Re: [Freeipa-users] SSSD Cache and Service Tickets
First, I'm sorry if this mail is not helpful enough, I'm really just replying to the part I'm familiar with On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote: > Hi, > > I am confronted with a behaviour for which I do not have an explanation for. > > I am using NFS4 Kerberos automounted homeshares and and recently I got a > permission denied (reproducible when I restart autofs on the server I want > to connect to) from the Windows Domain. So here's what I tried: > > 1) Connected via PuTTY from a Windows Machine in the windows domain > Kerberos-based login works but I get a "Permission Denied" on my home > directory; klist shows no tickets No tickets at all? Not even an expired ticket? Does running klist in cmd.exe show anything? > > 2) I try to connect form a Linux machine belonging to the IPA domain > Kerberos-based login works, I can also access my home directory; > klist shows nfs/ipanfs.ipadomain...@ipadomain.at and the krbtgt for the > windows domain > > 3) Now - of course - using the homeshares works from both domains windows > and ipa > > 4) When I do a kdestroy on the machine, using the homeshare when logged in > from windows still works - > My question is WHY? Does SSSD cache the NFS ticket? It does not. The only code in SSSD that caches anything Kerberos related is the KRB5CCNAME variable value. > (and why don't I get an nfs ticket when coming from the windows domain?) -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Any passwd vault examples?
On 05/15/2017 02:26 PM, Kat wrote: > Hi all -- > > Just wondering if there are any good examples of using the vault > features to secure store, use passwords? I have devs that like to > store them in git and well, I will discipline them appropriately, but > I wante to see about using the vault. Is it as simple as it appears to > be? Just wondering if I am missing something? > > Mostly it would be for application management/startup, etc. > > Thanks > > K > Hello, you should be able to find the information you're looking for in our Password Vault documentation on the FreeIPA wiki [1]. I think you'd probably be most interested in the Vault Management chapters in the Implementation documents. [1] - https://www.freeipa.org/page/V4/Password_Vault -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] is ipa-cert-manage safe to use?
Harald Dunkel wrote: > Hi folks, > > I have to renew (or replace) the externally signed certificate > on my ipa servers using a new ca. Apparently the tool of choice > is ipa-cacert-manage. > > Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal. > Problem is, I cannot estimate the risk and if its worth the effort. > What happens to freeipa if ipa-cacert-manage fails miserably? Does it > affect the LDAP database or Kerberos? Will it break the connection > between my ipa servers or between servers and clients? > > Would you suggest to forget all the "CA stuff" in freeipa and manage > the certificates externally? > > The platform of the ipa servers is Centos 7.3. There are 100+ > Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2. > > I am highly concerned. Every helpful comment is appreciated. I'm confused. You mention replacing some "externally signed certificate" and yet then ask switching to externally signed certificates. What is the current configuration? What is signing the existing server certs? Or do you have an external CA signing the IPA CA? ipa-cacert-manage is for managing the CA certificate, not service certificates. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] SSSD Cache and Service Tickets
Hi, I am confronted with a behaviour for which I do not have an explanation for. I am using NFS4 Kerberos automounted homeshares and and recently I got a permission denied (reproducible when I restart autofs on the server I want to connect to) from the Windows Domain. So here's what I tried: 1) Connected via PuTTY from a Windows Machine in the windows domain Kerberos-based login works but I get a "Permission Denied" on my home directory; klist shows no tickets 2) I try to connect form a Linux machine belonging to the IPA domain Kerberos-based login works, I can also access my home directory; klist shows nfs/ipanfs.ipadomain...@ipadomain.at and the krbtgt for the windows domain 3) Now - of course - using the homeshares works from both domains windows and ipa 4) When I do a kdestroy on the machine, using the homeshare when logged in from windows still works - My question is WHY? Does SSSD cache the NFS ticket? (and why don't I get an nfs ticket when coming from the windows domain?) Regards Ronald -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Any passwd vault examples?
Hi all -- Just wondering if there are any good examples of using the vault features to secure store, use passwords? I have devs that like to store them in git and well, I will discipline them appropriately, but I wante to see about using the vault. Is it as simple as it appears to be? Just wondering if I am missing something? Mostly it would be for application management/startup, etc. Thanks K -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] is ipa-cert-manage safe to use?
Hi folks, I have to renew (or replace) the externally signed certificate on my ipa servers using a new ca. Apparently the tool of choice is ipa-cacert-manage. Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal. Problem is, I cannot estimate the risk and if its worth the effort. What happens to freeipa if ipa-cacert-manage fails miserably? Does it affect the LDAP database or Kerberos? Will it break the connection between my ipa servers or between servers and clients? Would you suggest to forget all the "CA stuff" in freeipa and manage the certificates externally? The platform of the ipa servers is Centos 7.3. There are 100+ Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2. I am highly concerned. Every helpful comment is appreciated. Harri -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-client-install: please look for SELINUX=disabled
On (13/05/17 06:52), Harald Dunkel wrote: >Hi folks, > >RHEL 7.3, sssd 1.14.0: > >If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail >(without telling why) and users cannot login. *Extremely* painful. > >Do you think ipa-client-install could add > > selinux_provider = none > This is just a temporary workaround and not a solution. And it is already fixed in upstream https://pagure.io/SSSD/sssd/issue/3297 LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Freeipa and squid's helper
Hi. I used 3 servers with freipa. Replica worked fine. Autentication also But today I configured squid and looked errors. I used ext_kerberos_ldap_group_acl -g domainusers@ -D SOME.LAN -S dc1 user_in_domainusers ERR Next ext_kerberos_ldap_group_acl -g domainusers@ -D SOME.LAN -S dc2 Ok First server always give ERR. Other servers always give right value. Why? First server was create whith migration from open-ldap. Other servers - replicas from first. -- С уважением, Николай. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Replica cannot be reinitialized after upgrade
The messages you see could be transient messages, and if replication is working than this seems to be the case. If not we would need more data to investigate: deployment info, relicaIDs of all servers, ruvs, logs,. Here is some background info: there are some scenarios where a csn could not be found in the changelog, eg if updates were aplied on the supplier during a total init, they could be part of the data and database ruv, but not in the changelog of the initialized replica. ds did try to use an alternative csn in cases where it could not be found, but this had the risk of missing updates, so we decided to change it and make this misssing csn a non fatal error, backoff and retry, if another supplier would have updated the replica in between, the starting csn could have changed and be found. so if the reported missing csns change and replication continues everything is ok, although I think the messages should stop at some point. There is a configuration parameter for a replciation agreement to trigger the previous behaviour of picking an alternative csn: nsds5ReplicaIgnoreMissingChange with potential values "once", "always". where "once" just tries to kickstart replication by using another csn and "always" changes the default behaviour On 05/11/2017 06:53 PM, Goran Marik wrote: Hi, After an upgrade to Centos 7.3.1611 with “yum update", we started seeing the following messages in the logs: “”” May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479 +] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f not found, we aren't as up to date, or we purged May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.550459233 +] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized. May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476 +] agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389) - Can't locate CSN 576b34e8000a050f in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.611400689 +] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f not found, we aren't as up to date, or we purged May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.642226385 +] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized. “”” The log messages are pretty frequently, every few seconds, and report few different CSN numbers that cannot be located. This happens only on one replica out of 4. We’ve tried "ipa-replica-manage re-initialize —from” and “ipa-csreplica-manage re-initialize —from” several times, but while both commands report success, the log messages continue to happen. The server was rebooted and “systemctl restart ipa” was done few times as well. The replica seems to be working fine despite the errors, but I’m worried that the logs indicate underlaying problem we are not fully detecting. I would like to understand better what is triggering this behaviour and how to fix it, and if someone else saw them after a recent upgrades. The software versions are 389-ds-base-1.3.5.10-20.el7_3.x86_64 and ipa-server-4.4.0-14.el7.centos.7.x86_64 Thanks, Goran -- Goran Marik Senior Systems Developer ecobee 250 University Ave, Suite 400 Toronto, ON M5H 3E5 -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Replica cannot be reinitialized after upgrade
Hi Goran Exact same issue here with the same troubleshooting steps taken(I've tried to reinitialize the replicas with success msg) - no luck so far. I've additionally have run ipa_check_consistency script: FreeIPA servers:ipa1 ipa2 ipa3STATE === Active Users373737OK Stage Users 0 0 0 OK Preserved Users 0 0 0 OK User Groups 101010OK Hosts 696969OK Host Groups 7 7 7 OK HBAC Rules 111111OK SUDO Rules 1 1 1 OK DNS Zones 8 8 8 OK LDAP Conflicts YES YES YES FAIL Ghost Replicas NONONOOK Anonymous BIND YES YES YES OK Replication Status ipa2 18 ipa1 0ipa1 0 ipa3 0 === Besides of this the ipa master named-pkcs is sometimes crashing and ipa fails to start. I've rolled a backup from 1week ago and it's starting but I don't know how long it will last. IPA team please help. # ipa --version VERSION: 4.4.0, API_VERSION: 2.213 -- Best regards Maciej Drobniuch Network Security Engineer Collective-Sense,LLC On Thu, May 11, 2017 at 6:53 PM, Goran Marikwrote: > Hi, > > After an upgrade to Centos 7.3.1611 with “yum update", we started seeing > the following messages in the logs: > “”” > May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479 > +] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1- > inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f > not found, we aren't as up to date, or we purged > May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.550459233 > +] NSMMReplicationPlugin - agmt="cn=cloneAgreement1- > inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update > replica has been purged from the changelog. The replica must be > reinitialized. > May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476 > +] agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" > (inf02:389) - Can't locate CSN 576b34e8000a050f in the changelog (DB > rc=-30988). If replication stops, the consumer may need to be reinitialized. > May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.611400689 > +] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1- > inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f > not found, we aren't as up to date, or we purged > May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.642226385 > +] NSMMReplicationPlugin - agmt="cn=cloneAgreement1- > inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update > replica has been purged from the changelog. The replica must be > reinitialized. > “”” > > The log messages are pretty frequently, every few seconds, and report few > different CSN numbers that cannot be located. > > This happens only on one replica out of 4. We’ve tried "ipa-replica-manage > re-initialize —from” and “ipa-csreplica-manage re-initialize —from” several > times, but while both commands report success, the log messages continue to > happen. The server was rebooted and “systemctl restart ipa” was done few > times as well. > > The replica seems to be working fine despite the errors, but I’m worried > that the logs indicate underlaying problem we are not fully detecting. I > would like to understand better what is triggering this behaviour and how > to fix it, and if someone else saw them after a recent upgrades. > > The software versions are 389-ds-base-1.3.5.10-20.el7_3.x86_64 and > ipa-server-4.4.0-14.el7.centos.7.x86_64 > > Thanks, > Goran > > -- > Goran Marik > Senior Systems Developer > > ecobee > 250 University Ave, Suite 400 > Toronto, ON M5H 3E5 > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
On 12.05.2017 12:25, tuxderlinuxfuch...@gmail.com wrote: > Thanks! > > I followed this manual: > https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir > > added the line > > sessionrequiredpam_mkhomedir.so skel=/etc/skel/ umask=0022 > > to the file /etc/pam.d/common-session (find attached) Don't add it manually, it'll get removed next time pam-auth-update is run. Instead run pam-auth-update yourself and enable "create home directory on login". -- t -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Easier management of trusted AD users from web UI
On su, 14 touko 2017, Patrick Hemmer wrote: I'm exploring using AD trusts, and am trying to find a good way to get better management of trusted objects within FreeIPA. One example, I add an AD user to an external group, and then add that group to a POSIX group. When I want to view all the members of the POSIX group, I can only see the native FreeIPA users. I have to manually go into each nested group, and view all the external members to determine who is in the top group. But from the command line a `getent group FOO` shows nested members fine. This is due to how AD users represented in IPA. They aren't real LDAP objects so membership plugin is not creating backlinks between groups and their members. Resolution of external members happens at the place which evaluates them, e.g. SSSD or an HBAC test tool. Another example, I see an external user in a group, and I want more information about this user. Their name, department, etc. I can't get it. I have to go into AD to find out who this user is. It would be nice if I could see this info from within FreeIPA. Yes, you need to go to the place where this user is defined, e.g. Active Directory. We do not maintain information about AD users that belongs to AD. You can only manage overrides for them and even that is optional if you are using POSIX attributes in AD LDAP. Or if I want to add an external user to a group, I have to know that user's exact AD logon name. If I only have their real name, or other information, I can't search for them and then add them to the group. Sorry, that's not possible. We are able to address users only by their samAccountName, their UPN, or directly by their SID. The rest is not possible to retrieve in general case when there are more than one domain in AD forest arranged in a complex topology. Their other properties aren't guaranteed to be defined or unique. Is there any way to make these types of management tasks simpler? If not, is such a thing on the road map? No for both, so far. Or as an alternative, is it possible to use the winsync plugin to pull users from AD, but whenever such a user tries to authenticate, the authentication is performed against AD? So that FreeIPA is used for authorization, but not authentication? No, this is not possible. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project