Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-06 Thread Martin Kosek
On 03/05/2016 12:08 AM, Natxo Asenjo wrote:
> On Fri, Mar 4, 2016 at 11:00 PM, Simo Sorce  wrote:
> 
>> On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote:
>>> Natxo Asenjo wrote:
>>
>>>> when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login
>>>> with the fedora account I get
>>>>
>>>>
>>>>   OpenID error
>>>>
>>>> An error occurred: an invalid token was found.
>>>>
>>>> Return to Main Page .
>>>>
>>>>
>>>> So, sorry, I cannot edit or contribute to the wiki. I will write
>>>> something down in my own wiki and post the link here; search engines
>>>> will index these mailing list posts as well, so this knowledge will not
>>>> get lost.
>>>
>>> It's not just you. I can't login either. I think Martin will need to
>>> poke at this on Monday.
>>
>> I tried this just now and it worked, maybe there was an issue that has
>> since resolved itself ?
>>
> 
> no, same error.
> 
> O well, I have this howto, just copy paste it from my mediawiki (public
> domain):
> 
> https://asenjo.nl/wiki/index.php/Client_certificate_authentication_ipa

I checked and I was also able to log in. I suspect it is a problem with your
browser then, maybe testing it with a clear session would help.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] SSSD does not fetch Sudo Rules anymore

2016-03-06 Thread Zoske, Fabian
Hi,

in our environment (server: ipa-server-4.2.0-15.el7_2.6.x86_64 and
sssd-1.13.0-40.el7_2.1.x86_64 on CentOS 7.2; client:
ipa-client-4.2.0-15.el7_2.6.x86_64 and sssd-1.13.0-40.el7_2.1.x86_64 on CentOS
7.2) SUDO rules don’t get fetched anymore.

I debugged SSSD and SUDO and found out that the first LDAP filter is
(objectClass=sudoRule), and in our IPA-LDAP every rule has the class “sudoRole”,
not “sudoRule”.

Is there a way to fix this behavior?

Best regards,
Fabian

Re: [Freeipa-users] Need help with AD 2012 and FreeIPA 4.2 sync

2016-03-06 Thread Alexander Bokovoy

On Fri, 04 Mar 2016, Csaba Patyi wrote:

> Hi Everybody,
> 
> We are trying to create sync between Windows 2012 r2 AD and FreeIPA 4.2.0
> (CentOS 7) and we run into an issue.
> 
> We are following this documentation:
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory.html
> 
> I know it is a little bit old and now the preferred method is trust and not
> sync. But if my understanding is correct, in trust you have to use 2
> different domains like company.net <--> company.com and it can not be used as
> company.com <--> company.com

Your understanding is not fully correct.

You cannot have IPA machines in the same DNS zone as Active Directory.
You can have IPA machines in a subdomain or a completely separate zone.

If you need to present IPA machines as part of Active Directory DNS
zone, you can use CNAME trick where machines are actually in
.ipa.company.com (A/ in that DNS zone) and have a CNAME in
.company.com that points to the true name in .ipa.company.com.

Again, the reason for this is that FreeIPA presents itself as a
separate Active Directory forest, and it is impossible for two Active
Directory forests to be in the same DNS zone. This is an Active
Directory limitation, not a FreeIPA one.
--
/ Alexander Bokovoy
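The subdomain-plus-CNAME layout Alexander describes is easy to get wrong when records are managed by hand. The following script is an added example, not code from the thread or from the FreeIPA project: it checks a set of DNS records against that layout and reports any IPA host that has an address record directly in the AD zone, lacks an address record in the IPA subdomain, or whose CNAME points somewhere other than its true name. The zone names (company.com, ipa.company.com), the host names and the addresses are constructed for the example.

```python
from typing import Iterable, List, Tuple

# One record = (owner name, type, rdata); names are fully qualified with a trailing dot.
Record = Tuple[str, str, str]

# Zone names are assumptions for this example, following the reply's
# company.com / ipa.company.com naming.
IPA_ZONE = "ipa.company.com."
AD_ZONE = "company.com."

# Constructed records for the layout the reply describes: the address records live
# in the IPA subdomain and the AD zone carries only a CNAME to the true name.
GOOD_RECORDS: List[Record] = [
    ("ipa1.ipa.company.com.", "A", "192.0.2.10"),
    ("ipa1.ipa.company.com.", "AAAA", "2001:db8::10"),
    ("ipa1.company.com.", "CNAME", "ipa1.ipa.company.com."),
    ("dc1.company.com.", "A", "192.0.2.1"),
]

# Constructed records for the layout the reply says cannot work: the IPA host has
# its own address record directly in the Active Directory zone.
BAD_RECORDS: List[Record] = [
    ("ipa1.company.com.", "A", "192.0.2.10"),
    ("dc1.company.com.", "A", "192.0.2.1"),
]


def _select(records: Iterable[Record], owner: str, types: Tuple[str, ...]) -> List[Record]:
    """Records for one owner name (case-insensitive) of the given types."""
    return [r for r in records if r[0].lower() == owner.lower() and r[1].upper() in types]


def check_layout(records: Iterable[Record], ipa_hosts: Iterable[str],
                 ipa_zone: str = IPA_ZONE, ad_zone: str = AD_ZONE) -> List[str]:
    """Return one finding per violation of the subdomain-plus-CNAME layout;
    an empty list means every IPA host is laid out as the reply describes."""
    records = list(records)
    findings: List[str] = []
    for host in ipa_hosts:
        true_name = f"{host}.{ipa_zone}"   # where the A/AAAA records must be
        alias = f"{host}.{ad_zone}"        # the name AD-side clients may look up
        if not _select(records, true_name, ("A", "AAAA")):
            findings.append(f"{host}: no A/AAAA record under {ipa_zone}")
        if _select(records, alias, ("A", "AAAA")):
            findings.append(f"{host}: address record directly in {ad_zone}; "
                            "IPA hosts cannot share the AD forest's DNS zone")
        for _, _, target in _select(records, alias, ("CNAME",)):
            if target.lower() != true_name.lower():
                findings.append(f"{host}: CNAME {alias} points to {target}, expected {true_name}")
    return findings


if __name__ == "__main__":
    print("good layout:", check_layout(GOOD_RECORDS, ["ipa1"]) or "no findings")
    print("bad layout:", check_layout(BAD_RECORDS, ["ipa1"]))
```

Feed it the records you export from your own zones (any source that yields owner, type and rdata will do) and the list of IPA server and client short names; a clean run is the quick confirmation that no IPA host has slipped into the AD zone with its own address record.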



[Freeipa-users] Need help with AD 2012 and FreeIPA 4.2 sync

2016-03-06 Thread Csaba Patyi
Hi Everybody,

We are trying to create sync between Windows 2012 r2 AD and FreeIPA 4.2.0
(CentOS 7) and we run into an issue.

We are following this documentation:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory.html

I know it is a little bit old and now the preferred method is trust and not
sync. But if my understanding is correct, in trust you have to use 2
different domains like company.net <--> company.com and it can not be used as
company.com <--> company.com

So anyway we are struggling with the full sync. Currently username sync is
working, but their passwords are not.

Replication was specified:
ipa-replica-manage connect --winsync --binddn
cn=Syncadmin,cn=users,dc=company,dc=com --bindpw ad_password --passsync
syncpassword --cacert /etc/openldap/certs/company.cer
companypdc.company.com


On the Windows we installed and configured 389-PassSync-1.1.5-x86_64 and it
was configured as a following:

Hostname: name_of_centos_server
Password: syncpassword
Password field: userpassword
Port Number: 636
Search base cn=users,cn=compat,dc=company,dc=com
User Name uid/passync,cn=sysaccounts,cn=etc,dc=company,dc=com
User Name Field: ntuserdomainid


Log from passwordsync on windows:
03/04/16 16:45:07: Attempting to sync password for test.user
03/04/16 16:45:07: Searching for (ntuserdomainid=test.user)
03/04/16 16:45:07: There are no entries that match: test.user
03/04/16 16:45:07: Deferring password change for test.user
03/04/16 16:45:07: Backing off for 1024000ms


Trying user on CentOS:
kinit test.user -V
Using new cache: persistent:0:krb_ccache_wyIa8Nj
Using principal: test.u...@company.com
kinit: Generic preauthentication failure while getting initial credentials

log from /var/log/dirsrv/slapd-COMPANY-COM/access

[04/Mar/2016:17:10:08 +] conn=4 op=677 SRCH base="dc=jighi,dc=com"
scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=
test.u...@jighi.com))" attrs="krbPrincipalName krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[04/Mar/2016:17:10:08 +] conn=4 op=677 RESULT err=0 tag=101 nentries=1
etime=0
[04/Mar/2016:17:10:08 +] conn=4 op=678 SRCH
base="cn=JIGHI.COM,cn=kerberos,dc=jighi,dc=com"
scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[04/Mar/2016:17:10:08 +] conn=4 op=678 RESULT err=0 tag=101 nentries=1
etime=0

Can somebody help with what we are missing?

Regards,
Csaba Patyi
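The PassSync log above says its search for (ntuserdomainid=test.user) matched nothing, and the 389-ds access log is where you confirm which bind DN ran that search, against which base, and how many entries came back. The script below is an added example, not code from the thread or from the FreeIPA or 389-ds projects: it pairs each SRCH line with its RESULT (same conn and op), tags it with the DN the connection last bound as, and lists the searches that completed with err=0 but nentries=0. The sample log lines are constructed in the 389-ds access log format to mirror the post (the passync bind DN is written as uid=passync,... as an assumption, and the second search is given the COMPANY.COM realm for consistency); the functions take any access log text.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in 389-ds access-log format; these lines are made up for the
# example and are not taken from the original post.
SAMPLE_LOG = """\
[04/Mar/2016:16:45:07 +0000] conn=12 op=0 BIND dn="uid=passync,cn=sysaccounts,cn=etc,dc=company,dc=com" method=128 version=3
[04/Mar/2016:16:45:07 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=passync,cn=sysaccounts,cn=etc,dc=company,dc=com"
[04/Mar/2016:16:45:07 +0000] conn=12 op=1 SRCH base="cn=users,cn=compat,dc=company,dc=com" scope=2 filter="(ntuserdomainid=test.user)" attrs=ALL
[04/Mar/2016:16:45:07 +0000] conn=12 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[04/Mar/2016:17:10:08 +0000] conn=4 op=677 SRCH base="dc=company,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=test.user@COMPANY.COM))" attrs="krbPrincipalName objectClass"
[04/Mar/2016:17:10:08 +0000] conn=4 op=677 RESULT err=0 tag=101 nentries=1 etime=0
"""

# Access-log line shape: [timestamp] conn=N op=N <operation and its fields>
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d+) filter="(?P<filter>.*)" attrs=')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)')


def parse_access_log(text: str) -> List[Dict]:
    """Pair every SRCH with its RESULT (same conn and op) and annotate it with the
    DN the connection last bound as. Returns one dict per completed search."""
    bind_dn: Dict[str, str] = {}                 # conn id -> DN of the last BIND seen
    pending: Dict[Tuple[str, str], Dict] = {}    # (conn, op) -> search awaiting its RESULT
    searches: List[Dict] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        conn, op, rest = m.group('conn'), m.group('op'), m.group('rest')
        if (b := BIND_RE.match(rest)):
            bind_dn[conn] = b.group('dn') or 'anonymous'
            continue
        if (s := SRCH_RE.match(rest)):
            pending[(conn, op)] = {
                'conn': conn, 'op': op, 'time': m.group('ts'),
                'bind_dn': bind_dn.get(conn, '(no BIND seen in this excerpt)'),
                'base': s.group('base'), 'scope': int(s.group('scope')),
                'filter': s.group('filter'),
            }
            continue
        if (r := RESULT_RE.match(rest)) and (conn, op) in pending:
            entry = pending.pop((conn, op))
            entry['err'] = int(r.group('err'))
            entry['nentries'] = int(r.group('nentries'))
            searches.append(entry)
    return searches


def empty_searches(searches: List[Dict], bind_dn: Optional[str] = None) -> List[Dict]:
    """Searches that completed without error but matched nothing, optionally
    restricted to one bind DN (for PassSync, the sync system account)."""
    return [s for s in searches
            if s['err'] == 0 and s['nentries'] == 0
            and (bind_dn is None or s['bind_dn'].lower() == bind_dn.lower())]


if __name__ == '__main__':
    for s in empty_searches(parse_access_log(SAMPLE_LOG)):
        print(f"{s['time']} conn={s['conn']} {s['bind_dn']} searched base "
              f"{s['base']} (scope {s['scope']}) for {s['filter']} -> 0 entries")
```

Run it over /var/log/dirsrv/slapd-COMPANY-COM/access (or pass the text of that file to parse_access_log) and filter on the PassSync bind DN: a search that reaches the server and returns zero entries tells you the bind itself succeeded and that the configured search base simply contains no entry carrying the attribute and value PassSync asks for, which narrows the problem to the search base and user-name field settings rather than to the connection or credentials.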