Re: [Freeipa-users] sudo users
Cool. That solved the problem. Thanks

On Thu, Mar 10, 2016 at 9:37 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Thu, Mar 10, 2016 at 03:50:08PM +1300, Teik Hooi Beh wrote:
> > Hi,
> >
> > I am trying to deploy sudo rules in FreeIPA 4.2 on Centos 7.2. I have
> > created 2 sudo rules, one with sudo options=!authenticate (NOPASSWD) and
> > the other sudo options=authenticate (PASSWD) (which I assume requires the
> > user to key in the password to run).
> >
> > The NOPASSWD works but the one with PASSWD kept denying even though the
> > password seems authenticated (from /var/log/secure) -
> >
> > Mar 10 02:38:31 node1 sudo: pam_sss(sudo:auth): authentication success;
> > logname=ttester uid=5001 euid=0 tty=/dev/pts/1 ruser=ttester rhost=
> > user=ttester
> > Mar 10 02:38:31 node1 sudo: pam_sss(sudo:account): Access denied for user
> > ttester: 6 (Permission denied)
> >
> > I have followed instructions from here -
> > http://blog.delouw.ch/2013/07/25/centrally-manage-sudoers-rules-with-ipa-part-i-preparation/
>
> Looks like HBAC is denying access, please make sure the user is allowed
> to access the sudo/sudo-i service.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
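The log pair above is the signature of this problem: pam_sss(sudo:auth) succeeded, so the password was right, and pam_sss(sudo:account) then denied, which is SSSD evaluating the HBAC rules for the PAM service named "sudo" (or "sudo-i" for sudo -i). A sudo rule alone is not enough; the user also needs an HBAC rule for those services on the host, which matters as soon as the default allow_all HBAC rule has been disabled. The script below is an added example, not code from the thread or from FreeIPA: it creates that HBAC rule, adds a password-required sudo rule for one command, and checks the decision with ipa hbactest before anyone tries it on the client. The rule names, the host node1.example.my, the command path and the DRY_RUN wrapper are assumptions; it needs an admin ticket (kinit admin) and the ipa CLI.

```shell
#!/bin/sh
# Added example (not from the thread): grant a user the "sudo" and "sudo-i"
# HBAC services on one host, add a password-required sudo rule, and check the
# result with ipa hbactest. Rule names, the host and the command path are
# assumptions; run with an admin ticket (kinit admin) and the ipa CLI installed.
set -eu

# run CMD...: execute the command, or only print it when DRY_RUN is set so the
# changes can be reviewed before anything is written to the directory.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# hbac_allow_sudo USER HOST [RULE]: the rule that was missing in the thread.
# pam_sss(sudo:account) asks SSSD whether USER may use the PAM service named
# "sudo" (or "sudo-i") on this host; with no matching HBAC rule the answer is
# "Access denied" even after a correct password.
hbac_allow_sudo() {
    user=$1; host=$2; rule=${3:-allow_sudo_$1}
    run ipa hbacrule-add "$rule" --desc="sudo access for $user"
    run ipa hbacrule-add-user "$rule" --users="$user"
    run ipa hbacrule-add-host "$rule" --hosts="$host"
    run ipa hbacrule-add-service "$rule" --hbacsvcs=sudo --hbacsvcs=sudo-i
}

# sudo_rule_passwd USER HOST CMD [RULE]: sudo rule for one command that keeps
# the password prompt ("authenticate"; the NOPASSWD variant is '!authenticate').
sudo_rule_passwd() {
    user=$1; host=$2; cmd=$3; rule=${4:-sudo_${1}_passwd}
    run ipa sudocmd-add "$cmd"
    run ipa sudorule-add "$rule"
    run ipa sudorule-add-user "$rule" --users="$user"
    run ipa sudorule-add-host "$rule" --hosts="$host"
    run ipa sudorule-add-allow-command "$rule" --sudocmds="$cmd"
    run ipa sudorule-add-option "$rule" --sudooption=authenticate
}

# hbac_check USER HOST: evaluate the HBAC rules on the server the way the
# client will, for both sudo PAM service names, and show which rules matched.
hbac_check() {
    run ipa hbactest --user="$1" --host="$2" --service=sudo
    run ipa hbactest --user="$1" --host="$2" --service=sudo-i
}

# Usage: ./ipa_sudo_hbac.sh apply        (DRY_RUN=1 prints the commands only)
if [ "${1:-}" = "apply" ]; then
    hbac_allow_sudo ttester node1.example.my
    sudo_rule_passwd ttester node1.example.my /usr/bin/systemctl
    hbac_check ttester node1.example.my
    # On the IPA client (node1): SSSD caches HBAC and sudo rules, so flush
    # them to see the new rules on the next sudo instead of after a refresh.
    run sss_cache -E
fi
```

ipa hbactest prints "Access granted: True/False" together with the matched and unmatched rules, so a False here with the sudo rule in place points at HBAC, exactly the situation in the thread. Keep the HBAC rule as narrow as the sudo rule: a user who needs sudo on one host gets the sudo services on that host only, not an allow_all rule re-enabled for convenience.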
[Freeipa-users] sudo users
Hi,

I am trying to deploy sudo rules in FreeIPA 4.2 on Centos 7.2. I have
created 2 sudo rules, one with sudo options=!authenticate (NOPASSWD) and
the other sudo options=authenticate (PASSWD) (which I assume requires the
user to key in the password to run).

The NOPASSWD works but the one with PASSWD kept denying even though the
password seems authenticated (from /var/log/secure) -

Mar 10 02:38:31 node1 sudo: pam_sss(sudo:auth): authentication success; logname=ttester uid=5001 euid=0 tty=/dev/pts/1 ruser=ttester rhost= user=ttester
Mar 10 02:38:31 node1 sudo: pam_sss(sudo:account): Access denied for user ttester: 6 (Permission denied)

I have followed instructions from here -
http://blog.delouw.ch/2013/07/25/centrally-manage-sudoers-rules-with-ipa-part-i-preparation/
Re: [Freeipa-users] Not able to get kerberos ticket from keytab
And yes, I also need to include -s ipaserver in the get-ipakeytab command,
otherwise it kept giving a wrong usage error.

On Fri, Feb 26, 2016 at 10:29 PM, Teik Hooi Beh <th...@thbeh.com> wrote:
> Thanks. It's working now using ipa-getkeytab.
>
> Correct me if I am wrong (as I am new to freeipa), using ktutil I could
> add multiple users in a keytab file (correct???) but in this case using
> ipa-getkeytab can I do the same?
>
> On Fri, Feb 26, 2016 at 9:15 PM, David Kupka <dku...@redhat.com> wrote:
>
>> On 26/02/16 08:56, David Kupka wrote:
>>
>>> On 26/02/16 02:22, Teik Hooi Beh wrote:
>>>
>>>> Hi,
>>>>
>>>> I have managed to deploy 1 ipa master and 1 ipa client with success on
>>>> centos 7.2 with freeipa v4.2. I also managed to create a user and set
>>>> sshd-rules for the ttester user and also successfully got a krb ticket
>>>> using kinit ttes...@example.my. I am trying to deploy password-less SSH
>>>> login with kerberos using the following guide (
>>>> https://uz.sns.it/~enrico/wordpress/2014/03/password-less-ssh-login-with-kerberos/
>>>> )
>>>>
>>>> - snippet -
>>>>
>>>> $ ktutil
>>>> ktutil: add_entry -password -p ttes...@example.my -k 1 -e aes256-cts-hmac-sha1-96
>>>> ktutil: write_kt keytab
>>>>
>>>> When I tried kinit -kt keytab ttes...@example.my, I get "kinit:
>>>> Password incorrect while getting initial credentials"
>>>> Doing a trace using KRB5_TRACE on both calls
>>>>
>>>> 1. KRB5_TRACE=/dev/stderr kinit ttes...@example.my
>>>> [27242] 1456447025.219676: Getting initial credentials for ttes...@example.my
>>>> [27242] 1456447025.222070: Sending request (164 bytes) to EXAMPLE.MY
>>>> [27242] 1456447025.23: Resolving hostname node1.example.my
>>>> [27242] 1456447035.238004: Initiating TCP connection to stream 192.168.38.2:88
>>>> [27242] 1456447035.238675: Sending TCP request to stream 192.168.38.2:88
>>>> [27242] 1456447035.241248: Received answer (337 bytes) from stream 192.168.38.2:88
>>>> [27242] 1456447035.241257: Terminating TCP connection to stream 192.168.38.2:88
>>>> [27242] 1456447035.241377: Response was from master KDC
>>>> [27242] 1456447035.241437: Received error from KDC: -1765328359/Additional pre-authentication required
>>>> [27242] 1456447035.241484: Processing preauth types: 136, 19, 2, 133
>>>> [27242] 1456447035.241499: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
>>>> [27242] 1456447035.241504: Received cookie: MIT
>>>> Password for ttes...@example.my:
>>>> [27242] 1456447062.215750: AS key obtained for encrypted timestamp: aes256-cts/73C6
>>>> [27242] 1456447062.215815: Encrypted timestamp (for 1456447062.215315): plain 301AA011180F32303136303232363030333734325AA1050203034913, encrypted F9A2E97E916FC14D141690E151A25DCC00168361179C7F0ACDA94C7F58F3D50429780A5608A6B8623E355F2A5BD676F6FA5272D38FD05C8B
>>>> [27242] 1456447062.215942: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
>>>> [27242] 1456447062.215948: Produced preauth for next request: 133, 2
>>>> [27242] 1456447062.215965: Sending request (257 bytes) to EXAMPLE.MY
>>>> [27242] 1456447062.216010: Resolving hostname node1.example.my
>>>> [27242] 1456447072.229254: Initiating TCP connection to stream 192.168.38.2:88
>>>> [27242] 1456447072.229655: Sending TCP request to stream 192.168.38.2:88
>>>> [27242] 1456447072.236955: Received answer (722 bytes) from stream 192.168.38.2:88
>>>> [27242] 1456447072.236974: Terminating TCP connection to stream 192.168.38.2:88
>>>> [27242] 1456447072.237080: Response was from master KDC
>>>> [27242] 1456447072.237117: Processing preauth types: 19
>>>> [27242] 1456447072.237125: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
>>>> [27242] 1456447072.237131: Produced preauth for next request: (empty)
>>>> [27242] 1456447072.237140: AS key determined by preauth: aes256-cts/73C6
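The trace in this thread already contains the reason the ktutil keytab failed. The KDC's etype-info for the account names the salt "s`GD^,#=cA:Vr9hD", while ktutil add_entry -password derives the key with MIT's default salt (realm plus principal name) unless told otherwise, so the keytab holds a different key than the KDC and the encrypted-timestamp preauth fails with "Password incorrect". (Newer ktutil versions can fetch the salt from the KDC with add_entry -f; the krb5 shipped with CentOS 7 cannot.) Asking the IPA server for the key with ipa-getkeytab sidesteps the problem, which is what worked here. The script below is an added example, not code from the thread or from FreeIPA; the server name ipaserver.example.my, the principals and the DRY_RUN wrapper are assumptions. It also answers the question about several users in one keytab: repeated calls with the same -k file append entries.

```shell
#!/bin/sh
# Added example (not from the thread): build a keytab for IPA user principals
# with ipa-getkeytab instead of ktutil, then prove it works with kinit. The
# server and principal names are assumptions; run it with a ticket that may
# manage the principal (for a user account, kinit admin).
set -eu

# run CMD...: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# user_keytab SERVER PRINCIPAL KEYTAB: ask the IPA server for a key for
# PRINCIPAL and append it to KEYTAB.
#   -s  the server to talk to (the thread found this flag is required)
#   -P  prompt for the account password and derive the key from it; without
#       -P ipa-getkeytab sets a NEW random key and the user's password stops
#       working. Either way the key version (kvno) is bumped.
# Calling this once per principal with the same KEYTAB is the ipa-getkeytab
# equivalent of several ktutil add_entry lines: entries are appended.
user_keytab() {
    run ipa-getkeytab -s "$1" -p "$2" -k "$3" -P
}

# keytab_check KEYTAB PRINCIPAL: list the entries with their enctype and kvno,
# then obtain a TGT with the keytab only (no password prompt).
keytab_check() {
    run klist -kte "$1"
    run kinit -kt "$1" "$2"
    run klist
}

# Usage: ./ipa_user_keytab.sh apply       (DRY_RUN=1 prints the commands only)
if [ "${1:-}" = "apply" ]; then
    kt=./keytab
    user_keytab ipaserver.example.my ttester@EXAMPLE.MY "$kt"
    user_keytab ipaserver.example.my tester2@EXAMPLE.MY "$kt"
    # A user keytab is as sensitive as the password behind it.
    run chmod 600 "$kt"
    keytab_check "$kt" ttester@EXAMPLE.MY
fi
```

Two caveats for a password-less SSH setup built this way: a keytab holding a person's long-term key is that person's password at rest, so keep it mode 0600 on one host and consider a dedicated principal for the automation instead of a human account; and because ipa-getkeytab bumps the kvno, run it before, not after, distributing any other keytab for the same principal.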
Re: [Freeipa-users] Not able to get kerberos ticket from keytab
Thanks. It's working now using ipa-getkeytab.

Correct me if I am wrong (as I am new to freeipa), using ktutil I could
add multiple users in a keytab file (correct???) but in this case using
ipa-getkeytab can I do the same?

On Fri, Feb 26, 2016 at 9:15 PM, David Kupka <dku...@redhat.com> wrote:
> On 26/02/16 08:56, David Kupka wrote:
>
>> On 26/02/16 02:22, Teik Hooi Beh wrote:
>>
>>> Hi,
>>>
>>> I have managed to deploy 1 ipa master and 1 ipa client with success on
>>> centos 7.2 with freeipa v4.2. I also managed to create a user and set
>>> sshd-rules for the ttester user and also successfully got a krb ticket
>>> using kinit ttes...@example.my. I am trying to deploy password-less SSH
>>> login with kerberos using the following guide (
>>> https://uz.sns.it/~enrico/wordpress/2014/03/password-less-ssh-login-with-kerberos/
>>> )
>>>
>>> - snippet -
>>>
>>> $ ktutil
>>> ktutil: add_entry -password -p ttes...@example.my -k 1 -e aes256-cts-hmac-sha1-96
>>> ktutil: write_kt keytab
>>>
>>> When I tried kinit -kt keytab ttes...@example.my, I get "kinit:
>>> Password incorrect while getting initial credentials"
>>> Doing a trace using KRB5_TRACE on both calls
>>>
>>> 1. KRB5_TRACE=/dev/stderr kinit ttes...@example.my
>>> [27242] 1456447025.219676: Getting initial credentials for ttes...@example.my
>>> [27242] 1456447025.222070: Sending request (164 bytes) to EXAMPLE.MY
>>> [27242] 1456447025.23: Resolving hostname node1.example.my
>>> [27242] 1456447035.238004: Initiating TCP connection to stream 192.168.38.2:88
>>> [27242] 1456447035.238675: Sending TCP request to stream 192.168.38.2:88
>>> [27242] 1456447035.241248: Received answer (337 bytes) from stream 192.168.38.2:88
>>> [27242] 1456447035.241257: Terminating TCP connection to stream 192.168.38.2:88
>>> [27242] 1456447035.241377: Response was from master KDC
>>> [27242] 1456447035.241437: Received error from KDC: -1765328359/Additional pre-authentication required
>>> [27242] 1456447035.241484: Processing preauth types: 136, 19, 2, 133
>>> [27242] 1456447035.241499: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
>>> [27242] 1456447035.241504: Received cookie: MIT
>>> Password for ttes...@example.my:
>>> [27242] 1456447062.215750: AS key obtained for encrypted timestamp: aes256-cts/73C6
>>> [27242] 1456447062.215815: Encrypted timestamp (for 1456447062.215315): plain 301AA011180F32303136303232363030333734325AA1050203034913, encrypted F9A2E97E916FC14D141690E151A25DCC00168361179C7F0ACDA94C7F58F3D50429780A5608A6B8623E355F2A5BD676F6FA5272D38FD05C8B
>>> [27242] 1456447062.215942: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
>>> [27242] 1456447062.215948: Produced preauth for next request: 133, 2
>>> [27242] 1456447062.215965: Sending request (257 bytes) to EXAMPLE.MY
>>> [27242] 1456447062.216010: Resolving hostname node1.example.my
>>> [27242] 1456447072.229254: Initiating TCP connection to stream 192.168.38.2:88
>>> [27242] 1456447072.229655: Sending TCP request to stream 192.168.38.2:88
>>> [27242] 1456447072.236955: Received answer (722 bytes) from stream 192.168.38.2:88
>>> [27242] 1456447072.236974: Terminating TCP connection to stream 192.168.38.2:88
>>> [27242] 1456447072.237080: Response was from master KDC
>>> [27242] 1456447072.237117: Processing preauth types: 19
>>> [27242] 1456447072.237125: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
>>> [27242] 1456447072.237131: Produced preauth for next request: (empty)
>>> [27242] 1456447072.237140: AS key determined by preauth: aes256-cts/73C6
>>> [27242] 1456447072.237199: Decrypted AS reply; session key is: aes256-cts/2A71
>>> [27242] 1456447072.237216: FAST negotiation: available
>>> [27242] 1456447072.237236: Initializing KEYRING:persistent:1000:1000 with default princ ttes...@example.my
>>> [27242] 1456447072.237275: Storing ttes...@example.my -> krbtgt/example...@example.my in KEYRING:persistent:1000:1000
>>> [27242] 1456447072.237330: Storing config in KEYRING:persistent:1000:1000 for krbtgt/example...@example.my: fa
[Freeipa-users] Not able to get kerberos ticket from keytab
Hi,

I have managed to deploy 1 ipa master and 1 ipa client with success on
centos 7.2 with freeipa v4.2. I also managed to create a user and set
sshd-rules for the ttester user and also successfully got a krb ticket
using kinit ttes...@example.my. I am trying to deploy password-less SSH
login with kerberos using the following guide (
https://uz.sns.it/~enrico/wordpress/2014/03/password-less-ssh-login-with-kerberos/
)

- snippet -

$ ktutil
ktutil: add_entry -password -p ttes...@example.my -k 1 -e aes256-cts-hmac-sha1-96
ktutil: write_kt keytab

When I tried kinit -kt keytab ttes...@example.my, I get "kinit: Password
incorrect while getting initial credentials"
Doing a trace using KRB5_TRACE on both calls

1. KRB5_TRACE=/dev/stderr kinit ttes...@example.my
[27242] 1456447025.219676: Getting initial credentials for ttes...@example.my
[27242] 1456447025.222070: Sending request (164 bytes) to EXAMPLE.MY
[27242] 1456447025.23: Resolving hostname node1.example.my
[27242] 1456447035.238004: Initiating TCP connection to stream 192.168.38.2:88
[27242] 1456447035.238675: Sending TCP request to stream 192.168.38.2:88
[27242] 1456447035.241248: Received answer (337 bytes) from stream 192.168.38.2:88
[27242] 1456447035.241257: Terminating TCP connection to stream 192.168.38.2:88
[27242] 1456447035.241377: Response was from master KDC
[27242] 1456447035.241437: Received error from KDC: -1765328359/Additional pre-authentication required
[27242] 1456447035.241484: Processing preauth types: 136, 19, 2, 133
[27242] 1456447035.241499: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
[27242] 1456447035.241504: Received cookie: MIT
Password for ttes...@example.my:
[27242] 1456447062.215750: AS key obtained for encrypted timestamp: aes256-cts/73C6
[27242] 1456447062.215815: Encrypted timestamp (for 1456447062.215315): plain 301AA011180F32303136303232363030333734325AA1050203034913, encrypted F9A2E97E916FC14D141690E151A25DCC00168361179C7F0ACDA94C7F58F3D50429780A5608A6B8623E355F2A5BD676F6FA5272D38FD05C8B
[27242] 1456447062.215942: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[27242] 1456447062.215948: Produced preauth for next request: 133, 2
[27242] 1456447062.215965: Sending request (257 bytes) to EXAMPLE.MY
[27242] 1456447062.216010: Resolving hostname node1.example.my
[27242] 1456447072.229254: Initiating TCP connection to stream 192.168.38.2:88
[27242] 1456447072.229655: Sending TCP request to stream 192.168.38.2:88
[27242] 1456447072.236955: Received answer (722 bytes) from stream 192.168.38.2:88
[27242] 1456447072.236974: Terminating TCP connection to stream 192.168.38.2:88
[27242] 1456447072.237080: Response was from master KDC
[27242] 1456447072.237117: Processing preauth types: 19
[27242] 1456447072.237125: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
[27242] 1456447072.237131: Produced preauth for next request: (empty)
[27242] 1456447072.237140: AS key determined by preauth: aes256-cts/73C6
[27242] 1456447072.237199: Decrypted AS reply; session key is: aes256-cts/2A71
[27242] 1456447072.237216: FAST negotiation: available
[27242] 1456447072.237236: Initializing KEYRING:persistent:1000:1000 with default princ ttes...@example.my
[27242] 1456447072.237275: Storing ttes...@example.my -> krbtgt/example...@example.my in KEYRING:persistent:1000:1000
[27242] 1456447072.237330: Storing config in KEYRING:persistent:1000:1000 for krbtgt/example...@example.my: fast_avail: yes
[27242] 1456447072.237345: Storing ttes...@example.my -> krb5_ccache_conf_data/fast_avail/krbtgt\/EXAMPLE.MY\@EXAMPLE.MY@X-CACHECONF: in KEYRING:persistent:1000:1000
[27242] 1456447072.237371: Storing config in KEYRING:persistent:1000:1000 for krbtgt/example...@example.my: pa_type: 2
[27242] 1456447072.237380: Storing ttes...@example.my -> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.MY\@EXAMPLE.MY@X-CACHECONF: in KEYRING:persistent:1000:1000

2. KRB5_TRACE=/dev/stderr kinit -kt keytab ttes...@example.my
[27248] 1456447236.144685: Getting initial credentials for ttes...@example.my
[27248] 1456447236.147107: Looked up etypes in keytab: aes256-cts
[27248] 1456447236.147255: Sending request (164 bytes) to EXAMPLE.MY
[27248] 1456447236.147381: Resolving hostname node1.example.my
[27248] 1456447246.161528: Initiating TCP connection to stream 192.168.38.2:88
[27248] 1456447246.161970: Sending TCP request to stream 192.168.38.2:88
[27248] 1456447246.164772: Received answer (337 bytes) from stream 192.168.38.2:88
[27248] 1456447246.164791: Terminating TCP connection to stream 192.168.38.2:88
[27248] 1456447246.164904: Response was from master KDC
[27248] 1456447246.164943: Received error from KDC: -1765328359/Additional pre-authentication required
[27248] 1456447246.164987: Processing preauth types: 136, 19, 2, 133
[27248] 1456447246.164997: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
[27248] 1456447246.165001: Received cookie: MIT
[27248]