Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Andrew Holway
Hi,

As far as I understand it Kerberos service tickets are granted for a user
to access a particular principal (host/service@REALM) and cannot be reused.
Kerberos uses symmetric key cryptography so, if someone were able to access
the memory of the machine, then they may indeed be able to snoop your user
password, although I am quite sure passwords are kept hashed in the keytab.

If you are so worried that someone would go to the trouble to hack the
virtualisation layer and copy chunks of memory then you should really be
reconsidering your use of cloud services. People hacking Kerberos will be
the least of your problems if you have data that sensitive on there.

If you could point me to some documentation on the specific attack you are
trying to mitigate that would be nice.

Thanks,

Andrew


On 30 March 2015 at 04:27, Gokulnath gokulna...@gmail.com wrote:

 Thanks for getting back.

 1. For security: a Kerberos ticket in memory can be taken and that
 session key can be used to gain access everywhere. Primarily this is because
 the plan is to use the solution in the cloud.

 2. Can I disable DNS as well, and have IPA run only LDAP, SSH key
 rotation and PKI?

 3. As during the install, DNS and Kerberos are getting installed and
 configured.

 I would really appreciate it if you could get back to me.

 Thank you
 Gokul
 Sent from iPhone

  On Mar 29, 2015, at 8:44 PM, Dmitri Pal d...@redhat.com wrote:
 
  On 03/29/2015 11:50 AM, Gokul wrote:
  Hi,
 
  I am trying to run some of my use cases with FreeIPA.
 
  Have FreeIPA to do only SSH key management in LDAP and PKI management.
 
  I understand that every request is kerberized and that DNS is a
 must in the configuration.
 
  Can I have FreeIPA to run only SSH Key management with LDAP and a PKI
 server with dogtag?
 
  Thank you
  Gokul
  You can't turn off Kerberos. You would need Kerberos for administration.
  But other clients can take advantage of LDAP and SSH only.
  However you are significantly limiting your functionality and
 capabilities.
  Kerberos is really the key to the solution.
 
  What is the reason you are trying to avoid using it?
 
 
  --
  Thank you,
  Dmitri Pal
 
  Sr. Engineering Manager IdM portfolio
  Red Hat, Inc.
  --
  Manage your subscription for the Freeipa-users mailing list:
  https://www.redhat.com/mailman/listinfo/freeipa-users
  Go to http://freeipa.org for more info on the project



Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Petr Spacek
On 30.3.2015 09:28, Andrew Holway wrote:
 Hi,
 
 As far as I understand it Kerberos service tickets are granted for a user
 to access a particular principal (host/service@REALM) and cannot be reused.
 Kerberos uses symmetric key cryptography so, if someone were able to access
 the memory of the machine, then they may indeed be able to snoop your user
 password, although I am quite sure passwords are kept hashed in the keytab.
 
 If you are so worried that someone would go to the trouble to hack the
 virtualisation layer and copy chunks of memory then you should really be
 reconsidering your use of cloud services. People hacking Kerberos will be
 the least of your problems if you have data that sensitive on there.
 
 If you could point me to some documentation on the specific attack you are
 trying to mitigate that would be nice.
 
 Thanks,
 
 Andrew
 
 
 On 30 March 2015 at 04:27, Gokulnath gokulna...@gmail.com wrote:
 
 Thanks for getting back.

 1. For security: a Kerberos ticket in memory can be taken and that
 session key can be used to gain access everywhere. Primarily this is because
 the plan is to use the solution in the cloud.

 2. Can I disable DNS as well, and have IPA run only LDAP, SSH key
 rotation and PKI?

 3. As during the install, DNS and Kerberos are getting installed and
 configured.

Let me add that the DNS server is an optional component and will not be installed
if you do not specify the --setup-dns option. In that case you have to add the
necessary DNS records by hand to make FreeIPA fully functional.

Petr^2 Spacek

 I would really appreciate it if you could get back to me.

 Thank you
 Gokul
 Sent from iPhone

 On Mar 29, 2015, at 8:44 PM, Dmitri Pal d...@redhat.com wrote:

 On 03/29/2015 11:50 AM, Gokul wrote:
 Hi,

 I am trying to run some of my use cases with FreeIPA.

 Have FreeIPA to do only SSH key management in LDAP and PKI management.

 I understand that every request is kerberized and that DNS is a
 must in the configuration.

 Can I have FreeIPA to run only SSH Key management with LDAP and a PKI
 server with dogtag?

 Thank you
 Gokul
 You can't turn off Kerberos. You would need Kerberos for administration.
 But other clients can take advantage of LDAP and SSH only.
 However you are significantly limiting your functionality and
 capabilities.
 Kerberos is really the key to the solution.

 What is the reason you are trying to avoid using it?


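Petr's point that the records have to be created by hand can be checked mechanically. The following is an added example (not code from the thread or from the FreeIPA project): it builds the SRV/TXT record set that FreeIPA client discovery looks up for one server and reports which of them a hand-typed zone fragment still lacks. The server name, realm, IP and zone text are constructed placeholders; the ipa-ca A record exists only in newer releases and is emitted only when an IP is supplied.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    name: str    # owner name relative to the zone, e.g. "_ldap._tcp"
    rtype: str   # "SRV", "TXT" or "A"
    rdata: str   # record data, e.g. "0 100 389 ipa01.example.test."

    def zone_line(self) -> str:
        return f"{self.name} IN {self.rtype} {self.rdata}"


def ipa_dns_records(server_fqdn: str, realm: str,
                    server_ip: Optional[str] = None) -> List[Record]:
    """Records a FreeIPA client uses to discover the server through DNS.

    Kerberos clients find the KDC via _kerberos._udp/_tcp (port 88), the
    master KDC via _kerberos-master (port 88) and the password-change
    service via _kpasswd (port 464); ipa-client-install and SSSD find the
    directory via _ldap._tcp (port 389); the _kerberos TXT record names
    the realm. The ipa-ca A record (newer releases) gives clients a
    stable name for the CA and is only emitted when an IP is supplied.
    """
    target = server_fqdn.rstrip(".") + "."

    def srv(port: int) -> str:
        return f"0 100 {port} {target}"   # priority 0, weight 100

    records = [
        Record("_ldap._tcp", "SRV", srv(389)),
        Record("_kerberos._tcp", "SRV", srv(88)),
        Record("_kerberos._udp", "SRV", srv(88)),
        Record("_kerberos-master._tcp", "SRV", srv(88)),
        Record("_kerberos-master._udp", "SRV", srv(88)),
        Record("_kpasswd._tcp", "SRV", srv(464)),
        Record("_kpasswd._udp", "SRV", srv(464)),
        Record("_kerberos", "TXT", f'"{realm}"'),
    ]
    if server_ip:
        records.append(Record("ipa-ca", "A", server_ip))
    return records


def parse_zone_fragment(text: str) -> Set[Tuple[str, str, str]]:
    """Parse 'name [ttl] [IN] type rdata' lines into (name, type, rdata).

    Deliberately small: comments (;) and blank lines are skipped, TTL and
    class are optional, and rdata is normalised on whitespace so that a
    hand-typed line compares equal to the generated one.
    """
    found: Set[Tuple[str, str, str]] = set()
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if len(tokens) < 3:
            continue
        name = tokens.pop(0)
        if tokens[0].isdigit():            # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        if len(tokens) < 2:
            continue
        rtype = tokens.pop(0).upper()
        found.add((name, rtype, " ".join(tokens)))
    return found


def missing_records(zone_text: str, expected: List[Record]) -> List[Record]:
    """Return the expected records that the zone fragment does not contain."""
    present = parse_zone_fragment(zone_text)
    return [r for r in expected
            if (r.name, r.rtype, r.rdata) not in present]


# Constructed sample: a zone fragment an admin typed after an install
# without --setup-dns, which covers only two of the needed records.
SAMPLE_ZONE = """
; hand-maintained records for the IPA server
_ldap._tcp    3600 IN SRV 0 100 389 ipa01.example.test.
_kerberos          IN TXT "EXAMPLE.TEST"
"""

if __name__ == "__main__":
    expected = ipa_dns_records("ipa01.example.test", "EXAMPLE.TEST", "192.0.2.10")
    for rec in missing_records(SAMPLE_ZONE, expected):
        print("missing:", rec.zone_line())
```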

Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Martin Basti

On 30/03/15 04:27, Gokulnath wrote:

Thanks for getting back.

1. For security: a Kerberos ticket in memory can be taken and that session
key can be used to gain access everywhere. Primarily this is because the plan is
to use the solution in the cloud.

2. Can I disable DNS as well, and have IPA run only LDAP, SSH key rotation
and PKI?
IPA clients require properly configured DNS; if you plan to use only the
server, IMO it should work.


3. As during the install, DNS and Kerberos are getting installed and configured.

DNS is an optional part of the installation; by default DNS is not installed.


I would really appreciate it if you could get back to me.

Thank you
Gokul
Sent from iPhone


On Mar 29, 2015, at 8:44 PM, Dmitri Pal d...@redhat.com wrote:


On 03/29/2015 11:50 AM, Gokul wrote:
Hi,

I am trying to run some of my use cases with FreeIPA.

Have FreeIPA to do only SSH key management in LDAP and PKI management.

I understand that every request is kerberized and that DNS is a must in the
configuration.

Can I have FreeIPA to run only SSH Key management with LDAP and a PKI server 
with dogtag?

Thank you
Gokul

You can't turn off Kerberos. You would need Kerberos for administration.
But other clients can take advantage of LDAP and SSH only.
However you are significantly limiting your functionality and capabilities.
Kerberos is really the key to the solution.

What is the reason you are trying to avoid using it?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



--
Martin Basti



Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Jakub Hrozek
On Mon, Mar 30, 2015 at 02:18:00PM +0530, Yogesh Sharma wrote:
 Hi List,
 
 We are trying to install IPA-Client from source code.

Why?

 While installing we
 are seeing many errors, most of which are resolved, but we are stuck at the below
 while doing make.
 
 Is there any suggestion to get out of it? I will update if I find anything.
 
 gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\/usr/local\
 -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\
 -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\
 -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3
 -DWITH_MOZLDAP-g -O2 -MT ipa-getkeytab.o -MD -MP -MF
 .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
 ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
  #include popt.h
   ^

libpopt-devel is missing. The easiest way to fetch them all is with
yum-builddeps. 

 compilation terminated.
 make[2]: *** [ipa-getkeytab.o] Error 1
 make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
 make[1]: *** [all-recursive] Error 1
 make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
Whoa, are you sure? ipa 1.x?



Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Jakub Hrozek
On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote:
 Hi Jakub:
 
 The FreeIPA package is not available in Amazon Linux running on an EC2 instance.
 We tried to install the packages individually but it is breaking in many places.
 
 It is not 1.x. We had a directory with this name and I extracted the tar in
 the same folder, hence it shows like this :).
 We are using 3.0.2 as of now.

Then I wonder if it would be more useful to add a repo that already
contains the package, from CentOS maybe? You'll get the updates for
free.



Re: [Freeipa-users] ipa-client-automount problem

2015-03-30 Thread Günther J . Niederwimmer
Hello,

On Sunday, 29 March 2015, 22:25:07, Rob Crittenden wrote:
 Dmitri Pal wrote:
  On 03/29/2015 06:00 PM, Günther J. Niederwimmer wrote:
  Hello,
  
   My automount is not working correctly?
  
   I have a CentOS 7 with CR update; this is IPA 4.1 and sssd 1.12
  
   I have this error in the logs:
  
  automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No
  such file or
  directory
  
   Is this correct with IPA 4.1?
  
   /etc/sysconfig/autofs and /etc/autofs_ldap_auth.config were not
   configured by ipa-client-automount, or do I have to do this manually?
  
  Do you have libsss_autofs installed?
 
 The default is to configure automount using SSSD so no configuration in
 those files is expected.
 
 What isn't working?

I mean this error is not the best thing ;)

automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No such file or 
directory


I found this in mount:

/etc/auto.misc on /misc type autofs 
(rw,relatime,fd=6,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)
-hosts on /net type autofs 
(rw,relatime,fd=12,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)
auto.daten on /daten type autofs 
(rw,relatime,fd=18,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)
auto.home on /home type autofs 
(rw,relatime,fd=24,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)

First, now I also found the local auto.master in the mount?

But the /net mount (nfs4) is not mounted ;)

Do I have to start any NFS programs for it to work?

-- 
kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] AD users and IPA's sudo

2015-03-30 Thread Jakub Hrozek
On Mon, Mar 30, 2015 at 08:09:43AM +, Alexander Frolushkin wrote:
 Hello everyone.
 We have an IPA 3 and AD domain trust.
 Users from AD successfully log on to Linux servers via ssh and HBAC rules
 work fine with external groups. But not sudo rules.
 When a rule defines IPA users as 'who', the rule works well. If it defines an
 external group for the corresponding AD group which the AD user is a member of, this
 user gets
 u...@ad.com is not allowed to run sudo on host.com.  This
 incident will be reported.
 
 In the debug log there are these strings:
 (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
 (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=u...@ad.com)(sudoUser=#xx)(sudoUser=%cuted...(sudoUser=%cuted.)(sudoUser=+*))((dataExpireTimestamp=1427702040)))]
 (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules
 (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retrieve expired sudo rules [5]: Input/output error

Looks suspicious. Is there a corresponding LDAP search in the back end
log as well? Look for sdap_get_generic perhaps..

 
 I've seen a number of closed bugs with similar error messages, but at least on
 this RHEL 6.6 server sssd is fully updated.
 
 And sorry for the huge underlined message, it is generated automatically and 
 I have no rights to avoid it in my mails :(
 
 With best regards,
 Alexander Frolushkin,
 Senior engineer in system administration
 and database management
 MegaFon, Siberian branch
 http://english.corp.megafon.ru/
 Cell  +79232508764
 Phone +79232507764
 
 
 
 
 
 
 The information contained in this communication is intended solely for the 
 use of the individual or entity to whom it is addressed and others authorized 
 to receive it. It may contain confidential or legally privileged information. 
 The contents may not be disclosed or used by anyone other than the addressee. 
 If you are not the intended recipient(s), any use, disclosure, copying, 
 distribution or any action taken or omitted to be taken in reliance on it is 
 prohibited and may be unlawful. If you have received this communication in 
 error please notify us immediately by responding to this email and then 
 delete the e-mail and all attachments and any copies thereof.
 




Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Natxo Asenjo
On Mon, Mar 30, 2015 at 10:48 AM, Yogesh Sharma yks0...@gmail.com wrote:

 Hi List,

 We are trying to install IPA-Client from source code. While installing
 we are seeing many errors, most of which are resolved, but we are stuck at the below
 while doing make.

 Is there any suggestion to get out of it? I will update if I find
 anything.

 gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\/usr/local\
 -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\
 -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\
 -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3
 -DWITH_MOZLDAP-g -O2 -MT ipa-getkeytab.o -MD -MP -MF
 .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
 ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
  #include popt.h



In Fedora I get these results:

$ sudo yum whatprovides */popt.h
Loaded plugins: langpacks
golang-src-1.3.3-1.fc21.noarch : Golang compiler source tree
Repo: fedora
Matched from:
Filename: /usr/lib/golang/src/cmd/gc/popt.h



popt-devel-1.16-5.fc21.i686 : Development files for the popt library
Repo: fedora
Matched from:
Filename: /usr/include/popt.h



popt-devel-1.16-5.fc21.x86_64 : Development files for the popt library
Repo: fedora
Matched from:
Filename: /usr/include/popt.h


HTH,

-- 
regards,
natxo

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Yogesh Sharma
Sure.




Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RackSpace Cloud U
LinkedIn: http://in.linkedin.com/in/yks


On Mon, Mar 30, 2015 at 3:05 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote:
  Hi Jakub:
 
   The FreeIPA package is not available in Amazon Linux running on an EC2 instance.
   We tried to install the packages individually but it is breaking in many
  places.
  
   It is not 1.x. We had a directory with this name and I extracted the tar
  in
   the same folder, hence it shows like this :).
   We are using 3.0.2 as of now.

 Then I wonder if it would be more useful to add a repo that already
 contains the package, from CentOS maybe? You'll get the updates for
 free.


Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-30 Thread Jakub Hrozek
On Mon, Mar 30, 2015 at 05:36:00AM +0100, g.fer.or...@unicyber.co.uk wrote:
 
 Hey Guys
 
 Not sure if I am missing any bit, but this was the thing in the end:
 
 
 http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
 
 I managed to have it working and I have documented all those nasty bits
 which might save people's time. The whole weekend is gone, but nonetheless it has
 been productive.
 
 I am including the SUDO bit, which is usually a pain in my experience.
 
 Thanks

Thank you very much for documenting this, but wouldn't it be better to
use id_provider=ipa instead?

Then the configuration would be simpler, less error-prone and would
authenticate more securely. You don't need to run ipa-client-install on
the box; you can generate the client keytab elsewhere and transfer it to
the client.



[Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Yogesh Sharma
Hi List,

We are trying to install IPA-Client from source code. While installing we
are seeing many errors, most of which are resolved, but we are stuck at the below
while doing make.

Is there any suggestion to get out of it? I will update if I find anything.

gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\/usr/local\
-DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\
-DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\
-I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3
-DWITH_MOZLDAP-g -O2 -MT ipa-getkeytab.o -MD -MP -MF
.deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
 #include popt.h
  ^
compilation terminated.
make[2]: *** [ipa-getkeytab.o] Error 1
make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
make: *** [all] Error 2






Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RackSpace Cloud U
LinkedIn: http://in.linkedin.com/in/yks

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Yogesh Sharma
Hi Jakub:

The FreeIPA package is not available in Amazon Linux running on an EC2 instance.
We tried to install the packages individually but it is breaking in many places.

It is not 1.x. We had a directory with this name and I extracted the tar in
the same folder, hence it shows like this :).
We are using 3.0.2 as of now.






Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RackSpace Cloud U
LinkedIn: http://in.linkedin.com/in/yks


On Mon, Mar 30, 2015 at 2:39 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Mon, Mar 30, 2015 at 02:18:00PM +0530, Yogesh Sharma wrote:
  Hi List,
 
  We are trying to install IPA-Client from source code.

 Why?

  While installing we
  are seeing many errors, most of which are resolved, but we are stuck at the below
  while doing make.
 
  Is there any suggestion to get out of it? I will update if I find
 anything.
 
  gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\/usr/local\
  -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\
  -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\
  -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3
  -DWITH_MOZLDAP-g -O2 -MT ipa-getkeytab.o -MD -MP -MF
  .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
  ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
   #include popt.h
^

 libpopt-devel is missing. The easiest way to fetch them all is with
 yum-builddeps.

  compilation terminated.
  make[2]: *** [ipa-getkeytab.o] Error 1
  make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
  make[1]: *** [all-recursive] Error 1
  make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
 Whoa, are you sure? ipa 1.x?



Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Dmitri Pal

On 03/29/2015 10:27 PM, Gokulnath wrote:

Thanks for getting back.

1. For security: a Kerberos ticket in memory can be taken and that session
key can be used to gain access everywhere. Primarily this is because the plan is
to use the solution in the cloud.


You can use Kerberos in the cloud. It is not worse or better than certs.
If you can read the memory of a machine you can (potentially) read its keys.
But this is the general risk that you take going into the cloud
regardless of whether you use PKI or Kerberos.


In general you do not want to store long-term keys in the images but
rather add them on the fly when the system is instantiated.

The ipa-client-install with OTP registration code provides this capability.

It seems that you are trying to overcomplicate things with no obvious
reason.
If you need help with picking a better approach, let us know what
exactly you are trying to accomplish.




2. Can I disable DNS as well, and have IPA run only LDAP, SSH key rotation
and PKI?

3. As during the install, DNS and Kerberos are getting installed and configured.

I would really appreciate it if you could get back to me.

Thank you
Gokul
Sent from iPhone


On Mar 29, 2015, at 8:44 PM, Dmitri Pal d...@redhat.com wrote:


On 03/29/2015 11:50 AM, Gokul wrote:
Hi,

I am trying to run some of my use cases with FreeIPA.

Have FreeIPA to do only SSH key management in LDAP and PKI management.

I understand that every request is kerberized and that DNS is a must in the
configuration.

Can I have FreeIPA to run only SSH Key management with LDAP and a PKI server 
with dogtag?

Thank you
Gokul

You can't turn off Kerberos. You would need Kerberos for administration.
But other clients can take advantage of LDAP and SSH only.
However you are significantly limiting your functionality and capabilities.
Kerberos is really the key to the solution.

What is the reason you are trying to avoid using it?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-30 Thread Dmitri Pal

On 03/29/2015 10:56 PM, Matt . wrote:


Hi,

I just got home and am typing from my cell so I'm quite short in words

Create keytab for ldap-01.domain
Kinit with that to ldap.domain
Curl against ldap.domain
Get a 301 which I manage from curl (goes well)
Get kerberos ticket error

Now I don't kinit anymore, so I re-use my existing ticket and curl
against ldap-01.domain and I'm accepted and can execute stuff.


My SSL is OK, the ticket also it seems.



Hard to say without the logs what is going on. However, here is a thought:
if it is trying to get another ticket it might think that the service is
in a different domain.
Client libraries have a feature to detect which ticket to use depending
on the realm the resource belongs to.
Maybe it is thinking that it is a different realm and thus does not use
the ticket it has.





Thanks M.

On 30 Mar 2015 03:50, Dmitri Pal d...@redhat.com wrote:


On 03/29/2015 04:47 AM, Matt . wrote:

Hi Guys,

Now that my certification issues are solved for using a loadbalancer in
front of my IPA servers, I get the following:

Unable to verify your Kerberos credentials

and in my logs:

Additional pre-authentication required.

This happens when I connect through my loadbalancers; I see my server
coming in with the right IP.

When I access my IPA server directly, without the loadbalancer IP
in between, my Kerberos ticket is valid.

I get the feeling that when I use my loadbalancers, and because of that
I get a 301 redirect, it needs a preauth. I see some issues on
mailing lists but they don't fit my situation.

Why does it want the preauth when I already have a valid ticket and my
redirect is followed by curl and posted the right way?


Can you describe the sequence?
What do you do?

From the client you try IPA CLI and this is where you see the
problem even with the valid ticket or is the flow different?

I hope someone has an idea.

Thanks,

Matt



-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


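Dmitri's thought that the client may decide the load-balanced name belongs to a different realm can be made concrete. The following is an added example (not code from the thread or from MIT Kerberos): it models the documented [domain_realm] lookup a krb5 client applies to a service host name, using a constructed krb5.conf in which the direct server's domain is mapped and the load-balancer name, in another DNS domain, is not. Host names and realms are placeholders; which fallback applies when nothing matches depends on the krb5 version and dns_lookup_realm, so it is passed in explicitly, and DNS canonicalisation of the host name is not modelled.

```python
from typing import Dict, Optional, Tuple

# Constructed krb5.conf: the IPA servers live in example.test, but the
# load-balancer name sits in a DNS domain with no [domain_realm] entry.
KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
"""


def parse_domain_realm(krb5_conf: str) -> Dict[str, str]:
    """Collect the key = value pairs of the [domain_realm] section."""
    mapping: Dict[str, str] = {}
    in_section = False
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def realm_for_host(host: str, domain_realm: Dict[str, str],
                   fallback: Optional[str]) -> Tuple[Optional[str], str]:
    """Map a service host name to a realm the way MIT krb5 documents it.

    Order: an entry for the exact host name, then parent domains with a
    leading dot, longest first. Nothing else is consulted here, so the
    caller passes the fallback (default_realm, or whatever DNS would give
    with dns_lookup_realm = true). Returns (realm, key that matched or
    "<fallback>").
    """
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate], candidate
    return fallback, "<fallback>"


def service_principal(service: str, host: str, domain_realm: Dict[str, str],
                      fallback: Optional[str]) -> Optional[str]:
    """The principal a client would request a ticket for, e.g. HTTP/host@REALM."""
    realm, _ = realm_for_host(host, domain_realm, fallback)
    if realm is None:
        return None
    return f"{service}/{host.lower().rstrip('.')}@{realm}"


def same_realm(host_a: str, host_b: str, domain_realm: Dict[str, str],
               fallback: Optional[str]) -> bool:
    """True when both names map to the same realm.

    Different host names always give different service principals, so a
    second service ticket is fetched either way; what matters is which
    realm's KDC the library asks. A name that falls through to the fallback
    can point it at the wrong realm, which is the situation to rule out.
    """
    return (realm_for_host(host_a, domain_realm, fallback)[0]
            == realm_for_host(host_b, domain_realm, fallback)[0])


if __name__ == "__main__":
    mapping = parse_domain_realm(KRB5_CONF)
    for name in ("ldap-01.example.test", "ldap.lb.example.net"):
        print(name, "->", realm_for_host(name, mapping, "EXAMPLE.TEST"))
```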
Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Gokulnath
Thanks for the update.

The reason for weighing in on the Kerberos option is to have it as an option to
disable if needed; security is more important. I had to say this because there
was a question on why I would disable it.

I agree that the OTP should definitely provide some additional layer of
security.

Let me test and reply back.

Thanks again.

Gokul

Sent from iPhone

 On Mar 30, 2015, at 7:48 AM, Dmitri Pal d...@redhat.com wrote:
 
 On 03/29/2015 10:27 PM, Gokulnath wrote:
 Thanks for getting back.
 
 1. For security: a Kerberos ticket in memory can be taken and that
 session key can be used to gain access everywhere. Primarily this is because
 the plan is to use the solution in the cloud.
 
 You can use Kerberos in the cloud. It is not worse or better than certs.
 If you can read the memory of a machine you can (potentially) read its keys.
 But this is the general risk that you take going into the cloud regardless
 of whether you use PKI or Kerberos.
 
 In general you do not want to store long-term keys in the images but rather
 add them on the fly when the system is instantiated.
 The ipa-client-install with OTP registration code provides this capability.
 
 It seems that you are trying to overcomplicate things with no obvious reason.
 If you need help with picking a better approach, let us know what exactly you
 are trying to accomplish.
 
 
 2. Can I disable DNS as well, and have IPA run only LDAP, SSH key
 rotation and PKI?
 
 3. As during the install, DNS and Kerberos are getting installed and 
 configured.
 
 I would really appreciate it if you could get back to me.
 
 Thank you
 Gokul
 Sent from iPhone
 
 On Mar 29, 2015, at 8:44 PM, Dmitri Pal d...@redhat.com wrote:
 
 On 03/29/2015 11:50 AM, Gokul wrote:
 Hi,
 
 I am trying to run some of my use cases with FreeIPA.
 
 Have FreeIPA to do only SSH key management in LDAP and PKI management.
 
 I understand that every request is kerberized and that DNS is a must in the
 configuration.
 
 Can I have FreeIPA to run only SSH Key management with LDAP and a PKI 
 server with dogtag?
 
 Thank you
 Gokul
 You can't turn off Kerberos. You would need Kerberos for administration.
 But other clients can take advantage of LDAP and SSH only.
 However you are significantly limiting your functionality and capabilities.
 Kerberos is really the key to the solution.
 
 What is the reason you are trying to avoid using it?
 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.
 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.
 



Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-30 Thread Sumit Bose
On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
 Hi,
 
 I just got home and am typing from my cell so I'm quite short in words
 
 Create keytab for ldap-01.domain
 Kinit with that to ldap.domain
 Curl against ldap.domain
 Get a 301 which I manage from curl (goes well)
 Get kerberos ticket error
 
 Now I don't kinit anymore, so I re-use my existing ticket and curl against
 ldap-01.domain and I'm accepted and can execute stuff.
 
 My SSL is OK, the ticket also it seems.

Maybe the output of

KRB5_TRACE=/dev/stdout curl -v 

might help to see what is going on?

bye,
Sumit

 
 Thanks M.
 Op 30 mrt. 2015 03:50 schreef Dmitri Pal d...@redhat.com:
 
  On 03/29/2015 04:47 AM, Matt . wrote:
 
  Hi Guys,
 
  Now that my certification issues are solved for using a loadbalancer in
  front of my IPA servers, I get the following:
 
  Unable to verify your Kerberos credentials
 
  and in my logs:
 
  Additional pre-authentication required.
 
  This happens when I connect through my loadbalancers; I see my server
  coming in with the right IP.
 
  When I access my IPA server directly, without the loadbalancer IP
  in between, my Kerberos ticket is valid.
 
  I get the feeling that when I use my loadbalancers, and because of that
  I get a 301 redirect, it needs a preauth. I see some issues on
  mailing lists but they don't fit my situation.
 
  Why does it want the preauth when I already have a valid ticket and my
  redirect is followed by curl and posted the right way?
 
 
  Can you describe the sequence?
  What do you do?
 
  From the client you try IPA CLI and this is where you see the problem even
  with the valid ticket or is the flow different?
 
   I hope someone has an idea.
 
  Thanks,
 
  Matt
 
 
 
 



[Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
SSO works intermittently. I’m having trouble tracing the issue. Here is what I 
see from /var/log/secure. Where should I look for more detail to figure out why 
the SSO login is failing?

Mar 30 08:47:39 mid-ipa-vp01 sshd[9317]: Starting session: shell on pts/0 for 
root from 10.34.149.105 port 49725
Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: Setting controlling tty using 
TIOCSCTTY.
Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: PAM: reinitializing credentials
Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: permanently_set_uid: 0/0
Mar 30 08:49:05 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: 
rtype keepal...@openssh.com want_reply 1
Mar 30 08:50:05 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: 
rtype keepal...@openssh.com want_reply 1
Mar 30 08:51:57 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: 
rtype keepal...@openssh.com want_reply 1
Mar 30 08:52:57 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: 
rtype keepal...@openssh.com want_reply 1
Mar 30 08:53:51 mid-ipa-vp01 sshd[1388]: debug1: Forked child 12621.
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: Set /proc/self/oom_score_adj to 0
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: rexec start in 5 out 5 
newsock 5 pipe 7 sock 8
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: inetd sockets after dupping: 
3, 3
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: Connection from 10.80.5.239 port 
52982 on 10.127.26.73 port 22
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Client protocol version 2.0; 
client software version PuTTY_Release_0.64
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: no match: PuTTY_Release_0.64
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Enabling compatibility mode 
for protocol 2.0
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Local version string 
SSH-2.0-OpenSSH_6.6.1
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SELinux support enabled 
[preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: permanently_set_uid: 74/74 
[preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: list_hostkey_types: 
ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEXINIT sent 
[preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEXINIT received 
[preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: client-server 
aes256-ctr hmac-sha2-256 none [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: server-client 
aes256-ctr hmac-sha2-256 none [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: 
diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: 
diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: 
SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP 
sent [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: expecting 
SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY 
sent [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_NEWKEYS sent 
[preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: expecting SSH2_MSG_NEWKEYS 
[preauth]
Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_NEWKEYS received 
[preauth]
Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: KEX done [preauth]
Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user 
adm-faru03@test.osuwmc service ssh-connection method none [preauth]
Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: attempt 0 failures 0 [preauth]
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: initializing for 
adm-faru03@test.osuwmc
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: setting PAM_RHOST to 
svr-addc-vt01.test.osuwmc
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: setting PAM_TTY to ssh
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user 
adm-faru03@test.osuwmc service ssh-connection method gssapi-with-mic [preauth]
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: attempt 1 failures 0 [preauth]
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: Postponed gssapi-with-mic for 
adm-faru03@test.osuwmc from 10.80.5.239 port 52982 ssh2 [preauth]
Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user 
adm-faru03@test.osuwmc service ssh-connection method password [preauth]
Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: debug1: attempt 2 failures 0 [preauth]
Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=svr-addc-vt01.test.osuwmc  
user=adm-faru03@test.osuwmc
Mar 30 08:54:00 mid-ipa-vp01 sshd[12621]: pam_sss(sshd:auth): authentication 
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=svr-addc-vt01.test.osuwmc 
user=adm-faru03@test.osuwmc
Mar 30 08:54:00 

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Sumit Bose
On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote:
 SSO works intermittently. I’m having trouble tracing the issue. Here is what 
 I see from /var/log/secure. Where should I look for more detail to figure out 
 why the SSO login is failing?

Assuming you have a valid Kerberos ticket, the most probable reason is
that libkrb5 cannot properly relate the Kerberos principal from the
ticket to the local user name you use at the login prompt. With DEBUG3
you should see some messages containing '*userok*'. If you see failures
related to these messages it most probably is this case.

Recent versions of SSSD will configure a plugin for libkrb5 which can
handle this. But for older versions you either have to create a .k5login
file in the user's home directory containing the Kerberos principal or
use auth_to_local directives in /etc/krb5.conf as described in
http://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb5.conf

HTH

bye,
Sumit

 

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
I configured the .k5login per the RH docs.

$ cat .k5login
adm-faru03@TEST.OSUWMC
TEST.OSUWMC\adm-faru03
$


I upped the debugging to DEBUG3 but I can't make sense of the error. Can
you help? I'm getting better but I can't get this one yet.

Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Connection from 10.80.5.239 port
50824 on 10.127.26.73 port 22
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Client protocol version
2.0; client software version PuTTY_Release_0.64
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: no match:
PuTTY_Release_0.64
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Enabling compatibility
mode for protocol 2.0
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Local version string
SSH-2.0-OpenSSH_6.6.1
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: fd 3 setting O_NONBLOCK
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: ssh_sandbox_init:
preparing rlimit sandbox
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: Network child is on pid
12794
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: preauth child monitor
started
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SELinux support enabled
[preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3:
ssh_selinux_change_context: setting context from
'system_u:system_r:sshd_t:s0-s0:c0.c1023' to
'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: privsep user:group 74:74
[preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: permanently_set_uid:
74/74 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: list_hostkey_types:
ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_KEXINIT sent
[preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_KEXINIT
received [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha
2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchan
ge-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.c
om,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc
,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysato
r.liu.se [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.c
om,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc
,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysato
r.liu.se [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-etm@op
enssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-
md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-128@open
ssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.c
om,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-etm@op
enssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-
md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-128@open
ssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.c
om,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
none,z...@openssh.com [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
none,z...@openssh.com [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
[preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
[preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
first_kex_follows 0  [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
reserved 0  [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,dif
fie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-
sha1 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
ssh-rsa,ssh-dss [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se,aes192-ctr,aes192-cbc,aes
128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,a
rcfour128 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: 

Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-30 Thread Lukas Slebodnik
On (30/03/15 05:36), g.fer.or...@unicyber.co.uk wrote:

Hey Guys

Not sure if I am missing any bit but this was the thing in the end:


http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html

I managed to have it working and I have documented all those nasty bits which
might save people's time. The whole weekend gone but for the less has been
productive.

I am including the SUDO bit which is usually a pain in my experience..

Do you really have to enable enumeration?
enumerate = True

It would be good if you could remove it from the post.

LS



Re: [Freeipa-users] anonymous binds limits?

2015-03-30 Thread Janelle
For LDAP-only clients, I see an issue with performance on the dirsrv 
backends, and much of it has to do with 2 things:


1. Anonymous binds (1000's because of 7000+ hosts)
2. unindexed searches -- perhaps the biggest problem and working on 
troubleshooting that and figuring out how to fix it.


Thank you
~J

On 3/29/15 8:38 PM, Dmitri Pal wrote:

On 03/27/2015 08:22 PM, Janelle wrote:

Hello,

Just wondering if there is an easy way to increase anonymous binds on 
the back end for non Kerberos clients?
I have seen some mention of it, and that IPA has limits, but can't 
find a lot of detail?


Thank you
~J


I am not sure I understand what you are asking.
What do you mean by increase anonymous binds ?
Increase timeout? Or you want to allow anonymous binds?



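The two things Janelle is chasing (anonymous binds and unindexed searches) both show up in the 389-ds access log. As an added example, not code from the thread or from 389 Directory Server, here is a small parser over constructed access-log lines that counts simple anonymous binds per client address and lists searches whose RESULT carries notes=U (unindexed) or notes=A (fully unindexed); the client addresses and filters are constructed.

```python
"""Summarise anonymous binds and unindexed searches from a 389-ds access log.

Added example; not code from the thread or from 389 Directory Server.
The log lines below are constructed in the access-log record layout
(connection line, then conn/op BIND, SRCH and RESULT records).
A RESULT carrying notes=U means the search fell back to an unindexed
scan; notes=A (newer releases) means it was fully unindexed.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$")
CONN_RE = re.compile(r"^fd=\d+ slot=\d+ (?:SSL )?connection from (?P<ip>\S+)")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) .*?nentries=(?P<n>\d+) etime=(?P<etime>[\d.]+)(?P<tail>.*)$")


def analyse(lines):
    """Return (anonymous simple binds per client IP, list of unindexed searches)."""
    client_ip = {}               # conn id -> peer address from the connection line
    pending = defaultdict(dict)  # conn id -> op id -> SRCH details awaiting RESULT
    anon_binds = Counter()
    unindexed = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        cm = CONN_RE.match(rest)
        if cm:
            client_ip[conn] = cm.group("ip")
            continue
        bm = BIND_RE.match(rest)
        if bm:
            # SASL/GSSAPI binds also log dn="" (method=sasl); only a simple
            # bind (method=128) with an empty DN is a real anonymous bind.
            if bm.group("dn") == "" and bm.group("method") == "128":
                anon_binds[client_ip.get(conn, "?")] += 1
            continue
        sm = SRCH_RE.match(rest)
        if sm:
            pending[conn][op] = sm.groupdict()
            continue
        rm = RESULT_RE.match(rest)
        if rm and op in pending[conn]:
            srch = pending[conn].pop(op)
            notes = re.search(r"notes=([A-Z,]+)", rm.group("tail"))
            if notes and set(notes.group(1).replace(",", "")) & {"U", "A"}:
                unindexed.append({
                    "client": client_ip.get(conn, "?"),
                    "base": srch["base"],
                    "filter": srch["filter"],
                    "nentries": int(rm.group("n")),
                    "etime": float(rm.group("etime")),
                    "notes": notes.group(1),
                })
    return anon_binds, unindexed


# Constructed sample log: two anonymous simple binds from one client, one
# GSSAPI bind (not anonymous), and two searches the server could not index.
SAMPLE_LOG = """\
[30/Mar/2015:09:57:10 -0400] conn=101 fd=64 slot=64 connection from 10.80.5.240 to 10.127.26.73
[30/Mar/2015:09:57:10 -0400] conn=101 op=0 BIND dn="" method=128 version=3
[30/Mar/2015:09:57:10 -0400] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[30/Mar/2015:09:57:10 -0400] conn=101 op=1 SRCH base="cn=accounts,dc=unix,dc=test,dc=osuwmc" scope=2 filter="(memberUid=adm-faru03)" attrs="dn"
[30/Mar/2015:09:57:12 -0400] conn=101 op=1 RESULT err=0 tag=101 nentries=3 etime=2 notes=U
[30/Mar/2015:09:57:12 -0400] conn=102 fd=65 slot=65 connection from 10.80.5.241 to 10.127.26.73
[30/Mar/2015:09:57:12 -0400] conn=102 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[30/Mar/2015:09:57:12 -0400] conn=102 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[30/Mar/2015:09:57:12 -0400] conn=102 op=1 SRCH base="cn=accounts,dc=unix,dc=test,dc=osuwmc" scope=2 filter="(uid=adm-faru03)" attrs="uidNumber"
[30/Mar/2015:09:57:12 -0400] conn=102 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Mar/2015:09:57:13 -0400] conn=103 fd=66 slot=66 connection from 10.80.5.240 to 10.127.26.73
[30/Mar/2015:09:57:13 -0400] conn=103 op=0 BIND dn="" method=128 version=3
[30/Mar/2015:09:57:13 -0400] conn=103 op=1 SRCH base="dc=unix,dc=test,dc=osuwmc" scope=2 filter="(description=*citrix*)" attrs="cn"
[30/Mar/2015:09:57:15 -0400] conn=103 op=1 RESULT err=0 tag=101 nentries=40 etime=2 notes=A
"""


def summarize(text=SAMPLE_LOG):
    """Run analyse() over a log text; returns (dict of binds per IP, unindexed list)."""
    anon, unindexed = analyse(text.splitlines())
    return dict(anon), unindexed


if __name__ == "__main__":
    binds, slow = summarize()
    print("anonymous simple binds per client:", binds)
    for entry in slow:
        print(f"unindexed ({entry['notes']}) from {entry['client']}: "
              f"{entry['filter']} under {entry['base']} -> {entry['nentries']} entries")
```

Filters that keep appearing in the unindexed list are the candidates for a new index on that attribute; the per-client bind counts show which hosts still bind anonymously instead of with a keytab.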


Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Gokulnath
Yes that's right, Fedora works great.

Gokul

Sent from iPhone

 On Mar 30, 2015, at 4:35 AM, Jakub Hrozek jhro...@redhat.com wrote:
 
 On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote:
 Hi Jakub:
 
 FreeIPA package is not available in Amazon Linux running on EC2 Instance.
 We tried to install individual packages but it is breaking in many places.
 
 It is not 1.x. We had a directory with this name and I extracted the tar in
 same folder hence showing like this :).
 We are using 3.0.2 as of now.
 
 Then I wonder if it would be more useful to add a repo that already
 contains the package, from CentOS maybe? You'll get the updates for
 free..
 


Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Jan Pazdziora
On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote:
 SSO works intermittently. I’m having trouble tracing the issue. Here is what 
 I see from /var/log/secure. Where should I look for more detail to figure out 
 why the SSO login is failing?

What OS versions is this and how was the machine enrolled --
ipa-client-install, realm join, or some other way?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat


Re: [Freeipa-users] Freeipa Server down !!

2015-03-30 Thread Martin Kosek
On 03/30/2015 04:23 AM, Rob Crittenden wrote:
 Dmitri Pal wrote:
 On 03/29/2015 06:35 AM, Peter Fern wrote:
 On 29/03/15 05:46, Rob Crittenden wrote:
 Should be back up now.

 rob

 Appears to be dead again.

 It is in fact down again.

 
 The quota is exceeded in the OpenShift gear. I cleaned up a log file
 which should buy a bit of time.

I got us more space on the OpenShift wiki gear, we should not hit this one
again (in near future).

Sorry for the inconvenience,
Martin



Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Sumit Bose
On Mon, Mar 30, 2015 at 10:09:00AM -0400, Gould, Joshua wrote:
 I configured the .k5login per the RH docs.
 
 $ cat .k5login
 adm-faru03@TEST.OSUWMC
 TEST.OSUWMC\adm-faru03

The second line is not needed. Please note that .k5login must only be
read-writable for the owner.

Can you check by calling klist in a Windows Command window if you got
a proper host/... ticket for the IPA host?

What version of IPA and SSSD are you using?

Can you check if the following works on an IPA host:

kinit adm-faru03@TEST.OSUWMC
kvno host/name.of.the.ipa-client.to.login@IPA.REALM
ssh -v -l adm-faru03@test.osuwmc name.of.the.ipa-client.to.login

The error messages returned by the ssh -v output might help to see why
GSSAPI auth failed.

bye,
Sumit

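Sumit's two remarks about .k5login (earlier: put the Kerberos principal in the user's .k5login; here: the second line is not needed and the file must be read-writable by the owner only) can be turned into a quick check. The following is an added example, not code from the thread or from the FreeIPA/MIT krb5 projects: it applies exactly the rule Sumit states (owner-only permissions), accepts only full user@REALM lines, and ignores a line such as TEST.OSUWMC\adm-faru03, which is not a principal; file contents and paths are constructed.

```python
"""Check a .k5login file against the advice given in the thread.

Added example; not code from FreeIPA, MIT krb5 or the thread itself.
Rules applied: the file must be owned by the login user and carry no
group/other permission bits, and a line only matches when it is a full
Kerberos principal (user@REALM, realm compared case-sensitively).
A line such as 'TEST.OSUWMC\\adm-faru03' is not a principal; it is
ignored, just as libkrb5 would never match it against a ticket.
"""
import os
import re
import stat
import tempfile

# One or more '/'-separated components, then '@' and the realm.
PRINCIPAL_RE = re.compile(r"^[^@/\s]+(?:/[^@/\s]+)*@[^@\s]+$")


def parse_k5login(text):
    """Split .k5login contents into (accepted principals, ignored lines)."""
    accepted, ignored = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        (accepted if PRINCIPAL_RE.match(line) else ignored).append(line)
    return accepted, ignored


def principal_allowed(principal, text):
    """True if the ticket's principal appears verbatim (case-sensitive)."""
    accepted, _ = parse_k5login(text)
    return principal in accepted


def check_k5login_perms(path, owner_uid):
    """Return the permission problems found on path (empty list if none)."""
    problems = []
    st = os.stat(path)
    if st.st_uid != owner_uid:
        problems.append("file is not owned by the login user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set; want mode 0600")
    return problems


def check_k5login(path, owner_uid, principal):
    """Return (allowed, problems, ignored_lines) for one principal."""
    problems = check_k5login_perms(path, owner_uid)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    _, ignored = parse_k5login(text)
    allowed = not problems and principal_allowed(principal, text)
    return allowed, problems, ignored


# Constructed sample: the two lines from the thread's `cat .k5login`.
SAMPLE_K5LOGIN = "adm-faru03@TEST.OSUWMC\nTEST.OSUWMC\\adm-faru03\n"
TICKET_PRINCIPAL = "adm-faru03@TEST.OSUWMC"


def demo(mode=0o600, contents=SAMPLE_K5LOGIN):
    """Write a constructed .k5login into a temp dir, check it, clean up."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, ".k5login")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(contents)
    os.chmod(path, mode)  # set explicitly so the umask does not matter
    try:
        return check_k5login(path, os.getuid(), TICKET_PRINCIPAL)
    finally:
        os.remove(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    print(demo())             # allowed, but the backslash line is ignored
    print(demo(mode=0o644))   # not allowed: group/other bits set
```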
 

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
It's actually my IPA server which is also a client, so both are 7.1. My
memory is fuzzy as far as the client on the server. Isn't it set up already
as part of the server install?

On 3/30/15, 10:45 AM, Jan Pazdziora jpazdzi...@redhat.com wrote:

On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote:
 SSO works intermittently. I'm having trouble tracing the issue. Here is
what I see from /var/log/secure. Where should I look for more detail to
figure out why the SSO login is failing?

What OS versions is this and how was the machine enrolled --
ipa-client-install, realm join, or some other way?



Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-30 Thread Gonzalo Fernandez Ordas

Hi Jakub

Yes, I can also include that.
The configuration I was showing was a simple one; mainly I focused on 
the library set as it is usually the most problematic part in old 
distributions, but I will also include your comment as it indeed makes more 
sense.
As I was suggesting in the post, sssd is flexible enough to admit multiple 
configurations; once you get a working one you can work on improving it. 
(Also I wanted to write that asap before I forget any important detail)

Your comment is very much appreciated and I will update accordingly

Thanks

On 30/03/2015 01:16, Jakub Hrozek wrote:

On Mon, Mar 30, 2015 at 05:36:00AM +0100, g.fer.or...@unicyber.co.uk wrote:

Hey Guys

Not sure if I am missing any bit but this was the thing in the end:


http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html

I managed to have it working and I have documented all those nasty bits
which might save people's time. The whole weekend gone but for the less has
been productive.

I am including the SUDO bit which is usually a pain in my experience..

Thanks

Thank you very much for documenting this, but wouldn't it be better to
use id_provider=ipa instead?

Then the configuration would be simpler, less error prone and would
authenticate more securely. You don't need to run ipa-client-install on
the box, you can generate the client keytab elsewhere and transfer it to
the client.





Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-30 Thread Gonzalo Fernandez Ordas

Yes, you are right.
I was using the enumerate on my testing
I forgot to disable the enumerate when I was templating the configuration.

On 30/03/2015 07:21, Lukas Slebodnik wrote:

On (30/03/15 05:36), g.fer.or...@unicyber.co.uk wrote:

Hey Guys

Not sure if I am missing any bit but this was the thing in the end:


http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html

I managed to have it working and I have documented all those nasty bits which
might save people's time. The whole weekend gone but for the less has been
productive.

I am including the SUDO bit which is usually a pain in my experience..


Do you really have to enable enumeration?
 enumerate = True

It would be good if you could remove it from the post.

LS



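Jakub's suggestion (id_provider = ipa with a keytab generated elsewhere and copied to the client) and Lukas's (no enumeration) fit in one sssd.conf domain section. This is an added configuration example, not taken from the linked post or from the FreeIPA/SSSD projects; the server and client host names and the keytab path are placeholders, and unix.test.osuwmc is the IPA realm named in the thread.

```ini
[sssd]
services = nss, pam, sudo
domains = unix.test.osuwmc

[domain/unix.test.osuwmc]
# The IPA provider does Kerberos auth, host-based access control and sudo
# rules natively; the generic ldap provider has to be hand-tuned for each.
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ipa

ipa_domain = unix.test.osuwmc
# Placeholder names: DNS SRV lookup first, then a fixed fallback server.
ipa_server = _srv_, ipa1.unix.test.osuwmc
ipa_hostname = client1.unix.test.osuwmc

# Host keytab created on an IPA server (ipa-getkeytab) and copied here as
# root with mode 0600; no ipa-client-install was run on this box.
krb5_keytab = /etc/krb5.keytab
ldap_tls_cacert = /etc/ipa/ca.crt

# Weak setting from the original post: enumerate = True makes sssd pull the
# whole user and group database on every refresh. Leave it off; lookups by
# name or id work without it.
enumerate = False
cache_credentials = True
```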


Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
Sorry I mis-read your question!

We’re trying SSO from the test domain controller via ssh (putty) to the
test IPA server.

Unix.test.osuwmc is the IPA realm.
Test.osuwmc is the AD realm.

IPA server is RHEL 7.1
Windows AD DC is Windows Server 2008 R2

They have a two way trust and we’re mapping SIDs. Since most of our SIDs
are in the 300,000, we chose to add 1M to each SID to make mapping them
easy.

Right now I have the allow-all rule configured to allow everyone in on
every service to every host, just to rule that out.

# ipa trust-show
Realm name: TEST.OSUWMC
  Realm name: test.osuwmc
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-226267946-722566613-1883572810
  Trust direction: Two-way trust
  Trust type: Active Directory domain
# ipa idrange-find --all

2 ranges matched

  dn: cn=TEST.OSUWMC_id_range,cn=ranges,cn=etc,dc=unix,dc=test,dc=osuwmc
  Range name: TEST.OSUWMC_id_range
  First Posix ID of the range: 100
  Number of IDs in the range: 90
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
  Range type: Active Directory domain range
  iparangetyperaw: ipa-ad-trust
  objectclass: ipatrustedaddomainrange, ipaIDrange

  dn: 
cn=UNIX.TEST.OSUWMC_id_range,cn=ranges,cn=etc,dc=unix,dc=test,dc=osuwmc
  Range name: UNIX.TEST.OSUWMC_id_range
  First Posix ID of the range: 23360
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range
  iparangetyperaw: ipa-local
  objectclass: top, ipaIDrange, ipaDomainIDRange

Number of entries returned 2

# id adm-faru03@test.osuwmc
uid=1398410(adm-faru03@test.osuwmc) gid=1398410(adm-faru03@test.osuwmc)
groups=1398410(adm-faru03@test.osuwmc), 23368(citrix_users)
#


On 3/30/15, 10:55 AM, Jan Pazdziora jpazdzi...@redhat.com wrote:

On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote:
 It's actually my IPA server which is also a client, so both are 7.1. My
 memory is fuzzy as far as the client on the server. Isn't it set up
already
 as part of the server install?

So you are logging in from the server to the server? But you have

   Connection from 10.80.5.239 port 52982 on 10.127.26.73 port 22
   debug1: Client protocol version 2.0; client software version
PuTTY_Release_0.64

in the log -- different IP addresses, and the client looks like Putty,
which would mean you try to log in from a Windows machine ...

So that test.osuwmc realm -- is that your IPA server's realm, or AD
realm?


Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Gonzalo Fernandez Ordas


You need the development package; that should be popt-devel.
If you are still using Amazon you have to modify the sources to include 
the devel.
Otherwise, if you feel very crafty, you can go to a site such as 
http://rpm.pbone.net/ and look for the relevant development package 
which has the same version as your existing binaries.


On 30/03/2015 01:48, Yogesh Sharma wrote:

Hi List,

We have been trying to install IPA-Client using source code. While 
installing we are seeing many errors, of which most are resolved, but we are 
stuck at the one below while doing make.


Is there any suggestion to get out of it? I will update if I find 
anything.


gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\/usr/local\ 
-DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\ 
-DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\ 
  -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3   
-DWITH_MOZLDAP  -g -O2 -MT ipa-getkeytab.o -MD -MP -MF 
.deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c

ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
 #include <popt.h>
  ^
compilation terminated.
make[2]: *** [ipa-getkeytab.o] Error 1
make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
make: *** [all] Error 2



Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
My LinkedIn Profile: http://in.linkedin.com/in/yks







Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Jan Pazdziora
On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:
 
 We're trying SSO from the test domain controller via ssh (PuTTY) to the
 test IPA server.
 
 Unix.test.osuwmc is the IPA realm.   Test.osuwmc is the AD realm.
 
 IPA server is RHEL 7.1
 Windows AD DC is Windows Server 2008 R2
 
 They have a two-way trust and we're mapping SIDs. Since most of our SIDs
 are in the 300,000s, we chose to add 1M to each SID to make mapping them
 easy.

Can you check that

/etc/krb5.conf

contains line

includedir /var/lib/sss/pubconf/krb5.include.d/

and that

/var/lib/sss/pubconf/krb5.include.d/localauth_plugin

exists and configures

module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat


Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Jan Pazdziora
On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote:
 It's actually my IPA server which is also a client, so both are 7.1. My
 memory is fuzzy as far as the client on the server. Isn't it set up already
 as part of the server install?

So you are logging in from the server to the server? But you have

Connection from 10.80.5.239 port 52982 on 10.127.26.73 port 22
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64

in the log -- different IP addresses, and the client looks like Putty,
which would mean you try to log in from a Windows machine ...

So that test.osuwmc realm -- is that your IPA server's realm, or AD
realm?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



[Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

2015-03-30 Thread Srdjan Dutina
Hi,

I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch site
where only an AD read-only domain controller (RODC) exists.
I'm aware that for the initial establishment of the trust I need access to a
writable domain controller so IPA can add the trust to AD domains and trusts.
But after the initial setup, can the FreeIPA-AD trust continue to function with
IPA access to the RODC only? Will Kerberos authentication of AD users on IPA
domain hosts work?
In this case, should the FreeIPA server have a DNS forward zone configured with
the RODC as a forwarder to AD?
AD users have cached passwords on the RODC, so authentication is possible in
case of WAN link failure.

Thanks!

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
The include is there:
# head /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UNIX.TEST.OSUWMC
 dns_lookup_realm = true

# ls -l /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
-rw-r--r--. 1 root root 118 Mar 30 08:46
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin
# grep module  /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
#




Different write-ups had slightly different examples for this line. Would
this be the issue?

#  auth_to_local = 
RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
  auth_to_local = RULE:[1:$1 $0](^ *
TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/



On 3/30/15, 11:08 AM, Jan Pazdziora jpazdzi...@redhat.com wrote:

On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:
 
 We're trying SSO from the test domain controller via ssh (PuTTY) to the
 test IPA server.
 
 Unix.test.osuwmc is the IPA realm.   Test.osuwmc is the AD realm.
 
 IPA server is RHEL 7.1
 Windows AD DC is Windows Server 2008 R2
 
 They have a two-way trust and we're mapping SIDs. Since most of our
 SIDs
 are in the 300,000s, we chose to add 1M to each SID to make mapping them
 easy.

Can you check that

   /etc/krb5.conf

contains line

   includedir /var/lib/sss/pubconf/krb5.include.d/

and that

   /var/lib/sss/pubconf/krb5.include.d/localauth_plugin

exists and configures

   module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



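
The auth_to_local RULE quoted above is the kind of thing worth testing against real principal names before it goes into krb5.conf. The evaluator below is an added example, not MIT krb5 or SSSD code: it follows the documented RULE:[n:string](regexp)s/pattern/replacement/[g] grammar and the DEFAULT rule, using Python's re module where MIT uses POSIX regular expressions (an assumption that holds for rules as simple as this one). The rule strings and principal names are taken from the thread; the ESCAPED_RULES variant is mine, added to show why the unescaped dots in the realm name matter. With SSSD's localauth plugin in place the mapping is done by SSSD and no RULE is needed, as Dmitri says later in the thread.

```python
"""Added example (not MIT krb5 / SSSD code): evaluate krb5.conf auth_to_local
RULE and DEFAULT entries against principal names.

Assumption: Python `re` is close enough to the POSIX regexps MIT uses for
the simple patterns tested here.
"""
import re
from typing import List, Optional, Tuple

# s/pattern/replacement/[g], '/' as delimiter, backslash escapes allowed
SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """'a/b@REALM' -> (['a', 'b'], 'REALM')."""
    name, at, realm = principal.rpartition("@")
    if not at or not name or not realm:
        raise ValueError(f"expected name@REALM, got {principal!r}")
    return name.split("/"), realm


def parse_rule(rule: str):
    """RULE:[n:fmt](regexp)s/... -> (n, fmt, regexp or None, [(pat, repl, global)])."""
    if not rule.startswith("RULE:["):
        raise ValueError(f"not a RULE entry: {rule!r}")
    close = rule.index("]")
    count, _, fmt = rule[6:close].partition(":")
    rest = rule[close + 1:]
    regexp = None
    if rest.startswith("("):            # the (regexp) part is optional in MIT's grammar
        depth, end = 0, -1
        for i, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                end = i
                break
        if end < 0:
            raise ValueError(f"unbalanced regexp in {rule!r}")
        regexp, rest = rest[1:end], rest[end + 1:]
    subs = [(m.group(1), m.group(2), m.group(3) == "g") for m in SUB_RE.finditer(rest)]
    return int(count), fmt, regexp, subs


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Result of one RULE for a principal, or None when the rule does not apply."""
    count, fmt, regexp, subs = parse_rule(rule)
    comps, realm = parse_principal(principal)
    if len(comps) != count:             # a RULE only matches n-component principals
        return None
    text = fmt.replace("$0", realm)     # $0 is the realm, $1..$n the components
    for i in range(count, 0, -1):       # highest index first so $1 does not clobber $10
        text = text.replace(f"${i}", comps[i - 1])
    if regexp is not None and not re.search(regexp, text):
        return None
    for pattern, repl, everywhere in subs:
        text = re.sub(pattern, repl, text, count=0 if everywhere else 1)
    return text


def auth_to_local(principal: str, rules: List[str], default_realm: str) -> Optional[str]:
    """First applicable rule wins; DEFAULT maps one-component principals of the default realm."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        mapped = apply_rule(rule, principal)
        if mapped is not None:
            return mapped
    return None


# The rule as posted in the thread, followed by DEFAULT for IPA-realm principals.
THREAD_RULES = ["RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/", "DEFAULT"]
# Added variant: dots escaped, so '.' cannot match an arbitrary character in the realm.
ESCAPED_RULES = [r"RULE:[1:$1@$0](^.*@TEST\.OSUWMC$)s/@TEST\.OSUWMC/@test.osuwmc/", "DEFAULT"]

if __name__ == "__main__":
    for p in ("adm-faru03@TEST.OSUWMC", "admin@UNIX.TEST.OSUWMC",
              "host/mid-ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC", "bob@TESTXOSUWMC"):
        print(f"{p:55} -> {auth_to_local(p, THREAD_RULES, 'UNIX.TEST.OSUWMC')!r}"
              f" / escaped: {auth_to_local(p, ESCAPED_RULES, 'UNIX.TEST.OSUWMC')!r}")
```

The last principal is the caveat: with the unescaped rule, bob@TESTXOSUWMC is mapped to bob@test.osuwmc exactly like a real TEST.OSUWMC user, because the unescaped `.` in both the regexp and the substitution matches any character. That only bites if such a realm is trusted by the KDC, but it costs nothing to escape the dots.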


[Freeipa-users] Centralized logging/audit - looking for use cases or experience

2015-03-30 Thread Martin Kosek
Hello list!

I have recently started investigating FreeIPA and centralized logging/audit,
capturing, processing and visualization of the logs centrally in an ELK
instance or similar.

This is a pretty loaded topic; audit/centralized log processing is a big task
beyond IPA itself, which is also one of the reasons why IPA does not have its
A part yet... Before I go further in the investigation, I wanted to check with
you - admins and users of FreeIPA - what would you expect or what are your use
cases for the centralized logging/audit of FreeIPA?

So far, I had following use cases in mind:

* As Admin or Auditor, I want to see all calls to FreeIPA API so that I can
audit administrative changes to FreeIPA servers (source - apache log)

* As Security Administrator, I want to see all logins in the network so that I
can track both successful attempts for audit, but also failed attempts for
brute-force attack detection (source - audit log)

* As Network Administrator, I want to see replication status of all my FreeIPA
replicas so that I can amend the issue in a timely manner and avoid using
out-of-sync data (source - dirsrv errors log)

* As Infrastructure Administrator, I want to see broken AD Trusts so that I can
restore the functionality (source - correlation between different logs,
especially SSSD server mode logs)

Does this make sense to you? Or do you have any more use cases for centralized
FreeIPA logging/audit in mind? Or do you even have some infrastructure in place
that you would like to share?

Any feedback is highly welcome! Thanks for your help.

-- 
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

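
The second use case above (failed logins from the audit log, for brute-force detection) is concrete enough to show in code. The following is an added example, not FreeIPA code: it parses auditd USER_AUTH records of the kind sshd/PAM writes on a RHEL 7 IPA client, keeps a sliding window of failures per source address, and raises one alert when a source reaches the threshold and another if that source then authenticates successfully. The log records are constructed here (the format is auditd's, the values are made up); the threshold and window are assumptions to tune per site.

```python
"""Added example (not FreeIPA code): brute-force detection over auditd
USER_AUTH records. Sample records are constructed; threshold/window are
assumptions.
"""
import re
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

AUDIT_RE = re.compile(
    r"^type=USER_AUTH msg=audit\((?P<ts>\d+)\.\d+:\d+\):.*?"
    r'acct="(?P<acct>[^"]*)".*?addr=(?P<addr>\S+).*?res=(?P<res>success|failed)'
)


def parse_line(line: str) -> Optional[Tuple[int, str, str, str]]:
    """(epoch seconds, source address, account, result) or None for other record types."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return int(m.group("ts")), m.group("addr"), m.group("acct"), m.group("res")


def detect_bruteforce(lines: List[str], threshold: int = 5, window_s: int = 60) -> List[Dict]:
    """Alert when a source reaches `threshold` failures inside `window_s` seconds,
    and again if that same source then logs in successfully while the burst is recent."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(deque)        # addr -> (ts, acct) of failures still in the window
    alerts = []
    for ts, addr, acct, res in events:
        q = recent[addr]
        while q and ts - q[0][0] > window_s:
            q.popleft()
        if res == "failed":
            q.append((ts, acct))
            if len(q) == threshold:    # fire once, on the failure that crosses the line
                alerts.append({"kind": "bruteforce", "addr": addr, "at": ts,
                               "accounts": sorted({a for _, a in q})})
        elif len(q) >= threshold:      # success right after a burst: likely a guessed password
            alerts.append({"kind": "success_after_failures", "addr": addr,
                           "at": ts, "acct": acct})
    return alerts


def audit_line(ts: int, serial: int, acct: str, addr: str, res: str) -> str:
    """Constructed USER_AUTH record in auditd's format (pid/uid/session values are made up)."""
    return (f"type=USER_AUTH msg=audit({ts}.112:{serial}): pid=13750 uid=0 "
            f"auid=4294967295 ses=4294967295 "
            f"subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
            f"msg='op=PAM:authentication grantors=pam_sss acct=\"{acct}\" "
            f"exe=\"/usr/sbin/sshd\" hostname={addr} addr={addr} "
            f"terminal=ssh res={res}'")


T0 = 1427722415  # 2015-03-30, epoch seconds (constructed)
SAMPLE_LOG = [
    audit_line(T0 + 0, 4001, "root", "10.80.5.239", "failed"),
    audit_line(T0 + 1, 4002, "root", "10.80.5.239", "failed"),
    audit_line(T0 + 2, 4003, "admin", "10.80.5.239", "failed"),
    audit_line(T0 + 3, 4004, "admin", "10.80.5.239", "failed"),
    audit_line(T0 + 4, 4005, "adm-faru03", "10.80.5.239", "failed"),
    audit_line(T0 + 5, 4006, "adm-faru03", "10.80.5.239", "failed"),
    audit_line(T0 + 10, 4007, "jdoe", "10.80.5.240", "failed"),
    audit_line(T0 + 12, 4008, "jdoe", "10.80.5.240", "success"),
    audit_line(T0 + 40, 4009, "adm-faru03", "10.80.5.239", "success"),
    "type=CRED_ACQ msg=audit(1427722455.113:4010): pid=13750 uid=0 res=success'",  # ignored
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run it against `ausearch -m USER_AUTH --raw` output from each host, or over the records after they have been shipped centrally; the `success_after_failures` alert is the one that should page someone, the plain `bruteforce` alert is what you rate-limit at the firewall.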


Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua

On 3/30/15, 11:56 AM, Dmitri Pal d...@redhat.com wrote:

#  auth_to_local =
RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
auth_to_local = RULE:[1:$1 $0](^ *
TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
If you use the plugin then this RULE should not be needed.
Have you tried commenting it out and restarting SSSD?

I commented out those lines and restarted SSSD. I still was not able to
get in with SSO.

Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: fd 5 is not O_NONBLOCK
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug1: Forked child 13750.
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: send_rexec_state: entering fd = 8 config len 899
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: ssh_msg_send: type 0
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: send_rexec_state: done
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: oom_adjust_restore
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: Set /proc/self/oom_score_adj to 0
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: inetd sockets after dupping: 3, 3
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: Connection from 10.80.5.239 port 65333 on 10.127.26.73 port 22
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: no match: PuTTY_Release_0.64
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: Enabling compatibility mode for protocol 2.0
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: fd 3 setting O_NONBLOCK
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: ssh_sandbox_init: preparing rlimit sandbox
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: Network child is on pid 13751
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: preauth child monitor started
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: SELinux support enabled [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: ssh_selinux_change_context: setting context from 'system_u:system_r:sshd_t:s0-s0:c0.c1023' to 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: privsep user:group 74:74 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: permanently_set_uid: 74/74 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-g...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-g...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-et...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-et...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: 

Re: [Freeipa-users] anonymous binds limits?

2015-03-30 Thread Gokulnath
Perform vlv indexing on those attributes and tune the directory for memory.

Gokul

Sent from iPhone

 On Mar 30, 2015, at 11:02 AM, Rob Crittenden rcrit...@redhat.com wrote:
 
 Dmitri Pal wrote:
 On 03/30/2015 10:15 AM, Janelle wrote:
 For LDAP-only clients, I see an issue with performance on the dirsrv
 backends, and much of it has to do with 2 things:
 
 1. Anonymous binds (1000's because of 7000+ hosts)
 2. unindexed searches -- perhaps the biggest problem and working on
 troubleshooting that and figuring out how to fix it.
 
 For that amount of clients we recommend 2-3 replicas.
 
 There is documentation on how to create indexes.
 https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Indexes-Creating_Indexes.html#Creating_Indexes-Creating_Indexes_from_the_Command_Line
 
 
 I am not a DS guru but AFAIU they need to be created on each replica.
 
 Correct.
 
 
 You need to check what searches are taking a long time and then match the
 attributes that you are looking for with the list of the indexed
 attributes. The link above will give you the location where the indexes
 are stored.
 
 logconv.pl will help find unindexed searches.
 
 rob
 
 
 
 Thank you
 ~J
 
 On 3/29/15 8:38 PM, Dmitri Pal wrote:
 On 03/27/2015 08:22 PM, Janelle wrote:
 Hello,
 
 Just wondering if there is an easy way to increase anonymous binds
 on the back end for non-Kerberos clients?
 I have seen some mention of it, and that IPA has limits, but can't
 find a lot of detail?
 
 Thank you
 ~J
 I am not sure I understand what you are asking.
 What do you mean by increase anonymous binds ?
 Increase timeout? Or you want to allow anonymous binds?
 



Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Yogesh Sharma
Thanks Sir.




Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
My LinkedIn Profile: http://in.linkedin.com/in/yks


On Mon, Mar 30, 2015 at 8:34 PM, Gonzalo Fernandez Ordas 
g.fer.or...@unicyber.co.uk wrote:


 You need the development package; that should be popt-devel.
 If you are still using Amazon you have to modify the sources to include
 the devel.
 Otherwise, if you feel very crafty, you can go to a site such as
 http://rpm.pbone.net/ and look for the relevant development package which
 has the same version as your existing binaries.

 On 30/03/2015 01:48, Yogesh Sharma wrote:

 Hi List,

 We have been trying to install IPA-Client using source code. While installing
 we are seeing many errors, of which most are resolved, but we are stuck at the
 one below while doing make.

 Is there any suggestion to get out of it? I will update if I find
 anything.

 gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\/usr/local\
 -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\
 -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\
  -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3
  -DWITH_MOZLDAP  -g -O2 -MT ipa-getkeytab.o -MD -MP -MF
 .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
 ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
  #include <popt.h>
   ^
 compilation terminated.
 make[2]: *** [ipa-getkeytab.o] Error 1
 make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
 make[1]: *** [all-recursive] Error 1
 make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
 make: *** [all] Error 2



 Best Regards,
 Yogesh Sharma
 Email: yks0...@gmail.com | Web: www.initd.in
 RHCE, VCE-CIA, RackSpace Cloud U
 My LinkedIn Profile: http://in.linkedin.com/in/yks






Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-30 Thread Matt .
Hi,

I tried to trace some stuff but this doesn't give me much more info.

What I see at the moment in /var/log/httpd/access_log is exactly
what happens, but without the info I need to get a better view:

10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1 301 258
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1
301 259 https://ldap.domain.local/ipa/json; -
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1 401 1469
10.10.0.121 - - [30/Mar/2015:22:22:59 +0200] POST /ipa/json HTTP/1.1 401 1469

2015-03-30 15:03 GMT+02:00 Sumit Bose sb...@redhat.com:
 On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
 Hi,

 I just got home and am typing from my cell, so I'm quite short in words.

 Create keytab for ldap-01.domain
 Kinit with that to ldap.domain
 Curl against ldap.domain
 Get a 301 which I manage from curl (goes well)
 Get kerberos ticket error

 now I don't kinit anymore so re-use my existing ticket and curl against
 ldap-01.domain and I'm accepted and can execute stuff.

 My ssl is OK, ticket also it seems.

 Maybe the output of

 KRB5_TRACE=/dev/stdout curl -v 

 might help to see what is going on?

 bye,
 Sumit


 Thanks M.
 Op 30 mrt. 2015 03:50 schreef Dmitri Pal d...@redhat.com:

  On 03/29/2015 04:47 AM, Matt . wrote:
 
  Hi Guys,
 
  Now that my certificate issues are solved for using a load balancer in
  front of my IPA servers, I get the following:
 
  Unable to verify your Kerberos credentials
 
  and in my logs:
 
  Additional pre-authentication required.
 
  This happens when I connect through my load balancers; I see my server
  coming in with the right IP.
 
  When I access my ipa server directly, not using the loadbalancer IP
  between it, my kerberos Ticket is valid.
 
  I get the feeling that when I use my loadbalancers and because of that
  I get a 301 redirect it needs a preauth. I see some issues on
  mailinglists but it doesn't fit my situation.
 
  Why does it want the preauth when I already have a valid ticket and my
  redirect is followed by curl and posted the right way?
 
 
  Can you describe the sequence?
  What do you do?
 
  From the client you try IPA CLI and this is where you see the problem even
  with the valid ticket or is the flow different?
 
   I hope someone has an idea.
 
  Thanks,
 
  Matt
 
 
 
  --
  Thank you,
  Dmitri Pal
 
  Sr. Engineering Manager IdM portfolio
  Red Hat, Inc.
 
 





Re: [Freeipa-users] anonymous binds limits?

2015-03-30 Thread Dmitri Pal

On 03/30/2015 10:15 AM, Janelle wrote:
For LDAP-only clients, I see an issue with performance on the dirsrv 
backends, and much of it has to do with 2 things:


1. Anonymous binds (1000's because of 7000+ hosts)
2. unindexed searches -- perhaps the biggest problem and working on 
troubleshooting that and figuring out how to fix it.


For that amount of clients we recommend 2-3 replicas.

There is documentation on how to create indexes.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Indexes-Creating_Indexes.html#Creating_Indexes-Creating_Indexes_from_the_Command_Line

I am not a DS guru but AFAIU they need to be created on each replica.

You need to check what searches are taking a long time and then match the 
attributes that you are looking for with the list of the indexed 
attributes. The link above will give you the location where the indexes 
are stored.




Thank you
~J

On 3/29/15 8:38 PM, Dmitri Pal wrote:

On 03/27/2015 08:22 PM, Janelle wrote:

Hello,

Just wondering if there is an easy way to increase anonymous binds 
on the back end for non-Kerberos clients?
I have seen some mention of it, and that IPA has limits, but can't 
find a lot of detail?


Thank you
~J


I am not sure I understand what you are asking.
What do you mean by increase anonymous binds ?
Increase timeout? Or you want to allow anonymous binds?






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Dmitri Pal

On 03/30/2015 11:17 AM, Gould, Joshua wrote:

The include is there:
# head /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = UNIX.TEST.OSUWMC
  dns_lookup_realm = true

# ls -l /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
-rw-r--r--. 1 root root 118 Mar 30 08:46
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin
# grep module  /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
   module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
#




Different write-ups had slightly different examples for this line. Would
this be the issue?

#  auth_to_local =
RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
   auth_to_local = RULE:[1:$1 $0](^ *
TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/

If you use the plugin then this RULE should not be needed.
Have you tried commenting it out and restarting SSSD?





On 3/30/15, 11:08 AM, Jan Pazdziora jpazdzi...@redhat.com wrote:


On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:

We're trying SSO from the test domain controller via ssh (PuTTY) to the
test IPA server.

Unix.test.osuwmc is the IPA realm.   Test.osuwmc is the AD realm.

IPA server is RHEL 7.1
Windows AD DC is Windows Server 2008 R2

They have a two-way trust and we're mapping SIDs. Since most of our
SIDs
are in the 300,000s, we chose to add 1M to each SID to make mapping them
easy.

Can you check that

/etc/krb5.conf

contains line

includedir /var/lib/sss/pubconf/krb5.include.d/

and that

/var/lib/sss/pubconf/krb5.include.d/localauth_plugin

exists and configures

module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] anonymous binds limits?

2015-03-30 Thread Rob Crittenden
Dmitri Pal wrote:
 On 03/30/2015 10:15 AM, Janelle wrote:
 For LDAP-only clients, I see an issue with performance on the dirsrv
 backends, and much of it has to do with 2 things:

 1. Anonymous binds (1000's because of 7000+ hosts)
 2. unindexed searches -- perhaps the biggest problem and working on
 troubleshooting that and figuring out how to fix it.
 
 For that amount of clients we recommend 2-3 replicas.
 
 There is documentation on how to create indexes.
 https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Indexes-Creating_Indexes.html#Creating_Indexes-Creating_Indexes_from_the_Command_Line
 
 
 I am not a DS guru but AFAIU they need to be created on each replica.

Correct.

 
 You need to check what searches are taking a long time and then match the
 attributes that you are looking for with the list of the indexed
 attributes. The link above will give you the location where the indexes
 are stored.

logconv.pl will help find unindexed searches.

rob

 

 Thank you
 ~J

 On 3/29/15 8:38 PM, Dmitri Pal wrote:
 On 03/27/2015 08:22 PM, Janelle wrote:
 Hello,

 Just wondering if there is an easy way to increase anonymous binds
 on the back end for non-Kerberos clients?
 I have seen some mention of it, and that IPA has limits, but can't
 find a lot of detail?

 Thank you
 ~J

 I am not sure I understand what you are asking.
 What do you mean by increase anonymous binds ?
 Increase timeout? Or you want to allow anonymous binds?


 
 

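
logconv.pl is the project's own tool for this; the following is an added example, not 389-ds or FreeIPA code, that does the narrow part of the job in a way that is easy to wire into the centralized logging discussed elsewhere in this digest. It walks a 389 Directory Server access log, pairs each SRCH with its RESULT by conn/op, flags the searches the server itself marked unindexed (notes=U, or notes=A in newer releases), counts anonymous binds (BIND dn=""), and tallies the filter attributes behind the unindexed searches as index candidates. The access-log lines are constructed in the server's format; the slow-search threshold is an assumption.

```python
"""Added example (not 389-ds / FreeIPA code): find unindexed and slow searches
and count anonymous binds in a 389-ds access log. Log lines are constructed;
slow_etime is an assumed threshold.
"""
import re
from collections import Counter
from typing import Dict, List

OP_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) op=(-?\d+) (\w+) ?(.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ATTR_RE = re.compile(r"\(([A-Za-z][\w;.-]*)\s*[=~<>:]")   # attribute names in a filter


def parse_kv(text: str) -> Dict[str, str]:
    """'base="dc=x" scope=2 filter="(uid=a)"' -> {'base': 'dc=x', 'scope': '2', ...}"""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def filter_attributes(ldap_filter: str) -> List[str]:
    """(&(objectClass=x)(uid=y)) -> ['objectClass', 'uid']; the log does not say
    which term lacked an index, so every attribute in the filter is a candidate."""
    return ATTR_RE.findall(ldap_filter)


def analyze_access_log(lines: List[str], slow_etime: float = 1.0) -> Dict:
    pending = {}                       # (conn, op) -> SRCH fields waiting for their RESULT
    report = {"anonymous_binds": 0, "unindexed": [], "slow": [],
              "index_candidates": Counter()}
    for line in lines:
        m = OP_RE.match(line)
        if not m:
            continue                   # connection open/close lines carry no op=
        conn, op, kind, rest = m.groups()
        kv = parse_kv(rest)
        key = (conn, op)
        if kind == "SRCH":
            pending[key] = kv
        elif kind == "BIND":
            if kv.get("dn") == "":     # dn="" is an anonymous bind
                report["anonymous_binds"] += 1
        elif kind == "RESULT":
            srch = pending.pop(key, None)
            if srch is None:
                continue               # RESULT of a bind, modify, ... not a search
            etime = float(kv.get("etime", "0"))
            record = {"conn": conn, "op": op, "base": srch.get("base", ""),
                      "filter": srch.get("filter", ""),
                      "nentries": int(kv.get("nentries", "0")), "etime": etime}
            notes = kv.get("notes", "").split(",")
            if "U" in notes or "A" in notes:
                report["unindexed"].append(record)
                report["index_candidates"].update(filter_attributes(record["filter"]))
            if etime >= slow_etime:
                report["slow"].append(record)
    return report


# Constructed access-log excerpt in 389-ds format (one anonymous client, one service account).
SAMPLE_ACCESS_LOG = [
    '[30/Mar/2015:10:15:01 -0400] conn=1234 fd=64 slot=64 connection from 10.80.5.50 to 10.127.26.73',
    '[30/Mar/2015:10:15:01 -0400] conn=1234 op=0 BIND dn="" method=128 version=3',
    '[30/Mar/2015:10:15:01 -0400] conn=1234 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""',
    '[30/Mar/2015:10:15:01 -0400] conn=1234 op=1 SRCH base="cn=accounts,dc=unix,dc=test,dc=osuwmc" scope=2 filter="(uid=adm-faru03)" attrs="uidNumber gidNumber"',
    '[30/Mar/2015:10:15:01 -0400] conn=1234 op=1 RESULT err=0 tag=101 nentries=1 etime=0',
    '[30/Mar/2015:10:15:02 -0400] conn=1234 op=2 SRCH base="cn=accounts,dc=unix,dc=test,dc=osuwmc" scope=2 filter="(&(objectClass=posixAccount)(description=*citrix*))" attrs="uid"',
    '[30/Mar/2015:10:15:05 -0400] conn=1234 op=2 RESULT err=0 tag=101 nentries=42 etime=3 notes=U',
    '[30/Mar/2015:10:15:05 -0400] conn=1235 op=0 BIND dn="uid=svc,cn=sysaccounts,cn=etc,dc=unix,dc=test,dc=osuwmc" method=128 version=3',
    '[30/Mar/2015:10:15:05 -0400] conn=1235 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=svc,cn=sysaccounts,cn=etc,dc=unix,dc=test,dc=osuwmc"',
    '[30/Mar/2015:10:15:06 -0400] conn=1234 op=3 UNBIND',
]

if __name__ == "__main__":
    result = analyze_access_log(SAMPLE_ACCESS_LOG)
    print("anonymous binds:", result["anonymous_binds"])
    for r in result["unindexed"]:
        print(f"unindexed conn={r['conn']} op={r['op']} etime={r['etime']} filter={r['filter']}")
    print("index candidates:", dict(result["index_candidates"]))
```

Feed it /var/log/dirsrv/slapd-INSTANCE/access from each replica separately: indexes are per replica, as said above, so an attribute that is indexed on one server can still show up as notes=U on another.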


Re: [Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

2015-03-30 Thread Dmitri Pal

On 03/30/2015 11:12 AM, Srdjan Dutina wrote:

Hi,

I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch 
site where only an AD read-only domain controller (RODC) exists.
I'm aware that for the initial establishment of the trust I need access to a 
writable domain controller so IPA can add the trust to AD domains and trusts.
But after the initial setup, can the FreeIPA-AD trust continue to function 
with IPA access to the RODC only?


Should work.


Will Kerberos authentication of AD users on IPA domain hosts work?
In this case, FreeIPA server should have DNS forward zone configured 
with RODC as a forwarder to AD?


Can't help you here. Hopefully someone with DNS knowledge will chime in, but 
they might be gone for the day.


AD users have cached passwords on RODC, so authentication is possible 
in case of WAN link failure.


Thanks!





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
