[Freeipa-users] Re: Changing case of user attributes fails

2017-09-06 Thread Fraser Tweedale via FreeIPA-users
On Wed, Sep 06, 2017 at 02:05:56PM -0400, Anthony Clark via FreeIPA-users wrote:
> It may possibly be related to this, but this is marked as fixed for 4.3:
> https://pagure.io/freeipa/issue/5456
> 
> I'm on 4.4.0-14.el7.centos.7
> 
> A user had their lastname entry added with the wrong case.  I attempted to
> update it by changing the case, got an error like this:
> 
> [Wed Sep 06 17:46:08.010202 2017] [:error] [pid 15253] ipa: INFO:
> [jsonserver_session] acl...@dev.redacted.net: user_mod/1(u'pboppe',
> sn=u'Boppe', version=u'2.213'): DatabaseError
> 
> I changed it to something else entirely, then changed it to the correct
> case.
> 
> This happened on attributes: "lastname", "fullname", "displayname",
> "initials", "gecos".  I didn't test it elsewhere.
> 
> Is there a ticket already for this or should I create a new one?  I don't
> want to create work for the IPA devs :)
> 
> Thanks,
> 
> Anthony Clark
>
This is expected behaviour.  In the IETF spec for user schema, the
'sn' attribute[1], which is based on the 'name' attribute[2], uses
the 'caseIgnoreMatch' equality rule.  So the LDAP server correctly
determines that there is no change to perform.

[1] https://tools.ietf.org/html/rfc4519#section-2.32
[2] https://tools.ietf.org/html/rfc4519#section-2.18

Arguably we should detect this in IPA and reject the change without
contacting the database, but the failure is expected, so feel free
to file a ticket anyway.

Cheers,
Fraser
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
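The equality rule Fraser describes, worked through in code. This is an added example, not FreeIPA or 389-ds code: a toy in-memory directory applies caseIgnoreMatch (RFC 4517, with a simplified RFC 4518 string preparation) to sn and the other attributes the poster listed, treats a replace that is a no-op under that rule as a rejected modification, and carries out the two-step workaround the poster used. The entry 'pboppe' and its values are constructed for the demonstration, and the " (case fix)" marker for the interim value is an arbitrary choice.

```python
"""Case-only changes versus LDAP caseIgnoreMatch.

Added example, not FreeIPA or 389-ds code. It models the caseIgnoreMatch
equality rule (RFC 4517, with a simplified RFC 4518 string preparation:
Unicode normalisation, case folding, whitespace collapsing) over a toy
in-memory directory, shows why replacing sn=boppe with sn=Boppe is a no-op
for the server, and implements the two-step workaround from the thread.
The entry 'pboppe' and its values are constructed for the demonstration.
"""
import unicodedata


def case_ignore_prep(value: str) -> str:
    """Approximate RFC 4518 preparation for caseIgnoreMatch: NFKC
    normalisation, case folding, and collapsing runs of whitespace."""
    folded = unicodedata.normalize("NFKC", value).casefold()
    return " ".join(folded.split())


def case_ignore_match(a: str, b: str) -> bool:
    """True when a server applying caseIgnoreMatch treats a and b as equal."""
    return case_ignore_prep(a) == case_ignore_prep(b)


class ToyDirectory:
    """Stand-in for the LDAP backend. Attributes in CASE_IGNORE_ATTRS use a
    case-ignoring equality rule (sn/cn/initials per RFC 4519, displayName
    per RFC 2798, gecos per RFC 2307), so a replace whose new value matches
    the stored one under that rule changes nothing; it is rejected here,
    standing in for the error the thread reports."""

    CASE_IGNORE_ATTRS = {"sn", "cn", "displayname", "initials", "gecos"}

    def __init__(self):
        self.entries = {}

    def add(self, uid, **attrs):
        self.entries[uid] = dict(attrs)

    def is_noop_replace(self, uid, attr, new_value):
        """Would this replace leave the entry unchanged under the
        attribute's equality rule?"""
        current = self.entries[uid].get(attr)
        if current is None:
            return False
        if attr.lower() in self.CASE_IGNORE_ATTRS:
            return case_ignore_match(current, new_value)
        return current == new_value

    def replace(self, uid, attr, new_value):
        if self.is_noop_replace(uid, attr, new_value):
            raise ValueError(
                f"{attr}: {new_value!r} is not a change under the equality rule")
        self.entries[uid][attr] = new_value
        return new_value


def fix_attribute_case(directory, uid, attr, desired):
    """Correct the casing of an attribute in two writes, as the poster did:
    first a value that differs under caseIgnoreMatch, then the desired one.
    Returns the values written (empty if the stored value already matches
    byte for byte), so the caller can log both modifications."""
    current = directory.entries[uid].get(attr)
    if current == desired:
        return []
    writes = []
    if directory.is_noop_replace(uid, attr, desired):
        # Appending a marker guarantees the interim value still differs
        # after case folding and whitespace collapsing. Arbitrary choice.
        writes.append(directory.replace(uid, attr, desired + " (case fix)"))
    writes.append(directory.replace(uid, attr, desired))
    return writes


if __name__ == "__main__":
    d = ToyDirectory()
    d.add("pboppe", sn="boppe")
    print("direct case-only replace is a no-op:",
          d.is_noop_replace("pboppe", "sn", "Boppe"))
    print("two-step fix wrote:", fix_attribute_case(d, "pboppe", "sn", "Boppe"))
```

The check in is_noop_replace is the pre-flight Fraser suggests IPA could do itself: comparing under the attribute's equality rule before sending the modify avoids a round trip that the server will refuse anyway.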


[Freeipa-users] Changing case of user attributes fails

2017-09-06 Thread Anthony Clark via FreeIPA-users
It may possibly be related to this, but this is marked as fixed for 4.3:
https://pagure.io/freeipa/issue/5456

I'm on 4.4.0-14.el7.centos.7

A user had their lastname entry added with the wrong case.  I attempted to
update it by changing the case, got an error like this:

[Wed Sep 06 17:46:08.010202 2017] [:error] [pid 15253] ipa: INFO:
[jsonserver_session] acl...@dev.redacted.net: user_mod/1(u'pboppe',
sn=u'Boppe', version=u'2.213'): DatabaseError

I changed it to something else entirely, then changed it to the correct
case.

This happened on attributes: "lastname", "fullname", "displayname",
"initials", "gecos".  I didn't test it elsewhere.

Is there a ticket already for this or should I create a new one?  I don't
want to create work for the IPA devs :)

Thanks,

Anthony Clark


[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"

2017-09-06 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 06 Sep 2017, Bart J via FreeIPA-users wrote:

Thank you. I checked in my test environment and setting trust with 
administrative credentials works.

I got mixed results for Windows 2012 and Windows 2008 R2 because I
previously had set up trust using administrative credentials for
Windows 2012. Later, even though I deleted it on FreeIPA's side,
setting up trust with a pre-shared key just worked. The same scenario
repeated for Windows 2008 R2.

Did you do an explicit 'ipa trust-del ...'? That only deletes the records on
IPA side, AD doesn't know about that. Now, if you'd try to add a trust
again with a shared secret, we are not going to be creating anything on
AD side either (that's the purpose of a shared secret). So AD would
think trust continues to exist and if you set the same secret there, it
would just work.

--
/ Alexander Bokovoy


[Freeipa-users] Re: Find IPA user or computer account from windows

2017-09-06 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 05 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to find an IPA user or computer account from a windows 
(AD) machine [trust between ipa and ad domain is set up]? If I try 
that, all I get is a message that no object can be found.

Not supported yet.

--
/ Alexander Bokovoy


[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"

2017-09-06 Thread Bart J via FreeIPA-users
Thank you. I checked in my test environment and setting trust with 
administrative credentials works.

I got mixed results for Windows 2012 and Windows 2008 R2 because I previously 
had set up trust using administrative credentials for Windows 2012. Later, even 
though I deleted it on FreeIPA's side, setting up trust with a pre-shared key 
just worked. The same scenario repeated for Windows 2008 R2.


[Freeipa-users] Re: "Clock skew too great" when mounting NFS with krb

2017-09-06 Thread Tony Brian Albers via FreeIPA-users
If you have VM's in the mix, and use ntp, use 'tinker panic 0' in
their ntp.conf files.

/tony

On 09/06/2017 11:41 AM, Troels Hansen via FreeIPA-users wrote:
> Hmm..
> 
> Found the error.   It appears it's the hardware time that's used for 
> kerberos and as the hardware apparently is ~ 6 minutes off... well
> 
> 
> - On Sep 6, 2017, at 9:50 AM, Troels Hansen via FreeIPA-users 
>  wrote:
> 
> Hi
> 
> We have set up IPA with AD trust on RHEL and this works fine.
> 
> Running IPA 4.5
> 
> However, sometimes we are unable to mount home (with autofs).
> 
> I have found that the KDC claims "Clock skew too great" however, I
> cannot see any problems.
> 
> kinit works fine and I have a kerberos TGT:
> 
>   klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: USER@REALM
> 
> Valid starting   Expires  Service principal
> 09/06/2017 09:40:00  09/06/2017 19:40:00  krbtgt/REALM@REALM
>  renew until 09/07/2017 09:39:54
> 
> 
> 
> To test. Manually mounting fails:
> 
> mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p
> profil01.domain:/var/nfs/profil/user/mnt/
> mount.nfs4: timeout set for Wed Sep  6 09:42:29 2017
> mount.nfs4: trying text-based options
> 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting
> profil01.domain:/var/nfs/profil/user
> 
> 
> krb5kdc.log in IPA shows:
> 
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes
> {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, 
> host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew
> too great
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes
> {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, 
> host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew
> too great
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
> 
> 
> However, the time between ipa, client and nfs server is within 1
> second (and same timezone).
> 
> 
> I'm unsure on how to debug further as everything seems fine so any
> help would be appreciated.
> 
> 
> 
> 
> -- 
> 
> Kind regards
> 
> *Troels Hansen*
> 
> Senior Linux Engineer
> 
> Casalogic A/S
> 
> T  (+45) 70 20 10 63
> 
> M (+45) 22 43 71 57
> 
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, 
> Sophos and much more.
> 
> 
> 


-- 
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316


[Freeipa-users] Re: "Clock skew too great" when mounting NFS with krb

2017-09-06 Thread Troels Hansen via FreeIPA-users
Hmm.. 

Found the error. It appears it's the hardware time that's used for kerberos 
and as the hardware apparently is ~ 6 minutes off... well 

- On Sep 6, 2017, at 9:50 AM, Troels Hansen via FreeIPA-users 
 wrote: 

> Hi

> We have set up IPA with AD trust on RHEL and this works fine.

> Running IPA 4.5

> However, sometimes we are unable to mount home (with autofs).

> I have found that the KDC claims "Clock skew too great" however, I cannot see
> any problems.

> kinit works fine and I have a kerberos TGT:

> klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: USER@REALM

> Valid starting Expires Service principal
> 09/06/2017 09:40:00 09/06/2017 19:40:00 krbtgt/REALM@REALM
> renew until 09/07/2017 09:39:54

> To test. Manually mounting fails:

> mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p
> profil01.domain:/var/nfs/profil/user/mnt/
> mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
> mount.nfs4: trying text-based options
> 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting
> profil01.domain:/var/nfs/profil/user

> krb5kdc.log in IPA shows:

> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for
> nfs/profil01.domain@REALM, Clock skew too great
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16
> 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for
> nfs/profil01.domain@REALM, Clock skew too great
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11

> However, the time between ipa, client and nfs server is within 1 second (and
> same timezone).

> I'm unsure on how to debug further as everything seems fine so any help would
> be appreciated.


-- 

Kind regards 

Troels Hansen 

Senior Linux Engineer 

Casalogic A/S 

T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more. 
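The KDC rejects a TGS request when the timestamp in the client's authenticator is further from the KDC's own clock than the configured 'clockskew' tolerance, so a client whose 'date' agrees with the KDC to within a second can still be refused if the clock Kerberos actually reads is minutes out, which is what the reply above found. The script below is an added example, not FreeIPA or MIT krb5 code: it parses krb5kdc.log TGS_REQ lines, groups the "Clock skew too great" rejections by requesting IP, and checks an observed offset against the tolerance. SAMPLE_LOG is a constructed copy of the lines quoted in this thread, re-joined onto one line each; 300 seconds is MIT krb5's default 'clockskew', and the two offsets fed to the check (1 second and 6 minutes) are constructed to mirror the thread.

```python
"""Pulling 'Clock skew too great' rejections out of krb5kdc.log and checking
an observed clock offset against the KDC tolerance.

Added example, not FreeIPA or MIT krb5 code. SAMPLE_LOG is a constructed
copy of the log lines quoted in the thread, re-joined onto one line each.
KRB5_DEFAULT_CLOCKSKEW is MIT krb5's default 'clockskew' (seconds).
"""
import re
from collections import defaultdict

KRB5_DEFAULT_CLOCKSKEW = 300

# One TGS_REQ line as logged by krb5kdc; 'msg' is the outcome text.
TGS_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"TGS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client_ip>\S+): "
    r"PROCESS_TGS: authtime \d+,\s+(?P<client>[^\s,]+) for (?P<server>[^\s,]+), "
    r"(?P<msg>.*)$"
)

# Constructed sample: the thread's log lines, each re-joined onto one line.
SAMPLE_LOG = """\
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
"""


def parse_tgs_requests(log_text):
    """Parse TGS_REQ lines into dicts; other KDC lines (e.g. 'closing down
    fd') are skipped. The offered etypes are returned as a list of ints."""
    records = []
    for line in log_text.splitlines():
        m = TGS_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["etypes"] = [int(e) for e in rec["etypes"].split()]
            records.append(rec)
    return records


def clock_skew_report(log_text):
    """Group 'Clock skew too great' rejections by requesting IP so the host
    with the bad clock stands out, with the principals involved."""
    grouped = defaultdict(lambda: {"count": 0, "clients": set(), "services": set()})
    for rec in parse_tgs_requests(log_text):
        if not rec["msg"].startswith("Clock skew too great"):
            continue
        entry = grouped[rec["client_ip"]]
        entry["count"] += 1
        entry["clients"].add(rec["client"])
        entry["services"].add(rec["server"])
    return {
        ip: {"count": e["count"],
             "clients": sorted(e["clients"]),
             "services": sorted(e["services"])}
        for ip, e in grouped.items()
    }


def skew_exceeds_tolerance(offset_seconds, tolerance_seconds=KRB5_DEFAULT_CLOCKSKEW):
    """True when the absolute offset between the client's and the KDC's
    clocks is larger than the KDC will accept (krb5.conf [libdefaults]
    clockskew)."""
    return abs(offset_seconds) > tolerance_seconds


if __name__ == "__main__":
    for ip, info in clock_skew_report(SAMPLE_LOG).items():
        print(ip, info)
    # Constructed offsets: system clock 1 s out, hardware clock 6 min out.
    print("1 s offset rejected:", skew_exceeds_tolerance(1))
    print("6 min offset rejected:", skew_exceeds_tolerance(6 * 60))
```

When run against a real krb5kdc.log the report identifies which client IP to go and compare clocks on; the offset to feed to skew_exceeds_tolerance is whatever the difference between that host's clock and the KDC's turns out to be.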


[Freeipa-users] "Clock skew too great" when mounting NFS with krb

2017-09-06 Thread Troels Hansen via FreeIPA-users
Hi

We have set up IPA with AD trust on RHEL and this works fine.

Running IPA 4.5

However, sometimes we are unable to mount home (with autofs).

I have found that the KDC claims "Clock skew too great" however, I cannot see
any problems.

kinit works fine and I have a kerberos TGT:

klist
Ticket cache: KEYRING:persistent:0:0
Default principal: USER@REALM

Valid starting       Expires              Service principal
09/06/2017 09:40:00  09/06/2017 19:40:00  krbtgt/REALM@REALM
        renew until 09/07/2017 09:39:54

To test, manually mounting fails:

mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p
profil01.domain:/var/nfs/profil/user/mnt/
mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
mount.nfs4: trying text-based options
'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting
profil01.domain:/var/nfs/profil/user

krb5kdc.log in IPA shows:

Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16
23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for
nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16
23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for
nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11

However, the time between ipa, client and nfs server is within 1 second (and
same timezone).

I'm unsure on how to debug further as everything seems fine so any help would
be appreciated.