Re: [Freeipa-users] passwords expiration against IPA v.3.0.0-37 using ldap not kerberos
On Fri, Jul 18, 2014 at 11:22:05AM -0400, Lance Reed wrote:
> I am having a problem with sssd (1.9.2) and password expiration against IPA v.3.0.0-37. I have set up sssd to use IPA with LDAP, not Kerberos, since this is in EC2 and I don't want to deal with assigning tickets to each ephemeral host. So far things are working great, with the one exception that IPA using "krbPasswordExpiration" instead of "shadowExpire" breaks the handling of expired passwords.
>
> I tried setting "ldap_pwd_policy = mit_kerberos", which does allow expired passwords to be recognized, but then breaks the users' ability to change passwords. I suspect it causes sssd to use all Kerberos code paths, which won't work in this case.
>
> e.g. added to [domain/LDAP], trying to see if it will work:
>
>     id_provider = ldap
>     auth_provider = ldap
>     chpass_provider = ldap
>     ldap_schema = IPA
>     #ldap_pwd_policy = mit_kerberos
>     ldap_account_expire_policy = mit_kerberos
>
> If anyone has any ideas on this I would appreciate any feedback. Thanks in advance.

FYI, this question was asked on sssd-users, too, and the discussion is ongoing on that list:
https://lists.fedorahosted.org/pipermail/sssd-users/2014-July/001957.html

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
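The difference Lance runs into is one of schema: IPA records password expiry in krbPasswordExpiration (an LDAP GeneralizedTime such as 20140718112205Z), while the shadow schema that a plain LDAP client expects uses shadowExpire (a day count since 1970-01-01). The following is an added example, not code from the thread, from sssd or from FreeIPA: it evaluates both attributes for a user entry and reports which state a client should conclude. The entries it works on are constructed sample data, not output from any IPA server.

```python
"""Added example (not from the thread, sssd or FreeIPA): decide whether an
LDAP user's password has expired from either krbPasswordExpiration
(Kerberos schema, GeneralizedTime) or shadowExpire (shadow schema, days
since the Unix epoch). SAMPLE_ENTRIES below is constructed data."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC LDAP GeneralizedTime such as '20140718112205Z'."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def shadow_expire_to_datetime(days: int) -> datetime:
    """shadowExpire is a day count since the Unix epoch; the account counts as
    expired from the start of that day."""
    return EPOCH + timedelta(days=days)


def password_expiry(entry: Dict[str, str], now: datetime) -> Tuple[str, Optional[datetime]]:
    """Return (status, expiry) with status 'expired', 'valid' or 'unknown'.

    krbPasswordExpiration is consulted first because it is the attribute IPA
    maintains; shadowExpire is only a fallback. An entry carrying neither is
    reported as 'unknown' so a caller cannot silently treat it as valid.
    """
    krb = entry.get("krbPasswordExpiration")
    if krb:
        expiry = parse_generalized_time(krb)
        return ("expired" if now >= expiry else "valid"), expiry
    shadow = entry.get("shadowExpire")
    if shadow not in (None, "", "-1"):  # absent or -1: no shadow expiry set
        expiry = shadow_expire_to_datetime(int(shadow))
        return ("expired" if now >= expiry else "valid"), expiry
    return "unknown", None


# Constructed sample entries: the attribute names are real, the values are made up.
SAMPLE_ENTRIES = {
    "uid=alice": {"krbPasswordExpiration": "20140718112205Z"},
    "uid=bob": {"shadowExpire": "16269"},  # day 16269 is 2014-07-18
    "uid=carol": {"krbPasswordExpiration": "20141231235959Z", "shadowExpire": "16000"},
    "uid=dave": {},
}


def expiry_report(now: datetime) -> Dict[str, str]:
    """Map each sample DN to its expiry status at time `now`."""
    return {dn: password_expiry(attrs, now)[0] for dn, attrs in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for dn, status in expiry_report(datetime.now(timezone.utc)).items():
        print(dn, status)
```

Note the precedence: carol has a stale shadowExpire in the past but a krbPasswordExpiration in the future, and the Kerberos attribute wins because it is the one IPA actually updates on a password change.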
[Freeipa-users] Adding cross realm trust principals
Hello,

I want to migrate an existing MIT Kerberos realm to IPA and want to set up a cross-realm trust relationship. I have exactly the problem discussed on this mailing list:
https://www.redhat.com/archives/freeipa-users/2013-November/msg00213.html

and want to ask if there is now a new way to create trust principals without using

    kadmin.local -x ipa-setup-override-restrictions

Regards,
Andreas
Re: [Freeipa-users] Adding cross realm trust principals
On Mon, 21 Jul 2014, Andreas Ladanyi wrote:
> Hello,
>
> I want to migrate an existing MIT Kerberos realm to IPA and want to set up a cross-realm trust relationship. I have exactly the problem discussed on this mailing list:
> https://www.redhat.com/archives/freeipa-users/2013-November/msg00213.html
>
> and want to ask if there is now a new way to create trust principals without using
>
>     kadmin.local -x ipa-setup-override-restrictions

No changes yet.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Adding cross realm trust principals
On 21.7.2014 09:30, Alexander Bokovoy wrote:
> On Mon, 21 Jul 2014, Andreas Ladanyi wrote:
>> Hello,
>>
>> I want to migrate an existing MIT Kerberos realm to IPA and want to set up a cross-realm trust relationship. I have exactly the problem discussed on this mailing list:
>> https://www.redhat.com/archives/freeipa-users/2013-November/msg00213.html
>>
>> and want to ask if there is now a new way to create trust principals without using
>>
>>     kadmin.local -x ipa-setup-override-restrictions
>
> No changes yet.

Let me elaborate. We haven't had time to work on this but it would be really valuable if you could experiment with it a little bit.

Simo, Alexander, could you propose some dirty tricks to try?

--
Petr^2 Spacek
Re: [Freeipa-users] Adding cross realm trust principals
On Mon, 21 Jul 2014, Petr Spacek wrote:
> On 21.7.2014 09:30, Alexander Bokovoy wrote:
>> On Mon, 21 Jul 2014, Andreas Ladanyi wrote:
>>> Hello,
>>>
>>> I want to migrate an existing MIT Kerberos realm to IPA and want to set up a cross-realm trust relationship. I have exactly the problem discussed on this mailing list:
>>> https://www.redhat.com/archives/freeipa-users/2013-November/msg00213.html
>>>
>>> and want to ask if there is now a new way to create trust principals without using
>>>
>>>     kadmin.local -x ipa-setup-override-restrictions
>>
>> No changes yet.
>
> Let me elaborate. We haven't had time to work on this but it would be really valuable if you could experiment with it a little bit.
>
> Simo, Alexander, could you propose some dirty tricks to try?

The thread mentioned above has all the needed information already.

--
/ Alexander Bokovoy
Re: [Freeipa-users] 4.0.0 password migration trouble
On 07/19/2014 01:08 AM, Nordgren, Bryce L -FS wrote:
> So if I understand the 389-ds ticket correctly, I can add pre-hashed passwords via ldapmodify to the 389 server using directory manager as the bind DN? I just can't use the ipa command line tool/script.
>
> The short answer is no. Trying to add the userPassword attribute with ldapmodify binding as cn=directory manager fails with an operations error. The error log is attached to the ticket Rob made:
> https://fedorahosted.org/freeipa/ticket/4450
>
> To summarize:
> - No password migration via ipa migrate-ds;
> - No password migration via ipa user-add --setattr userPassword={SHA}...;
> - No password migration via 'ldapmodify -D cn=directory manager'.
>
> Do you think a solution will be forthcoming, or is it a ways off? I can leave my old ldap directory up for a little while.

I did a couple of tests with a custom build of 389-ds-base and got the migration working after switching the new configuration option. See details and the transcript in the ticket:
https://fedorahosted.org/freeipa/ticket/4450#comment:5

I will work with the DS team to backport the switch option to Fedora 20 389-ds-base and to release FreeIPA 4.0.1 with the appropriate patch to fix this problem ASAP, ideally this week.

Thanks for your patience,
Martin
Re: [Freeipa-users] ldap modify
On 07/21/2014 01:14 PM, Martin Kosek wrote:
> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
>> Hello,
>>
>> I've been experiencing strange problems trying to manually modify the userPassword attributes in FreeIPA's 389 directory (FreeIPA 3.3.4 on Fedora 20). I'm using the following script:
>>
>> CUT
>>
>>     [nasko@ipa ~]$ cat change_pass.sh
>>     #!/bin/sh
>>     # usage: change_pass.sh <dn> [password]; a missing password is generated with pwgen
>>     if test -z "${1}"; then
>>         echo "no dn supplied"
>>         exit 1
>>     fi
>>     if test -z "${2}"; then
>>         PASS=`pwgen 10 1`
>>     else
>>         PASS=${2}
>>     fi
>>     echo "${PASS}"
>>     PASS_HASH=`pwdhash "${PASS}"`
>>     (
>>         echo "dn: ${1}"
>>         echo "changetype: modify"
>>         echo "replace: userPassword"
>>         echo "userPassword: ${PASS_HASH}"
>>     ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w
>>     [nasko@ipa ~]$ ./change_pass.sh 'uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg' nohshohwoo
>>     modifying entry uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg
>>     ldap_modify: Operations error (1)
>>     [nasko@ipa ~]$
>>
>> CUT
>>
>> and so on and so on, ldapmodify returning the same error every time, on any dn. Any suggestions?
>>
>> P.S. The server is in migration mode at this time.
>
> Hello Atanas,
>
> This issue is already discussed in https://fedorahosted.org/freeipa/ticket/4450 and in the thread "[Freeipa-users] 4.0.0 password migration trouble"; you will find some information there.
>
> Ludwig, this issue is completely different than nsslapd-allow-hashed-passwords, correct?

No, I don't think so. pwdhash XXX returns {SSSH}hgjhdgjah, so it matches 389 ticket 47389.

> But anyway, changing the password via ldapmodify and supplying a pre-hashed password will not work well and you will need to run through the migration mode even after ticket 4450 is fixed. If you have the clear text available (which I assume based on the `pwdhash ${PASS}` construct), I would rather suggest changing it via the ldappasswd script so that FreeIPA can also generate all the Kerberos attributes.
>
> HTH,
> Martin
Re: [Freeipa-users] ldap modify
Martin Kosek wrote:
> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
>> Hello,
>>
>> I've been experiencing strange problems trying to manually modify the userPassword attributes in FreeIPA's 389 directory (FreeIPA 3.3.4 on Fedora 20). I'm using the following script:
>>
>> CUT
>>
>>     [nasko@ipa ~]$ cat change_pass.sh
>>     #!/bin/sh
>>     # usage: change_pass.sh <dn> [password]; a missing password is generated with pwgen
>>     if test -z "${1}"; then
>>         echo "no dn supplied"
>>         exit 1
>>     fi
>>     if test -z "${2}"; then
>>         PASS=`pwgen 10 1`
>>     else
>>         PASS=${2}
>>     fi
>>     echo "${PASS}"
>>     PASS_HASH=`pwdhash "${PASS}"`
>>     (
>>         echo "dn: ${1}"
>>         echo "changetype: modify"
>>         echo "replace: userPassword"
>>         echo "userPassword: ${PASS_HASH}"
>>     ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w
>>     [nasko@ipa ~]$ ./change_pass.sh 'uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg' nohshohwoo
>>     modifying entry uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg
>>     ldap_modify: Operations error (1)
>>     [nasko@ipa ~]$
>>
>> CUT
>>
>> and so on and so on, ldapmodify returning the same error every time, on any dn. Any suggestions?
>>
>> P.S. The server is in migration mode at this time.
>
> Hello Atanas,
>
> This issue is already discussed in https://fedorahosted.org/freeipa/ticket/4450 and in the thread "[Freeipa-users] 4.0.0 password migration trouble"; you will find some information there.
>
> Ludwig, this issue is completely different than nsslapd-allow-hashed-passwords, correct?
>
> But anyway, changing the password via ldapmodify and supplying a pre-hashed password will not work well and you will need to run through the migration mode even after ticket 4450 is fixed. If you have the clear text available (which I assume based on the `pwdhash ${PASS}` construct), I would rather suggest changing it via the ldappasswd script so that FreeIPA can also generate all the Kerberos attributes.
>
> HTH,
> Martin

Unfortunately, I don't have access to the cleartext passwords ('coz I'm migrating from existing 389 / OpenLDAP directories) and ipa migrate-ds failed miserably with hashed password constraint violations, so I cloned the 389s etc., deleted the userPassword attributes and tried to restore 'em with the script above, taking the PASS=${2} branch, which failed.

It appears that #4450 is very close to my issues.

--
Best regards, / Mit freundlichen Grüßen, / Met vriendelijke groeten,
Atanas Bachvaroff / Atanas Batschwaroff / Ätänas Batsjwärow
Re: [Freeipa-users] ldap modify
On 07/21/2014 01:30 PM, Atanas Bachvaroff wrote:
> Martin Kosek wrote:
>> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
>>> Hello,
>>>
>>> I've been experiencing strange problems trying to manually modify the userPassword attributes in FreeIPA's 389 directory (FreeIPA 3.3.4 on Fedora 20). I'm using the following script:
>>>
>>> CUT
>>>
>>>     [nasko@ipa ~]$ cat change_pass.sh
>>>     #!/bin/sh
>>>     # usage: change_pass.sh <dn> [password]; a missing password is generated with pwgen
>>>     if test -z "${1}"; then
>>>         echo "no dn supplied"
>>>         exit 1
>>>     fi
>>>     if test -z "${2}"; then
>>>         PASS=`pwgen 10 1`
>>>     else
>>>         PASS=${2}
>>>     fi
>>>     echo "${PASS}"
>>>     PASS_HASH=`pwdhash "${PASS}"`
>>>     (
>>>         echo "dn: ${1}"
>>>         echo "changetype: modify"
>>>         echo "replace: userPassword"
>>>         echo "userPassword: ${PASS_HASH}"
>>>     ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w
>>>     [nasko@ipa ~]$ ./change_pass.sh 'uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg' nohshohwoo
>>>     modifying entry uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg
>>>     ldap_modify: Operations error (1)
>>>     [nasko@ipa ~]$
>>>
>>> CUT
>>>
>>> and so on and so on, ldapmodify returning the same error every time, on any dn. Any suggestions?
>>>
>>> P.S. The server is in migration mode at this time.
>>
>> Hello Atanas,
>>
>> This issue is already discussed in https://fedorahosted.org/freeipa/ticket/4450 and in the thread "[Freeipa-users] 4.0.0 password migration trouble"; you will find some information there.
>>
>> Ludwig, this issue is completely different than nsslapd-allow-hashed-passwords, correct?
>>
>> But anyway, changing the password via ldapmodify and supplying a pre-hashed password will not work well and you will need to run through the migration mode even after ticket 4450 is fixed. If you have the clear text available (which I assume based on the `pwdhash ${PASS}` construct), I would rather suggest changing it via the ldappasswd script so that FreeIPA can also generate all the Kerberos attributes.
>>
>> HTH,
>> Martin
>
> Unfortunately, I don't have access to the cleartext passwords ('coz I'm migrating from existing 389 / OpenLDAP directories) and ipa migrate-ds failed miserably with hashed password constraint violations, so I cloned the 389s etc., deleted the userPassword attributes and tried to restore 'em with the script above, taking the PASS=${2} branch, which failed.
>
> It appears that #4450 is very close to my issues.

Ok. When 4450 is fixed (I would like to get it done this week), you should be able to just run migrate-ds and have pre-hashed user passwords stored.

Given you are running on 3.3.4 (why not the latest 3.3.5?), we should also release a fixed FreeIPA build in Fedora 20.

Martin
Re: [Freeipa-users] Disable AES256 Encryption
On 07/21/2014 03:38 PM, Eldo Joseph wrote:
> Is it possible to disable AES256 encryption in IPA while making Kerberos principals...
>
> -Eldo-

I think you would need to hand-update krbDefaultEncSaltTypes in cn=YOUR-REALM,cn=kerberos,SUFFIX (via ldapmodify) to make this work.

Can you share what the motivation for this change is? I see requests to rather add additional (older) encryption types, not to remove the current ones.

Thanks,
Martin
Re: [Freeipa-users] User auth for Samba 3 file server against IPA 3.0.0
Dmitri, thanks for your answer.

On Wed, 16 Jul 2014, Dmitri Pal wrote:
> On 07/16/2014 07:16 AM, dbisc...@hrz.uni-kassel.de wrote:
>> I have IPA running on a CentOS 6 server. This server also acts as NFS and Samba server. My Linux clients (openSUSE 13.1) work fine (NFS, automount, user auth for ssh and display manager). Since I also have some Windows users, I want them to be able to mount their homes via Samba using their IPA password. Just that, no AD or other fancy stuff.
>
> Support of Windows users is still where it was. Code might have changed, so the solution might not apply cleanly any more. Our general vision is that Windows users belong to Windows and have to be either in AD or in Samba4. As soon as Samba 4 supports cross-forest trusts we will make it supported. Then we will be able to support cases like you describe.
>
> Also, right now Samba FS as a member of an IPA domain does not work well. It should work better with SSSD 1.12.1 and IPA 4.1 when we make sure that all parts are in place, but that would still have some problems when one has to come from a Windows client, as there is no SSSD equivalent for Windows clients.
>
> Bottom line: no, there is no better info, sorry.

Bummer. Just to make sure: I don't want my Windows users to be able to log on to their systems using IPA auth, they all have local accounts. I just want them to be able to manually mount their home shares.

Since I'm still more or less testing stuff, I wonder where to go from here. Before biting the bullet and having separate Samba accounts: would it help to switch to Samba 4? This post
https://www.redhat.com/archives/freeipa-users/2013-April/msg00248.html
suggests that it's possible. Has somebody out there done it successfully?

[1] http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

Mit freundlichen Gruessen/With best regards,
--Daniel.
[Freeipa-users] FreeIPA server in Docker container
Hello,

if you need a way to quickly run a FreeIPA server on your machine while keeping the machine open to installation and configuration of other software which would otherwise clash with the FreeIPA server, you can try FreeIPA in a Docker container. We currently see it as a proof of concept, for testing or demo purposes.

The Dockerfiles with other content are available at
https://github.com/adelton/docker-freeipa
with branches for Fedora 20, rawhide, and RHEL 7.

Automatically built images are available in the Docker index:
https://hub.docker.com/u/adelton/
with Fedora 20 and rawhide content.

Also available are client repositories and images, to quickly start another container and let it IPA-enroll to the server in a container.

At this point, the containers need to be run as --privileged.

We plan to track the progress of the effort at
http://www.freeipa.org/page/Docker

Any comments or improvements are welcome,

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Disable AES256 Encryption
Martin,

Application compatibility issue, AES256 is not supported.

Thanks,
Eldo

On 21/07/2014 7:15 pm, Martin Kosek mko...@redhat.com wrote:
> On 07/21/2014 03:38 PM, Eldo Joseph wrote:
>> Is it possible to disable AES256 encryption in IPA while making Kerberos principals...
>>
>> -Eldo-
>
> I think you would need to hand-update krbDefaultEncSaltTypes in cn=YOUR-REALM,cn=kerberos,SUFFIX (via ldapmodify) to make this work.
>
> Can you share what the motivation for this change is? I see requests to rather add additional (older) encryption types, not to remove the current ones.
>
> Thanks,
> Martin
Re: [Freeipa-users] Disable AES256 Encryption
Ok, though in that case the application has 3 other encryption types to kinit with (in the default configuration).

Martin

On 07/21/2014 04:28 PM, Eldo Joseph wrote:
> Martin,
>
> Application compatibility issue, AES256 is not supported.
>
> Thanks,
> Eldo
>
> On 21/07/2014 7:15 pm, Martin Kosek mko...@redhat.com wrote:
>> On 07/21/2014 03:38 PM, Eldo Joseph wrote:
>>> Is it possible to disable AES256 encryption in IPA while making Kerberos principals...
>>>
>>> -Eldo-
>>
>> I think you would need to hand-update krbDefaultEncSaltTypes in cn=YOUR-REALM,cn=kerberos,SUFFIX (via ldapmodify) to make this work.
>>
>> Can you share what the motivation for this change is? I see requests to rather add additional (older) encryption types, not to remove the current ones.
>>
>> Thanks,
>> Martin
Re: [Freeipa-users] Disable AES256 Encryption
Eldo Joseph wrote:
> Martin,
>
> Application compatibility issue, AES256 is not supported.

So you need a keytab without AES? You can pass the encryption types you want to ipa-getkeytab using the -e option. This way you don't need to disable AES system-wide due to one application.

rob

> Thanks,
> Eldo
>
> On 21/07/2014 7:15 pm, Martin Kosek mko...@redhat.com wrote:
>> On 07/21/2014 03:38 PM, Eldo Joseph wrote:
>>> Is it possible to disable AES256 encryption in IPA while making Kerberos principals...
>>>
>>> -Eldo-
>>
>> I think you would need to hand-update krbDefaultEncSaltTypes in cn=YOUR-REALM,cn=kerberos,SUFFIX (via ldapmodify) to make this work.
>>
>> Can you share what the motivation for this change is? I see requests to rather add additional (older) encryption types, not to remove the current ones.
>>
>> Thanks,
>> Martin
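Rob's point is that the enctype restriction belongs on the one keytab, not on krbDefaultEncSaltTypes for the realm. Whichever way a keytab was produced, an admin wants to confirm what actually ended up in it. The following is an added example, not code from the thread, from MIT Kerberos or from FreeIPA: a minimal reader for MIT keytab files (format version 0x0502) that lists the encryption types stored per principal and key version, with a companion builder that constructs a keytab in memory from dummy key bytes so the parser can be exercised without a KDC. The enctype numbers are the assigned Kerberos registry values (17 and 18 for AES-128/256 CTS, 23 for RC4-HMAC, 16 for 3DES).

```python
"""Added example (not from the thread, MIT Kerberos or FreeIPA): parse an MIT
keytab (format 0x0502) and report the enctypes held for each principal.
build_keytab() constructs test input with dummy key material."""
import struct
from typing import Dict, Iterable, List, Tuple

# Enctype numbers as assigned in the Kerberos encryption type registry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit length-prefixed octet string; return (value, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _pack_counted(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s


def parse_keytab(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (principal, kvno, enctype) for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)  # v2: realm not counted
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode("utf-8"))
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen  # skip the key material itself
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno written by newer libraries
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(("/".join(comps) + "@" + realm.decode("utf-8"), kvno, enctype))
    return entries


def build_keytab(principal: str, realm: str, kvno: int, enctypes: Iterable[int],
                 key: bytes = b"\x00" * 16) -> bytes:
    """Construct a 0x0502 keytab with one entry per enctype (dummy key bytes)."""
    comps = [c.encode("utf-8") for c in principal.split("/")]
    out = b"\x05\x02"
    for et in enctypes:
        entry = struct.pack(">H", len(comps)) + _pack_counted(realm.encode("utf-8"))
        entry += b"".join(_pack_counted(c) for c in comps)
        entry += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        entry += struct.pack(">HH", et, len(key)) + key
        entry += struct.pack(">I", kvno)  # 32-bit kvno
        out += struct.pack(">i", len(entry)) + entry
    return out


def enctype_report(data: bytes) -> Dict[str, List[str]]:
    """Map each principal to the sorted enctype names of its keys."""
    report: Dict[str, set] = {}
    for principal, _kvno, et in parse_keytab(data):
        report.setdefault(principal, set()).add(ENCTYPE_NAMES.get(et, "enctype-%d" % et))
    return {p: sorted(names) for p, names in report.items()}


def has_enctype(data: bytes, enctype: int) -> bool:
    return any(et == enctype for _p, _k, et in parse_keytab(data))


if __name__ == "__main__":
    sample = build_keytab("HTTP/app.example.test", "EXAMPLE.TEST", 3, [17, 23])
    print(enctype_report(sample), "aes256 present:", has_enctype(sample, 18))
```

Run against a real file, `parse_keytab(open(path, "rb").read())` gives the same listing that `klist -ket` prints, in a form a script can assert on: for Eldo's case the check is that the application's keytab lacks enctype 18 while the realm keeps it.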
Re: [Freeipa-users] 4.0.0 password migration trouble
> I will work with the DS team to backport the switch option to Fedora 20 389-ds-base and to release FreeIPA 4.0.1 with the appropriate patch to fix this problem ASAP, ideally this week.

Thanks much, Martin!
[Freeipa-users] Correct syntax for round-robin DNS srv records
Hi All,

I had some off-list exchanges with Petr Spacek on this but am still trying to work out the correct syntax. I have 2 hosts:

- foo1.example.com
- foo2.example.com

and would like to create a round-robin DNS SRV record for both called foo.example.com.

I already have DNS entries for both hosts in IPA:

    # ipa dnsrecord-show example.com foo1
      Record name: foo1
      A record: 10.0.0.1

    # ipa dnsrecord-show example.com foo2
      Record name: foo2
      A record: 10.0.0.2

I'd like to get the correct syntax for adding the SRV record for foo. My understanding is that it should be something like this:

    # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1.example.com"
      Record name: _foo.tcp
      SRV record: 0 50 53 foo1.example.com

    # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo2.example.com"
      Record name: _foo.tcp
      SRV record: 0 50 53 foo2.example.com

which seemed to be added OK, but on second glance I think not:

    # host -t srv _foo.tcp.example.com
    _foo.tcp..example.com has SRV record 0 50 53 foo1.example.com.example.com.
    _foo.tcp..example.com has SRV record 0 50 53 foo2.example.com.example.com.

In looking over the description of RFC 2782
http://en.wikipedia.org/wiki/SRV_record
it appears the IPA syntax is a little different, and the documentation is scarce, so admittedly I'm taking a swag at this ;-)

I can do this fine without SRV but don't have enough familiarity with DNS SRV here. Can anyone help clarify what I'm missing? I'd like to have equal weighting and priority for both hosts - I'm assuming the port (53) is correct for DNS here as well.

Thank you very much,
-m

--
Red Hat Reference Architectures
Follow Us: https://twitter.com/RedHatRefArch
Plus Us: https://plus.google.com/u/0/b/114152126783830728030/
Like Us: https://www.facebook.com/rhrefarch
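Two RFC 2782 conventions are visible in the output above: the owner name is `_service._proto.name`, and a target written without a trailing dot is relative to the zone, which is how `foo1.example.com` comes back as `foo1.example.com.example.com.` (the port field, for its part, is the port of the advertised service, not of the DNS server). The following is an added example, not code from the thread or from FreeIPA: it checks an owner/target pair against those conventions and then orders a record set the way an RFC 2782 client does (ascending priority, weighted random choice within a priority, zero-weight records first). The records are constructed to mirror the foo1/foo2 setup in the post, and a seeded RNG keeps the ordering reproducible.

```python
"""Added example (not from the thread or FreeIPA): RFC 2782 SRV name checks
and client-side record ordering. RECORDS below is constructed data."""
import random
import re
from typing import List, NamedTuple


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# _service._proto.name, with proto tcp or udp, per RFC 2782.
OWNER_RE = re.compile(r"^_[A-Za-z0-9-]+\._(tcp|udp)\.[A-Za-z0-9.-]+$")


def check_srv(owner: str, target: str, zone: str) -> List[str]:
    """Return a list of problems; an empty list means the pair is RFC 2782 shaped."""
    problems = []
    if not OWNER_RE.match(owner):
        problems.append("owner %r is not of the form _service._proto.name" % owner)
    if not target.endswith("."):
        # A relative target gets the zone origin appended by the server, which
        # is exactly how foo1.example.com becomes foo1.example.com.example.com.
        problems.append("target %r is relative; it would resolve to %s.%s."
                        % (target, target, zone))
    return problems


def rfc2782_order(records: List[SRV], rng: random.Random) -> List[SRV]:
    """Order records by the RFC 2782 client selection algorithm."""
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # weight-0 records go first
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)  # 0..total inclusive, as the RFC describes
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def ordered_targets(records: List[SRV], seed: int) -> List[str]:
    """Targets in the order a client seeded with `seed` would try them."""
    return [r.target for r in rfc2782_order(records, random.Random(seed))]


# Constructed records: equal priority and weight, port 53 as in the post,
# targets written as absolute names.
RECORDS = [SRV(0, 50, 53, "foo1.example.com."), SRV(0, 50, 53, "foo2.example.com.")]

if __name__ == "__main__":
    print(check_srv("_foo.tcp.example.com", "foo1.example.com", "example.com"))
    print(check_srv("_foo._tcp.example.com", "foo1.example.com.", "example.com"))
    for seed in range(3):
        print(seed, ordered_targets(RECORDS, seed))
```

With equal priority and weight, as the post asks for, each seed yields one of the two orderings with equal probability, which is the round-robin behaviour wanted; a record with a lower priority number would always be tried first regardless of weight.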