Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-19 Thread Christopher Lamb
Matt

Once I got Samba and FreeIPA integrated (by the "good old extensions"
path), I always use FreeIPA to administer users. I have never tried the
samba tools like smbpasswd.

I still have a wiki how-to in the works, but I had to focus on some other
issues for a while.

Chris



From:   "Matt ." 
To: Youenn PIOLET 
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
"freeipa-users@redhat.com" 
Date:   20.08.2015 08:12
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Guys,

Anyone still have a working clue/test here?

I didn't get any further, as it seems there needs to be some domain join /
match, following the freeipa devs.

Thanks!

Matt

2015-08-13 13:09 GMT+02:00 Matt . :
> Hi,
>
> I might have found something which I had already seen in the logs.
>
> I ran smbpasswd for my username on the samba server; it connects to ldap
> very well. I give my new password and get the following:
>
> smbldap_search_ext: base => [dc=my,dc=domain], filter =>
> [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1my--sid---)))],
> scope => [2]
> Attribute [displayName] not found.
> Could not retrieve 'displayName' attribute from cn=Default SMB
> Group,cn=groups,cn=accounts,dc=my,dc=domain
> Sid S-1my--sid--- -> MYDOMAIN\Default SMB Group(2)
>
> So something is missing!
>
> Thanks so far guys!
>
> Cheers,
>
> Matt
>
> 2015-08-13 12:02 GMT+02:00 Matt . :
>> Hi Youenn,
>>
>> OK thanks! This takes me a little bit further now and I see some good
>> stuff in my logging.
>>
>> I'm testing on a Windows 10 machine which is not a member of an AD or
>> so, so that might be my issue for now?
>>
>> When testing on the samba box itself as my user I get:
>>
>>
>> [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares
>>
>> ...
>> Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
>> ...
>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>
>>
>> Maybe I have an issue with encrypted passwords?
>>
>>
>> When we have this all working, I think we have a howto :D
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
>>> Hi Matt
>>>
>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
>>> sambaSamAccount is not needed anymore that way.
>>> - Default IPA Way : won't work if your Windows is not part of a domain
>>> controller. DOMAIN\username may work for some users using Windows 7 - not 8
>>> nor 10 (it did for me but I was the only one at the office... quite useless)
>>>
>>> This config may work on your CentOS (for the ipasam way):
>>> workgroup = TEST
>>> realm = TEST.NET
>>> kerberos method = dedicated keytab
>>> dedicated keytab file = FILE:/<.>/samba.keytab
>>> create krb5 conf = no
>>> security = user
>>> encrypt passwords = true
>>> passdb backend = ipasam:ldaps://youripa.test.net
>>> ldapsam:trusted = yes
>>> ldapsuffix = test.net
>>> ldap user suffix = cn=users,cn=accounts
>>> ldap group suffix = cn=groups,cn=accounts
>>>
>>>
>>> --
>>> Youenn Piolet
>>> piole...@gmail.com
>>>
>>>
>>> 2015-08-12 22:15 GMT+02:00 Matt . :

 Hi,

 OK the default IPA way works great actually when testing it as described
 here:


http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to connect
 to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username.

 So, the IPA way should work.

 Any comments here ?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . :
 > Hi Guys,
 >
 > I'm testing this out and I think I almost have this set up, on a CentOS samba
 > server.
 >
 > I'm using the ipa-adtrust way of Youenn but it seems we still need to
 > add (objectclass=sambaSamAccount))?
 >
 > Info is welcome!
 >
 > I will report back when I have it working.
 >
 > Thanks!
 >
 > Matt
 >
 > 2015-08-10 11:16 GMT+02:00 Christopher Lamb
 > :
 >> The next route I will try is the one Youenn took, using ipa-adtrust.
 >>
 >>
 >>
 >> From:   "Matt ." 
 >> To: Christopher Lamb/Switzerland/IBM@IBMCH,
 >> "freeipa-users@redhat.com" 
 >> Date:   10.08.2015 10:03
 >> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 >>
 >>
 >>
 >> Hi Chris,
 >>
 >> Okay this is good to hear.
 >>
 >> But don't we want an IPA managed scheme?
 >>
 >> When I did an "ipa-adtrust-install --add-sids" it also wanted a locally
 >> installed Samba and I wonder why.
 >>
 >> Good that we make some progress on making it all clear.
 >>
 >> Cheers,
 >>
 >> Matt
 >>
 >> 2015-08-10 6:12 GMT+02:00 Christopher Lamb
 >> :
 >>> ldapsam + the samba extensions, pretty much as described in the Techslaves
 >>> article. Once I have a draft for the wiki page, I will mail you.

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-19 Thread Matt .
Hi Guys,

Anyone still have a working clue/test here?

I didn't get any further, as it seems there needs to be some domain join /
match, following the freeipa devs.

Thanks!

Matt

2015-08-13 13:09 GMT+02:00 Matt . :
> Hi,
>
> I might have found something which I had already seen in the logs.
>
> I ran smbpasswd for my username on the samba server; it connects to ldap
> very well. I give my new password and get the following:
>
> smbldap_search_ext: base => [dc=my,dc=domain], filter =>
> [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1my--sid---)))],
> scope => [2]
> Attribute [displayName] not found.
> Could not retrieve 'displayName' attribute from cn=Default SMB
> Group,cn=groups,cn=accounts,dc=my,dc=domain
> Sid S-1my--sid--- -> MYDOMAIN\Default SMB Group(2)
>
> So something is missing!
>
> Thanks so far guys!
>
> Cheers,
>
> Matt
>
> 2015-08-13 12:02 GMT+02:00 Matt . :
>> Hi Youenn,
>>
>> OK thanks! This takes me a little bit further now and I see some good
>> stuff in my logging.
>>
>> I'm testing on a Windows 10 machine which is not a member of an AD or
>> so, so that might be my issue for now?
>>
>> When testing on the samba box itself as my user I get:
>>
>>
>> [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares
>>
>> ...
>> Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
>> ...
>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>
>>
>> Maybe I have an issue with encrypted passwords?
>>
>>
>> When we have this all working, I think we have a howto :D
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
>>> Hi Matt
>>>
>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
>>> sambaSamAccount is not needed anymore that way.
>>> - Default IPA Way : won't work if your Windows is not part of a domain
>>> controller. DOMAIN\username may work for some users using Windows 7 - not 8
>>> nor 10 (it did for me but I was the only one at the office... quite useless)
>>>
>>> This config may work on your CentOS (for the ipasam way):
>>> workgroup = TEST
>>> realm = TEST.NET
>>> kerberos method = dedicated keytab
>>> dedicated keytab file = FILE:/<.>/samba.keytab
>>> create krb5 conf = no
>>> security = user
>>> encrypt passwords = true
>>> passdb backend = ipasam:ldaps://youripa.test.net
>>> ldapsam:trusted = yes
>>> ldapsuffix = test.net
>>> ldap user suffix = cn=users,cn=accounts
>>> ldap group suffix = cn=groups,cn=accounts
>>>
>>>
>>> --
>>> Youenn Piolet
>>> piole...@gmail.com
>>>
>>>
>>> 2015-08-12 22:15 GMT+02:00 Matt . :

 Hi,

 OK the default IPA way works great actually when testing it as described
 here:

 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to connect
 to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username.

 So, the IPA way should work.

 Any comments here ?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . :
 > Hi Guys,
 >
 > I'm testing this out and I think I almost have this set up, on a CentOS samba
 > server.
 >
 > I'm using the ipa-adtrust way of Youenn but it seems we still need to
 > add (objectclass=sambaSamAccount))?
 >
 > Info is welcome!
 >
 > I will report back when I have it working.
 >
 > Thanks!
 >
 > Matt
 >
 > 2015-08-10 11:16 GMT+02:00 Christopher Lamb
 > :
 >> The next route I will try is the one Youenn took, using ipa-adtrust.
 >>
 >>
 >>
 >> From:   "Matt ." 
 >> To: Christopher Lamb/Switzerland/IBM@IBMCH,
 >> "freeipa-users@redhat.com" 
 >> Date:   10.08.2015 10:03
 >> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 >> IPA
 >>
 >>
 >>
 >> Hi Chris,
 >>
 >> Okay this is good to hear.
 >>
 >> But don't we want an IPA managed scheme?
 >>
 >> When I did an "ipa-adtrust-install --add-sids" it also wanted a locally
 >> installed Samba and I wonder why.
 >>
 >> Good that we make some progress on making it all clear.
 >>
 >> Cheers,
 >>
 >> Matt
 >>
 >> 2015-08-10 6:12 GMT+02:00 Christopher Lamb
 >> :
 >>> ldapsam + the samba extensions, pretty much as described in the Techslaves
 >>> article. Once I have a draft for the wiki page, I will mail you.
 >>>
 >>>
 >>>
 >>> From:   "Matt ." 
 >>> To: Christopher Lamb/Switzerland/IBM@IBMCH,
 >>> "freeipa-users@redhat.com" 
 >>> Date:   09.08.2015 21:17
 >>> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 >>> IPA
 >>>
 >>>
 >>>
 >>> Hi,
 >>>
 >>> Yes I know about "anything" but which way did you use now?
 >>>
 >>>
 >>>
 >>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb
 >> :
 

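The ipasam smb.conf settings Youenn lists in the thread are easy to drift away from. As an added example (not code from the thread, Samba or FreeIPA), here is a small Python audit that parses the [global] section of an smb.conf and reports deviations from that setup, including the weaker variant where ldap:// replaces ldaps:// or plain ldapsam is used. The two sample files are constructed; host names and the keytab path are placeholders.

```python
"""Audit an smb.conf [global] section against the ipasam settings from the thread."""
import re
from typing import Dict, List

# Constructed sample modelled on the settings posted in the thread (not a real file).
GOOD_SMB_CONF = """
[global]
    workgroup = TEST
    realm = TEST.NET
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    create krb5 conf = no
    security = user
    encrypt passwords = true
    passdb backend = ipasam:ldaps://youripa.test.net
    ldapsam:trusted = yes
    ldapsuffix = dc=test,dc=net
    ldap user suffix = cn=users,cn=accounts
    ldap group suffix = cn=groups,cn=accounts

[shares]
    path = /srv/shares
"""

# Constructed "drifted" file: plain ldapsam over ldap://, no keytab, encryption off.
WEAK_SMB_CONF = """
[global]
    workgroup = TEST
    realm = TEST.NET
    security = user
    encrypt passwords = no
    passdb backend = ldapsam:ldap://youripa.test.net
    ldap suffix = dc=test,dc=net
"""

TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [sections], 'key = value' lines, '#'/';' comments.
    Samba ignores case and whitespace inside parameter names, so 'ldapsuffix'
    and 'ldap suffix' collapse to the same key here, as they do in smbd."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def audit_ipasam(text: str) -> List[str]:
    """Return one finding per deviation from the ipasam setup in the thread.
    An empty list means the [global] section matches it."""
    g = parse_smb_conf(text).get("global", {})
    findings: List[str] = []

    backend = g.get("passdbbackend", "")
    if not backend.startswith("ipasam:"):
        findings.append(f"passdb backend is '{backend or '<unset>'}', expected ipasam:<uri> "
                        "(plain ldapsam needs sambaSamAccount on every user)")
    elif not backend[len("ipasam:"):].lower().startswith("ldaps://"):
        findings.append("passdb backend does not use ldaps://; LDAP traffic would be unencrypted")

    if g.get("kerberosmethod", "").lower() != "dedicated keytab":
        findings.append("kerberos method should be 'dedicated keytab'")
    if not g.get("dedicatedkeytabfile", "").startswith("FILE:"):
        findings.append("dedicated keytab file is missing or lacks the FILE: prefix")
    if g.get("createkrb5conf", "").lower() not in FALSE_WORDS:
        findings.append("create krb5 conf should be 'no' (the IPA client already manages krb5.conf)")
    if g.get("security", "").lower() != "user":
        findings.append("security should be 'user'")
    # Samba's own default for 'encrypt passwords' is yes, so only an explicit 'no' is flagged.
    if g.get("encryptpasswords", "yes").lower() not in TRUE_WORDS:
        findings.append("encrypt passwords must be 'true'")
    if g.get("ldapsam:trusted", "").lower() not in TRUE_WORDS:
        findings.append("ldapsam:trusted should be 'yes'")
    for name, label in (("ldapsuffix", "ldap suffix"),
                        ("ldapusersuffix", "ldap user suffix"),
                        ("ldapgroupsuffix", "ldap group suffix")):
        if name not in g:
            findings.append(f"{label} is not set")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_SMB_CONF), ("weak", WEAK_SMB_CONF)):
        print(f"{label}: {audit_ipasam(conf) or ['OK']}")
```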
Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread sipazzo
Thanks Bob, I have tried to implement this and cannot seem to get it to work 
for me even though it seems straightforward. I tried both with using a 
user.allow file and adding the netgroup to /etc/passwd as well as moving lines 
around in the pam.conf and many different versions of pam.conf but it results 
in either everyone being able to login or no one being able to login. Do you 
mind sharing your pam.conf with me?
I have the following relevant entries in nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
netgroup: ldap

 From: Bob 
 To: Natxo Asenjo  
Cc: Freeipa-users  
 Sent: Saturday, August 15, 2015 10:46 AM
 Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients
   

For Solaris we are using the pam_list module to control which LDAP users can 
have system access. The pam_list module allows netgroups to be listed in a 
user.allow file. 

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo  wrote:





On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden  wrote:

sipazzo wrote:


and my users are able to authenticate to the directory but the hbac
rules are not being applied. Any user whether given access or not can
login to the Solaris systems. The "allow-all" rule has been disabled, my
nsswitch.conf file looks good and I have tried different configs of
pam.d, including the provided example to try to resolve the issue. Am I
missing some steps?


HBAC enforcement is provided by sssd so doesn't work in Solaris.


One might try using Solaris' RBAC system:

http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html

You would have to distribute your changes to all Solaris systems.

There is an RBAC LDAP schema 
http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for Solaris, 
but I have never tried using it with freeipa. 

--
Groeten,
natxo
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




Re: [Freeipa-users] Cannot uninstall ipa-server

2015-08-19 Thread Rob Crittenden

Janelle wrote:

ipa-server-install --uninstall --unattended


I don't think it is the prompt that's hanging. I'd either wait to see 
whether it clears things up itself or try to figure out what service is 
hanging. Some of the timeouts are 5 minutes IIRC so it may take a while 
in the worst case scenario.


The files/directories you refer to are the hints that the uninstaller 
uses to know how to restore the system to as close to pre-install 
condition as possible. I don't know that it is all that consumable if 
done manually.


rob



~J

On 8/19/15 7:41 AM, bahan w wrote:

Hello.

After an unsuccessful installation of ipa-server, 3.0.0-42, I tried to
uninstall it, but the uninstallation hangs at the following step:

###
ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and
configuration!

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services

###

It hangs forever.

Is there any way to perform the uninstallation manually? I thought I saw a
method somewhere concerning the removal of the files contained in the
following folders:

###
/var/lib/ipa/sysrestore
/var/lib/ipa-client/sysrestore
###

Is it true?

Best regards.

Bahan










Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread sipazzo
Ah I would love to help but have only been a Unix sysadmin for a couple of years 
now (came from the Windows side of the house) and have little coding ability. Still 
happy to help in any way I can though if you can find a place/need for me. You 
have all been very helpful to me so I would like to give back if I can.
   From: Jakub Hrozek 
 To: Martin Kosek  
Cc: Freeipa-users  
 Sent: Wednesday, August 19, 2015 12:23 AM
 Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients
   
On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
> >
> >
> >On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden  >> wrote:
> >
> >    sipazzo wrote:
> >
> >
> >        and my users are able to authenticate to the directory but the hbac
> >        rules are not being applied. Any user whether given access or not can
> >        login to the Solaris systems. The "allow-all" rule has been 
> >disabled, my
> >        nsswitch.conf file looks good and I have tried different configs of
> >        pam.d, including the provided example to try to resolve the issue. 
> >Am I
> >        missing some steps?
> >
> >
> >    HBAC enforcement is provided by sssd so doesn't work in Solaris.
> >
> >
> >one might try using solaris' RBAC system:
> >
> >http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
> >
> >You would have to distribute your changes to all solaris systems.
> >
> >There is a RBAC ldap schema
> >http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for 
> >solaris,
> >but I have never tried using it with freeipa.
> >
> >--
> >Groeten,
> >natxo
> 
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
> 
> https://github.com/jhrozek/pam_hbac

btw I have quite a few changes from the last weeks, so yes, I'm still
working on this, but the progress is slow, RHEL maintenance tends to eat
most time..




Re: [Freeipa-users] Cannot uninstall ipa-server

2015-08-19 Thread Janelle

ipa-server-install --uninstall --unattended


~J

On 8/19/15 7:41 AM, bahan w wrote:

Hello.

After an unsuccessful installation of ipa-server, 3.0.0-42, I tried to 
uninstall it, but the uninstallation hangs at the following step:


###
ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and 
configuration!


Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services

###

It hangs forever.

Is there any way to perform the uninstallation manually? I thought I saw a 
method somewhere concerning the removal of the files contained in the 
following folders:


###
/var/lib/ipa/sysrestore
/var/lib/ipa-client/sysrestore
###

Is it true?

Best regards.

Bahan





[Freeipa-users] Cannot uninstall ipa-server

2015-08-19 Thread bahan w
Hello.

After an unsuccessful installation of ipa-server, 3.0.0-42, I tried to
uninstall it, but the uninstallation hangs at the following step:

###
ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and
configuration!

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services

###

It hangs forever.

Is there any way to perform the uninstallation manually? I thought I saw a method
somewhere concerning the removal of the files contained in the following
folders:

###
/var/lib/ipa/sysrestore
/var/lib/ipa-client/sysrestore
###

Is it true?

Best regards.

Bahan

Re: [Freeipa-users] Public Key Authentication Failing

2015-08-19 Thread Yogesh Sharma
Re-enrolling the server has fixed it, but what caused this is still an
issue.

Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RACKSPACE CLOUD U Certified


On Wed, Aug 19, 2015 at 1:23 AM, Yogesh Sharma  wrote:

> The majority of the sssd logs are filled with the below error:
>
> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
>
>
> Best Regards,
>
> Yogesh Sharma
> Email: yks0...@gmail.com | Web: www.initd.in
>
> RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
>
>
> On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma  wrote:
>
>> Team.
>>
>> We are using public key authentication instead of a password. It was
>> working fine but a day later it stopped working. The same key is
>> working if I change the username.
>>
>> For eg:
>>
>> Initially we created a user, ipa1, with an ssh public key, but after
>> some time it stopped working; now the same key works if we create an
>> ipa2 user, but with the ipa1 user it fails to accept the keys.
>>
>>
>>
>> Below are ssh logs of failed attempt:
>>
>> root@yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa
>> vg4381@172.16.32.24 -vv
>> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>> debug2: ssh_connect: needpriv 0
>> debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22.
>> debug1: Connection established.
>> debug1: permanently_set_uid: 0/0
>> debug1: identity file /root/.ssh/id_rsa type 1
>> debug1: identity file /root/.ssh/id_rsa-cert type -1
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
>> debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c00
>> debug2: fd 3 setting O_NONBLOCK
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug2: kex_parse_kexinit: curve25519-sha...@libssh.org
>> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,
>> ssh-rsa-cert-...@openssh.com,ssh-rsa,
>> ecdsa-sha2-nistp256-cert-...@openssh.com,
>> ecdsa-sha2-nistp384-cert-...@openssh.com,
>> ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com
>> ,ssh-dss-cert-...@openssh.com,ssh-dss-cert-...@openssh.com
>> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
>> debug2: kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>> aes128-...@openssh.com,aes256-...@openssh.com,
>> chacha20-poly1...@openssh.com
>> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
>> rijndael-...@lysator.liu.se
>> debug2: kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>> aes128-...@openssh.com,aes256-...@openssh.com,
>> chacha20-poly1...@openssh.com
>> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
>> rijndael-...@lysator.liu.se
>> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,
>> hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
>> umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,
>> hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,
>> hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com
>> ,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com
>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com
>> ,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,
>> hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
>> umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,
>> hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,
>> hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com
>> ,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com
>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com
>> ,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: none,z..

Re: [Freeipa-users] ipa v4 on CentOS6

2015-08-19 Thread Ramy Allam
Thanks for the valuable information. I will use CentOS7 for both client and
server.

Hope you all the best.

On Wed, Aug 19, 2015 at 9:22 AM, Jakub Hrozek  wrote:

> On Tue, Aug 18, 2015 at 09:02:14PM +0200, Martin Kosek wrote:
> > On 08/17/2015 01:15 PM, Ramy Allam wrote:
> > >Hello,
> > >
> > >I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine. And
> > >need to setup ipa-4.1.0 on a CentOS *6* machine.
> > >
> > >CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6 please?
> > >
> > >The reason I need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't support
> > >OTP authentication.
> >
> > Hello,
> >
> > We do not plan to backport FreeIPA 4.0+ on CentOS-6, there are simply too
> > many dependencies that are not there. Running purely on CentOS-7.1 looks like
> > the least painful way to me.
> >
> > You can still of course have clients (SSSD) on CentOS-6. Jakub, can you
> > please remind me what the limitations are with regards to SSSD&OTP on RHEL-6?
>
> The SSSD code is there, but the Kerberos library version is the limit. We
> can't rebase to a newer one but at the same time it's impossible to backport
> the changes.
>
> Sorry, but new features sometimes require using a new system..
>
> >
> > Advanced conversations like https://fedorahosted.org/sssd/ticket/2335 will
> > not be possible of course, that's expected.
>

Re: [Freeipa-users] Public Key Authentication Failing + Failed to Authenticate New User with Public Key

2015-08-19 Thread Yogesh Sharma
Any suggestion please.

Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RACKSPACE CLOUD U Certified


On Wed, Aug 19, 2015 at 1:37 PM, Yogesh Sharma  wrote:

> Re-enrolling the server has fixed it, but what caused this is still
> an issue.
>
> Best Regards,
>
> Yogesh Sharma
> Email: yks0...@gmail.com | Web: www.initd.in
>
> RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
>
>
> On Wed, Aug 19, 2015 at 1:23 AM, Yogesh Sharma  wrote:
>
>> The majority of the sssd logs are filled with the below error:
>>
>> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>> domain SID from [(null)]
>> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>> domain SID from [(null)]
>> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>> domain SID from [(null)]
>>
>>
>> Best Regards,
>>
>> Yogesh Sharma
>> Email: yks0...@gmail.com | Web: www.initd.in
>>
>> RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
>>
>>
>> On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma 
>> wrote:
>>
>>> Team.
>>>
>>> We are using public key authentication instead of a password. It was
>>> working fine but a day later it stopped working. The same key is
>>> working if I change the username.
>>>
>>> For eg:
>>>
>>> Initially we created a user, ipa1, with an ssh public key, but after
>>> some time it stopped working; now the same key works if we create an
>>> ipa2 user, but with the ipa1 user it fails to accept the keys.
>>>
>>>
>>>
>>> Below are ssh logs of failed attempt:
>>>
>>> root@yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa
>>> vg4381@172.16.32.24 -vv
>>> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>> debug2: ssh_connect: needpriv 0
>>> debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22.
>>> debug1: Connection established.
>>> debug1: permanently_set_uid: 0/0
>>> debug1: identity file /root/.ssh/id_rsa type 1
>>> debug1: identity file /root/.ssh/id_rsa-cert type -1
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
>>> debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c00
>>> debug2: fd 3 setting O_NONBLOCK
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug2: kex_parse_kexinit: curve25519-sha...@libssh.org
>>> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>> debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,
>>> ssh-rsa-cert-...@openssh.com,ssh-rsa,
>>> ecdsa-sha2-nistp256-cert-...@openssh.com,
>>> ecdsa-sha2-nistp384-cert-...@openssh.com,
>>> ecdsa-sha2-nistp521-cert-...@openssh.com,
>>> ssh-ed25519-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,
>>> ssh-dss-cert-...@openssh.com
>>> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
>>> debug2: kex_parse_kexinit:
>>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>>> aes128-...@openssh.com,aes256-...@openssh.com,
>>> chacha20-poly1...@openssh.com
>>> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
>>> rijndael-...@lysator.liu.se
>>> debug2: kex_parse_kexinit:
>>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>>> aes128-...@openssh.com,aes256-...@openssh.com,
>>> chacha20-poly1...@openssh.com
>>> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
>>> rijndael-...@lysator.liu.se
>>> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,
>>> hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
>>> umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,
>>> hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,
>>> hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com
>>> ,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com
>>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripem

Re: [Freeipa-users] Sudden replication failure

2015-08-19 Thread thierry bordaz

On 08/18/2015 08:39 PM, Martin Kosek wrote:

On 08/10/2015 10:05 PM, Burke Rosen wrote:

Hello,

I'm running two replicated freeIPA servers. One of them spontaneously 
failed.
After taking the misbehaving server down, the remaining replicant 
handled

everything fine. I restored the system to its original working state by
uninstalling ipa-server from the non-functional server and 
re-replicating from
the working server. All is well, but I am trying to figure out what 
might have

caused the problem in the first place. Below are the first few (presumably)
relevant lines of the error log. Can someone help me interpret them?

Thank you,

-Burke Rosen




This line is interesting:


[08/Aug/2015:04:11:06 -0700] repl_version_plugin_recv_acquire_cb - [file
ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing 
replication.

This server: "2010061412" remote server: "(null)".


But I wonder how it is possible this was triggered, we did not bump 
the data version in IPA Replica version plugin since 2010 as you can 
see. So for some reason, it seems that the version was not passed 
correctly when the connection between replicas was being established.


I guess we will not find out the root cause, given you successfully 
rebuilt the server. I am still CCing Ludwig and Thierry for reference.




Hello,

The DS master (or replica) sent a start-replication session with an 
empty GUID payload (added by the ipa plugin). It should happen if you mixed 
DS and/or IPA versions; is that the case?


thanks
thierry

Re: [Freeipa-users] ipa v4 on CentOS6

2015-08-19 Thread Jakub Hrozek
On Tue, Aug 18, 2015 at 09:02:14PM +0200, Martin Kosek wrote:
> On 08/17/2015 01:15 PM, Ramy Allam wrote:
> >Hello,
> >
> >I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine. 
> >And
> >need to setup ipa-4.1.0 on a CentOS *6* machine.
> >
> >CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6 
> >please?
> >
> >The reason I need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't 
> >support
> >OTP authentication.
> 
> Hello,
> 
> We do not plan to backport FreeIPA 4.0+ on CentOS-6, there are simply too
> many dependencies that are not there. Running purely on CentOS-7.1 looks like
> the least painful way to me.
> 
> You can still of course have clients (SSSD) on CentOS-6. Jakub, can you
> please remind me what the limitations are with regards to SSSD&OTP on RHEL-6?

The SSSD code is there, but the Kerberos library version is the limit. We
can't rebase to a newer one but at the same time it's impossible to backport
the changes.

Sorry, but new features sometimes require using a new system..

> 
> Advanced conversations like https://fedorahosted.org/sssd/ticket/2335 will
> not be possible of course, that's expected.



Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread Jakub Hrozek
On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
> >
> >
> >On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden  >> wrote:
> >
> >sipazzo wrote:
> >
> >
> >and my users are able to authenticate to the directory but the hbac
> >rules are not being applied. Any user whether given access or not can
> >login to the Solaris systems. The "allow-all" rule has been 
> > disabled, my
> >nsswitch.conf file looks good and I have tried different configs of
> >pam.d, including the provided example to try to resolve the issue. 
> > Am I
> >missing some steps?
> >
> >
> >HBAC enforcement is provided by sssd so doesn't work in Solaris.
> >
> >
> >one might try using solaris' RBAC system:
> >
> >http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
> >
> >You would have to distribute your changes to all solaris systems.
> >
> >There is a RBAC ldap schema
> >http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for 
> >solaris,
> >but I have never tried using it with freeipa.
> >
> >--
> >Groeten,
> >natxo
> 
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
> 
> https://github.com/jhrozek/pam_hbac

btw I have quite a few changes from the last weeks, so yes, I'm still
working on this, but the progress is slow, RHEL maintenance tends to eat
most time..
