Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

[Timothy Geier]

> On Feb 9, 2016, at 2:58 AM, Rob Crittenden  wrote:
> 
> Timothy Geier wrote:
>> 
>> 
>> The debug log has a lot of instances of:
>> 
>> Could not connect to LDAP server host xxx. port 636 Error
>> netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>> Internal Database Error encountered: Could not connect to LDAP server
>> host xxx. port 636 Error netscape.ldap.LDAPException: IO Error
>> creating JSS SSL Socket (-1)
> 
> The 389-ds access log may show connection attempts and you might be able to 
> correlate from there.
> 

[09/Feb/2016:12:55:41 -0600] conn=109598 fd=287 slot=287 SSL connection from 
master_ip to master_ip
[09/Feb/2016:12:55:41 -0600] conn=109597 op=0 EXT oid="1.3.6.1.4.1.1466.20037" 
name="startTLS"
[09/Feb/2016:12:55:41 -0600] conn=109597 op=0 RESULT err=0 tag=120 nentries=0 
etime=0
[09/Feb/2016:12:55:41 -0600] conn=109598 Netscape Portable Runtime error -8181 
(Peer's Certificate has expired.); unauthenticated client CN=CA 
Subsystem,O=XXX.NET; issuer CN=Certificate Authority,O=XXX.NET
[09/Feb/2016:12:55:41 -0600] conn=109598 op=-1 fd=287 closed - Peer's 
Certificate has expired.



> 
> Some data is also stored in CS.cfg so you might ensure that the certificates 
> stored there are correct as well.
> 

CS.cfg is correct/restored from backup.

> There are a few entries in ou=People,o=ipaca that need to reflect the current 
> state of certificates as well.
> 

While looking in cn=config for any o=ipaca entries, the following popped up..it 
looks like most of the old replicas and the old master hostnames weren’t 
properly cleaned up and there’s still RUVs for them..nsDS5ReplicaHost and Port 
also seem to be improperly set:

cn=cloneAgreement1-current-master.X.net-pki-tomcat,cn=replica,cn=o\\3Dipaca,cn=mapping
 tree,cn=config
cn: cloneAgreement1-current-master.X.net-pki-tomcat
description: cloneAgreement1-current-master.X.net-pki-tomcat
nsDS5ReplicaBindDN: cn=Replication Manager 
masterAgreement1-current-master.X.net-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaHost: old-master.X.net
nsDS5ReplicaPort: 7389
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaTransportInfo: TLS
nsds50ruv: {replicageneration} 5304e0780060
nsds50ruv: {replica 96 ldap://old-master.X.net:7389} 
5304e0840060 561f3e8f00050060
nsds50ruv: {replica 81 ldap://current-master.X.net:389} 
561f361b0051 561f369c0051
nsds50ruv: {replica 86 ldap://old-replica3.X.net:7389} 
53f7b70d0056 5616ad6400090056
nsds50ruv: {replica 91 ldap://old-replica2.X.net:7389} 
53a841e5005b 5616ad5f0005005b
nsds50ruv: {replica 97 ldap://old-replica2.X.net:7389} 
5304e0800061 539b4f9600010061
nsruvReplicaLastModified: {replica 96 ldap://old-master.X.net:7389} 

nsruvReplicaLastModified: {replica 81 ldap://current-master.X.net:389} 

nsruvReplicaLastModified: {replica 86 ldap://old-replica3.X.net:7389} 

nsruvReplicaLastModified: {replica 91 ldap://old-replica2.X.net:7389} 

nsruvReplicaLastModified: {replica 97 ldap://old-replica2.X.net:7389} 

objectClass: top
objectClass: nsds5replicationagreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 1970010100Z
nsds5replicaLastUpdateEnd: 1970010100Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't 
contact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 1970010100Z
nsds5replicaLastInitEnd: 1970010100Z

cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=Replication Manager 
cloneAgreement1-current-master.X.net-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaId: 81
nsDS5ReplicaName: 56db714e-72e411e5-87dbe691-e12b51f2
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaType: 3
nsState:: UQDkWbdWwCYBAA==
objectClass: top
objectClass: nsDS5Replica
objectClass: extensibleobject
nsds5ReplicaChangeCount: 11463
nsds5replicareapactive: 0

ou=People doesn’t seem to exist in either the main tree or cn=config.

>> 
>>> You mentioned privately that you renamed the IPA host. This is
>>> probably what broke half of the renewals. The hosts and keytabs and
>>> many entries in IPA have the hostname baked in so you can't simply
>>> rename the host.
>>> 
>> 
>> Technically, the host wasn’t renamed; a new CentOS 7 host was added to
>> the existing IPA cluster that had 4 hosts (1 master CA) at CentOS 6
>> (using the documentation at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html),
>> it was promoted to the master CA, all of the C6 hosts were
>> decommissioned/removed from replication, and then a new set of C7 hosts
>> were created 

[Freeipa-users] Active Directory Trust = filter users

[Winfried de Heiden]

  
  
Hi all,
  
  Using an Active Directory Trust with IPA all works fine but
  there's an disadvantage: it might brong in lots and lots of groups
  I am not interested in since it mainly hit Windows and/or Office
  stuff.
  
  Now, is it possible to filter AD-groups? or: can I use an AD
  search base filter? (something like
  cn=linuxgroups,ou=allgroups,dc=example,dc=com)
  
  On a small scale ID views can be used, but it not a great
  solution. (for all new groups appearing in AD the ID view must be
  modified)
  
  Some sugestions or documentation on filtering AD groups?
  
  Winny
  

  


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA Consistency Checker

[Petr Spacek]

On 8.2.2016 20:38, Peter Pakos wrote:
> Just a quick heads-up,
> 
> The newest version of the ipa_check_consistency script comes with
> Nagios/Opsview plug-in functionality and some further improvements.
> 
> Feel free to take it for a spin!
> 
> https://github.com/peterpakos/ipa_check_consistency

Hi!

This is an interesting script.

BTW an effective way how to count entries in LDAP is to request base entry and
ask for 'numSubordinates' attribute, it contains number of child entries (on
that particular level, it does not count recursively).

Following should work, but I did not test it :-)
ldapsearch -LLLx -h "${server}.${DOMAIN}" \
  -D "$BINDDN" -w "$BINDPW" -b "cn=groups,cn=accounts,${SUFFIX}" -s base \
  "(objectClass=*)" "numSubordinates" 2>/dev/null \

It will be way way way faster and you will be able to eradicate Perl, which is
always a good thing :-)

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

[Rob Crittenden]

Timothy Geier wrote:



The debug log has a lot of instances of:

Could not connect to LDAP server host xxx. port 636 Error
netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
Internal Database Error encountered: Could not connect to LDAP server
host xxx. port 636 Error netscape.ldap.LDAPException: IO Error
creating JSS SSL Socket (-1)


The 389-ds access log may show connection attempts and you might be able 
to correlate from there.



but nothing else of note other than those errors.

We’ve also noticed lots of 500 errors in
/var/log/pki/pki-tomcat/localhost_access.log
[08/Feb/2016:10:34:29 -0600] "GET
/ca/ee/ca/profileSubmit?profileId=caServerCert_num=5=true=true
HTTP/1.1" 500 2134
[08/Feb/2016:10:34:32 -0600] "GET
/ca/ee/ca/profileSubmit?profileId=caServerCert_num=2=true=true
HTTP/1.1" 500 2134
[08/Feb/2016:10:34:50 -0600] "GET
/ca/ee/ca/profileSubmit?profileId=caServerCert_num=4=true=true
HTTP/1.1" 500 2134

which looks like certmonger is continuously trying to renew the 3 certs.

These dates and times from selftests.log are not accurate and are from
an earlier attempt to renew the certs while time shifted:

0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1]
SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1]
SelfTestSubsystem:  loading all self test plugin logger parameters
0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1]
SelfTestSubsystem:  loading all self test plugin instances
0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1]
SelfTestSubsystem:  loading all self test plugin instance parameters
0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1]
SelfTestSubsystem:  loading self test plugins in on-demand order
0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1]
SelfTestSubsystem:  loading self test plugins in startup order
0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1]
SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [15/Jan/2016:17:39:38 CST] [20] [1]
SelfTestSubsystem: Running self test plugins specified to be executed at
startup:
0.localhost-startStop-1 - [15/Jan/2016:17:39:38 CST] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Jan/2016:17:39:38 CST] [20] [1]
SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [15/Jan/2016:17:39:38 CST] [20] [1]
SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at
startup!

There’s nothing in that log with any February dates, so when we try to
start pki-tomcatd in real time, it's likely not even getting this far.


Some data is also stored in CS.cfg so you might ensure that the 
certificates stored there are correct as well.


There are a few entries in ou=People,o=ipaca that need to reflect the 
current state of certificates as well.





You mentioned privately that you renamed the IPA host. This is
probably what broke half of the renewals. The hosts and keytabs and
many entries in IPA have the hostname baked in so you can't simply
rename the host.



Technically, the host wasn’t renamed; a new CentOS 7 host was added to
the existing IPA cluster that had 4 hosts (1 master CA) at CentOS 6
(using the documentation at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html),
it was promoted to the master CA, all of the C6 hosts were
decommissioned/removed from replication, and then a new set of C7 hosts
were created and added as replicas.


Ok, you'll need to look at the host keytabs because something seems 
wrong with them. certmonger can't get a ticket using them. This could be 
because IPA isn't fully running but it is worth a look.



Is this the correct procedure to follow when time shifted?

- Stop IPA
- Change the system clock (and the hardware clock) to a point before the
expiration
- Start IPA
- Run getcert resubmit on the appropriate request IDs
- Stop IPA
- Return to real time
- Start IPA

We haven’t tried it this week yet but all attempts at it last week
failed without any indication as to why the certs weren’t renewing; are
there any other logs to check/other steps in the procedure?


Yes, that is correct.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0

[Nik Lam]

On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose  wrote:

> On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote:
> > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose  wrote:
> >
> > > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> > > > Hello,
> > > >
> > > > I installed ipa-server on Centos 7.1 and later did and upgrade of the
> > > whole
> > > > system to Centos 7.2.
> > > >
> > > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these
> > > > Centos/RHEL minor releases.
> > > >
> > > > We'd now like to try integrating with a 2FA provider via a radius
> proxy
> > > and
> > > > want to use anonymous PKINIT to secure the initial communications
> between
> > > > the client and the KDC.
> > > >
> > > > We've tried following the MIT Kerberos PKINIT configuration
> documentation
> > > >
> > > > http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html
> > > >
> > > > generating our own certs manually with openssl but haven't had any
> luck.
> > > > We're seeing this in the kdc log:
> > > >
> > > > preauth pkinit failed to initialize: No realms configured
> correctly
> > > for
> > > > pkinit support
> > >
> > > Which changes did you apply to krb5.conf? Did you use the IPA CA to
> sign
> > > the certificate or some other CA?
> > >
> > > >
> > > > I've noticed there are many new pkinit-related options that have been
> > > added
> > > > to the ipa-server-install script in 4.2.0, so it looks like PKINIT is
> > > > available in this version of FreeIPA. Is that the case?
> > >
> > > Which options are you referring to?
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > And if it is, what is the recommended way to enable it given that it
> > > seems
> > > > to have been disabled in the original install that I did? Or would it
> > > just
> > > > be easier to start from scratch with a 4.2.0 ipa-server-install?
> (It's a
> > > > test instance that doesn't have too much in it - it will take a
> several
> > > > hours to rebuild from scratch.)
> > > >
> > > > Regards,
> > > >
> > > > Nik
> > >
> > >
> > >
> > Thanks Sumit.
> >
> > It sounds like PKINIT is available but clearly I'm doing it wrong.
> >
> >  > Which changes did you apply to krb5.conf? Did you use the IPA CA to
> sign
> > the certificate or some other CA?
> >
> > Actually, I modified the kdc.conf file - placed the kdc.pem, kdckey.pem
> and
> > cacert.pem files in /var/kerberos/krb5kdc/ that I generated via openssl
> > commands in the MIT Kerberos documentation. The only change to kdc.conf
> > file was to append the location of the kdckey.pem file to
> pkinit_identity.
> >
> >   pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> >   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> >
> > became
> >
> >   pkinit_identity =
> > FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
> >   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> >
> > Should I have been modifying krb5.conf instead? It aslo sounds like I
> need
>
> no, kdc.conf is the right place, I actually meant kdc.conf but
> accidentially types krb5.conf.
>
> > to use a certificate signed by the IPAs CA - is this something that
> should
> > be generated using ipa-getcert? Or do I just find the IPA CA's private
> key
> > and use openssl following the MIT Kerberos documentation?
> >
> >  > Which options are you referring to?
> >
> > When I looked at the --help text for 4.1.0 and 4.2.0 versions of
> > ipa-server-install, I noticed that 4.2.0 has these in the "certificate
> > system options":
> >
> > --no-pkinit disables pkinit setup steps
> >
> > --pkinit-cert-file=FILE
> > File containing the Kerberos KDC SSL certificate
> and
> > private key
> >
> > --pkinit-pin=PINThe password to unlock the Kerberos KDC private
> key
> >
> > --pkinit-cert-name=NAME
> > Name of the Kerberos KDC SSL certificate to
> install
> >
> >
> > Seeing that first one, I was a little hopeful that pkinit is enabled by
> > default in 4.2.0 but on a fresh install I just tried, I'm still seeing
> the
>
> no, unfortunately pkinit is currently disabled by default
>
> > following in krb5kdc.log when IPA is started up, so clearly it isn't.
> >
> >   (Error): preauth pkinit failed to initialize: No realms configured
> > correctly for pkinit support
>
> I get the same error when I put the certificate and the key into
> separate files. Can you try to put both into one and use this for the
> pkinit_identity option?
>
> HTH
>
> bye,
> Sumit
>


Thanks Sumit, it did!

I concatenated the cert and the key into a single file and the error has
indeed gone away from krb5kdc.log

The odd thing is that I can't reproduce the error by splitting into two
separate files and restarting ipa.service again.

Ignoring that mystery, how do I go about setting up the WELLKNOWN/ANONYMOUS
principal?

I'm pretty sure it's needed for anonymous pkinit:

$ kinit
kinit: Generic 

Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0

[Sumit Bose]

On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote:
> On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose  wrote:
> 
> > On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote:
> > > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose  wrote:
> > >
> > > > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> > > > > Hello,
> > > > >
> > > > > I installed ipa-server on Centos 7.1 and later did and upgrade of the
> > > > whole
> > > > > system to Centos 7.2.
> > > > >
> > > > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these
> > > > > Centos/RHEL minor releases.
> > > > >
> > > > > We'd now like to try integrating with a 2FA provider via a radius
> > proxy
> > > > and
> > > > > want to use anonymous PKINIT to secure the initial communications
> > between
> > > > > the client and the KDC.
> > > > >
> > > > > We've tried following the MIT Kerberos PKINIT configuration
> > documentation
> > > > >
> > > > > http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html
> > > > >
> > > > > generating our own certs manually with openssl but haven't had any
> > luck.
> > > > > We're seeing this in the kdc log:
> > > > >
> > > > > preauth pkinit failed to initialize: No realms configured
> > correctly
> > > > for
> > > > > pkinit support
> > > >
> > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to
> > sign
> > > > the certificate or some other CA?
> > > >
> > > > >
> > > > > I've noticed there are many new pkinit-related options that have been
> > > > added
> > > > > to the ipa-server-install script in 4.2.0, so it looks like PKINIT is
> > > > > available in this version of FreeIPA. Is that the case?
> > > >
> > > > Which options are you referring to?
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > > >
> > > > > And if it is, what is the recommended way to enable it given that it
> > > > seems
> > > > > to have been disabled in the original install that I did? Or would it
> > > > just
> > > > > be easier to start from scratch with a 4.2.0 ipa-server-install?
> > (It's a
> > > > > test instance that doesn't have too much in it - it will take a
> > several
> > > > > hours to rebuild from scratch.)
> > > > >
> > > > > Regards,
> > > > >
> > > > > Nik
> > > >
> > > >
> > > >
> > > Thanks Sumit.
> > >
> > > It sounds like PKINIT is available but clearly I'm doing it wrong.
> > >
> > >  > Which changes did you apply to krb5.conf? Did you use the IPA CA to
> > sign
> > > the certificate or some other CA?
> > >
> > > Actually, I modified the kdc.conf file - placed the kdc.pem, kdckey.pem
> > and
> > > cacert.pem files in /var/kerberos/krb5kdc/ that I generated via openssl
> > > commands in the MIT Kerberos documentation. The only change to kdc.conf
> > > file was to append the location of the kdckey.pem file to
> > pkinit_identity.
> > >
> > >   pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> > >   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > >
> > > became
> > >
> > >   pkinit_identity =
> > > FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
> > >   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > >
> > > Should I have been modifying krb5.conf instead? It aslo sounds like I
> > need
> >
> > no, kdc.conf is the right place, I actually meant kdc.conf but
> > accidentially types krb5.conf.
> >
> > > to use a certificate signed by the IPAs CA - is this something that
> > should
> > > be generated using ipa-getcert? Or do I just find the IPA CA's private
> > key
> > > and use openssl following the MIT Kerberos documentation?
> > >
> > >  > Which options are you referring to?
> > >
> > > When I looked at the --help text for 4.1.0 and 4.2.0 versions of
> > > ipa-server-install, I noticed that 4.2.0 has these in the "certificate
> > > system options":
> > >
> > > --no-pkinit disables pkinit setup steps
> > >
> > > --pkinit-cert-file=FILE
> > > File containing the Kerberos KDC SSL certificate
> > and
> > > private key
> > >
> > > --pkinit-pin=PINThe password to unlock the Kerberos KDC private
> > key
> > >
> > > --pkinit-cert-name=NAME
> > > Name of the Kerberos KDC SSL certificate to
> > install
> > >
> > >
> > > Seeing that first one, I was a little hopeful that pkinit is enabled by
> > > default in 4.2.0 but on a fresh install I just tried, I'm still seeing
> > the
> >
> > no, unfortunately pkinit is currently disabled by default
> >
> > > following in krb5kdc.log when IPA is started up, so clearly it isn't.
> > >
> > >   (Error): preauth pkinit failed to initialize: No realms configured
> > > correctly for pkinit support
> >
> > I get the same error when I put the certificate and the key into
> > separate files. Can you try to put both into one and use this for the
> > pkinit_identity option?
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> 
> 
> Thanks Sumit, it did!
> 
> I concatenated the cert and the 

[Freeipa-users] sudo runs despite being denied by HBAC rules

[Ian Collier]

Can anyone help me to understand these logs... is there maybe a bug here?

The basic situation is that there is no HBAC rule that would allow
sudo.  When people try it, sss accepts their password but then denies
them access to the sudo command.  But despite this, our logs still
contain some entries indicating that sudo was actually run. Of course
the sudoers file then denied them access and sent the sysadmin an
email.

Here's a journal extract:

Feb 09 11:34:58 hostname sudo[24453]: pam_unix(sudo:auth): authentication 
failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost=  
user=
Feb 09 11:34:58 hostname sudo[24453]: pam_sss(sudo:auth): authentication 
success; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= 
user=
Feb 09 11:34:58 hostname audit[24453]:  pid=24453 uid=12113 
auid=12113 ses=54 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss 
acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 
res=success'
Feb 09 11:34:58 hostname sudo[24453]: pam_sss(sudo:account): Access denied for 
user : 6 (Permission denied)
Feb 09 11:34:58 hostname audit[24453]:  pid=24453 uid=12113 
auid=12113 ses=54 msg='op=PAM:accounting grantors=? acct="" 
exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Feb 09 11:35:05 hostname sudo[24453]: pam_sss(sudo:auth): authentication 
success; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= 
user=
Feb 09 11:35:05 hostname audit[24453]:  pid=24453 uid=12113 
auid=12113 ses=54 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss 
acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 
res=success'
Feb 09 11:35:05 hostname sudo[24453]: pam_sss(sudo:account): Access denied for 
user : 6 (Permission denied)
Feb 09 11:35:05 hostname audit[24453]:  pid=24453 uid=12113 
auid=12113 ses=54 msg='op=PAM:accounting grantors=? acct="" 
exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Feb 09 11:35:08 hostname sudo[24453]: pam_unix(sudo:auth): auth could not 
identify password for []
Feb 09 11:35:08 hostname sudo[24453]: pam_sss(sudo:auth): authentication 
failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= 
user=
Feb 09 11:35:08 hostname sudo[24453]: pam_sss(sudo:auth): received for user 
: 7 (Authentication failure)
Feb 09 11:35:08 hostname audit[24453]:  pid=24453 uid=12113 
auid=12113 ses=54 msg='op=PAM:authentication grantors=? acct="" 
exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Feb 09 11:35:08 hostname audit[24453]:  pid=24453 uid=12113 
auid=12113 ses=54 msg='cwd=2F6175xxx cmd=617074xxx terminal=pts/1 res=failed'
Feb 09 11:35:08 hostname audit[24453]:  pid=24453 uid=12113 
auid=12113 ses=54 msg='cwd=2F6175xxx cmd=617074xxx terminal=pts/1 res=failed'
Feb 09 11:35:08 hostname sudo[24453]:   : user NOT in sudoers ; TTY=pts/1 ; 
PWD=/x ; USER=root ; COMMAND=x
Feb 09 11:35:09 hostname sSMTP[24463]: Sent mail for r...@cs.ox.ac.uk (221 
mail.cs.ox.ac.uk closing connection) uid=0 =root outbytes=607

What this seems to say:

 1. pam_unix failed the password (expected because passwords are managed by IPA)
 2. pam_sss accepted the password
 3. pam_sss denied access to sudo:account

 Presumably sudo asked the user to try again and they re-typed the password

 4. pam_sss accepted the password
 5. pam_sss denied access to sudo:account

 6. Three seconds later pam_unix said it "could not identify password" (?)
 7. This time pam_sss failed the password and returned 7 (Authentication 
failure)
 8. sudo ran anyway!

I can't duplicate this behaviour myself but looking through the logs in
our computer lab there are a few of these.  See for instance the following
which appears to deny access three times and then just run it anyway:

Feb 02 10:31:12 hostname2 sudo[24468]: pam_unix(sudo:auth): authentication 
failure; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost=  
user=xyyx
Feb 02 10:31:14 hostname2 sudo[24468]: pam_sss(sudo:auth): authentication 
success; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost= 
user=xyyx
Feb 02 10:31:14 hostname2 audit[24468]:  pid=24468 uid=12106 
auid=12106 ses=39 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss 
acct="xyyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 
res=success'
Feb 02 10:31:15 hostname2 sudo[24468]: pam_sss(sudo:account): Access denied for 
user xyyx: 6 (Permission denied)
Feb 02 10:31:15 hostname2 audit[24468]:  pid=24468 uid=12106 
auid=12106 ses=39 msg='op=PAM:accounting grantors=? acct="xyyx" 
exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Feb 02 10:31:26 hostname2 sudo[24468]: pam_sss(sudo:auth): authentication 
success; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost= 
user=xyyx
Feb 02 10:31:26 hostname2 audit[24468]:  pid=24468 uid=12106 
auid=12106 ses=39 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss 
acct="xyyx" 

[Freeipa-users] Migrating NIS host to freeIPA host with smart card

[Michael Rainey (Contractor)]

Greetings,

I have a question about migrating a system from NIS to freeIPA.  In my 
efforts of setting up a host on freeIPA I would normally use a fresh 
install to setup the system.  I'm now at a point where I'm moving 
existing systems from an NIS domain to a freeIPA domain.  Is it 
recommended to perform a clean install for every new host added to the 
domain?


During my testing, I have found running the ipa-client-install command 
does a great job of adding the host to the domain, but when I try to use 
the smart card it is never recognized by gdm.  I tried tweaking some of 
the configurations to get GDM to recognize the card with no luck.  Is 
there a checklist available that I could follow to make sure everything 
is configured properly?  All configurations work when using a username 
and password.

--
*Michael Rainey*
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0

[Nik Lam]

On Wed, Feb 10, 2016 at 3:04 AM, Sumit Bose  wrote:

> On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote:
> > On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose  wrote:
> >
> > > On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote:
> > > > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose  wrote:
> > > >
> > > > > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> > > > > > Hello,
> > > > > >
> > > > > > I installed ipa-server on Centos 7.1 and later did and upgrade
> of the
> > > > > whole
> > > > > > system to Centos 7.2.
> > > > > >
> > > > > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between
> these
> > > > > > Centos/RHEL minor releases.
> > > > > >
> > > > > > We'd now like to try integrating with a 2FA provider via a radius
> > > proxy
> > > > > and
> > > > > > want to use anonymous PKINIT to secure the initial communications
> > > between
> > > > > > the client and the KDC.
> > > > > >
> > > > > > We've tried following the MIT Kerberos PKINIT configuration
> > > documentation
> > > > > >
> > > > > > http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html
> > > > > >
> > > > > > generating our own certs manually with openssl but haven't had
> any
> > > luck.
> > > > > > We're seeing this in the kdc log:
> > > > > >
> > > > > > preauth pkinit failed to initialize: No realms configured
> > > correctly
> > > > > for
> > > > > > pkinit support
> > > > >
> > > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to
> > > sign
> > > > > the certificate or some other CA?
> > > > >
> > > > > >
> > > > > > I've noticed there are many new pkinit-related options that have
> been
> > > > > added
> > > > > > to the ipa-server-install script in 4.2.0, so it looks like
> PKINIT is
> > > > > > available in this version of FreeIPA. Is that the case?
> > > > >
> > > > > Which options are you referring to?
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > > > >
> > > > > > And if it is, what is the recommended way to enable it given
> that it
> > > > > seems
> > > > > > to have been disabled in the original install that I did? Or
> would it
> > > > > just
> > > > > > be easier to start from scratch with a 4.2.0 ipa-server-install?
> > > (It's a
> > > > > > test instance that doesn't have too much in it - it will take a
> > > several
> > > > > > hours to rebuild from scratch.)
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Nik
> > > > >
> > > > >
> > > > >
> > > > Thanks Sumit.
> > > >
> > > > It sounds like PKINIT is available but clearly I'm doing it wrong.
> > > >
> > > >  > Which changes did you apply to krb5.conf? Did you use the IPA CA
> to
> > > sign
> > > > the certificate or some other CA?
> > > >
> > > > Actually, I modified the kdc.conf file - placed the kdc.pem,
> kdckey.pem
> > > and
> > > > cacert.pem files in /var/kerberos/krb5kdc/ that I generated via
> openssl
> > > > commands in the MIT Kerberos documentation. The only change to
> kdc.conf
> > > > file was to append the location of the kdckey.pem file to
> > > pkinit_identity.
> > > >
> > > >   pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> > > >   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > > >
> > > > became
> > > >
> > > >   pkinit_identity =
> > > > FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
> > > >   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > > >
> > > > Should I have been modifying krb5.conf instead? It aslo sounds like I
> > > need
> > >
> > > no, kdc.conf is the right place, I actually meant kdc.conf but
> > > accidentially types krb5.conf.
> > >
> > > > to use a certificate signed by the IPAs CA - is this something that
> > > should
> > > > be generated using ipa-getcert? Or do I just find the IPA CA's
> private
> > > key
> > > > and use openssl following the MIT Kerberos documentation?
> > > >
> > > >  > Which options are you referring to?
> > > >
> > > > When I looked at the --help text for 4.1.0 and 4.2.0 versions of
> > > > ipa-server-install, I noticed that 4.2.0 has these in the
> "certificate
> > > > system options":
> > > >
> > > > --no-pkinit disables pkinit setup steps
> > > >
> > > > --pkinit-cert-file=FILE
> > > > File containing the Kerberos KDC SSL
> certificate
> > > and
> > > > private key
> > > >
> > > > --pkinit-pin=PINThe password to unlock the Kerberos KDC
> private
> > > key
> > > >
> > > > --pkinit-cert-name=NAME
> > > > Name of the Kerberos KDC SSL certificate to
> > > install
> > > >
> > > >
> > > > Seeing that first one, I was a little hopeful that pkinit is enabled
> by
> > > > default in 4.2.0 but on a fresh install I just tried, I'm still
> seeing
> > > the
> > >
> > > no, unfortunately pkinit is currently disabled by default
> > >
> > > > following in krb5kdc.log when IPA is started up, so clearly it isn't.
> > > >
> > > >   (Error): 

[Freeipa-users] Where should I create my Linux and Mac users in a AD IPA trust?

[Supratik Goswami]

I am currently running IPA server 4.2 in RHEL 7.2 and I have created a
two-way trust between
my Windows AD and IPA server.

I have a heterogeneous environment where I have Windows, Linux and Mac
clients.

The Windows users are present in AD and they can access the resources under
IPA through the trust relationship.

What are the pros and cons

1. When I create Linux and Mac users in the AD.

2. When I create Linux and Mac users in IPA



-- 
Warm Regards

Supratik
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project