Re: [Freeipa-users] sendmail.schema
On 07/09/2015 11:09 AM, Rudolf Gabler wrote:
> Hi, we are dealing with a huge number of mail aliases which are not purely user aliases but distribution-lists, actions on distribution-lists and so on (mailman). There was a former sendmail.schema in fedora-ds (we are using fds 21 at the moment), which is gone (at least I didn't find it). Is there now a different approach for freeipa to deal with this problem?
>
> Regards, Rudi Gabler

I would recommend asking on 389-us...@lists.fedoraproject.org if nobody in this list has a good answer.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] services-based authentication
On 07/08/2015 10:11 AM, ilaria cianci wrote:
> Hi All, I am a new user and I have a question about FreeIPA authentication methods. Can FreeIPA select different auth methods (i.e. otp, password, etc.) for the same user based on the service he wants to access? I mean this user should use otp for the mail service, the password for the server access, etc. How can I set this?
>
> Thanks a lot in advance for your answer,
> Best regards, Ilaria

Hello,

This does not work yet, although it is something that we crave for! If you are interested, you can subscribe to updates in the respective RFE: https://fedorahosted.org/freeipa/ticket/433
Re: [Freeipa-users] Multiple CA certificates
On 07/09/2015 01:25 PM, Joseph, Matthew (EXP) wrote:
> Hello, We are currently in the process of replacing our IdM 3.x server with 4.x. There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately.

This is dangerous. I am not sure what platform you use, but if you are using RHEL or CentOS, the general migration procedure to IdM 4.x (i.e. RHEL-7.0+) is to simply create RHEL-7 replicas for your RHEL-6 servers and deprecate the old ones. In case you do some split-brain migration, where old and new IdM live separately, you may hit problems. More info here: https://www.freeipa.org/page/Howto/Migration

> Part of our configuration is using the password sync between IdM and Active Directory. I can't find any information on this so I figured I'd ask you guys to see if anyone has done this before. Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?
>
> Thanks, Matt
[Freeipa-users] Announcing FreeIPA 4.2.0
The FreeIPA team is proud to announce FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.

This announcement with additional ticket and design page links is available at http://www.freeipa.org/page/Releases/4.2.0.

== Highlights in 4.2 ==

=== Enhancements ===

* Support for multiple certificate profiles, including support for user certificates. The profiles are now replicated between FreeIPA servers to have a consistent state for all certificate creation requests. The certificate submission requests are authorized by the new CA ACL rules
* Support One-Way Trust to Active Directory
* User life-cycle management - add inactive stage users using UI or LDAP interface and have them moved to active users by a single command. Deleted users can now also be moved - 'preserved' - to a special tree and re-activated when the user returns, preserving its UID/GID
* Support for Password Vault (KRA) component of PKI for storing user or service secrets. All encrypted with public key cryptography so that even the FreeIPA server does not know the secrets!
* Datepicker is now used for datetime fields in the Web UI
* Upgrade process was overhauled. There is now a single upgrade tool ('ipa-server-upgrade') providing a simplified interface for upgrading the FreeIPA server. See details in separate subsection.
* Service constrained delegation rules can now be added by UI and CLI
* FreeIPA Web UI now provides API browser and documentation. See 'IPA Server' - 'API Browser' tab
* Access control instructions were updated so that hosts can create their own services
* FreeIPA server now offers Kerberos over HTTP (kdcproxy) as a service
* FreeIPA Web Server no longer uses deprecated 'mod_auth_kerb' but switched to the modern 'mod_auth_gssapi'
* New automated migration tool from winsync to 'ID Views'
* 'migrate-ds' command can now search the migrated users and groups with different scope
* DNSSEC integration was improved and FreeIPA server is configured to do DNSSEC validation by default. This might potentially affect installations which did not follow the Deployment Recommendations for DNS (wiki page Deployment_Recommendations#DNS).
* 'ipa migrate-ds' command can now run with different search scopes
* And many other small improvements or bug fixes!

=== Changes to upgrade ===

The server still upgrades automatically during RPM update. However, 'ipactl start' now verifies that the server was really upgraded before starting FreeIPA to prevent running upgraded bits on old data when 'ipa-server-upgrade' was not run during RPM update (for example during FedUp Fedora upgrade).

Update files (files in '/usr/share/ipa/updates/') format was changed. Namely:

* Updates are not merged, update files are applied one at a time
* Update entries no longer support CSV - commas can now be freely used in the added attributes
* Update can now use base64 values
* Update plugins are now not run automatically, but when referenced from update files ('plugin: plugin name')

== Upgrading ==

Upgrade instructions are available on the Upgrade page.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Detailed Changelog since 4.1 ==

=== Ade Lee (3) ===
* Add a KRA to IPA
* Add man page for ipa-kra-install
* Re-enable uninstall feature for ipa-kra-install

=== Ales 'alich' Marecek (1) ===
* Ipatests DNS SOA Record Maintenance

=== Alexander Bokovoy (21) ===
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
* Update slapi-nis dependency to pull 0.54.1
* AD trust: improve trust validation
* Support Samba PASSDB 0.2.0 aka interface version 24
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
* ipa-kdb: when processing transitions, hand over unknown ones to KDC
* ipa-kdb: reject principals from disabled domains as a KDC policy
* fix Makefile.am for daemons
* slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
* ipaserver/dcerpc: Ensure LSA pipe has session key before using it
* ipa-kdb: use proper memory chunk size when moving sids
* ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
* add one-way trust support to ipasam
* ipa-adtrust-install: add IPA master host principal to adtrust agents
* trusts: pass AD DC hostname if specified explicitly
* ipa-sidgen: reduce log level to normal if domain SID is not available
* ipa-adtrust-install: allow configuring of trust agents
* trusts: add support for one-way trust and switch to it by default
* ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
* trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
* trust: support retrieving POSIX IDs with one-way trust during trust-add

===
Re: [Freeipa-users] KRA? 4.2?
On Thu, 2015-07-09 at 17:56 -0700, Janelle wrote:
> Hello, I see 4.2 is released today with lots of cool new features. I think I understand the new Vault, but am not familiar with KRA? Wondering if there might be some information on what this is?

KRA is the name of the Dogtag project component that implements the secure storage for the Vault feature.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Announcing FreeIPA 4.2.0
On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
> The FreeIPA team is proud to announce FreeIPA v4.2.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.

Are copr builds for RHEL 7 / CentOS 7 planned?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] KRA? 4.2?
On 07/10/2015 02:56 AM, Janelle wrote:
> Hello, I see 4.2 is released today with lots of cool new features. I think I understand the new Vault, but am not familiar with KRA? Wondering if there might be some information on what this is?
>
> ~Janelle

KRA (or DRM) is the Dogtag subsystem we use for Vault :-)

There is a lot of Vault related information on
https://www.freeipa.org/page/V4/Password_Vault
https://www.freeipa.org/page/V4/Password_Vault_Implementation

Martin
Re: [Freeipa-users] Announcing FreeIPA 4.2.0
On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
> The FreeIPA team is proud to announce FreeIPA v4.2.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.

Any ETA about the availability of the Fedora 22 bits? I can see https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/ succeeded but when I try to install with that repo enabled on my Fedora 22, I don't get the 4.2.0 packages.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Announcing FreeIPA 4.2.0
On Fri, Jul 10, 2015 at 02:40:58PM +0200, Jan Pazdziora wrote:
> On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
> > The FreeIPA team is proud to announce FreeIPA v4.2.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.
>
> Any ETA about the availability of the Fedora 22 bits? I can see https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/ succeeded but when I try to install with that repo enabled on my Fedora 22, I don't get the 4.2.0 packages.

Hmm, when I run

  dnf install freeipa-server

the 4.1.4-4 from fedora updates repository gets put to the transaction. When I specify

  dnf install freeipa-server-4.2.0

I get

  Error: nothing provides 389-ds-base = 1.3.4.0 needed by freeipa-server-4.2.0-0.fc22.x86_64

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Announcing FreeIPA 4.2.0
On 07/10/2015 02:40 PM, Jan Pazdziora wrote:
> On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
> > The FreeIPA team is proud to announce FreeIPA v4.2.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.
>
> Any ETA about the availability of the Fedora 22 bits? I can see https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/ succeeded but when I try to install with that repo enabled on my Fedora 22, I don't get the 4.2.0 packages.

I was able to install freeipa-server-4.2.0-0.fc22.x86_64 using the COPR repository.

--
Petr Vobornik
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 30 June 2015 at 10:16, Alexandre Ellert aell...@numeezy.com wrote:
> Could you please provide the content of logfile: `/var/log/pki/pki-tomcat/ca/debug', around the time the error occurs?
>
> Thanks,
> Fraser

When the pki-tomcatd service is trying to start, I see this message in /var/log/pki/pki-tomcat/ca/debug

[30/Jun/2015:10:02:13][localhost-startStop-1]:
[30/Jun/2015:10:02:13][localhost-startStop-1]: = DEBUG SUBSYSTEM INITIALIZED ===
[30/Jun/2015:10:02:13][localhost-startStop-1]:
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: done init id=debug
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initialized debug
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: ready to init id=log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[30/Jun/2015:10:02:14][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory: init
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init()
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init begins
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init ends
[30/Jun/2015:10:02:14][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[30/Jun/2015:10:02:14][localhost-startStop-1]: makeConnection: errorIfDown true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at
Re: [Freeipa-users] Announcing FreeIPA 4.2.0
On Fri, Jul 10, 2015 at 04:09:45PM +0200, Petr Vobornik wrote:
> Some of the dependencies are still in updates-testing repository. They have been added to the COPR repository. Now FreeIPA 4.2 could be installed even with the updates-testing repo disabled. Sorry for your inconvenience.

I confirm things work now, I'm able to install and setup FreeIPA 4.2 server on Fedora 22 with the copr repo. Thank you!

Any plans for the RHEL/CentOS 7 copr repo?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] ipa client on ubuntu and sudo rules
Hello,

I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to work. I then realized that I used ipa-client-install version 3.3.4. Is this a plausible cause? And if so, where can I get a more recent version for ubuntu/debian?

Thanks,
Karl
[Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate
hi,

earlier today I was reading a post about the new freeipa version on my mobile device and got plenty of warnings about an invalid certificate. On a fedora laptop no warnings, but this is the problem:

$ curl -LIv https://www.freeipa.org
* Rebuilt URL to: https://www.freeipa.org/
* Hostname was NOT found in DNS cache
*   Trying 54.227.25.77...
* Connected to www.freeipa.org (54.227.25.77) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=www.freeipa.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
*       start date: Jul 16 00:00:00 2014 GMT
*       expire date: Jul 19 12:00:00 2016 GMT
*       common name: www.freeipa.org
*       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

You need to add the intermediate digicert certificate, it seems.

Thanks!

--
regards,
natxo
Re: [Freeipa-users] Announcing FreeIPA 4.2.0
On 07/10/2015 04:51 PM, Jan Pazdziora wrote:
> On Fri, Jul 10, 2015 at 04:09:45PM +0200, Petr Vobornik wrote:
> > Some of the dependencies are still in updates-testing repository. They have been added to the COPR repository. Now FreeIPA 4.2 could be installed even with the updates-testing repo disabled. Sorry for your inconvenience.
>
> I confirm things work now, I'm able to install and setup FreeIPA 4.2 server on Fedora 22 with the copr repo. Thank you!
>
> Any plans for the RHEL/CentOS 7 copr repo?

I'm sorry, I don't have a date for you yet. But as IPA 4.1 has Epel 7 COPR repo, IPA 4.2 will have it as well.

--
Petr Vobornik
Re: [Freeipa-users] Announcing FreeIPA 4.2.0
On 07/10/2015 02:55 PM, Jan Pazdziora wrote:
> On Fri, Jul 10, 2015 at 02:40:58PM +0200, Jan Pazdziora wrote:
> > On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
> > > The FreeIPA team is proud to announce FreeIPA v4.2.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.
> >
> > Any ETA about the availability of the Fedora 22 bits? I can see https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/ succeeded but when I try to install with that repo enabled on my Fedora 22, I don't get the 4.2.0 packages.
>
> Hmm, when I run dnf install freeipa-server the 4.1.4-4 from fedora updates repository gets put to the transaction. When I specify dnf install freeipa-server-4.2.0 I get
>
>   Error: nothing provides 389-ds-base = 1.3.4.0 needed by freeipa-server-4.2.0-0.fc22.x86_64

Some of the dependencies are still in updates-testing repository. They have been added to the COPR repository. Now FreeIPA 4.2 could be installed even with the updates-testing repo disabled. Sorry for your inconvenience.

# dnf clean metadata
# dnf install freeipa-server --disablerepo=*testing
# rpm -q freeipa-server
freeipa-server-4.2.0-0.fc22.x86_64
...

--
Petr Vobornik
Re: [Freeipa-users] Cannot find KDC for realm MYDOMAIN.NET - AD trust and UPN issues
On Thu, Jul 09, 2015 at 08:59:11PM -0700, Angelo Pantano wrote:
> I have the exact same problem, have a windows AD that trusts IPA server and an IPA client that connect to the IPA server via sssd. If I try to ssh on the IPA client using an AD user it fails authentication. The same happens if I try to su - ADuser. Basically IPA server is not correctly proxying the requests to AD, I can pull the info with getent, so I know the trust is working,

Are you sure SSSD is not just returning records from cache? Do you have full SSSD logs?

> but when I try to authenticate it's always failing. The relevant bits I found in the sssd logs suggest a problem contacting the AD subdomain via kerberos
>
> (Thu Jul 9 20:42:15 2015) [[sssd[krb5_child[12110]]]] [get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm AD.LOCAL]

The original poster had non-standard UPNs, so the users with those UPNs were failing. Is that your case also or do all users fail like this?
Re: [Freeipa-users] Cannot find KDC for realm MYDOMAIN.NET - AD trust and UPN issues
I have the exact same problem, have a windows AD that trusts IPA server and an IPA client that connect to the IPA server via sssd. If I try to ssh on the IPA client using an AD user it fails authentication. The same happens if I try to su - ADuser. Basically IPA server is not correctly proxying the requests to AD, I can pull the info with getent, so I know the trust is working, but when I try to authenticate it's always failing. The relevant bits I found in the sssd logs suggest a problem contacting the AD subdomain via kerberos

(Thu Jul 9 20:42:15 2015) [[sssd[krb5_child[12110]]]] [get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm AD.LOCAL]

is there manual customization that I am missing that I need to put on krb5 or sssd.conf?

Angelo

On 05/06/2015 12:14 AM, Nathan Peters wrote:
> > > From this link: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb The diagram in that section shows the client communicating with FreeIPA and FreeIPA contacting AD. So why are you saying the client authenticates with the AD DC directly?
> >
> > You are looking at the older documentation. It is for RHEL6. Please use RHEL7.1 docs to get the latest info about 4.1 functionality.
>
> Well according to the 7 docs here https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html it still shows in section 5.1.3.1 of that page that the sssd sends the request on behalf of the client and the client never directly connects to the AD dc. Both the 6 and 7 docs show the exact same diagram.
[Freeipa-users] wbinfo cannot pull Active Directory domain users
I have a freeipa server trusting an active directory domain, if I ssh to the ipa server everything works, but if I try to ssh on an ipa client the authentication fails.

I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:

failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND

Also in the logs I see:

log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name ad.local (sitename NULL)

everything else works though, I can getent users and group just fine. Can you please help me?

Angelo
Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users
On Fri, 10 Jul 2015, Angelo Pantano wrote:
> I have a freeipa server trusting an active directory domain, if I ssh to the ipa server everything works, but if I try to ssh on an ipa client the authentication fails.
>
> I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
>
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>
> Also in the logs I see:
>
> log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name ad.local (sitename NULL)
>
> everything else works though, I can getent users and group just fine. Can you please help me?

We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed on those platforms, SSSD is used to resolve users, not winbindd. Winbindd is only used to manage forest topology.

--
/ Alexander Bokovoy
Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users
On Fri, 10 Jul 2015, Angelo Pantano wrote:
> and this is the error I see in krb5_child.log
>
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400): Will perform online auth
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.TWEEK]
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error] (0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
>
> also
>
> # kinit freeipa@AD.TWEEK
> kinit: Cannot find KDC for realm AD.TWEEK while getting initial credentials
>
> any idea what's the problem? It seems kerberos cannot find users in the AD subdomain

Run

  KRB5_TRACE=/dev/stderr kinit freeipa@AD.TWEEK

to see what Kerberos library tries to connect to. If AD.TWEEK is your Active Directory's domain realm, then according to your krb5.conf it should be discovered via SRV records and appropriate AD DC would be contacted. This is the first part to solve. The rest (sssd output above) is due to SSSD not being able to find out the proper AD DC to talk to and thus it talks to the IPA DC which doesn't know this principal and errors out.

> this is my sssd.conf
>
> [domain/ipa.tweek]
> debug_level = 6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.tweek
> id_provider = ipa
> auth_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = someaddress_here
> chpass_provider = ipa
> ipa_server = _srv_, centos.ipa.tweek
> dns_discovery_domain = ipa.tweek
> cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek

^^ what is this?

> subdomains_provider = ipa

--
/ Alexander Bokovoy
Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users
On Fri, 10 Jul 2015, Angelo Pantano wrote:
> I am using sssd and from ipa clients the authentication is not working (works fine if I ssh on the ipa-server). I thought it could be due to the external groups being empty and not mapping the AD users.
>
> Anyway this is the krb5.conf on the ipa client:
>
> #File modified by ipa-client-install
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>   default_realm = IPA.TWEEK
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>   IPA.TWEEK = {
>     kdc = centos.ipa.tweek:88
>     master_kdc = centos.ipa.tweek:88
>     admin_server = centos.ipa.tweek:749
>     default_domain = ipa.tweek
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>     auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
>     auth_to_local = DEFAULT
>   }
>   AD.TWEEK = {
>     kdc = centos.ipa.tweek:88
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }

Why did you override AD.TWEEK KDC to point to FreeIPA? Remove the AD.TWEEK stanza completely. You have 'dns_lookup_realm' and 'dns_lookup_kdc' to allow automatic discovery via DNS SRV records.

> [domain_realm]
>   .ipa.tweek = IPA.TWEEK
>   ipa.tweek = IPA.TWEEK
>   .ad.tweek = AD.TWEEK
>   ad.tweek = AD.TWEEK
>
> and this is the error I see in krb5_child.log
>
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400): Will perform online auth
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.TWEEK]
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error] (0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
>
> also
>
> # kinit freeipa@AD.TWEEK
> kinit: Cannot find KDC for realm AD.TWEEK while getting initial credentials
>
> any idea what's the problem? It seems kerberos cannot find users in the AD subdomain
>
> this is my sssd.conf
>
> [domain/ipa.tweek]
> debug_level = 6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.tweek
> id_provider = ipa
> auth_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = someaddress_here
> chpass_provider = ipa
> ipa_server = _srv_, centos.ipa.tweek
> dns_discovery_domain = ipa.tweek
> cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
> subdomains_provider = ipa
>
> [sssd]
> services = nss, pam, pac, ssh
> config_file_version = 2
> debud_level = 6
> domains = ipa.tweek
>
> On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> > On Fri, 10 Jul 2015, Angelo Pantano wrote:
> > > I have a freeipa server trusting an active directory domain, if I ssh to the ipa server everything works, but if I try to ssh on an ipa client the authentication fails.
> > >
> > > I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
> > >
> > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > >
> > > Also in the logs I see:
> > >
> > > log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name ad.local (sitename NULL)
> > >
> > > everything else works though, I can getent users and group just fine. Can you please help me?
> >
> > We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed on those platforms, SSSD is used to resolve users, not winbindd. Winbindd is only used to manage forest topology.
> >
> > --
> > / Alexander Bokovoy

--
/ Alexander Bokovoy
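Alexander's diagnosis above (and the "Cannot find KDC for realm AD.LOCAL" thread earlier on this page) comes down to one thing in the posted krb5.conf: an AD.TWEEK stanza whose kdc is the IPA server, instead of letting dns_lookup_kdc find the AD DCs through SRV records. As an added example, not FreeIPA or SSSD code and not part of the original thread, this Python script parses a krb5.conf constructed from the posted one, flags that stanza, and shows the check passing once the stanza is removed as recommended.

```python
"""Lint a client krb5.conf for the misconfiguration discussed in this thread: a
[realms] stanza for the trusted AD realm whose kdc points at the IPA server, so
AD principals get looked up in the IPA KDC ("Client ... not found in Kerberos
database") instead of the AD DCs located through DNS SRV records. Added example,
not FreeIPA or SSSD code; the sample is constructed from the posted krb5.conf."""
import re

SAMPLE_KRB5_CONF = """\
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.TWEEK
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  IPA.TWEEK = {
    kdc = centos.ipa.tweek:88
    auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
    auth_to_local = DEFAULT
  }
  AD.TWEEK = {
    kdc = centos.ipa.tweek:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ad.tweek = AD.TWEEK
  ad.tweek = AD.TWEEK
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value lines and one level
    of NAME = { ... } blocks (enough for [libdefaults] and [realms]).
    Repeated keys such as auth_to_local are collected in order."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;' or line.startswith('include'):
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if line == '}':          # end of a NAME = { ... } block
            block = None
            continue
        m = re.match(r'^(\S+)\s*=\s*(.*)$', line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == '{':
            block = section.setdefault(key, {})
        else:
            (block if block is not None else section).setdefault(key, []).append(value)
    return conf


def check_trusted_realm(conf, ipa_realm, ad_realm):
    """Return findings about how this client would locate KDCs of ad_realm.
    An empty list means the config follows the advice in the thread: DNS SRV
    discovery enabled and no hard-coded stanza for the AD realm."""
    findings = []
    libdefaults = conf.get('libdefaults', {})
    for opt in ('dns_lookup_kdc', 'dns_lookup_realm'):
        vals = libdefaults.get(opt, [])
        if not vals or vals[-1].lower() not in ('true', 'yes', '1'):
            findings.append(f'{opt} is off in [libdefaults]: SRV discovery of {ad_realm} KDCs is disabled')
    realms = conf.get('realms', {})
    # kdc values may carry a :port suffix; compare on host only
    ipa_kdcs = {k.rsplit(':', 1)[0] for k in realms.get(ipa_realm, {}).get('kdc', [])}
    ad_stanza = realms.get(ad_realm)
    if ad_stanza is not None:
        shared = {k.rsplit(':', 1)[0] for k in ad_stanza.get('kdc', [])} & ipa_kdcs
        if shared:
            findings.append(f'[realms] {ad_realm} kdc points at the IPA KDC {sorted(shared)}: '
                            f'AD principals will be looked up in the IPA database and fail')
        else:
            findings.append(f'[realms] has an explicit {ad_realm} stanza: remove it '
                            f'and let DNS SRV records locate the AD DCs')
    return findings


def drop_realm_stanza(text, realm):
    """Return the krb5.conf text with the 'REALM = { ... }' block removed,
    which is the fix recommended in the thread."""
    pattern = re.compile(r'^[ \t]*' + re.escape(realm) + r'[ \t]*=[ \t]*\{.*?^[ \t]*\}[ \t]*\n?',
                         re.MULTILINE | re.DOTALL)
    return pattern.sub('', text)


if __name__ == '__main__':
    fixed = drop_realm_stanza(SAMPLE_KRB5_CONF, 'AD.TWEEK')
    for name, text in (('as posted', SAMPLE_KRB5_CONF), ('fixed', fixed)):
        conf = parse_krb5_conf(text)
        print(name, check_trusted_realm(conf, 'IPA.TWEEK', 'AD.TWEEK') or 'ok')
```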
Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users
I am using sssd and from ipa clients the authentication is not working (works fine if I ssh on the ipa-server). I thought it could be due to the external groups being empty and not mapping the AD users.

Anyway this is the krb5.conf on the ipa client:

#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.TWEEK
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IPA.TWEEK = {
    kdc = centos.ipa.tweek:88
    master_kdc = centos.ipa.tweek:88
    admin_server = centos.ipa.tweek:749
    default_domain = ipa.tweek
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
    auth_to_local = DEFAULT
  }
  AD.TWEEK = {
    kdc = centos.ipa.tweek:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipa.tweek = IPA.TWEEK
  ipa.tweek = IPA.TWEEK
  .ad.tweek = AD.TWEEK
  ad.tweek = AD.TWEEK

and this is the error I see in krb5_child.log

(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400): Will perform online auth
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.TWEEK]
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error] (0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]

also

# kinit freeipa@AD.TWEEK
kinit: Cannot find KDC for realm AD.TWEEK while getting initial credentials

any idea what's the problem? It seems kerberos cannot find users in the AD subdomain

this is my sssd.conf

[domain/ipa.tweek]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.tweek
id_provider = ipa
auth_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = someaddress_here
chpass_provider = ipa
ipa_server = _srv_, centos.ipa.tweek
dns_discovery_domain = ipa.tweek
cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
subdomains_provider = ipa

[sssd]
services = nss, pam, pac, ssh
config_file_version = 2
debug_level = 6
domains = ipa.tweek

On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Fri, 10 Jul 2015, Angelo Pantano wrote:
> > I have a freeipa server trusting an active directory domain, if I ssh to the ipa server everything works, but if I try to ssh on an ipa client the authentication fails.
> > I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
> > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > Also in the logs I see:
> > log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name ad.local (sitename NULL)
> > everything else works though, I can getent users and group just fine. Can you please help me?
>
> We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed on those platforms, SSSD is used to resolve users, not winbindd. Winbindd is only used to manage forest topology.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] ipa client on ubuntu and sudo rules
On (10/07/15 16:19), Karl Forner wrote:
> Hello, I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to work. I then realized that I used ipa-client-install version 3.3.4. Is this a plausible cause? And if so, where can I get a more recent version for ubuntu/debian?

Newer versions of ipa-client configure sssd integration with sudo by default. Please follow the instructions from the manual page sssd-sudo and you should be able to configure it yourself. Different versions of sssd require different configuration with the ipa provider. IIRC sssd 1.10 has a native ipa sudo provider so you needn't configure the sudo ldap provider with IPA. That's the reason why it's better to follow the instructions from the man page sssd-sudo.

LS
Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users
On Fri, 10 Jul 2015, Angelo Pantano wrote:
> I still had it because I am in the middle of a PoC for a migration, the legacy used pam_ldap and if I just remove it not only the error does not go away, but in the secure logs you also see this new error:
>
> Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot open shared object file: No such file or directory
> Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM adding faulty module: /lib64/security/pam_ldap.so

You should just remove it from the PAM config files, not the pam_ldap.so. From what I see, you broke default configuration and pam_ldap module actually returns an error code that SSH interprets as a signal to deny logon. You may, of course, spend time fighting this but I don't really see a benefit. If you need to authenticate/get identities from older LDAP server, just configure a second domain in sssd.conf and use 'id_provider=ldap' there to point to your LDAP server.

--
/ Alexander Bokovoy
Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users
On Fri, 10 Jul 2015, Angelo Pantano wrote:
> ok I managed to fix it by running:
>
> yum remove pam_ldap; sed -i '/pam_ldap/d' /etc/pam.d/*
>
> Thanks for pointing me to the dns problem though, that was the real deal. Is there a way to setup ipa-client without messing up with resolv.conf? like disabling the discovery or using just a forwarder?

ipa-client-install doesn't override /etc/resolv.conf. It only reads /etc/resolv.conf to understand what domains are served. If you have working DNS setup that properly handles queries for IPA domain, that's all you need.

--
/ Alexander Bokovoy
Re: [Freeipa-users] ipa-replica-prepare error
On 07/08/2015 11:31 AM, Orion Poplawski wrote:
> But then when I go to make a replica:
>
> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX
> Directory Manager (existing master) password:
> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>
> Which looks like others are experiencing (with no resolution that I could see)
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html

Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.

Filed https://fedorahosted.org/freeipa/ticket/5117

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                    or...@nwra.com
Boulder, CO 80301                     http://www.nwra.com
Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users
I removed the stanza, but anyway I found one problem was the DNS. I needed to setup the nameserver in resolv.conf with the ip of the ipa server. I can kinit now but ssh is still failing, connection gets closed instead of letting me in:

secure.log says:

Jul 10 13:19:01 ip-10-237-186-172 sshd[5581]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano@ad.tweek
Jul 10 13:19:02 ip-10-237-186-172 sshd[5581]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano@ad.tweek
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: pam_ldap: ldap_starttls_s: Can't contact LDAP server
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: Failed password for apantano@ad.tweek from 10.61.205.107 port 61833 ssh2
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: fatal: Access denied for user apantano@ad.tweek by PAM account configuration [preauth]

That's odd in so many ways, I got both a failure from pam_unix and a success from pam_sss...

On Fri, Jul 10, 2015 at 12:50 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Fri, 10 Jul 2015, Angelo Pantano wrote:
> > I am using sssd and from ipa clients the authentication is not working (works fine if I ssh on the ipa-server). I thought it could be due to the external groups being empty and not mapping the AD users.
Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users
On Fri, 10 Jul 2015, Angelo Pantano wrote:
> I removed the stanza, but anyway I found one problem was the DNS. I needed to setup the nameserver in resolv.conf with the ip of the ipa server. I can kinit now but ssh is still failing, connection gets closed instead of letting me in:
>
> secure.log says:
>
> Jul 10 13:19:01 ip-10-237-186-172 sshd[5581]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano@ad.tweek
> Jul 10 13:19:02 ip-10-237-186-172 sshd[5581]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano@ad.tweek
> Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: pam_ldap: ldap_starttls_s: Can't contact LDAP server
> Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: Failed password for apantano@ad.tweek from 10.61.205.107 port 61833 ssh2
> Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: fatal: Access denied for user apantano@ad.tweek by PAM account configuration [preauth]
>
> That's odd in so many ways, I got both a failure from pam_unix and a success from pam_sss...

That's how it should be, it is a _stack_ of authentication modules. pam_unix doesn't know anything beyond /etc/passwd and /etc/shadow. I don't understand *why* do you have pam_ldap configured. You only need pam_sss, remove pam_ldap, this is definitely not a default configuration.

> On Fri, Jul 10, 2015 at 12:50 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> > On Fri, 10 Jul 2015, Angelo Pantano wrote:
> > > I am using sssd and from ipa clients the authentication is not working (works fine if I ssh on the ipa-server). I thought it could be due to the external groups being empty and not mapping the AD users.
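As an added example, not code from the thread or from SSSD, here is detection logic for the situation explained in this reply: a parser for the sshd lines above that groups them by sshd PID, records each PAM module's result and phase, and reports when pam_sss authenticated the user yet access was still denied because a module outside the stock stack (here pam_ldap, failing in the account phase) returned an error. The log excerpt is a constructed sample copied from this message; module names and phases come from the standard pam_unix/pam_sss log prefix, and the set of "expected" modules is an assumption for the ipa-client-install default stack.

```python
import re
from collections import defaultdict

# Constructed sample: the /var/log/secure excerpt quoted in this message.
SAMPLE_SECURE_LOG = """\
Jul 10 13:19:01 ip-10-237-186-172 sshd[5581]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano@ad.tweek
Jul 10 13:19:02 ip-10-237-186-172 sshd[5581]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano@ad.tweek
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: pam_ldap: ldap_starttls_s: Can't contact LDAP server
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: Failed password for apantano@ad.tweek from 10.61.205.107 port 61833 ssh2
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: fatal: Access denied for user apantano@ad.tweek by PAM account configuration [preauth]
"""

# syslog prefix up to the sshd PID, then the message body
LINE_RE = re.compile(r"^\S+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
# "pam_unix(sshd:auth): ..." or, for modules logging without service/phase, "pam_ldap: ..."
MODULE_RE = re.compile(r"^(?P<module>pam_\w+)(?:\((?P<service>[^:)]+):(?P<phase>\w+)\))?:\s+(?P<detail>.*)$")
DENY_RE = re.compile(r"^fatal: Access denied for user (?P<user>\S+) by PAM (?P<phase>\w+) configuration")

# Assumption: modules a stock ipa-client-install PAM stack is expected to log from.
DEFAULT_STACK = frozenset({"pam_unix", "pam_sss"})


def parse_sessions(text):
    """Group sshd lines by PID; record (module, phase, result) events and the verdict."""
    sessions = defaultdict(lambda: {"events": [], "denied": False, "denied_in": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        session, msg = sessions[m.group("pid")], m.group("msg")
        mm = MODULE_RE.match(msg)
        if mm:
            detail = mm.group("detail").lower()
            if "success" in detail:
                result = "success"
            elif any(w in detail for w in ("failure", "can't", "error", "denied")):
                result = "failure"
            else:
                result = "info"
            session["events"].append((mm.group("module"), mm.group("phase"), result))
            continue
        dm = DENY_RE.match(msg)
        if dm:                       # final verdict and the PAM phase that produced it
            session["denied"], session["denied_in"] = True, dm.group("phase")
    return dict(sessions)


def diagnose(session, expected=DEFAULT_STACK):
    """Explain a denial: did pam_sss authenticate the user, and which modules
    outside the expected stack failed?  A pam_unix failure for an AD user is
    normal, since pam_unix only knows /etc/passwd and /etc/shadow."""
    auth_via_sss = any(mod == "pam_sss" and phase == "auth" and res == "success"
                       for mod, phase, res in session["events"])
    stray = sorted({mod for mod, _, res in session["events"]
                    if mod not in expected and res == "failure"})
    return {
        "verdict": "denied" if session["denied"] else "allowed",
        "denied_in": session["denied_in"],
        "auth_via_sss": auth_via_sss,
        "stray_failures": stray,
    }


if __name__ == "__main__":
    for pid, session in parse_sessions(SAMPLE_SECURE_LOG).items():
        d = diagnose(session)
        where = f" in PAM {d['denied_in']} phase" if d["denied_in"] else ""
        print(f"sshd[{pid}]: {d['verdict']}{where}; pam_sss auth ok={d['auth_via_sss']}; "
              f"non-default modules failing: {d['stray_failures'] or 'none'}")
```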
Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users
I still had it because I am in the middle of a PoC for a migration, the legacy used pam_ldap and if I just remove it not only the error does not go away, but in the secure logs you also see this new error:

Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot open shared object file: No such file or directory
Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM adding faulty module: /lib64/security/pam_ldap.so

I even tried to invoke authconfig to force disable pam_ldap and enable only sssd but instead it absurdly stops sssd and starts oddjobd in its place

On Fri, Jul 10, 2015 at 2:04 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Fri, 10 Jul 2015, Angelo Pantano wrote:
> > I removed the stanza, but anyway I found one problem was the DNS. I needed to setup the nameserver in resolv.conf with the ip of the ipa server. I can kinit now but ssh is still failing, connection gets closed instead of letting me in:
> >
> > secure.log says:
> >
> > Jul 10 13:19:01 ip-10-237-186-172 sshd[5581]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano@ad.tweek
> > Jul 10 13:19:02 ip-10-237-186-172 sshd[5581]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano@ad.tweek
> > Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: pam_ldap: ldap_starttls_s: Can't contact LDAP server
> > Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: Failed password for apantano@ad.tweek from 10.61.205.107 port 61833 ssh2
> > Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: fatal: Access denied for user apantano@ad.tweek by PAM account configuration [preauth]
> >
> > That's odd in so many ways, I got both a failure from pam_unix and a success from pam_sss...
>
> That's how it should be, it is a _stack_ of authentication modules. pam_unix doesn't know anything beyond /etc/passwd and /etc/shadow. I don't understand *why* do you have pam_ldap configured.
> You only need pam_sss, remove pam_ldap, this is definitely not a default configuration.