[Freeipa-users] any reference for HA solution and backup /restore

2017-11-22 Thread barrykfl--- via FreeIPA-users
Hi all:

I set up two server replicas and want to make HA and backup/restore. Is there
anywhere with a reference? Especially backup/restore is necessary.


Regards

Barry
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hello the list,

The next bit of information is that the passwd command itself is broken when
a user has an OTP token set.

$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error
$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error
$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error
$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error

These were with the user's valid (not expired) password, and with
passwordOTPCODE.

The Current Password: prompt fails.

Regards,

Aaron



[Freeipa-users] Re: Creating a permission to manage OTP Tokens

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Sadly no, another person had been creating OTP tokens with the helpagent.

These were tokens owned by the helpagent, but with other users' names.

From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Thursday, 23 November 2017 4:00 PM
To: 'freeipa-users@lists.fedorahosted.org'
Subject: RE: Creating a permission to manage OTP Tokens

Hello the list,

After ignoring things, this now _works_:

$ kinit helpagent
Password for helpag...@test.org:
$ ipa otptoken-find

2 OTP tokens matched

  Unique ID: otpuser1
  Type: TOTP
  Owner: otpuser1

  Unique ID: otpuser2
  Type: TOTP
  Owner: otpuser2

Number of entries returned 2

From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Thursday, 23 November 2017 10:45 AM
To: 'freeipa-users@lists.fedorahosted.org'
Subject: Creating a permission to manage OTP Tokens

Hello the list,

We'd like to grant users with the helpdesk role the ability to manipulate
other users' OTP tokens. The minimum would be to add them, delete them, and
enable/disable them.

This is currently possible if an admin sets a token's managedBy attribute
to the helpdesk user's DN. We don't want to grant our helpdesk agents admin
privileges.

So, this is the permission I created:

$ ipa permission-show 'Manage OTP Tokens' --all --raw
  dn: cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org
  cn: Manage OTP Tokens
  ipapermright: all
  ipapermincludedattr: ipatokenOwner
  ipapermincludedattr: ipatokenUniqueID
  ipapermincludedattr: ipatokenOTPdigits
  ipapermincludedattr: ipatokenOTPkey
  ipapermincludedattr: ipatokenTOTPclockOffset
  ipapermincludedattr: ipatokenTOTPtimeStep
  ipapermbindruletype: permission
  ipapermlocation: cn=otp,dc=test,dc=org
  ipapermtargetfilter: (objectclass=ipaToken)
  ipapermissiontype: SYSTEM
  ipapermissiontype: V2
  aci: (targetattr = "ipatokenOTPdigits || ipatokenOTPkey || ipatokenOwner || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep || ipatokenUniqueID")(targetfilter = "(objectclass=ipaToken)")(version 3.0;acl "permission:Manage OTP Tokens";allow (all) groupdn = "ldap:///cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org";)
  member: cn=Manage OTP Token,cn=privileges,cn=pbac,dc=test,dc=org
  memberindirect: cn=helpdesk,cn=roles,cn=accounts,dc=test,dc=org
  memberindirect: uid=helpagent,cn=users,cn=accounts,dc=test,dc=org
  objectclass: top
  objectclass: groupofnames
  objectclass: ipapermission
  objectclass: ipapermissionv2

However, this does not work:

$ kinit helpagent
Password for helpag...@test.org:
$ ipa otptoken-find

0 OTP tokens matched

Number of entries returned 0

Is there something happening in the back end preventing these permissions
from working?

Any suggestions?

Regards,

Aaron


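Aaron's permission above covers six token attributes with `all` rights, but none of them is `ipatokenDisabled`, the ipaToken flag behind enable/disable, and `all` on `ipatokenOTPkey` also grants read of the token secret. The following added example, not code from the thread or from FreeIPA, parses an `ipa permission-show --raw` dump and reports which helpdesk operations lack an attribute and whether the generated ACI still matches the included attributes; the operation-to-attribute table is an assumption based on the ipaToken schema.

```python
"""Check an `ipa permission-show --all --raw` dump against the attributes a
helpdesk OTP-management role has to be allowed to touch.  Added example, not
code from the thread or from FreeIPA; the dump below is Aaron's, trimmed."""
import re

PERMISSION_DUMP = """\
  dn: cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org
  cn: Manage OTP Tokens
  ipapermright: all
  ipapermincludedattr: ipatokenOwner
  ipapermincludedattr: ipatokenUniqueID
  ipapermincludedattr: ipatokenOTPdigits
  ipapermincludedattr: ipatokenOTPkey
  ipapermincludedattr: ipatokenTOTPclockOffset
  ipapermincludedattr: ipatokenTOTPtimeStep
  ipapermbindruletype: permission
  ipapermlocation: cn=otp,dc=test,dc=org
  ipapermtargetfilter: (objectclass=ipaToken)
  aci: (targetattr = "ipatokenOTPdigits || ipatokenOTPkey || ipatokenOwner || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep || ipatokenUniqueID")(targetfilter = "(objectclass=ipaToken)")(version 3.0;acl "permission:Manage OTP Tokens";allow (all) groupdn = "ldap:///cn=Manage OTP Tokens,cn=permissions,cn=pbac,dc=test,dc=org";)
  memberindirect: cn=helpdesk,cn=roles,cn=accounts,dc=test,dc=org
"""

# Attributes of the ipaToken object class each helpdesk operation writes.
# Enable/disable is the ipatokenDisabled flag, which the posted permission omits.
# (Assumed mapping; adjust it to the operations your helpdesk really performs.)
REQUIRED_ATTRS = {
    "enable/disable": {"ipatokenDisabled"},
    "reassign owner": {"ipatokenOwner"},
    "add TOTP token": {"ipatokenUniqueID", "ipatokenOwner", "ipatokenOTPkey",
                       "ipatokenOTPdigits", "ipatokenTOTPtimeStep",
                       "ipatokenTOTPclockOffset"},
}

# The token secret: "all" rights on it include read, more than a helpdesk needs.
SECRET_ATTR = "ipatokenotpkey"


def parse_permission(dump):
    """Collect `attr: value` lines into {attr_lower: [values]} (attrs are multi-valued)."""
    perm = {}
    for line in dump.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key and " " not in key:
            perm.setdefault(key.lower(), []).append(value.strip())
    return perm


def aci_target_attrs(aci):
    """Attribute names from the targetattr clause of a 389-ds ACI, lower-cased."""
    m = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci)
    return {a.strip().lower() for a in m.group(1).split("||") if a.strip()} if m else set()


def review(dump):
    """Compare the permission's included attributes with what each operation needs."""
    perm = parse_permission(dump)
    included = {a.lower() for a in perm.get("ipapermincludedattr", [])}
    acis = perm.get("aci", [])
    aci_attrs = aci_target_attrs(acis[0]) if acis else set()
    missing = {op: sorted(a for a in need if a.lower() not in included)
               for op, need in REQUIRED_ATTRS.items()}
    rights = perm.get("ipapermright", [])
    return {
        "rights": rights,
        "aci_matches_included": aci_attrs == included,   # False means a stale ACI
        "missing_by_operation": {op: m for op, m in missing.items() if m},
        "secret_readable": SECRET_ATTR in included and bool({"all", "read"} & set(rights)),
        "granted_to_helpdesk": any(m.startswith("cn=helpdesk,")
                                   for m in perm.get("memberindirect", [])),
        "location": (perm.get("ipapermlocation") or [None])[0],
    }


if __name__ == "__main__":
    for key, value in review(PERMISSION_DUMP).items():
        print(f"{key}: {value}")
```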


[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hello the list,

We've kept at this today and this is what we think we are seeing:

*   Preauth is detecting that a user has an expired password and a token,
    so it discards the token and just asks for the password
*   Password check succeeds and hands over to the password change process
    (maybe using /etc/pam.d/passwd and /etc/pam.d/system-auth)
*   BUT the Current Password: check fails because it doesn't preauth to
    check if the password is expired
*   AND because the password is expired, passwordOTPCODE is not valid
    either

Similarly, accounts with expired passwords can't authenticate against the
API because their password is expired, which would at least allow our
customer management system to disable or delete their OTP token so they can
reset their passwords.

In addition to this, users are not able to reset passwords at the ssh login
on hosts where 2FA is not enabled either! So this seems to be narrowing down
to the bits of pam and sssd used to authenticate the password change
process.

An interesting note is that kinit does not require OTPCODE.

Finally, no, users do not have access to the FreeIPA web interface or a host
without 2FA. The 2FA secured host is to be their lander node into our
network.

Regards,

Aaron



[Freeipa-users] Re: Is it possible to put all replicas in a LAN (use mesh VPN) and selectively expose some nodes to internet?

2017-11-22 Thread James Swineson via FreeIPA-users
Thanks. So I guess it is assumed safe to expose FreeIPA to Internet? This
would make everything easier.



[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hello the List,

A couple of new things to this problem: when a user has an expired password
and a valid OTP token, the password reset process is broken on all machines
at the ssh prompt, even the ones that do not require 2FA.

Feedback so far from Sumit indicates this is incorrect behaviour.

As an attempt to get around this, I've tried adding a permission to the
helpdesk role that would allow them to manage OTP tokens. I'll submit
another thread on that.

Regards,

Aaron



[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-22 Thread David Harvey via FreeIPA-users
For anyone interested, I think I have it working properly after the
following:

Edit /etc/pki/pki.version to remove +12 (confused the postinstall script).

Ensure you have kinit admin from the root session you're using to upgrade.

If, like me, you find the REST API on 8443 dies when being hit and gives a
501 or internal server error (in the IPA server install log):
Install libtomcat8.0-java (which removes libtomcat8-java).
Then the really weird bit.
Kill the process you find with (ps aux | grep tomcat).
Launch it again using the full command line ps aux gave you.
Then running ipa-server-upgrade continues.

Not sure why tomcat is more resilient when launched as root, but the pki
seems to work ok at issuing certs after the above and a reboot for good
measure.

Hope this is of some help to someone! Typed with thumbs so excuse typos and
memory fails.

David


On 21 Nov 2017 13:10, "Rob Crittenden" wrote:

> David Harvey wrote:
> > Hoi,
> >
> > Anyone out there with experience of whether or not adding a replica of
> > more recent version (4.4.4 and 389 dir 1.3.7.5-1 up from 4.4.3 with 389
> > dir 1.3.5.15-2)  would impact the existing servers in terms of schema or
> > similar?
> > I'm still trying to find a safe way to upgrade safely without going past
> > a point of no return...
>
> Yes, creating a replica with a newer version can add schema and modify
> existing LDAP entries (like ACIs).
>
> rob
>
> >
> > Kind regards,
> >
> > David
> >
> > On 17 November 2017 at 15:10, David Harvey wrote:
> >
> > Hi again,
> >
> > No joy yet with spotting CA anomalies. Any additional tips there Rob?
> >
> > Gentle bump Simon, are you confident that building a new replica
> > won't fall foul of the below from the upgrade page (the schema part):
> >
> > Words of caution
> >
> >   * Note that the server is in a *maintenance mode* during upgrade
> >     and does not respond to requests!
> >   * Schema or Directory Server database object changes done during the
> >     upgrade are replicated to *all FreeIPA masters*
> >
> > Thanks again for the support,
> >
> > David
> >
> > On 15 November 2017 at 16:52, David Harvey wrote:
> >
> > Thanks Rob, Simon,
> >
> > Rob, will check, but thought my cert system was healthy before.
> > It's relatively new (6 months or less), and no sub-CAs
> > involved. Any specifics on how to invoke the selftests in some
> > manner that might provide digestible output? Or could it be my
> > dirty hack of cloning and isolation and I should do as Simon
> > suggested :)?
> >
> > Simon. WRT spinning up a replica. I was under the impression
> > that all running servers had to be of the same version, am I
> > mistaken with that?
> > I had avoided what you were suggesting as I feared the new
> > server might update the schema on the existing ones!
> >
> > Thanks again, appreciate the steering!
> >
> >
> > On 15 Nov 2017 14:34, "Rob Crittenden" wrote:
> >
> > David Harvey via FreeIPA-users wrote:
> > > Sorry for the dump size, but not sure if the below from
> > > /var/log/pki/pki-tomcat/localhost.date.log helps:
> >
> > Looks like the selftests are failing. I'd check that your CA
> > subsystem
> > certificates are not expired, etc.
> >
> > rob
> >
> > >
> > > 15-Nov-2017 12:14:50.557 SEVERE [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log StandardWrapper.Throwable
> > >  java.lang.NullPointerException
> > > at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)
> > > at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2118)
> > > at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2013)
> > > at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:234)
> > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1630)
> > > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> > > at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > > at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1227)
> > > at
> > 

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hi Sumit,

I sent those to you directly as I wasn’t comfortable posting them to the list.

Regards,

Aaron



[Freeipa-users] Re: Is it possible to put all replicas in a LAN (use mesh VPN) and selectively expose some nodes to internet?

2017-11-22 Thread Michael ORourke via FreeIPA-users
What I would do is perhaps replicate the zones onto dedicated DNS
servers (not FreeIPA), or run a "split-brain" DNS which has dedicated
DNS servers that have a smaller subset of records that are exposed to the
Internet.

-Mike




[Freeipa-users] Is it possible to put all replicas in a LAN (use mesh VPN) and selectively expose some nodes to internet?

2017-11-22 Thread James Swineson via FreeIPA-users
Hi,

I'm planning a FreeIPA fresh installation across multiple datacenters and
offices. Concerned about the risk of DNS DDoS, I wanted to make most nodes
in a mesh VPN so they can replicate without exposing ports to internet.
However, I still need some services over internet. So can I set up every
node just using IP addresses defined in VPN, but leave some nodes open on
Internet? Will it work? Is there any hostname based check? And if it works,
do I need to set up completely different 2 sets of DNS records used in LAN
and WAN?

Thanks,
James Swineson


[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Sumit Bose via FreeIPA-users
On Wed, Nov 22, 2017 at 09:21:52PM +1300, Aaron Hicks wrote:
> Hi Sumit,
> 
> Here is /etc/pam.d/password-auth. I missed that it was an include, and that you
> wanted it too; again it's as installed by CentOS 7.4 and ipa-client-install
> 

ok, the PAM configuration looks good. Can you send me the PAM related
messages from /var/log/secure or the journal which cover the failed
attempt? And additionally the SSSD logs with debug_level=9 from the same
time. Most important would be sssd_pam.log, sssd_domain.name.log and
krb5_child.log.

bye,
Sumit


[Freeipa-users] Re: FreeIPA-users Digest, Vol 7, Issue 22

2017-11-22 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 22 Nov 2017, Николай Савельев via FreeIPA-users wrote:
> I think the better reference in the documentation is
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-legacy
>
> If there is a trust to an AD forest and 'ipa-adtrust-install
> --enable-compat' was called, there will be a special sub-tree in
> FreeIPA's LDAP tree cn=compat,dc=ipa,dc=domain. AD users can be searched
> in this sub-tree and if the user was found you can use the DN of the
> user to bind to FreeIPA's LDAP server with the AD password.
>
> Btw, I guess Owncloud supports PAM authentication as well, in this case
> you can just configure Owncloud's PAM module to use SSSD on an IPA
> client and SSSD will do the authentication of AD users for you.
>
> HTH
>
> bye,
> Sumit
>
> I did 'ipa-adtrust-install --enable-compat'
> But in cn=compat,dc=test,dc=loc are only IPA users
> How can I insert AD users in cn=compat,dc=test,dc=loc?

By using LDAP queries as described in RFC2307. AD users should be
specified in fully-qualified name format.

--
/ Alexander Bokovoy


[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hi Sumit,

Here is /etc/pam.d/password-auth. I missed that it was an include, and that you
wanted it too; again it's as installed by CentOS 7.4 and ipa-client-install

[root@hpch2fa01 pam.d]# cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=200
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

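Aaron's `passwd` attempts end in "Authentication token manipulation error", the pam_strerror text for PAM_AUTHTOK_ERR, which in the posted `password` stack could come from pam_sss or from the closing pam_deny; the message alone does not say which, hence Sumit's request for the SSSD logs. The following is an added example, not code from the thread, Linux-PAM or SSSD: it parses the posted password-auth stack (which sshd reaches through `password include password-auth`) and walks it with Linux-PAM's control-flag rules under constructed module return values; the pam_pwquality, pam_unix and pam_deny return values are assumptions noted in the code.

```python
"""Walk a PAM stack with Linux-PAM's control-flag semantics to see which module
decides a `password` (chauthtok) request.  Added example, not code from the
thread, Linux-PAM or SSSD; the module return values fed in are constructed."""
import re

# The `password` section of /etc/pam.d/password-auth as posted in the thread;
# /etc/pam.d/sshd reaches it through `password include password-auth`.
PASSWORD_AUTH = """\
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
"""

# Keyword controls expanded to their [value=action ...] form, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"(-?)(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)")


def parse_stack(text, stack_type):
    """Return [(module, actions, args, optional)] for one management group."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: " + raw)
        dash, group, control, module, args = m.groups()
        if group != stack_type:
            continue
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((module, actions, args.split(), dash == "-"))
    return entries


def run_stack(entries, outcomes):
    """Evaluate the stack as pam_dispatch does: `outcomes` maps module ->
    PAM return value name.  A '-' module missing from `outcomes` is skipped.
    Returns the final status, the module whose return value became it, and
    the per-module trace of (module, return value, action taken)."""
    impression = status = decider = None
    trace, skip = [], 0
    for module, actions, _args, optional in entries:
        if skip:
            skip -= 1
            continue
        if optional and module not in outcomes:
            continue
        rv = outcomes.get(module, "perm_denied")
        action = actions.get(rv, actions.get("default", "bad"))
        trace.append((module, rv, action))
        if action == "ignore":
            continue
        if action == "reset":
            impression = status = decider = None
        elif action.isdigit():
            skip = int(action)          # N: jump over the next N modules
        elif action in ("ok", "done"):  # contribute unless a failure is recorded
            if impression is None or (impression == "positive" and status == "success"):
                impression, status, decider = "positive", rv, module
            if action == "done" and impression == "positive":
                break                   # sufficient-style early success
        elif action in ("bad", "die"):
            if impression != "negative":  # the first failure is the one kept
                impression, status, decider = "negative", rv, module
            if action == "die":
                break                   # requisite-style abort
    if impression is None:              # nothing contributed: PAM_PERM_DENIED
        status, decider = "perm_denied", None
    return {"status": status, "decider": decider, "trace": trace}


# Constructed outcomes for an IPA user (not in /etc/passwd) changing a password.
# Assumed: pam_pwquality returns success for a non-local user because of
# local_users_only, pam_unix finds no shadow entry, and pam_deny's chauthtok
# returns PAM_AUTHTOK_ERR ("Authentication token manipulation error").
SSSD_CHANGE_OK = {"pam_pwquality.so": "success", "pam_unix.so": "user_unknown",
                  "pam_sss.so": "success", "pam_deny.so": "authtok_err"}
SSSD_CHANGE_FAIL = {**SSSD_CHANGE_OK, "pam_sss.so": "authtok_err"}

if __name__ == "__main__":
    stack = parse_stack(PASSWORD_AUTH, "password")
    for name, scenario in (("pam_sss accepts", SSSD_CHANGE_OK), ("pam_sss rejects", SSSD_CHANGE_FAIL)):
        r = run_stack(stack, scenario)
        print(f"{name}: status={r['status']} decided by {r['decider']}")
        for module, rv, action in r["trace"]:
            print(f"    {module:18} -> {rv:16} [{action}]")
```

In the rejecting scenario the final status is still PAM_AUTHTOK_ERR but it is pam_deny, not pam_sss, that sets it, which is exactly the ambiguity the sssd_pam.log and krb5_child.log entries resolve.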

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hi Sumit,

The pam.d configuration is as configured by the CentOS 7.4 install and running
ipa-client-install.

Here's the content of /etc/pam.d/sshd

[root@hpch2fa01 ~]# cd /etc/pam.d
[root@hpch2fa01 pam.d]# cat sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

We also added one line to /etc/ssh/sshd, otherwise it's as configured by the 
CentOS 7.4 install and running ipa-client-install

AuthenticationMethods keyboard-interactive

It'd be nice if there's a simple config fix for this, and I recommend it's 
worked into the ipa-client-install helper script or authconfig.

Regards,

Aaron

-Original Message-
From: Sumit Bose via FreeIPA-users [mailto:freeipa-users@lists.fedorahosted.org]
Sent: Wednesday, 22 November 2017 8:11 PM
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose
Subject: [Freeipa-users] Re: Expired passwords and generating an OTP token

On Wed, Nov 22, 2017 at 05:16:05PM +1300, Aaron Hicks via FreeIPA-users wrote:
> Hello the List,
> 
> This turned out to be a workflow issue; we still have a problem but
> this first use case works.
> 
> In the case of a user with an invalid password (none or expired) with
> no OTP token, they can reset their password and ask IPA to create an
> OTP token for them.
> 
> 1. Helpdesk agent uses FreeIPA API passwd method to issue a temporary
>    password and pass it to the user
> 2. User uses ssh to login to 2FA host
> 3. SSH forces user through the reset password process and closes
>    connection
> 4. User is not able to login without an OTP Token. A correct result.
> 5. User uses FreeIPA API otptoken-add method with new password to
>    generate & receive OTP token
> 6. User is now able to SSH with password + OTP token.
> 
> What isn't working is the case where a user has an invalid token (none,
> expired, or just reset) and a valid OTP token.
> 
> 1. (Optional, but puts user into required state) Helpdesk agent uses
>    FreeIPA API passwd method to issue a temporary password and pass it to
>    the user
> 2. User uses ssh to login to 2FA host, which asks for temporary
>    password.
> 3. SSH forces user through reset password process and closes
>    connection.
> 4. User is now able to SSH with password + OTP token
> 
> In this case step 2 fails. The reset password process looks like this:

What does your sshd PAM configuration look like, e.g. /etc/pam.d/sshd (and
included files)?

bye,
Sumit

> 
> login as: username
> Using keyboard-interactive authentication.
> Password:
> Access denied
> Using keyboard-interactive authentication.
> Password:
> Using keyboard-interactive authentication.
> Password expired. Change your password now.
> Current Password:
> Access denied
> 
> The change password process fails.
> 
> However, if we disable or delete their OTP token (which requires
> FreeIPA admin, not helpdesk role) they're able to reset their
> password. We don't want to have to give admin rights to the helpdesk agent
> for this.
> 
> This is also complicated by the fact that the FreeIPA API changes behaviour:
> 
> * With an expired password, user can not connect to the API, even to do
>   passwd to reset password
> * With an OTP token, users have to use passwordOTPCODE to access the
>   API, which means they can't manage their otptoken if they've lost it
>   or want to disable it so they can reset their password because they
>   forgot it, or delete it.
> 
> Is there a way of allowing users in the helpdesk group/role to be able
> to disable/enable or delete OTP tokens? They don't need to see the
> content, just allow users to restart the password and token request process.
> 
> Is there a fix for the above workflow to allow a user with an OTP
> token to reset their password?
> 
> Regards,
> 
> Aaron Hicks
> 
> From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
> Sent: Tuesday, 21 November 2017 6:22 PM
> To: freeipa-users@lists.fedorahosted.org
> Subject: Expired passwords and generating an OTP token
> 
> Hello the list,
> 
>