Re: [Freeipa-users] Can I migrate group password hashes from NIS?
Joanna Delaporte wrote:
> I have successfully migrated some user password hashes from an NIS domain. I am wondering if there is a similar method for migrating group passwords. I haven't found any discussion or documentation on it.

You do it the same way as users. Note that there are no IPA commands to manage a group password and group passwords are completely untested (the attribute is available though).

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] k5login not working?
Oh wow, I see. I did some playing around with /var/lib/sss/pubconf/krb5.include.d/localauth_plugin in search of a minimum-change scenario and found that this:

[plugins]
localauth = {
module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
# enable_only = sssd
}

seems to get me where I need to be. Adding that one character seems to be enough to make .k5login work as expected. Specifically:

Take a brand new IPA client, created with “ipa-client-install” and accepting the defaults.

Edit /var/lib/sss/pubconf/krb5.include.d/localauth_plugin to comment out the enable_only line as above.

cat <<'EOF' > /root/.k5login
yourusern...@yourdomain.com
EOF

From another computer anywhere in the domain:

kinit yourusern...@yourdomain.com

Then:

ssh -K root@wherever

This works for me. I’ve got all my servers under Salt config management anyway, so it’s not *that* big a deal to add that one byte to each of them.

Thank you very, very much for the help.

On July 6, 2016 at 1:00:53 PM, Sumit Bose (sb...@redhat.com) wrote:
> On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
> > I must be missing something really obvious.
> >
> > Our IPA server is set up in the usual way on CentOS 7.2, just a “yum install ipa-server” and then an “ipa-server-install.” DNS is set up correctly and is working.
> >
> > I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum install ipa-client”, “ipa-client-install.” Auto-detection of the realm, domain and server were normal.
> >
> > But k5login is not working as expected. If I have this .k5login file in the admin user’s home directory on server A:
> >
> > alice@charlietango.com...@charlietango.com
> >
> > I would expect to be able to do this:
> >
> > kinit al...@charlietango.com
> > ssh -K admin@serverA
> >
> > from anywhere in the Kerberos realm. Instead my credentials get rejected and I’m asked for the admin user’s password.
> >
> > It feels like sshd on the server isn’t even looking at k5login. (I also tried k5users; same result.)
> >
> > The permissions on .k5login are correct. I tried it with SELinux off as well just in case that was it.
> >
> > What blindingly obvious thing have I overlooked?
>
> I guess you have an issue similar to https://bugzilla.redhat.com/show_bug.cgi?id=1297462 . The localauth plugin provided by SSSD has too strict default settings. One is the 'enable_only = sssd' option in the config snippet. The other is that it acts authoritative for SSSD users. A fix for both was just pushed upstream today.
>
> If you currently do not need the localauth plugin you can disable it by creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin file and make it unmodifiable with
>
> chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>
> This should allow the default methods including k5login again.
>
> Please note that you might need to add the old RULE based mapping as described in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html or add .k5login files for every user to make GSSAPI authentication work smoothly.
>
> As an alternative we hope to release the next SSSD version including the patches anytime soon and later on there might be a build for 7.2 available.
>
> HTH
>
> bye,
> Sumit
>
> > Thanks.
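As an added illustration of what the exchange above turns on (not code from krb5, SSSD or anyone in the thread): a simplified model of krb5's localauth decision, "may principal P log in as local user U?". Modules are consulted in turn and each answers OK, DENY or "no handle" (pass to the next one). The module order used here (sssd, then the built-in k5login and an2ln modules) and the behaviour of the sssd module (it passes on any principal it cannot map, as the fixed plugin does) are assumptions of the model; the user database and .k5login contents are constructed.

```python
"""Simplified model of MIT krb5's "localauth" decision, added to illustrate why
'enable_only = sssd' keeps ~/.k5login from being consulted. Illustration only,
not krb5 or SSSD code. Assumptions: modules run in the order sssd, k5login,
an2ln; each answers OK, DENY or NO_HANDLE (fall through to the next module);
the sssd module passes on principals it cannot map."""
import re

OK, DENY, NO_HANDLE = "ok", "deny", "no_handle"


def sssd_module(principal, user, sssd_users):
    """Map the principal through SSSD's user database (a constructed dict here)."""
    return OK if sssd_users.get(principal) == user else NO_HANDLE


def k5login_module(principal, user, k5login_files):
    """~user/.k5login lists one principal per line; when the file exists it is
    authoritative: a principal not listed is rejected, not passed on."""
    allowed = k5login_files.get(user)
    if allowed is None:
        return NO_HANDLE
    return OK if principal in allowed else DENY


def an2ln_module(principal, user, default_realm):
    """Default auth_to_local: name@DEFAULT_REALM with one component maps to name."""
    m = re.fullmatch(r"([^/@]+)@([^@]+)", principal)
    if m and m.group(2) == default_realm and m.group(1) == user:
        return OK
    return NO_HANDLE


def localauth_userok(principal, user, *, enable_only=None, sssd_users=None,
                     k5login_files=None, default_realm="EXAMPLE.COM"):
    """Walk the module chain; enable_only (a set of module names) switches
    every other module off, exactly what the stock snippet does with 'sssd'."""
    chain = [
        ("sssd", lambda: sssd_module(principal, user, sssd_users or {})),
        ("k5login", lambda: k5login_module(principal, user, k5login_files or {})),
        ("an2ln", lambda: an2ln_module(principal, user, default_realm)),
    ]
    for name, run in chain:
        if enable_only is not None and name not in enable_only:
            continue
        verdict = run()
        if verdict != NO_HANDLE:
            return verdict == OK
    return False          # no module vouched for the mapping


def parse_k5login(text):
    """Parse .k5login contents (blank lines ignored) into a set of principals."""
    return {line.strip() for line in text.splitlines() if line.strip()}


# constructed data mirroring the thread: alice is an IPA user, root is local,
# root's .k5login lists alice
SSSD_USERS = {"alice@EXAMPLE.COM": "alice"}
K5LOGIN = {"root": parse_k5login("alice@EXAMPLE.COM\n")}


def alice_as_root(enable_only):
    return localauth_userok("alice@EXAMPLE.COM", "root", enable_only=enable_only,
                            sssd_users=SSSD_USERS, k5login_files=K5LOGIN)


if __name__ == "__main__":
    print("stock snippet, enable_only = sssd:", alice_as_root({"sssd"}))
    print("enable_only commented out        :", alice_as_root(None))
```

With the stock snippet the k5login module is never reached, so the file is irrelevant; once enable_only is gone the chain falls through to it and the listed principal is accepted. Sumit's empty-file alternative corresponds to removing the sssd entry from the chain altogether.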
[Freeipa-users] NFS automount - doesn't update UID/GID info on client after chown on nfs server
Hi there,

I am still working on migrating my users from NIS to IPA. I have a lot of it working. However, the issue I am dealing with now is that NFS UID ownership on the nfs/ipa-client machine is not updating when I change the owner's UID and update the files' ownership on the NFS server.

I refreshed the sssd cache and restarted nfs-idmapd before changing owner on the NFS server, to make sure I had the most up-to-date info from the IPA server. The user (20182) correctly owns the files on the NFS server.

I refreshed the sssd cache on the nfs/ipa-client. I also tried restarting nfs-client.target and relogging. No dice. My user files are still owned by the old UID (20114) on the client, even though they are automounted from the NFS server. The user entity is correct on the client (UID 20182).

How do I get the file ownership info to update correctly on the nfs client?

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
Re: [Freeipa-users] k5login not working?
On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
> I must be missing something really obvious.
>
> Our IPA server is set up in the usual way on CentOS 7.2, just a “yum install ipa-server” and then an “ipa-server-install.” DNS is set up correctly and is working.
>
> I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum install ipa-client”, “ipa-client-install.” Auto-detection of the realm, domain and server were normal.
>
> But k5login is not working as expected. If I have this .k5login file in the admin user’s home directory on server A:
>
> alice@charlietango.com...@charlietango.com
>
> I would expect to be able to do this:
>
> kinit al...@charlietango.com
> ssh -K admin@serverA
>
> from anywhere in the Kerberos realm. Instead my credentials get rejected and I’m asked for the admin user’s password.
>
> It feels like sshd on the server isn’t even looking at k5login. (I also tried k5users; same result.)
>
> The permissions on .k5login are correct. I tried it with SELinux off as well just in case that was it.
>
> What blindingly obvious thing have I overlooked?

I guess you have an issue similar to https://bugzilla.redhat.com/show_bug.cgi?id=1297462 . The localauth plugin provided by SSSD has too strict default settings. One is the 'enable_only = sssd' option in the config snippet. The other is that it acts authoritative for SSSD users. A fix for both was just pushed upstream today.

If you currently do not need the localauth plugin you can disable it by creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin file and make it unmodifiable with

chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin

This should allow the default methods including k5login again.

Please note that you might need to add the old RULE based mapping as described in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html or add .k5login files for every user to make GSSAPI authentication work smoothly.

As an alternative we hope to release the next SSSD version including the patches anytime soon and later on there might be a build for 7.2 available.

HTH

bye,
Sumit

> Thanks.
[Freeipa-users] k5login not working?
I must be missing something really obvious.

Our IPA server is set up in the usual way on CentOS 7.2, just a “yum install ipa-server” and then an “ipa-server-install.” DNS is set up correctly and is working.

I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum install ipa-client”, “ipa-client-install.” Auto-detection of the realm, domain and server were normal.

But k5login is not working as expected. If I have this .k5login file in the admin user’s home directory on server A:

alice@charlietango.com...@charlietango.com

I would expect to be able to do this:

kinit al...@charlietango.com
ssh -K admin@serverA

from anywhere in the Kerberos realm. Instead my credentials get rejected and I’m asked for the admin user’s password.

It feels like sshd on the server isn’t even looking at k5login. (I also tried k5users; same result.)

The permissions on .k5login are correct. I tried it with SELinux off as well just in case that was it.

What blindingly obvious thing have I overlooked?

Thanks.
Re: [Freeipa-users] FreeIPA 4.2.0 and Windows XP
On Wed, 06 Jul 2016, Konstantin M. Khankin wrote:
> Yes, I had a look at the eventlog, but there are no failures and no events at all related to failed login. Maybe I can increase verbosity level somehow?

Try to intercept network traffic between Windows XP and IPA master. Maybe it tries to use DCE RPC over SMB as well?

--
/ Alexander Bokovoy
Re: [Freeipa-users] FreeIPA 4.2.0 and Windows XP
Yes, I had a look at the eventlog, but there are no failures and no events at all related to failed login. Maybe I can increase verbosity level somehow?

2016-07-06 20:58 GMT+03:00 Alexander Bokovoy:
> On Wed, 06 Jul 2016, Konstantin M. Khankin wrote:
> > Hi!
> >
> > I'm trying to set up Windows XP to get a Kerberos ticket for the user on login using the following docs:
> >
> > * http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
> > * http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step
> > * Discussion at https://www.redhat.com/archives/freeipa-users/2008-November/msg00063.html
> >
> > I can obtain a kerberos ticket using kinit from JRE (for some reason I can't find another kinit in Windows), but I can't logon. I tried the following:
> > 1) ksetup /mapuser * *
> > 2) ksetup /mapuser *
> > 3) ksetup /mapuser user@DOMAIN user
> > 4) logging not into Kerberos realm, but into local computer using user@DOMAIN login
> > 5) logging into Kerberos realm using "user" login
> > 6) logging into Kerberos realm using user@DOMAIN login
> >
> > With any of these I see successful attempts in krb5kdc.log (so the user passes pre-auth against kdc), but Windows keeps saying that the username or password is not correct.
> >
> > I also tried to reset the user's password in freeipa and then login - windows asked to change password and successfully changed it, but still doesn't let the user in
> >
> > I have no problems with this setup on 2 computers with Windows 7. Haven't tried other computers running Windows XP though
> >
> > What am I doing wrong?
>
> No idea. We don't support this setup at all so your mileage indeed varies a lot.
>
> Did you look at the eventlog on Windows XP?
>
> --
> / Alexander Bokovoy

--
Ханкин Константин
Re: [Freeipa-users] FreeIPA 4.2.0 and Windows XP
On Wed, 06 Jul 2016, Konstantin M. Khankin wrote:
> Hi!
>
> I'm trying to set up Windows XP to get a Kerberos ticket for the user on login using the following docs:
>
> * http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
> * http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step
> * Discussion at https://www.redhat.com/archives/freeipa-users/2008-November/msg00063.html
>
> I can obtain a kerberos ticket using kinit from JRE (for some reason I can't find another kinit in Windows), but I can't logon. I tried the following:
> 1) ksetup /mapuser * *
> 2) ksetup /mapuser *
> 3) ksetup /mapuser user@DOMAIN user
> 4) logging not into Kerberos realm, but into local computer using user@DOMAIN login
> 5) logging into Kerberos realm using "user" login
> 6) logging into Kerberos realm using user@DOMAIN login
>
> With any of these I see successful attempts in krb5kdc.log (so the user passes pre-auth against kdc), but Windows keeps saying that the username or password is not correct.
>
> I also tried to reset the user's password in freeipa and then login - windows asked to change password and successfully changed it, but still doesn't let the user in
>
> I have no problems with this setup on 2 computers with Windows 7. Haven't tried other computers running Windows XP though
>
> What am I doing wrong?

No idea. We don't support this setup at all so your mileage indeed varies a lot.

Did you look at the eventlog on Windows XP?

--
/ Alexander Bokovoy
[Freeipa-users] FreeIPA 4.2.0 and Windows XP
Hi!

I'm trying to set up Windows XP to get a Kerberos ticket for the user on login using the following docs:

* http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
* http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step
* Discussion at https://www.redhat.com/archives/freeipa-users/2008-November/msg00063.html

I can obtain a kerberos ticket using kinit from JRE (for some reason I can't find another kinit in Windows), but I can't logon. I tried the following:
1) ksetup /mapuser * *
2) ksetup /mapuser *
3) ksetup /mapuser user@DOMAIN user
4) logging not into Kerberos realm, but into local computer using user@DOMAIN login
5) logging into Kerberos realm using "user" login
6) logging into Kerberos realm using user@DOMAIN login

With any of these I see successful attempts in krb5kdc.log (so the user passes pre-auth against kdc), but Windows keeps saying that the username or password is not correct.

I also tried to reset the user's password in freeipa and then login - windows asked to change password and successfully changed it, but still doesn't let the user in

I have no problems with this setup on 2 computers with Windows 7. Haven't tried other computers running Windows XP though

What am I doing wrong?

Thanks!

--
Konstantin Khankin
[Freeipa-users] Can I migrate group password hashes from NIS?
I have successfully migrated some user password hashes from an NIS domain. I am wondering if there is a similar method for migrating group passwords. I haven't found any discussion or documentation on it.

Thanks!
Joanna

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
[Freeipa-users] Deny bind for external LDAP if password is expired
Hi,

We are using FreeIPA's LDAP as the base for user authentication in a different application. So far I have created a sysaccount which does the lookup etc. for a user and things are working as expected. I'm even able to use OTP from the external app.

One problem I'm struggling to fix is the expired passwords. Is there a way to deny bind to LDAP only from this application? Obviously the user would need to go to IPA's web UI and reset his password there.

I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but looks like this is an old one.

Thanks.
--Prashant
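One way for the application itself to do what is asked here, as an added example that is not part of the original post and not FreeIPA code: since the sysaccount already searches the user entry before the user's own bind, the application can read IPA's krbPasswordExpiration attribute (GeneralizedTime, e.g. 20160706120000Z) from that entry and refuse to attempt the bind at all when it is in the past. The entries below are constructed, the bind is a stand-in function in place of the application's real LDAP simple bind, and treating a missing expiry as expired (fail closed) is this example's policy choice.

```python
"""Application-side gate for the expired-password case: deny the user's LDAP
bind when IPA's krbPasswordExpiration is absent or in the past. Added example,
not FreeIPA code; entries are constructed and bind_as_user is a stand-in."""
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form IPA uses for krbPasswordExpiration."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired(entry, now=None):
    """True when the entry's expiry is missing (fail closed) or not in the future.
    'entry' is the attribute dict a search returns, values as lists."""
    now = now or datetime.now(timezone.utc)
    values = entry.get("krbPasswordExpiration") or []
    if not values:
        return True
    return parse_generalized_time(values[0]) <= now


def authenticate(entry, password, bind_as_user, now=None):
    """Gate the user bind on the expiry check. bind_as_user(dn, password) -> bool
    stands in for the application's real simple bind against the IPA server."""
    if password_expired(entry, now):
        return False, "password expired; reset it in the IPA web UI"
    ok = bind_as_user(entry["dn"], password)
    return ok, "ok" if ok else "invalid credentials"


# constructed sample entries, shaped like what a sysaccount search returns
NOW = datetime(2016, 7, 6, 12, 0, tzinfo=timezone.utc)
ACTIVE = {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=com",
          "krbPasswordExpiration": [b"20161004120000Z"]}
EXPIRED = {"dn": "uid=bob,cn=users,cn=accounts,dc=example,dc=com",
           "krbPasswordExpiration": [b"20160601120000Z"]}
NO_EXPIRY = {"dn": "uid=carol,cn=users,cn=accounts,dc=example,dc=com"}


def fake_bind(dn, password):
    """Stand-in for the real bind: accepts the constructed passwords only."""
    uid = dn.split(",")[0][len("uid="):]
    return password == {"alice": "s3cret", "bob": "hunter2"}.get(uid)


if __name__ == "__main__":
    for entry, pw in ((ACTIVE, "s3cret"), (EXPIRED, "hunter2"), (NO_EXPIRY, "x")):
        print(entry["dn"], authenticate(entry, pw, fake_bind, NOW))
```

The check only applies to this application, which is what was asked: IPA's own behaviour for expired passwords is untouched, and a user who is refused here still resets the password through the IPA web UI as usual.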
Re: [Freeipa-users] Freeipa and sudo
Yeah, please enable logging in the [sudo] section of sssd.

On Wed, Jul 6, 2016 at 11:03 AM, Jakub Hrozek wrote:
> On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote:
> > Hi Danila and other freeipa gurus,
> > sorry for my late answer, there is a bank holiday in CZ and I am off work these two days.
> > Yes, /etc/nsswitch.conf is fine, see:
> >
> > [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
> > sudoers: files sss
> >
> > I think it is set up as part of freeipa-client package.
> > I went through this guide:
> > https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> We also need to see sssd_sudo.log and the log from the sudo itself (configured in /etc/sudo.conf)
Re: [Freeipa-users] Freeipa and sudo
On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote:
> Hi Danila and other freeipa gurus,
> sorry for my late answer, there is a bank holiday in CZ and I am off work these two days.
> Yes, /etc/nsswitch.conf is fine, see:
>
> [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
> sudoers: files sss
>
> I think it is set up as part of freeipa-client package.
> I went through this guide:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

We also need to see sssd_sudo.log and the log from the sudo itself (configured in /etc/sudo.conf)
Re: [Freeipa-users] Replace with 3rd part certificates
Hi Rob,

> > Hi,
> >
> > is it possible that ipa-server-certinstall couldn't handle private keys without password ?
>
> You can file an RFE at https://fedorahosted.org/freeipa/newticket

It seems that ipa-server-certinstall couldn't handle private keys with password, too. See my result below.

> > i would test it with a self-signed certificate and test private key file secured with password, but i don't know what happens after entering a valid private key unlock password. Could i stop the certificate import process at this point, so no change will happen to my productive ipa server ?
>
> I would not recommend experimenting with random certificates. It should be possible to add a password to your private key. A quick google found http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key

That's a great idea. I have done so and tested again:

openssl rsa -des3 -in private.key -out private_key_with_pw.key

ipa-server-certinstall -w certificate.pem private_key_with_pw.key

After entering the password to unlock the private key i get the message:

Insufficient access: Invalid credentials

Andreas
[Freeipa-users] dns zone forward - no valid signature found
hi everybody

I think this was working some time ago, but for a while queries IPA's DNS forwards wind up like this:

validating @0x7f85dc00f9a0: swir.my.dom A: no valid signature found
validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit (swir.my.dom/DS)
error (broken trust chain) resolving 'swir.my.dom/A/IN': 192.168.2.100#53

dig at IPA DNS and nothing, logs:

validating @0x7f85e0134880: my.dom SOA: no valid signature found
validating @0x7f85e0134880: my.dom NSEC: no valid signature found
validating @0x7f85e0134880: swir.my.dom NSEC: no valid signature found
validating @0x7f85e0134880: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS)

I dig +dnssec directly at the receiving server and the result seems normal, no errors.

IPA's dns is not dnsseced, is this the root of the problem? Or what else might be?

bw.
L
Re: [Freeipa-users] Freeipa and sudo
Hi Danila and other freeipa gurus,
sorry for my late answer, there is a bank holiday in CZ and I am off work these two days.
Yes, /etc/nsswitch.conf is fine, see:

[root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
sudoers: files sss

I think it is set up as part of freeipa-client package.
I went through this guide:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
so I guess things are set right.

When I try to sudo as domain user, sssd_linuxdomain.cz.log says the following:

(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.sudoHandler on path /org/freedesktop/sssd/dataprovider
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_sudo_handler] (0x0400): Entering be_sudo_handler()
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_handler] (0x0400): Issuing a refresh of specific sudo rules
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectClass=sudoRole)(|(cn=Pokusne)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=spcss-2t-www.linuxdomain.cz)(sudoHost=spcss-2t-www)(sudoHost=10.1.62.88)(sudoHost=10.1.62.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*)))][ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 6 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0], ldap[0x7f2389333ff0]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Pokusne,ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Wed
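The ldap_search_ext filter in the log above lists the host facts sssd is matching the rule's sudoHost values against: the FQDN, the short name, the address 10.1.62.88, the 10.1.62.0/24 network, netgroups and wildcards. As an added illustration (written for this page, not sssd or sudo code) of how a sudoHost value is then evaluated against a client, here is a matcher fed with exactly those facts; it is the kind of check worth running against the "Pokusne" rule's sudoHost values when a rule is fetched but never applies. Netgroup values ("+name") need an NSS lookup and are reported as undecidable rather than resolved.

```python
"""Evaluate sudoHost values of an IPA/LDAP sudo rule against one client.
Added illustration of sudo's host matching, not sssd or sudo code. Host facts
are taken from the sssd log in the thread; the rule values are constructed."""
import fnmatch
import ipaddress


class Host:
    def __init__(self, fqdn, short, address):
        self.fqdn = fqdn
        self.short = short
        self.address = ipaddress.ip_address(address)


def sudo_host_matches(value, host):
    """True/False for ALL, names, globs, addresses and networks;
    None for a netgroup, which cannot be decided without NSS."""
    if value == "ALL":
        return True
    if value.startswith("+"):
        return None
    if "/" in value:                       # 10.1.62.0/24 or 10.1.62.0/255.255.255.0
        try:
            return host.address in ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False
    try:
        return ipaddress.ip_address(value) == host.address
    except ValueError:                     # not an address: hostname or glob
        return (fnmatch.fnmatchcase(host.fqdn, value)
                or fnmatch.fnmatchcase(host.short, value))


def rule_applies(sudo_hosts, host):
    """A rule applies when at least one of its sudoHost values matches;
    undecidable netgroup entries do not count as a match here."""
    return any(sudo_host_matches(v, host) is True for v in sudo_hosts)


def explain(sudo_hosts, host):
    """Per-value verdicts, handy when a fetched rule is silently ignored."""
    return {v: sudo_host_matches(v, host) for v in sudo_hosts}


# the client as it appears in the sssd filter above
HOST = Host("spcss-2t-www.linuxdomain.cz", "spcss-2t-www", "10.1.62.88")

if __name__ == "__main__":
    # constructed sudoHost values a rule might carry
    for value, verdict in explain(["ALL", "spcss-2t-www", "10.1.63.0/24",
                                   "*.linuxdomain.cz", "+webservers"], HOST).items():
        print("%-20s -> %s" % (value, verdict))
```

A rule whose only host entries are a netgroup or a network the client is not in comes back from LDAP (the filter asks for "+*" and the netmask) yet does nothing on the client, which looks exactly like "sudo ignores my IPA rule"; the per-value verdicts from explain() show which entry is expected to carry the match.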
Re: [Freeipa-users] ipa server(master) and alternative name
On 06/07/16 13:57, Rob Crittenden wrote:
> lejeczek wrote:
> > hi users,
> >
> > I'd like to ask if it is possible to add (after deployment is finished) an AltSubjectName to the fIPA master?
>
> I don't see why not, they are just certs after all. You would need to be careful to get the certmonger tracking right but it should be doable.
>
> > I shall say what I'm hoping to achieve - having 3 servers I hope to have in IPA's DNS a host, A record that will be resolving to three servers' IPs. Like eg. ipa-ca which seems to hold all servers' IPs.
> > I started with:
> > $ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address 10.5.6.100 (which is master's IP)
>
> For what purpose, to make it easier for users to find the IPA server?

not, IPA, simplest thing I'd like to have: use the same apache IPA on all servers use - a local yum repo to be served from/via dns roundrobin.

> > but I feel I got off on the wrong foot there, I see with ipa command:
> > ipa: ERROR: cert validation failed for... ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>
> I assume you've already played with the certificates? The DNS change you made wouldn't cause this error.

no, actually I have not, I did not add a host nor a service nor a cert, there is no trace of "linux" anywhere, only the dns A record - to get rid of the error I have to remove that new host & restart IPA.

> rob
Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query
Neal Harrington | i-Neda Ltd wrote:
> Hi Rob,
>
> Thank you very much for your message. Unfortunately/fortunately after rebooting or restarting the ssh server this morning it is all working as I would expect. I'm not sure what I was missing yesterday but suspect a combination of sssd caching may have been confusing me as I'm sure I'd already tried this several times.

Very strange indeed. The sssd cache is persistent so rebooting shouldn't have affected it at all.

rob

> Thanks again,
> Neal.
>
> *From:* Rob Crittenden
> *Sent:* 05 July 2016 18:01
> *To:* Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query
>
> Neal Harrington | i-Neda Ltd wrote:
> > Hi,
> >
> > I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2, including replication between servers. I have a few dozen Ubuntu 14.04 servers joined into IPA for authentication with various user groups controlling access, sudo permissions etc and overall I'm very happy.
> >
> > I have however managed to trip myself up by installing the Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys are not trusted and ssh login falls back to password based on the Ubuntu clients. If I uninstall a client, reboot and then reinstall without the --ssh-trust-dns option then the user's ssh key I imported into the web interface is used and login is automatic over ssh.
> >
> > I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and can't see anything to control this. Most of my online searches cover other aspects of ssh host keys in DNS. If I've missed anything obvious then please point me in the right direction.
> >
> > I have a reasonable number of servers to make this change on and ideally I'd like to push out the change to a config file and maybe restart a service. Is this behaviour easy to configure or would it be easier to go through the uninstall/reboot/reinstall loop?
> >
> > Luckily these are all testing servers so not a show stopper but I'd prefer to learn what is actually controlling this.
>
> As far as I can tell this option sets this in sshd.conf:
>
> VerifyHostKeyDNS = yes
> HostKeyAlgorithms = ssh-rsa,ssh-dss
>
> I assume your DNS doesn't contain the SSHFP entries?
>
> rob
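Rob's closing question is the check worth making before turning on --ssh-trust-dns: VerifyHostKeyDNS only does something when the zone carries an SSHFP record per host key. As an added example, written for this page and not FreeIPA or OpenSSH code, here is the SSHFP computation (RFC 4255 algorithm and fingerprint-type numbers, fingerprint over the base64-decoded key blob, the same record ssh-keygen -r prints) together with a comparison against a published record set. The host key used is a constructed blob of fixed bytes, not a real key, and the "published" records are constructed too.

```python
"""Compute SSHFP RDATA for OpenSSH public key lines and check them against a
published record set. Added example, not FreeIPA or OpenSSH code; the key
below is a constructed blob, not a real key."""
import base64
import hashlib

# RFC 4255 / RFC 6594 / RFC 7479 algorithm numbers
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}     # SSHFP fingerprint types


def sshfp_records(pubkey_line, fptypes=(1, 2)):
    """(algorithm, fptype, hex fingerprint) tuples for one 'keytype blob [comment]' line."""
    keytype, blob = pubkey_line.split()[:2]
    alg = KEY_ALGORITHMS[keytype]
    raw = base64.b64decode(blob)
    return [(alg, t, FP_TYPES[t](raw).hexdigest()) for t in fptypes]


def format_sshfp(owner, pubkey_line):
    """Zone-file lines for the key, as ssh-keygen -r would print them."""
    return ["%s IN SSHFP %d %d %s" % (owner, a, t, fp) for a, t, fp in sshfp_records(pubkey_line)]


def dns_covers_host_key(pubkey_line, published):
    """True when at least one record computed from the key is in 'published',
    a set of (algorithm, fptype, hex) tuples as fetched from DNS."""
    return any(rec in published for rec in sshfp_records(pubkey_line))


def constructed_host_key():
    """Syntactically valid ssh-ed25519 blob built from fixed bytes (NOT a real key)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
    return "ssh-ed25519 %s root@host" % base64.b64encode(blob).decode()


if __name__ == "__main__":
    for line in format_sshfp("host.example.com.", constructed_host_key()):
        print(line)
```

On a real client the key lines come from /etc/ssh/ssh_host_*_key.pub and the published set from a DNS query for the host's SSHFP records; a host whose keys yield no record in that set is one for which VerifyHostKeyDNS cannot help.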
Re: [Freeipa-users] Replace with 3rd part certificates
Andreas Ladanyi wrote:
> Hi,
>
> is it possible that ipa-server-certinstall couldn't handle private keys without password ?

You can file an RFE at https://fedorahosted.org/freeipa/newticket

> i would test it with a self-signed certificate and test private key file secured with password, but i don't know what happens after entering a valid private key unlock password. Could i stop the certificate import process at this point, so no change will happen to my productive ipa server ?

I would not recommend experimenting with random certificates. It should be possible to add a password to your private key. A quick google found http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key

rob

> regards,
> Andreas
>
> > Hi,
> >
> > i try to replace the self signed certificate from the ipa installation with this description:
> >
> > http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> >
> > ipa-server-certinstall -w -d mysite.key mysite.crt
> >
> > The tool asks for the private key unlock password. The private key was generated without password. I tried to press only the enter key, but it doesn't help. So i am confused.
> >
> > The certificate and keyfile are in PEM format.
> >
> > For testing I converted the private key with:
> >
> > openssl rsa -in -out
> >
> > because i want to know if openssl asks me for a password, but it doesn't.
> >
> > My version number is FreeIPA 4.1.
> >
> > regards,
> > Andreas
Re: [Freeipa-users] ipa server(master) and alternative name
lejeczek wrote:
> hi users,
>
> I'd like to ask if it is possible to add (after deployment is finished) an AltSubjectName to the fIPA master?

I don't see why not, they are just certs after all. You would need to be careful to get the certmonger tracking right but it should be doable.

> I shall say what I'm hoping to achieve - having 3 servers I hope to have in IPA's DNS a host, A record that will be resolving to three servers' IPs. Like eg. ipa-ca which seems to hold all servers' IPs.
> I started with:
> $ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address 10.5.6.100 (which is master's IP)

For what purpose, to make it easier for users to find the IPA server?

> but I feel I got off on the wrong foot there, I see with ipa command:
> ipa: ERROR: cert validation failed for... ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)

I assume you've already played with the certificates? The DNS change you made wouldn't cause this error.

rob
Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again) (SOLVED)
The solution was to add the root certificate to tomcat: /var/lib/pki/pki-tomcat/alias/

Now everything seems to work.

Regards
Bjarne

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bjarne Blichfeldt
Sent: 23. juni 2016 13:40
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again)

Following this thread from January: https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html

I am trying to accomplish the same, but seem to be stuck. My environment is:

    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 7.2 (Maipo)
    # ipa ping
    ---
    IPA server version 4.2.0. API version 2.156
    ---
    # rpm -qa | grep ipa-server
    ipa-server-4.2.0-15.el7_2.15.x86_64

As the OP I have both a RootCA and a subCA. But I can't figure out how to install them. ipa-cacert-manage does not work, known bug.

I am testing by changing the server certificate for ldaps on an ipa replica and then run "ldapwhoami" and "ipa-replica-manage -v list" from the master ipa against the replica, but the replica server certificate is never accepted due to missing root certificate. The problem is how to install the root certificates.

I have tried:

Copy the root certificates to /etc/pki/ca-trust/source/anchors and run update-ca-trust - no go.

Installed the root CAs in all the nssdb I could think of:

    DIR="/etc/httpd/alias /etc/dirsrv/slapd-DNREST-DCBSYS-NET /etc/ipa/nssdb /etc/pki/nssdb"
    for dir in $DIR ; do
        certutil -d $dir -A -n ECBsubCA -i subCA-sha256.pem -t CT,T,T
        certutil -d $dir -A -n ECBrootCA -i rootCA-sha256.pem -t CT,T,T
    done

Also no go.

I am out of ideas now.

--
Regards,
Bjarne
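An added shell example (not Bjarne's script and not FreeIPA tooling) covering the fix he found: import a root CA and its issuing sub-CA into each NSS database an IPA server consults, this time including /var/lib/pki/pki-tomcat/alias, and read every nickname back so a database that silently did not take the import is reported rather than discovered later by a failing ldapwhoami. The nicknames, the PEM file names and the CERTUTIL override variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not FreeIPA's own tooling: import a root CA and a sub-CA into
# every NSS database an IPA server uses, including the pki-tomcat alias
# directory that was the missing piece in the thread, and verify each import
# by listing the nickname back. File names and nicknames are placeholders.

# CERTUTIL is overridable so the flow can be exercised without NSS installed.
: "${CERTUTIL:=certutil}"

# nssdb_candidates -> prints every known IPA NSS database directory that exists.
# /etc/dirsrv/slapd-* is globbed because the instance name is site specific.
nssdb_candidates() {
    for d in /etc/httpd/alias /etc/dirsrv/slapd-* /etc/ipa/nssdb /etc/pki/nssdb \
             /var/lib/pki/pki-tomcat/alias; do
        [ -d "$d" ] && echo "$d"
    done
    return 0
}

# import_ca DB NICK PEM -> add PEM to DB under NICK with CA trust flags, then
# confirm the nickname is really listed. Trust "CT,C,C" marks the cert as a
# trusted CA for SSL server and client certs, e-mail and object signing.
import_ca() {
    db=$1; nick=$2; pem=$3
    "$CERTUTIL" -d "$db" -A -n "$nick" -i "$pem" -t "CT,C,C" || return 1
    "$CERTUTIL" -d "$db" -L -n "$nick" >/dev/null 2>&1
}

# import_chain ROOTPEM SUBPEM [DB...] -> imports the root and then the sub-CA
# into each DB (default: nssdb_candidates), prints "ok DB" or "FAILED DB" per
# database and returns 1 if any database did not accept both certificates.
import_chain() {
    root=$1; sub=$2; shift 2
    rc=0
    if [ $# -eq 0 ]; then set -- $(nssdb_candidates); fi
    for db in "$@"; do
        if import_ca "$db" RootCA "$root" && import_ca "$db" SubCA "$sub"; then
            echo "ok $db"
        else
            echo "FAILED $db"; rc=1
        fi
    done
    return $rc
}
```

Run as `import_chain rootCA-sha256.pem subCA-sha256.pem` on the replica and restart dirsrv, httpd and pki-tomcatd afterwards; the per-directory verdict tells you immediately which database, if any, still lacks the chain. The root is imported before the sub-CA on purpose: NSS will only mark the sub-CA's chain as valid once its issuer is present.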
Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query
Hi Rob,

Thank you very much for your message. Unfortunately/fortunately after rebooting or restarting the ssh server this morning it is all working as I would expect. I'm not sure what I was missing yesterday but suspect a combination of sssd caching may have been confusing me as I'm sure I'd already tried this several times.

Thanks again,
Neal.

From: Rob Crittenden
Sent: 05 July 2016 18:01
To: Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

Neal Harrington | i-Neda Ltd wrote:
> Hi,
>
> I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2, including replication between servers. I have a few dozen Ubuntu 14.04 servers joined into IPA for authentication with various user groups controlling access, sudo permissions etc and overall I'm very happy.
>
> I have however managed to trip myself up by installing the Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys are not trusted and ssh login falls back to password based on the Ubuntu clients.
>
> If I uninstall a client, reboot and then reinstall without the --ssh-trust-dns option then the user's ssh key I imported into the web interface is used and login is automatic over ssh.
>
> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and can't see anything to control this. Most of my online searches cover other aspects of ssh host keys in DNS. If I've missed anything obvious then please point me in the right direction.
>
> I have a reasonable number of servers to make this change on and ideally I'd like to push out the change to a config file and maybe restart a service. Is this behaviour easy to configure or would it be easier to go through the uninstall/reboot/reinstall loop? Luckily these are all testing servers so not a show stopper but I'd prefer to learn what is actually controlling this.

As far as I can tell this option sets this in sshd.conf:

    VerifyHostKeyDNS = yes
    HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?

rob
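Rob's closing question, whether DNS actually carries SSHFP entries for the hosts, is something you can check without guessing. The following is an added shell example, not part of the thread and not FreeIPA or OpenSSH code: it derives the SSHFP record data from a host public key file (the same RDATA `ssh-keygen -r HOST` publishes) and tells you whether the records DNS currently returns still match that key, which is the check to run on a client where VerifyHostKeyDNS has been turned on. The key blob and the DNS answers it builds are constructed placeholders; only base64 and sha1sum/sha256sum from coreutils are used.

```shell
#!/bin/sh
# Added example (not FreeIPA or OpenSSH code): build the SSHFP records that
# VerifyHostKeyDNS relies on from a host public key file, and check them
# against what DNS returns. The real publishing tool is "ssh-keygen -r HOST";
# this reproduces its RDATA so stale records can be spotted offline.

# sshfp_algo TYPE -> SSHFP algorithm number for an OpenSSH key type (RFC 4255/6594)
sshfp_algo() {
    case $1 in
        ssh-rsa) echo 1;;
        ssh-dss) echo 2;;
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) echo 3;;
        ssh-ed25519) echo 4;;
        *) return 1;;
    esac
}

# sshfp_records PUBKEYFILE -> prints one "ALGO FPTYPE HEX" line per fingerprint
# type (1 = SHA-1, 2 = SHA-256). The fingerprint is the hash of the raw key
# blob, i.e. the base64 field of the .pub line decoded.
sshfp_records() {
    read -r ktype blob _ < "$1"
    algo=$(sshfp_algo "$ktype") || { echo "unsupported key type $ktype" >&2; return 1; }
    sha1=$(printf '%s' "$blob" | base64 -d | sha1sum | cut -d' ' -f1)
    sha256=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
    echo "$algo 1 $sha1"
    echo "$algo 2 $sha256"
}

# sshfp_published PUBKEYFILE DNSFILE -> exit 0 if at least one record matching
# the key is in DNSFILE (one "ALGO FPTYPE HEX" per line, the shape that
# "dig +short SSHFP host" prints), 1 otherwise. Hex case is ignored.
sshfp_published() {
    sshfp_records "$1" | while read -r want; do
        if grep -qi "^$want$" "$2"; then echo match; fi
    done | grep -q match
}

# make_samples DIR -> a constructed .pub file (not a real key: the blob is just
# encoded filler) plus a matching and a stale DNS answer file for the checks.
make_samples() {
    blob=$(printf 'constructed-not-a-real-ed25519-key' | base64 | tr -d '\n')
    echo "ssh-ed25519 $blob root@ipa-client.example.test" > "$1/host.pub"
    sshfp_records "$1/host.pub" > "$1/dns-good.txt"
    echo "4 2 0000000000000000000000000000000000000000000000000000000000000000" > "$1/dns-stale.txt"
}
```

On a real host compare `sshfp_records /etc/ssh/ssh_host_ed25519_key.pub` with `dig +short SSHFP host.example.test` (saved to a file for `sshfp_published`). A mismatch or an empty answer is exactly the situation in which a client with VerifyHostKeyDNS set gets no help from DNS; note also that Rob's quoted HostKeyAlgorithms line only offers ssh-rsa and ssh-dss, so SSHFP records for other key types would not be consulted by such a client.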
Re: [Freeipa-users] Replace with 3rd part certificates
Hi,

is it possible that ipa-server-certinstall couldn't handle private keys without password?

I would test it with a self-signed certificate and a test private key file secured with password, but I don't know what happens after entering a valid private key unlock password. Could I stop the certificate import process at this point, so no change will happen to my productive IPA server?

regards,
Andreas

> Hi,
>
> I try to replace the self-signed certificate from the ipa installation with this description: http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> ipa-server-certinstall -w -d mysite.key mysite.crt
>
> The tool asks for the private key unlock password. The private key was generated without password. I tried pressing only the enter key, but it doesn't help. So I am confused.
>
> The certificate and keyfile are in PEM format. For testing I converted the private key with:
>
> openssl rsa -in -out
>
> because I want to know if openssl asks me for a password, but it doesn't.
>
> My version number is FreeIPA 4.1.
>
> regards,
> Andreas
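Both this message and Rob's reply above turn on the same two steps: find out whether a PEM key is stored encrypted (what Andreas' `openssl rsa -in -out` experiment was probing) and, if not, put a passphrase on it before handing it to ipa-server-certinstall, which is the route Rob points to. The following is an added shell example, not from the thread and not FreeIPA code; the sample files it writes carry only PEM framing with filler, never real key material, and the file names are placeholders.

```shell
#!/bin/sh
# Added example: tell whether a PEM private key is passphrase-protected, and
# add a passphrase to one that is not, as suggested in the thread before running
# ipa-server-certinstall. Not FreeIPA code; file names are placeholders.

# key_is_encrypted FILE -> exit 0 if the PEM carries an encryption header,
# 1 if it is stored in the clear. Both PEM flavours are recognised:
#   traditional "BEGIN RSA PRIVATE KEY" with a "Proc-Type: 4,ENCRYPTED" header
#   PKCS#8      "BEGIN ENCRYPTED PRIVATE KEY"
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# key_storage FILE -> prints "encrypted", "cleartext" or "not-a-pem-key"
key_storage() {
    if ! grep -q 'PRIVATE KEY-----' "$1"; then
        echo not-a-pem-key
    elif key_is_encrypted "$1"; then
        echo encrypted
    else
        echo cleartext
    fi
}

# protect_key IN OUT -> write an AES-256 encrypted copy of IN to OUT, prompting
# for the new passphrase. Uses the stock openssl CLI, as in the StackExchange
# answer linked in the thread. IN is left untouched; switch to OUT only after
# the final check here has confirmed the copy really is encrypted.
protect_key() {
    in=$1; out=$2
    [ "$(key_storage "$in")" = cleartext ] || { echo "$in: not a cleartext PEM key" >&2; return 1; }
    ( umask 077; openssl rsa -aes256 -in "$in" -out "$out" ) || return 1
    key_is_encrypted "$out"
}

# make_samples DIR -> constructed files with PEM framing only (no real key
# material) so the checks above can be exercised offline.
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'MIIEogIBAAKCAQEAconstructedNotARealKey' \
        '-----END RSA PRIVATE KEY-----' > "$dir/clear.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' \
        '' \
        'constructedNotARealKeyCiphertext' \
        '-----END RSA PRIVATE KEY-----' > "$dir/protected.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'MIIconstructedNotARealKey' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/protected-pkcs8.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIconstructed' \
        '-----END CERTIFICATE-----' > "$dir/mysite.crt"
}
```

Typical use: `key_storage mysite.key` answers the question the tool's prompt raised; if it says `cleartext`, run `protect_key mysite.key mysite-protected.key` and pass the protected file to `ipa-server-certinstall -w -d mysite-protected.key mysite.crt`, entering the passphrase you just set. The header check is deliberately independent of openssl so it can be run on a hardened host where the key must not be parsed by anything but the import tool.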
Re: [Freeipa-users] how to make fIPA stick to only...
On 05/07/16 18:20, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Mon, 04 Jul 2016, lejeczek wrote:
>>> On 04/07/16 07:59, Petr Spacek wrote:
>>>> On 1.7.2016 16:29, lejeczek wrote:
>>>>> On 01/07/16 12:41, Petr Vobornik wrote:
>>>>>> On 06/30/2016 04:56 PM, lejeczek wrote:
>>>>>>> ... its own FQHN and its IP?
>>>>>>>
>>>>>>> hi users,
>>>>>>>
>>>>>>> I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible?
>>>>>>>
>>>>>>> many thanks, L.
>>>>>>
>>>>>> Hi L. Could you describe your environment and use case in more detail. It is not clear to me what you are trying to achieve or what doesn't work for you. Thank you
>>>>>
>>>>> gee, I thought my scenario would be quite common among users, take a box with more than one net ifs, or even multiple IPs - what would be nice to have is fIPA webui resides/runs only on that FQHN and that IP to which hostname resolves. Eg, here is one single system:
>>>>>
>>>>> box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
>>>>> ipa.my.dom.local 10.10.1.2
>>>>>
>>>>> currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP)
>>>>>
>>>>> I think it would be great to have included (maybe as comments/options) this in Apache's configs of IPA future releases, if possible. Is it possible to construct such rules? Or is there a different, simpler way?
>>>>
>>>> I'm still trying to understand your use-case. Why exactly you need to limit the web UI to one 'host name' while keeping it on the same box?
>>>
>>> I'm sorry I cannot explain this better, in my mind it's really simple, if I installed an instance of IPA on a ipa.my.dom.local and the system is a multi-homed/IP host I'd like webui to run only on that host/IP.
>>>
>>> This should not even be a matter of "imagine a situation where" but rather assume that IPA's are deployed on such installations and then - why would fIPA have to monopolize all the IP's/IFs there are? Me, I'd like to be able to use httpd under a root of host's other FQHN/IPs with other things.
>>
>> Your IPA masters hold passwords and keys to your company's infrastructure. We recommend to avoid sharing the servers used for running IPA masters with any other applications because any compromise of those applications can and will be used for taking over your infrastructure as you have so nicely given the keys to its heart by co-sharing the same system.
>>
>> It is up to you on how you make up your system defense. We as FreeIPA upstream developers put considerate effort in ensuring our default setup is secure enough to avoid such breaches. If you want to co-locate other applications, you need to understand what you are doing and how that affects your security. Effectively, you are on your own on this path.
>
> FTR, I think this is mostly controlled in ipa-rewrite.conf. If the requested host is not the IPA host or the port is not 443 or the request is for / then ALL requests are redirected to the https://IPAHOST/ipa/ui
>
> This file should have enough comments to figure out what part is doing what if you wanted to tweak it.
>
> I have to agree with Alexander though. Running multiple services on what should be the core of your infrastructure isn't recommended.
>
> rob

I know chaps, yes, safety is when paranoia next to it, together does look like normal wording, I understand.

yes, that I think is the config and seems that to control this behaviour is that one rewrite rule.

However, you must also realize that fIPA admins rarely do install on separate, dedicated boxes, instead I believe these are "heavy, bulky" and fast and multi-role/connected systems. So having an easy way to control fIPA webui config as an option (if not as default) is great, and it seems it's there.

thanks.
[Freeipa-users] ipa server(master) and alternative name
hi users,

I'd like to ask if it is possible to add (after deployment is finished) an AltSubjectName to fIPA master?

I shall say what I'm hoping to achieve - having 3 servers I hope to have in IPA's DNS a host, A record that will be resolving to three servers' IPs. Like eg. ipa-ca which seems to hold all servers' IPs.

I started with:

$ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address 10.5.6.100 (which is master's IP)

but I feel I got off on the wrong foot there, I see with ipa command:

ipa: ERROR: cert validation failed for... ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)

can this be done?

many thanks, L
[Freeipa-users] +dnssec in vendor repos - when?
seems like official repos, centos at least, lag a bit behind, currently it's 4.2.0 - question - does this support fully secure dns?

if not would devel know when we might be able to feed new/latest stable off the official repos?

many thanks, L
Re: [Freeipa-users] AD PDC change
On Wed, 06 Jul 2016, Lachlan Musicman wrote:
> Can I just confirm - the IT team are about to migrate our PDC across town.
>
> I presume that the trust relationship is with the domain, not the actual machine itself. So our IPA server will just see the new PDC and everything will be smooth? No need to change any config or create a new trust?

Correct. The information about trust relationship is stored in AD LDAP and as such replicated across all domain controllers. There might be a period of outage when PDC is not online yet but already announced in the DNS records. At this time SSSD would ideally switch to another DC.

--
/ Alexander Bokovoy
[Freeipa-users] AD PDC change
Can I just confirm - the IT team are about to migrate our PDC across town.

I presume that the trust relationship is with the domain, not the actual machine itself. So our IPA server will just see the new PDC and everything will be smooth? No need to change any config or create a new trust?

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper