Re: [Freeipa-users] FreeIPA manual PAM setup help
小龙 陈 wrote:
> Hi,
>
> I've been working on porting the FreeIPA client to Arch Linux lately and I'm now to the last step of the puzzle. Everything works the way it should, except for PAM, which I don't know how to set up. I must admit that I'm very confused by the PAM configuration (which PAM module does what, the order of the modules, etc). What I'm trying to find out is where the pam_sss.so lines should go.
>
> Here's a copy of the /etc/pam.d/ directory in Arch Linux: http://ompldr.org/vZ2hxcw/pam.d.tar.bz2
>
> I'd greatly appreciate it if someone could help me out :)
>
> Thanks!

I gather that this is due to a lack of authconfig. Timo Aaltonen has been working on ipa-client (and server!) for Ubuntu and he ran into similar problems but I'm not sure what solution he came up with.

I'll find someone with more PAM experience to try to give you more practical help.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ttl settings for host records
On 11/29/2012 01:16 PM, James Hogarth wrote:
>> I'm not entirely sure where that 86400 came from. When we do a dynamic update the TTL is hardcoded to 1200. There is a ticket to make this configurable, https://fedorahosted.org/freeipa/ticket/3031
>
> The patch I submitted on the SSSD side has actually been committed in 1.10 ... The report and patch I had there was about getting ipa-client-install to configure sssd.conf appropriately for sssd ... rather than changing the TTL after the system was first registered...
>
> Still trying to find time to work on the TTL this side within the IPA GUI rather than just the CLI (have it exposed in IPA... working on modifying it at the moment but still have one TTL per primary key rather than split it out entirely).

I'm not sure if I understood your intention correctly, but the current IPA LDAP schema can't handle more than a single TTL value per DNS name. I.e. all records under a single name (e.g. machine.example.com) have to have the same TTL value.

-- 
Petr^2 Spacek
Re: [Freeipa-users] FreeIPA manual PAM setup help
On Thu, Nov 29, 2012 at 10:26:00AM -0500, Rob Crittenden wrote:
> 小龙 陈 wrote:
>> Hi,
>>
>> I've been working on porting the FreeIPA client to Arch Linux lately and I'm now to the last step of the puzzle. Everything works the way it should, except for PAM, which I don't know how to set up. I must admit that I'm very confused by the PAM configuration (which PAM module does what, the order of the modules, etc). What I'm trying to find out is where the pam_sss.so lines should go.
>>
>> Here's a copy of the /etc/pam.d/ directory in Arch Linux: http://ompldr.org/vZ2hxcw/pam.d.tar.bz2
>>
>> I'd greatly appreciate it if someone could help me out :)
>>
>> Thanks!
>
> I gather that this is due to a lack of authconfig. Timo Aaltonen has been working on ipa-client (and server!) for Ubuntu and he ran into similar problems but I'm not sure what solution he came up with.
>
> I'll find someone with more PAM experience to try to give you more practical help.
>
> rob

Hi,

the PAM config files on Arch Linux are a little bit different than what Fedora/RHEL uses. It seems that the per-service config files (such as /etc/pam.d/su for logging in with su) directly include the PAM modules, in your case pam_unix.so only. On Fedora/RHEL, the per-service files usually include a more generic file called something like system-auth. Either way works, but if you'd like to configure more services in a similar way, then including a common file might save you some edits.

This document is a little outdated but provides a nice intro into configuring PAM:
http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html

In general there are four stacks in PAM, each of them controls one step in the auth process. I think you'll want to use both pam_unix and pam_sss in all the stacks -- pam_sss is needed for users coming in from the SSSD to log in and you'll also want to keep pam_unix around so that local users (at least root) can log in too.

Here is what my PAM config on Fedora 18 looks like:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    optional      pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

If Arch Linux ships the same modules as Fedora, then you should be able to simply copy and use the PAM config we use..

I've put Honza on CC, I know he runs Arch Linux as well and might have some insights into how PAM is configured on Arch.
Re: [Freeipa-users] FreeIPA manual PAM setup help
> Date: Thu, 29 Nov 2012 10:26:00 -0500
> From: rcrit...@redhat.com
> To: chillermillerl...@hotmail.com
> CC: freeipa-users@redhat.com; tjaal...@ubuntu.com
> Subject: Re: [Freeipa-users] FreeIPA manual PAM setup help
>
> 小龙 陈 wrote:
>> Hi,
>>
>> I've been working on porting the FreeIPA client to Arch Linux lately and I'm now to the last step of the puzzle. Everything works the way it should, except for PAM, which I don't know how to set up. I must admit that I'm very confused by the PAM configuration (which PAM module does what, the order of the modules, etc). What I'm trying to find out is where the pam_sss.so lines should go.
>>
>> Here's a copy of the /etc/pam.d/ directory in Arch Linux: http://ompldr.org/vZ2hxcw/pam.d.tar.bz2
>>
>> I'd greatly appreciate it if someone could help me out :)
>>
>> Thanks!
>
> I gather that this is due to a lack of authconfig. Timo Aaltonen has been working on ipa-client (and server!) for Ubuntu and he ran into similar problems but I'm not sure what solution he came up with.
>
> I'll find someone with more PAM experience to try to give you more practical help.
>
> rob

Hi Rob,

Thanks a lot for your reply! You're right that this is due to the lack of authconfig (or any other tool to manage the PAM settings). I took a look at Ubuntu's packaging and it seems that Ubuntu's PAM is similar to Fedora's. Fedora uses a common /etc/pam.d/system-auth file and Ubuntu uses a common /etc/pam.d/common-auth file. Arch doesn't have a common PAM configuration file, so I'll need to change every file for every service that I want to authenticate with sssd.

I didn't know that ipa-server is now working in Ubuntu. That's really great news!

Best regards,
Xiao-Long Chen
Re: [Freeipa-users] FreeIPA manual PAM setup help
> Date: Thu, 29 Nov 2012 16:56:08 +0100
> From: jhro...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA manual PAM setup help
>
> On Thu, Nov 29, 2012 at 10:26:00AM -0500, Rob Crittenden wrote:
>> 小龙 陈 wrote:
>>> Hi,
>>>
>>> I've been working on porting the FreeIPA client to Arch Linux lately and I'm now to the last step of the puzzle. Everything works the way it should, except for PAM, which I don't know how to set up. I must admit that I'm very confused by the PAM configuration (which PAM module does what, the order of the modules, etc). What I'm trying to find out is where the pam_sss.so lines should go.
>>>
>>> Here's a copy of the /etc/pam.d/ directory in Arch Linux: http://ompldr.org/vZ2hxcw/pam.d.tar.bz2
>>>
>>> I'd greatly appreciate it if someone could help me out :)
>>>
>>> Thanks!
>>
>> I gather that this is due to a lack of authconfig. Timo Aaltonen has been working on ipa-client (and server!) for Ubuntu and he ran into similar problems but I'm not sure what solution he came up with.
>>
>> I'll find someone with more PAM experience to try to give you more practical help.
>>
>> rob
>
> Hi,
>
> the PAM config files on Arch Linux are a little bit different than what Fedora/RHEL uses. It seems that the per-service config files (such as /etc/pam.d/su for logging in with su) directly include the PAM modules, in your case pam_unix.so only. On Fedora/RHEL, the per-service files usually include a more generic file called something like system-auth. Either way works, but if you'd like to configure more services in a similar way, then including a common file might save you some edits.
>
> This document is a little outdated but provides a nice intro into configuring PAM:
> http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html
>
> In general there are four stacks in PAM, each of them controls one step in the auth process. I think you'll want to use both pam_unix and pam_sss in all the stacks -- pam_sss is needed for users coming in from the SSSD to log in and you'll also want to keep pam_unix around so that local users (at least root) can log in too.
>
> Here is what my PAM config on Fedora 18 looks like:
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
>
> password    optional      pam_pwquality.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
>
> If Arch Linux ships the same modules as Fedora, then you should be able to simply copy and use the PAM config we use..
>
> I've put Honza on CC, I know he runs Arch Linux as well and might have some insights into how PAM is configured on Arch.

Hi,

Thanks a lot for your reply! I'll be sure to read up on the link.

The per-service config files are a bit annoying in Arch. I'm not sure if it's possible, but maybe I can create a /etc/pam.d/sssd that can be included in the other files? I'm guessing that the order of the PAM modules matters, so I'm not sure that that would work. I'll try adding pam_sss to each file, based on Fedora's system-auth, and see how that goes.

Best Regards,
Xiao-Long Chen
[Freeipa-users] FreeIPA status on Debian/Ubuntu (was: Re: FreeIPA manual PAM setup help)
29.11.2012 21:30, Jakub Hrozek wrote:
> On Thu, Nov 29, 2012 at 01:56:24PM -0500, 小龙 陈 wrote:
>> I didn't know that ipa-server is now working in Ubuntu. That's really great news!
>>
>> Best regards,
>> Xiao-Long Chen
>
> I could be wrong, but I don't think the IPA server is working in Ubuntu.. I know the client bits are and there was an effort to package the server as well, but I don't think it's finished yet.

right, the server isn't ready, client is limping along though not seen an update in a while.

> Timo would know better, though.

here's a short summary:

- 389ds is packaged and included in Debian/Ubuntu
- Dogtag 9 is packaged in git and worked the last time I tried, not pushed to either distro, since..
- Dogtag 10 is close(?) and I'd rather skip the transition if possible, then again..
- D10 needs RESTEasy, which in turn depends on nearly 50 new bits of software that need to be packaged, mostly java/maven based (and there's a helper that should automate most of the packaging, haven't tried it yet though)
- IPA server still needs the platform code rework, and I still need to rework the first patch to meet the review notes so not quite there yet :)

t
Re: [Freeipa-users] FreeIPA status on Debian/Ubuntu (was: Re: FreeIPA manual PAM setup help)
> Date: Thu, 29 Nov 2012 23:41:03 +0200
> From: tjaal...@ubuntu.com
> To: jhro...@redhat.com
> CC: freeipa-users@redhat.com
> Subject: [Freeipa-users] FreeIPA status on Debian/Ubuntu (was: Re: FreeIPA manual PAM setup help)
>
> 29.11.2012 21:30, Jakub Hrozek wrote:
>> On Thu, Nov 29, 2012 at 01:56:24PM -0500, 小龙 陈 wrote:
>>> I didn't know that ipa-server is now working in Ubuntu. That's really great news!
>>>
>>> Best regards,
>>> Xiao-Long Chen
>>
>> I could be wrong, but I don't think the IPA server is working in Ubuntu.. I know the client bits are and there was an effort to package the server as well, but I don't think it's finished yet.
>
> right, the server isn't ready, client is limping along though not seen an update in a while.
>
>> Timo would know better, though.
>
> here's a short summary:
>
> - 389ds is packaged and included in Debian/Ubuntu
> - Dogtag 9 is packaged in git and worked the last time I tried, not pushed to either distro, since..
> - Dogtag 10 is close(?) and I'd rather skip the transition if possible, then again..
> - D10 needs RESTEasy, which in turn depends on nearly 50 new bits of software that need to be packaged, mostly java/maven based (and there's a helper that should automate most of the packaging, haven't tried it yet though)
> - IPA server still needs the platform code rework, and I still need to rework the first patch to meet the review notes so not quite there yet :)
>
> t

Could you post a link to the git repo (if it's public)? I'd like to test out the work in progress :)
[Freeipa-users] RHEL6.3 Install Problem with IPA
I have a weird ipa-replica-install problem that I have not been able to work around. I have managed to successfully reproduce and identify the root cause of my pain, but I don't understand why it's coming up...

My install fails with:

Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80

After much head scratching, I finally was able to reproduce the problem:

If you start httpd as the install script does, it gives the following:

service httpd start
Starting httpd: Please enter password for internal token:

This process doesn't create the pidfile and essentially hangs httpd on 80 and 443.

When the restart process is later called, you get the message that the installer is throwing:

service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

I've verified that the content of /etc/httpd/conf/password.conf is valid and will 'authenticate' if passed to that internal token prompt...

mod_nss is clearly the piece that is causing the prompting but I'm not sure what is breaking here or how I can work around it.

Can someone help?

Keeping your head in the cloud
~
Jr Aquino | Sr. Information Security Specialist
GIAC Exploit Researcher and Advanced Penetration Tester | GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com/
[Freeipa-users] One time passwords - 2 factor
Hi,

Is it possible to use the freeipa API and an external program to do one time passwords? (password is sent by the external app, sms to smartphone).

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] RHEL6.3 Install Problem with IPA
JR Aquino wrote:
> I have a weird ipa-replica-install problem that I have not been able to work around. I have managed to successfully reproduce and identify the root cause of my pain, but I don't understand why it's coming up...
>
> My install fails with:
>
> Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
>
> After much head scratching, I finally was able to reproduce the problem:
>
> If you start httpd as the install script does, it gives the following:
>
> service httpd start
> Starting httpd: Please enter password for internal token:
>
> This process doesn't create the pidfile and essentially hangs httpd on 80 and 443.
>
> When the restart process is later called, you get the message that the installer is throwing:
>
> service httpd restart
> Stopping httpd:                                            [FAILED]
> Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
> no listening sockets available, shutting down
> Unable to open logs
>                                                            [FAILED]
>
> I've verified that the content of /etc/httpd/conf/password.conf is valid and will 'authenticate' if passed to that internal token prompt...
>
> mod_nss is clearly the piece that is causing the prompting but I'm not sure what is breaking here or how I can work around it.
>
> Can someone help?

What version of mod_nss is this? Can you see if there are SELinux or permission errors? Maybe password.conf can't be read.

rob
Re: [Freeipa-users] One time passwords - 2 factor
Steven Jones wrote:
> Hi,
>
> Is it possible to use the freeipa API and an external program to do one time passwords? (password is sent by the external app, sms to smartphone).

Not yet. The problem is lack of support in the KDC and this is being actively worked on. We did a proof-of-concept at the Red Hat Summit a couple of years ago using a Yubikey as the OTP source. It was, as they say in New England, wicked cool. It was very much hardcoded though.

AFAIK they are working on a plugin interface to make this much easier to do. A lot of the work is being done here: https://fedorahosted.org/AuthHub/

rob
Re: [Freeipa-users] FreeIPA manual PAM setup help
On Thu, 2012-11-29 at 20:55 -0500, 小龙 陈 wrote:
> And PAM is working!

Excellent!

> I've just finished a helper for setting up NSS and PAM for sssd. It basically does the following:
>
> 1. Looks for 'passwd', 'shadow', 'group', 'services', 'netgroup', and 'automount' in /etc/nsswitch.conf and adds 'sss' to it.

SSSD does not provide a shadow map so you shouldn't add sss to shadow. It will do no harm though, it will just be a noop.

> 2. Looks for pam_unix.so in every file in /etc/pam.d/, changes 'required' to 'sufficient', and adds an 'include' line for 'sss' right below it. /etc/pam.d/sss contains the pam_sss.so lines.
>
> So far, I've tested sudo and su, and both are working :)
>
> Here's a link to the script: https://github.com/chenxiaolong/ArchLinux-Packages/blob/master/freeipa/sss-auth-setup.py
>
> If someone is bored, I'd appreciate it if he/she would take a look at it for glaring issues.

Cool stuff, I do not know Arch Linux's default PAM stack configuration so I can't tell with certainty that the replacement you make is perfect, but I do not see anything stunningly bad.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
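The two-step helper Xiao-Long describes (append sss to the nsswitch.conf maps, then turn each per-service "required pam_unix.so" into "sufficient" and include a shared /etc/pam.d/sss beneath it), written out here as an added, self-contained example. It is not the posted sss-auth-setup.py and not FreeIPA project code. The nsswitch.conf and /etc/pam.d/su contents are constructed samples, the layout of /etc/pam.d/sss is an assumption modelled on the pam_sss lines in the Fedora system-auth quoted earlier in the thread, and two choices go beyond the description in the thread: shadow is left out of the NSS maps, following Simo's note that SSSD has no shadow map, and the session stack keeps pam_unix "required" so the included pam_sss session line is still reached.

```python
"""Added example (not the posted sss-auth-setup.py and not FreeIPA code):
point NSS and PAM at SSSD on a system whose /etc/pam.d/ has one file per
service and no common system-auth.  Sample file contents are constructed."""
import re

# NSS maps SSSD serves.  'shadow' is deliberately absent: SSSD provides no
# shadow map, so listing sss there would be a harmless no-op.
NSS_MAPS = ("passwd", "group", "services", "netgroup", "automount")

# Shared /etc/pam.d/sss that every per-service file will include.  Assumed
# layout, taken from the pam_sss lines of the Fedora system-auth in the thread.
SSS_PAM_FILE = """\
auth     sufficient pam_sss.so use_first_pass
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
session  optional   pam_sss.so
"""

# Constructed samples standing in for /etc/nsswitch.conf and /etc/pam.d/su.
SAMPLE_NSSWITCH = """\
passwd: files
group: files
shadow: files
hosts: files dns
services: files
netgroup: files
automount: files
"""
SAMPLE_SU = """\
#%PAM-1.0
auth\t\tsufficient\tpam_rootok.so
#auth\t\trequired\tpam_wheel.so use_uid
auth\t\trequired\tpam_unix.so
account\t\trequired\tpam_unix.so
session\t\trequired\tpam_unix.so
"""

NSS_LINE = re.compile(r"^(\s*)([a-z_]+)(\s*:\s*)(.*)$")
PAM_UNIX_LINE = re.compile(
    r"^(-?)(auth|account|password|session)(\s+)required(\s+)pam_unix\.so(.*)$")
PAM_INCLUDE_SSS = re.compile(
    r"^-?(auth|account|password|session)\s+include\s+sss\s*$", re.MULTILINE)


def add_sss_to_nsswitch(text, maps=NSS_MAPS):
    """Append 'sss' to the selected nsswitch.conf maps; 'files' stays first
    so local entries win lookups.  Other maps and comments are untouched."""
    out = []
    for line in text.splitlines():
        m = NSS_LINE.match(line)
        if m and m.group(2) in maps:
            sources = m.group(4).split()
            if "sss" not in sources:
                sources.append("sss")
                line = f"{m.group(1)}{m.group(2)}{m.group(3)}{' '.join(sources)}"
        out.append(line)
    return "\n".join(out) + "\n"


def add_sss_to_pam_service(text):
    """Rewrite one /etc/pam.d/<service> file so pam_sss runs after pam_unix.

    auth/account/password: 'required pam_unix.so' becomes 'sufficient', so a
    local user ends the stack there and a user unknown to /etc/passwd falls
    through to the included pam_sss line.  session: pam_unix stays 'required'
    so the included (optional) pam_sss session line is still reached.  When
    every module fails, no success is recorded and Linux-PAM denies, so no
    trailing pam_deny.so is needed.  Already-converted files are returned as-is.
    """
    if PAM_INCLUDE_SSS.search(text):
        return text
    out = []
    for line in text.splitlines():
        m = PAM_UNIX_LINE.match(line)
        if not m:
            out.append(line)
            continue
        dash, stack, ws1, ws2, args = m.groups()
        control = "required" if stack == "session" else "sufficient"
        out.append(f"{dash}{stack}{ws1}{control}{ws2}pam_unix.so{args}")
        out.append(f"{stack}{ws1}include{ws2}sss")
    return "\n".join(out) + "\n"


def rewrite_in_place(path, transform):
    """Apply transform to a file, writing back only if the content changed."""
    with open(path) as f:
        old = f.read()
    new = transform(old)
    if new != old:
        with open(path, "w") as f:
            f.write(new)
    return new != old


if __name__ == "__main__":
    # Real run (as root): the shared file first, then every per-service file.
    import glob
    rewrite_in_place("/etc/nsswitch.conf", add_sss_to_nsswitch)
    with open("/etc/pam.d/sss", "w") as f:
        f.write(SSS_PAM_FILE)
    for path in glob.glob("/etc/pam.d/*"):
        if path != "/etc/pam.d/sss":
            rewrite_in_place(path, add_sss_to_pam_service)
```

Because the pam_sss line in the shared file uses use_first_pass, it reuses the password pam_unix already collected, so an IPA user is prompted once; a second run is a no-op, since files that already carry an "include sss" line are returned unchanged.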
Re: [Freeipa-users] One time passwords - 2 factor
On 30 November 2012 11:43, Rob Crittenden <rcrit...@redhat.com> wrote:
> Steven Jones wrote:
>> Hi,
>>
>> Is it possible to use the freeipa API and an external program to do one time passwords? (password is sent by the external app, sms to smartphone).
>
> Not yet. The problem is lack of support in the KDC and this is being actively worked on. We did a proof-of-concept at the Red Hat Summit a couple of years ago using a Yubikey as the OTP source. It was, as they say in New England, wicked cool. It was very much hardcoded though.
>
> AFAIK they are working on a plugin interface to make this much easier to do. A lot of the work is being done here: https://fedorahosted.org/AuthHub/

Awesome! Looking forward to that. If I had some spare time I could contribute...

> rob