[Freeipa-users] Re: Plugin to add host to user view

2023-10-26 Thread Ales Rozmarin via FreeIPA-users
Thank you for the explanation, Alexander.

Let me see what I have learnt, and I will let you know whether I was able to write the plugin correctly.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: FreeIPA server + Replica - HBAC rules not matching

2023-10-26 Thread Rob Crittenden via FreeIPA-users
Finn Fysj via FreeIPA-users wrote:
>> I'm setting up a server + replica and I've migrated data from an old IPA 
>> server
>> using ipa migrate-ds.
>> I experience problems with SSH into my IPA servers, even though I have HBAC 
>> rules to allow
>> this:
>>
>>
>> $ssh test_alice(a)ipa-test.example.com -i test_alice
>> Connection closed by 192.168.10.24 port 22
>>
>> $ssh test_alice(a)ipa-test.example.com
>> (test_alice(a)ipa-test.example.com) Password:
>>
>> [usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com
>> --service=ssh
>> 
>> Access granted: True
>> 
>>   Matched rules: allow_alice
>>   
>>   
>> [usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
>> ---
>> 1 HBAC rule matched
>> ---
>>   dn: 
>> ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
>>   Rule name: allow_alice
>>   Host category: all
>>   Service category: all
>>   Enabled: True
>>   Users: test_alice
>>   accessruletype: allow
>>   
>>
>> [usr@ipa-test ~]$ ipa user-find test_alice --all
>> --
>> 1 user matched
>> --
>>   dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
>>   User login: test_alice
>>   First name: Alice
>>   Last name: Test
>>   Full name: Alice Test
>>   Display name: Alice Test
>>   Initials: AT
>>   Home directory: /home/test_alice
>>   GECOS: Alice Test
>>   Login shell: /bin/sh
>>   Principal name: test_alice(a)EXAMPLE.COM
>>   Principal alias: test_alice(a)EXAMPLE.COM
>>   Email address: test_alice(a)example.com
>>   UID: 5002
>>   GID: 5002
>>   SSH public key: ssh-rsa
>>   B3N...
>>   test_alice
>>
>>
>>
>> Previously using FreeIPA I have been able to find "denying access" in log 
>> files
>> because of not matching HBAC rules. Now I can't find any trace of this, even 
>> with
>> debug_level = 10 in /etc/sssd/sssd.conf  (domain, ssh, pam, sssd section).
> 
> Turns out I have Anonymous Permissions that mess this up.
> Removing the following permissions, I can successfully SSH using test_alice:
> $ ipa permission-find Anonymous
>   Permission name: Anonymous Group
>   Granted rights: read, search
>   Effective attributes: member, memberof
>   Bind rule type: anonymous
>   Subtree: dc=example,dc=com
>   Permission flags: SYSTEM, V2
> 
>   Permission name: Anonymous User
>   Granted rights: read, search
>   Effective attributes: memberof
>   Bind rule type: anonymous
>   Subtree: dc=example,dc=com
>   Permission flags: SYSTEM, V2
> 
> 
> I have a third one, but that isn't causing issues:
>  Permission name: Anonymous PubKey
>   Granted rights: read
>   Effective attributes: ipasshpubkey
>   Bind rule type: anonymous
>   Subtree: dc=example,dc=com
>   Permission flags: SYSTEM, V2

It seems unlikely that anonymous ACIs would prevent HBAC from working,
especially ACIs that don't apply to the bound DN.

These ACIs also apply very broadly across the server. For example, the
user and group ACIs overlap with memberof. You probably want to use a
different subtree, say the user container for the first and last, and
the group container for that one.

rob
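
Rob's point about scope is worth checking mechanically before touching anything: an anonymous-bind ACI whose subtree is the suffix exposes the named attributes on every entry in the directory, and anonymous read of member/memberof in particular hands group membership (who is in admins, for instance) to anyone who can reach the LDAP port. The following is an added example, not code from this thread or from FreeIPA: it parses the `ipa permission-find` listing Finn posted, keeps the permissions with an anonymous bind rule, and reports which ones cover the whole suffix together with the container they could be narrowed to (or split across). The attribute-to-container mapping and the sample listing, including one made-up non-anonymous permission to show it is filtered out, are assumptions of the example.

```python
import re

# Constructed sample input, not captured from a live server: the three anonymous
# permissions quoted in the thread plus one made-up non-anonymous one, laid out
# the way `ipa permission-find` prints them.
SAMPLE_PERMISSION_FIND = """\
  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Helpdesk Read Users
  Granted rights: read, search
  Effective attributes: uid, cn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Permission flags: V2
"""

# Container each attribute should be readable from: an assumption made for the
# example, following Rob's suggestion (membership lists on group entries,
# memberOf and SSH keys on user entries).
ATTRIBUTE_CONTAINER = {
    "member": "cn=groups,cn=accounts",
    "memberof": "cn=users,cn=accounts",
    "ipasshpubkey": "cn=users,cn=accounts",
}


def parse_permission_find(text):
    """One dict per permission in `ipa permission-find` output, keys lower-cased."""
    permissions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(": ")
            if sep:
                entry[key.lower()] = value.strip()
        if "permission name" in entry:
            permissions.append(entry)
    return permissions


def csv_values(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def audit_anonymous_permissions(text, suffix):
    """Anonymous-bind permissions, each flagged if its subtree is the whole suffix."""
    suffix = suffix.lower()
    findings = []
    for perm in parse_permission_find(text):
        if perm.get("bind rule type", "").lower() != "anonymous":
            continue
        attrs = csv_values(perm.get("effective attributes", ""))
        containers = sorted({ATTRIBUTE_CONTAINER[a] for a in attrs if a in ATTRIBUTE_CONTAINER})
        subtree = perm.get("subtree", "").lower()
        findings.append({
            "name": perm["permission name"],
            "rights": csv_values(perm.get("granted rights", "")),
            "attributes": attrs,
            "subtree": subtree,
            "too_broad": subtree == suffix,      # readable on every entry in the directory
            "suggested_subtrees": [f"{c},{suffix}" for c in containers],
            "needs_split": len(containers) > 1,  # attributes live in different containers
            "system": "system" in csv_values(perm.get("permission flags", "")),
        })
    return findings


def summarize(findings):
    """One line per finding: what anonymous clients can read, and where to narrow it."""
    lines = []
    for f in findings:
        scope = "the whole suffix" if f["too_broad"] else f["subtree"]
        action = ("split across " if f["needs_split"] else "narrow to ") + (", ".join(f["suggested_subtrees"]) or "a container chosen by hand")
        lines.append(f"{f['name']}: {'/'.join(f['rights'])} on {', '.join(f['attributes'])} under {scope}; {action}")
    return lines


if __name__ == "__main__":
    for line in summarize(audit_anonymous_permissions(SAMPLE_PERMISSION_FIND, "dc=example,dc=com")):
        print(line)
```

Before and after narrowing a permission, an unauthenticated search from a client (`ldapsearch -x -H ldap://ipa-test.example.com -b dc=example,dc=com memberof`) shows what anonymous clients can actually read, which is the check that matters more than the permission listing itself.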


[Freeipa-users] unable to Authenticate users from Ubuntu Desktops

2023-10-26 Thread md tabrez via FreeIPA-users
Hi Everyone,
We have got an issue with our IPA server: users cannot log in to their IPA accounts.

failed to initialize credentials using keytab [MEMORY:/ETC/KRB5.KEYTAB]: cannot 
contact any kdc for realm 'ABC.COM' unable to create GSSAPI-encrypted ldap 
connection

Kerberos 5 KDC service status:
krb5kdc.service - Kerberos 5 KDC
     Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2023-10-26 14:40:05 UTC; 2h 27min ago
    Process: 927 ExecStart=/usr/sbin/krb5kdc -P /run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
   Main PID: 928 (krb5kdc)
      Tasks: 3 (limit: 9191)
     Memory: 11.4M
        CPU: 9.916s
     CGroup: /system.slice/krb5kdc.service
             ├─928 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
             ├─929 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
             └─930 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2

Oct 26 14:40:05 ipa.zerodha.com systemd[1]: Starting Kerberos 5 KDC...
Oct 26 14:40:05 ipa.zerodha.com systemd[1]: krb5kdc.service: Can't open PID file /run/krb5kdc.pid (yet?) after start: Operation not permitted
Oct 26 14:40:05 ipa.zerodha.com systemd[1]: Started Kerberos 5 KDC.


[Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC

2023-10-26 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 26 Oct 2023, Kroon PC, Peter wrote:
> Hi Alexander and Rob,
>
> many thanks for your prompt responses :)
> I made a new lxc machine and restored a backup so at least I have a working
> environment again. I kept the broken one for further investigation which I'll
> use to provide more information.
> I'm not super comfortable using mailing lists, and I'm not sure whether my mail
> client (outlook) will mangle my inline responses.
>
> Peter
>
>
> From: Alexander Bokovoy
> Sent: Wednesday 25 October 2023 20:49
> To: Rob Crittenden
> CC: FreeIPA users list; Kroon PC, Peter
> Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT
> following S4U2PROXY_NO_HEADER_PAC
>
> On Wed, 25 Oct 2023, Rob Crittenden wrote:
>> Alexander Bokovoy via FreeIPA-users wrote:
>>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>>> Hi all,
>>>>
>>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA
>>>> server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>>>
>>>> $ kinit admin
>>>> Password for ad...@example.com:
>>>> $ ipa user-show admin
>>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>>>> Error: No credentials were supplied, or the credentials were
>>>> unavailable or inaccessible (Credential cache is empty)
>>>>
>>>> /var/log/krb5kdc.log:
>>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes
>>>> {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
>>>> aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)})
>>>> 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes
>>>> {rep=UNSUPPORTED:(0)} HTTP/freeipa.example@example.com for
>>>> ldap/freeipa.example@example.com, TGT has been revoked
>>>>
>>>> As the log shows, the KDC states there is no PAC, and therefore revokes
>>>> the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC).
>>>> Because of this, the web gui also doesn't work.
>>>
>>> That is a correct description of the reason why it does not work.
>>>
>>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl
>>>> "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>>>> SASL/GSSAPI authentication started
>>>> SASL username: ad...@example.com
>>>> SASL SSF: 256
>>>> SASL data security layer installed.
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base  with scope subtree
>>>> # filter: ipaNTSecurityIdentifier=*
>>>> # requesting: uid ipaNTSecurityIdentifier
>>>> #
>>>>
>>>> # admin, users, accounts, example.com
>>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>>> uid: admin
>>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>>>
>>>> # search result
>>>> search: 4
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> Out of the ~200 or so users only the admin user has a
>>>> ipaNTSecurityIdentifier, but I don't know if it's correct...
>>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI
>>>> is broken. I do still have LDAP access fortunately.
>>>
>>> You can run it, see below. If you'd run, do you have any error messages in
>>> the dirsrv errors log related to sidgen plugin?
>>>
>>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf,
>>>> but that results in the exact same error.  Setting ipaKrbAuthzData=None
>>>> in cn=ipaConfig also has no effect.
>>>
>>> No, one cannot disable PAC globally in FreeIPA. S4U operations
>>> require PAC presence since last year, so for any real Kerberos service
>>> that uses S4U (like IPA API or web UI) one cannot disable PAC
>>> enforcement.
>
> This is useful information :)
>
>>> Look at your ID range and SID configuration. You can avoid admin issue
>>> currently by running 'ipa' tool on IPA server as root with '-e
>>> in_server=true' option. This will force the tool to simulate direct
>>> access (as if it is running within httpd) and talk directly to LDAPI
>>> socket.
>>>
>>> Something like below:
>>>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>> guaranteed. Assuming server's API version, 2.253
>>>   Domain: ipa1.test
>>>   Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>>>   NetBIOS name: IPA1
>>>   Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>>>   Fallback primary group: Default SMB Group
>>>   IPA AD trust agents: master1.ipa1.test
>>>   IPA AD trust controllers: master1.ipa1.test
>
> KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
> ipa: ERROR: : trust configuration not found

Ok, let's try differently. Can you provide output of

# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-EXAMPLE-COM.socket \
-b cn=ad,cn=etc,dc=example,dc=com

(replace EXAMPLE-COM and dc=example,dc=com by your domain data)

>>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>> guaranteed. Assuming server's API version, 2.253
>>>
>>> 5 ranges matched
>>>
>>>   Range name: IPA1.TEST_id_range
>>>   First Posix ID of the range: 105560
>>>   Number of IDs in the range: 20
>>>   First RID of the corresponding RID range: 1000
>>>   First RID of the secondary RID range: 1
>>>   Range type: local domain range
>>>
>>> ... [ skip ] ...
>>>
>>> ipa: WARNING: API Version number was not
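
Alexander's advice to look at the ID range and SID configuration can be scripted against two outputs already in this thread: `ipa -e in_server=true idrange-find` and an LDAP dump of the users container like the ldapsearch above (with uidNumber added to the requested attributes). The block below is an added example, not code from the thread or from FreeIPA: it derives the SID the sidgen plugin would assign to each user and reports entries whose ipaNTSecurityIdentifier is missing, different, or impossible to derive because the uidNumber falls outside every local range. It assumes the sidgen rule for local ranges, RID = first RID of the range + (uidNumber - first POSIX ID of the range), and that admin holds the well-known RID 500 (which is why the one SID on this page ends in -500); the domain SID, the range and the user entries are constructed sample data.

```python
import re

# Constructed sample data, not captured from a live server: the domain SID is the
# one quoted in the thread; the range and the LDIF mimic real idrange-find/ldapsearch output.
DOMAIN_SID = "S-1-5-21-3777974847-1414448952-306354440"

SAMPLE_IDRANGE_FIND = """\
  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 105560
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
"""

SAMPLE_USERS_LDIF = """\
# admin, users, accounts, example.com
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin
uidNumber: 105560
ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
uidNumber: 105561

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
uidNumber: 105562
ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-1003

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
uidNumber: 999

# search result
search: 2
result: 0 Success
"""

ADMIN_RID = 500  # FreeIPA gives admin the well-known administrator RID; the thread's admin SID ends in -500


def _blocks(text):
    """Key/value dicts, one per blank-line-separated block; lines without ': ' are skipped."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(": ")
            if sep:
                entry[key] = value.strip()
        if entry:
            yield entry


def parse_idranges(text):
    """Ranges from `ipa idrange-find` output, keeping only the fields sidgen needs."""
    return [{
        "base_id": int(f["First Posix ID of the range"]),
        "size": int(f["Number of IDs in the range"]),
        "base_rid": int(f.get("First RID of the corresponding RID range") or 0),
        "local": f.get("Range type") == "local domain range",
    } for f in _blocks(text) if "Range name" in f]


def expected_sid(uid, uid_number, ranges, domain_sid):
    """SID sidgen derives for a user: domain SID plus base RID + (uidNumber - first POSIX ID)."""
    # Assumption of this example: users map through the primary RID range of the
    # local ID range containing their uidNumber; trust ranges are skipped.
    if uid == "admin":
        return f"{domain_sid}-{ADMIN_RID}"
    for r in ranges:
        if r["local"] and r["base_rid"] and r["base_id"] <= uid_number < r["base_id"] + r["size"]:
            return f"{domain_sid}-{r['base_rid'] + (uid_number - r['base_id'])}"
    return None


def check_user_sids(ldif_text, idrange_text, domain_sid):
    """One (uid, status, expected, actual) tuple per user entry in the dump."""
    if not domain_sid:
        raise ValueError("no domain SID: SIDs are not enabled, nothing to check against")
    ranges = parse_idranges(idrange_text)
    report = []
    for entry in _blocks(ldif_text):
        if "uid" not in entry or "uidNumber" not in entry:
            continue
        uid, actual = entry["uid"], entry.get("ipaNTSecurityIdentifier")
        expected = expected_sid(uid, int(entry["uidNumber"]), ranges, domain_sid)
        if expected is None:
            status = "no-local-range"  # uidNumber outside every local range; sidgen cannot place it
        elif actual is None:
            status = "missing"  # nothing for the KDC to put in a PAC
        elif actual != expected:
            status = "mismatch"
        else:
            status = "ok"
        report.append((uid, status, expected, actual))
    return report
```

A `missing` row for every user but admin is Peter's situation, and `no-local-range` rows point at the ID range rather than at sidgen. If `trustconfig-show` reports no trust configuration, as in Peter's reply, there is no domain SID yet and the check raises instead of comparing against nothing. `ipa config-mod --enable-sid --add-sids`, run as root with `-e in_server=true` as Alexander shows, is how sidgen is asked to fill the SIDs in; an entry that still comes back `missing` afterwards is one to look up in the dirsrv errors log Alexander mentions.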

[Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC

2023-10-26 Thread Rob Crittenden via FreeIPA-users
Kroon PC, Peter wrote:
> Hi Alexander and Rob,
> 
> many thanks for your prompt responses :)
> I made a new lxc machine and restored a backup so at least I have a working 
> environment again. I kept the broken one for further investigation which I'll 
> use to provide more information.
> I'm not super comfortable using mailing lists, and I'm not sure whether my 
> mail client (outlook) will mangle my inline responses.
> 
> Peter
> 
> 
> From: Alexander Bokovoy
> Sent: Wednesday 25 October 2023 20:49
> To: Rob Crittenden
> CC: FreeIPA users list; Kroon PC, Peter
> Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT 
> following S4U2PROXY_NO_HEADER_PAC
> 
> On Wed, 25 Oct 2023, Rob Crittenden wrote:
>> Alexander Bokovoy via FreeIPA-users wrote:
>>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
 Hi all,

 After upgrading to Rocky linux 9.2 I'm running into issues with my IPA
 server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:

 $ kinit admin
 Password for ad...@example.com:
 $ ipa user-show admin
 ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
 Error: No credentials were supplied, or the credentials were
 unavailable or inaccessible (Credential cache is empty)

 /var/log/krb5kdc.log:
 okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes
 {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
 aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)})
 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes
 {rep=UNSUPPORTED:(0)} HTTP/freeipa.example@example.com for
 ldap/freeipa.example@example.com, TGT has been revoked

 As the log shows, the KDC states there is no PAC, and therefore revokes
 the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC).
 Because of this, the web gui also doesn't work.
>>>
>>> That is a correct description of the reason why it does not work.
>>>

 $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl
 "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
 SASL/GSSAPI authentication started
 SASL username: ad...@example.com
 SASL SSF: 256
 SASL data security layer installed.
 # extended LDIF
 #
 # LDAPv3
 # base  with scope subtree
 # filter: ipaNTSecurityIdentifier=*
 # requesting: uid ipaNTSecurityIdentifier
 #

 # admin, users, accounts, example.com
 dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
 uid: admin
 ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500

 # search result
 search: 4
 result: 0 Success

 # numResponses: 2
 # numEntries: 1

 Out of the ~200 or so users only the admin user has a
 ipaNTSecurityIdentifier, but I don't know if it's correct...
 I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI
 is broken. I do still have LDAP access fortunately.
>>>
>>> You can run it, see below. If you'd run, do you have any error messages in
>>> the dirsrv errors log related to sidgen plugin?
>>>

 I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf,
 but that results in the exact same error.  Setting ipaKrbAuthzData=None
 in cn=ipaConfig also has no effect.
>>>
>>> No, one cannot disable PAC globally in FreeIPA. S4U operations
>>> require PAC presence since last year, so for any real Kerberos service
>>> that uses S4U (like IPA API or web UI) one cannot disable PAC
>>> enforcement.
> 
> This is useful information :)
> 
>>>
>>> Look at your ID range and SID configuration. You can avoid admin issue
>>> currently by running 'ipa' tool on IPA server as root with '-e
>>> in_server=true' option. This will force the tool to simulate direct
>>> access (as if it is running within httpd) and talk directly to LDAPI
>>> socket.
>>>
>>> Something like below:
>>>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>> guaranteed. Assuming server's API version, 2.253
>>>   Domain: ipa1.test
>>>   Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>>>   NetBIOS name: IPA1
>>>   Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>>>   Fallback primary group: Default SMB Group
>>>   IPA AD trust agents: master1.ipa1.test
>>>   IPA AD trust controllers: master1.ipa1.test
> 
> KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
> ipa: ERROR: : trust configuration not found
> 
> 
>>>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>> guaranteed. Assuming server's API version, 2.253
>>> 
>>> 5 ranges matched
>>> 
>>>   Range name: IPA1.TEST_id_range
>>>   First Posix ID of the range: 105560
>>>   

[Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC

2023-10-26 Thread Kroon PC, Peter via FreeIPA-users
Hi Alexander and Rob,

many thanks for your prompt responses :)
I made a new lxc machine and restored a backup so at least I have a working 
environment again. I kept the broken one for further investigation which I'll 
use to provide more information.
I'm not super comfortable using mailing lists, and I'm not sure whether my mail 
client (outlook) will mangle my inline responses.

Peter


From: Alexander Bokovoy
Sent: Wednesday 25 October 2023 20:49
To: Rob Crittenden
CC: FreeIPA users list; Kroon PC, Peter
Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT 
following S4U2PROXY_NO_HEADER_PAC

On Wed, 25 Oct 2023, Rob Crittenden wrote:
>Alexander Bokovoy via FreeIPA-users wrote:
>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>> Hi all,
>>>
>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA
>>> server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>>
>>> $ kinit admin
>>> Password for ad...@example.com:
>>> $ ipa user-show admin
>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>>> Error: No credentials were supplied, or the credentials were
>>> unavailable or inaccessible (Credential cache is empty)
>>>
>>> /var/log/krb5kdc.log:
>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes
>>> {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
>>> aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)})
>>> 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes
>>> {rep=UNSUPPORTED:(0)} HTTP/freeipa.example@example.com for
>>> ldap/freeipa.example@example.com, TGT has been revoked
>>>
>>> As the log shows, the KDC states there is no PAC, and therefore revokes
>>> the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC).
>>> Because of this, the web gui also doesn't work.
>>
>> That is a correct description of the reason why it does not work.
>>
>>>
>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl
>>> "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>>> SASL/GSSAPI authentication started
>>> SASL username: ad...@example.com
>>> SASL SSF: 256
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base  with scope subtree
>>> # filter: ipaNTSecurityIdentifier=*
>>> # requesting: uid ipaNTSecurityIdentifier
>>> #
>>>
>>> # admin, users, accounts, example.com
>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>> uid: admin
>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>>
>>> # search result
>>> search: 4
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> Out of the ~200 or so users only the admin user has a
>>> ipaNTSecurityIdentifier, but I don't know if it's correct...
>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI
>>> is broken. I do still have LDAP access fortunately.
>>
>> You can run it, see below. If you'd run, do you have any error messages in
>> the dirsrv errors log related to sidgen plugin?
>>
>>>
>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf,
>>> but that results in the exact same error.  Setting ipaKrbAuthzData=None
>>> in cn=ipaConfig also has no effect.
>>
>> No, one cannot disable PAC globally in FreeIPA. S4U operations
>> require PAC presence since last year, so for any real Kerberos service
>> that uses S4U (like IPA API or web UI) one cannot disable PAC
>> enforcement.

This is useful information :)

>>
>> Look at your ID range and SID configuration. You can avoid admin issue
>> currently by running 'ipa' tool on IPA server as root with '-e
>> in_server=true' option. This will force the tool to simulate direct
>> access (as if it is running within httpd) and talk directly to LDAPI
>> socket.
>>
>> Something like below:
>>
>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>> ipa: WARNING: API Version number was not sent, forward compatibility not
>> guaranteed. Assuming server's API version, 2.253
>>   Domain: ipa1.test
>>   Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>>   NetBIOS name: IPA1
>>   Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>>   Fallback primary group: Default SMB Group
>>   IPA AD trust agents: master1.ipa1.test
>>   IPA AD trust controllers: master1.ipa1.test

KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
ipa: ERROR: : trust configuration not found


>>
>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>> ipa: WARNING: API Version number was not sent, forward compatibility not
>> guaranteed. Assuming server's API version, 2.253
>> 
>> 5 ranges matched
>> 
>>   Range name: IPA1.TEST_id_range
>>   First Posix ID of the range: 105560
>>   Number of IDs in the range: 20
>>   First RID of the corresponding RID range: 1000
>>   First RID of the secondary RID range: 1
>>   Range type: local domain range
>>
>> 

[Freeipa-users] Re: FreeIPA server + Replica - HBAC rules not matching

2023-10-26 Thread Finn Fysj via FreeIPA-users
> I'm setting up a server + replica and I've migrated data from an old IPA 
> server
> using ipa migrate-ds.
> I experience problems with SSH into my IPA servers, even though I have HBAC 
> rules to allow
> this:
> 
> 
> $ssh test_alice(a)ipa-test.example.com -i test_alice
> Connection closed by 192.168.10.24 port 22
> 
> $ssh test_alice(a)ipa-test.example.com
> (test_alice(a)ipa-test.example.com) Password:
> 
> [usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com
> --service=ssh
> 
> Access granted: True
> 
>   Matched rules: allow_alice
>   
>   
> [usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
> ---
> 1 HBAC rule matched
> ---
>   dn: 
> ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
>   Rule name: allow_alice
>   Host category: all
>   Service category: all
>   Enabled: True
>   Users: test_alice
>   accessruletype: allow
>   
> 
> [usr@ipa-test ~]$ ipa user-find test_alice --all
> --
> 1 user matched
> --
>   dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
>   User login: test_alice
>   First name: Alice
>   Last name: Test
>   Full name: Alice Test
>   Display name: Alice Test
>   Initials: AT
>   Home directory: /home/test_alice
>   GECOS: Alice Test
>   Login shell: /bin/sh
>   Principal name: test_alice(a)EXAMPLE.COM
>   Principal alias: test_alice(a)EXAMPLE.COM
>   Email address: test_alice(a)example.com
>   UID: 5002
>   GID: 5002
>   SSH public key: ssh-rsa
>   B3N...
>   test_alice
> 
> 
> 
> Previously using FreeIPA I have been able to find "denying access" in log 
> files
> because of not matching HBAC rules. Now I can't find any trace of this, even 
> with
> debug_level = 10 in /etc/sssd/sssd.conf  (domain, ssh, pam, sssd section).

Turns out I have Anonymous Permissions that mess this up.
After removing the following permissions I can successfully SSH using test_alice:
$ ipa permission-find Anonymous
  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2


I have a third one, but that isn't causing issues:
  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
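A quick audit of the `ipa permission-find` output shown above, as an added example (not code from the thread or from FreeIPA itself): it parses the CLI's `key: value` blocks and lists the anonymous-bind permissions that expose `member`/`memberof`, the two Finn had to remove. The sample output is constructed from the three permissions quoted in the post; the function names are assumptions.

```python
"""Flag FreeIPA permissions that let an anonymous LDAP bind read group
membership. Added example, not code from the thread or from FreeIPA."""

# Constructed sample, modelled on the three permissions quoted in the post.
SAMPLE_OUTPUT = """\
  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2
"""

MEMBERSHIP_ATTRS = {"member", "memberof"}


def parse_permissions(text):
    """Split `ipa permission-find` output into one dict per permission.
    Blank lines separate entries; keys are lower-cased, values kept raw."""
    perms, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                perms.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        perms.append(current)
    return perms


def _values(perm, key):
    """Comma-separated field -> lower-cased set of values."""
    return {v.strip().lower() for v in perm.get(key, "").split(",") if v.strip()}


def anonymous_membership_exposure(perms):
    """Names of permissions whose bind rule is anonymous and which grant
    read or search on member/memberof."""
    return [p["permission name"] for p in perms
            if p.get("bind rule type", "").lower() == "anonymous"
            and _values(p, "granted rights") & {"read", "search"}
            and _values(p, "effective attributes") & MEMBERSHIP_ATTRS]


if __name__ == "__main__":
    for name in anonymous_membership_exposure(parse_permissions(SAMPLE_OUTPUT)):
        print("anonymous bind can read group membership via:", name)
```

Feed it the real output with `ipa permission-find --bindtype=anonymous` piped to a file to audit a live server.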


[Freeipa-users] Smartcard login issues

2023-10-26 Thread Nico Maas via FreeIPA-users
Dear all,
I am having a bit of a broad issue, so I am not sure how and where to write, 
but maybe someone can point me into the right direction.
I have a use case where I got some Gemalto eToken 5110 which are quite 
proprietary, but work with their own libraries in accordance with pam_pkcs11 
(not with opensc in any way or form).
The system this is being worked on is a Debian 12 machine, included into our 
freeIPA.
The certificates configured on these eTokens have a UPN username / X509v3 
Subject Alternative Name for Windows Login.
The certificates are from another authority and are unknown to our freeIPA - 
and we cannot reach the other authority.
To still use them, we included pam_pkcs11 with check for the root CA, signature 
and CRL, which all work.
To login the users, I took the pam_pkcs11 with the generic mapper and map the 
UPN name to one of our freeIPA usernames, which have been logged into the 
Debian 12 system beforehand.
This works very well, meaning that all our eTokens (basically subscribing to 
the same UPN username, but still being different certs) are mapped to this one 
internal user which has been created on the freeIPA. Thanks to this rework, any 
member can take his/her eToken and successfully log into the system.
However, it does not trigger the generation of the Kerberos Ticket for the 
freeIPA user that it's logged into.
This is the final step I would need for this to work, as this Kerberos Ticket 
is the key to all the applications needed to run.

Any idea how I can solve this?

Thanks so much!


[Freeipa-users] FreeIPA server + Replica - HBAC rules not matching

2023-10-26 Thread Finn Fysj via FreeIPA-users
I'm setting up a server + replica and I've migrated data from an old IPA server 
using ipa migrate-ds.
I experience problems with SSH into my IPA servers, even though I have HBAC 
rules to allow this:


$ssh test_al...@ipa-test.example.com -i test_alice
Connection closed by 192.168.10.24 port 22

$ssh test_al...@ipa-test.example.com
(test_al...@ipa-test.example.com) Password:

[usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com 
--service=ssh

Access granted: True

  Matched rules: allow_alice
  
  
[usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
---
1 HBAC rule matched
---
  dn: ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
  Rule name: allow_alice
  Host category: all
  Service category: all
  Enabled: True
  Users: test_alice
  accessruletype: allow
  

[usr@ipa-test ~]$ ipa user-find test_alice --all
--
1 user matched
--
  dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
  User login: test_alice
  First name: Alice
  Last name: Test
  Full name: Alice Test
  Display name: Alice Test
  Initials: AT
  Home directory: /home/test_alice
  GECOS: Alice Test
  Login shell: /bin/sh
  Principal name: test_al...@example.com
  Principal alias: test_al...@example.com
  Email address: test_al...@example.com
  UID: 5002
  GID: 5002
  SSH public key: ssh-rsa
  B3N...
  test_alice



Previously using FreeIPA I have been able to find "denying access" in log files 
because of not matching HBAC rules. Now I can't find any trace of this, even 
with debug_level = 10 in /etc/sssd/sssd.conf  (domain, ssh, pam, sssd section).