[Freeipa-users] Samba 4.10 and higher doesn't take freeipa groups

2023-01-17 Thread Николай Савельев via FreeIPA-users
Hi.
I have samba on centos 7, version 4.8.3. I set it up with this instruction https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
Difference only - security = user, because with ads I can't connect.
Also I have AD integration and linux acls on shares, all works fine.
Now I want to migrate on Oracle Linux 8. There are samba versions from 4.9.1-8.el8 to 4.16.4-2.0.1.el8.
I make same settings on new server.
But with versions 4.15 - 4.16 I can't connect to the server from windows clients. And can connect from Linux client (Ubuntu 20.04).
With versions 4.9 - 4.14 I can connect to the server from both types of clients, but there is strange situation with acls.

setfacl -m user:username@ad_domain:rwx -R dir/ - ad user can write, read
setfacl -m group:ipa_group:rwx -R dir/ - ad user can't get into directory, from ubuntu doesn't see dir

I add AD group via external group to ipa. With centos 7 all works fine.
On the new server I can see ad user in ipa group and ad group. Also, I can work with these dirs via NFS - all works properly for IPA and AD users and groups.
Any ideas? What did I miss?

-- 
Best regards, Nik.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: HP LaserJet Pro MFP M428fdw and scan to freeipa samba share

2021-06-28 Thread Николай Савельев via FreeIPA-users
Yes, I tried smbclient -k with these credentials - it worked.
Without -k nothing works.
Sorry, I know nothing about NTLMSSP.
I found some strange solution: on AD controller I made link on share - mklink /d "C:\scan" "\\FILES.FS.LAN\common\scan"
and then made share for this directory.
Now all works this way. Thanks for helping.
I would be glad if you'll give advice for better solution.

28.06.2021, 13:25, "Alexander Bokovoy" :
> On Mon, 28 Jun 2021, Николай Савельев via FreeIPA-users wrote:
>> Hello.
>> I have IPA domain with AD integration. Also there is samba share on ipa
>> member.
>> All works fine, but now I want to scan from my network MFP to samba share.
>> I tried all settings, but always had "Incorrect credentials. Check your
>> username/password and try again."
>> Any ideas? I think MFP doesn't know about kerberos.
>> Attached some share settings from MFP.
>> P.S.: yes, I have access with these credentials from linux and windows.
>
> Did you try an smbclient access with these credentials? Does it use
> NTLMSSP? If you'd force NTLMSSP instead of Kerberos, does it work?
>
> What OS are you using for that IPA client?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

-- 
Best regards, Николай.


[Freeipa-users] Different path for kerberos ticket

2020-08-02 Thread Николай Савельев via FreeIPA-users
Hi. I'm testing ubuntu 20.04 in freeipa domain with smbclient.
In some cases it works (fresh installation of xubuntu, for example), in other - doesn't (upgrade kubuntu from 18.04).

Failed to resolve credential cache 'KEYRING:persistent:15000'! (Unknown credential cache type)
free(): double free detected in tcache 2
Аварийный останов (стек памяти сброшен на диск)

In first case I have ticket:

Ticket cache: FILE:/tmp/krb5cc_15000
Default principal: myname@mydomain
Valid starting       Expires              Service principal
03.08.2020 11:00:23  04.08.2020 11:00:20  krbtgt/

In second:

Ticket cache: KEYRING:persistent:15000:krb_ccache_si1oSwz
Default principal: myname@mydomain
Valid starting       Expires              Service principal
03.08.2020 09:18:56  04.08.2020 09:18:56  krbtgt/

Why? I have
#default_ccache_name = KEYRING:persistent:%{uid}
in krb5.conf

-- 
Best regards, Николай.


[Freeipa-users] Re: Problem with freeipa and samba 4.9

2019-10-28 Thread Николай Савельев via FreeIPA-users
Thank you for help!
I read this documentation, it's very interesting and helpful.

But this is a bit complicated for me.
In the end I just downgraded my samba to 4.8
It works fine!
Thanks!

28.10.2019, 16:36, "Alexander Bokovoy" :
> On Mon, 28 Oct 2019, Николай Савельев wrote:
>> 28.10.2019, 16:05, "Alexander Bokovoy" :
>>>  On Mon, 28 Oct 2019, Николай Савельев via FreeIPA-users wrote:
>>>>  Hi
>>>>  I updated my samba server to 4.9
>>>>  After that I had problem with starting samba and found this thread: 
>>>> https://pagure.io/freeipa/issue/7705
>>>>  I add user mapping net groupmap add sid=S-1-5-32-546 unixgroup=nobody 
>>>> type=builtin and samba works
>>>>
>>>>  But now samba is very-very-very slow!
>>>>
>>>>  Some operations, like copy big file, are normal, other - open dirs or 
>>>> create new files - very slow.
>>>>
>>>>  Any ideas?
>>>>  What can I do?
>>>
>>>  Start by describing your configuration. What did you upgrade, what is
>>>  your actual set up, then show your logs that demonstrate slowness. There
>>>  is no way to help without some objective data.
>>>
>>>  In general, upgrading separate components is not really recommended. The
>>>  issue you pointed to required a number of changes on IPA side as well.
>>
>> My smb.conf
>>
>> [global]
>> workgroup = FS
>> security = user
>> realm = FS.LAN
>> dedicated keytab file = FILE:/etc/samba/samba.keytab
>> kerberos method = dedicated keytab
>> log file = /var/log/samba/log.%m
>>
>> [common]
>> comment = Обменник
>> browseable = yes
>> path = /media/750/common
>> guest ok = yes
>> create mask = 0666
>> directory mask = 2777
>> read only = no
>>
>> All packages were updated to newest in centos repo.
>>
>> This server is in ipa domain.
>> Ipa version - 4.6.5
>>
>> I don't know how I can log slowness.
>> For example, to open a dir I spend about 5 seconds.
>> For open or save file - same time.
>
> So, this is, strictly speaking, an incorrect configuration for anything
> enrolled into IPA domain. This is a single server setup, not really
> enrolled into anything. It misses idmap configuration, defaulting to
> tdbsam use. And I bet that your tdbsam database is empty.
>
> Also, do you run winbindd? You should be using it for any non-standalone
> configuration or otherwise you'll incur a lot of slowdown because Samba
> removed all fall back code and now enforces use of winbindd.
>
> You may want to read
> https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-member.md
> and 
> https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md
> for some details on how Samba domain member would be setup with FreeIPA
> 4.8+. This would not work for you fully (there are changes on IPA master
> that aren't existing in versions before 4.8.1 yet) but you can pick up the
> configuration as described in step (6) of samba-domain-member.md.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

-- 
Best regards, Николай.


[Freeipa-users] Re: Problem with freeipa and samba 4.9

2019-10-28 Thread Николай Савельев via FreeIPA-users


28.10.2019, 16:05, "Alexander Bokovoy" :
> On Mon, 28 Oct 2019, Николай Савельев via FreeIPA-users wrote:
>> Hi
>> I updated my samba server to 4.9
>> After that I had problem with starting samba and found this thread: 
>> https://pagure.io/freeipa/issue/7705
>> I add user mapping net groupmap add sid=S-1-5-32-546 unixgroup=nobody 
>> type=builtin and samba works
>>
>> But now samba is very-very-very slow!
>>
>> Some operations, like copy big file, are normal, other - open dirs or create 
>> new files - very slow.
>>
>> Any ideas?
>> What can I do?
>
> Start by describing your configuration. What did you upgrade, what is
> your actual set up, then show your logs that demonstrate slowness. There
> is no way to help without some objective data.
>
> In general, upgrading separate components is not really recommended. The
> issue you pointed to required a number of changes on IPA side as well.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland


My smb.conf

[global]
workgroup = FS
security = user
realm = FS.LAN
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m


[common]
comment = Обменник
browseable = yes
path = /media/750/common
guest ok = yes
create mask = 0666
directory mask = 2777
read only = no

All packages were updated to newest in centos repo.

This server is in ipa domain.
Ipa version - 4.6.5

I don't know how I can log slowness.
For example, to open a dir I spend about 5 seconds. 
For open or save file - same time.


-- 
Best regards, Николай.


[Freeipa-users] Problem with freeipa and samba 4.9

2019-10-28 Thread Николай Савельев via FreeIPA-users
Hi
I updated my samba server to 4.9
After that I had problem with starting samba and found this thread: 
https://pagure.io/freeipa/issue/7705
I add user mapping net groupmap add sid=S-1-5-32-546 unixgroup=nobody 
type=builtin and samba works

But now samba is very-very-very slow!

Some operations, like copy big file, are normal, other - open dirs or create new 
files - very slow.

Any ideas?
What can I do?

-- 
Best regards, Николай.


[Freeipa-users] Freeipa and squid

2019-02-14 Thread Николай Савельев via FreeIPA-users
Hello.
There is perfect article about squid and freeipa - 
https://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On

But I want to access the Internet with different rules - some group with full 
access, some - without social networks, a group without access.
I use helper ext_kerberos_ldap_group_acl and all works fine.
But with AD users it doesn't work.

IPA domain - FS.LAN
AD domain - START-LINE.LOCAL

kerberos_ldap_group: ERROR: Error while getting tgt : Server 
krbtgt/start-line.lo...@fs.lan

I tried to do debug:

kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/krb5.keytab
kerberos_ldap_group: DEBUG: Keytab entry has realm name: FS.LAN
kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain 
START-LINE.LOCAL.
kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
kerberos_ldap_group: DEBUG: Keytab entry has principal: host/mail.fs@fs.lan
kerberos_ldap_group: ERROR: Error while getting TGT : Server 
krbtgt/start-line.lo...@fs.lan not found in Kerberos database

Maybe I could do something through manipulation of sssd.conf or krb5.conf?


-- 
Best regards, Николай.


[Freeipa-users] Re: Map local user to kerberos

2019-02-13 Thread Николай Савельев via FreeIPA-users


13.02.2019, 14:23, "Alexander Bokovoy" :
> You don't need to do anything like that. The documentation 1C provides
> really boils down to (on the machine where 1C is deployed):
>
> kinit -k
> ipa service-add usr1cv81/`hostname`
> ipa-getkeytab -p usr1cv81/`hostname` -k /opt/1C/v8.1/i386/usr1cv81.keytab
>
> That's all. The host/... principal on each enrolled host is allowed to
> create services on the same host so 'ipa service-add' works just fine.
> ipa-getkeytab is what asks IPA to create a key for this Kerberos
> principal and then store it locally in the keytab where 1C expects it to
> find.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland


Sorry, I used wrong word - create service means service-add, of course.
Thank you for answer.

-- 
Best regards, Николай.


[Freeipa-users] Map local user to kerberos

2019-02-12 Thread Николай Савельев via FreeIPA-users
Hi.
I want to config some app (1c enterprise) for authentication via freeipa.
This app uses mapping of local user usr1cv8 to kerberos user 
usr1cv8@KERBEROS.DOMAIN

All manuals - about mapping with Active Directory user. Russian - 
https://its.1c.ru/db/metod8dev#content:2799:hdoc English - 
https://1c-dn.com/library/Kerberos_authentification_setup_example_for_Linux_version_of_1c_enterprise_server/
 

What do I have to change for freeipa?
Can I create service usr1cv8/host@IPA.DOMAIN?
Or how can I map local user to ipa user?

-- 
Best regards, Николай.


[Freeipa-users] SSO

2019-01-18 Thread Николай Савельев via FreeIPA-users
I'm planning to use SSO with freeipa and am choosing a provider between ipsilon-project 
and Keycloak.
I tried ipsilon about a year ago, there were some bugs. And I see that the project 
is almost dead. Just 2 commits during the year.
But Keycloak seems very big and difficult to me. I'm terrified.
What do you think?
What should I use?

-- 
Best regards, Николай.


[Freeipa-users] Re: Samba integration

2018-12-11 Thread Николай Савельев via FreeIPA-users


10.12.2018, 14:13, "Alexander Bokovoy" :
> On Mon, 10 Dec 2018, Николай Савельев via FreeIPA-users wrote:
>> Hello.
>> I try to set up samba with freeipa.
>> I use this article 
>> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
>> But I have strange error:
>>
>> дек 10 13:48:58 nfs.fs.lan smbd[14242]: [2018/12/10 13:48:58.758419, 0] 
>> ../source3/auth/auth_util.c:1372(make_new_session_info_guest)
>> дек 10 13:48:58 nfs.fs.lan smbd[14242]: create_local_token failed: 
>> NT_STATUS_NO_MEMORY
>> дек 10 13:48:58 nfs.fs.lan smbd[14242]: [2018/12/10 13:48:58.758577, 0] 
>> ../source3/smbd/server.c:1993(main)
>> дек 10 13:48:58 nfs.fs.lan smbd[14242]: ERROR: failed to setup guest info.
>> дек 10 13:48:58 nfs.fs.lan systemd[1]: smb.service: main process exited, 
>> code=exited, status=255/n/a
>> дек 10 13:48:58 nfs.fs.lan systemd[1]: Failed to start Samba SMB Daemon.
>>
>> What does it mean?
>
> There are plenty of reasons for create_local_token() to return
> NT_STATUS_NO_MEMORY:
>
>  - actual memory allocation failed
>  - conversion of SIDs to POSIX IDs failed
>  - copying some internal structures failed
>
> Can you provide an output with 'log level = 10' set with
>   net conf setparm global loglevel 10
> ?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

Sorry, Alexander, I didn't install sssd-libwbclient and it made this error.

But I have another problem.
If I set security = ads, I have 

smbclient -k -L nfs.fs.lan
session setup failed: NT_STATUS_ACCESS_DENIED


I tried security = user and samba worked fine.

Why? 

-- 
Best regards, Николай.


[Freeipa-users] Samba integration

2018-12-09 Thread Николай Савельев via FreeIPA-users
Hello.
I try to set up samba with freeipa.
I use this article 
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

But I have strange error:

дек 10 13:48:58 nfs.fs.lan smbd[14242]: [2018/12/10 13:48:58.758419,  0] 
../source3/auth/auth_util.c:1372(make_new_session_info_guest)
дек 10 13:48:58 nfs.fs.lan smbd[14242]:   create_local_token failed: 
NT_STATUS_NO_MEMORY
дек 10 13:48:58 nfs.fs.lan smbd[14242]: [2018/12/10 13:48:58.758577,  0] 
../source3/smbd/server.c:1993(main)
дек 10 13:48:58 nfs.fs.lan smbd[14242]:   ERROR: failed to setup guest info.
дек 10 13:48:58 nfs.fs.lan systemd[1]: smb.service: main process exited, 
code=exited, status=255/n/a
дек 10 13:48:58 nfs.fs.lan systemd[1]: Failed to start Samba SMB Daemon.

What does it mean?


-- 
Best regards, Николай.


[Freeipa-users] Re: AD and IPA integration

2018-07-22 Thread Николай Савельев via FreeIPA-users


22.07.2018, 12:56, "Alexander Bokovoy" :

> When you are using trust to AD *all* authentication of AD users is
> performed by AD DCs. IPA masters are not involved at all. So you need to
> look at AD side for that.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland


Sorry, I don't understand what's going on.
I can login on ad computers with new password.
And I also can login on one ipa client - a new member of ipa domain.
But when I try to login by ssh on old ipa members and ipa controllers, I see:

Password:
Password:
Passwors:
start-line\savelev@192.168.2.21's password:

I enter password 4 times, and after that I can login.

When I am root, I can do su aduser@ad_domain.
And then I can kinit and get kerberos ticket.

But if I am another user, I must type password after su ad_user@ad_domain and get 
error

Password:
su: Authentication failure

because su wanted password just one time.

-- 
Best regards, Николай.
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/DER4O77JJ7HJEVAMAM4YEY64CQ5VLPAD/


[Freeipa-users] Re: AD and IPA integration

2018-07-21 Thread Николай Савельев via FreeIPA-users
 
> From: Jakub Hrozek 
>
> Are you sure sssd is not logging you offline?
>
> sssctl domain-status can tell you the status of the domains..
>
> --
 
Yes, I am sure.
I tried to login in ipa server and client.
I could with old password, but couldn't with new.
 
 
sssctl domain-status start-line.local
Online status: Online
 
Active servers:
AD Global Catalog: ad.start-line.local
AD Domain Controller: ad2.start-line.local
IPA: dc.fs.lan
 
Discovered AD Global Catalog servers:
- ad.start-line.local
- ad2.start-line.local
 
Discovered AD Domain Controller servers:
- ad2.start-line.local
- ad.start-line.local
 
Discovered IPA servers:
- dc.fs.lan
 
 
-- 
Best regards, Николай.
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/345ATNIO7RIODLOQNU4PW2VLCL45LW7P/


[Freeipa-users] Re: FreeIPA-users Digest, Vol 15, Issue 18

2018-07-21 Thread Николай Савельев via FreeIPA-users
> From: Jakub Hrozek
>
> Are you sure sssd is not logging you offline?
>
> sssctl domain-status can tell you the status of the domains..
>
> --

Yes, I am sure.
I tried to login in ipa server and client.
I could with old password, but couldn't with new.

sssctl domain-status start-line.local
Online status: Online

Active servers:
AD Global Catalog: ad.start-line.local
AD Domain Controller: ad2.start-line.local
IPA: dc.fs.lan

Discovered AD Global Catalog servers:
- ad.start-line.local
- ad2.start-line.local

Discovered AD Domain Controller servers:
- ad2.start-line.local
- ad.start-line.local

Discovered IPA servers:
- dc.fs.lan

-- 
Best regards, Николай.
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/62WZ7AS46ISZKJPWQQIOYV2WX3W5EQS6/


[Freeipa-users] AD and IPA integration

2018-07-19 Thread Николай Савельев via FreeIPA-users
I changed password of AD users.
I can't login on ipa servers with new password, but can - with old. Why?
I tried restarting ipa services and reinitializing trust, but it didn't help.



-- 
Best regards, Николай.
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/6XK72VVN6L57NSW6TH3J2GHA5CC5MRNM/


[Freeipa-users] Re: Hardship setting up samba share that depends on IPA trust with AD

2018-06-13 Thread Николай Савельев via FreeIPA-users

> Date: Wed, 13 Jun 2018 22:11:23 +0300
> From: Alexander Bokovoy 
> Subject: [Freeipa-users] Re: Hardship setting up samba share that
> depends on IPA trust with AD
>
> Yes, it is not supported right now.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>

Hi, Alexander.
I am writing an article for a Russian IT portal about freeipa.
I want to talk about samba, ipa with ad trust and problems.
May I use your phrases in this mailing list as an expert opinion?
I want to caution other people about troubles with ipa.


-- 
Best regards, Николай.
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/NRADMGMHUV4FXQQPFLSEKHI7RP2F3VJH/


[Freeipa-users] Re: freeipa and saml

2018-02-08 Thread Николай Савельев via FreeIPA-users


08.02.2018, 13:29, "Alexander Bokovoy" <aboko...@redhat.com>:
> On Thu, 08 Feb 2018, Николай Савельев via FreeIPA-users wrote:
>> 07.02.2018, 22:20, "Rob Crittenden" <rcrit...@redhat.com>:
>>>  Николай Савельев via FreeIPA-users wrote:
>>>>   Hi.
>>>>   I have freeipa with AD trust.
>>>>   I want to setup Nextcloud with ipa and ad users.
>>>>   Ldap in cn=compat,dc=dom,dc=lan doesn't have memberOf attribute.
>>>>   I setup ipsilon (https://ipsilon-project.org/) for SSO and SAML 
>>>> authentication.
>>>>   Authentication with login and password works
>>>>   But I have local domain for ipsilon and nextcloud and kerberos DOM.LAN 
>>>> and internet domain domain.ru
>>>>   So, when I go to nextcloud with my kerberos ticket, I get 500 internal 
>>>> error.
>>>>
>>>>   Maybe anybody knows how to correct this mistake?
>>>
>>>  Is there an option to use uniqueMember for groups instead in nextcloud?
>>>  That should be available in cn=compat.
>>>
>>>  As for the 500 error there isn't enough information on where that was
>>>  thrown. I assume that on that machine there should be additional logging
>>>  explaining the failure.
>>>
>>>  rob
>>
>> How can I use uniqueMember, if nextcloud says: "The group box was disabled, 
>> because the LDAP / AD server does not support memberOf."?
>>
>> And I found strange thing - if I use ldapsearch for some user in compat 
>> tree, there appears second user with same uid!
>> ldapsearch gives 2 users!
>> Also if I open IPA user in web UI, in compat tree appear 2 users with same 
>> uid.
>> Authentication via ldap (e.g openfire or nextcloud) doesn't work
>> It's a bug?
>
> https://pagure.io/freeipa/issue/7170 which so far neither Thierry nor I
> are able to reproduce ourselves.
>
> --
> / Alexander Bokovoy

https://pagure.io/freeipa/issue/7170#comment-492865 - there I wrote how you can 
reproduce it.
-- 
Best regards, Николай.


[Freeipa-users] Re: freeipa and saml

2018-02-07 Thread Николай Савельев via FreeIPA-users


07.02.2018, 22:20, "Rob Crittenden" <rcrit...@redhat.com>:
> Николай Савельев via FreeIPA-users wrote:
>>  Hi.
>>  I have freeipa with AD trust.
>>  I want to setup Nextcloud with ipa and ad users.
>>  Ldap in cn=compat,dc=dom,dc=lan doesn't have memberOf attribute.
>>  I setup ipsilon (https://ipsilon-project.org/) for SSO and SAML 
>> authentication.
>>  Authentication with login and password works
>>  But I have local domain for ipsilon and nextcloud and kerberos DOM.LAN and 
>> internet domain domain.ru
>>  So, when I go to nextcloud with my kerberos ticket, I get 500 internal error.
>>
>>  Maybe anybody knows how to correct this mistake?
>
> Is there an option to use uniqueMember for groups instead in nextcloud?
> That should be available in cn=compat.
>
> As for the 500 error there isn't enough information on where that was
> thrown. I assume that on that machine there should be additional logging
> explaining the failure.
>
> rob

How can I use uniqueMember, if nextcloud says: "The group box was disabled, 
because the LDAP / AD server does not support memberOf."?

And I found strange thing - if I use ldapsearch for some user in compat tree, 
there appears second user with same uid!
ldapsearch gives 2 users!
Also if I open IPA user in web UI, in compat tree appear 2 users with same uid.
Authentication via ldap (e.g openfire or nextcloud) doesn't work
It's a bug?


-- 
Best regards, Николай.


[Freeipa-users] freeipa and saml

2018-02-07 Thread Николай Савельев via FreeIPA-users
Hi.
I have freeipa with AD trust.
I want to setup Nextcloud with ipa and ad users.
Ldap in cn=compat,dc=dom,dc=lan doesn't have memberOf attribute.
I setup ipsilon (https://ipsilon-project.org/) for SSO and SAML authentication.
Authentication with login and password works
But I have local domain for ipsilon and nextcloud and kerberos DOM.LAN and 
internet domain domain.ru
So, when I go to nextcloud with my kerberos ticket, I get 500 internal error.

Maybe anybody knows how to correct this mistake?



-- 
Best regards, Николай.


[Freeipa-users] Nextcloud with Freeipa and AD

2018-02-01 Thread Николай Савельев via FreeIPA-users
I have Freeipa with AD trust. All works fine.
I want Nextcloud with all users - AD and IPA.
I set up Nextcloud by this article:
https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA
But I want to restrict users to only one group.
When I open User Filter tab I get message: 

The group box was disabled, because the LDAP / AD server does not support 
memberOf.

I watched ldap tree:
cn=users,cn=account,dc=domain,dc=lan - there users have memberof attribute, 
there are no AD users

cn=users,cn=compat,dc=domain,dc=lan - there are AD users, but there users 
don't have memberof attribute.

What's wrong?


-- 
Best regards, Николай.


[Freeipa-users] Re: AD trust and SAMBA

2018-01-10 Thread Николай Савельев via FreeIPA-users
When I connected to samba shares from windows as AD user I had errors in samba 
logs:

FAILED with error NT_STATUS_NO_LOGON_SERVERS

I found why.

I have separate DNS server, not in IPA.
There weren't these records:

_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 88 freeipa

_kerberos._tcp.dc._msdcs SRV 0 100 88 freeipa

_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 88 freeipa

_kerberos._udp.dc._msdcs SRV 0 100 88 freeipa

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 389 freeipa

_ldap._tcp.dc._msdcs SRV 0 100 389 freeipa

I added them in DNS and SAMBA works normally.

-- 
Best regards, Nikolai.


[Freeipa-users] AD trust and SAMBA

2018-01-09 Thread Николай Савельев via FreeIPA-users
I have an IPA domain with an AD trust.
AD users can log in to IPA computers.
getent passwd ad_user@ad_domain and id ad_user@ad_domain work.
I can log in via ssh with a Kerberos ticket for ad_user@ad_domain.

I set up Samba following this article 
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

kinit ad_user@ad_domain
smbclient -k -L sambatest.ipa.domain
smbclient -k //sambatest.ipa.domain

It works.

\\sambatest.ipa.domain from AD domain controllers works.
But from another AD domain server (not a controller) it does not work.
There is a login and password request.
If I use ad_user@ad_domain and his password I get "There are currently no logon 
servers available to service the logon request".

In the Samba logs:
 name_resolve_bcast: Attempting broadcast lookup for name IPA<0x1c>
[2018/01/10 00:02:34.419279,  4] ../source3/libsmb/namequery.c:3193(get_dc_list)
  get_dc_list: no servers found
[2018/01/10 00:02:34.419330,  3] ../source3/libsmb/namequery_dc.c:175(rpc_dc_name)
  Could not look up dc's for domain IPA
[2018/01/10 00:02:34.419340,  5] ../source3/auth/auth_domain.c:298(check_ntdomain_security)
  check_ntdomain_security: unable to locate a DC for domain
[2018/01/10 00:02:34.419349,  5] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [ad_user@ad_domain] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2018/01/10 00:02:34.419360,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [ad_user@ad_domain] -> [ad_user@ad_domain] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2018/01/10 00:02:34.419370,  5] ../source3/auth/auth_ntlmssp.c:188(auth3_check_password)
  Checking NTLMSSP password for \ad_user@ad_domain failed: NT_STATUS_NO_LOGON_SERVERS
[2018/01/10 00:02:34.419392,  5] ../auth/ntlmssp/ntlmssp_server.c:737(ntlmssp_server_check_password)
  ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for \ad_user@ad_domain failed: NT_STATUS_NO_LOGON_SERVERS
[2018/01/10 00:02:34.419405,  2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS

After an AD controller reboot \\sambatest.ipa.domain stops working on the controller.
When I check the relationship in Domains and Trusts it works again.
The IPA server name is DC.
The AD controller name is AD.

What's wrong? 



-- 
Best regards, Nikolai.


[Freeipa-users] Re: AD Trust

2018-01-03 Thread Николай Савельев via FreeIPA-users
I have an IPA domain with an AD trust. id ad_users@ad_domain works. su 
ad_users@ad_domain works.
kinit ad_users@ad_domain doesn't work in Ubuntu but works in CentOS 7.
What?
/etc/krb5.conf is the same.
The IPA servers run on CentOS 7. The IPA clients run on Ubuntu 14.04 or 16.04.
I also can't get access from AD member Windows machines to Samba shares on IPA member 
Linux machines.

What can I do?


Oh, I forgot to mention the error!
For kinit of an AD user I get:
kinit: KDC reply did not match expectations while getting initial credentials

My krb5.conf:


includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = FS.LAN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  dns_canonicalize_hostname = false
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  FS.LAN = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }


[domain_realm]
  .fs.lan = FS.LAN
  fs.lan = FS.LAN

-- 
Best regards, Nikolai.


[Freeipa-users] AD trust

2017-12-27 Thread Николай Савельев via FreeIPA-users
Hello.
I'm setting up an AD trust following this article 
https://www.freeipa.org/page/Active_Directory_trust_setup
I don't understand one moment.

Must I run
 ipa-adtrust-install --netbios-name=ipa_netbios -a mypassword1
 and
 ipa trust-add --type=ad ad_domain --admin Administrator --password 
on every IPA server or not?


-- 
Best regards, Nikolai.


[Freeipa-users] Re: FreeIPA-users Digest, Vol 7, Issue 22

2017-11-21 Thread Николай Савельев via FreeIPA-users
>
> I think the better reference in the documentation is
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-legacy
>
> If there is a trust to an AD forest and 'ipa-adtrust-install
> --enable-compat' was called. there will be a special sub-tree in
> FreeIPA's LDAP tree cn=compat,dc=ipa,dc=domain. AD user can be searched
> in this sub-tree and if the user was found you can use the DN of the
> user to bind to FreeIPA's LDAP server with the AD password.
>
> Btw, I guess Owncloud supports PAM authentication as well, in this case
> you can just configure Owncloud's PAM module to use SSSD on an IPA
> client and SSSD will do the authentication of AD users for you.
>
> HTH
>
> bye,
> Sumit
>
>>  rob


I did 'ipa-adtrust-install --enable-compat'.
But in cn=compat,dc=test,dc=loc there are only IPA users.
How can I insert AD users into cn=compat,dc=test,dc=loc?

-- 
Best regards, Nikolai.


[Freeipa-users] Re: AD trust and external services

2017-11-15 Thread Николай Савельев via FreeIPA-users
Can I get AD users from IPA via LDAP?

15.11.2017, 17:13, "Alexander Bokovoy" <aboko...@redhat.com>:
> On ke, 15 marras 2017, Николай Савельев via FreeIPA-users wrote:
>> Hello.
>>
>> I install AD trust. It works normally.
>>
>>  I set up owncloud following these docs 
>> http://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA
>>
>> But I don't understand how to get all users from FreeIPA and AD for owncloud.
>>
>> Following the instructions I get only IPA users. I can also get only AD users.
>>
>> How can I get all users together?
>>
>> Same situation with openfire, zimbra
>
> Basically, you need to avoid using LDAP directly and instead start using
> an Identity Provider like ipsilon or Keycloak (RH SSO). Owncloud and
> NextCloud both have support for SAML-based authentication which both
> ipsilon and Keycloak provide.
>
> I know that Zimbra also supports SAML authentication.
>
> --
> / Alexander Bokovoy

-- 
Best regards, Nikolai.


[Freeipa-users] AD trust and external services

2017-11-15 Thread Николай Савельев via FreeIPA-users
Hello.

I installed an AD trust. It works normally.

I set up owncloud following these docs 
http://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA

But I don't understand how to get all users from FreeIPA and AD for owncloud.

Following the instructions I get only IPA users. I can also get only AD users.

How can I get all users together?

Same situation with openfire, zimbra


-- 
Best regards, Nikolai.


[Freeipa-users] ad trust and external services

2017-11-14 Thread Николай Савельев via FreeIPA-users
Hi
I set up Zimbra following these docs 
http://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA
I also use an AD trust.

But I don't understand how to get all users from FreeIPA and AD for Zimbra.

Following the instructions I get only IPA users. I can get only AD users.

But can I get them together?

-- 
Best regards, Nikolai.


[Freeipa-users] Re: Migration from freeipa to samba-ad

2017-06-19 Thread Николай Савельев via FreeIPA-users
I created a trust, but I don't want to support 2 systems. I want to move all users from FreeIPA to AD and then remove the IPA servers.

19.06.2017, 22:00, "Paessens, Daniel" <daniel.paess...@hpe.com>:
> No, you can create a trust between AD and IPA, in this way both users (if desired) can log into Linux systems.
> Thus in fact by using this trust, you can work with AD credentials in both environments.
>
> Regards,
> Daniel
>
> From: Николай Савельев via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> Sent: Monday, June 19, 2017 4:49:33 PM
> To: freeipa-users
> Cc: Николай Савельев
> Subject: [Freeipa-users] Migration from freeipa to samba-ad
>
> Hello.
> I have about 60 Linux clients in FreeIPA and about 20 clients in AD.
> I want to use only one system for user identification. FreeIPA can't identify and authenticate Windows clients.
> So I should use AD.
> For migration should I only delete freeipa-client from the host and then register that host in AD?
> Best regards, Nik.

-- 
Best regards, Nikolai.


[Freeipa-users] Migration from freeipa to samba-ad

2017-06-19 Thread Николай Савельев via FreeIPA-users
Hello. 
I have about 60 Linux clients in FreeIPA and about 20 clients in AD.
I want to use only one system for user identification. FreeIPA can't 
identify and authenticate Windows clients.
So I should use AD.
For migration should I only delete freeipa-client from the host and then 
register that host in AD?
Best regards, Nik.