Re: [Freeipa-users] login auth fails then success
Thanks, that explains a lot (I didn't catch the difference in auth services). Would this be mitigated by putting sss in front of files in nsswitch.conf?

/etc/nsswitch.conf:

    passwd: files sss
    shadow: files sss
    group:  files sss

Date: Sun, 18 Sep 2016 22:14:59 +0200
From: Jakub Hrozek <jhro...@redhat.com>
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] login auth fails then success
Message-ID: <20160918201459.uhijnc4gyfykgzic@hendrix>
Content-Type: text/plain; charset=us-ascii

On Fri, Sep 16, 2016 at 06:23:03PM +, Larry Rosen wrote:
> Sorry I thought I had pasted these previously:
>
> What other logs do I need to add (maybe from the IPA server)?
>
> Client system's /var/log/secure:
>
> Sep 13 19:12:33 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:12:33 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:18:11 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:18:11 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:22:52 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:22:53 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:23:49 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:23:49 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:28:24 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:28:24 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:29:27 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:29:27 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web

I think these are expected. Authentication using pam_unix fails because pam_unix doesn't know this particular user and then pam_sss succeeds.

I wonder if the best way to deal with the log messages is just to configure logrotate a bit more aggressively?

> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Friday, September 16, 2016 1:39 PM
> To: Larry Rosen <larry.ro...@jdrsolutions.com>; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] login auth fails then success
>
> Larry Rosen wrote:
> > We have a web app that logs in using a service (automated login user, non-expiring, non-failure count) account that leaves these log entries all day long. This does not appear to cause any problems, it just makes my logs grow unnecessarily and creates a lot of "noise" in the log.
> >
> > Any ideas why it initially fails and then works?**
>
> Logs where? Can we see them?
>
> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] login auth fails then success
Sorry I thought I had pasted these previously:

What other logs do I need to add (maybe from the IPA server)?

Client system's /var/log/secure:

Sep 13 19:12:33 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:12:33 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:18:11 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:18:11 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:22:52 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:22:53 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:23:49 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:23:49 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:28:24 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:28:24 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:29:27 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:29:27 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, September 16, 2016 1:39 PM
To: Larry Rosen <larry.ro...@jdrsolutions.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] login auth fails then success

Larry Rosen wrote:
> We have a web app that logs in using a service (automated login user, non-expiring, non-failure count) account that leaves these log entries all day long. This does not appear to cause any problems, it just makes my logs grow unnecessarily and creates a lot of "noise" in the log.
>
> Any ideas why it initially fails and then works?**

Logs where? Can we see them?

rob
[Freeipa-users] login auth fails then success
We have a web app that logs in using a service (automated login user, non-expiring, non-failure count) account that leaves these log entries all day long. This does not appear to cause any problems, it just makes my logs grow unnecessarily and creates a lot of "noise" in the log.

Any ideas why it initially fails and then works?

Larry
Re: [Freeipa-users] automated ftp service only accounts and passwords
Why does it (secure log) say:

Sep 9 12:04:57 lamp-stor-01 sshd[27950]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)

User info:

[sysadmin@redmine ~]$ ipa pwpolicy-show service_accts
  Group: service_accts
  Max lifetime (days): 2
  Min lifetime (hours): 0
  History size: 0
  Character classes: 2
  Min length: 8
  Priority: 5
  Max failures: 0
  Failure reset interval: 0
  Lockout duration: 0

[sysadmin@redmine ~]$ date
Fri Sep 9 11:35:31 EDT 2016

[sysadmin@redmine ~]$ ipa user-show xfseuftp
  User login: xfseuftp
  First name: xfs
  Last name: eur
  Home directory: /export/xfseur
  Login shell: /bin/bash
  Email address: xfseuftp@ipajdr.local
  UID: 100618
  GID: 1333200036
  Account disabled: False
  Password: True
  Member of groups: service_accts, xfseuftp, uat_info_old, ipausers, info
  Member of HBAC rule: access_lamp_stor_01_server
  Kerberos keys available: True

[sysadmin@redmine ~]$ ipa hbactest --user=xfseuftp --host=lamp-stor-01.ipajdr.local --service sshd
Access granted: True
  Matched rules: access_lamp_stor_01_server   <--- this is the sftp server attempting to access
  Not matched rules: access_all_servers
  Not matched rules: access_il09_app_mufg_server
  Not matched rules: access_ipa_servers
  Not matched rules: access_lampuat_server
  Not matched rules: access_ssh_gate_01_server
  Not matched rules: access_uat_xfs_il10_server
  Not matched rules: access_xfs_il10_server
  Not matched rules: dsiroot_access
  Not matched rules: il10web_access_xfs_il10_server
  Not matched rules: xfsroot_access

ssh/sftp setup:

Match User xfseuftp
    # Force the connection to use the built-in SFTP support.
    ForceCommand internal-sftp -u 6
    # Chroot the connection into the specified directory.
    ChrootDirectory /export/xfseur
    # Disable authentication agent forwarding.
    AllowAgentForwarding no
    # Disable TCP connection forwarding.
    AllowTcpForwarding no
    # Disable X11 remote desktop forwarding.
    X11Forwarding no

When I attempt to change the account's password (I am sure it's the password I set). I've even tried deleting & re-creating the ID from scratch:

[sysadmin@redmine ~]$ ipa passwd xfseuftp
New Password:
Enter New Password again to verify:
Changed password for "xfseuftp@IPAJDR.LOCAL"
[sysadmin@redmine ~]$ ssh xfseuftp@10.120.97.149
xfseuftp@10.120.97.149's password:
Permission denied, please try again.
xfseuftp@10.120.97.149's password:

Even if I su to the user:

[root@lamp-stor-01 export]# ipa passwd xfseuftp
New Password:
Enter New Password again to verify:
Changed password for "xfseuftp@IPAJDR.LOCAL"
[root@lamp-stor-01 export]# su - xfseuftp
Last login: Fri Sep 9 11:57:24 EDT 2016 on pts/1
-bash-4.2$ passwd
Changing password for user xfseuftp.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error

secure log entries when attempted to change password:

Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info message: Permission denied.
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Sep 9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 10.10.90.138 port 33534 ssh2
.
Sep 9 11:57:56 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp
Sep 9 11:58:15 lamp-stor-01 su: pam_unix(su-l:session): session opened for user xfseuftp by root(uid=0)
Sep 9 11:58:20 lamp-stor-01 passwd: pam_unix(passwd:chauthtok): user "xfseuftp" does not exist in /etc/passwd
Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication failed for user xfseuftp: 4 (System error)
Sep 9 11:58:27 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, September 09, 2016 9:30 AM
To: Larry Rosen <larry.ro...@jdrsolutions.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] automated ftp service only accounts and passwords

Larry Rosen wrote:
> How do I set the password on a chroot jailed sftp id accoun
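An added example, not code from either thread and not part of SSSD or FreeIPA, that separates the expected pam_unix-then-pam_sss pair (the "login auth fails then success" noise for il10web) from a genuine refusal such as the expired xfseuftp account above. The pam_unix line is produced by the PAM auth stack trying pam_unix before pam_sss; nsswitch.conf only orders name-service lookups, so reordering it does not remove that line, and filtering the log is the safer way to keep the real failures visible without hiding them. The sample lines are constructed from the /var/log/secure excerpts quoted in the two threads; the two-second pairing window is an assumption:

```python
"""Separate expected pam_unix -> pam_sss fall-through from real PAM failures."""
import re
from datetime import datetime

# Constructed sample, assembled from the /var/log/secure lines quoted in the
# two threads (login noise for il10web, expired account for xfseuftp).
SAMPLE_LOG = """\
Sep 13 19:12:33 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:12:33 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:22:52 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:22:53 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info message: Permission denied.
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Sep 9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 10.10.90.138 port 33534 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\): (?P<msg>.*)$"
)
USER_RE = re.compile(r"\buser=(?P<user>\S*)")
RC_RE = re.compile(r"received for user (?P<user>\S+): (?P<rc>\d+) \((?P<reason>[^)]*)\)")

# The thread shows one pair straddling a second boundary (19:22:52 / 19:22:53),
# so allow a small gap between the pam_unix failure and the pam_sss verdict.
PAIR_WINDOW_SECONDS = 2


def parse_line(line):
    """Return a dict for a pam_*(service:type) line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Classic syslog carries no year; strptime fills in 1900, which is enough
    # for the small deltas between neighbouring lines that we need here.
    ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    u, rc = USER_RE.search(ev["msg"]), RC_RE.search(ev["msg"])
    ev["user"] = u.group("user") if u else (rc.group("user") if rc else None)
    ev["rc"] = int(rc.group("rc")) if rc else None
    ev["reason"] = rc.group("reason") if rc else None
    return ev


def _unresolved(ev, reason):
    return {"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "rc": None, "reason": reason}


def classify(lines):
    """Return (noise, failures).

    noise:    (ts, host, user) tuples for pam_unix failures that the following
              pam_sss success resolved, i.e. the expected stack fall-through.
    failures: dicts for every failure that was not resolved, with the pam_sss
              return code and reason attached when the log provides one.
    """
    noise, failures = [], []
    pending = {}  # (host, proc, pid, service, user) -> open pam_unix failure
    for ev in filter(None, map(parse_line, lines)):
        if ev["type"] != "auth":
            continue
        key = (ev["host"], ev["proc"], ev["pid"], ev["service"], ev["user"])
        if ev["module"] == "pam_unix" and ev["msg"].startswith("authentication failure"):
            stale = pending.pop(key, None)
            if stale:  # an earlier attempt never got a pam_sss verdict
                failures.append(_unresolved(stale, "no pam_sss result"))
            pending[key] = ev
        elif ev["module"] == "pam_sss" and ev["msg"].startswith("authentication success"):
            prev = pending.pop(key, None)
            if prev is None:
                continue  # plain success with no pam_unix noise in front of it
            if (ev["time"] - prev["time"]).total_seconds() <= PAIR_WINDOW_SECONDS:
                noise.append((prev["ts"], prev["host"], prev["user"]))
            else:
                failures.append(_unresolved(prev, "no pam_sss result"))
        elif ev["module"] == "pam_sss" and ev["msg"].startswith("authentication failure"):
            pending.pop(key, None)  # both modules refused: one real failure
            failures.append(_unresolved(ev, None))
        elif ev["module"] == "pam_sss" and ev["rc"] is not None:
            # "received for user X: N (text)" explains the preceding failure.
            for f in reversed(failures):
                if f["host"] == ev["host"] and f["user"] == ev["user"] and f["reason"] is None:
                    f["rc"], f["reason"] = ev["rc"], ev["reason"]
                    break
    for ev in pending.values():
        failures.append(_unresolved(ev, "no pam_sss result"))
    return noise, failures


if __name__ == "__main__":
    noise, failures = classify(SAMPLE_LOG.splitlines())
    print(f"suppressed {len(noise)} expected pam_unix->pam_sss pair(s)")
    for f in failures:
        print(f"FAILURE {f['ts']} {f['host']} user={f['user']} rc={f['rc']} ({f['reason']})")
```

Run against the sample it suppresses the two il10web pairs and reports a single failure for xfseuftp carrying return code 13 (User account has expired); a pam_unix failure with no pam_sss verdict within the window is reported rather than silently dropped, so the filter never hides an attempt that the PAM stack did not actually resolve.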
[Freeipa-users] automated ftp service only accounts and passwords
How do I set the password on a chroot jailed sftp id account that is not allowed a shell to not expire its password after setting it? There's no way to change it to the fixed password I want.

I have created a service_account password policy that has no expiration (set to Max lifetime (days) = 2).

Larry
[Freeipa-users] Add user fails - automember: Default group for new users is not POSIX
Never mind, I see this is a known bug in 4.2.x fixed in 4.3.1. When I am allowed to upgrade my servers I'll try again.

I guess the workaround is to use CLI with -gid (which kind of defeats the purpose of the autogroup for me).

Thanks for listening to my rant!

Larry
[Freeipa-users] Add user fails - automember: Default group for new users is not POSIX
I am trying to create a new automember rule to assign certain user classes into a default group using the web GUI, however it fails with the message:

FreeIPA, version: 4.2.0
IPA Error 4001: NotFound
Default group for new users is not POSIX

But it (xfstest) IS a POSIX group and I've disabled UPG:

[root@ipa-idm-01 ~]# ipa-managed-entries -e "UPG Definition" status
Plugin Disabled

What's up with this? Why does nearly every operation I try in this server fail? The Identity Manager Guide really sucks, it has few real world examples to go by.

Does the expression have to be an expression rather than a value? Must I create an expression with some sort of pattern matching (* . + etc.) like ^xfstest_class* ?

1) created a POSIX group
   Group name: xfstest
   Group Type: POSIX
   GID: 100615

2) created automember user group rule
   Automember Rule: xfstest
   Inclusive Attrib Expression: userclass xfstest_class

3) Attempt to add a new user
   login: autotest
   First name: auto
   Last name: test
   Class: xfstest_class
   No private group: unchecked
[Freeipa-users] Why is user status different on each master replica?
This user was locked out due to Max Failure policy = 5.

If they're supposed to be replicas, why the different status?

[root@il10 ~]# ipa user-status lramey
---
Account disabled: False
---
  Server: ipa-idm-01.ipajdr.local
  Failed logins: 0
  Last successful authentication: 20160808191857Z
  Last failed authentication: 20160808191848Z
  Time now: 2016-08-09T19:57:20Z

  Server: ipa-idm-02.ipajdr.local
  Failed logins: 5
  Last successful authentication: 20160809151406Z
  Last failed authentication: 20160809194741Z
  Time now: 2016-08-09T19:57:21Z
Number of entries returned 2
[Freeipa-users] Creating roles tutorial/how-to
I want a role the user snapmgr belongs to that can add, delete snapon group member users and reset/change their passwords and unlock their accounts.

When I login as snapmgr and attempt to reset the password of user snaptestuser1 (member of snapon group), it fails with "Insufficient access: Insufficient access rights". What did I miss? What are the minimum permission effective attribs that need to be checked?

OK, so I created:

1) A user snapmgr to be the group manager, able to reset passwords of snapon users (members of the snapon group)
2) A role named snapon-manage, and assigned user snapmgr as the member user
3) A privilege named snapon_management_privileges
4) A permission named snap_user_passwd, assigned to the snapon_management_privileges privilege, which is assigned to the snapon-manage role

PERMISSION SETTINGS:
  Bind rule type: [x] permission
  Granted rights: [x] read  [x] write  [x] add  [x] delete  [x] all
TARGET:
  Type: user
  Target DN: blank
  Member of group: snapon
  Effective attributes: [x] description  [x] ipasshpubkey  [x] homedirectory  [x] userpassword  [x] krbprincipalname  [x] krblastadminunlock

Larry Rosen - Linux System Administrator
JDR Solutions, Inc
8606 Allisonville Road, Suite 245
Indianapolis, IN 46250
www.jdrsolutions.com
[Freeipa-users] Role to add users fails - IPA Error 2100: ACIError
Will creating a role to add users work? I created a permission to create users, but it will not allow the user to do it. I have disabled UPG Definition plugin.

IPA Error 2100: ACIError
Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
Re: [Freeipa-users] Creating roles tutorial/how-to
Thanks, I had those parts figured out. I have a basic role/user working.

My next questions are: When or why would I need to specify a Target DN or Extra target filter? I don't think any are necessary for this role that has this permission to work since I specified the group (member of group) it can target.

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, July 01, 2016 6:45 PM
To: Larry Rosen <larry.ro...@jdrsolutions.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating roles tutorial/how-to

Larry Rosen wrote:
> Are there any tutorials/how to's to guide how to create roles? The docs simply go through filling out the forms, but is there any resource about how roles are generally used and the required relationships?
>
> This is the closest thing I have found:
> http://adam.younglogic.com/2012/02/group-managers-in-freeipa/
>
> I don't understand how to limit various permissions/privileges to specific users or groups.
>
> I want a role to manage only the users of a certain group: i.e. a user that can add, modify, delete user accounts and set/reset/unlock passwords for one group.

The order of access control looks like permissions -> privileges -> roles.

The associated privileges provide a set of permissions (actions a role can take) to the role. Users, groups, hosts, hostgroups and services (depending on version of IPA) can be members of a role, thus having the capabilities of that role. You add the privileges you want that role to have, then you add the groups you want, and that should do it.

A permission is a low-level "task". A privilege is usually 1-1 to a permission. It may contain multiple permissions. An example of a privilege with multiple permissions is adding a user, where you need to be able to write the user and set the password. For the permissions shipped with IPA there is always an associated privilege available for that so you typically don't need to mess with these.

rob
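An added example, not FreeIPA code and not from this thread, that models the permission -> privilege -> role chain Rob describes as a small in-memory resolver, so that the effect of a "member of group" target and of the effective-attribute list on what a role member may touch can be checked directly. The object names (snapmgr, snapon-manage, snapon_management_privileges, snap_user_passwd, snapon, snaptestuser1) are taken from the "Creating roles tutorial/how-to" message earlier on this page; the AccessModel class and the `outsider` user are constructed for illustration, and the model is a simplification of the server's ACI evaluation, so it does not explain why the real permission in that message was refused:

```python
"""Resolve effective rights through FreeIPA-style permissions, privileges and roles."""
from dataclasses import dataclass
from typing import Optional

# Rights a permission may grant; "all" in a permission expands to this set.
ALL_RIGHTS = frozenset({"read", "search", "compare", "write", "add", "delete"})


@dataclass(frozen=True)
class Permission:
    """One low-level task: rights on attributes of a class of entries."""
    name: str
    rights: frozenset          # subset of ALL_RIGHTS, or contains "all"
    target_type: str           # "user", "group", "host", ...
    memberof: Optional[str]    # if set, only members of this group are targets
    attrs: frozenset           # effective attributes the rights apply to (lower case)


@dataclass
class AccessModel:
    """Hypothetical in-memory stand-in for the IPA objects (not IPA's API)."""
    user_groups: dict          # login -> frozenset of group names
    permissions: dict          # permission name -> Permission
    privileges: dict           # privilege name -> frozenset of permission names
    roles: dict                # role name -> frozenset of privilege names
    role_members: dict         # role name -> frozenset of "user:<login>" / "group:<name>"

    def roles_of(self, login):
        """Roles a user holds directly or through one of their groups."""
        specs = {f"user:{login}"} | {f"group:{g}" for g in self.user_groups.get(login, ())}
        return {r for r, members in self.role_members.items() if members & specs}

    def permissions_of(self, login):
        """Walk role -> privilege -> permission for one bind user."""
        names = set()
        for role in self.roles_of(login):
            for priv in self.roles.get(role, ()):
                names.update(self.privileges.get(priv, ()))
        return {self.permissions[n] for n in names}

    def effective_rights(self, binder, target_login, attr):
        """Rights `binder` ends up with on `attr` of the user entry `target_login`."""
        rights = set()
        target_groups = self.user_groups.get(target_login, frozenset())
        for perm in self.permissions_of(binder):
            if perm.target_type != "user":
                continue                      # permission is about another entry type
            if perm.memberof is not None and perm.memberof not in target_groups:
                continue                      # target is outside the "member of group" scope
            if attr.lower() not in perm.attrs:
                continue                      # attribute is not an effective attribute
            rights |= ALL_RIGHTS if "all" in perm.rights else set(perm.rights)
        return rights

    def can(self, binder, target_login, attr, right):
        return right in self.effective_rights(binder, target_login, attr)


def build_thread_model():
    """The objects described in the thread plus a constructed out-of-scope user."""
    snap_user_passwd = Permission(
        name="snap_user_passwd",
        rights=frozenset({"read", "write", "add", "delete", "all"}),
        target_type="user",
        memberof="snapon",
        attrs=frozenset({"description", "ipasshpubkey", "homedirectory",
                         "userpassword", "krbprincipalname", "krblastadminunlock"}),
    )
    return AccessModel(
        user_groups={
            "snapmgr": frozenset(),
            "snaptestuser1": frozenset({"snapon"}),
            "outsider": frozenset({"ipausers"}),      # constructed: not in snapon
        },
        permissions={snap_user_passwd.name: snap_user_passwd},
        privileges={"snapon_management_privileges": frozenset({"snap_user_passwd"})},
        roles={"snapon-manage": frozenset({"snapon_management_privileges"})},
        role_members={"snapon-manage": frozenset({"user:snapmgr"})},
    )


if __name__ == "__main__":
    m = build_thread_model()
    for target in ("snaptestuser1", "outsider"):
        for attr in ("userpassword", "uid"):
            print(f"snapmgr write {attr} on {target}: {m.can('snapmgr', target, attr, 'write')}")
```

The resolver grants snapmgr write on userpassword for snaptestuser1 (a snapon member) and refuses the same on the constructed outsider, and it refuses uid on anyone because uid is not among the permission's effective attributes; adding a group to `role_members` as "group:<name>" extends the role to every member of that group, which is the way Rob suggests assigning roles.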
[Freeipa-users] Creating roles tutorial/how-to
Are there any tutorials/how to's to guide how to create roles? The docs simply go through filling out the forms, but is there any resource about how roles are generally used and the required relationships?

This is the closest thing I have found:
http://adam.younglogic.com/2012/02/group-managers-in-freeipa/

I don't understand how to limit various permissions/privileges to specific users or groups.

I want a role to manage only the users of a certain group: i.e. a user that can add, modify, delete user accounts and set/reset/unlock passwords for one group.

Larry