Re: [Freeipa-users] Connection closed by UNKNOWN

2016-02-13 Thread Jakub Hrozek
On Sat, Feb 13, 2016 at 07:38:16AM +0530, Rakesh Rajasekharan wrote:
> I started up with freeipa and setup a server and a client
> 
> 
> Now when I add a user and try logging in,
> It successfully prompts for the password change and completes setting up
> the new password.
> 
> However, when I again try to login with the new password, it gives me the
> below error
> 
> "Connection closed by UNKNOWN"
> 
> In /var/log/secure , I see this
> 
> fatal: Access denied for user t-temp by PAM account configuration.
> 
> Any pointers on what I might have done wrong in the setup, or whether I
> have missed something?

I would guess HBAC if that message comes from pam_sss.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] sudo runs despite being denied by HBAC rules

2016-02-13 Thread Martin Kosek

On 02/09/2016 05:06 PM, Ian Collier wrote:

Can anyone help me to understand these logs... is there maybe a bug here?

The basic situation is that there is no HBAC rule that would allow
sudo.  When people try it, sss accepts their password but then denies
them access to the sudo command.  But despite this, our logs still
contain some entries indicating that sudo was actually run. Of course
the sudoers file then denied them access and sent the sysadmin an
email.

Here's a journal extract:

Feb 09 11:34:58 hostname sudo[24453]: pam_unix(sudo:auth): authentication 
failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost=  
user=
Feb 09 11:34:58 hostname sudo[24453]: pam_sss(sudo:auth): authentication 
success; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= 
user=
Feb 09 11:34:58 hostname audit[24453]:  pid=24453 uid=12113 auid=12113 ses=54 
msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="" 
exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 09 11:34:58 hostname sudo[24453]: pam_sss(sudo:account): Access denied for 
user : 6 (Permission denied)
Feb 09 11:34:58 hostname audit[24453]:  pid=24453 uid=12113 auid=12113 ses=54 
msg='op=PAM:accounting grantors=? acct="" exe="/usr/bin/sudo" hostname=? addr=? 
terminal=/dev/pts/1 res=failed'
Feb 09 11:35:05 hostname sudo[24453]: pam_sss(sudo:auth): authentication 
success; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= 
user=
Feb 09 11:35:05 hostname audit[24453]:  pid=24453 uid=12113 auid=12113 ses=54 
msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="" 
exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 09 11:35:05 hostname sudo[24453]: pam_sss(sudo:account): Access denied for 
user : 6 (Permission denied)
Feb 09 11:35:05 hostname audit[24453]:  pid=24453 uid=12113 auid=12113 ses=54 
msg='op=PAM:accounting grantors=? acct="" exe="/usr/bin/sudo" hostname=? addr=? 
terminal=/dev/pts/1 res=failed'
Feb 09 11:35:08 hostname sudo[24453]: pam_unix(sudo:auth): auth could not 
identify password for []
Feb 09 11:35:08 hostname sudo[24453]: pam_sss(sudo:auth): authentication 
failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= 
user=
Feb 09 11:35:08 hostname sudo[24453]: pam_sss(sudo:auth): received for user 
: 7 (Authentication failure)
Feb 09 11:35:08 hostname audit[24453]:  pid=24453 uid=12113 auid=12113 ses=54 
msg='op=PAM:authentication grantors=? acct="" exe="/usr/bin/sudo" hostname=? 
addr=? terminal=/dev/pts/1 res=failed'
Feb 09 11:35:08 hostname audit[24453]:  pid=24453 uid=12113 
auid=12113 ses=54 msg='cwd=2F6175xxx cmd=617074xxx terminal=pts/1 res=failed'
Feb 09 11:35:08 hostname audit[24453]:  pid=24453 uid=12113 
auid=12113 ses=54 msg='cwd=2F6175xxx cmd=617074xxx terminal=pts/1 res=failed'
Feb 09 11:35:08 hostname sudo[24453]:   : user NOT in sudoers ; TTY=pts/1 ; 
PWD=/x ; USER=root ; COMMAND=x
Feb 09 11:35:09 hostname sSMTP[24463]: Sent mail for r...@cs.ox.ac.uk (221 
mail.cs.ox.ac.uk closing connection) uid=0 =root outbytes=607

What this seems to say:

  1. pam_unix failed the password (expected because passwords are managed by IPA)
  2. pam_sss accepted the password
  3. pam_sss denied access to sudo:account

  Presumably sudo asked the user to try again and they re-typed the password

  4. pam_sss accepted the password
  5. pam_sss denied access to sudo:account

  6. Three seconds later pam_unix said it "could not identify password" (?)
  7. This time pam_sss failed the password and returned 7 (Authentication failure)
  8. sudo ran anyway!

I can't duplicate this behaviour myself but looking through the logs in
our computer lab there are a few of these.  See for instance the following
which appears to deny access three times and then just run it anyway:

Feb 02 10:31:12 hostname2 sudo[24468]: pam_unix(sudo:auth): authentication 
failure; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost=  
user=xyyx
Feb 02 10:31:14 hostname2 sudo[24468]: pam_sss(sudo:auth): authentication 
success; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost= 
user=xyyx
Feb 02 10:31:14 hostname2 audit[24468]:  pid=24468 uid=12106 auid=12106 ses=39 
msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="xyyx" 
exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 02 10:31:15 hostname2 sudo[24468]: pam_sss(sudo:account): Access denied for 
user xyyx: 6 (Permission denied)
Feb 02 10:31:15 hostname2 audit[24468]:  pid=24468 uid=12106 auid=12106 ses=39 
msg='op=PAM:accounting grantors=? acct="xyyx" exe="/usr/bin/sudo" hostname=? addr=? 
terminal=/dev/pts/1 res=failed'
Feb 02 10:31:26 hostname2 sudo[24468]: pam_sss(sudo:auth): authentication 
success; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost= 
user=xyyx
Feb 02 10:31:26 hostname2 audit[24468]:  pid=24468 uid=12106 auid=12106 ses=39 

Re: [Freeipa-users] sudo runs despite being denied by HBAC rules

2016-02-13 Thread Ian Collier
I wrote...
> Can anyone help me to understand these logs... is there maybe a bug here?

> The basic situation is that there is no HBAC rule that would allow
> sudo.  When people try it, sss accepts their password but then denies
> them access to the sudo command.  But despite this, our logs still
> contain some entries indicating that sudo was actually run. Of course
> the sudoers file then denied them access and sent the sysadmin an
> email.

It turns out I am misinterpreting the logs.  And because the sudoers
file would normally allow me access, testing it with my own account
didn't yield the same results.

Essentially, if sudoers would deny access then it seems that sudo will
log and email the sysadmin even if the user failed to supply a correct
password.

So there isn't a problem here after all.  The user is being told their
password was incorrect and sudo goes no further.  But the email that the
sysadmin receives is the same regardless of whether sudo accepted their
password.

If I try with my account, sudo tells me my password is incorrect but
doesn't email the sysadmin, and it writes "3 incorrect password attempts"
into the log instead of "user NOT in sudoers".  Anyway, now I've added
an HBAC rule that allows the system staff (but not general users) to
run sudo, and this is working too.

Sorry for the false alarm.

Ian Collier.
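As an added example (not code from the thread or from the FreeIPA/sudo projects), a small Python classifier that applies Ian's reading of the logs: per sudo PID it tells apart a pam_sss account-phase (HBAC) denial, a sudoers denial that sudo logs and mails after failed passwords, a plain wrong password, and an actual execution. The journal lines are constructed to mirror the extract above, with placeholder user names; the successful-execution line format is assumed from sudo's default log line.

```python
"""Classify sudo outcomes per invocation from journal lines (constructed sample)."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's extract; users and commands are placeholders.
SAMPLE_LOG = """\
Feb 09 11:34:58 host sudo[24453]: pam_unix(sudo:auth): authentication failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost=  user=alice
Feb 09 11:34:58 host sudo[24453]: pam_sss(sudo:auth): authentication success; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user=alice
Feb 09 11:34:58 host sudo[24453]: pam_sss(sudo:account): Access denied for user alice: 6 (Permission denied)
Feb 09 11:35:08 host sudo[24453]: pam_sss(sudo:auth): authentication failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user=alice
Feb 09 11:35:08 host sudo[24453]:   alice : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt
Feb 09 11:40:00 host sudo[24500]: pam_sss(sudo:auth): authentication failure; logname= uid=12100 euid=0 tty=/dev/pts/2 ruser= rhost= user=bob
Feb 09 11:40:05 host sudo[24500]:   bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt
Feb 09 11:45:00 host sudo[24600]: pam_sss(sudo:auth): authentication success; logname= uid=12000 euid=0 tty=/dev/pts/3 ruser= rhost= user=carol
Feb 09 11:45:00 host sudo[24600]:   carol : TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt
"""

LINE_RE = re.compile(r"sudo\[(\d+)\]:\s*(.*)$")  # audit[...] lines are ignored on purpose
EVENTS = [  # first matching pattern names the event
    ("auth_ok", re.compile(r"pam_sss\(sudo:auth\): authentication success")),
    ("auth_fail", re.compile(r"pam_sss\(sudo:auth\): authentication failure")),
    ("account_denied", re.compile(r"pam_sss\(sudo:account\): Access denied")),
    ("not_in_sudoers", re.compile(r"user NOT in sudoers")),
    ("bad_password", re.compile(r"incorrect password attempts")),
    ("command_run", re.compile(r"^\S+ : TTY=.*COMMAND=")),  # assumed default sudo success line
]

def events_by_pid(text):
    """Group recognised events by sudo PID, preserving journal order."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        for name, pat in EVENTS:
            if pat.search(msg):
                out[pid].append(name)
                break
    return out

def verdict(events):
    """Precedence: a real run beats every denial; account-phase denial means HBAC refused."""
    if "command_run" in events:
        return "executed"
    if "account_denied" in events:
        return "denied_by_hbac"          # password accepted, pam_sss account phase refused
    if "not_in_sudoers" in events:
        return "denied_by_sudoers"       # sudo's own log/mail; the command never ran
    if "bad_password" in events or "auth_fail" in events:
        return "wrong_password"
    return "unknown"

def analyze(text):
    """Return {pid: verdict} for every sudo invocation seen in the text."""
    return {pid: verdict(ev) for pid, ev in events_by_pid(text).items()}

if __name__ == "__main__":
    for pid, v in analyze(SAMPLE_LOG).items():
        print(pid, v)
```

A "user NOT in sudoers" line on its own is therefore not evidence that anything ran; only a line with TTY/PWD/USER/COMMAND and no denial text is.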



Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-13 Thread Prasun Gera
Just replying to this thread to express interest in good client support in
Ubuntu. As 16.04 draws close to a release, it would be great if the client
side of things work well out of the box in 16.04 without any 3rd party
ppas. 12.04 was pretty bad, 14.04 was mostly usable with some issues. I'm
hoping that with 16.04, it reaches parity with Fedora based distros. I'll
be happy to do some preliminary testing if needed.

On Mon, Feb 8, 2016 at 10:56 AM, Timo Aaltonen  wrote:

> 04.02.2016, 19:28, Jon kirjoitti:
> > Is Ubuntu not supported with FreeIPA?  Is there an updated install
> > script?  I installed the freeipa-client from public repos.
> >
> >>> ii  freeipa-client
> >  3.3.4-0ubuntu3.1amd64
> >  FreeIPA centralized identity framework -- client
> >>> ii  python-freeipa
> >  3.3.4-0ubuntu3.1amd64
> >  FreeIPA centralized identity framework -- python modules
>
> The stock packages in 14.04 are rather old, you'd probably be happier with
> the 4.0.5-based client available on the PPA:
>
> https://launchpad.net/~freeipa/+archive/ubuntu/4.0
>
>
>
> --
> t
>

Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-13 Thread Filip Pytloun
Hello,

we are using Ubuntu 14.04 on FreeIPA clients and Ubuntu 16.04 on FreeIPA
server for 2 months with no critical issues.

Using a newer freeipa-client was not needed, only an sssd update from here,
because the trusty version is buggy:
https://launchpad.net/~sssd/+archive/ubuntu/updates?field.series_filter=trusty

On server side, it was only needed to fix apparmor policy for bind to
fix FreeIPA DNS zones:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814314

Maybe someone could be interested in the Salt formula we are using to set up
the FreeIPA server/client: https://github.com/tcpcloud/salt-formula-freeipa

Filip

On 2016/02/13 17:40, Prasun Gera wrote:
> Just replying to this thread to express interest in good client support in
> Ubuntu. As 16.04 draws close to a release, it would be great if the client
> side of things work well out of the box in 16.04 without any 3rd party
> ppas. 12.04 was pretty bad, 14.04 was mostly usable with some issues. I'm
> hoping that with 16.04, it reaches parity with Fedora based distros. I'll
> be happy to do some preliminary testing if needed.
> 
> On Mon, Feb 8, 2016 at 10:56 AM, Timo Aaltonen  wrote:
> 
> > 04.02.2016, 19:28, Jon kirjoitti:
> > > Is Ubuntu not supported with FreeIPA?  Is there an updated install
> > > script?  I installed the freeipa-client from public repos.
> > >
> > >>> ii  freeipa-client
> > >  3.3.4-0ubuntu3.1amd64
> > >  FreeIPA centralized identity framework -- client
> > >>> ii  python-freeipa
> > >  3.3.4-0ubuntu3.1amd64
> > >  FreeIPA centralized identity framework -- python modules
> >
> > The stock packages in 14.04 are rather old, you'd probably be happier with
> > the 4.0.5-based client available on the PPA:
> >
> > https://launchpad.net/~freeipa/+archive/ubuntu/4.0
> >
> >
> >
> > --
> > t
> >
