[Freeipa-users] SSH GSSAPI + FreeIPA with Windows 2008 Trust

2015-05-25 Thread crony
Hi All,
we have set up a FreeIPA 4.1 (CentOS 7) trust with Windows 2008R2. Everything (HBAC,
SUDO) works pretty well except SSH SSO using GSSAPI from Windows AD clients
(e.g. PuTTY) to Linux client machines (CentOS 6). Password authentication
works, just GSSAPI fails.

Actually, there is one scenario where SSH GSSAPI authentication works: when
connecting to the FreeIPA master or replica (where the trust was established),
but not to FreeIPA host clients.

Important sections of configuration files (servers/clients):

/etc/ssh/sshd_config:
GSSAPIAuthentication yes
KerberosAuthentication yes

/etc/krb5.conf:
auth_to_local = RULE:[1:$1@$0](^.*@WINDOWS.DOMAIN$)s/@WINDOWS.DOMAIN/@windows.domain/
auth_to_local = DEFAULT

BTW, after I log in by password to a Linux client machine I can use GSSAPI
within the same host by ssh-ing in a loop to localhost, so locally
GSSAPI works here.

Is there something I missed?
Any help would be greatly appreciated.

/lm
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
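What the two auth_to_local rules in the post actually do to an incoming principal, as an added example that is not part of the thread (the rules are quoted here with @ signs, which the archive rendered as "at"). It is a small emulator of MIT krb5's RULE/DEFAULT processing, limited to the syntax the post uses (no back-references in the s/// part); WINDOWS.DOMAIN and windows.domain are the post's placeholders, and IPA.EXAMPLE as the client's default realm is an assumption. The point it shows: a principal from a realm that no explicit rule covers gets no local name at all from DEFAULT, and sshd's GSSAPI user check only succeeds when the mapped name equals the login name the client asked for (ignoring ~/.k5login), which is exactly the kind of failure that leaves password login untouched.

```python
import re

# Added example, not from the thread: emulate MIT krb5 auth_to_local for the
# two rules quoted in the post.  Only the RULE syntax the post uses is handled
# (selector regex, s/pat/repl/[g] substitutions without back-references).

DEFAULT_REALM = "IPA.EXAMPLE"   # assumption: the realm the IPA client is enrolled in

THREAD_RULES = [
    "RULE:[1:$1@$0](^.*@WINDOWS.DOMAIN$)s/@WINDOWS.DOMAIN/@windows.domain/",
    "DEFAULT",
]

RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)((?:s/[^/]*/[^/]*/g?)*)$")
SUBST_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Map one principal through one auth_to_local rule; None = rule does not apply."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals from the default realm.
        return components[0] if realm == default_realm and len(components) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomp, fmt, selector, substs = m.groups()
    if len(components) != int(ncomp):
        return None                      # [n:...] requires exactly n components
    fields = {"0": realm, **{str(i): c for i, c in enumerate(components, 1)}}
    try:
        formatted = re.sub(r"\$(\d+)", lambda v: fields[v.group(1)], fmt)
    except KeyError:
        return None                      # $n beyond the component count
    if re.fullmatch(selector, formatted) is None:
        return None                      # selector regex must match the whole string
    for pat, repl, flag in SUBST_RE.findall(substs):
        formatted = re.sub(pat, repl, formatted, count=0 if flag else 1)
    return formatted


def auth_to_local(principal, rules=THREAD_RULES, default_realm=DEFAULT_REALM):
    """First rule that yields a name wins; None means krb5 has no local name."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


def gssapi_userok(requested_user, principal, **kw):
    """sshd accepts a GSSAPI login only if the mapped name equals the login name
    (the ~/.k5login path of krb5_kuserok is ignored here)."""
    return auth_to_local(principal, **kw) == requested_user


if __name__ == "__main__":
    for p in ("jdoe@WINDOWS.DOMAIN", "admin@IPA.EXAMPLE", "host/box.example@WINDOWS.DOMAIN"):
        print(f"{p:40s} -> {auth_to_local(p)}")
    print("with DEFAULT only:", auth_to_local("jdoe@WINDOWS.DOMAIN", rules=["DEFAULT"]))
```

Run it with `ssh -vvv` output in hand: the login name PuTTY sends must equal the value this mapping returns for the AD principal, otherwise sshd logs a GSSAPI user-ok failure even though the ticket itself was accepted.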

[Freeipa-users] Web interface session timeout

2015-05-25 Thread crony
Hi All,
Is there any way we can change the web interface session timeout? I am using
form-based auth.

/lm

[Freeipa-users] Adding external CA

2015-03-12 Thread crony
Hi FreeIPA Users,
I have a fresh new FreeIPA 4.1 on RHEL 7.1 with a self-signed CA and I would
like to change the self-signed CA to an external CA.

Do you have any step-by-step document for doing it correctly on version 4.1?

/lm

Re: [Freeipa-users] Adding external CA

2015-03-12 Thread crony
Thank you David, I'll check it out.

2015-03-12 12:36 GMT+01:00 David Kupka dku...@redhat.com:

 On 03/12/2015 10:37 AM, crony wrote:

 Hi FreeIPA Users,
 I have a fresh new FreeIPA 4.1 on RHEL 7.1 with a self-signed CA and I would
 like to change the self-signed CA to an external CA.

 Do you have any step-by-step document for doing it correctly on version 4.1?

 /lm




 Hello!

 I'm not aware of this being documented but fortunately this can be done in
 3 easy steps:

 1. # ipa-cacert-manage renew --external-ca
 2. Let the CA of your choice sign the CSR produced in step 1.
 3. # ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

 --
 David Kupka




-- 
Regards, Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.
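The part between David's step 1 and step 3, as an added example that is not from the thread or the FreeIPA project: the external CA has to issue a CA certificate (basicConstraints CA:TRUE, keyCertSign) for the key in IPA's request, and it is worth checking that before handing the files to step 3, because a plain server certificate from the external CA leaves IPA with a CA that cannot sign anything. The script rehearses the signing against a throwaway "external" root created with openssl so it runs offline; the working directory, subject names and key sizes are constructed here, and only /var/lib/ipa/ca.csr is a real path (where `ipa-cacert-manage renew --external-ca` writes its request).

```shell
#!/bin/sh
# Added example, not from the thread: sign IPA's CA CSR with an external CA and
# verify the result before running ipa-cacert-manage renew --external-cert-file.
# Everything under $WORK is a throwaway stand-in created for the rehearsal.

sign_and_check() {
    WORK=$(mktemp -d) || return 1

    # Stand-in for the CSR from step 1; on a real master use /var/lib/ipa/ca.csr.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ipa.key" \
        -subj "/O=EXAMPLE.COM/CN=Certificate Authority" \
        -out "$WORK/ca.csr" 2>/dev/null || return 1

    # Throwaway external root CA standing in for "the CA of your choice".
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$WORK/ext.key" \
        -subj "/O=External/CN=External Root CA" \
        -out "$WORK/ext.pem" 2>/dev/null || return 1

    # Extensions the external CA must apply: IPA's certificate is itself a CA.
    cat > "$WORK/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -in "$WORK/ca.csr" -CA "$WORK/ext.pem" -CAkey "$WORK/ext.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/subca.ext" \
        -out "$WORK/ipa-ca.pem" 2>/dev/null || return 1

    # Checks before step 3: chain verifies, it is a CA cert, and it matches the CSR key.
    openssl verify -CAfile "$WORK/ext.pem" "$WORK/ipa-ca.pem" >/dev/null 2>&1 \
        || { echo "chain does not verify against the external CA" >&2; return 1; }
    openssl x509 -in "$WORK/ipa-ca.pem" -noout -text | grep -q "CA:TRUE" \
        || { echo "external CA issued an end-entity cert, not a CA cert" >&2; return 1; }
    [ "$(openssl x509 -in "$WORK/ipa-ca.pem" -noout -pubkey)" = \
      "$(openssl req -in "$WORK/ca.csr" -noout -pubkey)" ] \
        || { echo "signed cert does not match the CSR key" >&2; return 1; }

    echo "$WORK"
}

if [ "${1:-}" = "run" ]; then
    dir=$(sign_and_check) && echo "signed CA certificate and external root ready in $dir"
fi
```

On the real master the two files that pass these checks are the ones step 3 expects: `ipa-cacert-manage renew --external-cert-file=ipa-ca.pem --external-cert-file=ext.pem`.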

[Freeipa-users] AD Cross Realm Trust + AIX

2015-02-12 Thread crony
Hi All,
can I ask you for some advice?

My setup is:
- updated RHEL7 as IPA server (UX.EXAMPLE.COM) in a trust with an Active
Directory 2008R2 domain (EXAMPLE.COM)
- AIX 7 as IPA client

I'm using the compat tree for connecting AIX as a client.

A lot of things work correctly:

# /usr/krb5/bin/kinit leszek
Password for ad_u...@example.com:

 # /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  ad_u...@example.com
Valid starting ExpiresService principal
02/12/15 15:46:23  02/13/15 01:46:31  krbtgt/example@example.com
Renew until 02/13/15 01:46:23

# lsldap -a passwd ad_u...@example.com
dn: uid=ad_u...@example.com,cn=users,cn=compat,dc=ux,dc=example,dc=com
objectClass: posixAccount
objectClass: extensibleObject
objectClass: top
gecos: ad_user
cn: ad_user
uidNumber: 1036620735
gidNumber: 1036620735
homeDirectory: /home/example.com/ad_user
ipaNTSecurityIdentifier: S-1-5-21--X-XX
uid: ad_u...@example.com
# id ad_u...@example.com
uid=1036620735(ad_u...@example.com) gid=1036620735(ad_u...@example.com)
groups=1036620733(another_gr...@example.com)

Here I found the first problem:

# su - ad_u...@example.com
3004-614 Unable to change directory to .
You are in /home/guest instead.
$ id
uid=1036620735(ad_u...@example.com) gid=1036620735(ad_u...@example.com)
groups=1036620733(another_gr...@example.com)

The "3004-614 Unable to change directory to ." error appears after I added the
following to /etc/methods.cfg:

KRB5A:
program = /usr/lib/security/KRB5A
program_64 = /usr/lib/security/KRB5A_64
options = authonly
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64

Without these lines there is no error about changing to the home directory: su
from root works smoothly and puts the user in their home directory. But then
I can't ssh to the system, because I have no correct registry.
-
I made another test: logging in as a plain IPA user, e.g. admin. There is
no such problem:

# id admin
uid=3(admin) gid=3(admins)

 # su - admin

-bash-3.2$ pwd
/export/home/admin

-bash-3.2$ id
uid=3(admin) gid=3(admins)
# ssh admin@localhost
admin@localhost's password:
***************************************************************
*  Welcome to AIX Version 7.1!
*  Please see the README file in /usr/lpp/bos for information pertinent to
*  this release of the AIX Operating System.
***************************************************************
-bash-3.2$ id

uid=3(admin) gid=3(admins)

Any idea what is wrong?

I have already changed the AIX max_logname from 8 to 40 characters. Maybe
the @ character in the login name is a problem?

Thank you in advance.
-- 
/lm

[Freeipa-users] IPA with Cross Realm Trust + AIX/Solaris/HPUX

2014-12-12 Thread crony
Hi List!
Our setup is:
•  2 domain controllers with Windows 2008 R2 AD DC
•  2x RHEL7 as IPA server with domain: linux.acme.example.com
•  example.com as Forest Root Domain and acme.example.com as transitive
child domain

We have established a cross realm trust between linux.acme.example.com and
acme.example.com.

It works great on RHEL 6 clients with SSSD 1.9.x. The user groups are
assigned correctly and that is fine.

The question is: what about integrating Unix systems like AIX 6/7, Solaris
10/11 and HP-UX v3 as IPA clients in such a configuration? I found, e.g. here:
http://docs.fedoraproject.org/en-US/Fedora/15/html-single/FreeIPA_Guide/#Configuring_an_IPA_Client_on_AIX
that it is possible, but will it work with a cross-realm trust? We will not find
a modern sssd daemon there.

Have you got any experience?

/l

[Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread crony
Hi,
I have a FreeIPA 3.3.3 in a transitive trust with AD 2008.

Today I saw a lot of sssd segfaults on the server side:

[  420.412011] sssd_be[734]: segfault at 8 ip 7fa54fa73334 sp 7fff62b2ec40 error 4 in libldb.so.1.1.16[7fa54fa66000+2c000]
[  421.763035] sssd_be[2666]: segfault at 8 ip 7f9c5b7ff334 sp 7fff2efadb00 error 4 in libldb.so.1.1.16[7f9c5b7f2000+2c000]
[  494.926197] sssd_be[2668]: segfault at 8 ip 7f0e26194334 sp 7fffd5906140 error 4 in libldb.so.1.1.16[7f0e26187000+2c000]
[  496.247496] sssd_be[2702]: segfault at 8 ip 7feeb5b91334 sp 7fff16a94720 error 4 in libldb.so.1.1.16[7feeb5b84000+2c000]
[  552.856890] sssd_be[2704]: segfault at 8 ip 7f411fafe334 sp 7fff4d551360 error 4 in libldb.so.1.1.16[7f411faf1000+2c000]
[  554.191542] sssd_be[2712]: segfault at 8 ip 7ff55bde7334 sp 7fb0d590 error 4 in libldb.so.1.1.16[7ff55bdda000+2c000]
[  558.502357] sssd_be[2714]: segfault at 8 ip 7f811e75d334 sp 7fff5b624090 error 4 in libldb.so.1.1.16[7f811e75+2c000]
[  572.932207] sssd_be[2717]: segfault at 8 ip 7ff89398e334 sp 7fffa43f6d90 error 4 in libldb.so.1.1.16[7ff893981000+2c000]
[ 2148.965812] sssd_be[2797]: segfault at 8 ip 7fc06f51e334 sp 7fff14f8c8a0 error 4 in libldb.so.1.1.16[7fc06f511000+2c000]
[ 2150.310849] sssd_be[2907]: segfault at 8 ip 7f9fafdef334 sp 7fff29862f10 error 4 in libldb.so.1.1.16[7f9fafde2000+2c000]
[ 2323.836156] sssd_be[2909]: segfault at 8 ip 7f8d6648e334 sp 71249fa0 error 4 in libldb.so.1.1.16[7f8d66481000+2c000]
[ 2325.158687] sssd_be[2917]: segfault at 8 ip 7fb8554ff334 sp 7fffb5f073a0 error 4 in libldb.so.1.1.16[7fb8554f2000+2c000]
[ 2329.361081] sssd_be[2920]: segfault at 8 ip 7fe333e40334 sp 7fffab520290 error 4 in libldb.so.1.1.16[7fe333e33000+2c000]
[ 2343.681005] sssd_be[2922]: segfault at 8 ip 7f0ff5612334 sp 7fff351c9090 error 4 in libldb.so.1.1.16[7f0ff5605000+2c000]
[ 3249.456297] sssd_be[2975]: segfault at 8 ip 7f225d9bb334 sp 7fff43002c80 error 4 in libldb.so.1.1.16[7f225d9ae000+2c000]
[ 3250.661605] sssd_be[2990]: segfault at 8 ip 7fce9bda9334 sp 7fff80076090 error 4 in libldb.so.1.1.16[7fce9bd9c000+2c000]

After the segfault appears, I can no longer log in to any IPA client
machine.

RHEL7 -  kernel 3.10.0-123.8.1.el7.x86_64,

ipa-python-3.3.3-28.el7_0.1.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-client-3.3.3-28.el7_0.1.x86_64
libipa_hbac-python-1.11.2-68.el7_0.5.x86_64
iniparser-3.1-5.el7.x86_64
ipa-admintools-3.3.3-28.el7_0.1.x86_64
ipa-server-trust-ad-3.3.3-28.el7_0.1.x86_64
sssd-ipa-1.11.2-68.el7_0.5.x86_64
libipa_hbac-1.11.2-68.el7_0.5.x86_64
ipa-server-3.3.3-28.el7_0.1.x86_64

Any idea?

The segfault appears at exactly the moment of logging in to the IPA client.

/lm
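A first triage pass over kernel segfault lines like the ones above, as an added example that is not part of the thread. Each message carries the faulting address, the instruction pointer and the base and size of the mapping it fell in, so the offset of the crash inside libldb can be computed per line; when every crash lands at the same offset (here 0xd334 for all the intact lines) the picture is one deterministic bug rather than random memory corruption, and "segfault at 8 ... error 4" decodes to a user-mode read through a NULL pointer plus 8, i.e. a field of a structure that was never allocated. The sample is copied from the post; the last sample line is one that arrived truncated in the archive, kept to show the range check rejecting it instead of producing a nonsense offset.

```python
import re
from collections import Counter

# Added example, not from the thread: group x86-64 "segfault at" kernel messages
# by (object, offset) to see whether they are one bug.  Sample lines are copied
# from the post above; the last one is truncated in the archive on purpose.
SAMPLE = """\
[  420.412011] sssd_be[734]: segfault at 8 ip 7fa54fa73334 sp 7fff62b2ec40 error 4 in libldb.so.1.1.16[7fa54fa66000+2c000]
[  421.763035] sssd_be[2666]: segfault at 8 ip 7f9c5b7ff334 sp 7fff2efadb00 error 4 in libldb.so.1.1.16[7f9c5b7f2000+2c000]
[  494.926197] sssd_be[2668]: segfault at 8 ip 7f0e26194334 sp 7fffd5906140 error 4 in libldb.so.1.1.16[7f0e26187000+2c000]
[  558.502357] sssd_be[2714]: segfault at 8 ip 7f811e75d334 sp 7fff5b624090 error 4 in libldb.so.1.1.16[7f811e75+2c000]
"""

SEGFAULT_RE = re.compile(
    r"\[\s*(?P<uptime>[\d.]+)\]\s+(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>\d+) in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse_segfault(line):
    """Fields of one 'segfault at' kernel message as a dict, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("addr", "ip", "sp", "base", "size"):
        rec[key] = int(rec[key], 16)
    rec["pid"] = int(rec["pid"])
    rec["err"] = int(rec["err"])
    return rec


def decode_error(err):
    """x86 page-fault error code: bit0 = protection violation (else page not
    present), bit1 = write (else read), bit2 = user mode (else kernel)."""
    return {"present": bool(err & 1), "write": bool(err & 2), "user": bool(err & 4)}


def crash_offset(rec):
    """Offset of the faulting instruction inside the mapped object, or None when
    ip does not fall inside [base, base+size) (truncated or mismatched line)."""
    if rec["base"] <= rec["ip"] < rec["base"] + rec["size"]:
        return rec["ip"] - rec["base"]
    return None


def summarize(text):
    """Count crashes per (object, offset); a single dominant pair means one bug."""
    counts = Counter()
    rejected = []
    for line in text.splitlines():
        rec = parse_segfault(line)
        if rec is None:
            continue
        off = crash_offset(rec)
        if off is None:
            rejected.append(line)
            continue
        counts[(rec["obj"], off)] += 1
    return counts, rejected


if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE)
    for (obj, off), n in counts.most_common():
        print(f"{n}x {obj}+0x{off:x}")
    first = parse_segfault(SAMPLE.splitlines()[0])
    print("fault address 0x%x, %s" % (first["addr"], decode_error(first["err"])))
    print("rejected (malformed) lines:", len(rejected))
```

The offset is what to feed to `addr2line -e /usr/lib64/libldb.so.1.1.16 0xd334` with the matching debuginfo, or to compare against the backtrace from the abrt core dump that the reply below asks for.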

[Freeipa-users] IPA 3.3.3 in transitive trust and random group assignment

2014-10-23 Thread crony
Hi List,
On the IPA server I added one external group for an AD group.

When I log in to an IPA client I can see that group:

97687(trustlinuxgroup_from_ad2posix)

but I also see a few different groups coming directly from Active Directory,
like 127310615(trustlinuxgr...@acme.example.com) or 127200513(domain us...@acme.example.com):

After clearing the cache, the group assignment looks different: a few more or
fewer groups are shown by the id command.

Do you know the reason? I have no idea what to do with this.

/lm

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread crony
Already sent directly to your email.

/lm

2014-10-23 13:45 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com:

 On (23/10/14 12:23), crony wrote:
 Hi,
 I have a FreeIPA 3.3.3 in transitive trust with AD2008.
 
 Today I saw a lot of sssd segfaults on the server side:
 
 [ 420.412011] sssd_be[734]: segfault at 8 ip 7fa54fa73334 sp 7fff62b2ec40 error 4 in libldb.so.1.1.16[7fa54fa66000+2c000]
 Could you provide coredump (backtrace) or at least log files with higher
 debug_level?

 If you have enabled abrt then coredump should be in /var/tmp/abrt/ccpp-*

 LS




-- 
Regards, Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.

[Freeipa-users] IPA+AD (transitive trust) - s2n exop request failed

2014-10-23 Thread crony
Hi All,
I've found another problem with my setup:

What could be the reason for such errors on the FreeIPA client side:

/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:49:23 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:03 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:04 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:06 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:06 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:07 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:07 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:08 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:08 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:17 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:52:05 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:52:08 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:52:18 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:57:12 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:57:15 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:58:29 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:58:34 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 10:02:10 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
/var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 10:02:13 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

IPA 3.3.3 + RHEL7 and IPA clients: RHEL 6.4 and RHEL 6.6 -  the same
situation.

/lm

Re: [Freeipa-users] IPA+AD (transitive trust) - s2n exop request failed

2014-10-23 Thread crony
Probably yes.



2014-10-23 15:59 GMT+02:00 Sumit Bose sb...@redhat.com:

 On Thu, Oct 23, 2014 at 03:47:31PM +0200, crony wrote:
  Hi All,
  I've found another problem with my setup:
 
  What could be the reason of such errors on FreeIPA client side:
 
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:49:23 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:03 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:04 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:06 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:06 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:07 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:07 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:08 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:08 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:50:17 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:52:05 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:52:08 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:52:18 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:57:12 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:57:15 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:58:29 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:58:34 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 10:02:10 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
  /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 10:02:13 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

 This typically indicates that the user or group lookup failed on the
 server side.  Maybe this is related to the segfaults you are seeing on
 the server side.

 bye,
 Sumit

 
  IPA 3.3.3 + RHEL7 and IPA clients: RHEL 6.4 and RHEL 6.6 -  the same
  situation.
 
  /lm





-- 
Regards, Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread crony
yes, sure, it would be great to see if it works in the upstream version.
thank you

2014-10-23 16:10 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com:

 On (23/10/14 14:44), crony wrote:
 Already sent directly to your email.
 
 Thank you for coredump.
 It is a known bug (https://fedorahosted.org/sssd/ticket/2391)

 Bug is fixed in sssd upstream

 sh$ git tag --contains 895f045dd4aad7f5857826cc1496cfa048a790dd
 sssd-1_11_7

 sh$ git tag --contains
 82347f452febe3cbffc36b0a3308ffb462515442
 sssd-1_12_1
 sssd-1_12_2

 If you want I can prepare you test package for epel7 in COPR, which will
 be equivalent to sssd in fedora 20 (sssd-1.11.7-2.fc20)

 LS




-- 
Regards, Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread crony
Thank you!

Error: Package: sssd-client-1.11.7-2.el7.centos.x86_64 (lslebodn-sssd-1-11)
   Requires: libc.so.6(GLIBC_2.14)(64bit)
Error: Package: python-sssdconfig-1.11.7-2.el7.centos.noarch
(lslebodn-sssd-1-11)
   Requires: python(abi) = 2.7
   Installed: python-2.6.6-52.el6.x86_64 (@updates)
   python(abi) = 2.6
   Available: python-2.6.6-51.el6.x86_64 (base)
   python(abi) = 2.6

Should I change the default Python on RHEL7 for the dependencies? It could be
destructive for my system ;-)

2014-10-23 17:09 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com:

 On (23/10/14 16:31), crony wrote:
 yes, sure, it would be great to see if it works in upstream version.
 thank you
 
 Here you are
 https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-11/

 LS




-- 
Regards, Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread crony
Oh, sorry Lukas, now it's my mistake + tiredness... I was testing on the
wrong machine. Thank you.

/lm

2014-10-23 18:30 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com:

 On (23/10/14 18:12), crony wrote:
 Thank you!
 
 I prepared repo for epel6, epel7 and fedora 19

 Error: Package: sssd-client-1.11.7-2.el7.centos.x86_64
 (lslebodn-sssd-1-11)
Requires: libc.so.6(GLIBC_2.14)(64bit)
 Error: Package: python-sssdconfig-1.11.7-2.el7.centos.noarch
 
 you want to install package from epel7

 (lslebodn-sssd-1-11)
Requires: python(abi) = 2.7
Installed: python-2.6.6-52.el6.x86_64 (@updates)
^^^
and machine is rhel6 (centos6)

python(abi) = 2.6
Available: python-2.6.6-51.el6.x86_64 (base)
python(abi) = 2.6
 
 Should I change the default python from RHEL7 for dependencies? It could
 be
 destructive for my system ;-)
 Are you sure you are using RHEL7 and not RHEL6?

 LS




-- 
Regards, Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.

[Freeipa-users] IPA Trust AD and Illegal cross-realm ticket

2014-10-15 Thread crony
Hi,
I've been following the AD integration guide for IPAv3:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

My setup is:
• 5 domain controllers with Windows 2008 R2 AD DC - example.com as Forest
Root Domain and acme.example.com as transitive child domain
• RHEL7 as IPA server with domain: linux.acme.example.com
• RHEL6.5 as IPA client server ipatst03.linux.acme.example.com

Everything works correctly on the IPA server, but the problem is with the IPA
client.

I cannot log in via SSH or su -:

[leszek@ipatst03 ~]$ su - us...@acme.example.com
Password:
su: incorrect password

I found this error in /var/log/sssd/krb5_child.log :

(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/ipatst03.linux.acme.example@linux.acme.example.com].
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt] (0x0020): 988: [-1765328341][Illegal cross-realm ticket]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error] (0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [pack_response_packet] (0x2000): response packet size: [20]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400): krb5_child completed successfully


From that IPA client I can run:

[root@ipatst03 ~]$ getent passwd us...@acme.example.com
us...@acme.example.com:*:127283727:127283727:user1:/home/acme.example.com/user1:

Do you know what is wrong with my setup?

After adding krb5_validate = false to sssd.conf on the IPA client ipatst03 I
can log in via su/ssh, but without Kerberos principals and without groups
assigned:

[leszek@ipatst03 ~]$ su - us...@acme.example.com
Password:
-sh-4.1$ id
uid=127283727(us...@acme.example.com) gid=127283727(us...@acme.example.com)
groups=127283727(us...@acme.example.com)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ klist
klist: No credentials cache found while retrieving principal name



Below you can find setup information from IPA Server where everything looks
good:

[root@ipa1 ~]# kinit admin
Password for ad...@linux.acme.example.com:

[root@ipa1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@linux.acme.example.com

Valid starting   Expires  Service principal
10/15/2014 14:02:29  10/16/2014 14:02:25  krbtgt/linux.acme.example@linux.acme.example.com

[root@ipa1 ~]# getent passwd us...@acme.example.com
us...@acme.example.com:*:127283727:127283727:user1:/home/acme.example.com/user1:

[root@ipa1 ~]# su - us...@acme.example.com
Last login: Wed Oct 15 13:05:11 CEST 2014 from 10.9.79.93 on pts/4
-sh-4.2$ id
uid=127283727(us...@acme.example.com) gid=127283727(us...@acme.example.com)
groups=127283727(us...@acme.example.com),127200513(domain us...@acme.example.com)

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:127283727:krb_ccache_Aablt0q
Default principal: us...@acme.example.com

Valid starting   Expires  Service principal
10/15/2014 13:05:22  10/15/2014 21:26:29  host/ipatst03.linux.acme.example@linux.acme.example.com
renew until 10/16/2014 11:26:29
10/15/2014 13:05:20  10/15/2014 21:26:29  krbtgt/linux.acme.example@example.com
renew until 10/16/2014 11:26:29
10/15/2014 13:05:20  10/15/2014 21:26:29  krbtgt/example@acme.example.com
renew until 10/16/2014 11:26:29
10/15/2014 11:26:29  10/15/2014 21:26:29  krbtgt/acme.example@acme.example.com
renew until 10/16/2014 11:26:29

[leszek@ipa1 ~]$ su - us...@acme.example.com
Password:
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:127283727:krb_ccache_Aablt0q
Default principal: us...@acme.example.com

Valid starting   Expires  Service principal
10/15/2014 14:43:00  10/16/2014 00:43:00  krbtgt/acme.example@acme.example.com
renew until 10/16/2014 14:43:00



Everything looks good.

[root@ipa1 ~]# ipa trustdomain-find example.com
  Domain name: example.com
  Domain NetBIOS name: EXAMPLE
  Domain Security Identifier: S-1-5-21-827937240-19931235763-83952325
  Domain enabled: True

  Domain name: acme.example.com
  Domain NetBIOS name: ACME
  Domain Security Identifier: S-1-5-21-107454117-223899964-1235820382
  Domain enabled: True

Number of entries returned 2


Any suggestions for help?

Thanks.

--
http://cronylab.pl
http://emerge.pl

Re: [Freeipa-users] IPA Trust AD and Illegal cross-realm ticket

2014-10-15 Thread crony
Alex,
Thank you. Now it works, but not completely:

1.

[leszek@ipa1 ~]$ ssh ipatst03.linux.acme.example.com -l us...@acme.example.com
Password:
Last login: Wed Oct 15 16:11:27 2014

-sh-4.1$ id
uid=127283727(us...@acme.example.com) gid=127283727(us...@acme.example.com)
groups=127283727(us...@acme.example.com),127292838(linuxgr...@acme.example.com)

I can't see all my groups. User1 is a member of 15 different groups on the AD
side, not just the one shown above: linuxgr...@acme.example.com

Could it be related? I can see all these group memberships on the IPA server
(id us...@acme.example.com)

2. After login ssh ipatst03.linux.acme.example.com -l us...@acme.example.com

-sh-4.1$ klist
klist: Included profile file could not be read while initializing krb5

Even kinit does not work:

-sh-4.1$ kinit us...@acme.example.com
kinit: Included profile file could not be read while initializing Kerberos
5 library

What about that? I didn't see this error before. Related?

I have another, but related, question, if you don't mind: what if I would
like to connect a RHEL5 IPA client to my IPA server AD trust setup? Do you
think it is realistic and could it work?

Thank you in advance



2014-10-15 15:50 GMT+02:00 Alexander Bokovoy aboko...@redhat.com:

 On Wed, 15 Oct 2014, crony wrote:

 Hi,
 I've been following the AD integration guide for IPAv3:
 http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

 My setup is:
 • 5 domain controllers with Windows 2008 R2 AD DC - example.com as
 Forest
 Root Domain and acme.example.com as transitive child domain
 • RHEL7 as IPA server with domain: linux.acme.example.com
 • RHEL6.5 as IPA client server ipatst03.linux.acme.example.com

 Everything works correctly on the IPA server, but the problem is with the IPA
 client.

 I cannot log in via SSH or su -:

 [leszek@ipatst03 ~]$ su - us...@acme.example.com
 Password:
 su: incorrect password

 I found this error in /var/log/sssd/krb5_child.log :

 (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/ipatst03.linux.acme.example@linux.acme.example.com].
 (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt] (0x0020): 988: [-1765328341][Illegal cross-realm ticket]
 (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error] (0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
 (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x0200): Received error code 1432158209
 (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [pack_response_packet] (0x2000): response packet size: [20]
 (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x4000): Response sent.
 (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400): krb5_child completed successfully

 Yes, this is known issue for transitive trusts. MIT Kerberos requires
 for non-hierarchical trusts that [capaths] section contains proper map
 of relationships between the realms. We've got an API to manage this map
 from IPA KDC driver and we also write it down on the IPA masters with
 the help of SSSD for KDC to use but on IPA clients it is not generated
 as we hoped that receiving referrals from KDC would be enough.

 You can see that this is the issue by copying
 /var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com to
 your client and placing it as
 /var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com_capaths

 On next authentication attempt things will work.

 --
 / Alexander Bokovoy




-- 
Regards, Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.
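The check behind "Illegal cross-realm ticket" and the [capaths] entry that satisfies it, as an added example that is not part of the thread. MIT krb5 only accepts a cross-realm ticket if every realm recorded in its transited field lies on the path it expects; with no [capaths] entry that path is the hierarchical one derived from realm names, which for ACME.EXAMPLE.COM to LINUX.ACME.EXAMPLE.COM contains no intermediate realm at all, whereas the klist output in the first message shows the ticket was routed through the forest root EXAMPLE.COM. The realm names are the thread's; that EXAMPLE.COM is the transited realm is read off that klist output, and the reverse-direction entry is included on the assumption that IPA-realm principals also need to reach AD services. Two caveats a practitioner wants here: [capaths] is a trust statement (a realm listed there is one whose cross-realm tickets the client will accept on that path, so list only the realms that actually hold the trust keys), and `krb5_validate = false`, which the original post tried, does not fix the route but switches off the TGT verification against the host keytab altogether, leaving password logins open to a spoofed KDC.

```python
# Added example, not from the thread: the transited-realm check that yields
# KRB5KRB_AP_ERR_ILL_CR_TKT, and a [capaths] generator for the thread's realms.
# Realm names come from the thread; the routing via EXAMPLE.COM is inferred
# from the klist output there; the reverse-direction entry is an assumption.

def _ancestors(realm):
    """realm, then each ancestor obtained by dropping the leftmost label."""
    labels = realm.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def hierarchical_path(client, server):
    """Path MIT assumes with no [capaths] entry: climb from the client realm to
    the longest common suffix, then descend to the server realm."""
    up_chain, down_chain = _ancestors(client), _ancestors(server)
    common = next((r for r in up_chain if r in down_chain), None)
    if common is None:                  # no shared suffix: climb each tree fully
        return up_chain + list(reversed(down_chain))
    up = up_chain[: up_chain.index(common) + 1]
    down = down_chain[: down_chain.index(common)]
    return up + list(reversed(down))


def allowed_intermediates(client, server, capaths=None):
    """Realms that may appear in the transited field for client -> server.
    capaths mirrors krb5.conf: {client_realm: {server_realm: [hop, ...]}}, '.' = direct."""
    hops = (capaths or {}).get(client, {}).get(server)
    if hops is not None:
        return [h for h in hops if h != "."]
    return hierarchical_path(client, server)[1:-1]


def transited_is_legal(client, server, transited, capaths=None):
    """The check behind "Illegal cross-realm ticket": every realm the ticket
    passed through must be on the expected path for this realm pair."""
    allowed = set(allowed_intermediates(client, server, capaths))
    return all(realm in allowed for realm in transited)


def capaths_stanza(capaths):
    """Render a krb5.conf [capaths] section from the mapping used above."""
    lines = ["[capaths]"]
    for client, targets in capaths.items():
        lines.append(f"  {client} = {{")
        for server, hops in targets.items():
            lines.extend(f"    {server} = {hop}" for hop in hops)
        lines.append("  }")
    return "\n".join(lines)


# The thread's realms: AD user realm, AD forest root, IPA realm.
AD_REALM, FOREST_ROOT, IPA_REALM = "ACME.EXAMPLE.COM", "EXAMPLE.COM", "LINUX.ACME.EXAMPLE.COM"

# Assumption: both directions are needed, since IPA-realm principals may also
# obtain tickets for AD services through the same forest root.
THREAD_CAPATHS = {
    AD_REALM: {IPA_REALM: [FOREST_ROOT]},
    IPA_REALM: {AD_REALM: [FOREST_ROOT]},
}

if __name__ == "__main__":
    print("default (hierarchical) path:", hierarchical_path(AD_REALM, IPA_REALM))
    print("via forest root, no capaths :", transited_is_legal(AD_REALM, IPA_REALM, [FOREST_ROOT]))
    print("via forest root, with capaths:", transited_is_legal(AD_REALM, IPA_REALM, [FOREST_ROOT], THREAD_CAPATHS))
    print(capaths_stanza(THREAD_CAPATHS))
```

The rendered stanza is what the client's krb5.conf (or an SSSD-managed krb5conf.d snippet) needs so that validation of the user's TGT against the host key succeeds without disabling that validation.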