Re: [Freeipa-users] SSSD Cache and Service Tickets

2017-05-15 Thread Jakub Hrozek
First, I'm sorry if this mail is not helpful enough; I'm really just replying
to the part I'm familiar with.

On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
> Hi,
> 
> I am confronted with a behaviour for which I do not have an explanation.
> 
> I am using NFS4 Kerberos automounted homeshares and recently I got a
> permission denied (reproducible when I restart autofs on the server I want
> to connect to) from the Windows Domain. So here's what I tried:
> 
> 1) Connected via PuTTY from a Windows Machine in the windows domain
> Kerberos-based login works but I get a "Permission Denied" on my home
> directory; klist shows no tickets

No tickets at all? Not even an expired ticket?

Does running klist in cmd.exe show anything?

> 
> 2) I try to connect from a Linux machine belonging to the IPA domain
> Kerberos-based login works, I can also access my home directory;
> klist shows nfs/ipanfs.ipadomain...@ipadomain.at and the krbtgt for the
> windows domain
> 
> 3) Now - of course - using the homeshares works from both domains windows
> and ipa
> 
> 4) When I do a kdestroy on the machine, using the homeshare when logged in
> from windows still works -
> My question is WHY? Does SSSD cache the NFS ticket?

It does not. The only code in SSSD that caches anything Kerberos related
is the KRB5CCNAME variable value.

> (and why don't I get an nfs ticket when coming from the windows domain?)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Any passwd vault examples?

2017-05-15 Thread Tomas Krizek
On 05/15/2017 02:26 PM, Kat wrote:
> Hi  all --
>
> Just wondering if there are any good examples of using the vault
> features to secure store, use passwords? I have devs that like to
> store them in git and well, I will discipline them appropriately, but
> I wanted to see about using the vault. Is it as simple as it appears to
> be? Just wondering if I am missing something?
>
> Mostly it would be for application management/startup, etc.
>
> Thanks
>
> K
>
Hello,

you should be able to find the information you're looking for in our
Password Vault documentation on the FreeIPA wiki [1]. I think you'd
probably be most interested in the Vault Management chapters in the
Implementation documents.

[1] - https://www.freeipa.org/page/V4/Password_Vault

-- 
Tomas Krizek


Re: [Freeipa-users] is ipa-cert-manage safe to use?

2017-05-15 Thread Rob Crittenden
Harald Dunkel wrote:
> Hi folks,
> 
> I have to renew (or replace) the externally signed certificate
> on my ipa servers using a new ca. Apparently the tool of choice
> is ipa-cacert-manage.
> 
> Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal.
> Problem is, I cannot estimate the risk and if it's worth the effort.
> What happens to freeipa if ipa-cacert-manage fails miserably? Does it
> affect the LDAP database or Kerberos? Will it break the connection
> between my ipa servers or between servers and clients?
> 
> Would you suggest to forget all the "CA stuff" in freeipa and manage
> the certificates externally?
> 
> The platform of the ipa servers is Centos 7.3. There are 100+
> Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2.
> 
> I am highly concerned. Every helpful comment is appreciated.

I'm confused. You mention replacing some "externally signed certificate"
and yet then ask about switching to externally signed certificates. What is
the current configuration? What is signing the existing server certs? Or
do you have an external CA signing the IPA CA?

ipa-cacert-manage is for managing the CA certificate, not service
certificates.

rob



[Freeipa-users] SSSD Cache and Service Tickets

2017-05-15 Thread Ronald Wimmer

Hi,

I am confronted with a behaviour for which I do not have an explanation.

I am using NFS4 Kerberos automounted homeshares and recently I got a 
permission denied (reproducible when I restart autofs on the server I 
want to connect to) from the Windows Domain. So here's what I tried:


1) Connected via PuTTY from a Windows Machine in the windows domain
Kerberos-based login works but I get a "Permission Denied" on my 
home directory; klist shows no tickets


2) I try to connect from a Linux machine belonging to the IPA domain
Kerberos-based login works, I can also access my home directory;
klist shows nfs/ipanfs.ipadomain...@ipadomain.at and the krbtgt for 
the windows domain


3) Now - of course - using the homeshares works from both domains 
windows and ipa


4) When I do a kdestroy on the machine, using the homeshare when logged 
in from windows still works -

My question is WHY? Does SSSD cache the NFS ticket?
(and why don't I get an nfs ticket when coming from the windows 
domain?)


Regards

Ronald




[Freeipa-users] Any passwd vault examples?

2017-05-15 Thread Kat

Hi  all --

Just wondering if there are any good examples of using the vault 
features to secure store, use passwords? I have devs that like to store 
them in git and well, I will discipline them appropriately, but I wanted 
to see about using the vault. Is it as simple as it appears to be? Just 
wondering if I am missing something?


Mostly it would be for application management/startup, etc.

Thanks

K



[Freeipa-users] is ipa-cert-manage safe to use?

2017-05-15 Thread Harald Dunkel
Hi folks,

I have to renew (or replace) the externally signed certificate
on my ipa servers using a new ca. Apparently the tool of choice
is ipa-cacert-manage.

Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal.
Problem is, I cannot estimate the risk and if it's worth the effort.
What happens to freeipa if ipa-cacert-manage fails miserably? Does it
affect the LDAP database or Kerberos? Will it break the connection
between my ipa servers or between servers and clients?

Would you suggest to forget all the "CA stuff" in freeipa and manage
the certificates externally?

The platform of the ipa servers is Centos 7.3. There are 100+
Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2.

I am highly concerned. Every helpful comment is appreciated.

Harri



Re: [Freeipa-users] ipa-client-install: please look for SELINUX=disabled

2017-05-15 Thread Lukas Slebodnik
On (13/05/17 06:52), Harald Dunkel wrote:
>Hi folks,
>
>RHEL 7.3, sssd 1.14.0:
>
>If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail
>(without telling why) and users cannot login. *Extremely* painful.
>
>Do you think ipa-client-install could add
>
>   selinux_provider = none
>
This is just a temporary workaround and not a solution.
And it is already fixed in upstream
https://pagure.io/SSSD/sssd/issue/3297

LS



[Freeipa-users] Freeipa and squid's helper

2017-05-15 Thread Николай Савельев
Hi.
I used 3 servers with FreeIPA. Replicas worked fine. Authentication also.
But today I configured squid and saw errors.
I used ext_kerberos_ldap_group_acl -g domainusers@ -D SOME.LAN -S dc1
user_in_domainusers
ERR

Next ext_kerberos_ldap_group_acl -g domainusers@ -D SOME.LAN -S dc2
Ok

The first server always gives ERR. The other servers always give the right value.
Why?

The first server was created by migration from OpenLDAP. The other servers are 
replicas of the first.


-- 
Best regards, Николай.


Re: [Freeipa-users] Replica cannot be reinitialized after upgrade

2017-05-15 Thread Ludwig Krispenz
The messages you see could be transient messages, and if replication is 
working then this seems to be the case. If not, we would need more data 
to investigate: deployment info, replica IDs of all servers, RUVs, logs, ...


Here is some background info: there are some scenarios where a CSN could 
not be found in the changelog, e.g. if updates were applied on the supplier 
during a total init, they could be part of the data and database RUV, 
but not in the changelog of the initialized replica.
DS did try to use an alternative CSN in cases where it could not be 
found, but this had the risk of missing updates, so we decided to change 
it and make this missing CSN a non-fatal error, back off and retry; if 
another supplier has updated the replica in between, the starting 
CSN could have changed and be found. So if the reported missing CSNs 
change and replication continues, everything is ok, although I think the 
messages should stop at some point.


There is a configuration parameter for a replication agreement to 
trigger the previous behaviour of picking an alternative CSN:


nsds5ReplicaIgnoreMissingChange

with potential values "once", "always",

where "once" just tries to kickstart replication by using another CSN 
and "always" changes the default behaviour.



On 05/11/2017 06:53 PM, Goran Marik wrote:

Hi,

After an upgrade to Centos 7.3.1611 with “yum update", we started seeing the 
following messages in the logs:
“””
May  9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479 +] 
NSMMReplicationPlugin - changelog program - 
agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 
576b34e8000a050f not found, we aren't as up to date, or we purged
May  9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.550459233 +] 
NSMMReplicationPlugin - 
agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data 
required to update replica has been purged from the changelog. The replica must be 
reinitialized.
May  9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476 +] 
agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389) - Can't 
locate CSN 576b34e8000a050f in the changelog (DB rc=-30988). If replication stops, 
the consumer may need to be reinitialized.
May  9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.611400689 +] 
NSMMReplicationPlugin - changelog program - 
agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 
576b34e8000a050f not found, we aren't as up to date, or we purged
May  9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.642226385 +] 
NSMMReplicationPlugin - 
agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data 
required to update replica has been purged from the changelog. The replica must be 
reinitialized.
“””

The log messages are pretty frequent, every few seconds, and report a few 
different CSN numbers that cannot be located.

This happens only on one replica out of 4. We've tried "ipa-replica-manage 
re-initialize --from" and "ipa-csreplica-manage re-initialize --from" several times, 
but while both commands report success, the log messages continue to happen. The 
server was rebooted and "systemctl restart ipa" was done a few times as well.

The replica seems to be working fine despite the errors, but I'm worried that 
the logs indicate an underlying problem we are not fully detecting. I would like 
to understand better what is triggering this behaviour and how to fix it, and 
if someone else saw them after recent upgrades.

The software versions are 389-ds-base-1.3.5.10-20.el7_3.x86_64 and 
ipa-server-4.4.0-14.el7.centos.7.x86_64

Thanks,
Goran

--
Goran Marik
Senior Systems Developer

ecobee
250 University Ave, Suite 400
Toronto, ON M5H 3E5






Re: [Freeipa-users] Replica cannot be reinitialized after upgrade

2017-05-15 Thread Maciej Drobniuch
Hi Goran

Exact same issue here with the same troubleshooting steps taken (I've tried
to reinitialize the replicas with a success msg) - no luck so far.

I've additionally run the ipa_check_consistency script:
FreeIPA servers:     ipa1     ipa2     ipa3     STATE
=====================================================
Active Users         37       37       37       OK
Stage Users          0        0        0        OK
Preserved Users      0        0        0        OK
User Groups          10       10       10       OK
Hosts                69       69       69       OK
Host Groups          7        7        7        OK
HBAC Rules           11       11       11       OK
SUDO Rules           1        1        1        OK
DNS Zones            8        8        8        OK
LDAP Conflicts       YES      YES      YES      FAIL
Ghost Replicas       NO       NO       NO       OK
Anonymous BIND       YES      YES      YES      OK
Replication Status   ipa2 18  ipa1 0   ipa1 0
                     ipa3 0
=====================================================

Besides this, the ipa master named-pkcs is sometimes crashing and ipa
fails to start.
I've rolled back to a backup from 1 week ago and it's starting, but I don't know how
long it will last.

IPA team please help.


# ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
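A small triage script for the pattern Ludwig describes in this thread: it parses the ns-slapd lines Goran quoted, groups the missing-CSN reports per replication agreement, and says whether the requested CSN stayed the same across retries (worth investigating) or moved on (the benign backoff-and-retry case). This is an added example, not code from the thread or from 389-ds; the second log batch and its CSN value are constructed.

```python
import re

AGMT = "cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat"

# ns-slapd lines exactly as quoted in the thread (the UTC offset after the
# timestamp came through the mail as "+]"; the timestamp is not parsed here).
PAGE_LOG = """\
May  9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479 +] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f not found, we aren't as up to date, or we purged
May  9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.550459233 +] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
May  9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476 +] agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389) - Can't locate CSN 576b34e8000a050f in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
May  9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.611400689 +] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f not found, we aren't as up to date, or we purged
May  9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.642226385 +] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
""".splitlines()

# Constructed follow-up line (not from the thread): same agreement, but a
# different CSN, i.e. the starting point moved on after backoff and retry.
CONSTRUCTED_LATER = """\
May  9 21:58:40 inf01 ns-slapd[4323]: [09/May/2017:21:58:40.000000000 +] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34f9000b050f not found, we aren't as up to date, or we purged
""".splitlines()

# Both message shapes seen in the excerpt that carry the CSN the changelog
# lookup failed on.
_MISSING = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \([^)]+\)'
    r"(?::\s*CSN (?P<a>[0-9a-f]+) not found"
    r"|\s*-\s*Can't locate CSN (?P<b>[0-9a-f]+) in the changelog)"
)
_PURGED = "Data required to update replica has been purged"


def parse_missing_csn(line):
    """Return (agreement, csn) if the line reports a CSN missing from the
    changelog, otherwise None."""
    m = _MISSING.search(line)
    if not m:
        return None
    return m.group("agmt"), m.group("a") or m.group("b")


def classify(lines):
    """Group missing-CSN reports per replication agreement.  Verdict 'stuck'
    means every retry asked for the same CSN (nothing moved on); 'changing'
    is the backoff-and-retry case Ludwig describes, where another supplier
    updated the consumer and the starting CSN moved; 'clean' means no
    missing-CSN report was seen for that agreement."""
    report = {}
    for line in lines:
        m = re.search(r'agmt="([^"]+)"', line)
        if not m:
            continue
        entry = report.setdefault(
            m.group(1), {"csns": [], "hits": 0, "purged_warnings": 0})
        hit = parse_missing_csn(line)
        if hit:
            entry["hits"] += 1
            if hit[1] not in entry["csns"]:
                entry["csns"].append(hit[1])   # keep first-seen order
        elif _PURGED in line:
            entry["purged_warnings"] += 1
    for entry in report.values():
        n = len(entry["csns"])
        entry["verdict"] = "clean" if n == 0 else "stuck" if n == 1 else "changing"
    return report


if __name__ == "__main__":
    for agmt, e in classify(PAGE_LOG + CONSTRUCTED_LATER).items():
        print(agmt, e["verdict"], e["csns"], e["hits"], e["purged_warnings"])
```

Run it against a real errors log with `classify(open(path).read().splitlines())`; a "stuck" verdict with a steadily rising hit count is the case where the RUV and changelog data Ludwig asks for is worth collecting.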


Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-15 Thread Timo Aaltonen
On 12.05.2017 12:25, tuxderlinuxfuch...@gmail.com wrote:
> Thanks!
> 
> I followed this manual:
> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
> 
> added the line
> 
> session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
> 
> to the file /etc/pam.d/common-session (find attached)

Don't add it manually, it'll get removed next time pam-auth-update is
run. Instead run pam-auth-update yourself and enable "create home
directory on login".


-- 
t



Re: [Freeipa-users] Easier management of trusted AD users from web UI

2017-05-15 Thread Alexander Bokovoy

On Sun, 14 May 2017, Patrick Hemmer wrote:

> I'm exploring using AD trusts, and am trying to find a good way to get
> better management of trusted objects within FreeIPA.
>
> One example, I add an AD user to an external group, and then add that
> group to a POSIX group. When I want to view all the members of the POSIX
> group, I can only see the native FreeIPA users. I have to manually go
> into each nested group, and view all the external members to determine
> who is in the top group. But from the command line a `getent group FOO`
> shows nested members fine.

This is due to how AD users are represented in IPA. They aren't real LDAP
objects, so the membership plugin is not creating backlinks between groups
and their members. Resolution of external members happens at the place
which evaluates them, e.g. SSSD or an HBAC test tool.


> Another example, I see an external user in a group, and I want more
> information about this user. Their name, department, etc. I can't get
> it. I have to go into AD to find out who this user is. It would be nice
> if I could see this info from within FreeIPA.

Yes, you need to go to the place where this user is defined, e.g. Active
Directory. We do not maintain information about AD users that belongs to
AD. You can only manage overrides for them and even that is optional if
you are using POSIX attributes in AD LDAP.


> Or if I want to add an external user to a group, I have to know that
> user's exact AD logon name. If I only have their real name, or other
> information, I can't search for them and then add them to the group.

Sorry, that's not possible. We are able to address users only by their
samAccountName, their UPN, or directly by their SID. The rest is not
possible to retrieve in the general case when there is more than one domain
in an AD forest arranged in a complex topology. Their other properties
aren't guaranteed to be defined or unique.



> Is there any way to make these types of management tasks simpler? If
> not, is such a thing on the road map?

No for both, so far.


> Or as an alternative, is it possible to use the winsync plugin to pull
> users from AD, but whenever such a user tries to authenticate, the
> authentication is performed against AD? So that FreeIPA is used for
> authorization, but not authentication?

No, this is not possible.

--
/ Alexander Bokovoy
