Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
> On Feb 9, 2016, at 2:58 AM, Rob Crittendenwrote: > > Timothy Geier wrote: >> >> >> The debug log has a lot of instances of: >> >> Could not connect to LDAP server host xxx. port 636 Error >> netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1) >> Internal Database Error encountered: Could not connect to LDAP server >> host xxx. port 636 Error netscape.ldap.LDAPException: IO Error >> creating JSS SSL Socket (-1) > > The 389-ds access log may show connection attempts and you might be able to > correlate from there. > [09/Feb/2016:12:55:41 -0600] conn=109598 fd=287 slot=287 SSL connection from master_ip to master_ip [09/Feb/2016:12:55:41 -0600] conn=109597 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [09/Feb/2016:12:55:41 -0600] conn=109597 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [09/Feb/2016:12:55:41 -0600] conn=109598 Netscape Portable Runtime error -8181 (Peer's Certificate has expired.); unauthenticated client CN=CA Subsystem,O=XXX.NET; issuer CN=Certificate Authority,O=XXX.NET [09/Feb/2016:12:55:41 -0600] conn=109598 op=-1 fd=287 closed - Peer's Certificate has expired. > > Some data is also stored in CS.cfg so you might ensure that the certificates > stored there are correct as well. > CS.cfg is correct/restored from backup. > There are a few entries in ou=People,o=ipaca that need to reflect the current > state of certificates as well. > While looking in cn=config for any o=ipaca entries, the following popped up..it looks like most of the old replicas and the old master hostnames weren’t properly cleaned up and there’s still RUVs for them..nsDS5ReplicaHost and Port also seem to be improperly set: cn=cloneAgreement1-current-master.X.net-pki-tomcat,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config cn: cloneAgreement1-current-master.X.net-pki-tomcat description: cloneAgreement1-current-master.X.net-pki-tomcat nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-current-master.X.net-pki-tomcat,ou=csusers,cn=config nsDS5ReplicaBindMethod: Simple nsDS5ReplicaHost: old-master.X.net nsDS5ReplicaPort: 7389 nsDS5ReplicaRoot: o=ipaca nsDS5ReplicaTransportInfo: TLS nsds50ruv: {replicageneration} 5304e0780060 nsds50ruv: {replica 96 ldap://old-master.X.net:7389} 5304e0840060 561f3e8f00050060 nsds50ruv: {replica 81 ldap://current-master.X.net:389} 561f361b0051 561f369c0051 nsds50ruv: {replica 86 ldap://old-replica3.X.net:7389} 53f7b70d0056 5616ad6400090056 nsds50ruv: {replica 91 ldap://old-replica2.X.net:7389} 53a841e5005b 5616ad5f0005005b nsds50ruv: {replica 97 ldap://old-replica2.X.net:7389} 5304e0800061 539b4f9600010061 nsruvReplicaLastModified: {replica 96 ldap://old-master.X.net:7389} nsruvReplicaLastModified: {replica 81 ldap://current-master.X.net:389} nsruvReplicaLastModified: {replica 86 ldap://old-replica3.X.net:7389} nsruvReplicaLastModified: {replica 91 ldap://old-replica2.X.net:7389} nsruvReplicaLastModified: {replica 97 ldap://old-replica2.X.net:7389} objectClass: top objectClass: nsds5replicationagreement nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 1970010100Z nsds5replicaLastUpdateEnd: 1970010100Z nsds5replicaChangesSentSinceStartup: nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 1970010100Z nsds5replicaLastInitEnd: 1970010100Z cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config cn: replica nsDS5Flags: 1 nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-current-master.X.net-pki-tomcat,ou=csusers,cn=config nsDS5ReplicaId: 81 nsDS5ReplicaName: 56db714e-72e411e5-87dbe691-e12b51f2 nsDS5ReplicaRoot: o=ipaca nsDS5ReplicaType: 3 nsState:: UQDkWbdWwCYBAA== objectClass: top objectClass: nsDS5Replica objectClass: extensibleobject nsds5ReplicaChangeCount: 11463 nsds5replicareapactive: 0 ou=People doesn’t seem to exist in either the main tree or cn=config. >> >>> You mentioned privately that you renamed the IPA host. This is >>> probably what broke half of the renewals. The hosts and keytabs and >>> many entries in IPA have the hostname baked in so you can't simply >>> rename the host. >>> >> >> Technically, the host wasn’t renamed; a new CentOS 7 host was added to >> the existing IPA cluster that had 4 hosts (1 master CA) at CentOS 6 >> (using the documentation at >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html), >> it was promoted to the master CA, all of the C6 hosts were >> decommissioned/removed from replication, and then a new set of C7 hosts >> were created
[Freeipa-users] Active Directory Trust = filter users
Hi all, Using an Active Directory Trust with IPA all works fine but there's an disadvantage: it might brong in lots and lots of groups I am not interested in since it mainly hit Windows and/or Office stuff. Now, is it possible to filter AD-groups? or: can I use an AD search base filter? (something like cn=linuxgroups,ou=allgroups,dc=example,dc=com) On a small scale ID views can be used, but it not a great solution. (for all new groups appearing in AD the ID view must be modified) Some sugestions or documentation on filtering AD groups? Winny -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA Consistency Checker
On 8.2.2016 20:38, Peter Pakos wrote: > Just a quick heads-up, > > The newest version of the ipa_check_consistency script comes with > Nagios/Opsview plug-in functionality and some further improvements. > > Feel free to take it for a spin! > > https://github.com/peterpakos/ipa_check_consistency Hi! This is an interesting script. BTW an effective way how to count entries in LDAP is to request base entry and ask for 'numSubordinates' attribute, it contains number of child entries (on that particular level, it does not count recursively). Following should work, but I did not test it :-) ldapsearch -LLLx -h "${server}.${DOMAIN}" \ -D "$BINDDN" -w "$BINDPW" -b "cn=groups,cn=accounts,${SUFFIX}" -s base \ "(objectClass=*)" "numSubordinates" 2>/dev/null \ It will be way way way faster and you will be able to eradicate Perl, which is always a good thing :-) -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
Timothy Geier wrote: The debug log has a lot of instances of: Could not connect to LDAP server host xxx. port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1) Internal Database Error encountered: Could not connect to LDAP server host xxx. port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1) The 389-ds access log may show connection attempts and you might be able to correlate from there. but nothing else of note other than those errors. We’ve also noticed lots of 500 errors in /var/log/pki/pki-tomcat/localhost_access.log [08/Feb/2016:10:34:29 -0600] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert_num=5=true=true HTTP/1.1" 500 2134 [08/Feb/2016:10:34:32 -0600] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert_num=2=true=true HTTP/1.1" 500 2134 [08/Feb/2016:10:34:50 -0600] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert_num=4=true=true HTTP/1.1" 500 2134 which looks like certmonger is continuously trying to renew the 3 certs. These dates and times from selftests.log are not accurate and are from an earlier attempt to renew the certs while time shifted: 0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1] SelfTestSubsystem: Initializing self test plugins: 0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters 0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1] SelfTestSubsystem: loading all self test plugin instances 0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters 0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order 0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order 0.localhost-startStop-1 - [15/Jan/2016:17:39:34 CST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded! 0.localhost-startStop-1 - [15/Jan/2016:17:39:38 CST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 0.localhost-startStop-1 - [15/Jan/2016:17:39:38 CST] [20] [1] CAPresence: CA is present 0.localhost-startStop-1 - [15/Jan/2016:17:39:38 CST] [20] [1] SystemCertsVerification: system certs verification success 0.localhost-startStop-1 - [15/Jan/2016:17:39:38 CST] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup! There’s nothing in that log with any February dates, so when we try to start pki-tomcatd in real time, it's likely not even getting this far. Some data is also stored in CS.cfg so you might ensure that the certificates stored there are correct as well. There are a few entries in ou=People,o=ipaca that need to reflect the current state of certificates as well. You mentioned privately that you renamed the IPA host. This is probably what broke half of the renewals. The hosts and keytabs and many entries in IPA have the hostname baked in so you can't simply rename the host. Technically, the host wasn’t renamed; a new CentOS 7 host was added to the existing IPA cluster that had 4 hosts (1 master CA) at CentOS 6 (using the documentation at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html), it was promoted to the master CA, all of the C6 hosts were decommissioned/removed from replication, and then a new set of C7 hosts were created and added as replicas. Ok, you'll need to look at the host keytabs because something seems wrong with them. certmonger can't get a ticket using them. This could be because IPA isn't fully running but it is worth a look. Is this the correct procedure to follow when time shifted? - Stop IPA - Change the system clock (and the hardware clock) to a point before the expiration - Start IPA - Run getcert resubmit on the appropriate request IDs - Stop IPA - Return to real time - Start IPA We haven’t tried it this week yet but all attempts at it last week failed without any indication as to why the certs weren’t renewing; are there any other logs to check/other steps in the procedure? Yes, that is correct. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0
On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bosewrote: > On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote: > > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose wrote: > > > > > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote: > > > > Hello, > > > > > > > > I installed ipa-server on Centos 7.1 and later did and upgrade of the > > > whole > > > > system to Centos 7.2. > > > > > > > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these > > > > Centos/RHEL minor releases. > > > > > > > > We'd now like to try integrating with a 2FA provider via a radius > proxy > > > and > > > > want to use anonymous PKINIT to secure the initial communications > between > > > > the client and the KDC. > > > > > > > > We've tried following the MIT Kerberos PKINIT configuration > documentation > > > > > > > > http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html > > > > > > > > generating our own certs manually with openssl but haven't had any > luck. > > > > We're seeing this in the kdc log: > > > > > > > > preauth pkinit failed to initialize: No realms configured > correctly > > > for > > > > pkinit support > > > > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to > sign > > > the certificate or some other CA? > > > > > > > > > > > I've noticed there are many new pkinit-related options that have been > > > added > > > > to the ipa-server-install script in 4.2.0, so it looks like PKINIT is > > > > available in this version of FreeIPA. Is that the case? > > > > > > Which options are you referring to? > > > > > > bye, > > > Sumit > > > > > > > > > > > And if it is, what is the recommended way to enable it given that it > > > seems > > > > to have been disabled in the original install that I did? Or would it > > > just > > > > be easier to start from scratch with a 4.2.0 ipa-server-install? > (It's a > > > > test instance that doesn't have too much in it - it will take a > several > > > > hours to rebuild from scratch.) > > > > > > > > Regards, > > > > > > > > Nik > > > > > > > > > > > Thanks Sumit. > > > > It sounds like PKINIT is available but clearly I'm doing it wrong. > > > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to > sign > > the certificate or some other CA? > > > > Actually, I modified the kdc.conf file - placed the kdc.pem, kdckey.pem > and > > cacert.pem files in /var/kerberos/krb5kdc/ that I generated via openssl > > commands in the MIT Kerberos documentation. The only change to kdc.conf > > file was to append the location of the kdckey.pem file to > pkinit_identity. > > > > pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem > > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem > > > > became > > > > pkinit_identity = > > FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem > > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem > > > > Should I have been modifying krb5.conf instead? It aslo sounds like I > need > > no, kdc.conf is the right place, I actually meant kdc.conf but > accidentially types krb5.conf. > > > to use a certificate signed by the IPAs CA - is this something that > should > > be generated using ipa-getcert? Or do I just find the IPA CA's private > key > > and use openssl following the MIT Kerberos documentation? > > > > > Which options are you referring to? > > > > When I looked at the --help text for 4.1.0 and 4.2.0 versions of > > ipa-server-install, I noticed that 4.2.0 has these in the "certificate > > system options": > > > > --no-pkinit disables pkinit setup steps > > > > --pkinit-cert-file=FILE > > File containing the Kerberos KDC SSL certificate > and > > private key > > > > --pkinit-pin=PINThe password to unlock the Kerberos KDC private > key > > > > --pkinit-cert-name=NAME > > Name of the Kerberos KDC SSL certificate to > install > > > > > > Seeing that first one, I was a little hopeful that pkinit is enabled by > > default in 4.2.0 but on a fresh install I just tried, I'm still seeing > the > > no, unfortunately pkinit is currently disabled by default > > > following in krb5kdc.log when IPA is started up, so clearly it isn't. > > > > (Error): preauth pkinit failed to initialize: No realms configured > > correctly for pkinit support > > I get the same error when I put the certificate and the key into > separate files. Can you try to put both into one and use this for the > pkinit_identity option? > > HTH > > bye, > Sumit > Thanks Sumit, it did! I concatenated the cert and the key into a single file and the error has indeed gone away from krb5kdc.log The odd thing is that I can't reproduce the error by splitting into two separate files and restarting ipa.service again. Ignoring that mystery, how do I go about setting up the WELLKNOWN/ANONYMOUS principal? I'm pretty sure it's needed for anonymous pkinit: $ kinit kinit: Generic
Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0
On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote: > On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bosewrote: > > > On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote: > > > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose wrote: > > > > > > > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote: > > > > > Hello, > > > > > > > > > > I installed ipa-server on Centos 7.1 and later did and upgrade of the > > > > whole > > > > > system to Centos 7.2. > > > > > > > > > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these > > > > > Centos/RHEL minor releases. > > > > > > > > > > We'd now like to try integrating with a 2FA provider via a radius > > proxy > > > > and > > > > > want to use anonymous PKINIT to secure the initial communications > > between > > > > > the client and the KDC. > > > > > > > > > > We've tried following the MIT Kerberos PKINIT configuration > > documentation > > > > > > > > > > http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html > > > > > > > > > > generating our own certs manually with openssl but haven't had any > > luck. > > > > > We're seeing this in the kdc log: > > > > > > > > > > preauth pkinit failed to initialize: No realms configured > > correctly > > > > for > > > > > pkinit support > > > > > > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to > > sign > > > > the certificate or some other CA? > > > > > > > > > > > > > > I've noticed there are many new pkinit-related options that have been > > > > added > > > > > to the ipa-server-install script in 4.2.0, so it looks like PKINIT is > > > > > available in this version of FreeIPA. Is that the case? > > > > > > > > Which options are you referring to? > > > > > > > > bye, > > > > Sumit > > > > > > > > > > > > > > And if it is, what is the recommended way to enable it given that it > > > > seems > > > > > to have been disabled in the original install that I did? Or would it > > > > just > > > > > be easier to start from scratch with a 4.2.0 ipa-server-install? > > (It's a > > > > > test instance that doesn't have too much in it - it will take a > > several > > > > > hours to rebuild from scratch.) > > > > > > > > > > Regards, > > > > > > > > > > Nik > > > > > > > > > > > > > > > Thanks Sumit. > > > > > > It sounds like PKINIT is available but clearly I'm doing it wrong. > > > > > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to > > sign > > > the certificate or some other CA? > > > > > > Actually, I modified the kdc.conf file - placed the kdc.pem, kdckey.pem > > and > > > cacert.pem files in /var/kerberos/krb5kdc/ that I generated via openssl > > > commands in the MIT Kerberos documentation. The only change to kdc.conf > > > file was to append the location of the kdckey.pem file to > > pkinit_identity. > > > > > > pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem > > > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem > > > > > > became > > > > > > pkinit_identity = > > > FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem > > > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem > > > > > > Should I have been modifying krb5.conf instead? It aslo sounds like I > > need > > > > no, kdc.conf is the right place, I actually meant kdc.conf but > > accidentially types krb5.conf. > > > > > to use a certificate signed by the IPAs CA - is this something that > > should > > > be generated using ipa-getcert? Or do I just find the IPA CA's private > > key > > > and use openssl following the MIT Kerberos documentation? > > > > > > > Which options are you referring to? > > > > > > When I looked at the --help text for 4.1.0 and 4.2.0 versions of > > > ipa-server-install, I noticed that 4.2.0 has these in the "certificate > > > system options": > > > > > > --no-pkinit disables pkinit setup steps > > > > > > --pkinit-cert-file=FILE > > > File containing the Kerberos KDC SSL certificate > > and > > > private key > > > > > > --pkinit-pin=PINThe password to unlock the Kerberos KDC private > > key > > > > > > --pkinit-cert-name=NAME > > > Name of the Kerberos KDC SSL certificate to > > install > > > > > > > > > Seeing that first one, I was a little hopeful that pkinit is enabled by > > > default in 4.2.0 but on a fresh install I just tried, I'm still seeing > > the > > > > no, unfortunately pkinit is currently disabled by default > > > > > following in krb5kdc.log when IPA is started up, so clearly it isn't. > > > > > > (Error): preauth pkinit failed to initialize: No realms configured > > > correctly for pkinit support > > > > I get the same error when I put the certificate and the key into > > separate files. Can you try to put both into one and use this for the > > pkinit_identity option? > > > > HTH > > > > bye, > > Sumit > > > > > Thanks Sumit, it did! > > I concatenated the cert and the
[Freeipa-users] sudo runs despite being denied by HBAC rules
Can anyone help me to understand these logs... is there maybe a bug here? The basic situation is that there is no HBAC rule that would allow sudo. When people try it, sss accepts their password but then denies them access to the sudo command. But despite this, our logs still contain some entries indicating that sudo was actually run. Of course the sudoers file then denied them access and sent the sysadmin an email. Here's a journal extract: Feb 09 11:34:58 hostname sudo[24453]: pam_unix(sudo:auth): authentication failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user= Feb 09 11:34:58 hostname sudo[24453]: pam_sss(sudo:auth): authentication success; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user= Feb 09 11:34:58 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success' Feb 09 11:34:58 hostname sudo[24453]: pam_sss(sudo:account): Access denied for user : 6 (Permission denied) Feb 09 11:34:58 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='op=PAM:accounting grantors=? acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed' Feb 09 11:35:05 hostname sudo[24453]: pam_sss(sudo:auth): authentication success; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user= Feb 09 11:35:05 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success' Feb 09 11:35:05 hostname sudo[24453]: pam_sss(sudo:account): Access denied for user : 6 (Permission denied) Feb 09 11:35:05 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='op=PAM:accounting grantors=? acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed' Feb 09 11:35:08 hostname sudo[24453]: pam_unix(sudo:auth): auth could not identify password for [] Feb 09 11:35:08 hostname sudo[24453]: pam_sss(sudo:auth): authentication failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user= Feb 09 11:35:08 hostname sudo[24453]: pam_sss(sudo:auth): received for user : 7 (Authentication failure) Feb 09 11:35:08 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='op=PAM:authentication grantors=? acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed' Feb 09 11:35:08 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='cwd=2F6175xxx cmd=617074xxx terminal=pts/1 res=failed' Feb 09 11:35:08 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='cwd=2F6175xxx cmd=617074xxx terminal=pts/1 res=failed' Feb 09 11:35:08 hostname sudo[24453]: : user NOT in sudoers ; TTY=pts/1 ; PWD=/x ; USER=root ; COMMAND=x Feb 09 11:35:09 hostname sSMTP[24463]: Sent mail for r...@cs.ox.ac.uk (221 mail.cs.ox.ac.uk closing connection) uid=0 =root outbytes=607 What this seems to say: 1. pam_unix failed the password (expected because passwords are managed by IPA) 2. pam_sss accepted the password 3. pam_sss denied access to sudo:account Presumably sudo asked the user to try again and they re-typed the password 4. pam_sss accepted the password 5. pam_sss denied access to sudo:account 6. Three seconds later pam_unix said it "could not identify password" (?) 7. This time pam_sss failed the password and returned 7 (Authentication failure) 8. sudo ran anyway! I can't duplicate this behaviour myself but looking through the logs in our computer lab there are a few of these. See for instance the following which appears to deny access three times and then just run it anyway: Feb 02 10:31:12 hostname2 sudo[24468]: pam_unix(sudo:auth): authentication failure; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost= user=xyyx Feb 02 10:31:14 hostname2 sudo[24468]: pam_sss(sudo:auth): authentication success; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost= user=xyyx Feb 02 10:31:14 hostname2 audit[24468]: pid=24468 uid=12106 auid=12106 ses=39 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="xyyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success' Feb 02 10:31:15 hostname2 sudo[24468]: pam_sss(sudo:account): Access denied for user xyyx: 6 (Permission denied) Feb 02 10:31:15 hostname2 audit[24468]: pid=24468 uid=12106 auid=12106 ses=39 msg='op=PAM:accounting grantors=? acct="xyyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed' Feb 02 10:31:26 hostname2 sudo[24468]: pam_sss(sudo:auth): authentication success; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost= user=xyyx Feb 02 10:31:26 hostname2 audit[24468]: pid=24468 uid=12106 auid=12106 ses=39 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="xyyx"
[Freeipa-users] Migrating NIS host to freeIPA host with smart card
Greetings, I have a question about migrating a system from NIS to freeIPA. In my efforts of setting up a host on freeIPA I would normally use a fresh install to setup the system. I'm now at a point where I'm moving existing systems from an NIS domain to a freeIPA domain. Is it recommended to perform a clean install for every new host added to the domain? During my testing, I have found running the ipa-client-install command does a great job of adding the host to the domain, but when I try to use the smart card it is never recognized by gdm. I tried tweaking some of the configurations to get GDM to recognize the card with no luck. Is there a checklist available that I could follow to make sure everything is configured properly? All configurations work when using a username and password. -- *Michael Rainey* -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0
On Wed, Feb 10, 2016 at 3:04 AM, Sumit Bosewrote: > On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote: > > On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose wrote: > > > > > On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote: > > > > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose wrote: > > > > > > > > > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote: > > > > > > Hello, > > > > > > > > > > > > I installed ipa-server on Centos 7.1 and later did and upgrade > of the > > > > > whole > > > > > > system to Centos 7.2. > > > > > > > > > > > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between > these > > > > > > Centos/RHEL minor releases. > > > > > > > > > > > > We'd now like to try integrating with a 2FA provider via a radius > > > proxy > > > > > and > > > > > > want to use anonymous PKINIT to secure the initial communications > > > between > > > > > > the client and the KDC. > > > > > > > > > > > > We've tried following the MIT Kerberos PKINIT configuration > > > documentation > > > > > > > > > > > > http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html > > > > > > > > > > > > generating our own certs manually with openssl but haven't had > any > > > luck. > > > > > > We're seeing this in the kdc log: > > > > > > > > > > > > preauth pkinit failed to initialize: No realms configured > > > correctly > > > > > for > > > > > > pkinit support > > > > > > > > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to > > > sign > > > > > the certificate or some other CA? > > > > > > > > > > > > > > > > > I've noticed there are many new pkinit-related options that have > been > > > > > added > > > > > > to the ipa-server-install script in 4.2.0, so it looks like > PKINIT is > > > > > > available in this version of FreeIPA. Is that the case? > > > > > > > > > > Which options are you referring to? > > > > > > > > > > bye, > > > > > Sumit > > > > > > > > > > > > > > > > > And if it is, what is the recommended way to enable it given > that it > > > > > seems > > > > > > to have been disabled in the original install that I did? Or > would it > > > > > just > > > > > > be easier to start from scratch with a 4.2.0 ipa-server-install? > > > (It's a > > > > > > test instance that doesn't have too much in it - it will take a > > > several > > > > > > hours to rebuild from scratch.) > > > > > > > > > > > > Regards, > > > > > > > > > > > > Nik > > > > > > > > > > > > > > > > > > > Thanks Sumit. > > > > > > > > It sounds like PKINIT is available but clearly I'm doing it wrong. > > > > > > > > > Which changes did you apply to krb5.conf? Did you use the IPA CA > to > > > sign > > > > the certificate or some other CA? > > > > > > > > Actually, I modified the kdc.conf file - placed the kdc.pem, > kdckey.pem > > > and > > > > cacert.pem files in /var/kerberos/krb5kdc/ that I generated via > openssl > > > > commands in the MIT Kerberos documentation. The only change to > kdc.conf > > > > file was to append the location of the kdckey.pem file to > > > pkinit_identity. > > > > > > > > pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem > > > > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem > > > > > > > > became > > > > > > > > pkinit_identity = > > > > FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem > > > > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem > > > > > > > > Should I have been modifying krb5.conf instead? It aslo sounds like I > > > need > > > > > > no, kdc.conf is the right place, I actually meant kdc.conf but > > > accidentially types krb5.conf. > > > > > > > to use a certificate signed by the IPAs CA - is this something that > > > should > > > > be generated using ipa-getcert? Or do I just find the IPA CA's > private > > > key > > > > and use openssl following the MIT Kerberos documentation? > > > > > > > > > Which options are you referring to? > > > > > > > > When I looked at the --help text for 4.1.0 and 4.2.0 versions of > > > > ipa-server-install, I noticed that 4.2.0 has these in the > "certificate > > > > system options": > > > > > > > > --no-pkinit disables pkinit setup steps > > > > > > > > --pkinit-cert-file=FILE > > > > File containing the Kerberos KDC SSL > certificate > > > and > > > > private key > > > > > > > > --pkinit-pin=PINThe password to unlock the Kerberos KDC > private > > > key > > > > > > > > --pkinit-cert-name=NAME > > > > Name of the Kerberos KDC SSL certificate to > > > install > > > > > > > > > > > > Seeing that first one, I was a little hopeful that pkinit is enabled > by > > > > default in 4.2.0 but on a fresh install I just tried, I'm still > seeing > > > the > > > > > > no, unfortunately pkinit is currently disabled by default > > > > > > > following in krb5kdc.log when IPA is started up, so clearly it isn't. > > > > > > > > (Error):
[Freeipa-users] Where should I create my Linux and Mac users in a AD IPA trust?
I am currently running IPA server 4.2 in RHEL 7.2 and I have created a two-way trust between my Windows AD and IPA server. I have a heterogeneous environment where I have Windows, Linux and Mac clients. The Windows users are present in AD and they can access the resources under IPA through the trust relationship. What are the pros and cons 1. When I create Linux and Mac users in the AD. 2. When I create Linux and Mac users in IPA -- Warm Regards Supratik -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project