Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-07-18 Thread Martin Štefany



On 7/18/2016 9:50 AM, Sumit Bose wrote:
> On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
> > On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> > > On (16/07/16 10:19), Martin Štefany wrote:
> > > > 
> > > > Hello Sumit,
> > > > 
> > > > seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
> > > > logs, but same problem: 'Error looking up public keys'.
> > > > 
> > > > selinux-policy-3.13.1-191.fc24.3.noarch
> > > > selinux-policy-targeted-3.13.1-191.fc24.3.noarch
> > > > sssd-1.13.4-3.fc24.x86_64
> > > > 
> > > Fedora 23 and Fedora 24 have the same version of sssd
> > > and almost the same version of openssh.
> > > I have no idea what could break it if there are not any AVCs.
> > > 
> > > > Using debug_level 0x0250 ::
> > > > 
> > > For troubleshooting, it would be better to see all
> > > debug messages. (debug_level = 0xfff0)
> > 
> > Hello Lukas,
> > 
> > thanks for replying on this, here are debug_level = 0xfff0 messages
> > 
> > ...
> > 
> > (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
> > CERT_VerifyCertificateNow failed [-8179].
> > (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
> > cert_to_ssh_key failed.
> 
> -8179 translates to "Peer's certificate issuer is not recognized."
> (http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html).
> This means the CA certificate which signed the certificate on the
> Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD.
> 
> Recent versions of IPA put IPA CA certificates only in /etc/ipa/nssdb,
> this might be the reason why you see this with F24.
> 
> To fix this please either add the needed CA certificates to
> /etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the
> [ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA
> certificates to validate the Smartcard certificate.

Thank you!
Fixed for now by putting 'ca_db = /etc/ipa/nssdb' to the [ssh] section
of sssd.conf, but the CA certificate is actually the one from IPA CA, as
this SSH key is generated from my userCertificate. Works like a charm.

Kind regards,
Martin

> I'm working on a fix for SSSD to handle this change
> automatically, but unfortunately it is not ready yet.
> 
> HTH
> 
> bye,
> Sumit
> 
> > > > $ /usr/bin/sss_ssh_authorizedkeys martin
> > > > Error looking up public keys
> > > > 
> > > And try to run strace with sss_ssh_authorizedkeys
> > > 
> > > LS
> > 
> > Martin

--
--
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
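The workaround Sumit describes (`ca_db = /etc/ipa/nssdb` in the [ssh] section of sssd.conf), applied to config text by an added helper; this is example code, not SSSD's own tooling, and the sample config is constructed. It edits the file line by line so comments and other sections survive, replaces an existing `ca_db` value, and creates the [ssh] section when it is missing.

```python
import re

SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
OPTION = re.compile(r"^\s*(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*?)\s*$")

def set_option(conf_text, section, key, value):
    """Set `key = value` inside [section] of an sssd.conf-style text.

    Returns (new_text, changed). An existing assignment is replaced in place, a
    missing key is appended to the section, a missing section is appended to the
    file; comments and all other lines are left untouched.
    """
    lines = conf_text.splitlines()
    start = end = None
    for i, line in enumerate(lines):
        m = SECTION.match(line)
        if not m:
            continue
        if start is not None:      # first header after our section ends it
            end = i
            break
        if m.group("name").strip() == section:
            start = i
    if start is None:
        sep = [] if not lines or lines[-1].strip() == "" else [""]
        new = lines + sep + [f"[{section}]", f"{key} = {value}"]
        return "\n".join(new) + "\n", True
    if end is None:
        end = len(lines)
    for i in range(start + 1, end):
        m = OPTION.match(lines[i])
        if m and m.group("key") == key:
            if m.group("value") == value:
                return conf_text, False   # already set: nothing to do
            lines[i] = f"{key} = {value}"
            return "\n".join(lines) + "\n", True
    insert_at = end                        # keep blank lines after the section
    while insert_at > start + 1 and lines[insert_at - 1].strip() == "":
        insert_at -= 1
    lines.insert(insert_at, f"{key} = {value}")
    return "\n".join(lines) + "\n", True

def ensure_ssh_ca_db(conf_text, ca_db="/etc/ipa/nssdb"):
    """Point the ssh responder at the NSS db that holds the IPA CA certificate."""
    return set_option(conf_text, "ssh", "ca_db", ca_db)

# Constructed sample: an [ssh] section that still uses the default /etc/pki/nssdb.
SAMPLE_CONF = """\
[sssd]
domains = example.com
services = nss, pam, ssh

[domain/example.com]
id_provider = ipa

[ssh]
debug_level = 0xfff0
"""

if __name__ == "__main__":
    text, changed = ensure_ssh_ca_db(SAMPLE_CONF)
    print(text if changed else "ca_db already set")
```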

Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-07-17 Thread Martin Štefany
On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> On (16/07/16 10:19), Martin Štefany wrote:
> > 
> > Hello Sumit,
> > 
> > seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
> > logs, but same problem: 'Error looking up public keys'.
> > 
> > selinux-policy-3.13.1-191.fc24.3.noarch
> > selinux-policy-targeted-3.13.1-191.fc24.3.noarch
> > sssd-1.13.4-3.fc24.x86_64
> > 
> Fedora 23 and Fedora 24 have the same version of sssd
> and almost the same version of openssh.
> I have no idea what could break it if there are not any AVCs.
> 
> > 
> > Using debug_level 0x0250 ::
> > 
> For troubleshooting, it would be better to see all
> debug messages. (debug_level = 0xfff0)

Hello Lukas,

thanks for replying on this, here are debug_level = 0xfff0 messages

(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [get_client_cred] (0x4000): Client creds:
euid[129341] egid[129341] pid[15966].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer
re-set for client [0x5617ca096280][18]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [accept_fd_handler] (0x0400): Client
connected!
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer
re-set for client [0x5617ca096280][18]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received
client version [0].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered
version [0].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer
re-set for client [0x5617ca096280][18]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer
re-set for client [0x5617ca096280][18]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
Requested domain []
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing
name [martin][]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200):
name 'martin' matched without domain, user is martin
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400):
Requesting SSH user public keys for [martin] from []
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing
request for [0x5617c96301a0:1:mar...@stefany.eu]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400):
Creating request for [stefany.eu][0x1][BE_REQ_USER][1][name=martin]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sbus_add_timeout] (0x2000):
0x5617ca09bb60
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x5617c96301a0:1:mar...@stefany.eu]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sbus_remove_timeout] (0x2000):
0x5617ca09bb60
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn:
0x5617ca09a300
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply
from Data Provider - DP error code: 0 errno: 0 error message: Success
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400):
Requesting SSH user public keys for [mar...@stefany.eu]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x5617ca0a4370
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x5617ca0a4430
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ldb] (0x4000): Running timer event
0x5617ca0a4370 "ltdb_callback"
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ldb] (0x4000): Destroying timer event
0x5617ca0a4430 "ltdb_timeout"
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ldb] (0x4000): Ending timer event
0x5617ca0a4370 "ltdb_callback"
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x4000):
Mssing element, nothing to do.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x4000):
Mssing element, nothing to do.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
CERT_VerifyCertificateNow failed [-8179].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
cert_to_ssh_key failed.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040):
decode_and_add_base64_data failed.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal error,
killing connection!
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [client_destructor] (0x2000): Terminated
client [0x5617ca096280][18]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x5617c96301a0:1:mar...@stefany.eu]

> > 
> > $ /usr/bin/sss_ssh_authorizedkeys martin
> > Error looking up public keys
> > 
> And try to run strace with sss_ssh_authorizedkeys
> 
> LS

Martin


Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-07-16 Thread Martin Štefany

Hello Sumit,

seems that upgrade to F24 broke things again. This time no AVCs, empty 
SSSD logs, but same problem: 'Error looking up public keys'.


selinux-policy-3.13.1-191.fc24.3.noarch
selinux-policy-targeted-3.13.1-191.fc24.3.noarch
sssd-1.13.4-3.fc24.x86_64

Using debug_level 0x0250 ::

$ /usr/bin/sss_ssh_authorizedkeys martin
Error looking up public keys

==> sssd_ssh.log <==
(Sat Jul 16 10:15:51 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): 
Received client version [0].
(Sat Jul 16 10:15:51 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): 
Offered version [0].
(Sat Jul 16 10:15:51 2016) [sssd[ssh]] [sss_parse_name_for_domains] 
(0x0200): name 'martin' matched without domain, user is martin


==> sssd_stefany.eu.log <==
(Sat Jul 16 10:15:51 2016) [sssd[be[stefany.eu]]] [be_get_account_info] 
(0x0200): Got request for [0x1][BE_REQ_USER][1][name=martin]


==> sssd_ssh.log <==
(Sat Jul 16 10:15:51 2016) [sssd[ssh]] [decode_and_add_base64_data] 
(0x0040): cert_to_ssh_key failed.
(Sat Jul 16 10:15:51 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): 
decode_and_add_base64_data failed.



Please, any suggestions?


Martin


On 6/22/2016 5:01 PM, Sumit Bose wrote:

On Tue, Jun 21, 2016 at 01:23:11PM +0200, Martin Štefany wrote:

On 6/21/2016 1:16 PM, Sumit Bose wrote:

On Tue, Jun 21, 2016 at 12:43:23PM +0200, Martin Štefany wrote:

Hello Sumit,

putting SELinux to permissive mode and/or enabling the nis_enabled seboolean
seemed not to help at all. And you are right, my user has a userCertificate
(needed for secure libvirtd connection).


[martin@desk2 ~]$ sss_ssh_authorizedkeys  martin
Error looking up public keys
[martin@desk2 ~]$ sudo setenforce 0
[sudo] password for martin:
[martin@desk2 ~]$ sss_ssh_authorizedkeys  martin
Error looking up public keys
[martin@desk2 ~]$ sudo setsebool nis_enabled on
[martin@desk2 ~]$ sss_ssh_authorizedkeys  martin
Error looking up public keys
[martin@desk2 ~]$ sudo sss_cache -E
[martin@desk2 ~]$ sss_ssh_authorizedkeys martin
Error looking up public keys

[have a coffee... really]

[martin@desk2 ~]$ sss_ssh_authorizedkeys martin
ssh-rsa AAA...
ssh-rsa AAA...
ssh-ed25519 AAA...
ssh-rsa AAA...
ssh-rsa AAA...


If I understand it correctly you get the same result as on CentOS,
including the unexpected key derived from the certificate, after waiting
for some time? Can you send the sssd_ssh.log with the sequence from
above (if you prefer directly to me) so that I can check why it failed
in the first attempt and later succeeds?

bye,
Sumit



Hi,

yes, now the results are the same, including the originally unexpected key
from certificate, and actual SSH pubkey auth finally works.

I would send you sssd_ssh.log, but it's empty - I have turned off
debug_level sooner, sorry. :(

Isn't it the case that sss_cache -E takes a few seconds to actually expire the
cache entries?


sss_cache -E itself should be fast, but the next requests like
sss_ssh_authorizedkeys would need a bit longer because SSSD must now
read fresh data from the server. Nevertheless it should take some
seconds, maybe 10-20 with lots of group-memberships, but not as much as
a coffee break.

bye,
Sumit



Thank you.
Martin




RH bug for selinux-policy:
https://bugzilla.redhat.com/show_bug.cgi?id=1348447

Thank you!
Martin


On 6/21/2016 9:43 AM, Sumit Bose wrote:

On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin Štefany wrote:

Hello all,

I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I
figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems
while I can to CentOS 7.2 (ipa-client and ipa-server) systems within the same IPA
domain. I will appreciate any help whatsoever.
IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest
updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest
updates.

I started by looking at the journal:
jún 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection
from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22
...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
} for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c03e syscall=42
success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0
ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0


Does the user by chance have a certificate added to his entry including
a link to an OCSP responder?

Recent versions of SSSD have the ability to generate public ssh-keys from
valid certificates added to the user entry to support the ssh Smartcard
feature (see e.g. the -I option in the ssh man page for details or
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1#RunningsshclientwithSmartcardsupport)

While trying to validate the certificate via OCSP sssd_ssh must connect
to a http s

Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-21 Thread Martin Štefany

On 6/21/2016 1:16 PM, Sumit Bose wrote:

On Tue, Jun 21, 2016 at 12:43:23PM +0200, Martin Štefany wrote:

Hello Sumit,

putting SELinux to permissive mode and/or enabling the nis_enabled seboolean
seemed not to help at all. And you are right, my user has a userCertificate
(needed for secure libvirtd connection).


[martin@desk2 ~]$ sss_ssh_authorizedkeys  martin
Error looking up public keys
[martin@desk2 ~]$ sudo setenforce 0
[sudo] password for martin:
[martin@desk2 ~]$ sss_ssh_authorizedkeys  martin
Error looking up public keys
[martin@desk2 ~]$ sudo setsebool nis_enabled on
[martin@desk2 ~]$ sss_ssh_authorizedkeys  martin
Error looking up public keys
[martin@desk2 ~]$ sudo sss_cache -E
[martin@desk2 ~]$ sss_ssh_authorizedkeys martin
Error looking up public keys

[have a coffee... really]

[martin@desk2 ~]$ sss_ssh_authorizedkeys martin
ssh-rsa AAA...
ssh-rsa AAA...
ssh-ed25519 AAA...
ssh-rsa AAA...
ssh-rsa AAA...


If I understand it correctly you get the same result as on CentOS,
including the unexpected key derived from the certificate, after waiting
for some time? Can you send the sssd_ssh.log with the sequence from
above (if you prefer directly to me) so that I can check why it failed
in the first attempt and later succeeds?

bye,
Sumit



Hi,

yes, now the results are the same, including the originally unexpected 
key from certificate, and actual SSH pubkey auth finally works.


I would send you sssd_ssh.log, but it's empty - I have turned off 
debug_level sooner, sorry. :(


Isn't it the case that sss_cache -E takes a few seconds to actually expire
the cache entries?


Thank you.
Martin




RH bug for selinux-policy:
https://bugzilla.redhat.com/show_bug.cgi?id=1348447

Thank you!
Martin


On 6/21/2016 9:43 AM, Sumit Bose wrote:

On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin Štefany wrote:

Hello all,

I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I
figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems
while I can to CentOS 7.2 (ipa-client and ipa-server) systems within the same IPA
domain. I will appreciate any help whatsoever.
IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest
updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest
updates.

I started by looking at the journal:
jún 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection
from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22
...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
} for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c03e syscall=42
success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0
ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0


Does the user by chance have a certificate added to his entry including
a link to an OCSP responder?

Recent versions of SSSD have the ability to generate public ssh-keys from
valid certificates added to the user entry to support the ssh Smartcard
feature (see e.g. the -I option in the ssh man page for details or
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1#RunningsshclientwithSmartcardsupport)

While trying to validate the certificate via OCSP sssd_ssh must connect
to an http server. To allow this, setting the 'nis_enabled' SELinux
boolean to true should help.

Nevertheless, since this should work by default, it would be nice if you
can open a bugzilla ticket for the SELinux policy on F23 to allow this
by default.

HTH

bye,
Sumit


...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
} for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c03e syscall=42
success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe42d0 items=0
ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: AuthorizedKeysCommand
/usr/bin/sss_ssh_authorizedkeys martin failed, status 1
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Failed publickey for martin
from 144.xxx.xxx.xxx port 22543 ssh2: RSA SHA256:uyzB4[stripped]
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: Received disconnect
from 144.xxx.xxx.xxx port 22543:14: No supported authentication methods
available [preauth]
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Disconnected from 144.xxx.xxx.xxx
port 22543 [preauth]

which was weird, because the same key would nicely work elsewhere (on any other
CentOS 7.2 system, while no Fedora 23 system would work, as I have figured out).

I have tried putting SELinux into permissive mode, or generating custom module
with custom policy allowing this, but it do

Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-21 Thread Martin Štefany

Hello Sumit,

putting SELinux to permissive mode and/or enabling the nis_enabled seboolean
seemed not to help at all. And you are right, my user has a userCertificate
(needed for secure libvirtd connection).



[martin@desk2 ~]$ sss_ssh_authorizedkeys  martin
Error looking up public keys
[martin@desk2 ~]$ sudo setenforce 0
[sudo] password for martin:
[martin@desk2 ~]$ sss_ssh_authorizedkeys  martin
Error looking up public keys
[martin@desk2 ~]$ sudo setsebool nis_enabled on
[martin@desk2 ~]$ sss_ssh_authorizedkeys  martin
Error looking up public keys
[martin@desk2 ~]$ sudo sss_cache -E
[martin@desk2 ~]$ sss_ssh_authorizedkeys martin
Error looking up public keys

[have a coffee... really]

[martin@desk2 ~]$ sss_ssh_authorizedkeys martin
ssh-rsa AAA...
ssh-rsa AAA...
ssh-ed25519 AAA...
ssh-rsa AAA...
ssh-rsa AAA...


RH bug for selinux-policy:
https://bugzilla.redhat.com/show_bug.cgi?id=1348447

Thank you!
Martin


On 6/21/2016 9:43 AM, Sumit Bose wrote:

On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin Štefany wrote:

Hello all,

I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I
figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems
while I can to CentOS 7.2 (ipa-client and ipa-server) systems within the same IPA
domain. I will appreciate any help whatsoever.
IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest
updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest
updates.

I started by looking at the journal:
jún 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection
from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22
...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
} for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c03e syscall=42
success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0
ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0


Does the user by chance have a certificate added to his entry including
a link to an OCSP responder?

Recent versions of SSSD have the ability to generate public ssh-keys from
valid certificates added to the user entry to support the ssh Smartcard
feature (see e.g. the -I option in the ssh man page for details or
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1#RunningsshclientwithSmartcardsupport)

While trying to validate the certificate via OCSP sssd_ssh must connect
to an http server. To allow this, setting the 'nis_enabled' SELinux
boolean to true should help.

Nevertheless, since this should work by default, it would be nice if you
can open a bugzilla ticket for the SELinux policy on F23 to allow this
by default.

HTH

bye,
Sumit


...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
} for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c03e syscall=42
success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe42d0 items=0
ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: AuthorizedKeysCommand
/usr/bin/sss_ssh_authorizedkeys martin failed, status 1
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Failed publickey for martin
from 144.xxx.xxx.xxx port 22543 ssh2: RSA SHA256:uyzB4[stripped]
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: Received disconnect
from 144.xxx.xxx.xxx port 22543:14: No supported authentication methods
available [preauth]
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Disconnected from 144.xxx.xxx.xxx
port 22543 [preauth]

which was weird, because the same key would nicely work elsewhere (on any other
CentOS 7.2 system, while no Fedora 23 system would work, as I have figured out).

I have tried putting SELinux into permissive mode, or generating custom module
with custom policy allowing this, but it doesn't help, and even tcpdump capture
doesn't capture anything when such connection to 'somewhere' port 80 is opened.

I moved on to testing the '/usr/bin/sss_ssh_authorizedkeys martin' command.
Fedora 23:
# sss_ssh_authorizedkeys martin
Error looking up public keys

CentOS 7.2:
# sss_ssh_authorizedkeys martin
ssh-rsa AAA...
ssh-rsa AAA...
ssh-ed25519 AAA...
ssh-rsa AAA...
ssh-rsa B3NzaC1yc2EDAQABAAABAQCsox... (???) -->> this one is not in
LDAP (checked with ldapsearch & ipa user-show martin --all --raw), not present
in the dc=stefany,dc=eu tree or in the compat tree

So, I have turned on debug_level = 0x0250 in sssd.conf in both Fedora 23 and
CentOS 7.2 and checked the logs. CentOS 7.2 is just fine, Fedora 23 gives these
failures:
==> /var/log/sssd/sssd_ssh.log <==

[Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-20 Thread Martin Štefany
Hello all,

I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I
figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems
while I can to CentOS 7.2 (ipa-client and ipa-server) systems within the same IPA
domain. I will appreciate any help whatsoever.
IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest
updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest
updates.

I started by looking at the journal:
jún 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection
from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22
...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
} for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c03e syscall=42
success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0
ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 
...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
} for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c03e syscall=42
success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe42d0 items=0
ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: AuthorizedKeysCommand
/usr/bin/sss_ssh_authorizedkeys martin failed, status 1
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Failed publickey for martin
from 144.xxx.xxx.xxx port 22543 ssh2: RSA SHA256:uyzB4[stripped]
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: Received disconnect
from 144.xxx.xxx.xxx port 22543:14: No supported authentication methods
available [preauth]
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Disconnected from 144.xxx.xxx.xxx
port 22543 [preauth]

which was weird, because the same key would nicely work elsewhere (on any other
CentOS 7.2 system, while no Fedora 23 system would work, as I have figured out).

I have tried putting SELinux into permissive mode, or generating custom module
with custom policy allowing this, but it doesn't help, and even tcpdump capture
doesn't capture anything when such connection to 'somewhere' port 80 is opened.

I moved on to testing the '/usr/bin/sss_ssh_authorizedkeys martin' command.
Fedora 23:
# sss_ssh_authorizedkeys martin
Error looking up public keys

CentOS 7.2:
# sss_ssh_authorizedkeys martin
ssh-rsa AAA...
ssh-rsa AAA...
ssh-ed25519 AAA...
ssh-rsa AAA...
ssh-rsa B3NzaC1yc2EDAQABAAABAQCsox... (???) -->> this one is not in
LDAP (checked with ldapsearch & ipa user-show martin --all --raw), not present
in the dc=stefany,dc=eu tree or in the compat tree

So, I have turned on debug_level = 0x0250 in sssd.conf in both Fedora 23 and
CentOS 7.2 and checked the logs. CentOS 7.2 is just fine, Fedora 23 gives these
failures:
==> /var/log/sssd/sssd_ssh.log <==
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received
client version [0].
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered
version [0].
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200):
name 'martin' matched without domain, user is martin

==> /var/log/sssd/sssd_stefany.eu.log <==
(Mon Jun 20 21:58:14 2016) [sssd[be[stefany.eu]]] [be_get_account_info]
(0x0200): Got request for [0x1][BE_REQ_USER][1][name=martin]

==> /var/log/sssd/sssd_ssh.log <==
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
cert_to_ssh_key failed.
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040):
decode_and_add_base64_data failed.

And that's right, the last - ghost - "sshpubkey" is an invalid base64 string. So
Fedora 23 fails because of some extra validation in SSSD...

I can't tell where this invalid base64 stuff is coming from, and yes, I have
stopped both IPA servers, run sss_cache -E on both of them and on clients, and
started IPA servers serially one by one, the invalid key is still there.

I have a plan B to delete the account, put it back and see if it cleans up, but
I would prefer to figure out what is actually wrong here and what's introducing
the wrong sshpubkey. And why is sssd_ssh connecting to some port 80 somewhere?

Thank you in advance!

Kind regards,
Martin







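Added triage code (not SSSD's or FreeIPA's own) for the two failure modes in this thread: the `CERT_VerifyCertificateNow failed [-8179]` lines from the debug log in the later replies, and the `AVC ... denied { name_connect } ... comm="sssd_ssh"` journal lines from the first post. It re-joins records that the mail wrapped onto several lines, then maps each to the cause and the fix named in the replies; the sample lines are copied from the thread, and the `NSS_ERRORS` table covers only the code the thread mentions.

```python
import re
from dataclasses import dataclass

# NSS error codes named in the thread (only -8179 appears on the page); the text
# is the meaning given in Sumit's reply plus the two fixes he proposes.
NSS_ERRORS = {
    -8179: "Peer's certificate issuer is not recognized: the CA that signed the "
           "user certificate is not in the NSS db SSSD uses (add it with certutil "
           "or set ca_db = /etc/ipa/nssdb in the [ssh] section of sssd.conf)",
}

# One sssd debug line: (timestamp) [sssd[component]] [function] (0xlevel): message
SSSD_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.+?)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
NSS_FAIL = re.compile(r"CERT_VerifyCertificateNow failed \[(?P<code>-?\d+)\]")
# SELinux AVC denial as it appears in the journal / audit log
AVC_LINE = re.compile(
    r'AVC avc:\s+denied\s+\{ (?P<perm>\w+) \}.*?comm="(?P<comm>[^"]+)".*?'
    r"dest=(?P<dest>\d+).*?tcontext=(?P<tcontext>\S+)"
)
# A new record starts with an sssd timestamp or a journal "mon dd hh:mm:ss host"
# prefix; anything else is a wrapped continuation of the previous record.
NEW_RECORD = re.compile(
    r"^\(\w{3} \w{3} \d+ \d\d:\d\d:\d\d \d{4}\)|^\S+ +\d+ \d\d:\d\d:\d\d \S+ "
)

@dataclass
class Finding:
    kind: str
    detail: str

def join_wrapped(lines):
    """Re-join log records that a mail client or pager wrapped onto several lines."""
    records = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if NEW_RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def parse_sssd_line(line):
    """Split one sssd debug record into its fields; None if it is not one."""
    m = SSSD_LINE.match(line.strip())
    return m.groupdict() if m else None

def triage(records):
    """Classify already re-joined records; returns a list of Finding."""
    findings = []
    for rec in records:
        fields = parse_sssd_line(rec)
        if fields is not None:
            m = NSS_FAIL.search(fields["msg"])
            if fields["func"] == "cert_to_ssh_key" and m:
                code = int(m.group("code"))
                reason = NSS_ERRORS.get(code, "NSS error code not covered here")
                findings.append(Finding("nss_verify_failed", f"{code}: {reason}"))
            continue
        m = AVC_LINE.search(rec)
        if m and m.group("comm") == "sssd_ssh" and m.group("perm") == "name_connect":
            findings.append(Finding(
                "selinux_ocsp_blocked",
                f"sssd_ssh denied name_connect to port {m.group('dest')} "
                f"({m.group('tcontext')}): the OCSP lookup for the user certificate "
                "is blocked by SELinux policy (nis_enabled boolean / policy bug)"))
    return findings

def triage_text(text):
    """Convenience wrapper: wrapped log text in, findings out."""
    return triage(join_wrapped(text.splitlines()))

# Constructed sample: the wrapped lines as they appear in the thread, one NSS
# verification failure and one AVC denial.
SAMPLE = """\
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x4000):
Mssing element, nothing to do.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
CERT_VerifyCertificateNow failed [-8179].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
cert_to_ssh_key failed.
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
} for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
"""

if __name__ == "__main__":
    for f in triage_text(SAMPLE):
        print(f"{f.kind}: {f.detail}")
```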

Re: [Freeipa-users] Dynamic DNS Questions

2016-06-08 Thread Martin Štefany

Hello Detlev,

The FreeIPA/SSSD client uses the IP address of the interface/vlan/subnet which is used
to communicate (LDAP) with the FreeIPA server.

However, if you have dyndns_update set to True in sssd.conf, you can
also set dyndns_iface to point to the correct interface whose IP addresses
will be dynamically updated in DNS, see:


$ man sssd-ipa
[stripped]
   dyndns_iface (string)
       Optional. Applicable only when dyndns_update is true. Choose
       the interface or a list of interfaces whose IP addresses should be used
       for dynamic DNS updates. Special value “*” implies that IPs from all
       interfaces should be used.

       NOTE: While it is still possible to use the old
       ipa_dyndns_iface option, users should migrate to using dyndns_iface in
       their config file.

       Default: Use the IP addresses of the interface which is used
       for IPA LDAP connection

       Example: dyndns_iface = em1, vnet1, vnet2
[stripped]

Kind regards,
Martin



On 6/8/2016 1:00 PM, Detlev Habicht wrote:

Hi all,

well, I am really a beginner with IPA and just trying to set up some
test systems. At the moment one IPA server, one NFS/Samba server and a
Fedora client. I am running IPA 4.2, Scientific Linux 7.2 and Fedora 23.

The most important things are running now.

But I have a problem with DNS entries left. Maybe while installing
IPA I made mistakes with the NFS server. On this NFS server I have 5
interfaces, 4 of them now as a bond interface. So I am running two IPs now:
nn.16 and nn.33.

But while installing IPA (with DNS) it takes the wrong one (16):

2016-05-26T14:08:12Z DEBUG Writing nsupdate commands to
/etc/ipa/.dns_update.txt:
2016-05-26T14:08:12Z DEBUG debug
update delete nnnix.nnn.intern. IN A
show
send
update delete nnnix.nnn.intern. IN 
show
send
update add nnnix.nnn.intern. 1200 IN A nnn.nn.nn.16
show
send
2016-05-26T14:08:12Z DEBUG Starting external process
2016-05-26T14:08:12Z DEBUG args='/usr/bin/nsupdate' '-g'
'/etc/ipa/.dns_update.txt'


I can change the DNS entry on the IPA server to nn.33 at runtime. Then
everything is ok. But when I boot the NFS server, it is changing the DNS
entry on the IPA server to nn.16.

What can I do so the IPA client (here my NFS server) is using the right IP?
I don't find any conf file … Is there any point where I can change this IP?

Thanx for any help!

Detlev


--
  Detlev  | Institut fuer Mikroelektronische Systeme
  Habicht | D-30167 Hannover +49 511
76219662 habi...@ims.uni-hannover.de 
  + Handy+49 172 5415752  ---







--
--
Martin



[Freeipa-users] DNS SubjectAltName missing in provisioned certificates

2016-03-27 Thread Martin Štefany
Hello,

I seem to be having some issues with the IPA CA feature not generating
certificates with DNS SubjectAltNames.

I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under
CentOS 7.2 / IPA 4.2 something's different.

Here are the original steps which worked fine for my first use case ::

$ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25
$ ipa host-add mail.example.com
$ ipa service-add smtp/mail.example.com
$ ipa service-add smtp/mail1.example.com
$ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com
$ ipa-getcert request -k /etc/pki/tls/private/postfix.key \
                      -f /etc/pki/tls/certs/postfix.pem   \
                      -N CN=mail1.example.com,O=EXAMPLE.COM \
                      -D mail1.example.com -D mail.example.com \
                      -K smtp/mail1.example.com
(and repeat for every next member of the cluster...)

After this, I would get a certificate with something like ::
$ sudo ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20150419153933':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/postfix.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=mail1.example.com,O=EXAMPLE.COM
        expires: 2017-04-19 15:39:35 UTC
        dns: mail1.example.com,mail.example.com
        principal name: smtp/mail1.example@example.com
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes

with the Subject line in the form 'CN=<fqdn>,O=EXAMPLE.COM' and the 'dns'
info line present.

Suddenly, in the current setup, after the upgrade from 4.0 to 4.2, I'm
getting this ::

$ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create-reverse
$ ipa host-add w3.example.com
$ ipa service-add HTTP/w3.example.com
$ ipa service-add HTTP/http1.example.com
$ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com
$ ipa-getcert request -k /etc/pki/tls/private/httpd.key \
                      -f /etc/pki/tls/certs/httpd.pem   \
                      -N CN=http1.example.com,O=EXAMPLE.COM \
                      -D http1.example.com -D w3.example.com \
                      -K HTTP/http1.example.com
$ sudo ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20160327095125':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/http.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/http.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=http1.example.com,OU=pki-ipa,O=IPA
        expires: 2018-03-28 09:51:27 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes

Where is the 'CN=<fqdn>,OU=pki-ipa,O=IPA' coming from instead of
'CN=<fqdn>,O=EXAMPLE.COM', and why are the DNS SubjectAltNames missing?

To be clear, if I don't do ::
$ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com

then the certificate is simply not issued (the request ends up 'REJECTED'),
but once this is done properly in the described steps, the DNS SANs still
do not appear.

I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only
against my current IPA 4.2 on CentOS 7.2.

For the actual certificates ::
$ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE.COM, CN=Certificate Authority
        Validity
            Not Before: Apr 19 15:39:35 2015 GMT
            Not After : Apr 19 15:39:35 2017 GMT
        Subject: O=EXAMPLE.COM, CN=mail1.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [cut]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:[cut]

            Authority Information Access: 
                OCSP - URI:http://ipa-ca.example.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

            X509v3 
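As an added example (not from the original post, and not FreeIPA or certmonger code), here is the check a practitioner would want before deploying a certificate issued this way: a POSIX shell function that reads the `openssl x509 -noout -text` dump and confirms that every DNS name passed to `ipa-getcert request -D` actually landed in the Subject Alternative Name extension. The two certificate texts below are constructed for the example and abridged to the relevant lines, one modelled on the working postfix certificate and one on the broken httpd certificate; the only assumption for live use is that openssl is installed on the host.

```shell
#!/bin/sh
# Added example: verify that an issued certificate carries the DNS SANs
# that were requested. Input is the text dump from `openssl x509 -noout -text`.

# Print the DNS names from the SAN extension, one per line (nothing if absent).
# $1: certificate text
san_dns_names() {
    printf '%s\n' "$1" |
      sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
      tr ',' '\n' |
      sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 when every DNS name given after the certificate text is present,
# 1 otherwise; each missing name is reported on stderr.
# $1: certificate text; $2..: required DNS names
check_required_sans() {
    cert_text=$1; shift
    found=$(san_dns_names "$cert_text")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$found" | grep -qxF -- "$want"; then
            echo "missing DNS SAN: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample, abridged: the SAN block as openssl prints it for the
# working postfix certificate (mail1 + mail).
SAMPLE_WITH_SAN='Certificate:
    Data:
        Subject: O=EXAMPLE.COM, CN=mail1.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:mail1.example.com, DNS:mail.example.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

# Constructed sample, abridged: modelled on the broken httpd certificate,
# which has the pki-ipa subject and no SAN extension at all.
SAMPLE_WITHOUT_SAN='Certificate:
    Data:
        Subject: O=IPA, OU=pki-ipa, CN=http1.example.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

# Live use on a tracked certificate (requires openssl):
#   check_required_sans "$(openssl x509 -in /etc/pki/tls/certs/httpd.pem -noout -text)" \
#       http1.example.com w3.example.com
```

Run the live form right after `ipa-getcert list` reports MONITORING; a non-zero exit means the certificate will fail hostname validation for the listed names even though it was issued, which is exactly the case the post describes.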

Re: [Freeipa-users] Add "mkhomedir" after install

2015-12-13 Thread Martin Štefany
Hello Ranbir, 

that installation option (like a few others) just adjusts the parameters
passed to the authconfig utility.

To enable automatic home directory creation later on, just issue:
# authconfig --enablemkhomedir --update

More info is in the authconfig manual page, or use authconfig --help


Kind regards, / S pozdravom,
Martin Štefany


On Dec 9, 2015 7:34 PM, Ranbir <m3fr...@thesandhufamily.ca> wrote:
>
> Hello Everyone, 
>
> I installed a replica without passing the "mkhomedir" option to the 
> install command. Sure enough, when I login to the replica, my home dir 
> isn't created. I _could_ create it manually, but it would be nice if the 
> first login triggered the creation. 
>
> I've been trying to find an answer to this on my own, but so far I've 
> had no luck. 
>
> Thanks in advance! 
>
> -- 
> Ranbir 
>
> -- 
> Manage your subscription for the Freeipa-users mailing list: 
> https://www.redhat.com/mailman/listinfo/freeipa-users 
> Go to http://freeipa.org for more info on the project 


Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-11 Thread Martin Štefany
Hello Ranbir,

I'm working on this; even today I was putting more things together.
(That DRAFT is really an uncommented version of what I currently have.)
I've also opened https://fedorahosted.org/freeipa/ticket/5521 to get a
bit more out of it.

To sum up what I've put together:
- Postfix as the SMTP MTA
- Dovecot for IMAP (no POP3)
- Amavisd-new with ClamAV and SpamAssassin for antispam / antivirus /
additional header checks, etc.
- SPF, DKIM and DMARC support for both sending and receiving mail
- the setup is HA thanks to DNS records and 2 separate systems running
almost identical configurations, with Dovecot replicating mailboxes using
dsync
- PLAIN / LOGIN / GSSAPI authentication for SSO login thanks to FreeIPA
(integration with Evolution on a Fedora/RHEL/CentOS desktop joined to the
FreeIPA domain also works great)
- users are, of course, stored in FreeIPA, with usage granted only to those
with a correct e-mail field and group membership (and an enabled ID)
- but some pieces are still missing:
  - I'm still reviewing e.g. the correct postfix restrictions and
documenting the full setup
  - there's no GUI support for configuring domain aliases, user aliases,
sender/receiver Bcc, quota setup, etc., even if some of it is manageable
via ipa-admintools and LDAP attributes

I would like to finish it asap, within a week or two, because I run this
e-mail system at home (as somebody already mentioned, why not?) and I
don't like it unfinished. ;)

But to give you a good place to start: have a look at the iRedMail project,
http://www.iredmail.org/. ZhangHuangbin's product is great and it helped
me a lot to prepare what I described above. There's no support for
'old-style' HA, but you can still run it 'HA' on a VM with all the
benefits, and there's no direct support for FreeIPA integration, but a
guideline for Active Directory integration exists, so you can start there:
http://www.iredmail.org/docs/active.directory.html

As Natxo mentioned, it all depends on what kind of integration you want
and what you expect from the mail setup. ;)

Martin




On Pi, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> hi Ranbir,
> 
> 
> On Fri, Dec 11, 2015 at 9:29 PM, Ranbir 
> wrote:
> > Hi All,
> > 
> > I want to integrate my Postfix server with IPA. I've found a couple
> > of
> > documents on how this can be done, but they don't accomplish the
> > feat
> > the same way (they're also not discussing the exact same end goal).
> > I'm
> > left wondering how exactly to integrate IPA and Postfix.
> > 
> what exactly do you want to achieve? 'Integrate' could mean a couple
> of things, so please specify. 
> 
> --
> Groeten,
> natxo
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Mixing client and server versions

2015-12-04 Thread Martin Štefany
Hi Daryl,

IPA client <-> IPA server are both backward and forward compatible, see:

http://www.freeipa.org/page/Client#Compatibility

Note: the exception is ipa-admintools, which is a (thick) client and is
only forward compatible; see the page for a better explanation.

Martin

On Pi, 2015-12-04 at 13:42 -0600, Daryl Fonseca-Holt wrote:
> These has probably been asked before  but I'm new to the list and 
> haven't seen it answered.
> 
> 1) Will an IPA 4.x client work with an IPA 3.0 server?
> 2) Will an IPA 3.0 client work with an IPA 4.x server?
> 
> Thanks, Daryl
> 
> -- 
>   --
>   Daryl Fonseca-Holt
>   IST/CNS/Unix Server Team
>   University of Manitoba
>   204.480.1079
> 


Re: [Freeipa-users] (no subject)

2015-11-27 Thread Martin Štefany
Hello,

I remember experiencing this, but I'm not sure of the solution. I think
it's related to apache (httpd) and its group.

My notes for IPA installation on CentOS 7.x say:

# groupadd -g 48 apache
# yum -y install ipa-server bind bind-dyndb-ldap
# usermod -g apache apache
# ipa-server-install...

CentOS somehow does not create the apache group for the apache user, which
then ends up with root as its primary group, and that causes problems with
apache later. Pre-creating such a group before installing httpd and then
usermod-ing the apache user might solve it.

Did you get any warnings while running:
# yum install -y ipa-server bind bind-dyndb-ldap ?


If possible, try the installation from scratch on a fresh system,
following my notes. If not:

# systemctl stop httpd    # if it runs (the unit is httpd.service, not apache)
# groupadd -g 48 apache   # I use 48 as apache's UID tends to be 48 as well,
                          # or use 'groupadd -r apache' instead
# usermod -g apache apache
# ipa-server-install...

M.


On Pi, 2015-11-27 at 23:04 +0100, Daniel Guldberg aaes wrote:
> Hello. I am trying to setup FreeIPA but i am getting the following
> error when i do a ipa-server-install, I am trying to set it up on a
> ESXI 6 VM (The vm is a fresh install of Centos)
> 
> ###Installation
> precedure###
> wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.
> noarch.rpm
> rpm -ivh epel-release-7-5.noarch.rpm
> yum install -y haveged
> yum install -y ipa-server bind bind-dyndb-ldap
> ##Version
> 4.1.0, API_VERSION: 2.112 on a CentOs 7.
> Linux version 3.10.0-229.20.1.el7.x86_64 (buil...@kbuilder.dev.centos.
> org) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue
> Nov 3 19:10:07 UTC 2015
> #Error 
> [2/27]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYbSmkT'' returned non-
> zero exit status 1
>   [error] RuntimeError: Configuration of CA failed
> Configuration of CA failed
> I can't figure out where the error is or what to correct ? The full
> .log is here : https://owncloud.techknight.eu/index.php/s/wH8TATlPvJOD
> Ieo
> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

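As an added example (not part of the post above, and not FreeIPA code), a small POSIX shell check for the failure mode Martin describes: it parses passwd(5) and group(5) data and fails when the apache account is missing, has primary gid 0 (root), or its primary group is not actually named apache. The passwd and group lines below are constructed for the example; on a real host you would feed it the output of `getent passwd` and `getent group` before running ipa-server-install.

```shell
#!/bin/sh
# Added example: confirm that a service account's primary group is the
# expected one and not root, before ipa-server-install configures httpd.

# Print the primary gid of a user from passwd(5)-format data.
# $1: user name; $2: passwd lines (e.g. from `getent passwd`)
passwd_gid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# Print the group name for a gid from group(5)-format data.
# $1: gid; $2: group lines (e.g. from `getent group`)
group_name() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { print $1; exit }'
}

# Return 0 when the user's primary group resolves to the expected name,
# 1 when the user is missing, the gid is 0, or the group does not match.
# $1: user; $2: expected group name; $3: passwd data; $4: group data
check_primary_group() {
    gid=$(passwd_gid "$1" "$3")
    if [ -z "$gid" ]; then
        echo "user $1 not found" >&2
        return 1
    fi
    if [ "$gid" -eq 0 ]; then
        echo "user $1 has primary gid 0 (root)" >&2
        return 1
    fi
    name=$(group_name "$gid" "$4")
    if [ "$name" != "$2" ]; then
        echo "user $1: primary gid $gid is '${name:-<unknown>}', expected '$2'" >&2
        return 1
    fi
    return 0
}

# Constructed sample databases (not taken from a real host).
# Broken: apache exists but its primary gid is 0, the situation described above.
PASSWD_BROKEN='root:x:0:0:root:/root:/bin/bash
apache:x:48:0:Apache:/usr/share/httpd:/sbin/nologin'
# Fixed: after `groupadd -g 48 apache` and `usermod -g apache apache`.
PASSWD_FIXED='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin'
GROUP_DB='root:x:0:
apache:x:48:'

# Live use, applying the fix from the post only when the check fails:
#   check_primary_group apache apache "$(getent passwd)" "$(getent group)" \
#       || { groupadd -g 48 apache; usermod -g apache apache; }
```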

Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-27 Thread Martin Štefany
On St, 2015-10-21 at 09:32 +0200, Jakub Hrozek wrote:
> On Tue, Oct 20, 2015 at 11:25:56PM +0200, Martin Štefany wrote:
> > Hello,
> > 
> > did anybody manage to get a FreeIPA admin user (member of the admins
> > group, full sudo access, etc.) to also be a Cockpit user with
> > administrative privileges? I've already figured out that it's closely
> > related to Polkit, but since FreeIPA and Polkit are not fully
> > 'friendly' yet... I was not able to get a working configuration.
> > 
> > Some version / configuration details:
> > $ cat /etc/centos-release
> > CentOS Linux release 7.1.1503 (Core)
> > 
> > $ rpm -q ipa-client
> > ipa-client-4.1.0-18.el7.centos.4.x86_64
> > 
> > $ rpm -q cockpit   # from sgallagh's COPR repository
> > cockpit-0.80-1.el7.centos.x86_64
> > 
> > $ rpm -q polkit
> > polkit-0.112-5.el7.x86_64
> > 
> > $ sudo ls /etc/polkit-1/rules.d/
> > 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> > 
> > $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> > polkit.addAdminRule(function(action, subject) {
> > return ["unix-group:admins", "unix-group:wheel"];
> > });
> > 
> > $ sudo ls /etc/polkit-1/localauthority.conf.d/
> > 40-custom.conf
> > 
> > $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> > [Configuration]
> > AdminIdentities=unix-group:admins;unix-group:wheel
> > 
> > $ ipa user-show martin | grep groups
> >   Member of groups: trust admins, ipausers, admins, ...
> > 
> > Cockpit logs me in automatically using Kerberos (GSSAPI), but I
> > can't
> > perform administrative tasks, cannot see journald, etc.
> > 
> > One thing that I thought might cause the issue is that pkexec is asking
> > me to select a user first, instead of asking/not asking for a password:
> > $ pkexec cockpit-bridge
> >  AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> > Authentication is needed to run `/usr/bin/cockpit-bridge' as the
> > super
> > user
> > Multiple identities can be used for authentication:
> >  1.  Martin Štefany (martin)
> >  2.  ...
> >  3.  ...
> > Choose identity to authenticate as (1-3): 1
> > Password: 
> >  AUTHENTICATION COMPLETE ===
> > cockpit-bridge: no option specified
> > 
> > and the documentation claims that sudo / pkexec should not ask for a
> > password for a particular user, but 1. I don't like that idea; 2. I
> > have a regular 1000:1000 user in the wheel group for whom everything
> > works just fine - sudo and pkexec ask for a password as expected, and
> > still in Cockpit the admin stuff works as expected.
> 
> Can you add the admin user to the wheel group on the Cockpit machine?
> 
> But in general I think you're looking for:
> https://sourceware.org/glibc/wiki/Proposals/GroupMerging
> first round of patches is ready, although it still needs to go through
> upstream review (IIRC).
> 

Hello Jakub,

adding a specific user to the local wheel group works, thank you. But it
also requires local intervention on the system(s), and on a per-user basis.

The only limiting detail I see now with PolicyKit is that the user is
granted full admin rights via pkexec either when the custom
/etc/polkit-1/rules.d/40-freeipa.rules is defined or when glibc group
merging is merged. If I understand
https://fedorahosted.org/freeipa/ticket/5350 correctly, this will be
sort of addressed based on hostgroups, but it will still give more control
over the system than sudo would, won't it?

Thank you.
Martin

Re: [Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-27 Thread Martin Štefany
On Ut, 2015-10-27 at 15:48 +0100, Petr Spacek wrote:
> On 20.10.2015 23:25, Martin Štefany wrote:
> > Hello,
> > 
> > did anybody manage to get a FreeIPA admin user (member of the admins
> > group, full sudo access, etc.) to also be a Cockpit user with
> > administrative privileges? I've already figured out that it's closely
> > related to Polkit, but since FreeIPA and Polkit are not fully
> > 'friendly' yet... I was not able to get a working configuration.
> > 
> > Some version / configuration details:
> > $ cat /etc/centos-release
> > CentOS Linux release 7.1.1503 (Core)
> > 
> > $ rpm -q ipa-client
> > ipa-client-4.1.0-18.el7.centos.4.x86_64
> > 
> > $ rpm -q cockpit   # from sgallagh's COPR repository
> > cockpit-0.80-1.el7.centos.x86_64
> > 
> > $ rpm -q polkit
> > polkit-0.112-5.el7.x86_64
> > 
> > $ sudo ls /etc/polkit-1/rules.d/
> > 40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules
> > 
> > $ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
> > polkit.addAdminRule(function(action, subject) {
> > return ["unix-group:admins", "unix-group:wheel"];
> > });
> > 
> > $ sudo ls /etc/polkit-1/localauthority.conf.d/
> > 40-custom.conf
> > 
> > $ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
> > [Configuration]
> > AdminIdentities=unix-group:admins;unix-group:wheel
> > 
> > $ ipa user-show martin | grep groups
> >   Member of groups: trust admins, ipausers, admins, ...
> > 
> > Cockpit logs me in automatically using Kerberos (GSSAPI), but I
> > can't
> > perform administrative tasks, cannot see journald, etc.
> > 
> > One thing that I thought might cause the issue is that pkexec is asking
> > me to select a user first, instead of asking/not asking for a password:
> > $ pkexec cockpit-bridge
> >  AUTHENTICATING FOR org.freedesktop.policykit.exec ===
> > Authentication is needed to run `/usr/bin/cockpit-bridge' as the
> > super
> > user
> > Multiple identities can be used for authentication:
> >  1.  Martin Štefany (martin)
> >  2.  ...
> >  3.  ...
> > Choose identity to authenticate as (1-3): 1
> > Password: 
> >  AUTHENTICATION COMPLETE ===
> > cockpit-bridge: no option specified
> > 
> > and the documentation claims that sudo / pkexec should not ask for a
> > password for a particular user, but 1. I don't like that idea; 2. I
> > have a regular 1000:1000 user in the wheel group for whom everything
> > works just fine - sudo and pkexec ask for a password as expected, and
> > still in Cockpit the admin stuff works as expected.
> 
> I have seen your answer in the ticket
> https://fedorahosted.org/freeipa/ticket/3203#comment:6
> 
> Could you create a very short and concise how-to to
> http://www.freeipa.org/page/HowTos , please?
> 
> Your Fedora login should allow you to create a new wiki page and to
> link it to
> http://www.freeipa.org/page/HowTos .
> 
> Thank you for your time!
> 

Hello Petr,

sure, done =)

http://www.freeipa.org/page/Howto/FreeIPA_PolicyKit

Thank you!

Martin


[Freeipa-users] Cockpit with (Free)IPA admin users

2015-10-20 Thread Martin Štefany
Hello,

did anybody manage to get a FreeIPA admin user (member of the admins group,
full sudo access, etc.) to also be a Cockpit user with administrative
privileges? I've already figured out that it's closely related to
Polkit, but since FreeIPA and Polkit are not fully 'friendly' yet... I
was not able to get a working configuration.

Some version / configuration details:
$ cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

$ rpm -q ipa-client
ipa-client-4.1.0-18.el7.centos.4.x86_64

$ rpm -q cockpit   # from sgallagh's COPR repository
cockpit-0.80-1.el7.centos.x86_64

$ rpm -q polkit
polkit-0.112-5.el7.x86_64

$ sudo ls /etc/polkit-1/rules.d/
40-freeipa.rules  49-polkit-pkla-compat.rules  50-default.rules

$ sudo cat /etc/polkit-1/rules.d/40-freeipa.rules
polkit.addAdminRule(function(action, subject) {
return ["unix-group:admins", "unix-group:wheel"];
});

$ sudo ls /etc/polkit-1/localauthority.conf.d/
40-custom.conf

$ sudo cat /etc/polkit-1/localauthority.conf.d/40-custom.conf
[Configuration]
AdminIdentities=unix-group:admins;unix-group:wheel

$ ipa user-show martin | grep groups
  Member of groups: trust admins, ipausers, admins, ...

Cockpit logs me in automatically using Kerberos (GSSAPI), but I can't
perform administrative tasks, cannot see journald, etc.

One thing that I thought might cause the issue is that pkexec is asking me
to select a user first, instead of asking/not asking for a password:
$ pkexec cockpit-bridge
 AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/usr/bin/cockpit-bridge' as the super
user
Multiple identities can be used for authentication:
 1.  Martin Štefany (martin)
 2.  ...
 3.  ...
Choose identity to authenticate as (1-3): 1
Password: 
 AUTHENTICATION COMPLETE ===
cockpit-bridge: no option specified

and the documentation claims that sudo / pkexec should not ask for a
password for a particular user, but 1. I don't like that idea; 2. I have a
regular 1000:1000 user in the wheel group for whom everything works just
fine - sudo and pkexec ask for a password as expected, and still in
Cockpit the admin stuff works as expected.

Thank you!

Regards,
Martin


[Freeipa-users] CentOS7: certmonger not enabled by default?

2015-09-28 Thread Martin Štefany

Hello all,

I'd like to verify with you whether certmonger.service should be enabled by
default after IPA client installation or not. If I remember correctly,
it used to start on CentOS 6, IPA client ~3.0.0, after ipa-client
installation and reboots.


The thing is, for first-time usage and subsequent certificate renewal
one needs to start and enable certmonger.service in systemd, right?
Otherwise all ipa-getcert commands just return an error about certmonger
not running. I mean, is this the desired default behavior?


https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/setting-up-clients.html
actually claims: 'Enable certmonger, retrieve an SSL server certificate,
and install the certificate in /etc/pki/nssdb.' So one or the other is
wrong...


I'm using:

CentOS Linux release 7.1.1503 (Core)

certmonger-0.75.14-3.el7.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
libipa_hbac-1.12.2-58.el7_1.17.x86_64
libipa_hbac-python-1.12.2-58.el7_1.17.x86_64
python-iniparse-0.4-9.el7.noarch
python-ipaddr-2.1.9-5.el7.noarch
sssd-ipa-1.12.2-58.el7_1.17.x86_64

I've tried to search for this in both the CentOS and RHEL Bugzilla, the
FreeIPA trac, and Google, but I couldn't find any bug or discussion.
Sorry if this is a duplicate.



Thank you.

Martin
