Re: [Freeipa-users] Add user - custom script
Sigbjorn Lie wrote:

On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
Hi,

Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.

On 09/15/2011 09:59 PM, Dmitri Pal wrote:
Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?

On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
I'm doing a SSH login on to a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.

On Fri, 16 Sep 2011, Dmitri Pal wrote:
It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or do you actually want to be able to create an account on the server side and have it trapped and send the event to the filer and run a script there? We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this, but it sounds like something that will take a lot of time to accomplish.

On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
Attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:

    ipa_user_script=/path/to/script

then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. The result of the call is ignored, but the return from the IPA server is blocked by the execution, so be quick in ipa_user_script!

Sigbjorn Lie wrote:
I got the patch installed OK, env variable set, and the script is being run when I do user modifications. Great! :)

But the action (add/del/mod) and the dn are not being supplied as arguments. For testing's sake I've made a very simple script just to capture the env variables. Do you have any suggestion as to why the arguments are not getting supplied to the script?

    #!/bin/bash
    # record the arguments the hook was called with, then the environment
    echo "a:$1 u:$2" > /tmp/ipa_custom_$$
    env >> /tmp/ipa_custom_$$

On Fri, September 16, 2011 23:18, Rob Crittenden wrote:
The ipautil.run invocation should be:

    ipautil.run([self.api.env.ipa_user_script, 'add', dn])

In other words, the whole thing needs to be in the list.

Note that a cleaner way of adding this without having to modify ipa-provided files would be to write an extension plugin that does this (untested):

    from ipalib.plugins.user import user_add
    from ipapython import ipautil

    def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
        inst.log.info('User added')
        if 'ipa_user_script' in inst.api.env:
            try:
                # action as first argument, the new entry's dn as second
                ipautil.run([inst.api.env.ipa_user_script, 'add', dn])
            except Exception:
                # the hook's result is ignored, as in the proof-of-concept patch
                inst.log.error('ipa_user_script failed')
        return dn

    user_add.register_post_callback(script_post_add_callback)

Stick that into a file and drop it into the directory with the other plugins and restart Apache and that should do it.

rob

Sigbjorn Lie wrote:
I reverted the patched user.py file back to the unpatched user.py file. I called the script you provided custom.py, and I've tried copying it to /usr/lib/python2.7/site-packages/ipalib/plugins and /usr/lib/python2.7/site-packages/ipaserver/plugins. Then I restarted httpd and tomcat6. Now the script is not called anymore. Should the script be put anywhere else? Anything I didn't do?

It needs to be in ipalib/plugins.

Add:

    from ipapython import ipautil

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
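As an added example, not code from this thread or from FreeIPA, here is a standalone hook runner that invokes a script the way Alexander's patch describes (action and DN as argv) together with the checks a server-side hook needs: an argv list with no shell, so a DN containing quotes or `$(...)` is passed verbatim; an allow-list of actions; a timeout, because the IPA request is blocked while the script runs; a minimal environment; and a refusal to run a script that is relative, not executable, or writable by group or others. The function names, the `HookError` class, the `demo()` helper and the throwaway test script it writes are assumptions of this example; wiring the runner into FreeIPA through `user_add.register_post_callback()` is as Rob shows above and is not repeated here.

```python
"""Run a per-user hook script (action, dn) with the checks a server-side hook needs.
Added example; the function names and the demo script are assumptions, not FreeIPA code."""
import os
import stat
import subprocess
import tempfile

ALLOWED_ACTIONS = ("add", "del", "mod")   # the actions Alexander's patch passes


class HookError(Exception):
    """Raised when the hook cannot be run safely or did not finish in time."""


def check_script_path(path):
    """Refuse a script an unprivileged user could swap or edit.

    The path must be absolute, a regular file, owned by root or by the uid the
    server runs as, executable, and not writable by group or others."""
    if not os.path.isabs(path):
        raise HookError("ipa_user_script must be an absolute path")
    st = os.stat(path)                       # FileNotFoundError if it is missing
    if not stat.S_ISREG(st.st_mode):
        raise HookError("ipa_user_script is not a regular file")
    if st.st_uid not in (0, os.geteuid()):
        raise HookError("ipa_user_script is not owned by root or the server uid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise HookError("ipa_user_script is group or world writable")
    if not os.access(path, os.X_OK):
        raise HookError("ipa_user_script is not executable")
    return True


def run_user_hook(script, action, dn, timeout=10):
    """Invoke script with argv [script, action, dn], no shell, a minimal environment
    and a timeout (the IPA request is blocked while the hook runs).
    Returns (returncode, stdout, stderr)."""
    if action not in ALLOWED_ACTIONS:
        raise HookError("unknown action %r" % (action,))
    check_script_path(script)
    env = {"PATH": "/usr/bin:/bin"}          # do not leak the server's environment
    try:
        proc = subprocess.run([script, action, str(dn)], env=env,
                              capture_output=True, text=True,
                              timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        raise HookError("ipa_user_script exceeded %ss" % timeout)
    return proc.returncode, proc.stdout, proc.stderr


def demo():
    """Write a throwaway hook script (constructed for this example), run it for an
    'add' of a DN containing shell metacharacters, and return what it received."""
    fd, path = tempfile.mkstemp(prefix="ipa_hook_", suffix=".sh")
    with os.fdopen(fd, "w") as f:
        # echoes the two arguments, like the test script earlier in the thread
        f.write('#!/bin/sh\nprintf "a:%s u:%s\\n" "$1" "$2"\n')
    os.chmod(path, 0o700)
    try:
        dn = "uid=o'neil;$(id),cn=users,cn=accounts,dc=example,dc=test"
        rc, out, _ = run_user_hook(path, "add", dn)
        return rc, out.strip()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Because the DN travels as a single argv element, the `;$(id)` inside it reaches the script as literal text; the same DN interpolated into a shell command line would have been executed.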
Re: [Freeipa-users] Windows client logon
On Mon, 2011-09-19 at 10:10 -0400, Jimmy wrote:
> I have verified that the password set for the workstation in the kerberos host principal (using ipa-getkeytab) and the password on the host (using ksetup) are the same. I'm still getting the Decrypt integrity check failed errors. I have also verified that the system clock is accurate on both the KDC and the workstation. What else could be causing this? As I have said, this system authenticates flawlessly against other KDCs I have set up.

The thing that is failing is your user password does not check with what the KDC thinks is the user's secret. You are not yet to the stage where the machine password is tried.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote:
> I think you're on to something here. I just reset the user's password on IPA and get the password expired message, but I get that regardless of what I enter for the user's password. I'm confused as to why I can make the user auth work with a normal KDC but I'm having so much trouble with IPA-KDC. Going to wipe the Win7 config and start fresh on that system.

Not sure what you are having trouble with, the KDC component of IPA is a stock MIT KDC with LDAP backend.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.

Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp

On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
> On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
> > Once I changed the password for 'admin' I now get this error on the windows system: Insufficient system resources exist to complete the requested service, and get this in the log no matter if I use the correct (changed) password or if I use a known bad password:
> >
> > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> >
> > I even deleted the user and all associated profile information on the windows system and still it won't work any more.
>
> Ok, somehow we generate a key the windows client doesn't like or know how to work with, while MIT's clients are just fine with it. The way we generate keys is by setting a special random seed that is handed back to the client when the preauth error is generated; perhaps Windows is not liking what it sees?
>
> Any chance you can try with an older client? I wonder if it is a regression in win7.
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
I wonder if changing the defaults to exclude the use of AES would help in your case. Not ideal, but apparently something funny is going on there.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
What error exactly do you get on the client side?

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
Ah, stupid me. When using Windows XP you must generate a keytab that does not use the AES enctype. If you include the AES enctype when generating keys for the host, you are telling the KDC that the host knows how to use AES. You should probably just use arcfour only for WinXP, as that client only understands RC4 and DES, and DES is not worth using.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab:

Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0, o...@pdh.csp for host/crm1.pdh@pdh.csp, KDC has no support for encryption type

There is a fix for Win7. I have a technet article; I will post the link as soon as I can. I had the Win7 system working with the freeipa 'admin' user before I changed the admin user password, now it's broken. The MIT KFW client can authenticate and get a ticket, but I need to get the native windows authentication working.

Thanks
Re: [Freeipa-users] Windows client logon
On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote:
> According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab:

I know for a fact that stock WinXp supports only RC4 and DES, no 3DES nor AES support there. If you create the host keytab with only RC4 you should be able to make WinXp happy.

> There is a fix for Win7. I have a technet article; I will post the link as soon as I can.

Yes please let me know the link, I will try to investigate any Win7/W2K8 issues with AES and random salts asap, but not this week probably.

> I had the Win7 system working with the freeipa 'admin' user before I changed the admin user password, now it's broken. The MIT KFW client can authenticate and get a ticket, but I need to get the native windows authentication working.

Understood. If AES is the issue, you could reconfigure FreeIPA to not allow AES. Not ideal, but it would be the fastest solution, although it will probably also require changing all passwords.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
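The krb5kdc log lines quoted in this thread already carry what is needed to diagnose the problem: the enctypes a client offers in its AS_REQ/TGS_REQ, the rep/tkt/ses enctypes on ISSUE lines, and BAD_ENCRYPTION_TYPE failures. The parser below is an added example, not anything from the thread or from FreeIPA: it extracts those fields and flags clients that only ever offer DES or RC4 (as stock Windows XP does) and tickets for host/ principals issued with an enctype the requesting client never offered, which is the situation Simo diagnoses. The sample log lines, the realm EXAMPLE.TEST, hostnames and addresses are constructed for the example; the function names are assumptions. Restricting a client to RC4_HMAC_MD5, as the thread ends up doing, is a downgrade to a weak enctype, so keeping an inventory of which clients need it is worth doing.

```python
"""Parse MIT krb5kdc log lines and flag enctype problems.
Added example with constructed sample data; not the thread poster's logs."""
import re
from collections import defaultdict

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757). Negative numbers are
# Microsoft-private enctypes that an MIT KDC does not know.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
WEAK_ETYPES = {1, 2, 3, 23, 24}   # the DES and RC4 families

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
ISSUE_RE = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)")


def etype_name(n):
    return ETYPE_NAMES.get(n, "unknown(%d)" % n)


def parse_line(line):
    """Return a dict for one krb5kdc request line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(x) for x in rec["etypes"].split()]
    rec["issue"] = None
    if rec["status"] == "ISSUE":
        i = ISSUE_RE.search(rec["rest"])
        if i:
            rep, tkt, ses, princ, server = i.groups()
            rec["issue"] = {"rep": int(rep), "tkt": int(tkt), "ses": int(ses),
                            "client_princ": princ, "server": server}
    return rec


def analyze(lines):
    """Summarise the enctypes each client offered and collect findings."""
    offered = defaultdict(set)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        known = {e for e in rec["etypes"] if e in ETYPE_NAMES}
        offered[rec["client"]] |= known
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            # the KDC holds no key in any enctype this client can use
            findings.append({"kind": "bad_enctype", "client": rec["client"],
                             "detail": rec["rest"]})
        iss = rec["issue"]
        if iss and iss["server"].startswith("host/") and iss["tkt"] not in known:
            # a workstation fetching its own host/ ticket at logon must decrypt it;
            # an AES ticket for a client that offers only RC4/DES cannot work
            findings.append({"kind": "tkt_etype_mismatch", "client": rec["client"],
                             "detail": "%s ticket uses %s"
                                       % (iss["server"], etype_name(iss["tkt"]))})
    return {
        "offered": {c: sorted(etype_name(e) for e in es) for c, es in offered.items()},
        "weak_only_clients": {c for c, es in offered.items() if es and es <= WEAK_ETYPES},
        "findings": findings,
    }


# Constructed sample in the format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Sep 19 20:09:30 kdc.example.test krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.150: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Sep 19 20:09:30 kdc.example.test krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.0.2.150: ISSUE: authtime 1316462970, etypes {rep=23 tkt=18 ses=23}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Sep 19 20:09:31 kdc.example.test krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.150: BAD_ENCRYPTION_TYPE: authtime 0, alice@EXAMPLE.TEST for host/ws1.example.test@EXAMPLE.TEST, KDC has no support for encryption type
Sep 19 20:10:02 kdc.example.test krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.9: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Sep 19 20:10:03 kdc.example.test krb5kdc[1246](info): TGS_REQ (3 etypes {23 3 1}) 192.0.2.150: ISSUE: authtime 1316462970, etypes {rep=23 tkt=18 ses=23}, alice@EXAMPLE.TEST for host/ws1.example.test@EXAMPLE.TEST
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG.splitlines()), indent=2, default=sorted))
```

Run against a real /var/log/krb5kdc.log the `weak_only_clients` set is the list of machines that still need an RC4-only host keytab, and `tkt_etype_mismatch` findings point at host principals whose keytab was generated with enctypes the machine cannot handle.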
Re: [Freeipa-users] Windows client logon
You are correct. As soon as I set the WinXP machine to arcfour-hmac it's working to authenticate all users against the FreeIPA realm. I just went into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and maybe that will fix it, too.
Re: [Freeipa-users] Windows client logon
That fixed Win7. Now I'm going to enable AES on Win7 to see if it breaks again.

On Mon, Sep 19, 2011 at 4:44 PM, Jimmy g17ji...@gmail.com wrote:
> You are correct. As soon as I set the WinXP machine to arcfour-hmac it's working to authenticate all users against the FreeIPA realm. I just went into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and maybe that will fix it, too.
Re: [Freeipa-users] Windows client logon
I can't find the technet article right now, but here's what I did that makes Win7 work. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called “Network Security: Configure encryption types allowed for Kerberos”, unselect everything except RC4_HMAC_MD5 and reboot. Step by step instructions below.

AES worked at first for me but that was only for the IPA user `admin`, and even that broke after I changed the `admin` password using the windows change password dialog. I will be submitting that tracefile and log to MS to see what might be happening.

On FreeIPA:

i. create the host principal in the web interface
ii. create IPA users to correspond to windows users
iii. reset the user's IPA password to a known password using the web interface; the user will be prompted to change it at first log in. (is there a default password or is this random? sorry if that's somewhere else in docs and I missed it)
iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P`

configure windows ksetup:

i. ksetup /setdomain [REALM NAME]
ii. ksetup /addkdc [REALM NAME] [kdc DNS name]
iii. ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv. ksetup /setcomputerpassword [PASSWORD]
v. ksetup /mapuser * *
vi. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called “Network Security: Configure encryption types allowed for Kerberos” and unselect everything except RC4_HMAC_MD5
vii. *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password; you will be prompted to change the password, then logged in.