[Freeipa-users] Re: Hardship setting up samba share that depends on IPA trust with AD

2018-06-13 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 14 Jun 2018, Николай Савельев wrote:

> > Date: Wed, 13 Jun 2018 22:11:23 +0300
> > From: Alexander Bokovoy
> > Subject: [Freeipa-users] Re: Hardship setting up samba share that
> > depends on IPA trust with AD
> >
> > Yes, it is not supported right now.
>
> Hi, Alexander.
> I am writing an article about FreeIPA for a Russian IT portal.
> I want to talk about Samba, IPA with an AD trust, and the problems.
> May I use your phrases in this mailing list as an expert opinion?
> I want to warn other people about troubles with IPA.

It is all written on the wiki:
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


NOTE: Only Kerberos authentication will work when accessing Samba shares
using this method. This means that Windows clients not joined to an Active
Directory forest trusted by IPA would not be able to access the shares.
This is related to SSSD not yet being able to handle NTLMSSP
authentication.

NOTE: When a Windows client accesses shares, the Windows UI will need to be
able to resolve SIDs in access control lists. Inability to do so will
affect user experience and the way applications are expected to work
with the share. A set of experiments in 2017 demonstrated that
Microsoft does not test various fallbacks around this behavior and only
considers the path used by the Windows UI to communicate with a Global
Catalog service. It is also a 'client-specific' behavior and thus is not
subject to protocol interoperability or documented anywhere.
While for some applications/use cases it may work, it will not work for
many others, thus we cannot really qualify it as a supported solution
from the FreeIPA side.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GKWWLX2T55RYWOUCPL3IBFXH3EIX2CMY/


[Freeipa-users] Re: Hardship setting up samba share that depends on IPA trust with AD

2018-06-13 Thread Николай Савельев via FreeIPA-users

> Date: Wed, 13 Jun 2018 22:11:23 +0300
> From: Alexander Bokovoy 
> Subject: [Freeipa-users] Re: Hardship setting up samba share that
> depends on IPA trust with AD
>
> Yes, it is not supported right now.

Hi, Alexander.
I am writing an article about FreeIPA for a Russian IT portal.
I want to talk about Samba, IPA with an AD trust, and the problems.
May I use your phrases in this mailing list as an expert opinion?
I want to warn other people about troubles with IPA.


-- 
Best regards, Николай.
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/NRADMGMHUV4FXQQPFLSEKHI7RP2F3VJH/


[Freeipa-users] Re: Hardship setting up samba share that depends on IPA trust with AD

2018-06-13 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 13 Jun 2018, William Muriithi via FreeIPA-users wrote:

> Hello everyone,
>
> I am attempting to set up a Samba file server that uses IPA as a proxy
> to authenticate AD users. I am using the document below as a
> template, but it's not working as currently documented. I am wondering
> if something has changed in the code since that time but the doc
> hasn't had any update.
>
> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> For the Samba client, this is the version of the binaries that I am using:
>
> [root@samba4 ~]# rpm -qa | grep samba
> samba-common-tools-4.7.1-6.el7.x86_64
> samba-common-libs-4.7.1-6.el7.x86_64
> samba-common-4.7.1-6.el7.noarch
> samba-4.7.1-6.el7.x86_64
> samba-client-libs-4.7.1-6.el7.x86_64
> samba-client-4.7.1-6.el7.x86_64
> samba-libs-4.7.1-6.el7.x86_64
>
> For the IPA server, this is the version I am running:
>
> ipa-server-4.5.4-10.el7_5.1.x86_64
>
> There is a trust relationship between the IPA and the Active
> Directory. The AD is on the corp.example.com domain and the IPA is on
> eng.example.com. When I point any of the IPA clients to
> \\samba4.eng.example.com, all works as expected. However, when I
> point any of the AD clients (Windows 10) to \\samba4.eng.example.com,
> I am not having any joy. After parsing the logs, the section below
> looks like the most relevant part of the logs. What would cause this
> issue? Any pointer on how to overcome it would be highly appreciated.

Yes, it is not supported right now.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/NBWGJLRSU4N4Z2IRLJT34JO573J7LKF4/


[Freeipa-users] Hardship setting up samba share that depends on IPA trust with AD

2018-06-13 Thread William Muriithi via FreeIPA-users

Hello everyone,

I am attempting to set up a Samba file server that uses IPA as a proxy
to authenticate AD users. I am using the document below as a
template, but it's not working as currently documented. I am wondering
if something has changed in the code since that time but the doc
hasn't had any update.

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

For the Samba client, this is the version of the binaries that I am using:

[root@samba4 ~]# rpm -qa | grep samba
samba-common-tools-4.7.1-6.el7.x86_64
samba-common-libs-4.7.1-6.el7.x86_64
samba-common-4.7.1-6.el7.noarch
samba-4.7.1-6.el7.x86_64
samba-client-libs-4.7.1-6.el7.x86_64
samba-client-4.7.1-6.el7.x86_64
samba-libs-4.7.1-6.el7.x86_64

For the IPA server, this is the version I am running:

ipa-server-4.5.4-10.el7_5.1.x86_64

There is a trust relationship between the IPA and the Active
Directory. The AD is on the corp.example.com domain and the IPA is on
eng.example.com. When I point any of the IPA clients to
\\samba4.eng.example.com, all works as expected. However, when I
point any of the AD clients (Windows 10) to \\samba4.eng.example.com,
I am not having any joy. After parsing the logs, the section below
looks like the most relevant part of the logs. What would cause this
issue? Any pointer on how to overcome it would be highly appreciated.


Another odd thing is, if I enroll a RHEL 7 system to AD, and then
attempt to browse the samba share, everything works fine.


I have shared the full logs on the following link too.


https://pastebin.com/wrycv1UR


Regards,

William




[2018/06/13 13:42:20.963867,  5, pid=14330, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2018/06/13 13:42:20.963942,  5, pid=14330, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2018/06/13 13:42:20.964334, 10, pid=14330, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:1326(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2018/06/13 13:42:20.965559, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3011(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[64] dyn[yes:96] at ../source3/smbd/smb2_negprot.c:657
[2018/06/13 13:42:20.965625, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:923(smb2_set_operation_credit)
  smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 512/512, total granted/max/low/range 1/8192/2/1
[2018/06/13 13:42:35.997960, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1080(smbd_server_connection_terminate_ex)
  smbd_server_connection_terminate_ex: conn[ipv4:192.168.11.108:61944] reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3935
[2018/06/13 13:42:35.998102,  4, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/06/13 13:42:35.998142,  5, pid=14330, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/06/13 13:42:35.998174,  5, pid=14330, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:651(debug_unix_user_token)
  UNIX token of user 0
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/5C5ECQ6BSTDTGDK646KQYN5AJYL3OBFB/
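An added triage helper, not from the thread or from Samba, that reads an smbd debug log like the one William pasted and reduces it to the facts worth reporting: which GENSEC mechanisms smbd started, whether a security token was ever built, how the connection ended, and how long the client waited. The embedded sample is constructed from the records quoted above, re-joined onto single lines; the log shapes it matches on are assumptions listed in the comments.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Assumed log shapes (matching
# William's capture): each record starts "[date time, level, ...]", GENSEC logs
# "Starting GENSEC mechanism <name>" / "Starting GENSEC submechanism <name>",
# a completed session setup logs "Security token SIDs (N):", and a dropped
# connection logs "reason[NT_STATUS_...]" in smbd_server_connection_terminate_ex.
set -eu

# Read an smbd log on stdin and print one line: mechanisms started, whether a
# security token was ever built, the termination reason, and the seconds
# between the first and the last timestamped record.
triage_smbd_log() {
  awk '
    /^\[/ { t = $2; sub(/,$/, "", t); if (first == "") first = t; last = t }
    /Starting GENSEC (sub)?mechanism/ { mechs = (mechs == "" ? "" : mechs ",") $NF }
    /Security token SIDs/ { token = "yes" }
    /smbd_server_connection_terminate_ex:/ {
      if (match($0, /reason\[[A-Z_]+\]/)) reason = substr($0, RSTART + 7, RLENGTH - 8)
    }
    END {
      split(first, a, ":"); split(last, b, ":")
      secs = (b[1] * 3600 + b[2] * 60 + b[3]) - (a[1] * 3600 + a[2] * 60 + a[3])
      printf "mechs=%s token=%s reason=%s secs=%.1f\n",
        (mechs == "" ? "none" : mechs), (token == "" ? "no" : token), (reason == "" ? "none" : reason), secs
    }'
}

# Turn the summary into the statement to put in a bug report or a list post.
classify_smbd_summary() {
  case "$1" in
    *"token=yes"*)
      echo "a session setup completed; look past authentication (share ACLs, SID resolution)" ;;
    *"token=no"*"reason=NT_STATUS_CONNECTION_RESET"*)
      echo "the client dropped the connection before any session setup completed; smbd never built a security token" ;;
    *)
      echo "inconclusive: $1" ;;
  esac
}

# Constructed sample: the records William quoted, re-joined onto single lines.
sample_log() {
  cat <<'EOF'
[2018/06/13 13:42:20.963867,  5, pid=14330, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2018/06/13 13:42:20.963942,  5, pid=14330, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2018/06/13 13:42:20.964334, 10, pid=14330, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:1326(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2018/06/13 13:42:35.997960, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1080(smbd_server_connection_terminate_ex)
  smbd_server_connection_terminate_ex: conn[ipv4:192.168.11.108:61944] reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3935
[2018/06/13 13:42:35.998142,  5, pid=14330, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
EOF
}

# Usage: sample_log | triage_smbd_log   (or: triage_smbd_log < /var/log/samba/log.smbd)
```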


[Freeipa-users] Re: freeIPA backup

2018-06-13 Thread Alfredo De Luca via FreeIPA-users
Thanks Tony. Appreciated.

I will soon do that.
Cheers


On Wed, Jun 13, 2018 at 11:10 AM Tony Brian Albers via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi Alfredo,
>
> As Peter says, use ipa-backup. I suggest running it twice a day, but
> that depends on how many changes you make in FreeIPA.
>
> Then, get your backup software to back up /var/lib/ipa/backup some time
> after you've run ipa-backup. Or, get your backup software to run
> ipa-backup for you and then back up the destination folder.
>
> It's always easier to restore a system from a full backup, but it takes
> time and demands many full backups which are large in size, demands a
> lot of storage and stresses your network.
>
> I'd run a full backup of the FreeIPA server weekly and incrementals
> twice a day, all of them right after running ipa-backup.
>
> HTH
>
> /tony
>
>
> On 13/06/18 10:07, Alfredo De Luca via FreeIPA-users wrote:
> > thanks Peter.
> > I know that having only one server is not good; that's why for now I
> > just want to implement a backup/restore process, then one/multiple replicas.
> >
> > About a restore... is it better to restore from a full backup rather than
> > only a data backup?
> >
> >
> > Cheers
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316


-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/JEX2SN2BLATKFESDTRSUDNWEW4TPSOWV/


[Freeipa-users] Re: AD admin account I use for trust setup is getting audited - what specific permissions does the AD user need to have for trust setup?

2018-06-13 Thread Chris Dagdigian via FreeIPA-users


Just replying to say 'thanks' to Alexander and the list in general. This
was exactly what I needed. The tech answers and signal:noise ratio in
this list are pretty fantastic.


-Chris



On June 13, 2018 at 7:33 AM, Alexander Bokovoy wrote:

> What do you use this 'idmbind' account for?
>
> If you are using it to establish a trust with AD, which is a one-time
> operation, then by Microsoft's own requirements that account should be a
> member of the Enterprise Admins group in the AD forest _or_ a member of
> the Domain Admins group in the forest root domain of the AD forest.
>
> https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-entadmins
> https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-domainadmins
>
> See details at
> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)
>
> To create a forest trust, the administrator creating the trust must be a
> member of the Domain Admins group (in the forest root domain) or the
> Enterprise Admins group in Active Directory. Each trust is assigned a
> password that the administrators in both forests must know. Members of
> Enterprise Admins in both forests can create the trusts in both forests
> at once and, in this scenario, a password that is cryptographically
> random is automatically generated and written for both forests.
>
> Members of the Incoming Forest Trust Builders group can create one-way,
> incoming forest trusts. For example, members of this group residing in
> Forest A can create a one-way, incoming forest trust from Forest B. This
> one-way, incoming forest trust allows users in Forest A to access
> resources located in Forest B. Members of this group are granted the
> permission Create Inbound Forest Trust on the forest root domain. This
> group has no default members.
>
> As you can see, for a one-way trust there is another group that could be
> used, but we never tested whether those permissions would be enough.




List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/HDDJE3W5DK5KVWYW5GKHG4KIBHPVMTHQ/


[Freeipa-users] Re: AD admin account I use for trust setup is getting audited - what specific permissions does the AD user need to have for trust setup?

2018-06-13 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 12 Jun 2018, Chris Dagdigian via FreeIPA-users wrote:

> Hi folks,
>
> Tried to find this in the FreeIPA and RHEL IDM docs but could not find
> my answer with any specificity ...
>
> I have a user account called "idmbind" inside an AD controller for a
> domain that we integrate with our Linux fleet in AWS.
>
> Because this domain is non-essential and we had full control, we got
> lazy and just made the "idmbind" account as privileged as possible --
> it's currently part of the "Domain Admin" and "Enterprise Admin"
> groups.
>
> Now that crunch time is over we are auditing all our AD user accounts.
> I've been specifically asked:
>
> "Does your idmbind user really need Enterprise Admin group membership?"
>
> "Does your idmbind user really need Domain Admin group membership?"
>
> Is there a concise answer somewhere on what permissions/roles the
> local AD user account needs to have when we use that username and
> password to set up 1-way and 2-way trusts with FreeIPA? The docs and
> screenshots show the words "domain administrator" but I'm wondering if
> the requirements are more specific.
>
> I figure "Domain Admin yes, Enterprise Admin no" may be the proper
> answer but I'm looking for a more authoritative voice, thanks!

What do you use this 'idmbind' account for?

If you are using it to establish a trust with AD, which is a one-time
operation, then by Microsoft's own requirements that account should be a
member of the Enterprise Admins group in the AD forest _or_ a member of
the Domain Admins group in the forest root domain of the AD forest.

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-entadmins
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-domainadmins

See details at 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)


To create a forest trust, the administrator creating the trust must be a
member of the Domain Admins group (in the forest root domain) or the
Enterprise Admins group in Active Directory. Each trust is assigned a
password that the administrators in both forests must know. Members of
Enterprise Admins in both forests can create the trusts in both forests
at once and, in this scenario, a password that is cryptographically
random is automatically generated and written for both forests.

Members of the Incoming Forest Trust Builders group can create one-way,
incoming forest trusts. For example, members of this group residing in
Forest A can create a one-way, incoming forest trust from Forest B. This
one-way, incoming forest trust allows users in Forest A to access
resources located in Forest B. Members of this group are granted the
permission Create Inbound Forest Trust on the forest root domain. This
group has no default members.


As you can see, for a one-way trust there is another group that could be
used, but we never tested whether those permissions would be enough.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/EQZ4RLMTMVVHDNDGKQZIPK6ZLKX2SC5F/


[Freeipa-users] Re: freeIPA backup

2018-06-13 Thread Tony Brian Albers via FreeIPA-users

Hi Alfredo,

As Peter says, use ipa-backup. I suggest running it twice a day, but
that depends on how many changes you make in FreeIPA.

Then, get your backup software to back up /var/lib/ipa/backup some time
after you've run ipa-backup. Or, get your backup software to run
ipa-backup for you and then back up the destination folder.

It's always easier to restore a system from a full backup, but it takes 
time and demands many full backups which are large in size, demands a 
lot of storage and stresses your network.

I'd run a full backup of the FreeIPA server weekly and incrementals 
twice a day, all of them right after running ipa-backup.

HTH

/tony


On 13/06/18 10:07, Alfredo De Luca via FreeIPA-users wrote:
> thanks Peter.
> I know that having only one server is not good; that's why for now I just
> want to implement a backup/restore process, then one/multiple replicas.
>
> About a restore... is it better to restore from a full backup rather than only
> a data backup?
> 
> 
> Cheers


-- 
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/XVJJI4RT4TSPGNTOTAP2Z56JNVLP4MES/
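Tony's schedule as an added example, not code from the thread or from the FreeIPA project: a POSIX shell wrapper that runs ipa-backup, stages the newest finished backup directory with a checksum for the off-host backup agent to collect, and prunes old local copies. It assumes ipa-backup writes one ipa-full-<timestamp> or ipa-data-<timestamp> directory per run under /var/lib/ipa/backup, that a finished run leaves a header file there, and that "--data --online" is the data-only form that runs with services up.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. Assumptions:
# ipa-backup writes one directory per run under /var/lib/ipa/backup named
# ipa-full-<timestamp> or ipa-data-<timestamp>, a finished run leaves a
# "header" file in it, a full backup stops IPA services for its duration, and
# "--data --online" is the data-only form that runs with services up.
set -eu

BACKUP_ROOT="${BACKUP_ROOT:-/var/lib/ipa/backup}"   # where ipa-backup writes
STAGING_DIR="${STAGING_DIR:-/srv/ipa-offsite}"       # what the backup agent collects

# Run a backup of the requested kind: "full" weekly (brief service outage),
# "data" twice a day (online), as Tony suggests.
run_ipa_backup() {
  case "$1" in
    full) ipa-backup ;;
    data) ipa-backup --data --online ;;
    *) echo "usage: run_ipa_backup full|data" >&2; return 2 ;;
  esac
}

# Print the newest backup directory of kind $2 under root $1, or nothing.
# The timestamps in the names are zero-padded, so a plain sort is chronological.
newest_backup() {
  ls -1d "$1"/ipa-"$2"-* 2>/dev/null | sort | tail -n 1
}

# A directory without the header file is an interrupted run: never ship it.
backup_is_complete() {
  [ -n "$1" ] && [ -d "$1" ] && [ -f "$1/header" ]
}

# Pack the newest complete backup of kind $2 from root $1 into $3 as a tarball
# with a SHA-256 beside it, so the off-host copy can be verified before a
# restore is attempted. Prints the tarball path.
stage_backup() {
  root=$1; kind=$2; dest=$3
  dir=$(newest_backup "$root" "$kind")
  backup_is_complete "$dir" || { echo "no complete $kind backup under $root" >&2; return 1; }
  name=$(basename "$dir")
  mkdir -p "$dest"
  tar -C "$root" -cf "$dest/$name.tar" "$name"
  (cd "$dest" && sha256sum "$name.tar" > "$name.tar.sha256")
  printf '%s\n' "$dest/$name.tar"
}

# Delete local backup directories older than $2 days under $1; the staged,
# off-host copies are the long-term ones, and /var/lib/ipa/backup should not
# be allowed to fill the server's disk.
prune_local_backups() {
  find "$1" -mindepth 1 -maxdepth 1 -type d -name 'ipa-*' -mtime +"$2" -exec rm -rf {} +
}

# Cron usage, e.g. twice daily for data and weekly for full:
#   run_ipa_backup data && stage_backup "$BACKUP_ROOT" data "$STAGING_DIR" && prune_local_backups "$BACKUP_ROOT" 14
#   run_ipa_backup full && stage_backup "$BACKUP_ROOT" full "$STAGING_DIR"
```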


[Freeipa-users] Re: freeIPA backup

2018-06-13 Thread Alfredo De Luca via FreeIPA-users

thanks Peter.
I know that having only one server is not good; that's why for now I just want
to implement a backup/restore process, then one/multiple replicas.

About a restore... is it better to restore from a full backup rather than only
a data backup?


Cheers
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/ZQODAMCETRGPFZXWHDAMV3C2ASSQIEDS/