Re: [Freeipa-users] Distributing user keytabs for non-interactive auth question
Matt,

Try the following...

  # Get admin TGT
  kinit ad...@realm.com

  # Get keytab for user account
  ipa-getkeytab -s coipa100 -p cron_run...@realm.com -k ipa_cron_runner.keytab

  # Clear tickets
  kdestroy

  # Request TGT using the keytab
  kinit -k -t ./ipa_cron_runner.keytab cron_run...@realm.com

  # List tickets
  klist

I recommend including the username somewhere in the name of the keytab file itself, which makes it easier to remember. Of course, be careful with the permissions on the keytab file, because anyone that has read access to the keytab can get a TGT as that user.

-Mike

-----Original Message-----
>From: Matthew Sellers
>Sent: Sep 25, 2016 8:37 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] Distributing user keytabs for non-interactive auth question
>
>Hi Guys,
>
>What is the best way to distribute a 'user' keytab to allow 'system users' to run scripts with non-interactive auth? Is it possible to use the ipa-getkeytab feature (with the "-r" option) to request a keytab for a user principal? I see support for HOST and SERVICE keytabs, but nothing specific to user keytabs?
>
>Concept Example:
>
>ipa-getkeytab -s ipa_server -p cron_run...@realm.com -k ipa_cron.keytab -r
>KRB5_KTNAME=ipa_cron.keytab service.py
>
>Actual Results (tried with tgt for cron_runner or admin):
>
>[sysadmin@01 ~]$ ipa-getkeytab -s coipa100 -p cron_run...@realm.com -kipa_cron.keytab -r
>Failed to parse result: Insufficient access rights
>
>My only other option is to grab the keytab and copy it around after initial creation (understanding that each keytab request bumps the KVNO). My goal is to make password-less authentication for automated processes as easy as possible to set up... ipa-getkeytab seems like it's almost there?
>
>Love the work you guys are putting out, it's a really cool system.
>
>Thanks,
>Matt
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project
[Freeipa-users] AD integration and transitive trusts
At my company, we are trying to set up a pilot with FreeIPA and we are having some issues. We would like to leverage our corporate AD infrastructure, which mainly lives in "somedom2.com" and is a member of the "rootdom1.com" forest. Note the different DNS naming between the root domain and the tree. Our FreeIPA domain is lnx.somedom2.com and is joined to rootdom1.com. If we create users in rootdom1.com, we can use those accounts on servers joined to lnx.somedom2.com, but user accounts under somedom2.com will not work. Could this be a transitive trust issue? Is there something unique we need to set up on the Linux servers under lnx.somedom2.com (sssd.conf or krb5.conf) to allow authentication from somedom2.com?

  rootdom1.com      (forest root domain)
  somedom2.com      (main domain tree, user and group accounts which need access to lnx.somedom2.com)
  lnx.somedom2.com  (FreeIPA domain, joined to forest rootdom1.com)

-Mike
Re: [Freeipa-users] What id my AD domain user password not available
That looks good. I see you are using an external DNS source for the IPA domain, correct? You may need to do some additional steps on the FreeIPA server, because by default it will configure BIND and populate resource records for the IPA domain (for example, SRV records like _ldap._tcp.kw.example.com). I'm not familiar with setting up FreeIPA with an external DNS, but I'm sure there are some instructions out there.

-Mike

-----Original Message-----
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 23, 2016 2:22 PM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi,

In my case I have 2 domains:

  AD DNS: corp.example.kw.com
  Main DNS (from appliance): kw.example.com

All the Linux boxes are pointed to kw.example.com, so I put my IPA server hostname as ipa.kw.example.com and created A & PTR records on kw.example.com. Is that the correct way?

Regards,
Ben

On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Ben,

Yes, that is a requirement. Just creating the A & PTR records for your FreeIPA server is not enough. You will need to keep the DNS zones separate too, example:

  Windows AD Domain:    mydomain.com
  FreeIPA Realm/Domain: subdomain.mydomain.com

You cannot have a cross-forest trust between two domains with the same DNS zone name. So if you have a flat DNS namespace, then you will want to plan accordingly to move all the Linux boxes that will participate in the FreeIPA domain into the new DNS zone.

-Mike

-----Original Message-----
From: "Ben .T.George"
Sent: May 23, 2016 10:44 AM
To: Michael ORourke
Cc: freeipa-users
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi,

Yeah, that GIF screen I shared with him, but that doesn't show how to take the shared key. In my case DNS is handled by 3rd-party appliances and from their side they created an A record for my IPA server. Both forward and reverse are working. Is this forwarder a mandatory thing from the DNS side?

Regards,
Ben

On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Actually one of his questions doesn't make sense, because last I checked, normal domain users do not have permissions to create a forest trust. I believe the default is a one-way trust, so maybe his concerns about the bi-directional trust are really a non-issue. If he refuses to type in the admin password in a Linux console session (extreme paranoia?), then perhaps you could give him a link to the tutorial on using a pre-shared key and have him set up the AD side and give you the key. You don't have to be a Windows expert to do this, just ask your domain admin to do the steps for you. Also, you will need to set up a separate DNS zone and some forwarding rules. Otherwise you are going to have problems.

-Mike

-----Original Message-----
From: "Ben .T.George"
Sent: May 23, 2016 10:07 AM
To: Michael ORourke
Cc: freeipa-users
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi,

He is local only, but he is asking so many questions. First of all he is refusing to give the domain admin user's password. The questions he is asking are:

  Is this trust relationship two-directional? If yes, why does IPA require a two-directional trust?
  Can we build this trust one-directional?
  Can we achieve this with a normal domain user?

And he is opposed to entering the password on the command line, and I was going through the trust using a pre-shared key and it's too hard for me to understand as I have no Windows experience.

Regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

A couple of ways to go about this. If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password. You need to assure that the DNS forward/stub zones are set up and working too. If he is remote, you could use some screen-share software and share out your desktop and walk him through the part where he has to type the admin password. There is also a way to create a trust using a pre-shared key. That may be more acceptable to him.

-Mike

-----Original Message-----
From: "Ben .T.George"
Sent: May 23, 2016 8:42 AM
To: freeipa-users
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

My Windows domain admin is not giving the domain admin user password. In this case how can I proceed with ipa trust-add?

Regards,
Ben
Re: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?
Did you try installing PWM on a separate instance, or are you trying to install it on the FreeIPA server? I don't recall any issues with pki-tomcat when I set up PWM (older version), but I installed it on a VM that was joined to FreeIPA.

-Mike

-----Original Message-----
>From: Zak Wolfinger
>Sent: May 23, 2016 1:56 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?
>
>Does anyone have this combo working? I’m running into problems with pki-tomcat and tomcat for pwm conflicting and need some pointers.
>
>Thanks!
Re: [Freeipa-users] What id my AD domain user password not available
Ben,

Yes, that is a requirement. Just creating the A & PTR records for your FreeIPA server is not enough. You will need to keep the DNS zones separate too, example:

  Windows AD Domain:    mydomain.com
  FreeIPA Realm/Domain: subdomain.mydomain.com

You cannot have a cross-forest trust between two domains with the same DNS zone name. So if you have a flat DNS namespace, then you will want to plan accordingly to move all the Linux boxes that will participate in the FreeIPA domain into the new DNS zone.

-Mike

-----Original Message-----
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 23, 2016 10:44 AM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi,

Yeah, that GIF screen I shared with him, but that doesn't show how to take the shared key. In my case DNS is handled by 3rd-party appliances and from their side they created an A record for my IPA server. Both forward and reverse are working. Is this forwarder a mandatory thing from the DNS side?

Regards,
Ben

On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Actually one of his questions doesn't make sense, because last I checked, normal domain users do not have permissions to create a forest trust. I believe the default is a one-way trust, so maybe his concerns about the bi-directional trust are really a non-issue. If he refuses to type in the admin password in a Linux console session (extreme paranoia?), then perhaps you could give him a link to the tutorial on using a pre-shared key and have him set up the AD side and give you the key. You don't have to be a Windows expert to do this, just ask your domain admin to do the steps for you. Also, you will need to set up a separate DNS zone and some forwarding rules. Otherwise you are going to have problems.

-Mike

-----Original Message-----
From: "Ben .T.George"
Sent: May 23, 2016 10:07 AM
To: Michael ORourke
Cc: freeipa-users
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi,

He is local only, but he is asking so many questions. First of all he is refusing to give the domain admin user's password. The questions he is asking are:

  Is this trust relationship two-directional? If yes, why does IPA require a two-directional trust?
  Can we build this trust one-directional?
  Can we achieve this with a normal domain user?

And he is opposed to entering the password on the command line, and I was going through the trust using a pre-shared key and it's too hard for me to understand as I have no Windows experience.

Regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

A couple of ways to go about this. If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password. You need to assure that the DNS forward/stub zones are set up and working too. If he is remote, you could use some screen-share software and share out your desktop and walk him through the part where he has to type the admin password. There is also a way to create a trust using a pre-shared key. That may be more acceptable to him.

-Mike

-----Original Message-----
From: "Ben .T.George"
Sent: May 23, 2016 8:42 AM
To: freeipa-users
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

My Windows domain admin is not giving the domain admin user password. In this case how can I proceed with ipa trust-add?

Regards,
Ben
Re: [Freeipa-users] What id my AD domain user password not available
Actually one of his questions doesn't make sense, because last I checked, normal domain users do not have permissions to create a forest trust. I believe the default is a one-way trust, so maybe his concerns about the bi-directional trust are really a non-issue. If he refuses to type in the admin password in a Linux console session (extreme paranoia?), then perhaps you could give him a link to the tutorial on using a pre-shared key and have him set up the AD side and give you the key. You don't have to be a Windows expert to do this, just ask your domain admin to do the steps for you. Also, you will need to set up a separate DNS zone and some forwarding rules. Otherwise you are going to have problems.

-Mike

-----Original Message-----
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 23, 2016 10:07 AM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi,

He is local only, but he is asking so many questions. First of all he is refusing to give the domain admin user's password. The questions he is asking are:

  Is this trust relationship two-directional? If yes, why does IPA require a two-directional trust?
  Can we build this trust one-directional?
  Can we achieve this with a normal domain user?

And he is opposed to entering the password on the command line, and I was going through the trust using a pre-shared key and it's too hard for me to understand as I have no Windows experience.

Regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

A couple of ways to go about this. If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password. You need to assure that the DNS forward/stub zones are set up and working too. If he is remote, you could use some screen-share software and share out your desktop and walk him through the part where he has to type the admin password. There is also a way to create a trust using a pre-shared key. That may be more acceptable to him.

-Mike

-----Original Message-----
From: "Ben .T.George"
Sent: May 23, 2016 8:42 AM
To: freeipa-users
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

My Windows domain admin is not giving the domain admin user password. In this case how can I proceed with ipa trust-add?

Regards,
Ben
Re: [Freeipa-users] What id my AD domain user password not available
A couple of ways to go about this. If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password. You need to assure that the DNS forward/stub zones are set up and working too. If he is remote, you could use some screen-share software and share out your desktop and walk him through the part where he has to type the admin password. There is also a way to create a trust using a pre-shared key. That may be more acceptable to him.

-Mike

-----Original Message-----
From: "Ben .T.George"
Sent: May 23, 2016 8:42 AM
To: freeipa-users
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

My Windows domain admin is not giving the domain admin user password. In this case how can I proceed with ipa trust-add?

Regards,
Ben
Re: [Freeipa-users] AD users home directory automount
Ben,

First, you will need to create the automount map in FreeIPA. Example of adding automount maps from the CLI on the IPA server:

1). Get TGT for admin user (or equivalent)
    kinit admin

2). Create automount map
    ipa automountmap-add default auto.home

3). Add auto.home to auto.master
    ipa automountkey-add default --key "/home/domain.org" --info auto.home auto.master

4). Add key for user accounts
    ipa automountkey-add default --key "*" --info "-fstype=nfs3,rw filer.domain.org:/exports/home/&" auto.home

    Note: the above command assumes that you have a filer with a FQDN of "filer.domain.org" and NFS exported directory "/exports/home/".

5). Then on the filer, you will need to create directories for each user under /exports/home/ and set the ownership and perms.
    mkdir /exports/home/username
    cp /etc/skel/.* /exports/home/username
    chown -R username:username /exports/home/username
    chmod 770 /exports/home/username

    Note: if you can't log in to the filer and run commands, then you might have to manually mount /exports/home onto a box with the "root nosquash" option turned on so that you can create the directories and permissions manually.

6). On the client machines, turn off the mkhomedir option (this doesn't work with automounted home dirs).
    authconfig --disablemkhomedir --update

7). Create the mount point for the home dir on the client machines.
    mkdir /home/domain.org

8). On the client machines, turn on the automount option.
    ipa-client-automount --location=default

9). On the client machines, make sure the autofs service is enabled and running.
    systemctl enable autofs
    systemctl start autofs

10). Test automount by logging into the client.

That should do it!

-Mike

-----Original Message-----
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 18, 2016 10:03 AM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] AD users home directory automount

Hi,

Thanks for the reply. Actually I don't want to share from my trusted AD. My SAN has CIFS and NFS capability. In this case how can I proceed? Usually while installing the client, I used to give the below options:

  ipa-client-install --server global.ipa.local --domain ipa.local --mkhomedir --fixed-primary

So whenever a user logs in, it creates the home directory automatically under /home/DOMAIN/user.

Regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Yes, because you can point the automount maps to whatever device you want. NFSv4 might be more tricky to set up on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well-supported protocol across SAN vendors and you should not have any problems setting that up. I've used Openfiler on a white-box SAN with home dirs and automount maps, which is working fine for us. I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA? Seems like this would be feasible.

-Mike

-----Original Message-----
From: "Ben .T.George"
Sent: May 18, 2016 7:38 AM
To: freeipa-users
Subject: [Freeipa-users] AD users home directory automount

Hi List,

Is it possible to mount home directories of AD authenticated users from an external source (like a SAN or fileshare)?

Regards,
Ben
Re: [Freeipa-users] How does one authenticate Windows login against IPA
What about using the pGina project on the Windows side? Reference: http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/

-Mike

-----Original Message-----
>From: John Meyers
>Sent: May 18, 2016 5:19 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>
>All,
>
>FreeIPA as we've discovered has some wonderful Windows integration capability, but it is all predicated on Windows AD being the authoritative source of user information. 2-way trusts are great, but they only work for kerberized applications, not native Windows rights (that would require FreeIPA to act as global catalog as I learned from Alexander). The winsync capability does not, as it turns out, sync native IPA users to AD.
>
>The million dollar question is if you are a 90% Linux shop and FreeIPA is your authoritative user repository (AD is a blank slate), how do you perform local Windows login authentication for the 10% of Windows machines against FreeIPA?
>
>Thank you all!
>
>John
Re: [Freeipa-users] AD users home directory automount
Yes, because you can point the automount maps to whatever device you want. NFSv4 might be more tricky to set up on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well-supported protocol across SAN vendors and you should not have any problems setting that up. I've used Openfiler on a white-box SAN with home dirs and automount maps, which is working fine for us. I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA? Seems like this would be feasible.

-Mike

-----Original Message-----
From: "Ben .T.George"
Sent: May 18, 2016 7:38 AM
To: freeipa-users
Subject: [Freeipa-users] AD users home directory automount

Hi List,

Is it possible to mount home directories of AD authenticated users from an external source (like a SAN or fileshare)?

Regards,
Ben
Re: [Freeipa-users] Help needed with keytabs
Roderick,

Here's how we do it. Create a service account user, for example "svc_useradm". Then generate a keytab for the service account, and store it somewhere secure.

  ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab

Now we can leverage the keytab for that user principal. Example:

  [root@infrae2u01 ~]# kdestroy
  [root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_user...@lnx.dr.LOCAL
  [root@infrae2u01 ~]# klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: svc_user...@lnx.dr.LOCAL

  Valid starting     Expires            Service principal
  05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL
  [root@infrae2u01 ~]# ipa ping
  ------------------------------------------
  IPA server version 3.0.0. API version 2.49
  ------------------------------------------

If you need to access the service account, then set up a sudo rule to switch user to that account. Example: "sudo su - svc_useradm"

-Mike

-----Original Message-----
>From: Roderick Johnstone
>Sent: May 5, 2016 12:39 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] Help needed with keytabs
>
>Hi
>
>I need to run some ipa commands in cron jobs.
>
>The post here:
>https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
>suggests I need to use a keytab file to authenticate kerberos.
>
>I've tried the prescription there, with variations, without success.
>
>My current testing framework is to log into the ipa client (RHEL6.7, ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy the current tickets, re-establish a tgt for the user with kinit using the keytab and try to run an ipa command. The ipa command fails (just like in my cron jobs which use the same kinit command).
>
>1) Log into ipa client as user test.
>
>2) Get the keytab
>$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k /home/test/test.keytab -P
>New Principal Password:
>Verify Principal Password:
>Keytab successfully retrieved and stored in: /home/test/test.keytab
>
>I seem to have to reset the password to what it was in this step, otherwise it gets set to something random and the user test cannot log into the ipa client any more.
>
>3) Log into the ipa client as user test. Then
>$ kdestroy
>$ klist
>klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
>
>4) kinit from the keytab:
>$ kinit -F t...@example.com -k -t /home/test/test.keytab
>
>5) Check the tickets
>$ klist
>Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>Default principal: t...@example.com
>
>Valid starting     Expires            Service principal
>05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com
>
>6) Run an ipa command:
>$ ipa ping
>ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml
>
>Can someone advise what I'm doing wrong in this procedure please (some strings were changed to anonymize the setting)?
>
>For completeness of information, the ipa servers are RHEL 7.2, ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>
>Thanks
>
>Roderick Johnstone
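Two points recur in the keytab threads above (Matt's "Distributing user keytabs" and Roderick's "Help needed with keytabs"): every ipa-getkeytab run bumps the KVNO, so an older copy of the keytab silently stops working, and anyone who can read the file can obtain a TGT as that user. The following is an added example, not code from either poster or from FreeIPA/MIT krb5: a minimal parser for the MIT keytab file format (version 0x0502) that reports principal and KVNO without ever returning key material, plus a check that the file is mode 0600 and owned by the calling user. The sample keytab bytes, the principal cron_runner@EXAMPLE.TEST and the dummy keys are constructed for the example.

```python
"""Inspect a Kerberos keytab (principals, KVNOs, permissions) offline."""
import os
import stat
import struct
import tempfile
from typing import Dict, List, Optional

KEYTAB_MAGIC = b"\x05\x02"            # MIT keytab file format version 2
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 enctype number
KRB5_NT_PRINCIPAL = 1                 # name type written by kadmin/ipa-getkeytab


def _counted(buf: bytes, off: int):
    """Read a 16-bit length-prefixed octet string starting at off."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def build_keytab_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int) -> bytes:
    """Serialize one keytab entry (used here only to construct sample data)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)   # 32-bit kvno, appended by modern writers
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> List[Dict]:
    """Return principal, kvno, enctype and timestamp per entry; key bytes are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen               # step over the key without copying it
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
    return entries


def latest_kvno(entries: List[Dict], principal: str) -> Optional[int]:
    """Highest KVNO present for a principal (compare with the KDC's to spot stale copies)."""
    kvnos = [e["kvno"] for e in entries if e["principal"] == principal]
    return max(kvnos) if kvnos else None


def keytab_permission_problems(path: str) -> List[str]:
    """Anyone who can read a keytab can kinit as its principal: require 0600 + own uid."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    if st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not the running user" % st.st_uid)
    return problems


# Constructed sample: two entries for one principal, as left by two successive
# ipa-getkeytab runs (KVNO 2, then 3). Realm and key bytes are placeholders.
SAMPLE_PRINCIPAL = "cron_runner@EXAMPLE.TEST"
SAMPLE_KEYTAB = KEYTAB_MAGIC + b"".join(
    build_keytab_entry(SAMPLE_PRINCIPAL, kvno, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
                       bytes([kvno]) * 32, 1462400000 + kvno)
    for kvno in (2, 3))


def demo() -> Dict:
    """Parse the sample, then run the permission check on a 0644 and a 0600 copy."""
    entries = parse_keytab(SAMPLE_KEYTAB)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ipa_cron_runner.keytab")
        with open(path, "wb") as f:
            f.write(SAMPLE_KEYTAB)
        os.chmod(path, 0o644)
        loose = keytab_permission_problems(path)
        os.chmod(path, 0o600)
        tight = keytab_permission_problems(path)
    return {"principals": sorted({e["principal"] for e in entries}),
            "kvnos": [e["kvno"] for e in entries],
            "latest_kvno": latest_kvno(entries, SAMPLE_PRINCIPAL),
            "problems_loose": loose, "problems_tight": tight}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run against a real file, parse_keytab(open(path, "rb").read()) gives the same view as klist -kt, and the KVNO it reports can be compared with the krbPrincipalKey version on the IPA side before a cron job is blamed for a bad kinit.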
[Freeipa-users] AD Integration - /etc/krb5.conf requirements
I'm just looking for some clarification from the documentation: http://www.freeipa.org/page/Active_Directory_trust_setup

In the section that starts with "Edit /etc/krb5.conf", they mention a manual configuration to the krb5.conf file for machines that will be leveraging AD users:

  [realms]
   IPA_DOMAIN = {
     auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
     auth_to_local = DEFAULT
   }

Is this still required for sssd 1.13.0 and above?

Thanks,
Mike
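The auth_to_local line quoted above is an MIT krb5 RULE: the bracket part formats the principal ($0 is the realm, $1 the first component, and the leading 1 restricts the rule to one-component principals), the parenthesised regex selects which formatted names the rule applies to, and the trailing s/// rewrites the match. The following added example, not from the post or from krb5's own source, reimplements that evaluation so the rule's effect (lower-casing the AD realm so the name matches what SSSD resolves) can be tried offline. AD.EXAMPLE.TEST and IPA.EXAMPLE.TEST are placeholders standing in for the page's AD_DOMAIN and IPA_DOMAIN; only the full RULE:[n:fmt](regex)s/pat/repl/ form and DEFAULT are handled.

```python
"""Evaluate MIT krb5 auth_to_local RULE and DEFAULT entries against principals."""
import re
from typing import List, Optional

# RULE:[n:format](selector)s/pattern/replacement/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/(.*?)/(.*?)/(g?)$")


def _split(principal: str):
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name produced by one RULE, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %s" % rule)
    ncomp, fmt, selector, pattern, repl, gflag = m.groups()
    comps, realm = _split(principal)
    if len(comps) != int(ncomp):      # rule is only for n-component principals
        return None

    def var(mv):                      # $0 -> realm, $1..$n -> components
        i = int(mv.group(1))
        return realm if i == 0 else comps[i - 1]

    formatted = re.sub(r"\$(\d+)", var, fmt)
    if not re.search(selector, formatted):
        return None
    return re.sub(pattern, repl, formatted, count=0 if gflag else 1)


def map_principal(rules: List[str], principal: str, local_realm: str) -> Optional[str]:
    """Walk the auth_to_local list in order, as libkrb5 does; first hit wins."""
    for rule in rules:
        if rule == "DEFAULT":         # single-component principal in the local realm
            comps, realm = _split(principal)
            if realm == local_realm and len(comps) == 1:
                return comps[0]
            continue
        out = apply_rule(rule, principal)
        if out is not None:
            return out
    return None


# Placeholders for the page's AD_DOMAIN / ad_domain / IPA_DOMAIN.
AD_RULE = "RULE:[1:$1@$0](^.*@AD.EXAMPLE.TEST$)s/@AD.EXAMPLE.TEST/@ad.example.test/"
AUTH_TO_LOCAL = [AD_RULE, "DEFAULT"]
LOCAL_REALM = "IPA.EXAMPLE.TEST"

if __name__ == "__main__":
    for p in ("jdoe@AD.EXAMPLE.TEST", "admin@IPA.EXAMPLE.TEST",
              "host/web1.ad.example.test@AD.EXAMPLE.TEST", "jdoe@OTHER.TEST"):
        print(p, "->", map_principal(AUTH_TO_LOCAL, p, LOCAL_REALM))
```

The last two cases show the defensive side of the rule: a two-component (service) principal from AD and a principal from an unrelated realm both map to nothing, so they cannot be mistaken for a local account.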
Re: [Freeipa-users] AD Integration change propagation timing
-----Original Message-----
>From: Michael ORourke <mrorou...@earthlink.net>
>Sent: Apr 8, 2016 11:01 AM
>To: Sumit Bose <sb...@redhat.com>, freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] AD Integration change propagation timing
>
>-----Original Message-----
>>From: Sumit Bose <sb...@redhat.com>
>>Sent: Apr 8, 2016 3:36 AM
>>To: freeipa-users@redhat.com
>>Subject: Re: [Freeipa-users] AD Integration change propagation timing
>>
>>On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote:
>>> I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2. Given a simple scenario of a group in active directory that is mapped to a POSIX group in FreeIPA, if a change is made on the AD side such as adding a user to an AD group, how long should it take on the FreeIPA side before the change would show up? What would the maximum time it could take before the change propagates to a server joined to FreeIPA? What if a user was logged into the server and was waiting on the change (assuming the MS PAC was cached by sssd)? This would be for a simple forest trust with FreeIPA and a medium/small AD environment. Also, assuming that sssd was not restarted and/or the cache flushed.
>>> I'm not looking for exact timing, just some estimates.
>>
>>By default SSSD has a cache timeout of 5400s aka 1.5h, see the entry_cache_timeout and following entries in man sssd.conf for details. In the worst case on a client you have to add the timeout of the client and the server.
>
>Thanks for the response!
>
>Here's another scenario... we would like to leverage HBAC rules for users in AD groups (assigning the rule to a local posix group which maps back to an AD group). So the AD admins would add users to an AD group, which correlates to a particular HBAC rule, which grants user access to the host(s).
>
>Example: AD user tries to login to server joined to IPA, but is denied (missing HBAC group membership), so the user puts in a request to the local AD team which gets approved and that user is added to the appropriate AD group. If the user tries to login to that same server again, it could take up to 1.5h for the cache to expire before the user is allowed to login? Or is it not cached at the server, because the user was not granted access to the server initially? My assumption is that it would only require the Windows client to refresh their Kerberos tkt to get a new PAC. Which is easy enough to test out.
>
>-Mike
>

*UPDATE* I tried testing the scenario above by first clearing the Kerberos tkt on the client, but access was denied. Then I cleared the cache on the target Linux server (sss_cache -E), restarted SSSD, and access was denied. Then I cleared the cache on the IPA server and restarted SSSD: access granted! So I suspect clearing the target server's cache had no impact, but haven't proved that yet.

-Mike

>>
>>If the user logs in the group memberships are updated unconditionally. But this won't affect existing sessions; they will always have the same group memberships as at login time, i.e. the 'id' command will always return the same list of group memberships even if 'id username' from a different session will tell something different. This is a general UNIX/Linux feature and can be seen with local groups managed in /etc/groups as well.
>>
>>Another thing to take care of is the PAC. Since the PAC is part of the Kerberos ticket it won't change as long as the ticket is valid. E.g. if you log in from a Windows client to an IPA client with putty using GSSAPI authentication you get a service ticket for the IPA client which includes the PAC and is stored on the Windows client. If you then change the group memberships of the user in AD and make sure the IPA client sees the new group memberships, e.g. by invalidating the cache on the client and the server, a fresh login with putty might still show the old group memberships again, because the PAC in the valid Kerberos ticket is not refreshed and might force the client to use the group-membership data from the PAC. In this case you have to call 'klist /purge' on the Windows client to remove the tickets to get a fresh PAC.
>>
>>HTH
>>
>>bye,
>>Sumit
>>
>>>
>>> Thanks,
>>> Mike
[Freeipa-users] AD Integration change propagation timing
I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2.

Given a simple scenario of a group in active directory that is mapped to a POSIX group in FreeIPA, if a change is made on the AD side such as adding a user to an AD group, how long should it take on the FreeIPA side before the change would show up? What would the maximum time it could take before the change propagates to a server joined to FreeIPA? What if a user was logged into the server and was waiting on the change (assuming the MS PAC was cached by sssd)?

This would be for a simple forest trust with FreeIPA and a medium/small AD environment. Also, assuming that sssd was not restarted and/or the cache flushed. I'm not looking for exact timing, just some estimates.

Thanks,
Mike
Re: [Freeipa-users] using sudo in ipa
Jeffrey,

You will want to use the Sudo Option "!authenticate".

-Mike

-Original Message-
From: "Armstrong, Jeffrey"
Sent: Apr 1, 2016 1:14 PM
To: "freeipa-users@redhat.com"
Subject: [Freeipa-users] using sudo in ipa

Hi

I would like to know how to configure sudo in the IdM environment. I need to know how to configure sudo access without asking for a password.

Jeffrey Armstrong – Senior ECS Engineer
ECMS – Application Support Team
Office Phone – 770-270-7421
Cell Phone – 404-323-7386
Re: [Freeipa-users] Service Accounts via IPA
What we do is create a non-posix group in FreeIPA and apply a custom password policy, then join the users to that group. Then login as the service account and reset the account's password to some random string. But if you reset it through the UI, it will set the password to expire in 1 hour. Also, you can "disable" the account from the FreeIPA UI or the command line, which appears to work too.

Here is a simple write up of how we setup service accounts in FreeIPA:

1. Login to the FreeIPA UI as a user/admin with privileges to add groups and password policies.

2. First we will add a group. Click on Identity --> User Groups, then Add
   Group name: svc_accounts
   Description: Group used for Service Accounts
   Group Type: Normal
   GID: (this will be blanked out)

3. Next, add a new password policy (because you do NOT want the password on service accounts expiring every 90 days)
   Policy --> Password Policies, then Add
   Group: (select svc_accounts from dropdown box)
   Priority: 1
   Then click "Add and Edit", which will allow you more fields to populate.
   Max lifetime (days): 3650 (which gives you 10 years between password changes)

4. Create a new service user account (we choose to use the prefix "svc_" for any new service accounts)
   Identity --> Users, then Add
   User login: svc_testuser
   First Name: Test
   Last Name: User
   New Password: Foobar1 (easy to remember temp password)
   Verify Password: Foobar1
   Click on "Add and Edit", then click on "User Groups", Add
   Add this user to the "svc_accounts" group.

5. Now login as svc_testuser with temp password "Foobar1".
   Update the password to some long string of random characters (something you can set and forget).
   Logout

6. Create any necessary sudo rules that allow regular users to switch to the svc_testuser account.

7. Disable service account:
   From the FreeIPA UI, Go to Identity --> Users, then click on the svc_testuser user in the list.
   Then use the "select action" dropdown box to "Disable" the user account, click Apply.

8. Done!

-Mike

-Original Message-
From: "Redmond, Stacy"
Sent: Dec 10, 2015 1:24 PM
To: "freeipa-users@redhat.com"
Subject: [Freeipa-users] Service Accounts via IPA

Generally I will lock a service account on linux so that the account cannot login, but users can sudo su – to that user. As I don’t have access to the password field in free ipa, what are my options to set this up as a default for service accounts, or how can I modify individual accounts that need access to a system, but should not be able to login to the system. Any help is appreciated.
Re: [Freeipa-users] FreeIPA, Windows and Kerberos
What about the pGina project? I haven't tried this personally, but it sounds like it might be something that could work with FreeIPA (using the LDAP plugin).

Reference: http://pgina.org/

And this article looks helpful:
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA

Or perhaps doing something with Samba and FreeIPA.

What exactly are you trying to do? When you say, "single sign-on via kerberos", do you have some Linux servers that you want to access from different versions of Windows and you want to be able to authenticate without typing in a password every time (e.g. using PuTTY)?

-Mike

On 10/23/2015 2:51 PM, Randolph Morgan wrote:

We are running a mixed environment network. However, all of our authentication is performed via LDAP, we do not have an AD on our network, nor do we have any Windows servers, all of our servers are running RHEL. We are working on implementing a new authentication server that is running FreeIPA, but would like to do single sign-on via Kerberos. I have been reading posts for the better part of two weeks and can not find instructions that work, on how to get Windows (XP - 10) to authenticate via Kerberos.

Here is a list of some of the sites that I have looked at:
https://support.microsoft.com/en-us/kb/837361
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2573486
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Using_Microsoft_Windows.html (This is an older post but I was getting desperate)
http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step

So here is the problem, when I attempt to set the Realm on the Windows client I receive the following error:

C:\Users\randym>ksetup /setrealm CHEM.BYU.EDU
Setting Dns Domain
Failed to set dns domain info: 0xc022
Failed /SetRealm : 0xc022

I have tried several varieties of this command, including setting the domain instead of the realm and always get the same result. Can someone please put together a step by step process that includes both server side and client side for configuring Kerberos to work with Windows and FreeIPA.

Thank You in advance,
Randy
Re: [Freeipa-users] Kerberos for cronjob
What we do in our environment is create "service users" that are designated for certain tasks. Say you need to run an rsync job every night, after the user is created, you will need to create a keytab. Then copy the keytab file over to the box that the cronjob will run on. Then at the top of the script (which is called from the cronjob), add something like this:

/usr/kerberos/bin/kdestroy
/usr/kerberos/bin/kinit -k -t /home/srv_rsync/srv_rsync.keytab srv_rsync@MYDOMAIN.LOCAL

And you can verify that you have a TGT by using the klist command.

-Mike

-Original Message-
From: Thomas Lau
Sent: Nov 6, 2014 8:20 PM
To: freeipa-users
Subject: [Freeipa-users] Kerberos for cronjob

Hi,

Is it possible to renew ticket once in a while for cronjob to run on certain users? How do you guys run cronjob on Kerberos user without getting ticket expire?

Sent from my BlackBerry 10 smartphone.
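The kdestroy/kinit pair above answers Thomas's question by fetching a brand-new TGT on every run, so nothing has to be renewed between runs. As an added example, not code from this thread, here is the same idea as a small Python wrapper a cron entry can call instead of putting kinit at the top of every script. It adds the two checks a practitioner wants around that kinit: it refuses a keytab that is group- or world-readable (anyone who can read the keytab can obtain a TGT as that user), and it uses a private, per-run KRB5CCNAME so the job neither overwrites nor reuses the service user's interactive ticket cache, destroying the ticket when the job finishes. It assumes MIT Kerberos `kinit` and `kdestroy` on PATH; the keytab path, principal and rsync command in the usage line are placeholders taken from the thread.

```python
#!/usr/bin/env python3
"""Run a cron job under a TGT obtained from a user keytab.

Added example for the thread above, not code from the list. It assumes MIT
Kerberos `kinit` and `kdestroy` are on PATH and that the keytab was produced
with ipa-getkeytab for the service user (the paths and principal in the
usage line are placeholders).
"""
import os
import stat
import subprocess
import sys
import tempfile

def keytab_is_private(path):
    """True when `path` is a regular file with no group/other permission bits.

    Anyone who can read the keytab can kinit as that principal, so a keytab
    that is group- or world-readable is refused rather than used.
    """
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def kinit_argv(keytab, principal):
    """The same `kinit -k -t KEYTAB PRINCIPAL` the thread puts at the top of its script."""
    return ["kinit", "-k", "-t", keytab, principal]

def run_with_ticket(keytab, principal, command):
    """Get a fresh TGT into a private ccache, run `command`, then destroy the ticket.

    Each run obtains a new ticket, so expiry between runs is not a concern;
    a per-run KRB5CCNAME means the job neither clobbers nor inherits the
    service user's interactive ticket cache; kdestroy in `finally` leaves no
    ticket lying around after the job.  Returns the command's exit status.
    """
    if not keytab_is_private(keytab):
        raise PermissionError("%s is readable by group/other; chmod 600 it first" % keytab)
    env = dict(os.environ)
    with tempfile.TemporaryDirectory(prefix="krb5cc_") as tmpdir:   # created mode 0700
        env["KRB5CCNAME"] = "FILE:" + os.path.join(tmpdir, "ccache")
        subprocess.run(kinit_argv(keytab, principal), env=env, check=True)
        try:
            return subprocess.run(command, env=env).returncode
        finally:
            subprocess.run(["kdestroy"], env=env, check=False)

if __name__ == "__main__":
    # usage: krb_cron.py /home/srv_rsync/srv_rsync.keytab srv_rsync@MYDOMAIN.LOCAL rsync -a /src/ /dst/
    if len(sys.argv) < 4:
        sys.exit("usage: %s KEYTAB PRINCIPAL COMMAND [ARGS...]" % sys.argv[0])
    sys.exit(run_with_ticket(sys.argv[1], sys.argv[2], sys.argv[3:]))
```

The permission check runs before kinit is ever called, so a keytab that was copied over with the wrong mode fails loudly in the cron mail rather than silently handing out tickets to every local user.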
Re: [Freeipa-users] Bash script to see if user is enabled or disabled?
I wrote a script to query IPA for accounts with passwords that are about to expire (so I can nag them with an email to reset their password), and I also added logic in my script to ignore accounts that are disabled. So I needed a way to query my IPA server for this info.

I came up with 2 solutions for checking if the account is disabled.

1. Do an LDAP query on the user and check for an attribute called "nsAccountLock". If it is TRUE, then the account is disabled. If it is FALSE or not defined, then the account is enabled.

2. On a box with the IPA CLI tools installed, run the following command, "ipa user-status username". However, if you have several replicated IPA servers, you will see the status of the account on each IPA server along with the account status.

I hope this helps.

-Mike

-Original Message-
From: Chris Whittle
Sent: May 12, 2014 10:31 AM
To: freeipa-users
Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?

I am working on my mac setups and am wanting to ping the server every so often and check to see if their user is enabled or disabled. If Disabled then I will show them the login screen, log them out or something else.. What I need is how to check to see if they are enabled or not through bash... Anyone done something similar?
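Option 1 above (read nsAccountLock over LDAP, treat TRUE as disabled and FALSE or absent as enabled) is the one that works the same against every replica. The following is an added example, not Mike's script: a Python version of his "nag about expiring passwords, skip disabled accounts" logic that works on LDIF text as printed by ldapsearch, using nsAccountLock for the enabled check and krbPasswordExpiration (LDAP GeneralizedTime, UTC) for the expiry date. The search base, realm and the four sample entries are constructed, and the ldapsearch line in the docstring is an assumed invocation, not one from the thread.

```python
#!/usr/bin/env python3
"""Pick out enabled IPA users whose password is about to expire.

Added example for the thread above, not Mike's script. It works on LDIF text
such as ldapsearch prints; the search base, realm and sample entries below
are constructed. An assumed invocation that yields such input:
    ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test \\
        '(objectClass=posixAccount)' uid nsAccountLock krbPasswordExpiration
"""
import base64
from datetime import datetime

# Constructed sample, not a real directory dump.  carol's dn is folded the
# way ldapsearch folds long lines (the continuation line starts with a space).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPasswordExpiration: 20160930120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
nsAccountLock: TRUE
krbPasswordExpiration: 20160927120000Z

dn: uid=carol,cn=users,cn=accounts,
 dc=example,dc=test
uid: carol
nsAccountLock: FALSE
krbPasswordExpiration: 20261001120000Z

dn: uid=svc_backup,cn=users,cn=accounts,dc=example,dc=test
uid: svc_backup
"""

def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry; '::' values are base64-decoded."""
    entries, current = [], {}
    for line in _unfold(text):
        if not line.strip():                       # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries

def is_disabled(entry):
    """nsAccountLock TRUE means disabled; FALSE or absent means enabled (as in the thread)."""
    return entry.get("nsAccountLock", ["FALSE"])[0].upper() == "TRUE"

def password_expires(entry):
    """krbPasswordExpiration is LDAP GeneralizedTime in UTC, e.g. 20160930120000Z."""
    values = entry.get("krbPasswordExpiration")
    return datetime.strptime(values[0], "%Y%m%d%H%M%SZ") if values else None

def expiring_users(ldif_text, now, within_days):
    """(uid, days_left) for enabled users expiring within the window, soonest first.

    Already-expired passwords show up with a negative days_left; disabled
    accounts and entries without an expiration are skipped.  `now` is a
    naive UTC datetime or an ISO 8601 string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    found = []
    for entry in parse_ldif(ldif_text):
        if "uid" not in entry or is_disabled(entry):
            continue
        expires = password_expires(entry)
        if expires is None:
            continue
        days_left = (expires - now).days
        if days_left <= within_days:
            found.append((entry["uid"][0], days_left))
    return sorted(found, key=lambda item: item[1])

if __name__ == "__main__":
    for uid, days in expiring_users(SAMPLE_LDIF, "2016-09-26 00:00:00", 7):
        print("%s: password expires in %d day(s)" % (uid, days))
```

For Chris's per-login check from a Mac, `is_disabled()` on the single entry returned for the logged-in uid is the whole test; the nag-mail loop only adds the expiry arithmetic on top.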
Re: [Freeipa-users] Mail Challenge Password Reset
- Original Message -
From: Dmitri Pal d...@redhat.com
To: freeipa-users@redhat.com
Sent: Wednesday, March 20, 2013 7:29 PM
Subject: Re: [Freeipa-users] Mail Challenge Password Reset

On 03/20/2013 07:23 PM, Michael ORourke wrote:

We have a POC with PWM and a test IPA server running freeIPA v2.2.0. It is working very well and we plan to move it into production soon. I haven't written a how-to, but I have several notes on setting this up. What part of PWM are you having trouble with?

It would be really awesome if you find a moment to write a HOWTO on the subj.

Thanks
Dmitri

Sure! I was planning on doing that anyways. The only piece which I am having some trouble with is the pwm-proxy-user and the pwm-admin user/group ACLs. The documentation has some general guidelines, but it is not LDAP server specific. For production, you obviously don't want the directory admin user as the pwm-proxy-user. Anyways, I'm pretty close to getting that worked out, then I'll have a usable HOWTO that I can share out.

-Mike

- Original Message -
From: John Moyer
To: freeipa-users@redhat.com
Sent: Tuesday, March 19, 2013 4:25 PM
Subject: [Freeipa-users] Mail Challenge Password Reset

Is there a mail challenge 3rd party tool that allows for users to change their own passwords if they don't know their password? Something like PWM for LDAP? https://code.google.com/p/pwm/ I've been looking around and no one seems to have done this yet, but wanted to yield to this group before giving up hope.

Thanks,
John Moyer

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Mail Challenge Password Reset
- Original Message -
From: KodaK sako...@gmail.com
To: Michael ORourke mrorou...@earthlink.net
Cc: freeipa-users@redhat.com
Sent: Wednesday, March 20, 2013 8:35 PM
Subject: Re: [Freeipa-users] Mail Challenge Password Reset

On Wed, Mar 20, 2013 at 6:23 PM, Michael ORourke mrorou...@earthlink.net wrote:

We have a POC with PWM and a test IPA server running freeIPA v2.2.0. It is working very well and we plan to move it into production soon. I haven't written a how-to, but I have several notes on setting this up. What part of PWM are you having trouble with?

It's been a while, but IIRC when a user would request a reset via pwm and then set their password, it would require a further change because changing it through PWM was as-if an admin had done so. Something like that. Like I said, I didn't test that long with it.

Like Dmitri said, if you could share your notes or write up a how-to the community would certainly appreciate it.

Thanks,
--Jason

I am not seeing that behaviour (password requiring a change after user just changed it). I'm using PWM v1.6.4 and freeIPA v2.2.0. Perhaps it only shows up in certain environments.

-Mike
Re: [Freeipa-users] Mail Challenge Password Reset
We have a POC with PWM and a test IPA server running freeIPA v2.2.0. It is working very well and we plan to move it into production soon. I haven't written a how-to, but I have several notes on setting this up. What part of PWM are you having trouble with?

-Mike

- Original Message -
From: John Moyer
To: freeipa-users@redhat.com
Sent: Tuesday, March 19, 2013 4:25 PM
Subject: [Freeipa-users] Mail Challenge Password Reset

Is there a mail challenge 3rd party tool that allows for users to change their own passwords if they don't know their password? Something like PWM for LDAP? https://code.google.com/p/pwm/ I've been looking around and no one seems to have done this yet, but wanted to yield to this group before giving up hope.

Thanks,
John Moyer
Re: [Freeipa-users] Solaris Clients
I'm not sure if this will help (not being a Solaris shop), but when we rolled out IPA in our environment, I had some trouble with ssh and kerberos auth working correctly. As it turned out, the fix was adding reverse lookup records (PTR) in the DNS for all the servers.

-Mike

-Original Message-
From: Luke Kearney l...@kearney.jp
Sent: Mar 13, 2013 4:39 PM
To: Freeipa-users@redhat.com
Subject: [Freeipa-users] Solaris Clients

Hello,

I have recently been working on integrating our solaris 10 fleet with FreeIPA. The first 'test' host went relatively smoothly and we recently created a new test host. Only this time it was more challenging to get the system working. On our original test installation every step went almost exactly as per the documentation [ http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html ]

On the second install we found that whilst we were able to retrieve user account information via LDAP we could not login via ssh and kerberos for any amount of trying. This was overcome by inserting the following line into pam.conf

other account sufficient pam_ldap.so.1

Where it had not been needed on test host1. To the extent it works and doesn't break something else this is all fine. I understand why it works as the information in ldap is needed to open the terminal session, why would one need this stanza but not the other? If anyone can shed any light on this I would be most appreciative.

Thanks
[Freeipa-users] Realm distributed across data centers
We have a single realm distributed across 2 data centers and 2 offices with 4 replicated IPA servers (2 in each data center). We are running IPA server and client v2.2.0 on all servers and replication appears to be functioning correctly.

What I have noticed is that some servers in DC1, have no connectivity to the IPA servers in DC2, and when you try connecting to them from Office1 you sometimes get a long authentication delay. I suspect this is caused by a timeout waiting for an IPA server in DC2 to respond (which it can't).

So I guess my question is, is there a 'best practices' approach to this scenario?