Re: [Freeipa-users] Failed to start pki-tomcatd Service
On Mon, Jun 29, 2015 at 07:37:31PM +0200, Alexandre Ellert wrote:

Hello,

I have a problem on a replica server running CentOS 7.1 and ipa 4.1.0-18.el7.centos.3.x86_64 (latest version). The IPA server doesn't restart correctly (using systemctl restart ipa or rebooting the whole server):

    # ipactl status
    Directory Service: STOPPED
    Directory Service must be running in order to obtain status of other services
    ipa: INFO: The ipactl command was successful

and I have to force the start process:

    # ipactl start -f
    Existing service file detected!
    Assuming stale, cleaning and proceeding
    Starting Directory Service
    Starting krb5kdc Service
    Starting kadmin Service
    Starting named Service
    Starting ipa_memcached Service
    Starting httpd Service
    Starting pki-tomcatd Service
    Failed to start pki-tomcatd Service
    Forced start, ignoring pki-tomcatd Service, continuing normal operation
    Starting ipa-otpd Service
    ipa: INFO: The ipactl command was successful

But, as you see, pki-tomcatd is unable to start. I started looking at /var/log/pki/pki-tomcat/localhost.2015-06-29.log and found this error:

    Jun 29, 2015 7:33:12 PM org.apache.catalina.core.StandardWrapperValve invoke
    SEVERE: Servlet.service() for servlet [caProfileSubmit] in context with path [/ca] threw exception
    java.io.IOException: CS server is not ready to serve.
            at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
            at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.lang.reflect.Method.invoke(Method.java:606)
            at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
            at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
            at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
            at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
            at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
            at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
            at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
            at java.security.AccessController.doPrivileged(Native Method)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
            at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
            at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.lang.reflect.Method.invoke(Method.java:606)
            at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
            at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
            at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
            at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
            at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
            at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
            at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
            at java.security.AccessController.doPrivileged(Native Method)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
            at
Re: [Freeipa-users] Using FreeIPA OTP in a PAM module
On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
> On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > > Hi,
> > >
> > > I was able to set this up in a Fedora instance with SSSD and it works as expected. SSHD first uses the public key and then prompts for password, which is of course password+OTP.
> > >
> > > However, having a user enter the password+OTP every time he logs in during the day is kind of inconvenient. Is it possible to make sure the user has to log in once and the credentials are cached for, say, 12/24 hours? I know this is possible just using the password. Question is, is this possible using password+OTP?
> >
> > We have an SSSD feature under review now that would help you:
> > https://fedorahosted.org/sssd/ticket/1807
> >
> > But to be honest, I'm not sure if we tested the patches with 2FA yet. We should!
>
> hm, I agree we should, but I guess we should test that cached authentication does _not_ work with 2FA/OTP. Because it is expected that the OTP token only works once, so that e.g. it can be used in an insecure environment to set up a secure tunnel.

Sure, the second factor must not be reused :-) but couldn't we use the cached auth to support cases like this where the second factor is to be used only once per some time and use only the first factor in the meantime?

> Maybe it would make sense to add a paragraph to
> https://fedorahosted.org/sssd/wiki/DesignDocs/CachedAuthentication
> and discuss OTP/2FA usage here or on sssd-devel.

Yes, whatever the result is, it should be documented, also in the man pages, because currently it's not clear what happens.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Using FreeIPA OTP in a PAM module
On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> I was able to set this up in a Fedora instance with SSSD and it works as expected. SSHD first uses the public key and then prompts for password, which is of course password+OTP.
>
> However, having a user enter the password+OTP every time he logs in during the day is kind of inconvenient. Is it possible to make sure the user has to log in once and the credentials are cached for, say, 12/24 hours? I know

The problem is, you don't really know it's the same user, upon that second access.

Would Kerberos/GSSAPI perhaps help you, by giving you a time-constrained service ticket?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Using FreeIPA OTP in a PAM module
On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> Hi,
>
> I was able to set this up in a Fedora instance with SSSD and it works as expected. SSHD first uses the public key and then prompts for password, which is of course password+OTP.
>
> However, having a user enter the password+OTP every time he logs in during the day is kind of inconvenient. Is it possible to make sure the user has to log in once and the credentials are cached for, say, 12/24 hours? I know this is possible just using the password. Question is, is this possible using password+OTP?

We have an SSSD feature under review now that would help you:
https://fedorahosted.org/sssd/ticket/1807

But to be honest, I'm not sure if we tested the patches with 2FA yet. We should!
Re: [Freeipa-users] Using FreeIPA OTP in a PAM module
On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > Hi,
> >
> > I was able to set this up in a Fedora instance with SSSD and it works as expected. SSHD first uses the public key and then prompts for password, which is of course password+OTP.
> >
> > However, having a user enter the password+OTP every time he logs in during the day is kind of inconvenient. Is it possible to make sure the user has to log in once and the credentials are cached for, say, 12/24 hours? I know this is possible just using the password. Question is, is this possible using password+OTP?
>
> We have an SSSD feature under review now that would help you:
> https://fedorahosted.org/sssd/ticket/1807
>
> But to be honest, I'm not sure if we tested the patches with 2FA yet. We should!

hm, I agree we should, but I guess we should test that cached authentication does _not_ work with 2FA/OTP. Because it is expected that the OTP token only works once, so that e.g. it can be used in an insecure environment to set up a secure tunnel.

Maybe it would make sense to add a paragraph to
https://fedorahosted.org/sssd/wiki/DesignDocs/CachedAuthentication
and discuss OTP/2FA usage here or on sssd-devel.

bye,
Sumit
Re: [Freeipa-users] Failed to start pki-tomcatd Service
> Could you please provide the content of logfile:
> `/var/log/pki/pki-tomcat/ca/debug', around the time the error occurs?
>
> Thanks,
> Fraser

When the pki-tomcatd service is trying to start, I see this message in /var/log/pki/pki-tomcat/ca/debug:

    [30/Jun/2015:10:02:13][localhost-startStop-1]:
    [30/Jun/2015:10:02:13][localhost-startStop-1]: = DEBUG SUBSYSTEM INITIALIZED ===
    [30/Jun/2015:10:02:13][localhost-startStop-1]:
    [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: done init id=debug
    [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initialized debug
    [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initSubsystem id=log
    [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: ready to init id=log
    [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=log
    [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized log
    [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
    [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=jss
    [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
    [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized jss
    [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
    [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=dbs
    [30/Jun/2015:10:02:14][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
    [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory: init
    [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
    [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init()
    [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init begins
    [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init ends
    [30/Jun/2015:10:02:14][localhost-startStop-1]: init: before makeConnection errorIfDown is true
    [30/Jun/2015:10:02:14][localhost-startStop-1]: makeConnection: errorIfDown true
    [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
    [30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
    Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
            at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
            at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
            at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
            at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
            at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
            at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
            at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.lang.reflect.Method.invoke(Method.java:606)
            at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
            at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
            at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
            at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
            at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
            at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
            at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
            at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
            at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
            at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
            at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
            at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
            at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
            at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
            at java.security.AccessController.doPrivileged(Native Method)
            at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
            at
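The debug log above stops at the dbs subsystem: the CA's LDAP client, authenticating with the "subsystemCert cert-pki-ca" certificate, cannot open a TLS socket to ipa.mydomain.org:636, so the CA never comes up and every servlet answers "CS server is not ready to serve". The following is an added shell helper, not code from the thread or from FreeIPA/Dogtag. It pulls the failed subsystem, the LDAP target and the client-certificate nickname out of a debug log, and, when given a real log path, checks the two things that connection depends on: whether the LDAPS listener completes a TLS handshake at all, and whether the CA's client certificate is still within its validity window. The embedded log excerpt is constructed from the lines quoted above; the NSS database path /etc/pki/pki-tomcat/alias is the RHEL/CentOS 7 default and can be overridden with PKI_ALIAS.

```shell
#!/bin/sh
# Added example: triage a pki-tomcat CA debug log. Not part of FreeIPA or Dogtag.

# Subsystems that logged "ready to init" but never "done init".
failed_subsystem() {
  awk '
    /CMSEngine: ready to init id=/ { sub(/.*ready to init id=/, ""); pending[$1] = 1 }
    /CMSEngine: done init id=/     { sub(/.*done init id=/, "");  delete pending[$1] }
    END { for (id in pending) print id }
  ' "$1"
}

# "host port" of the LDAP server the CA tried to reach (first occurrence).
ldap_target() {
  sed -n 's/.*Could not connect to LDAP server host \([^ ]*\) port \([0-9]*\).*/\1 \2/p' "$1" | head -n 1
}

# Nickname of the client certificate the CA presented to LDAP.
client_cert_nick() {
  sed -n 's/.*LdapJssSSLSocket set client auth cert nickname *//p' "$1" | head -n 1
}

# Constructed excerpt, same shape as the lines quoted in the thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
EOF

echo "failed subsystem : $(failed_subsystem "$SAMPLE_LOG")"   # dbs
echo "ldap target      : $(ldap_target "$SAMPLE_LOG")"        # ipa.mydomain.org 636
echo "client cert nick : $(client_cert_nick "$SAMPLE_LOG")"   # subsystemCert cert-pki-ca

# Live checks, only when a real log is given:
#   sh pki-triage.sh /var/log/pki/pki-tomcat/ca/debug
if [ "$#" -gt 0 ]; then
  target=$(ldap_target "$1"); host=${target% *}; port=${target#* }
  nick=$(client_cert_nick "$1")
  echo "== does $host:$port complete a TLS handshake? =="
  openssl s_client -connect "$host:$port" </dev/null 2>&1 | grep -E 'subject=|issuer=|Verify return code'
  echo "== validity of '$nick' in the CA's NSS database =="
  certutil -L -d "${PKI_ALIAS:-/etc/pki/pki-tomcat/alias}" -n "$nick" | grep -E 'Not (Before|After)'
fi
```

If the handshake fails, look at the directory server side first (is it listening on 636 after the restart); if the certificate is past "Not After", the CA has no valid client credential to bind with, whatever the listener does.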
Re: [Freeipa-users] Using FreeIPA OTP in a PAM module
On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote:
> On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
> > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > > > Hi,
> > > >
> > > > I was able to set this up in a Fedora instance with SSSD and it works as expected. SSHD first uses the public key and then prompts for password, which is of course password+OTP.
> > > >
> > > > However, having a user enter the password+OTP every time he logs in during the day is kind of inconvenient. Is it possible to make sure the user has to log in once and the credentials are cached for, say, 12/24 hours? I know this is possible just using the password. Question is, is this possible using password+OTP?
> > >
> > > We have an SSSD feature under review now that would help you:
> > > https://fedorahosted.org/sssd/ticket/1807
> > >
> > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We should!
> >
> > hm, I agree we should, but I guess we should test that cached authentication does _not_ work with 2FA/OTP. Because it is expected that the OTP token only works once, so that e.g. it can be used in an insecure environment to set up a secure tunnel.
>
> Sure, the second factor must not be reused :-) but couldn't we use the cached auth to support cases like this where the second factor is to be used only once per some time and use only the first factor in the meantime?

I'm a bit reluctant here. If the two factors are intercepted in an insecure environment the attacker will still have a valid password which can be used for some time.

Additionally, iirc cached authentication is not aware of the service used. If e.g. OTP was used to just get a response from some unprotected and unprivileged service the intercepted password can be used to log in with ssh as well.

So I guess we need a careful discussion here.

bye,
Sumit

> > Maybe it would make sense to add a paragraph to
> > https://fedorahosted.org/sssd/wiki/DesignDocs/CachedAuthentication
> > and discuss OTP/2FA usage here or on sssd-devel.
>
> Yes, whatever the result is, it should be documented, also in the man pages, because currently it's not clear what happens.
Re: [Freeipa-users] Using FreeIPA OTP in a PAM module
Hi Simo,

Thanks for the reply. Could you please elaborate or point me to some documentation on how to set this up. What I want to be able to achieve is that a user should log in with 2FA once a day and all subsequent logins are allowed through public key only.

Regards.
--Prashant

On 30 June 2015 at 15:44, Simo Sorce s...@redhat.com wrote:
> On Tue, 2015-06-30 at 10:06 +0200, Sumit Bose wrote:
> > On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote:
> > > On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
> > > > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> > > > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I was able to set this up in a Fedora instance with SSSD and it works as expected. SSHD first uses the public key and then prompts for password, which is of course password+OTP.
> > > > > >
> > > > > > However, having a user enter the password+OTP every time he logs in during the day is kind of inconvenient. Is it possible to make sure the user has to log in once and the credentials are cached for, say, 12/24 hours? I know this is possible just using the password. Question is, is this possible using password+OTP?
> > > > >
> > > > > We have an SSSD feature under review now that would help you:
> > > > > https://fedorahosted.org/sssd/ticket/1807
> > > > >
> > > > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We should!
> > > >
> > > > hm, I agree we should, but I guess we should test that cached authentication does _not_ work with 2FA/OTP. Because it is expected that the OTP token only works once, so that e.g. it can be used in an insecure environment to set up a secure tunnel.
> > >
> > > Sure, the second factor must not be reused :-) but couldn't we use the cached auth to support cases like this where the second factor is to be used only once per some time and use only the first factor in the meantime?
> >
> > I'm a bit reluctant here. If the two factors are intercepted in an insecure environment the attacker will still have a valid password which can be used for some time.
> >
> > Additionally, iirc cached authentication is not aware of the service used. If e.g. OTP was used to just get a response from some unprotected and unprivileged service the intercepted password can be used to log in with ssh as well.
> >
> > So I guess we need a careful discussion here.
>
> The solution for these environments already exists and it is called GSSAPI.
> You can obtain a ticket with 2FA and then use your TGT for 10 or more hours.
>
> There is no need to invent broken ways to skip two factor auth when we already have a way to make this easy *and* secure.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Using FreeIPA OTP in a PAM module
On Tue, 2015-06-30 at 10:06 +0200, Sumit Bose wrote:
> On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote:
> > On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
> > > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> > > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > > > > Hi,
> > > > >
> > > > > I was able to set this up in a Fedora instance with SSSD and it works as expected. SSHD first uses the public key and then prompts for password, which is of course password+OTP.
> > > > >
> > > > > However, having a user enter the password+OTP every time he logs in during the day is kind of inconvenient. Is it possible to make sure the user has to log in once and the credentials are cached for, say, 12/24 hours? I know this is possible just using the password. Question is, is this possible using password+OTP?
> > > >
> > > > We have an SSSD feature under review now that would help you:
> > > > https://fedorahosted.org/sssd/ticket/1807
> > > >
> > > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We should!
> > >
> > > hm, I agree we should, but I guess we should test that cached authentication does _not_ work with 2FA/OTP. Because it is expected that the OTP token only works once, so that e.g. it can be used in an insecure environment to set up a secure tunnel.
> >
> > Sure, the second factor must not be reused :-) but couldn't we use the cached auth to support cases like this where the second factor is to be used only once per some time and use only the first factor in the meantime?
>
> I'm a bit reluctant here. If the two factors are intercepted in an insecure environment the attacker will still have a valid password which can be used for some time.
>
> Additionally, iirc cached authentication is not aware of the service used. If e.g. OTP was used to just get a response from some unprotected and unprivileged service the intercepted password can be used to log in with ssh as well.
>
> So I guess we need a careful discussion here.

The solution for these environments already exists and it is called GSSAPI.
You can obtain a ticket with 2FA and then use your TGT for 10 or more hours.

There is no need to invent broken ways to skip two factor auth when we already have a way to make this easy *and* secure.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
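Simo's and Jan's answer in practice, as an added example (shell; not code from the thread, from SSSD or from FreeIPA): the user authenticates with password+OTP exactly once, when the TGT is obtained, and every ssh afterwards presents that ticket over GSSAPI until it expires. Nothing is cached on the client and the OTP value is never replayed, which is what Sumit's objection to cached authentication was about. On an enrolled FreeIPA client the OTP preauth needs FAST armor, so the helper armors kinit with the host keytab (root) and then runs kinit -T; the ccache path, the placeholder host and the helper names are assumptions. The "once a day" comes from the realm's Kerberos ticket policy (ipa krbtpolicy-show), not from anything on the client.

```shell
#!/bin/sh
# Added example: 2FA once, Kerberos ticket for the rest of the day.
# Not part of FreeIPA or SSSD; paths and names are placeholders.

ARMOR_CCACHE=${ARMOR_CCACHE:-/tmp/armor_ccache}

# sshd and ssh settings for ticket-based login. Written into $1 so they can
# be reviewed before being merged into /etc/ssh/sshd_config and ssh_config.
write_ssh_gssapi_config() {
  cat >"$1/sshd_config.gssapi" <<'EOF'
# server side: accept Kerberos tickets, destroy the forwarded ccache at logout
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
  cat >"$1/ssh_config.gssapi" <<'EOF'
# client side: offer the ticket; forward the TGT only to hosts that need it
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
EOF
}

# Get a TGT with password+OTP. FreeIPA only accepts OTP preauth inside a
# FAST tunnel, so first create an armor ccache from the host keytab (root);
# kinit -n -c "$ARMOR_CCACHE" (anonymous PKINIT) is the non-root alternative
# when pkinit anchors are configured on the client.
armored_kinit() {
  kinit -k -t /etc/krb5.keytab -c "$ARMOR_CCACHE" "host/$(hostname -f)" || return 1
  kinit -T "$ARMOR_CCACHE" "$1"      # prompts for password+OTP, once
}

# Reuse a valid TGT if there is one (klist -s is silent: exit 0 only when a
# non-expired ticket exists); otherwise do the single 2FA step, then ssh.
# Ticket lifetime is capped by the realm policy:
#   ipa krbtpolicy-show ; ipa krbtpolicy-mod --maxlife=<seconds>
ipa_ssh() {
  princ=$1; shift
  klist -s 2>/dev/null || armored_kinit "$princ" || return 1
  ssh -o GSSAPIAuthentication=yes "$@"
}

# Demo of the config part (the kinit/ssh part needs a real realm).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
write_ssh_gssapi_config "$DEMO_DIR"
cat "$DEMO_DIR/sshd_config.gssapi" "$DEMO_DIR/ssh_config.gssapi"
# usage: ipa_ssh alice@EXAMPLE.COM server.example.com
```

The public key Prashant mentions is then no longer needed for the daily logins; if it stays enabled, sshd will accept it without any second factor, so decide deliberately whether PubkeyAuthentication should remain on for those users.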
[Freeipa-users] changing the default for changelog trimming
Hi,

389-ds allows configuring the max size of the replication changelog either by setting a maximum record number or a maximum age of changes. FreeIPA does not use this setting. In the context of ticket https://fedorahosted.org/freeipa/ticket/5086 we are discussing changing the default to enable changelog trimming.

Does anyone already use changelog trimming, or is there a scenario where you rely on all changes being available?

Thanks for your feedback,
Ludwig
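For anyone who wants to try trimming ahead of a default change, the following is an added example (shell; not from Ludwig's post, FreeIPA or 389-ds): it builds the ldapmodify LDIF that sets the two trimming limits on cn=changelog5,cn=config, rejecting a malformed age before it reaches the server, and shows how to read the current values back. The ldapi socket path and the 7d/1000 values are placeholders. The caveat that answers Ludwig's question: once changes older than the max age are trimmed, a replica that was unreachable for longer than that can no longer be caught up incrementally and has to be re-initialised (ipa-replica-manage re-initialize), so size the age to the longest replica outage you are prepared to tolerate.

```shell
#!/bin/sh
# Added example: enable 389-ds changelog trimming. Not part of FreeIPA or
# 389-ds; the socket path and values are placeholders.

LDAPI=${LDAPI:-ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket}

# 389-ds takes an integer with a unit suffix (s, m, h, d, w). A bare number
# is refused here so a typo never reaches cn=config.
valid_changelog_age() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+[smhdw]$'
}

# LDIF that sets max age ($1) and max entries ($2, 0 = no entry limit).
# Pipe it into ldapmodify; see the usage line at the bottom.
changelog_trim_ldif() {
  age=$1; max_entries=${2:-0}
  valid_changelog_age "$age" || { echo "bad changelog age: $age" >&2; return 1; }
  cat <<EOF
dn: cn=changelog5,cn=config
changetype: modify
replace: nsslapd-changelogmaxage
nsslapd-changelogmaxage: $age
-
replace: nsslapd-changelogmaxentries
nsslapd-changelogmaxentries: $max_entries
EOF
}

# Current values, for the before/after comparison (root over ldapi).
show_changelog_trim() {
  ldapsearch -LLL -Y EXTERNAL -H "$LDAPI" -b cn=changelog5,cn=config \
    nsslapd-changelogmaxage nsslapd-changelogmaxentries
}

# Print the modification that would be applied; apply it with:
#   changelog_trim_ldif 7d 1000 | ldapmodify -Y EXTERNAL -H "$LDAPI"
changelog_trim_ldif 7d 1000
```

Run show_changelog_trim on every replica afterwards: the setting is per server, not replicated, so a mixed fleet trims on some masters and not on others.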
Re: [Freeipa-users] Unfamiliar message and crashes
Thank you for the reply.

    # rpm -q 389-ds-base ipa-server slapi-nis
    389-ds-base-1.3.3.1-16.el7_1.x86_64
    ipa-server-4.1.0-18.el7_1.3.x86_64
    slapi-nis-0.54-3.el7_1.x86_64

Okay, we will try to get it if it happens again.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson
Sent: Tuesday, June 30, 2015 10:23 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unfamiliar message and crashes

On 06/29/2015 10:08 PM, Alexander Frolushkin wrote:
> Hello.
> What does the message
>
>     NSMMReplicationPlugin - agmt=cn=cloneAgreement1-host1.domain.com-pki-tomcat (host2:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later.
>
> mean? A lot of these messages appeared in the dirsrv error log yesterday, and several crashes
>
>     ns-slapd[31026]: segfault at 25 ip 7f7aa499c800 sp 7f7a4b7e14f0 error 4 in libslapd.so.0.0.0[7f7aa4948000+11c000]
>
> were also noticed...
> Any thoughts, what to do?

Please provide the versions you are using:

    # rpm -q 389-ds-base ipa-server slapi-nis

Debugging crashes: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes

in addition:

    # debuginfo-install ipa-server slapi-nis

We need to see some stack traces.

> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Hi Christopher,

thanks very much for your help, I appreciate it. I will reconfigure our Jira and see how it works out.

-----Original Message-----
From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Monday, 29 June 2015 16:08
To: Alexander Bokovoy; Moj, Markus; Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA, including the vital mail attribute!

Note there are probably other solutions that work as well, but this is the one that works for us.

Key points:

a) Integration Style: Internal Directory with LDAP Authentication -- only those users that attempt to log in are replicated, useful if your JIRA users are a subset of your FreeIPA users.

b) LDAP Type = Generic LDAP -- JIRA does not yet have native FreeIPA support.

c) bind = via user / password -- we first tried anonymous bind (w/o user). While this replicated users and logins worked, the all-important mail attribute was not replicated.

d) as the password of the bind user is stored in plaintext in the Jira db, make sure this is a limited user (member of the default ipa-users group is sufficient), e.g. don't use the Directory Manager user!

e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT come from the compat tree (no mail attribute). We want replies from cn=users,cn=accounts, which does have the mail attribute.

Below is the config direct from the Jira database (of course we made the config changes via the Jira admin GUI, which has a nifty Test function).

    mysql> select attribute_name, attribute_value from cwd_directory_attribute where directory_id = 10001;
    +--------------------------------------------+------------------------------------------------------------+
    | attribute_name                             | attribute_value                                            |
    +--------------------------------------------+------------------------------------------------------------+
    | autoAddGroups                              | jira-users                                                 |
    | crowd.delegated.directory.auto.create.user | true                                                       |
    | crowd.delegated.directory.auto.update.user | true                                                       |
    | crowd.delegated.directory.importGroups     | false                                                      |
    | crowd.delegated.directory.type             | com.atlassian.crowd.directory.GenericLDAP                  |
    | ldap.basedn                                | dc=my,dc=silly,dc=example,dc=com                           |
    | ldap.external.id                           | uid                                                        |
    | ldap.group.description                     | description                                                |
    | ldap.group.dn                              |                                                            |
    | ldap.group.filter                          | (objectclass=groupOfUniqueNames)                           |
    | ldap.group.name                            | cn                                                         |
    | ldap.group.objectclass                     | groupOfUniqueNames                                         |
    | ldap.group.usernames                       | uniqueMember                                               |
    | ldap.nestedgroups.disabled                 | true                                                       |
    | ldap.pagedresults                          | false                                                      |
    | ldap.pagedresults.size                     | 1000                                                       |
    | ldap.password                              | x                                                          |
    | ldap.referral                              | false                                                      |
    | ldap.url                                   | ldap://xxx-ldap.my.silly.example.com:389                   |
    | ldap.user.displayname                      | displayName                                                |
    | ldap.user.dn                               | cn=accounts                                                |
    | ldap.user.email                            | mail                                                       |
    | ldap.user.filter                           | (objectclass=inetorgperson)                                |
    | ldap.user.firstname                        | givenName                                                  |
    | ldap.user.group                            | memberOf                                                   |
    | ldap.user.lastname                         | sn                                                         |
    | ldap.user.objectclass                      | inetorgperson                                              |
    | ldap.user.username                         | uid                                                        |
    | ldap.user.username.rdn                     | cn                                                         |
    | ldap.userdn                                | uid=,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com |
    | ldap.usermembership.use                    | false                                                      |
    | ldap.usermembership.use.for.groups         | false                                                      |
    +--------------------------------------------+------------------------------------------------------------+

@Martin K: In an earlier thread on FreeIPA / JIRA integration you asked for contributions to a How-to article. I think the solution above could be the basis of such an article.

Cheers

Chris

From: Christopher Lamb/Switzerland/IBM@IBMCH
To: Alexander Bokovoy aboko...@redhat.com, markus@mc.ingenico.com
Cc: freeipa-users@redhat.com
Date: 29.06.2015 11:27
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Sent by: freeipa-users-boun...@redhat.com

Hi all

I am fighting this exact problem too.

We had set up Jira, integrated to FreeIPA with the option Internal Directory with LDAP Authentication, using anonymous bind. This
[Freeipa-users] ipa-server-4.1.0 ipasam performance issue / strange behaviour
Hi,

I’ve started playing around with Samba shares on an IPA server running 4.1.0 (CentOS 7 latest as of 30-06-2015).

I’m having an issue with performance - it seems to connect to ldap almost 10 times for every file operation to try to look up a group - and the lookup fails. On another system running IPA 3.0.0 on CentOS 6.6 this runs perfectly, and the lookup succeeds.

Everything is set up:

  yum install ipa-server-trust-ad
  ipa-adtrust-install

Logging level set to:

  net conf setparm global ‘log level’ 10

Samba share set up to share a /data directory:

  [Test]
  path = /data
  guest ok = no
  read only = no
  valid users = @projects

Connecting to the share is great - all works fine - but then copying files is somewhat slower than expected.

Examining log.workstation I can see that the group lookup for the @projects group is not functioning:

  [2015/06/30 16:23:18.050664,  5, pid=14801, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
    smbldap_search_ext: base = [dc=XXX], filter = [(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)(objectClass=ipaNTUserAttrs)))], scope = [2]
  [2015/06/30 16:23:18.051555,  3, pid=14801, effective(0, 0), real(0, 0)] ipa_sam.c:942(ldapsam_gid_to_sid)
    ERROR: Got 0 entries for gid 543800010, expected at least one

This happens almost 10 times per file I copy into the share.

Checking dirsrv logs, the query is returning 0 entries - so that confirms what ipasam is reporting.

However, running the query manually as root (which connects as Directory Manager as opposed to the cifs service principal) it returns results:

  [root@ipa02 data]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-XXX.socket' '(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))'
  SASL/EXTERNAL authentication started
  SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  SASL SSF: 0
  # extended LDIF
  #
  # LDAPv3
  # base <dc=XXX> (default) with scope subtree
  # filter: (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))
  # requesting: ALL
  #

  # projects, groups, accounts, XXX
  dn: cn=projects,cn=groups,cn=accounts,dc=XXX
  gidNumber: 543800010
  ipaUniqueID: XXX
  cn: projects
  description: Projects access
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup
  objectClass: ipausergroup
  objectClass: ipaobject
  objectClass: posixgroup
  objectClass: ipantgroupattrs
  ipaNTSecurityIdentifier: XXX
  member: cn=projects_rw,cn=groups,cn=accounts,dc=XXX

  # search result
  search: 3
  result: 0 Success

  # numResponses: 2
  # numEntries: 1

If I load the keytab for Samba:

  kinit -t /etc/samba/samba.keytab cifs/ipa02.XXX@XXX

Then run the query using GSSAPI - I get no results!

  [root@ipa02 data]# ldapsearch -Y GSSAPI -H 'ldapi://%2fvar%2frun%2fslapd-XXX.socket' '(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))'
  SASL/GSSAPI authentication started
  SASL username: cifs/ipa02.XXX@XXX
  SASL SSF: 56
  SASL data security layer installed.
  # extended LDIF
  #
  # LDAPv3
  # base <dc=XXX> (default) with scope subtree
  # filter: (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))
  # requesting: ALL
  #

  # search result
  search: 4
  result: 0 Success

  # numResponses: 1

Even stranger, if I split the OR filter and only run the group part, but still running through GSSAPI - it is successful!

  [root@ipa02 data]# ldapsearch -Y GSSAPI -H 'ldapi://%2fvar%2frun%2fslapd-XXX.socket' '(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))'
  SASL/GSSAPI authentication started
  SASL username: cifs/XXX@XXX
  SASL SSF: 56
  SASL data security layer installed.
  # extended LDIF
  #
  # LDAPv3
  # base <dc=XXX> (default) with scope subtree
  # filter: (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))
  # requesting: ALL
  #

  # projects, groups, accounts, XXX
  dn: cn=projects,cn=groups,cn=accounts,dc=XXX
  gidNumber: 543800010
  ipaUniqueID: XXX
  cn: projects
  description: Projects access
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup
  objectClass: ipausergroup
  objectClass: ipaobject
  objectClass: posixgroup
  objectClass: ipantgroupattrs
  ipaNTSecurityIdentifier: XXX
  member: cn=projects_rw,cn=groups,cn=accounts,dc=XXX

  # search result
  search: 4
  result: 0 Success

  # numResponses: 2
  # numEntries: 1

Any ideas what might be happening here? I’ve read something about non-existent attributes being able to mess with OR queries. But I can’t understand why it would only affect the GSSAPI authenticated user.

Regards,

Jason Woods

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Unfamiliar message and crashes
On 06/29/2015 10:08 PM, Alexander Frolushkin wrote:
> Hello.
> What does message
>
>   NSMMReplicationPlugin - agmt=cn=cloneAgreement1-host1.domain.com-pki-tomcat (host2:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later.
>
> mean? A lot of these messages appeared in the dirsrv error log yesterday, and several crashes
>
>   ns-slapd[31026]: segfault at 25 ip 7f7aa499c800 sp 7f7a4b7e14f0 error 4 in libslapd.so.0.0.0[7f7aa4948000+11c000]
>
> also noticed… Any thoughts, what to do?

Please provide the versions you are using:

  # rpm -q 389-ds-base ipa-server slapi-nis

Debugging crashes:
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes

in addition:

  # debuginfo-install ipa-server slapi-nis

We need to see some stack traces

> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
Re: [Freeipa-users] ipa-server-4.1.0 ipasam performance issue / strange behaviour
- Original Message -
> [...]
>   [root@ipa02 data]# ldapsearch -Y GSSAPI -H 'ldapi://%2fvar%2frun%2fslapd-XXX.socket' '(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))'
>   SASL/GSSAPI authentication started
>   SASL username: cifs/XXX@XXX
>   SASL SSF: 56
>   SASL data security layer installed.
>   # extended LDIF
>   #
>   # LDAPv3
>   # base <dc=XXX> (default) with scope subtree
>   # filter: (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))
>   # requesting: ALL
>   #
>
>   # projects, groups, accounts, XXX
>   dn: cn=projects,cn=groups,cn=accounts,dc=XXX
>   gidNumber: 543800010
>   ipaUniqueID: XXX
>   cn: projects
>   description: Projects access
>   objectClass: top
>   objectClass: groupofnames
>   objectClass: nestedgroup
>   objectClass: ipausergroup
>   objectClass: ipaobject
>   objectClass: posixgroup
>   objectClass: ipantgroupattrs
>   ipaNTSecurityIdentifier: XXX
>   member: cn=projects_rw,cn=groups,cn=accounts,dc=XXX
>
>   # search result
>   search: 4
>   result: 0 Success
>
>   # numResponses: 2
>   # numEntries: 1
>
> Any ideas what might be happening here? I’ve read something about non-existent attributes being able to mess with OR queries. But I can’t understand why it would only affect the GSSAPI authenticated user.

This is definitely an issue with ACLs or NACLPlugin. Regarding LDAPI+root and GSSAPI -- the first one maps to cn=Directory Manager, the second one maps to a specific DN. When you are cn=Directory Manager, no ACLs apply to you, so
Re: [Freeipa-users] ipa-server-4.1.0 ipasam performance issue / strange behaviour
- Original Message -
> On 30 Jun 2015, at 17:29, Alexander Bokovoy aboko...@redhat.com wrote:
>
>> - Original Message -
>>> If I load the keytab for Samba:
>>>
>>>   kinit -t /etc/samba/samba.keytab cifs/ipa02.XXX@XXX
>>>
>>> Then run the query using GSSAPI - I get no results!
>>> [...]
>>> Even stranger, if I split the OR filter and only run the group part, but still running through GSSAPI - it is successful!
>>> [...]
>>> Any ideas what might be happening here? I’ve read something about non-existent attributes being able to mess with OR queries. But I can’t understand why it would only affect the GSSAPI authenticated user.
>>
>> This is definitely an issue with ACLs or NACLPlugin. Regarding LDAPI+root and GSSAPI -- the first one maps to cn=Directory Manager, the second one maps to a specific DN. When you are cn=Directory Manager, no ACLs apply to you, so the result is expected.
>
> I thought it might be. However, the fact that the query works fine without the OR - does that not indicate otherwise? Surely permissions would impact both?
>
> To summarise, when using GSSAPI with specific DN, the following returns nothing:
>
>   (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))
>
> The following returns one result:
>
>   (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))
>
> My understanding would be if it were permissions, both would return nothing. I’ve even tried the uidNumber part with a valid uid and it does actually return something.

That's why I'm saying it might be an issue in NACLPlugin. Can you please file a bug about it?

-- 
/ Alexander Bokovoy
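A way to make the branch-by-branch comparison Jason did by hand systematic, as an added example that is not code from FreeIPA, Samba or 389-ds: split the OR filter into its top-level branches and run the whole filter and every branch as the same bind identity, then check that the union is never smaller than a branch. The search function is injected; `fake_search_as_cifs` and its counts are constructed to match what the thread reports, and a real run would wrap `ldapsearch -Y GSSAPI` instead.

```python
from typing import Callable, Dict, List

# The filter ipasam sends for this gid (from the smbldap_search_ext log
# line in the thread), minus the ipaNTUserAttrs term Jason also dropped.
FULL_FILTER = ("(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))"
               "(&(uidNumber=543800010)(objectClass=posixAccount)))")


def split_top_level(filter_str: str) -> List[str]:
    """Top-level operands of a parenthesised LDAP filter.

    '(|(a)(b))' -> ['(a)', '(b)']; a filter whose outer component is a plain
    assertion (no leading |, & or !) comes back unchanged as [f].
    """
    f = filter_str.strip()
    if not (f.startswith("(") and f.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filter_str)
    inner = f[1:-1]
    if not inner or inner[0] not in "|&!":
        return [f]
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(inner[1:], start=1):   # skip the operator
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter: %r" % filter_str)
            if depth == 0:
                parts.append(inner[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced filter: %r" % filter_str)
    return parts


def isolate_branches(filter_str: str,
                     search: Callable[[str], int]) -> Dict[str, int]:
    """Run the whole filter and each top-level branch through `search`
    (filter -> number of entries returned) as one bind identity."""
    counts = {filter_str: search(filter_str)}
    for branch in split_top_level(filter_str):
        if branch != filter_str:
            counts[branch] = search(branch)
    return counts


def classify(filter_str: str, counts: Dict[str, int]) -> str:
    """Interpret the counts for an OR filter.

    An OR result set must contain every entry a branch matches, so a branch
    with hits while the union is empty cannot be plain read permission on
    the entries; it points at how the server evaluates the combined filter
    for this bind (the ACL / NACLPlugin path Alexander suspects).
    """
    branches = [b for b in counts if b != filter_str]
    hits = [b for b in branches if counts[b] > 0]
    if counts[filter_str] == 0 and hits:
        return "branch-mismatch"
    if counts[filter_str] == 0:
        return "all-empty"        # consistent with missing entries or ACLs
    return "consistent"


# Constructed stand-in for `ldapsearch -Y GSSAPI` as cifs/ipa02.XXX@XXX,
# reproducing the counts reported in the thread (not real LDAP results).
_OBSERVED_AS_CIFS = {
    FULL_FILTER: 0,
    "(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))": 1,
    "(&(uidNumber=543800010)(objectClass=posixAccount))": 0,
}


def fake_search_as_cifs(filter_str: str) -> int:
    return _OBSERVED_AS_CIFS.get(filter_str, 0)


# classify(FULL_FILTER, isolate_branches(FULL_FILTER, fake_search_as_cifs))
# -> "branch-mismatch"
```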
Re: [Freeipa-users] keytab issue with service principal
Thank you so much, that was it - just a wrong command. Appreciate the help and quick response.

From: Simo Sorce s...@redhat.com
To: sipazzo sipa...@yahoo.com
Cc: Freeipa-users freeipa-users@redhat.com
Sent: Tuesday, June 30, 2015 12:39 PM
Subject: Re: [Freeipa-users] keytab issue with service principal

On Tue, 2015-06-30 at 19:34 +, sipazzo wrote:
> Output of klist -kt is
>
>   KVNO Timestamp         Principal
>   ---- ----------------- ---------
>      2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>      2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>      2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>      2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>
> From: Simo Sorce s...@redhat.com
> To: sipazzo sipa...@yahoo.com
> Cc: Freeipa-users freeipa-users@redhat.com
> Sent: Tuesday, June 30, 2015 11:52 AM
> Subject: Re: [Freeipa-users] keytab issue with service principal

Then the command you want to run is:

  kinit -kt /opt/oracle/admin/oracledb.keytab oracledb/oracledbsrvr.example.com

Note, no -S

Simo.

>> On Tue, 2015-06-30 at 18:44 +, sipazzo wrote:
>>> I am trying to troubleshoot kerberos authentication for an oracle service (oracledb) and getting the following error when testing the service keytab on the database server (oracledbsrvr):
>>>
>>>   oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com
>>>   kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials
>>>
>>> When I use a client program like sqlplus on the database server connecting as a freeipa user with a valid kerberos ticket it appears to work fine though. I cannot get it working from a remote client however. Is this error a red herring or should I be concerned about this? kvno and klist show the same number.
>>
>> What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ?
>>
>> Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] keytab issue with service principal
On Tue, 2015-06-30 at 18:44 +, sipazzo wrote:
> I am trying to troubleshoot kerberos authentication for an oracle service (oracledb) and getting the following error when testing the service keytab on the database server (oracledbsrvr):
>
>   oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com
>   kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials
>
> When I use a client program like sqlplus on the database server connecting as a freeipa user with a valid kerberos ticket it appears to work fine though. I cannot get it working from a remote client however. Is this error a red herring or should I be concerned about this? kvno and klist show the same number.

What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] keytab issue with service principal
Thank you, I had tried it both ways with the same results. Just misunderstood the documentation I guess, so tried the -S to try to force it to use the service keytab for authentication.

  kinit -k -t /opt/oracle/admin/oracledb.keytab
  kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials

Simo just responded that I had the command wrong. I re-ran it as he indicated and received a service ticket. Thank you both so much.

From: Alexander Bokovoy aboko...@redhat.com
To: sipazzo sipa...@yahoo.com
Cc: Freeipa-users freeipa-users@redhat.com
Sent: Tuesday, June 30, 2015 12:16 PM
Subject: Re: [Freeipa-users] keytab issue with service principal

- Original Message -
> I am trying to troubleshoot kerberos authentication for an oracle service (oracledb) and getting the following error when testing the service keytab on the database server (oracledbsrvr):
>
>   oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com
>   kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials

Remove the -S option, just specify your oracledb/`hostname` principal. With the -S option your oracledb/`hostname` principal is consumed by the -S option and then the default principal is what you are authenticating with. Which means "I want to obtain credentials to the oracledb/`hostname` service, not krbtgt/example@example.com, but I'll be authenticating as host/`hostname` for that". But when you are using host/`hostname`, your keytab is supposed to contain keys for this principal. kinit doesn't see them there and fails.

Why did you choose to use the -S option?

-- 
/ Alexander Bokovoy
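The -S behaviour Alexander describes, modelled as an added example (not MIT Kerberos or FreeIPA code): parse `klist -kt` output and work out which principal a `kinit -k ...` command line authenticates *as*, so the two failing commands in this thread and the working one can be compared offline. The klist sample, the hostname oracledbsrvr.example.com and the realm EXAMPLE.COM are constructed; the thread's own listing has a garbled principal.

```python
import re
from typing import List, Optional, Tuple

# Constructed `klist -kt` output (hostname and realm are assumptions).
SAMPLE_KLIST = """\
Keytab name: FILE:/opt/oracle/admin/oracledb.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com@EXAMPLE.COM
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com@EXAMPLE.COM
"""

_ROW = re.compile(r"^\s*(\d+)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")


def parse_klist_kt(text: str) -> List[Tuple[int, str]]:
    """(kvno, principal) for every key row; header/separator lines skipped."""
    return [(int(m.group(1)), m.group(3))
            for m in map(_ROW.match, text.splitlines()) if m]


def _qualify(principal: str, realm: str) -> str:
    return principal if "@" in principal else principal + "@" + realm


def kinit_principals(argv: List[str], hostname: str,
                     realm: str) -> Tuple[str, Optional[str]]:
    """(client, service) that a `kinit -k ...` command line resolves to.

    Simplified model of kinit's option handling: -t and -S take a value,
    combined flags such as -kt are expanded, the first positional argument
    is the client principal, and with none given a keytab kinit falls back
    to host/<hostname>@REALM. -S only names the service whose ticket is
    requested instead of the TGT; it never changes who we authenticate as.
    """
    args = []
    for a in argv[1:]:
        if a.startswith("-") and len(a) > 2:
            args.extend("-" + c for c in a[1:])   # -kt -> -k -t
        else:
            args.append(a)
    client, service, i = None, None, 0
    while i < len(args):
        if args[i] in ("-t", "-S"):
            if args[i] == "-S":
                service = args[i + 1]
            i += 2
        elif args[i].startswith("-"):
            i += 1                                # -k and other bare flags
        else:
            if client is None:
                client = args[i]
            i += 1
    if client is None:
        client = "host/" + hostname
    return _qualify(client, realm), (_qualify(service, realm) if service else None)


def simulate_kinit(argv: List[str], klist_output: str,
                   hostname: str, realm: str) -> str:
    """Message kinit would give, based on whether the keytab holds a key
    for the client principal the command line resolves to."""
    client, service = kinit_principals(argv, hostname, realm)
    keys = {p for _, p in parse_klist_kt(klist_output)}
    if client not in keys:
        return ("kinit: Keytab contains no suitable keys for %s "
                "while getting initial credentials" % client)
    return "ok: authenticated as %s, ticket for %s" % (
        client, service or "krbtgt/%s@%s" % (realm, realm))


if __name__ == "__main__":
    host, realm = "oracledbsrvr.example.com", "EXAMPLE.COM"
    keytab = "/opt/oracle/admin/oracledb.keytab"
    for cmd in (["kinit", "-kt", keytab, "-S", "oracledb/" + host],  # -S: fails
                ["kinit", "-k", "-t", keytab],                        # no principal: fails
                ["kinit", "-kt", keytab, "oracledb/" + host]):        # Simo's: works
        print(" ".join(cmd), "->", simulate_kinit(cmd, SAMPLE_KLIST, host, realm))
```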
Re: [Freeipa-users] freeipa sudden stop
On (30/06/15 11:17), Umarzuki Mochlis wrote:
> Every once in a week suddenly the IPA service would fail and I only realized it when zimbra, which uses it for authentication, failed during user log in. So I had to type in the commands below one by one each time this happened.
>
>   systemctl start dirsrv@DOMAIN-COM.service
>   systemctl start krb5kdc.service
>   systemctl start kadmin.service
>   systemctl start ipa_memcached.service
>   systemctl start httpd.service
>
>   # cat /etc/redhat-release
>   Fedora release 18 (Spherical Cow)

End of life for Fedora 18 was 2014-01-14.
See https://fedoraproject.org/wiki/End_of_life

Could you try to upgrade to a recent release (fedora 21)?

If you do not want to upgrade very often then it would be better to use a distribution with a longer support time. RHEL/CentOS

LS
Re: [Freeipa-users] Using FreeIPA OTP in a PAM module
Hi,

I was able to set this up in a Fedora instance with SSSD and it works as expected. SSHD first uses the public key and then prompts for password which is of course password+OTP.

However, having a user enter the password+OTP every time he logs in during the day is kind of inconvenient. Is it possible to make sure the user has to login once and the credentials are cached for say 12/24 hours? I know this is possible just using the password. Question is, is this possible using password+OTP?

Thanks.
--Prashant

On 27 June 2015 at 13:06, Prashant Bapat prash...@apigee.com wrote:
> Aah ok ! Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended up using nss-pam-ldap, nscd and nslcd.
>
> However this looks promising. Only for the servers exposed to Internet I could use CentOS/Fedora and this method of authentication. Let me try this and come back to you.
>
> Thanks.
> --Prashant
>
> On 27 June 2015 at 10:17, Alexander Bokovoy aboko...@redhat.com wrote:
>> - Original Message -
>>> Hi ,
>>> I'm exploring implementing a 2FA solution to my servers exposed to public. Mainly to secure SSH with 2FA. The SSH keys and users are already in FreeIPA. Is there a way to utilize the OTP inside FreeIPA during a user login to these servers ? A user will have to enter the TOTP code based on what's configured in FreeIPA. Something along the lines of https://github.com/google/google-authenticator/tree/master/libpam
>>
>> If you are using SSSD (pam_sss), it will automatically accept 2FA. You need to force OpenSSH to combine authentication methods, something like:
>>
>>   AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
>>
>> Look into the sshd_config manual page for details. This is a feature of OpenSSH 6.2 or later.
>>
>> -- 
>> / Alexander Bokovoy
Re: [Freeipa-users] DNS forwarder first does not fallback to local
On 29.6.2015 18:33, Matt . wrote:
> Hi Petr,
>
> No problem at all! I can remove/move things easily... but this splitbrain really makes these 2 networks standing on their own, which is what I need. Both are provisioned but not all the same. It gives me the flexibility we need, that's why it's not difficult to move, as it's flexible at the moment.

Yeah, you can get most flexibility by using two separate domains for each network, possibly on two separate servers :-)

Let us know if you need further assistance.

Petr^2 Spacek

> 2015-06-29 18:26 GMT+02:00 Petr Spacek pspa...@redhat.com:
>> On 29.6.2015 18:22, Matt . wrote:
>>> Hi,
>>>
>>> Because it can happen that hostnames are used twice, but one for each network. This sounds a little bit odd, but it has something to do with hostnames that are needed, public names and internal names. But as both networks have their own DNS servers, some records are just not provisioned so need to be added manually to the non-managed server.
>>
>> Okay, so you basically want 'DNS views'. There is only one advice about that: Do not do that :-)
>>
>> I would highly recommend you to read and follow the following articles:
>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>> http://www.freeipa.org/page/DNS#Internal-only_domains
>>
>> Sure, in an already deployed network it is not easy but be assured that getting rid of DNS views/split-brain DNS will save you a lot of headaches in the long term.
>>
>> I'm sorry for uncomforting answers...
>>
>> Petr Spacek @ Red Hat
>>
>>> 2015-06-29 17:11 GMT+02:00 Petr Spacek pspa...@redhat.com:
>>>> On 29.6.2015 16:10, Matt . wrote:
>>>>> Hi Petr,
>>>>>
>>>>> Yes I understand why this is not possible. The idea was to have a managed DNS server from scripting and one for other usage by clients who only need to know about the unknown records on Server1, this as it should forward most and only do specific local lookups. Your subdomain solution might be something if I want to go this way.
>>>>
>>>> I still do not understand the use case. Why not let scripts modify records on one single server?

-- 
Petr^2 Spacek
Re: [Freeipa-users] freeipa sudden stop
2015-07-01 3:51 GMT+08:00 Lukas Slebodnik lsleb...@redhat.com:
> End of life for Fedora 18 was 2014-01-14.
> See https://fedoraproject.org/wiki/End_of_life
>
> Could you try to upgrade to a recent release (fedora 21)?
>
> If you do not want to upgrade very often then it would be better to use a distribution with a longer support time. RHEL/CentOS
>
> LS

Is it possible to

1- install freeipa on a centos 7 server
2- migrate/copy freeipa data over from fedora 18 to centos 7
3- power off freeipa on fedora 18, change the IP on the centos 7 freeipa to the one that was used by fedora 18

for as little downtime as possible?

I would imagine that this would not be seamless as I need to check that Zimbra accounts properly authenticate with the new freeipa.