[Freeipa-users] Web App and Kerberos Delegation

2019-03-11 Thread Dmitry Perets via FreeIPA-users
Hi,

My Web Server is enrolled in the FreeIPA domain, but the clients are external. 
So login is done via a custom login form - part of the Web Application.
In this setup, I know how to authenticate the clients to the Web Application 
using FreeIPA as a backend - I can use mod_intercept_form_submit, and it works 
just fine.

But what if I need to obtain Kerberos credentials on behalf of the current 
user? (I believe, smart people call it "delegation" in Kerberos world).

To be more specific - suppose that the Web Application features personal secret 
vaults, and it uses FreeIPA Vaults as a backend. So, a user X logs in, he wants 
to see his personal vaults - the Web Application must obtain Kerberos 
credentials on his behalf (not on HTTP/ service behalf, because I don't 
want to make it owner of all vaults). 

Or another example - suppose that the Web Application manages my 
infrastructure. So a user X (who is infra-admin) logs in and requests to add a 
new host to the domain. The Web Application must then go and execute some 
privileged FreeIPA calls (like host_add etc.). Again, I'd like it to 
authenticate on behalf of this user X, instead of making the HTTP/... service 
infra-admin by itself. This way I don't need to store any passwords or keytabs 
with such sensitive credentials (the infra-admin will always come in person and 
type his password).

Can you please point me to the right direction?
Thanks.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-11 Thread Will Kay via FreeIPA-users
I knew we were close because there wasn't much to check anymore. =)

The sshd configuration was updated by the installation.  On 18.04, somehow 
there was only one line in one of the pam files.  I added what Alex suggested and 
followed up with pam-auth-update.  It is good on 18.04 now.  16.04 is also 
fixed.

Thanks Alex
W


[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 11 Mar 2019, Callum Smith wrote:

Dear Alexander,

Some more (hopefully) helpful information with a KRB5_TRACE on while
running ipa-client install:

Thanks, I just sent a request for basically the same. ;)


ipa-client-install
WARNING: ntpd time synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: virt-test.virt.in.bmrc.ox.ac.uk
Realm: IN.BMRC.OX.AC.UK
DNS Domain: virt.in.bmrc.ox.ac.uk
IPA Server: ipa-b.virt.in.bmrc.ox.ac.uk
BaseDN: dc=in,dc=bmrc,dc=ox,dc=ac,dc=uk

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@in.bmrc.ox.ac.uk:
[7792] 1552322394.293495: ccselect module realm chose cache FILE:/tmp/krbccQ6OHiN/ccache with client principal ad...@in.bmrc.ox.ac.uk for server principal ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293496: Getting credentials ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk using ccache FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293497: Retrieving ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk from FILE:/tmp/krbccQ6OHiN/ccache with result: -1765328243/Matching credential not found (filename: /tmp/krbccQ6OHiN/ccache)
[7792] 1552322394.293498: Retrieving ad...@in.bmrc.ox.ac.uk -> krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk from FILE:/tmp/krbccQ6OHiN/ccache with result: 0/Success
[7792] 1552322394.293499: Starting with TGT for client realm: ad...@in.bmrc.ox.ac.uk -> krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293500: Requesting tickets for ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk, referrals on
[7792] 1552322394.293501: Generated subkey for TGS request: aes256-cts/6474
[7792] 1552322394.293502: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[7792] 1552322394.293504: Encoding request body and padata into FAST request
[7792] 1552322394.293505: Sending request (985 bytes) to IN.BMRC.OX.AC.UK
[7792] 1552322394.293506: Resolving hostname ipa-b.virt.in.bmrc.ox.ac.uk
[7792] 1552322394.293507: Initiating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293508: Sending TCP request to stream 10.141.31.252:88
[7792] 1552322394.293509: Received answer (883 bytes) from stream 10.141.31.252:88
[7792] 1552322394.293510: Terminating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293511: Response was from master KDC
[7792] 1552322394.293512: Decoding FAST response
[7792] 1552322394.293513: FAST reply key: aes256-cts/7B54
[7792] 1552322394.293514: TGS reply is for ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk with session key aes256-cts/0013
[7792] 1552322394.293515: TGS request result: 0/Success
[7792] 1552322394.293516: Received creds for desired service ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293517: Storing ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk in FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293519: Creating authenticator for ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk, seqnum 27249405, subkey aes256-cts/2328, session key aes256-cts/0013
Unable to download CA cert from LDAP.


Ok, so the client actually asks for the ldap/ipa-b.virt.$domain already,
good. It means the server only knows about the key for
ldap/ipa-b.$domain.

An option would be to turn ldap/ipa-b.virt.$domain into a service
principal alias of ldap/ipa-b.$domain.

You would need to delete ldap/ipa-b.virt.$domain principal first.

ipa service-del ldap/ipa-b.virt.$domain

and then add it as an alias for ldap/ipa-b.$domain:

ipa service-add-principal ldap/ipa-b.$domain ldap/ipa-b.virt.$domain

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
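Added example, not from this thread and not FreeIPA project code: a small Python check that does the comparison Alexander walks through above by hand. It reads the client's KRB5_TRACE output to find which ldap/ service principal the ticket was actually issued for, reads `klist -kt` output taken from the server's /etc/dirsrv/ds.keytab, derives the principal 389-ds itself authenticates as (ldap/<nsslapd-localhost>@REALM, per the earlier explanation in this thread), and emits the alias commands from this message when the two names differ. The trace text, the keytab listing, the example.test hostnames and the EXAMPLE.TEST realm are all constructed placeholders, not the original site's values.

```python
import re
from typing import Optional

# Constructed sample modelled on the KRB5_TRACE output quoted in this thread.
# Hosts and realm are placeholders (example.test), not the original site's names.
KRB5_TRACE_SAMPLE = """\
[7792] 1552322394.293499: Starting with TGT for client realm: admin@EXAMPLE.TEST -> krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
[7792] 1552322394.293500: Requesting tickets for ldap/ipa-b.virt.example.test@EXAMPLE.TEST, referrals on
[7792] 1552322394.293515: TGS request result: 0/Success
[7792] 1552322394.293516: Received creds for desired service ldap/ipa-b.virt.example.test@EXAMPLE.TEST
Unable to download CA cert from LDAP.
"""

# Constructed sample of `klist -kt /etc/dirsrv/ds.keytab` on the server.
KLIST_SAMPLE = """\
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------
   4 08/03/19 16:25:20 ldap/ipa-b.example.test@EXAMPLE.TEST
   4 08/03/19 16:25:20 ldap/ipa-b.example.test@EXAMPLE.TEST
   1 11/03/19 10:50:01 ldap/ipa-b.virt.example.test@EXAMPLE.TEST
"""

DESIRED_RE = re.compile(r"Received creds for desired service (\S+)")
KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", re.MULTILINE)


def requested_service(trace: str) -> Optional[str]:
    """Service principal the client actually obtained a ticket for."""
    m = DESIRED_RE.search(trace)
    return m.group(1) if m else None


def keytab_principals(klist_output: str) -> set:
    """Principals present in a `klist -kt` listing (any KVNO)."""
    return set(KEYTAB_RE.findall(klist_output))


def server_principal(nsslapd_localhost: str, realm: str) -> str:
    """Principal 389-ds uses for its own credentials: ldap/<nsslapd-localhost>@REALM."""
    return f"ldap/{nsslapd_localhost}@{realm}"


def diagnose(trace: str, klist_output: str, nsslapd_localhost: str, realm: str) -> dict:
    """Compare what the client asked for with what the LDAP server authenticates as."""
    requested = requested_service(trace)
    own = server_principal(nsslapd_localhost, realm)
    in_keytab = requested in keytab_principals(klist_output)
    report = {"requested": requested, "server_uses": own, "in_keytab": in_keytab}
    if requested is None:
        # The TGS exchange itself failed; look earlier in the trace, not at the keytab.
        report["verdict"] = "no-service-ticket"
    elif requested == own:
        # Same principal on both sides; the 'Invalid credentials' has another cause.
        report["verdict"] = "ok"
    else:
        report["verdict"] = "principal-mismatch"
        req_name, own_name = requested.split("@")[0], own.split("@")[0]
        # The alias fix from the thread: the name the client resolves to becomes an
        # alias of the principal the server already holds the key for. A separate
        # principal of that name has to be deleted first (a key for it in the keytab
        # is taken here as the sign that it exists).
        fix = []
        if in_keytab:
            fix.append(f"ipa service-del {req_name}")
        fix.append(f"ipa service-add-principal {own_name} {req_name}")
        report["fix"] = fix
    return report


if __name__ == "__main__":
    for key, value in diagnose(KRB5_TRACE_SAMPLE, KLIST_SAMPLE,
                               "ipa-b.example.test", "EXAMPLE.TEST").items():
        print(f"{key}: {value}")
```

Note that `in_keytab` only says a key for the client's name exists in the file; what decides the outcome is the principal the server initialised its own credentials with, which is why the verdict is driven by nsslapd-localhost rather than by keytab membership.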

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 11 Mar 2019, Callum Smith wrote:

Dear Alexander,

We're wondering that too, there's obviously a disparity between the
domain that either end is issuing the LDAP ticket for, and the SRV
records for the `virt.in.bmrc.ox.ac.uk` domain all point to the LDAP
endpoint. Do I need specific SRV records for ldaps and not ldap? I
earlier attached a screenshot of our domain setup for the VIRT
subdomain.

I fear the opposite may be the case and the client is requesting the
correct one but the ldap server is defaulting to the root domain not
the subdomain.

Well, the server is doing the right thing as it doesn't know anything
about the subdomain's hostname. Kernel has only a single hostname.

Can you do a check like this from the client:

export KRB5_TRACE=/dev/stderr
kinit admin
ldapsearch -Y GSSAPI -h ipa-b.virt.in.bmrc.ox.ac.uk -b dc=in,dc=bmrc,dc=ox,dc=ac,dc=uk -s base



Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Mar 2019, at 16:19, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Mon, 11 Mar 2019, Callum Smith wrote:
Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, 
if I use the ldap host:
ldaps://ipa-b.in.bmrc.ox.ac.uk/
but not:
ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/

Since the client can only access the network that is
ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate to LDAP
via that hostname. Is this actually possible, since the TGT is _always_
going to be on ipa-b.$domain because of the nsslapd-localhost entry?
Question I have is why the client actually chooses ldap/ipa-b.$domain
itself? This is probably the easiest place to change since it is driven
by the DNS discovery so you can influence by whatever is put in the DNS
SRV records.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Callum Smith via FreeIPA-users
Dear Alexander,

Some more (hopefully) helpful information with a KRB5_TRACE on while running 
ipa-client install:

ipa-client-install
WARNING: ntpd time synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: virt-test.virt.in.bmrc.ox.ac.uk
Realm: IN.BMRC.OX.AC.UK
DNS Domain: virt.in.bmrc.ox.ac.uk
IPA Server: ipa-b.virt.in.bmrc.ox.ac.uk
BaseDN: dc=in,dc=bmrc,dc=ox,dc=ac,dc=uk

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@in.bmrc.ox.ac.uk:
[7792] 1552322394.293495: ccselect module realm chose cache FILE:/tmp/krbccQ6OHiN/ccache with client principal ad...@in.bmrc.ox.ac.uk for server principal ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293496: Getting credentials ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk using ccache FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293497: Retrieving ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk from FILE:/tmp/krbccQ6OHiN/ccache with result: -1765328243/Matching credential not found (filename: /tmp/krbccQ6OHiN/ccache)
[7792] 1552322394.293498: Retrieving ad...@in.bmrc.ox.ac.uk -> krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk from FILE:/tmp/krbccQ6OHiN/ccache with result: 0/Success
[7792] 1552322394.293499: Starting with TGT for client realm: ad...@in.bmrc.ox.ac.uk -> krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293500: Requesting tickets for ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk, referrals on
[7792] 1552322394.293501: Generated subkey for TGS request: aes256-cts/6474
[7792] 1552322394.293502: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[7792] 1552322394.293504: Encoding request body and padata into FAST request
[7792] 1552322394.293505: Sending request (985 bytes) to IN.BMRC.OX.AC.UK
[7792] 1552322394.293506: Resolving hostname ipa-b.virt.in.bmrc.ox.ac.uk
[7792] 1552322394.293507: Initiating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293508: Sending TCP request to stream 10.141.31.252:88
[7792] 1552322394.293509: Received answer (883 bytes) from stream 10.141.31.252:88
[7792] 1552322394.293510: Terminating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293511: Response was from master KDC
[7792] 1552322394.293512: Decoding FAST response
[7792] 1552322394.293513: FAST reply key: aes256-cts/7B54
[7792] 1552322394.293514: TGS reply is for ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk with session key aes256-cts/0013
[7792] 1552322394.293515: TGS request result: 0/Success
[7792] 1552322394.293516: Received creds for desired service ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293517: Storing ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk in FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293519: Creating authenticator for ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk, seqnum 27249405, subkey aes256-cts/2328, session key aes256-cts/0013
Unable to download CA cert from LDAP.


Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Mar 2019, at 16:19, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Mon, 11 Mar 2019, Callum Smith wrote:
Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, 
if I use the ldap host:
ldaps://ipa-b.in.bmrc.ox.ac.uk/
but not:
ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/

Since the client can only access the network that is
ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate to LDAP
via that hostname. Is this actually possible, since the TGT is _always_
going to be on ipa-b.$domain because of the nsslapd-localhost entry?
Question I 

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Callum Smith via FreeIPA-users
Dear Alexander,

We're wondering that too, there's obviously a disparity between the domain that 
either end is issuing the LDAP ticket for, and the SRV records for the 
`virt.in.bmrc.ox.ac.uk` domain all point to the LDAP endpoint. Do I need 
specific SRV records for ldaps and not ldap? I earlier attached a screenshot of 
our domain setup for the VIRT subdomain.

I fear the opposite may be the case and the client is requesting the correct 
one but the ldap server is defaulting to the root domain not the subdomain.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Mar 2019, at 16:19, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Mon, 11 Mar 2019, Callum Smith wrote:
Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, 
if I use the ldap host:
ldaps://ipa-b.in.bmrc.ox.ac.uk/
but not:
ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/

Since the client can only access the network that is
ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate to LDAP
via that hostname. Is this actually possible, since the TGT is _always_
going to be on ipa-b.$domain because of the nsslapd-localhost entry?
Question I have is why the client actually chooses ldap/ipa-b.$domain
itself? This is probably the easiest place to change since it is driven
by the DNS discovery so you can influence by whatever is put in the DNS
SRV records.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 11 Mar 2019, Callum Smith wrote:

Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, 
if I use the ldap host:
ldaps://ipa-b.in.bmrc.ox.ac.uk/
but not:
ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/

Since the client can only access the network that is
ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate to LDAP
via that hostname. Is this actually possible, since the TGT is _always_
going to be on ipa-b.$domain because of the nsslapd-localhost entry?

Question I have is why the client actually chooses ldap/ipa-b.$domain
itself? This is probably the easiest place to change since it is driven
by the DNS discovery so you can influence by whatever is put in the DNS
SRV records.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Callum Smith via FreeIPA-users
Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, 
if I use the ldap host:
ldaps://ipa-b.in.bmrc.ox.ac.uk/
but not:
ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/

Since the client can only access the network that is 
ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate to LDAP via that 
hostname. Is this actually possible, since the TGT is _always_ going to be on 
ipa-b.$domain because of the nsslapd-localhost entry?

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Mar 2019, at 15:58, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,

klist -kt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   1 02/11/18 12:09:17 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   1 02/11/18 12:09:17 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   3 08/03/19 16:11:12 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   3 08/03/19 16:11:12 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   4 08/03/19 16:11:44 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   4 08/03/19 16:11:44 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   4 08/03/19 16:25:20 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   4 08/03/19 16:25:20 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   1 11/03/19 10:50:01 ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   1 11/03/19 10:50:01 ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   2 11/03/19 10:50:17 ldap/ipa-b.cloud.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   2 11/03/19 10:50:17 ldap/ipa-b.cloud.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   2 11/03/19 10:50:22 ldap/ipa-b.hpc.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   2 11/03/19 10:50:22 ldap/ipa-b.hpc.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk

This is a bit non-standard I understand, but so far this configuration
is working ok. I guess the issue is that the ticket is being issued for
the wrong domain.

I've attached a screenshot of the DNS configuration for the sub-zone.

Our intention here is to ensure that the DNS entry and host for the IPA
server within a different sub-zone and subnet resolves to a single IP
for speed. So a "host" has been created for each of the interfaces, all
of the respective kerberos principals for the host services (ldap in
this case) and then a new certificate issued with the alt names on it
to allow for LDAPS. This works well, right up until the point of GSSAPI
getting involved. There must be a piece of the puzzle we're missing
here!
Can you check in cn=config which value is set for the nsslapd-localhost
attribute? This is the hostname value used by the LDAP server when it
initializes its own TGT from the keytab.

It should be ipa-b.$domain to make sure that both the client
and the server are utilizing the same service principal. I suspect it is
set to ipa-b.virt.$domain and thus the issue.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] FreeIPA causing issues with SMB shares

2019-03-11 Thread Kristian Petersen via FreeIPA-users
We have been using IPA with a number of Ubuntu workstations, but have had
to remove freeipa-client from them because something that happens when
enrolling them prevents them from mounting SMB shares from our fileserver.
Is there a simple explanation as to why this happens?  The shares work fine
before enrollment and after removing freeipa-client.

-- 
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry


[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Callum Smith via FreeIPA-users
From dse.ldif:
nsslapd-localhost: ipa-b.in.bmrc.ox.ac.uk

Fairly sure this is representative of the current running configuration, as the 
node was rebooted only hours ago.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Mar 2019, at 15:58, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,

klist -kt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   1 02/11/18 12:09:17 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   1 02/11/18 12:09:17 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   3 08/03/19 16:11:12 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   3 08/03/19 16:11:12 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   4 08/03/19 16:11:44 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   4 08/03/19 16:11:44 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   4 08/03/19 16:25:20 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   4 08/03/19 16:25:20 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   1 11/03/19 10:50:01 ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   1 11/03/19 10:50:01 ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   2 11/03/19 10:50:17 ldap/ipa-b.cloud.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   2 11/03/19 10:50:17 ldap/ipa-b.cloud.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   2 11/03/19 10:50:22 ldap/ipa-b.hpc.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
   2 11/03/19 10:50:22 ldap/ipa-b.hpc.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk

This is a bit non-standard I understand, but so far this configuration
is working ok. I guess the issue is that the ticket is being issued for
the wrong domain.

I've attached a screenshot of the DNS configuration for the sub-zone.

Our intention here is to ensure that the DNS entry and host for the IPA
server within a different sub-zone and subnet resolves to a single IP
for speed. So a "host" has been created for each of the interfaces, all
of the respective kerberos principals for the host services (ldap in
this case) and then a new certificate issued with the alt names on it
to allow for LDAPS. This works well, right up until the point of GSSAPI
getting involved. There must be a piece of the puzzle we're missing
here!
Can you check in cn=config which value is set for the nsslapd-localhost
attribute? This is the hostname value used by the LDAP server when it
initializes its own TGT from the keytab.

It should be ipa-b.$domain to make sure that both the client
and the server are utilizing the same service principal. I suspect it is
set to ipa-b.virt.$domain and thus the issue.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



[Freeipa-users] Re: IPA install with custom CA fails at SSL: CERTIFICATE_VERIFY_FAILED

2019-03-11 Thread Jonny McCullagh via FreeIPA-users
Thank you Fraser - you hit the nail on the head! 
I had used openssl to create my Root CA and then an Intermediate CA following 
the guides at: https://jamielinux.com/docs/openssl-certificate-authority/ 
In that guide the extension for the intermediate is for pathlen:0 so I either 
need to change that to 1 or to sign the FreeIPA CSR using the Root certificate 
I generated with openssl.
basicConstraints = critical, CA:true, pathlen:0

Many thanks for your help and I hope this question helps someone in future. 
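Added example, not from the message above nor from the linked guide: a Python check of the RFC 5280 pathLenConstraint rule that shows why the chain described there fails (root -> intermediate with pathlen:0 -> FreeIPA CA -> server certificate) and why either fix works. It parses the openssl-style `basicConstraints` value from the message and walks a chain given as (label, CA flag, pathlen) tuples rather than real certificates; the labels and chains are constructed for illustration.

```python
from typing import List, Optional, Tuple

Cert = Tuple[str, bool, Optional[int]]   # (label, is CA, pathlen constraint or None)


def parse_basic_constraints(value: str) -> Tuple[bool, Optional[int]]:
    """Parse an openssl-config-style basicConstraints value such as
    'critical, CA:true, pathlen:0' into (is_ca, pathlen)."""
    is_ca, pathlen = False, None
    for part in value.split(","):
        key, _, val = part.strip().partition(":")
        if key.lower() == "ca":
            is_ca = val.strip().lower() == "true"
        elif key.lower() == "pathlen":
            pathlen = int(val)
    return is_ca, pathlen


def check_path_length(chain: List[Cert]) -> Tuple[bool, str]:
    """RFC 5280 pathLenConstraint check over a chain given root-first.
    A CA certificate with pathlen:n may have at most n further CA certificates
    below it; the end-entity certificate at the bottom does not count."""
    for idx, (name, is_ca, _) in enumerate(chain):
        if not is_ca and idx != len(chain) - 1:
            return False, f"{name} is not a CA but has certificates issued below it"
    cas = [(name, pathlen) for name, is_ca, pathlen in chain if is_ca]
    for idx, (name, pathlen) in enumerate(cas):
        below = len(cas) - idx - 1
        if pathlen is not None and below > pathlen:
            return False, (f"{name}: pathlen:{pathlen} permits {pathlen} "
                           f"subordinate CA(s), found {below}")
    return True, "path length constraints satisfied"


# Constructed chains for the situation in the message (labels are placeholders).
ROOT = ("Root CA", *parse_basic_constraints("critical, CA:true"))
INTERMEDIATE_PL0 = ("Intermediate CA", *parse_basic_constraints("critical, CA:true, pathlen:0"))
INTERMEDIATE_PL1 = ("Intermediate CA", *parse_basic_constraints("critical, CA:true, pathlen:1"))
IPA_CA = ("FreeIPA CA", *parse_basic_constraints("critical, CA:true"))
LEAF = ("ipa server certificate", *parse_basic_constraints("CA:FALSE"))

AS_BUILT = [ROOT, INTERMEDIATE_PL0, IPA_CA, LEAF]       # fails: intermediate allows no sub-CA
FIX_PATHLEN = [ROOT, INTERMEDIATE_PL1, IPA_CA, LEAF]    # option 1: raise pathlen to 1
FIX_SIGN_WITH_ROOT = [ROOT, IPA_CA, LEAF]               # option 2: have the root sign the IPA CSR

if __name__ == "__main__":
    for label, chain in (("as built", AS_BUILT), ("pathlen:1", FIX_PATHLEN),
                         ("signed by root", FIX_SIGN_WITH_ROOT)):
        print(label, check_path_length(chain))
```

Raising the intermediate's pathlen to 1 means regenerating and redistributing the intermediate certificate, whereas signing the FreeIPA CSR with the root leaves the existing intermediate untouched; both satisfy the constraint check above.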


[Freeipa-users] Re: FreeIPA-users Digest, Vol 23, Issue 8

2019-03-11 Thread Rob Crittenden via FreeIPA-users
Julian Gethmann via FreeIPA-users wrote:
> Hello Anthony,
> 
> I don't know if there is an official tool for that, but since I once
> wrote a similar script, you might be happy with that. It requires that
> your Python 3 installation has got the IPA libraries installed and you
> have got a valid Kerberos ticket. I have tested it only on Fedora so far.
> 
> I hope it's useful for you and you can modify it to your needs.

It is probably easier to just do an ldapsearch for this.

% kinit someuser
% ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com uid krbpasswordexpiration

Note that IPA imposes a set of search and time limits on searches which
is lower than the 389-ds default limits. If you have a lot of users
you'll bump into this.

rob

> 
> Regards,
> Julian
> 
> On 09/03/2019 05.03, freeipa-users-requ...@lists.fedorahosted.org wrote:
>> Date: Fri, 8 Mar 2019 11:50:55 -0500
>> From: Anthony Jarvis-Clark
>> Subject: [Freeipa-users] list all users and their password expiration
>> date?
>> To: FreeIPA users list
>>
>> Hello Everyone,
>>
>> Is there a command line method to get a list of users and their password
>> expiration date?
>>
>> Thanks!
>>
>> -Anthony
>>
> 
> 
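Added example, neither Julian's script nor anything from the FreeIPA project: a Python reader for the LDIF that the ldapsearch in Rob's reply prints, turning each krbPasswordExpiration value (LDAP GeneralizedTime, UTC) into an expired / expiring / ok / no-expiry line. It unfolds LDIF continuation lines and accepts base64 (`attr::`) values, since real directories produce both. The LDIF below is constructed for an example.com directory; the uids and dates are not real accounts.

```python
import base64
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample of `ldapsearch -LLL ... uid krbpasswordexpiration` output for an
# example.com domain; not real accounts. One entry lacks the attribute, and one dn is
# folded across two lines the way LDIF wraps long values.
LDIF_SAMPLE = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPasswordExpiration: 20190401120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbPasswordExpiration: 20190301000000Z

dn: uid=svc-backup,cn=users,cn=accounts,dc=example,dc=com
uid: svc-backup

dn: uid=carol,cn=users,cn=accounts,
 dc=example,dc=com
uid: carol
krbPasswordExpiration: 20190312090000Z
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text: str) -> List[dict]:
    """Entries as {attribute-lowercase: [values]}; handles 'attr:: base64' values."""
    entries: List[dict] = []
    current: dict = {}
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """krbPasswordExpiration is LDAP GeneralizedTime in UTC, e.g. 20190401120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_report(text: str, now: datetime,
                  warn_days: int = 14) -> List[Tuple[str, str, Optional[int]]]:
    """(uid, status, whole days until expiry) per entry; status is
    expired / expiring / ok / no-expiry."""
    report = []
    for entry in parse_entries(text):
        uid = entry.get("uid", ["?"])[0]
        values = entry.get("krbpasswordexpiration")
        if not values:
            report.append((uid, "no-expiry", None))
            continue
        seconds = (parse_generalized_time(values[0]) - now).total_seconds()
        days = int(seconds // 86400)          # floors, so an expiry 12h ago counts as -1
        if days < 0:
            status = "expired"
        elif days <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        report.append((uid, status, days))
    return report


if __name__ == "__main__":
    for uid, status, days in expiry_report(LDIF_SAMPLE, utc(2019, 3, 11, 12)):
        print(f"{uid:12} {status:10} {days}")
```

The search limits Rob mentions matter here: when the server cuts the result short, the parser still returns cleanly, but the report only covers the entries that came back, so check ldapsearch's exit status before trusting the list as complete.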


[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 11 Mar 2019, Alexander Bokovoy via FreeIPA-users wrote:

On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:

Dear Alexander,

Sorry, yes indeed using ipa-client-install. The ipaclient-install.log
should be attached, I can upload to dropbox if needed. Discovery
happens successfully, but LDAP GSSAPI authentication is failing for some
reason.

Sorry! I didn't check the attachments, this was my fault!

I'll look later tonight.

.. I think the issue is that your configuration is definitely broken.

in ipaclient-install.log we can see DNS SRV record that has weird name 
ipa-a.virt.in.bmrc.ox.ac.uk.virt.in.bmrc.ox.ac.uk.

2019-03-11T12:30:58Z DEBUG Search DNS for SRV record of _kerberos._udp.virt.in.bmrc.ox.ac.uk
2019-03-11T12:30:58Z DEBUG DNS record found: 0 100 88 ipa-a.virt.in.bmrc.ox.ac.uk.virt.in.bmrc.ox.ac.uk.
2019-03-11T12:30:58Z DEBUG DNS record found: 0 100 88 ipa-b.virt.in.bmrc.ox.ac.uk.

For LDAP discovery then we are OK:

2019-03-11T12:30:58Z DEBUG Start searching for LDAP SRV record in "virt.in.bmrc.ox.ac.uk" (Validating DNS Discovery) and its sub-domains
2019-03-11T12:30:58Z DEBUG Search DNS for SRV record of _ldap._tcp.virt.in.bmrc.ox.ac.uk
2019-03-11T12:30:58Z DEBUG DNS record found: 0 100 389 ipa-a.virt.in.bmrc.ox.ac.uk.
2019-03-11T12:30:58Z DEBUG DNS record found: 0 100 389 ipa-b.virt.in.bmrc.ox.ac.uk.
2019-03-11T12:30:58Z DEBUG DNS validated, enabling discovery

However, there seems to be some issue with the DNS setup for the
ipa-b.virt.$domain machine -- is this a CNAME?

In the ipaclient-install.log we see that admin user can get an initial
ticket granting ticket just fine:

2019-03-11T12:31:04Z DEBUG Initializing principal ad...@in.bmrc.ox.ac.uk using password
2019-03-11T12:31:04Z DEBUG Starting external process
2019-03-11T12:31:04Z DEBUG args=/usr/bin/kinit ad...@in.bmrc.ox.ac.uk -c /tmp/krbccEqCmTM/ccache
2019-03-11T12:31:04Z DEBUG Process finished, return code=0
2019-03-11T12:31:04Z DEBUG stdout=Password for ad...@in.bmrc.ox.ac.uk:

2019-03-11T12:31:04Z DEBUG stderr=

But when trying to authenticate to LDAP with SASL GSSAPI we fail:

2019-03-11T12:31:04Z DEBUG trying to retrieve CA cert via LDAP from ipa-b.virt.in.bmrc.ox.ac.uk
2019-03-11T12:31:04Z DEBUG get_ca_certs_from_ldap() error: Insufficient access:  Invalid credentials
2019-03-11T12:31:04Z DEBUG Insufficient access:  Invalid credentials

In KDC logs we see that we requested a service ticket for
ldap/ipa-b.in.bmrc.ox.ac.uk rather than for ldap/ipa-b.virt.in.bmrc.ox.ac.uk: 


Mar 11 12:31:06 ipa-b.in.bmrc.ox.ac.uk krb5kdc[5701](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.248.2: ISSUE: authtime 1552307464, etypes {rep=18 tkt=18 ses=18}, +ad...@in.bmrc.ox.ac.uk for ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk

Note that ldap/ipa-b.$domain looks like a correct Kerberos service
principal because KDC knows about it. However, this is definitely not
the same principal as used by the LDAP server itself, as the LDAP server
cannot use its own key to decode the service ticket sent by the client, thus
resulting in 'Invalid credentials'.

So, you need to look at what you have defined as a service principal
ldap/* and what you have defined in DNS for that LDAP server.

Can you also look at /etc/dirsrv/ds.keytab on ipa-b server? Use 'klist
-kt /etc/dirsrv/ds.keytab'.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
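An added example (not from the thread or from FreeIPA): a small Python checker that automates the comparison described above. It takes the client's SRV discovery line, the KDC's TGS_REQ line and the output of 'klist -kt' on the LDAP server, and reports when the service principal the client asked for does not match the host it discovered or is absent from the server keytab. The sample lines are constructed with placeholder host names, realm and IP address.

```python
import re

# Constructed sample input modelled on the log lines quoted in the thread.
# Host names, realm and IP address are placeholders, not the poster's values.
CLIENT_LOG = """\
2019-03-11T12:30:58Z DEBUG DNS record found: 0 100 389 ipa-b.virt.example.test.
2019-03-11T12:30:58Z DEBUG DNS validated, enabling discovery
"""
KDC_LOG = ("Mar 11 12:31:06 ipa-b.example.test krb5kdc[5701](info): TGS_REQ "
           "(8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime "
           "1552307464, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST "
           "for ldap/ipa-b.example.test@EXAMPLE.TEST\n")
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
   2 03/11/2019 10:00:00 ldap/ipa-b.virt.example.test@EXAMPLE.TEST
"""

DISCOVERY_RE = re.compile(r"DNS record found: \d+ \d+ \d+ (\S+?)\.?$", re.M)
TGS_RE = re.compile(r"TGS_REQ .*ISSUE.* for (\S+)$", re.M)

def discovered_ldap_host(client_log):
    """Host the client picked from the _ldap._tcp SRV record (no trailing dot)."""
    m = DISCOVERY_RE.search(client_log)
    return m.group(1).lower() if m else None

def requested_service_principals(kdc_log):
    """Service principals the KDC actually issued tickets for."""
    return TGS_RE.findall(kdc_log)

def keytab_principals(klist_output):
    """Principals listed by 'klist -kt', skipping the header lines."""
    principals = set()
    for line in klist_output.splitlines():
        fields = line.split()
        if fields and "/" in fields[-1] and "@" in fields[-1]:
            principals.add(fields[-1])
    return principals

def diagnose(client_log, kdc_log, klist_output):
    """Return findings as strings; an empty list means the names line up."""
    findings = []
    host = discovered_ldap_host(client_log)
    keytab = keytab_principals(klist_output)
    for spn in requested_service_principals(kdc_log):
        service, _, rest = spn.partition("/")
        spn_host = rest.split("@", 1)[0].lower()
        if service == "ldap" and host and spn_host != host:
            # The client built the SPN from a different name than it discovered,
            # typically because DNS (a CNAME or PTR) canonicalised the host name.
            findings.append(f"discovered {host} but requested {spn}")
        if spn not in keytab:
            findings.append(f"{spn} is missing from the server keytab")
    return findings
```

Run diagnose() on the real files from both machines; two findings for the same TGS_REQ line point at the name mismatch Alexander describes rather than at a keytab or password problem.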


[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users

On ma, 11 maalis 2019, Callum Smith via FreeIPA-users wrote:

Dear Alexander,

Sorry, yes indeed using ipa-client-install. The ipaclient-install.log
should be attached, I can upload to dropbox if needed. Discovery
happens successfully, but LDAP GSSAPI authentication is failing for some
reason.

Sorry! I didn't check the attachments, this was my fault!

I'll look later tonight.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Callum Smith via FreeIPA-users
Dear Alexander,

Sorry, yes indeed using ipa-client-install. The ipaclient-install.log should be 
attached, I can upload to dropbox if needed. Discovery happens successfully, but 
LDAP GSSAPI authentication is failing for some reason.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Mar 2019, at 14:27, Alexander Bokovoy <aboko...@redhat.com> wrote:

On ma, 11 maalis 2019, Callum Smith via FreeIPA-users wrote:
Dear IPA Gurus

I have a client that's incapable of joining the FreeIPA realm, it's in
a different DNS sub-zone but is in the same realm. I get the feeling
that there's a kerberos principal missing somewhere to get this all to
work, but I can't quite see where it might be. Simple authentication
ldapsearch using cn=Directory Manager functions perfectly well to the
ipa host in question, however anonymous binds are disabled. I'm not
clear why this wouldn't be working.

From the above it is unclear what your problem is.

Can you show what exactly is failing? ipa-client-install is failing?
Show logs from /var/log/ipaclient-install.log. You aren't using FreeIPA
enrollment? How exactly did you try to enroll that client? Show sequence
of commands you ran.

It is not easy to help with no logs and exact steps tried.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users

On ma, 11 maalis 2019, Callum Smith via FreeIPA-users wrote:

Dear IPA Gurus

I have a client that's incapable of joining the FreeIPA realm, it's in
a different DNS sub-zone but is in the same realm. I get the feeling
that there's a kerberos principal missing somewhere to get this all to
work, but I can't quite see where it might be. Simple authentication
ldapsearch using cn=Directory Manager functions perfectly well to the
ipa host in question, however anonymous binds are disabled. I'm not
clear why this wouldn't be working.

From the above it is unclear what your problem is.

Can you show what exactly is failing? ipa-client-install is failing?
Show logs from /var/log/ipaclient-install.log. You aren't using FreeIPA
enrollment? How exactly did you try to enroll that client? Show sequence
of commands you ran.

It is not easy to help with no logs and exact steps tried.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Web app integration

2019-03-11 Thread Alex Corcoles via FreeIPA-users
Well, looking at it I think it's already well documented at:

https://www.freeipa.org/page/Web_App_Authentication#Kerberos

So maybe it doesn't need any change, although a link to the RFC and being
more explicit about the HTTP/ thing would be better, I guess... but now I
feel that the documentation is OK and I was just dumb :-p

On Mon, Mar 11, 2019 at 11:22 AM Alexander Bokovoy 
wrote:

> On ma, 11 maalis 2019, Alex Corcoles via FreeIPA-users wrote:
> >On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy 
> >wrote:
> >
> >>
> >> Yes, the naming of Kerberos principals is more or less historical. All
> >> browsers only request service tickets to HTTP/ principal. If
> >> you expect browsers to utilize GSSAPI, your target Kerberos service
> >> principal must be HTTP/..  according to
> >> https://tools.ietf.org/html/rfc4559 section 4.1.
> >>
> >Ah, thanks Alexander, that is actually very useful, as now I would like to
> >get the negotiation working across a reverse proxy (which I think is not
> >possible in the way I'd like to- I took it to
> >https://github.com/modauthgssapi/mod_auth_gssapi/issues/201 , but I'm not
> >sure that's the best place).
> >
> >BTW, I think this tidbit is not mentioned in the howtos in the wiki. I
> >think the wiki is not publicly editable, right? Could someone make a
> >visible note about that (the link to the RFC is quite interesting)?
> Can you point me to a page where you want it added?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>


-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] Re: Web app integration

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users

On ma, 11 maalis 2019, Alex Corcoles via FreeIPA-users wrote:

On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy 
wrote:



Yes, the naming of Kerberos principals is more or less historical. All
browsers only request service tickets to HTTP/ principal. If
you expect browsers to utilize GSSAPI, your target Kerberos service
principal must be HTTP/..  according to
https://tools.ietf.org/html/rfc4559 section 4.1.


Ah, thanks Alexander, that is actually very useful, as now I would like to
get the negotiation working across a reverse proxy (which I think is not
possible in the way I'd like to- I took it to
https://github.com/modauthgssapi/mod_auth_gssapi/issues/201 , but I'm not
sure that's the best place).

BTW, I think this tidbit is not mentioned in the howtos in the wiki. I
think the wiki is not publicly editable, right? Could someone make a
visible note about that (the link to the RFC is quite interesting)?

Can you point me to a page where you want it added?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Web app integration

2019-03-11 Thread Alex Corcoles via FreeIPA-users
On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy 
wrote:

>
> Yes, the naming of Kerberos principals is more or less historical. All
> browsers only request service tickets to HTTP/ principal. If
> you expect browsers to utilize GSSAPI, your target Kerberos service
> principal must be HTTP/..  according to
> https://tools.ietf.org/html/rfc4559 section 4.1.
>
Ah, thanks Alexander, that is actually very useful, as now I would like to
get the negotiation working across a reverse proxy (which I think is not
possible in the way I'd like to- I took it to
https://github.com/modauthgssapi/mod_auth_gssapi/issues/201 , but I'm not
sure that's the best place).

BTW, I think this tidbit is not mentioned in the howtos in the wiki. I
think the wiki is not publicly editable, right? Could someone make a
visible note about that (the link to the RFC is quite interesting)?

Cheers,

Álex
-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] Re: FreeIPA-users Digest, Vol 23, Issue 8

2019-03-11 Thread Julian Gethmann via FreeIPA-users

Hello Anthony,

I don't know if there is an official tool for that, but since I once 
wrote a similar script, you might be happy with that. It requires that 
your Python 3 installation has got the IPA libraries installed and you 
have got a valid Kerberos ticket. I have tested it only on Fedora so far.


I hope it's useful for you and you can modify it to your needs.

Regards,
Julian

On 09/03/2019 05.03, freeipa-users-requ...@lists.fedorahosted.org wrote:

Date: Fri, 8 Mar 2019 11:50:55 -0500
From: Anthony Jarvis-Clark
Subject: [Freeipa-users] list all users and their password expiration
date?
To: FreeIPA users list

Hello Everyone,

Is there a command line method to get a list of users and their password
expiration date?

Thanks!

-Anthony

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
   Export the IPA users in the YAML format.

   You need to have a valid Kerberos ticket (e. g. `kinit -f ad...@example.com`)

   :Authors: Julian Gethmann
   :Contact: free...@gethmann.org
"""
import datetime

from ipalib import api

# https://www.redhat.com/archives/freeipa-users/2012-June/msg00334.html +
# https://www.redhat.com/archives/freeipa-devel/2015-June/msg00478.html +
# https://www.redhat.com/archives/freeipa-users/2016-May/msg00141.html
# use the API overview in the web based backend and use `bash $ ipa console`
#
# mailing list:
# $ ipa console
# (Custom IPA interactive Python console)
# >>> len(api.Command.user_find()['result'][0])
# 11
# >>> len(api.Command.user_find(all=True)['result'][0])
#

# Placeholder reported for users that have no krbpasswordexpiration attribute.
NO_EXPIRATION = datetime.datetime(1970, 1, 1)


def bootstrap():
    """
    Bootstrap the script.
    I hope that all of this stuff is re-entrant.
    Also, api is defined in __init__.py.
    """
    api.bootstrap_with_global_options(context='cli')
    api.finalize()
    api.Backend.rpcclient.connect()


def expiration(uid):
    """Password expiration of one user; user_find does not return it, user_show with all=True does."""
    entry = api.Command.user_show(uid, all=True)['result']
    # This is the line you are interested in
    return entry.get('krbpasswordexpiration', (NO_EXPIRATION,))[0]


def main():
    bootstrap()
    users = api.Command.user_find()['result']
    print('\n'.join(
        '''  - firstname: {fname}
    name: {name}
    uid: {uid}
    state: {state}
    expiration: {expire}
'''.format(
            name=user['uid'][0],
            fname=user.get('givenname', '-')[0],
            uid=user['uidnumber'][0],
            expire=expiration(user['uid'][0]),
            # nsaccountlock is True when the account is disabled
            state={False: 'enabled', True: 'disabled'}[user['nsaccountlock']],
        ) for user in users
    ))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(__doc__)
        sys.exit(0)
    main()
# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4


[Freeipa-users] Re: sss_ssh_authorizedkeys returns nothing on client

2019-03-11 Thread Sumit Bose via FreeIPA-users
On Thu, Mar 07, 2019 at 05:24:10PM -, Charles Ulrich via FreeIPA-users 
wrote:
> For what it's worth, I have verified that I can run this on the client and it 
> returns the override object immediately:
> 
> ldapsearch -x -H ldaps://arb-01.engipa.example.com -D 'cn=Directory Manager ' 
> -W -b 'cn=Default Trust 
> View,cn=views,cn=accounts,dc=engipa,dc=example,dc=com' -s sub 
> "(ipaOriginalUid=my.n...@example.com)"

Hi,

you can check the SSSD's cache with the ldbsearch commands from the
ldb-tools packages if the key is already stored locally. Additionally
you can check the sssd_ssh.log file after adding debug_level=9 to the
[ssh] section of sssd.conf and restarting SSSD.

bye,
Sumit

> 
> Thanks,
> Charles


[Freeipa-users] Re: Ad user password authentication doesn't work

2019-03-11 Thread Sumit Bose via FreeIPA-users
On Sun, Mar 10, 2019 at 05:28:15AM -, Patrick Irish via FreeIPA-users wrote:
> I was following the documentation here 
> https://www.freeipa.org/page/Active_Directory_trust_setup  Is there a 
> different doc I should have followed?

Ok, thanks. The checks in this document are just trying to make sure
that the basics are working. An AD DNS server should have the _gc SRV entries
by default and so for a typical setup it should be sufficient to check
just one type of SRV records. Are you using an external DNS server where
you have to add the DNS records manually?

bye,
Sumit
