Re: [Freeipa-users] Can I migrate group password hashes from NIS?

2016-07-06 Thread Rob Crittenden

Joanna Delaporte wrote:

I have successfully migrated some user password hashes from an NIS
domain. I am wondering if there is a similar method for migrating group
passwords. I haven't found any discussion or documentation on it.


You do it the same way as users. Note that there are no IPA commands to 
manage a group password and group passwords are completely untested (the 
attribute is available though).


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] k5login not working?

2016-07-06 Thread Jeffery Harrell
Oh wow, I see. I did some playing around with
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin in search of a
minimum-change scenario and found that this:

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
#  enable_only = sssd
 }

seems to get me where I need to be. Adding that one character seems to be
enough to make .k5login work as expected.

Specifically:

Take a brand new IPA client, created with “ipa-client-install” and
accepting the defaults.

Edit /var/lib/sss/pubconf/krb5.include.d/localauth_plugin to comment out
the enable_only line as above.

cat <<'EOF' > /root/.k5login
yourusern...@yourdomain.com
EOF

From another computer anywhere in the domain:

kinit yourusern...@yourdomain.com

Then:

ssh -K root@wherever

This works for me. I’ve got all my servers under Salt config management
anyway, so it’s not *that* big a deal to add that one byte to each of them.

Thank you very, very much for the help.




On July 6, 2016 at 1:00:53 PM, Sumit Bose (sb...@redhat.com) wrote:

On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
> I must be missing something really obvious.
>
> Our IPA server is set up in the usual way on CentOS 7.2, just a “yum
> install ipa-server” and then an “ipa-server-install.” DNS is set up
> correctly and is working.
>
> I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum
> install ipa-client”, “ipa-client-install.” Auto-detection of the realm,
> domain and server were normal.
>
> But k5login is not working as expected. If I have this .k5login file in
the
> admin user’s home directory on server A:
>
> alice@charlietango.com...@charlietango.com
>
> I would expect to be able to do this:
>
> kinit al...@charlietango.com
> ssh -K admin@serverA
>
> from anywhere in the Kerberos realm. Instead my credentials get rejected
> and I’m asked for the admin user’s password.
>
> It feels like sshd on the server isn’t even looking at k5login. (I also
> tried k5users; same result.)
>
> The permissions on .k5login are correct. I tried it with SELinux off as
> well just in case that was it.
>
> What blindingly obvious thing have I overlooked?

I guess you have an issue similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1297462 . The localauth
plugin provided by SSSD has too strict default settings. One is the
'enable_only = sssd' option in the config snippet. The other is that it
acts authoritative for SSSD users. A fix for both was just pushed
upstream today.

If you currently do not need the localauth plugin you can disable it by
creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
file and make it unmodifiable with

chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin

This should allow the default methods including k5login again. Please
note that you might need to add the old RULE based mapping as described
in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
or add .k5login files for every user to make GSSAPI authentication work
smoothly.

As an alternative we hope to release the next SSSD version including the
patches anytime soon and later on there might be a build for 7.2
available.

HTH

bye,
Sumit

>
> Thanks.

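The snippet above disables the built-in k5login localauth module whenever an active `enable_only = sssd` line is present. The following is an added example (not code from this thread or from SSSD) that parses such a snippet to report which modules are restricted and checks a .k5login file for the ownership and permission conditions krb5 enforces; the snippets and principal names are constructed samples, and `localauth_enable_only`, `k5login_file_problems`, `demo` and the other names are this example's own.

```python
import os
import re
import stat
import tempfile

# Constructed snippets modelled on the localauth_plugin include file
# (sample text for this example, not copied from a host).
STRICT_SNIPPET = """\
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
"""

RELAXED_SNIPPET = """\
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
#  enable_only = sssd
 }
"""


def localauth_enable_only(snippet):
    """Return the module names from every active 'enable_only' line inside the
    [plugins] localauth = { ... } block.  An empty list means no restriction,
    so the built-in modules (k5login among them) stay available."""
    enabled = []
    in_plugins = False
    in_localauth = False
    for raw in snippet.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # comment lines are ignored by the krb5 profile parser
        if line.startswith("["):
            in_plugins = line == "[plugins]"
            in_localauth = False
            continue
        if in_plugins and re.match(r"localauth\s*=\s*\{", line):
            in_localauth = True
            continue
        if in_localauth:
            if line == "}":
                in_localauth = False
                continue
            m = re.match(r"enable_only\s*=\s*(\S+)", line)
            if m:
                enabled.append(m.group(1))
    return enabled


def k5login_available(snippet):
    """k5login is a built-in localauth module, so it is only consulted when
    no enable_only line exists or k5login is listed explicitly."""
    only = localauth_enable_only(snippet)
    return not only or "k5login" in only


def k5login_file_problems(path, owner_uid):
    """Report conditions under which krb5 refuses or may misread a .k5login file."""
    problems = []
    st = os.stat(path)
    if st.st_uid not in (owner_uid, 0):
        problems.append("file must be owned by the account owner or root")
    if st.st_mode & stat.S_IWOTH:
        problems.append("file must not be world-writable")
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            principal = line.strip()
            # A bare name is accepted by krb5 with the default realm appended;
            # flag it so the admin sees which realm is actually being trusted.
            if principal and not re.fullmatch(r"[^@\s]+@[^@\s]+", principal):
                problems.append(f"line {n} has no explicit realm")
    return problems


def demo():
    """Write a constructed .k5login in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".k5login")
        with open(path, "w") as fh:
            fh.write("alice@EXAMPLE.COM\nbob\n")  # constructed principals
        os.chmod(path, 0o644)
        return k5login_file_problems(path, os.getuid())


if __name__ == "__main__":
    print("strict snippet restricts to:", localauth_enable_only(STRICT_SNIPPET))
    print("k5login usable with relaxed snippet:", k5login_available(RELAXED_SNIPPET))
    print("problems in sample .k5login:", demo())
```

Run it against the real file by passing the text of `/var/lib/sss/pubconf/krb5.include.d/localauth_plugin` to `localauth_enable_only` and a user's `.k5login` path plus uid to `k5login_file_problems`.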

[Freeipa-users] NFS automount - doesn't update UID/GID info on client after chown on nfs server

2016-07-06 Thread Joanna Delaporte
Hi there,

I am still working on migrating my users from NIS to IPA. I have a lot of
it working. However, the issue I am dealing with now is that NFS UID
ownership on nfs/ipa-client machine is not updating when I change the
owner's UID and update the files ownership on the NFS server.

I refreshed the sssd cache and restarted nfs-idmapd before changing owner
on the NFS server, to make sure I had the most up-to-date info from the IPA
server. The user (20182) correctly owns the files on the NFS server.

I refreshed the sssd cache on the nfs/ipa-client. I also tried restarting
nfs-client.target and relogging. No dice. My user files are still owned by
old UID (20114) on the client, even though they are automounted from the
NFS server. The user entity is correct on the client (UID 20182).

How do I get the file ownership info to update correctly on the nfs client?

-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com

Re: [Freeipa-users] k5login not working?

2016-07-06 Thread Sumit Bose
On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
> I must be missing something really obvious.
> 
> Our IPA server is set up in the usual way on CentOS 7.2, just a “yum
> install ipa-server” and then an “ipa-server-install.” DNS is set up
> correctly and is working.
> 
> I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum
> install ipa-client”, “ipa-client-install.” Auto-detection of the realm,
> domain and server were normal.
> 
> But k5login is not working as expected. If I have this .k5login file in the
> admin user’s home directory on server A:
> 
> alice@charlietango.com...@charlietango.com
> 
> I would expect to be able to do this:
> 
> kinit al...@charlietango.com
> ssh -K admin@serverA
> 
> from anywhere in the Kerberos realm. Instead my credentials get rejected
> and I’m asked for the admin user’s password.
> 
> It feels like sshd on the server isn’t even looking at k5login. (I also
> tried k5users; same result.)
> 
> The permissions on .k5login are correct. I tried it with SELinux off as
> well just in case that was it.
> 
> What blindingly obvious thing have I overlooked?

I guess you have an issue similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1297462 . The localauth
plugin provided by SSSD has too strict default settings. One is the
'enable_only = sssd' option in the config snippet. The other is that it
acts authoritative for SSSD users. A fix for both was just pushed
upstream today.

If you currently do not need the localauth plugin you can disable it by
creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
file and make it unmodifiable with 

chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin

This should allow the default methods including k5login again. Please
note that you might need to add the old RULE based mapping as described
in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
or add .k5login files for every user to make GSSAPI authentication work
smoothly.

As an alternative we hope to release the next SSSD version including the
patches anytime soon and later on there might be a build for 7.2
available.

HTH

bye,
Sumit

> 
> Thanks.



[Freeipa-users] k5login not working?

2016-07-06 Thread Jeffery Harrell
I must be missing something really obvious.

Our IPA server is set up in the usual way on CentOS 7.2, just a “yum
install ipa-server” and then an “ipa-server-install.” DNS is set up
correctly and is working.

I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum
install ipa-client”, “ipa-client-install.” Auto-detection of the realm,
domain and server were normal.

But k5login is not working as expected. If I have this .k5login file in the
admin user’s home directory on server A:

alice@charlietango.com...@charlietango.com

I would expect to be able to do this:

kinit al...@charlietango.com
ssh -K admin@serverA

from anywhere in the Kerberos realm. Instead my credentials get rejected
and I’m asked for the admin user’s password.

It feels like sshd on the server isn’t even looking at k5login. (I also
tried k5users; same result.)

The permissions on .k5login are correct. I tried it with SELinux off as
well just in case that was it.

What blindingly obvious thing have I overlooked?

Thanks.

Re: [Freeipa-users] FreeIPA 4.2.0 and Windows XP

2016-07-06 Thread Alexander Bokovoy

On Wed, 06 Jul 2016, Konstantin M. Khankin wrote:

Yes, I had a look at the eventlog, but there are no failures and no events
at all related to failed login. Maybe I can increase verbosity level
somehow?

Try to intercept network traffic between Windows XP and IPA master.
May be it tries to use DCE RPC over SMB as well?
--
/ Alexander Bokovoy



Re: [Freeipa-users] FreeIPA 4.2.0 and Windows XP

2016-07-06 Thread Konstantin M. Khankin
Yes, I had a look at the eventlog, but there are no failures and no events
at all related to failed login. Maybe I can increase verbosity level
somehow?

2016-07-06 20:58 GMT+03:00 Alexander Bokovoy :

> On Wed, 06 Jul 2016, Konstantin M. Khankin wrote:
>
>> Hi!
>>
>> I'm trying to set up Windows XP to get a Kerberos ticket for the user on
>> login using the following docs:
>>
>> * http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
>> *
>>
>> http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step
>> * Discussion at
>> https://www.redhat.com/archives/freeipa-users/2008-November/msg00063.html
>>
>> I can obtain kerberos ticket using kinit from JRE (for some reasons I
>> can't
>> find other kinit in Windows), but I can't logon. I tried the following:
>> 1) ksetup /mapuser * *
>> 2) ksetup /mapuser * 
>> 3) ksetup /mapuser user@DOMAIN user
>> 4) logging not into Kerberos realm, but into local computer using
>> user@DOMAIN login
>> 5) logging into Kerberos realm using "user" login
>> 6) logging into Kerberos realm using user@DOMAIN login
>>
>> With any of these I see successful attempts in krb5kdc.log (so the user
>> passes pre-auth against kdc), but Windows keep saying that the username or
>> password is not correct.
>>
>> I also tried to reset user's password in freeipa and then login - windows
>> asked to change password and successfully changed it, but still doesn't
>> let
>> the user in
>>
>> I have no problems with this setup on 2 computers with Windows 7. Haven't
>> tried other computers running Windows XP though
>>
>> What am I doing wrong?
>>
> No idea. We don't support this setup at all so your mileage indeed
> varies a lot.
>
> Did you look at the eventlog on Windows XP?
>
> --
> / Alexander Bokovoy
>



-- 
Ханкин Константин

Re: [Freeipa-users] FreeIPA 4.2.0 and Windows XP

2016-07-06 Thread Alexander Bokovoy

On Wed, 06 Jul 2016, Konstantin M. Khankin wrote:

Hi!

I'm trying to set up Windows XP to get a Kerberos ticket for the user on
login using the following docs:

* http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
*
http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step
* Discussion at
https://www.redhat.com/archives/freeipa-users/2008-November/msg00063.html

I can obtain kerberos ticket using kinit from JRE (for some reasons I can't
find other kinit in Windows), but I can't logon. I tried the following:
1) ksetup /mapuser * *
2) ksetup /mapuser * 
3) ksetup /mapuser user@DOMAIN user
4) logging not into Kerberos realm, but into local computer using
user@DOMAIN login
5) logging into Kerberos realm using "user" login
6) logging into Kerberos realm using user@DOMAIN login

With any of these I see successful attempts in krb5kdc.log (so the user
passes pre-auth against kdc), but Windows keep saying that the username or
password is not correct.

I also tried to reset user's password in freeipa and then login - windows
asked to change password and successfully changed it, but still doesn't let
the user in

I have no problems with this setup on 2 computers with Windows 7. Haven't
tried other computers running Windows XP though

What am I doing wrong?

No idea. We don't support this setup at all so your mileage indeed
varies a lot.

Did you look at the eventlog on Windows XP?

--
/ Alexander Bokovoy



[Freeipa-users] FreeIPA 4.2.0 and Windows XP

2016-07-06 Thread Konstantin M. Khankin
Hi!

I'm trying to set up Windows XP to get a Kerberos ticket for the user on
login using the following docs:

* http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
*
http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step
* Discussion at
https://www.redhat.com/archives/freeipa-users/2008-November/msg00063.html

I can obtain kerberos ticket using kinit from JRE (for some reasons I can't
find other kinit in Windows), but I can't logon. I tried the following:
1) ksetup /mapuser * *
2) ksetup /mapuser * 
3) ksetup /mapuser user@DOMAIN user
4) logging not into Kerberos realm, but into local computer using
user@DOMAIN login
5) logging into Kerberos realm using "user" login
6) logging into Kerberos realm using user@DOMAIN login

With any of these I see successful attempts in krb5kdc.log (so the user
passes pre-auth against kdc), but Windows keep saying that the username or
password is not correct.

I also tried to reset user's password in freeipa and then login - windows
asked to change password and successfully changed it, but still doesn't let
the user in

I have no problems with this setup on 2 computers with Windows 7. Haven't
tried other computers running Windows XP though

What am I doing wrong?

Thanks!

-- 
Konstantin Khankin

[Freeipa-users] Can I migrate group password hashes from NIS?

2016-07-06 Thread Joanna Delaporte
I have successfully migrated some user password hashes from an NIS domain.
I am wondering if there is a similar method for migrating group passwords.
I haven't found any discussion or documentation on it.

Thanks!
Joanna

-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com

[Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-06 Thread Prashant Bapat
Hi,

We are using FreeIPA's LDAP as the base for user authentication in a
different application. So far I have created a sysaccount which does the
lookup etc for a user and things are working as expected. I'm even able to
use OTP from the external app.

One problem I'm struggling to fix is the expired passwords. Is there a way
to deny bind to LDAP only from this application? Obviously the user would
need to go to IPA's web UI and reset his password there.

I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
looks like this is an old one.

Thanks.
--Prashant

Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Danila Ladner
Yeah, please enable logging in [sudo] section of sssd.

On Wed, Jul 6, 2016 at 11:03 AM, Jakub Hrozek  wrote:

> On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote:
> > Hi Danila and other freeipa gurus,
> > sorry for my late answer, there is a bank holiday in CZ and I am off work
> > these two days.
> > Yes, /etc/nsswitch.conf is fine, see:
> >
> > [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
> > sudoers: files sss
> >
> > I think it is set up as part of freeipa-client package.
> > I went through this guide:
> > https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> We also need to see sssd_sudo.log and the log from the sudo itself
> (configured in /etc/sudo.conf)
>
>

Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Jakub Hrozek
On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote:
> Hi Danila and other freeipa gurus,
> sorry for my late answer, there is a bank holiday in CZ and I am off work
> these two days.
> Yes, /etc/nsswitch.conf is fine, see:
> 
> [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
> sudoers: files sss
> 
> I think it is set up as part of freeipa-client package.
> I went through this guide:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

We also need to see sssd_sudo.log and the log from the sudo itself
(configured in /etc/sudo.conf)



Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Andreas Ladanyi

Hi Rob,

Hi,

is it possible that ipa-server-certinstall couldn't handle private keys
without a password?


You can file an RFE at https://fedorahosted.org/freeipa/newticket
It seems that ipa-server-certinstall couldn't handle private keys with a
password either. See my result below.





I would test it with a self-signed certificate and a test private key file
secured with a password, but I don't know what happens after entering a
valid private key unlock password. Could I stop the certificate import
process at this point, so that no change will happen to my production IPA
server?


I would not recommend experimenting with random certificates.

It should be possible to add a password to your private key. A quick 
google found 
http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key

That's a great idea. I have done so and tested again:

openssl rsa -des3 -in private.key -out private_key_with_pw.key

ipa-server-certinstall -w certificate.pem private_key_with_pw.key

After entering the password to unlock the private key I get the message:

Insufficient access:  Invalid credentials



Andreas

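Whether ipa-server-certinstall should be expected to prompt for a key passphrase depends on whether the PEM file actually carries an encrypted key: `openssl rsa -des3`, as used above, writes the traditional `Proc-Type`/`DEK-Info` headers, while an encrypted PKCS#8 key uses a different BEGIN label. The following added example, not part of this thread or of FreeIPA, inspects those headers to tell the cases apart; the PEM texts are constructed filler (the base64 bodies are not real keys) and `pem_key_info` and the other names are this example's own.

```python
import re

# Constructed sample PEM texts: the base64 bodies are filler, not real keys.
TRADITIONAL_ENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

PKCS8_ENCRYPTED = """\
-----BEGIN ENCRYPTED PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END ENCRYPTED PRIVATE KEY-----
"""

# A certificate followed by an unencrypted traditional key, as in a combined file.
UNENCRYPTED = """\
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)


def pem_key_info(pem_text):
    """Describe the first private key block in a PEM text.

    Returns a dict with the BEGIN label, the container format ('traditional'
    or 'pkcs8'), whether a passphrase is needed, and the cipher named in the
    DEK-Info header for traditional encrypted keys."""
    for m in BLOCK_RE.finditer(pem_text):
        label, body = m.group(1), m.group(2)
        if not label.endswith("PRIVATE KEY"):
            continue  # certificates and other blocks are skipped
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 encrypted container: the cipher lives inside the DER, not in a header.
            return {"label": label, "format": "pkcs8", "encrypted": True, "cipher": None}
        headers = {}
        for line in body.splitlines():
            # RFC 1421 headers precede the base64 body and end at a blank line;
            # base64 never contains ':', so the first such line ends the headers too.
            if not line.strip() or ":" not in line:
                break
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
        encrypted = headers.get("Proc-Type", "") == "4,ENCRYPTED"
        cipher = None
        if encrypted and "DEK-Info" in headers:
            cipher = headers["DEK-Info"].split(",")[0]
        fmt = "pkcs8" if label == "PRIVATE KEY" else "traditional"
        return {"label": label, "format": fmt, "encrypted": encrypted, "cipher": cipher}
    raise ValueError("no private key block found")


def has_private_key(pem_text):
    """True if the text contains any private key block at all."""
    try:
        pem_key_info(pem_text)
        return True
    except ValueError:
        return False


def pem_file_needs_passphrase(path):
    """Convenience wrapper for a key file on disk."""
    with open(path) as fh:
        return pem_key_info(fh.read())["encrypted"]


if __name__ == "__main__":
    for name, text in [("traditional", TRADITIONAL_ENCRYPTED),
                       ("pkcs8", PKCS8_ENCRYPTED), ("plain", UNENCRYPTED)]:
        print(name, pem_key_info(text))
```

A key that reports `encrypted: False` has no passphrase to enter, so a tool prompting for one is asking for something that does not exist; that is the situation described earlier in the thread, and the check lets you confirm it before filing a ticket.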


[Freeipa-users] dns zone forward - no valid signature found

2016-07-06 Thread lejeczek

hi everybody

I think this was working some time ago, but for a while 
queries to IPA's DNS forwards have wound up like this:


validating @0x7f85dc00f9a0: swir.my.dom A: no valid 
signature found
validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit 
(swir.my.dom/DS)
error (broken trust chain) resolving 'swir.my.dom/A/IN': 
192.168.2.100#53


dig at IPA DNS and nothing, logs:

  validating @0x7f85e0134880: my.dom SOA: no valid 
signature found
  validating @0x7f85e0134880: my.dom NSEC: no valid 
signature found
  validating @0x7f85e0134880: swir.my.dom NSEC: no valid 
signature found
  validating @0x7f85e0134880: swir.my.dom NSEC: bad cache 
hit (swir.my.dom/DS)


I dig +dnssec directly at the receiving server and result 
seems normal, no errors.


IPA's dns is not dnsseced, is this the root of the problem? 
Or what else might be?


bw.

L




Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Tomas Simecek
Hi Danila and other freeipa gurus,
sorry for my late answer, there is a bank holiday in CZ and I am off work
these two days.
Yes, /etc/nsswitch.conf is fine, see:

[root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
sudoers: files sss

I think it is set up as part of freeipa-client package.
I went through this guide:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

so I guess things are set right.
When I try to sudo as domain user, sssd_linuxdomain.cz.log says the following:
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.sudoHandler on path
/org/freedesktop/sssd/dataprovider
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_sudo_handler]
(0x0400): Entering be_sudo_handler()
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_handler]
(0x0400): Issuing a refresh of specific sudo rules
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with
base [ou=sudoers,dc=linuxdomain,dc=cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(&(objectClass=sudoRole)(|(cn=Pokusne)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=
spcss-2t-www.linuxdomain.cz
)(sudoHost=spcss-2t-www)(sudoHost=10.1.62.88)(sudoHost=
10.1.62.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*][ou=sudoers,dc=linuxdomain,dc=cz
].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 6 timeout 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0],
ldap[0x7f2389333ff0]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=Pokusne,ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sudoCommand]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sudoHost]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sudoUser]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [entryUSN]
(Wed 

Re: [Freeipa-users] ipa server(master) and alternative name

2016-07-06 Thread lejeczek



On 06/07/16 13:57, Rob Crittenden wrote:

lejeczek wrote:

hi users,

I'd like to ask if it possible to add (after deployment 
is finished) an

AltSubjectName to fIPA master?


I don't see why not, they are just certs after all. You 
would need to be careful to get the certmonger tracking 
right but it should be doable.


I shall say what I'm hoping to achieve - having 3 servers 
I hope to have
in IPA's DNS a host, A record that will be resolving to 
three servers'

IPs. Like eg. ipa-ca which seems to hold all servers IPs.

I started with:

$ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address
10.5.6.100(which is master's IP)


For what purpose, to make it easier for users to find the 
IPA server?
not, IPA, simplest thing I'd like have to use same apache 
IPA on all serves use  - a local yum repos to be served 
from/via dns roundrobin.


but I feel I got off on the wrong foot there; I see with the ipa 
command:


ipa: ERROR: cert validation failed for...

((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer 
has been marked

as not trusted by the user.)


I assume you've already played with the certificates? The 
DNS change you made wouldn't cause this error.


no, actually I have not, I did not add a host nor a service 
nor a cert, there is no trace of "linux" anywhere, only dns 
A record - to get rid of the error I have to remove that new 
host & restart IPA.

rob





Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-06 Thread Rob Crittenden

Neal Harrington | i-Neda Ltd wrote:

Hi Rob,


Thank you very much for your message. Unfortunately/fortunately after
rebooting or restarting the ssh server this morning it is all working as
I would expect. I'm not sure what I was missing yesterday but suspect a
combination of sssd caching may have been confusing me as I'm sure
I'd already tried this several times.


Very strange indeed. The sssd cache is persistent so rebooting shouldn't 
have affected it at all.


rob




Thanks again,
Neal.

*From:* Rob Crittenden 
*Sent:* 05 July 2016 18:01
*To:* Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and
user ssh key query
Neal Harrington | i-Neda Ltd wrote:

Hi,


I have successfully installed FreeIPA server version 4.2.0 on CentOS
7.2, including replication between servers. I have a few
dozen Ubuntu 14.04 servers joined into IPA for authentication with
various user groups controlling access, sudo permissions etc and overall
I'm very happy.


I have however managed to trip myself up by installing the
Ubuntu clients with the --ssh-trust-dns option and now my users ssh keys
are not trusted and ssh login falls back to password based on the Ubuntu
clients.


If I uninstall a client, reboot and then reinstall without the
--ssh-trust-dns option then the users ssh key I imported into the web
interface is used and login is automatic over ssh.


I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
can't see anything to control this. Most of my online searches cover
other aspects of ssh host keys in DNS. If I've missed anything obvious
then please point me in the right direction.


I have a reasonable number of servers to make this change on and ideally
I'd like to push out the change to a config file and maybe restart a
service. Is this behaviour easy to configure or would it be easier to go
through the uninstall/reboot/reinstall loop? Luckily these are all
testing servers so not a show stopper but I'd prefer to learn what is
actually controlling this.


As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?

rob




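The SSHFP records Rob asks about can be produced from, and checked against, an OpenSSH public key line. This is an added example, not code from this thread, from FreeIPA or from OpenSSH: the key blob is a constructed dummy rather than a real key, and `sshfp_records`, `sshfp_matches` and the other names are this example's own.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def sample_pubkey_line(host="demo.example.test"):
    """Constructed known_hosts-style line with a dummy ed25519 blob (NOT a real key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def parse_pubkey_line(line):
    """Accept 'host type b64' (known_hosts, ssh-keyscan output) or
    'type b64 [comment]' (ssh_host_*_key.pub) and return (keytype, blob)."""
    parts = line.split()
    if parts and parts[0] in SSHFP_ALGORITHM:
        keytype, b64 = parts[0], parts[1]
    else:
        keytype, b64 = parts[1], parts[2]
    blob = base64.b64decode(b64)
    # The blob starts with the key type as an SSH string; it must agree with
    # the declared type, otherwise the line is corrupt or has been tampered with.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type in blob does not match declared type")
    return keytype, blob


def sshfp_records(line, owner):
    """The two SSHFP records (SHA-1 and SHA-256) for one host key, in zone-file form."""
    keytype, blob = parse_pubkey_line(line)
    algo = SSHFP_ALGORITHM[keytype]
    return [
        f"{owner} IN SSHFP {algo} {num} {hashlib.new(name, blob).hexdigest()}"
        for name, num in SSHFP_FPTYPE.items()
    ]


def sshfp_matches(line, algorithm, fptype, fingerprint_hex):
    """The comparison VerifyHostKeyDNS performs: does this record describe this key?"""
    keytype, blob = parse_pubkey_line(line)
    if SSHFP_ALGORITHM[keytype] != algorithm:
        return False
    name = {v: k for k, v in SSHFP_FPTYPE.items()}.get(fptype)
    if name is None:
        return False  # unknown fingerprint type: never a match
    return hashlib.new(name, blob).hexdigest() == fingerprint_hex.lower()


if __name__ == "__main__":
    for rr in sshfp_records(sample_pubkey_line(), "demo.example.test."):
        print(rr)
```

`ssh-keygen -r <hostname> -f <pubkey file>` prints the same two records for a real host key. With `VerifyHostKeyDNS yes` the client compares the record's fingerprint with the presented host key the way `sshfp_matches` does, but it treats a match as authoritative only when the DNS answer was DNSSEC-validated; an unvalidated match still leads to the usual confirmation prompt.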


Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Rob Crittenden

Andreas Ladanyi wrote:

Hi,

is it possible that ipa-server-certinstall couldn't handle private keys
without a password?


You can file an RFE at https://fedorahosted.org/freeipa/newticket


I would test it with a self-signed certificate and a test private key file
secured with a password, but I don't know what happens after entering a
valid private key unlock password. Could I stop the certificate import
process at this point, so that no change will happen to my production IPA
server?


I would not recommend experimenting with random certificates.

It should be possible to add a password to your private key. A quick 
google found 
http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key


rob



regards,
Andreas

Hi,

i try to replace the self signed certificate from the ipa installation
with this description:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-server-certinstall -w -d mysite.key mysite.crt

The tool asks for the private key unlock password. The private key was
generated without a password. I tried pressing only the enter key, but
it doesn't help. So I am confused. The certificate and key file are in PEM
format.

For testing I converted the private key with:

openssl rsa -in -out

because I wanted to know if openssl asks me for a password, but it doesn't.

My version number is FreeIPA 4.1.


regards,
Andreas

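Before guessing why a key "generated without a password" is prompted for one, it is worth reading what the PEM file actually says about itself. The following is an added example (not code from FreeIPA or from the thread): it parses the PEM container headers to report whether a private key is PKCS#8 or traditional OpenSSL format and whether it is encrypted. All PEM bodies in it are constructed placeholders, not real key material.

```python
"""Inspect a PEM private key before handing it to a certificate import tool.

Added example, not code from FreeIPA or from the thread.  The PEM container
itself says whether a key is encrypted: a PKCS#8 key is labelled
"PRIVATE KEY" (clear) or "ENCRYPTED PRIVATE KEY" (encrypted), while a
traditional "RSA PRIVATE KEY" block is encrypted only when it carries an
RFC 1421 "Proc-Type: 4,ENCRYPTED" header together with a "DEK-Info" line.
All PEM bodies below are constructed placeholders, not real key material.
"""
import base64
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.S,
)


def parse_pem_body(body):
    """Split a PEM body into RFC 1421 headers and the decoded payload."""
    lines = body.splitlines()
    headers = {}
    i = 0
    # Header lines ("Name: value") come first; base64 never contains ':'.
    while i < len(lines) and ":" in lines[i]:
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    if headers:
        # Headers must be separated from the data by exactly one blank line.
        if i >= len(lines) or lines[i].strip():
            raise ValueError("malformed PEM headers")
        i += 1
    payload = "".join(l.strip() for l in lines[i:] if l.strip())
    der = base64.b64decode(payload, validate=True)
    if not der:
        raise ValueError("empty PEM payload")
    return headers, der


def describe_private_key(pem_text):
    """Describe the first private key block in pem_text as a dict with the
    keys 'label', 'container', 'encrypted', 'headers' and 'der_length'.
    Other blocks (e.g. a CERTIFICATE in the same file) are skipped."""
    for m in PEM_BLOCK_RE.finditer(pem_text):
        label = m.group("label")
        if not label.endswith("PRIVATE KEY"):
            continue
        headers, der = parse_pem_body(m.group("body"))
        if label == "PRIVATE KEY":
            container, encrypted = "PKCS#8", False
        elif label == "ENCRYPTED PRIVATE KEY":
            container, encrypted = "PKCS#8", True
        else:
            # "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY": the
            # traditional OpenSSL format, encrypted only via PEM headers.
            container = "traditional " + label.rsplit(" ", 2)[0]
            encrypted = headers.get("Proc-Type", "").upper().endswith("ENCRYPTED")
            if encrypted and "DEK-Info" not in headers:
                raise ValueError("encrypted traditional key without DEK-Info")
        return {"label": label, "container": container,
                "encrypted": encrypted, "headers": headers,
                "der_length": len(der)}
    raise ValueError("no private key block found")


def make_pem_block(label, payload, headers=""):
    """Build a PEM block from raw bytes (used here only for constructed samples)."""
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, b64, label)


# Constructed sample files; the payload is a placeholder, not a real key.
PLACEHOLDER_DER = b"constructed placeholder, not a real key"
SAMPLE_PKCS8_CLEAR = make_pem_block("PRIVATE KEY", PLACEHOLDER_DER)
SAMPLE_PKCS8_ENC = make_pem_block("ENCRYPTED PRIVATE KEY", PLACEHOLDER_DER)
SAMPLE_RSA_CLEAR = make_pem_block("RSA PRIVATE KEY", PLACEHOLDER_DER)
SAMPLE_RSA_ENC = make_pem_block(
    "RSA PRIVATE KEY", PLACEHOLDER_DER,
    headers="Proc-Type: 4,ENCRYPTED\n"
            "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")
SAMPLE_CERT_THEN_KEY = make_pem_block("CERTIFICATE", PLACEHOLDER_DER) + SAMPLE_PKCS8_CLEAR


if __name__ == "__main__":
    for name, sample in [("pkcs8 clear", SAMPLE_PKCS8_CLEAR),
                         ("pkcs8 encrypted", SAMPLE_PKCS8_ENC),
                         ("rsa clear", SAMPLE_RSA_CLEAR),
                         ("rsa encrypted", SAMPLE_RSA_ENC)]:
        print(name, describe_private_key(sample))
```

Run `describe_private_key(open("mysite.key").read())` on the key from the thread: if it reports `encrypted: False` and the tool still prompts, the key really has no passphrase and Rob's workaround of adding one (for example `openssl rsa -in mysite.key -aes256 -out mysite-enc.key`) is the pragmatic route, since it changes only the PEM wrapping and not the key material.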


Re: [Freeipa-users] ipa server(master) and alternative name

2016-07-06 Thread Rob Crittenden

lejeczek wrote:

hi users,

I'd like to ask if it is possible to add (after deployment is finished) an
AltSubjectName to the fIPA master?


I don't see why not, they are just certs after all. You would need to be 
careful to get the certmonger tracking right but it should be doable.



I shall say what I'm hoping to achieve: having 3 servers, I hope to have
in IPA's DNS a host A record that will resolve to the three servers'
IPs, like e.g. ipa-ca, which seems to hold all servers' IPs.

I started with:

$ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address 10.5.6.100 (which is the master's IP)


For what purpose, to make it easier for users to find the IPA server?


but I feel I got off on the wrong foot there; I see with the ipa command:
ipa: ERROR: cert validation failed for...

((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
as not trusted by the user.)


I assume you've already played with the certificates? The DNS change you 
made wouldn't cause this error.


rob



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again) (SOLVED)

2016-07-06 Thread Bjarne Blichfeldt
The solution was to add the root certificate to tomcat:
/var/lib/pki/pki-tomcat/alias/
Now everything seems to work.


Regards
Bjarne



From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bjarne Blichfeldt
Sent: 23 June 2016 13:40
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again)

Following this thread from January:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
I am trying to accomplish the same, but seem to be stuck.

My environment is:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

# ipa ping
---
IPA server version 4.2.0. API version 2.156
---
# rpm -qa | grep ipa-server
ipa-server-4.2.0-15.el7_2.15.x86_64


Like the OP, I have both a RootCA and a subCA, but I can't figure out how to 
install them. ipa-cacert-manage does not work (known bug).

I am testing by changing the server certificate for ldaps on an IPA replica and 
then running "ldapwhoami" and "ipa-replica-manage -v list" from the master IPA 
against the replica, but the replica's server certificate is never accepted due 
to the missing root certificate.

The problem is how to install the root certificates.
I have tried:
Copying the root certificates to /etc/pki/ca-trust/source/anchors and running 
update-ca-trust - no go.

Installed the root CAs in all the NSS DBs I could think of:

DIR="/etc/httpd/alias /etc/dirsrv/slapd-DNREST-DCBSYS-NET /etc/ipa/nssdb /etc/pki/nssdb"
for dir in $DIR ; do
    certutil -d $dir -A -n ECBsubCA  -i subCA-sha256.pem  -t CT,T,T
    certutil -d $dir -A -n ECBrootCA -i rootCA-sha256.pem -t CT,T,T
done

Also no go.

I am out of ideas now.


--
Regards,
Bjarne


Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-06 Thread Neal Harrington | i-Neda Ltd
Hi Rob,


Thank you very much for your message. Unfortunately/fortunately after rebooting 
or restarting the ssh server this morning it is all working as I would expect. 
I'm not sure what I was missing yesterday but suspect a combination of sssd 
caching may have been confusing me as I'm sure I'd already tried this several 
times.

Thanks again,
Neal.

From: Rob Crittenden 
Sent: 05 July 2016 18:01
To: Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh 
key query

Neal Harrington | i-Neda Ltd wrote:
> Hi,
>
>
> I have successfully installed FreeIPA server version 4.2.0 on CentOS
> 7.2, including replication between servers. I have a few
> dozen Ubuntu 14.04 servers joined into IPA for authentication with
> various user groups controlling access, sudo permissions etc and overall
> I'm very happy.
>
>
> I have however managed to trip myself up by installing the
> Ubuntu clients with the --ssh-trust-dns option and now my users ssh keys
> are not trusted and ssh login falls back to password based on the Ubuntu
> clients.
>
>
> If I uninstall a client, reboot and then reinstall without the
> --ssh-trust-dns option then the users ssh key I imported into the web
> interface is used and login is automatic over ssh.
>
>
> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
> can't see anything to control this. Most of my online searches cover
> other aspects of ssh host keys in DNS. If I've missed anything obvious
> then please point me in the right direction.
>
>
> I have a reasonable number of servers to make this change on and ideally
> I'd like to push out the change to a config file and maybe restart a
> service. Is this behaviour easy to configure or would it be easier to go
> through the uninstall/reboot/reinstall loop? Luckily these are all
> testing servers so not a show stopper but I'd prefer to learn what is
> actually controlling this.

As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?

rob



Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Andreas Ladanyi

Hi,

Is it possible that ipa-server-certinstall couldn't handle private keys 
without a password?


I would test it with a self-signed certificate and a test private key file 
secured with a password, but I don't know what happens after entering a 
valid private key unlock password. Could I stop the certificate import 
process at this point, so that no change happens to my production IPA 
server?


regards,
Andreas

Hi,

I am trying to replace the self-signed certificate from the IPA installation
following this description:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-server-certinstall -w -d mysite.key mysite.crt

The tool asks for the private key unlock password. The private key was
generated without a password. I tried pressing only the Enter key, but
it doesn't help, so I am confused. The certificate and key file are in PEM
format.

For testing I converted the private key with:

openssl rsa -in -out

because I wanted to know if openssl asks me for a password, but it doesn't.

My version number is FreeIPA 4.1.


regards,
Andreas






Re: [Freeipa-users] how to make fIPA stick to only...

2016-07-06 Thread lejeczek



On 05/07/16 18:20, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Mon, 04 Jul 2016, lejeczek wrote:



On 04/07/16 07:59, Petr Spacek wrote:

On 1.7.2016 16:29, lejeczek wrote:


On 01/07/16 12:41, Petr Vobornik wrote:

On 06/30/2016 04:56 PM, lejeczek wrote:

... its own FQHN and its IP?

hi users,

I'm fiddling with rewrites but, being an amateur, cannot figure it out; it's on a multi/home-IP box. Is it possible?

many thanks,

L.


Hi L.

Could you describe your environment and use case in more detail. It is not clear to me what you are trying to achieve or what doesn't work for you.

Thank you
gee, I thought my scenario would be quite common among users: take a box with more than one net if, or even multiple IPs - what would be nice to have is fIPA webui residing/running only on that FQHN and that IP to which the hostname resolves. E.g., here is one single system:
box1.my.dom.local 10.10.1.1 (e.g., I go to https://10.10.1.1/)
ipa.my.dom.local 10.10.1.2
Currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (whether I use the hostname or the IP in the URL).

I think it would be great to have this included (maybe as comments/options) in Apache's configs of IPA future releases, if possible. Is it possible to construct such rules? Or is there a different, simpler way?
I'm still trying to understand your use-case. Why exactly do you need to limit the web UI to one 'host name' while keeping it on the same box?


I'm sorry I cannot explain this better; in my mind it's really simple: if I installed an instance of IPA on ipa.my.dom.local and the system is a multi-homed/IP host, I'd like the webui to run only on that host/IP. This should not even be a matter of "imagine a situation where" but rather assume that IPAs are deployed on such installations and then - why would fIPA have to monopolize all the IPs/IFs there are? Me, I'd like to be able to use httpd under a root of the host's other FQHNs/IPs with other things.

Your IPA masters hold passwords and keys to your company's infrastructure. We recommend avoiding sharing the servers used for running IPA masters with any other applications, because any compromise of those applications can and will be used for taking over your infrastructure, as you have so nicely given the keys to its heart by co-sharing the same system.

It is up to you how you make up your system defense. We as FreeIPA upstream developers put considerable effort into ensuring our default setup is secure enough to avoid such breaches. If you want to co-locate other applications, you need to understand what you are doing and how that affects your security. Effectively, you are on your own on this path.




FTR, I think this is mostly controlled in ipa-rewrite.conf. If the requested host is not the IPA host, or the port is not 443, or the request is for /, then ALL requests are redirected to https://IPAHOST/ipa/ui

This file should have enough comments to figure out what part is doing what if you wanted to tweak it. I have to agree with Alexander though. Running multiple services on what should be the core of your infrastructure isn't recommended.

rob
I know chaps; yes, safety is when paranoia is next to it, together it does look like normal wording, I understand.
Yes, I think that is the config, and it seems that what controls this behaviour is that one rewrite rule.
However, you must also realize that fIPA admins rarely install on separate, dedicated boxes; instead I believe these are "heavy, bulky" and fast and multi-role/connected systems. So having an easy way to control fIPA webui config as an option (if not as default) is great, and it seems it's there.

thanks.



[Freeipa-users] ipa server(master) and alternative name

2016-07-06 Thread lejeczek

hi users,

I'd like to ask if it is possible to add (after deployment is finished) an AltSubjectName to the fIPA master?


I shall say what I'm hoping to achieve: having 3 servers, I hope to have in IPA's DNS a host A record that will resolve to the three servers' IPs, like e.g. ipa-ca, which seems to hold all servers' IPs.


I started with:

$ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address 10.5.6.100 (which is the master's IP)


but I feel I got off on the wrong foot there; I see with the ipa command:


ipa: ERROR: cert validation failed for...

((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)


can this be done?

many thanks,

L



[Freeipa-users] +dnssec in vendor repos - when?

2016-07-06 Thread lejeczek
seems like official repos, CentOS at least, lag a bit behind; currently it's 4.2.0 - question - does this support fully secure DNS?

if not, would devel know when we might be able to feed the new/latest stable off the official repos?


many thanks,

L



Re: [Freeipa-users] AD PDC change

2016-07-06 Thread Alexander Bokovoy

On Wed, 06 Jul 2016, Lachlan Musicman wrote:

Can I just confirm - the IT team are about to migrate our PDC across town.

I presume that the trust relationship is with the domain, not the actual
machine itself. So our IPA server will just see the new PDC and everything
will be smooth?

No need to change any config or create a new trust?

Correct. The information about the trust relationship is stored in AD LDAP
and as such is replicated across all domain controllers.

There might be a period of outage when the PDC is not online yet but is already
announced in the DNS records. At this time SSSD would ideally switch to
another DC.

--
/ Alexander Bokovoy



[Freeipa-users] AD PDC change

2016-07-06 Thread Lachlan Musicman
Can I just confirm - the IT team are about to migrate our PDC across town.

I presume that the trust relationship is with the domain, not the actual
machine itself. So our IPA server will just see the new PDC and everything
will be smooth?

No need to change any config or create a new trust?

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper