[Freeipa-users] Re: KDE administration not working for freeipa user
For some reason it is trying to use a local user as the username... But the UID is correct.

brianw@fenix:~$ tail -n3 /var/log/auth.log
Apr 18 14:40:02 fenix polkit-agent-helper-1[2907]: pam_unix(polkit-1:auth): authentication failure; logname= uid=38690 euid=0 tty= ruser=ladmin rhost= user=ladmin
Apr 18 14:40:02 fenix polkit-agent-helper-1[2907]: pam_sss(polkit-1:auth): authentication failure; logname= uid=38690 euid=0 tty= ruser=ladmin rhost= user=ladmin
Apr 18 14:40:02 fenix polkit-agent-helper-1[2907]: pam_sss(polkit-1:auth): received for user ladmin: 10 (User not known to the underlying authentication module)

~ Brian Watson | Have a great day!

On Tue, Apr 16, 2019 at 11:29 PM Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> On Tue, Apr 16, 2019 at 07:49:40PM -0700, Brian Watson | Watsontech.net via FreeIPA-users wrote:
> > Hello,
> >
> > I have a freeipa server (centos7) setup. I installed freeipa-client on my KDE Neon laptop. I can sign in with my freeipa user and am able to use sudo. But when asked for a password whilst doing KDE administration, it does not work.
> >
> > Any logs I should check?
>
> Hi,
>
> maybe you can check if there are PAM related messages in /var/log/secure or the journal around the time you are giving the password for KDE administration. If e.g. a special PAM service is used by KDE and you are using HBAC you might need to add this service to a rule which allows access.
>
> HTH
>
> bye,
> Sumit

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
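As an added example (not from the thread), a small Python parser for pam_unix/pam_sss lines like the ones above. It groups authentication results by PAM service name, so you can see which service (here polkit-1) Sumit's HBAC advice would apply to, and it flags when pam_sss returned PAM_USER_UNKNOWN (code 10), which means SSSD never recognised the name being authenticated and no HBAC rule was evaluated at all. The log lines are constructed after the excerpt above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on this thread's auth.log excerpt, plus a successful sudo line for contrast.
SAMPLE_AUTH_LOG = """\
Apr 18 14:40:02 fenix polkit-agent-helper-1[2907]: pam_unix(polkit-1:auth): authentication failure; logname= uid=38690 euid=0 tty= ruser=ladmin rhost= user=ladmin
Apr 18 14:40:02 fenix polkit-agent-helper-1[2907]: pam_sss(polkit-1:auth): authentication failure; logname= uid=38690 euid=0 tty= ruser=ladmin rhost= user=ladmin
Apr 18 14:40:02 fenix polkit-agent-helper-1[2907]: pam_sss(polkit-1:auth): received for user ladmin: 10 (User not known to the underlying authentication module)
Apr 18 14:41:10 fenix sudo: pam_sss(sudo:auth): authentication success; logname=brianw uid=38690 euid=0 tty=/dev/pts/0 ruser=brianw rhost= user=brianw
"""

# Linux-PAM return codes pam_sss reports in its "received for user X: N" lines.
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<type>\w+)\): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
RET_RE = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+)")

def parse_pam_line(line):
    """Return a dict for one pam_* syslog line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec, msg = m.groupdict(), m.group("msg")
    if msg.startswith(("authentication failure", "authentication success")):
        rec["result"] = msg.split(";")[0]
        rec.update(KV_RE.findall(msg))        # logname=, uid=, ruser=, user=, ...
    elif RET_RE.match(msg):                   # pam_sss: "received for user X: N (text)"
        r = RET_RE.match(msg)
        rec["result"], rec["user"] = "return", r.group("user")
        rec["code"] = PAM_CODES.get(int(r.group("code")), r.group("code"))
    return rec

def summarize(log_text):
    """Group events by PAM service: failure/success counts, users tried, pam_sss codes."""
    summary = defaultdict(lambda: {"failures": 0, "successes": 0, "users": set(), "sss_codes": []})
    for line in log_text.splitlines():
        rec = parse_pam_line(line)
        if rec is None or "result" not in rec:
            continue
        s = summary[rec["service"]]
        if rec["result"].startswith("authentication"):
            s["failures" if rec["result"].endswith("failure") else "successes"] += 1
            s["users"].add(rec.get("user", ""))
        elif rec["module"] == "pam_sss":
            s["sss_codes"].append((rec["user"], rec["code"]))
    return dict(summary)

def hbac_review(summary):
    """Per failing service: is the user unknown to SSSD (HBAC never evaluated), or is HBAC next?"""
    verdicts = {}
    for service, s in summary.items():
        if s["failures"]:
            unknown = sorted({u for u, code in s["sss_codes"] if code == "PAM_USER_UNKNOWN"})
            verdicts[service] = ("unknown to SSSD: " + ", ".join(unknown) if unknown
                                 else "check that an HBAC rule allows this PAM service")
    return verdicts
```

Run it over `journalctl -u polkit` or /var/log/secure output instead of the sample to see the service names in use on your own client.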
[Freeipa-users] Re: Scripting host certificate creation
On 4/18/19 3:42 PM, Rob Crittenden wrote:
> The cert should be added to the entry automatically by ipa cert-request.

Aha! Looks like it actually was added. It just doesn't show up in the web UI immediately. (I'm not sure if it takes a certain amount of time or a log out/log in, but it's there now.)

Thanks!

--
Ian Pilcher arequip...@gmail.com
"I grew up before Mark Zuckerberg invented friendship"
[Freeipa-users] Re: Scripting host certificate creation
Ian Pilcher via FreeIPA-users wrote:
> I am trying to script the creation of a bunch of host certificates.
>
> Unlike the web UI, the CLI seems to require two separate steps to do this. (Please correct me if I'm wrong about this.)
>
> After I generate a key and CSR, I create a certificate with 'ipa cert-request'. I am using host/${HOSTNAME}@${REALM} as the principal, and I am saving the certificate with the --certificate-out option.
>
> Now I apparently need to use 'ipa host-add-cert' to add the certificate to the host, but this requires that the certificate be passed in base64 format on the command line. I'm sure I can figure out how to do this with some combination of sed, tr, etc., but this seems excessively painful. Is there really not a way to do this in a single step or feed a PEM-encoded certificate to 'ipa host-add-cert'?

The cert should be added to the entry automatically by ipa cert-request.

Sadly the UI for adding a cert is a bit lacking. This should work:

$ ipa host-mod --certificate="`cat /tmp/cert.pem | grep -v ^\-`" test.example.test

rob
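An added example (not Rob's or FreeIPA's code) that does the same armour-stripping in Python, with the checks a script should make before handing the value to the CLI: exactly one PEM block, labelled CERTIFICATE (not a private key or a chain), and base64 that decodes to a DER SEQUENCE. The sample PEM blocks are constructed from a 5-byte DER stub, not real certificates; the `ipa host-mod --certificate=` form is the one Rob gives above.

```python
import base64
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----", re.S)

def pem_to_ipa_certificate(pem_text):
    """Return the bare base64 DER string that `ipa host-mod --certificate=` and
    `ipa host-add-cert` expect. Raises ValueError on anything but one certificate."""
    blocks = PEM_RE.findall(pem_text)            # list of (label, body) tuples
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label != "CERTIFICATE":
        raise ValueError(f"PEM block is a {label}, not a CERTIFICATE")
    b64 = "".join(body.split())                  # drop the 64-column line breaks
    der = base64.b64decode(b64, validate=True)   # rejects stray characters
    if not der or der[0] != 0x30:                # an X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return b64

def host_mod_argv(hostname, pem_text):
    """argv for subprocess.run(): no shell involved, so the base64 needs no quoting."""
    return ["ipa", "host-mod", "--certificate=" + pem_to_ipa_certificate(pem_text), hostname]

def is_single_certificate(pem_text):
    """True when pem_text holds exactly one well-formed certificate block."""
    try:
        pem_to_ipa_certificate(pem_text)
        return True
    except ValueError:
        return False

def _armor(label, der):
    """Build a constructed PEM block for the samples below (standard 64-column wrapping)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"

# Constructed samples: a 5-byte DER SEQUENCE stands in for a real certificate body.
SAMPLE_CERT_PEM = _armor("CERTIFICATE", bytes.fromhex("3003020101"))
SAMPLE_KEY_PEM = _armor("PRIVATE KEY", bytes.fromhex("3003020100"))
SAMPLE_CHAIN_PEM = SAMPLE_CERT_PEM + SAMPLE_CERT_PEM

if __name__ == "__main__":
    print(" ".join(host_mod_argv("test.example.test", SAMPLE_CERT_PEM)))
```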
[Freeipa-users] Scripting host certificate creation
I am trying to script the creation of a bunch of host certificates.

Unlike the web UI, the CLI seems to require two separate steps to do this. (Please correct me if I'm wrong about this.)

After I generate a key and CSR, I create a certificate with 'ipa cert-request'. I am using host/${HOSTNAME}@${REALM} as the principal, and I am saving the certificate with the --certificate-out option.

Now I apparently need to use 'ipa host-add-cert' to add the certificate to the host, but this requires that the certificate be passed in base64 format on the command line. I'm sure I can figure out how to do this with some combination of sed, tr, etc., but this seems excessively painful. Is there really not a way to do this in a single step or feed a PEM-encoded certificate to 'ipa host-add-cert'?

--
Ian Pilcher arequip...@gmail.com
"I grew up before Mark Zuckerberg invented friendship"
[Freeipa-users] Re: Logon returns Insufficient system resources exist to complete the requested service.
Thank you for that information! I'll look forward to this feature sometime in the future. I believe it will be awesome for both projects. I really appreciate your work on this!

On Thu, Apr 18, 2019, 12:19 AM Alexander Bokovoy wrote:

> On Wed, 17 Apr 2019, Vex Mage via FreeIPA-users wrote:
> > Hello,
> >
> > I've personally been using FreeIPA for some time and I love it immensely. I thought I'd start a post here due to the direction my troubleshooting has gone instead of the Samba mailing list. Allow me to explain what I've done, why I've done it and then the problem I'm having.
> >
> > I just recently started working for a school and the school has some Windows labs. A problem that has come to my attention is that the OpenLDAP to Samba3 NT4 domain they've been using for years is no longer compatible with Windows 10. To dispel any illusion, I'm not trying to get the NT4 domain working nice with Windows 10. Additionally Samba4 has changed its design structure such that OpenLDAP, or really any LDAP server except Samba4's internal LDAP server, will no longer work for the Active Directory.
> >
> > The school would like the Windows machines in the labs to authenticate students via their OpenLDAP credentials. I am open to alternatives but the closest thing I found was adding local users on each Windows workstation and having them authenticate to the FreeIPA server. The problem here is that users will continually be added and deleted. The Samba project would have us go all in with Samba4's internal LDAP server. While I'm not directly knocking that, since from my testing it seems to be quite functional, the upheaval would be tremendous. Fortunately we were already looking into switching to 389 before I came on so I've been touting the possibility of replacing OpenLDAP with FreeIPA before this Samba4 issue. A solution I thought should work is to use a trust between a FreeIPA (IPA) and a Samba4 Active Directory (AD). I've since configured both and have created that trust.
> >
> > I have a Windows 10 machine connected to the Samba4 domain. When I attempt to logon with an account from the IPA domain I am presented with "Insufficient system resources exist to complete the requested service." At first I took this message at face value and increased the memory of the workstation from which I'm trying to logon. There are few results from a Google search about this error without focusing on local memory. After reading and troubleshooting I believe this failure may be in the Kerberos InitializeSecurityContext function that's producing SEC_E_INSUFFICIENT_MEMORY, specifically on the Windows workstation and seemingly not coming from Samba4 AD.
>
> FreeIPA users cannot login to Windows boxes at this time. This is unsupported and never was. See my talk at SambaXP 2017:
>
> https://sambaxp.org/archive_data/SambaXP2017-SLIDES/Day3/Track2/Global%20Catalog%20implementation%20in%20FreeIPA%20-%20Alexander%20Bokovoy.pdf
>
> I had hoped to implement Global Catalog service and other quirks to allow this but unfortunately other tasks took over. Recently I got a fix to allow AD DCs to talk to IPA DC over SMB for some requests so some issues might be mitigated but Windows clients do talk to Global Catalog unconditionally and, as you can see in my talk at SambaXP, they don't really test fallbacks from GC operations so it might be luck at some point and a fail in other cases.
>
> Hopefully, once I finish most of the efforts to enable Samba operations on the domain member, https://github.com/abbra/freeipa/tree/samba-domain-member, I'll be able to return back to Global Catalog work.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
[Freeipa-users] Re: AD Trust Integration Issue
FWIW on your EL7 ipa-server you can find the krb-ad stuff under /var/lib/sss/pubconf/ and /var/lib/sss/pubconf/krb5.include.d/. Like Alexander says, this config should be reflected in the ipa client's krb config.

HTH
D

‐‐‐ Original Message ‐‐‐
On Thursday, April 18, 2019 8:23 AM, Alexander Bokovoy via FreeIPA-users wrote:

> On Thu, 18 Apr 2019, Henry Pelke via FreeIPA-users wrote:
> > Good morning,
> >
> > I have recently set up an environment with FreeIPA 4.6.4-10 using CentOS 7 as the IPA Master. After setting up I joined the IPA master to the local AD and everything seemed to work fine.
> >
> > The issue I'm facing is that after adding the external and POSIX groups I can authenticate to the IPA Master as an AD user but the server with the IPA client doesn't appear to be able to authenticate AD users.
> >
> > The client server is unable to run getent or kinit against any AD user and returns 'Cannot find KDC for realm ""...'
>
> Make sure your clients have Kerberos configuration (in krb5.conf or /etc/krb5.conf.d/) that defines AD realms or allows to discover AD realms from DNS.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
[Freeipa-users] docker-compose and unattended install
Hi,

does somebody know how I can do an unattended ipa-server-install with docker-compose?

I tried to add the file ipa-server-install-options in /data (/var/lib/ipa-data) with these options:

--realm=EXAMPLE.TEST
--ds-password=The-directory-server-password
--admin-password=The-admin-password

as I saw here, but without success.
https://hub.docker.com/r/freeipa/freeipa-server/

If someone has done that before, please share info :)

Thanks.

—
Petar Kozić
[Freeipa-users] Re: AD Trust Integration Issue
On Thu, 18 Apr 2019, Henry Pelke via FreeIPA-users wrote:
> Good morning,
>
> I have recently set up an environment with FreeIPA 4.6.4-10 using CentOS 7 as the IPA Master. After setting up I joined the IPA master to the local AD and everything seemed to work fine.
>
> The issue I'm facing is that after adding the external and POSIX groups I can authenticate to the IPA Master as an AD user but the server with the IPA client doesn't appear to be able to authenticate AD users.
>
> The client server is unable to run getent or kinit against any AD user and returns 'Cannot find KDC for realm ""...'

Make sure your clients have Kerberos configuration (in krb5.conf or /etc/krb5.conf.d/) that defines AD realms or allows to discover AD realms from DNS.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] AD Trust Integration Issue
Good morning,

I have recently set up an environment with FreeIPA 4.6.4-10 using CentOS 7 as the IPA Master. After setting up I joined the IPA master to the local AD and everything seemed to work fine.

The issue I'm facing is that after adding the external and POSIX groups I can authenticate to the IPA Master as an AD user but the server with the IPA client doesn't appear to be able to authenticate AD users.

The client server is unable to run getent or kinit against any AD user and returns 'Cannot find KDC for realm ""...'

From the krb5kdc log I can see what looks to be an issue with the TGS request, and the errors TGS_REQ ISSUE: authtime as well as AS_REQ: NEEDED_PREAUTH additional preauth required.

I have enabled debug logs for SSSD but nothing except sigterms has been logged so far.

Please let me know if I can send any logs.

Kind regards,
HP
[Freeipa-users] Re: Logon returns Insufficient system resources exist to complete the requested service.
On Wed, 17 Apr 2019, Vex Mage via FreeIPA-users wrote:
> Hello,
>
> I've personally been using FreeIPA for some time and I love it immensely. I thought I'd start a post here due to the direction my troubleshooting has gone instead of the Samba mailing list. Allow me to explain what I've done, why I've done it and then the problem I'm having.
>
> I just recently started working for a school and the school has some Windows labs. A problem that has come to my attention is that the OpenLDAP to Samba3 NT4 domain they've been using for years is no longer compatible with Windows 10. To dispel any illusion, I'm not trying to get the NT4 domain working nice with Windows 10. Additionally Samba4 has changed its design structure such that OpenLDAP, or really any LDAP server except Samba4's internal LDAP server, will no longer work for the Active Directory.
>
> The school would like the Windows machines in the labs to authenticate students via their OpenLDAP credentials. I am open to alternatives but the closest thing I found was adding local users on each Windows workstation and having them authenticate to the FreeIPA server. The problem here is that users will continually be added and deleted. The Samba project would have us go all in with Samba4's internal LDAP server. While I'm not directly knocking that, since from my testing it seems to be quite functional, the upheaval would be tremendous. Fortunately we were already looking into switching to 389 before I came on so I've been touting the possibility of replacing OpenLDAP with FreeIPA before this Samba4 issue. A solution I thought should work is to use a trust between a FreeIPA (IPA) and a Samba4 Active Directory (AD). I've since configured both and have created that trust.
>
> I have a Windows 10 machine connected to the Samba4 domain. When I attempt to logon with an account from the IPA domain I am presented with "Insufficient system resources exist to complete the requested service." At first I took this message at face value and increased the memory of the workstation from which I'm trying to logon. There are few results from a Google search about this error without focusing on local memory. After reading and troubleshooting I believe this failure may be in the Kerberos InitializeSecurityContext function that's producing SEC_E_INSUFFICIENT_MEMORY, specifically on the Windows workstation and seemingly not coming from Samba4 AD.

FreeIPA users cannot login to Windows boxes at this time. This is unsupported and never was. See my talk at SambaXP 2017:

https://sambaxp.org/archive_data/SambaXP2017-SLIDES/Day3/Track2/Global%20Catalog%20implementation%20in%20FreeIPA%20-%20Alexander%20Bokovoy.pdf

I had hoped to implement Global Catalog service and other quirks to allow this but unfortunately other tasks took over. Recently I got a fix to allow AD DCs to talk to IPA DC over SMB for some requests so some issues might be mitigated but Windows clients do talk to Global Catalog unconditionally and, as you can see in my talk at SambaXP, they don't really test fallbacks from GC operations so it might be luck at some point and a fail in other cases.

Hopefully, once I finish most of the efforts to enable Samba operations on the domain member, https://github.com/abbra/freeipa/tree/samba-domain-member, I'll be able to return back to Global Catalog work.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland