[Freeipa-users] Re: username restrictions

2018-10-10 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 10 Oct 2018, Winfried de Heiden via FreeIPA-users wrote:

Hi all,

The Red Hat manual is not too clear about this 
(https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#users)

IdM supports user names that can be described by the following regular 
expression:


[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?
Note
User names ending with the trailing dollar sign ($) are supported to 
enable Samba 3.x machine support.
If you add a user whose user name contains uppercase characters, IdM 
automatically converts the name to lowercase when saving it. 
Therefore, IdM always requires users to enter their user names all 
lowercase when logging in. Additionally, it is not possible to add 
users whose user names only differ in letter casing, such as user and 
User.


Having co-workers from different countries using different languages,
we want to avoid "strange" characters from Cyrillic, German, Hindi etc.
etc.
Reading the docs, it suggests only plain UTF ASCII is supported, no
"strange" characters. Correct? Or else: how to avoid/not allow
non-standard ASCII usernames?

ASCII, not UTF(-8). See a good presentation by Paul Gorman on the topic:
https://paulgorman.org/technical/presentations/linux_username_conventions.pdf

While we can store UTF-8 in 'uid' attribute in LDAP, POSIX systems are
what practically limits us here.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: username restrictions

2018-10-10 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 10 Oct 2018, Winfried de Heiden via FreeIPA-users wrote:

Alexander Bokovoy via FreeIPA-users wrote on 10-10-2018 12:47:

On Wed, 10 Oct 2018, Winfried de Heiden via FreeIPA-users wrote:

Hi all,

The Red Hat manual is not too clear about this 
(https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#users)

IdM supports user names that can be described by the following 
regular expression:


[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?
Note
User names ending with the trailing dollar sign ($) are supported 
to enable Samba 3.x machine support.
If you add a user whose user name contains uppercase characters, 
IdM automatically converts the name to lowercase when saving it. 
Therefore, IdM always requires users to enter their user names all 
lowercase when logging in. Additionally, it is not possible to add 
users whose user names only differ in letter casing, such as user 
and User.


Having co-workers from different countries using different
languages, we want to avoid "strange" characters from Cyrillic,
German, Hindi etc. etc.
Reading the docs, it suggests only plain UTF ASCII is supported, no
"strange" characters. Correct? Or else: how to avoid/not allow
non-standard ASCII usernames?
ASCII, not UTF(-8). See a good presentation by Paul Gorman on the 
topic:

https://paulgorman.org/technical/presentations/linux_username_conventions.pdf

While we can store UTF-8 in 'uid' attribute in LDAP, POSIX systems are
what practically limits us here.


OK, it's stored in UTF-8, which supports an awful lot of
characters... But IPA seems to protect us:


ipa user-add --first="ßuper" --last="üser" ßuperüser
ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $

As I said, POSIX systems are the limit, thus IPA limits you to a uid
as the POSIX standard requires.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
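The regex quoted from the guide above, turned into a pre-flight check. This is an added example, not FreeIPA code: it rejects anything outside the documented ASCII character set, folds the login to lowercase the way IdM stores it, and catches case-only collisions such as user vs User before `ipa user-add` is ever called. The names in the sample batch are made up.

```python
import re

# Regular expression for IdM login names as quoted from the RHEL guide above:
# ASCII letters, digits, '_', '.', '-' and an optional trailing '$' (Samba machine accounts).
IPA_LOGIN_RE = re.compile(r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?")


def validate_login(login: str) -> str:
    """Return the login as IdM would store it (lowercased) or raise ValueError.

    Non-ASCII input is rejected first with an explicit message; the regex alone
    would reject it too, but it helps to know which rule fired.
    """
    if not login.isascii():
        raise ValueError(f"{login!r}: only ASCII is allowed in a POSIX login name")
    if not IPA_LOGIN_RE.fullmatch(login):
        raise ValueError(f"{login!r}: may only include letters, numbers, _, -, . and $")
    return login.lower()


def check_batch(logins, existing=()):
    """Validate proposed logins against each other and an existing set.

    Returns (accepted, rejected): accepted holds the canonical lowercased names,
    rejected maps each bad input to the reason. Names differing only in case
    ('user' vs 'User') collide, as they do in IdM.
    """
    taken = {name.lower() for name in existing}
    accepted, rejected = [], {}
    for login in logins:
        try:
            canonical = validate_login(login)
        except ValueError as exc:
            rejected[login] = str(exc)
            continue
        if canonical in taken:
            rejected[login] = f"{login!r}: collides with existing login {canonical!r} (case-insensitive)"
            continue
        taken.add(canonical)
        accepted.append(canonical)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample batch, including the two cases discussed in the thread.
    ok, bad = check_batch(["Winfried", "ßuperüser", "User", "host$", "-nope"], existing=["user"])
    print("accepted:", ok)
    for reason in bad.values():
        print("rejected:", reason)
```

Run it against the list of proposed accounts before a bulk import; the maximum length enforced by the pattern is 254 characters (1 + 252 + 1).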


[Freeipa-users] Re: ipa command always takes 30 seconds

2018-10-10 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 10 Oct 2018, Perry Smith via FreeIPA-users wrote:

I now have two FreeIPA servers set up as tests. I'm doing cloud stuff so it's
easy to do. One has no DNS and the other has DNS with auto forwarders.

In both cases, it's a DNS issue because it is looking for a SRV record
for LDAP over TCP. In the no-DNS case, it never gets a reply. In the instance
with DNS, named is dying. I just discovered this late in the day. So, I'll
need to find out why named is dying.

I have Ubuntu issues.  I have this issue:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772447 


which I kludged around but then I thought I would get the “staging” update but
something isn’t working with the "add-apt-repository ppa:freeipa/staging”
(which I also discovered late in the day).

Two questions for this group:

1) Is there a way to get it to not look for the SRV record in the first place?

2) On a completely different topic, how do I install the "memberof" plug-in?
At least, I think that's what I need / want. I need to do an LDAP filter for
members of a group and currently my LDAP records do not have memberof but
instead have memberUid (and that is only in compat and not in accounts)

I hope it's ok to mix two questions into one email.

It would be if you'd provide more details to allow helping you. How are
you inferring that there is no 'memberof' plugin enabled? FreeIPA does
not allow retrieving membership information for non-authenticated
connections from the primary subtree (cn=accounts,$SUFFIX). If you are
checking without authentication, that's your problem.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Announcing freeIPA 4.7.1

2018-10-11 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 11 Oct 2018, Levin Stanislav via FreeIPA-users wrote:

Unfortunately, not all messages landed in the release.

msgfmt --statistics ru.po
4460 translated messages, 99 untranslated messages.

The update will happen with 4.7.2 then.

We can plan that somewhere in November, for example.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: ipa command always takes 30 seconds

2018-10-11 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 11 Oct 2018, Perry Smith wrote:




On Oct 11, 2018, at 12:51 AM, Alexander Bokovoy via FreeIPA-users wrote:

On Wed, 10 Oct 2018, Perry Smith via FreeIPA-users wrote:

Two questions for this group:

1) Is there a way to get it to not look for the SRV record in the first place?

2) On a completely different topic, how do I install the "memberof" plug-in?
At least, I think that's what I need / want. I need to do an LDAP filter for
members of a group and currently my LDAP records do not have memberof but
instead have memberUid (and that is only in compat and not in accounts)

I hope it's ok to mix two questions into one email.

It would be if you'd provide more details to allow helping you. How are
you inferring that there is no 'memberof' plugin enabled? FreeIPA does
not allow retrieving membership information for non-authenticated
connections from the primary subtree (cn=accounts,$SUFFIX). If you are
checking without authentication, that's your problem.


The DNS issue was hard to solve but I finally managed to get the bind9 and
freeipa code from ppa:freeipa/staging so the DNS is working and the ipa
command line commands no longer pause 30 seconds.

The LDAP question was solved as Alexander suggested — by authenticating first.
I'm curious what the reason is for this? From the compat entries, one can
deduce the members of the groups.

Compat subtree is for legacy clients that do not understand anything but
RFC2307. One can close down access to the compat tree too but since
entries there are dynamic (they are generated based on a request), it
wasn't a big issue.

Primary tree follows an approach taken by many other LDAP deployments.
For example, Active Directory's default behavior is to limit group
membership information to authenticated users as well.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
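To verify the point made above on your own directory, compare what an anonymous search of cn=accounts returns with what the same search returns after kinit over an authenticated bind (`ldapsearch -x ...` versus `ldapsearch -Y GSSAPI ...`). The script below is an added example, not part of the thread or of FreeIPA. The LDIF inside it is constructed to mirror the situation described: the user jdoe, the suffix dc=example,dc=test and the group names are made up. It parses LDIF, including folded lines and base64 (::) values, reports the attributes that only the authenticated bind could see, and shows the memberUid view a legacy RFC2307 client gets from the compat tree.

```python
import base64
from typing import Dict, List, Set

# Constructed LDIF (not captured from a real server). Anonymous search of the
# primary tree: the user entry comes back without memberOf.
LDIF_ANON_ACCOUNTS = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
uid: jdoe
uidNumber: 1234
gidNumber: 1234
homeDirectory: /home/jdoe
"""

# Same search after kinit: memberOf is returned; one value is folded over two lines.
LDIF_AUTH_ACCOUNTS = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
uid: jdoe
uidNumber: 1234
gidNumber: 1234
homeDirectory: /home/jdoe
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=
 test
"""

# Compat tree, anonymous: RFC2307 posixGroup with memberUid, generated on request.
LDIF_ANON_COMPAT = """\
dn: cn=admins,cn=groups,cn=compat,dc=example,dc=test
cn: admins
gidNumber: 1000
memberUid: jdoe
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64' values,
    lowercases attribute names and splits entries on blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def attributes_hidden_from_anonymous(anon_ldif: str, auth_ldif: str) -> Dict[str, Set[str]]:
    """Per DN, the attributes the authenticated search returned that the anonymous one did not."""
    anon = {entry["dn"][0]: entry for entry in parse_ldif(anon_ldif)}
    hidden: Dict[str, Set[str]] = {}
    for entry in parse_ldif(auth_ldif):
        dn = entry["dn"][0]
        missing = set(entry) - set(anon.get(dn, {}))
        if missing:
            hidden[dn] = missing
    return hidden


def group_members_from_compat(compat_ldif: str) -> Dict[str, List[str]]:
    """Membership as a legacy RFC2307 client sees it in cn=compat: cn -> memberUid list."""
    return {entry["cn"][0]: entry.get("memberuid", []) for entry in parse_ldif(compat_ldif)}


if __name__ == "__main__":
    for dn, attrs in attributes_hidden_from_anonymous(LDIF_ANON_ACCOUNTS, LDIF_AUTH_ACCOUNTS).items():
        print(f"{dn}: only visible when authenticated: {sorted(attrs)}")
    print("compat view:", group_members_from_compat(LDIF_ANON_COMPAT))
```

Feed it the two ldapsearch outputs (with `-LLL` to drop the comments) to see exactly which attributes your ACIs expose to unauthenticated binds; memberOf on cn=accounts should be in the hidden set, memberUid in cn=compat will not be.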


[Freeipa-users] Re: conflicting hostname requirement from SAP

2018-10-11 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 11 Oct 2018, Dan Haskell via FreeIPA-users wrote:

On 10/10/18 5:03 PM, Dan Haskell via FreeIPA-users wrote:

On 10/10/18 4:10 PM, John Keates wrote:

I’d say: don’t run FreeIPA server on the same install as the SAP server.


So, the fqdn requirement doesn't apply to the client? Awesome. Thank 
you very much.


Dan
[snip]


According to the link below, clients *have* to use FQDN. Not just IPA 
servers.


https://www.digitalocean.com/community/tutorials/how-to-configure-a-freeipa-client-on-centos-7

So, anyone know a way around this?

Let us step aside and state the problem first.
You want:
- to enroll a machine to IPA realm and use SSSD to provide services on
  it?
- to run SAP server on the machine you just enrolled?

The second part requires that SAP server sees a hostname as a
non-qualified one, correct?

If those are two starting points, you can do the following on RHEL 7.5
or similar system (all I care here is a contemporary SSSD and other
tools, with expected configuration paths).

1. Enroll machine into IPA realm

Use fqdn here, as required, but after enrollment is completed, change
SSSD configuration by adding

[domain/example.com]
# the client's FQDN
ipa_hostname = fqdn.example.com

2. Change your hostname back to non-fqdn.
hostnamectl set-hostname non-fqdn

With these changes at least SSSD will be able to perform its duties.

There are practical issues with this approach which I have not verified
yet. For example, SUDO may choke on fqdn versus non-fqdn difference in
its rules. For HBAC rules this shouldn't be a problem because the check
is done by SSSD and we forced SSSD to use fqdn.example.com

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Contribute to a HowTO

2018-10-12 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 12 Oct 2018, Peter Tselios via FreeIPA-users wrote:

Hello,
I have a relatively easy HowTo for Integrating Grafana with FreeIPA as
an Authentication Back-end.  So, can you please allow my account write
access to the Wiki?

What is your account name? I cannot find ptselios in the list.
You first need to login to freeipa.org with your FAS account.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Contribute to a HowTO

2018-10-13 Thread Alexander Bokovoy via FreeIPA-users

On Sat, 13 Oct 2018, Peter Tselios via FreeIPA-users wrote:

I just did.
Thank you.

Done, please link a new How To page at 
https://www.freeipa.org/index.php?title=HowTos
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: sss_ssh_authorizedkeys returns empty list

2018-10-23 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 23 Oct 2018, Johannes Falke via FreeIPA-users wrote:

For posterity, I had the same issue and fixed it by explicitly setting

   ldap_user_ssh_public_key = ipaSshPubKey

in the domain portion of sssd.conf. Otherwise I assume it looks for the
attribute "sshPublicKey", since that's what it's called in the sssd cache
DB.

ipasshpubkey is the default for 'id_provider = ipa', so you don't need
to change that if you are actually using IPA id provider.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: can clients or servers be pinned to named Active Directory servers to bypass DNS auto-discovery?

2018-10-24 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 24 Oct 2018, Chris Dagdigian via FreeIPA-users wrote:
Is it possible to override the AD integration use of DNS queries to 
find AD controllers and replace the auto-discovery with a named list 
of domain controllers?

Where? In 'ipa trust-add' or in SSSD? The former already has a mechanism:
specifying a domain controller to contact.

We've got a setup in an AWS VPC and we've found that out of the 100 or 
so domain controllers in DNS that a few of them refuse to talk to us 
or answer ldaps:// queries. After a lot of nmap and DNS probe work we 
think we've discovered a number of "bad" controllers that may be 
responsible for random password check / login failures in the AWS 
environment


Can the latest sssd/free-ipa be configured to use a list of "known 
good" domain controllers?

SSSD can be pinned down to the specific site and also to specific domain
controllers in 1.16+. Some of the configurations are possible with
earlier versions too, see manual page for sssd-ipa(5), section "Trusted
domains configuration".

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
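An added check, not SSSD's or FreeIPA's code, covering the two sssd.conf points raised in this thread and in the SAP hostname thread above: that an IPA domain section carries a fully-qualified ipa_hostname when the system hostname has been shortened, and that a trusted-domain subsection `[domain/<ipa domain>/<ad domain>]` pins ad_server to domain controllers inside that AD domain instead of leaving `_srv_` discovery in place. The sssd.conf text is constructed; example.com, ad.example.test, the DC names and the aws-vpc site are placeholders, and the subsection option names follow the sssd-ipa(5) "Trusted domains configuration" section the reply points to, so confirm them against the man page for your SSSD version.

```python
import configparser
from typing import Dict, List

# Constructed sssd.conf (not from a real host): an IPA client that reports a short
# hostname for SAP's sake but tells SSSD its FQDN, plus an AD trusted domain pinned
# to known-good DCs rather than whatever SRV discovery returns.
SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa1.example.com
# the client's FQDN, although hostnamectl now reports the short name
ipa_hostname = sapclient.example.com

[domain/example.com/ad.example.test]
ad_server = dc01.ad.example.test, dc02.ad.example.test
ad_site = aws-vpc
"""


def load_sssd_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _split_list(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def check_ipa_hostname(cp: configparser.ConfigParser, system_hostname: str) -> List[str]:
    """Findings for the SAP case: every IPA domain section needs a fully-qualified
    ipa_hostname whose short part matches what the OS now calls itself."""
    findings: List[str] = []
    short = system_hostname.split(".")[0].lower()
    for section in cp.sections():
        parts = section.split("/")
        if len(parts) != 2 or parts[0] != "domain":
            continue                      # skip [sssd] and trusted-domain subsections
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        domain = cp.get(section, "ipa_domain", fallback=parts[1]).lower()
        value = cp.get(section, "ipa_hostname", fallback="").lower()
        if not value:
            findings.append(f"[{section}]: ipa_hostname unset; SSSD would present the short hostname {system_hostname!r}")
        elif not value.endswith("." + domain):
            findings.append(f"[{section}]: ipa_hostname {value!r} is not an FQDN in {domain!r}")
        elif value.split(".")[0] != short:
            findings.append(f"[{section}]: ipa_hostname {value!r} does not match the host's short name {short!r}")
    return findings


def pinned_ad_servers(cp: configparser.ConfigParser) -> Dict[str, List[str]]:
    """AD trusted domain -> the DCs its [domain/ipa/ad] subsection pins via ad_server."""
    pinned: Dict[str, List[str]] = {}
    for section in cp.sections():
        parts = section.split("/")
        if len(parts) == 3 and parts[0] == "domain":
            pinned[parts[2].lower()] = _split_list(cp.get(section, "ad_server", fallback=""))
    return pinned


def check_ad_pinning(cp: configparser.ConfigParser) -> List[str]:
    """Findings for the AD case: no pin at all, a `_srv_` entry that re-enables DNS
    discovery, or a server that is not even inside the trusted domain."""
    findings: List[str] = []
    for ad_domain, servers in pinned_ad_servers(cp).items():
        if not servers:
            findings.append(f"{ad_domain}: no ad_server set, DCs come from DNS auto-discovery")
        for server in servers:
            if server == "_srv_":
                findings.append(f"{ad_domain}: _srv_ in ad_server re-enables DNS discovery")
            elif not server.lower().endswith("." + ad_domain):
                findings.append(f"{ad_domain}: {server!r} is not a DC in that domain")
    return findings


if __name__ == "__main__":
    conf = load_sssd_conf(SSSD_CONF)
    print(check_ipa_hostname(conf, "sapclient") or "ipa_hostname: ok")
    print(check_ad_pinning(conf) or f"AD pinning: ok {pinned_ad_servers(conf)}")
```

Point load_sssd_conf at the real file (`open("/etc/sssd/sssd.conf").read()`, as root) after the hostnamectl change or after adding the trusted-domain subsection, and restart SSSD only once both lists of findings are empty.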


[Freeipa-users] Re: Account creation via API not assigning uidNumber

2018-10-24 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 24 Oct 2018, Callum Smith via FreeIPA-users wrote:

Dear Rob,

I'm using the python-freeipa library:

(client is initialised and logged in - tested and working with other calls such 
as user_show etc)

client.user_add(
 options.username,
 options.first_name,
 options.last_name,
 options.name,
 mail=options.mail,
 home_directory=options.home_directory,
 uidnumber=options.uid if options.uid else -1,
 gidnumber=options.primary_gid,
 user_password=options.password,
)

Sorry, this is not an API provided by the FreeIPA project. Please
contact the authors of python-freeipa (I think it was created by OpenNode
people) and report the bugs you see there to them.

https://pypi.org/project/python-freeipa/


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Abstracted NTP server configuration

2018-10-24 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 24 Oct 2018, Rob Crittenden via FreeIPA-users wrote:

Andrey Bychkov via FreeIPA-users wrote:

Hello, I fixed design page.

https://www.freeipa.org/page/V4/NTP_Servers_Configuration


Tibor, do you have any input on this?

As I read this it will be up to the end-user to install their favorite
NTP client package, right? Otherwise installation is going to fail if
none of the supported NTP client packages are installed? Similar to how
DNS is detected?

With 4.7.0 we just got out of the business of running an NTP server on
an IPA master. Is it necessary to add that back?

My five cents on it: I think Andrey's proposal is to make it fully
configurable and it is implemented already, so why not enable that.

The only missing part (correct me if I'm wrong) is to have a choice to
completely disable options for NTP server on the master at a platform
level so that we can continue shipping this default in
Fedora/RHEL/CentOS.

Packagers per platform could decide whether to have NTP server support
enabled or not. And if it would be enabled, they would need to make
dependencies right in their packages.

For those who want to override this, it could be achieved with
/etc/ipa/installer.conf (this is the context used by ipa-server-install
and ipa-replica-install). It is initialized way after options parsed but
I guess we could live with that since NTP server installation could be
done after a bootstrap and force changes to options.

If admins chose to override the platform decision with
/etc/ipa/installer.conf, they would be responsible for providing all required
packages themselves. This could be written in the man pages for
ipa-server-install and ipa-replica-install.




rob




19.10.2018 17:11, Rob Crittenden via FreeIPA-users wrote:

Andrey Bychkov via FreeIPA-users wrote:

/->>There is no description about what the abstraction layer should be.
What basic functions are there for an NTP server and how does each
server map into that abstraction? What basic methods are required?/

An abstract module is the parent basentpconf module, which contains the
base ntp classes for the server and the client, from which ntpdlib,
ontpdlib, and chronylib are inherited. The parent client and server
classes contain methods for configuring, synchronizing, and restoring
the initial state of the ntp server. It uses common functions from
ntpmethods. As for ntpdlib, ontpdlib, and chronylib, they contain
classes for configuring their ntp server directly, inherited from
basentpconf, and override the desired properties.

Right, so I realize we sort of backed into this Design document from a
PR. The purpose of the design review is to hash things out before they
are implemented so I'm commenting only on what is in the doc and not in
the PR. There are no details of this abstraction in the design.


/->>Do all servers support the options server and pool?/

All the ntp servers listed here support the server and pool options, the
values of which are written to the configuration file with the
appropriate field.

Ok cool.


/->>How will dependencies be managed? Is there a common way to do this
with both Fedora-like and Debian-like distributions?/

Each package with freeipa ntp lib contains a dependency on the ntp
server that it uses. To use freeipa ntp lib, it is enough to install a
package with an appropriate ntp server.

Right but using what mechanism? rpm has this weak dependencies thing
which I haven't had a chance to look at (and I don't know about other
distros). How is the appropriate time package going to be installed? Are
we relying on the end-user to install the time package they want, so if
they install none then there is no time sync?


/->>Is it an error if no NTP servers are installed? Is this what is
meant by "default ntp configuration"? Is that functionally equivalent to
"no NTP service is configured"?/

If the system does not detect the ntp server, and the user does not use
the option '--no-ntp', then the installation of freeipa will end with
information about this. If the ntp server or ntp pool options are not
specified by the user, then the ntp server is set by default, that is,
configured on the basis of the ntp server that was laid down.

Ok, this is a change in current behavior. Right now just a warning is
displayed if there is no NTP server found.


/->>Could there be service-specific options that would need to be passed
or set?/

You can set options for the ntp service such as ntp pool and ntp server.

But there is no feature that one server provides that others don't, for
example? It's fine to limit it to only pools and servers, I'm just
trying to anticipate future RFEs.


/->>How will this impact testing? Will all possible options need to be
tested or is spot-checking or a single server adequate?/

For testing, it is necessary to start the installation of freeipa both
with the --ntp-server and --ntp-pool options, and without them, on all
supported time servers.

What I mean is there will be say 3 NTP servers suppor

[Freeipa-users] Re: Account creation via API not assigning uidNumber

2018-10-25 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 25 Oct 2018, Callum Smith wrote:

Dear Alexander,

The issue is not with the library (it does no validation of syntax); the
error I have provided is verbose directly from the FreeIPA API
response.


It seems the library puts some defaults that aren't accepted by the
FreeIPA API, unlike the client code we provide. Or maybe that's your use
of it. More below.


How would you suggest I re-factor this code so that the error is acceptable?


Looking at the definition of 'uidnumber' parameter to user object, we
can see it has minimal value of '1' and it is optional (? at the end of
the name):

    Int('uidnumber?',
        cli_name='uid',
        label=_('UID'),
        doc=_('User ID Number (system will assign one if not provided)'),
        minvalue=1,
    ),

This means that if you wouldn't provide it in your request, it will be
automatically generated.

So a simple approach would be to replace the explicit addition of named
arguments by a dict and then pass that dict:

opts = {}
if options.uid:
    opts['uidnumber'] = options.uid
opts['gidnumber'] = options.primary_gid
opts['mail'] = options.mail
opts['home_directory'] = options.home_directory
opts['user_password'] = options.password
...

# positional arguments as in your original call; uidnumber is only sent when set
client.user_add(options.username, options.first_name, options.last_name,
                options.name, **opts)



(client is initialised and logged in - tested and working with other calls such 
as user_show etc)

client.user_add(
    options.username,
    options.first_name,
    options.last_name,
    options.name,
    mail=options.mail,
    home_directory=options.home_directory,
    uidnumber=options.uid if options.uid else -1,
    gidnumber=options.primary_gid,
    user_password=options.password,
)
Sorry, this is not an API provided by the FreeIPA project. Please
contact the authors of python-freeipa (I think it was created by OpenNode
people) and report the bugs you see there to them.

https://pypi.org/project/python-freeipa/


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Abstracted NTP server configuration

2018-10-25 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 25 Oct 2018, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Wed, 24 Oct 2018, Rob Crittenden via FreeIPA-users wrote:

Andrey Bychkov via FreeIPA-users wrote:

Hello, I fixed design page.

https://www.freeipa.org/page/V4/NTP_Servers_Configuration


Tibor, do you have any input on this?

As I read this it will be up to the end-user to install their favorite
NTP client package, right? Otherwise installation is going to fail if
none of the supported NTP client packages are installed? Similar to how
DNS is detected?

With 4.7.0 we just got out of the business of running an NTP server on
an IPA master. Is it necessary to add that back?

My five cents on it: I think Andrey's proposal is to make it fully
configurable and it is implemented already, so why not to enable that.


It is implemented but there are a bunch of holes in it so rather than
picking it apart in a PR I asked that this quite major change in time
handling go through our standard process.


The only missing part (correct me if I wrong) is to have a choice to
completely disable options for NTP server on the master at a platform
level so that we can continue shipping this default in
Fedora/RHEL/CentOS.


IMHO there is still too much hand waving around what packages must be
installed, how available packages are detected, etc.


Packagers per platform could decide whether to have NTP server support
enabled or not. And if it would be enabled, they would need to make
dependencies right in their packages.


Right, he needs to say that in his design so it can be handled somewhere.

There also needs to be some sort of ordering so that one package is
preferred over another, or if some are disallowed for some reason.

It also needs to be decided if NO client is allowed (the equivalent of -N).

I'm not necessarily weighing in on the final answers, just trying to get
the design into shape so these things are considered and not forgotten
once folks start digging into specific code changes.

Yep. All good comments.

Andrey, could you please address them in the design page?





For those who want to override this, it could be achieved with
/etc/ipa/installer.conf (this is the context used by ipa-server-install
and ipa-replica-install). It is initialized way after options parsed but
I guess we could live with that since NTP server installation could be
done after a bootstrap and force changes to options.

If admins chose to override the platform decision with
/etc/ipa/installer.conf, they would be responsible for providing all
required
packages themselves. This could be written in the man pages for
ipa-server-install and ipa-replica-install.




rob




19.10.2018 17:11, Rob Crittenden via FreeIPA-users wrote:

Andrey Bychkov via FreeIPA-users wrote:

/->>There is no description about what the abstraction layer should
be.
What basic functions are there for an NTP server and how does each
server map into that abstraction? What basic methods are required?/

An abstract module is the parent basentpconf module, which contains
the
base ntp classes for the server and the client, from which ntpdlib,
ontpdlib, and chronylib are inherited. The parent client and server
classes contain methods for configuring, synchronizing, and restoring
the initial state of the ntp server. It uses common functions from
ntpmethods. As for ntpdlib, ontpdlib, and chronylib, they contain
classes for configuring their ntp server directly, inherited from
basentpconf, and override the desired properties.

Right, so I realize we sort of backed into this Design document from a
PR. The purpose of the design review is to hash things out before they
are implemented so I'm commenting only on what is in the doc and not in
the PR. There are no details of this abstraction in the design.


/->>Do all servers support the options server and pool?/

All the ntp servers listed here support the server and pool
options, the
values of which are written to the configuration file with the
appropriate field.

Ok cool.


/->>How will dependencies be managed? Is there a common way to do this
with both Fedora-like and Debian-like distributions?/

Each package with freeipa ntp lib contains a dependency on the ntp
server that it uses. To use freeipa ntp lib, it is enough to install a
package with an appropriate ntp server.

Right but using what mechanism? rpm has this weak dependencies thing
which I haven't had a chance to look at (and I don't know about other
distros). How is the appropriate time package going to be installed?
Are
we relying on the end-user to install the time package they want, so if
they install none then there is no time sync?


/->>Is it an error if no NTP servers are installed? Is this what is
meant by "default ntp configuration"? Is that functionally
equivalent to
"no NTP service is configured"?/

If the system does not detect the ntp server, and the user does not
use
the option '--no-ntp', then the installation of freeipa will end with
information about this. If the ntp server or

[Freeipa-users] Re: Is IPA-AD two-way trust really two-way?

2018-10-26 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 26 Oct 2018, Winfried de Heiden wrote:

Hi all,

Referring to this bit of an older post,

What now is the difference between a One-way or Two-Way Trust anyway? The docs
are not too clear about it:

" Two-way trust enables AD users and groups to access resources in IdM.
However, the two-way trust in IdM does not give the users any additional
rights compared to the one-way trust solution in AD. Both solutions are
considered equally secure because of default cross-forest trust SID
filtering settings"

What is a use-case for using a Two-Way Trust? (since Windows cannot use
IPA as an AD replacement)

Originally we implemented two-way trust first because it was easier to
do than one-way trust from technical perspective. It allowed machines
from IPA domain to directly query AD DCs about needed information using
their own host/... Kerberos principals for authentication purposes.

However, a lot of customers were concerned with AD trusting IPA
because it wasn't how AD domain controllers resolved identities (and ran
authentication proxying) over trust. We implemented one-way trust with a
proper setup and actually moved to always use the credentials
one-way-like in two-way trust too with FreeIPA 4.6/latest SSSD
1.15/1.16.

However, there is one missing part for a one-way trust: a one-way trust
with a shared secret. If you are using a shared secret that is provided
to you by AD admins (as opposed to being generated by 'ipa trust-add'
automatically), one-way trust cannot be established. Long story short,
both FreeIPA and SSSD lacked the required logic to allow Windows to
perform validation of the trust in this case from a Windows UI and we
couldn't initiate the validation from the IPA side as we didn't have
administrative credentials to AD DCs.

So right now two-way trust with a shared secret is your solution for
this case, although I'd rather suggest to establish a normal one-way
trust with AD admin credentials to get a stronger trust secret generated
for you by 'ipa trust-add'.





Winfried
    
-Original message-
From: Alexander Bokovoy via FreeIPA-users
Reply-to: FreeIPA users list
To: FreeIPA users list
Cc: Michal Sladek, Alexander Bokovoy
Subject: [Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
Date: Thu, 23 Aug 2018 12:08:17 +0300

On to, 23 elo 2018, Michal Sladek via FreeIPA-users wrote:
Hello,
I would like to use IPA server in a heterogeneous environment with Linux servers
and Windows workstations. The IPA domain would be used as a primary source of users
and groups. The AD domain would be used for management of Windows hosts only (group
policies etc.).
I have set up a test network with a two-way trust between AD and IPA domain and
realized that the IPA domain sees AD users but the AD domain doesn't see IPA users. Am
I missing something or is the two-way trust not two-way in fact?

It is two-way in principle. However, FreeIPA does not implement features
required by AD DC to resolve IPA users on Windows workstations. It is on
our long term roadmap.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland





--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Info - cli - Powershell module for FreeIPA published and available on GitHub

2018-10-29 Thread Alexander Bokovoy via FreeIPA-users

On ma, 29 loka 2018, Lucas Cueff via FreeIPA-users wrote:

Hello FreeIPA world,

First thanks for this great product, I was looking for an Active
Directory 'clone' for the open-source world and I have successfully
tested and deployed a FreeIPA infra, thanks to your great job guys!

Because I am also a Windows sysadmin working from a Windows platform, I
wanted to keep PowerShell as my main shell and script platform. I have
started to port the Python cli to a PowerShell module.

For the PowerShell user, my work is available at:
https://github.com/MS-LUF/Manage-FreeIPA

Thanks, Lucas!

One short comment: since the FreeIPA API is fully dynamic, it makes sense to
have a client side that also dynamically generates the bindings. Is it
possible to achieve that with PowerShell?

I saw too many bindings already that try to hard-code the API calls and options
to them. It doesn't really work in the long run.

Some of the better bindings provide auto-generation at compile (or
packaging) time. They retrieve the metadata from the IPA server version they
support and then generate the actual bindings. That would work too -- as
long as you don't need to manually update/write code to support specific
calls.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: FreeIPA Plugin Development

2018-10-29 Thread Alexander Bokovoy via FreeIPA-users

On su, 28 loka 2018, Joshua D Doll via FreeIPA-users wrote:

I'm in the same boat. The current documentation leaves a lot to be
desired. Most resources you find are terribly outdated.

There are two sources that stay more or less up to date:

- FreeIPA source code
- My plugins at https://github.com/abbra/

The last is a shameless plug but I try to keep them up to date with the
current state of plugin development and packaging I do as part of my day
to day job.

For the source code, an easy way to explore the documentation we already
have is to start with pydoc:

  pydoc ipalib

this will give you an overview of the plugin infrastructure and
parameters.

All commands that operate on objects in LDAP are built on top of classes
provided by ipaserver.plugins.baseldap, so 'pydoc
ipaserver.plugins.baseldap' would give you a basic view of how it is
structured. Any specific plugin's code in ipaserver/plugins/*.py would
serve as an example.

I'd recommend looking at simple plugins in my github tree to understand
how you can amend some aspects:
https://github.com/abbra/freeipa-userstatus-plugin/

If you want a bit more complex example,
https://github.com/abbra/freeipa-desktop-profile gives a fully working
sample that stores two different objects in LDAP and even has managed
entries plugin integration for bridging them together under specific
complex access controls.

Even more hardcore is https://github.com/abbra/freeipa-adusers-admins

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Info - cli - Powershell module for FreeIPA published and available on GitHub

2018-10-29 Thread Alexander Bokovoy via FreeIPA-users

On ma, 29 loka 2018, Lucas Cueff via FreeIPA-users wrote:

Thanks for your prompt feedback and advice.

You are right, it sounds like a must-have for the v1.

Is there some data model published to have a link between client version
and API stuff? I don't know if the API browser, for instance, can be
queried and sends back some JSON stuff to build all API info on the
client side.

Yes, it actually can and it does send it back -- the whole Web UI is a
JavaScript application talking JSON-RPC to the Python-based backend.

See, for example, https://github.com/tehwalris/go-freeipa, which is a
generated Go client based on the API metadata. It doesn't do that at
runtime, though, but is a good example of how compile-time integration
could be done.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
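As an added illustration of the run-time binding generation Alexander recommends in this thread (example code written for this page, neither FreeIPA's nor the Manage-FreeIPA module's): read command metadata, generate one callable per command, and validate parameters client-side before anything is sent. The metadata dict is a constructed, simplified subset and an assumption of the example; the JSON-RPC envelope it builds is the shape FreeIPA's JSON endpoint expects.

```python
"""Run-time generation of FreeIPA JSON-RPC bindings from command metadata.

Added example; not FreeIPA code and not the Manage-FreeIPA module. The
metadata below is a CONSTRUCTED, simplified subset (the server's real schema
is richer); what is real is the request envelope FreeIPA expects on its JSON
endpoint, {"method": cmd, "params": [[args], {options, "version": v}], "id": n},
and the {"result", "error", "id"} shape of the reply.
"""
import json

# Constructed metadata sample (simplified shape, an assumption of this example).
SAMPLE_METADATA = {
    "version": "2.230",
    "commands": {
        "user_show": {
            "args": [{"name": "uid", "required": True}],
            "options": [{"name": "all", "required": False},
                        {"name": "raw", "required": False}],
        },
        "user_add": {
            "args": [{"name": "uid", "required": True}],
            "options": [{"name": "givenname", "required": True},
                        {"name": "sn", "required": True},
                        {"name": "cn", "required": False}],
        },
    },
}


class BindingError(ValueError):
    """Raised client-side, before any request leaves the machine."""


class IPAError(RuntimeError):
    """Raised when the server reply carries a non-null 'error' member."""


def build_request(name, spec, args, options, version, request_id):
    """Validate args/options against the command spec; return the envelope."""
    arg_specs = spec.get("args", [])
    opt_specs = {o["name"]: o for o in spec.get("options", [])}
    if len(args) > len(arg_specs):
        raise BindingError(f"{name}: takes at most {len(arg_specs)} positional argument(s)")
    missing = [a["name"] for i, a in enumerate(arg_specs)
               if a.get("required") and i >= len(args)]
    missing += [n for n, o in opt_specs.items() if o.get("required") and n not in options]
    if missing:
        raise BindingError(f"{name}: missing required parameter(s): {', '.join(missing)}")
    unknown = sorted(set(options) - set(opt_specs))
    if unknown:
        raise BindingError(f"{name}: unknown option(s): {', '.join(unknown)}")
    sent_options = dict(options)
    sent_options["version"] = version   # the API version the bindings were built for
    return {"method": name, "params": [list(args), sent_options], "id": request_id}


class IPAClient:
    """One Python callable per command found in the metadata, nothing hard-coded."""

    def __init__(self, metadata, transport):
        self._version = metadata["version"]
        self._transport = transport        # callable(request dict) -> reply dict
        self._request_id = 0
        self.commands = sorted(metadata["commands"])
        for name, spec in metadata["commands"].items():
            setattr(self, name, self._make_binding(name, spec))

    def _make_binding(self, name, spec):
        def binding(*args, **options):
            request = build_request(name, spec, args, options,
                                    self._version, self._request_id)
            self._request_id += 1
            reply = self._transport(request)
            if reply.get("error"):
                raise IPAError(reply["error"])
            return reply["result"]
        binding.__name__ = name
        binding.__doc__ = f"Generated binding for the '{name}' command."
        return binding


class RecordingTransport:
    """Constructed stand-in for the HTTPS POST of the JSON body: records each
    request as it would go on the wire and answers with a reply-shaped dict."""

    def __init__(self):
        self.requests = []

    def __call__(self, request):
        body = json.dumps(request)            # exactly what would be sent
        self.requests.append(json.loads(body))
        return {"result": {"method": request["method"]}, "error": None,
                "id": request["id"]}


def check_call(client, name, *args, **options):
    """Return (True, result) or (False, validation message) for one call."""
    try:
        return True, getattr(client, name)(*args, **options)
    except BindingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    transport = RecordingTransport()
    ipa = IPAClient(SAMPLE_METADATA, transport)
    print(ipa.commands)
    print(ipa.user_show("admin", all=True), transport.requests[-1])
    print(check_call(ipa, "user_add", "bob", givenname="Bob"))
```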


[Freeipa-users] Re: Service Account vs System Account vs User Account

2018-10-29 Thread Alexander Bokovoy via FreeIPA-users

On ma, 29 loka 2018, Ryan Slominski via FreeIPA-users wrote:

It is not always clear the best way to create an account for a script
or application to use.  Generally this special type of account has no
password expiration (or a very long expiration window).  For example,
some applications require a bind user to connect to LDAP.  It seems
there are a half a dozen ways to do it.  When should each be used?
Here are the options I'm aware of:

1. Create IPA Service (ipa service-add)

My understanding is an IPA Service cannot reveal the plaintext password
(keytab only) and must be tied to a single host.  This doesn't work
when the bind user password plaintext must be known (unless I missed
that somewhere).  Also, you can't assign a service to the "admins" user
group, which is a special user group - so if you want a "root-like"
service you can't use an IPA service (maybe you could cobble together
some roles that mostly did what admins members get).

All of the above is not true with FreeIPA 4.7.0.

https://pagure.io/freeipa/issue/7513 allows having services as group
members for the purpose of role management.

https://pagure.io/freeipa/issue/7514 allows creating services detached
from a specific host object.

ipa-getkeytab also allows forcing a specific plaintext password instead
of a randomly generated one.



2. Create IPA User (ipa user-add)

There are a few ways to make a special password expiration (not clear which is
best):
A. You can use a special password policy where the password doesn't expire for 
a very long time (must be done before setting password).
B. Use kadmin.local to set password expiration to never (or a very long time).
C. Use ldapmodify (dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com) to 
set expiration to a very long time
D. If you never set a password, but execute the ipa getkeytab command then 
there doesn't appear to be any expiration on the user account password (though 
web interface says there is no password so not sure if this is a bug or what)

I think A is best. For D I'd like you to open an issue and describe what
you see and what you expect to see.



3. Create LDAP System Account (ldapmodify - dn: 
uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com)

This seems like a back door and only works if your "application
account" needs LDAP, but not Kerberos.  Account does not show up in the
web interface anywhere.

See: https://www.freeipa.org/page/HowTo/LDAP

The latter (LDAP system account) is not a backdoor. It is rather
normal behavior for LDAP servers. The LDAP schema allows you to have
bindable objects and aside from some bugs in treating password policies
for them when setting Kerberos attributes, they are normal LDAP objects.



4. Create Kerberos Service (kadmin.local addprinc)

Probably no need to ever use kadmin.local to create a service?  Then again, 
maybe there is?

I'd recommend against using kadmin.local in day to day activities. We
have the majority of its functions represented through the IPA API already.
kadmin.local can only create principals in a default sub-tree (I don't
remember which one off the top of my head right now), there is no real
authentication when you run as root and it is easy to wipe the data.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Service Account vs System Account vs User Account

2018-10-30 Thread Alexander Bokovoy via FreeIPA-users

On ti, 30 loka 2018, Ryan Slominski via FreeIPA-users wrote:

As far as option D goes I'm now starting to understand IPA makes a
distinction between a password and Kerberos keys.  If you don't set a
password, but use ipa-getkeytab followed by ipa user-show, the "Kerberos
keys available" attribute changes from False to True, but "Password"
remains False. The web GUI doesn't seem to show whether keys were
deployed for user accounts and I was expecting to see some indication
that I had used ipa-getkeytab, but now see I can only tell using the
command line.  Can a user have a separate random key as well as a known
plain text password simultaneously?   Does the krblastpwdchange apply
to both password and keys or do keys never expire?

I don't think you can have an independent password and a random key.
When a password is set via LDAP, a special plugin will propagate it to
Kerberos attributes (by setting hashes of it using specific algorithms
for those attributes). When a password is updated via Kerberos kadmin
protocol, the same happens for LDAP password too.

When ipa-getkeytab is used to generate a random key the very same plugin
in LDAP server is placing this random key to both the userPassword
attribute and to the Kerberos attributes. So they should be synchronized
all the time.

When a password expires is defined by the password policy. At that point
both Kerberos keys and the userPassword in LDAP are expired and unusable
for authentication (other than a request to change the password).

Obviously, you can create a policy that avoids expiring a password and
that would be the equivalent of a never expiring key for a user.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Deployment without CA

2018-10-31 Thread Alexander Bokovoy via FreeIPA-users

On ke, 31 loka 2018, Henrik Johansson via FreeIPA-users wrote:

Hello,

I am looking at using FreeIPA without a CA, using externally signed
certificates; reading the documentation it looks possible using
--dirsrv-cert-file, --http-cert-file and --pkinit-cert-file. Should I just
create a CSR for the hostname by hand and get it signed? Also is
there any good reason for having different certs for http, ldap and
pkinit? Can I just use one certificate for all services and for all
servers and replicas using Subject Alternative Names?

For the latter part, it is better to separate the PKINIT cert out. It
requires a very specific Kerberos principal name in the certificate.

For HTTP and LDAP you can reuse the same certificate.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Deployment without CA

2018-11-01 Thread Alexander Bokovoy via FreeIPA-users

On to, 01 marras 2018, Henrik Stigendal via FreeIPA-users wrote:



On 1 Nov 2018, at 00:51, Fraser Tweedale  wrote:



Note that you'll have a hard time getting a certificate signed by a
public CA with the appropriate Extended Key Usage and Subject
Alternative Name values for a KDC certificate.  If you are getting
certificates from some other internal CA controlled by your
organisation, no worries.  Otherwise, you'll have to make do without
Kerberos PKINIT support.


Thanks, you mean the UPN: krbtgt/domain@domainn.net part?

We have an internal CA, I guess I'll try to generate a CSR with
certutil and submit it. It will be quite a few UPN/SAN if I want one
certificate for all servers for LDAP/HTTP and PKINIT respectively.
Maybe have two per server and a common name for a load balancer in
each certificate, this is really not my area of expertise, it was so
much easier with the provided CA in IPA :)

If you have an internal CA, it would be much easier to get that CA to
sign the IPA CA as a sub-CA. Then clients will trust IPA CA-issued
certificates if they trust the internal CA already.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: sftp file broswer causes 4 (System Error)

2018-11-07 Thread Alexander Bokovoy via FreeIPA-users

On ke, 07 marras 2018, Alfredo De Luca via FreeIPA-users wrote:

Hi all. I wonder whether and how this has been resolved?
I have CentOS 7 where an sftp server is running. Authentication is with
FreeIPA 4.5.4.
All the users connect to the sftp server normally but when there are
multiple connections, randomly I get this error

Nov  7 08:30:09 sftp sshd[23487]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)

Not sure why. The same user doesn't have any issue connecting manually but
with different connections from 3 nodes (running an open source sftp client
called NIFI from apache.org) I got that error.
I have to say that I tried to reproduce with a script running multiple
connections at the same time and I get the same errors. If I use the
controlmaster mechanism on the ssh client I don't get the error at all.

Any idea?

Use sssd debugging to demonstrate why pam_sss is denying access.
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

You'd need logs from the sssd_.log and sssd_pam.log related to
the time when there is an attempt to connect with NIFI. Use
debug_level=9 in domain and pam sections to show all logs and provide
them somewhere we can look up.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: sftp file broswer causes 4 (System Error)

2018-11-08 Thread Alexander Bokovoy via FreeIPA-users

On to, 08 marras 2018, Alfredo De Luca via FreeIPA-users wrote:

Hi alexander. Thanks for your info.
Here are 2 logs. One is the pam.log and the other one is the domain.log at
the time when we got the error below.

Nov  8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)

The user to search is nifi_sftp.

Thanks heaps and let me know if you need more info

Do you have SELinux enabled? Disabled?

From the looks of sssd_.log you have trouble with setting
SELinux for the user:

(Thu Nov  8 17:09:06 2018) [sssd[be[novalocal]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]

This means that most likely you have SELinux disabled completely yet
SSSD attempts to set up SELinux context and considers its failure a hard
fail.

Setting

selinux_provider = none

in [domain/novalocal] section should help if you are not using SELinux.


Cheers







--
Alfredo



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: LDAP - Zammad -> not offering all fields

2018-11-12 Thread Alexander Bokovoy via FreeIPA-users

On ma, 12 marras 2018, Tobi Berninger via FreeIPA-users wrote:

Hey,
I have a FreeIPA 4.5.4 on CentOS 7 up and running.
I already bound that IPA through LDAP on a Nextcloud installation.
Now I try to do the same with Zammad. Sadly it doesn't offer me the
right fields (first name, last name, mail and many more are missing).
I set up an extra LDAP sysaccount just for that reason, as it was described
here: https://www.freeipa.org/page/HowTo/LDAP

Any ideas what I was doing wrong?

Other users in the Zammad forum told me that Zammad is offering them the
fields I need, so I am quite convinced that the error is in a
misconfiguration on my side. Sadly I didn't set the server up, I just try
to keep it running.

It would be good to see what you did exactly.

Can you show which fields you are trying to access and what is the
sysaccount entry?

Can you show what searches are done by zammad in the
/var/log/dirsrv/slapd-/access log? You can find them by
the connection which starts by binding as your sysaccount. It should
look something like below. I used the admin user to do the search but it
should not matter in terms of how things are logged. You need logs for the
same connection (conn=).

[12/Nov/2018:10:51:11.951508884 +0200] conn=1098 fd=93 slot=93 SSL connection from 192.168.100.180 to 192.168.100.180
[12/Nov/2018:10:51:11.959543784 +0200] conn=1098 TLS1.3 128-bit AES-GCM
[12/Nov/2018:10:51:11.959795901 +0200] conn=1098 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=h,dc=example,dc=com" method=128 version=3
[12/Nov/2018:10:51:12.034886792 +0200] conn=1098 op=0 RESULT err=0 tag=97 nentries=0 etime=0.1916669164 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[12/Nov/2018:10:51:12.035585653 +0200] conn=1098 op=1 SRCH base="dc=h,dc=example,dc=com" scope=2 filter="(uid=admin)" attrs=ALL
[12/Nov/2018:10:51:12.037307748 +0200] conn=1098 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001826480
[12/Nov/2018:10:51:12.039934460 +0200] conn=1098 op=2 UNBIND
[12/Nov/2018:10:51:12.039960936 +0200] conn=1098 op=2 fd=93 closed - U1




Thank you all for your help and I apologize for my English...






--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
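To read a bind user's session out of the access log the way Alexander describes (everything on one conn=, from BIND through its RESULT to the SRCH operations), here is an added Python example, not from the thread or from FreeIPA. The sample log lines are constructed in the same 389-ds format, with one record deliberately wrapped across two lines as pasted logs usually are, and the DNs and addresses in it are placeholders.

```python
"""Group 389-ds access-log records per connection (conn=N) and pair each
operation with its RESULT, so one bind user's session can be read in one piece.
Added example, not from the thread or the FreeIPA project. The sample is
CONSTRUCTED in the format the thread shows; the first record is wrapped over
two lines on purpose, the way mail clients wrap pasted logs.
"""
import re

# RFC 4511 result codes most often seen on BIND/SRCH results.
LDAP_RESULT_CODES = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
                     49: "invalidCredentials", 50: "insufficientAccessRights"}

SAMPLE_LOG = """\
[12/Nov/2018:10:51:11.951508884 +0200] conn=1098 fd=93 slot=93 SSL connection
from 192.168.100.180 to 192.168.100.180
[12/Nov/2018:10:51:11.959795901 +0200] conn=1098 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[12/Nov/2018:10:51:12.034886792 +0200] conn=1098 op=0 RESULT err=0 tag=97 nentries=0 etime=0.1916669164 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[12/Nov/2018:10:51:12.035585653 +0200] conn=1098 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=admin)" attrs="givenName sn mail"
[12/Nov/2018:10:51:12.037307748 +0200] conn=1098 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001826480
[12/Nov/2018:10:51:12.039934460 +0200] conn=1098 op=2 UNBIND
[12/Nov/2018:10:51:12.039960936 +0200] conn=1098 op=2 fd=93 closed - U1
[12/Nov/2018:12:56:15.498614694 +0100] conn=74961 fd=146 slot=146 SSL connection from 10.8.0.1 to 10.8.0.6
[12/Nov/2018:12:56:15.558425764 +0100] conn=74961 op=0 BIND dn="uid=system4,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[12/Nov/2018:12:56:15.558859253 +0100] conn=74961 op=0 RESULT err=48 tag=97 nentries=0 etime=0.0059811400
[12/Nov/2018:12:56:15.586313574 +0100] conn=74961 op=-1 fd=146 closed - B1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>-?\d+) (?P<verb>[A-Z]{2,})\b(?P<detail>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"


def unwrap(text):
    """Rejoin wrapped records: a line not starting with '[' continues the previous one."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(line):
    """Split one record into ts, conn, op, verb and key=value fields (or peer)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "conn": int(m.group("conn")), "op": None, "verb": "INFO"}
    op = OP_RE.match(m.group("rest"))
    if op:
        rec["op"], rec["verb"] = int(op.group("op")), op.group("verb")
        for key, value in KV_RE.findall(op.group("detail")):
            rec[key] = value[1:-1] if value.startswith('"') else value
    else:
        peer = re.search(r"connection from (\S+) to ", m.group("rest"))
        if peer:
            rec["peer"] = peer.group(1)
    return rec


def summarize(text):
    """Return {conn: {"peer", "bind_dn", "bind_err", "ops": {op: {...}}}}."""
    conns = {}
    for line in unwrap(text):
        rec = parse_record(line)
        if rec is None:
            continue
        c = conns.setdefault(rec["conn"],
                             {"peer": None, "bind_dn": None, "bind_err": None, "ops": {}})
        if rec["verb"] == "INFO":
            c["peer"] = rec.get("peer", c["peer"])
        elif rec["verb"] == "RESULT":
            entry = c["ops"].get(rec["op"])
            if entry is not None:                # pair the result with its request
                entry["err"] = int(rec["err"])
                entry["nentries"] = int(rec.get("nentries", 0))
                if entry["verb"] == "BIND":
                    c["bind_err"] = entry["err"]
        else:
            keep = ("dn", "base", "scope", "filter", "attrs")
            c["ops"][rec["op"]] = {"verb": rec["verb"], "err": None,
                                   **{k: rec[k] for k in keep if k in rec}}
            if rec["verb"] == "BIND":
                c["bind_dn"] = rec.get("dn")
    return conns


def failed_binds(conns):
    """[(conn, dn, err, name)] for every connection whose BIND did not succeed."""
    return [(cid, c["bind_dn"], c["bind_err"],
             LDAP_RESULT_CODES.get(c["bind_err"], "unknown"))
            for cid, c in sorted(conns.items())
            if c["bind_dn"] is not None and c["bind_err"] not in (None, 0)]


if __name__ == "__main__":
    for cid, dn, err, name in failed_binds(summarize(SAMPLE_LOG)):
        print(f"conn={cid} bind as {dn} failed: err={err} ({name})")
```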


[Freeipa-users] Re: LDAP - Zammad -> not offering all fields

2018-11-12 Thread Alexander Bokovoy via FreeIPA-users

On ma, 12 marras 2018, Tobi Berninger via FreeIPA-users wrote:

Hey,
I just tried to add a new user as described in the HowTo/LDAP from
FreeIPA, and the console doesn't show any errors,
but when I try to use that user as a bind user it won't work at all.
Maybe something bigger isn't working?
These are the bind settings I use in Zammad:
dc=int,dc=asta-frankfurt,dc=de
uid=system4,cn=users,cn=accounts,dc=int,dc=asta-frankfurt,dc=de
This is the log when I try:
[12/Nov/2018:12:56:12.367897702 +0100] conn=5 op=117374 RESULT err=0 tag=101 nentries=1 etime=0.079172
[12/Nov/2018:12:56:12.368072341 +0100] conn=5 op=117375 MOD dn="fqdn=radius.int.asta-frankfurt.de,cn=computers,cn=accounts,dc=int,dc=asta-frankfurt,dc=de"
[12/Nov/2018:12:56:12.370654530 +0100] conn=5 op=117375 RESULT err=0 tag=103 nentries=0 etime=0.0002612503 csn=5be96b5fa6f30004
[12/Nov/2018:12:56:12.372265034 +0100] conn=74960 op=1 UNBIND
[12/Nov/2018:12:56:12.372279026 +0100] conn=74960 op=1 fd=146 closed - U1
[12/Nov/2018:12:56:15.498614694 +0100] conn=74961 fd=146 slot=146 SSL connection from 10.8.0.1 to 10.8.0.6
[12/Nov/2018:12:56:15.531133872 +0100] conn=74961 TLS1.2 256-bit AES-GCM
[12/Nov/2018:12:56:15.558425764 +0100] conn=74961 op=0 BIND dn="uid=system4,cn=users,cn=accounts,dc=int,dc=asta-frankfurt,dc=de" method=128 version=3
[12/Nov/2018:12:56:15.558859253 +0100] conn=74961 op=0 RESULT err=48 tag=97 nentries=0 etime=0.0059811400
[12/Nov/2018:12:56:15.586313574 +0100] conn=74961 op=-1 fd=146 closed - B1

With that change in settings, binding isn't working at all;
when I change back to system3 (the account I am also using for
Nextcloud) it is working fine, and when I try it with a normal user there are also no
problems.

Can you show what attributes it tries to retrieve? I think the core of
the issue is two-fold: there was a regression bug in 389-ds that applied
anonymous user rights in doing ACI evaluation sometimes. I need to see what
attributes are requested to see which ACIs are affected.





[Freeipa-users] Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials

2018-11-13 Thread Alexander Bokovoy via FreeIPA-users

On ma, 12 marras 2018, Mustafa Karci via FreeIPA-users wrote:

Dear Alexander,

Is this issue still ongoing? Still getting the following error when
freeipa server tries to join a Windows 2019 AD server.

ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied
your credentials

Could you please provide more details? The original thread was about
Samba AD and you are talking about Windows 2019 AD server.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: smartcard auth + kerberos ticket?

2018-11-15 Thread Alexander Bokovoy via FreeIPA-users

On to, 15 marras 2018, Natxo Asenjo via FreeIPA-users wrote:

hi,

I can successfully login using a smartcard (fedora 29 client, centos 7
kdcs, latest patch level).

However, when I try to access a kerberized service, I need to kinit first,
because I don't have a ticket:

$ klist
klist: Credentials cache 'KCM:100601' not found

I already have krb5-pkinit on the client and if I kinit -n I get a
wellknown/anonymous ticket from the kdcs, but this is obviously not what I
had in mind :-)

Am I doing something wrong or is this to be expected?

Enable debug_level=9 in sssd configuration (domain section) and try to
login with smartcard, then provide krb5_child.log to see what's
happening.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials

2018-11-15 Thread Alexander Bokovoy via FreeIPA-users

On ti, 13 marras 2018, Mustafa Karci via FreeIPA-users wrote:

Dear Alexander,

The main intention is to setup a freeipa-server with a trust domain to
a Windows 2019 AD server. So for all windows env we would like to use
Windows 2019AD server and for all our Linux based server we would like
to use FreeIPA-server.

From this point we have set up a basic Windows 2019 AD domain with the
following realm: ad.srv.world. The FreeIPA server has the following
realm: ipa.srv.world.

The Windows 2019 server also acts as the DNS server, while the
freeipa-server has its own DNS rules and a forwarding rule enabled for
zone ad.srv.world (Windows 2019 DNS server).


From the ipa-server run the following command

ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx

All seems to be working OK on the ipa-server. But when trying to add the
freeipa server to a Windows 2019 AD I'm getting the following error:

ipa trust-add --type=ad ad.srv.world --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials

Already tried to change permissions on the AD side, but the group policy
domain admin should be enough to set up a trusted domain between these
two.

No, this is not (at least not yet) on the AD side. You need to look into
the Samba logs. Your excerpts from the logs below show that Samba is able
to authenticate the connection from the IPA framework properly and
understands that this is a constrained delegation use (the HTTP/...
service principal acts on behalf of the 'admin' user principal). However, it
is not able to validate that the 'admin' user has enough permissions to
perform what is needed:


Successfully validated Kerberos PAC
 pac_data: struct PAC_DATA
   num_buffers  : 0x0005 (5)
   version  : 0x (0)
   buffers: ARRAY(5)
     buffers: struct PAC_BUFFER
       type : PAC_TYPE_LOGON_INFO (1)
       _ndr_size: 0x01a8 (424)
       info : *
         info : union PAC_INFO(case 1)
           logon_info: struct PAC_LOGON_INFO_CTR
             info : *
               info: struct PAC_LOGON_INFO
                 info3: struct netr_SamInfo3
                   base: struct netr_SamBaseInfo
                     logon_time   : NTTIME(0)
                     logoff_time  : Thu Jan  1 01:00:00 AM 1970 CET
                     kickoff_time : Thu Jan  1 01:00:00 AM 1970 CET
                     last_password_change : Fri Nov  2 04:41:05 PM 2018 CET
                     allow_password_change: NTTIME(0)
                     force_password_change: Thu Jan  1 01:00:00 AM 1970 CET
                     account_name: struct lsa_String
                       length   : 0x000a (10)
                       size : 0x000a (10)
                       string   : *
                         string   : 'admin'
                     full_name: struct lsa_String
                       length   : 0x001a (26)
                       size : 0x001a (26)
                       string   : *
                         string   : 'Administrator'
                     logon_script: struct lsa_String
                       length   : 0x (0)
                       size : 0x (0)
                       string   : *
                         string   : ''
                     profile_path: struct lsa_String
                       length   : 0x (0)
                       size : 0x (0)
                       string   : *
                         string   : ''
                     home_directory: struct lsa_String
                       length   : 0x (0)
                       size : 0x (0)
                       string   :

[Freeipa-users] Re: Change IP address of IPA server

2018-11-15 Thread Alexander Bokovoy via FreeIPA-users

On to, 15 marras 2018, John Duino via FreeIPA-users wrote:

Due to some preferred changes in our environment, we would like to change
the IP address of two of our servers. My thinking is that we stop IPA on
those hosts, change their IP and power down, then change the IP in the DNS
of the running IPA's, then bring the two servers up. I am assuming all
associations are done via fqdn and not an IP, is that correct? Is this safe
or am I risking some corruption to the environment?

You are correct. If you have other nodes serving DNS, then changing IP
addresses there should be enough.

Before powering down check that /etc/hosts has been updated with new IP
addresses, if the old ones are there.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: FreeIPA PPC64LE builds

2018-11-15 Thread Alexander Bokovoy via FreeIPA-users

On ti, 13 marras 2018, Pieter Baele via FreeIPA-users wrote:

RHEL is indeed available for Power 8 and Power 9.
But FreeIPA server is not, only the clients / sssd :-(

It takes time and effort to validate those platforms. With RHEL 8 beta
we have full coverage for all RHEL architectures.

It has been pointed out to me that CentOS c7.1810 has rebuilt IPA packages for
ppc64le:
https://buildlogs.centos.org/c7.1810.00.ppc64le/ipa/20181105014728/4.6.4-10.el7.centos.ppc64le/
However, nobody did any functional testing of the server packages there
and I don't think CentOS does any real testing of IPA at all. So your
mileage may vary.

If you are interested in giving feedback on how IPA server works on
POWER, please try RHEL 8 beta.






On Mon, Nov 12, 2018 at 7:14 PM Rob Crittenden  wrote:


Pieter Baele via FreeIPA-users wrote:
> Seriously? I could not find them in our internal satellite 6 install and
> support was going more into the subject of the IBM acquisition then
> technical stuff

I saw it on access.redhat.com -> Downloads, Red Hat Enterprise Linux for
Power, little endian.

rob

>
> On Mon, 12 Nov 2018, 17:55 Rob Crittenden,  > wrote:
>
> Pieter Baele via FreeIPA-users wrote:
> > Anyone an idea what the timeline/roadmap is for FreeIPA ipa-server
> > PPC64LE build for Centos 7 (or RH IDM on RHEL 7/8)
> >
> > I only see some packages for PowerPC on Fedora and Ubuntu
>
> ppc64le RHEL builds are available for RHEL 7 today (and IdM is part
of
> RHEL).
>
> You'll need to ask CentOS for what they build on/support.
>
> rob
>
>
>








--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Export service keytab as Active Directory user

2018-11-23 Thread Alexander Bokovoy via FreeIPA-users
Not possible in centos 7.

Possible in RHEL8 beta.

(Sorry for being short, I'm on the phone)

- Michael Gusek via FreeIPA-users wrote:
> Hi,
> 
> we are running FreeIPA 4.5.4 on Centos 7 with a one way trust to an
> Active Directory. We want to allow AD users to retrieve service keytab
> on FreeIPA managed hosts. AD users are linked to a external group, and
> these group to a FreeIPA group.  We've created a service and allowed
> FreeIPA group (for testing external group too) to retrieve keytab. Now
> we logged in with AD credentials to a FreeIPA managed host, got an
> ticket with kinit user@AD-domain and tried to retrieve keytab for
> service, which runs in an error "Failed to parse result: Insufficient
> access rights". With an FreeIPA user, added to FreeIPA group above, it
> works.
> 
> So what we are missing here ? Is it possible to retrieve service keytabs
> as a trusted AD user ?
> 
> Thanks.
> 
> 

-- 
/ Alexander Bokovoy


[Freeipa-users] Re: Web app integration

2018-11-25 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 25 Nov 2018, Alex Corcoles via FreeIPA-users wrote:

Hi,

I've read:

https://www.freeipa.org/page/Web_App_Authentication

, but there is some stuff that is not clear to me.

1) SAML

As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
Keycloak is the way to go, right?

No. Both Ipsilon and Keycloak are healthy and kicking well. Ipsilon is
what Fedora Project's FAS service is built upon.



However, Keycloak setup is not trivial, correct? Running CentOS there
is no straightforward way to install and integrate it with a FreeIPA
domain, correct?

Not correct either. With the current Keycloak release there are detailed
(and fairly simple) instructions:
https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd

For OpenShift-based deployment Fraser did a blog: 
https://frasertweedale.github.io/blog-redhat/posts/2017-09-04-keycloak-openshift.html




2) SSO

What is the special sauce for users using a browser on an IPA-joined
system to log in to apps without even seeing a login form? SPNEGO?

I'm using mod_auth_gssapi for some apps, having httpd do the
authentication and forward it through REMOTE_USER, but it doesn't do
the magic. There are some hints on mod_auth_gssapi's docs, but nothing
really clear.

Clients need to be configured to accept and allow Negotiate
authentication. My recommendation (and the one we applied to browsers in
Fedora) is to set your

  network.negotiate-auth.trusted-uris

to

  https://

The logic in Firefox is to match a substring from what is in the
network.negotiate-auth.trusted-uris setting. Setting it to allow
Negotiate on any HTTPS site is enough. If the site offers Negotiate
authentication, the browser will attempt to obtain a Kerberos service ticket
to that site. If that is not possible (the KDC doesn't know about the host),
Negotiate authentication will not continue and the site will never know
a Negotiate authentication was attempted but failed.

You can achieve the same with Chrome/Chromium (the policy file is JSON, so
no trailing comma after the last key):

$ cat /etc/chromium/policies/managed/negotiate.json
{
   "AuthServerWhitelist": "*"
}





3) How should you deliver apps?

Suppose you are a web app developer and you want to deliver a web
application which can easily integrate with FreeIPA. What's the most
comfortable option you can give? (assuming, for instance, that you want
the SSO magic sauce). Is there any difference between apps that will
run on the FreeIPA's domain owner's systems or third party apps?

I don't think there is any difference. From the perspective of a client
browser, authentication happens between the client and the SSO host, not
the web app. So strictly speaking, only the SSO host needs to be enrolled. A
client system needs to be able to operate with Kerberos to obtain the
tickets automatically for SSO, but that is not strictly necessary, as the user could
enter his/her credentials instead.

How the SSO framework authenticates the web app is a totally separate matter. For
example, I run the HackMD app with authentication handled against my own
FreeIPA via Ipsilon. HackMD uses OAuth OpenID Connect against Ipsilon and is
totally disconnected from FreeIPA's view of the users, their
authentication, etc. All it knows is what the Ipsilon OAuth OpenID Connect
assertion tells it about the user.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Web app integration

2018-11-25 Thread Alexander Bokovoy via FreeIPA-users

On su, 25 marras 2018, Alex Corcoles via FreeIPA-users wrote:

Hi,

On Sun, 2018-11-25 at 14:48 +0200, Alexander Bokovoy wrote:

1) SAML
>
> As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
> Keycloak is the way to go, right?
No. Both Ipsilon and Keycloak are healthy and kicking well. Ipsilon
is
what Fedora Project's FAS service is built upon.


Oh, but the RHEL 7.5 release notes say:


Red Hat Access plug-in for IdM is discontinued
The Red Hat Access plug-in for Identity Management (IdM) was removed
in Red Hat Enterprise Linux 7.3. During the update, the redhat-
access-plugin-ipa package is automatically uninstalled. Features
previously provided by the plug-in, such as Knowledgebase access and
support case engagement, are still available through the Red Hat
Customer Portal. Red Hat recommends to explore alternatives, such as
the redhat-support-tool tool.
The Ipsilon identity provider service for federated single sign-on
The ipsilon packages were introduced as Technology Preview in Red Hat
Enterprise Linux 7.2. Ipsilon links authentication providers and
applications or utilities to allow for single sign-on (SSO).
Red Hat does not plan to upgrade Ipsilon from Technology Preview to a
fully supported feature. The ipsilon packages will be removed from
Red Hat Enterprise Linux in a future minor release.
Red Hat has released Red Hat Single Sign-On as a web SSO solution
based on the Keycloak community project. Red Hat Single Sign-On
provides greater capabilities than Ipsilon and is designated as the
standard web SSO solution across the Red Hat product portfolio.


https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.5_release_notes/chap-red_hat_enterprise_linux-7.5_release_notes-deprecated_functionality

and there have been no commits to the Ipsilon repo in a year...

RHEL is not shipping Ipsilon; that's all the text above explains.

The Fedora Project is using it; Fedora's FAS service is deployed on RHEL
and it is rock-solid for the functionality they use. There are 15 pull
requests open, so clearly some work is ongoing. If you are interested,
talk to the Ipsilon developers.




> However, Keycloak setup is not trivial, correct? Running CentOS
> there
> is no straightforward way to install and integrate it with a
> FreeIPA
> domain, correct?
Not correct either. With current Keycloak release there is a detailed
(and fairly simple) instruction:
https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd

For OpenShift-based deployment Fraser did a blog:
https://frasertweedale.github.io/blog-redhat/posts/2017-09-04-keycloak-openshift.html


I mean it still requires a sizable amount of elbow grease. I think
there is no systemd unit file, it doesn't come as an RPM which can be
easily upgraded, etc.

I think Java applications have a somewhat different way of distribution, so
Keycloak is more oriented towards that than a pure system service.


Even if Ipsilon is phased out I think I'll try again. IIRC, I had an
issue doing a test run, read about Keycloak being the future and gave
up quickly. RHEL 7 is still good for a few years, so maybe I have an
alternative solution on RHEL 8 when it dies.

Keycloak's benefits are in its ability to integrate well with existing
Java-based web applications. It becomes part of the established
infrastructure there and makes SSO screens tuned to the design of the
app, giving a better user experience.




> 2) SSO
>
> What is the special sauce for users using a browser on an IPA-
> joined
> system to log in to apps without even seeing a login form? SPNEGO?
>
> I'm using mod_auth_gssapi for some apps, having httpd do the
> authentication and forward it through REMOTE_USER, but it doesn't
> do
> the magic. There are some hints on mod_auth_gssapi's docs, but
> nothing
> really clear.
Clients need to be configured to accept and allow Negotiate
authentication. My recommendation (and the one we applied to browsers in
Fedora) is to set your

  network.negotiate-auth.trusted-uris

to

  https://

The logic in Firefox is to match a substring from what is in the
network.negotiate-auth.trusted-uris setting. Setting it to allow
negotiate on any HTTPS site is enough. If the site offers Negotiate
authentication, browser will attempt to obtain a Kerberos service ticket
to that site. If that is not possible (KDC doesn't know about the host),
Negotiate authentication will not continue and the site will never know
a Negotiate authentication was attempted but failed.


That's how my Firefox in FC28-29 was configured OOB, but while it works
perfectly on the IPA web interface, an httpd site which has:


 AuthType GSSAPI
 AuthName "Kerberos Login"
 GssapiCredStore keytab:/etc/xxx.keytab
 GssapiBasicAuth On
 require valid-user


does perfect validation, but no SSO.

mod_auth_gssapi produces a cookie that should be served back to the
client. If the client returns the same cookie, mod_auth_gssapi will handle
SSO for the client automatically.



> 3) How should you deliver apps?
>
> Suppose you

[Freeipa-users] Re: Export service keytab as Active Directory user

2018-11-26 Thread Alexander Bokovoy via FreeIPA-users

On ma, 26 marras 2018, Michael Gusek via FreeIPA-users wrote:

Thx a lot. So we will export keytabs for our AD users.

Sorry, how would this help? Your real issue is that you cannot assign
group membership in LDAP to AD users; this is where access rights are
checked.

You can read a basic explanation at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/installing_identity_management_and_access_control/enabling-ad-user-to-administer-idm-fin-fin

or more details at https://github.com/abbra/freeipa-adusers-admins



Micha


Am 23.11.18 um 16:25 schrieb Alexander Bokovoy via FreeIPA-users:

Not possible in centos 7.

Possible in RHEL8 beta.

(Sorry for being short, I'm on the phone)

- Michael Gusek via FreeIPA-users  
wrote:

Hi,

we are running FreeIPA 4.5.4 on Centos 7 with a one way trust to an
Active Directory. We want to allow AD users to retrieve service keytab
on FreeIPA managed hosts. AD users are linked to a external group, and
these group to a FreeIPA group.  We've created a service and allowed
FreeIPA group (for testing external group too) to retrieve keytab. Now
we logged in with AD credentials to a FreeIPA managed host, got an
ticket with kinit user@AD-domain and tried to retrieve keytab for
service, which runs in an error "Failed to parse result: Insufficient
access rights". With an FreeIPA user, added to FreeIPA group above, it
works.

So what we are missing here ? Is it possible to retrieve service keytabs
as a trusted AD user ?

Thanks.



--
Michael Gusek | System Administrator | Webtrekk GmbH |
t +49 30 755 415 302 | f +49 30 755 415 100 | w www.webtrekk.com
Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO
Christian Sauer and Norman Wahnschaff








--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: How to add host with subdomain local..de

2018-11-27 Thread Alexander Bokovoy via FreeIPA-users

On ti, 27 marras 2018, 74cmonty via FreeIPA-users wrote:

Hi Florence,

I intend to define a subdomain for each network, e.g.
DMZ = dmz..de (10.0.0.0/24) -> VLAN
LAN = local..de (192.168.1.0/24)
SHZ = smz..de (Smart Home Network) (10.0.10.0/28) -> VLAN

Does this make sense to you?
Or is this an overkill?

There is no specific reason to object here, from FreeIPA's point of view,
of course.

Look at ipa-client-install's manual page:
-
  DNS Autodiscovery
  Client installer by default tries to search for _ldap._tcp.DOMAIN
  DNS SRV records for all domains that are parent to its hostname.
  For example, if a client machine has a hostname
  'client1.lab.example.com', the installer will try to retrieve an
  IPA server hostname from _ldap._tcp.lab.example.com,
  _ldap._tcp.example.com and _ldap._tcp.com DNS  SRV  records,
  respectively. The discovered domain is then used to configure
  client components (e.g. SSSD and Kerberos 5 configuration) on the
  machine.

  When  the  client machine hostname is not in a subdomain of an
  IPA server, its domain can be passed with --domain option. In
  that case, both SSSD and Kerberos components have the domain set
  in the configuration files and will use it to autodiscover IPA
  servers.

  Client machine can also be configured without a DNS autodiscovery
  at all. When both --server and --domain options are used, client
  installer will use  the  specified  server  and domain  directly.
  --server option accepts multiple server hostnames which can be
  used for failover mechanism. Without DNS autodiscovery, Kerberos
  is configured with a fixed list of KDC and  Admin servers. SSSD
  is still configured to either try to read domain's SRV records or
  the specified fixed list of servers. When --fixed-primary option
  is specified, SSSD will not try to read DNS SRV record at all (see
  sssd-ipa(5) for details).
-

So it is irrelevant where the client is -- pass --domain 
to ipa-client-install and it will be discovered automatically.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
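The autodiscovery walk quoted from the ipa-client-install manual page above, as an added Python example (not FreeIPA's own installer code): it derives the _ldap._tcp SRV names from a client hostname, nearest parent domain first, orders the answers the way RFC 2782 prescribes (priority, then weighted random), and returns the discovered domain, or None when no parent domain answers, which is the case where --domain (and possibly --server) has to be passed explicitly. The SRV answers are constructed sample data; no DNS query is made.

```python
import random
from dataclasses import dataclass

SERVICE = "_ldap._tcp"


def srv_candidates(hostname: str, service: str = SERVICE) -> list:
    """SRV names to query for a client hostname, nearest parent domain first:
    client1.lab.example.com -> _ldap._tcp.lab.example.com, _ldap._tcp.example.com,
    _ldap._tcp.com. A bare hostname has no parent domain and yields nothing."""
    labels = hostname.rstrip('.').lower().split('.')
    return [f"{service}.{'.'.join(labels[i:])}" for i in range(1, len(labels))]


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def _weighted_shuffle(records, rng):
    """Order records of equal priority by weighted random selection (RFC 2782);
    weight-0 entries are picked only when nothing else is left."""
    remaining, out = list(records), []
    while remaining:
        total = sum(r.weight for r in remaining)
        x = rng.random() * total
        acc, pick = 0, remaining[-1]
        for r in remaining:
            acc += r.weight
            if x < acc:
                pick = r
                break
        out.append(pick)
        remaining.remove(pick)
    return out


def order_servers(records, rng=None):
    """Lowest priority first; weighted random order within the same priority."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        ordered.extend(_weighted_shuffle([r for r in records if r.priority == prio], rng))
    return ordered


def discover(hostname: str, answers: dict, service: str = SERVICE, rng=None):
    """Mimic the installer's walk: return (domain, ordered servers) for the first
    candidate SRV name that has records, or None when no parent domain answers."""
    for name in srv_candidates(hostname, service):
        records = answers.get(name)
        if records:
            return name[len(service) + 1:], order_servers(records, rng)
    return None


# Constructed SRV answers (sample data for this example; no DNS lookup is done).
SAMPLE_ANSWERS = {
    "_ldap._tcp.example.com": [
        SrvRecord(0, 100, 389, "ipa1.example.com."),
        SrvRecord(0, 50, 389, "ipa2.example.com."),
        SrvRecord(10, 0, 389, "ipa-dr.example.com."),
    ],
}

if __name__ == "__main__":
    print(srv_candidates("client1.lab.example.com"))
    print(discover("client1.lab.example.com", SAMPLE_ANSWERS, rng=random.Random(1)))
    print(discover("client1", SAMPLE_ANSWERS))
```

For client1.lab.example.com the lab.example.com candidate has no records, so the walk falls through to example.com, which is then the domain written into the SSSD and Kerberos configuration; the priority-10 backup server always sorts last.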


[Freeipa-users] Re: LDAP Group Membership puzzle

2018-11-27 Thread Alexander Bokovoy via FreeIPA-users

On ti, 27 marras 2018, Peter Tselios via FreeIPA-users wrote:

Hello,
I have a non-IPA-aware application that successfully logs in users from IPA's LDAP.
However, I cannot make it work with group membership. It seems that the LDAP
filter is not working, and using LDAP search proves that the app is not wrong.

So, what I have:
myself (ptselios) member of the group grafana-adms.

The group is stored as:
ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" -b "cn=groups,cn=accounts,dc=example,dc=com" "(&(objectClass=groupOfNames)(cn=grafana-adms))" -h localhost -p 389 -s sub

dn: cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com
member: uid=ptselios,cn=users,cn=accounts,dc=example,dc=com
member: uid=anotheruser,cn=users,cn=accounts,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-120251393-583861438-3385547448-1050
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: grafana-adms
description:: blabla
ipaUniqueID: ccc54368-ce1d-11e8-b523-06db1b82a33a
gidNumber: 690200050

Now, when I search with the memberuid I get an empty response:
ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" -b "cn=groups,cn=accounts,dc=example,dc=com" "(&(objectClass=groupOfNames)(memberuid=ptselios))" -h localhost -p 389 -s sub

# search result
search: 2
result: 0 Success

# numResponses: 1

Obviously, the filter is wrong, but what is the correct one?

memberUid is an attribute from RFC2307. The primary tree in FreeIPA
uses the RFC2307bis schema, where there is no memberUid attribute;
the member attribute is used instead. The difference is that the 'member'
attribute holds the full DN of the member object, while memberUid is just a user
name.

The memberUid attribute is provided in the compat subtree.

Are you able to modify your application to use the RFC2307bis schema?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
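The two group views described in the answer above, as an added Python example (not FreeIPA's code and not the application in the question): it builds the filter for the RFC2307bis tree, where the uid first has to become the user's full DN, and the filter for the compat tree, which serves memberUid; a small filter evaluator then runs both against constructed entries modelled on the group shown in the question. The objectClass posixGroup on the compat entry and the exact DN layout are assumptions; the entries are sample data, not output from a directory. Both filter builders escape their input per RFC 4515/4514, so a uid taken from a login form cannot add clauses to the filter, and the evaluator shows that the escaped form fails to match rather than widening the search.

```python
import re

# Users subtree as shown in the thread; the group entries below are constructed.
ACCOUNTS_USERS = "cn=users,cn=accounts,dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515). Without this, a uid
    such as 'x)(uid=*' taken from user input would rewrite the filter."""
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = ''.join('\\' + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    if out.startswith(('#', ' ')):
        out = '\\' + out
    return out


def member_filter(uid: str) -> str:
    """RFC2307bis tree (cn=groups,cn=accounts): 'member' holds the user's full DN."""
    dn = f"uid={escape_dn_value(uid)},{ACCOUNTS_USERS}"
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(dn)}))"


def compat_filter(uid: str) -> str:
    """Compat tree (cn=groups,cn=compat): RFC2307 'memberUid' holds the bare
    user name. objectClass posixGroup is assumed for those entries."""
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(uid)}))"


def parse_ldif(text: str) -> dict:
    """Turn a plain (non-base64) LDIF entry into {attr_lower: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(':')
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def _components(s: str) -> list:
    """Split '(a=b)(c=d)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == '(':
            if depth == 0:
                start = i
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def matches(entry: dict, flt: str) -> bool:
    """Evaluate a filter made of &, |, ! and equality assertions against an entry.
    Values compare case-insensitively, as the directory does for objectClass, cn,
    uid and DN-syntax attributes. Escapes are decoded only after the filter has
    been split into components, so escaped user input cannot add clauses."""
    body = flt[1:-1]
    if body[0] == '&':
        return all(matches(entry, c) for c in _components(body[1:]))
    if body[0] == '|':
        return any(matches(entry, c) for c in _components(body[1:]))
    if body[0] == '!':
        return not matches(entry, body[1:])
    attr, _, value = body.partition('=')
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in entry.get(attr.lower(), []))


# Constructed sample entries modelled on the group in the question.
ACCOUNTS_GROUP = parse_ldif("""
dn: cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com
member: uid=ptselios,cn=users,cn=accounts,dc=example,dc=com
member: uid=anotheruser,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
cn: grafana-adms
gidNumber: 690200050
""")

COMPAT_GROUP = parse_ldif("""
dn: cn=grafana-adms,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
memberUid: ptselios
memberUid: anotheruser
cn: grafana-adms
gidNumber: 690200050
""")

if __name__ == "__main__":
    for name, entry in (("accounts", ACCOUNTS_GROUP), ("compat", COMPAT_GROUP)):
        print(name, "member:", matches(entry, member_filter("ptselios")),
              "memberUid:", matches(entry, compat_filter("ptselios")))
```

Run against the accounts-tree entry, the memberUid filter matches nothing, which is exactly the empty result in the question, while the member filter matches; against the compat-tree entry the memberUid filter matches. An application that can only issue memberUid filters therefore has to be pointed at cn=compat as its group base.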


[Freeipa-users] Re: LDAP Group Membership puzzle

2018-11-27 Thread Alexander Bokovoy via FreeIPA-users

On ti, 27 marras 2018, Peter Tselios via FreeIPA-users wrote:

I don't see any option to change the search schema.
Is there any way to get a similar result with the RFC2307bis schema? Like,
using a more complex filter?

No.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Issue setting up FreeIPA and Samba

2018-11-29 Thread Alexander Bokovoy via FreeIPA-users

On to, 29 marras 2018, Robert Byrne via FreeIPA-users wrote:

Hi,

I am trying to setup FreeIPA to authenticate users logging into Linux
systems, but would also like to use this to authenticate users
accessing Samba shares from Windows clients. The problem is that I
cannot access the shares at all from Windows clients and when I try to
access a share from a Linux client, the following error message is
printed:

We do not support this yet. Mounting shares from Windows requires
Windows applications to look up users and groups via the Global Catalog
service on the side of the domain where the share belongs (IPA). As we do
not provide a GC service, Windows clients fail.

As to the other direction, there are known bugs too. I recently outlined
some of them on samba-technical@ -- 
https://lists.samba.org/archive/samba-technical/2018-November/131274.html

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

2018-11-30 Thread Alexander Bokovoy via FreeIPA-users

On pe, 30 marras 2018, John Petrini via FreeIPA-users wrote:

Good to know mname override is available in the WebUI. I had no idea.

Just another bit of info you might find useful, if you make the mname
override blank it removes it and you can control the SOA mname per
zone via the Authoritative nameserver option.

John and Johnathan, would you please make a short write up with steps
(screenshots) how to set this up? Markdown would be great and any plain
text is good too.

You can send it to me and I'll add it as a howto on freeipa.org.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

2018-11-30 Thread Alexander Bokovoy via FreeIPA-users

On pe, 30 marras 2018, Jonathan Vaughn wrote:

John, thanks for the tip on removing the MNAME to allow the SOA to define
it (changing the SOA was actually the first thing I tried, and when that
didn't work I remembered reading something about fake_mname, which Google
results kept telling me was in named.conf but at some point moved to LDAP
and was accessible via the UI). I might stick with just changing it at the
server level vs SOA level (so that all replicas list themselves in the SOA
and not just the one set on the zone), but it's good to know we have the
option if it turns out to be a better course of action.

Alexander, I can try to write it up when I get the chance. I can't
guarantee any kind of ETA for it though ;)

Thanks. I think we are all moving into traditional festivities and then
our traditional conferences, so if there is a chance to get it around
FOSDEM/DevConf.cz at the end of January/beginning of February, that
would be fantastic. If not, later comes spring time and it will also be
comfortable. ;)



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-02 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 02 Dec 2018, 74cmonty via FreeIPA-users wrote:

Hi,
after completing master installation I started setup of replica.
This means I first enrolled the replica server as a client and then executed 
this command:
ipa-replica-install

The installation log reports this error:
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'

Is this an error or normal behavior of replica installation?
It is a bug tracked at https://pagure.io/freeipa/issue/7200. 


For a solution, try to move away both /var/kerberos/krb5kdc/kdc.key and
kdc.crt, then re-run 'ipa-pkinit-manage enable'; this is what the pull
request at https://github.com/freeipa/freeipa/pull/2630 is doing.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-02 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 02 Dec 2018, 74cmonty via FreeIPA-users wrote:

Actually I executed these commands before you replied on the replica server:
[root@ipa-replica ~]# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
[root@ipa-replica ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
 [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@ipa-replica ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful

This means I didn't delete any kdc.key / kdc.crt file.

Can you show the output of 'getcert list -f /var/kerberos/krb5kdc/kdc.crt'?

If you see something like below, then you are OK; if not, then do follow
my suggestion. Your CA must be IPA, the issuer must be cn=Certificate
Authority,O=$REALM, the principal name must be krbtgt/$REALM@$REALM, and
proper key usage and EKUs must be present.

# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 10.
Request ID '20181128171106':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=echo.example.com,O=EXAMPLE.COM
expires: 2020-11-28 18:11:07 CET
principal name: krbtgt/example@example.com
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert

track: yes
auto-renew: yes


The files are different compared to ipa-master.

Should I repeat creating the files on replica server?

Yes, they should be different, as they are stored and managed by each server
separately (note the subject in each case).

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-02 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 02 Dec 2018, 74cmonty via FreeIPA-users wrote:

Hi,
this is the output that looks good to me... but I'm not the expert.

It is not good, as I suspected.



[root@ipa-replica ~]# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 4.
Request ID '20181202164246':
   status: MONITORING
   stuck: no
   key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
   certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
   CA: IPA
   issuer: CN=ipa-replica.mydomain.de,O=MYDOMAIN.DE

You have the wrong issuer here.


   subject: CN=ipa-replica.mydomain.de,O=MYDOMAIN.DE
   expires: 2019-12-02 17:26:59 CET
   principal name: krbtgt/mydomain...@mydomain.de
   certificate template/profile: KDCs_PKINIT_Certs

And no EKUs or key usage defined.

Please follow my suggestion to move out the cert/key and try again with
'ipa-pkinit-manage enable'.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
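The criteria given two replies up (CA is IPA, issuer is the IPA CA, principal is krbtgt/$REALM@$REALM, proper key usage and the id-pkinit-KPKdc EKU) and the broken replica output in this reply, turned into a check over 'getcert list' output. This is an added example, not code from the thread or from FreeIPA; the EXAMPLE.COM realm, the host names and both getcert samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): validate a KDC PKINIT certificate by
# parsing 'getcert list' output against the criteria from the reply above.
# Live use:  getcert list -f /var/kerberos/krb5kdc/kdc.crt | check_kdc_cert EXAMPLE.COM

# Print the value of one "name: value" line of getcert output read from stdin.
getcert_field() {
    sed -n "s/^[[:space:]]*$1: *//p" | head -n 1
}

# check_kdc_cert REALM   (getcert output on stdin)
# Returns 0 when all criteria hold; otherwise reports each failure and returns 1.
check_kdc_cert() {
    realm=$1
    text=$(cat)
    rc=0
    ca=$(printf '%s\n' "$text" | getcert_field CA)
    issuer=$(printf '%s\n' "$text" | getcert_field issuer)
    princ=$(printf '%s\n' "$text" | getcert_field 'principal name')
    usage=$(printf '%s\n' "$text" | getcert_field 'key usage')
    eku=$(printf '%s\n' "$text" | getcert_field eku)

    [ "$ca" = IPA ] || { echo "CA is '$ca', expected IPA"; rc=1; }
    # A self-signed KDC cert shows the server's own name as issuer; reject it.
    [ "$issuer" = "CN=Certificate Authority,O=$realm" ] ||
        { echo "issuer is '$issuer', expected CN=Certificate Authority,O=$realm"; rc=1; }
    [ "$princ" = "krbtgt/$realm@$realm" ] ||
        { echo "principal is '$princ', expected krbtgt/$realm@$realm"; rc=1; }
    case ",$usage," in
        *,digitalSignature,*) ;;
        *) echo "key usage lacks digitalSignature (got '$usage')"; rc=1 ;;
    esac
    case ",$eku," in
        *,id-pkinit-KPKdc,*) ;;
        *) echo "eku lacks id-pkinit-KPKdc (got '$eku')"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample modelled on the healthy output quoted in the thread (not real data).
GOOD_OUTPUT=$(cat <<'EOF'
Request ID '20181128171106':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=kdc1.example.com,O=EXAMPLE.COM
        principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        track: yes
EOF
)

# Constructed sample modelled on the broken replica output: self-signed, no usage/EKU.
BAD_OUTPUT=$(cat <<'EOF'
Request ID '20181202164246':
        status: MONITORING
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=ipa-replica.example.com,O=EXAMPLE.COM
        subject: CN=ipa-replica.example.com,O=EXAMPLE.COM
        principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
        certificate template/profile: KDCs_PKINIT_Certs
EOF
)

printf '%s\n' "$GOOD_OUTPUT" | check_kdc_cert EXAMPLE.COM && echo "healthy sample: OK"
printf '%s\n' "$BAD_OUTPUT" | check_kdc_cert EXAMPLE.COM ||
    echo "broken sample: rejected; move kdc.crt/kdc.key away and re-run 'ipa-pkinit-manage enable'"
```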


[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-03 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 03 Dec 2018, 74cmonty via FreeIPA-users wrote:

OK... following your advice I deleted the "old" files.
Then I ran ipa-pkinit-manage enable and got this output:
[root@ipa-replica ~]# rm /var/kerberos/krb5kdc/kdc.crt
rm: reguläre Datei '/var/kerberos/krb5kdc/kdc.crt' entfernen? y
[root@ipa-replica ~]# rm /var/kerberos/krb5kdc/kdc.key
rm: reguläre Datei '/var/kerberos/krb5kdc/kdc.key' entfernen? y
[root@ipa-replica ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
 [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: 
Error 7 connecting to 
https://ipa-replica.biszumbitterenen.de:8443/ca/ee/ca/profileSubmitSSLClient: 
Couldn't connect to server.)

As this line says, certmonger was unable to talk to
https://ipa-replica.biszumbitterenen.de:8443/ca/ee/ca/profileSubmitSSLClient

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-03 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 03 Dec 2018, 74cmonty via FreeIPA-users wrote:

This is true, the connect error is clear.

However, I don't understand why there's a connection error to the
replica-server?  Please note that command ipa-pkinit-manage enable is
executed on the replica-server, means the connection fails to itself.
And there's no instruction to open port 8443 on the server (for
whatever this port is used for).

I guess this is a reincarnation of https://pagure.io/freeipa/issue/6016
(fixed in 4.3) as https://pagure.io/freeipa/issue/6878, which is fixed in
4.6.0 and above.  Installers talk to the local CA directly on 8443 but
everything else should not. (See the last set of comments in the latter ticket.)

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Announcing FreeIPA v4.7.2

2018-12-03 Thread Alexander Bokovoy via FreeIPA-users

The FreeIPA team would like to announce FreeIPA 4.7.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 29 and Fedora 28 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-7/ COPR
repository] and also published to Fedora 28 and Fedora 29 updates.

== Highlights in 4.7.2 ==

Bugfixes to make FreeIPA 4.7 work well on Fedora 29 and RHEL 8.0 beta.

=== Known Issues ===

=== Bug fixes ===
FreeIPA 4.7.2 is a stabilization release for the features delivered as
part of the 4.7 release series.

There are more than 10 bug fixes, details of which can be seen in
the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list 
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on Freenode.


== Resolved tickets ==
* 7779 Update PR-CI definitions to use Fedora 29
* 7776 authselect 1.0.2 fails on unknown feature
* 7772 pylint 2.2.0 violations
* 7769 Installer does not detect that kadmin port 749/UDP is blocked
* 7767 make fasttest errors because of missing python3-lib389
* 7758 pylint-2.1.1 errors on Fedora 29
* 7754 Replace archaic term messagebus with dbus
* 7753 CID 323644: logically dead code in ipaserver.install.adtrust.py
* 7741 Smart card advise script uses hard-coded Python interpreter
* 7729 Bad output on failed client installation rollback
* 7728 RFE: Validation and better error messages when novajoin fails because of SSL errors
* 7723 NTP options fails on ipa replica
* 7671 Remove --no-sssd and --noac options
* 7658 [RFE] sysadm_r should be included in default SELinux user map order
* 7651 ipa-replica-install --setup-kra broken on DL1
* 7408 ipa-replica-install command should display proper message on the console.
* 5378 Incorrect error message at wrong password from private key file

== Detailed changelog since 4.7.1 ==
=== Alexander Bokovoy (6) ===
* Become IPA 4.7.2
* ipa-kdb: reduce LDAP operations timeout to 30 seconds
* ipa-4-7: merge translations from zanata
* ipaserver.install.adtrust: fix CID 323644
* net groupmap: force using empty config when mapping Guests
* adtrust: define Guests mapping after creating cifs/ principal

=== Adam Williamson (1) ===
* Fix authselect invocations to work with 1.0.2

=== Christian Heimes (35) ===
* Update temp commit template to F29
* Increase debugging for blocked port 749 and 464
* Address misc pylint issues in CLI scripts
* pylint: also verify scripts
* pylint: Fix duplicate-string-formatting-argument
* pylint 2.2: Fix unnecessary pass statement
* PR-CI: Restart rpcbind when it blocks kadmin port
* Fix pytest deprecation warning
* certdb: validate server cert signature
* Require pylint 2.1.1-2
* Silence comparison-with-itself in tests
* Fix raising-format-tuple
* Fix various dict related pylint warnings
* Fix Module 'pytest' has no 'config' member
* Fix useless-import-alias
* Fix comparison-with-callable
* Address consider-using-in
* Ignore consider-using-enumerate for now
* Address inconsistent-return-statements
* Address pylint violations in lite-server
* Ignore W504 code style like in travis config
* Fix test_cli_fsencoding on Python 3.7, take 2
* Replace messagebus with modern name dbus
* Copy-paste error in permssions plugin, CID 323649
* Allow ipaapi user to access SSSD's info pipe
* Fix test_cli_fsencoding on Python 3.7
* ipapwd_pre_mod: NULL ptr deref
* ipadb_mspac_get_trusted_domains: NULL ptr deref
* has_krbprincipalkey: avoid double free
* Require Dogtag 10.6.7-3
* Use tasks.install_master() in external_ca tests
* Keep Dogtag's client db in external CA step 1
* Replace hard-coded interpreter with sys.executable
* Don't abuse strncpy() length limitation
* Fix ipadb_multires resource handling

=== François Cami (3) ===
* Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
* Add a shared-vault-retrieve test
* Add sysadm_r to default SELinux user map order

=== Florence Blanc-Renaud (19) ===
* ipatests: add upgrade test for double-encoded cacert
* ipa upgrade: handle double-encoded certificates
* ipatests: add xmlrpc test for user|host-find --certificate
* ipaldap.py: fix method creating a ldap filter for IPACertificate
* ipatests: fix test_replica_uninstall_deletes_ruvs
* ipatests: add test for ipa-replica-install options
* ipa-replica-install: password and admin-password options mutually exclusive
* freeipa.spec.in: add BuildRequires for python3-lib389
* ipatests: add integration test for "Read radius servers" perm
* radiusproxy: add permission for reading radius proxy servers
* tests: add xmlrpc test for ipa user-add --radius-username
* ipa user-add: add optional objectclass for radius-username
* ipatest: add functional test for ipa-backup
* ipa-backup: restart services before compressing 

[Freeipa-users] Re: FreeIPA 4.6.4 Web GUI - Login failed due to an unknown reason.

2018-12-03 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 04 Dec 2018, Andrey Ptashnik via FreeIPA-users wrote:

Dear FreeIPA Team,

I have an issue with the Web GUI throwing the error message "Login failed due to an unknown
reason" when logging in through the Web interface.
Other functionality like directory service, DNS and authentication with 
ipa-clients seems to work fine.

I first spotted this issue in 4.5.0 and tried troubleshooting steps
from previous thread, however that did not help.  Hoping that issue is
solved in higher versions I tried upgrading ipa-server packages via:

# yum upgrade ipa-server
# ipa-server-upgrade

However it did not solve the issue in 4.6.6, and I saw exactly the same
behavior as in version 4.5.0

# rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 
cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
krb5-libs-1.15.1-34.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
httpd-2.4.6-88.el7.centos.x86_64

# cat /etc/*release*
CentOS Linux release 7.4.1708 (Core)

Just a note -- the above is not a CentOS 7.4.1708. If you updated IPA
packages selectively to a version from CentOS 7.6.1810 without updating
the whole distribution to that version, there is no guarantee everything is
working.



What could be the next troubleshooting step in my case?

Please show

getcert list -f /var/kerberos/krb5kdc/kdc.crt

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: What is the best way to check that host has joined domain from host itself?

2018-12-03 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 04 Dec 2018, d.iskandarov--- via FreeIPA-users wrote:

Hello,

I'm interested whether there is a good way to check that a host has joined the IPA domain
and is in a good state, i.e. at least users are fetched from the DC.

Real story: I'm registering my nodes with a configuration management
system (puppet). The host auto-registers with the IPA domain.  But before
the node is registered with the domain I'm also creating localhost users.
When I change anything in the "users declaration manifest", which triggers
a host update and calls usermod, the deploy fails with this error:

Execution of '/usr/sbin/usermod -p !! john' returned 6: usermod: user
'john' does not exist in /etc/passwd


Because obviously during that second run the host has already joined the domain
and the system gets user info from LDAP and not /etc/passwd.

In a typical deployment both local and remote users are resolvable, so
if john exists in /etc/passwd but doesn't exist in FreeIPA, it would
still be accessible for modifications.



I'm creating a "flag" file /root/.ipa-registered which prevents further
ipa-client installation and registration steps.  Obviously ipa-client
installs quite a few packages on the OS whose existence I can check to
skip the run as well.

I'm interested whether there is a more programmatic way to test that a node is
functional in the domain; maybe some ipa-related tool exists on the host which
I can execute to get a status. That would allow me to judge whether I should
touch users on localhost.

You have:
- /etc/ipa/default.conf, which points with xmlrpc_uri to IPA master
  this host is enrolled into. The config is created during
  ipa-client-install
- /etc/krb5.keytab should contain a host/.. key issued in the name of
  this host (klist -k)
- at least one of IPA users should be resolvable, like 'admin' (getent
  passwd admin)

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
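The three indicators above as a script a configuration-management run could call before touching local users. This is an added example, not code from the thread or from FreeIPA; the host node1.example.com, the realm EXAMPLE.COM and the klist sample are constructed, and each small check takes its input explicitly so it can be exercised without an enrolled host.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether this host is enrolled
# and functional in its IPA domain using the three indicators listed above.
# Each check takes its input explicitly (file path or command output on stdin);
# ipa_host_enrolled runs the real commands on the live system.

# 1. /etc/ipa/default.conf must carry xmlrpc_uri; print the IPA server it names.
ipa_conf_server() {
    conf=${1:-/etc/ipa/default.conf}
    [ -r "$conf" ] || return 1
    uri=$(sed -n 's/^[[:space:]]*xmlrpc_uri[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$uri" ] || return 1
    # https://ipa.example.com/ipa/xml -> ipa.example.com
    printf '%s\n' "$uri" | sed 's#^[a-z]*://##; s#[/:].*$##'
}

# 2. The keytab must hold a host/<fqdn>@REALM key; stdin = output of 'klist -k'.
keytab_has_host_key() {
    grep -qF " host/$1@"
}

# 3. An IPA user must resolve through NSS; stdin = output of 'getent passwd NAME'.
ipa_user_resolves() {
    grep -q "^$1:"
}

# Run all three on the live system. Exit status 0 only when every check passes,
# which is what a configuration-management 'unless'/'onlyif' guard needs.
ipa_host_enrolled() {
    fqdn=$(hostname -f)
    server=$(ipa_conf_server /etc/ipa/default.conf) ||
        { echo "not enrolled: no xmlrpc_uri in /etc/ipa/default.conf"; return 1; }
    klist -k /etc/krb5.keytab 2>/dev/null | keytab_has_host_key "$fqdn" ||
        { echo "no host/$fqdn key in /etc/krb5.keytab"; return 1; }
    getent passwd admin | ipa_user_resolves admin ||
        { echo "IPA user 'admin' not resolvable (SSSD down or $server unreachable?)"; return 1; }
    echo "enrolled with $server; host key present; IPA users resolvable"
}

# Constructed 'klist -k' output for an enrolled host node1.example.com (not real data).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/node1.example.com@EXAMPLE.COM
   2 host/node1.example.com@EXAMPLE.COM'

printf '%s\n' "$SAMPLE_KLIST" | keytab_has_host_key node1.example.com &&
    echo "sample keytab: host key for node1.example.com present"
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_host_key other.example.com ||
    echo "sample keytab: no host key for other.example.com (expected)"
```

Call ipa_host_enrolled as the guard for the local-user resource; it only reports success when all three indicators hold on the live host.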


[Freeipa-users] Re: FreeIPA 4.6.4 Web GUI - Login failed due to an unknown reason.

2018-12-04 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 04 Dec 2018, Andrey Ptashnik wrote:

Alexander,

Thank you for your time,

# getcert list -f /var/kerberos/krb5kdc/kdc.crt
No request found that matched arguments.
#

# ls -la /var/kerberos/krb5kdc/
total 16
drwxr-xr-x. 2 root root   82 Dec  3 22:56 .
drwxr-xr-x. 4 root root   31 Nov  2 11:13 ..
-rwxr-xr-x  1 root root    0 Nov 30  2017 cacert.pem
-rw---  1 root root   22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x  1 root root  612 Nov 30  2017 kdc.conf
-rwxr-xr-x  1 root root 1415 Nov 30  2017 kdc.crt
-rwxr-xr-x  1 root root 1708 Nov 30  2017 kdc.key
#

What does 'openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt' say?

Are you using integrated CA?

If you are using integrated CA, then please move away kdc.crt and
kdc.key and run

ipa-pkinit-manage enable




I used following commands:

# yum upgrade ipa-server
# ipa-server-upgrade

to upgrade packages, and agreed to any proposed dependencies (there were about 
90 of them).

Thanks,
Andrey



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Host vs. service certificates

2018-12-04 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 04 Dec 2018, Rob Foehl via FreeIPA-users wrote:

On Tue, 4 Dec 2018, Fraser Tweedale wrote:


On Tue, Dec 04, 2018 at 01:49:04AM -0500, Rob Foehl via FreeIPA-users wrote:

Is the service principal necessary just to satisfy this requirement?


It is required, but you can use the host principal, i.e.
"host/foo.example.com@YOUR.REALM".


Ahhh, of course.  Works fine, thanks!

(For what it's worth, every reference I could find for ipa-getcert -K 
explicitly calls it a service principal, while the getcert-request(1) 
man page just says principal name.  I also couldn't find an example of 
how to create a host certificate using ipa-getcert, only via the UI or 
at ipa-client-install time.)

In Kerberos jargon, a 'service principal' is one that is built from one
or more components stitched together with '/'. The first part is typically a
service name, the second a hostname. There can be three-part service
principals (used by Active Directory), but typically service/host@REALM
is the way to express a service principal.

getcert-request(1) talks about a 'principal name' because it is not
certmonger that considers the difference; the KDC and CA do. The FreeIPA
framework makes sure that whatever Kerberos principal is added into the
certificate is validated as allowed to be present there. Since a client
certificate can be used to authenticate in lieu of a Kerberos key, the
principal specified in the certificate represents whose identity it
impersonates. You certainly wouldn't expect a regular certificate to
impersonate your 'admin' principal and gain the ability to obtain a
ticket-granting ticket for 'admin'.

See https://ssimo.org/blog/id_016.html for more details.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: FreeIPA 4.6.4 Web GUI - Login failed due to an unknown reason.

2018-12-04 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 04 Dec 2018, Andrey Ptashnik wrote:

Alexander,

Please find output below:

[root@ipa-server-01 ~]# openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt
Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number: 1 (0x1)
   Signature Algorithm: sha256WithRSAEncryption
   Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM

Yep -- this is a self-signed certificate instead of the right one
from the IPA CA.


[root@ipa-server-01 krb5kdc]# rm -f kdc.crt
[root@ipa-server-01 krb5kdc]# rm -f kdc.key
[root@ipa-server-01 krb5kdc]#
[root@ipa-server-01 krb5kdc]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
 [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@ipa-server-01 krb5kdc]# ls -la
total 20
drwxr-xr-x. 2 root root   82 Dec  4 08:16 .
drwxr-xr-x. 4 root root   31 Nov  2 11:13 ..
-rw-r--r--  1 root root 1298 Dec  4 08:16 cacert.pem
-rw---  1 root root   22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x  1 root root  612 Nov 30  2017 kdc.conf
-rw-r--r--  1 root root 1667 Dec  4 08:16 kdc.crt
-rw---  1 root root 1704 Dec  4 08:16 kdc.key
[root@ipa-server-01 krb5kdc]#

After certificate update it looks like Web GUI is working.

So, this is another version of https://pagure.io/freeipa/issue/7200

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: SSO issue on one freeipauser

2018-12-05 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 05 Dec 2018, tarak sinha via FreeIPA-users wrote:

Hi Guys,

I am having an issue with ssh to one host with SSO: all the users are able to
ssh without being asked for a password, but only my userid is asked for a
password. I have tried to do kdestroy and kinit again with the userid along
with the REALM, but it did not work. If you have any suggestions, please let me
know so I can check further.

Here is the output of the ssh connection which asks for a password,
snip

debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

^^ this is your problem.

Can you show output of

kvno -S host mstageegw3.example.com

on your client from where you do SSH?




debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /uhome/aalevoor/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /uhome/aalevoor/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
aalev...@mstageegw3.example.com's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 4 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
Last login: Wed Dec  5 01:53:06 2018 from 10.22.6.70




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: SSO issue on one freeipauser

2018-12-05 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 05 Dec 2018, tarak sinha wrote:

Yes, I can. Thanks Alex for your help. Let me know what needs to be done.

[r...@deploy1.ops tsinha]# kvno -S host mstageegw3.example.com
kvno: invalid option -- S
usage: kvno [-4 | [-c ccache] [-e etype] [-k keytab]] service1 service2 ...
[r...@deploy1.ops tsinha]#

What OS is this?

Anyway, what happens if you get

kvno host/mstageegw3.example.com

Also, please show

ipa host-show --all mstageegw3.example.com





On Wed, Dec 5, 2018 at 4:28 PM Alexander Bokovoy 
wrote:


On ke, 05 joulu 2018, tarak sinha via FreeIPA-users wrote:
>Hi Guys,
>
>I am having issue to ssh with one host with SSO, all the users are able to
>ssh without asking password but only my userid having issue with asking
>password, I have tried to do kdestroy and did kinit again with userid
along
>with REALM but did not work. if you have any suggestions please let me
know
>to check further.
>
>Here it is output for ssh connection which asking password,
>snip
>
>debug1: Authentications that can continue:
>publickey,gssapi-keyex,gssapi-with-mic,password
>debug1: Next authentication method: gssapi-with-mic
>debug1: Unspecified GSS failure.  Minor code may provide more information
>Server not found in Kerberos database
^^ this is your problem.

Can you show output of

kvno -S host mstageegw3.example.com

on your client from where you do SSH?



>debug1: Unspecified GSS failure.  Minor code may provide more information
>Server not found in Kerberos database
>debug1: Unspecified GSS failure.  Minor code may provide more information
>Server not found in Kerberos database
>debug2: we did not send a packet, disable method
>debug1: Next authentication method: publickey
>debug1: Offering public key: /uhome/aalevoor/.ssh/id_rsa
>debug2: we sent a publickey packet, wait for reply
>debug1: Authentications that can continue:
>publickey,gssapi-keyex,gssapi-with-mic,password
>debug1: Trying private key: /uhome/aalevoor/.ssh/id_dsa
>debug2: we did not send a packet, disable method
>debug1: Next authentication method: password
>aalev...@mstageegw3.example.com's password:
>debug2: we sent a password packet, wait for reply
>debug1: Authentication succeeded (password).
>debug1: channel 0: new [client-session]
>debug2: channel 0: send open
>debug1: Entering interactive session.
>debug2: callback start
>debug2: client_session2_setup: id 0
>debug2: channel 0: request pty-req confirm 0
>debug2: channel 0: request shell confirm 0
>debug2: fd 4 setting TCP_NODELAY
>debug2: callback done
>debug2: channel 0: open confirm rwindow 0 rmax 32768
>debug2: channel 0: rcvd adjust 2097152
>Last login: Wed Dec  5 01:53:06 2018 from 10.22.6.70
>
>--
>
>*Thanks,*
>
>*TS*



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland




--

*Thanks,*

*Tarak Nath Sinha*

*Mobile: **+91 8197522750*


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Issue setting up FreeIPA and Samba

2018-12-05 Thread Alexander Bokovoy via FreeIPA-users

On ke, 05 joulu 2018, Robert Byrne via FreeIPA-users wrote:

Hi,

A belated thanks for the reply, and I seem to have solved the problem. The cause 
might have been obvious to others, but I will describe it here briefly in case 
it helps others:

- We have a FreeIPA server and this exports a number of directories by Samba. 
FreeIPA was set up as described above and Samba as described here 
(https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP).
- There is no trust with the Windows domain / AD. Some of the users are also 
using OSX.
- FreeIPA users were unable to mount the Samba shares if they entered 
\\samba.linux.company.local\samba_share_name in e.g. Windows Explorer.
- The issue was that I had changed the users' UIDs and GIDs from those automatically 
assigned by the Web UI to their current values to aid migration. The values were then 
outside of the local domain range defined in the IPA server > ID ranges tab of the Web 
UI. As soon as this range was changed (in my case through reinstalling FreeIPA server with 
the option "--idstart=2000") the users could mount the shares from Windows.

A bit frustrating, but still a lot easier than setting up LDAP even without 
Samba! :-)

Somewhat off-topic. Does anyone know if the connection between the clients 
(Windows or OSX) and the FreeIPA/Samba server is encrypted or how I could find 
this out? This is the output of 'net conf list':

[global]
workgroup = LINUX
netbios name = IPA
realm = LINUX.CRELUX.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 10
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-LINUX-CRELUX-LOCAL.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=linux,dc=crelux,dc=local
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork

I guess from the line 'ldap ssl = off' that the user credentials are being sent 
in plain-text. Is this correct?

passdb backend is set to use the 'ipasam' module with the LDAPI protocol, which
is LDAP over a Unix domain socket. It doesn't use SSL but instead uses
GSSAPI for authentication and signing. So first, the data is not sent
over the network, only between two daemons on the same machine over a UNIX
domain socket. And second, the channel is set up with GSSAPI and is
encrypted even over that UNIX domain socket.

Use of 'ldap ssl = off' is to avoid hitting the code paths in Samba that
require handling a certificate, for the case where it is not needed at
all.

Hope this helps.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
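
The ID-range point in the message above is easy to get wrong, so here is an added example (my code, not part of the thread or of FreeIPA) that checks whether POSIX IDs fall inside an ipa-local ID range and derives the SID Samba would see for them. The range attributes follow what `ipa idrange-show` reports; the domain SID and all range values are constructed, and the user/group split between the primary and secondary RID base is my reading of how IPA's sidgen plugin assigns RIDs, marked as an assumption in the code.

```python
"""Added example (not from the thread or FreeIPA's code): check whether POSIX
IDs fall inside an IPA ID range and derive the SID that ipasam/sidgen would
hand to Samba for them.  All range values and the domain SID are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Span = Tuple[int, int]  # half-open interval [start, end)


@dataclass(frozen=True)
class IdRange:
    """Mirror of the attributes `ipa idrange-show` reports for an ipa-local range."""
    name: str
    base_id: int             # ipaBaseID: first POSIX ID of the range
    size: int                # ipaIDRangeSize: number of IDs in the range
    base_rid: int            # ipaBaseRID: first RID used for users
    secondary_base_rid: int  # ipaSecondaryBaseRID: first RID used for groups

    def id_span(self) -> Span:
        return (self.base_id, self.base_id + self.size)

    def rid_spans(self) -> List[Span]:
        return [(self.base_rid, self.base_rid + self.size),
                (self.secondary_base_rid, self.secondary_base_rid + self.size)]

    def contains(self, posix_id: int) -> bool:
        lo, hi = self.id_span()
        return lo <= posix_id < hi


def find_range(ranges: List[IdRange], posix_id: int) -> Optional[IdRange]:
    """Return the range covering posix_id, or None when no range does.
    An ID outside every range gets no SID, so Samba cannot build a token for it."""
    for r in ranges:
        if r.contains(posix_id):
            return r
    return None


def sid_for(domain_sid: str, ranges: List[IdRange], posix_id: int,
            is_group: bool = False) -> Optional[str]:
    """SID for a POSIX ID: RID = RID base + offset of the ID inside its range.
    Assumption (my reading of the sidgen plugin): users take the primary RID
    base, groups the secondary one."""
    r = find_range(ranges, posix_id)
    if r is None:
        return None
    base = r.secondary_base_rid if is_group else r.base_rid
    return f"{domain_sid}-{base + (posix_id - r.base_id)}"


def _overlap(a: Span, b: Span) -> bool:
    return a[0] < b[1] and b[0] < a[1]


def validate_ranges(ranges: List[IdRange]) -> List[str]:
    """Report POSIX ID or RID overlaps between ranges (IPA rejects such a
    range when it is added; two IDs mapping to one SID would be an identity bug)."""
    problems: List[str] = []
    for i, a in enumerate(ranges):
        if _overlap(*a.rid_spans()):
            problems.append(f"{a.name}: primary and secondary RID ranges overlap")
        for b in ranges[i + 1:]:
            if _overlap(a.id_span(), b.id_span()):
                problems.append(f"{a.name}/{b.name}: POSIX ID ranges overlap")
            if any(_overlap(sa, sb) for sa in a.rid_spans() for sb in b.rid_spans()):
                problems.append(f"{a.name}/{b.name}: RID ranges overlap")
    return problems


# Constructed data.  DEFAULT_RANGE resembles what ipa-server-install creates;
# MIGRATED_RANGE covers hand-assigned 2000-based IDs (the --idstart=2000 case
# above) with its RIDs placed after DEFAULT_RANGE's so they do not collide;
# BAD_RANGE reuses DEFAULT_RANGE's RID bases and overlaps MIGRATED_RANGE's IDs.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DEFAULT_RANGE = IdRange("LINUX.CRELUX.LOCAL_id_range", 1914800000, 200000, 1000, 100000000)
MIGRATED_RANGE = IdRange("migrated_id_range", 2000, 1000, 201000, 100200000)
BAD_RANGE = IdRange("clashing_range", 2500, 1000, 1000, 100000000)


def report(domain_sid: str, ranges: List[IdRange], posix_id: int) -> str:
    sid = sid_for(domain_sid, ranges, posix_id)
    if sid is None:
        return f"uid {posix_id}: not in any ID range -> no SID, Samba access fails"
    return f"uid {posix_id}: {sid}"


if __name__ == "__main__":
    print(report(DOMAIN_SID, [DEFAULT_RANGE], 2001))
    print(report(DOMAIN_SID, [DEFAULT_RANGE, MIGRATED_RANGE], 2001))
    for problem in validate_ranges([DEFAULT_RANGE, MIGRATED_RANGE, BAD_RANGE]):
        print("problem:", problem)
```

An ID that `find_range` cannot place has no SID, which is the "cannot mount the share from Windows" symptom described above. Reinstalling with `--idstart` is one fix; adding a range that covers the migrated IDs with `ipa idrange-add` and non-overlapping RID bases (what `validate_ranges` checks) is the other.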


[Freeipa-users] Re: SSO issue on one freeipauser

2018-12-05 Thread Alexander Bokovoy via FreeIPA-users

On ke, 05 joulu 2018, tarak sinha wrote:

User not working:

[aalev...@deploy1.ops ~]$ kvno host/mstageegw3.example.com
kvno: Server not found in Kerberos database while getting credentials for
host/mstageegw3.example@example.com
[aalev...@deploy1.ops ~]$

*Working user on same host*

tsi...@deploy1.ops ~]$ kvno host/mstageegw3.example.com
host/mstageegw3.example@ipa.example.com: kvno = 1

Any further advice on what to check?

You need to explain how EXAMPLE.COM and IPA.EXAMPLE.COM Kerberos realms
are related to each other.

What is your deployment design?




On Wed, Dec 5, 2018 at 5:44 PM tarak sinha  wrote:


Thanks, I'll check it out.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

[Freeipa-users] Re: SSO issue on one freeipauser

2018-12-05 Thread Alexander Bokovoy via FreeIPA-users

Please do not drop the public mailing list.

On ke, 05 joulu 2018, tarak sinha wrote:

Hi Alexander,

We recently built new IPA servers in our DC; the new IPA server realm name is
IPA.EXAMPLE.COM and the old IPA realm was EXAMPLE.COM.

As you can see, only one user is impacted for SSO on this host; the rest of the
users are able to do SSO perfectly with the new REALM (IPA.EXAMPLE.COM).


You need to look into that user's environment. Perhaps the user has their own
krb5.conf override set via the KRB5_CONFIG environment variable.




On Wed, Dec 5, 2018 at 8:27 PM Alexander Bokovoy 
wrote:


On ke, 05 joulu 2018, tarak sinha wrote:
>user not working
>
>[aalev...@deploy1.ops ~]$ kvno host/mstageegw3.example.com
>kvno: Server not found in Kerberos database while getting credentials for
>host/mstageegw3.example@example.com
>[aalev...@deploy1.ops ~]$
>
>*Working user on same host*
>
>tsi...@deploy1.ops ~]$ kvno host/mstageegw3.example.com
>host/mstageegw3.example@ipa.example.com: kvno = 1
>
>Any further advice to check
You need to explain how EXAMPLE.COM and IPA.EXAMPLE.COM Kerberos realms
are related to each other.

What is your deployment design?


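
To make the KRB5_CONFIG hint concrete, here is an added example (my code, not from the thread or from MIT Kerberos) that reproduces how libkrb5 chooses the realm of a host principal from krb5.conf, and shows why a stale per-user config produces host/...@EXAMPLE.COM while the IPA client config produces @IPA.EXAMPLE.COM. The configs are constructed; the lookup order (exact host in [domain_realm], then each parent domain with a leading dot, then the uppercased domain part) follows krb5.conf(5), and the KDC referral step the real library tries before that fallback is omitted because it needs a network.

```python
"""Added example (not from the thread or MIT krb5): reproduce how libkrb5
picks the realm for a host principal from krb5.conf, so a per-user
KRB5_CONFIG override can be checked offline.  The configs are constructed."""
from typing import Dict, List, Tuple

DEFAULT_KRB5_CONF = "/etc/krb5.conf"


def config_paths(env: Dict[str, str]) -> List[str]:
    """KRB5_CONFIG is a colon-separated file list that replaces the default path."""
    value = env.get("KRB5_CONFIG")
    return value.split(":") if value else [DEFAULT_KRB5_CONF]


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf parser: flat key = value pairs per section.
    Brace subsections (realm blocks under [realms]) are skipped since they do
    not affect realm mapping; include/includedir directives are not followed."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            depth = 0
            continue
        if current is None:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth = max(depth - 1, 0)
            continue
        if depth or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def realm_for_host(conf: Dict[str, Dict[str, str]], host: str) -> Tuple[str, str]:
    """Return (realm, how it was chosen) per krb5.conf(5): exact host in
    [domain_realm], then parent domains with a leading dot, otherwise the
    host's domain part uppercased.  The KDC referral the real library asks
    for before that fallback is omitted (offline)."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = host.split(".")
    if host in mapping:
        return mapping[host], f"domain_realm entry {host}"
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], f"domain_realm entry {parent}"
    if len(labels) > 1:
        return ".".join(labels[1:]).upper(), "uppercased domain fallback"
    default = conf.get("libdefaults", {}).get("default_realm", "")
    return default, "default_realm (assumption for single-label hosts)"


def host_principal(conf: Dict[str, Dict[str, str]], host: str) -> str:
    realm, _ = realm_for_host(conf, host)
    return f"host/{host}@{realm}"


# Constructed configs.  IPA_CLIENT_CONF resembles what ipa-client-install
# writes for IPA.EXAMPLE.COM; STALE_USER_CONF is a leftover from the old
# EXAMPLE.COM deployment; NO_MAPPING_CONF has no [domain_realm] at all.
IPA_CLIENT_CONF = """\
[libdefaults]
  default_realm = IPA.EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
[realms]
  IPA.EXAMPLE.COM = {
    kdc = ipa1.ipa.example.com:88
    admin_server = ipa1.ipa.example.com:749
  }
[domain_realm]
  .example.com = IPA.EXAMPLE.COM
  example.com = IPA.EXAMPLE.COM
"""
STALE_USER_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""
NO_MAPPING_CONF = "[libdefaults]\n  default_realm = IPA.EXAMPLE.COM\n"

if __name__ == "__main__":
    for label, text in (("ipa client", IPA_CLIENT_CONF), ("stale user", STALE_USER_CONF),
                        ("no mapping", NO_MAPPING_CONF)):
        conf = parse_krb5_conf(text)
        print(label, host_principal(conf, "mstageegw3.example.com"),
              realm_for_host(conf, "mstageegw3.example.com")[1])
```

On the affected account, compare `echo "$KRB5_CONFIG"` and `klist` with a working account on the same host: a KRB5_CONFIG that points at a leftover file like STALE_USER_CONF, or a config with no [domain_realm] mapping for example.com (where the uppercased-domain fallback yields EXAMPLE.COM even though default_realm is IPA.EXAMPLE.COM), gives exactly the kvno error quoted above.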

[Freeipa-users] Re: Samba integration

2018-12-09 Thread Alexander Bokovoy via FreeIPA-users

On ma, 10 joulu 2018, Николай Савельев via FreeIPA-users wrote:

Hello.
I try to set up samba with freeipa.
I use this article 
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

But I have strange error:

Dec 10 13:48:58 nfs.fs.lan smbd[14242]: [2018/12/10 13:48:58.758419,  0] ../source3/auth/auth_util.c:1372(make_new_session_info_guest)
Dec 10 13:48:58 nfs.fs.lan smbd[14242]:   create_local_token failed: NT_STATUS_NO_MEMORY
Dec 10 13:48:58 nfs.fs.lan smbd[14242]: [2018/12/10 13:48:58.758577,  0] ../source3/smbd/server.c:1993(main)
Dec 10 13:48:58 nfs.fs.lan smbd[14242]:   ERROR: failed to setup guest info.
Dec 10 13:48:58 nfs.fs.lan systemd[1]: smb.service: main process exited, code=exited, status=255/n/a
Dec 10 13:48:58 nfs.fs.lan systemd[1]: Failed to start Samba SMB Daemon.

What does it mean?

There are plenty of reasons for create_local_token() to return
NT_STATUS_NO_MEMORY:

- actual memory allocation failed
- conversion of SIDs to POSIX IDs failed
- copying some internal structures failed

Can you provide an output with 'log level = 10' set with
 net conf setparm global loglevel 10
?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?

2018-12-11 Thread Alexander Bokovoy via FreeIPA-users

On ti, 11 joulu 2018, cdknight via FreeIPA-users wrote:

When a user signs in to FreeIPA, I do not want them to be able to view
the list of users in my LDAP server under the "Active users" link. I
still want them to be able to administer self-service, so they can
reset their password, add OTP tokens, etc. How would I go about doing
this? The users will only be able to access the web interface, so it
doesn't matter whether they can access it from other sources.

There is no way to restrict that. We keep getting this question all the
time, and we consider it to be security through obscurity, not real
security.

Every enrolled IPA client has to be able to query IPA LDAP for
information about users, groups, hosts, sudo rules, etc. This already
gives users a way to retrieve the information you are trying to hide
in the Web UI.

If a user is able to log in to the Web UI, she would be able to use the IPA CLI on
the enrolled IPA clients too. Even without the IPA CLI on the enrolled
clients, she would be able to issue JSON-RPC commands, either from the
command line on any machine or right from the browser's console.

You can read archives (make sure go through the whole threads): 
https://www.redhat.com/archives/freeipa-users/2016-March/msg00053.html

https://www.redhat.com/archives/freeipa-users/2016-April/msg00118.html

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: FreeIPA ca for kerberos

2018-12-11 Thread Alexander Bokovoy via FreeIPA-users

On ti, 11 joulu 2018, None via FreeIPA-users wrote:

Hello,

if possible i would like to use the FreeIPA ca for Kubernetes. but kubernetes 
has some requirements on the CN and O.

the CN has to match the pattern system:node:$FQDN
and O has to match system:node

also see: 
https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md

is this possible with the FreeIPA CA, or do i need to use another ca for 
Kubernetes?

Did you check https://github.com/zultron/freeipa-cloud-prov? This one
does not employ Node Authorization mode so it doesn't have the same
requirements.

https://github.com/zultron/freeipa-cloud-prov/blob/c33758e80ba09f076b10a341f9dff105b0d5c423/playbooks/roles/ipa-certs/tasks/op-service-certs.yaml
certainly doesn't follow the pattern you describe when requesting
service certificates.

If you still want to use Node Authorization, you can certainly add a
certificate profile that explicitly sets CN to system:node:$FQDN when a
certificate request contains just $FQDN. Same for explicitly adding
O=system:node.

See 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/certificate-profiles

Also check Fraser's blog:
https://frasertweedale.github.io/blog-redhat/archive.html, there are a few
examples on how to create a specialized certificate profile.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?

2018-12-11 Thread Alexander Bokovoy via FreeIPA-users

On ti, 11 joulu 2018, cdknight via FreeIPA-users wrote:

Thanks for the responses. Therefore, I will instead have to restrict
access to the Web UI either by creating an HBAC rule (this is my
understanding of what to do), and instead allowing them access a
secondary self-service UI like https://github.com/ubccr/mokey.  While
this secondary software may not be the most stable, it will have to do
(as long as basic functions work) until FreeIPA implements their own
solution.

There is currently no plan to allow self-service view to be completely
isolated. As explained, it is not practical and not possible in a
typical FreeIPA deployment as the same information is accessible by
other, user-authenticated, means.

Adding an HBAC rule will not help since access to Web UI is not
controlled with HBAC.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Vault feature for AD users

2018-12-20 Thread Alexander Bokovoy via FreeIPA-users

On to, 20 joulu 2018, Ronald Wimmer via FreeIPA-users wrote:

Is it true that this feature is only available to native ipa users?

'ipa help vault' has this description:



Based on the ownership there are three vault categories:
* user/private vault
* service vault
* shared vault

User vaults are vaults owned by a particular user. Private
vaults are vaults owned by the current user. Service vaults are
vaults owned by a service. Shared vaults are owned by the admin
but they can be used by other users or services.



As AD users aren't stored in LDAP, they cannot be made owners.

Could you please file a request asking for this support? I have been
working on the ability to manage FreeIPA as an AD user (see
https://github.com/abbra/freeipa-adusers-admins) but it doesn't work
magically on all objects and needs support on multiple sides. In the case
of vaults, there are implicit internal assumptions that if it is not a
service or a shared vault, it is an IPA user.



On 30.11.18 09:42, Ronald Wimmer via FreeIPA-users wrote:
Is there any possibility to use the vault feature for external (AD) 
users?



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: How to restrict access for users to specific hosts

2019-01-07 Thread Alexander Bokovoy via FreeIPA-users

On ma, 07 tammi 2019, 74cmonty via FreeIPA-users wrote:

THX

I have found this howto guide: 
https://www.freeipa.org/page/Howto/HBAC_and_allow_all

Do you know about RHEL Identity Management guides? Because most of your
questions look like you aren't aware of the actual documentation we
have.

Linux Domain Identity, Authentication and Policy guide:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index

Windows Integration Guide:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/

These are two big sources of information about all aspects of installing
and managing IPA.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Problem running IPA client on IPv6 only connection

2019-01-07 Thread Alexander Bokovoy via FreeIPA-users

On ma, 07 tammi 2019, William Muriithi via FreeIPA-users wrote:

Hello,

I have IPA clients that have both IPv4 and IPv6 addresses. One of the
IPA clients is in the office and hence can reach the IPA server on both IPv4
and IPv6. However, the client outside the LAN can only reach the IPA server
over IPv6.

I was able to enroll the external client fine over IPv6 and, from the logs,
all is clean. However, when I attempted to ssh, it is not able to retrieve the
user from IPA. The client in the office works fine. I can also make, for
example, LDAP queries and they work over IPv6 fine. It looks like Kerberos
is somehow however using IPv4. I reached this conclusion after taking a
tcpdump when attempting to ssh to the server, and the Kerberos traffic from
the client to IPA is on IPv4.

What would I need to do on the IPA client for it to prefer IPv6? I am
aware I could remove the IPv4 address from DNS, but that would break any
communication from IPv4-only systems. Any assistance would be appreciated.

Check that SSSD-generated kdcinfo has IPv6 only addresses in
/var/lib/sss/pubconf/. If not, you need to set

lookup_family_order = ipv6_only

in the domain section in sssd.conf (it defaults to ipv4_first) and
restart sssd.

SSSD ensures that KDC discovery in libkrb5 is consistent with SSSD settings
through a KDC locator plugin. The SSSD KDC locator plugin uses the common name
resolution settings from SSSD.

See man page sssd.conf for details.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
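
As an added check for the kdcinfo advice above (my code, not from the thread or from SSSD), the block below classifies the addresses in SSSD's kdcinfo files by address family and reads lookup_family_order from the matching sssd.conf domain section, so you can confirm both halves of the fix before restarting sssd. The sample file contents are constructed; the kdcinfo line format assumed here (IPv6 in square brackets, optional :port) is my reading of what SSSD writes and should be treated as an assumption.

```python
"""Added example (not from the thread or SSSD): check which address family the
SSSD-generated kdcinfo files hand to libkrb5, and which lookup_family_order
the matching sssd.conf domain uses.  Samples are constructed; the kdcinfo line
format (IPv6 in brackets, optional :port) is an assumption about SSSD output."""
import configparser
import ipaddress
import os
from typing import Dict, List, Optional, Tuple, Union

PUBCONF_DIR = "/var/lib/sss/pubconf"
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_kdc_entry(entry: str) -> Tuple[Address, Optional[int]]:
    """'[2001:db8::10]:88' -> (IPv6Address, 88); '192.0.2.10' -> (IPv4Address, None).
    Raises ValueError for anything that is not an IP literal (e.g. a hostname)."""
    entry = entry.strip()
    port: Optional[int] = None
    if entry.startswith("["):
        end = entry.find("]")
        if end < 0:
            raise ValueError(f"unterminated bracket: {entry!r}")
        addr, rest = entry[1:end], entry[end + 1:]
        if rest.startswith(":"):
            port = int(rest[1:])
        elif rest:
            raise ValueError(f"trailing data: {entry!r}")
    elif entry.count(":") == 1:  # IPv4 (or hostname) with a port
        addr, port_text = entry.split(":")
        port = int(port_text)
    else:
        addr = entry
    return ipaddress.ip_address(addr), port


def classify(text: str) -> Dict[str, List[str]]:
    """Bucket kdcinfo lines by address family; unparsable lines go to 'invalid'."""
    buckets: Dict[str, List[str]] = {"ipv4": [], "ipv6": [], "invalid": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            addr, _ = parse_kdc_entry(line)
        except ValueError:
            buckets["invalid"].append(line.strip())
            continue
        buckets["ipv4" if addr.version == 4 else "ipv6"].append(str(addr))
    return buckets


def ipv6_only(text: str) -> bool:
    """True when every KDC address SSSD published is IPv6."""
    b = classify(text)
    return bool(b["ipv6"]) and not b["ipv4"] and not b["invalid"]


def lookup_family_order(sssd_conf: str, domain: str) -> str:
    """lookup_family_order of [domain/<domain>]; SSSD's default is ipv4_first."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    return cp.get(f"domain/{domain}", "lookup_family_order", fallback="ipv4_first")


def check_pubconf(directory: str = PUBCONF_DIR) -> Dict[str, Dict[str, List[str]]]:
    """Classify every kdcinfo.<REALM> file on a real client (reads the filesystem)."""
    result: Dict[str, Dict[str, List[str]]] = {}
    for name in sorted(os.listdir(directory)):
        if name.startswith("kdcinfo."):
            with open(os.path.join(directory, name)) as fh:
                result[name[len("kdcinfo."):]] = classify(fh.read())
    return result


# Constructed samples
MIXED_KDCINFO = "192.0.2.10:88\n[2001:db8::10]:88\n"
V6_KDCINFO = "[2001:db8::10]:88\n[2001:db8::11]\n"
SSSD_CONF_DEFAULT = "[sssd]\ndomains = example.com\n\n[domain/example.com]\nid_provider = ipa\n"
SSSD_CONF_V6 = SSSD_CONF_DEFAULT + "lookup_family_order = ipv6_only\n"

if __name__ == "__main__":
    print("mixed:", classify(MIXED_KDCINFO), "ipv6 only:", ipv6_only(MIXED_KDCINFO))
    print("default order:", lookup_family_order(SSSD_CONF_DEFAULT, "example.com"))
    print("fixed order:", lookup_family_order(SSSD_CONF_V6, "example.com"))
```

On the external client, `check_pubconf()` after `systemctl restart sssd` should report only IPv6 entries for the IPA realm once lookup_family_order is ipv6_only; an IPv4 entry still present means libkrb5 will keep trying an unreachable KDC first.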


[Freeipa-users] Re: Samba server on Ubuntu not working

2019-01-08 Thread Alexander Bokovoy via FreeIPA-users

On ti, 08 tammi 2019, Kees Bakker via FreeIPA-users wrote:

Hey,

Is there any chance that the combination FreeIPA + Samba + Ubuntu
is going to work in the near future? So far I haven't been able to.

The main purpose is to give Windows users access to disk space
on our (Ubuntu) servers. And with their IPA credentials.

I don't think it is going to work (ever) with the current state. Nothing
changed since [1] in Ubuntu.

Also, it is confusing -- what do you mean 'to give Windows users access
.. with their IPA credentials'? What do you use?


[1] https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249/comments/2
[2] https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

Running Samba AD DC with MIT Kerberos KDC will not help you to solve
this task.

I'm currently working on enabling Samba to run on an IPA client where it
would be a normal domain member talking to the IPA master's Samba as its
domain controller. However, this needs a number of fixes both in FreeIPA
and Samba. Also, since you are running the IPA master on Ubuntu, it is pretty
much out of the question for you, as Ubuntu Samba (the normal one, not the AD DC
variant) is compiled against Heimdal, so it cannot be used with FreeIPA
to create the needed infrastructure.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Samba server on Ubuntu not working

2019-01-08 Thread Alexander Bokovoy via FreeIPA-users

On ti, 08 tammi 2019, Kees Bakker via FreeIPA-users wrote:

On 08-01-19 10:18, Alexander Bokovoy wrote:

On ti, 08 tammi 2019, Kees Bakker via FreeIPA-users wrote:

Hey,

Is there any chance that the combination FreeIPA + Samba + Ubuntu
is going to work in the near future? So far I haven't been able to.

The main purpose is to give Windows users access to disk space
on our (Ubuntu) servers. And with their IPA credentials.

I don't think it is going to work (ever) with the current state. Nothing
changed since [1] in Ubuntu.

Also, it is confusing -- what do you mean 'to give Windows users access
.. with their IPA credentials'? What do you use?


Well, nothing special, just connect to a Samba share. This is working
with a Samba server on Centos7 in the same IPA network. Note, (see below)
our IPA masters now run on Centos7.

Ah, OK.


[1] https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249/comments/2
[2] https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

Running Samba AD DC with MIT Kerberos KDC will not help you to solve
this task.

I'm currently working on enabling to run Samba on IPA client where it
would be a normal domain member talking to IPA master's Samba as its
domain controller. However, this needs a number of fixes both in FreeIPA
and Samba. Also, since you are running IPA master on Ubuntu


No I'm not, not anymore. We had a horrible experience of expired certs which
we were never able to resolve. We decided to reinstall the IPA servers on
Centos7. The remainder of the (Linux) systems are Ubuntu as IPA clients.
So far that works well, except the Samba part.

There is a lot missing in Samba integration done the right way. Typical
suggestions you may find on the internet basically tell you to run Samba on
an IPA client as a standalone server, re-using the ipasam module we wrote for
IPA masters. This is not preferred as it requires a domain member (IPA
client) to have access to NT hashes of IPA users. It is a security risk
and thus we don't really recommend it.

Recently I was working on a prototype that allows to use a normal domain
member setup for Samba on IPA client. This means Samba defers
everything to its domain controller (IPA master) in terms of
authenticating users without Kerberos tickets and for resolving SID to
ID and ID to SID. However, it needs a particular setup for a cifs/...
Kerberos principal on this client and also a known machine account
password for the principal which in recent Samba versions one cannot set
offline easily. Offline is a key here as Samba sets it when joining a
domain and we aren't using Samba-based join process here.

I have things mostly working, for both IPA and trusted AD users, but
there are a few hacky steps that I'd like to turn into properly supported
commands in the 'net' utility in Samba and into a specialized command for
the IPA framework. There are also smaller fixes around access controls in
IPA LDAP and changes to the ipasam module to get it all working properly.

So the solution as I like to see is finally coming.

, it is pretty much out of the question for you as Ubuntu Samba (normal one, not AD DC
variant) is compiled against Heimdal so it cannot be used with FreeIPA
to create a needed infrastructure.
For testing I have installed Centos7 with Samba (in a LXD container). I
can connect shares on this server to Windows clients using my IPA
credential (ke...@ghs.nl).

One of our servers is running Ubuntu with Nextcloud and other stuff. I was
hoping to install Samba as well and then give Windows users access to
certain shares (e.g. home dir). Linux users have better means to access
that server (NFS, SSH, etc).

Ok. Well, it is not something I can help with without heavy patching.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: is anyone running Debian as freeipa-client

2019-01-11 Thread Alexander Bokovoy via FreeIPA-users

On pe, 11 tammi 2019, Timo Aaltonen via FreeIPA-users wrote:

On 10.1.2019 0.14, Eric Engstrom via FreeIPA-users wrote:

one option would be to only build freeipa-client, but that'd leave
anyone using the server out in the cold.


Since some of us are running the server on different distros, what do you see 
as the blockers to getting freeipa-client into debian, presumably without 
-server?

And, in the interest of moving this forward, where should I look to contribute 
to getting freeipa-client up on debian (buster, or ).


Actually, nss-pem got accepted so the last (functional) blocker is now
kinda fixed for the client.

The server is still blocked on other things, like Dogtag being broken
with current java even while everything builds and should work with it..

Timo,

could you describe in more detail what is missing/blocked?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: fiddling with Win2016 trust - users

2019-01-16 Thread Alexander Bokovoy via FreeIPA-users

On ke, 16 tammi 2019, lejeczek via FreeIPA-users wrote:

hi guys

After a longer break from Windowze, I had Win2012 trust okey in the 
past, now I'm fiddling with Win2016 and have this question:


After trust (one-way coming from AD) established okey should AD's 
users be immediately available to/in IPA?


Usual things such as id, ipa user-show do find them users. I cannot 
remember how it was with my Win2012.

There should be no difference in functional behavior.

Perhaps, you were lucky in terms of establishing trust at a time when
SSSD on IPA master decided to refresh its domain information and
discovering it has new trusted domains to look at.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Ipsilon - Unauthorized

2019-01-17 Thread Alexander Bokovoy via FreeIPA-users

On to, 17 tammi 2019, Ronald Wimmer via FreeIPA-users wrote:
I set up ipsilon on a separate machine as documented in 
https://ipsilon-project.org/doc/quickstart-ipa.html


When I try to log in with the admin user I get the "Unauthorized" 
error. The logs say:


==> ssl_error_log <==
[Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client 
10.65.150.250:33802] PAM account validation failed for user admin: 
Permission denied, referer: https://ipa-ipsilon.linux.mydomain.at/idp/login/gssapi/negotiate?ipsilon_transaction_id=ccb72cfc-7db9-4fce-8c9c-ba143c284440

Well, as it says, PAM validation failed. You need to look into sssd logs
to see what was wrong. Most likely you have no HBAC rule that allows your
users to log in to ipsilon. Did you create one? You need to create an
HBAC service 'ipsilon' and then an HBAC rule to govern access to this
service on the machine where ipsilon is deployed.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
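As an added example (not part of the thread, and not Ipsilon or FreeIPA
project code): the HBAC service and rule Alexander describes, created from
the IPA CLI and then evaluated server-side with `ipa hbactest` before
retrying the IdP login. The IdP host name is the one in the log line of the
question; the rule name, the group `ipsilon-users`, the `--apply` switch and
the `IPA` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread, Ipsilon or FreeIPA: create the HBAC
# service and rule for Ipsilon from the IPA CLI, then evaluate them server-side.
# Assumptions: the IdP host name comes from the log line in the question; the
# rule name, the group "ipsilon-users" and the "--apply" switch are made up for
# this example. Run with a Kerberos ticket that may manage HBAC (kinit admin).
# Set IPA to a command that prints its arguments (e.g. IPA=echo) for a dry run.

IPA="${IPA:-ipa}"
IPSILON_HOST="${IPSILON_HOST:-ipa-ipsilon.linux.mydomain.at}"
HBAC_SERVICE="${HBAC_SERVICE:-ipsilon}"
HBAC_RULE="${HBAC_RULE:-allow_ipsilon_login}"
ALLOWED_GROUP="${ALLOWED_GROUP:-ipsilon-users}"

ipa_cmd() {
    "$IPA" "$@"
}

# The HBAC service name must equal the PAM service name mod_authnz_pam uses:
# that is the string pam_sss on the Ipsilon host matches HBAC rules against.
# The rule then ties that service on the IdP host to the allowed group.
setup_ipsilon_hbac() {
    ipa_cmd hbacsvc-add "$HBAC_SERVICE" --desc="Ipsilon IdP login"
    ipa_cmd hbacrule-add "$HBAC_RULE" --desc="Allow $ALLOWED_GROUP to log in to Ipsilon"
    ipa_cmd hbacrule-add-service "$HBAC_RULE" --hbacsvcs="$HBAC_SERVICE"
    ipa_cmd hbacrule-add-host "$HBAC_RULE" --hosts="$IPSILON_HOST"
    ipa_cmd hbacrule-add-user "$HBAC_RULE" --groups="$ALLOWED_GROUP"
}

# Server-side evaluation for one user: a denial here is the same decision
# pam_sss returned in ssl_error_log, with no SSSD cache in between.
check_ipsilon_access() {
    ipa_cmd hbactest --user="$1" --host="$IPSILON_HOST" --service="$HBAC_SERVICE"
}

if [ "${1:-}" = "--apply" ]; then
    setup_ipsilon_hbac
    check_ipsilon_access admin
fi
```

Two things worth knowing when the check and the IdP disagree: the default
'allow_all' rule, if still enabled, already permits every user, so a denial
in ssl_error_log with allow_all enabled usually means the PAM service name
configured for mod_authnz_pam is not the one the rule names; and SSSD on the
Ipsilon host caches HBAC rules, so run `sss_cache -E` there after changing
rules before retrying.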


[Freeipa-users] Re: fiddling with Win2016 trust - users

2019-01-17 Thread Alexander Bokovoy via FreeIPA-users

On to, 17 tammi 2019, lejeczek via FreeIPA-users wrote:

On 16/01/2019 21:17, Alexander Bokovoy wrote:

On ke, 16 tammi 2019, lejeczek via FreeIPA-users wrote:

hi guys

After a longer break from Windowze, I had Win2012 trust okey in 
the past, now I'm fiddling with Win2016 and have this question:


After trust (one-way coming from AD) established okey should AD's 
users be immediately available to/in IPA?


Usual things such as id, ipa user-show do find them users. I 
cannot remember how it was with my Win2012.

There should be no difference in functional behavior.

Perhaps, you were lucky in terms of establishing trust at a time when
SSSD on IPA master decided to refresh its domain information and
discovering it has new trusted domains to look at.


ough... I was not being careful with my typing, it is:

Usual things such as id, ipa user-show do NOT find them users. I 
cannot remember how it was with my Win2012.

ipa user-show should not find any AD users at all, that's as intended.

if `id user@ad.domain` doesn't work, follow SSSD troubleshooting guides
https://docs.pagure.org/sssd.sssd/users/troubleshooting.html

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: fiddling with Win2016 trust - users

2019-01-17 Thread Alexander Bokovoy via FreeIPA-users

On to, 17 tammi 2019, lejeczek via FreeIPA-users wrote:

On 16/01/2019 19:26, John Keates wrote:

There is no enumeration support, but if you want to figure out if your 
connection works, try getent on a group or user (or using id on a group or 
user). If those don’t work the AD Trust might not be working correctly.
I start the trusts on the IPA side and use Domain Admin creds (and not a secret 
or token), that always works for me.

If the trust works but something else is wrong, you can check if the trusts are 
listed and domains can be fetched from the trust. If you don’t even have those, 
the trust doesn’t work at all. If do you have those it’s a different problem.

Does the trust show on the DC in the trust settings?


Trust does show in 2016 DC but because it was started there, that 
trust was set up with a shared secret on 2016 and then finished off on 
IPAs.

Ah. One-way trust with a shared secret is not supported yet. I need to
merge my patches, hopefully, somewhere after devconf/FOSDEM. It requires
changes to Samba (released in 4.7.11+, 4.8.6+), to SSSD (released in
1.16.3+), and to FreeIPA (not merged yet).

The thing is - I do not have (and cannot have) admin access/credentials 
on 2016 AD and in such cases I understand only a shared key is the 
option available. Or not?

I have Windows Server 2016 deployment and I have access to admin creds
there without any problems. Unless you are trying to say that your
administrators don't like to give you temporary membership in a 'Domain
Admins' group in the forest root domain or in 'Enterprise Admins' group
to allow creating a forest trust, you should definitely be able to use
admin credentials to establish trust. Windows Server 2016 is no
different from 2012 in this sense.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: fiddling with Win2016 trust - users

2019-01-17 Thread Alexander Bokovoy via FreeIPA-users

On to, 17 tammi 2019, lejeczek via FreeIPA-users wrote:

On 16/01/2019 21:17, Alexander Bokovoy wrote:

On ke, 16 tammi 2019, lejeczek via FreeIPA-users wrote:

hi guys

After a longer break from Windowze, I had Win2012 trust okey in 
the past, now I'm fiddling with Win2016 and have this question:


After trust (one-way coming from AD) established okey should AD's 
users be immediately available to/in IPA?


Usual things such as id, ipa user-show do find them users. I 
cannot remember how it was with my Win2012.

There should be no difference in functional behavior.

Perhaps, you were lucky in terms of establishing trust at a time when
SSSD on IPA master decided to refresh its domain information and
discovering it has new trusted domains to look at.

Do we users/admins have any/some control over those bits, over how 
SSSD refreshes & caches these bits?


I've decided to briefly try with a 2016 "lab" type, my own 2016 I 
control. I get users immediately with a one-way (full credentials and no 
shared secret) trust, but only on the master which established the 
trust; the remaining masters, though they can validate the trust with 
kvno/kinit, at the moment see no AD users with id/getent/ipa user.


Reading docs I could not get this clarified, I suppose, but having this 
crystal clear would be best - is ipa-adtrust-install only needed on 
that one master which will establish the trust, or does it need to be on 
each IPA master?

Correct, ipa-adtrust-install needs to be run on one master to configure
that one with a trust controller role. Other masters can be designated as
trust agents via a re-run of 'ipa-adtrust-install --add-agents' on the
original master. If you want to have more trust controllers, you can
initialize them by running ipa-adtrust-install on those masters, but
this is not required. This is all described in the documentation.

Unless you designated IPA masters as trust agents or trust controllers,
they will not be able to resolve AD users/groups. It is a security
feature, as having access to inter-forest trust credentials allows
impersonating the whole trust link. Thus, by default the access to these
credentials is limited and has to be granted via 'ipa-adtrust-install
--add-agents' from a master with a trust controller role.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Per-host 2FA and "Second Factor (optional)" message

2019-01-18 Thread Alexander Bokovoy via FreeIPA-users

On pe, 18 tammi 2019, Chris Herdt via FreeIPA-users wrote:

I'd seen previous posts (now a few years old) on enabling per-host 2-factor
authentication with FreeIPA. I'm using FreeIPA 4.6.4 on CentOS 7. I
followed what I think are the correct steps to enable 2FA on a specific
host, but the behavior is a little strange:

User A: enable both Password and Two factor authentication (password +
OTP), and configure a OTP.

User B: enable just the Password option.

Host A: select "otp" under Authentication indicators, ensure the following
lines are present in /etc/ssh/sshd_config and restart sshd:
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive

Host B: make no changes to Authentication indicators (none selected),  make
the same changes as above to sshd_config.

After these changes:

User A -> Host A
The user sees the following prompts:

First Factor:
Second Factor (optional):

However, the second factor is required (as expected) and the login fails
without it.

User A -> Host B
The user gets the same prompt as above, but the second factor is actually
optional, and the login succeeds without supplying any value.

User B -> Host A
The user gets a regular password prompt, but cannot log in using the
correct password (as expected, since a OTP is required).

User B -> Host B
The user gets a regular password prompt and can log in as expected.

Everything is working more-or-less as expected, but the "Second Factor
(optional)" prompt is a little confusing, particularly in cases where it is
required. Is this due to my specific configuration (or mis-configuration)
or is this the expected behavior?

That's hard-coded in SSSD.

https://pagure.io/SSSD/sssd/issue/3264

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
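As an added example (not part of the thread and not FreeIPA project code):
the per-host 2FA set-up from the question done from the IPA CLI, plus a
check at the KDC level that is independent of the sshd/SSSD prompt wording
the question is about. Host `host-a.example.test`, users `alice` ("User A")
and `bob` ("User B"), the `--apply` switch and the `IPA`/`KVNO` override
variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or FreeIPA: the per-host 2FA set-up
# from the question done on the CLI, plus a KDC-level check that does not go
# through sshd. Hypothetical names: host-a.example.test must require OTP, alice
# is "User A" (password + OTP), bob is "User B" (password only).
# Set IPA / KVNO to a command that prints its arguments for a dry run.

IPA="${IPA:-ipa}"
KVNO="${KVNO:-kvno}"
HOST_A="${HOST_A:-host-a.example.test}"

ipa_cmd() {
    "$IPA" "$@"
}

# Authentication indicator on the host entry: the KDC then issues service
# tickets for host/host-a only to clients whose TGT carries the "otp"
# indicator, i.e. whose initial authentication was password + OTP. A host
# without an indicator accepts any TGT, which is why "User A -> Host B"
# succeeds with an empty second factor.
require_otp_on_host() {
    ipa_cmd host-mod "$1" --auth-ind=otp
}

# Per-user authentication types. Passing --user-auth-type twice permits both
# password-only and password+OTP for alice; bob keeps password only.
configure_users() {
    ipa_cmd user-mod alice --user-auth-type=password --user-auth-type=otp
    ipa_cmd otptoken-add --type=totp --owner=alice --desc="alice phone"
    ipa_cmd user-mod bob --user-auth-type=password
}

# Policy check that bypasses sshd entirely: holding a password-only TGT
# (kinit bob), a request for a ticket to host-a must be refused by the KDC,
# while the same request for a host without the indicator succeeds.
# Returns kvno's exit status.
probe_host_ticket() {
    "$KVNO" "host/$1"
}

if [ "${1:-}" = "--apply" ]; then
    require_otp_on_host "$HOST_A"
    configure_users
    ipa_cmd host-show "$HOST_A" --all
    probe_host_ticket "$HOST_A"
fi
```

`ipa host-show --all` lists the indicator under "Authentication Indicators",
and the `kvno` probe shows that enforcement happens in the KDC regardless of
how SSSD labels the prompt; the "(optional)" wording is purely the
client-side issue the SSSD ticket tracks.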


[Freeipa-users] Re: ManageIQ/Cloudforms integration

2019-01-22 Thread Alexander Bokovoy via FreeIPA-users

On ti, 22 tammi 2019, Sigbjorn Lie-Soland via FreeIPA-users wrote:

You don’t know everything there is to know about IPA? I’m sure that’s
not true….hehe ;)

We do have IPA integrated with Satellite 6. However the integration
capabilities of Satellite 6/The Foreman is limited to creating/removing
IPA host records, and creating/removing DNS forward/reverse records.

I see Ansible modules is available for managing hbacrules and
sudorules. I suppose this may be a possible point of integration for
Cloudforms I could investigate.

Whoever created those Ansible modules and contributed them, certainly
never consulted about that with FreeIPA upstream. So we don't really
have any comments on whether those are usable or useful in all cases.

Thanks.


Regards,
Siggi




On 22 Jan 2019, at 13:15, Rob Crittenden wrote:

Sigbjorn Lie-Soland wrote:

Hi Rob,
Thank you for your reply.
Yes I am aware of the automember functionality. I’ve configured several 
automember rules matching the objectclass, which is populated by Satellite with 
the Satellite hostgroup, and some automember rules matching the fqdn. 
Automember is an awesome functionality! However automember does not cover all 
use cases unfortunately.
If I am to understand the response correct, there are currently no publicly 
known automate code for ManageIQ/Cloudforms for IPA?


There could be, I don't know everything :-) It is possible they have some 
integration they haven't told us about, or it is usable via The Foreman or 
something.

rob


Regards,
Siggi

On 14 Jan 2019, at 20:35, Rob Crittenden via FreeIPA-users 
 wrote:

Sigbjorn Lie-Soland via FreeIPA-users wrote:

Hi list,


Is there a known repository with an existing ManageIQ/Cloudforms
Automate framework for FreeIPA?


I am primarily looking for the ability to create HBAC and SUDO rules as
part of the provisioning process.


You may be able to do it using automember hostgroups:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/automember

If some regular expression is matched when a host is added it can be
added automatically to a hostgroup. You can then define HBAC and SUDO
rules to grant access via that hostgroup.

fqdn was the original idea for the matching rule. The user who
contributed the feature used a specific naming pattern for his hosts
(webserver-1234, mailserver-98aa, etc). So it was straightforward.

rob


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: ManageIQ/Cloudforms integration

2019-01-22 Thread Alexander Bokovoy via FreeIPA-users

On ti, 22 tammi 2019, Fabien Dupont via FreeIPA-users wrote:

Are there any plans to see modules created and maintained by FreeIPA 
developers, then ? It would be great :)

At this point we concentrate on making
https://github.com/freeipa/ansible-freeipa production quality.

These roles are more important at the moment.

For generic management operations, I'm not sure the Ansible approach with
manually coded 'modules' of IPA framework-provided commands makes sense
at all. There needs to be more work done on making various authentication
methods work (including GSSAPI) first; then ideally there should be a
re-use of IPA framework dynamic metadata discovery and argument checking
to avoid hardcoding various conditions and requirements.

At that point, using the Python API already provided by IPA is worth more
than an effort to duplicate it without IPA itself.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: fiddling with Win2016 trust - users

2019-01-23 Thread Alexander Bokovoy via FreeIPA-users

On ke, 23 tammi 2019, lejeczek via FreeIPA-users wrote:

On 17/01/2019 11:43, Alexander Bokovoy wrote:

On to, 17 tammi 2019, lejeczek via FreeIPA-users wrote:

On 16/01/2019 19:26, John Keates wrote:

There is no enumeration support, but if you want to figure out if
your connection works, try getent on a group or user (or using id on
a group or user). If those don’t work the AD Trust might not be
working correctly.
I start the trusts on the IPA side and use Domain Admin creds (and
not a secret or token), that always works for me.

If the trust works but something else is wrong, you can check if the
trusts are listed and domains can be fetched from the trust. If you
don’t even have those, the trust doesn’t work at all. If do you have
those it’s a different problem.

Does the trust show on the DC in the trust settings?


Trust does show in 2016 DC but because it was started there, that
trust was set up with a shared secret on 2016 and then finished off
on IPAs.

Ah. One-way trust with a shared secret is not supported yet. I need to
merge my patches, hopefully, somewhere after devconf/FOSDEM. It requires
changes to Samba (released in 4.7.11+, 4.8.6+), to SSSD (released in
1.16.3+), and to FreeIPA (not merged yet).


The thing is - I do not have (and cannot have) admin
access/credentials on 2016 AD and in such cases I understand only a
shared key is the option available. Or not?

I have Windows Server 2016 deployment and I have access to admin creds
there without any problems. Unless you are trying to say that your
administrators don't like to give you temporary membership in a 'Domain


How temporary would that have to be?

Is it just for the time when IPA adds a trust, and such admin access can
be removed right after that?

Yes, just at that time.


What when one needs to add a controller at later time, and related stuff?

Adding a trust controller is unrelated to adding a trust itself.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: de/selecting AD's users

2019-01-25 Thread Alexander Bokovoy via FreeIPA-users

On to, 24 tammi 2019, lejeczek via FreeIPA-users wrote:

On 23/07/2018 09:33, Alexander Bokovoy wrote:

On ma, 23 heinä 2018, lejeczek via FreeIPA-users wrote:

hi guys

I wonder, and hope you guys could tell, if it's possible in IPA, when
there is a one-way trust established between AD & IPA, to allow only
certain accounts to log in & access IPA's resources?

An ideal scenario I'm looking for is where all users from AD are
initially disallowed to login & access IPA domain, and then admin can
allow such user on per user or group basis.

Is something like that "built-in" IPA's feature?

HBAC rules were created for that reason -- if you create explicit rules
to allow access where required and then disable 'allow_all' rule, you'd
achieve it. Remember that you need to include a POSIX group your AD users
are member of into HBAC rules because that's how SSSD enforces the
rules on POSIX level.


How could all AD users be caught in one go, or as one group?

I once found a doc talking about a technique(was it with regards to
samba?) where all AD users were "mangled" in one group/gid(and by
default I see each AD user has unique gid in IPA), but I cannot find
this website now. Would that be one way of getting them into HBAC?

Please read the documentation. Also, this topic was raised multiple
times on this list in the past.

There is an example for 'catching all' in the `ipa help group` output.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
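As an added example (not part of the thread, and not the `ipa help group`
text itself): the "catch all AD users" pattern Alexander points to, an
external group holding the AD group as member and nested in a POSIX group,
followed by the default-deny HBAC posture from his earlier reply in this
thread and a server-side check. The AD domain `ad.test`, the groups
`ad_users_external` / `ad_users`, the rule `allow_ad_users`, the hostgroup
`ad-accessible`, the user `jdoe`, the host `client01.ipa.test`, the
`--apply` switch and the `IPA` override variable are assumptions made for
this example.

```shell
#!/bin/sh
# Added example, not code from the thread and not the 'ipa help group' text:
# map all AD users into one POSIX group and use it in a default-deny HBAC
# set-up. Hypothetical names: AD domain ad.test, IPA groups ad_users_external
# and ad_users, rule allow_ad_users, hostgroup ad-accessible, AD user jdoe,
# client client01.ipa.test.
# Set IPA to a command that prints its arguments (e.g. IPA=echo) for a dry run.

IPA="${IPA:-ipa}"
AD_DOMAIN="${AD_DOMAIN:-ad.test}"
AD_GROUP="${AD_GROUP:-Domain Users}"
EXT_GROUP="${EXT_GROUP:-ad_users_external}"
POSIX_GROUP="${POSIX_GROUP:-ad_users}"
RULE="${RULE:-allow_ad_users}"

ipa_cmd() {
    "$IPA" "$@"
}

# By default every AD user is a member of its domain's "Domain Users" group,
# so one external member captures them all. The external group carries AD
# SIDs and has no GID; nesting it in a POSIX group gives SSSD on the client
# a group it can match when it enforces HBAC.
map_all_ad_users() {
    ipa_cmd group-add --desc="All $AD_DOMAIN users (external)" "$EXT_GROUP" --external
    ipa_cmd group-add-member "$EXT_GROUP" --external="${AD_DOMAIN}\\${AD_GROUP}"
    ipa_cmd group-add --desc="All $AD_DOMAIN users (POSIX)" "$POSIX_GROUP"
    ipa_cmd group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
}

# Grant first, then close the door: the explicit rule exists before allow_all
# is disabled, so a half-applied run never locks everyone out. IPA users need
# their own explicit rules before this step as well.
restrict_ad_access() {
    ipa_cmd hbacrule-add "$RULE" --servicecat=all
    ipa_cmd hbacrule-add-host "$RULE" --hostgroups=ad-accessible
    ipa_cmd hbacrule-add-user "$RULE" --groups="$POSIX_GROUP"
    ipa_cmd hbacrule-disable allow_all
}

# Server-side evaluation for one AD user on one host and service. The master
# running this must be a trust agent or controller to resolve the AD user.
check_ad_user() {
    ipa_cmd hbactest --user="$1@$AD_DOMAIN" --host="$2" --service=sshd
}

if [ "${1:-}" = "--apply" ]; then
    map_all_ad_users
    restrict_ad_access
    check_ad_user jdoe client01.ipa.test
fi
```

Per-user or per-team allow-listing is then a matter of adding narrower AD
groups as external members of further external/POSIX group pairs and
naming those in their own rules; the catch-all rule can stay disabled until
needed.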


[Freeipa-users] Re: Centos update breaks access to samba shares

2019-01-25 Thread Alexander Bokovoy via FreeIPA-users

On to, 24 tammi 2019, Jeff Goddard via FreeIPA-users wrote:

Hi everyone,

Yesterday I updated our (Centos 7) Freeipa servers and it seems that now
the samba shares hosted on one of them is no longer accessible. I've done
some reading and see that authentication now requires the winbind package
to be running, and in our case it is, but I'm still not able to
authenticate users on either Windows or Linux. We do not use AD so there
are no trusts to worry about. Has anyone else experienced this and know a
solution?

Please read
https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/File_Servers/
-- I tried to collect there all important changes that happened in Samba
between 4.6 and 4.9. RHEL/CentOS is now at 4.8.

Also, please show exact errors that appear in the logs (and your
configuration). Samba has a multitude of configuration options, it is
impossible to tell 'what is wrong' without more details.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: IPA Infrastructure Design Question with multiple IPA Clusters

2019-01-27 Thread Alexander Bokovoy via FreeIPA-users

On ma, 28 tammi 2019, TomK via FreeIPA-users wrote:

Suppose I have the following scenario:

AD DC Cluster   =   b.a  ( user: b.a\jack )
IPA Cluster 01  = c.b.a
IPA Cluster 02  = d.b.a
IPA Cluster 03  = e.b.a

If I setup all 3 IPA clusters as subdomains of b.a, I know each one 
can establish a trust with the AD DC and I can authenticate as 
'b.a\jack' through servers connected to each cluster.


But if I want to do something like this (just theoretical):

AD DC Cluster   =   b.a  ( user: b.a\jack )
IPA Cluster 01  = c.b.a
IPA Sub Cluster 01  = d.c.b.a
IPA Sub Cluster 02  = e.c.b.a

Meaning only c.b.a has a trust with the AD DC Cluster but d.c.b.a and 
e.c.b.a don't have a direct trust with the AD DC however c.b.a 
forwards anything on 'd' and 'e' over to the sub clusters.

You are using confusing terminology. We don't have 'clusters' and I
suspect you are speaking about IPA realm in each case, so c.b.a,
d.c.b.a, and e.c.b.a are three different IPA deployments, each with its
own Kerberos realm.


Can the IPA Cluster 01 'delegate' the AD DC trust to the sub IPA 
clusters?  I imagine it's not possible.

It cannot, indeed. It is a requirement of forest trust in Active
Directory: forest trust is not transitive (if forest A trusts forest B
and forest B trusts forest C, you need to establish an explicit forest
trust between A and C to make it work).

It doesn't matter where DNS-wise those zones are located, this is about
trust relationship, not DNS zones.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: IPA and legacy systems

2019-01-28 Thread Alexander Bokovoy via FreeIPA-users

On ma, 28 tammi 2019, Ronald Wimmer via FreeIPA-users wrote:
What would be a good solution to add systems where the FQDN cannot be 
changed?


Would it make sense to add a second DNS A Record in the IPA domain for 
each of these systems?


Is there any experience on how to deal with such a situation?

Really depends on where these existing clients are located and what is
their function. Do they belong to some other Kerberos realm already?
Like some Active Directory domain?

Some scenarios are covered by
https://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/
and related articles linked from that blog.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: IPA and legacy systems

2019-01-28 Thread Alexander Bokovoy via FreeIPA-users

On ma, 28 tammi 2019, François Cami wrote:

On Mon, Jan 28, 2019 at 1:02 PM Ronald Wimmer via FreeIPA-users
 wrote:


On 28.01.19 12:42, Alexander Bokovoy wrote:
> On ma, 28 tammi 2019, Ronald Wimmer via FreeIPA-users wrote:
> [...]
>> Is there any experience on how to deal with such a situation?
> Really depends on where these existing clients are located and what is
> their function. Do they belong to some other Kerberos realm already?
> Like some Active Directory domain?
>
> Some scenarios are covered by
> https://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/
> and related articles linked from that blog.

It looks like option 3b from your link would work. I do not care if I
lose Kerberos functionality. What I do care about is if I still have the
possibility to use

- IPA users for logging in on these systems
- users coming from AD
- sudo rules
- HBAC rules


The thing is, if I'm not mistaken Kerberos is required for sudo and
HBAC to work.

No. id_provider=ipa is required but that means SSSD would by default use
the host/... Kerberos principal to talk to IPA masters. That's all enabled
and will work just fine if krb5.conf on the client maps the hostname of
this machine to the IPA realm. What will not work is Kerberos (GSSAPI)
authentication from Windows clients to these machines because at that
point Windows systems will rely on the AD DCs' knowledge of where host/...
belongs (which realm), and those will see a host from *.mydomain.at
and consider it as belonging only to the AD DC. They also will not find the
host in AD (since it is not really enrolled in AD) and thus will deny
any Kerberos service ticket to services hosted on that machine. At no
point will they consider that this host belongs to some other
realm (IPA).
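As an added example that is not part of this thread, this is what the client-side krb5.conf mapping described above could look like for the legacy host that appears later in the thread (server5.mydomain.at, IPA domain a.mydomain.at, AD domain mydomain.at); the realm names A.MYDOMAIN.AT and MYDOMAIN.AT are assumed to be the upper-cased DNS domains, and the comments are mine.

```ini
# /etc/krb5.conf excerpt (added example, not from the thread).
# Assumed: IPA realm A.MYDOMAIN.AT, AD realm MYDOMAIN.AT, and a legacy
# host server5.mydomain.at that cannot be renamed into a.mydomain.at.
[libdefaults]
    default_realm = A.MYDOMAIN.AT
    dns_lookup_realm = false
    dns_lookup_kdc = true

[domain_realm]
    # MIT krb5 tries the exact host name before stripping labels, so this
    # single entry pins the legacy host to the IPA realm even though its
    # parent domain (below) maps to AD.
    server5.mydomain.at = A.MYDOMAIN.AT

    # Hosts in the IPA DNS domain belong to the IPA realm.
    .a.mydomain.at = A.MYDOMAIN.AT
    a.mydomain.at = A.MYDOMAIN.AT

    # Everything else under mydomain.at still belongs to AD.
    .mydomain.at = MYDOMAIN.AT
    mydomain.at = MYDOMAIN.AT
```

This only changes how clients reading this file pick the realm for host/server5.mydomain.at; the AD DCs keep their own view, which is exactly the limitation described above, so GSSAPI from Windows clients to that host is still expected to fail.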






Cheers,
Ronald


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: IPA and legacy systems

2019-01-29 Thread Alexander Bokovoy via FreeIPA-users

On ti, 29 tammi 2019, Ronald Wimmer via FreeIPA-users wrote:
I successfully registered my server server5.mydomain.at. After setting 
up an appropriate HBAC rule as well as setting the default domain in 
the sssd.conf to a.mydomain.at I tried to connect to the server via 
SSH using:


myusern...@mydomain.at

This fails because the UPN seems to be picked:

[sssd[krb5_child[24704]]]: Client 'ronald.wim...@mydomain.at' not 
found in Kerberos database


(After the migration to Office365 the UPN looks like 
name.surn...@mydomain.at.)


On other IPA clients the correct user is taken. 
(employeenum...@a.mydomain.at)


My /etc/krb5.conf looks like this:

I think you need to tune sssd configuration here. Sumit or Jakub may
have more details on what exact options should be used.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: IPA and legacy systems

2019-01-29 Thread Alexander Bokovoy via FreeIPA-users

On ti, 29 tammi 2019, Ronald Wimmer via FreeIPA-users wrote:

On 29.01.19 12:28, Alexander Bokovoy via FreeIPA-users wrote:

[...]
I think you need to tune sssd configuration here. Sumit or Jakub may
have more details on what exact options should be used.


Should I contact them directly or are they gonna read this here anyway?

I think they both read this list.


I tested an IPA user - that worked perfectly.

It is not an IPA thing -- supporting AD UPNs is a bit more complex than
supporting aliases in the IPA case. Unfortunately, I cannot find consistent
user-level documentation for that.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Transitive trust with AD domain that has already a trust with a 3rd domain.

2019-01-30 Thread Alexander Bokovoy via FreeIPA-users

On ke, 30 tammi 2019, SOLER SANGUESA Miguel via FreeIPA-users wrote:

Hello,
I have 2 AD domains on windows 2016 with a forest trust, two-way, and "Selective 
authentication":
mydomain.com <--trust--> other.company.org

Now I have built an IDM instance on RHEL 7.5 and IPA version 4.5.4 on
the subdomain "ipa.mydomain.com". I need to use users from the 2
domains above, so I have created a transitive, one-way trust:
ipa.mydomain.com --trust--> mydomain.com



But I cannot do the trust between ipa.mydomain.com <--
other.company.org because on the AD side there is already a trust between
other.company.org and the root of ipa (mydomain.com).  As the trust is
transitive, in theory users from other.company.org should be allowed on
the ipa subdomain because:
ipa.mydomain.com --trust--> mydomain.com <--trust--> other.company.org

This is working as designed.



I can get a kerberos TGT with: "kinit u...@other.company.org"
But I cannot do "id u...@other.company.org", nor can I add it to
an external group; it complains: member group: u...@other.company.org:
invalid 'trusted domain object': domain is not trusted"

Should I change something in the sssd or kerberos configuration to
make the users trusted by my trust work?  Is the "Selective
authentication" configured at AD level the problem?

You have to configure separate forest trusts to both mydomain.com and
other.company.org from the IPA side. There is no way around it. Selective
authentication only affects the forest trust link between the two forests.

This is a fundamental design decision in Active Directory architecture,
nothing specific to FreeIPA. 


See section 'Forest trusts' in the following document:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)

--
A forest trust can be created only between a forest root domain in one
Windows Server 2003 forest and a forest root domain in another Windows
Server 2003 forest. Forest trusts can be created between two forests
only and cannot be implicitly extended to a third forest. This means
that if a forest trust is created between Forest 1 and Forest 2, and
another forest trust is created between Forest 2 and Forest 3, Forest 1
does not have an implicit trust with Forest 3. 
--






--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Transitive trust with AD domain that has already a trust with a 3rd domain.

2019-01-31 Thread Alexander Bokovoy via FreeIPA-users

On to, 31 tammi 2019, SOLER SANGUESA Miguel wrote:

Hello and thanks for your time,



My first approach was to create 2 trusts:

ipa.mydomain.com --trust--> mydomain.com (already DONE)

ipa.mydomain.com --trust--> other.company.org  (not possible)



When I try to do the second one, I have the error:

# ipa trust-add --type=ad other.company.org --range-type=ipa-ad-trust --all --external=true

Active Directory domain administrator: ad_ADMIN

Active Directory domain administrator's password:

ipa: ERROR: CIFS server communication error: code "-1073741771", message "The object name 
already exists." (both may be "None")



Checking the http error log with samba debug = 100, we have:
result   : NT_STATUS_OBJECT_NAME_COLLISION




On AD side we have:
"a trust relationship with the domain you specified already exist"




That is because we already have a transitive trust between
other.company.org  and mydomain.com, so *.mydomain.com (in our case
ipa.mydomain.com) already has a trust with other.company.org on AD
side.

Correct, the issue here is not ipa.mydomain.com but that the trust
between mydomain.com and other.company.org does not have an exclusion
entry for ipa.mydomain.com. You should be able to add one on
other.company.org side for a trust to mydomain.com.



Then, the only way I see is using the transitivity for making users
from other.company.org, login on ipa.mydomain.com services. Is that
possible?

It is possible, if you arrange it properly.


That's the reason I'm thinking that "Selective authentication"
can be the problem.

Nope.

Add an exclusion entry on mydomain.com trust at other.company.org that
tells that 'ipa.mydomain.com' is excluded from that trust.

Then add a trust between ipa.mydomain.com and other.company.org. You
don't need to use --external trust flag (better not to).


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: light sub-cas crl / ocsp urls

2019-01-31 Thread Alexander Bokovoy via FreeIPA-users

On to, 31 tammi 2019, Natxo Asenjo via FreeIPA-users wrote:

hi,

at work I am testing using a light sub-ca with openvpn to limit the scope
of hosts that can auto request a certificate.

So far so good, really impressed with how well it works.

The question I cannot answer is: are there specific urls for crl/ocsp for
sub-cas, or do the 'generic' crl/ocsp url apply to sub-cas as well?

There is no CRL support for subCAs. OCSP should work just fine.

See https://bugzilla.redhat.com/show_bug.cgi?id=1478394 for details.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Log into web UI with AD user?

2019-02-07 Thread Alexander Bokovoy via FreeIPA-users

On ke, 06 helmi 2019, Charles Ulrich via FreeIPA-users wrote:

Hello,

I'm setting up a test instance of FreeIPA with a one-way trust to the
organization's AD. So far, that all appears to be working. I can run
LDAP queries to look up users, I can log into the test instance via
Kerberos, it's all golden. What I would like to do next is to add certain
external AD users to the "admins" FreeIPA group so that these users can
log into the FreeIPA web UI and perform administrative actions the same
as the built-in "admin" user can. So far I spent about a day reading
docs, googling, and trying things out but haven't yet made this work.
Here is what I've done so far:

This is not supported in anything but RHEL 8.0 beta when you install

yum module enable idm:DL1
yum module install idm:DL1/adtrust

and then set things up for the trust to use as documented at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/installing_identity_management_and_access_control/enabling-ad-user-to-administer-idm-fin-fin

No other distribution has experimental support to manage IPA as Active
Directory user. It is experimental because a number of things still
don't work.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: AD Trust: Add "mail" user attribute to AD -> IPA transfer

2019-02-08 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 07 Dec 2018, Lenhardt, Matthias via FreeIPA-users wrote:

Hi,

we have an IPA 4.6.4 environment with an AD Trust configured and everything's 
working perfectly.

My question is: Is it possible to configure that extra AD user
attributes are transferred? I would need the AD user attribute "mail"
with the user's email address.

This question came up after I tried to connect GitLab to IPA and
authentication with an AD user fails, because IPA doesn't have the
"mail" attribute of the user, so login is denied. (Authentication on
Linux systems is working).

There are so many assumptions in my answer below because you didn't
really tell us what you do.

I assume you are talking about use of the Compat tree to connect your
GitLab instance via LDAP to IPA. I assume you are searching for both AD
and IPA users in the cn=compat,$SUFFIX.

If that's a correct assumption, there is nothing to help here. The Compat tree
is populated using two sources:

- for IPA users it picks up details from the cn=accounts,$SUFFIX
- for AD users it queries SSSD on IPA master using a specialized API
 that only returns details of POSIX attributes

There is no such thing as 'mail' in POSIX attributes and we cannot
really retrieve it via existing API.

I think a better approach would actually be to get GitLab and similar
solutions to move on to use SAML2 or OpenID Connect connectors instead
of looking up everything in LDAP directly. This is GitLab EE feature but
it is really meant to solve this kind of problem. See
https://docs.gitlab.com/ee/integration/saml.html for details. If you'd
use Keycloak or Ipsilon with SSSD backend as an IdP, you will get all
those details and more available to GitLab.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Add a picture to freeipa user

2019-02-08 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 08 Feb 2019, Rufa Rufa via FreeIPA-users wrote:

Hello,

Can someone please help me to add a picture to the freeipa user, i did
the following steps:


First, you don't need to add any additional attributes. The jpegPhoto
attribute is already in the default 389-ds set of LDAP schemas, since it
is part of RFC 2798 for the inetOrgPerson object class. It is a binary
attribute, so the data is stored in LDAP rather than specifying an
external path.

Since any IPA user has the inetOrgPerson object class set by default, just
adding jpegPhoto to the list of attributes returned by default would
make it visible via the IPA API. But it is binary data, so getting the
ability to add it from a file needs a change in a client-side API override
to replace binary data with a file-based object. Finally, to get it
displayed in the Web UI you need to create a JavaScript plugin.

I'd suggest you look into the sample plugins I did that demonstrate how
all this can be done; for example, with
https://github.com/abbra/freeipa-userstatus-plugin/tree/master/plugin
you can get a base setup.

All you need to do is to create a definition of a photo-based parameter:


from ipaserver.plugins.user import user
from ipalib.parameters import Bytes
from ipalib import _

# Extend the user object with a binary 'jpegphoto' parameter exposed on
# the CLI as --photo.
user.takes_params += (
    Bytes('jpegphoto',
          cli_name='photo',
          label=_('User photo'),
    ),
)

# Return jpegphoto together with the other default user attributes.
user.default_attributes.append('jpegphoto')
---

This is a basic setup for a server-side plugin
(that would be plugin/ipaserver/plugins/userphoto.py in the terms of
the structure defined in my sample plugins if the plugin is called
'userphoto').

To be able to supply a file through the client (ipa user-mod foo
--photo=/some/path/to/file.jpg), you need to override the client side to
say that you accept a File instead of Bytes. I copied the following from
the freeipa-desktop-profile plugin which does the same for FleetCommander
integration (https://github.com/abbra/freeipa-desktop-profile):


from ipaclient.frontend import MethodOverride
from ipalib.parameters import File
from ipalib.plugable import Registry

register = Registry()


@register(override=True, no_fail=True)
class baseuser_add(MethodOverride):
    def get_options(self):
        # In interactive (CLI) use, accept a file path instead of raw bytes.
        for opt in super(baseuser_add, self).get_options():
            if opt.name == 'jpegphoto' and self.env.interactive:
                opt = opt.clone_retype(opt.name, File)
            yield opt


@register(override=True, no_fail=True)
class baseuser_mod(MethodOverride):
    def get_options(self):
        for opt in super(baseuser_mod, self).get_options():
            if opt.name == 'jpegphoto' and self.env.interactive:
                opt = opt.clone_retype(opt.name, File)
            yield opt


That should go into plugin/ipaclient/plugins/userphoto.py

Finally, for Web UI, you need to just add a div that has your photo
displayed, pretty much like userstatus sample plugin adds its own UI
elements into the misc section.

See
https://github.com/abbra/freeipa-userstatus-plugin/blob/master/plugin/ui/userstatus.js
for details on that. We push a radio box there but you'd need to create
a class derived from IPA.field that shows a picture and also provides an
input field to upload a jpeg
file. See Web UI API at https://pvoborni.fedorapeople.org/api/#!/api/IPA.field
and you need to learn a bit more from the FreeIPA source code in 
freeipa/install/ui/src/freeipa/

If you are interested in getting this work done, make sure to subscribe to 
freeipa-devel@ and discuss it there.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Add a picture to freeipa user

2019-02-11 Thread Alexander Bokovoy via FreeIPA-users

On ma, 11 helmi 2019, Boudjoudad Abdelkader wrote:

Hello Alexander and thank you for the quick reply,

Our goal in adding a picture to freeipa authentication is to increase
security and to be able to access the user's picture when needed; I
don't know if we can do that with a binary file?

From FreeIPA plugin development point of view it does not matter whether
you are storing a path to file or a content of a file at all. All it
changes is how that content (= file path or a binary picture) gets into
the LDAP store.

The rest stays the same and you need to develop a plugin along those
instructions.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Map local user to kerberos

2019-02-12 Thread Alexander Bokovoy via FreeIPA-users

On ke, 13 helmi 2019, Николай Савельев via FreeIPA-users wrote:

Hi.
I want to configure some app (1c enterprise) for authentication via freeipa.
This app uses a mapping of the local user usr1cv8 to the kerberos user
usr1cv8@KERBEROS.DOMAIN

All manuals are about mapping with an Active Directory user. Russian - 
https://its.1c.ru/db/metod8dev#content:2799:hdoc English - 
https://1c-dn.com/library/Kerberos_authentification_setup_example_for_Linux_version_of_1c_enterprise_server/

What do I have to change for freeipa?
Can I create service usr1cv8/host@IPA.DOMAIN?
Or how can I map a local user to an ipa user?

You don't need to do anything like that. The documentation 1C provides
really boils down to (on the machine where 1C is deployed):

kinit -k
ipa service-add usr1cv81/`hostname`
ipa-getkeytab -p usr1cv81/`hostname` -k /opt/1C/v8.1/i386/usr1cv81.keytab

That's all. The host/... principal on each enrolled host is allowed to
create services on the same host so 'ipa service-add' works just fine.
ipa-getkeytab is what asks IPA to create a key for this Kerberos
principal and then store it locally in the keytab where 1C expects to
find it.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: getent group doesn't show private group on one IPA server, but does on another.

2019-02-17 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 17 Feb 2019, TomK via FreeIPA-users wrote:

Hey All,

Scenario:

Two IPA clusters, both with a unique trust to the same AD DC.  One 
picks up the private group, the other doesn't.  I can login with the 
AD user to both:



IPA Cluster 1 (ipa01, ipa02) - a.abc.123
# getent group alex@abc.123
alex@abc.123:*:155601104:
#


IPA Cluster 2 (ipa03, ipa04) - b.abc.123
# getent group alex@abc.123
#

Curious if anyone ran into the above before and is willing to throw in 
a hint or two?  Would be appreciated.

You need to start with standard debugging technique for this case:
- get SSSD debug level set for a domain and nss section on IPA master used
  for resolution requests
- issue your request
- collect sssd logs and see what happens

If you have it working on IPA master but not on IPA client, gather the
same amount of logs on both IPA client and IPA master from the same time
frame.

SSSD troubleshooting page is 
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Certificate operation cannot be completed: Unable to communicate with CMS (Comment not terminated, line 2, column 1)

2019-02-19 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 19 Feb 2019, Adrian Villwock via FreeIPA-users wrote:

Hi,

thank you for your hint. I tried to delete the files and re-run the
"ipa-pkinit-manage enable". Unfortunately, it still seemed to get
stuck.

---

I found some valuable information then in the "/var/log/messages":
certmonger: 2019-02-19 02:29:18 [14377] Error 7 connecting to 
https://:8443/ca/ee/ca/profileSubmitSSLClient: Couldn't connect 
to server.
...

Well, there is no CA on this host (and 8443 is not listening). However, I tried to 
install the replica with the "--setup-ca" argument once and this may be an 
issue.
This led me to issue 7795: https://pagure.io/freeipa/issue/7795

---

I tried to apply the patch you submitted at
https://pagure.io/freeipa/c/778521053336a4ba09923b4b1f9cac0dff72f634 to
the /usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py.
Since the package "ipaserver.masters" is not part of my release
version, I simply set localhost_has_ca to False.

---

After re-running the approach above (rm key/crt and ipa-pkinit-manage enable), 
we now get in log/messages:
...
certmonger: Request for certificate to be stored in file 
"/var/kerberos/krb5kdc/kdc.crt" rejected by CA.
...

I tried kdestroy / kinit admin to make sure, the new IPA has valid tickets - 
didn't change the situation.

---

So, I check the logs on the IPA master:

/var/log/httpd/error_log:
[:error] [pid 23785] ipa: INFO: [xmlserver] host/@: cert_request(u'', 
profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/@', add=True, 
version=u'2.51'): ACIError

I looked for some log files processed by the CA on port 8443, but nothing 
seemed suspicious there (e.g. /var/log/pki/pki-tomcat/ca/debug).



This is a correct answer here -- FreeIPA 4.4 does not support PKINIT so
it will not be able to issue a proper PKINIT certificate.

I think your option is to upgrade 4.4 to 4.5 first or install 4.5 with
--setup-ca and decommission 4.4 master.

See https://www.freeipa.org/page/V4/Kerberos_PKINIT, in particular,
Upgrade section. 


---

Right now:
openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt | grep Issuer
   Issuer: O=DE.BIGDATA.DIR, CN=

That is not the CA.

---

I will try the Replication on a fresh host tomorrow.

Kind regards
Adrian


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: ipaclient user unable to ssh with ProxyCommand

2019-02-21 Thread Alexander Bokovoy via FreeIPA-users

On to, 21 helmi 2019, Albert Szostkiewicz via FreeIPA-users wrote:

Hi,

I have decided to install freeIPA on my already fully working, small
home network.  After I have installed freeIpa Client on one of
workstations, that client immediately was unable to ssh anywhere (not
even its own host)
Initially I've created bug report (with logs) here:
https://pagure.io/freeipa/issue/7869.

While googling around i found that somebody had similar issue here in
2016:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00277.html

While disabling ProxyCommand DID "fix" my issue and i can ssh without
issues, but afaik "proxy is needed for SSSD SSH integration (public
keys and fingerprints)", therefore it does not sound like a solution.

$ ssh 10.0.3.30 -v
.
enssh.com,chacha20-poly1...@openssh.com,aes256-ctr,aes256-cbc,aes128-...@openssh.com,aes128-ctr,aes128-cbc
debug1: ssh_exchange_identification: penssh.com,hmac-sha2-512
ssh_exchange_identification: Connection closed by remote host

$ cat sssd_ssh.log
[sssd[ssh]] [sysdb_update_ssh_known_host_expire] (0x0400): Updating known_hosts 
expire time of host ipaserver.home.mydomain.com
[sssd[ssh]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this 
DN type, skipping
[sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
[sssd[ssh]] [sss_domain_get_state] (0x1000): Domain home.mydomain.com is Active
[sssd[ssh]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this 
DN type, skipping
[sssd[ssh]] [unique_filename_destructor] (0x2000): Unlinking 
[/var/lib/sss/pubconf/.known_hosts.5fwN98]
[sssd[ssh]] [unlink_dbg] (0x2000): File already removed: 
[/var/lib/sss/pubconf/.known_hosts.5fwN98]
[sssd[ssh]] [client_idle_handler] (0x2000): Terminating idle client 
[0x55cb9d414d30][23]
[sssd[ssh]] [client_close_fn] (0x2000): Terminated client [0x55cb9d414d30][23]

Can you please provide sssd_.log output for the time when you
tried to access the system?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Recreating a VM with same host name and re-registering it with FreeIPA

2019-02-22 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 22 Feb 2019, TomK via FreeIPA-users wrote:

On 2/20/2019 10:58 PM, TomK wrote:

On 2/20/2019 10:13 PM, Rob Crittenden via FreeIPA-users wrote:

TomK via FreeIPA-users wrote:

Hey All,

Getting a scenario where the hostname doesn't resolve to the new IP if
the VM is recreated multiple times against an IPA server.

I've tried clearing the caches on the clients but no luck. I have to
allow a specific amount of time to pass before I can use the DNS name
that now points to a different (new) IP that was assigned via DHCP.

This apparently also impacts the automounter and it won't work until
much later either. I won't be able to use the NFS mount configured
until then. On initial login users need to wait about 5 minutes before
they can login with home folder set to / instead as a result:

Using username "abc.123\sam".
Using keyboard-interactive authentication.
Password:
Creating home directory for abc.123\sam.
Last login: Wed Feb 20 02:39:18 2019 from 192.168.0.76
Could not chdir to home directory /n/abc.123/sam: No such file 
or directory

-sh-4.2$

Has anyone seen this scenario before and have a general high level idea
where I could start to poke? Seems to me like a DNS Cache Refresh or
Timeout but not sure about the specifics.

/n/abc.123/sam exists and mount works off of other hosts that have been
around for a while.



I'd guess it is the DNS TTL. You'd need to lower that in the DNS server.

I assume this is some sort of dev or qe box that is re-provisioned
frequently?


That's correct.


Fixed.  At least the above immediate issue.  Ended up restarting the 
client and the NFS services on the NFS cluster one by one.


I notice now as well that the ID assigned to AD users has changed in 
the latest versions of SSSD / IPA.  The UNIX Attributes that were 
always set in the AD DC are now being respected:


OLD SSSD / IPA:

# id sam@abc.123
uid=155601104(sam@abc.123) / gid=155601107(nixgrp@abc.123)

NEW SSSD / IPA:
# id sam@abc.123
uid=1(sam@abc.123) / gid=1(nixgrp@abc.123)
@abc.123)

This is probably due to you not forcing a specific ID range type when
creating the trust, so it picked up what it was able to autodetect, e.g.
POSIX attributes in AD.

Would the ID's on the old IPA / SSSD setup be retained if the old IPA 
cluster were to be upgraded?

The change only applies when you are removing trust to AD and existing
ID ranges. Otherwise it should not change at all.

Show your 'ipa idrange-find' output.



--
Cheers,
Tom K.






rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Recreating a VM with same host name and re-registering it with FreeIPA

2019-02-24 Thread Alexander Bokovoy via FreeIPA-users

On Sat, 23 Feb 2019, TomK via FreeIPA-users wrote:

On 2/22/2019 9:51 AM, Alexander Bokovoy via FreeIPA-users wrote:

On Fri, 22 Feb 2019, TomK via FreeIPA-users wrote:

On 2/20/2019 10:58 PM, TomK wrote:

On 2/20/2019 10:13 PM, Rob Crittenden via FreeIPA-users wrote:

TomK via FreeIPA-users wrote:

Hey All,

Getting a scenario where the hostname doesn't resolve to the new IP if
the VM is recreated multiple times against an IPA server.

I've tried clearing the caches on the clients but no luck. I have to
allow a specific amount of time to pass before I can use the DNS name
that now points to a different (new) IP that was assigned via DHCP.

This apparently also impacts the automounter and it won't work until
much later either. I won't be able to use the NFS mount configured
until then. On initial login users need to wait about 5 minutes before
they can login with home folder set to / instead as a result:

Using username "abc.123\sam".
Using keyboard-interactive authentication.
Password:
Creating home directory for abc.123\sam.
Last login: Wed Feb 20 02:39:18 2019 from 192.168.0.76
Could not chdir to home directory /n/abc.123/sam: No such 
file or directory

-sh-4.2$

Has anyone seen this scenario before and have a general high level idea
where I could start to poke? Seems to me like a DNS Cache Refresh or
Timeout but not sure about the specifics.

/n/abc.123/sam exists and mount works off of other hosts that have been
around for a while.



I'd guess it is the DNS TTL. You'd need to lower that in the DNS server.


I assume this is some sort of dev or qe box that is re-provisioned
frequently?


That's correct.


Fixed.  At least the above immediate issue.  Ended up restarting 
the client and the NFS services on the NFS cluster one by one.


I notice now as well that the ID assigned to AD users has changed 
in the latest versions of SSSD / IPA.  The UNIX Attributes that 
were always set in the AD DC are now being respected:


OLD SSSD / IPA:

# id sam@abc.123
uid=155601104(sam@abc.123) / gid=155601107(nixgrp@abc.123)

NEW SSSD / IPA:
# id sam@abc.123
uid=1(sam@abc.123) / gid=1(nixgrp@abc.123)
@abc.123)

This is probably due to you not forcing a specific ID range type when
creating the trust, so it picked up what it was able to autodetect, e.g.
POSIX attributes in AD.

Would the ID's on the old IPA / SSSD setup be retained if the old 
IPA cluster were to be upgraded?

The change only applies when you are removing trust to AD and existing
ID ranges. Otherwise it should not change at all.

Show your 'ipa idrange-find' output.


Yes.  Different ranges exist:

[root@ipa03 ~]# ipa idrange-find

2 ranges matched

 Range name: ABC.123_id_range
 First Posix ID of the range: 1
 Number of IDs in the range: 20
 Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517

 Range type: Active Directory trust range with POSIX attributes

 Range name: B.ABC.123_id_range
 First Posix ID of the range: 116340
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 1
 Range type: local domain range

Number of entries returned 2

[root@ipa03 ~]#


Older cluster:


[root@ipa01 ~]# ipa idrange-find

2 ranges matched

 Range name: ABC.123_id_range
 First Posix ID of the range: 15560
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517

 Range type: Active Directory domain range

 Range name: A.ABC.123_id_range
 First Posix ID of the range: 174660
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 1
 Range type: local domain range

Number of entries returned 2

[root@ipa01 ~]#

I did try to modify the baseID using:

ipa idrange-mod ABC.123_id_range --base-id 15560

and

[root@ipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-B-ABC-123.socket << EOF

dn: cn=ABC.123_id_range,cn=ranges,cn=etc,dc=b,dc=abc,dc=123
changetype: modify
replace: ipabaserid
ipabaserid: 15560
-
replace: ipaBaseID
ipaBaseID: 15560
-
replace: ipaIDRangeSize
ipaIDRangeSize: 20
-
replace: ipaNTTrustedDomainSID
ipaNTTrustedDomainSID: S-1-5-21-1803828911-4163023034-2461700517
-
replace: ipaRangeType
ipaRangeType: ipa-ad-trust-posix
-
EOF

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=ABC.123_id_range,cn=ranges,cn=etc,dc=b,dc=abc,dc=123"
[root@ipa03 ~]#


but even though the number changed, it still shows the earlier 1 
ID for sam@abc.123.  So I'm missing something.  Checked the above 

[Freeipa-users] Re: Ad user password authentication doesn't work

2019-02-24 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 24 Feb 2019, Patrick Irish via FreeIPA-users wrote:

I've been fighting with this for 2 months.  I've rebuilt both the ad
and ip server twice. Currently ipa and ad only contain a single unique
user.  AD and ipa are on separate dns domains (ad.domain.com and
int.domain.com respectively).  AD domain has windows pc joined to it.
IPA server has linux server joined to it.  Any help is greatly
appreciated.

Can you show your sssd configuration? There is something fishy in that
SSSD is not splitting apart your AD user name and is asking AD DCs with
a fully-qualified name (ad.u...@ad.domain.com) instead of just ad.user.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Recreating a VM with same host name and re-registering it with FreeIPA

2019-02-24 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 24 Feb 2019, TomK wrote:

On 2/24/2019 4:53 AM, Alexander Bokovoy via FreeIPA-users wrote:

On la, 23 helmi 2019, TomK via FreeIPA-users wrote:

On 2/22/2019 9:51 AM, Alexander Bokovoy via FreeIPA-users wrote:

On Fri, 22 Feb 2019, TomK via FreeIPA-users wrote:

On 2/20/2019 10:58 PM, TomK wrote:

On 2/20/2019 10:13 PM, Rob Crittenden via FreeIPA-users wrote:

TomK via FreeIPA-users wrote:

Hey All,

Getting a scenario where the hostname doesn't resolve to the new IP if
the VM is recreated multiple times against an IPA server.

I've tried clearing the caches on the clients but no luck. I have to
allow a specific amount of time to pass before I can use the DNS name
that now points to a different (new) IP that was assigned via DHCP.

This apparently also impacts the automounter and it won't work until
much later either. I won't be able to use the NFS mount configured
until then. On initial login users need to wait about 5 minutes before
they can login with home folder set to / instead as a result:

Using username "abc.123\sam".
Using keyboard-interactive authentication.
Password:
Creating home directory for abc.123\sam.
Last login: Wed Feb 20 02:39:18 2019 from 192.168.0.76
Could not chdir to home directory /n/abc.123/sam: No 
such file or directory

-sh-4.2$

Has anyone seen this scenario before and have a general high level idea
where I could start to poke? Seems to me like a DNS Cache Refresh or
Timeout but not sure about the specifics.

/n/abc.123/sam exists and mount works off of other hosts that have been
around for a while.



I'd guess it is the DNS TTL. You'd need to lower that in the DNS server.


I assume this is some sort of dev or qe box that is re-provisioned
frequently?


That's correct.


Fixed.  At least the above immediate issue.  Ended up 
restarting the client and the NFS services on the NFS cluster 
one by one.


I notice now as well that the ID assigned to AD users has 
changed in the latest versions of SSSD / IPA.  The UNIX 
Attributes that were always set in the AD DC are now being 
respected:


OLD SSSD / IPA:

# id sam@abc.123
uid=155601104(sam@abc.123) / gid=155601107(nixgrp@abc.123)

NEW SSSD / IPA:
# id sam@abc.123
uid=1(sam@abc.123) / gid=1(nixgrp@abc.123)
@abc.123)

This is probably due to you not forcing a specific ID range type when
creating the trust, so it picked up what it was able to autodetect, e.g.
POSIX attributes in AD.

Would the ID's on the old IPA / SSSD setup be retained if the 
old IPA cluster were to be upgraded?

The change only applies when you are removing trust to AD and existing
ID ranges. Otherwise it should not change at all.

Show your 'ipa idrange-find' output.


Yes.  Different ranges exist:

[root@ipa03 ~]# ipa idrange-find

2 ranges matched

 Range name: ABC.123_id_range
 First Posix ID of the range: 1
 Number of IDs in the range: 20
 Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517

 Range type: Active Directory trust range with POSIX attributes

 Range name: B.ABC.123_id_range
 First Posix ID of the range: 116340
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 1
 Range type: local domain range

Number of entries returned 2

[root@ipa03 ~]#


Older cluster:


[root@ipa01 ~]# ipa idrange-find

2 ranges matched

 Range name: ABC.123_id_range
 First Posix ID of the range: 15560
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517

 Range type: Active Directory domain range

 Range name: A.ABC.123_id_range
 First Posix ID of the range: 174660
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 1
 Range type: local domain range

Number of entries returned 2

[root@ipa01 ~]#

I did try to modify the baseID using:

ipa idrange-mod ABC.123_id_range --base-id 15560

and

[root@ipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-B-ABC-123.socket << EOF

dn: cn=ABC.123_id_range,cn=ranges,cn=etc,dc=b,dc=abc,dc=123
changetype: modify
replace: ipabaserid
ipabaserid: 15560
-
replace: ipaBaseID
ipaBaseID: 15560
-
replace: ipaIDRangeSize
ipaIDRangeSize: 20
-
replace: ipaNTTrustedDomainSID
ipaNTTrustedDomainSID: S-1-5-21-1803828911-4163023034-2461700517
-
replace: ipaRangeType
ipaRangeType: ipa-ad-trust-posix
-
EOF

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=ABC.123_id_range,cn=ranges,cn=etc,dc=b,dc=abc,dc=123"
[root@ipa03 ~]#


but even though the number ch

[Freeipa-users] Re: how to deal with an existing user before client installation

2019-02-24 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 24 Feb 2019, Albert Szostkiewicz via FreeIPA-users wrote:

Hi,

So I do have a user on my laptop with the same username as an IPA user. I've
noticed that after installing the client, this existing user is still being
authenticated by its original password and is with its original UID.
What is the best procedure in such cases? Should I remove existing
users and just keep root before installation? Is there a way to sync
existing users towards IPA users?

It all depends on the order of PAM modules. Typically, pam_unix is the
first and if it finds a user in /etc/passwd, it is used for
authentication. 


You probably want to remove that entry from /etc/passwd if you already
have the user migrated to IPA.

A 'sync' is a variation of a process described in https://www.redhat.com/archives/freeipa-users/2010-September/msg00105.html and 
https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
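As an added example (editor's code, not something posted in this thread or shipped by FreeIPA), the script below shows the collision Alexander describes from the name-service side: with `passwd: files sss` in nsswitch.conf and pam_unix ahead of pam_sss, an entry in /etc/passwd is found first, so the user keeps authenticating with the local password and UID and the IPA account is never consulted. It parses passwd(5)-format text, as returned by `getent passwd -s files` and `getent passwd -s sss <user>`, and for each IPA user that also exists locally lists what has to happen before the local entry can be removed: re-owning the home directory when the UID or GID differs, and refusing when the clash is with a system account. The account names, UIDs and the 1425600000 ID base are constructed for the example.

```python
"""Find local /etc/passwd accounts that shadow IPA users of the same name.

With 'passwd: files sss' in nsswitch.conf and pam_unix ahead of pam_sss, an
entry in /etc/passwd is resolved first, so the user keeps authenticating with
the local password and UID and the IPA account is never consulted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PwEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> dict[str, PwEntry]:
    """Parse passwd(5) lines, e.g. from /etc/passwd or `getent passwd -s sss`."""
    entries: dict[str, PwEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = PwEntry(name, int(uid), int(gid), home, shell)
    return entries


def find_shadowed(local: dict[str, PwEntry], ipa: dict[str, PwEntry],
                  system_uid_max: int = 999) -> list[dict]:
    """For each IPA user that also exists in the local files, report the UIDs
    on both sides and the steps needed before the local entry can go."""
    report = []
    for name in sorted(set(local) & set(ipa)):
        loc, rem = local[name], ipa[name]
        steps = []
        if loc.uid <= system_uid_max:
            # A system account with the same name is not a migrated user:
            # do not delete it, rename the IPA user instead.
            steps.append("STOP: collides with a system account, rename the IPA user instead")
        else:
            if loc.uid != rem.uid:
                # Files owned by the old local UID must follow the user to the IPA UID.
                steps.append(f"find {loc.home} -xdev -uid {loc.uid} -exec chown -h {rem.uid} {{}} +")
            if loc.gid != rem.gid:
                steps.append(f"find {loc.home} -xdev -gid {loc.gid} -exec chgrp -h {rem.gid} {{}} +")
            if loc.home != rem.home:
                steps.append(f"mv {loc.home} {rem.home}  # IPA homeDirectory differs")
            # userdel without -r drops the /etc/passwd and /etc/shadow entries and keeps the home.
            steps.append(f"userdel {name}")
        report.append({"user": name, "local_uid": loc.uid, "ipa_uid": rem.uid,
                       "same_uid": loc.uid == rem.uid, "steps": steps})
    return report


# Constructed sample input (not from the thread): what `getent passwd -s files`
# and `getent passwd -s sss` might return on the laptop in question.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
IPA_PASSWD = """\
alice:*:1425600003:1425600003:Alice Example:/home/alice:/bin/bash
bob:*:1425600004:1425600004:Bob Example:/home/bob:/bin/bash
backup:*:1425600010:1425600010:Backup Operator:/home/backup:/bin/bash
"""

if __name__ == "__main__":
    for row in find_shadowed(parse_passwd(LOCAL_PASSWD), parse_passwd(IPA_PASSWD)):
        print(f"{row['user']}: local uid {row['local_uid']}, IPA uid {row['ipa_uid']}")
        for step in row["steps"]:
            print("   ", step)
```

Run the chown/chgrp steps before `userdel`, while the local UID still resolves; once the local entry is gone the same name resolves through sss to the IPA UID, which is the point of the exercise.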


[Freeipa-users] Re: Two distinct IPA server clusters:

2019-02-25 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 25 Feb 2019, TomK via FreeIPA-users wrote:

Hey All,

Given that I have two separate IPA clusters on the same subnet but two 
different domains, is there any chance that the IPA servers can issue 
identical UID / GID numbers thereby causing conflicts on the setup? 
When setting up the IPA servers, is there a chance the same ID range 
can be given to each separate IPA cluster?


The two IPA clusters are independent of each other (not replicas of 
each other) and are only authoritative for their two separate domains.

There is always a chance to get an overlap, of course. In practice I
don't think you'll get that too often. In your example the ranges aren't
overlapping at all.




Example ID ranges off the primaries of the two clusters:



Cluster A [ ipa01 / 02 ]

# ipa idrange-find

2 ranges matched

 Range name: ABC.123_id_range
 First Posix ID of the range: 15560
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 15560
 Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517

 Range type: Active Directory domain range

 Range name: A.ABC.123_id_range
 First Posix ID of the range: 174660
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 1
 Range type: local domain range

Number of entries returned 2

#




Cluster B [ ipa03 / 04 ]

# ipa idrange-find

2 ranges matched

 Range name: ABC.123_id_range
 First Posix ID of the range: 15560
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517

 Range type: Active Directory domain range

 Range name: B.ABC.123_id_range
 First Posix ID of the range: 116340
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 1
 Range type: local domain range

Number of entries returned 2

#


--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
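Added example (editor's code, not from this thread or from the FreeIPA project) that covers both this question and the earlier one in the "Recreating a VM" thread, where the AD trust range on the new cluster had a different base than on the old one. It parses the text `ipa idrange-find` prints on each cluster and reports two things: any two ranges, across clusters, whose POSIX ID intervals overlap, which is what would let two different identities share a UID or GID on a shared NFS server; and ranges for the same trusted-domain SID whose base or size differ, which is why the same AD user shows up with different UIDs depending on which cluster resolved it (for an `ipa-ad-trust` range the ID is derived from the SID's RID and the range base, so identical geometry on both clusters gives identical IDs and is treated as consistent, not as a clash). The sample output, SID and numbers below are constructed, modelled on the format in the thread, including a SID wrapped onto the following line by a mail client.

```python
"""Cross-check `ipa idrange-find` output from independent IPA clusters: flag
ranges that overlap (one POSIX ID, two identities) and ranges for the same
trusted AD domain whose base/size differ between clusters (one AD user, a
different UID depending on which cluster resolved it)."""
import re
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class IdRange:
    cluster: str
    name: str
    base: int        # First Posix ID of the range
    size: int        # Number of IDs in the range
    range_type: str
    sid: str = ""    # Domain SID of the trusted domain; empty for local ranges

    def overlaps(self, other: "IdRange") -> bool:
        return (self.base <= other.base + other.size - 1
                and other.base <= self.base + self.size - 1)


_FIELDS = {"Range name": "name", "First Posix ID of the range": "base",
           "Number of IDs in the range": "size", "Range type": "range_type",
           "Domain SID of the trusted domain": "sid"}


def parse_idrange_find(text: str, cluster: str) -> list[IdRange]:
    """Parse `ipa idrange-find` text; a SID wrapped onto the next line (as in the thread) is still read."""
    ranges, cur, want_sid = [], {}, False

    def flush() -> None:
        if cur:
            ranges.append(IdRange(cluster, cur["name"], int(cur["base"]), int(cur["size"]),
                                  cur.get("range_type", ""), cur.get("sid", "")))

    for raw in text.splitlines():
        line = raw.strip()
        if want_sid and line.startswith("S-1-"):
            cur["sid"], want_sid = line, False
            continue
        m = re.match(r"([A-Za-z ]+?):\s*(.*)$", line)
        if not m or m.group(1) not in _FIELDS:
            continue                 # prompts, counters, RID lines: not needed here
        key, value = _FIELDS[m.group(1)], m.group(2).strip()
        if key == "name":
            flush()
            cur = {"name": value}
        elif key == "sid" and not value:
            want_sid = True          # value continues on the next line
        else:
            cur[key] = value
    flush()
    return ranges


def find_conflicts(ranges: list[IdRange]) -> list[tuple[str, str, str]]:
    findings = []
    for a, b in combinations(ranges, 2):
        pair = (f"{a.cluster}/{a.name}", f"{b.cluster}/{b.name}")
        if a.sid and a.sid == b.sid:
            # Same AD domain on both clusters: identical geometry is expected; a
            # different base or size is exactly the "AD UIDs changed" situation.
            if (a.base, a.size) != (b.base, b.size):
                findings.append(("inconsistent_trust_range",) + pair)
        elif a.overlaps(b):
            findings.append(("overlap",) + pair)
    return sorted(findings)


# Constructed sample output modelled on the thread; bases, sizes and the SID are made up.
CLUSTER_A = """\
  Range name: ABC.123_id_range
  First Posix ID of the range: 155600000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain:
  S-1-5-21-1111111111-2222222222-3333333333
  Range type: Active Directory domain range

  Range name: A.ABC.123_id_range
  First Posix ID of the range: 1746600000
  Number of IDs in the range: 200000
  Range type: local domain range
"""
CLUSTER_B = """\
  Range name: ABC.123_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-1111111111-2222222222-3333333333
  Range type: Active Directory trust range with POSIX attributes

  Range name: B.ABC.123_id_range
  First Posix ID of the range: 155700000
  Number of IDs in the range: 200000
  Range type: local domain range
"""

if __name__ == "__main__":
    for kind, x, y in find_conflicts(parse_idrange_find(CLUSTER_A, "A") + parse_idrange_find(CLUSTER_B, "B")):
        print(f"{kind}: {x} <-> {y}")
```

Feed it the real `ipa idrange-find` output captured from one server per cluster; within a single cluster IPA refuses overlapping ranges at creation time, so any `overlap` finding will be between clusters, and an `inconsistent_trust_range` finding means the trust range on one side has to be recreated with the other side's base and size before the two clusters can safely share an NFS export.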