the only condition deciding if a record in the changelog can 
be deleted.
- for each replicaID the last record will never be deleted, independent 
of its age, so if you have replicas in your topology which are not (or 
not frequently) updated directly there will be old changes in the changelog
- if the replica where the trimming is run has replication 
agreements to other replicas, changes which were not yet replicated to 
the other replica will not be purged. So, if you have some stale 
agreements to other replicas this could prevent trimming as well.

Also trimming removes changelog records and frees space internally to the 
db4 file to be reused, but it will not shrink the file size
>
>
>
> This topic has already been talked about on 
> https://www.redhat.com/archives/freeipa-users/2013-February/msg00433.html or 
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00573.html but no 
> response works for me.
> The response here seems not to be applicable: 
> https://bugzilla.redhat.com/show_bug.cgi?id=1181341 (Centos 7, Fixed In 
> Version: 389-ds-base-1.3.4.0-1.el7)
>
> I used some attributes from the documentation: 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnchangelog5-nsslapd_changelogdir.
> Old entries are not purged and the file increases even after restarting the service 
> (service dirsrv start and service dirsrv stop).
>
> (This test environment values)
> dn: cn=changelog5,cn=config
> objectClass: top
> objectClass: extensibleobject
> cn: changelog5
> ...
> nsslapd-changelogmaxentries: 100
> nsslapd-changelogmaxage: 4m
>
> dn: cn=replica,cn=x,cn=mapping tree,cn=config
> cn: replica
> nsDS5Fla
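Ludwig's two conditions (the newest record of each replica ID is never trimmed, and the trimming replica only drops changes its peers already have) can be checked from the same dbscan output David quoted, before deciding to delete the changelog database. Here is an added example, editor's code and not from this thread or from 389-ds, that parses the dbscan record layout shown above and reports per replica ID which records are old but kept as that replica's last record, and which are older than nsslapd-changelogmaxage and should therefore go away on the next trim. The dbscan text and the reference time (2016-03-13 12:00 UTC, the date of the post) are constructed; the CSN layout it decodes (8 hex digits of timestamp, 4 of sequence number, 4 of replica ID, 4 of sub-sequence) is the 389-ds format, and a malformed CSN is reported rather than silently skipped.

```python
import re

# Constructed dbscan output in the layout quoted in this thread
# (dbscan -f /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4). All values are made up.
SAMPLE_DBSCAN = """\
dbid: 56239e5e000000040000
\treplgen: 1445174777 Sun Oct 18 15:26:17 2015
\tcsn: 56239e5e000000040000
\tuniqueid: 0a1b2c3d-00000000-00000000-00000001
\tdn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
\toperation: modify
\tkrbLastSuccessfulAuth: 20151018132617Z
\tmodifiersname: cn=Directory Manager
\tmodifytimestamp: 20151018132617Z
\tentryusn: 68030946
dbid: 568bc300000000070000
\treplgen: 1445174777 Sun Oct 18 15:26:17 2015
\tcsn: 568bc300000000070000
\tuniqueid: 0a1b2c3d-00000000-00000000-00000002
\tdn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
\toperation: modify
\tkrbLastSuccessfulAuth: 20160105132000Z
\tentryusn: 68031000
dbid: 56e404c0000100070000
\treplgen: 1445174777 Sun Oct 18 15:26:17 2015
\tcsn: 56e404c0000100070000
\tuniqueid: 0a1b2c3d-00000000-00000000-00000003
\tdn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
\toperation: modify
\tkrbLastSuccessfulAuth: 20160312120000Z
\tentryusn: 68031500
"""

# Reference "now" for the demo: 2016-03-13 12:00:00 UTC, the date of the post.
NOW_FOR_DEMO = 1457870400

CSN_RE = re.compile(r"^[0-9a-f]{20}$")


def parse_csn(csn):
    """Split a 389-ds CSN into (unix timestamp, seq, replica id, subseq)."""
    if not CSN_RE.match(csn):
        raise ValueError("malformed csn: %r" % csn)
    return int(csn[0:8], 16), int(csn[8:12], 16), int(csn[12:16], 16), int(csn[16:20], 16)


def parse_dbscan(text):
    """One dict per 'dbid:' record; the indented 'key: value' lines belong to it."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("dbid:"):
            current = {"dbid": line.split(":", 1)[1].strip()}
            records.append(current)
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            current[key] = value.strip()
    return records


def changelog_report(records, now, maxage_seconds=30 * 86400):
    """Per replica id: record count, ages, the last record (never trimmed),
    and the older records that are past maxage and so eligible for trimming."""
    by_rid = {}
    for rec in records:
        ts, _seq, rid, _sub = parse_csn(rec["csn"])
        by_rid.setdefault(rid, []).append((ts, rec["csn"]))
    report = {}
    for rid, entries in by_rid.items():
        entries.sort()
        newest_ts, newest_csn = entries[-1]
        report[rid] = {
            "records": len(entries),
            "oldest_age_days": (now - entries[0][0]) / 86400.0,
            "newest_age_days": (now - newest_ts) / 86400.0,
            "retained_last_csn": newest_csn,
            "purgeable_by_age": [csn for ts, csn in entries[:-1] if now - ts > maxage_seconds],
            # A replica whose *last* change is older than maxage pins old data in the changelog.
            "stale_replica": now - newest_ts > maxage_seconds,
        }
    return report


if __name__ == "__main__":
    for rid, info in sorted(changelog_report(parse_dbscan(SAMPLE_DBSCAN), NOW_FOR_DEMO).items()):
        print("replica %d: %s" % (rid, info))
```

On the constructed data replica 4 has a single record about 147 days old, which matches the "~five months old" entries David saw: it is that replica's last change, so nsslapd-changelogmaxage will never remove it, and the fix is to get that replica updating again (or remove its stale agreement), not to lower maxage. Replica 7's January record is the one a trim can actually free.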

Re: [Freeipa-users] freeipa restore backup on a new server

2016-04-12 Thread David Kupka

On 12/04/16 11:26, Rakesh Rajasekharan wrote:

Hi ,

I am running ipa-server version 4.2 on AWS, and testing the FreeIPA backup and
restore.

The restoration works fine if it's on the same host, wherein I uninstall FreeIPA
and then install it back and then do a full restore.

However, if it's a new machine with a different IP, the restoration fails.

I am running the restoration from an Ansible playbook. Here's the output that 
I get:

Preparing restore from /tmp/ipa/ipa-full-2016-04-12 on
test-ipa-master-int.xyz.com
Performing FULL restore from FULL backup
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Stopping IPA services
Systemwide CA database updated.
Restoring files
Systemwide CA database updated.
Restoring from userRoot in xyz-COM
Restoring from ipaca in xyz-COM
Starting IPA services
Command ''ipactl' 'start'' returned non-zero exit status 1
stdout: Configuring certmonger to stop tracking system certificates for CA

Is there a limitation that the IP needs to be the same for a restore to happen,
or am I missing something?

Thanks,
Rakesh





Hello Rakesh,
it's not possible to determine what happened from the information that you 
have sent. Could you please find the service that failed to start and 
send its logs?


I believe that all services in FreeIPA depend on host names and resolve 
IP addresses from DNS when needed.
But if the DNS server is part of the FreeIPA server you're trying to restore, it 
is holding old records with old IP addresses. Maybe this is the cause, 
but it's just a wild guess.


--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA & FreeRadius LDAP auth issue

2016-04-12 Thread David Kreitschmann
Hi,
you are trying to do different things in the two cases. radtest does plain-text 
authentication to LDAP, while your real-world example connects as another user 
and tries to compare the MSCHAPv2 hash.

For MSCHAPv2 to work you need:
- MSCHAPv2 hashes in LDAP (Samba schema or activate the AD trust feature)
- your users will probably need to change their password to create the hash
- read access to those fields for FreeRADIUS (create an ACI)

You can use eapol_test from wpa_supplicant to check whether it works; use this 
config:

network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@freeipa.local"
    anonymous_identity="anonymous"
    password="asdfasdf"
    phase2="autheap=MSCHAPV2"
}


Regards,
David

> On 12.04.2016 at 14:02, Boris Cheperis wrote:
> 
> Hi,
> 
> I've started using FreeIPA and got fascinated with its capabilities, but 
> recently I tried to configure FreeRadius integration
> for WiFi authentication and ran into some issues.
> 
> I’ve configured ldap integration and when I run a test everything seems fine:
> 
> 
> radtest dmitry.fedorov fedor 127.0.0.1 100 testing123
> Sending Access-Request Id 93 from 0.0.0.0:54153 to 127.0.0.1:1812
>   User-Name = 'dmitry.fedorov'
>   User-Password = 'fedor'
>   NAS-IP-Address = 10.0.0.12
>   NAS-Port = 100
>   Message-Authenticator = 0x00
> Received Access-Accept Id 93 from 127.0.0.1:1812 to 127.0.0.1:54153 length 20
> -
> 
> But when I try to do a real-world test and run authentication on a wifi 
> device I get this:
> 
> ——
> (10)  ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module 
> failed
> (10)  eap : Failed in EAP select
> (10)   [eap] = invalid
> (10)  } #  authenticate = invalid
> (10) Failed to authenticate the user
> (10) Using Post-Auth-Type Reject
> (10) # Executing group from file /etc/raddb/sites-enabled/default
> (10)  Post-Auth-Type REJECT {
> (10)  attr_filter.access_reject : EXPAND %{User-Name}
> (10)  attr_filter.access_reject :--> dmitry.fedorov
> (10)  attr_filter.access_reject : Matched entry DEFAULT at line 11
> (10)   [attr_filter.access_reject] = updated
> (10)  eap : Reply already contained an EAP-Message, not inserting EAP-Failure
> (10)   [eap] = noop
> (10)   remove_reply_message_if_eap remove_reply_message_if_eap {
> (10) if (&reply:EAP-Message && &reply:Reply-Message)
> (10) if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (10)else else {
> (10) [noop] = noop
> (10)} # else else = noop
> (10)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (10)  } # Post-Auth-Type REJECT = updated
> (10) Delaying response for 1 seconds
> Waking up in 0.1 seconds.
> Waking up in 0.6 seconds.
> (10) Sending delayed response
> (10) Sending Access-Reject packet to host 10.0.0.139 port 62980, id=23, 
> length=0
> (10)  EAP-Message = 0x040a0004
> (10)  Message-Authenticator = 0x
> Sending Access-Reject Id 23 from 10.0.0.12:1812 to 10.0.0.139:62980
>   EAP-Message = 0x040a0004
>   Message-Authenticator = 0x000
> ———
> 
> before this I see a couple of other errors in the debug output
> —
> WARNING: mschap : No Cleartext-Password configured.  Cannot create LM-Password
> (9)WARNING: mschap : No Cleartext-Password configured.  Cannot create 
> NT-Password
> (9)mschap : Creating challenge hash with username: dmitry.fedorov
> (9)mschap : Client is using MS-CHAPv2
> (9)ERROR: mschap : FAILED: No NT/LM-Password.  Cannot perform 
> authentication
> (9)ERROR: mschap : MS-CHAP2-Response is incorrect
> (9) [mschap] = reject
> (9)} # Auth-Type MS-CHAP = reject
> —
> 
> and
> 
> ---
> ldap : Processing user attributes
> (2)  WARNING: ldap : No "known good" password added. Ensure the admin user 
> has permission to read the password attribute
> (2)  WARNING: ldap : PAP authentication will *NOT* work with Active Directory 
> (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (4)
> (2)   [ldap] = ok
> (2)if ((ok || updated) && User-Password)
> (2)if ((ok || updated) && User-Password)  -> FALSE
> (2)   [expiration] = noop
> (2)   [logintime] = noop
> (2)  WARNING: pap : No "known good" password found for the user.  Not setting 
> Auth-Type
> (2)  WARNING: pap : Authentication will fail unless a "known good" password 
> is available
> (2)   [pap] = noop
> —
> 
> At first I thought the problem was in the "known good” password, b

Re: [Freeipa-users] How To: Create Admin Account with all Permissions but the ability to Delete?

2016-04-14 Thread David Kupka

On 14/04/16 19:59, Caton, Tina, CYFD wrote:

As a policy we disable accounts, never delete accounts.

We wish to create an Administrator account with Account Creation, Change and
Disable Permissions - No Deletion Permissions. Is that possible? How would one
do it? Thank you.

Regards,
Tina Caton




Hello Tina,

this can be done.

FreeIPA uses RBAC (role-based access control). On the lowest level there 
are individual permissions ($ ipa permission-find), which are just 389-ds 
ACIs (access control instructions).
Then there are privileges ($ ipa privilege-find) that hold some set of 
permissions.
Another layer consists of roles ($ ipa role-find) that can hold multiple 
privileges. Users and groups can be assigned a role ($ ipa 
role-add-member  [--user ] [--group ]).


What you need to do is create a privilege (e.g. "Never delete user 
administrator") similar to "User Administrator", with the only difference 
that it won't have the "System: Remove Users" permission, and then create a 
role very similar to "User Administrator" with the privilege "User 
Administrator" replaced with "Never delete user administrator".
Then you can give this role to any user or group (don't forget to 
remove the original "User Administrator" role).


Alternatively, if you're sure that no admin user in your deployment will 
ever need to delete a user, you can simply remove the "System: Remove Users" 
permission from the "User Administrator" privilege ($ ipa 
privilege-remove-permission "User Administrators" --permissions "System: 
Remove Users").


HTH,
--
David Kupka



Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-15 Thread David Kupka

On 15/04/16 11:42, Harald Dunkel wrote:

Hi folks,

If I run "kinit admin; ipa -v ping" as a regular user, then I get

ipa: INFO: trying https://ipa2.example.com/ipa/json
ipa: INFO: Connection to https://ipa2.example.com/ipa/json failed with 
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, 
unsupported format.
ipa: INFO: trying https://ipa1.example.com/ipa/json
ipa: INFO: Connection to https://ipa1.example.com/ipa/json failed with 
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, 
unsupported format.
ipa: ERROR: cannot connect to 'any of the configured servers': 
https://ipa2.example.com/ipa/json, https://ipa1.example.com/ipa/json

Using root there is no problem. Obviously this is a Unix
access problem, not an old database.

I would like to avoid running maintenance scripts as root,
if possible. The error message doesn't include any path
information, so I wonder how I can fix the access problem
without opening the system too wide?


Every helpful hint is highly appreciated
Harri


Hello Harri,

the FreeIPA certificate database is stored in /etc/ipa/nssdb; by default 
the permissions are set to:


$ ls -dl /etc/ipa/nssdb/
drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/

$ ls -l /etc/ipa/nssdb/
total 80
-rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
-rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
-rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
-rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db

Please check the permissions on your system. If they're different and you 
(or the system admin) haven't changed them, please file a ticket 
(https://fedorahosted.org/freeipa/newticket).


--
David Kupka



Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-15 Thread David Kupka

On 15/04/16 13:31, Harald Dunkel wrote:

Hi folks,

I have no luck with the ipa cli, so I wonder if it is
possible to ldapsearch for disabled or enabled users?
A command line like

ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com uid=somebody

doesn't show :-(.


Every helpful hint is highly welcome
Harri



Hello Harri,

the attribute you're looking for is 'nsaccountlock'. This command should 
give you uids of all disabled users:


$ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test 
"(nsaccountlock=TRUE)" uid


--
David Kupka



Re: [Freeipa-users] Object class violation

2016-04-17 Thread David Kupka

On 17/04/16 07:23, Günther J. Niederwimmer wrote:

Hello,
I'd like to set up / install a replica for my IPA server.

Now I have this Error

Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
   [1/8]: adding sasl mappings to the directory
   [2/8]: configuring KDC
   [3/8]: creating a keytab for the directory
   [4/8]: creating a keytab for the machine
   [5/8]: adding the password extension to the directory
   [6/8]: enable GSSAPI for replication
   [error] OBJECT_CLASS_VIOLATION: {'desc': 'Object class violation'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR{'desc': 'Object
class violation'}

Have I also to delete the replica on the IPA Server ?

Or can I repair the replica ?





Hello,
the simplest way is to run # ipa-server-install --uninstall -U on the 
replica and # ipa-replica-manage del  on the master.


But I don't understand why you got the "Object class violation" 
error. Have you changed the schema on the IPA server? Or made any other changes?
If not, could you please file a ticket 
(https://fedorahosted.org/freeipa/newticket) and provide a reproducer?


--
David Kupka


Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-18 Thread David Kupka

On 15/04/16 15:16, Harald Dunkel wrote:

Hi David,


Hello Harri,

the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the 
permissions are set to:

$ ls -dl /etc/ipa/nssdb/
drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/

$ ls -l /etc/ipa/nssdb/
total 80
-rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
-rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
-rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
-rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db

Please check the permission on your system. If it's different and you (or 
system admin) haven't changed it please file a ticket 
(https://fedorahosted.org/freeipa/newticket).



Sorry, I should have mentioned that the client runs Debian
with freeipa 4.0.5.

# ls -al /etc/ipa/
total 24
drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
-rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
-rw-r--r--   1 root root   194 Dec 29 08:32 default.conf


No nssdb. AFAICS only the ipa servers in my lan have a
directory /etc/ipa/nssdb (CentOS 7).

On the clients I can see a cert8.db in /etc/pki/nssdb.
Looking at the time stamp it seems to be related to freeipa.

# ls -al /etc/pki/nssdb/
total 76
drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
-rw------- 1 root root 65536 Dec 29 08:32 cert8.db
-rw------- 1 root root 16384 Dec 29 08:32 key3.db
-rw------- 1 root root 16384 Dec 29 08:32 secmod.db

No pwdfile.txt . I would guess the key database has been created
with --empty-password.

Does this look familiar, or is this misconfigured and weird?


Sorry for asking stupid questions, but the setup in my lan is
all I have. I have never had a chance to see another freeipa
installation. Hope you don't mind?


Regards
Harri



Hello Harri,
actually the version and OS information make a difference :-)

Older versions of the FreeIPA client used the NSSDB in /etc/pki/nssdb; I 
don't recall at which version we switched to /etc/ipa/nssdb, but it was 
some time ago.


I have reproduced the issue on Debian and after changing the access 
rights (# chmod ga+r /etc/pki/nssdb/*) it works for me. The ipa command 
needs to access the IPA CA certificate stored there to verify the identity 
of the FreeIPA server.


I haven't seen this issue on Fedora, so I'm adding Timo, who is porting 
FreeIPA to Debian. Timo, have you met this issue?


--
David Kupka

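The two NSS database threads above (the /etc/ipa/nssdb default listing and the Debian /etc/pki/nssdb case) both come down to one check: the unprivileged user running `ipa` must be able to read the certificate database files, while the database password file stays private to root. The following is an added example, not code from the thread or from FreeIPA; it reproduces that check with `os.stat`, and the `build_sample_nssdb` helper creates a constructed directory of placeholder files in a temporary location so the check can be exercised offline (the file names are the ones in David's listings; the contents are not real NSS databases).

```python
"""Check an NSS database directory for the permission layout FreeIPA expects.

Added example, not FreeIPA code. check_nssdb_perms() returns a list of
problem descriptions; an empty list means the layout is sane:
  * the directory and the *.db files are readable by everyone (so 'ipa'
    run as a normal user can load the IPA CA certificate and verify the
    server), and
  * pwdfile.txt, which holds the database password, is readable by the
    owner only.
"""
import os
import stat
import tempfile


def check_nssdb_perms(path, db_files=("cert8.db", "key3.db", "secmod.db"),
                      pw_file="pwdfile.txt"):
    problems = []
    try:
        dmode = os.stat(path).st_mode
    except FileNotFoundError:
        # Older clients keep the database in /etc/pki/nssdb, newer ones in
        # /etc/ipa/nssdb; a missing directory usually means the wrong path.
        return ["%s: not found (check /etc/pki/nssdb vs /etc/ipa/nssdb)" % path]
    # Without r+x for "others" nothing inside the directory is reachable.
    if not (dmode & stat.S_IROTH and dmode & stat.S_IXOTH):
        problems.append("%s: directory not world-readable/searchable" % path)
    for name in db_files:
        p = os.path.join(path, name)
        if not os.path.exists(p):
            problems.append("%s: missing" % p)
            continue
        if not os.stat(p).st_mode & stat.S_IROTH:
            problems.append("%s: not world-readable; ipa will fail as non-root" % p)
    p = os.path.join(path, pw_file)
    if os.path.exists(p):
        if os.stat(p).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append("%s: database password readable by group/others" % p)
    return problems


def build_sample_nssdb(modes=None):
    """Create a constructed NSS DB directory under a temp path (demo/test only).

    'modes' overrides the default per-file permissions, e.g. {"cert8.db": 0o600}
    reproduces the Debian client layout from the thread.
    """
    perms = {"cert8.db": 0o644, "key3.db": 0o644, "secmod.db": 0o644,
             "pwdfile.txt": 0o600}
    perms.update(modes or {})
    d = tempfile.mkdtemp(prefix="nssdb-")
    os.chmod(d, 0o755)                      # mkdtemp creates it 0700
    for name, mode in perms.items():
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(b"constructed placeholder, not a real NSS database\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    # Default layout from the thread passes; the 0600 Debian layout fails.
    print(check_nssdb_perms(build_sample_nssdb()))
    print(check_nssdb_perms(build_sample_nssdb({"cert8.db": 0o600})))
```

Running it against a real client would be `check_nssdb_perms("/etc/pki/nssdb")` (or `/etc/ipa/nssdb`); every reported line maps to a single `chmod` on that file, which keeps the fix narrower than opening the whole directory.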


Re: [Freeipa-users] IPA & Yubikey

2016-04-24 Thread David Kreitschmann
Hi Jeremy,

> On 22.04.2016 at 22:40, Jeremy Utley wrote:
> 
> Hello all!
> 
> I'm quite close to reaching the ideal point with our new FreeIPA setup, but 
> one thing that is standing in the way is 2FA.  I know FreeIPA has support for 
> Google Auth, FreeOTP, and Yubikey.  We'd like to go with Yubikeys over the 
> phone-based systems, but a lot of the docs regarding Yubikey seem to either 
> be out-dated, or not real clear (at least to me).  So I'd like to ask a few 
> questions to make sure I'm understanding correctly.
> 
> 1) It looks like the normal setup of a Yubikey is to plug it into a machine 
> and run the "ipa otptoken-add-yubikey" command.  This implies that the 
> machine that sets up the Yubikey needs to be part of the FreeIPA domain, 
> which presents somewhat of a problem for us, as our current IPA setup has no 
> desktops, and is in a remote "lights-out" datacenter an hour's drive from our 
> office.  I did see a post recently in the archives of someone figuring out 
> how to set up a Yubikey via the web interface 
> (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) - 
> would this be viable?

Sure, but you shouldn't use online base32 converters for that. You can use the 
YubiKey personalization tools and the web interface/API to enroll YubiKeys 
manually.

> 
> 2) Does the otptoken-add-yubikey command actually change the programming of 
> the Yubikey, or does it simply read its configuration?  We have some users 
> who are already using a Yubikey for personal stuff, and we'd like to allow 
> those users to continue to use their existing Yubikey to auth to our IPA 
> domain, but if the add command changes the programming of the key, that may 
> not be possible without using the second slot, and if users are already using 
> the second slot, they are out of luck.

HOTP/TOTP depend on a shared secret between the token and FreeIPA. This needs 
to be stored in one of the two slots of the yubikey.

> 3) Does Yubikey auth require talking to the outside world to function?  Our 
> IPA setup is within a secure zone, with no direct connectivity to the outside 
> world, so if this is necessary, it would be a possible deal-breaker for these.

No, this would only be needed if you used the factory-programmed Yubico 
key in slot 1, which is not supported by FreeIPA anyway.


David


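The shared-secret point in this reply, shown as an added example that is not part of the thread and not FreeIPA's or Yubico's code: RFC 4226 HOTP is computed on both sides from one secret and a counter, which is why the secret has to live in a YubiKey slot and why no outside service is involved in verification. The verifier below holds the server's copy of the secret, searches a look-ahead window of counters (absorbing button presses that never reached the server) and refuses replays; `secret_to_base32` is the local conversion that replaces the online converter the question mentions. The secret is the RFC 4226 test-vector key, not a real token key, and the window size is a constructed choice.

```python
"""HOTP (RFC 4226) shared-secret demo: an added example, not FreeIPA code."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state: the same secret plus the next counter it expects.

    window is how many counters ahead the server will try (the RFC's
    look-ahead); presses that never reached the server advance the token's
    counter, so a small window is what keeps the token usable.
    """

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret = secret
        self.counter = 0                        # next counter value expected
        self.window = window
        self.digits = digits

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1            # this and earlier codes are now dead
                return True
        return False                            # unknown code, or a replay


def secret_to_base32(secret: bytes) -> str:
    """otpauth:// URIs carry the secret as unpadded base32; do it locally."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    # RFC 4226 test-vector key (Appendix D), not a real token secret.
    secret = b"12345678901234567890"
    token_counter = 0
    server = HotpVerifier(secret, window=5)
    for press in range(3):                      # three button presses
        code = hotp(secret, token_counter)
        token_counter += 1
        print("press %d -> %s accepted=%s" % (press, code, server.verify(code)))
    print("replay of last code accepted=%s" % server.verify(code))
    print("base32 form:", secret_to_base32(secret))
```

The design choice worth noting is `hmac.compare_digest` rather than `==` for the code comparison, and that acceptance moves the counter forward, so the same code can never be accepted twice even inside the window.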

Re: [Freeipa-users] Best practice for requesting a certificate in Kickstart?

2016-04-25 Thread David Kupka

On 24/04/16 04:46, Anthony Clark wrote:

Hello All,

TL;DR: what's the best way to grab a SSL cert and key during kickstart?

(this is all using CentOS 7.2 latest)

I'm using Foreman to manage my kickstart and Puppet services, and its built-in
FreeIPA client enrollment works just fine.

However I'd like to also request a certificate and key for a Puppet client to
use to authenticate to the Foreman-controlled Puppet server.

If I manually set up a puppet client then it works just fine.  I use something
like this:

# ipa-getcert request -w -r -f /var/lib/puppet/ssl/certs/<%= @host.name %>.pem -k /var/lib/puppet/ssl/private_keys/<%= @host.name %>.pem
# cp /etc/ipa/ca.crt /var/lib/puppet/ssl/certs/ca.pem

(then setting the correct paths and settings in /etc/puppet/puppet.conf)

I tried to make that work inside the Kickstart process, but as those commands
are running inside a kickstart chroot the certmonger service won't start.

Is there a better method to grab a SSL cert and key for the host during
kickstart?  Or should I just wait until firstboot and perform the steps at that
point?

Many Thanks and FreeIPA is really amazing!

Anthony Clark





Hello Anthony,

TL;DR: Set DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null in the kickstart 
chroot environment before calling "ipa-getcert request".



The issue is already addressed by BZ1134497 [1]. When getcert detects 
there is no DBus it starts certmonger and communicates over a unix socket. 
But in the Kickstart environment DBus is available but unusable (BZ1271551, 
[2]). It can be worked around by setting 
DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null (it is described in the Doc Text 
of [1]).


You can also run ipa-client-install with --request-cert and it will also 
request a certificate for the client. This also requires the workaround in the 
Kickstart chroot environment. But unlike "ipa-getcert request -w" it 
won't wait for the certificate to be issued and fetched.


The reason is that it can take days for a certificate to be issued (some 
CAs require human approval), so ipa-client-install only submits the 
request and doesn't wait for the certificate.
After the installation completes and the system is started, certmonger 
periodically queries for the certificate and fetches it when available.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1134497
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1271551

HTH,
--
David Kupka



Re: [Freeipa-users] migration user passwords from openldap to freeipa

2016-04-27 Thread David Kreitschmann
Are you sure that your bind DN has read access to userPassword? A default OpenLDAP 
installation usually has an admin user.
Gosa ACLs are only applied when using the web interface; they are not used for 
direct access via LDAP.


> On 27.04.2016 at 03:43, siology.io wrote:
> 
> I'm having issues migrating from an openldap directory (which has gosa 
> schema) to freeipa.
> 
> To migrate i'm doing (and yes, i know);
> 
> ipa migrate-ds ldap://old.server.com:389 --bind-dn 
> "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup 
> --user-objectclass=inetOrgPerson --group-overwrite-gid 
> --user-ignore-objectclass=gosaAccount 
> --user-ignore-objectclass=gosaMailAccount 
> --user-ignore-attribute=gosaMailDeliveryMode 
> --user-ignore-attribute=gosaMailServer 
> --user-ignore-attribute=gosaSpamSortLevel 
> --user-ignore-attribute=gosaSpamMailbox --user-ignore-objectclass=sshaccount 
> --user-ignore-objectclass=gosaacl --user-ignore-attribute=sshpublickey 
> --user-ignore-attribute=sambaLMPassword 
> --user-ignore-attribute=sambaBadPasswordTime 
> --user-ignore-attribute=gosaaclentry 
> --user-ignore-attribute=sambaBadPasswordCount 
> --user-ignore-attribute=sambaNTPassword 
> --user-ignore-attribute=sambaPwdLastSet
> 
> Which seems to work to import all those users which have posix settings set, 
> however i have two problems:
> 
> - Am i right in thinking there's no way to auto-assign a gid/uid/home dir for 
> the non-posix users at migration time ? That's not a deal breaker per se, but 
> i'd need to spin up a new copy of the old ldap and then add those attributes 
> to every user, then migrate to ipa from that source, which is a real pain.
> 
> - The migration seems to be successful for the users that do have posix 
> attributes, and ends with:
> 
>  Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
> 
> ...but i'm unable to login to that page as any of my migrated users, or bind 
> as them with ldapsearch. It seems like the passwords were not migrated ?
> 
> Because 90% of my ~350 users are only going to be using freeipa insomuch as 
> using services which are making use of the ipa server's ldap i was hoping 
> that i wouldn't need to make kerberos tickets for those users, and hence 
> avoid needing every user to login to the migration page. At the moment 
> however i'm not able to get any migrated users at all to be able to bind to 
> ldap or login to that page.
> 
> Any tips or gotchas i should know ? I've no idea how to begin debugging this.




Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka

On 27/04/16 12:48, barry...@gmail.com wrote:

Hi:

Without restarting dirsrv possible do that ?


thx Regards

barry





Hello Barry,

this ldapsearch should list all attributes that need a restart after 
modification:


$ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config 
nsslapd-requiresrestart


I don't see nsslapd-security listed, so it should be possible to change 
it at runtime.


--
David Kupka



Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka

On 27/04/16 13:15, barry...@gmail.com wrote:

Do you mean use ldapmodify?
I tried updating dse.ldif but it falls back after a while.

On 2016-04-27 at 19:10, "David Kupka" <mailto:dku...@redhat.com> wrote:

On 27/04/16 12:48, barry...@gmail.com wrote:

Hi:

Without restarting dirsrv possible do that ?


thx Regards

barry




Hello Barry,

this ldapsearch should list all attributes that need a restart after
modification:

$ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
nsslapd-requiresrestart

I don't see nsslapd-security listed, so it should be possible to change it at
runtime.

--
David Kupka



Yes, I mean ldapmodify.

Editing dse.ldif while dirsrv is running has no effect because it is 
read only at start-up and written at least at exit.


If you REALLY need to edit dse.ldif, be sure to stop dirsrv, then edit it 
and start dirsrv again.


--
David Kupka


Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-28 Thread David Kupka
CA: dogtag-ipa-renew-agent
 issuer: CN=Certificate Authority,O=sample.NET
 subject: CN=RA Subsystem,O=sample.NET
 expires: 2017-10-13 14:09:49 UTC
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
 track: yes
 auto-renew: yes
Request ID '20130519130745':
 status: NEED_CSR_GEN_PIN
 ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true";.
 stuck: yes
 key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
 certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-renew-agent
 issuer: CN=Certificate Authority,O=sample.NET
 subject: CN=test.sample.net,O=sample.NET
 expires: 2017-10-13 14:09:49 UTC
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes
--

Thanks, Anthony





Hello Anthony!

After stopping NTP (or another time-synchronizing service) and setting the 
time manually, the server really doesn't have a way to determine that its time 
differs from the real one.


I think this might be an issue with the Kerberos ticket. You can show the content 
of root's ticket cache using klist. If there is anything, clean it with 
kdestroy and try to resubmit the request again.


--
David Kupka



[Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-04 Thread David LeVene
Hey All,

I'm looking for a bit of direction around the best way to configure/set up an 
on-site cache and/or replica from an AD server which will be uni-directional (AD 
-> IPA/slapd).

The masters are multiple AD servers located around the place, and we exist in a 
place which is outside of the core network, and that network link is a single 
point of failure.

What I want to achieve is: in the event we lose connectivity with the world, 
users can still authenticate, but if someone is disabled/updated at the top 
level it replicates down. I've got a test AD server and have been reviewing IPA, 
but have hit an issue in that I can't get software installed on the AD masters 
for the 389 dir sync software.

Currently I've configured a synchronization-based solution with one-way 
replication from the AD masters -> IPA. This works fine and I can see all the 
users being created in IPA, but as the passwords can't be synced without 
installing software I can't use this method.

Another nice thing would be to have a separate domain/tree available so we can 
split up the staff that are from the master servers and some client-related 
user/passes that won't be in the Global Directory, but managed from the same 
place.

Are there any other setups that will achieve what I require? I have seen slapd 
with proxy cache but I'm not sure on this option either, and configuring slapd 
with all the ldif files manually seems a little daunting at first sight.

Thanks in advance,
David

This email and any attachments may contain confidential and proprietary 
information of Blackboard that is for the sole use of the intended recipient. 
If you are not the intended recipient, disclosure, copying, re-distribution or 
other use of any of this information is strictly prohibited. Please immediately 
notify the sender and delete this transmission if you received this email in 
error.

Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-05 Thread David LeVene
Hi Petr,

Thanks for the response.

I didn't know about Samba 4, so that's worth some further investigation on my 
part - Thanks.

So from what you've said below it can't run standalone, but SSSD does 
allow caching (if a user has authenticated previously). Does IPA have the ability 
to cache credentials for ~1 hour, so if there is a short loss of network 
connectivity users still get the OK from the cache?

I'm still having a look at SyncRepl from slapd for replication, but I'm not sure 
how this will work in the event that the provider is uncontactable; as long as 
it caches credentials/details for ~1 hour that's acceptable.

Regards
David

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Thursday, May 05, 2016 18:17
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

On 5.5.2016 06:28, David LeVene wrote:
> Hey All,
>
> I'm looking for a bit of direction around the best way to
> configure/setup an on-site cache &/or replica from an AD Server which
> will be uni-directional (AD -> IPA/slapd)
>
> The master are multiple AD Servers located around the place, and we exist in 
> a place which is outside of the core network and that network link is a 
> single point of failure.
>
> What I want to achieve is in the event we lose connectivity with the world 
> users can still authenticate, but if someone is disabled/updated at the top 
> level it replicates down. I've got a test AD Server & have been reviewing 
> IPA, but have hit an issue in that I can't get software installed on the AD 
> Masters for the 389 dir sync software.
>
> Currently I've configured a synchronization based solution with one way 
> replication from the AD Masters -> IPA. This works fine and I can see all the 
> users being created in IPA - but as the passwords can't be synced without 
> installing software I can't use this method.

All methods which can work completely off-line will require access to keys on the 
AD server. This means either some additional software on the AD side OR having a 
proper AD server which is hosted locally. This could theoretically be a Samba 4 
AD server if you want to try that.

If your clients are sufficiently new you can try to use SSSD everywhere, but it 
comes with its own limitations, e.g. users who never logged in before will not be 
able to log in when the network link is down.

I hope this helps.

Petr^2 Spacek


> Another nice thing would be to have a separate domain/tree available so we 
> can split up the staff that are from the master servers and some client 
> related user/passes that won't be in the Global Directory - but managed from 
> the same place.
>
> Are there any other setup's that will achieve what I require? Have seen slapd 
> with proxy cache but I'm not sure on this options either and configuring 
> slapd with all the ldif files manually seems a little daunting at first sight.
>
> Thanks in advance,
> David

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-06 Thread David LeVene
Thanks for the information Petr - As you have recommended another AD server or 
Samba 4 is the best solution.

Cheers
David

-Original Message-
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: Friday, May 06, 2016 17:27
To: David LeVene ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

On 6.5.2016 02:03, David LeVene wrote:
> Hi Petr,
>
> Thanks for the response.
>
> I didn't know about Samba 4, so that's worth some further investigation on my 
> part - Thanks.
>
> So from what you've said below it can't run as a standalone, but SSSD does 
> allow caching (if a user has authenticated previously).. does IPA have the 
> ability to cache credentials for ~1 hour, so if there is a short loss of 
> network connectivity users still get the OK from the cache?

SSSD's cache will help you only for local authentication on clients (using 
password). It will not help for LDAP BIND or Kerberos authentication.

> I'm still having a look at SyncRepl from slapd for replication, but not sure 
> how this will work in the event that the Provider is uncontactable - as long 
> as it caches credentials/details for ~ 1 hour that's acceptable.

AFAIK SyncRepl is not supported on AD side.


Sorry, but if you are so reliant on AD technology then you probably need to 
either pay for a new AD server or use Samba 4.

Petr^2 Spacek


Re: [Freeipa-users] mod_nss FreeIPA

2016-05-25 Thread David Kupka

On 26/05/16 07:42, Günther J. Niederwimmer wrote:
> Hello,
>
> can anyone help me find the correct way to configure a webserver with IPA
> (mod_nss)?
>
> I can't create a correct DB in /etc/httpd/alias
>
> I searched on the Internet and read the install log from ipa-server, but it
> was not possible for me to find a working way :-(.
>
> Thanks for an answer?


Hello Günther,

I'm not sure if I understand your question. What I take from your message is:

I want an IPA webserver with NSSDB in /etc/httpd/alias.

The answer then is:

ipa-server-install creates that DB for apache and populates it with 
certificates. So there is nothing to do.


From one of my test servers:

# certutil -d /etc/httpd/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
Signing-Cert                                                 u,u,u


If this is not what you were asking, please try to explain what you want 
to achieve in more detail.


--
David Kupka



Re: [Freeipa-users] SSH login to client

2016-06-09 Thread David Kupka

On 09/06/16 13:18, Pavel Picka wrote:
> Hi,
>
> Has anyone had this experience: when I create a user on ipa-server and want
> to login on a client with this user I get:
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] the password was changed to a new one)
> even after another change with ipa user-mod --password I am getting the same
> result
>
> and on the client in /var/log/messages I found:
>
> Jun  9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun  9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun  9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun  9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun  9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun  9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>
> --
> Pavel Picka


Hi Pavel!

I have a few questions that may help locate the issue:

Are you able to kinit as the user on server and client?
Are you able to ssh to the client as the admin?
What is the output of "id user" on client?

--
David Kupka



[Freeipa-users] ipa-client-install

2016-06-09 Thread David Zabner
Occasionally in our system we will see a failure in the ipa-client-install 
script and the cleanup will leave the host around in IPA.
This means that all future client installs fail because the host already 
exists. 
Is there any way to make sure that failures cause the host to be cleaned up?
Is there a command I can run that will delete the host that does not require 
the client to be installed?

Thanks for the assistance,
David


[Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-13 Thread David Fischer
(Note: versions below)

All,
I am getting password failures for accounts coming from a sub-ad domain.
I originally was not able to do 'getent' lookups of random users or groups and 
found that it was timing out during ldap scan. I upped the timeout on the 'IPA 
Configuration' tab in the web interface and this solved the 'getent' issue.  
Now I am able to do 'getent' passwd on all users in a sub-ad domain

My new problem is that I am now unable to use password to login.  If I grab a 
kerberos ticket I am able to just ssh into any IPA unix system, but fails when 
trying to do a password lookup.

The layout of systems is as follows:

1) forest domain with no users or groups
2) child domain with all users and groups.
3) IPA Realm/Domain trusted to forest domain

All users are in a sub-OU below the top of the domain in an OU called Users.  
There are about 11K users in this OU, but lookups seem really slow.

I have added to  sssd.conf the following
1) lookup_family_order = ipv4_only
2) ignore_group_members=True
3) ldap_purge_cache_timeout=0
4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
5) debug_level=9

Could anyone help direct me to a place to start looking for why lookups are 
slow and passwords are not being allowed?

Thanks,







Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-13 Thread David Fischer
-Original Message-
From: Alexander Bokovoy
To: David Fischer
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD 
Users
Date: Mon, 13 Jun 2016 12:07:29 -0700


On Mon, 13 Jun 2016, David Fischer wrote:



Start with https://fedorahosted.org/sssd/wiki/Troubleshooting


Alexander,

Thanks, I am already running through this guide.


One of the things that is happening is I can create a user with min groups and 
that account is able to login.  So i am adding groups that other users have one 
at a time to see what affects this





Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-14 Thread David Fischer
Alexander,
One of the things I am seeing is that our AD has groups that are 5 deep and IPA 
is not able to enumerate all the groups.  Is there a way to help IPA in search 
depth or scope?

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Monday, June 13, 2016 12:07 PM
To: David Fischer
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD 
Users

On Mon, 13 Jun 2016, David Fischer wrote:
Start with 
https://fedorahosted.org/sssd/wiki/Troubleshooting
--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-14 Thread David Fischer
Alexander,

I am getting the windows admin to refresh our DR AD setup and I should be able 
to give you an idea on some of our groups layouts.

So a quick understanding is that a single user can have 15-20+ groups; those 
groups might have all users in them plus groups. The groups of groups can link 
back to groups that the user may have already been assigned.
We do know that we have at least one circular group in our environment.
I have used the 'ignore_group_members' with some success. Ref: 
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/



-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, June 14, 2016 1:03 PM
To: David Fischer
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD 
Users

On Tue, 14 Jun 2016, David Fischer wrote:
>Alexander,
>One of the things I am seeing is that our AD has groups that are 5 deep
>and IPA is not able to enumerate all the groups.  Is there a way to help
>IPA in search depth or scope?
SSSD should be able to handle that. If not, show the logs that demonstrate 
specific issues with a model group.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-16 Thread David Fischer
Alexander,

Ok, I figured most of my issues were the ldap search time out and also 
ldap_idmap_range_size was too small.

So I am left with one last problem: any new users can login via password, 
but existing users' passwords do not work while kerberos tickets do.
So is there another setting I am missing? getent and id -a both work fine and 
there are no HBAC rules.  Any thought would be helpful.

Thanks

-Original Message-
From: Alexander Bokovoy
To: David Fischer
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD 
Users
Date: Tue, 14 Jun 2016 23:52:36 -0700


On Tue, 14 Jun 2016, David Fischer wrote:



That article is what Jakub and I wrote. Jakub may have more suggestions
and there are some improvements in recent SSSD releases in RHEL 7.2.4.






Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-17 Thread David Fischer


-Original Message-
From: Alexander Bokovoy
To: David Fischer
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD 
Users
Date: Fri, 17 Jun 2016 05:02:59 -0700


On Thu, 16 Jun 2016, David Fischer wrote:

> Alexander,
>
> Ok I figured most of my issues were ldap search time out and also
> ldap_idmap_range_size was too small.

Good.

> So I am left with one last problem is that any new users can login via
> password but existing users passwords do not work but kerberos tickets
> do.  So is there another setting I am missing. getent and id -a both
> work fine and there are no HBAC.  Any thought would be helpful.

New users where? In Active Directory or in IPA? In case of
authentication checks you need to look at the SSSD domain log together
with the pam log and krb5_child log.



Sorry, yes, all accounts will live in AD.

So any users that I have created in AD after the trust was created I am able 
to login as; any accounts created before give a password failure.

Thanks



Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?

2016-06-30 Thread David Kupka

On 29/06/16 19:05, Roderick Johnstone wrote:
> Hi
>
> If I set a kerberos principal for a user to expire on a given date using:
> ipa user-mod  --principal-expiration=DATE
> is it possible to later remove this expiration date rather than just set
> it to a time far in the future?
>
> Thanks
>
> Roderick Johnstone



Hello Roderick,
AFAIK the only way to remove the principal expiration at the moment is to 
remove the krbPrincipalExpiration attribute from the user entry in DS.


$ kinit admin
Password for ad...@example.org
$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.org
SASL SSF: 56
SASL data security layer installed.
dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
delete: krbprincipalexpiration
modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"

I think that it makes sense to expose this in the API. Could you please file 
an RFE (https://fedorahosted.org/freeipa/newticket)?


--
David Kupka
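The same attribute removal as a small script, added here as an example rather than David Kupka's own commands: it builds the LDIF from a uid and base DN, shows the current value before and after, and applies the change over GSSAPI. It assumes an admin ticket is already held (kinit admin), openldap-clients is installed, and the user entry lives under cn=users,cn=accounts as in the session above.

```shell
#!/bin/sh
# Added example for the thread above; not the project's own tooling.
# Assumes: an admin Kerberos ticket is already held (kinit admin), ldapsearch
# and ldapmodify from openldap-clients are installed, and the user entry lives
# under cn=users,cn=accounts of the IPA base DN, as in the session above.

# Compose the user DN from a uid and the IPA base DN (e.g. dc=example,dc=org).
user_dn() {
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$1" "$2"
}

# Emit the LDIF change record that drops krbPrincipalExpiration entirely.
# A 'delete:' with no value lines removes the whole attribute, which leaves the
# principal with no expiration at all instead of a far-future date.
unexpire_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: krbprincipalexpiration\n' \
        "$(user_dn "$1" "$2")"
}

# Print the current expiration (if any) so the change can be reviewed first.
# -Q keeps SASL quiet, -s base reads only the user entry itself.
show_expiration() {
    ldapsearch -Q -Y GSSAPI -LLL -s base -b "$(user_dn "$1" "$2")" \
        krbPrincipalExpiration
}

# Apply the change over GSSAPI; ldapmodify reads the LDIF from stdin.
unexpire_user() {
    unexpire_ldif "$1" "$2" | ldapmodify -Q -Y GSSAPI
}

# usage: sh unexpire.sh tuser dc=example,dc=org
if [ "$#" -eq 2 ]; then
    show_expiration "$1" "$2"
    unexpire_user "$1" "$2" && show_expiration "$1" "$2"
fi
```

The second show_expiration call after the modify returns only the dn line when the attribute is gone, which is the quick confirmation that the delete took effect.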



[Freeipa-users] Replicating users/groups from AD

2016-07-22 Thread Alston, David
Greetings!

 I realize that FreeIPA is supposed to be set up as master of its own 
domain, but are there any plans to continue the account replication 
functionality that has already been in FreeIPA?  I had heard a rumor that it 
would be possible to have FreeIPA and Active Directory coexist in the same 
domain in some release in the future.  Am I waiting for a feature that will 
never come?

--David Alston