Re: [Freeipa-users] Distributing user keytabs for non-interactive auth question

2016-09-25 Thread Michael ORourke
Matt,

Try the following...

# Get admin TGT
kinit ad...@realm.com

# Get keytab for user account
ipa-getkeytab -s coipa100 -p cron_run...@realm.com -k ipa_cron_runner.keytab

# Clear tickets
kdestroy

# Request TGT using the keytab
kinit -k -t ./ipa_cron_runner.keytab cron_run...@realm.com

# List tickets
klist

I recommend including the username somewhere in the name of the keytab file 
itself which makes it easier to remember.  Of course be careful with the 
permissions on the keytab file, because anyone that has read access to the 
keytab can get a TGT as that user.

-Mike

-Original Message-
>From: Matthew Sellers 
>Sent: Sep 25, 2016 8:37 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] Distributing user keytabs for non-interactive auth
>question
>
>Hi Guys,
>
>What is the best way to distribute a 'user' keytab to distribute
>keytabs to allow 'system users' to run scripts with non-interactive
>auth?  Is it possible to use the ipa-getkeytab feature ( with "-r"
>option ) to request a keytab for a user principal?  I see support for
>HOST and SERVICE keytabs, but nothing specific to user  keytabs?
>
>Concept Example:
>
>ipa-getkeytab -s ipa_server -p cron_run...@realm.com -k ipa_cron.keytab -r
>KRB5_KTNAME=ipa_cron.keytab service.py
>
>Actual Results ( tried with tgt for cron_runner or admin ):
>
>[sysadmin@01 ~]$ ipa-getkeytab -s coipa100 -p cron_run...@realm.com -k ipa_cron.keytab -r
>Failed to parse result: Insufficient access rights
>
>My only other option is grab the keytab and copy it around after
>initial creation ( understanding that each keytab request bumps the
>KVNO ).  My goal is to make password-less authentication for automated
>processes as easy as possible to setup.  ipa-getkeytab seems like it's
>almost there?
>
>Love the work you guys are putting out, it's a really cool system.
>
>Thanks,
>Matt
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] AD integration and transitive trusts

2016-09-07 Thread Michael ORourke
At my company, we are trying to setup a pilot with FreeIPA and we are having some 
issues.  We would like to leverage our corporate AD infrastructure which mainly 
lives in "somedom2.com", and is a member of the "rootdom1.com" forest.  Note the 
different DNS naming between the root domain and the tree.  Our FreeIPA domain 
is lnx.somedom2.com and is joined to rootdom1.com.  If we create users in 
rootdom1.com, we can use those accounts on servers joined to lnx.somedom2.com, 
but user accounts under somedom2.com will not work.  Could this be a transitive 
trust issue?  Is there something unique we need to setup on the linux servers 
under lnx.somedom2.com (sssd.conf or krb5.conf) to allow authentication from 
somedom2.com?

rootdom1.com  (forest root domain)

somedom2.com  (main domain tree, users and groups accounts which need access to 
lnx.somedom2.com)

lnx.somedom2.com  (freeIPA domain, joined to forest rootdom1.com)

-Mike



Re: [Freeipa-users] What id my AD domain user password not available

2016-05-26 Thread Michael ORourke
That looks good.  I see you are using an external DNS source for the IPA domain, correct?  You may need to do some additional steps on the FreeIPA server, because by default it will configure BIND and populate resource records for the IPA domain (for example, SRV records like _ldap_._tcp.kw.example.com).  I'm not familiar with setting up FreeIPA with an external DNS, but I'm sure there are some instructions out there.

-Mike

-Original Message-
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 23, 2016 2:22 PM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

in my case i have 2 domains

AD DNS : corp.example.kw.com
main DNS ( from appliance) : kw.example.com

and all the linux box are pointed to kw.example.com so i put my IPA server hostname as : ipa.kw.example.com and created A & PTR on kw.example.com

is that the correct way?

Regards,
Ben

On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Ben,

Yes, that is a requirement.  Just creating the A & PTR records for your FreeIPA server is not enough.  You will need to keep the DNS zones separate too, example:

Windows AD Domain: mydomain.com
FreeIPA Realm/Domain: subdomain.mydomain.com

You cannot have a cross-forest trust between two domains with the same DNS zone name.  So if you have a flat DNS namespace, then you will want to plan accordingly to move all the linux boxes that will participate in the FreeIPA domain into the new DNS zone.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 10:44 AM
To: Michael ORourke 
Cc: freeipa-users 
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

yea that GIF screen i shared with him. but that doesn't show how to take shared key.

In my case DNS is handled by 3rd party appliances and from their side they created A record for my IPA server. both forward and reverse is working

is this forwarder is mandatory thing from DNS side?

Regards,
ben

On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Actually one of his questions doesn't make sense, because last I checked, normal domain users do not have permissions to create a forest trust.

I believe the default is a one-way trust, so maybe his concerns about the bi-directional trust is really a non-issue.

If he refuses to type in the admin password in a linux console session (extreme paranoia?), then perhaps you could give him a link to the tutorial on using a pre-shared key and have him setup the AD side and give you the key.  You don't have to be a Windows expert to do this, just ask your domain admin to do the steps for you.  Also, you will need to setup a separate DNS zone and some forwarding rules.  Otherwise you are going to have problems.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 10:07 AM
To: Michael ORourke 
Cc: freeipa-users 
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

He is local only but he is asking so many questions.

first of all he is refusing to give domain admin users password.

questions he is asking is:

Is this trust relationship is two directional? If yes, why IPA require two directional trust?
can we build this trust one directional?
can we achieve this with normal domain user?

and he is opposing to enter password in command line and i was going through the trust using a pre-shared key and its too hard for me to understand as i have no windows experience

regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

A couple of ways to go about this.  If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password.  You need to assure that the DNS forward/stub zones are setup and working too.  If he is remote, you could use some screen share software and share out your desktop and walk him through the part where he has to type the admin password.  There is also a way to create a trust using a pre-shared key.  That may be more acceptable to him.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 8:42 AM
To: freeipa-users 
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

my Windows domain Admin is not giving domain admin user password.

in this case how can i proceed ipa trust-add

regards,
Ben



Re: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?

2016-05-26 Thread Michael ORourke
Did you try installing PWM on a separate instance, or are you trying to install 
it on the FreeIPA server?  I don't recall any issues with pki-tomcat when I 
setup PWM (older version), but I installed it on a VM that was joined to 
FreeIPA.

-Mike


-Original Message-
>From: Zak Wolfinger 
>Sent: May 23, 2016 1:56 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?
>
>Does anyone have this combo working?  I’m running into problems with 
>pki-tomcat and tomcat for pwm conflicting and need some pointers.
>
>Thanks!



Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Michael ORourke
Ben,

Yes, that is a requirement.  Just creating the A & PTR records for your FreeIPA server is not enough.  You will need to keep the DNS zones separate too, example:

Windows AD Domain: mydomain.com
FreeIPA Realm/Domain: subdomain.mydomain.com

You cannot have a cross-forest trust between two domains with the same DNS zone name.  So if you have a flat DNS namespace, then you will want to plan accordingly to move all the linux boxes that will participate in the FreeIPA domain into the new DNS zone.

-Mike

-Original Message-
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 23, 2016 10:44 AM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

yea that GIF screen i shared with him. but that doesn't show how to take shared key.

In my case DNS is handled by 3rd party appliances and from their side they created A record for my IPA server. both forward and reverse is working

is this forwarder is mandatory thing from DNS side?

Regards,
ben

On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Actually one of his questions doesn't make sense, because last I checked, normal domain users do not have permissions to create a forest trust.

I believe the default is a one-way trust, so maybe his concerns about the bi-directional trust is really a non-issue.

If he refuses to type in the admin password in a linux console session (extreme paranoia?), then perhaps you could give him a link to the tutorial on using a pre-shared key and have him setup the AD side and give you the key.  You don't have to be a Windows expert to do this, just ask your domain admin to do the steps for you.  Also, you will need to setup a separate DNS zone and some forwarding rules.  Otherwise you are going to have problems.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 10:07 AM
To: Michael ORourke 
Cc: freeipa-users 
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

He is local only but he is asking so many questions.

first of all he is refusing to give domain admin users password.

questions he is asking is:

Is this trust relationship is two directional? If yes, why IPA require two directional trust?
can we build this trust one directional?
can we achieve this with normal domain user?

and he is opposing to enter password in command line and i was going through the trust using a pre-shared key and its too hard for me to understand as i have no windows experience

regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

A couple of ways to go about this.  If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password.  You need to assure that the DNS forward/stub zones are setup and working too.  If he is remote, you could use some screen share software and share out your desktop and walk him through the part where he has to type the admin password.  There is also a way to create a trust using a pre-shared key.  That may be more acceptable to him.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 8:42 AM
To: freeipa-users 
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

my Windows domain Admin is not giving domain admin user password.

in this case how can i proceed ipa trust-add

regards,
Ben



Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Michael ORourke
Actually one of his questions doesn't make sense, because last I checked, normal domain users do not have permissions to create a forest trust.

I believe the default is a one-way trust, so maybe his concerns about the bi-directional trust is really a non-issue.

If he refuses to type in the admin password in a linux console session (extreme paranoia?), then perhaps you could give him a link to the tutorial on using a pre-shared key and have him setup the AD side and give you the key.  You don't have to be a Windows expert to do this, just ask your domain admin to do the steps for you.  Also, you will need to setup a separate DNS zone and some forwarding rules.  Otherwise you are going to have problems.

-Mike

-Original Message-
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 23, 2016 10:07 AM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

He is local only but he is asking so many questions.

first of all he is refusing to give domain admin users password.

questions he is asking is:

Is this trust relationship is two directional? If yes, why IPA require two directional trust?
can we build this trust one directional?
can we achieve this with normal domain user?

and he is opposing to enter password in command line and i was going through the trust using a pre-shared key and its too hard for me to understand as i have no windows experience

regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

A couple of ways to go about this.  If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password.  You need to assure that the DNS forward/stub zones are setup and working too.  If he is remote, you could use some screen share software and share out your desktop and walk him through the part where he has to type the admin password.  There is also a way to create a trust using a pre-shared key.  That may be more acceptable to him.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 8:42 AM
To: freeipa-users 
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

my Windows domain Admin is not giving domain admin user password.

in this case how can i proceed ipa trust-add

regards,
Ben



Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Michael ORourke
A couple of ways to go about this.  If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password.  You need to assure that the DNS forward/stub zones are setup and working too.  If he is remote, you could use some screen share software and share out your desktop and walk him through the part where he has to type the admin password.  There is also a way to create a trust using a pre-shared key.  That may be more acceptable to him.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 8:42 AM
To: freeipa-users 
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

my Windows domain Admin is not giving domain admin user password.

in this case how can i proceed ipa trust-add

regards,
Ben



Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Michael ORourke
Ben,

First, you will need to create the automount map in FreeIPA.

Example of adding automount maps from the CLI on the IPA server:

1). Get TGT for admin user (or equivalent)
kinit admin

2). Create automount map
ipa automountmap-add default auto.home

3). Add auto.home to auto.master
ipa automountkey-add default --key "/home/domain.org" --info auto.home auto.master

4). Add key for user accounts
ipa automountkey-add default --key "*" --info "-fstype=nfs3,rw filer.domain.org:/exports/home/&" auto.home

Note: the above command assumes that you have a filer with a FQDN of "filer.domain.org" and NFS exported directory "/exports/home/".

5). Then on the filer, you will need to create directories for each user under /exports/home/ and set the ownership and perms.
mkdir /exports/home/username
cp /etc/skel/.* /exports/home/username
chown -R username:username /exports/home/username
chmod 770 /exports/home/username

Note: if you can't login to the filer and run commands, then you might have to manually mount the /exports/home onto a box with "root nosquash" option turned on so that you can create the directories and permissions manually.

6). On the client machines, turn off the mkhomedir option (this doesn't work with automounted home dirs).
authconfig --disablemkhomedir --update

7). Create mount point for home dir on client machines.
mkdir /home/domain.org

8). On the client machines, turn on the automount option.
ipa-client-automount --location=default

9). On the client machines, make sure the autofs service is enabled and running.
systemctl enable autofs
systemctl start autofs

10). Test automount by logging into the client.

That should do it!

-Mike

-Original Message-
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 18, 2016 10:03 AM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] AD users home directory automount

Hi,

Thanks for the reply.

actually i don't want to share from my Trusted AD. My san has cifs and NFS capability.

in this case how can i proceed? usually while installing client, i used to give below options

ipa-client-install --server global.ipa.local  --domain ipa.local --mkhomedir --fixed-primary

so whenever user logged in, it creates home directory automatically under /home/DOMAIN/user.

regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Yes, because you can point the automount maps to whatever device you want.  NFSv4 might be more tricky to setup on a SAN device and may or may not work depending on the software/firmware of the device.  NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setting that up.  I've used Openfiler on a white-box SAN with home dirs and automount maps which is working fine for us.

I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA?  Seems like this would be feasible.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 18, 2016 7:38 AM
To: freeipa-users 
Subject: [Freeipa-users] AD users home directory automount

Hi List,

Is it possible to mount home directories of AD authenticated users from external source (like san or fileshare)

Regards,
Ben



Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread Michael ORourke
What about using the pGina project on the Windows side?

Reference:
http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/

-Mike

-Original Message-
>From: John Meyers 
>Sent: May 18, 2016 5:19 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>
>All,
>
>FreeIPA as we've discovered has some wonderful Windows integration
>capability, but it is all predicated on Windows AD being the
>authoritative source of user information.  2-Way trusts are great, but
>they only work for kerberotized applications, not native Windows rights
>(that would require FreeIPA to act as global catalog as I learned from
>Alexander).  The winsync capability does not, as it turns out, sync
>native IPA users to AD.
>
>The million dollar question is if you are 90% Linux shop and FreeIPA is
>your authoritative user repository (AD is a blank slate), how do you
>perform local Windows login authentication for the 10% of Windows
>machines against FreeIPA?
>
>Thank you all!
>
>John
>
>


Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Michael ORourke
Yes, because you can point the automount maps to whatever device you want.  NFSv4 might be more tricky to setup on a SAN device and may or may not work depending on the software/firmware of the device.  NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setting that up.  I've used Openfiler on a white-box SAN with home dirs and automount maps which is working fine for us.

I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA?  Seems like this would be feasible.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 18, 2016 7:38 AM
To: freeipa-users 
Subject: [Freeipa-users] AD users home directory automount

Hi List,

Is it possible to mount home directories of AD authenticated users from external source (like san or fileshare)

Regards,
Ben



Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Michael ORourke

Roderick,

Here's how we do it.  
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab

Now we can leverage the keytab for that user principal.
Example:
[root@infrae2u01 ~]# kdestroy

[root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_user...@lnx.dr.LOCAL

[root@infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_user...@lnx.dr.LOCAL

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL

[root@infrae2u01 ~]# ipa ping
--
IPA server version 3.0.0. API version 2.49
--

If you need to access the service account, then setup a sudo rule to switch 
user to that account.
Example: "sudo su - svc_useradm"

-Mike

-Original Message-
>From: Roderick Johnstone 
>Sent: May 5, 2016 12:39 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] Help needed with keytabs
>
>Hi
>
>I need to run some ipa commands in cron jobs.
>
>The post here: 
>https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html 
>suggests I need to use a keytab file to authenticate kerberos.
>
>I've tried the prescription there, with variations, without success.
>
>My current testing framework is to log into the ipa client (RHEL6.7, 
>ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, 
>destroy the current tickets, re-establish a tgt for the user with kinit 
>using the keytab and try to run an ipa command. The ipa command fails 
>(just like in my cron jobs which use the same kinit command).
>
>1) Log into ipa client as user test.
>
>2) Get the keytab
>$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k 
>/home/test/test.keytab -P
>New Principal Password:
>Verify Principal Password:
>Keytab successfully retrieved and stored in: /home/test/test.keytab
>
>I seem to have to reset the password to what it was in this step, 
>otherwise it gets set to something random and the user test cannot log 
>into the ipa client any more.
>
>3) Log into the ipa client as user test. Then
>$ kdestroy
>$ klist
>klist: No credentials cache found (ticket cache 
>FILE:/tmp/krb5cc_3395_PWO4wH)
>
>4) kinit from the keytab:
>$ kinit -F t...@example.com -k -t /home/test/test.keytab
>
>5) Check the tickets
>$ klist
>Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>Default principal: t...@example.com
>
>Valid starting     Expires            Service principal
>05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com
>
>6) Run an ipa command:
>$ ipa ping
>ipa: ERROR: cannot connect to Gettext('any of the configured servers', 
>domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, 
>https://ipa2.example.com/ipa/xml
>
>Can someone advise what I'm doing wrong in this procedure please (some 
>strings were changed to anonymize the setting)?
>
>For completeness of information, the ipa servers are RHEL 7.2, 
>ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>
>Thanks
>
>Roderick Johnstone
>
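Both keytab threads on this page (this one and the "Distributing user keytabs" post at the top) come down to the same sequence: kinit -k -t with the service account's keytab, run the job, kdestroy. The wrapper below is an added example, not code from either post or from FreeIPA; it refuses a keytab that anyone besides its owner can read (the risk Mike points out), gives the job its own credential cache so a cron run never overwrites an interactive user's tickets, and cleans up afterwards. The principal, keytab path and command shown are placeholders.

```sh
#!/bin/sh
# Added example, not code from the list posts or from FreeIPA.
# Wraps the sequence the thread describes (kinit -k -t KEYTAB PRINCIPAL,
# run the job, kdestroy) for use from cron. Principal, keytab path and the
# command are placeholders chosen for illustration.

# keytab_is_private FILE
# Succeeds only if FILE is a regular file with no group/other permission
# bits set (mode 0600 or 0400). Anyone who can read the keytab can obtain a
# TGT as that user, so a looser mode is refused outright.
keytab_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # columns 5-10 of `ls -l` output are the group and other rwx bits
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# run_as_service_user PRINCIPAL KEYTAB COMMAND [ARGS...]
# Obtains a TGT from KEYTAB into a private, per-run credential cache, runs
# COMMAND with that cache, then destroys the cache and restores the caller's
# KRB5CCNAME. A private cache keeps the job from overwriting (or leaving
# tickets in) an interactive user's default cache such as /tmp/krb5cc_0.
# Return codes: 2 = keytab permissions refused, 3 = cache or kinit failure,
# otherwise the exit status of COMMAND.
run_as_service_user() {
    principal=$1
    keytab=$2
    shift 2

    keytab_is_private "$keytab" || {
        echo "refusing $keytab: keytab must be a regular file with mode 0600 or 0400" >&2
        return 2
    }

    cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_job.XXXXXX") || return 3
    saved_cc=${KRB5CCNAME-}
    KRB5CCNAME="FILE:$cache"
    export KRB5CCNAME

    rc=3
    if kinit -k -t "$keytab" "$principal"; then
        "$@"
        rc=$?
        # kdestroy removes the cache file; the rm below covers the case where it did not
        kdestroy >/dev/null 2>&1
    fi
    rm -f "$cache"

    if [ -n "$saved_cc" ]; then
        KRB5CCNAME=$saved_cc
    else
        unset KRB5CCNAME
    fi
    return "$rc"
}

# Example invocation with placeholder values (run from the cron user's crontab):
#   run_as_service_user cron_runner@REALM.EXAMPLE /etc/cron_runner.keytab ipa ping
```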


[Freeipa-users] AD Integration - /etc/krb5.conf requirements

2016-04-28 Thread Michael ORourke
I'm just looking for some clarification from the documentation:
http://www.freeipa.org/page/Active_Directory_trust_setup

In the section that starts with "Edit /etc/krb5.conf", they mention a manual 
configuration to the krb5.conf file for machines that will be leveraging AD 
users:
[realms]
IPA_DOMAIN = {

  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
  auth_to_local = DEFAULT
}

Is this still required for sssd 1.13.0 and above?

Thanks,
Mike



Re: [Freeipa-users] AD Integration change propagation timing

2016-04-08 Thread Michael ORourke



-Original Message-
>From: Michael ORourke <mrorou...@earthlink.net>
>Sent: Apr 8, 2016 11:01 AM
>To: Sumit Bose <sb...@redhat.com>, freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] AD Integration change propagation timing
>
>-Original Message-
>>From: Sumit Bose <sb...@redhat.com>
>>Sent: Apr 8, 2016 3:36 AM
>>To: freeipa-users@redhat.com
>>Subject: Re: [Freeipa-users] AD Integration change propagation timing
>>
>>On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote:
>>> I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa
>>> 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2.
>>> Given a simple scenario of a group in active directory that is mapped to a
>>> POSIX group in FreeIPA, if a change is made on the AD side such as adding a
>>> user to an AD group, how long should it take on the FreeIPA side before the
>>> change would show up?  What would the maximum time it could take before the
>>> change propagates to a server joined to FreeIPA?  What if a user was logged
>>> into the server and was waiting on the change (assuming the MS PAC was
>>> cached by sssd)?  This would be for a simple forest trust with FreeIPA and a
>>> medium/small AD environment.  Also, assuming that sssd was not restarted
>>> and/or the cache flushed.
>>> I'm not looking for exact timing, just some estimates.
>>
>>By default SSSD has a cache timeout of 5400s aka 1.5h, see then
>>entry_cache_timeout and following entries in man sssd.conf for details.
>>In the worst case on a client you have to add the timeout of the client
>>and the server.
>
>Thanks for the response!
>
>Here's another scenario... we would like to leverage HBAC rules for users in 
>AD groups (assigning the rule to a local posix group which maps back to an AD 
>group).  So the AD admins would add users to an AD group, which correlates to 
>a particular HBAC rule, which grants user access to the host(s).   
>
>Example: AD user tries to login to server joined to IPA, but is denied 
>(missing HBAC group membership), so the user puts in a request to the local AD 
>team which gets approved and that user is added to the appropriate AD group.  
>If the user tries to login to that same server again, it could take up to 1.5h 
>for the cache to expire before the user is allowed to login?
>Or is it not cached at the server, because the user was not granted access to 
>the server initially?  My assumption is that it would only require the Windows 
>client to refresh their Kerberos tkt to get a new PAC.  Which is easy enough 
>to test out.
>
>-Mike
>

*UPDATE*

I tried testing the scenario above by first clearing the Kerberos tkt on the 
client, but access was denied.  Then I cleared the cache on the target linux 
server, sss_cache -E, restarted SSSD, and access was denied.  Then I cleared 
cache on the IPA server, and restarted SSSD, access granted!  So I suspect 
clearing the target server's cache had no impact, but haven't proved that yet. 

-Mike 



>>
>>If the user logs in the group memberships are updated unconditionally.
>>But this won't effect existing session they will always have the same
>>group memberships as at login time, i.e. the 'id' command will always
>>return the same list of group-memberships even if 'id username' from a
>>different session will tell something different. This is a general
>>UNIX/Linux feature and can be seen with local groups managed in
>>/etc/groups as well.
>>
>>Another thing to take care of is the PAC. Since the PAC is part of the
>>Kerberos ticket it won't change as long as the ticket is valid. E.g. if
>>you log in from a Windows client to an IPA client with putty using GSSAPI
>>authentication you get a service ticket for the IPA client which
>>includes the PAC and is stored on the Windows client. If you then change
>>the group memberships of the user in AD and make sure the IPA client
>>sees the new group memberships, e.g. by invalidating the cache on the
>>client and the server, a fresh login with putty might still show the old
>>group memberships again, because the PAC in the valid Kerberos ticket is
>>not refreshed and might force the client to use the group-membership
>>data from the PAC. In this case you have to call 'klist /purge' on the
>>Windows client to remove the tickets to get a fresh PAC.
>>
>>HTH
>>
>>bye,
>>Sumit
>>
>>> 
>>> Thanks,
>>> Mike
>>> 



[Freeipa-users] AD Integration change propagation timing

2016-04-07 Thread Michael ORourke
I have a question regarding AD Integration with FreeIPA (CentOS 
7.1/freeipa 4.2.0) and Windows Server 2008 R2 with a Functional Level 
forest of 2008 R2.  Given a simple scenario of a group in Active 
Directory that is mapped to a POSIX group in FreeIPA, if a change is 
made on the AD side such as adding a user to an AD group, how long 
should it take on the FreeIPA side before the change would show up?  
What would be the maximum time it could take before the change propagates 
to a server joined to FreeIPA?  What if a user was logged into the 
server and was waiting on the change (assuming the MS PAC was cached by 
sssd)?  This would be for a simple forest trust with FreeIPA and a 
medium/small AD environment.  Also, assume that sssd was not restarted 
and/or the cache flushed.

I'm not looking for exact timing, just some estimates.

Thanks,
Mike



Re: [Freeipa-users] using sudo in ipa

2016-04-01 Thread Michael ORourke
Jeffrey,

You will want to use the Sudo Option "!authenticate".

-Mike

-Original Message-
From: "Armstrong, Jeffrey" 
Sent: Apr 1, 2016 1:14 PM
To: "freeipa-users@redhat.com" 
Subject: [Freeipa-users] using sudo in ipa

Hi 
 
I would like to know how to configure sudo in the IdM environment. I need to know how to configure sudo access without asking for a password.
 
Jeffrey Armstrong –Senior ECS Engineer
ECMS – Application Support Team
Office Phone – 770-270-7421
Cell Phone – 404-323-7386


Re: [Freeipa-users] Service Accounts via IPA

2015-12-13 Thread Michael ORourke
What we do is create a non-POSIX group in FreeIPA and apply a custom password policy, then join the users to that group.  Then login as the service account and reset the account's password to some random string.  But if you reset it through the UI, it will set the password to expire in 1 hour.  Also, you can "disable" the account from the FreeIPA UI or the command line, which appears to work too.  Here is a simple write up of how we set up service accounts in FreeIPA:

1. Login to the FreeIPA UI as a user/admin with privileges to add groups and password policies.

2. First we will add a group. Click on Identity --> User Groups, then Add
   Group name: svc_accounts
   Description: Group used for Service Accounts
   Group Type: Normal
   GID: (this will be blanked out)

3. Next, add a new password policy (because you do NOT want the password on service accounts expiring every 90 days)
   Policy --> Password Policies, then Add
   Group: (select svc_accounts from dropdown box)
   Priority: 1
   Then click "Add and Edit", which will allow you more fields to populate.
   Max lifetime (days): 3650  (which gives you 10 years between password changes)

4. Create a new service user account (we choose to use the prefix "svc_" for any new service accounts)
   Identity --> Users, then Add
   User login: svc_testuser
   First Name: Test
   Last Name: User
   New Password: Foobar1  (easy to remember temp password)
   Verify Password: Foobar1
   Click on "Add and Edit", then click on "User Groups", Add
   Add this user to the "svc_accounts" group.

5. Now login as svc_testuser with temp password "Foobar1".
   Update the password to some long string of random characters (something you can set and forget).
   Logout

6. Create any necessary sudo rules that allow regular users to switch to the svc_testuser account.

7. Disable service account:
   From the FreeIPA UI, go to Identity --> Users, then click on the svc_testuser user in the list.
   Then use the "select action" dropdown box to "Disable" the user account, click Apply.

8. Done!

-Mike

-Original Message-
From: "Redmond, Stacy" 
Sent: Dec 10, 2015 1:24 PM
To: "freeipa-users@redhat.com" 
Subject: [Freeipa-users] Service Accounts via IPA

Generally I will lock a service account on linux so that the account cannot login, but users can sudo su - to that user.  As I don't have access to the password field in free ipa, what are my options to set this up as a default for service accounts, or how can I modify individual accounts that need access to a system, but should not be able to login to the system.  Any help is appreciated.

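The seven UI steps above done with the ipa command line, as an added example that is not from the original post: it also covers the sudo rule from step 6 with the Sudo Option "!authenticate" mentioned in the earlier "using sudo in ipa" reply. It assumes the ipa client tools and an admin TGT (kinit admin); svc_accounts, svc_testuser, the admins user group and the webservers hostgroup are placeholders.

```shell
#!/bin/sh
# Added example (not from the original posts): the service-account procedure
# above done with the ipa CLI instead of the web UI, plus the step-6 sudo rule
# carrying the "!authenticate" option. Run with an admin TGT (kinit admin).
# All names (svc_accounts, svc_testuser, admins, webservers) are placeholders.
set -u

# gen_password LEN: random alphanumeric string for the "set and forget" password.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# ensure_svc_group: the non-POSIX group plus a 10-year max-lifetime policy (steps 2-3).
ensure_svc_group() {
    ipa group-show svc_accounts >/dev/null 2>&1 ||
        ipa group-add svc_accounts --nonposix --desc='Group used for Service Accounts'
    ipa pwpolicy-show svc_accounts >/dev/null 2>&1 ||
        ipa pwpolicy-add svc_accounts --priority=1 --maxlife=3650
}

# create_service_account LOGIN FIRST LAST: step 4. A password set by an admin
# is expired on creation, so the account must change it on first kinit (step 5);
# the temporary value is printed once for hand-over. ipa prompts for the
# password twice, hence two lines on stdin.
create_service_account() {
    login=$1; first=$2; last=$3
    tmp=$(gen_password 16)
    printf '%s\n%s\n' "$tmp" "$tmp" |
        ipa user-add "$login" --first="$first" --last="$last" --password
    ipa group-add-member svc_accounts --users="$login"
    printf 'temporary password for %s: %s\n' "$login" "$tmp"
}

# allow_su_to LOGIN USERGROUP HOSTGROUP: step 6, a sudo rule letting USERGROUP
# run "su - LOGIN" on HOSTGROUP without re-entering their own password.
allow_su_to() {
    login=$1; who=$2; where=$3
    rule="su_to_$login"; cmd="/bin/su - $login"
    ipa sudocmd-show "$cmd" >/dev/null 2>&1 || ipa sudocmd-add "$cmd" --desc="switch to $login"
    ipa sudorule-add "$rule" --desc="let $who become $login"
    ipa sudorule-add-user "$rule" --groups="$who"
    ipa sudorule-add-host "$rule" --hostgroups="$where"
    ipa sudorule-add-runasuser "$rule" --users="$login"
    ipa sudorule-add-allow-command "$rule" --sudocmds="$cmd"
    ipa sudorule-add-option "$rule" --sudooption='!authenticate'
}

# lock_service_account LOGIN: step 7, once the owner has changed the password.
lock_service_account() {
    ipa user-disable "$1"
}

if [ -n "${SVC_MAIN:-}" ]; then
    ensure_svc_group
    create_service_account svc_testuser Test User
    allow_su_to svc_testuser admins webservers
    # Step 5 is done by whoever owns the account: "kinit svc_testuser" asks for
    # the temporary password and then for a new one, because it is expired.
    # Afterwards: lock_service_account svc_testuser
fi
```

Run with SVC_MAIN=1 to apply; the rule is scoped to one hostgroup and one command so that "!authenticate" does not silently become a password-less sudo for everything.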

Re: [Freeipa-users] FreeIPA, Windows and Kerberos

2015-10-23 Thread Michael ORourke
What about the pGina project?  I haven't tried this personally, but it 
sounds like it might be something that could work with FreeIPA (using 
the LDAP plugin).

Reference: http://pgina.org/
And this article looks helpful:
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
Or perhaps doing something with Samba and FreeIPA.

What exactly are you trying to do?  When you say, "single sign-on via 
kerberos", do you have some Linux servers that you want to access from 
different versions of Windows and you want to be able to authenticate 
without typing in a password every time (e.g. using PuTTY)?


-Mike

On 10/23/2015 2:51 PM, Randolph Morgan wrote:
We are running a mixed environment network.  However, all of our 
authentication is performed via LDAP, we do not have an AD on our 
network, nor do we have any Windows servers, all of our servers are 
running RHEL.  We are working on implementing a new authentication 
server that is running FreeIPA, but would like to do single sign-on 
via Kerberos.  I have been reading posts for the better part of two 
weeks and can not find instructions that work, on how to get Windows 
(XP - 10) to authenticate via Kerberos. Here is a list of some of the 
sites that I have looked at:


https://support.microsoft.com/en-us/kb/837361
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2573486 


http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Using_Microsoft_Windows.html 
(This is an older post but I was getting desperate)
http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step 



So here is the problem, when I attempt to set the Realm on the Windows 
client I receive the following error:


C:\Users\randym>ksetup /setrealm CHEM.BYU.EDU
Setting Dns Domain
Failed to set dns domain info: 0xc022
Failed /SetRealm : 0xc022

I have tried several varieties of this command, including setting the 
domain instead of the realm and always get the same result. Can 
someone please put together a step by step process that includes both 
server side and client side for configuring Kerberos to work with 
Windows and FreeIPA.


Thank You in advance,

Randy





Re: [Freeipa-users] Kerberos for cronjob

2014-11-07 Thread Michael ORourke
What we do in our environment is create "service users" that are designated for certain tasks. Say you need to run an rsync job every night: after the user is created, you will need to create a keytab. Then copy the keytab file over to the box that the cronjob will run on. Then at the top of the script (which is called from the cronjob), add something like this:

/usr/kerberos/bin/kdestroy
/usr/kerberos/bin/kinit -k -t /home/srv_rsync/srv_rsync.keytab srv_rsync@MYDOMAIN.LOCAL

And you can verify that you have a TGT by using the klist command.

-Mike

-Original Message-
From: Thomas Lau 
Sent: Nov 6, 2014 8:20 PM
To: freeipa-users 
Subject: [Freeipa-users] Kerberos for cronjob

Hi,

Is it possible to renew the ticket once in a while for a cronjob to run on certain users? How do you guys run cronjobs as a Kerberos user without the ticket expiring?

Sent from my BlackBerry 10 smartphone.

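The keytab-driven kinit from the reply above, as an added example that is not part of the original post: a POSIX sh wrapper a cron job can call that refuses a group- or world-readable keytab (anyone who can read it can become that principal), obtains the TGT into a job-private credential cache rather than the account's default one, verifies it with klist -s, runs the job, and destroys the cache afterwards. It assumes MIT Kerberos client tools on PATH; the keytab path, principal and rsync command are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): run a cron job under a FreeIPA
# service user's keytab in a private credential cache.
# Assumptions: MIT Kerberos client tools (kinit, klist, kdestroy) are on PATH;
# the keytab path, principal and job command below are placeholders.

# keytab_mode_ok FILE: succeed only if FILE is a regular file with mode 0600
# (no group/other access). Anyone who can read the keytab is that principal.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# keytab_owner_ok FILE: succeed only if FILE is owned by the invoking user.
keytab_owner_ok() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ]
}

# run_with_tgt KEYTAB PRINCIPAL CMD...: obtain a TGT into a job-private cache,
# verify it, run CMD, then destroy the cache whatever CMD's exit status was.
# Exit codes: 2 = keytab refused, 3 = no ticket, otherwise CMD's own status.
run_with_tgt() {
    keytab=$1; princ=$2; shift 2
    keytab_mode_ok "$keytab" || { echo "refusing: $keytab must be mode 0600" >&2; return 2; }
    keytab_owner_ok "$keytab" || { echo "refusing: $keytab not owned by $(id -un)" >&2; return 2; }
    # A private cache keeps the job from clobbering (or kdestroy-ing) tickets
    # of an interactive session running as the same account.
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_job.XXXXXX)"; export KRB5CCNAME
    kinit -k -t "$keytab" "$princ" || { rm -f "${KRB5CCNAME#FILE:}"; return 3; }
    klist -s || { kdestroy; return 3; }   # -s: silent check that a valid TGT exists
    "$@"; rc=$?
    kdestroy
    return $rc
}

if [ -n "${KRB_JOB_MAIN:-}" ]; then
    run_with_tgt /home/srv_rsync/srv_rsync.keytab srv_rsync@MYDOMAIN.LOCAL \
        rsync -a /data/ backup-host:/data/
fi
```

Invoke it from cron with KRB_JOB_MAIN=1; the wrapper exits 2 before touching the KDC if the keytab is readable by anyone but its owner, which is the failure a practitioner most wants to catch early.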

Re: [Freeipa-users] Bash script to see if user is enabled or disabled?

2014-05-12 Thread Michael ORourke
I wrote a script to query IPA for accounts with passwords that are about to expire (so I can nag them with an email to reset their password), and I also added logic in my script to ignore accounts that are disabled. So I needed a way to query my IPA server for this info. I came up with 2 solutions for checking if the account is disabled.

1. Do an LDAP query on the user and check for an attribute called "nsAccountLock". If it is TRUE, then the account is disabled. If it is FALSE or not defined, then the account is enabled.

2. On a box with the IPA CLI tools installed, run the following command, "ipa user-status username". However, if you have several replicated IPA servers, you will see the status of the account on each IPA server along with the account status.

I hope this helps.

-Mike

-Original Message-
From: Chris Whittle 
Sent: May 12, 2014 10:31 AM
To: freeipa-users 
Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?

I am working on my mac setups and am wanting to ping the server every so often and check to see if their user is enabled or disabled. If Disabled then I will show them the login screen, log them out or something else.. What I need is how to check to see if they are enabled or not through bash... Anyone done sometime similar? 



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
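The nsAccountLock check from option 1 above, as an added example that is not from the original post: a POSIX sh helper that escapes the login before it goes into the LDAP filter (so a login taken from a list or a user-supplied value cannot rewrite the query), treats FALSE and an absent attribute both as enabled, and keeps "no such entry" separate from "enabled" so a typo in a login does not look like an active account. It assumes OpenLDAP client tools and a Kerberos ticket for the GSSAPI bind; IPA_SERVER, BASE_DN and the logins are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): query FreeIPA over LDAP for
# nsAccountLock and branch on the result.
# Assumptions: OpenLDAP ldapsearch, a valid Kerberos ticket for GSSAPI bind,
# and the standard IPA user container. IPA_SERVER and BASE_DN are placeholders.

# ldap_filter_escape STRING: escape the RFC 4515 special characters so a
# login string cannot break out of the search filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# account_disabled < LDIF: succeed (exit 0) when the entry carries
# nsAccountLock: TRUE; FALSE or an absent attribute both mean "enabled".
account_disabled() {
    val=$(grep -i '^nsAccountLock:' | head -n 1 | cut -d: -f2- |
          tr -d ' \r' | tr 'a-z' 'A-Z')
    [ "$val" = "TRUE" ]
}

# user_ldif LOGIN: fetch the user's entry (only the attribute we need).
user_ldif() {
    ldapsearch -LLL -Q -Y GSSAPI -H "ldaps://${IPA_SERVER:?}" \
        -b "cn=users,cn=accounts,${BASE_DN:?}" \
        "(uid=$(ldap_filter_escape "$1"))" nsAccountLock
}

# is_disabled LOGIN: 0 if disabled, 1 if enabled, 2 if the lookup failed or
# no entry came back (never treat "no entry" as "enabled").
is_disabled() {
    ldif=$(user_ldif "$1") || return 2
    [ -n "$ldif" ] || return 2
    printf '%s\n' "$ldif" | account_disabled
}

if [ -n "${IPA_CHECK_MAIN:-}" ]; then
    for u in "$@"; do
        is_disabled "$u"
        case $? in
            0) printf '%s: disabled (skip nag)\n' "$u" ;;
            1) printf '%s: enabled\n' "$u" ;;
            *) printf '%s: lookup failed\n' "$u" >&2 ;;
        esac
    done
fi
```

Run as IPA_SERVER=ipa.example.test BASE_DN=dc=example,dc=test IPA_CHECK_MAIN=1 ./check.sh alice bob; on a replicated deployment nsAccountLock is a replicated attribute, so one server's answer is enough, unlike the per-server output of ipa user-status.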

Re: [Freeipa-users] Mail Challenge Password Reset

2013-03-21 Thread Michael ORourke
- Original Message - 
From: Dmitri Pal d...@redhat.com

To: freeipa-users@redhat.com
Sent: Wednesday, March 20, 2013 7:29 PM
Subject: Re: [Freeipa-users] Mail Challenge Password Reset



On 03/20/2013 07:23 PM, Michael ORourke wrote:

We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
It is working very well and we plan to move it into production soon.
I haven't written a how-to, but I have several notes on setting this up.
What part of PWM are you having trouble with?


It would be really awesome if you could find a moment to write a HOWTO on the 
subject.


Thanks
Dmitri

Sure!  I was planning on doing that anyways.  The only piece which I am 
having some trouble with is the pwm-proxy-user and the pwm-admin user/group 
ACL's.  The documentation has some general guidelines, but it is not LDAP 
server specific.  For production, you obviously don't want the directory 
admin user as the pwm-proxy-user.  Anyways, I'm pretty close to getting that 
worked out, then I'll have a usable HOWTO that I can share out.


-Mike



-Mike


- Original Message - From: John Moyer
To: freeipa-users@redhat.com
Sent: Tuesday, March 19, 2013 4:25 PM
Subject: [Freeipa-users] Mail Challenge Password Reset

Is there a mail challenge 3rd party tool that allows for users to
change their own passwords if they don't know their password?
Something like PWM for LDAP?

https://code.google.com/p/pwm/

I've been looking around and no one seems to have done this yet, but
wanted to yield to this group before giving up hope.

Thanks,
_
John Moyer




--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





-
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2013.0.2904 / Virus Database: 2641/6192 - Release Date: 03/20/13





Re: [Freeipa-users] Mail Challenge Password Reset

2013-03-21 Thread Michael ORourke
- Original Message - 
From: KodaK sako...@gmail.com

To: Michael ORourke mrorou...@earthlink.net
Cc: freeipa-users@redhat.com
Sent: Wednesday, March 20, 2013 8:35 PM
Subject: Re: [Freeipa-users] Mail Challenge Password Reset



On Wed, Mar 20, 2013 at 6:23 PM, Michael ORourke
mrorou...@earthlink.net wrote:

We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
It is working very well and we plan to move it into production soon.
I haven't written a how-to, but I have several notes on setting this up.
What part of PWM are you having trouble with?


It's been a while, but IIRC when a user would request a reset via pwm
and then set their password, it would require a further change because
changing it through PWM was as-if an admin had done so.  Something
like that.  Like I said, I didn't test that long with it.  Like Dmitri
said, if you could share your notes or write up a how-to the community
would certainly appreciate it.

Thanks,

--Jason


I am not seeing that behaviour (password requiring a change after user just 
changed it).
I'm using PWM v1.6.4 and freeIPA v2.2.0.  Perhaps it only shows up in 
certain environments.


-Mike



Re: [Freeipa-users] Mail Challenge Password Reset

2013-03-20 Thread Michael ORourke

We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
It is working very well and we plan to move it into production soon.
I haven't written a how-to, but I have several notes on setting this up.
What part of PWM are you having trouble with?

-Mike


- Original Message - 
From: John Moyer

To: freeipa-users@redhat.com
Sent: Tuesday, March 19, 2013 4:25 PM
Subject: [Freeipa-users] Mail Challenge Password Reset

Is there a mail challenge 3rd party tool that allows for users to change 
their own passwords if they don't know their password?  Something like PWM 
for LDAP?


https://code.google.com/p/pwm/

I've been looking around and no one seems to have done this yet, but wanted 
to yield to this group before giving up hope.


Thanks,
_
John Moyer



Re: [Freeipa-users] Solaris Clients

2013-03-13 Thread Michael ORourke
I'm not sure if this will help (not being a Solaris shop), but when we rolled 
out IPA in our environment, I had some trouble with ssh and kerberos auth 
working correctly.  As it turned out, the fix was adding reverse lookup records 
(PTR) in the DNS for all the servers. 

-Mike


-Original Message-
From: Luke Kearney l...@kearney.jp
Sent: Mar 13, 2013 4:39 PM
To: Freeipa-users@redhat.com
Subject: [Freeipa-users] Solaris Clients

Hello,

I have recently been working on integrating our solaris 10 fleet with FreeIPA. 
The first 'test' host went relatively smoothly and we recently created a new 
test host. Only this time it was more challenging to get the system working.

On our original test installation every step went almost exactly as per the 
documentation [ 
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
 ] 

On the second install we found that whilst we were able to retrieve user 
account information via LDAP we could not login via ssh and kerberos for any 
amount of trying. This was overcome by inserting the following line into 
pam.conf

other   account sufficient   pam_ldap.so.1

Where it had not been needed on test host1.

To the extent it works and doesn't break something else this is all fine. I 
understand why it works as the information in ldap is needed to open the 
terminal session, why would one need this stanza but not the other?

If anyone can shed any light on this I would be most appreciative.

Thanks



[Freeipa-users] Realm distributed across data centers

2013-03-12 Thread Michael ORourke
We have a single realm distributed across 2 data centers and 2 offices with 
4 replicated IPA servers (2 in each data center).  We are running IPA server 
and client v2.2.0 on all servers and replication appears to be functioning 
correctly.  What I have noticed is that some servers in DC1, have no 
connectivity to the IPA servers in DC2, and when you try connecting to them 
from Office1 you sometimes get a long authentication delay.  I suspect this 
is caused by a timeout waiting for an IPA server in DC2 to respond (which it 
can't).  So I guess my question is, is there a 'best practices' approach to 
this scenario?

