Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Anon Lister
Unfortunately, policy and regulation often lag behind current theory by
several decades. For what it's worth, I'd second being able to set more
complicated policies as a useful feature.

On Oct 12, 2016 6:38 PM, "Simpson Lachlan" wrote:

> > -Original Message-
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bennett, Chip
> > Sent: Thursday, 13 October 2016 7:21 AM
> > To: Florence Blanc-Renaud; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
> >
> > Flo,
> >
> > Thanks for getting back to me. I had seen this in the documentation. I was just
> > hoping that I was missing something. I guess I'm just surprised that a product
> > designed to manage authentication wouldn't have a way to be more specific in the
> > complexity requirements.
>
>
> I don't know. Those type of complexity requirements are multifaceted,
> complex and somewhat arbitrary. Given that each then requires regex, I'm
> quite happy that the devs focus on getting other aspects of FreeIPA to work
> over password complexity.
>
> As xkcd noted a couple of years ago, password length is better for
> security than anything else.
>
> Complex arrangements of different character classes is neither human or UX
> friendly nor where contemporary security theory is focused - try 2FA,
> public/private keys, etc. While I understand that large organisations have
> policy that often drags well behind contemporary theory, I don't think it's
> fair to expect software to also allow for that.
>
> Cheers
> L.
>
>
>
>
>
>
> >
> > Thanks again!
> > Chip
> >
> > -Original Message-
> > From: Florence Blanc-Renaud [mailto:f...@redhat.com]
> > Sent: Wednesday, October 12, 2016 3:18 PM
> > To: Bennett, Chip; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> > Insufficient
> >
> > On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> > > I just joined this list, so if this question has been asked before
> > > (and I'll bet it has), I apologize in advance.
> > >
> > > A google search was unrevealing, so I'm asking here: we're running
> > > FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password
> > > complexity requirements are limited to setting the number of character
> > > classes to require, i.e. setting it to "2" would require your new
> > > password to be any two of the character classes.
> > >
> > > What if you wanted new passwords to meet specific class requirements,
> > > i.e. a mix of UC, LC, and numbers. It looks like you would use a
> > > value of "3" to accomplish this, but that would also allow UC, LC, and
> > > special, or LC, numbers, and special, but you don't want to allow
> > > those: how would you specify that?
> > >
> > Hi,
> >
> > as far as I know, it is only possible to specify the number of different
> > character classes. The doc chapter "Creating Password Policies in the Web UI" [1]
> > describes the following:
> > ---
> > Character classes sets the number of different categories of character
> > that must be used in the password. This does not set which classes must be
> > used; it sets the number of different (unspecified) classes which must be
> > used in a password. For example, a character class can be a number, special
> > character, or capital; the complete list of categories is in Table 22.1,
> > "Password Policy Settings". This is part of setting the complexity
> > requirements.
> > ---
> >
> > hope this clarifies,
> > Flo
> >
> > [1]
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui
> >
> >
> > >
> > > Also, what if you had a requirement for more than one of the character
> > > classes, i.e. you want to require two UC characters or two special
> > > characters?
> > >
> > > Thanks in advance for the help,
> > >
> > > Chip Bennett
> > >
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
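To make the doc paragraph quoted in this thread concrete (the policy counts how many classes appear, never which), here is an added Python model, not FreeIPA's own code, of that single knob beside the two checks Chip asked for and cannot express: "all of these classes" and "at least N characters of class X". The four ASCII class sets are an assumption chosen to mirror the doc's description; the real plugin's exact class list and its other checks are not reproduced.

```python
# Added example (not FreeIPA's own code): model the one knob the FreeIPA 3.0
# password policy exposes, "number of character classes", next to the two
# checks the thread asks for: "all of these classes" and "N chars of class X".
# Assumption: four ASCII classes mirroring the doc quoted above (upper, lower,
# digit, special). The real krb5/IPA plugin's exact class list, 8-bit handling
# and its other checks (history, dictionary, repeats) are not reproduced.
import string

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def class_counts(password):
    """Count how many characters of each class the password contains."""
    counts = dict.fromkeys(CLASSES, 0)
    for ch in password:
        for name, members in CLASSES.items():
            if ch in members:
                counts[name] += 1
                break  # classes are disjoint, so one hit is enough
    return counts


def passes_ipa_style_policy(password, min_classes, min_length=8):
    """IPA-style rule: *how many* distinct classes appear, never *which*."""
    distinct = sum(1 for n in class_counts(password).values() if n > 0)
    return len(password) >= min_length and distinct >= min_classes


def passes_specific_policy(password, required, min_length=8):
    """What the thread asks for: required maps class name -> minimum count,
    e.g. {"upper": 1, "lower": 1, "digit": 1} or {"upper": 2, "special": 2}."""
    counts = class_counts(password)
    return len(password) >= min_length and all(
        counts[name] >= minimum for name, minimum in required.items()
    )


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    mixed = {"upper": 1, "lower": 1, "digit": 1}
    doubled = {"upper": 2, "special": 2}
    for pw in ("Correct-Horse!", "Tr0ub4dor&3", "troubadour42"):
        print(pw, class_counts(pw),
              "classes>=3:", passes_ipa_style_policy(pw, 3),
              "UC+LC+digit:", passes_specific_policy(pw, mixed),
              "2xUC+2xspecial:", passes_specific_policy(pw, doubled))
```

"Correct-Horse!" is the case Chip describes: it satisfies a "3 classes" policy (upper, lower, special) while containing no digit at all.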

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Anon Lister
Sorry, certified openssl implementation*

On Aug 4, 2016 9:38 AM, "Anon Lister" <listera...@gmail.com> wrote:

> I'd also like to throw in that the requirements you are facing are likely
> requiring FIPS Certified, not just compliant, as I'm somewhat familiar with
> them. (800-53 or 800-171)
>
> Essentially it will have to fall back on the FIPS compliant openssl
> implementation, however I believe there are other crypto routines used in
> free IPA that are used to protect the confidentiality of information? Can
> we get a response from devs on that?
>
> The crypto only has to be FIPS if protecting confidentiality is its use.
> Crypto protecting integrity only does not need to be FIPS.
>
> On Aug 4, 2016 9:27 AM, "Michael Sean Conley" <michael.sean.con...@raytheon.com> wrote:
>
> Does ANYONE have any experience getting IPA to work with FIPS?
>
> We're trying desperately to get this going, as we have some requirements
> that the Identity Management Tool we choose must be FIPS 140-2 compliant.
>
> GGHHH
>
> *Michael Sean Conley*
>

Re: [Freeipa-users] Account/password expirations

2016-04-29 Thread Anon Lister
Yep sorry I missed that. You need to put your public keys in IPA.

On Apr 29, 2016 3:32 AM, "Jakub Hrozek" wrote:

On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote:
> > You can still authenticate with SSH keys, but to access any NFS 4 shares
> > they will need a Kerberos ticket, which can be obtained via a 'kinit' after
> > logging in.
> >
>
> Then how does the key authentication work if the .ssh directory on nfs4 is
> not accessible ? Doesn't the key authentication process rely on
> .ssh/authorized keys being readable by the authentication module ?

SSSD can fetch the authorized keys from IPA, see man
sss_ssh_authorizedkeys(1)

Re: [Freeipa-users] Account/password expirations

2016-04-28 Thread Anon Lister
You can still authenticate with SSH keys, but to access any NFS 4 shares
they will need a Kerberos ticket, which can be obtained via a 'kinit' after
logging in. I forget what the default timeout is but they do expire, and at
that point access to those shares (by a user or process acting as that
user) will not be allowed. You may increase the timeout to something
comfortable. We have a solution where we have tickets set at a day and a
login script prompts for the password (actually just runs kinit) for the
user if their ticket is expired, which covers interactive login; however it
does break scp unless they login first. For us it hasn't come up enough to
warrant coming up with another solution.

Note this is for sec=krb*, you can do nfs4 sec=sys and get no extra
security but other features of v4, and mount as normal.

-Anon

On Apr 28, 2016 5:09 PM, "Prasun Gera" wrote:

>> Moreover, if you login through an SSH key, you don't get a ticket on
>> login and you can't kinit, so you can't access any network resources
>> anyway..
>>
> A bit off topic, but a related question:
> How does nfsv4 work with ssh keys ? Does it mean that you can't use ssh
> keys if /home is nfsv4 mounted ? I had tried nfsv4 briefly, but had some
> issues, and didn't look it in too much detail. Also, is it possible to use
> nfsv4 home in an HPC cluster environment where something like torque or
> slurm schedules jobs ? For nfsv3, I suppose the workload manager runs as
> the user, and hence it can read/write to the user's directory. Would it
> still be possible to do that in an nfsv4 system ? How would renewals happen
> for long running jobs without any user interaction ?
>

Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread Anon Lister
I would like an alert when my IPA servers successfully establish a
bidirectional trust with mutual authentication with our AD server.
Actually I could even skip the alert ;)

On Mar 9, 2016 11:27 AM, "Petr Spacek" wrote:

> Dear users,
>
> FreeIPA team is thinking about adding notification system (or 'hooks') to
> various parts of FreeIPA.
>
> If you happen to know about a use-case for hook or an event you want to
> react to please let us know.
>
> Example:
> - As admin, I want to call my custom script when a host is deleted. (E.g.
> to do cleanup in our other internal systems.)
> - As user, I want to get a notification when ...
>
> Be creative and let us know as soon as you find the use-case.
>
> Thank you very much!
>
>
> BTW design page is on:
> http://www.freeipa.org/page/V4/Notification_system
> (but it is mostly empty at the moment).
>
> --
> Petr^2 Spacek
>

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-20 Thread Anon Lister
So I had the same problem. For me it ended up being that some attribute was
not created correctly in 389 using the instructions in the guide. I don't
remember what it was off the top of my head. Something about a default user
or group SID I think. Had to turn samba logging up. Eventually it shows the
attribute it is failing on. I ended up manually adding it with vildap and
it worked fine after that. If no one else gets it I'll poke around and see
if I can find what it was; took me several hours to debug due to the
somewhat misleading error message.

On Jan 19, 2016 1:37 PM, "Jon" wrote:

> Hello,
>
> While following the guide on setting up FreeIPA with AD, I got to the
> step where I'm adding the AD trust to FreeIPA but I receive an error:
>
>   >> Active Directory domain administrator's password:
>   >> ipa: ERROR: CIFS server communication error: code "-1073741801",
>   >> message "Memory allocation error" (both may be "None")
>
> Thinking that the error was what was stated (my VM at the time only had
> 1GB of ram), I shutdown my VM (memory hot add was not enabled in VMware, it
> is now), bumped the RAM to 4GB, and booted the VM.
>
> Upon running the same command after reboot I received an error:
>
>   >> ipa: ERROR: did not receive Kerberos credentials
>
> kinit admin is also reporting an error:
>
>   >> kinit: Cannot contact any KDC for realm 'myrealm' while getting initial credentials
>
> trying to start FreeIPA in debug mode identified the samba service as at
> fault.
>
>   >> Jan 19 10:19:50 myfreeipaserver smbd[3676]:   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/myfreeipaser...@sub.domain.mydomain.com
>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19 10:19:51.261648,  0] ipa_sam.c:4520(pdb_init_ipasam)
>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]:   Failed to get base DN.
>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19 10:19:51.262675,  0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]:   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-MYDOMAIN-COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>
> Googling for these errors turned up a few similar threads but none of the
> solutions seemed to work and all signs pointed to AD integration as the
> culprit...
>
> So I did what any good sysadmin would do and forced freeipa to start while
> ignoring any failures.  Every service except samba starts without issue.
>
> So I tried my trust connection again, and received the same error,
>
>   >> Active Directory domain administrator's password:
>   >> ipa: ERROR: CIFS server communication error: code "-1073741801",
>   >> message "Memory allocation error" (both may be "None")
>
> Which brought me to googling two bug reports opened on this exact issue:
>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=878168
> >> https://fedorahosted.org/freeipa/ticket/3266
>
> Both of these bug reports indicate there's an upstream bug in Samba, the
> bug has been closed and reopened at least once.  I did add the AD servers
> to /etc/hosts and rebooted the server.  I have to go through the same
> process of forcing freeipa to start after the server rebooted... However, I
> received the same error message.
>
> While the bug report is currently closed, I seem to be experiencing the
> same issues...
>
> Given this bug report, can you please answer me these questions three:
>
> 1)  Given the issues with Samba starting after reboot, is this bug report
> actually what's wrong or is the error message when trying to create a trust
> a red herring and it's actually samba that's the problem?
> 2)  Does this bug report mean that trusts between FreeIPA and AD are
> broken and can not be established until the upstream bug in Samba is fixed?
> 3)  Is there a workaround?  (as adding the domain controllers to
> /etc/hosts with IPv4 address does not appear to work)
>
> System Stats:
> - AD Server:  Win2k8R2
> - FreeIPA server:
>
> >> CentOS Linux release 7.2.1511 (Core)
>
>
> >> # uname -a
> >> Linux myserver 3.10.0-327.4.4.el7.x86_64 #1 SMP Tue Jan 5 16:07:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> >> # rpm -qa | grep ipa
> >> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
> >> ipa-server-4.2.0-15.el7.centos.3.x86_64
> >> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
> >> python-iniparse-0.4-9.el7.noarch
> >> libipa_hbac-1.13.0-40.el7_2.1.x86_64
> >> sssd-ipa-1.13.0-40.el7_2.1.x86_64
> >> ipa-python-4.2.0-15.el7.centos.3.x86_64
> >> ipa-client-4.2.0-15.el7.centos.3.x86_64
> >> ipa-server-trust-ad-4.2.0-15.el7.centos.3.x86_64
> >> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
>
>
> I appreciate any help.  I've been trying to get FreeIPA going for a couple
> of weeks now and have run into nothing but frustrations.  The funny thing
> is, I've never 

[Freeipa-users] Bi directional login with AD trusts

2015-12-30 Thread Anon Lister
Hello,

New to list. This is kind of a followup to the post here:
https://www.redhat.com/archives/freeipa-users/2015-January/msg00351.html

We are one of the odder shops that runs almost entirely linux, but the need
to support some windows stuff that requires AD has come up. We have things
set up as domain.com (NetBIOS name: DOM), with ipa.domain.com and
ipa-replica.domain.com.

We just added win.domain.com with a windows DC on ad.win.domain.com (NB
Name: WIN).

We are running EL 6.7/ipa 3.0.0. We got the trust setup working, can
confirm we can mount (test) shares from IPA to windows domain, can login to
the linux boxes with windows user credentials, but have been unable to
figure out how to login to the windows boxes with ipa credentials (this was
really our primary use case, as everything is managed in IPA and hits it
for authentication, we were hoping to not have to manage 2 sets of accounts
for the people needing windows, two places to update passwords, etc.).

Is there support for bidirectional login in newer FreeIPA? I found the
above thread that seemed to suggest you could not use IPA credentials for
logging into the windows domain. Has this changed at all? We would be
willing to look at upgrading to EL7 (or, I'd rather not, but even Fedora
Server, if we can get this feature). If not, is it down the pipeline?

Thanks!