[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server

2018-06-07 Thread Bart via FreeIPA-users
Thank you Jakub for your hints. 

I created a brand new instance of FreeIPA client and connected it to the 
existing servers.
Now I cannot resolve anything on the client (getent group $group, getent passwd 
$user yield no results). 
For the same exact users/groups I tested on the client, they get resolved on 
the server.
Awkwardly, in the sssd log files on the client I can see that the corresponding 
user/group entries are present.
When I issue getent passwd ad_user@ad.domain on a client (I sanitized names in 
the log file), entries for that user and his groups are present (Received [144] 
groups from the IPA server). 

Is there anything wrong in this log file from the client host?

(Thu Jun  7 13:28:23 2018) [sssd[be[ipa.domain]]] [dp_get_account_info_handler] 
(0x0200): Got request for [0x1][BE_REQ_USER][name=ad_user@ad.domain]
(Thu Jun  7 13:28:23 2018) [sssd[be[ipa.domain]]] [dp_attach_req] (0x0400): DP 
Request [Account #1]: New request. Flags [0x0001].
(Thu Jun  7 13:28:23 2018) [sssd[be[ipa.domain]]] [dp_attach_req] (0x0400): 
Number of active DP request: 1
(Thu Jun  7 13:28:23 2018) [sssd[be[ipa.domain]]] [sdap_get_generic_ext_step] 
(0x0400): calling ldap_search_ext with 
[(&(objectClass=ipaUserOverride)(uid=ad_user))][cn=Default Trust 
View,cn=views,cn=accounts,dc=ipa,dc=domain].
(Thu Jun  7 13:28:23 2018) [sssd[be[ipa.domain]]] 
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
set
(Thu Jun  7 13:28:23 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_acct_info_send] 
(0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user 
[ad_user] to IPA server
(Thu Jun  7 13:28:23 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_send] (0x0400): 
Executing extended operation
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_done] (0x0400): 
ldap_extended_operation result: Success(0), (null).
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] 
(0x0400): Received [144] groups in group list from IPA Server
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] 
(0x0400): [ad_user@ad.domain].
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] 
(0x0400): [group1@ad.domain].
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] 
(0x0400): [group2@ad.domain].
(...) sanitized other groups out of 144 groups returned (...)
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] 
(0x0400): [ad_admins@ipa.domain].
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] 
(0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] 
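
An added example for the log excerpt above, not code from the post or from SSSD: a small parser for sssd_<domain>.log entries in the format shown that separates the IPA server round trip (ipa_s2n_exop_send to ipa_s2n_exop_done) from the local cache misses that follow it. The log lines embedded in it are constructed in the posted format (names sanitized the same way), with one entry per line where the mail wrapped them.

```python
"""Parse SSSD back-end debug-log lines and summarise one user lookup.

Added example for the log excerpt in this thread; it is not code from the
post or from SSSD. SAMPLE_LOG is constructed in the sssd_<domain>.log format
shown above (names sanitized the same way), one entry per line.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
(Thu Jun  7 13:28:23 2018) [sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=ad_user@ad.domain]
(Thu Jun  7 13:28:23 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [ad_user] to IPA server
(Thu Jun  7 13:28:23 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0400): Received [144] groups in group list from IPA Server
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jun  7 13:28:29 2018) [sssd[be[ipa.domain]]] [sysdb_search_by_name] (0x0400): No such entry
"""

# (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Split one log entry into timestamp, domain, function, level, message."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # wrapped continuation line or other noise
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FORMAT)
    return entry


def analyze(log_text):
    """Summarise a BE_REQ_USER lookup: server round trip vs local cache misses."""
    summary = {"user": None, "exop_seconds": None, "exop_result": None,
               "groups": None, "sysdb_misses": 0}
    exop_start = None
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        func, msg = e["func"], e["msg"]
        if func == "dp_get_account_info_handler":
            m = re.search(r"name=([^\]]+)", msg)
            summary["user"] = m.group(1) if m else None
        elif func == "ipa_s2n_exop_send":
            exop_start = e["ts"]  # request leaves for the IPA server
        elif func == "ipa_s2n_exop_done":
            m = re.search(r"result: (\w+)\((\d+)\)", msg)
            summary["exop_result"] = m.group(1) if m else msg
            if exop_start is not None:
                summary["exop_seconds"] = (e["ts"] - exop_start).total_seconds()
        elif func == "ipa_s2n_get_user_done":
            m = re.search(r"Received \[(\d+)\] groups", msg)
            if m:
                summary["groups"] = int(m.group(1))
        elif func == "sysdb_search_by_name" and msg == "No such entry":
            summary["sysdb_misses"] += 1  # object not yet in the local cache
    return summary


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the posted excerpt, the extended operation alone accounts for six seconds (13:28:23 to 13:28:29) for a single user with 144 groups, and every "No such entry" after it is a miss in the client's local sysdb that the back end then has to fill. That server-side number is the one to compare against how long the calling program is willing to wait for getent.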

[Freeipa-users] Re: Announcing SSSD 1.16.1

2018-06-07 Thread AvigdorFin via FreeIPA-users
How do I report a suspected Bug against sssd?
I have a problem with sssd 1.14 1.15 1.16 but not 1.13.

The problem is with small tree of files that is created on
/tmp/adcli-krb5-X  every 5 minutes.
The problem might be connected to adcli 0.8.1 and not 0.7.5

Thanks in advance,
Avigdor Finkelstein


On Fri, Mar 9, 2018 at 2:29 PM Jakub Hrozek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> SSSD 1.16.1
> ===
>
> The SSSD team is proud to announce the release of version 1.16.1 of the
> System Security Services Daemon.
>
> The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
>
> RPM packages will be made available for Fedora shortly.
>
> Feedback
> 
> Please provide comments, bugs and other feedback
> via the sssd-devel or sssd-users mailing lists:
>https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
> Highlights
> —
>
> New Features
> 
>   * A new option ``auto_private_groups`` was added.  If this option is
> enabled, SSSD will automatically create user private groups based on
> user's UID number. The GID number is ignored in this case. Please
> see
> https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html
> for more details on the feature.
>
>   * The SSSD smart card integration now supports a special type of PAM
> conversation implemented by GDM which allows the user to select the
> appropriate smart card certificate in GDM. Please refer to
>
> https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certificates.html
> for more details about this feature.
>
>   * A new API for accessing user and group information was added. This API
> is similar to the traditional Name Service Switch API, but allows
> the consumer to talk to SSSD directly as well as to fine-tune
> the query with e.g. how cache should be evaluated. Please see
> https://docs.pagure.org/SSSD.sssd/design_pages/enhanced_nss_api.html
> for more information on the new API.
>
>   * The ``sssctl`` command line tool gained a new command
> ``access-report``,
> which can generate who can access the client machine. Currently only
> generating
> the report on an IPA client based on HBAC rules is supported. Please
> see
> https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html
> for more information about this new feature.
>
>   * The ``hostid`` provider was moved from the IPA specific code to the
> generic
> LDAP code. This allows SSH host keys to be access by the generic LDAP
> provider
> as well. See the ``ldap_host_*`` options in the ``sssd-ldap`` manual
> page
> for more details.
>
>   * Setting the ``memcache_timeout`` option to 0 disabled creating the
> memory cache files altogether. This can be useful in cases there is a
> bug in the memory cache that needs working around.
>
> Performance enhancements
> 
>   * Several internal changes to how objects are stored in the cache improve
> SSSD performance in environments with large number of objects of the
> same
> type (e.g. many users, many groups). In particular, several useless
> indexes
> were removed and the most common object types no longer use the indexed
> ``objectClass`` attribute, but use unindexed ``objectCategory`` instead
> (#3503)
>
>   * In setups with ``id_provider=ad`` that use POSIX attributes which
> are replicated to the Global Catalog, SSSD uses the Global Catalog to
> determine which domain should be contacted for a by-ID lookup instead
> of iterating over all domains.  More details about this feature can
> be found at
>
> https://docs.pagure.org/SSSD.sssd/design_pages/uid_negative_global_catalog.html
>
> Notable bug fixes
> ^
>  * A crash in ``sssd_nss`` that might have happened if a list of domains
>was refreshed while a NSS lookup using this request was fixed (#3551)
>
>  * A potential crash in ``sssd_nss``  during netgroup lookup in case the
>netgroup object kept in memory was already freed (#3523)
>
>  * Fixed a potential crash of ``sssd_be`` with two concurrent sudo
> refreshes
>in case one of them failed (#3562)
>
>  * A memory growth issue in ``sssd_nss`` that occurred when an entry was
>removed from the memory cache was fixed (#3588)
>
>  * Two potential memory growth issues in the ``sssd_be`` process that could
>have hit configurations with ``id_provider=ad`` were fixed (#3639)
>
>  * The ``selinux_child`` process no longer crashes on a system where SSSD
>is compiled with SELinux support, but at the same time, the SELinux
> policy
>is not even installed on the machine (#3618)
>
>  * The memory cache consistency detection logic was fixed. This would
> prevent
>printing false positive memory cache corruption messages (#3571)
>
>  * SSSD now remembers the last successfully discovered AD site and 

[Freeipa-users] Re: Announcing SSSD 1.16.1

2018-06-07 Thread Rob Crittenden via FreeIPA-users
AvigdorFin via FreeIPA-users wrote:
> How do I report a suspected Bug against sssd?
> I have a problem with sssd 1.14 1.15 1.16 but not 1.13.
> 
> The problem is with small tree of files that is created on
> /tmp/adcli-krb5-X  every 5 minutes.
> The problem might be connected to adcli 0.8.1 and not 0.7.5

https://docs.pagure.org/SSSD.sssd/users/reporting_bugs.html

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/VMTYRFTGRP7NFWRQ5GTH6GM5OY6PG63I/


[Freeipa-users] Re: Announcing SSSD 1.16.1

2018-06-07 Thread Sumit Bose via FreeIPA-users
On Thu, Jun 07, 2018 at 04:39:09PM +0300, AvigdorFin via FreeIPA-users wrote:
> How do I report a suspected Bug against sssd?
> I have a problem with sssd 1.14 1.15 1.16 but not 1.13.
> 
> The problem is with small tree of files that is created on
> /tmp/adcli-krb5-X  every 5 minutes.
> The problem might be connected to adcli 0.8.1 and not 0.7.5

SSSD uses adcli to renew the host password on the AD DC. If the
temporary files are not removed after adcli is run, adcli most probably
ran into an error which prevented it from checking when the password was last
changed on AD.

If you want to disable the whole feature please set
'ad_maximum_machine_account_password_age = 0' in sssd.conf (see man
sssd-ad for details).

If you are interested why adcli fails please set debug_level=9 in the
[domain/...] section of sssd.conf, restart SSSD and check the SSSD logs
for the adcli debug output. See the troubleshooting page Rob sent for
details.

HTH

bye,
Sumit

> 
> Thanks in advance,
> Avigdor Finkelstein
> 

[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server

2018-06-07 Thread Bart via FreeIPA-users
Thank you Alexander, that was the root cause. I added the optimizations to my setup 
that you, together with Jakub, described in this article: 
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
and things started working on the client side.

There is one small glitch though. Upon a first getent passwd for a new user 
(one that I didn't issue getent for before) executed on a client, it most likely 
still times out. I can see that there is some communication on the FreeIPA servers 
going on (judging by the log file /var/log/sssd/sssd_ipa.domain.log). The getent 
command times out but entries in the log file keep on being added. When the log 
entries stop being added and I issue the same getent command, then 
it succeeds.

Could you please point me to the timeout parameter that would allow me to fix 
this, if there is any? 
For a reference I paste my client/server sssd configs:

server: 

[domain/ipa.domain]
debug_level = 9
id_provider = ipa
ipa_server_mode = True
ipa_server = ipa-server.ipa.domain
ipa_domain = ipa.domain
ipa_hostname = ipa-server.ipa.domain
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True

enumerate = False
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0

[sssd]
services = nss, pam, ifp, ssh, sudo
ignore_group_members=True

domains = ipa.domain
enumerate = False
ldap_use_tokengroups = false
[nss]
homedir_substring = /home
memcache_timeout = 600

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]


client:

[domain/ipa.domain]
enumerate = False
debug_level=9
cache_credentials = True
krb5_store_password_if_offline = True

ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-centos6.shec.hrs.cc
chpass_provider = ipa
ipa_server = ipa-server.ipa.domain
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_auth_timeout = 3600
[sssd]
services = nss, sudo, pam, ssh

domains = ipa.domain
[nss]
homedir_substring = /home

[pam]
pam_id_timeout = 3600

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/LJGAGZ4FAAKIFJD723NBFCKZNBADEBL4/


[Freeipa-users] Re: Announcing SSSD 1.16.1

2018-06-07 Thread AvigdorFin via FreeIPA-users
Yes, I tried this option in sssd.conf, it didn't help.
Please see Bug 1588596 that I opened with more information.

Thanks,

On Thu, Jun 7, 2018 at 5:50 PM Sumit Bose via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Thu, Jun 07, 2018 at 04:39:09PM +0300, AvigdorFin via FreeIPA-users
> wrote:
> > How do I report a suspected Bug against sssd?
> > I have a problem with sssd 1.14 1.15 1.16 but not 1.13.
> >
> > The problem is with small tree of files that is created on
> > /tmp/adcli-krb5-X  every 5 minutes.
> > The problem might be connected to adcli 0.8.1 and not 0.7.5
>
> SSSD uses adcli to renew the host password on the AD DC. If the
> temporary files are not removed after adcli is run, adcli most probably
> ran into an error which prevented it from checking when the password was last
> changed on AD.
>
> If you want to disable the whole feature please set
> 'ad_maximum_machine_account_password_age = 0' in sssd.conf (see man
> sssd-ad for details).
>
> If you are interested why adcli fails please set debug_level=9 in the
> [domain/...] section of sssd.conf, restart SSSD and check the SSSD logs
> for the adcli debug output. See the troubleshooting page Rob sent for
> details.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks in advance,
> > Avigdor Finkelstein
> >

[Freeipa-users] Re: keycloak

2018-06-07 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote:
> what is the difference between keycloak and freeipa?

They are apples and oranges. IPA is an Identity Management system and
keycloak is an IdP (for SAML2, OAuth, etc).

> Is there a free version of this?  Is that what ipsilon is?  If not is
> there a repo for this?

Free version of what, Keycloak? I don't know, probably.

Ipsilon is also an IdP, they are not the same code.

I don't know where Keycloak upstream is.

rob
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/2LTSYHQ7RQRROZUZVIWKAATJ4YECL7LY/


[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server

2018-06-07 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 07, 2018 at 03:48:16PM -, Bart via FreeIPA-users wrote:
> Thank you Alexander, that was the root cause. I added optimizations to my 
> setup that you together with Jakub described in this article: 
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
>  and things started working on the client side.

This still points to a performance-like issue. From some related
customer cases I've been working on lately I remember that increasing
the negative timeout (entry_negative_timeout, set this to minutes or
even hours) and also the cache_first=true options made a difference.

There's a tradeoff though with these options, please see the man pages.

> 
> There is a one small glitch though. Upon a first getent passwd for a new user 
> (one that I didn't issue getent before) executed on a client it most likely 
> still times out. I can see that there is some communication on FreeIPA 
> servers going on (judging by the log file /var/log/sssd/sssd_ipa.domain.log). 
> getent command times out but entries in the log file keep on being added. 
> When the log entries stop from being added anymore and I issue the same 
> getent command then it succeeds.
> 
> Could you please point me to the timeout parameter that would allow to fix 
> this, if there is any? 
> For a reference I paste my client/server sssd configs:
> 
> server: 
> 
> [domain/ipa.domain]
> debug_level = 9
> id_provider = ipa
> ipa_server_mode = True
> ipa_server = ipa-server.ipa.domain
> ipa_domain = ipa.domain
> ipa_hostname = ipa-server.ipa.domain
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
> 
> enumerate = False
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = True
> ldap_purge_cache_timeout = 0
> 
> [sssd]
> services = nss, pam, ifp, ssh, sudo
> ignore_group_members=True
> 
> domains = ipa.domain
> enumerate = False
> ldap_use_tokengroups = false

Please don't disable tokengroups unless you have a verified reason to do
so (this is just a general warning, I'm not even sure if disabling
tokengroups in the main domain section would disable them for the AD
subdomain).

List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/VDWTJCFA3SMAWERJQPRLF62ONGPB5XAC/
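
An added example for the configs Bart posted and the tuning Jakub suggests, not code from the thread or from SSSD: a small lint that reads an sssd.conf, flags domain-level options that were placed under [sssd] (where they have no effect), warns when ldap_use_tokengroups is disabled in a domain section, and reports whether the [nss] entry_negative_timeout and cache_first knobs are set. The option-placement table and the defaults (entry_negative_timeout 15 s, cache_first off) are assumptions taken from sssd.conf(5) and sssd-ldap(5), and the table is a subset, not the full option list. The two embedded configs are constructed: the first is modelled on the posted server config, the second is the same config with the misplaced options moved and the caching knobs set.

```python
"""Lint an sssd.conf for the points raised in this thread.

Added example; not code from the thread or from SSSD. DOMAIN_ONLY and the
defaults below are assumptions taken from sssd.conf(5)/sssd-ldap(5) and
cover only a subset of options. Both sample configs are constructed.
"""
import configparser

# Domain-section options that have no effect when written under [sssd]
# (assumed subset of the options sssd.conf(5) lists for [domain/...]).
DOMAIN_ONLY = {
    "enumerate", "ignore_group_members", "ldap_use_tokengroups",
    "subdomain_inherit", "ldap_purge_cache_timeout", "entry_cache_timeout",
}

# Modelled on the server config posted above: three domain options sit in [sssd].
POSTED_CONF = """\
[domain/ipa.domain]
id_provider = ipa
ipa_server_mode = True
ipa_domain = ipa.domain
enumerate = False
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0

[sssd]
services = nss, pam, ifp, ssh, sudo
ignore_group_members=True
domains = ipa.domain
enumerate = False
ldap_use_tokengroups = false

[nss]
homedir_substring = /home
memcache_timeout = 600
"""

# Same config, misplaced options removed, negative cache and cache_first set
# as Jakub suggests (values are illustrative, not a recommendation).
TUNED_CONF = """\
[domain/ipa.domain]
id_provider = ipa
ipa_server_mode = True
ipa_domain = ipa.domain
enumerate = False
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0

[sssd]
services = nss, pam, ifp, ssh, sudo
domains = ipa.domain

[nss]
homedir_substring = /home
memcache_timeout = 600
entry_negative_timeout = 3600
cache_first = true
"""


def lint_sssd_conf(text):
    """Return {"misplaced": [...], "warnings": [...]} for one sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    misplaced, warnings = [], []

    # 1. Domain-level options under [sssd] are silently ineffective.
    if cp.has_section("sssd"):
        misplaced = sorted(k for k in cp["sssd"] if k in DOMAIN_ONLY)

    # 2. Tokengroups disabled in a domain section (Jakub's warning above).
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp[section].get("ldap_use_tokengroups", "true").lower() == "false":
            warnings.append(f"[{section}] ldap_use_tokengroups=false: group "
                            "membership is resolved without the tokenGroups attribute")

    # 3. Negative cache and cache_first, both [nss] options.
    nss = cp["nss"] if cp.has_section("nss") else {}
    neg = int(nss.get("entry_negative_timeout", "15"))
    if neg < 60:
        warnings.append(f"[nss] entry_negative_timeout={neg}: a failed lookup "
                        f"is retried against the back end after {neg}s")
    if str(nss.get("cache_first", "false")).lower() != "true":
        warnings.append("[nss] cache_first not enabled: an unqualified name is "
                        "resolved domain by domain (cache, then back end) instead "
                        "of checking every domain's cache first")
    return {"misplaced": misplaced, "warnings": warnings}


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("tuned", TUNED_CONF)):
        print(name, lint_sssd_conf(conf))
```

The trade-off Jakub points at is visible in the second config: with entry_negative_timeout in the hours, a user created on the server after a client has already looked the name up and failed stays unresolvable on that client until the negative entry expires. The shipped tool for the placement check is `sssctl config-check`, which reports options that are not allowed in a given section.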


[Freeipa-users] double domain?

2018-06-07 Thread Kat via FreeIPA-users

hi

Where would be a good place to look in either sssd or somewhere in the 
system if we are seeing a mixture of UserID lookups in this format:


usern...@domain.example.com  <--- this makes sense

BUT - also seeing:

usern...@domain.example.com@domain.eexample.com  <--- This does not??

I am very confused as to how this might be getting sent to PAM for the 
lookups and because of it we see random PAM "System Error"s


I do have in krb5.conf

[domain_realm]
  .domain.example.com = DOMAIN.EXAMPLE.COM
  domain.example.com = DOMAIN.EXAMPLE.COM
  prodhost1.domain.example.com = DOMAIN.EXAMPLE.COM

But this seems to have been set after the ipa-client-install - so I am a 
little confused?


Any suggestions?
Kat
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/FZJTATOSN3CXH7WRYEIYVAJVZKEBV35P/


[Freeipa-users] keycloak

2018-06-07 Thread Andrew Meyer via FreeIPA-users
what is the difference between keycloak and freeipa?
Is there a free version of this?  Is that what ipsilon is?  If not is there a 
repo for this?
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/4H7YVHCDSZ4W3J5ETHETY3P7LJKPDUXX/


[Freeipa-users] Re: double domain?

2018-06-07 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 07, 2018 at 12:33:56PM -0500, Kat via FreeIPA-users wrote:
> hi
> 
> Where would be a good place to look in either sssd or somewhere in the
> system if we are seeing a mixture of UserID lookups in this format:
> 
> usern...@domain.example.com  <--- this makes sense
> 
> BUT - also seeing:
> 
> usern...@domain.example.com@domain.eexample.com  <--- This does not??

Where do you see these? In some logs?

List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/DUFVCZEFYNDHP722GUFNA2EA34MVMK4H/


[Freeipa-users] Setting up fileserver using Samba shares and FreeIPA

2018-06-07 Thread Kristian Petersen via FreeIPA-users
I am trying to get a file server set up using RHEL 7.5, Samba, and Red Hat
IdM 4.5.0.  I have an older file server that works and have been using it as
a template for building this new one from scratch.  However, right now I can't
get smb to start.  I keep getting errors about ipasam.c in journalctl:

Jun 06 13:53:30 fileserver1.cpms.byu.edu smbd[11624]:   kerberos error:
code=-1765328203, message=Keytab contains no suitable keys for cifs/
fileserver1.cpms.byu@cpms.byu.edu
Jun 06 13:53:31 fileserver1.cpms.byu.edu smbd[11624]: [2018/06/06
13:53:31.815713,  0] ipa_sam.c:4245(bind_callback_cleanup)
Jun 06 15:26:05 fileserver1.cpms.byu.edu smbd[12372]:   Failed to get base
DN.

I have made sure that the cifs service is set up in IPA for fileserver1 and
did an ipa-getkeytab to get a keytab for the service on fileserver1 as well,
which is why I was surprised to see a message about the keytab in the
journal.

A little earlier in the journal it also talks about being unable to do an
anonymous bind to LDAP.  It doesn't surprise me that it failed, but I tried
supplying the LDAP bind creds using smbpasswd and that didn't seem to make
any difference.  It still tries an anonymous bind anyway which will never
work.

I have also already set up a role for giving fileserver1 the permissions
necessary to allow it to read the ipaNTHash.

P.S.: Before I sent this email to the list I upgraded one of my IPA servers
to the new kernel in RHEL 7.5 and smb broke in what looks like the same way
on that machine as well.  It makes me wonder if this isn't a kernel problem
rather than an IPA problem.  The errors I got on that machine before
rolling back to a working snapshot are below:

Jun 06 16:27:05 ipa1.cpms.byu.edu smbd[12179]:   kerberos error:
code=-1765328360, message=Preauthentication failed
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06
16:27:06.332266,  0] ipa_sam.c:4556(pdb_init_ipasam)
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]:   Failed to get base DN.
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06
16:27:06.332318,  0]
../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]:   pdb backend
ipasam:ldapi://%2fvar%2frun%2fslapd-CPMS-BYU-EDU.socket did not correctly
init
-- 
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/XEBQTP2FXMKMNKDKX63HB6OYVXQQAFW7/


[Freeipa-users] Re: keycloak

2018-06-07 Thread John Dennis via FreeIPA-users

On 06/07/2018 02:22 PM, Andrew Meyer via FreeIPA-users wrote:

> What is the difference between Keycloak and FreeIPA?
> 
> Is there a free version of this?  Is that what Ipsilon is?  If not, is 
> there a repo for this?


All 3 are IdPs (Identity Providers) of some ilk.

FreeIPA is based on Kerberos and includes support for a lot of other 
features (user management, host-based RBAC, PKI Certificate Authority, 
tight integration with SSSD for offline authentication, PAM integration, 
DNS support, key and secret management, Active Directory integration, 
etc.). FreeIPA's authentication is done with Kerberos; it doesn't support 
other authentication protocols directly. FreeIPA has both a rich command 
line interface and a web admin console.


Keycloak is a pure IdP. It supports the OAuth, OpenID Connect, and SAML protocols 
and can be federated to use other IdPs (sources of identity).


Ipsilon is also a pure IdP, much like Keycloak, supporting the same protocols.

All 3 are open source. FreeIPA and Keycloak both have commercial 
versions with support (named IPA and RH-SSO respectively). All have 
public repositories. The repo for Ipsilon is hosted on Pagure: 
https://pagure.io/ipsilon


--
John Dennis
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WSCPPDQD5SJUCA22A2ROMMLZ6QYBZZPF/


[Freeipa-users] Re: keycloak

2018-06-07 Thread Jochen Hein via FreeIPA-users
Rob Crittenden via FreeIPA-users writes:

> I don't know where Keycloak upstream is.

Look at http://www.keycloak.org

Jochen
-- 
This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/46G7R54DGCO4PTA4S65EMTDJ5HB7BH3B/


[Freeipa-users] Re: keycloak

2018-06-07 Thread Andrew Meyer via FreeIPA-users
Thanks for the clarification!

On Thursday, June 7, 2018 2:32 PM, Jochen Hein via FreeIPA-users wrote:

> Rob Crittenden via FreeIPA-users writes:
> 
> > I don't know where Keycloak upstream is.
> 
> Look at http://www.keycloak.org
> 
> Jochen
> -- 
> This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/I6TASNHUKVRXWPKL3H4LGSESIW54UR56/


[Freeipa-users] Re: Setting up fileserver using Samba shares and FreeIPA

2018-06-07 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 07 Jun 2018, Kristian Petersen via FreeIPA-users wrote:

> I am trying to get a file server set up using RHEL 7.5, Samba, and Red Hat
> IdM 4.5.0.  I have an older file server that works and have been using it as
> a template for building this new one from scratch.  However, right now I can't
> get smb to start.  I keep getting errors about ipasam.c in journalctl:
> 
> Jun 06 13:53:30 fileserver1.cpms.byu.edu smbd[11624]:   kerberos error:
> code=-1765328203, message=Keytab contains no suitable keys for cifs/
> fileserver1.cpms.byu@cpms.byu.edu
> Jun 06 13:53:31 fileserver1.cpms.byu.edu smbd[11624]: [2018/06/06
> 13:53:31.815713,  0] ipa_sam.c:4245(bind_callback_cleanup)
> Jun 06 15:26:05 fileserver1.cpms.byu.edu smbd[12372]:   Failed to get base
> DN.
> 
> I have made sure that the cifs service is set up in IPA for fileserver1 and
> did an ipa-getkeytab to get a keytab for the service on fileserver1 as well,
> which is why I was surprised to see a message about the keytab in the
> journal.

What keytab file do you use? Please provide your smb.conf/testparm -s output.

The message is very clear: it cannot find the key in the keytab file but
where does it look for it?



> A little earlier in the journal it also talks about being unable to do an
> anonymous bind to LDAP.  It doesn't surprise me that it failed, but I tried
> supplying the LDAP bind creds using smbpasswd and that didn't seem to make
> any difference.  It still tries an anonymous bind anyway which will never
> work.

Ignore "anonymous bind" in that message. Samba's libsmbldap code checks
if it has a DN to bind with and, if not, says 'anonymous bind' in the logs. For
GSSAPI authentication there is no explicit bind DN provided, hence this
message.



> I have also already set up a role for giving fileserver1 the permissions
> necessary to allow it to read the ipaNTHash.
> 
> P.S.: Before I sent this email to the list I upgraded one of my IPA servers
> to the new kernel in RHEL 7.5 and smb broke in what looks like the same way
> on that machine as well.  It makes me wonder if this isn't a kernel problem
> rather than an IPA problem.  The errors I got on that machine before
> rolling back to a working snapshot are below:
> 
> Jun 06 16:27:05 ipa1.cpms.byu.edu smbd[12179]:   kerberos error:
> code=-1765328360, message=Preauthentication failed
> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06
> 16:27:06.332266,  0] ipa_sam.c:4556(pdb_init_ipasam)
> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]:   Failed to get base DN.
> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06
> 16:27:06.332318,  0]
> ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]:   pdb backend
> ipasam:ldapi://%2fvar%2frun%2fslapd-CPMS-BYU-EDU.socket did not correctly
> init

This is, from what I can see, an issue with the keytab here.

Can you do the two things below, showing the output of these commands:
1.
- kinit admin
- kvno -S cifs ipa1.cpms.byu.edu

2.
- kinit -kt /path/to/cifs.keytab cifs/ipa1.cpms.byu@cpms.byu.edu
- klist -k /path/to/cifs.keytab -e
- klist

I suspect that you messed up the Kerberos keys by running
ipa-getkeytab, so now you have one version of the key at the KDC side
and a different one in the keytab file. And for the first part you seem
to be using a totally wrong keytab file.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WENPGSZFG5VZWLAO2FBQAM362AYXILUL/
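The kinit/kvno/klist sequence Alexander asks for above boils down to one comparison: does the keytab hold a key at the version number the KDC currently issues tickets with? The POSIX shell check below automates that comparison; it is an added example, not code from the thread or from FreeIPA, and the principal, realm, keytab path and command output in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread: compare the key version number (kvno)
# the KDC reports for a service principal with the kvnos stored in a keytab,
# which is what the kinit/kvno/klist sequence above checks by hand. A stale
# keytab (e.g. one superseded by a later ipa-getkeytab run) shows up as a
# kvno mismatch. Principal, realm, keytab path and sample output are constructed.

PRINC='cifs/fileserver.example.test@EXAMPLE.TEST'

# Constructed sample of `klist -k /path/to/cifs.keytab -e` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/samba/cifs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 cifs/fileserver.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 cifs/fileserver.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 host/fileserver.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'

# Constructed sample of `kvno -S cifs fileserver.example.test` output after
# `kinit admin`: the KDC is at key version 4, one ahead of the keytab.
SAMPLE_KVNO='cifs/fileserver.example.test@EXAMPLE.TEST: kvno = 4'

# keytab_kvnos KLIST_OUTPUT PRINCIPAL: distinct kvnos the keytab holds for PRINCIPAL.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -u
}

# kdc_kvno KVNO_OUTPUT PRINCIPAL: kvno the KDC currently issues tickets with.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") { print $NF }'
}

# check_keytab KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
# Returns 0 when the keytab holds a key at the KDC's kvno, 1 when the keytab
# is stale or lacks the principal, 2 when the KDC output has no entry for it.
check_keytab() {
    kdc=$(kdc_kvno "$2" "$3")
    if [ -z "$kdc" ]; then
        echo "$3: no kvno from KDC (wrong principal or realm?)" >&2
        return 2
    fi
    for v in $(keytab_kvnos "$1" "$3"); do
        if [ "$v" = "$kdc" ]; then
            echo "$3: keytab kvno $v matches KDC"
            return 0
        fi
    done
    have=$(keytab_kvnos "$1" "$3" | tr '\n' ' ')
    echo "$3: KDC kvno $kdc not in keytab (keytab has: ${have:-none})" >&2
    return 1
}

check_keytab "$SAMPLE_KLIST" "$SAMPLE_KVNO" "$PRINC" || echo "re-fetch the keytab" >&2
```

On a real host, feed the functions the output of `klist -k <keytab> -e` and `kvno -S cifs <host>` (after a `kinit admin`); a mismatch means the keytab and the KDC disagree about the key, which is exactly the symptom the thread ends up with.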


[Freeipa-users] DNS A Record Disappears after IPA Server reboot

2018-06-07 Thread Mariusz Stolarczyk via FreeIPA-users
Hi all,

Whenever I have to reboot my IPA server I lose one of my IPA client's DNS A 
Record. Curiously, all of the IPA client related SSHFP records are intact, as 
well as the reverse lookup record.

The only thing that was slightly different about this client is at some point 
the IP address was changed. I did however change the IP address on a different 
client with no problems.

Thanks,
-Mark
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/63GA6YY2XHBSXI6DVFQBSM2NWO4YX3JH/


[Freeipa-users] Re: Setting up fileserver using Samba shares and FreeIPA

2018-06-07 Thread Kristian Petersen via FreeIPA-users
I would have sworn my keytab was OK, but it wasn't and after re-doing that,
it all came up like magic.  I feel kinda dumb, but thanks for the pointers,
Alexander.

On Thu, Jun 7, 2018 at 3:47 PM, Alexander Bokovoy wrote:

> On Thu, 07 Jun 2018, Kristian Petersen via FreeIPA-users wrote:
>
>> I am trying to get a file server set up using RHEL 7.5, Samba, and Red Hat
>> IdM 4.5.0.  I have an older file server that works and have been using it as
>> a template for building this new one from scratch.  However, right now I
>> can't
>> get smb to start.  I keep getting errors about ipasam.c in journalctl:
>>
>> Jun 06 13:53:30 fileserver1.cpms.byu.edu smbd[11624]:   kerberos error:
>> code=-1765328203, message=Keytab contains no suitable keys for cifs/
>> fileserver1.cpms.byu@cpms.byu.edu
>> Jun 06 13:53:31 fileserver1.cpms.byu.edu smbd[11624]: [2018/06/06
>> 13:53:31.815713,  0] ipa_sam.c:4245(bind_callback_cleanup)
>> Jun 06 15:26:05 fileserver1.cpms.byu.edu smbd[12372]:   Failed to get
>> base
>> DN.
>>
>> I have made sure that the cifs service is set up in IPA for fileserver1
>> and
>> did an ipa-getkeytab to get a keytab for the service on fileserver1 as
>> well
>> which is why I was surprised to see a message about the keytab in the
>> journal.
>>
> What keytab file do you use? Please provide your smb.conf/testparm -s
> output.
>
> The message is very clear: it cannot find the key in the keytab file but
> where does it look for it?
>
>
>> A little earlier in the journal it also talks about being unable to do an
>> anonymous bind to LDAP.  It doesn't surprise me that it failed, but I
>> tried
>> supplying the LDAP bind creds using smbpasswd and that didn't seem to make
>> any difference.  It still tries an anonymous bind anyway which will never
>> work.
>>
> Ignore "anonymous bind" in that message. Samba's libsmbldap code checks
> if it has a DN to bind with and, if not, says 'anonymous bind' in the logs. For
> GSSAPI authentication there is no explicit bind DN provided, hence this
> message.
>
>
>> I have also already set up a role for giving fileserver1 the permissions
>> necessary to allow it to read the ipaNTHash.
>>
>> P.S.: Before I sent this email to the list I upgraded one of my IPA
>> servers
>> to the new kernel in RHEL 7.5 and smb broke in what looks like the same
>> way
>> on that machine as well.  It makes me wonder if this isn't a kernel
>> problem
>> rather than an IPA problem.  The errors I got on that machine before
>> rolling back to a working snapshot are below:
>>
>> Jun 06 16:27:05 ipa1.cpms.byu.edu smbd[12179]:   kerberos error:
>> code=-1765328360, message=Preauthentication failed
>> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06
>> 16:27:06.332266,  0] ipa_sam.c:4556(pdb_init_ipasam)
>> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]:   Failed to get base DN.
>> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06
>> 16:27:06.332318,  0]
>> ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
>> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]:   pdb backend
>> ipasam:ldapi://%2fvar%2frun%2fslapd-CPMS-BYU-EDU.socket did not correctly
>> init
>>
> This is, from what I can see, an issue with the keytab here.
>
> Can you do the two things below, showing the output of these commands:
> 1.
> - kinit admin
> - kvno -S cifs ipa1.cpms.byu.edu
>
> 2.
> - kinit -kt /path/to/cifs.keytab cifs/ipa1.cpms.byu@cpms.byu.edu
> - klist -k /path/to/cifs.keytab -e
> - klist
>
> I suspect that you messed up the Kerberos keys by running
> ipa-getkeytab, so now you have one version of the key at the KDC side
> and a different one in the keytab file. And for the first part you seem
> to be using a totally wrong keytab file.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>



-- 
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/3ED6VNIJ4QUDCBBZMZMESLHP5MQTXNJG/