[Freeipa-users] Still trying to implement password expiration warnings
Hello.

Earlier this year I tried to re-implement a "password expiration warning" email when using IPA 4.x. I hit a wall and ended up deciding to look at this later. Now is later :)

The plan is to use ldapsearch to check for krbLastPwdChange and compare it to krbPasswordExpiration, but these attributes seem to be hidden unless one is authenticating (through Kerberos?). This is with RHEL 7 and IPA 4.2.0.

I have done:

# ipa service-add PWDREMIND/script.host.fqdn
# ipa-getkeytab -s script.host.fqdn -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/script.host.fqdn

...and I have a file /etc/gssproxy/pwdremind.keytab

I added a section to /etc/gssproxy/gssproxy.conf:

[service/PWDREMIND]
  mechs = krb5
  cred_store = client_keytab:/etc/gssproxy/pwdremind.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  cred_usage = initiate
  euid = 0
  debug = true

In my "pwdcheck.sh" script I have the following:

#!/bin/bash
# Route GSSAPI calls through gssproxy so the service keytab supplies the credentials
export GSS_USE_PROXY="yes"
# Unlocked accounts whose password was changed over a week ago and expires within a week
ldapsearch -z 500 -Y GSSAPI -h ipa.host.fqdn -b cn=users,cn=accounts,dc=example,dc=net "(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=$(date +%Y%m%d --date='-1 week')00Z)(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 week')00Z))" uid | grep ^uid | cut -d: -f2 | while read uid
do
  # Look up the mail address for each matching uid
  ldapsearch -z 500 -Y GSSAPI -h ipa.host.fqdn -b cn=users,cn=accounts,dc=example,dc=net "uid=${uid}" mail | grep ^mail | cut -d: -f2 | while read mail
  do
    echo "password expires in less than a week: username=$uid mail=$mail"
  done
done

Checking the journalctl for gssproxy I get:

Dec 23 11:36:35 script.host.fqdn gssproxy[26977]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Dec 23 11:36:35 script.host.fqdn gssproxy[26976]: gssproxy[26977]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found

Does anyone see where things are going wrong here or have some suggestions on what I should try?

Regards
Eivind Olsen

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
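The check that pwdcheck.sh performs, as an added example in Python that is not the poster's script: it applies the same three conditions as the LDAP filter (account not locked, last password change at least a week old, expiry within a week) to LDIF records, and also decodes base64 "mail::" values, which the script's grep/cut pipeline would return as empty. It runs offline on constructed sample records; in a deployment the input would be the output of ldapsearch -LLL requesting uid, mail, nsAccountLock, krbLastPwdChange and krbPasswordExpiration.

```python
# Added example, not the poster's pwdcheck.sh: the script's LDAP filter rule applied
# offline to LDIF, e.g. `ldapsearch -LLL ... uid mail nsAccountLock krbLastPwdChange
# krbPasswordExpiration` output, or the constructed records below.
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample (made-up uids, dates, addresses) in the shape ldapsearch -LLL
# prints; "mail::" is how LDIF carries a base64-encoded value.
SAMPLE_LDIF = """\
uid: alice
mail: alice@example.net
krbLastPwdChange: 20161101120000Z
krbPasswordExpiration: 20161226083000Z

uid: bob
mail:: Ym9iQGV4YW1wbGUubmV0
krbLastPwdChange: 20161001120000Z
krbPasswordExpiration: 20161227120000Z

uid: carol
mail: carol@example.net
nsAccountLock: TRUE
krbLastPwdChange: 20161001120000Z
krbPasswordExpiration: 20161225120000Z
"""

def parse_ldif(text):
    """One {attr: [values]} dict per blank-line-separated record."""
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            rec.setdefault(attr, []).append(value.strip())
        yield rec

def parse_generalized_time(s):
    """LDAP GeneralizedTime as IPA stores it, e.g. 20161226083000Z."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def users_to_remind(ldif_text, now, window=timedelta(weeks=1)):
    """[(uid, mail, days_left)] for unlocked users whose password was changed
    at least `window` ago and expires within `window` of `now`."""
    hits = []
    for rec in parse_ldif(ldif_text):
        if rec.get("nsAccountLock", ["FALSE"])[0].upper() == "TRUE":
            continue                           # the filter's (!(nsAccountLock=TRUE))
        changed = parse_generalized_time(rec["krbLastPwdChange"][0])
        expires = parse_generalized_time(rec["krbPasswordExpiration"][0])
        if changed <= now - window and expires <= now + window:
            hits.append((rec["uid"][0], rec["mail"][0], (expires - now).days))
    return hits
```

Because uid and mail are read from the same record, one search returning both attributes replaces the nested per-user ldapsearch in the script.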
Re: [Freeipa-users] How to implement password expiration notifications?
On 2016-06-08 14:00, Alexander Bokovoy wrote:
> Make a service (ipa service-add), download a keytab with the key for this service and use gss-proxy to provide refreshing credentials based on the keytab to a script that runs periodically.

Hm. I like that idea, now I just need to actually make it work here :)

I have done:

ipa service-add PWDREMIND/script.host.fqdn
ipa-getkeytab -s script.host.fqdn -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/script.host.fqdn

...and I have a file /etc/gssproxy/pwdremind.keytab

I added a section to /etc/gssproxy/gssproxy.conf:

[service/PWDREMIND]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/pwdremind.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 0

I guess I could run the password reminder script as another user in cron and change the euid line above accordingly.

Now I guess the next step is figuring out how to tell "ldapsearch" to work with gssproxy (unless I've made some other glaring mistake already).

Regards
Eivind Olsen
[Freeipa-users] How to implement password expiration notifications?
We have previously used a script to send "password expiration" reminders to our users. The script did this by doing an LDAP search and checking krbLastPwdChange and krbPasswordExpiration.

This seems to have stopped working, possibly a while ago. It now looks like the script is unable to match anything with the following filter:

"(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=$(date +%Y%m%d --date='-1 week')00Z)(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 week')00Z))"

...that is, unless I run it manually and tell ldapsearch I want to use GSSAPI.

What's the best / proper way of implementing something like this on a more recent IPA (say, running on RHEL 7.2 with IPA 4.2.0)? I see some possible methods but none of these feel "right":

* I can hardcode an admin user + password in the script, and have it run "kinit"
* I can create a keytab file for a user and use that
* I can modify ACL/ACIs in 389ds

Am I overlooking a nice and obvious solution? :)

Regards
Eivind Olsen
[Freeipa-users] Clients in multiple domains, any known issues?
Hello.

I have so far been running IPA on RHEL6, with a single domain (and a matching realm). I now have a use-case where it looks like I'll need to set up a new IPA realm, with the IPA servers in one DNS domain and the IPA clients in multiple (2-4) other domains. The servers will be running RHEL6 or RHEL7 with the bundled IPA. The clients are running mainly RHEL5 and RHEL6, and have hostnames that don't exist in DNS.

Are there any known issues with this type of setup? I know, it sounds a bit hairy, but apart from that? :)

Regards
Eivind Olsen
Re: [Freeipa-users] The htaccess login pop-up window appears but login never succeeds
Eivind Olsen wrote:
> Did you get any closer to finding out what's causing this? I get the same
> kind of pop-up window here, but only in some web browsers: I get the
> pop-up in MS Internet Explorer and Google Chrome, but not in Firefox.
> Opera gives me a "Unknown Error" instead.
> (this is on RHEL 6.3 w/IPA 2.2.0-17, btw)

Hm, I normally try to not reply to myself, but thought I'd add that after upgrading Opera from 11.x to 12.14 I no longer get the "Unknown Error", but instead I get a login pop-up just like I did with MSIE and Chrome.

Regards
Eivind Olsen

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] The htaccess login pop-up window appears but login never succeeds
Rajnesh Kumar Siwal wrote:
> Thanks, Petr,
>
> I would like to confirm that I did not manually install any other
> application on it.
> I will dig further on it, if I could fetch out the reason.

Did you get any closer to finding out what's causing this? I get the same kind of pop-up window here, but only in some web browsers: I get the pop-up in MS Internet Explorer and Google Chrome, but not in Firefox. Opera gives me a "Unknown Error" instead.

(this is on RHEL 6.3 w/IPA 2.2.0-17, btw)

Regards
Eivind Olsen
Re: [Freeipa-users] Strange issue regarding password change
Sumit Bose wrote:
> hmm, any chance there is a firewall doing NAT between the client and the
> KDC? Kerberos password changes do not work reliably over NAT. Afaik
> there is some work in progress to make it possible but for the time
> being it will not work.

Hm, yes. There seems to be NAT between the kerberos client "libresse" and the KDC, so it's quite likely that you've spotted what's causing my problem. Thanks! Now, to see how I can work around it... :)

Regards
Eivind Olsen
Re: [Freeipa-users] Strange issue regarding password change
I wrote:
...
> In the /var/log/messages on the server "libresse", I see:
>
> Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
> Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
> Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
> Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
> Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
> Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
> Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed

During the same time, this is what I see in /var/log/secure:

Sep 28 10:39:15 libresse sshd[14819]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): received for user eolsen: 12 (Authentication token is no longer valid; new one required)
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 28 10:39:15 libresse sshd[14819]: pam_unix(sshd:chauthtok): user "eolsen" does not exist in /etc/passwd
Sep 28 10:39:28 libresse sshd[14819]: pam_unix(sshd:chauthtok): user "eolsen" does not exist in /etc/passwd
Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): system info: [Generic error (see e-text)]
Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): User info message: Password change failed.
Server message: Failed decrypting request
Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): Password change failed for user eolsen: 20 (Authentication token manipulation error)
Sep 28 10:39:48 libresse sshd[14824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): received for user eolsen: 12 (Authentication token is no longer valid; new one required)
Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 28 10:39:48 libresse sshd[14824]: pam_unix(sshd:chauthtok): user "eolsen" does not exist in /etc/passwd
Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): system info: [Decrypt integrity check failed]
Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): Authentication failed for user eolsen: 4 (System error)
Sep 28 10:39:58 libresse sshd[14810]: error: PAM: Authentication token manipulation error for eolsen from host8560.domain.internal
Sep 28 10:40:01 libresse sshd[14838]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): system info: [Decrypt integrity check failed]
Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host8560.domain.internal user=eolsen
Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): received for user eolsen: 4 (System error)
Sep 28 10:40:03 libresse sshd[14810]: error: PAM: Authentication failure for eolsen from host8560.domain.internal
Sep 28 10:40:03 libresse sshd[14811]: Connection closed by 10.83.70.15

Regards
Eivind Olsen
[Freeipa-users] Strange issue regarding password change
I've noticed an issue here. It's most likely something I've managed to do the wrong way, or something really obvious I'm missing, but at the moment I can't see what it is (otherwise I'd fix it instead of asking for help here :))

I have a setup with some RHEL 6.3 boxes, using the IPA bundled with that OS (ipa-client-2.2.0-16, and same version of the ipa-server as well). When I create new users, I assign them a password, and they're required to change their password at the first login.

My problem is that I can only get this password change to work when I ssh to the KDC/IPA server - it fails if I ssh to one of the clients instead. After I have changed the password on the KDC, I can ssh to the clients.

Here's an example of what it looks like when I ssh from a laptop that's not part of the kerberos realm, to one of the clients:

[eio@lappy ~]$ ssh eolsen@libresse.domainname
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Failed decrypting request
Password:
Password expired. Change your password now.
Current Password:
Password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
[eio@lappy ~]$

In the /var/log/messages on the server "libresse", I see:

Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed

Here's what it looks like when I ssh to the KDC instead:

[eio@lappy ~]$ ssh eolsen@kdc.domainname
eolsen@kdc.domainname's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user eolsen.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to kdc.domainname closed.
[eio@lappy ~]$

...and I can now ssh to all the servers just fine:

[eio@lappy ~]$ ssh eolsen@libresse.domainname
Password:
Last login: Fri Sep 28 11:12:28 2012 from
Welcome to libresse.domainname (RedHat 6.3 x86_64).
[eolsen@libresse ~]$

Some additional information: lappy and libresse are using RFC1918 addresses, and don't have proper reverse DNS. kdc is using an official IP address with proper reverse DNS.

Is anyone able to see what I've done wrong here, or have suggestions on where I should be digging deeper?

Regards
Eivind Olsen
eiv...@aminor.no
Re: [Freeipa-users] Slight confusion about groups, netgroups, sudo rules etc.
Sigbjorn Lie wrote:
> I have implemented Solaris 10 with IPA with success. AES256 did not come
> to Solaris 10 until around update 7 or 8. There is still a bug where the
> required crypto provider is not enabled.
[etc.. lots of useful information]

Thanks! I've postponed using FreeIPA with Solaris so far, due to a lack of time to really dig into these issues. Your answer really helps me get this back on track! :)

Regards
Eivind Olsen
[Freeipa-users] Slight confusion about groups, netgroups, sudo rules etc.
Hello.

I'm currently looking at implementing IPA in a mixed environment, consisting of RHEL6, RHEL5 and Solaris 10 systems. The IPA server(s) is the most recent one bundled with RHEL 6.2.

I have some general rules I'll need to follow as best as I can, but I'm not really sure how to do this in IPA without it seeming like a huge work-around. This seems easy enough had it been for a pure RHEL6 environment, but with Solaris there's no SSSD, I apparently might need to downgrade the encryption types for "older" Solaris 10, etc. All of this is making my head dizzy, and I'd appreciate any help and pointers to clear my mind :)

Examples of the basic rules are (there's more of them, it's not only for the DNS servers for example, but the other cases can be solved in the same way):

- all sysadmins should be allowed to log into every system in the realm
- all sysadmins should be allowed to run certain commands (or to make it easy, any command) through the use of "sudo", on all systems
- some users will be part of certain groups, giving them permission to log into certain servers and run a set of commands through "sudo", for example: members of the dns-managers group should be allowed to ssh into the DNS servers (which consist of both RHEL6 and Solaris 10), and run certain commands through "sudo"
- certain other users will be allowed to log into some systems, but without any additional access through "sudo" (the fact that they're allowed to log into system X doesn't mean they should be allowed to become root, etc).

I've read a suggestion about making a host group for the Red Hat systems, a netgroup for the Solaris systems, and creating a user group which is added as a member of both the host group and netgroup. But, will I still need to worry about the old issue of Solaris apparently not coping well with users that have >16 additional groups to their name?

I have also read about having to add / change compatibility plugins, having to downgrade the algorithm for the Solaris 10 encryption type for older Solaris 10 releases, etc. And there's probably a few more things I need to watch out for and that aren't directly mentioned in the IPA documentation.

Oh, in case it matters - there's no common NFS home directories, so I'll also need to automatically create the home directories (I've got this bit sorted on RHEL6 with help from oddjob-mkhomedir). For Solaris, I've read suggestions about using executable autofs maps to create home directories in /export/home and have them loopback-mounted to /home so they match the homeDirectory attribute.

Regards
Eivind "Confused" Olsen