[Freeipa-users] Re: FreeIPA-users Digest, Vol 7, Issue 22

2017-11-21 Thread Николай Савельев via FreeIPA-users
>
> I think the better reference in the documentation is
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-legacy
>
> If there is a trust to an AD forest and 'ipa-adtrust-install
> --enable-compat' was called, there will be a special sub-tree in
> FreeIPA's LDAP tree, cn=compat,dc=ipa,dc=domain. An AD user can be searched
> for in this sub-tree, and if the user is found you can use the DN of the
> user to bind to FreeIPA's LDAP server with the AD password.
>
> Btw, I guess Owncloud supports PAM authentication as well, in this case
> you can just configure Owncloud's PAM module to use SSSD on an IPA
> client and SSSD will do the authentication of AD users for you.
>
> HTH
>
> bye,
> Sumit
>
>>  rob


I did 'ipa-adtrust-install --enable-compat'.
But in cn=compat,dc=test,dc=loc there are only IPA users.
How can I insert AD users into cn=compat,dc=test,dc=loc?

-- 
Regards, Николай.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
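Sumit's search-then-bind description above, worked through as an added example (it is not code from FreeIPA, the list or either poster). It assumes the compat tree lays users out as uid=<name>,cn=users,cn=compat,<suffix>, using the dc=test,dc=loc suffix from the post, with trust users carrying their full name (jdoe@ad.test.loc); the LDAP server is a constructed in-memory stand-in so the flow runs offline, and a real client (python-ldap, ldap3) needs only the same two operations. The two checks that matter when an application does this itself: escape the user-supplied name before it goes into the filter, and refuse an empty password before binding, because an LDAP simple bind with an empty password is an unauthenticated bind that a server may report as success.

```python
"""Search-then-bind against the FreeIPA compat tree for an AD trust user.

Added example for this thread, not code from FreeIPA, the list or the
posters.  Assumptions: users sit under uid=<name>,cn=users,cn=compat,<suffix>
with the dc=test,dc=loc suffix from the post, and AD users carry their full
name (jdoe@ad.test.loc).  FakeLdap is a constructed stand-in for the server.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

COMPAT_USERS = "cn=users,cn=compat,dc=test,dc=loc"   # assumed layout, suffix from the post


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot rewrite the filter
    (e.g. "jdoe*" or "*)(uid=admin" must match nothing, not everything)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


@dataclass
class FakeLdap:
    """Constructed stand-in for the LDAP server: dn -> password."""
    entries: Dict[str, str]
    bind_log: List[str] = field(default_factory=list)

    def search(self, base: str, ldap_filter: str) -> List[str]:
        # Understands only the "(uid=...)" filter built below; returns matching DNs.
        assert ldap_filter.startswith("(uid=") and ldap_filter.endswith(")")
        wanted = "uid=%s,%s" % (ldap_filter[5:-1], base)
        return [dn for dn in self.entries if dn.lower() == wanted.lower()]

    def bind(self, dn: str, password: str) -> bool:
        self.bind_log.append(dn)
        # A real server treats an empty password as an *unauthenticated* simple
        # bind (RFC 4513 section 5.1.2) and may answer success; mirror that trap.
        if password == "":
            return True
        return self.entries.get(dn) == password


def find_compat_dn(ldap, username: str, base: str = COMPAT_USERS) -> Optional[str]:
    """Step 1: look the user up in the compat sub-tree; exactly one hit or nothing."""
    hits = ldap.search(base, "(uid=%s)" % escape_filter(username))
    return hits[0] if len(hits) == 1 else None


def authenticate(ldap, username: str, password: str, base: str = COMPAT_USERS) -> bool:
    """Step 2: bind as the found DN with the AD password (the compat plugin
    passes the bind through PAM/SSSD, which checks it against AD).  Refuse
    empty passwords *before* talking to the server, otherwise an
    unauthenticated bind is mistaken for a login."""
    if not password:
        return False
    dn = find_compat_dn(ldap, username, base)
    if dn is None:
        return False
    return ldap.bind(dn, password)


if __name__ == "__main__":
    directory = FakeLdap({
        "uid=jdoe@ad.test.loc,cn=users,cn=compat,dc=test,dc=loc": "Winter2017!",  # trust user
        "uid=alice,cn=users,cn=compat,dc=test,dc=loc": "ipa-pass",               # IPA user
    })
    for user, pw in [("jdoe@ad.test.loc", "Winter2017!"), ("jdoe@ad.test.loc", ""),
                     ("*)(uid=alice", "ipa-pass")]:
        print("%-20s -> %s" % (user, authenticate(directory, user, pw)))
```

Whether AD users appear under cn=compat at all is the separate question Nikolay asks; the bind step only works once the search returns exactly one entry for them.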


[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-21 Thread Aaron Hicks via FreeIPA-users
Hi the list.

I'd consider creating a permission with permission-add, but there is no
token object type.

[hicksaw@hpch2fa02 ~]$ ipa permission-add mangage-otptoken --right=all
--bindtype=permission --type=token

ipa: ERROR: invalid 'type': "token" is not an object type

Even though ipatoken is a valid objectclass.

Regards,

Aaron


From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Wednesday, 22 November 2017 5:16 PM
To: 'freeipa-users@lists.fedorahosted.org'

Subject: RE: Expired passwords and generating an OTP token

 

Hello the List,

This turned out to be a workflow issue; we still have a problem but this
first use case works.

In the case of a user with an invalid password (none or expired) with no OTP
token they can reset their password and ask IPA to create an OTP token for
them.

1.  Helpdesk agent uses FreeIPA API passwd method to issue a temporary
password and pass it to the user
2.  User uses ssh to login to 2FA host
3.  SSH forces user through the reset password process and closes
connection
4.  User is not able to login without an OTP token. A correct result.
5.  User uses FreeIPA API otptoken-add method with new password to
generate & receive OTP token
6.  User is now able to SSH with password + OTP token.

What isn't working is the case where a user has an invalid password (none,
expired, or just reset) and a valid OTP token.

1.  (Optional, but puts user into required state) Helpdesk agent uses
FreeIPA API passwd method to issue a temporary password and pass it to the
user
2.  User uses ssh to login to 2FA host, which asks for temporary
password.
3.  SSH forces user through reset password process and closes
connection.
4.  User is now able to SSH with password + OTP token

In this case step 2 fails. The reset password process looks like this:

login as: username
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Password expired. Change your password now.
Current Password:
Access denied

The change password process fails.

However, if we disable or delete their OTP token (which requires FreeIPA
admin, not helpdesk role) they're able to reset their password. We don't
want to have to give admin rights to the helpdesk agent for this.

This is also complicated by the fact that the FreeIPA API changes behaviour:

*   With an expired password a user can not connect to the API, even to do
passwd to reset the password
*   With an OTP token, users have to use password+OTPCODE to access the
API, which means they can't manage their otptoken if they've lost it, or want
to disable it so they can reset their password because they forgot it, or
delete it.

Is there a way of allowing users in the helpdesk group/role to be able to
disable/enable or delete OTP tokens? They don't need to see the content,
just allow users to restart the password and token request process.

Is there a fix for the above workflow to allow a user with an OTP token to
reset their password?

Regards,

Aaron Hicks


From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Tuesday, 21 November 2017 6:22 PM
To: freeipa-users@lists.fedorahosted.org
Subject: Expired passwords and generating an OTP token

Hello the list,

I think this is the last thing to make our terrible user management model
work.

With a helpdesk role via the REST API we can reset a user's password, which
is expired, because this is the right thing to do.

These users are expected to log into a node with 2FA using an OTP token
generated by FreeIPA. This works if a user has a valid password and a token.
This is the only machine they have access to, as it's the lander node. They
can not reach the FreeIPA web interface. They can use the FreeIPA API via
our customer management system (CMS) either as themselves or as a helpdesk
agent on their behalf. The CMS auth is SAML via federated Shibboleth, so
does not use our FreeIPA credentials.

However, we have a few use cases we need to work:

Can a user generate an OTP token when their password is expired?

Can a user reset their password when they do not have an OTP token?

Can a user reset their password when they can't log in to get the secret
from their OTP token?

I think the shortest routes would be:

- if a user could reset an expired password via the FreeIPA API, then use
the otptoken_add method to create one all via our CMS.

- if a user could reset their password at the ssh login prompt if they have
no token or don't have their token. Then add a token via our CMS.

Regards,

Aaron

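The working case Aaron lists (helpdesk passwd, user changes the password at the SSH prompt, user calls otptoken_add), driven over FreeIPA's JSON-RPC API the way the CMS would, as an added example that is not code from FreeIPA or the poster. Assumed: the server name ipa.test.loc, the API version string, the account names in the usage block, and that the helpdesk account already holds the right to run passwd on other users. The request builders are pure functions; IpaSession only touches the network when run against a real server. Two details a practitioner wants: the Referer header is mandatory on every request (FreeIPA's CSRF check), and the otptoken_add reply carries the token seed in result.result.uri, which must go to the user out of band and never into application logs.

```python
"""Helpdesk password reset followed by the user's own otptoken_add over
FreeIPA's JSON-RPC API.

Added example, not code from FreeIPA or the poster.  Assumptions: server
name ipa.test.loc, the API version string, and the account names in main().
"""
import json
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Any, Dict, Optional, Sequence

API_VERSION = "2.229"   # assumed; use the version your server reports


def login_form(user: str, password: str, otp: Optional[str] = None) -> str:
    """Body for POST /ipa/session/login_password.  For a user with an OTP
    token FreeIPA expects password and OTP code concatenated in the single
    'password' field, which is why an expired password blocks every call."""
    return urllib.parse.urlencode({"user": user, "password": password + (otp or "")})


def rpc_request(method: str, args: Sequence[str] = (),
                options: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """JSON-RPC envelope: params = [positional args, keyword options + version]."""
    return {"method": method,
            "params": [list(args), dict(options or {}, version=API_VERSION)],
            "id": 0}


def passwd_request(user: str, temporary_password: str) -> Dict[str, Any]:
    """Helpdesk reset.  A password set by someone other than the user is
    stored already expired, so the user is forced through a change at the
    next login (the SSH prompt in the thread); the temporary value is used once."""
    return rpc_request("passwd", [user, temporary_password])


def otptoken_add_request(owner: str, description: str = "lander-node 2FA") -> Dict[str, Any]:
    """The user enrols a TOTP token for themselves after the password change."""
    return rpc_request("otptoken_add", [],
                       {"ipatokenowner": owner, "type": "totp", "description": description})


def redact_for_log(response: Dict[str, Any]) -> Dict[str, Any]:
    """otptoken_add answers with result.result.uri = otpauth://... carrying the
    seed.  That is the second factor itself: hand it to the user out of band
    and never write it to application logs.  Returns a redacted deep copy."""
    copy = json.loads(json.dumps(response))
    inner = copy.get("result", {}).get("result", {})
    if "uri" in inner:
        inner["uri"] = "<redacted>"
    return copy


class IpaSession:
    """Cookie-based session; the Referer header is mandatory (FreeIPA's CSRF check)."""

    def __init__(self, server: str, cafile: Optional[str] = None):
        self.base = "https://%s/ipa" % server
        https = urllib.request.HTTPSHandler(context=ssl.create_default_context(cafile=cafile))
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()), https)

    def login(self, user: str, password: str, otp: Optional[str] = None) -> None:
        req = urllib.request.Request(
            self.base + "/session/login_password",
            data=login_form(user, password, otp).encode(),
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Accept": "text/plain", "Referer": self.base})
        self.opener.open(req).close()      # 401 (bad or expired password) raises HTTPError

    def call(self, request: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            self.base + "/session/json", data=json.dumps(request).encode(),
            headers={"Content-Type": "application/json",
                     "Accept": "application/json", "Referer": self.base})
        with self.opener.open(req) as resp:
            reply = json.load(resp)
        if reply.get("error"):
            raise RuntimeError("%s: %s" % (request["method"], reply["error"].get("message")))
        return reply


if __name__ == "__main__":
    import sys
    server, helpdesk, helpdesk_pw, user = sys.argv[1:5]   # e.g. ipa.test.loc helpdesk01 ... jdoe
    hd = IpaSession(server)
    hd.login(helpdesk, helpdesk_pw)
    hd.call(passwd_request(user, "Temp-only-once-1"))    # step 1 of the working case
    # ... the user changes the password at the SSH prompt (steps 2-3), then:
    me = IpaSession(server)
    me.login(user, input("new password for %s: " % user))
    token = me.call(otptoken_add_request(user))           # step 5
    print(json.dumps(redact_for_log(token), indent=1))    # safe to log
    print("deliver out of band:", token["result"]["result"]["uri"])
```

The 2FA session login concatenates the password and the OTP code in the one password field, which is exactly why an expired password closes off the API for these users: the login endpoint rejects the credentials before any method, passwd included, can be reached. Delegating only the disable/enable step to a helpdesk role means granting write access to the token entry's ipatokenDisabled attribute and nothing else on the entry, which keeps the seed (ipatokenOTPkey) out of helpdesk reach.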


[Freeipa-users] Re: adding puppet to FreeIPA

2017-11-21 Thread Andrew Meyer via FreeIPA-users
Excellent, Thank you for the help. 

On Tuesday, November 21, 2017 3:01 PM, Rob Crittenden via FreeIPA-users 
 wrote:
 

 Andrew Meyer via FreeIPA-users wrote:
> Ok now I am trying to add puppet to my FreeIPA environment.  Following
> the instructions
> from: https://www.freeipa.org/page/Howto/Using_FreeIPA_CA_for_Puppet

Sadly most instructions don't include the version(s) they were intended
for but Fedora 19 had IPA 3.2.x

> I am getting the following error:
> 
> [root@asm-automation01 ~]# ipa service-add
> puppetmaster/asm-automation01.mgt.asm.borg.local
> ipa: ERROR: Host 'asm-automation01.mgt.asm.borg.local' does not have
> corresponding DNS A/ record
> [root@asm-automation01 ~]# ipa service-add
> puppetmaster/asm-automation01.mgt.asm.borg.local --force
> ipa: ERROR: service with name
> "puppetmaster/asm-automation01.mgt.asm.borg.local@MEYER.LOCAL" already
> exists

Which just means you already created the service.

> [root@asm-automation01 ~]# sudo vi /etc/puppetlabs/puppet/puppet.conf

Uh, ok.

> [root@asm-automation01 ~]# ipa-getcert request -K
> puppetmaster/asm-automation01.mgt.asm.borg.local -d /etc/httpd/alias -n
> puppetmaster/asm-automation01.mgt.asm.borg.local
> Certificate at same location is already used by request with nickname
> "20171116140630".

Again, means you already did it.

> [root@asm-automation01 ~]# puppet master --configprint hostcert
> /var/lib/puppet/ssl/certs/asm-automation01.mgt.asm.borg.local.pem
> /etc/puppetlabs/puppet/ssl/certs/asm-automation01.mgt.asm.borg.local.pem
> [root@asm-automation01 ~]# puppet master --configprint hostprivkey
> /var/lib/puppet/ssl/private_keys/asm-automation01.mgt.asm.borg.local.pem
> /etc/puppetlabs/puppet/ssl/private_keys/asm-automation01.mgt.asm.borg.local.pem
> [root@asm-automation01 ~]# puppet master --configprint localcacert
> /var/lib/puppet/ssl/certs/ca.pem
> /etc/puppetlabs/puppet/ssl/certs/ca.pem
> 
> 
> 
> [root@asm-automation01 ~]# certutil -L -d /etc/pki/nssdb -a -n "IPA
> Machine Certificate - asm-automation01.mgt.asm.borg.local" >
> /var/lib/puppet/ssl/certs/asm-automation01.mgt.asm.borg.local
> certutil: Could not find cert: IPA Machine Certificate -
> asm-automation01.mgt.asm.borg.local
> : PR_FILE_NOT_FOUND_ERROR: File not found
> [root@asm-automation01 ~]# puppet master --configprint localcacert
> /var/lib/puppet/ssl/certs/ca.pem
> /etc/puppetlabs/puppet/ssl/certs/ca.pem
> [root@asm-automation01 ~]# certutil -L -d /etc/pki/nssdb -a -n "IPA
> Machine Certificate - asm-automation01.mgt.asm.borg.local" >
> /var/lib/puppet/ssl/certs/asm-automation01.mgt.asm.borg.local
> certutil: Could not find cert: IPA Machine Certificate -
> asm-automation01.mgt.asm.borg.local
> : PR_FILE_NOT_FOUND_ERROR: File not found
> [root@asm-automation01 ~]#

3.2 still generated a machine cert and this stopped happening early in
the 4.x installs.

The directions are flatly wrong. It first generates a cert stored in
/etc/httpd/alias and then instructs to get the cert out of /etc/pki/nssdb.

If you need a pem cert then get one. Don't mess around with converting
from an NSS database because in 2 years it expires and puppet will blow
up. Use this instead:

# ipa-getcert request -K puppetmaster/puppetmaster.example.com -f
/var/lib/puppet/ssl/certs/asm-automation01.mgt.asm.borg.local.pem -k
/var/lib/puppet/ssl/private_keys/asm-automation01.mgt.asm.borg.local.pem


rob


[Freeipa-users] DNS fails to reply the ipa zone records

2017-11-21 Thread Raul Dias via FreeIPA-users
Bind seems to work fine.
When queried about a record it logs the answer fine (even for external domains).
However it fails to answer any ipa local zone request.

e.g. resolving its own host query:
-- 8< --
21-Nov-2017 13:52:06.419 client: debug 3: client 127.0.0.1#58281: UDP request
21-Nov-2017 13:52:06.419 security: debug 3: client 127.0.0.1#58281: request is 
not signed
21-Nov-2017 13:52:06.419 security: debug 3: client 127.0.0.1#58281: recursion 
available
21-Nov-2017 13:52:06.419 client: debug 3: client 127.0.0.1#58281: query
21-Nov-2017 13:52:06.420 queries: info: client 127.0.0.1#58281 
(freeipa.base.foo.com): query: freeipa.base.foo.com IN A +E (10.10.24.9)
21-Nov-2017 13:52:06.420 security: debug 3: client 127.0.0.1#58281 
(freeipa.base.foo.com): query (cache) 'freeipa.base.foo.com/A/IN' approved
21-Nov-2017 13:52:06.420 client: debug 3: client 127.0.0.1#58281 
(freeipa.base.foo.com): send
21-Nov-2017 13:52:06.420 client: debug 3: client 127.0.0.1#58281 
(freeipa.base.foo.com): sendto
21-Nov-2017 13:52:06.420 client: debug 3: client 127.0.0.1#58281 
(freeipa.base.foo.com): senddone
21-Nov-2017 13:52:06.420 client: debug 3: client 127.0.0.1#58281 
(freeipa.base.foo.com): next
21-Nov-2017 13:52:06.420 client: debug 3: client 127.0.0.1#58281 
(freeipa.base.foo.com): endrequest
-- >8 
$ dig @localhost freeipa.base.foo.com

; <<>> DiG 9.11.1-P3-RedHat-9.11.1-8.P3.fc27 <<>> @localhost 
freeipa.base.foo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16172
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5c26280e126505660dd1745d5a145292345cd82b68103795 (good)
;; QUESTION SECTION:
;freeipa.base.foo.com.		IN	A

;; Query time: 2190 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 21 16:21:38 UTC 2017
;; MSG SIZE  rcvd: 83
-- 8< --

It only happens to the ldap records.
So, what can I do to debug this further?


-rsd


[Freeipa-users] Re: Autentification in application with freeipa

2017-11-21 Thread Rob Crittenden via FreeIPA-users
Николай Савельев via FreeIPA-users wrote:
> Hi.
> I asked about Owncloud, Zimbra, etc. authentication in freeipa with AD trust.
> I was offered to use SAML.
> But I don't understand SAML. It is very difficult for me.
> I only want to use LDAP for authentication as in this article 
> https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA
> Or this 
> https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA
> 
> The articles work fine but only for freeipa users. It doesn't work for AD users from 
> the trusted domain.
> 
> I found Red Hat documentation for synchronising AD with IPA 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory
> 
> If I do it, can I see AD users in LDAP requests to the IPA server?
> 

If you do winsync instead of AD trust then yes, the AD entries will
reside in the IPA LDAP server.

For passwords to work you'll need to install the PassSync service on
every AD DC and any AD user that you want to authenticate will need to
reset their password for it to work when authenticating against IPA.

I agree that SAML can be confusing and difficult but IMHO it is a far,
far better path than co-mingling your AD and IPA entries using winsync.
winsync is not recommended.

rob


[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-21 Thread David Harvey via FreeIPA-users
Hoi,

Anyone out there with experience of whether or not adding a replica of a more
recent version (4.4.4 and 389-ds 1.3.7.5-1, up from 4.4.3 with 389-ds
1.3.5.15-2) would impact the existing servers in terms of schema or
similar?
I'm still trying to find a way to upgrade safely without going past a
point of no return...

Kind regards,

David

On 17 November 2017 at 15:10, David Harvey 
wrote:

> Hi again,
>
> No joy yet with spotting CA anomalies. Any additional tips there Rob?
>
> Gentle bump Simon, are you confident that building a new replica won't
> fall foul of the below from the upgrade page (the schema part):
>
> Words of caution
>
>- Note that the server is in a *maintenance mode* during upgrade and
>does not respond to requests!
>- Schema or Directory Server database object changes done during the
>upgrade are replicated to *all FreeIPA masters*
>
>
> Thanks again for the support,
>
> David
>
> On 15 November 2017 at 16:52, David Harvey 
> wrote:
>
>> Thanks Rob, Simon,
>>
>> Rob, will check, but thought my cert system was healthy before. It's
>> relatively new (6 months or less), and no sub-CAs involved. Any specifics
>> on how to invoke the selftests in some manner that might provide digestible
>> output? Or could it be my dirty hack of cloning and isolation and I should
>> do as Simon suggested :)?
>>
>> Simon. WRT spinning up a replica. I was under the impression that all
>> running servers had to be of the same version, am I mistaken with that?
>> I had avoided what you were suggesting as I feared the new server might
>> update the schema on the existing ones!
>>
>> Thanks again, appreciate the steering!
>>
>>
>> On 15 Nov 2017 14:34, "Rob Crittenden"  wrote:
>>
>> David Harvey via FreeIPA-users wrote:
>> > Sorry for the dump size, but not sure if the below from
>> > /var/log/pki/pki-tomcat/localhost.date.log helps:
>>
>> Looks like the selftests are failing. I'd check that your CA subsystem
>> certificates are not expired, etc.
>>
>> rob
>>
>> >
>> > 15-Nov-2017 12:14:50.557 SEVERE [localhost-startStop-1]
>> > org.apache.catalina.core.ApplicationContext.log StandardWrapper.Throwable
>> >  java.lang.NullPointerException
>> > at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)
>> > at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2118)
>> > at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2013)
>> > at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:234)
>> > at com.netscape.certsrv.apps.CMS.start(CMS.java:1630)
>> > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>> > at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>> > at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1227)
>> > at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1140)
>> > at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1027)
>> > at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5038)
>> > at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5348)
>> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
>> > at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
>> > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:729)
>> > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
>> > at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:621)
>> > at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1835)
>> > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>> > at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>> > at java.lang.Thread.run(Thread.java:748)
>> >
>> > 15-Nov-2017 12:14:50.558 SEVERE [localhost-startStop-1]
>> > org.apache.catalina.core.StandardContext.loadOnStartup Servlet [castart]
>> > in web application [/ca] threw load() exception
>> >  java.lang.NullPointerException
>> > at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)
>> > at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2118)
>> > at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2013)
>> > at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:234)
>> > at com.netscape.certsrv.apps.CMS.start(CMS.java:1630)
>> > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS
>> 

[Freeipa-users] Re: Unexpected ipa usa behaviour

2017-11-21 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 09:05:29AM +0100, Ronald Wimmer via FreeIPA-users wrote:
> Hi,
> 
> in IPA I defined a user called isomeuser. This username does definitely not
> exist on the AD side.
> 
> When I log in as root to an IPA client and issue the su command, I am
> isomeuser@ad.domain. If I do "su isomeuser@ipa.domain" I am
> isomeuser@ad.domain. The uid and gid are exactly the same.
> 
> Why can I be isomeuser@ad.domain if that user does not exist?

I agree this sounds strange.

Do you use the domain lookup order or some options like default_domain_suffix?

Can you show the sssd_nss.log from the IPA client?


[Freeipa-users] Re: Invalid ticket for NFS4 mount

2017-11-21 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 08:36:16AM +0100, Ray via FreeIPA-users wrote:
> Hi,
> 
> yesterday I noticed a strange issue on a Centos 7 client running
> ipa-client-4.5.0-21.el7.centos.2.2.x86_64:
> 
> My daughter tried to log in to the machine and was kicked out again after
> GNOME failed to load (/home on kerberized NFS4). Closer inspection showed
> that she had no permission to access her home directory, so GNOME was unable
> to read its settings.
> 
> This worked before.
> 
> I asked her to log into a text console. She got / as her home directory, as
> again, she was unable to access her actual home directory.
> 
> I checked with klist that she got a ticket. All seemed fine there (TGT
> present).
> 
> Tried 'cd' again: Permission denied.
> 
> Then I asked her to kinit once more. She hacked in her password again and
> got a new ticket.
> 
> Tried 'cd' again, et voilà: cd'ing to her NFS4 home directory worked
> immediately.
> 
> 
> Questions:
>   - What could be the reason for this behaviour? The box was freshly booted
> and I don't see what might have been wrong with the first ticket.
>   - Where should I look (which logs, etc.) to investigate this further?

Does the faulty user account come from the IPA domain or a trusted AD domain?