Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
Hi,

As far as I understand it, Kerberos service tickets are granted for a user to access a particular principal (host/service@REALM) and cannot be reused. Kerberos uses symmetric key cryptography so, if someone were able to access the memory of the machine, then they may indeed be able to snoop your user password, although I am quite sure passwords are kept hashed in the keytab.

If you are so worried that someone would go to the trouble to hack the virtualisation layer and copy chunks of memory, then you should really be reconsidering your use of cloud services. People hacking Kerberos will be the least of your problems if you have data that is that sensitive on there.

If you could point me to some documentation on the specific attack you are trying to mitigate, that would be nice.

Thanks,

Andrew

On 30 March 2015 at 04:27, Gokulnath gokulna...@gmail.com wrote:
> Thanks for getting back.
>
> 1. As for security, Kerberos tickets in memory can be taken and that session key can be used to gain access everywhere. Primarily this is because the plan is to use the solution in the cloud.
> 2. Can I disable DNS as well? And have IPA run only LDAP, SSH key rotation and PKI?
> 3. As during the install, DNS and Kerberos are getting installed and configured.
>
> I would really appreciate it if you can get back.
>
> Thank you
> Gokul
>
> Sent from iPhone
>
>> On Mar 29, 2015, at 8:44 PM, Dmitri Pal d...@redhat.com wrote:
>>
>>> On 03/29/2015 11:50 AM, Gokul wrote:
>>> Hi,
>>> I have tried to run some of my use cases with FreeIPA. Have FreeIPA do only SSH key management in LDAP and PKI management. I understand that every request is Kerberized and that DNS is a must in the configuration.
>>> Can I have FreeIPA run only SSH key management with LDAP and a PKI server with Dogtag?
>>> Thank you
>>> Gokul
>>
>> You can't turn off Kerberos. You would need Kerberos for administration. But other clients can take advantage of LDAP and SSH only. However, you are significantly limiting your functionality and capabilities. Kerberos is really the key of the solution. What is the reason you try to avoid using it?
>>
>> --
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
On 30.3.2015 09:28, Andrew Holway wrote:
> [...]
>
> On 30 March 2015 at 04:27, Gokulnath gokulna...@gmail.com wrote:
>> Thanks for getting back.
>>
>> 1. As for security, Kerberos tickets in memory can be taken and that session key can be used to gain access everywhere. Primarily this is because the plan is to use the solution in the cloud.
>> 2. Can I disable DNS as well? And have IPA run only LDAP, SSH key rotation and PKI?
>> 3. As during the install, DNS and Kerberos are getting installed and configured.

Let me add that the DNS server is an optional component and will not be installed if you do not specify the --setup-dns option. In that case you have to add the necessary DNS records by hand to make FreeIPA fully functional.

Petr^2 Spacek

>> I would really appreciate it if you can get back.
>>
>> Thank you
>> Gokul
>>
>> [...]
Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
On 30/03/15 04:27, Gokulnath wrote:
> Thanks for getting back.
>
> 1. As for security, Kerberos tickets in memory can be taken and that session key can be used to gain access everywhere. Primarily this is because the plan is to use the solution in the cloud.
> 2. Can I disable DNS as well? And have IPA run only LDAP, SSH key rotation and PKI?

IPA clients require properly configured DNS; if you plan to use only the server, IMO it should work.

> 3. As during the install, DNS and Kerberos are getting installed and configured.

DNS is an optional part of the installation; by default DNS is not installed.

> I would really appreciate it if you can get back.
>
> Thank you
> Gokul
>
> [...]

--
Martin Basti
Re: [Freeipa-users] IPA Client using Source Code
On Mon, Mar 30, 2015 at 02:18:00PM +0530, Yogesh Sharma wrote:
> Hi List,
>
> We have been trying to install IPA-Client using source code.

Why?

> While installing we are seeing many errors, out of which most are resolved, but we are stuck at the below while doing make. Is there any suggestion to get out of it? I will update if I find anything.
>
> gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\/usr/local\ -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\ -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\ -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3 -DWITH_MOZLDAP-g -O2 -MT ipa-getkeytab.o -MD -MP -MF .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
> ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
> #include <popt.h>
>                   ^

libpopt-devel is missing. The easiest way to fetch them all is with yum-builddeps.

> compilation terminated.
> make[2]: *** [ipa-getkeytab.o] Error 1
> make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
> ~

Whoa, are you sure? ipa 1.x?
Re: [Freeipa-users] IPA Client using Source Code
On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote:
> Hi Jakub:
>
> The FreeIPA package is not available in Amazon Linux running on an EC2 instance. We tried to install the packages individually but it is breaking in many places.
>
> It is not 1.x. We had a directory with this name and I extracted the tar in the same folder, hence it shows like this :). We are using 3.0.2 as of now.

Then I wonder if it would be more useful to add a repo that already contains the package, from CentOS maybe? You'll get the updates for free..
Re: [Freeipa-users] ipa-cliebt-automount problem
Hello,

On Sunday, 29 March 2015, 22:25:07, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 03/29/2015 06:00 PM, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> My automount is not working correctly? I have a CentOS 7 with cr Update, this is IPA 4.1 and sssd 1.12.
>>>
>>> I have this error in the logs:
>>>
>>> automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
>>>
>>> Is this correct with IPA 4.1? /etc/sysconfig/autofs and /etc/autofs_ldap_auth.config were not configured with ipa-client-automount, or do I have to do this manually?
>>
>> Do you have libsss_autofs installed?
>
> The default is to configure automount using SSSD so no configuration in those files is expected. What isn't working?

I mean this error is not the best thing ;)

automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No such file or directory

I found this in mount?

/etc/auto.misc on /misc type autofs (rw,relatime,fd=6,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)
-hosts on /net type autofs (rw,relatime,fd=12,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)
auto.daten on /daten type autofs (rw,relatime,fd=18,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)
auto.home on /home type autofs (rw,relatime,fd=24,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)

The first, now I also found the local auto.master in the mount? But the /net mount (nfs4) is not mounted ;)

Do I have to start any NFS programs for it to work?

--
with kind regards / best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] AD users and IPA's sudo
On Mon, Mar 30, 2015 at 08:09:43AM +, Alexander Frolushkin wrote:
> Hello everyone.
>
> We have an IPA 3 and AD domain trust. Users from AD successfully log on to Linux servers via ssh and HBAC rules work fine with external groups. But not sudo rules. When a rule defines IPA users as 'who', the rule works well. If it defines an external group for the corresponding AD group which the AD user is a member of, this user gets "u...@ad.com is not allowed to run sudo on host.com. This incident will be reported."
>
> In debug there are these strings:
>
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=u...@ad.com)(sudoUser=#xx)(sudoUser=%cuted...(sudoUser=%cuted.)(sudoUser=+*))((dataExpireTimestamp=1427702040)))]
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retrieve expired sudo rules [5]: Input/output error

Looks suspicious. Is there a corresponding LDAP search in the back end log as well? Look for sdap_get_generic perhaps..

> I've seen a number of closed bugs with similar error messages, but at least on this RHEL 6.6 server sssd is fully updated.
>
> And sorry for the huge underlined message, it is generated automatically and I have no rights to avoid it in my mails :(
>
> With best regards,
> Alexander Frolushkin, Senior engineer in system administration and database management
> MegaFon, Siberian branch
> http://english.corp.megafon.ru/
> Cell +79232508764
> Phone +79232507764
>
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
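The sssd debug lines Alexander pasted carry the whole story of this failure: the group-by-GID lookup fails, and the sysdb filter lists exactly which sudoUser terms (user, uid, groups, netgroups) the responder searched rules for. As an added example, not code from the thread or from SSSD, the script below parses that debug format, splits the filter's sudoUser terms by sudoers prefix, and reports whether the expected AD group was among the groups queried. The log lines at the bottom are constructed in the same format with placeholder user and group names; the failure-level mask follows the debug_level bits documented in sssd.conf(5).

```python
# Added example: triage sssd sudo-responder debug lines when an AD-group sudo rule
# does not apply. Log lines below are constructed with placeholder names.
import re
from dataclasses import dataclass

# "(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [function] (0x0020): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>[^\[\]]+(?:\[[^\]]*\])?)\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SUDO_USER_RE = re.compile(r"\(sudoUser=([^)]*)\)")
# debug_level bits 0x0010..0x0080 are the fatal/critical/serious/minor failure
# levels listed in sssd.conf(5); anything matching this mask is an error, not a trace.
FAILURE_MASK = 0x00F0


@dataclass
class Entry:
    ts: str
    comp: str
    func: str
    level: int
    msg: str


def parse_sssd_log(text):
    """Parse sssd debug lines; lines in another format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["ts"], m["comp"], m["func"],
                                 int(m["level"], 16), m["msg"]))
    return entries


def sudo_query_terms(filter_text):
    """Split the sudoUser terms of a sysdb filter by sudoers prefix:
    '%' group, '#' numeric uid, '+' netgroup, anything else a user name."""
    terms = {"users": [], "groups": [], "uids": [], "netgroups": []}
    for value in SUDO_USER_RE.findall(filter_text):
        if value == "ALL":
            continue
        if value.startswith("%"):
            terms["groups"].append(value[1:])
        elif value.startswith("#"):
            terms["uids"].append(value[1:])
        elif value.startswith("+"):
            terms["netgroups"].append(value[1:])
        else:
            terms["users"].append(value)
    return terms


def triage_sudo_lookup(entries, expected_group):
    """Report whether group-by-GID resolution failed, which groups the responder
    actually searched rules for, whether expected_group was among them, and
    every failure-level line seen."""
    report = {"gid_lookup_failed": False, "groups_queried": [],
              "expected_group_present": False, "failures": []}
    for e in entries:
        if e.func == "sysdb_search_group_by_gid" and "No such entry" in e.msg:
            report["gid_lookup_failed"] = True
        if e.func == "sudosrv_get_sudorules_query_cache" and "Searching sysdb with" in e.msg:
            groups = sudo_query_terms(e.msg)["groups"]
            report["groups_queried"] = groups
            report["expected_group_present"] = expected_group.lower() in [g.lower() for g in groups]
        if e.level & FAILURE_MASK:
            report["failures"].append(f"{e.func}: {e.msg}")
    return report


# Constructed sample in the sssd debug format (placeholder user/group names).
SAMPLE_LOG = """\
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jdoe@ad.example)(sudoUser=#1234567890)(sudoUser=%domain users@ad.example)(sudoUser=+*))(&(dataExpireTimestamp>=1427702040)))]
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retrieve expired sudo rules [5]: Input/output error
"""

if __name__ == "__main__":
    print(triage_sudo_lookup(parse_sssd_log(SAMPLE_LOG), "linux-admins@ad.example"))
```

If the AD group the rule refers to is absent from "groups_queried" while "gid_lookup_failed" is set, the rule never had a chance to match, which is the point to chase in the back end log.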
Re: [Freeipa-users] IPA Client using Source Code
On Mon, Mar 30, 2015 at 10:48 AM, Yogesh Sharma yks0...@gmail.com wrote:
> Hi List,
>
> We have been trying to install IPA-Client using source code. While installing we are seeing many errors, out of which most are resolved, but we are stuck at the below while doing make. Is there any suggestion to get out of it? I will update if I find anything.
>
> [...]
> ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
> #include <popt.h>

In Fedora I get these results:

$ sudo yum whatprovides */popt.h
Loaded plugins: langpacks
golang-src-1.3.3-1.fc21.noarch : Golang compiler source tree
Repo        : fedora
Matched from:
Filename    : /usr/lib/golang/src/cmd/gc/popt.h

popt-devel-1.16-5.fc21.i686 : Development files for the popt library
Repo        : fedora
Matched from:
Filename    : /usr/include/popt.h

popt-devel-1.16-5.fc21.x86_64 : Development files for the popt library
Repo        : fedora
Matched from:
Filename    : /usr/include/popt.h

HTH,

--
regards,
natxo
Re: [Freeipa-users] IPA Client using Source Code
Sure.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
LinkedIn: http://in.linkedin.com/in/yks

On Mon, Mar 30, 2015 at 3:05 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote:
>> Hi Jakub:
>>
>> The FreeIPA package is not available in Amazon Linux running on an EC2 instance. We tried to install the packages individually but it is breaking in many places.
>>
>> It is not 1.x. We had a directory with this name and I extracted the tar in the same folder, hence it shows like this :). We are using 3.0.2 as of now.
>
> Then I wonder if it would be more useful to add a repo that already contains the package, from CentOS maybe? You'll get the updates for free..
Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD
On Mon, Mar 30, 2015 at 05:36:00AM +0100, g.fer.or...@unicyber.co.uk wrote:
> Hey Guys
>
> Not sure if I am missing any bit but this was the thing in the end:
>
> http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
>
> I managed to have it working and I have documented all those nasty bits which might save people's time. The whole weekend is gone, but at least it has been productive.
>
> I am including the SUDO bit which is usually a pain in my experience..
>
> Thanks

Thank you very much for documenting this, but wouldn't it be better to use id_provider=ipa instead? Then the configuration would be simpler, less error prone and would authenticate more securely.

You don't need to run ipa-client-install on the box, you can generate the client keytab elsewhere and transfer it to the client.
[Freeipa-users] IPA Client using Source Code
Hi List,

We have been trying to install IPA-Client using source code. While installing we are seeing many errors, out of which most are resolved, but we are stuck at the below while doing make. Is there any suggestion to get out of it? I will update if I find anything.

gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\/usr/local\ -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\ -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\ -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3 -DWITH_MOZLDAP-g -O2 -MT ipa-getkeytab.o -MD -MP -MF .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
#include <popt.h>
                  ^
compilation terminated.
make[2]: *** [ipa-getkeytab.o] Error 1
make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
make: *** [all] Error 2

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
LinkedIn: http://in.linkedin.com/in/yks
Re: [Freeipa-users] IPA Client using Source Code
Hi Jakub:

The FreeIPA package is not available in Amazon Linux running on an EC2 instance. We tried to install the packages individually but it is breaking in many places.

It is not 1.x. We had a directory with this name and I extracted the tar in the same folder, hence it shows like this :). We are using 3.0.2 as of now.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
LinkedIn: http://in.linkedin.com/in/yks

On Mon, Mar 30, 2015 at 2:39 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Mon, Mar 30, 2015 at 02:18:00PM +0530, Yogesh Sharma wrote:
>> Hi List,
>>
>> We have been trying to install IPA-Client using source code.
>
> Why?
>
>> [...]
>> ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
>> #include <popt.h>
>>                   ^
>
> libpopt-devel is missing. The easiest way to fetch them all is with yum-builddeps.
>
>> compilation terminated.
>> make[2]: *** [ipa-getkeytab.o] Error 1
>> make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
>> make[1]: *** [all-recursive] Error 1
>> make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
>> ~
>
> Whoa, are you sure? ipa 1.x?
Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
On 03/29/2015 10:27 PM, Gokulnath wrote:
> Thanks for getting back.
>
> 1. As for security, Kerberos tickets in memory can be taken and that session key can be used to gain access everywhere. Primarily this is because the plan is to use the solution in the cloud.

You can use Kerberos in the cloud. It is not worse or better than certs. If you can read the memory of a machine you can (potentially) read its keys. But this is the general risk that you take going into the cloud, regardless of whether you use PKI or Kerberos.

In general you do not want to store long term keys in the images but rather add them on the fly when the system is instantiated. ipa-client-install with the OTP registration code provides this capability.

It seems that you are trying to overcomplicate things with no obvious reason. If you need help with picking a better approach, let us know what exactly you are trying to accomplish.

> 2. Can I disable DNS as well? And have IPA run only LDAP, SSH key rotation and PKI?
> 3. As during the install, DNS and Kerberos are getting installed and configured.
>
> I would really appreciate it if you can get back.
>
> Thank you
> Gokul
>
> [...]

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
On 03/29/2015 10:56 PM, Matt . wrote:
> Hi,
>
> I just got home and am typing from my cell so I'm quite short in words.
>
> Create keytab for ldap-01.domain
> Kinit with that to ldap.domain
> Curl against ldap.domain
> Get a 301 which I manage from curl (goes well)
> Get Kerberos ticket error
>
> Now I don't kinit anymore, so I re-use my existing ticket and curl against ldap-01.domain, and I'm accepted and can execute stuff.
>
> My SSL is OK, the ticket also, it seems.

Hard to say without the logs what is going on. However, here is a thought: if it is trying to get another ticket it might think that the service is in a different domain. Client libraries have a feature to detect which ticket to use depending on the realm the resource belongs to. Maybe it is thinking that it is a different realm and thus does not use the ticket it has.

> Thanks
>
> M.
>
> On 30 Mar 2015 03:50, Dmitri Pal d...@redhat.com wrote:
>> On 03/29/2015 04:47 AM, Matt . wrote:
>>> Hi Guys,
>>>
>>> Now that my certification issues are solved for using a loadbalancer in front of my IPA servers, I get the following:
>>>
>>> Unable to verify your Kerberos credentials
>>>
>>> and in my logs:
>>>
>>> Additional pre-authentication required.
>>>
>>> This happens when I connect through my loadbalancers; I see my server coming in with the right IP. When I access my IPA server directly, not using the loadbalancer IP between it, my Kerberos ticket is valid.
>>>
>>> I get the feeling that when I use my loadbalancers, and because of that get a 301 redirect, it needs a preauth. I see some issues on mailing lists but they don't fit my situation.
>>>
>>> Why does it want the preauth when I already have a valid ticket and my redirect is followed by curl and posted the right way?
>>
>> Can you describe the sequence? What do you do? From the client you try the IPA CLI and this is where you see the problem even with the valid ticket, or is the flow different?
>>
>>> I hope someone has an idea.
>>>
>>> Thanks,
>>>
>>> Matt
>>
>> --
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
Thanks for the update. The reason for weighing in on the Kerberos option is to have that as an option to disable if needed; security is more important. I had to say this because there was a question on why I would disable it.

I agree that the OTP should definitely provide some additional layer of security. Let me test and reply back.

Thanks again.

Gokul

Sent from iPhone

> On Mar 30, 2015, at 7:48 AM, Dmitri Pal d...@redhat.com wrote:
>
>> On 03/29/2015 10:27 PM, Gokulnath wrote:
>> Thanks for getting back.
>>
>> 1. As for security, Kerberos tickets in memory can be taken and that session key can be used to gain access everywhere. Primarily this is because the plan is to use the solution in the cloud.
>
> You can use Kerberos in the cloud. It is not worse or better than certs. If you can read the memory of a machine you can (potentially) read its keys. But this is the general risk that you take going into the cloud, regardless of whether you use PKI or Kerberos.
>
> In general you do not want to store long term keys in the images but rather add them on the fly when the system is instantiated. ipa-client-install with the OTP registration code provides this capability.
>
> It seems that you are trying to overcomplicate things with no obvious reason. If you need help with picking a better approach, let us know what exactly you are trying to accomplish.
>
>> [...]
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
> Hi,
>
> I just got home and am typing from my cell so I'm quite short in words.
>
> Create keytab for ldap-01.domain
> Kinit with that to ldap.domain
> Curl against ldap.domain
> Get a 301 which I manage from curl (goes well)
> Get Kerberos ticket error
>
> Now I don't kinit anymore, so I re-use my existing ticket and curl against ldap-01.domain, and I'm accepted and can execute stuff.
>
> My SSL is OK, the ticket also, it seems.

Maybe the output of KRB5_TRACE=/dev/stdout curl -v might help to see what is going on?

bye,
Sumit

> Thanks
>
> M.
>
> [...]
[Freeipa-users] Troubleshooting SSO
SSO works intermittently. I’m having trouble tracing the issue. Here is what I see from /var/log/secure. Where should I look for more detail to figure out why the SSO login is failing?

Mar 30 08:47:39 mid-ipa-vp01 sshd[9317]: Starting session: shell on pts/0 for root from 10.34.149.105 port 49725
Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: Setting controlling tty using TIOCSCTTY.
Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: PAM: reinitializing credentials
Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: permanently_set_uid: 0/0
Mar 30 08:49:05 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
Mar 30 08:50:05 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
Mar 30 08:51:57 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
Mar 30 08:52:57 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
Mar 30 08:53:51 mid-ipa-vp01 sshd[1388]: debug1: Forked child 12621.
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: Set /proc/self/oom_score_adj to 0
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: inetd sockets after dupping: 3, 3
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: Connection from 10.80.5.239 port 52982 on 10.127.26.73 port 22
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: no match: PuTTY_Release_0.64
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Enabling compatibility mode for protocol 2.0
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SELinux support enabled [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: permanently_set_uid: 74/74 [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: client-server aes256-ctr hmac-sha2-256 none [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: server-client aes256-ctr hmac-sha2-256 none [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: KEX done [preauth]
Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method none [preauth]
Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: attempt 0 failures 0 [preauth]
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: initializing for adm-faru03@test.osuwmc
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: setting PAM_RHOST to svr-addc-vt01.test.osuwmc
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: setting PAM_TTY to ssh
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method gssapi-with-mic [preauth]
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: attempt 1 failures 0 [preauth]
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: Postponed gssapi-with-mic for adm-faru03@test.osuwmc from 10.80.5.239 port 52982 ssh2 [preauth]
Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method password [preauth]
Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: debug1: attempt 2 failures 0 [preauth]
Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=svr-addc-vt01.test.osuwmc user=adm-faru03@test.osuwmc
Mar 30 08:54:00 mid-ipa-vp01 sshd[12621]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=svr-addc-vt01.test.osuwmc user=adm-faru03@test.osuwmc
Mar 30 08:54:00
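The log above is easier to read once the sshd lines are grouped per child process and reduced to the authentication sequence: the client offered gssapi-with-mic, sshd answered "Postponed" (it sent its GSSAPI challenge and waited), no "Accepted gssapi-with-mic" ever followed, and five seconds later the same connection tried the password method, which pam_sss then accepted. The following script is an added example written for this page, not code from the thread or from the FreeIPA/SSSD projects; the six sample lines are copied from the posted log, and the verdict labels (`sso-ok`, `sso-failed-password-fallback`, ...) are names chosen here.

```python
import re
from collections import OrderedDict

# Six authentication-relevant lines copied from the /var/log/secure excerpt posted above.
SAMPLE_LOG = """\
Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method none [preauth]
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method gssapi-with-mic [preauth]
Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: Postponed gssapi-with-mic for adm-faru03@test.osuwmc from 10.80.5.239 port 52982 ssh2 [preauth]
Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method password [preauth]
Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=svr-addc-vt01.test.osuwmc user=adm-faru03@test.osuwmc
Mar 30 08:54:00 mid-ipa-vp01 sshd[12621]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=svr-addc-vt01.test.osuwmc user=adm-faru03@test.osuwmc
"""

# syslog prefix: "Mar 30 08:53:52 host sshd[pid]: message"
LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "userauth-request for user U service ssh-connection method M" (needs LogLevel DEBUG1)
REQ_RE = re.compile(r"userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)")
# "Accepted|Failed|Postponed M for U from IP ..." (logged at the default level)
OUTCOME_RE = re.compile(r"^(?P<outcome>Accepted|Failed|Postponed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# pam_unix / pam_sss verdicts for the password method
PAM_RE = re.compile(r"^pam_(?P<module>\w+)\(sshd:auth\): authentication (?P<result>success|failure)")


def new_session():
    return {"user": None, "client_ip": None, "methods": [],
            "gssapi_outcome": None, "pam": [], "fell_back_to_password": False}


def summarize_sshd_log(text):
    """Group sshd messages by child pid and record the authentication sequence of each connection."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m.group("pid"), new_session())
        msg = m.group("msg")
        r = REQ_RE.search(msg)
        if r:
            s["user"] = r.group("user")
            # a password request after a GSSAPI attempt on the same connection is the client giving up on SSO
            if r.group("method") == "password" and "gssapi-with-mic" in s["methods"]:
                s["fell_back_to_password"] = True
            s["methods"].append(r.group("method"))
            continue
        o = OUTCOME_RE.match(msg)
        if o:
            s["client_ip"] = o.group("ip")
            if o.group("method") == "gssapi-with-mic":
                s["gssapi_outcome"] = o.group("outcome").lower()
            continue
        p = PAM_RE.match(msg)
        if p:
            s["pam"].append((p.group("module"), p.group("result")))
    return sessions


def sso_verdict(session):
    """Classify one connection: did Kerberos SSO (gssapi-with-mic) complete, or did the client fall back?"""
    if session["gssapi_outcome"] == "accepted":
        return "sso-ok"
    if "gssapi-with-mic" not in session["methods"]:
        return "no-gssapi-attempt"
    if session["fell_back_to_password"]:
        # "Postponed" but never "Accepted": the GSSAPI exchange did not succeed on the server side
        return "sso-failed-password-fallback"
    return "sso-incomplete"


if __name__ == "__main__":
    for pid, s in summarize_sshd_log(SAMPLE_LOG).items():
        print(pid, s["user"], s["client_ip"], " -> ".join(s["methods"]), sso_verdict(s), s["pam"])
```

Run against the whole of /var/log/secure (`python3 this.py < /var/log/secure` after swapping SAMPLE_LOG for `sys.stdin.read()`), a run of `sso-failed-password-fallback` verdicts for one user is the "intermittent SSO" symptom in a form you can count; the reason for the GSSAPI failure itself is not in sshd's log at this level, which is why the replies below ask for DEBUG3 and `ssh -v`.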
Re: [Freeipa-users] Troubleshooting SSO
On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote:
> SSO works intermittently. I’m having trouble tracing the issue. Here is what I see from /var/log/secure. Where should I look for more detail to figure out why the SSO login is failing?

Assuming you have a valid Kerberos ticket, the most probable reason is that libkrb5 cannot properly relate the Kerberos principal from the ticket to the local user name you use at the login prompt. With DEBUG3 you should see some messages containing '*userok*'. If you see failures related to these messages, it most probably is this case.

Recent versions of SSSD will configure a plugin for libkrb5 which can handle this. But for older versions you either have to create a .k5login file in the user's home directory containing the Kerberos principal, or use auth_to_local directives in /etc/krb5.conf as described in http://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb5.conf

HTH

bye,
Sumit

> Mar 30 08:47:39 mid-ipa-vp01 sshd[9317]: Starting session: shell on pts/0 for root from 10.34.149.105 port 49725
> Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: Setting controlling tty using TIOCSCTTY.
> Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: PAM: reinitializing credentials
> Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: permanently_set_uid: 0/0
> Mar 30 08:49:05 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
> Mar 30 08:50:05 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
> Mar 30 08:51:57 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
> Mar 30 08:52:57 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
> Mar 30 08:53:51 mid-ipa-vp01 sshd[1388]: debug1: Forked child 12621.
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: Set /proc/self/oom_score_adj to 0
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: inetd sockets after dupping: 3, 3
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: Connection from 10.80.5.239 port 52982 on 10.127.26.73 port 22
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: no match: PuTTY_Release_0.64
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Enabling compatibility mode for protocol 2.0
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SELinux support enabled [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: permanently_set_uid: 74/74 [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEXINIT sent [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEXINIT received [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: client-server aes256-ctr hmac-sha2-256 none [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: server-client aes256-ctr hmac-sha2-256 none [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
> Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_NEWKEYS received [preauth]
> Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: KEX done [preauth]
> Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method none [preauth]
> Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: attempt 0 failures 0 [preauth]
> Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: initializing for adm-faru03@test.osuwmc
> Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: setting PAM_RHOST to svr-addc-vt01.test.osuwmc
> Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: setting PAM_TTY to ssh
> Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method gssapi-with-mic
Re: [Freeipa-users] Troubleshooting SSO
I configured the .k5login per the RH docs.

$ cat .k5login
adm-faru03@TEST.OSUWMC
TEST.OSUWMC\adm-faru03
$

I upped the debugging to DEBUG3 but I can't make sense of the error. Can you help? I'm getting better but I can't get this one yet.

Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Connection from 10.80.5.239 port 50824 on 10.127.26.73 port 22
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: no match: PuTTY_Release_0.64
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Enabling compatibility mode for protocol 2.0
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: fd 3 setting O_NONBLOCK
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: ssh_sandbox_init: preparing rlimit sandbox
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: Network child is on pid 12794
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: preauth child monitor started
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SELinux support enabled [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: ssh_selinux_change_context: setting context from 'system_u:system_r:sshd_t:s0-s0:c0.c1023' to 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: privsep user:group 74:74 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: permanently_set_uid: 74/74 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-sha1 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2:
Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD
On (30/03/15 05:36), g.fer.or...@unicyber.co.uk wrote:
> Hey Guys
>
> Not sure if I am missing any bit but this was the thing in the end:
>
> http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
>
> I managed to have it working and I have documented all those nasty bits which might save people's time. The whole weekend gone but for the less has been productive.
>
> I am including the SUDO bit which is usually a pain in my experience..

Do you really have to enable enumeration?

  enumerate = True

It would be good if you could remove it from the post.

LS
Re: [Freeipa-users] anonymous binds limits?
For LDAP-only clients, I see an issue with performance on the dirsrv backends, and much of it has to do with 2 things:

1. Anonymous binds (1000's because of 7000+ hosts)
2. unindexed searches -- perhaps the biggest problem and working on troubleshooting that and figuring out how to fix it.

Thank you
~J

On 3/29/15 8:38 PM, Dmitri Pal wrote:
> On 03/27/2015 08:22 PM, Janelle wrote:
> > Hello,
> >
> > Just wondering if there is an easy way to increase anonymous binds on the back end for non Kerberos clients? I have seen some mention of it, and that IPA has limits, but can't find a lot of detail?
> >
> > Thank you
> > ~J
>
> I am not sure I understand what you are asking. What do you mean by increase anonymous binds? Increase timeout? Or you want to allow anonymous binds?
Re: [Freeipa-users] IPA Client using Source Code
Yes that's right, Fedora works great.

Gokul

Sent from iPhone

On Mar 30, 2015, at 4:35 AM, Jakub Hrozek jhro...@redhat.com wrote:
> On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote:
> > Hi Jakub:
> >
> > FreeIPA package is not available in Amazon Linux running on EC2 Instance. We tried to install individual packages but it is breaking at many places.
> >
> > It is not 1.x. We had a directory with this name and I extracted the tar in the same folder, hence showing like this :). We are using 3.0.2 as of now.
>
> Then I wonder if it would be more useful to add a repo that already contains the package, from CentOS maybe? You'll get the updates for free..
Re: [Freeipa-users] Troubleshooting SSO
On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote:
> SSO works intermittently. I’m having trouble tracing the issue. Here is what I see from /var/log/secure. Where should I look for more detail to figure out why the SSO login is failing?

What OS version is this and how was the machine enrolled -- ipa-client-install, realm join, or some other way?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Freeipa Server down !!
On 03/30/2015 04:23 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > On 03/29/2015 06:35 AM, Peter Fern wrote:
> > > On 29/03/15 05:46, Rob Crittenden wrote:
> > > > Should be back up now.
> > > >
> > > > rob
> > >
> > > Appears to be dead again.
> >
> > It is in fact down again. The quota is exceeded in the openshift gear.
>
> I cleaned up a log file which should buy a bit of time.

I got us more space on the OpenShift wiki gear, we should not hit this one again (in the near future).

Sorry for the inconvenience,
Martin
Re: [Freeipa-users] Troubleshooting SSO
On Mon, Mar 30, 2015 at 10:09:00AM -0400, Gould, Joshua wrote:
> I configured the .k5login per the RH docs.
>
> $ cat .k5login
> adm-faru03@TEST.OSUWMC
> TEST.OSUWMC\adm-faru03

The second line is not needed. Please note that .k5login must only be read-writable for the owner.

Can you check by calling klist in a Windows Command window if you got a proper host/... ticket for the IPA host?

What version of IPA and SSSD are you using? Can you check if the following works on an IPA host:

  kinit adm-faru03@TEST.OSUWMC
  kvno host/name.of.the.ipa-client.to.login@IPA.REALM
  ssh -v -l adm-faru03@test.osuwmc name.of.the.ipa-client.to.login

The error messages returned by the ssh -v output might help to see why GSSAPI auth failed.

bye,
Sumit

> $
>
> I upped the debugging to DEBUG3 but I can't make sense of the error. Can you help? I'm getting better but I can't get this one yet.
>
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Connection from 10.80.5.239 port 50824 on 10.127.26.73 port 22
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: no match: PuTTY_Release_0.64
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Enabling compatibility mode for protocol 2.0
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: fd 3 setting O_NONBLOCK
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: ssh_sandbox_init: preparing rlimit sandbox
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: Network child is on pid 12794
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: preauth child monitor started
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SELinux support enabled [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: ssh_selinux_change_context: setting context from 'system_u:system_r:sshd_t:s0-s0:c0.c1023' to 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: privsep user:group 74:74 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: permanently_set_uid: 74/74 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_KEXINIT sent [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_KEXINIT received [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Re: [Freeipa-users] Troubleshooting SSO
It's actually my IPA server which is also a client, so both are 7.1. My memory is fuzzy as far as the client on the server. Isn't it setup already as part of the server install?

On 3/30/15, 10:45 AM, Jan Pazdziora jpazdzi...@redhat.com wrote:
> On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote:
> > SSO works intermittently. I'm having trouble tracing the issue. Here is what I see from /var/log/secure. Where should I look for more detail to figure out why the SSO login is failing?
>
> What OS versions is this and how was the machine enrolled -- ipa-client-install, realm join, or some other way?
>
> --
> Jan Pazdziora
> Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD
Hi Jakub

Yes, I can also include that. The configuration I was showing was a simple one; mainly I focused on the library set as it is usually the most problematic part in old distributions, but I will also include your comment as it indeed makes more sense.

As I was suggesting in the post, sssd is flexible enough to admit multiple configurations; once you get a working one you can work on improving it. (Also I wanted to write that asap before I forget any important detail.)

Your comment is very much appreciated and I will update accordingly.

Thanks

On 30/03/2015 01:16, Jakub Hrozek wrote:
> On Mon, Mar 30, 2015 at 05:36:00AM +0100, g.fer.or...@unicyber.co.uk wrote:
> > Hey Guys
> >
> > Not sure if I am missing any bit but this was the thing in the end:
> >
> > http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
> >
> > I managed to have it working and I have documented all those nasty bits which might save people's time. The whole weekend gone but for the less has been productive.
> >
> > I am including the SUDO bit which is usually a pain in my experience..
> >
> > Thanks
>
> Thank you very much for documenting this, but wouldn't it be better to use id_provider=ipa instead? Then the configuration would be simpler, less error prone and would authenticate more securely.
>
> You don't need to run ipa-client-install on the box, you can generate the client keytab elsewhere and transfer it to the client.
Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD
Yes, you are right. I was using the enumerate on my testing; I forgot to disable the enumerate when I was templating the configuration.

On 30/03/2015 07:21, Lukas Slebodnik wrote:
> On (30/03/15 05:36), g.fer.or...@unicyber.co.uk wrote:
> > Hey Guys
> >
> > Not sure if I am missing any bit but this was the thing in the end:
> >
> > http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
> >
> > I managed to have it working and I have documented all those nasty bits which might save people's time. The whole weekend gone but for the less has been productive.
> >
> > I am including the SUDO bit which is usually a pain in my experience..
>
> Do you really have to enable enumeration?
>
>   enumerate = True
>
> It would be good if you could remove it from the post.
>
> LS
Re: [Freeipa-users] Troubleshooting SSO
Sorry I mis-read your question!

We’re trying SSO from the test domain controller via ssh (putty) to the test IPA server.

Unix.test.osuwmc is the IPA realm.
Test.osuwmc is the AD realm.
IPA server is RHEL 7.1
Windows AD DC is Windows Server 2008 R2

They have a two way trust and we’re mapping SID’s. Since most of our SID’s are in the 300,000, we chose to add 1M to each SID to make mapping them easy.

Right now I have the allow-all rule configured to allow everyone in on every service to every host, just to rule that out.

# ipa trust-show
Realm name: TEST.OSUWMC
  Realm name: test.osuwmc
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-226267946-722566613-1883572810
  Trust direction: Two-way trust
  Trust type: Active Directory domain
# ipa idrange-find --all
2 ranges matched
  dn: cn=TEST.OSUWMC_id_range,cn=ranges,cn=etc,dc=unix,dc=test,dc=osuwmc
  Range name: TEST.OSUWMC_id_range
  First Posix ID of the range: 100
  Number of IDs in the range: 90
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
  Range type: Active Directory domain range
  iparangetyperaw: ipa-ad-trust
  objectclass: ipatrustedaddomainrange, ipaIDrange

  dn: cn=UNIX.TEST.OSUWMC_id_range,cn=ranges,cn=etc,dc=unix,dc=test,dc=osuwmc
  Range name: UNIX.TEST.OSUWMC_id_range
  First Posix ID of the range: 23360
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range
  iparangetyperaw: ipa-local
  objectclass: top, ipaIDrange, ipaDomainIDRange
Number of entries returned 2
#
# id adm-faru03@test.osuwmc
uid=1398410(adm-faru03@test.osuwmc) gid=1398410(adm-faru03@test.osuwmc) groups=1398410(adm-faru03@test.osuwmc), 23368(citrix_users)
#

On 3/30/15, 10:55 AM, Jan Pazdziora jpazdzi...@redhat.com wrote:
> On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote:
> > It's actually my IPA server which is also a client, so both are 7.1. My memory is fuzzy as far as the client on the server. Isn't it setup already as part of the server install?
>
> So you are logging in from the server to the server? But you have
>
>   Connection from 10.80.5.239 port 52982 on 10.127.26.73 port 22
>   debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64
>
> in the log -- different IP addresses, and the client looks like Putty, which would mean you try to log in from a Windows machine ...
>
> So that test.osuwmc realm -- is that your IPA server's realm, or AD realm?
>
> --
> Jan Pazdziora
> Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] IPA Client using Source Code
You need the development package. That should be popt-devel.

If you are still using amazon you have to modify the sources to include the devel. Otherwise, if you feel very crafty, you can get to a site such as http://rpm.pbone.net/ and look for the relevant development package which has the same version as your existing binaries..

On 30/03/2015 01:48, Yogesh Sharma wrote:
> Hi List,
>
> We have been trying to install IPA-Client using source code. While installing we are seeing many errors, of which most are resolved, but we are stuck at the below while doing make. Is there any suggestion to get out of it? I will update if I find anything.
>
> gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\"/usr/local\" -DBINDIR=\"/usr/local/bin\" -DLIBDIR=\"/usr/local/lib\" -DLIBEXECDIR=\"/usr/local/libexec\" -DDATADIR=\"/usr/local/share\" -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3 -DWITH_MOZLDAP -g -O2 -MT ipa-getkeytab.o -MD -MP -MF .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
> ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
>  #include <popt.h>
>                   ^
> compilation terminated.
> make[2]: *** [ipa-getkeytab.o] Error 1
> make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
> make: *** [all] Error 2
>
> Best Regards,
> Yogesh Sharma
> Email: yks0...@gmail.com | Web: www.initd.in
> RHCE, VCE-CIA, RackSpace Cloud U
> My LinkedIn Profile http://in.linkedin.com/in/yks
Re: [Freeipa-users] Troubleshooting SSO
On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:
> We’re trying SSO from the test domain controller via ssh (putty) to the test IPA server.
>
> Unix.test.osuwmc is the IPA realm.
> Test.osuwmc is the AD realm.
> IPA server is RHEL 7.1
> Windows AD DC is Windows Server 2008 R2
>
> They have a two way trust and we’re mapping SID’s. Since most of our SID’s are in the 300,000, we chose to add 1M to each SID to make mapping them easy.

Can you check that /etc/krb5.conf contains line

  includedir /var/lib/sss/pubconf/krb5.include.d/

and that /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists and configures

  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
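The three checks Jan lists here, plus Sumit's earlier note that a .k5login must be readable and writable by its owner only and must list Kerberos principals, can be scripted so they are repeatable on every enrolled host. The script below is an added example written for this page; it is not code from the thread or from the FreeIPA/SSSD projects. The file paths and the `module = sssd:...` line are the ones quoted in this thread; the sample krb5.conf and localauth_plugin contents are constructed to mirror what was posted, and the owner-or-root rule for .k5login is the editor's reading of MIT krb5's .k5login handling.

```python
import os
import re
import stat

KRB5_CONF = "/etc/krb5.conf"
SSSD_INCLUDEDIR = "/var/lib/sss/pubconf/krb5.include.d/"
LOCALAUTH_PLUGIN = SSSD_INCLUDEDIR + "localauth_plugin"

# Constructed samples mirroring the snippets posted in this thread.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = UNIX.TEST.OSUWMC
 dns_lookup_realm = true
"""
SAMPLE_LOCALAUTH = """\
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""

MODULE_RE = re.compile(r"^\s*module\s*=\s*sssd:(\S+)\s*$")
# name[/instance...]@REALM with no whitespace or backslash (so DOMAIN\user is rejected)
PRINCIPAL_RE = re.compile(r"^[^@\s\\]+(/[^@\s\\]+)*@[^@\s\\]+$")


def krb5_conf_includes_sssd(conf_text, includedir=SSSD_INCLUDEDIR):
    """True if krb5.conf pulls in SSSD's snippet directory (trailing slash optional)."""
    want = includedir.rstrip("/")
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "includedir" and parts[1].rstrip("/") == want:
            return True
    return False


def localauth_module(plugin_text):
    """Path of the sssd localauth module configured in the snippet, or None if absent."""
    for line in plugin_text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            return m.group(1)
    return None


def k5login_problems(entries, mode, owner_uid, user_uid):
    """List everything wrong with a .k5login given its lines, permission bits and ownership."""
    problems = []
    if mode & 0o077:
        problems.append("group/other have access; make it mode 0600 (owner read-write only)")
    if owner_uid not in (user_uid, 0):
        problems.append("not owned by the user or root; krb5 ignores such a file")
    for n, entry in enumerate(entries, 1):
        entry = entry.strip()
        if entry and not PRINCIPAL_RE.match(entry):
            problems.append("line %d is not a Kerberos principal: %r" % (n, entry))
    return problems


def check_host(user, home):
    """Run the checks against the real files on this host; returns (check, result) pairs."""
    import pwd
    report = []
    with open(KRB5_CONF) as f:
        report.append(("includedir in krb5.conf", krb5_conf_includes_sssd(f.read())))
    try:
        with open(LOCALAUTH_PLUGIN) as f:
            report.append(("localauth module", localauth_module(f.read())))
    except OSError as e:
        report.append(("localauth module", "missing: %s" % e))
    k5 = os.path.join(home, ".k5login")
    try:
        st = os.stat(k5)
        with open(k5) as f:
            entries = f.read().splitlines()
        probs = k5login_problems(entries, stat.S_IMODE(st.st_mode), st.st_uid, pwd.getpwnam(user).pw_uid)
        report.append((".k5login", probs or "ok"))
    except OSError:
        report.append((".k5login", "not present; fine when the localauth plugin does the mapping"))
    return report


if __name__ == "__main__":
    import sys
    for name, result in check_host(sys.argv[1], sys.argv[2]):
        print("%-25s %s" % (name, result))
```

Run it as root with the login name and home directory (`python3 check_sso.py adm-faru03@test.osuwmc /home/adm-faru03@test.osuwmc`, the uid and home being whatever `id` and `getent passwd` report on that host). A `False` for the includedir or `None` for the module means libkrb5 never loads the SSSD mapping plugin, which is exactly the principal-to-user mapping failure Sumit describes; a `.k5login` with the wrong mode or a `DOMAIN\user` line is silently ignored rather than rejected loudly, which is why the symptom looks intermittent.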
Re: [Freeipa-users] Troubleshooting SSO
On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote:
> It's actually my IPA server which is also a client, so both are 7.1. My memory is fuzzy as far as the client on the server. Isn't it setup already as part of the server install?

So you are logging in from the server to the server? But you have

  Connection from 10.80.5.239 port 52982 on 10.127.26.73 port 22
  debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64

in the log -- different IP addresses, and the client looks like Putty, which would mean you try to log in from a Windows machine ...

So that test.osuwmc realm -- is that your IPA server's realm, or AD realm?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup
Hi,

I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch site where only an AD read-only domain controller (RODC) exists.

I'm aware that for the initial establishing of the trust I need access to a writable domain controller so IPA can add the trust to AD domains and trusts. But after the initial setup, can the FreeIPA-AD trust continue to function with IPA access to the RODC only? Will Kerberos authentication of AD users on IPA domain hosts work? In this case, should the FreeIPA server have a DNS forward zone configured with the RODC as a forwarder to AD?

AD users have cached passwords on the RODC, so authentication is possible in case of WAN link failure.

Thanks!
Re: [Freeipa-users] Troubleshooting SSO
The include is there:

# head /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = UNIX.TEST.OSUWMC
 dns_lookup_realm = true

# ls -l /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
-rw-r--r--. 1 root root 118 Mar 30 08:46 /var/lib/sss/pubconf/krb5.include.d/localauth_plugin

# grep module /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

# Different write-ups had slightly different examples for this line. Would this be the issue?
# auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
auth_to_local = RULE:[1:$1 $0](^ * TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/

On 3/30/15, 11:08 AM, Jan Pazdziora jpazdzi...@redhat.com wrote:
> On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:
>> We're trying SSO from the test domain controller via ssh (PuTTY) to the test IPA server.
>>
>> Unix.test.osuwmc is the IPA realm. Test.osuwmc is the AD realm.
>>
>> IPA server is RHEL 7.1
>> Windows AD DC is Windows Server 2008 R2
>>
>> They have a two-way trust and we're mapping SIDs. Since most of our SIDs are in the 300,000s, we chose to add 1M to each SID to make mapping them easy.
>
> Can you check that /etc/krb5.conf contains the line
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> and that /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists and configures
>
> module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>
> ?
>
> --
> Jan Pazdziora
> Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] Centralized logging/audit - looking for use cases or experience
Hello list!

I have recently started investigating FreeIPA and centralized logging/audit: capturing, processing and visualization of the logs centrally in an ELK instance or similar. This is a pretty loaded topic; audit/centralized log processing is a big task beyond IPA itself, which is also one of the reasons why IPA does not have its "A" part yet...

Before I go further in the investigation, I wanted to check with you - admins and users of FreeIPA - what would you expect, or what are your use cases for the centralized logging/audit of FreeIPA?

So far, I had the following use cases in mind:

* As Admin or Auditor, I want to see all calls to the FreeIPA API so that I can audit administrative changes to FreeIPA servers (source - apache log)
* As Security Administrator, I want to see all logins in the network so that I can track both successful attempts for audit, but also failed attempts for brute-force attack detection (source - audit log)
* As Network Administrator, I want to see the replication status of all my FreeIPA replicas so that I can amend the issue in a timely manner and avoid using out-of-sync data (source - dirsrv errors log)
* As Infrastructure Administrator, I want to see broken AD Trusts so that I can restore the functionality (source - correlation between different logs, especially SSSD server mode logs)

Does this make sense to you? Or do you have any more use cases for centralized FreeIPA logging/audit in mind? Or do you even have some infrastructure in place that you would like to share?

Any feedback is highly welcome! Thanks for your help.

--
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
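Martin's second use case (failed logins from the audit log, for brute-force detection) is the one that needs actual correlation logic rather than a dashboard. The following Python is an added example, not from this thread or from FreeIPA: it parses Linux audit USER_AUTH records as sshd writes them through PAM, ignores other record types, and flags any source address with five or more failed authentications inside a sliding 60-second window. The sample records are constructed (made-up addresses, accounts and timestamps), and the threshold, window and record layout are assumptions for the sake of the example.

```python
import re
from collections import defaultdict, deque

# Fields this check needs from a Linux audit USER_AUTH record: the epoch
# timestamp inside audit(...), the account, the source address and the PAM
# result.  The type is captured so other record kinds can be skipped.
AUDIT_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:\d+\):.*?'
    r'acct="?(?P<acct>[^" ]+)"?.*?addr=(?P<addr>\S+).*?res=(?P<res>\w+)'
)


def audit_line(ts, acct, addr, res):
    """Build one constructed USER_AUTH line in the layout sshd+PAM produce.
    Hypothetical sample data, not taken from any real host."""
    return (
        f"type=USER_AUTH msg=audit({ts}.000:{ts % 1000}): pid=1200 uid=0 "
        f"auid=4294967295 ses=4294967295 msg='op=PAM:authentication "
        f"grantors=? acct=\"{acct}\" exe=\"/usr/sbin/sshd\" hostname=? "
        f"addr={addr} terminal=ssh res={res}'"
    )


# Constructed sample: six failures from 10.0.0.5 inside 25 seconds, two
# failures from 10.0.0.9 far apart, one success from 10.0.0.7, and one
# CRED_ACQ record that must be ignored by the parser.
SAMPLE_AUDIT_LOG = "\n".join(
    [audit_line(1427726400 + 5 * i, "alice", "10.0.0.5", "failed") for i in range(6)]
    + [audit_line(1427726300, "bob", "10.0.0.9", "failed"),
       audit_line(1427726500, "bob", "10.0.0.9", "failed"),
       audit_line(1427726450, "bob", "10.0.0.7", "success"),
       "type=CRED_ACQ msg=audit(1427726451.000:451): pid=1200 uid=0 "
       "msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/sbin/sshd\" addr=10.0.0.7 res=success'"]
)


def parse_audit_line(line):
    """Return a dict for a USER_AUTH record, or None for anything else."""
    m = AUDIT_RE.match(line)
    if not m or m.group("type") != "USER_AUTH":
        return None
    return {"ts": int(m.group("ts")), "acct": m.group("acct"),
            "addr": m.group("addr"), "res": m.group("res")}


def detect_bruteforce(events, threshold=5, window=60):
    """Sliding-window count of failed authentications per source address.

    Returns {addr: (failures, first_ts, last_ts)} for every address that
    accumulated at least `threshold` failures within any `window` seconds;
    the tuple describes the densest window seen for that address."""
    recent = defaultdict(deque)
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["res"] != "failed":
            continue
        q = recent[ev["addr"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > hits.get(ev["addr"], (0,))[0]:
            hits[ev["addr"]] = (len(q), q[0], ev["ts"])
    return hits


def analyze(log_text, threshold=5, window=60):
    """Parse a whole log and return counts, brute-force hits and successful logins."""
    events = [e for e in map(parse_audit_line, log_text.splitlines()) if e]
    successes = [(e["ts"], e["acct"], e["addr"]) for e in events if e["res"] == "success"]
    return {"events": len(events),
            "bruteforce": detect_bruteforce(events, threshold, window),
            "successes": successes}


if __name__ == "__main__":
    report = analyze(SAMPLE_AUDIT_LOG)
    for addr, (n, start, end) in report["bruteforce"].items():
        print(f"{addr}: {n} failed logins between {start} and {end}")
```

On a real host the same function can be fed the output of `ausearch -m USER_AUTH --raw`; the successes list is what the audit use case wants to keep, the brute-force dict is what the detection use case wants to alert on.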
Re: [Freeipa-users] Troubleshooting SSO
On 3/30/15, 11:56 AM, Dmitri Pal d...@redhat.com wrote:
>> # auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
>> auth_to_local = RULE:[1:$1 $0](^ * TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
>
> If you use the plugin then this RULE should not be needed. Have you tried commenting it out and restarting SSSD?

I commented out those lines and restarted SSSD. I still was not able to get in with SSO.

Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: fd 5 is not O_NONBLOCK
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug1: Forked child 13750.
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: send_rexec_state: entering fd = 8 config len 899
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: ssh_msg_send: type 0
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: send_rexec_state: done
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: oom_adjust_restore
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: Set /proc/self/oom_score_adj to 0
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: inetd sockets after dupping: 3, 3
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: Connection from 10.80.5.239 port 65333 on 10.127.26.73 port 22
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: no match: PuTTY_Release_0.64
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: Enabling compatibility mode for protocol 2.0
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: fd 3 setting O_NONBLOCK
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: ssh_sandbox_init: preparing rlimit sandbox
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: Network child is on pid 13751
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: preauth child monitor started
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: SELinux support enabled [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: ssh_selinux_change_context: setting context from 'system_u:system_r:sshd_t:s0-s0:c0.c1023' to 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: privsep user:group 74:74 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: permanently_set_uid: 74/74 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-g...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-g...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-et...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-et...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2:
Re: [Freeipa-users] anonymous binds limits?
Perform VLV indexing on those attributes and tune the directory for memory.

Gokul
Sent from iPhone

On Mar 30, 2015, at 11:02 AM, Rob Crittenden rcrit...@redhat.com wrote:

> Dmitri Pal wrote:
>> On 03/30/2015 10:15 AM, Janelle wrote:
>>> For LDAP-only clients, I see an issue with performance on the dirsrv backends, and much of it has to do with 2 things:
>>>
>>> 1. Anonymous binds (1000's because of 7000+ hosts)
>>> 2. Unindexed searches -- perhaps the biggest problem, and working on troubleshooting that and figuring out how to fix it.
>>
>> For that amount of clients we recommend 2-3 replicas.
>>
>> There is documentation on how to create indexes.
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Indexes-Creating_Indexes.html#Creating_Indexes-Creating_Indexes_from_the_Command_Line
>>
>> I am not a DS guru but AFAIU they need to be created on each replica.
>
> Correct.
>
>> You need to check what searches are taking a long time and then match the attributes that you are looking for with the list of the indexed attributes. The link above will give you the location where the indexes are stored.
>
> logconv.pl will help find unindexed searches.
>
> rob
>
>>> Thank you
>>> ~J
>>>
>>> On 3/29/15 8:38 PM, Dmitri Pal wrote:
>>>> On 03/27/2015 08:22 PM, Janelle wrote:
>>>>> Hello,
>>>>>
>>>>> Just wondering if there is an easy way to increase anonymous binds on the back end for non-Kerberos clients? I have seen some mention of it, and that IPA has limits, but can't find a lot of detail?
>>>>>
>>>>> Thank you
>>>>> ~J
>>>>
>>>> I am not sure I understand what you are asking. What do you mean by "increase anonymous binds"? Increase timeout? Or you want to allow anonymous binds?
Re: [Freeipa-users] IPA Client using Source Code
Thanks Sir.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
My LinkedIn Profile: http://in.linkedin.com/in/yks

On Mon, Mar 30, 2015 at 8:34 PM, Gonzalo Fernandez Ordas g.fer.or...@unicyber.co.uk wrote:
> You need the development package. That should be popt-devel.
>
> If you are still using Amazon you have to modify the sources to include the devel. Otherwise, if you feel very crafty, you can get to a site such as http://rpm.pbone.net/ and look for the relevant development package which has the same version as your existing binaries.
>
> On 30/03/2015 01:48, Yogesh Sharma wrote:
>> Hi List,
>>
>> We have been trying to install IPA-Client using the source code. While installing we are seeing many errors, out of which most are resolved, but we are stuck at the below while doing make. Is there any suggestion to get out of it? I will update if I find anything.
>>
>> gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\"/usr/local\" -DBINDIR=\"/usr/local/bin\" -DLIBDIR=\"/usr/local/lib\" -DLIBEXECDIR=\"/usr/local/libexec\" -DDATADIR=\"/usr/local/share\" -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3 -DWITH_MOZLDAP -g -O2 -MT ipa-getkeytab.o -MD -MP -MF .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
>> ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
>>  #include <popt.h>
>>                   ^
>> compilation terminated.
>> make[2]: *** [ipa-getkeytab.o] Error 1
>> make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
>> make[1]: *** [all-recursive] Error 1
>> make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
>> make: *** [all] Error 2
>>
>> Best Regards,
>> Yogesh Sharma
>> Email: yks0...@gmail.com | Web: www.initd.in
>> RHCE, VCE-CIA, RackSpace Cloud U
>> My LinkedIn Profile: http://in.linkedin.com/in/yks
Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
Hi,

I tried to trace some stuff but this doesn't give me much more info. What I see at the moment in /var/log/httpd/access_log is exactly what happens, but without the info I need to get a better view:

10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1 301 258
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1 301 259 https://ldap.domain.local/ipa/json; -
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1 401 1469
10.10.0.121 - - [30/Mar/2015:22:22:59 +0200] POST /ipa/json HTTP/1.1 401 1469

2015-03-30 15:03 GMT+02:00 Sumit Bose sb...@redhat.com:
> On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
>> Hi,
>>
>> I just got home and am typing from my cell so I'm quite short in words.
>>
>> Create keytab for ldap-01.domain
>> Kinit with that to ldap.domain
>> Curl against ldap.domain
>> Get a 301 which I manage from curl (goes well)
>> Get kerberos ticket error
>>
>> Now I don't kinit anymore, so I re-use my existing ticket and curl against ldap-01.domain, and I'm accepted and can execute stuff.
>>
>> My ssl is OK, ticket also it seems.
>
> Maybe the output of
>
> KRB5_TRACE=/dev/stdout curl -v
>
> might help to see what is going on?
>
> bye,
> Sumit
>
>> Thanks
>>
>> M.
>>
>> On 30 Mar. 2015 03:50 Dmitri Pal d...@redhat.com wrote:
>>> On 03/29/2015 04:47 AM, Matt . wrote:
>>>> Hi Guys,
>>>>
>>>> Now my certification issues are solved for using a loadbalancer in front of my IPA servers, I get the following:
>>>>
>>>> Unable to verify your Kerberos credentials
>>>>
>>>> and in my logs:
>>>>
>>>> Additional pre-authentication required.
>>>>
>>>> This happens when I connect through my loadbalancers; I see my server coming in with the right IP. When I access my IPA server directly, not using the loadbalancer IP between it, my Kerberos ticket is valid.
>>>>
>>>> I get the feeling that when I use my loadbalancers, and because of that I get a 301 redirect, it needs a preauth. I see some issues on mailing lists but it doesn't fit my situation.
>>>>
>>>> Why does it want the preauth when I already have a valid ticket and my redirect is followed by curl and posted the right way?
>>>
>>> Can you describe the sequence? What do you do? From the client you try IPA CLI and this is where you see the problem even with the valid ticket, or is the flow different?
>>>
>>>> I hope someone has an idea.
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
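Matt's access_log shows a POST answered with 301 and the retried POST answered with 401. The Python below is an added example, not from this thread or from FreeIPA: it parses Apache combined-format lines (the sample is constructed, with made-up client addresses and a made-up second client that is redirected and then succeeds) and reports, per client, each 301 whose follow-up request to the same path within five seconds came back 401, so the redirect-then-unauthorized pattern can be counted across a whole log rather than spotted by eye. The five-second pairing window is an assumption.

```python
import re
from datetime import datetime

# Constructed access_log lines in Apache "combined" format.  Hosts and
# addresses are hypothetical; the first three lines mirror the shape of the
# sequence reported in the thread (301, then 401 on the retried POST).
SAMPLE_ACCESS_LOG = """\
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 258 "-" "curl/7.29.0"
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 401 1469 "https://ldap.domain.local/ipa/json" "curl/7.29.0"
10.10.0.121 - - [30/Mar/2015:22:22:59 +0200] "POST /ipa/json HTTP/1.1" 401 1469 "https://ldap.domain.local/ipa/json" "curl/7.29.0"
10.10.0.50 - - [30/Mar/2015:22:23:10 +0200] "POST /ipa/json HTTP/1.1" 301 258 "-" "curl/7.29.0"
10.10.0.50 - - [30/Mar/2015:22:23:10 +0200] "POST /ipa/json HTTP/1.1" 200 812 "https://ldap.domain.local/ipa/json" "curl/7.29.0"
10.10.0.77 - - [30/Mar/2015:22:25:00 +0200] "GET /ipa/ui/ HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
"""

# Common/combined log format; the referer and user-agent pair is optional so
# plain common-format lines parse too.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def parse_access_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["status"] = int(rec["status"])
    return rec


def redirect_then_unauthorized(records, window=5):
    """For each client, pair a 301 with that client's next request to the same
    path within `window` seconds and report the pairs whose retry got a 401.
    Returns a list of (client, path, referer_of_retry) tuples."""
    by_client = {}
    for r in records:
        by_client.setdefault(r["client"], []).append(r)
    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["status"] != 301:
                continue
            for nxt in recs[i + 1:]:
                if nxt["ts"] - r["ts"] > window:
                    break
                if nxt["path"] == r["path"]:
                    if nxt["status"] == 401:
                        findings.append((client, r["path"], nxt["referer"]))
                    break  # only the first retry counts as the follow-up
    return findings


def summarize(text):
    """Parse a whole log text and return counts plus the 301->401 findings."""
    records = [r for r in map(parse_access_line, text.splitlines()) if r]
    status_counts = {}
    for r in records:
        status_counts[r["status"]] = status_counts.get(r["status"], 0) + 1
    return {"records": len(records), "status_counts": status_counts,
            "redirect_401": redirect_then_unauthorized(records)}


if __name__ == "__main__":
    for client, path, referer in summarize(SAMPLE_ACCESS_LOG)["redirect_401"]:
        print(f"{client}: 301 on {path} followed by 401 (referer {referer})")
```

Run it over the load balancer's and the backend's logs separately: if the 301 appears on one and the 401 on the other, the pairing has to be done on the client address and timestamp as above rather than on a single file.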
Re: [Freeipa-users] anonymous binds limits?
On 03/30/2015 10:15 AM, Janelle wrote:
> For LDAP-only clients, I see an issue with performance on the dirsrv backends, and much of it has to do with 2 things:
>
> 1. Anonymous binds (1000's because of 7000+ hosts)
> 2. Unindexed searches -- perhaps the biggest problem, and working on troubleshooting that and figuring out how to fix it.

For that amount of clients we recommend 2-3 replicas.

There is documentation on how to create indexes.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Indexes-Creating_Indexes.html#Creating_Indexes-Creating_Indexes_from_the_Command_Line

I am not a DS guru but AFAIU they need to be created on each replica.

You need to check what searches are taking a long time and then match the attributes that you are looking for with the list of the indexed attributes. The link above will give you the location where the indexes are stored.

> Thank you
> ~J
>
> On 3/29/15 8:38 PM, Dmitri Pal wrote:
>> On 03/27/2015 08:22 PM, Janelle wrote:
>>> Hello,
>>>
>>> Just wondering if there is an easy way to increase anonymous binds on the back end for non-Kerberos clients? I have seen some mention of it, and that IPA has limits, but can't find a lot of detail?
>>>
>>> Thank you
>>> ~J
>>
>> I am not sure I understand what you are asking. What do you mean by "increase anonymous binds"? Increase timeout? Or you want to allow anonymous binds?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Troubleshooting SSO
On 03/30/2015 11:17 AM, Gould, Joshua wrote:
> The include is there:
>
> # head /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
>  default_realm = UNIX.TEST.OSUWMC
>  dns_lookup_realm = true
>
> # ls -l /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> -rw-r--r--. 1 root root 118 Mar 30 08:46 /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>
> # grep module /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>
> # Different write-ups had slightly different examples for this line. Would this be the issue?
> # auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
> auth_to_local = RULE:[1:$1 $0](^ * TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/

If you use the plugin then this RULE should not be needed. Have you tried commenting it out and restarting SSSD?

> On 3/30/15, 11:08 AM, Jan Pazdziora jpazdzi...@redhat.com wrote:
>> On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:
>>> We're trying SSO from the test domain controller via ssh (PuTTY) to the test IPA server.
>>>
>>> Unix.test.osuwmc is the IPA realm. Test.osuwmc is the AD realm.
>>>
>>> IPA server is RHEL 7.1
>>> Windows AD DC is Windows Server 2008 R2
>>>
>>> They have a two-way trust and we're mapping SIDs. Since most of our SIDs are in the 300,000s, we chose to add 1M to each SID to make mapping them easy.
>>
>> Can you check that /etc/krb5.conf contains the line
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> and that /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists and configures
>>
>> module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>>
>> ?
>>
>> --
>> Jan Pazdziora
>> Principal Software Engineer, Identity Management Engineering, Red Hat

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
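To see what the auth_to_local RULE in Joshua's krb5.conf does to a principal, and therefore why it only matters when the sssd localauth plugin is not already doing the mapping, here is an added example that is not from this thread, from MIT krb5 or from SSSD: a small Python evaluator for the RULE:[n:string](regexp)s/pattern/replacement/ syntax described in krb5.conf(5), applied to the intact (commented-out) form of the rule from the thread. It uses Python's regex engine where libkrb5 uses POSIX regex, takes the regexp part as everything up to the last ")" that precedes a substitution, and assumes UNIX.TEST.OSUWMC as the default realm; all three are assumptions of the example.

```python
import re

# Assumed default realm, matching the default_realm shown in the thread's krb5.conf.
DEFAULT_REALM = "UNIX.TEST.OSUWMC"

# The intact form of the rule from the thread (the commented-out line).
THREAD_RULE = "RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/"

# One sed-style substitution: s/pattern/replacement/ with an optional g flag;
# a backslash escapes the next character so "/" can appear inside a part.
SUBST_RE = re.compile(r's/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)')


def parse_rule(rule):
    """Split RULE:[n:fmt](regexp)s/pat/rep/[g]... into (n, fmt, regexp, subs).

    The regexp is optional.  Assumption: it ends at the last ')' that is followed
    either by the end of the rule or by a substitution (rules with ')' inside a
    substitution part would need a real tokenizer)."""
    m = re.match(r'RULE:\[(\d+):([^\]]*)\](.*)$', rule)
    if not m:
        raise ValueError("not a RULE: entry")
    ncomp, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    regexp = None
    if rest.startswith("("):
        for i in range(len(rest) - 1, 0, -1):
            if rest[i] == ")" and (rest[i + 1:] == "" or rest[i + 1:].startswith("s/")):
                regexp, rest = rest[1:i], rest[i + 1:]
                break
    subs = [(pat, rep, bool(g)) for pat, rep, g in SUBST_RE.findall(rest)]
    return ncomp, fmt, regexp, subs


def split_principal(principal):
    """'a/b@REALM' -> (['a', 'b'], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the local name the RULE yields, or None if the rule does not apply."""
    ncomp, fmt, regexp, subs = parse_rule(rule)
    comps, realm = split_principal(principal)
    if len(comps) != ncomp:          # rule only applies to principals with n components
        return None
    parts = [realm] + comps          # $0 is the realm, $1..$n the components
    try:
        s = re.sub(r'\$(\d+)', lambda mm: parts[int(mm.group(1))], fmt)
    except IndexError:
        return None
    if regexp is not None and re.search(regexp, s) is None:
        return None
    for pat, rep, glob in subs:
        s = re.sub(pat, rep, s, count=0 if glob else 1)
    return s


def auth_to_local(rules, principal, default_realm=DEFAULT_REALM):
    """Walk auth_to_local entries in order; the first that applies wins.
    DEFAULT maps a single-component principal in the default realm to its name."""
    for rule in rules:
        if rule == "DEFAULT":
            comps, realm = split_principal(principal)
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for p in ("jgould@TEST.OSUWMC", "jgould@UNIX.TEST.OSUWMC", "host/ipa01@TEST.OSUWMC"):
        print(p, "->", auth_to_local([THREAD_RULE, "DEFAULT"], p))
```

The rule turns jgould@TEST.OSUWMC into jgould@test.osuwmc and leaves principals from the IPA realm and multi-component principals untouched; whether that output is a valid local user name is then up to the name service, which is the part the sssd localauth plugin takes over when it is configured.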
Re: [Freeipa-users] anonymous binds limits?
Dmitri Pal wrote:
> On 03/30/2015 10:15 AM, Janelle wrote:
>> For LDAP-only clients, I see an issue with performance on the dirsrv backends, and much of it has to do with 2 things:
>>
>> 1. Anonymous binds (1000's because of 7000+ hosts)
>> 2. Unindexed searches -- perhaps the biggest problem, and working on troubleshooting that and figuring out how to fix it.
>
> For that amount of clients we recommend 2-3 replicas.
>
> There is documentation on how to create indexes.
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Indexes-Creating_Indexes.html#Creating_Indexes-Creating_Indexes_from_the_Command_Line
>
> I am not a DS guru but AFAIU they need to be created on each replica.

Correct.

> You need to check what searches are taking a long time and then match the attributes that you are looking for with the list of the indexed attributes. The link above will give you the location where the indexes are stored.

logconv.pl will help find unindexed searches.

rob

>> Thank you
>> ~J
>>
>> On 3/29/15 8:38 PM, Dmitri Pal wrote:
>>> On 03/27/2015 08:22 PM, Janelle wrote:
>>>> Hello,
>>>>
>>>> Just wondering if there is an easy way to increase anonymous binds on the back end for non-Kerberos clients? I have seen some mention of it, and that IPA has limits, but can't find a lot of detail?
>>>>
>>>> Thank you
>>>> ~J
>>>
>>> I am not sure I understand what you are asking. What do you mean by "increase anonymous binds"? Increase timeout? Or you want to allow anonymous binds?
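Both Dmitri's advice in this thread (match the attributes of the slow searches against the list of indexed attributes) and Rob's pointer to logconv.pl come down to reading the 389-ds access log, which is also where Janelle's anonymous-bind volume shows up. As an added example that is not part of this thread, of FreeIPA or of logconv.pl, the Python below correlates SRCH and RESULT lines by conn/op, counts anonymous binds (dn=""), lists the searches whose RESULT carries notes=U or notes=A (both mark searches the server could not serve from an index), and tallies the attributes used in those filters as index candidates. The log excerpt is constructed; connection numbers, DNs and times are made up.

```python
import re
from collections import Counter

# Constructed 389-ds access log excerpt (made-up connections, not real data):
# two anonymous binds, one indexed search, one unindexed search on
# "description" and one on "memberOf".
SAMPLE_ACCESS_LOG = """\
[30/Mar/2015:10:15:01 -0400] conn=1201 op=0 BIND dn="" method=128 version=3
[30/Mar/2015:10:15:01 -0400] conn=1201 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Mar/2015:10:15:01 -0400] conn=1201 op=1 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(&(objectClass=posixAccount)(uid=alice))" attrs="uid uidNumber gidNumber"
[30/Mar/2015:10:15:01 -0400] conn=1201 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Mar/2015:10:15:02 -0400] conn=1202 op=0 BIND dn="uid=svc,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[30/Mar/2015:10:15:02 -0400] conn=1202 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=svc,cn=users,cn=accounts,dc=example,dc=test"
[30/Mar/2015:10:15:02 -0400] conn=1202 op=1 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(description=*admin*)" attrs=ALL
[30/Mar/2015:10:15:07 -0400] conn=1202 op=1 RESULT err=0 tag=101 nentries=40 etime=5 notes=U
[30/Mar/2015:10:15:03 -0400] conn=1203 op=0 BIND dn="" method=128 version=3
[30/Mar/2015:10:15:03 -0400] conn=1203 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Mar/2015:10:15:03 -0400] conn=1203 op=1 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(memberOf=cn=sysadmins,cn=groups,cn=accounts,dc=example,dc=test)" attrs="uid"
[30/Mar/2015:10:15:04 -0400] conn=1203 op=1 RESULT err=0 tag=101 nentries=12 etime=1 notes=A
"""

BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT .*?etime=(?P<etime>[\d.]+)'
    r'(?: .*?notes=(?P<notes>\w+))?'
)
# Attribute name at the start of each simple filter item: "(uid=", "(memberOf=", "(cn>=" ...
ATTR_RE = re.compile(r'\(([A-Za-z][\w.;-]*)(?:[~<>]?=|:)')


def analyze_access_log(text):
    """Correlate SRCH/RESULT pairs by (conn, op) and summarise binds and
    unindexed searches.  Returns a dict with:
      anonymous_binds  - number of BIND operations with an empty DN
      binds            - Counter of bind DNs ("anonymous" for the empty DN)
      unindexed        - list of dicts for searches that got notes=U or notes=A
      index_candidates - Counter of attributes named in those filters"""
    binds = Counter()
    pending = {}            # (conn, op) -> filter of a search awaiting its RESULT
    unindexed = []
    candidates = Counter()
    for line in text.splitlines():
        if m := BIND_RE.search(line):
            binds["anonymous" if m["dn"] == "" else m["dn"]] += 1
        elif m := SRCH_RE.search(line):
            pending[(m["conn"], m["op"])] = m["filter"]
        elif m := RESULT_RE.search(line):
            flt = pending.pop((m["conn"], m["op"]), None)
            if flt is not None and m["notes"] in ("U", "A"):
                unindexed.append({"conn": m["conn"], "op": m["op"], "filter": flt,
                                  "etime": float(m["etime"]), "notes": m["notes"]})
                candidates.update(set(ATTR_RE.findall(flt)))
    return {"anonymous_binds": binds["anonymous"], "binds": binds,
            "unindexed": unindexed, "index_candidates": candidates}


if __name__ == "__main__":
    report = analyze_access_log(SAMPLE_ACCESS_LOG)
    print("anonymous binds:", report["anonymous_binds"])
    for s in report["unindexed"]:
        print(f"conn={s['conn']} op={s['op']} etime={s['etime']} notes={s['notes']} {s['filter']}")
    print("index candidates:", dict(report["index_candidates"]))
```

The index_candidates counter is the list to compare against the indexed attributes on each replica, as Dmitri describes; an attribute that keeps appearing there with a high etime is the one to index first.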
Re: [Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup
On 03/30/2015 11:12 AM, Srdjan Dutina wrote:
> Hi,
>
> I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch site where only an AD read-only domain controller (RODC) exists.
>
> I'm aware that for the initial establishing of the trust I need access to a writable domain controller so IPA can add the trust to AD domains and trusts. But after the initial setup, can the FreeIPA-AD trust continue to function with IPA access to the RODC only?

Should work.

> Will Kerberos authentication of AD users on IPA domain hosts work? In this case, should the FreeIPA server have a DNS forward zone configured with the RODC as a forwarder to AD?

Can't help you here. Hopefully someone with DNS knowledge will chime in, but they might be gone for the day.

> AD users have cached passwords on the RODC, so authentication is possible in case of WAN link failure.
>
> Thanks!

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.