Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD

2012-11-19 Thread Natxo Asenjo
hi, Qing

On Sat, Nov 17, 2012 at 8:20 PM, Qing Chang qch...@sri.utoronto.ca wrote:

 2, Dovecot + IPA: it is not an IPA issue but an sss cache timeout issue, I read
 it's 90 min?
 When a user changes his/her password, the cache usually is not updated, hence
 the problem checking IMAP email with the new password.
 Fix/workaround:
 \rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb
 service sssd restart
 This is really heavy handed, but I cannot find the sss_cache utility anywhere for
 RHEL 6.3!
 Question: is there a way to shorten the timeout period? Where can I find sss_cache?

last week I asked a similar question :-). In the man page of sssd.conf
look for 'timeout'. There are quite a few settings you can change
about the sss_cache.

the sss_cache is in a package called sssd-tools now; in the next
release it will be part of the sssd main package.

 I have great confidence in IPA now, big part of it is because of this list!!

Me too.

-- 
groet,
natxo
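A targeted alternative to deleting the whole cache file, as an added example that is not part of the thread: it assumes the SSSD domain section is named sri.utoronto.ca (the name embedded in the cache file path quoted above), that sss_cache comes from sssd-tools, and it reads a constructed sssd.conf sample to show where the timeout lives.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the SSSD domain section is named
# "sri.utoronto.ca" (the name in the cache file path quoted above) and that
# sss_cache is installed from the sssd-tools package.
DOMAIN="${DOMAIN:-sri.utoronto.ca}"

# Path of the per-domain cache file the workaround above deletes by hand.
cache_file() {
  printf '/var/lib/sss/db/cache_%s.ldb\n' "$1"
}

# Targeted invalidation: expire only one user's cached entry with sss_cache
# instead of wiping the whole domain cache; fall back to the heavy-handed
# workaround from the thread when sss_cache is not installed.
invalidate_user() {
  if command -v sss_cache >/dev/null 2>&1; then
    sss_cache -u "$1"
  else
    rm -f "$(cache_file "$DOMAIN")" && service sssd restart
  fi
}

# List the timeout settings of one [domain/...] section of sssd.conf read
# from stdin, so the current values can be checked before shortening them.
show_timeouts() {
  awk -v sec="[domain/$1]" '
    $0 == sec          { insec = 1; next }
    /^\[/              { insec = 0 }
    insec && /timeout/ { print }'
}

# Constructed sssd.conf sample: 5400 s is the 90 minutes mentioned above.
SAMPLE_CONF='[sssd]
domains = sri.utoronto.ca
[domain/sri.utoronto.ca]
id_provider = ipa
entry_cache_timeout = 5400'

printf '%s\n' "$SAMPLE_CONF" | show_timeouts "$DOMAIN"
```

Run `invalidate_user <login>` right after a password reset to clear just that user's entry.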

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] DNSSEC DNS zone spoofing (was: Problem adding DNS Zones)

2012-11-19 Thread Petr Spacek

Hello,

On 11/16/2012 04:11 PM, Bret Wortman wrote:

Using FreeIPA on a private network (where it's easier to just alias our own
servers to these names than to edit config file after config file). Any idea
what I'm doing wrong here?

# ipa dnszone-add 0.pool.ntp.org --name-server=dns.project.net --admin-email=r...@project.net


I should mention another thing:
Resolution of spoofed zones could become broken when DNSSEC comes into the 
game. NTP pool is not the case now, but please remember that possibility.


--
Petr^2 Spacek



[Freeipa-users] IPA'd users not going through .bashrc

2012-11-19 Thread Bret Wortman
I've noticed that my users who are provided identities through IPA aren't
having their .bashrc and other login profile files run when they log in. I
tried googling this issue but haven't found anything. Has anyone else
encountered this?

Puppet 3.0.1 from puppetlabs' repos on F17.


-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman

Re: [Freeipa-users] IPA'd users not going through .bashrc

2012-11-19 Thread Bret Wortman
Never mind. Had the default shell set to /bin/sh.


On Mon, Nov 19, 2012 at 10:22 AM, Bret Wortman bret.wort...@damascusgrp.com wrote:


-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman

Re: [Freeipa-users] Problem with password reset on ubuntu 12.04 (lightdm)

2012-11-19 Thread Dmitri Pal
On 11/19/2012 04:37 AM, Marc Grimme wrote:
 (Mon Nov 19 10:33:33 2012) [sssd[krb5_child[19943]]] [krb5_child_setup] (0x4000): Not using FAST.
 (Mon Nov 19 10:33:33 2012) [sssd[krb5_child[19943]]] [changepw_child] (0x0020): krb5_change_password failed [2][Server error].
 (Mon Nov 19 10:33:33 2012) [sssd[krb5_child[19943]]] [changepw_child] (0x0020): krb5_change_password failed [2][Password not changed.].
Have you looked at the server Kerberos log?
Do you see an attempt there?
If not there might be a problem accessing kadmin process on the server.
Might be a firewall issue then.
But let us start with the server side.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD

2012-11-19 Thread Qing Chang


On 19/11/2012 3:33 AM, Natxo Asenjo wrote:


thanks, Natxo, I'll do some research on it.
Qing



Re: [Freeipa-users] Problem with password reset on ubuntu 12.04 (lightdm)

2012-11-19 Thread Marc Grimme
This is what the kerberos log (kadmin.log) shows on the relevant IPA server:
Nov 19 17:29:54 axinfra02-1.cl.atix kadmind[18851](Error): password quality module empty rejected password for tu...@cl.atix: Empty passwords are not allowed
Nov 19 17:29:54 axinfra02-1.cl.atix kadmind[18851](Notice): chpw request from 192.168.3.231 for tu...@cl.atix: Password is too short

I could only enter the old password; the new one was never queried.
Any idea?
Thanks
Marc.

Am 19.11.2012 16:57, schrieb Dmitri Pal:

-- 

Marc Grimme

Tel: +49 (0)89 452 35 38-140
Fax: +49 (0)89 452 35 38-290 
E-Mail: gri...@atix.de

ATIX Informationstechnologie und Consulting AG | Einsteinstrasse 10 |
85716 Unterschleissheim | www.atix.de | www.comoonics.org

Registergericht: Amtsgericht Muenchen, Registernummer: HRB 168930, USt.-Id.: 
DE209485962 | Vorstand: Marc Grimme, Mark Hlawatschek, Thomas Merz (Vors.) |
Vorsitzender des Aufsichtsrats: Dr. Martin Buss



Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD

2012-11-19 Thread Dmitri Pal
On 11/17/2012 02:20 PM, Qing Chang wrote:

 On 16/11/2012 12:11 PM, Dmitri Pal wrote:
 On 11/16/2012 10:59 AM, Qing Chang wrote:
 just migrated all my user from OpenLDAP and MIT Kerberos to IPA.

 Out of more than 400 users, there are around 10 that have problem
 accessing Samba or Dovecot IMAP or ssh.

 They never have problem login to ipa/ipa/ui/login.html.

 For Dovecot IMAP following error is generated:
 =
 Nov 16 10:15:03 dovecot2 auth: pam_unix(dovecot:auth):
 authentication failure; logname= uid=0 euid=0 tty=dovecot
 ruser=uesrid rhost=IP  user=userid
 Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): authentication
 failure; logname= uid=0 euid=0 tty=dovecot ruser=userid rhost=IP
 user=useris
 Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): received for
 user userid: 4 (System error)

 Hello Qing

 There are several things to do:
 1) Compare entries of the users that login with no problems and users
 that have problems. There might be some attributes different
 (absent/present). That might give a hint of what might be wrong. We
 have seen some issues in this area related to Samba.
 2) Can you please enable the higher debug_level in SSSD and provide
 the SSSD logs + sssd.conf that would help to see what is going on
 with the user that is failing.
 3) Also if you can describe your environment of how all the parts
 work together and what are the workflows in which you see the
 problem/issue. I am personally not familiar with Dovecot in details
 so I assume that Dovecot is configured to use PAM for the
 authentication and the snippet above is from that authentication. Is
 this the correct assumption?

 Thanks
 Dmitri

 Dmitri,

 appreciate your prompt response. I have been on this thing for the past
 day and a half; I think I now understand the issues and found a fix/workaround
 for them.

 1, Samba + IPA: when the attribute sambaPwdLastSet is set to 0, a samba mapping
 request will cause samba to CLEAR the sambaLMPassword and sambaNTPassword
 attributes, yes, not set the password to something, but the attributes are wiped
 out. This may only apply to my situation because I HAVE to use samba 3.0.23d,
 an ancient version!! Originally when I migrated users from OpenLDAP,
 sambaPwdLastSet had a non-zero value for every account. As users migrated their
 password properly, the value was not touched. But if someone's password has to
 be reset (too short, forgotten) by us admin users using the UI, sambaPwdLastSet
 is set to 0. This explains why the problem is not widespread.
 Fix/workaround: change sambaPwdLastSet to a sensible value after a password
 reset by admin.
 Question: is this a designed behavior for IPA? Or does migrate-mode or not make
 a difference?

I think you see this: https://fedorahosted.org/freeipa/ticket/3206
This is exactly the ticket I referred to when I said: We have seen some
issues in this area related to Samba.
It is planned for the next big release, code name Pilsner barrel.
We will start working on this release early next year.


 2, Dovecot + IPA: it is not an IPA issue but an sss cache timeout issue,
 I read it's 90 min?
 When a user changes his/her password, the cache usually is not updated, hence
 the problem checking IMAP email with the new password.
 Fix/workaround:
 \rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb
 service sssd restart
 This is really heavy handed, but I cannot find the sss_cache utility anywhere
 for RHEL 6.3!
 Question: is there a way to shorten the timeout period? Where can I find
 sss_cache?

 I have great confidence in IPA now, a big part of it is because of this list!!

 Many thanks,

 Qing
 =

 For Samba, it appears that a mapping request never gets to the Samba server
 because nothing is logged for a problematic user ID although I have turned on
 excessive logging.

 What is really frustrating is that there is no pattern to be found; even my
 fellow sysadmin's ID is also in trouble.

 Also, in his case, he has no problem with Dovecot. For another user ID Samba
 works but not Dovecot. It looks to me there might be some problem with sssd on
 the different servers?

 BTW, for at least one user, creating a brand new account for samba did not work
 either, while the trick worked for another user :-(.

 Please shed some light on this. I don't mind opening a case with Red Hat
 support if necessary.

 Red Hat Enterprise Linux Server release 6.3 (Santiago)
 ipa-server.x86_64    2.2.0-16.el6   @rhel-x86_64-server-6
 sssd.x86_64          1.8.0-32.el6   @rhel-x86_64-server-6
 sssd-client.x86_64   1.8.0-32.el6   @rhel-x86_64-server-6

 TIA,
 Qing




 -- 
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.
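The sambaPwdLastSet workaround from the quoted message, as an added example that is not code from the thread or from FreeIPA: it builds the modify LDIF for one user and assumes the entry lives at uid=<login>,cn=users,cn=accounts,<base DN> and that Samba reads sambaPwdLastSet as Unix epoch seconds, so the current time is the "sensible value".

```shell
#!/bin/sh
# Added example, not from the thread. Builds the LDIF that resets
# sambaPwdLastSet after an admin password reset. Assumed: user entries are
# uid=<login>,cn=users,cn=accounts,<base DN>, and sambaPwdLastSet holds Unix
# epoch seconds, so "now" is the sensible value the quoted message refers to.

# Emit a modify LDIF for one user; $1 = login, $2 = base DN, $3 = epoch
# seconds (defaults to the current time). Returns 1 on a malformed login or
# timestamp so that nothing odd reaches ldapmodify.
samba_pwdlastset_ldif() {
  login="$1"; base="$2"; when="${3:-$(date +%s)}"
  case "$login" in
    ''|*[!A-Za-z0-9._-]*) echo "bad login: $login" >&2; return 1 ;;
  esac
  case "$when" in
    ''|*[!0-9]*) echo "bad timestamp: $when" >&2; return 1 ;;
  esac
  printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$login" "$base"
  printf 'changetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: %s\n' "$when"
}

# Typical use right after an admin reset, piping into ldapmodify with your
# own credentials (hypothetical login and base DN):
#   samba_pwdlastset_ldif jdoe dc=example,dc=com | ldapmodify -Y GSSAPI
```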


 

[Freeipa-users] passwd: Authentication token manipulation error

2012-11-19 Thread Marcello Giannoni UCLA

Hi, this morning I was asked to reset the user password of one of our IPA/LDAP
user accounts.

After I reset the password I tried to log on to a particular ssh machine.

The system asked to change the password as expected.

I entered the new password and re-entered the new password; after this the
system answered with:

passwd: Authentication token manipulation error

So in order to test this situation I created a new account and I had the same
problem with the new account.

I also tried to reset another user's password and I got the same problem.

It seems that I'm not able to reset anybody's user password.

Any ideas?

From the krb5kdc.log I get:

Nov 19 14:35:31 ldap.webdom.lifesci.ucla.edu krb5kdc[1610](info): AS_REQ (4 etypes {18 17 16 23}) 164.67.110.65: PREAUTH_FAILED: tacco...@myserver.com for kadmin/chang...@myserver.com, Decrypt integrity check failed

From the /var/lib/dirsrv/slapd-server.com/errors file I get:

ipapwd_setPasswordHistory - [file ipapwd_common.c, line 926]: failed to generate new password history!
[19/Nov/2012:14:35:40 -0800] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry uid=taccount,cn=users,cn=accounts,dc=myserver,dc=com.

Any idea on what's going on?

Thank you

Marcello

Re: [Freeipa-users] passwd: Authentication token manipulation error

2012-11-19 Thread Dmitri Pal
On 11/19/2012 05:51 PM, Marcello Giannoni UCLA wrote:


Something is really misconfigured on the server.
When the user tries to change the password, his password policy needs to be
read from LDAP. Password policy depends on the groups the user is a
member of, so effectively the policy is merged from different policies.
That merge is failing because the DS plugin configuration is missing.

Does this happen on all your replicas?
If not, and the other replicas that you have work correctly, I would suggest
considering re-installation of the current replica. But to make it work,
I suggest you ask JR on #freeipa for exact steps as he has a lot of
expertise on recycling replicas.


  



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




