Re: [Freeipa-users] problems with NFS service principal
On Friday, November 6, 2015 3:24 AM, Alexander Bokovoy wrote:
> On Thu, 05 Nov 2015, j...@use.startmail.com wrote:
>> On Thursday, November 5, 2015 1:54 PM, Rob Crittenden wrote:
>>> j...@use.startmail.com wrote:
>>>> Hello everyone,
>>>> [...]
>
> Your workflow should be something like this (using IPA CLI as an example
> here):
> 1. Create a service with 'ipa service-add'
> 2. Associate a key with a service with 'ipa-getkeytab' and store it in a
>    keytab -- either directly on the server where service is running or on
>    any other IPA client.
> 3. Deliver the keytab from step (2) to a server where it should be if
>    needed. In case of clustered configuration deliver the keytab to all
>    cluster nodes which will be operating as the service.
>
>    Do not run 'ipa-getkeytab' multiple times as each run invalidates
>    previously obtained keytab.
>
> 4. Use the keytab to kinit and obtain initial ticket granting ticket
>    (TGT) for the service principal periodically. This either has to be
>    supported by an application itself or run with a wrapper that kinits
>    periodically. On RHEL 7, CentOS 7, and Fedora use GSS-PROXY to
>    perform automatic renewal, this is much cleaner way of doing it.
>
> If your NAS appliance has issues like below it only says that NFS server
> side did not accept your configuration. Thus, you need to look into the
> NAS appliance logs to say what is wrong there.

To eliminate NAS appliance I am following section 16.3.1
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/kerb-nfs.html#krb-nfs-server
literally on a fresh CentOS 7 lab network consisting of one IPA server, one
IPA client and a stand alone NFS server.

For IPA server I created nfs service using
ipa service-add nfs/fds.example.org
followed by
ipa-getkeytab -s fds.example.org -p nfs/fds.example.org -k /tmp/nfsserverfds.keytab
then used ktutil to merge into host keytab.
klist -k confirms that host and nfs principals are present.
created /etc/exports like /home *(rw,insecure,sec=krb5) and enabled nfs-server service
(I also disabled NFSv3)
krb5 mount between IPA client and IPA server works without any problems.

# mount -vvv -o sec=krb5 fds:/home /mnt
mount.nfs: timeout set for Sun Nov 8 10:59:53 2015
mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=192.168.1.3,clientaddr=192.168.1.131'

However, when I repeat exactly the same service-add and getkeytab steps for a
stand alone NFS server, mount is denied.

kinit -k nfs/nfsserver.example.org
works (I added default realm in /etc/krb5.conf)

Starting gssproxy in debug mode like
/usr/sbin/gssproxy -di
shows following during mount attempt:

Debug Enabled
Client connected (fd = 11) (pid = 2157) (uid = 0) (gid = 0) (context = system_u:system_r:kernel_t:s0)
gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock
gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock
gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock
gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock
gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock
gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock

/usr/sbin/rpc.gssd -vvv -f
shows only
beginning poll

Does anyone know how to enable more verbosity from NFS components to find out
what is missing in stand alone server configuration?

Regards,
Josh.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
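The keytab check the thread does by eye ("klist -k confirms that host and nfs principals are present") scripted as an added example, together with the KVNO view that Alexander's warning about repeated ipa-getkeytab runs calls for. This is not code from the thread or from FreeIPA; the host name, realm and the klist listing it parses are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: validate a service keytab from a
# 'klist -k' listing read on stdin. Host name and realm are constructed.

# keytab_has_principals PRINCIPAL...   (klist -k output on stdin)
# Returns 0 when every named principal is present in the listing; otherwise
# prints the missing ones on stderr and returns 1.
keytab_has_principals() {
    listing=$(cat)
    missing=""
    for p in "$@"; do
        printf '%s\n' "$listing" |
            awk -v p="$p" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }' ||
            missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    echo "missing principals:$missing" >&2
    return 1
}

# keytab_max_kvno   (klist -k output on stdin)
# Prints "principal kvno", the highest KVNO seen per principal, sorted.
# Several KVNOs for one principal mean older keys are still in the file;
# only the highest can match what the KDC issues after the last ipa-getkeytab.
keytab_max_kvno() {
    awk '$1 ~ /^[0-9]+$/ { if ($1 + 0 > max[$2] + 0) max[$2] = $1 }
         END { for (p in max) print p, max[p] }' | sort
}

# Constructed sample of 'klist -k' output for the stand-alone NFS server after
# the nfs/ keytab was merged into /etc/krb5.keytab with ktutil.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/nfsserver.example.org@EXAMPLE.ORG
   1 host/nfsserver.example.org@EXAMPLE.ORG
   2 nfs/nfsserver.example.org@EXAMPLE.ORG
   3 nfs/nfsserver.example.org@EXAMPLE.ORG'

# Usage: on a real host replace the sample with 'klist -k /etc/krb5.keytab'.
fqdn=nfsserver.example.org
realm=EXAMPLE.ORG
printf '%s\n' "$SAMPLE_KLIST" |
    keytab_has_principals "host/$fqdn@$realm" "nfs/$fqdn@$realm" && echo "keytab OK"
printf '%s\n' "$SAMPLE_KLIST" | keytab_max_kvno
```

On the stand-alone server the listing to feed in is `klist -k /etc/krb5.keytab`; a highest KVNO lower than what `kvno nfs/nfsserver.example.org@EXAMPLE.ORG` reports from the KDC is the signature of a keytab superseded by a later ipa-getkeytab run.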
[Freeipa-users] SSO Git http smart server and freeipa group authentication
Hello,

Anyone got git-http-backend working with freeipa group authentication and
would like to share their apache .conf file?

I've tried this on the IPA server with a dummy git repository setup in
/opt/gitrepos/test1.git
gitserver.my.lan is a CNAME for ipaserver.my.lan

First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
have a ticket) for user+pwd but still fails.

Any suggestions are welcome!

-- john

DocumentRoot /opt/gitrepos

# semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
# restorecon -R -v /opt/gitrepos

SetEnv GIT_PROJECT_ROOT /opt/gitrepos
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
ScriptAlias / /usr/libexec/git-core/git-http-backend/
ServerName gitserver.my.lan

Options Indexes
AllowOverride None
Require all granted

Options Indexes
AllowOverride None
Require all granted

AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm MY.LAN
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbSaveCredentials on
KrbVerifyKDC on
KrbServiceName HTTP

AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
Require ldap-group cn=ipausers,dc=my,dc=lan
# Allow anyone authenticated users that are in a ipausers group to clone
Re: [Freeipa-users] SSO Git http smart server and freeipa group authentication
On Sun, Nov 08, 2015 at 02:07:23PM +0100, John Obaterspok wrote:
> Hello,
>
> Anyone got git-http-backend working with freeipa group authentication and
> would like to share their apache .conf file?
>
>
> I've tried this on the IPA server with a dummy git repository setup in
> /opt/gitrepos/test1.git
> gitserver.my.lan is a CNAME for ipaserver.my.lan
>
> First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
> have a ticket) for user+pwd but still fails.
>
> Any suggestions are welcome!
>
> -- john
>
>
> DocumentRoot /opt/gitrepos
>
> # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
> # restorecon -R -v /opt/gitrepos
>
> SetEnv GIT_PROJECT_ROOT /opt/gitrepos
> SetEnv GIT_HTTP_EXPORT_ALL
> SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> ScriptAlias / /usr/libexec/git-core/git-http-backend/
> ServerName gitserver.my.lan
>
> Options Indexes
> AllowOverride None
> Require all granted
>
> Options Indexes
> AllowOverride None
> Require all granted
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbAuthRealm MY.LAN
> Krb5KeyTab /etc/httpd/conf/ipa.keytab
> KrbMethodNegotiate on
> KrbMethodK5Passwd off
> KrbSaveCredentials on
> KrbVerifyKDC on
> KrbServiceName HTTP
>
> AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
> Require ldap-group cn=ipausers,dc=my,dc=lan
> # Allow anyone authenticated users that are in a ipausers group to clone

Hi John,

Have a look at this Stack Overflow question:
http://stackoverflow.com/questions/32788405/how-to-force-git-2-5-http-transport-prefer-spnego-over-basic-authentication

Make sure you provide a (fake) username to trigger the SPNEGO authentication code.

If this does not work please run with `GIT_CURL_VERBOSE=1' in environment to
reveal what is going on behind the scenes.

Cheers,
Fraser
Re: [Freeipa-users] SSO Git http smart server and freeipa group authentication
On 08/11/15 08:07, John Obaterspok wrote:
> Hello,
>
> Anyone got git-http-backend working with freeipa group authentication and
> would like to share their apache .conf file?
>
> I've tried this on the IPA server with a dummy git repository setup in
> /opt/gitrepos/test1.git
> gitserver.my.lan is a CNAME for ipaserver.my.lan
>
> First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
> have a ticket) for user+pwd but still fails.
>
> Any suggestions are welcome!
>
> -- john
>
> DocumentRoot /opt/gitrepos
>
> # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
> # restorecon -R -v /opt/gitrepos
>
> SetEnv GIT_PROJECT_ROOT /opt/gitrepos
> SetEnv GIT_HTTP_EXPORT_ALL
> SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> ScriptAlias / /usr/libexec/git-core/git-http-backend/
> ServerName gitserver.my.lan
>
> Options Indexes
> AllowOverride None
> Require all granted
>
> Options Indexes
> AllowOverride None
> Require all granted
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbAuthRealm MY.LAN
> Krb5KeyTab /etc/httpd/conf/ipa.keytab
> KrbMethodNegotiate on
> KrbMethodK5Passwd off
> KrbSaveCredentials on
> KrbVerifyKDC on
> KrbServiceName HTTP
>
> AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
> Require ldap-group cn=ipausers,dc=my,dc=lan

This should probably be something like:
cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan

Although you should probably create a git specific group, especially if you
want it to be a posix group that can own files (ipausers is not a posix group
and we are actually trying to phase it out).

Also you are not doing LDAP authentication, you only want to do authorization,
and for that you may want to actually use nsswitch based authorization which
can be cached by sssd and not a query out to LDAP for each connection.

Unfortunately the basic Apache modules do not support system group
authentication directly, so what you may do instead is to have a cron job that
does the following:

getent group git-users | cut -d: -f1,4 | tr ',' ' ' > /my/authorization/file

And in apache have set the following directives instead of the above two:

AuthGroupFile /my/authorization/file
Require group git-users

HTH,
Simo

--
Simo Sorce * Red Hat, Inc * New York
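Simo's cron-job one-liner, generalised as an added example (mine, not Simo's or FreeIPA's) to several groups, with the AuthGroupFile rewritten through a temporary file and rename so httpd never reads a half-written file, and with the empty-group case handled. The group names, members and output path are constructed.

```shell
#!/bin/sh
# Added example, not Simo's script: generalise
#   getent group git-users | cut -d: -f1,4 | tr ',' ' ' > /my/authorization/file
# to several groups with an atomic rewrite. Group names and paths are constructed.

# group_lines_to_authgroup   (group(5) lines "name:x:gid:u1,u2" on stdin)
# Prints AuthGroupFile lines "name: u1 u2"; an empty member list yields "name:".
# Lines with fewer than four colon-separated fields are not group entries and
# are ignored.
group_lines_to_authgroup() {
    awk -F: 'NF >= 4 {
        if ($4 == "") { print $1 ":" }
        else { gsub(",", " ", $4); print $1 ": " $4 }
    }'
}

# write_authgroupfile DEST GROUP...
# Resolves each group through getent(1), so sssd's cache answers rather than a
# live LDAP query per request, then replaces DEST atomically with mode 0640.
# A group that does not resolve is reported on stderr and left out.
write_authgroupfile() {
    dest=$1
    shift
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    for g in "$@"; do
        getent group "$g" || echo "group not found: $g" >&2
    done | group_lines_to_authgroup > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0640 "$tmp" && mv -f "$tmp" "$dest"
}

# Constructed sample of getent output, used here instead of a live lookup.
SAMPLE_GROUPS='git-users:x:1500:alice,bob
git-admins:x:1501:carol
git-readonly:x:1502:'

printf '%s\n' "$SAMPLE_GROUPS" | group_lines_to_authgroup
# From cron on the real server, e.g. every five minutes:
#   write_authgroupfile /my/authorization/file git-users git-admins
```

Two details decide whether the `Require group` line then matches: the directive is served by mod_authz_groupfile, and with mod_auth_kerb the authenticated user name is the full principal (alice@MY.LAN) unless `KrbLocalUserMapping On` is set, so the bare names getent returns only match once the realm is stripped.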
Re: [Freeipa-users] IPA Json Selfsigned certificate
On Fri, Nov 06, 2015 at 01:28:41PM +0100, Matt . wrote:
> Hi guys,
>
> I'm testing out some installation and want to update my docs.
>
> I'm using a self signed cert and need to talk to the json/api.
>
> Which certs do I need to combine for my request, as I need an issuer too.
>
> The /etc/ipa/ca.crt combined with an export of the webcert ?
>
> Matt
>

Is the HTTP certificate signed by /etc/ipa/ca.crt? If so, you only need to
make sure that /etc/ipa/ca.crt is a trusted root.

Cheers,
Fraser
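Fraser's question ("is the HTTP certificate signed by /etc/ipa/ca.crt?") as a scripted check, followed by a JSON-RPC call that trusts only that file. This is an added example, not code from the thread or from FreeIPA; the server name, paths, endpoint and request headers are my assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check that the HTTP certificate chains to
# the IPA CA, and call the JSON API with that CA as the only trust anchor.
# Server name, paths and endpoint details are assumptions for illustration.

# cert_issued_by CA_PEM CERT_PEM
# Returns 0 when CERT_PEM chains to a CA in CA_PEM, i.e. trusting CA_PEM alone
# is enough for clients; non-zero for a certificate from any other issuer.
cert_issued_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# served_cert_issued_by CA_PEM HOST
# Fetches the leaf certificate the HTTPS server actually presents and runs the
# same check, so a manually replaced httpd certificate is caught as well.
served_cert_issued_by() {
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$2:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$tmp" 2>/dev/null
    if cert_issued_by "$1" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# ipa_json_ping CA_PEM HOST
# Calls the IPA JSON-RPC 'ping' method with Kerberos (SPNEGO) authentication
# and CA_PEM as the only trust anchor, so no system-wide trust change is needed.
# The /ipa/json path and the Referer requirement are as I recall them for
# FreeIPA 4 (assumption); confirm against your server's version.
ipa_json_ping() {
    curl --silent --show-error --cacert "$1" --negotiate -u : \
        -H "Referer: https://$2/ipa" \
        -H 'Content-Type: application/json' -H 'Accept: application/json' \
        -d '{"method":"ping","params":[[],{}]}' \
        "https://$2/ipa/json"
}

# Usage on a client that already holds a ticket (kinit first):
#   served_cert_issued_by /etc/ipa/ca.crt ipaserver.my.lan &&
#       ipa_json_ping /etc/ipa/ca.crt ipaserver.my.lan
```

If the check fails, the HTTP certificate came from another issuer, and that issuer's chain rather than /etc/ipa/ca.crt is what the client has to trust.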
Re: [Freeipa-users] problems with NFS service principal
On 8.11.2015 17:02, j...@use.startmail.com wrote:
> On Friday, November 6, 2015 3:24 AM, Alexander Bokovoy wrote:
>> On Thu, 05 Nov 2015, j...@use.startmail.com wrote:
>>> On Thursday, November 5, 2015 1:54 PM, Rob Crittenden wrote:
>>>> j...@use.startmail.com wrote:
>>>>> Hello everyone,
>>>>> [...]
>>
>> Your workflow should be something like this (using IPA CLI as an example
>> here):
>> 1. Create a service with 'ipa service-add'
>> 2. Associate a key with a service with 'ipa-getkeytab' and store it in a
>>    keytab -- either directly on the server where service is running or on
>>    any other IPA client.
>> 3. Deliver the keytab from step (2) to a server where it should be if
>>    needed. In case of clustered configuration deliver the keytab to all
>>    cluster nodes which will be operating as the service.
>>
>>    Do not run 'ipa-getkeytab' multiple times as each run invalidates
>>    previously obtained keytab.
>>
>> 4. Use the keytab to kinit and obtain initial ticket granting ticket
>>    (TGT) for the service principal periodically. This either has to be
>>    supported by an application itself or run with a wrapper that kinits
>>    periodically. On RHEL 7, CentOS 7, and Fedora use GSS-PROXY to
>>    perform automatic renewal, this is much cleaner way of doing it.
>>
>> If your NAS appliance has issues like below it only says that NFS server
>> side did not accept your configuration. Thus, you need to look into the
>> NAS appliance logs to say what is wrong there.
>
> To eliminate NAS appliance I am following section 16.3.1
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/kerb-nfs.html#krb-nfs-server
> literally on a fresh CentOS 7 lab network consisting of one IPA server, one
> IPA client and a stand alone NFS server.
>
> For IPA server I created nfs service using
> ipa service-add nfs/fds.example.org
> followed by
> ipa-getkeytab -s fds.example.org -p nfs/fds.example.org -k
> /tmp/nfsserverfds.keytab
> then used ktutil to merge into host keytab.
> klist -k confirms that host and nfs principals are present.
> created /etc/exports like /home *(rw,insecure,sec=krb5) and enabled
> nfs-server service
> (I also disabled NFSv3)
> krb5 mount between IPA client and IPA server works without any problems.
>
> # mount -vvv -o sec=krb5 fds:/home /mnt
> mount.nfs: timeout set for Sun Nov 8 10:59:53 2015
> mount.nfs: trying text-based options
> 'sec=krb5,vers=4,addr=192.168.1.3,clientaddr=192.168.1.131'
>
> However, when I repeat exactly the same service-add and getkeytab steps for a
> stand alone NFS server, mount is denied.

What do you mean, exactly, by 'stand alone NFS server'? Is it another server
which did not execute ipa-client-install? Or something else?

Petr^2 Spacek

>
> kinit -k nfs/nfsserver.example.org
> works (I added default realm in /etc/krb5.conf)
>
> Starting gssproxy in debug mode like
> /usr/sbin/gssproxy -di shows following during mount attempt:
>
> Debug Enabled
> Client connected (fd = 11) (pid = 2157) (uid = 0) (gid = 0) (context =
> system_u:system_r:kernel_t:s0)
> gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service
> "nfs-server", euid: 0, socket: /run/gssproxy.sock
> gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service
> "nfs-server", euid: 0, socket: /run/gssproxy.sock
> gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service
> "nfs-server", euid: 0, socket: /run/gssproxy.sock
> gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service
> "nfs-server", euid: 0, socket: /run/gssproxy.sock
> gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service
> "nfs-server", euid: 0, socket: /run/gssproxy.sock
> gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service
> "nfs-server", euid: 0, socket: /run/gssproxy.sock
>
> /usr/sbin/rpc.gssd -vvv -f
> shows only
> beginning poll
>
> Does anyone know how to enable more verbosity from NFS components to find out
> what is missing in stand alone server configuration?
>
> Regards,
> Josh.

--
Petr^2 Spacek