Re: [Freeipa-users] Add user - custom script

2011-09-19 Thread Rob Crittenden

Sigbjorn Lie wrote:



On Fri, September 16, 2011 23:18, Rob Crittenden wrote:

Sigbjorn Lie wrote:


On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:


On Fri, 16 Sep 2011, Dmitri Pal wrote:


On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:


On 09/15/2011 09:59 PM, Dmitri Pal wrote:


On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:


Hi,


Is there a custom script hook for when a user account is added using
either the cli, webui, or the winsync module?

I have a custom script I run when creating a user account, and having
this run automatically by IPA would make my life a lot easier.



Can you describe what kind of operations you need to do?
Have you looked at the automembership plugin?



I'm doing an SSH login onto a filer, creating a home folder ZFS dataset for
the new user, setting quota and ACL on the newly created dataset, and adding
files from a skeleton folder into the home folder.


It might be a stupid question but... you seem to do all the operations
described above on the filer. I am not quite clear what part of it, if any,
needs to be run on the server side, I mean on the IPA. Or do you actually want
to be able to create an account on the server side and have it trapped, and
send the event to the filer and run a script there?

We can't do it now. AFAIR there was a ticket about something like this
in the deferred bucket... Could not find it... But I remember a discussion. We
might need to file a ticket to track this, but it sounds like something that
will take a lot of time to accomplish.

Attached untested patch is a proof of concept. If /etc/ipa/server.conf
has the following setting:

ipa_user_script=/path/to/script

then during add/delete/modify of a user, it will be called with add/del/mod as
the first parameter and the user's dn as the second. The result of the call is
ignored, but the return from the IPA server is blocked by the execution, so be
quick in ipa_user_script!



I got the patch installed OK, env variable set, and the script is being
run when I do user modifications. Great! :) But the action (add/del/mod) and
the dn are not being supplied as arguments.

For testing's sake I've made a very simple script just to capture the
env variables.

Do you have any suggestion as to why the arguments are not getting supplied
to the script?


#!/bin/bash
# record the action, the dn and the environment the hook was called with
echo "a:$1 u:$2" > /tmp/ipa_custom_$$ && env >> /tmp/ipa_custom_$$


The ipautil.run invocation should be:


ipautil.run([self.api.env.ipa_user_script, 'add', dn])

In other words, the whole thing needs to be in the list.


Note that a cleaner way of adding this without having to modify
ipa-provided files would be to write an extension plugin that does this
(untested):


from ipalib.plugins.user import user_add
from ipapython import ipautil   # needed for ipautil.run

def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
    inst.log.info('User added')
    if 'ipa_user_script' in inst.api.env:
        try:
            ipautil.run([inst.api.env.ipa_user_script, 'add', dn])
        except Exception:
            # the hook's outcome is deliberately ignored so it can never fail the add
            pass
    return dn

user_add.register_post_callback(script_post_add_callback)

Stick that into a file and drop it into the directory with the other
plugins and restart Apache and that should do it.

rob



I reverted the patched user.py file back to the unpatched user.py file.

I called the script you provided custom.py, and I've tried copying it to
/usr/lib/python2.7/site-packages/ipalib/plugins and
/usr/lib/python2.7/site-packages/ipaserver/plugins. Then I restarted httpd and
tomcat6. Now the script is not called anymore.

Should the script be put anywhere else? Anything I didn't do?




It needs to be in ipalib/plugins.

Add:

from ipapython import ipautil

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
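An added example, not code from the thread or from FreeIPA, of the calling convention Rob describes (argv as a list, action first, dn second), with a timeout added because, as Alexander notes, the IPA response is blocked while the script runs. The stand-in hook script, the dn suffix and the `run_user_hook`/`make_demo_hook` names are constructed for the example.

```python
import os
import subprocess
import tempfile

VALID_ACTIONS = ("add", "del", "mod")

def run_user_hook(script, action, dn, timeout=5):
    # argv is a list, exactly as ipautil.run wants it: no shell ever parses the dn,
    # so spaces or metacharacters in it cannot change what gets executed.
    if action not in VALID_ACTIONS:
        raise ValueError("unknown action %r" % (action,))
    try:
        res = subprocess.run([script, action, dn], capture_output=True, text=True,
                             timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        # the child has been killed; the IPA request is no longer held up by it
        return None, ""
    return res.returncode, res.stdout

def make_demo_hook(delay=0):
    # Constructed stand-in for the admin's script: echo the arguments it received.
    fd, path = tempfile.mkstemp(prefix="ipa_hook_", suffix=".sh")
    with os.fdopen(fd, "w") as f:
        f.write("#!/bin/sh\nsleep %d\nprintf 'a:%%s u:%%s argc:%%s\\n' \"$1\" \"$2\" \"$#\"\n"
                % delay)
    os.chmod(path, 0o700)
    return path

def demo(delay=0, timeout=5):
    # Assumed dn: FreeIPA's uid=...,cn=users,cn=accounts,<suffix> with a constructed
    # suffix; the space in the uid would become two arguments if a shell string were used.
    script = make_demo_hook(delay)
    try:
        dn = "uid=sigbjorn lie,cn=users,cn=accounts,dc=example,dc=test"
        return run_user_hook(script, "add", dn, timeout=timeout)
    finally:
        os.unlink(script)
```

`demo()` returns the hook's exit status and the single line it wrote back; `demo(delay=3, timeout=1)` shows a slow hook being cut off instead of stalling the caller.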


Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 10:10 -0400, Jimmy wrote:
 I have verified that the password set for the workstation in the
 kerberos host principal(using ipa-getkeytab) and the password on the
 host (using ksetup) are the same. I'm still getting the  Decrypt
 integrity check failed errors. I have also verified that the system
 clock is accurate on both the KDC and the workstation. What else could
 be causing this? As I have said, this system authenticates flawlessly
 against other KDC's I have set up.

The thing that is failing is your user password does not check with what
the KDC thinks is the user's secret. You are not yet to the stage where
the machine password is tried.

Simo.
 

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote:
 I think you're on to something here. I just reset the user's password
 on IPA and get the password expired message but I get that
 regardless of what I enter for the user's password. I'm confused as to
 why I can make the user auth work with a normal KDC but I'm having so
 much trouble with IPA-KDC. Going to wipe the Win7 config and start
 fresh on that system. 

Not sure why you are having trouble, the KDC component of IPA is a stock
MIT KDC with LDAP backend.
 
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I have a WinXP client configured to authenticate now but it looks like
FreeIPA is sending the ticket encrypted with AES and XP does not support
AES. The user is getting authenticated, just not able to decrypt the ticket.

Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for
krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23})
192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23},
o...@pdh.csp for krbtgt/pdh@pdh.csp
Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes
{rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp


On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:

 On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
  Once I changed the password for 'admin' I now get this error on the
  windows system:
 
 
 
  Insufficient system resources exist to complete the requested service
 
 
  and get this in the log no matter if I use the correct(changed)
  password or if I use a known bad password:
  Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
  {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp
  for krbtgt/pdh@pdh.csp, Additional pre-authentication required
 
 
  I even deleted the user and all associated profile information on the
  windows system and still it won't work any more.
 
 
 Ok somehow we generate a key the windows client doesn't like or know how
 to work with. While MIT's clients are just fine with.
 The way we generate keys is by setting a special random seed that is
 handed back to the client when the preauth error is generated, perhaps
 Windows is not liking what it sees ?

 Any chance you can try with an older client, I wonder if it is a
 regression in win7 ?

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
I wonder if changing the defaults to exclude the use of AES would help
in your case.

Not ideal, but apparently something funny is going on there.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
What error exactly do you get on the client side ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
Ah stupid me,
When using Windows XP you must generate a keytab that does not use the
AES enctype. If you include the AES enctype when generating keys for the
host, you are telling the KDC that the host knows how to use AES.

You should probably just use arcfour only for WinXP as that client only
understands RC4 and DES, and DES is not worth using.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
According to this:
http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html
there are a ton of encryption options that XP does support, but I always get
this error if I define anything specific in the keytab:

Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for
krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23})
192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23 tkt=18 ses=23},
o...@pdh.csp for krbtgt/pdh@pdh.csp
Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0,
o...@pdh.csp for host/crm1.pdh@pdh.csp, KDC has no support for
encryption type

There is a fix for Win7. I have a technet article I will post the link as
soon as I can. I had the Win7 system working with the freeipa 'admin' user
before I changed the admin user password, now it's broken. The MIT KFW
client can authenticate and get a ticket, but I need to get the native
windows authentication working.
Thanks

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote:
 According to this:
 http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html
  there are a ton of encryption options that XP does support, but I always get 
 this error if I define anything specific in the keytab:

I know for a fact that stock WinXp supports only RC4 and DES, no 3DES
nor AES support there.

If you create the host keytab with only RC4 you should be able to make
WinXp happy.

 Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
 {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH:
 o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication
 required
 Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes
 {23}) 192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23
 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
 Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes
 {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE:
 authtime 0, o...@pdh.csp for host/crm1.pdh@pdh.csp, KDC has no
 support for encryption type
 

 There is a fix for Win7. I have a technet article I will post the link
 as soon as I can.

Yes please let me know the link, I will try to investigate any Win7/W2K8
issues with AES and random salts asap, but not this week probably.

 I had the Win7 system working with the freeipa 'admin' user before I
 changed the admin user password, now it's broken. The MIT KFW client
 can authenticate and get a ticket, but I need to get the native
 windows authentication working.

Understood.

If AES is the issue, you could reconfigure FreeIPA to not allow AES, not
ideal, but it would be the fastest solution. Although it will probably
require also to change all passwords.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

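An added example, not part of the thread, that decodes the etype numbers in krb5kdc lines like the ones quoted above and flags the two situations Simo explains: a TGS_REQ whose service ticket is encrypted with an enctype (here aes256, etype 18) that the requesting client never offered, and a BAD_ENCRYPTION_TYPE where no enctype overlaps at all; in both cases it names the enctypes the host keytab could be regenerated with. The sample lines are constructed after the thread's, with placeholder principals, and the enctype table is the standard RFC 3961 registry plus the negative Microsoft RC4 variants Windows advertises.

```python
import re

# Enctype numbers as krb5kdc logs them: RFC 3961 registry values plus the
# negative Microsoft pre-standard RC4 variants that Windows clients advertise.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
    -128: "rc4-md4 (MS)", -133: "rc4-hmac-old (MS)", -135: "rc4-hmac-old-exp (MS)",
}
# Enctypes worth keeping in a host keytab; DES and the exp/old RC4 variants are not.
KEYTAB_WORTHY = (18, 17, 23)

REQ_RE = re.compile(r"(AS_REQ|TGS_REQ) \((\d+) etypes \{([^}]*)\}\) (\S+): (\w+): (.*)$")
TKT_RE = re.compile(r"etypes \{rep=-?\d+ tkt=(-?\d+) ses=-?\d+\}")
PRINC_RE = re.compile(r"(\S+@\S+) for (\S+?)(?:,|$)")

def etype_name(n):
    return ETYPE_NAMES.get(n, "etype %d" % n)

def parse_kdc_line(line):
    # Returns a dict for an AS_REQ/TGS_REQ line, None for any other log line.
    m = REQ_RE.search(line)
    if not m:
        return None
    kind, _count, offered, client_ip, status, rest = m.groups()
    rec = {"kind": kind, "offered": [int(x) for x in offered.split()],
           "client_ip": client_ip, "status": status, "tkt": None, "service": None}
    pm = PRINC_RE.search(rest)
    if pm:
        rec["client"], rec["service"] = pm.groups()
    tm = TKT_RE.search(rest)  # only ISSUE lines carry the rep/tkt/ses triple
    if tm:
        rec["tkt"] = int(tm.group(1))
    return rec

def analyze(lines):
    # Flags TGS exchanges whose ticket enctype the requesting client never offered.
    findings = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None or rec["kind"] != "TGS_REQ":
            continue  # a TGT's tkt etype is the krbtgt key, never the client's problem
        offered = rec["offered"]
        keytab = ",".join(etype_name(e) for e in KEYTAB_WORTHY if e in offered)
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            findings.append("BAD_ENCRYPTION_TYPE: client %s shares no enctype with the keys "
                            "held for %s; regenerate its keytab with -e %s"
                            % (rec["client_ip"], rec["service"], keytab))
        elif rec["status"] == "ISSUE" and rec["tkt"] not in offered:
            findings.append("ticket for %s uses %s, which client %s did not offer (if the "
                            "client is that host it cannot decrypt its own logon ticket); "
                            "regenerate its keytab with -e %s"
                            % (rec["service"], etype_name(rec["tkt"]), rec["client_ip"], keytab))
    return findings

# Constructed sample modelled on the thread's lines (principals replaced).
SAMPLE = [
    "Sep 19 19:50:37 kdc krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, "
    "user1@EXAMPLE.TEST for host/winxp.example.test@EXAMPLE.TEST",
    "Sep 19 20:09:31 kdc krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0, user1@EXAMPLE.TEST for "
    "host/winxp.example.test@EXAMPLE.TEST, KDC has no support for encryption type",
]
```

Running `analyze(SAMPLE)` yields two findings, both ending in `-e rc4-hmac`, which is the keytab enctype Simo recommends for the XP host.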


Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
You are correct. As soon as I set the WinXP machine to arcfour-hmac it's
working to authenticate all users against the FreeIPA realm. I just went
into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and
maybe that will fix it, too.

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
That fixed Win7. Now I'm going to enable AES on Win7 to see if it breaks
again.



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I can't find the technet article right now, but here's what I did that
makes Win7 work.  Run gpedit.msc. Under Computer
Configuration\Windows Settings\Security Settings\Local
Policies\Security Options open the key called “Network Security:
Configure encryption types allowed for Kerberos” unselect everything
except RC4_HMAC_MD5 and reboot.  Step by step instructions below. AES
worked at first for me but that was only for the IPA user `admin` and
even that broke after I changed the `admin` password using the windows
change password dialog. I will be submitting that tracefile and log to
MS to see what might be happening.

On FreeIPA:

i.   create the host principal in the web interface
ii.  create IPA users to correspond to windows users
iii. reset the user's IPA password to a known password using the web
     interface, the user will be prompted to change at first log in. (is
     there a default password or is this random? sorry if that's somewhere
     else in docs and I missed it)
iv.  on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p
     host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P`

configure windows ksetup:

i.    ksetup /setdomain [REALM NAME]
ii.   ksetup /addkdc [REALM NAME] [kdc DNS name]
iii.  ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv.   ksetup /setcomputerpassword [PASSWORD]
v.    ksetup /mapuser * *
vi.   Run gpedit.msc. Under Computer Configuration\Windows
      Settings\Security Settings\Local Policies\Security Options open the
      key called “Network Security: Configure encryption types allowed for
      Kerberos” unselect everything except RC4_HMAC_MD5
vii.  *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password, you will be
      prompted to change the password then logged in.
