This is not good at all... Firstly old sssd, now crypto issues...
Can you also say, will HBAC and SUDO in IPA work for trusted AD users on RHEL 5 
servers if we will enable vulnerable tls?


WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764


-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Wednesday, June 10, 2015 4:30 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] RHEL 5.11 as IPA client

On Wed, 10 Jun 2015, Alexander Frolushkin wrote:
>Hello.
>We cannot login to our IPA enrolled RHEL 5.11 host using any IPA (4.1) native 
>or AD trusted users.
>Seems like it fails on connection to server. SSSD logs attached.
>Additionally, is it ever possible now to use AD trusted users to ssh RHEL 5 
>servers?
>Logs and sssd config attached.
RHEL5 uses OpenSSL crypto library which doesn't support TLS 1.1+ which is 
required by default by IPA 4.1. Your potential fix would be to allow
tls1.0 use at the server side but you need to know what this leads to:

https://access.redhat.com/articles/1294573

You seem to have issues on RHEL5 with TLS1.0+ configuration which is in use by 
the LDAP server:
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_process_result]
(8): Trace: sh[0x15b01590], connected[1], ops[0x15b01e40], ldap[0x15b019d0] 
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_connect_done] (3):
START TLS result: Success(0), Start TLS request accepted.Server willing to 
negotiate SSL.
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_connect_done] (3):
ldap_install_tls failed: [Connect error] [Start TLS request accepted.Server 
willing to negotiate SSL.] (Wed Jun 10 17:05:16 2015) [sssd[be[default]]] 
[sdap_handle_release]
(8): Trace: sh[0x15b01590], connected[1], ops[(nil)], ldap[0x15b019d0], 
destructor_lock[0], release_memory[0] (Wed Jun 10 17:05:16 2015) 
[sssd[be[default]]] [remove_connection_callback] (9): Successfully removed 
connection callback.
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [fo_set_port_status] (4):
Marking port 389 of server 'sib-rhidm01.unix.megafon.ru' as 'not working'
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [be_pam_handler_callback]
(4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)] (Wed Jun 
10 17:05:16 2015) [sssd[be[default]]] [be_pam_handler_callback]
(4): Sending result [4][default]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [be_pam_handler_callback]
(4): Sent result [4][default]
(Wed Jun 10 17:05:22 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus
conn: 15AF0830
(Wed Jun 10 17:05:22 2015) [sssd[be[default]]] [sbus_dispatch] (9):
Dispatching.


--
/ Alexander Bokovoy

________________________________

Информация в этом сообщении предназначена исключительно для конкретных лиц, 
которым она адресована. В сообщении может содержаться конфиденциальная 
информация, которая не может быть раскрыта или использована кем-либо, кроме 
адресатов. Если вы не адресат этого сообщения, то использование, переадресация, 
копирование или распространение содержания сообщения или его части незаконно и 
запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, незамедлительно 
сообщите отправителю об этом и удалите со всем содержимым само сообщение и 
любые возможные его копии и приложения.

The information contained in this communication is intended solely for the use 
of the individual or entity to whom it is addressed and others authorized to 
receive it. It may contain confidential or legally privileged information. The 
contents may not be disclosed or used by anyone other than the addressee. If 
you are not the intended recipient(s), any use, disclosure, copying, 
distribution or any action taken or omitted to be taken in reliance on it is 
prohibited and may be unlawful. If you have received this communication in 
error please notify us immediately by responding to this email and then delete 
the e-mail and all attachments and any copies thereof.

(c)20mf50

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to