Re: [Freeipa-users] Sudo command not working
Hello!

Should I reboot the machine after changing the sudo.conf file?

On 08/12/2015 09:26 PM, Jakub Hrozek wrote:
> On Wed, Aug 12, 2015 at 07:44:15PM +0700, Dewangga Bachrul Alam wrote:
> > Hello!
> >
> > On 08/12/2015 07:36 PM, Jakub Hrozek wrote:
> > > On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
> > > > Hello!
> > > >
> > > > I'm having a problem with the sudo command: the sudo command was successfully initiated, but the user is still asked for a password. For example:
> > > >
> > > > ipa-client $ sudo -l
> > > > Matching Defaults entries for subhan on this host:
> > > >     requiretty, !visiblepw, always_set_home, env_reset, env_keep=COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS,
> > > >     env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE,
> > > >     env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES,
> > > >     env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE,
> > > >     env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY,
> > > >     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> > > >
> > > > User subhan may run the following commands on this host:
> > > >     (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
> > > >
> > > > ipa-server $ ipa user-show subhan
> > > >   User login: subhan
> > > >   First name: [REMOVED]
> > > >   Last name: [REMOVED]
> > > >   Home directory: /home/subhan
> > > >   Login shell: /bin/bash
> > > >   Email address: [REMOVED]
> > > >   UID: 64207
> > > >   GID: 64207
> > > >   Job Title: Developer
> > > >   Account disabled: False
> > > >   Password: False
> > > >   Member of groups: g_gmt_developer, developer
> > > >   Member of Sudo rule: gmt_developer
> > > >   Member of HBAC rule: gmt_webserver
> > > >   Kerberos keys available: False
> > > >   SSH public key fingerprint: [REMOVED]
> > > >
> > > > ipa-server $ ipa sudocmd-find
> > > > ---
> > > > 2 Sudo Commands matched
> > > > ---
> > > >   Sudo Command: /bin/tail
> > > >   Sudo Command Groups: reading-files
> > > >
> > > >   Sudo Command: /usr/bin/tail
> > > >   Sudo Command Groups: reading-files
> > > >
> > > > ipa-server $ ipa sudorule-show gmt_developer
> > > >   Rule name: gmt_developer
> > > >   Enabled: TRUE
> > > >   Users: subhan
> > > >   User Groups: g_gmt_developer
> > > >   Host Groups: gmt_webserver
> > > >   Sudo Allow Command Groups: reading-files
> > > >   RunAs Users: subhan
> > > >   Sudo Option: !authenticate
> > > >
> > > > ipa-client $ sudo tail -f /var/log/nginx/access.log
> > > > [sudo] password for subhan:
> > > >
> > > > ipa-client $ sudo tail /var/log/nginx/access.log
> > > > [sudo] password for subhan:
> > > >
> > > > There's no information from sssd_sudo.log about this issue.
> > >
> > > In general sssd acts as a cache of the sudo rules, the decision to auth or not is done by sudo. So on the sssd side you can make sure the sudo option value was fetched, but you'll probably get more useful debugging from sudo itself.
> >
> > Here is the sudo message from /var/log/secure:
> >
> > Aug 12 19:41:05 rosaliaindah su: pam_unix(su-l:session): session opened for user subhan by dewangga(uid=0)
> > Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
> > Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not identify password for [subhan]
> > Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication failure; logname=dewangga uid=64207 euid=0 tty=/dev/pts/0 ruser=subhan rhost= user=subhan
> > Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: 7 (Authentication failure)
> > Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ; TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f /var/log/nginx/error.log
> >
> > The sudo option (!authenticate) should be working, because I can invoke the `sudo -l` command without a password. So I think sssd is not the problem. CMIIW. :)
>
> Look into man sudo.conf, depending on your sudo version the options to enable debugging for sudo differ.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Hi Matt

- CentOS: Did you copy ipasam.so and change your smb.conf accordingly? sambaSamAccount is not needed anymore that way.
- Default IPA way: won't work if your Windows is not part of a domain controller. DOMAIN\username may work for some users using Windows 7 - not 8 nor 10 (it did for me but I was the only one at the office... quite useless)

This config may work on your CentOS (for the ipasam way):

workgroup = TEST
realm = TEST.NET
kerberos method = dedicated keytab
dedicated keytab file = FILE:/./samba.keytab
create krb5 conf = no
security = user
encrypt passwords = true
passdb backend = ipasam:ldaps://youripa.test.net
ldapsam:trusted = yes
ldapsuffix = test.net
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts

--
Youenn Piolet
piole...@gmail.com

2015-08-12 22:15 GMT+02:00 Matt . yamakasi@gmail.com:
> Hi,
>
> OK, the default IPA way actually works great when testing it as described here:
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> On the samba server I can auth and see the share I want to connect to.
>
> The issue is, on Windows I cannot auth, even when I use DOMAIN\username as the username.
>
> So, the IPA way should work. Any comments here?
>
> Cheers,
>
> Matt
>
> 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
> > Hi guys,
> >
> > I'm testing this out and I think I almost have this set up on a CentOS samba server.
> >
> > I'm using the ipa-adtrust way of Youenn, but it seems we still need to add (objectclass=sambaSamAccount)?
> >
> > Info is welcome! I will report back when I have it working.
> >
> > Thanks!
> >
> > Matt
> >
> > 2015-08-10 11:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
> > > The next route I will try is the one Youenn took, using ipa-adtrust
> > >
> > > From: Matt . yamakasi@gmail.com
> > > To: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com freeipa-users@redhat.com
> > > Date: 10.08.2015 10:03
> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > >
> > > > Hi Chris,
> > > >
> > > > Okay, this is good to hear. But don't we want an IPA managed scheme?
> > > >
> > > > When I did an ipa-adtrust-install --add-sids it also wanted a locally installed Samba and I wonder why.
> > > >
> > > > Good that we make some progress on making it all clear.
> > > >
> > > > Cheers,
> > > >
> > > > Matt
> > > >
> > > > 2015-08-10 6:12 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
> > > > > ldapsam + the samba extensions, pretty much as described in the Techslaves article. Once I have a draft for the wiki page, I will mail you.
> > > > >
> > > > > From: Matt . yamakasi@gmail.com
> > > > > To: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com freeipa-users@redhat.com
> > > > > Date: 09.08.2015 21:17
> > > > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Yes, I know about anything, but which way did you use now?
> > > > > >
> > > > > > 2015-08-09 20:56 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
> > > > > > > Hi Matt
> > > > > > >
> > > > > > > I am on OEL 7.1, so anything that works on that should be good for RHEL and CentOS 7.x
> > > > > > >
> > > > > > > I intend to add a how-to to the FreeIPA Wiki over the next few days. As we have suggested earlier, we will likely end up with several, one for each of the possible integration paths.
> > > > > > >
> > > > > > > Chris
> > > > > > >
> > > > > > > From: Matt . yamakasi@gmail.com
> > > > > > > To: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com freeipa-users@redhat.com
> > > > > > > Date: 09.08.2015 16:45
> > > > > > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > > > > > >
> > > > > > > > Hi Chris,
> > > > > > > >
> > > > > > > > This sounds great! What are you using now, both CentOS? So Samba and FreeIPA?
> > > > > > > >
> > > > > > > > Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple howtos?
> > > > > > > >
> > > > > > > > At least we are going somewhere!
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > Matt
> > > > > > > >
> > > > > > > > 2015-08-09 14:54 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
> > > > > > > > > Hi Matt
> > > > > > > > >
> > > > > > > > > My test integration of FreeIPA 4.x and Samba 4.x with the good old Samba Schema extensions is up and working, almost flawlessly.
> > > > > > > > >
> > > > > > > > > I can add users and groups via the FreeIPA CLI, and they get the correct ObjectClasses / attributes required for Samba.
> > > > > > > > >
> > > > > > > > > So far I have not yet bothered to try the extensions to the WebUI, because it is currently giving me the classic "Your session has expired. Please re-login." error which renders the WebUI useless.
> > > > > > > > >
> > > > > > > > > The only problem I have so far encountered managing Samba / FreeIPA users via FreeIPA CLI commands is with the handling of the attribute sambaPwdLastSet. This is the subject of an existing thread, also updated today.
> > > > > > > > >
> > > > > > > > > There is also an existing alternative to hacking group.py, using Class of Service (CoS), documented in this thread from February 2015: https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html . I have not yet tried it, but it sounds reasonable.
> > > > > > > > >
> > > > > > > > > Chris
> > > > > > > > >
> > > > > > > > > From: Matt . yamakasi@gmail.com
> > > > > > > > > To: Christopher
Re: [Freeipa-users] Sudo command not working
Hello!

On 08/13/2015 03:09 PM, Jakub Hrozek wrote:
> On Thu, Aug 13, 2015 at 03:01:40PM +0700, Dewangga Bachrul Alam wrote:
> > Hello!
> >
> > Should I reboot the machine after changing the sudo.conf file?
>
> No, it's read by sudo on every invocation. There is no sudo daemon or such.

Yes, I found the problem :)

Misconfig in the `As Whom` category; the current user should not be inserted there :D

Got the clue from sudo debug.

... snip ...
Aug 13 15:48:06 sudo[26020] searching SSSD/LDAP for sudoers entries
Aug 13 15:48:06 sudo[26020] sssd/ldap sudoRunAsUser 'subhan' ... not
... snip ...

Thanks Jakub.
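To make the root cause of this thread concrete, here is an added Python model (not code from the thread, from FreeIPA or from sudo) of the checks sudo applies to an IPA-served rule: user or user group, host group, command, and the RunAs user. The command-group membership, the group lists and the request contexts are constructed from the `ipa sudocmd-find`, `ipa user-show` and `ipa sudorule-show` output quoted above; the matching logic is a deliberate simplification that ignores negation, host names, RunAs groups and Defaults, and the "fixed" rule assumes the fix was to remove the RunAs entry, as the poster reports.

```python
# Added example: simplified model of sudo's rule matching for a FreeIPA sudo rule.
from dataclasses import dataclass, field

# Constructed from the `ipa sudocmd-find` output quoted in the thread:
# command group -> member commands.
COMMAND_GROUPS = {"reading-files": {"/bin/tail", "/usr/bin/tail"}}


@dataclass
class SudoRule:
    name: str
    users: set
    user_groups: set
    host_groups: set
    commands: set                 # command paths after resolving command groups
    runas_users: set              # empty = unrestricted (sudo's default target is root)
    options: set = field(default_factory=set)
    enabled: bool = True


def parse_sudorule_show(text, command_groups=COMMAND_GROUPS):
    """Parse `ipa sudorule-show` style 'Key: a, b' lines into a SudoRule."""
    kv = {}
    for line in text.strip().splitlines():
        key, _, val = line.partition(":")
        kv[key.strip()] = {v.strip() for v in val.split(",") if v.strip()}
    commands = set(kv.get("Sudo Allow Commands", set()))
    for group in kv.get("Sudo Allow Command Groups", set()):
        commands |= command_groups.get(group, set())
    return SudoRule(
        name=next(iter(kv["Rule name"])),
        users=kv.get("Users", set()),
        user_groups=kv.get("User Groups", set()),
        host_groups=kv.get("Host Groups", set()),
        commands=commands,
        runas_users=kv.get("RunAs Users", set()),
        options=kv.get("Sudo Option", set()),
        enabled="TRUE" in kv.get("Enabled", {"TRUE"}),
    )


def rule_matches(rule, user, groups, host_groups, command, runas):
    """Apply the user/host/command/runas checks (simplified: no negation,
    no host names, no RunAs groups)."""
    if not rule.enabled:
        return False
    if user not in rule.users and not (set(groups) & rule.user_groups):
        return False
    if not (set(host_groups) & rule.host_groups):
        return False
    if command not in rule.commands:
        return False
    if rule.runas_users and runas not in rule.runas_users:
        return False
    return True


def decide(rules, user, groups, host_groups, command, runas="root"):
    """Return ("allow", needs_password) or ("deny", None).
    `!authenticate` is the sudo option that switches off the password prompt."""
    for rule in rules:
        if rule_matches(rule, user, groups, host_groups, command, runas):
            return "allow", "!authenticate" not in rule.options
    return "deny", None


# The rule exactly as quoted in the thread (RunAs Users still set).
RULE_AS_POSTED = parse_sudorule_show("""
Rule name: gmt_developer
Enabled: TRUE
Users: subhan
User Groups: g_gmt_developer
Host Groups: gmt_webserver
Sudo Allow Command Groups: reading-files
RunAs Users: subhan
Sudo Option: !authenticate
""")

# The same rule after the fix the poster describes: RunAs Users removed (assumption).
RULE_FIXED = parse_sudorule_show("""
Rule name: gmt_developer
Enabled: TRUE
Users: subhan
User Groups: g_gmt_developer
Host Groups: gmt_webserver
Sudo Allow Command Groups: reading-files
Sudo Option: !authenticate
""")

# Request context as seen on the client: subhan on a host in gmt_webserver.
SUBHAN = dict(user="subhan", groups={"g_gmt_developer", "developer"},
              host_groups={"gmt_webserver"})


def demo():
    """Outcomes for the invocations discussed in the thread."""
    return {
        "posted rule, sudo tail (target root)":  decide([RULE_AS_POSTED], command="/bin/tail", runas="root", **SUBHAN),
        "posted rule, sudo -u subhan tail":      decide([RULE_AS_POSTED], command="/bin/tail", runas="subhan", **SUBHAN),
        "fixed rule, sudo tail (target root)":   decide([RULE_FIXED], command="/bin/tail", runas="root", **SUBHAN),
        "fixed rule, sudo cat (not allowed)":    decide([RULE_FIXED], command="/bin/cat", runas="root", **SUBHAN),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:42s} -> {outcome}")
```

With `RunAs Users: subhan` the rule only authorises running tail *as subhan*, which is what the `(subhan) NOPASSWD:` prefix in the `sudo -l` listing above means; a plain `sudo tail` targets root, so no rule matches, and sudo logs `command not allowed` after the authentication attempt, exactly as the /var/log/secure lines show. Once the RunAs entry is gone the rule matches the root target and `!authenticate` suppresses the prompt.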
Re: [Freeipa-users] IDM/ipa slow login
In the logs, there are lots of warnings concerning the pki tomcat server:

Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting system-pki\x2dtomcatd.slice.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice system-pki\x2dtomcatd.slice.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server pki-tomcat.
Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine used: /usr/bin/java
Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used: org.apache.catalina.startup.Bootstrap
Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base
Aug 13 09:51:57 lead.bioinf.local server[5213]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djav
Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
Re: [Freeipa-users] IDM/ipa slow login
On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote:
> In the logs, there are lots of warnings concerning the pki tomcat server:
> [...]
Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Hi Youenn,

OK thanks! This takes me a little bit further now and I see some good stuff in my logging.

I'm testing on a Windows 10 machine which is not a member of an AD or so, so that might be my issue for now?

When testing on the samba box itself as my user I get:

[myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares
...
Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
...
SPNEGO login failed: NT_STATUS_WRONG_PASSWORD

Maybe I have an issue with encrypted passwords?

When we have this all working, I think we have a howto :D

Thanks!

Matt

2015-08-13 10:53 GMT+02:00 Youenn PIOLET piole...@gmail.com:
> Hi Matt
> [...]
Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Hi,

I might have found something which I had already seen in the logs.

I did a smbpasswd for my username on the samba server; it connects to ldap very well. I give my new password and get the following:

smbldap_search_ext: base = [dc=my,dc=domain], filter = [((objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1my--sid---)))], scope = [2]
Attribute [displayName] not found.
Could not retrieve 'displayName' attribute from cn=Default SMB Group,cn=groups,cn=accounts,dc=my,dc=domain
Sid S-1my--sid--- - MYDOMAIN\Default SMB Group(2)

So something is missing!

Thanks so far guys!

Cheers,

Matt

2015-08-13 12:02 GMT+02:00 Matt . yamakasi@gmail.com:
> Hi Youenn,
> [...]
Re: [Freeipa-users] IDM/ipa slow login
Here's the sssd_domain log part during an ssh:

(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Save user
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Processing user test
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [test].
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of [test].
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object bioinfo
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=bioinf,dc=local]
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)((gidNumber=*)(!(gidNumber=0][cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Processing group test
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
(Thu Aug 13 15:22:32 2015)
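A log like the one above is the raw material for a slow-login diagnosis, so here is an added Python helper (not code from the thread or from SSSD) that parses sssd_<domain>.log lines in this format, reports where wall-clock time goes between consecutive entries and counts repeated warnings. The sample lines are constructed in the thread's format with a three-second LDAP search inserted on purpose; they are not the poster's log, and nothing here claims what is slow on the poster's server.

```python
# Added example: timing and warning summary for sssd back-end log lines.
import re
from collections import Counter
from datetime import datetime

# Matches the "(timestamp) [sssd[be[domain]]] [function] (0xlevel): message" format.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # "Thu Aug 13 15:22:31 2015"
WARNING_LEVEL = 0x0080               # the level of the "Could not parse domain SID" lines


def parse_line(line):
    """Return a dict for one sssd log line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FORMAT)
    entry["level"] = int(entry["level"], 16)
    return entry


def find_gaps(lines, threshold_s=1.0):
    """List (seconds, function before the gap, function after it) for every
    pair of consecutive entries at least threshold_s apart, largest first."""
    entries = [e for e in map(parse_line, lines) if e]
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        dt = (cur["ts"] - prev["ts"]).total_seconds()
        if dt >= threshold_s:
            gaps.append((dt, prev["func"], cur["func"]))
    return sorted(gaps, reverse=True)


def summarize(text):
    """Entry count, total elapsed time, slowest step and warning tally."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    warnings = Counter(e["msg"] for e in entries if e["level"] == WARNING_LEVEL)
    gaps = find_gaps(text.splitlines())
    total = (entries[-1]["ts"] - entries[0]["ts"]).total_seconds() if entries else 0.0
    return {
        "entries": len(entries),
        "total_seconds": total,
        "slowest_step": gaps[0] if gaps else None,
        "warnings": dict(warnings),
    }


# Constructed sample in the thread's format (not the poster's log): the LDAP
# search is made to take three seconds so the helper has something to find.
SAMPLE_LOG = """\
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(uid=test)][cn=accounts,dc=bioinf,dc=local].
this line is not an sssd entry and is skipped
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Default sssd timestamps have one-second resolution, which is too coarse for most login-latency work; `debug_microseconds = True` in sssd.conf adds microseconds, after which `TS_FORMAT` needs a `:%f` suffix on the seconds field. The warning tally is there because a message repeated on every request, like the SID one above, is cheap to count and easy to rule in or out.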
Re: [Freeipa-users] Kerberized NFS with Synology NAS
After some more investigation, I feel the problem I described can be considered off topic, sorry about that. Initially I had the impression it could have been more freeIPA-related. It is sometimes difficult to tell whether the issue would show up regardless of using freeIPA or not.

Should anyone be curious, these are my findings about using a Synology disk station for NFSv4+krb5 exports in my freeIPA domain:

- Still no idea why I see all those "Unspecified GSS failure" from gssproxy on the client side. Google tells me that many before me have wondered about it. Has anyone a clue?
- The NFS4+krb5 mounting works, but what I ran into is the nobody issue. NFSv4 relies on idmapd to map users correctly, but this goes wrong, hence the nobody issue.
- One first problem is that I had not set the domain. My bad. Fixed and got one step further. In idmapd.conf:
      Domain = hq.spinque.com
- The second problem is that idmapd.conf in my Synology says:
      Method=nsswitch
      GSS-Methods=static,synomap
  No idea what synomap would be, but I guess GSS-Methods should be more like static,nsswitch,synomap. Indeed, everything works fine if I make static mappings for each LDAP user to a local user in Synology. But that's not how I want it.
- Problem with all this is: no matter how I change these files, the next time I would save something from the Synology UI, these files would be overwritten. Frustrating :(

On 12 August 2015 at 13:33, Roberto Cornacchia roberto.cornacc...@gmail.com wrote:
> Enabled verbose output for rpc.idmapd as well, and now I see:
>
> nfsidmap[5034]: nss_getpwnam: name 'test1_l@localdomain' does not map into domain 'hq.spinque.com'
>
> On 12 August 2015 at 12:28, Roberto Cornacchia roberto.cornacc...@gmail.com wrote:
>> I have used
>>     RPCGSSDARGS=-vvv
>>     RPCSVCGSSDARGS=-vvv
>> in /etc/sysconfig/nfs, as suggested in http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>>
>> In the excerpt below, taken during the mount, meson is the client, spinque03 is the nfs server (synology). It still doesn't tell me much, perhaps I'm missing something?
>>
>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
>> rpc.gssd[3328]: handling krb5 upcall (nfs/clnt19)
>> rpc.gssd[3328]: process_krb5_upcall: service is 'null'
>> rpc.gssd[3328]: Full hostname for 'spinque03.hq.spinque.com' is 'spinque03.hq.spinque.com'
>> rpc.gssd[3328]: Full hostname for 'meson.hq.spinque.com' is 'meson.hq.spinque.com'
>> rpc.gssd[3328]: No key table entry found for MESON$@HQ.SPINQUE.COM while getting keytab entry for 'MESON$@HQ.SPINQUE.COM'
>> rpc.gssd[3328]: No key table entry found for root/meson.hq.spinque@hq.spinque.com while getting keytab entry for 'root/meson.hq.spinque@hq.spinque.com'
>> rpc.gssd[3328]: No key table entry found for nfs/meson.hq.spinque@hq.spinque.com while getting keytab entry for 'nfs/meson.hq.spinque@hq.spinque.com'
>> rpc.gssd[3328]: Success getting keytab entry for 'host/meson.hq.spinque@hq.spinque.com'
>> rpc.gssd[3328]: Successfully obtained machine credentials for principal 'host/meson.hq.spinque@hq.spinque.com' stored in ccache 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM'
>> rpc.gssd[3328]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM' are good until 1439461246
>> rpc.gssd[3328]: using FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM as credentials cache for machine creds
>> rpc.gssd[3328]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM
>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>> rpc.gssd[3328]: creating tcp client for server spinque03.hq.spinque.com
>> rpc.gssd[3328]: DEBUG: port already set to 2049
>> rpc.gssd[3328]: creating context with server n...@spinque03.hq.spinque.com
>> rpc.gssd[3328]: DEBUG: serialize_krb5_ctx: lucid version!
>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: protocol 1
>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
>> rpc.gssd[3328]: doing downcall: lifetime_rec=86399 acceptor=n...@spinque03.hq.spinque.com
>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=1005 enctypes=18,17,16,23,3,1,2 '
>> rpc.gssd[3337]: handling krb5 upcall (nfs/clnt19)
>> rpc.gssd[3337]: process_krb5_upcall: service is 'null'
>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>> rpc.gssd[3337]: creating tcp client for server
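Added example, not code from the thread or from nfs-utils: a small Python model of the owner-name mapping that nfsidmap's nsswitch method performs, reproducing the "does not map into domain" failure from the quoted log (server-side Domain unset, so the owner arrives as test1_l@localdomain) next to the case where both sides agree on the Domain. The passwd table, the uid 1005 for test1_l, the nobody uid and the "localdomain" fallback are constructed or assumed.

```python
"""Model of the NFSv4 owner-name mapping done by rpc.idmapd/nfsidmap
(nsswitch method) and why a Domain mismatch ends up as "nobody".

Added example, not code from the thread or from nfs-utils.  The passwd
table is constructed; nobody's uid and the "localdomain" fallback are
the conventional defaults and are assumed here.
"""
from dataclasses import dataclass
from typing import Optional

NOBODY_UID = 65534          # assumed: conventional "nobody" uid on the client

# Constructed stand-in for what getpwnam() returns on the client
# (via nsswitch, i.e. SSSD for the IPA users).
PASSWD = {"test1_l": 1005, "roberto": 1001}


@dataclass
class MapResult:
    uid: int
    reason: str


def server_owner_string(name: str, server_domain: Optional[str]) -> str:
    """Owner attribute an NFSv4 server puts on the wire for files of `name`.

    The server appends its own idmapd Domain.  When no Domain is set and
    none can be derived from the hostname, libnfsidmap falls back to
    "localdomain", which is the suffix seen in the log line above.
    """
    return f"{name}@{server_domain or 'localdomain'}"


def strip_domain(owner: str, local_domain: str) -> Optional[str]:
    """Return the bare user name if `owner` ends in "@<local_domain>"
    (compared case-insensitively, as libnfsidmap does), else None."""
    name, sep, domain = owner.rpartition("@")
    if not sep or domain.lower() != local_domain.lower():
        return None
    return name


def nss_map_owner(owner: str, local_domain: str, passwd=PASSWD) -> MapResult:
    """Emulate nfsidmap's nss_getpwnam(): owner string -> uid, nobody on failure."""
    name = strip_domain(owner, local_domain)
    if name is None:
        # The condition behind the logged line
        #   nss_getpwnam: name 'test1_l@localdomain' does not map into domain 'hq.spinque.com'
        return MapResult(NOBODY_UID,
                         f"name {owner!r} does not map into domain {local_domain!r}")
    uid = passwd.get(name)
    if uid is None:
        return MapResult(NOBODY_UID, f"no passwd entry for {name!r}")
    return MapResult(uid, "mapped")


def simulate_mount(name: str, server_domain: Optional[str], client_domain: str) -> MapResult:
    """Round trip: the server encodes the owner, the client decodes it."""
    return nss_map_owner(server_owner_string(name, server_domain), client_domain)


if __name__ == "__main__":
    # NAS with Domain unset vs. a client configured for hq.spinque.com -> nobody
    print(simulate_mount("test1_l", None, "hq.spinque.com"))
    # Both sides configured with the same Domain -> uid 1005
    print(simulate_mount("test1_l", "hq.spinque.com", "hq.spinque.com"))
    # Domain matches, but the user is unknown to the client's nsswitch -> nobody
    print(simulate_mount("ghost", "hq.spinque.com", "hq.spinque.com"))
```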
Re: [Freeipa-users] Kerberized NFS with Synology NAS
On Thu, 13 Aug 2015, Roberto Cornacchia wrote:
> [...]

I would only suggest you raise the problem with Synology support and convince them to add an SSSD build and use it. SSSD has an nfsidmap module 'sss' that does the right job of mapping based on what SSSD knows about Kerberos principals and user mapping for the domain.
[Freeipa-users] time restricted access
Hello,

I've installed freeIPA 4.1.0 under CentOS 7 and I need to restrict authentication to one or more time ranges but I failed to find such a configuration...

TIA

-- 
Marcelo

Could it be that this modern life is turning out to have more of the modern than of life? (Mafalda)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] time restricted access
On 13/08/15 17:01, Marcelo Roccasalva wrote:
> Hello,
>
> I've installed freeIPA 4.1.0 under CentOS 7 and I need to restrict authentication to one or more time ranges but I failed to find such a configuration...
>
> TIA

Hello,
you're probably looking for Time-Based Account Policies. This is currently WIP; you can find more on the freeipa-devel list.

-- 
David Kupka
[Freeipa-users] users- ssh keys self service
Hi,

So I still have been unable to find the problem with blank screens for users when they log in to the GUI and can not manage anything other than OTP. Out of the box, vanilla install of FreeOTP on RHEL 7.x and using IPA 4.1.4, a user logs in, you see ALL the fields for a split second, before they go blank and there is no way to bring them back. This is of course frustrating since users can not add their SSH keys. They can change their PW, since that is on the ACTION button, which remains visible.

Are there any troubleshooting suggestions for this? I have not customized anything.

Thank you
~J
Re: [Freeipa-users] users- ssh keys self service
AHA!!! The problem is found, but the solution eludes me.

Any user migrated in compat mode has the problem. NEW users do not.

Thoughts? Ideas? Troubleshooting? What do I need to make visible for users to edit their settings?

~J

On 8/13/15 9:58 AM, Janelle wrote:
> [...]
Re: [Freeipa-users] IDM/ipa slow login
Hi Seli,

In /etc/sssd/sssd.conf add the line below to the domain section:

    selinux_provider=none

Then restart sssd.

-- 
john

2015-08-13 16:23 GMT+02:00 seli irithyl seli.irit...@gmail.com:
> Here's the sssd_domain log part during an ssh
>
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Save user
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Processing user test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [test].
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of [test].
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object bioinfo
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=bioinf,dc=local]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)((gidNumber=*)(!(gidNumber=0][cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Processing group test
> (Thu Aug 13 15:22:32
[Freeipa-users] reverse DNS lookup does not work
reverse DNS lookup stopped working after I broke some replication agreements (perhaps unrelated, but worth mentioning). Regular A records resolve fine.

The records can be seen in LDAP (using ldapsearch with GSSAPI after kinit -t /etc/named.keytab):

the zone:

# 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
idnsUpdatePolicy: grant IPA.example.NET krb5-self * PTR; grant IPA.example.NET krb5-self * SSHFP;
idnsAllowDynUpdate: TRUE
idnsForwarders: 172.23.1.5
idnsAllowSyncPTR: TRUE
idnsSOAserial: 1439302482
idnsSOArName: hostmaster.ipa.example.net.
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: ldap1.example.lan.
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: 0.63.10.in-addr.arpa.
idnsSOAmName: ldap1.example.lan.

the entry:

# 68, 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=68,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
objectClass: top
objectClass: idnsrecord
cNAMERecord: ds02.example.lan.
idnsName: 68

but the reverse dns lookup fails anyway:

[root@ldap1 ~]# dig -x 10.63.0.68

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> -x 10.63.0.68
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;68.0.63.10.in-addr.arpa.       IN      PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.        86400   IN      SOA     10.in-addr.arpa. . 0 28800 7200 604800 86400

;; Query time: 4 msec
;; SERVER: 172.23.1.5#53(172.23.1.5)
;; WHEN: Tue Aug 11 14:40:08 UTC 2015
;; MSG SIZE  rcvd: 87

[root@ldap1 ~]#

Any thoughts?

-- 
S poštovanjem / Regards,
Nikola Kržalić.
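Added example, not from the thread: a Python check that derives the in-addr.arpa owner name for an address and looks it up in an LDIF export of the reverse zone, reporting which record attributes the matching entry holds (for 10.63.0.68 the entry quoted above carries a cNAMERecord and no pTRRecord). The LDIF is constructed after that ldapsearch output; the idnsname=70 entry with a pTRRecord is invented for contrast.

```python
"""Find the reverse-zone entry that should answer a PTR query.
Added example, not code from the thread.  SAMPLE_LDIF is constructed
after the ldapsearch output in the message; the idnsname=70 entry is
invented for contrast.  Base64 ('::') LDIF values are not handled."""
import ipaddress
from typing import Dict, List, Optional

SAMPLE_LDIF = """\
dn: idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsName: 0.63.10.in-addr.arpa.
idnsZoneActive: TRUE
idnsForwarders: 172.23.1.5

dn: idnsname=68,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
objectClass: top
objectClass: idnsrecord
cNAMERecord: ds02.example.lan.
idnsName: 68

dn: idnsname=70,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
objectClass: top
objectClass: idnsrecord
pTRRecord: ds04.example.lan.
idnsName: 70
"""

# FreeIPA stores each RR type as its own attribute (lower-cased here).
RECORD_ATTRS = ("ptrrecord", "cnamerecord", "arecord", "aaaarecord")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():           # a blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def reverse_name(ip: str) -> str:
    """'10.63.0.68' -> '68.0.63.10.in-addr.arpa.' (absolute, as IPA stores it)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def entry_owner(entry: Dict[str, List[str]]) -> str:
    """Absolute owner name from the DN IPA builds as
    idnsname=<relative>,idnsname=<zone>,cn=dns,...; a single idnsname is the apex."""
    names = [r.split("=", 1)[1] for r in entry["dn"][0].split(",")
             if r.lower().startswith("idnsname=")]
    return names[0].lower() if len(names) == 1 else f"{names[0]}.{names[1]}".lower()


def lookup_reverse(ip: str, ldif_text: str = SAMPLE_LDIF) -> Optional[dict]:
    """Entry owning the PTR name for `ip`, with its RR attributes, or None."""
    target = reverse_name(ip)
    for entry in parse_ldif(ldif_text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "idnszone" in classes or entry_owner(entry) != target:
            continue
        records = {a: v for a, v in entry.items() if a in RECORD_ATTRS}
        return {"owner": target, "dn": entry["dn"][0], "records": records}
    return None


def describe(ip: str, ldif_text: str = SAMPLE_LDIF) -> str:
    """One-line verdict: no entry, PTR present, or an entry lacking a PTR."""
    hit = lookup_reverse(ip, ldif_text)
    if hit is None:
        return f"{reverse_name(ip)}: no entry in LDAP"
    if "ptrrecord" in hit["records"]:
        return f"{hit['owner']}: PTR -> {', '.join(hit['records']['ptrrecord'])}"
    present = ", ".join(hit["records"]) or "no RR attributes"
    return f"{hit['owner']}: entry exists but has no pTRRecord ({present})"


if __name__ == "__main__":
    for addr in ("10.63.0.68", "10.63.0.70", "10.63.0.99"):
        print(describe(addr))
```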
[Freeipa-users] ipa directory inconsistencies
Hi,

I'm having an issue re-adding a client to freeipa (same hostname). When I removed the client from the domain I uninstalled freeipa on the client (using ipa-client-install --uninstall), removed the keytab, and ran ipa host-del FQDN on the freeipa master. Everything has been rebooted.

I cannot re-add the client to the domain (running ipa-client-install) and receive this error:

    Joining realm failed. RPC failed @ server. Hostname already exists.

If I look in the UI I see the hostname under hosts, but it does not show the host as enrolled and throws an error that the host doesn't exist. Running ipa host-find FQDN shows 1 host matched. Running ipa host-show FQDN says the host doesn't exist. If I run ipa del-host FQDN I receive an error that the host was not found. If I run ipa host-add FQDN I receive an error that the host already exists.

Please advise, I'm wondering if there is some record in LDAP that is maybe causing this problem.

Thanks,
Alicia
Re: [Freeipa-users] Kerberized NFS and home automount issues
Where are you trying to create the home directories? Is your NFS server the same as the IPA server?

You can only create home directories on the NFS home server unless the nfs-client sees the export option no_root_squash. That is not recommended though.

On Thu, Aug 13, 2015 at 9:49 AM, Youenn PIOLET piole...@gmail.com wrote:
> Hi,
>
> I'm currently trying to configure automount for home directories with Kerberized NFSv4. I'm struggling with two issues that may or may not be related:
>
> 1) Can't read my home directory. I have to type kinit manually first on each integrated client for this to work. I think it is related to the latest versions of sssd on Centos 7 / Fedora 21 (1.12.2-58), ipa or maybe nss; a 1 or 2 months outdated centos was working first and got broken after an update.
>
> 2) Can't create home directories for new users: Permission denied for oddjob-mkhomedir script. I can also experience this as root: can't mkdir /home/someuser, permission denied (see my mount chain in freeipa below). Related to NFSv4?
>
> Here is my setup and various information:
> - I'm not using selinux
> - Exports: /home.shared *(rw,sec=krb5:krb5i:krb5p)
> - Mount chain: * -fstype=nfs4,sec=krb5i,rw,proto=tcp,port=2049,rsize=8192,wsize=8192 home01.net:/home.shared/
> - Experienced on Centos 7 and Fedora 21
> - FreeIPA server 4.1.4
> - I used ipa-client-automount on clients and server.
> - Same behavior with/without a dedicated service principal on client
> - Some errors in NFS server logs:
>     rpc.gssd - WARNING: can't create tcp rpc_clnt to server ipa-server for user with uid 0: RPC: Remote system error - No route to host
>   -- at different times
>     oddjobd: Error org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not determine security context for '1:###'
>   -- before oddjob-mkhomedir on new user
>
> Have you got the same problems and did you manage to fix them?
>
> Thanks in advance,
>
> -- 
> Youenn Piolet
> piole...@gmail.com
Re: [Freeipa-users] Having problem with pwd_expiration
Dewangga Bachrul Alam wrote:
> I've tried both of them (web UI and CLI), still no luck. Screenshot attached; the password expiration does not follow the global_policy.
>
> I've created another new user; it was the same as with user `subhan`. The password expiration does not follow global_policy.

http://www.freeipa.org/page/New_Passwords_Expired

rob