[Freeipa-users] Re: Plugin to add host to user view
Thank you for the explanation, Alexander. Let me see what I learnt and let you know if I was able to write the plugin correctly.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: FreeIPA server + Replica - HBAC rules not matching
Finn Fysj via FreeIPA-users wrote:
>> I'm setting up a server + replica and I've migrated data from an old IPA server using ipa migrate-ds.
>> I experience problems with SSH into my IPA servers, even though I have HBAC rules to allow this:
>>
>> $ssh test_alice(a)ipa-test.example.com -i test_alice
>> Connection closed by 192.168.10.24 port 22
>>
>> $ssh test_alice(a)ipa-test.example.com
>> (test_alice(a)ipa-test.example.com) Password:
>>
>> [usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com --service=ssh
>>
>> Access granted: True
>>
>> Matched rules: allow_alice
>>
>> [usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
>> ---
>> 1 HBAC rule matched
>> ---
>> dn: ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
>> Rule name: allow_alice
>> Host category: all
>> Service category: all
>> Enabled: True
>> Users: test_alice
>> accessruletype: allow
>>
>> [usr@ipa-test ~]$ ipa user-find test_alice --all
>> --
>> 1 user matched
>> --
>> dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
>> User login: test_alice
>> First name: Alice
>> Last name: Test
>> Full name: Alice Test
>> Display name: Alice Test
>> Initials: AT
>> Home directory: /home/test_alice
>> GECOS: Alice Test
>> Login shell: /bin/sh
>> Principal name: test_alice(a)EXAMPLE.COM
>> Principal alias: test_alice(a)EXAMPLE.COM
>> Email address: test_alice(a)example.com
>> UID: 5002
>> GID: 5002
>> SSH public key: ssh-rsa B3N... test_alice
>>
>> Previously using FreeIPA I have been able to find "denying access" in log files because of not matching HBAC rules. Now I can't find any trace of this, even with debug_level = 10 in /etc/sssd/sssd.conf (domain, ssh, pam, sssd section).
>
> Turns out I have Anonymous Permissions that mess this up.
> Removing the following permissions I can successfully SSH using test_alice
>
> $ ipa permission-find Anonymous
> Permission name: Anonymous Group
> Granted rights: read, search
> Effective attributes: member, memberof
> Bind rule type: anonymous
> Subtree: dc=example,dc=com
> Permission flags: SYSTEM, V2
>
> Permission name: Anonymous User
> Granted rights: read, search
> Effective attributes: memberof
> Bind rule type: anonymous
> Subtree: dc=example,dc=com
> Permission flags: SYSTEM, V2
>
> I have a third one, but that isn't causing issues:
> Permission name: Anonymous PubKey
> Granted rights: read
> Effective attributes: ipasshpubkey
> Bind rule type: anonymous
> Subtree: dc=example,dc=com
> Permission flags: SYSTEM, V2

Seems unlikely that anonymous ACIs would prevent HBAC from working. Especially ACIs that don't apply to the bound dn.

These ACIs also apply very broadly across the server. For example, the user and group ACIs overlap with memberof. You probably want to use a different subtree, say the user container for the first and last, and the group container for that one.

rob
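The scoping problem Rob points at can be checked mechanically. The script below is an added example, not FreeIPA project code: it parses `ipa permission-find` output and lists every anonymous-bind permission whose subtree is the entire base DN, with the attributes it exposes. The sample output is constructed after the three permissions in the thread plus one narrowed permission for contrast, and the container suggestion is this example's own heuristic.

```python
"""Audit `ipa permission-find` output for anonymous-bind permissions that are
scoped to the whole base DN instead of a specific container.

Added example for the thread above; it is not FreeIPA project code. The
sample output is constructed after the three permissions quoted in the thread
plus one narrowed permission for contrast. The container suggestion is a
heuristic of this example, not a rule FreeIPA enforces.
"""

SAMPLE_OUTPUT = """\
4 permissions matched

  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Narrow PubKey (constructed)
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Permission flags: V2

Number of entries returned 4
"""

# Fields whose values are comma-separated lists in the CLI output.
LIST_FIELDS = {"Granted rights", "Effective attributes", "Permission flags"}


def parse_permissions(text):
    """Return one dict per permission block (blocks are blank-line separated)."""
    perms, cur = [], {}
    for line in text.splitlines() + [""]:      # sentinel flushes the last block
        line = line.strip()
        if not line:
            if cur:
                perms.append(cur)
            cur = {}
            continue
        if ":" not in line:                      # "4 permissions matched" etc.
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            cur[key] = [v.strip().lower() for v in value.split(",") if v.strip()]
        else:
            cur[key] = value
    return perms


def normalize_dn(dn):
    """Case-fold and strip whitespace so DN comparison is not cosmetic."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def suggest_subtree(attrs, base_dn):
    """Heuristic: 'member' is a group attribute; memberof/ipasshpubkey are read on users."""
    if "member" in attrs:
        return f"cn=groups,cn=accounts,{base_dn}"
    return f"cn=users,cn=accounts,{base_dn}"


def audit_anonymous(perms, base_dn):
    """List anonymous-bind permissions whose subtree is the entire base DN."""
    base = normalize_dn(base_dn)
    findings = []
    for p in perms:
        if p.get("Bind rule type", "").lower() != "anonymous":
            continue
        if normalize_dn(p.get("Subtree", "")) != base:
            continue                             # already scoped to a container
        attrs = p.get("Effective attributes", [])
        findings.append({
            "name": p["Permission name"],
            "rights": p.get("Granted rights", []),
            "attributes": attrs,
            "system": "system" in p.get("Permission flags", []),
            "suggested_subtree": suggest_subtree(attrs, base),
        })
    return findings


if __name__ == "__main__":
    for f in audit_anonymous(parse_permissions(SAMPLE_OUTPUT), "dc=example,dc=com"):
        print(f"{f['name']}: anonymous {'/'.join(f['rights'])} of "
              f"{', '.join(f['attributes'])} on the whole base DN; "
              f"consider subtree {f['suggested_subtree']}")
```

Feed it the real `ipa permission-find --bindtype=anonymous` output instead of the sample to audit a live server.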
[Freeipa-users] unable to Authenticate users from Ubuntu Desktops
Hi Everyone,

got an issue with our ipa server, users cannot log into their ipa account.

failed to initialize credentials using keytab [MEMORY:/ETC/KRB5.KEYTAB]: cannot contact any kdc for realm 'ABC.COM'
unable to create GSSAPI-encrypted ldap connection

kerberos 5 kdc service status

krb5kdc.service - Kerberos 5 KDC
     Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2023-10-26 14:40:05 UTC; 2h 27min ago
    Process: 927 ExecStart=/usr/sbin/krb5kdc -P /run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
   Main PID: 928 (krb5kdc)
      Tasks: 3 (limit: 9191)
     Memory: 11.4M
        CPU: 9.916s
     CGroup: /system.slice/krb5kdc.service
             ├─928 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
             ├─929 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
             └─930 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2

Oct 26 14:40:05 ipa.zerodha.com systemd[1]: Starting Kerberos 5 KDC...
Oct 26 14:40:05 ipa.zerodha.com systemd[1]: krb5kdc.service: Can't open PID file /run/krb5kdc.pid (yet?) after start: Operation not permitted
Oct 26 14:40:05 ipa.zerodha.com systemd[1]: Started Kerberos 5 KDC.
[Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
On Thu, 26 Oct 2023, Kroon PC, Peter wrote:
> Hi Alexander and Rob,
>
> many thanks for your prompt responses :)
> I made a new lxc machine and restored a backup so at least I have a working environment again. I kept the broken one for further investigation which I'll use to provide more information.
> I'm not super comfortable using mailing lists, and I'm not sure whether my mail client (outlook) will mangle my inline responses.
>
> Peter
>
> From: Alexander Bokovoy
> Sent: Wednesday 25 October 2023 20:49
> To: Rob Crittenden
> CC: FreeIPA users list; Kroon PC, Peter
> Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>
> On Wed, 25 Oct 2023, Rob Crittenden wrote:
>> Alexander Bokovoy via FreeIPA-users wrote:
>>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>>> Hi all,
>>>>
>>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>>>
>>>> $ kinit admin
>>>> Password for ad...@example.com:
>>>> $ ipa show-user admin
>>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (Credential cache is empty)
>>>>
>>>> /var/log/krb5kdc.log:
>>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/freeipa.example@example.com for ldap/freeipa.example@example.com, TGT has been revoked
>>>>
>>>> As the log shows, the KDC states there is no PAC, and therefore revokes the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC). Because of this, the web gui also doesn't work.
>>>
>>> That is correct description of the reason why it does not work.
>>>
>>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>>>> SASL/GSSAPI authentication started
>>>> SASL username: ad...@example.com
>>>> SASL SSF: 256
>>>> SASL data security layer installed.
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope subtree
>>>> # filter: ipaNTSecurityIdentifier=*
>>>> # requesting: uid ipaNTSecurityIdentifier
>>>> #
>>>>
>>>> # admin, users, accounts, example.com
>>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>>> uid: admin
>>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>>>
>>>> # search result
>>>> search: 4
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> Out of the ~200 or so users only the admin user has a ipaNTSecurityIdentifier, but I don't know if it's correct...
>>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI is broken. I do still have LDAP access fortunately.
>>>
>>> You can run it, see below. If you'd run, do you have any error messages in the dirsrv errors log related to sidgen plugin?
>>>
>>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf, but that results in the exact same error. Setting ipaKrbAuthzData=None in cn=ipaConfig also has no effect.
>>>
>>> No, one cannot disable PAC globally in FreeIPA. S4U operations require PAC presence since last year, so for any real Kerberos service that uses S4U (like IPA API or web UI) one cannot disable PAC enforcement.
>
> This is useful information :)
>
>>> Look at your ID range and SID configuration. You can avoid admin issue currently by running 'ipa' tool on IPA server as root with '-e in_server=true' option. This will force the tool to simulate direct access (as if it is running within httpd) and talk directly to LDAPI socket.
>>>
>>> Something like below:
>>>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>> ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.253
>>> Domain: ipa1.test
>>> Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>>> NetBIOS name: IPA1
>>> Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>>> Fallback primary group: Default SMB Group
>>> IPA AD trust agents: master1.ipa1.test
>>> IPA AD trust controllers: master1.ipa1.test
>
> KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
> ipa: ERROR: : trust configuration not found
>
>>> Ok, let's try differently. Can you provide output of
>>>
>>> # ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-EXAMPLE-COM.socket \
>>>     -b cn=ad,cn=etc,dc=example,dc=com
>>>
>>> (replace EXAMPLE-COM and dc=example,dc=com by your domain data)
>>>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>>> ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.253
>>>
>>> 5 ranges matched
>>>
>>> Range name: IPA1.TEST_id_range
>>> First Posix ID of the range: 105560
>>> Number of IDs in the range: 20
>>> First RID of the corresponding RID range: 1000
>>> First RID of the secondary RID range: 1
>>> Range type: local domain range
>>>
>>> ... [ skip ] ...
>>>
>>> ipa: WARNING: API Version number was not
[Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
Kroon PC, Peter wrote:
> Hi Alexander and Rob,
>
> many thanks for your prompt responses :)
> I made a new lxc machine and restored a backup so at least I have a working environment again. I kept the broken one for further investigation which I'll use to provide more information.
> I'm not super comfortable using mailing lists, and I'm not sure whether my mail client (outlook) will mangle my inline responses.
>
> Peter
>
> From: Alexander Bokovoy
> Sent: Wednesday 25 October 2023 20:49
> To: Rob Crittenden
> CC: FreeIPA users list; Kroon PC, Peter
> Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>
> On Wed, 25 Oct 2023, Rob Crittenden wrote:
>> Alexander Bokovoy via FreeIPA-users wrote:
>>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>>> Hi all,
>>>>
>>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>>>
>>>> $ kinit admin
>>>> Password for ad...@example.com:
>>>> $ ipa show-user admin
>>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (Credential cache is empty)
>>>>
>>>> /var/log/krb5kdc.log:
>>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/freeipa.example@example.com for ldap/freeipa.example@example.com, TGT has been revoked
>>>>
>>>> As the log shows, the KDC states there is no PAC, and therefore revokes the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC). Because of this, the web gui also doesn't work.
>>>
>>> That is correct description of the reason why it does not work.
>>>
>>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>>>> SASL/GSSAPI authentication started
>>>> SASL username: ad...@example.com
>>>> SASL SSF: 256
>>>> SASL data security layer installed.
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope subtree
>>>> # filter: ipaNTSecurityIdentifier=*
>>>> # requesting: uid ipaNTSecurityIdentifier
>>>> #
>>>>
>>>> # admin, users, accounts, example.com
>>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>>> uid: admin
>>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>>>
>>>> # search result
>>>> search: 4
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> Out of the ~200 or so users only the admin user has a ipaNTSecurityIdentifier, but I don't know if it's correct...
>>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI is broken. I do still have LDAP access fortunately.
>>>
>>> You can run it, see below. If you'd run, do you have any error messages in the dirsrv errors log related to sidgen plugin?
>>>
>>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf, but that results in the exact same error. Setting ipaKrbAuthzData=None in cn=ipaConfig also has no effect.
>>>
>>> No, one cannot disable PAC globally in FreeIPA. S4U operations require PAC presence since last year, so for any real Kerberos service that uses S4U (like IPA API or web UI) one cannot disable PAC enforcement.
>
> This is useful information :)
>
>>> Look at your ID range and SID configuration. You can avoid admin issue currently by running 'ipa' tool on IPA server as root with '-e in_server=true' option. This will force the tool to simulate direct access (as if it is running within httpd) and talk directly to LDAPI socket.
>>>
>>> Something like below:
>>>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>> ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.253
>>> Domain: ipa1.test
>>> Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>>> NetBIOS name: IPA1
>>> Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>>> Fallback primary group: Default SMB Group
>>> IPA AD trust agents: master1.ipa1.test
>>> IPA AD trust controllers: master1.ipa1.test
>
> KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
> ipa: ERROR: : trust configuration not found
>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>>> ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.253
>>>
>>> 5 ranges matched
>>>
>>> Range name: IPA1.TEST_id_range
>>> First Posix ID of the range: 105560
[Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
Hi Alexander and Rob,

many thanks for your prompt responses :)
I made a new lxc machine and restored a backup so at least I have a working environment again. I kept the broken one for further investigation which I'll use to provide more information.
I'm not super comfortable using mailing lists, and I'm not sure whether my mail client (outlook) will mangle my inline responses.

Peter

From: Alexander Bokovoy
Sent: Wednesday 25 October 2023 20:49
To: Rob Crittenden
CC: FreeIPA users list; Kroon PC, Peter
Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC

On Wed, 25 Oct 2023, Rob Crittenden wrote:
> Alexander Bokovoy via FreeIPA-users wrote:
>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>> Hi all,
>>>
>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>>
>>> $ kinit admin
>>> Password for ad...@example.com:
>>> $ ipa show-user admin
>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (Credential cache is empty)
>>>
>>> /var/log/krb5kdc.log:
>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/freeipa.example@example.com for ldap/freeipa.example@example.com, TGT has been revoked
>>>
>>> As the log shows, the KDC states there is no PAC, and therefore revokes the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC). Because of this, the web gui also doesn't work.
>>
>> That is correct description of the reason why it does not work.
>>
>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>>> SASL/GSSAPI authentication started
>>> SASL username: ad...@example.com
>>> SASL SSF: 256
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: ipaNTSecurityIdentifier=*
>>> # requesting: uid ipaNTSecurityIdentifier
>>> #
>>>
>>> # admin, users, accounts, example.com
>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>> uid: admin
>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>>
>>> # search result
>>> search: 4
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> Out of the ~200 or so users only the admin user has a ipaNTSecurityIdentifier, but I don't know if it's correct...
>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI is broken. I do still have LDAP access fortunately.
>>
>> You can run it, see below. If you'd run, do you have any error messages in the dirsrv errors log related to sidgen plugin?
>>
>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf, but that results in the exact same error. Setting ipaKrbAuthzData=None in cn=ipaConfig also has no effect.
>>
>> No, one cannot disable PAC globally in FreeIPA. S4U operations require PAC presence since last year, so for any real Kerberos service that uses S4U (like IPA API or web UI) one cannot disable PAC enforcement.

This is useful information :)

>> Look at your ID range and SID configuration. You can avoid admin issue currently by running 'ipa' tool on IPA server as root with '-e in_server=true' option. This will force the tool to simulate direct access (as if it is running within httpd) and talk directly to LDAPI socket.
>>
>> Something like below:
>>
>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>> ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.253
>> Domain: ipa1.test
>> Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>> NetBIOS name: IPA1
>> Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>> Fallback primary group: Default SMB Group
>> IPA AD trust agents: master1.ipa1.test
>> IPA AD trust controllers: master1.ipa1.test

KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
ipa: ERROR: : trust configuration not found

>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>> ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.253
>>
>> 5 ranges matched
>>
>> Range name: IPA1.TEST_id_range
>> First Posix ID of the range: 105560
>> Number of IDs in the range: 20
>> First RID of the corresponding RID range: 1000
>> First RID of the secondary RID range: 1
>> Range type: local domain range
>>
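Alexander's hint to look at the ID range and SID configuration can be turned into a check. The script below is an added example, not FreeIPA's own code: it reads `ipa idrange-find` output (the range quoted in the thread) and a constructed user LDIF, and reports for each user whether a SID is present, which local range covers its uidNumber, and the SID sidgen would assign. A user whose uidNumber falls outside every local range cannot get a SID from `--add-sids` until a range is added. The RID formula (first RID of the range plus the UID's offset into the range) is an assumption of this example; admin's well-known RID 500, as seen in the thread, is not recomputed.

```python
"""Cross-check user POSIX IDs against FreeIPA local ID ranges to see which
users can get an ipaNTSecurityIdentifier at all.

Added example for the thread above; not FreeIPA's own code. Range fields are
the ones `ipa idrange-find` prints; the user LDIF is constructed.
Assumption: sidgen derives a user's RID as (first RID of its range) +
(uidNumber - first POSIX ID of its range). Admin's RID 500 is a well-known
exception and is not recomputed here.
"""
from dataclasses import dataclass

# Domain SID as printed by trustconfig-show in the thread.
DOMAIN_SID = "S-1-5-21-790702333-3825749031-3739951824"

# The local range quoted in the thread.
IDRANGE_OUTPUT = """\
1 range matched

  Range name: IPA1.TEST_id_range
  First Posix ID of the range: 105560
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range
"""

# Constructed: admin already has a SID, alice sits inside the range but has
# none yet, bob was migrated with a uidNumber that no local range covers.
USER_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin
uidNumber: 105560
ipaNTSecurityIdentifier: S-1-5-21-790702333-3825749031-3739951824-500

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
uidNumber: 105562

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
uidNumber: 1001
"""


@dataclass
class IdRange:
    name: str
    base_id: int
    size: int
    base_rid: int
    range_type: str

    def contains(self, posix_id):
        return self.base_id <= posix_id < self.base_id + self.size


def _blocks(text):
    """Yield a dict of 'key: value' lines per blank-line-separated block."""
    block = {}
    for line in text.splitlines() + [""]:        # sentinel flushes the last block
        line = line.strip()
        if not line:
            if block:
                yield block
            block = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            block[key.strip()] = value.strip()


def parse_idranges(text):
    return [IdRange(b["Range name"],
                    int(b["First Posix ID of the range"]),
                    int(b["Number of IDs in the range"]),
                    int(b["First RID of the corresponding RID range"]),
                    b["Range type"])
            for b in _blocks(text) if "Range name" in b]


def parse_users(ldif):
    return [b for b in _blocks(ldif) if "uid" in b and "uidNumber" in b]


def audit_sids(users, ranges):
    """Per user: SID present?, covering local range, and the SID sidgen would assign."""
    report = []
    for u in users:
        posix_id = int(u["uidNumber"])
        rng = next((r for r in ranges
                    if r.range_type == "local domain range" and r.contains(posix_id)),
                   None)
        has_sid = "ipaNTSecurityIdentifier" in u
        expected = None
        if rng is not None and not has_sid:       # assumed sidgen RID formula
            expected = f"{DOMAIN_SID}-{rng.base_rid + (posix_id - rng.base_id)}"
        report.append({
            "uid": u["uid"], "uidNumber": posix_id, "has_sid": has_sid,
            "range": rng.name if rng else None,
            "expected_sid": expected,
            # No covering range: --add-sids cannot help until a range is added.
            "needs_range": rng is None,
        })
    return report


if __name__ == "__main__":
    for row in audit_sids(parse_users(USER_LDIF), parse_idranges(IDRANGE_OUTPUT)):
        print(row)
```

On a live server, pipe in the output of `ipa -e in_server=true idrange-find` and an ldapsearch over cn=users,cn=accounts for uid, uidNumber and ipaNTSecurityIdentifier.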
[Freeipa-users] Re: FreeIPA server + Replica - HBAC rules not matching
> I'm setting up a server + replica and I've migrated data from an old IPA > server > using ipa migrate-ds. > I experience problems with SSH into my IPA servers, even though I have HBAC > rules to allow > this: > > > $ssh test_alice(a)ipa-test.example.com -i test_alice > Connection closed by 192.168.10.24 port 22 > > $ssh test_alice(a)ipa-test.example.com > (test_alice(a)ipa-test.example.com) Password: > > [usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com > --service=ssh > > Access granted: True > > Matched rules: allow_alice > > > [usr@ipa-test ~]$ ipa hbacrule-find test_alice --all > --- > 1 HBAC rule matched > --- > dn: > ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com > Rule name: allow_alice > Host category: all > Service category: all > Enabled: True > Users: test_alice > accessruletype: allow > > > [usr@ipa-test ~]$ ipa user-find test_alice --all > -- > 1 user matched > -- > dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com > User login: test_alice > First name: Alice > Last name: Test > Full name: Alice Test > Display name: Alice Test > Initials: AT > Home directory: /home/test_alice > GECOS: Alice Test > Login shell: /bin/sh > Principal name: test_alice(a)EXAMPLE.COM > Principal alias: test_alice(a)EXAMPLE.COM > Email address: test_alice(a)example.com > UID: 5002 > GID: 5002 > SSH public key: ssh-rsa > B3N... > test_alice > > > > Previsouly using FreeIPA I have been able to find "denying access" in log > files > because of not matching HBAC rules. Now I can't find any trace of this, even > with > debug_level = 10 in /etc/sssd/sssd.conf (domain, ssh, pam, sssd section). Turns I have Anonymous Permissions that messes up this. 
Removing the following permissions I can successfully SSH using test_alice:

$ ipa permission-find Anonymous
  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

I have a third one, but that isn't causing issues:

  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2
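An added example, not code from the FreeIPA project or from the poster: it parses `ipa permission-find` output in the record format quoted above and lists every anonymous-bind permission that exposes `member` or `memberof`, which is a quick way to spot the two permissions the poster removed during a review. The sample output is constructed from the three permissions shown in the post.

```python
# Audit 'ipa permission-find' output for anonymous-bind permissions.
# Added example, not FreeIPA project code: parses the 'Key: value' record
# format quoted in the thread; SAMPLE_OUTPUT is constructed from the post.
import re

SAMPLE_OUTPUT = """\
3 permissions matched
  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com

  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
"""


def parse_permissions(text: str) -> list:
    """One dict per record; a record ends at a blank or non-'Key: value' line."""
    records, current = [], {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+): (.*)$", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
        elif current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def anonymous_exposure(text: str, watched=("member", "memberof")) -> dict:
    """Anonymous-bind permissions mapped to the watched attributes they expose."""
    found = {}
    for rec in parse_permissions(text):
        if rec.get("Bind rule type") != "anonymous":
            continue
        attrs = [a.strip() for a in rec.get("Effective attributes", "").split(",")]
        hits = [a for a in attrs if a in watched]
        if hits:
            found[rec["Permission name"]] = hits
    return found
```

Feed it the real output of `ipa permission-find --bindtype=anonymous` (or the unfiltered listing) to see which anonymous permissions expose group membership on your deployment.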
[Freeipa-users] Smartcard login issues
Dear all,

I am having a bit of a broad issue, so I am not sure how and where to write, but maybe someone can point me in the right direction.

I have a use case where I got some Gemalto eToken 5110 which are quite proprietary, but work with their own libraries in accordance with pam_pkcs11 (not with opensc in any way or form). The system this is being worked on is a Debian 12 machine, included into our freeIPA.

The certificates configured on these eTokens have a UPN username / X509v3 Subject Alternative Name for Windows Login. The certificates are from another authority and are unknown to our freeIPA - and we cannot reach the other authority. To still use them, we included pam_pkcs11 with checks for the root CA, signature and CRL, which all work.

To log in the users, I took pam_pkcs11 with the generic mapper and map the UPN name to one of our freeIPA usernames, which has been logged into the Debian 12 system beforehand. This works very well, meaning that all our eTokens (basically subscribing to the same UPN username, but still being different certs) are mapped to this one internal user which has been created on the freeIPA. Thanks to this rework, any member can take his/her eToken and successfully log into the system.

However, it does not trigger the generation of the Kerberos ticket for the freeIPA user that it's logged into. This is the final step I would need for this to work, as this Kerberos ticket is the key to all the applications needed to run.

Any idea how I can solve this? Thanks so much!
[Freeipa-users] FreeIPA server + Replica - HBAC rules not matching
I'm setting up a server + replica and I've migrated data from an old IPA server using ipa migrate-ds.
I experience problems with SSH into my IPA servers, even though I have HBAC rules to allow this:

$ssh test_al...@ipa-test.example.com -i test_alice
Connection closed by 192.168.10.24 port 22

$ssh test_al...@ipa-test.example.com
(test_al...@ipa-test.example.com) Password:

[usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com --service=ssh

Access granted: True

Matched rules: allow_alice

[usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
---
1 HBAC rule matched
---
dn: ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
Rule name: allow_alice
Host category: all
Service category: all
Enabled: True
Users: test_alice
accessruletype: allow

[usr@ipa-test ~]$ ipa user-find test_alice --all
--
1 user matched
--
dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
User login: test_alice
First name: Alice
Last name: Test
Full name: Alice Test
Display name: Alice Test
Initials: AT
Home directory: /home/test_alice
GECOS: Alice Test
Login shell: /bin/sh
Principal name: test_al...@example.com
Principal alias: test_al...@example.com
Email address: test_al...@example.com
UID: 5002
GID: 5002
SSH public key: ssh-rsa B3N... test_alice

Previously using FreeIPA I have been able to find "denying access" in log files because of not matching HBAC rules. Now I can't find any trace of this, even with debug_level = 10 in /etc/sssd/sssd.conf (domain, ssh, pam, sssd section).