[Freeipa-users] Re: Authentication taking too long

2020-04-23 Thread Raul Dias via FreeIPA-users
sorry.

It affects all users.
No AD.
I have a basic server with CA, DNS and DS.
Fedora 31.

It happens on FreeIPA's web interface, on Nextcloud (integrated through LDAP),
and when changing to a user (su - ) on FreeIPA's host.
As it is 30s, it seems to be a hardcoded timeout.

-rsd

On Thu, 23 Apr 2020 at 14:41, Rob Crittenden wrote:

> Raul Dias via FreeIPA-users wrote:
> > Hello,
> >
> > Authenticating a user is taking about 30s.
> > This sounds like a dns timeout or something like this.
> > How can I debug where the problem is?
>
> In order to help we need to know what kind of authentication you're
> doing. Is this authenticating an IPA user or a user over AD trust? What
> authentication mechanism? Is it affecting all users? On all hosts?
>
> rob
>
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Samba integration ROLLBACK ?

2020-04-23 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 23 Apr 2020, lejeczek via FreeIPA-users wrote:

> hi guys,
>
> A year or so ago it was _not_ possible to roll back Samba
> integration in an official, orderly fashion.
> Would you know if it is still the case or maybe IPA
> evolution brought some tools for that?


An official answer would be: create a new replica without the trust controller
role and decommission this one. This is the recommended and supported way.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Samba integration ROLLBACK ?

2020-04-23 Thread lejeczek via FreeIPA-users
hi guys,

A year or so ago it was _not_ possible to roll back Samba
integration in an official, orderly fashion.
Would you know if it is still the case or maybe IPA
evolution brought some tools for that?

many thanks, L.



[Freeipa-users] Re: Authentication taking too long

2020-04-23 Thread Rob Crittenden via FreeIPA-users
Raul Dias via FreeIPA-users wrote:
> Hello,
> 
> Authenticating a user is taking about 30s.
> This sounds like a dns timeout or something like this.
> How can I debug where the problem is?

In order to help we need to know what kind of authentication you're
doing. Is this authenticating an IPA user or a user over AD trust? What
authentication mechanism? Is it affecting all users? On all hosts?

rob


[Freeipa-users] Re: User private groups

2020-04-23 Thread Rob Crittenden via FreeIPA-users
Mary Georgiou via FreeIPA-users wrote:
> Hello,
> I'm a bit confused with the private user groups.
> If I set user A's uidNumber to the gidNumber of another group B (not a 
> private user one) then the user will have the same uidNumber as two groups' 
> gidNumbers, the group B and their own private group.
> How does this affect ldapsearch if I'd like to retrieve the group B and not 
> the private group based on gid? Are there going to be other side effects?
> Also, from what I've understood the private user groups are used to manage 
> rights, so I guess we cannot choose to delete them or at least choose to have 
> them created as non-POSIX, right?
> Thank you very much,

I'm not going to directly answer your questions but I hope that I can
explain how private groups work and that it will be helpful.

POSIX requires a user to have a uid and a gid. You can have some common
gid (say for the group ipausers) but then you can end up with a huge,
unmanageable group (trust me on this one).

Or you can create a group with the same gid as uid and assign only the
user to that. Red Hat-based distros had been doing that for quite some
time before IPA came along.

IPA took a similar route except made it so that these private groups
cannot contain members. And since they can't contain members why show
them by default in group-find? And isn't that sooo much nicer to only
see the groups you really care about and not a bunch of no-member user
groups?

Otherwise private groups aren't used for anything at all. It is just
each individual user's playground.

If you want to make a private group non-private for some reason you can
use the command ipa group-detach. There is no re-attach equivalent so
use this wisely. I have a blog entry on how to do it,
https://rcritten.wordpress.com/2018/09/05/migration-and-user-private-groups/
but I was just curious if it could be done, don't consider this supported.

rob
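Mary's question above (how to retrieve group B rather than the private group when both carry the same gidNumber) is not answered directly in the thread. The following is an added example, not code from the thread or from FreeIPA itself, showing one way to disambiguate the two. It rests on an assumption about IPA's schema that the thread does not state: a user private group is created by the 389-ds Managed Entries plugin, so it carries the objectClass mepManagedEntry and a mepManagedBy attribute pointing at its user, while an ordinary group has neither, and "ipa group-detach" is assumed to strip exactly those. The directory snapshot, DNs and gid values are constructed for illustration.

```python
import copy
from typing import Dict, List

Entry = Dict[str, List[str]]

USER_A = "uid=a,cn=users,cn=accounts,dc=example,dc=test"
UPG_A = "cn=a,cn=groups,cn=accounts,dc=example,dc=test"
GROUP_B = "cn=b,cn=groups,cn=accounts,dc=example,dc=test"

# Constructed snapshot: user A (uid 1500), A's private group (gid 1500) and an
# ordinary group B that was also given gidNumber 1500, as in Mary's question.
# Assumption: the MEP plugin links the pair via mepManagedEntry / mepManagedBy.
DIRECTORY: Dict[str, Entry] = {
    USER_A: {
        "objectClass": ["posixaccount", "mepOriginEntry"],
        "uidNumber": ["1500"],
        "gidNumber": ["1500"],
        "mepManagedEntry": [UPG_A],
    },
    UPG_A: {
        "objectClass": ["posixgroup", "mepManagedEntry"],
        "gidNumber": ["1500"],
        "mepManagedBy": [USER_A],
    },
    GROUP_B: {
        "objectClass": ["posixgroup", "ipausergroup"],
        "gidNumber": ["1500"],
        "member": [USER_A],
    },
}


def _has_objectclass(entry: Entry, oc: str) -> bool:
    return oc.lower() in (v.lower() for v in entry.get("objectClass", []))


def is_private_group(entry: Entry) -> bool:
    """A POSIX group that the MEP plugin manages on behalf of a user (assumed marker)."""
    return _has_objectclass(entry, "posixgroup") and "mepManagedBy" in entry


def ldap_filter(gid: str, include_private: bool = False) -> str:
    """The filter one would hand to ldapsearch for the same lookup."""
    base = f"(&(objectClass=posixgroup)(gidNumber={gid})"
    return base + (")" if include_private else "(!(mepManagedBy=*)))")


def groups_with_gid(directory: Dict[str, Entry], gid: str,
                    include_private: bool = False) -> List[str]:
    """Evaluate ldap_filter() against the in-memory snapshot; returns matching DNs."""
    hits = []
    for dn, entry in directory.items():
        if not _has_objectclass(entry, "posixgroup"):
            continue
        if gid not in entry.get("gidNumber", []):
            continue
        if not include_private and is_private_group(entry):
            continue
        hits.append(dn)
    return hits


def private_groups_with_members(directory: Dict[str, Entry]) -> List[str]:
    """Private groups never carry members (Rob's point); report any that do."""
    return [dn for dn, e in directory.items()
            if is_private_group(e) and e.get("member")]


def detach(directory: Dict[str, Entry], group_dn: str) -> Dict[str, Entry]:
    """Simulate what 'ipa group-detach' is assumed to do, on a copy: the group
    becomes an ordinary user group and the user loses its managed-entry link."""
    new = copy.deepcopy(directory)
    group = new[group_dn]
    user_dn = group.pop("mepManagedBy")[0]
    group["objectClass"] = [oc for oc in group["objectClass"]
                            if oc.lower() != "mepmanagedentry"] + ["ipausergroup"]
    user = new[user_dn]
    user.pop("mepManagedEntry", None)
    user["objectClass"] = [oc for oc in user["objectClass"]
                           if oc.lower() != "meporiginentry"]
    return new


if __name__ == "__main__":
    print("filter:", ldap_filter("1500"))
    print("non-private groups with gid 1500:", groups_with_gid(DIRECTORY, "1500"))
    print("after detach:", groups_with_gid(detach(DIRECTORY, UPG_A), "1500"))
```

The point of the `(!(mepManagedBy=*))` clause is that a gidNumber lookup alone returns both entries once the numbers collide; after a detach the former private group no longer carries the marker and shows up like any other group, which is why Rob warns there is no way back.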


[Freeipa-users] Authentication taking too long

2020-04-23 Thread Raul Dias via FreeIPA-users
Hello,

Authenticating a user is taking about 30s.
This sounds like a dns timeout or something like this.
How can I debug where the problem is?

Thank you,
-rsd


[Freeipa-users] User private groups

2020-04-23 Thread Mary Georgiou via FreeIPA-users
Hello,
I'm a bit confused with the private user groups.
If I set user A's uidNumber to the gidNumber of another group B (not a 
private user one) then the user will have the same uidNumber as two groups' 
gidNumbers, the group B and their own private group.
How does this affect ldapsearch if I'd like to retrieve the group B and not the 
private group based on gid? Are there going to be other side effects?
Also, from what I've understood the private user groups are used to manage 
rights, so I guess we cannot choose to delete them or at least choose to have 
them created as non-POSIX, right?
Thank you very much,
Mary


[Freeipa-users] Re: AD trust nested AD groups

2020-04-23 Thread Natxo Asenjo via FreeIPA-users
On Thu, 23 Apr 2020 at 12:45, Alexander Bokovoy  wrote:

> On Thu, 23 Apr 2020, Natxo Asenjo via FreeIPA-users wrote:
> >On Thu, Apr 23, 2020 at 8:47 AM Alexander Bokovoy 
> >wrote:
> >
> >>
> >> Domain local groups are not visible through the forest trust, so they
> >> cannot
> >> be used in FreeIPA for access control means.
> >>
> >> Global groups can be used if they are security groups and not just
> >> distribution groups.
> >>
> >>
> >aha, thanks for this piece of information, I could not find it in the
> >documentation (which is probably my entire fault ;-) ).
> >
> >Is this the reason why?
> >https://docs.microsoft.com/en-us/windows/win32/ad/group-objects
> >
> >In that document, in the scope part:
> >
> >group scope    group can be assigned permission in
> >-
> >universal      any domain or forest
> >global         Member permissions can be assigned in any domain
> >domain local   Member permissions can be assigned only within the same domain as the parent domain local group
> >
> >
> >Is this the technical reason the IdM trusting forest cannot see the domain
> >local groups? So we require global or universal groups?
> >
> >I need to justify some stuff to our AD people, that's why I ask ;-)
>
> It is covered in Microsoft documentation for Active Directory protocols.
>
> MS-AUTHSOD 1.1.1.4.1:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/597504d8-5408-4629-9d81-aab661e6c953
> MS-KILE 3.3.5.7.3:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-KILE/e55ad922-4940-432d-a253-41919d6efd24
> MS-PAC 4.1.2.1:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/6dd1b247-2a81-4450-8844-35fd5f3e7ac4
>
> So *any* service ticket towards a service outside of the user's domain
> will not have domain local groups in the PAC record when issued by an AD
> DC. As a result, when SSSD on an IPA client analyzes the PAC record from
> the user's Kerberos ticket, it will not have any domain local groups
> mentioned there and they cannot be used to define access rights outside
> of the domain.
>

Awesome. Thanks for this explanation, it really helps.
-- 
Groeten,
natxo


[Freeipa-users] Re: AD trust nested AD groups

2020-04-23 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 23 Apr 2020, Natxo Asenjo via FreeIPA-users wrote:

> On Thu, Apr 23, 2020 at 8:47 AM Alexander Bokovoy wrote:
>
> > Domain local groups are not visible through the forest trust, so they
> > cannot be used in FreeIPA for access control means.
> >
> > Global groups can be used if they are security groups and not just
> > distribution groups.
>
> aha, thanks for this piece of information, I could not find it in the
> documentation (which is probably my entire fault ;-) ).
>
> Is this the reason why?
> https://docs.microsoft.com/en-us/windows/win32/ad/group-objects
>
> In that document, in the scope part:
>
> group scope    group can be assigned permission in
> -
> universal      any domain or forest
> global         Member permissions can be assigned in any domain
> domain local   Member permissions can be assigned only within the same domain as the parent domain local group
>
> Is this the technical reason the IdM trusting forest cannot see the domain
> local groups? So we require global or universal groups?
>
> I need to justify some stuff to our AD people, that's why I ask ;-)


It is covered in Microsoft documentation for Active Directory protocols.

MS-AUTHSOD 1.1.1.4.1: 
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/597504d8-5408-4629-9d81-aab661e6c953
MS-KILE 3.3.5.7.3: 
https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-KILE/e55ad922-4940-432d-a253-41919d6efd24
MS-PAC 4.1.2.1: 
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/6dd1b247-2a81-4450-8844-35fd5f3e7ac4

So *any* service ticket towards a service outside of the user's domain
will not have domain local groups in the PAC record when issued by an AD
DC. As a result, when SSSD on an IPA client analyzes the PAC record from
the user's Kerberos ticket, it will not have any domain local groups
mentioned there and they cannot be used to define access rights outside
of the domain.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
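Alexander's answer above gives two rules for which AD groups an IPA external group can usefully reference across a forest trust: domain local groups never appear in the PAC of a cross-domain service ticket, and a group must be a security group rather than a distribution group. The following is an added example, not code from the thread or from FreeIPA, that applies those two rules to the groupType bit flags AD stores on each group object (the flag values are the documented ones; the group names and the two-tier account/resource layout are constructed after Natxo's description, and the audit function is a hypothetical helper, not an IPA command).

```python
from typing import Iterable, Tuple, Dict

# groupType flag bits as documented for Active Directory group objects.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def _unsigned(group_type: int) -> int:
    """AD returns groupType as a signed 32-bit integer; normalise to unsigned."""
    return group_type & 0xFFFFFFFF


def scope_of(group_type: int) -> str:
    gt = _unsigned(group_type)
    if gt & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain local"
    if gt & GROUP_TYPE_GLOBAL:
        return "global"
    if gt & GROUP_TYPE_UNIVERSAL:
        return "universal"
    return "unknown"


def is_security_group(group_type: int) -> bool:
    return bool(_unsigned(group_type) & GROUP_TYPE_SECURITY_ENABLED)


def usable_across_trust(group_type: int) -> Tuple[bool, str]:
    """Return (usable, reason) for referencing the group from an IPA external group,
    applying the two rules from the thread: not domain local, and security-enabled."""
    scope = scope_of(group_type)
    if scope == "domain local":
        return False, "domain local: not included in the PAC of cross-domain service tickets"
    if not is_security_group(group_type):
        return False, f"{scope} distribution group: carries no security principal"
    if scope == "unknown":
        return False, "unrecognised scope flags"
    return True, f"{scope} security group"


def audit(groups: Iterable[Tuple[str, int]]) -> Dict[str, Tuple[bool, str]]:
    """groups: (name, groupType) pairs, e.g. read from AD with an LDAP search."""
    return {name: usable_across_trust(gt) for name, gt in groups}


# Constructed sample mirroring the account-group / resource-group layout in the
# thread. Values are the signed form AD hands back over LDAP.
SAMPLE_GROUPS = [
    ("acct-finance", -2147483646),   # 0x80000002: global security group
    ("res-fileshare", -2147483644),  # 0x80000004: domain local security group
    ("all-hands", 8),                # 0x00000008: universal distribution group
    ("acct-hr", -2147483640),        # 0x80000008: universal security group
]

if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE_GROUPS).items():
        print(f"{name:15} {'OK  ' if ok else 'SKIP'} {why}")
```

Running the audit over the sample flags the resource group "res-fileshare" and the distribution list "all-hands" as unusable and leaves the two account groups, which is the justification Natxo was after: membership in a resource (domain local) group has to be expressed on the IPA side through the global or universal security groups that feed it.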


[Freeipa-users] Re: AD trust nested AD groups

2020-04-23 Thread Natxo Asenjo via FreeIPA-users
On Thu, Apr 23, 2020 at 8:47 AM Alexander Bokovoy 
wrote:

>
> Domain local groups are not visible through the forest trust, so they
> cannot
> be used in FreeIPA for access control means.
>
> Global groups can be used if they are security groups and not just
> distribution groups.
>
>
aha, thanks for this piece of information, I could not find it in the
documentation (which is probably my entire fault ;-) ).

Is this the reason why?
https://docs.microsoft.com/en-us/windows/win32/ad/group-objects

In that document, in the scope part:

group scope    group can be assigned permission in
-
universal      any domain or forest
global         Member permissions can be assigned in any domain
domain local   Member permissions can be assigned only within the same domain as the parent domain local group


Is this the technical reason the IdM trusting forest cannot see the domain
local groups? So we require global or universal groups?

I need to justify some stuff to our AD people, that's why I ask ;-)

Thanks in advance.
--
Groeten,
natxo


[Freeipa-users] Re: CSR in PRINTABLESTRING enc when docs says UTF8STRING is default

2020-04-23 Thread Fredrik Arneving via FreeIPA-users
Hi Fraser,

Thanks for putting time into this matter.

In the back of my head I've started the re-design of my private LAN to avoid 
this problem altogether. I have enough trouble learning the basics of 
certificate handling so first things first...

I'll probably get back to this thread with more "ordinary" questions once my 
actual work starts.

Thanks for now.
/Fredrik


[Freeipa-users] Re: Replication issue with CSN generator

2020-04-23 Thread Morgan Marodin via FreeIPA-users
Hi Thierry.

To tell the truth my configuration was already set to on, on both VMs:

[root@srv01 ~]# ldapsearch -D "cn=Directory Manager" -h localhost -b "cn=config" -w $PASS | grep nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on

[root@srv02 ~]# ldapsearch -D "cn=Directory Manager" -h localhost -b "cn=config" -w $PASS | grep nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on

Anyway, I tried to set it to off and then to on again, but now I
have a new issue in the logs of the 2nd server :(

Srv01 logs are similar to before:
[23/Apr/2020:09:28:45.958922636 +0200] - WARN - csngen_new_csn - Too much time skew (-22777212 secs). Current seqnum=5ca0

Srv02 logs now look like this:

[23/Apr/2020:09:32:14.919328803 +0200] - ERR - agmt="cn=meTosrv01.ipa.mydomain.com" (srv01:389) - clcache_load_buffer - Can't locate CSN 5e7cfe0300040003 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[23/Apr/2020:09:32:14.920873489 +0200] - ERR - NSMMReplicationPlugin - changelog program - repl_plugin_name_cl - agmt="cn=meTosrv01.ipa.mydomain.com" (srv01:389): CSN 5e7cfe0300040003 not found, we aren't as up to date, or we purged
[23/Apr/2020:09:32:14.922161821 +0200] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=meTosrv01.ipa.mydomain.com" (srv01:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.

I have just tried to force a replica on both sides, without success:

[root@srv01 ~]# ipa-replica-manage force-sync --from srv02.ipa.mydomain.com
No status yet
No status yet
No status yet
[root@srv02 ~]# ipa-replica-manage force-sync --from srv01.ipa.mydomain.com
No status yet
No status yet
No status yet

What could I do now?
Thanks, bye

On Wed, 22 Apr 2020 at 17:08, thierry bordaz via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi Morgan,
>
> Sure. The most immediate and safest action is to do
>
> dn: cn=config
> changetype: modify
> replace: nsslapd-ignore-time-skew
> nsslapd-ignore-time-skew: on
>
>
>
> On all servers in the topology (no need to restart). Then monitor if
> replication is catching up.
> Okay, NTP issues are likely the RC of your time skew but there is no easy
> way to prove it, if any.
>
> best regards
> thierry
>
>
>
> On 4/22/20 3:16 PM, Morgan Marodin via FreeIPA-users wrote:
>
> Hi.
>
> I don't have access to RedHat portal :(
> Are there similar articles in a public forum?
>
> Anyway ... could I stop ipa-server, change the value of
> *nsslapd-ignore-time-skew* in
> */etc/dirsrv/slapd-IPA-MYDOMAIN-COM/dse.ldif* and start the server again?
> Or is it more complicated to change the configuration?
>
> VMs are local, but the cluster where the 1st server is running is affected
> by NTP problems ...
> For this reason I want to remove the First Master and install another
> replica in the new cluster.
>
> Thanks, bye.
> Morgan
>
> On Wed, 22 Apr 2020 at 11:33, thierry bordaz via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi,
>>
>> CSN generator time skew is a pending issue still under investigation.
>>
>> At the moment the way your csn generator is messed up does not look fatal.
>> You can allow replication to continue with the setting of
>> nsslapd-ignore-time-skew on all servers. (
>> https://access.redhat.com/solutions/1162703)
>>
>> If it does not allow replication to continue there is a recovery
>> procedure but I would recommend first trying ignore-time-skew (
>> https://access.redhat.com/solutions/3543811)
>>
>> NTP tuning or specific VMs are suspected to contribute to time skew. What
>> type of VMs are you using (local or cloud (AWS)) ?
>>
>> best regards
>> thierry
>>
>> On 4/21/20 5:42 PM, Morgan Marodin via FreeIPA-users wrote:
>>
>> Hi.
>>
>> In my environment I have two IPA servers, replicating each other.
>> They are both 7.6 OS systems, ipa-server RPM version is
>> 4.6.4-10.0.1.el7_6.2.x86_64.
>>
>> The first server installed was srv01 (many years ago), then I installed
>> the replica on srv02 (about a year after the 1st node).
>> When I had a single server I did also a trust with my corporate Active
>> Directory.
>> VMs are running in 2 different hypervisor clusters.
>>
>> Now the replication doesn't work. In the log files I have this error:
>>
>>
>> [16/Apr/2020:12:25:36.856632697 +0200] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 23221226, limit - 86400
>> [16/Apr/2020:12:25:36.857909222 +0200] - ERR - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTosrv01.ipa.mydomain.com" (srv01:389): Fatal error - too much time skew between replicas!
>> [16/Apr/2020:12:25:36.862233147 +0200] - ERR - NSMMReplicationPlugin - repl5_inc_run - 
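
The csngen_* lines in this thread report the skew in seconds and the 86400 s adjustment limit directly, and the "Can't locate CSN" lines name the CSN the consumer is missing. The following is an added example, not code from the thread or from 389-ds, that pulls those values out of access/error log lines and decodes the generator timestamp carried in the first eight hex digits of a CSN, so a replica pair can be checked for skew before it trips the limit. The three sample lines are copied from Morgan's messages; the helper names are hypothetical.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# The "limit - 86400" value that csngen_adjust_time reports in the thread.
SKEW_LIMIT_SECS = 86400


def csn_timestamp(csn: str) -> int:
    """A 389-ds CSN string begins with the 8-hex-digit (32-bit) generator time
    in seconds since the epoch; that is the value csngen compares between replicas."""
    if not re.fullmatch(r"[0-9a-fA-F]{16,20}", csn):
        raise ValueError(f"not a CSN: {csn!r}")
    return int(csn[:8], 16)


def csn_time(csn: str) -> datetime:
    return datetime.fromtimestamp(csn_timestamp(csn), tz=timezone.utc)


_ADJUST = re.compile(
    r"csngen_adjust_time - Adjustment limit exceeded; value - (-?\d+), limit - (\d+)")
_NEWCSN = re.compile(r"csngen_new_csn - Too much time skew \((-?\d+) secs\)")
_MISSING = re.compile(r"CSN ([0-9a-fA-F]{16,20})")


def parse_skew(line: str) -> Optional[Tuple[int, int]]:
    """Return (skew_secs, limit_secs) from a csngen log line, or None if it is not one."""
    m = _ADJUST.search(line)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _NEWCSN.search(line)
    if m:
        # csngen_new_csn does not print the limit; use the value the adjust path reported.
        return int(m.group(1)), SKEW_LIMIT_SECS
    return None


def skew_exceeds_limit(line: str) -> bool:
    parsed = parse_skew(line)
    return parsed is not None and abs(parsed[0]) > parsed[1]


def summarise(lines: List[str]) -> List[str]:
    """One human-readable finding per skew line or missing-CSN line."""
    out = []
    for line in lines:
        if skew_exceeds_limit(line):
            skew, limit = parse_skew(line)
            out.append(f"skew {skew:+d}s ({skew / 86400:+.1f} days) exceeds limit {limit}s")
        m = _MISSING.search(line)
        if m:
            out.append(f"CSN {m.group(1)} was generated at {csn_time(m.group(1)).isoformat()}")
    return out


# Sample lines copied from the thread (srv01 and srv02 error logs).
SAMPLE_LOG = [
    "[16/Apr/2020:12:25:36.856632697 +0200] - ERR - csngen_adjust_time - "
    "Adjustment limit exceeded; value - 23221226, limit - 86400",
    "[23/Apr/2020:09:28:45.958922636 +0200] - WARN - csngen_new_csn - "
    "Too much time skew (-22777212 secs). Current seqnum=5ca0",
    '[23/Apr/2020:09:32:14.919328803 +0200] - ERR - agmt="cn=meTosrv01.ipa.mydomain.com" '
    "(srv01:389) - clcache_load_buffer - Can't locate CSN 5e7cfe0300040003 in the "
    "changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.",
]

if __name__ == "__main__":
    for finding in summarise(SAMPLE_LOG):
        print(finding)
```

Decoding the CSN from the srv02 log places its generation on 26 March 2020, roughly four weeks before the error, which is consistent with Thierry's reading that the missing change has been purged from the changelog rather than lost in transit; the skew values themselves are on the order of 260 days, far beyond the one-day limit, which is why ignore-time-skew was the first thing to try.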

[Freeipa-users] Re: AD trust nested AD groups

2020-04-23 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 22 Apr 2020, Natxo Asenjo via FreeIPA-users wrote:

> hi,
>
> On Wed, Apr 22, 2020 at 7:26 PM Natxo Asenjo wrote:
>
> > In order to use AD nested groups, do we need to add an external IdM group
> > for every nested group?
> >
> > specifically, our AD people have global groups (account groups, they say)
> > with the user accounts, and the domain local groups (resource groups, they
> > call them) have these global groups as members.
> >
> > So, in order to grant the people on the domain local groups which have no
> > direct user members, should we create both external groups in IdM? Both the
> > global group and the domain local group?


Domain local groups are not visible through the forest trust, so they cannot
be used in FreeIPA for access control means.

Global groups can be used if they are security groups and not just
distribution groups.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland