Re: [Freeipa-users] ipactl services running, but auth not working

2017-02-03 Thread pgb205
There are reports from multiple clients being unable to authenticate.
ipactl status shows all services as running. The problem is fixed when I 'ipactl restart'.

From: "Sullivan, Daniel [CRI]"
To: pgb205
Cc: Freeipa-users
Sent: Friday, February 3, 2017 2:47 PM
Subject: Re: [Freeipa-users] ipactl services running, but auth not working

What exactly are you seeing to determine that the server is actually failing?  
Is it not possible that sssd (the client) is timing out?  Will 389ds service an 
LDAP request, i.e. can you run

ldapsearch -D "cn=Directory Manager" -w  -s base -b "cn=config" "(objectclass=*)"

What exactly are you trying to do?  Just password authentication to an sssd 
client?  Are you operating in a trusted AD environment?

Dan

On Feb 3, 2017, at 11:26 AM, pgb205 wrote:

My problem is with the server itself seemingly not providing services even 
though it claims to do so. I would be curious to know what to look at on the freeipa 
server, or how to increase logging.


From: "Sullivan, Daniel [CRI]"
To: pgb205
Cc: Freeipa-users
Sent: Thursday, February 2, 2017 5:16 PM
Subject: Re: [Freeipa-users] ipactl services running, but auth not working

Have you looked at the sssd logs yet?

Dan

On Feb 2, 2017, at 4:13 PM, pgb205 wrote:

We have multiple ipa servers but only one is continuously affected by the 
strange problem described in the subject line.
Users report not being able to login to servers that are using a specific 
ipa_server. Looking at this server ipactl shows
everything as RUNNING. ipactl restart fixes the issue until the next time.

My questions are:
1. What could be causing this, and what can I check.
2. What logging should I enable on the server.
3. We are currently monitoring for processes 'Running' but clearly that is not 
a fool-proof way to check if the service is actually up.
What would be a definitive method to check if Freeipa is up and functional in 
all respects? I was thinking of setting up a cron job
that attempts to do kinit  on a client machine. The problem that I 
foresee with this method is caching that might give false negatives.

thanks

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org  for more info on the project






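Dan's ldapsearch probe and the cron-driven kinit idea from the original question, combined into one check script that a monitoring job can run against a server whose ipactl status looks healthy. This is an added example, not code from the thread or from the FreeIPA project. The server name ipa.example.com, the keytab path and the probe principal are assumed defaults that you override through the environment; the LDAP probe is an anonymous base-scope search of the root DSE rather than a Directory Manager bind, so no password has to live in the cron job; and the Kerberos probe runs in a throw-away credential cache so that a ticket cached from an earlier, healthy run cannot mask a KDC that has stopped answering (the false-negative concern raised above).

```shell
#!/bin/sh
# ipa_health_check.sh (added example; not from the thread or the FreeIPA project)
# Probes the two services clients actually depend on, the KDC and 389-ds,
# instead of trusting "ipactl status".
#
# Assumed defaults, all overridable through the environment:
#   IPA_SERVER    FQDN of the IPA server to probe   (assumed: ipa.example.com)
#   KEYTAB        keytab holding the probe principal (assumed: /etc/krb5.keytab)
#   PRINCIPAL     principal to obtain a TGT for       (assumed: this host's principal)
#   TIMEOUT_SECS  per-probe timeout so a hung KDC is reported, not waited on
#   KINIT, LDAPSEARCH  command names; overridable for a dry run
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
PRINCIPAL="${PRINCIPAL:-host/$(hostname -f 2>/dev/null || echo localhost)}"
TIMEOUT_SECS="${TIMEOUT_SECS:-15}"
KINIT="${KINIT:-kinit}"
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"

# Run a command under a timeout when coreutils timeout is available.
with_timeout() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TIMEOUT_SECS" "$@"
    else
        "$@"
    fi
}

# Probe 1: can the KDC issue a TGT for the keytab principal right now?
# A fresh FILE ccache is used and deleted afterwards, so nothing cached from
# an earlier run can turn a dead KDC into a false "up".
check_kdc() {
    ccache="$(mktemp)" || return 1
    rc=0
    (
        export KRB5CCNAME="FILE:$ccache"
        with_timeout "$KINIT" -kt "$KEYTAB" "$PRINCIPAL" >/dev/null 2>&1
    ) || rc=$?
    rm -f "$ccache"
    return "$rc"
}

# Probe 2: does 389-ds answer a base-scope search? The root DSE is readable
# anonymously, so this is the same kind of check as the Directory Manager
# search suggested above, without a password in the job.
check_ldap() {
    with_timeout "$LDAPSEARCH" -x -H "ldap://$IPA_SERVER" -s base -b "" \
        "(objectclass=*)" namingContexts >/dev/null 2>&1
}

# Run every probe, print one line per probe, return 0 only if all passed.
run_checks() {
    failed=0
    for probe in check_kdc check_ldap; do
        if "$probe"; then
            echo "OK   $probe"
        else
            echo "FAIL $probe"
            failed=1
        fi
    done
    return "$failed"
}

# Only run when invoked as "sh ipa_health_check.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run it from cron on a client as `IPA_SERVER=ipa.example.com sh ipa_health_check.sh run` and alert on a non-zero exit; because the probe principal is the client's own host key, a failure means that particular client could not authenticate against that particular server, which is exactly the symptom reported.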

Re: [Freeipa-users] Smart Card login into an Active Directory User

2017-02-03 Thread spammewoods

Sumit Bose wrote:
> On Fri, Feb 03, 2017 at 09:33:13AM +0100, Sumit Bose wrote:
> On Thu, Feb 02, 2017 at 11:03:28AM -0800, spammewo...@cox.net wrote:
> > I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a 
> > Windows Active Directory server.   I am trying to configure the IPA server 
> > to allow the Active Directory Users to log into Gnome with a CAC smart 
> > card.  I’m having a hard time finding any instructions on how to do this.  
> > The problem I’m having is the Common Name from the smart card is not 
> > getting associated with the Active Directory account.  I added the 
> > certificate from the smart card to the IPA server by creating a User ID 
> > override for the AD user account.  I made sure to not use authconfig to 
> > configure smart cards and I added ifp to the services line in the sssd.conf 
> > file.
> > 
> > I have the following packages installed:
> > ipa-admintools.noarch   4.4.0-14.el7_3.4
> > ipa-client.x86_64   4.4.0-14.el7_3.4
> > ipa-client-common.noarch   4.4.0-14.el7_3.4
> > ipa-common.noarch   4.4.0-14.el7_3.4
> > ipa-python-compat.noarch   4.4.0-14.el7_3.4
> > ipa-server.x86_64   4.4.0-14.el7_3.4
> > ipa-server-common.noarch   4.4.0-14.el7_3.4
> > ipa-server-dns.noarch  4.4.0-14.el7_3.4
> > ipa-server-trust-ad.x86_64  4.4.0-14.el7_3.4
> > 
> > I can log in with AD user accounts that are configured with UserName and 
> > Passwords, so I know that the integration is working. When I try to log 
> > into GDM with my smart card, I don't get prompted for a PIN number. It 
> > only asks for the password from the AD account.
> 
> Please have a look at the steps described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1300420#c9 . Please let me
> know if you run into issues.

Please also check if you followed the steps in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html

HTH

bye,
Sumit

Hello Sumit,
I followed the instructions in comment #9. I modified the 
/etc/pam.d/smartcard-auth file and the two files that are under 
/etc/dconf/db/distro.d/. But it still doesn't work. GDM will prompt me for 
a password, not the PIN, when I plug in the smart card. Do I need to run 
"authconfig --enablesmartcard --smartcardmodule=no_module --update" before I 
change the files? Should I remove pam_pkcs11 too? I have been able to 
get AD smart card login working using standard authconfig, pam_pkcs11, and the 
cn_map. I just don't want to use the cn_map file and have to list all of my 
users' "Common Names" in this file.



Re: [Freeipa-users] ipactl services running, but auth not working

2017-02-03 Thread Sullivan, Daniel [CRI]
What exactly are you seeing to determine that the server is actually failing?  
Is it not possible that sssd (the client) is timing out?  Will 389ds service an 
LDAP request, i.e. can you run

ldapsearch -D "cn=Directory Manager" -w  -s base -b "cn=config" "(objectclass=*)"

What exactly are you trying to do?  Just password authentication to an sssd 
client?  Are you operating in a trusted AD environment?

Dan

On Feb 3, 2017, at 11:26 AM, pgb205 wrote:

My problem is with the server itself seemingly not providing services even 
though it claims to do so. I would be curious to know what to look at on the freeipa 
server, or how to increase logging.


From: "Sullivan, Daniel [CRI]"
To: pgb205
Cc: Freeipa-users
Sent: Thursday, February 2, 2017 5:16 PM
Subject: Re: [Freeipa-users] ipactl services running, but auth not working

Have you looked at the sssd logs yet?

Dan

On Feb 2, 2017, at 4:13 PM, pgb205 wrote:

We have multiple ipa servers but only one is continuously affected by the 
strange problem described in the subject line.
Users report not being able to login to servers that are using a specific 
ipa_server. Looking at this server ipactl shows
everything as RUNNING. ipactl restart fixes the issue until the next time.

My questions are:
1. What could be causing this, and what can I check.
2. What logging should I enable on the server.
3. We are currently monitoring for processes 'Running' but clearly that is not 
a fool-proof way to check if the service is actually up.
What would be a definitive method to check if Freeipa is up and functional in 
all respects? I was thinking of setting up a cron job
that attempts to do kinit  on a client machine. The problem that I 
foresee with this method is caching that might give false negatives.

thanks


[Freeipa-users] Wrong principal in request in NFS mount

2017-02-03 Thread Matthew Carter
So I have two test machines that I set up because of this same problem 
on my secure offline network. One of the test machines is a server that 
has FreeIPA and NFS running on it, the other test machine is a client 
that mounts two NFS shares from the server using krb5i sec.


Upon initial install, everything works as it is supposed to. The domain 
users can log in just fine, the mount mounts perfectly.


If I remove the client from the domain using:

ipa-client-automount --uninstall

ipa-client-install --uninstall


And then on the server:

ipa-client-automount --uninstall

ipa-server-install --uninstall

then delete the ca.crt, run sss -E (to clear the sssd caches), rm 
/tmp/krb5*



and then reinstall the server:

ipa-server-install

service sshd restart

kinit admin

ipa service-add nfs/server.dar.lan

ipa-getkeytab -s server.dar.lan -p host/server.dar.lan -k /etc/krb5.keytab

ipa-getkeytab -s server.dar.lan -p nfs/server.dar.lan -k /etc/krb5.keytab


ipa-client-automount


and reinstall on the client:

ipa-client-install

ipa-client-automount


I believe I now have the same setup as I had before.

I can kinit and get a ticket:

Ticket cache: FILE:/tmp/krb5cc_61520_TinxaO
Default principal: ad...@dar.lan

Valid starting       Expires              Service principal
02/03/17 12:54:02    02/04/17 12:53:59    krbtgt/dar@dar.lan

My domain users can log in to their desktops.

But I can't mount the shares.

I get:

mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
mount.nfs4: trying text-based options 'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting server:/NFS_SHARE/USERS

mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
mount.nfs4: trying text-based options 'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting server:/NFS_SHARE/admin



Originally I chased permissions, but when I started looking at 
/var/log/messages on the server, I noticed that rpcgssd was complaining  
about a wrong principal.


On the server I executed kadmin.local and then listprincs

K/m...@dar.lan
krbtgt/dar@dar.lan
kadmin/server.dar@dar.lan
kadmin/ad...@dar.lan
kadmin/chang...@dar.lan
ldap/server.dar@dar.lan
host/server.dar@dar.lan
HTTP/server.dar@dar.lan
nfs/server.dar@dar.lan
s_shar...@dar.lan
host/as1.dar@dar.lan

and then a getprinc on nfs/server.dar@dar.lan:

Principal: nfs/server.dar@dar.lan
Expiration date: [never]
Last password change: Thu Feb 02 15:31:24 EST 2017
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Feb 02 15:31:24 EST 2017 
(nfs/server.dar@dar.lan)

Last successful authentication: Thu Feb 02 16:52:16 EST 2017
Last failed authentication: Fri Feb 03 12:09:14 EST 2017
Failed password attempts: 1
Number of keys: 4
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
Key: vno 3, des3-cbc-sha1, no salt
Key: vno 3, arcfour-hmac, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

looking at my keytab, klist -ke /etc/krb5.keytab

slot KVNO Principal
---- ---- ---------------------------
   1    2 host/server.dar@dar.lan
   2    1 nfs/server.dar@dar.lan
   3    3 host/server.dar@dar.lan
   4    3 host/server.dar@dar.lan
   5    3 host/server.dar@dar.lan
   6    3 host/server.dar@dar.lan
   7    2 nfs/server.dar@dar.lan
   8    2 nfs/server.dar@dar.lan
   9    2 nfs/server.dar@dar.lan
  10    2 nfs/server.dar@dar.lan

I saw I had two extra older kt's so I used kadmin.local to remove them 
with modprinc. Not sure where they came from. . .


I again tried to mount, this time using -vvv in /etc/sysconfig/nfs for 
rpcgssd, rpcsvcgssd, and rpcbind and /var/log/messages output this on 
the server (I'll only paste the data from one mount attempt as there is 
two mounts and they're complaining identically.):


Feb  3 12:25:32 server rpc.svcgssd[4796]: leaving poll
Feb  3 12:25:32 server rpc.svcgssd[4796]: handling null request
Feb  3 12:25:32 server rpc.svcgssd[4796]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Feb  3 12:25:32 server rpc.svcgssd[4796]: WARNING: gss_accept_sec_context failed
Feb  3 12:25:32 server rpc.svcgssd[4796]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request
Feb  3 12:25:32 server rpc.svcgssd[4796]: sending null reply
Feb  3 12:25:32 server 
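The keytab listing above shows two key versions for both the host and the nfs principal, and the poster removed the older ones by hand. One thing worth ruling out after a reinstall like the one described is a keytab whose key versions no longer agree with the KDC, since every ipa-getkeytab run creates a new key version and invalidates keytabs that hold the old one. The script below is an added example, not code from the post or from FreeIPA: it reads captured output of the real commands `klist -k` and `kvno`, so it runs offline, and reports principals whose keytab still holds stale versions or whose newest key version differs from what the KDC currently issues. The file names and the example.com principals in the test data are constructed.

```shell
#!/bin/sh
# keytab_audit.sh (added example; not from the thread or the FreeIPA project)
# Cross-checks the key versions in a keytab against the KVNOs the KDC issues.
#
# Inputs are the text of two real commands, captured to files:
#   klist -k /etc/krb5.keytab   -> one line per key:       "KVNO Principal"
#   kvno nfs/host.example.com   -> one line per principal: "<princ>: kvno = N"
# (kvno needs a valid TGT in the caller's credential cache to work.)

# keytab_audit KLIST_FILE KVNO_FILE
# Prints one line per keytab principal and returns 1 if anything looks wrong:
#   STALE     more than one KVNO present (keys left over from earlier enrolments)
#   MISMATCH  the newest keytab KVNO is not the one the KDC reports
#   UNKNOWN   principal was not queried with kvno, so no comparison was possible
#   OK        a single key version that matches the KDC
keytab_audit() {
    awk '
        # First file: klist -k output. Header and separator lines have a
        # non-numeric first field and are skipped.
        FNR == NR {
            if ($1 ~ /^[0-9]+$/) {
                p = $2; v = $1 + 0
                if (!((p, v) in seen)) { seen[p, v] = 1; versions[p]++ }
                if (!(p in newest) || v > newest[p]) newest[p] = v
            }
            next
        }
        # Second file: kvno output, e.g. "nfs/x@REALM: kvno = 3".
        /kvno = / {
            p = $1; sub(/:$/, "", p); kdc[p] = $NF + 0
        }
        END {
            rc = 0
            for (p in newest) {
                if (versions[p] > 1) {
                    printf "STALE    %s keeps %d key versions, newest %d\n",
                           p, versions[p], newest[p]
                    rc = 1
                }
                if (!(p in kdc)) {
                    printf "UNKNOWN  %s not queried with kvno\n", p
                } else if (kdc[p] != newest[p]) {
                    printf "MISMATCH %s keytab=%d kdc=%d\n", p, newest[p], kdc[p]
                    rc = 1
                } else if (versions[p] == 1) {
                    printf "OK       %s kvno=%d\n", p, newest[p]
                }
            }
            exit rc
        }' "$1" "$2"
}

# Live use on the NFS server: "sh keytab_audit.sh run" after kinit.
if [ "${1:-}" = "run" ]; then
    klist -k /etc/krb5.keytab > /tmp/keytab_audit.klist
    kvno "nfs/$(hostname -f)" "host/$(hostname -f)" > /tmp/keytab_audit.kvno
    keytab_audit /tmp/keytab_audit.klist /tmp/keytab_audit.kvno
fi
```

A MISMATCH for the nfs principal means the ticket the client presents was encrypted with a key the server no longer holds, and the fix is to fetch the keytab again for that principal, as in the ipa-getkeytab steps above, rather than to chase export permissions.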

Re: [Freeipa-users] ipactl services running, but auth not working

2017-02-03 Thread pgb205
My problem is with the server itself seemingly not providing services even 
though it claims to do so. I would be curious to know what to look at on the freeipa 
server, or how to increase logging.

From: "Sullivan, Daniel [CRI]"
To: pgb205
Cc: Freeipa-users
Sent: Thursday, February 2, 2017 5:16 PM
Subject: Re: [Freeipa-users] ipactl services running, but auth not working

Have you looked at the sssd logs yet?

Dan

On Feb 2, 2017, at 4:13 PM, pgb205 wrote:

We have multiple ipa servers but only one is continuously affected by the 
strange problem described in the subject line.
Users report not being able to login to servers that are using a specific 
ipa_server. Looking at this server ipactl shows
everything as RUNNING. ipactl restart fixes the issue until the next time.

My questions are:
1. What could be causing this, and what can I check.
2. What logging should I enable on the server.
3. We are currently monitoring for processes 'Running' but clearly that is not 
a fool-proof way to check if the service is actually up.
What would be a definitive method to check if Freeipa is up and functional in 
all respects? I was thinking of setting up a cron job
that attempts to do kinit  on a client machine. The problem that I 
foresee with this method is caching that might give false negatives.

thanks

[Freeipa-users] client in many IPA domains

2017-02-03 Thread Raul Dias

Hello,

Can an ipa-client (e.g., a notebook) be in more than one realm, e.g. 
depending on the network where it is connected?


-rsd


Re: [Freeipa-users] FreeIPA installation on centos 7

2017-02-03 Thread deepak dimri
Thanks Rob

Is there a place/link where I can download the release for centos 7?

~Amit

On Fri, Feb 3, 2017 at 3:03 PM, Rob Crittenden  wrote:

> amit bhatt wrote:
>
>> My QA development setup is running with IPA VERSION: 4.2.0 on centos 7
>> and I want to install the same version in my production environment as
>> well. However, when I am running yum install ipa-server I am getting
>> VERSION: 4.4.0 (package ipa-server-4.4.0-14.el7.centos.4.x86_64)
>> installed.
>>
>> How can I force IPA server to install 4.2.0 and not 4.4.0?
>>
>
> You'd need to create your own yum repository with the older bits and
> install from there (or push the packages onto your system and do a local
> install).
>
> Note that the IPA packages are tested against the current versions of the
> release which means that some packages may be newer and are therefore
> untested against IPA 4.2.x. Chances are things will work fine but there are
> no guarantees when mixing packages.
>
> rob

[Freeipa-users] Trust between freeipa servers of different domains

2017-02-03 Thread ivan lago
Hello,

Is it possible to configure 2 freeipa servers, serving different domains (let's 
say dom1.com and dom2.com), to establish 
a trust so that users from one domain can use resources under the control of 
the other one?
And if it is possible, would it be doable to establish cross-server user 
groups, with users from both servers?

Initially I would be in control of both servers, so I would be able to do 
any needed "hack" on the configuration.

Thanks,

Ivan

Re: [Freeipa-users] Trust between freeipa servers of different domains

2017-02-03 Thread Martin Babinsky

On 02/03/2017 03:49 PM, ivan lago wrote:

Hello,

Is it possible to configure 2 freeipa servers, serving different domains
(let's say dom1.com and dom2.com) to
establish a trust so that users from one domain can use resources under
the control of the other one?
And if it is possible, would it be doable to establish cross-server
user groups, with users from both servers?

Initially I would be in control of both servers, so I would be able
to do any needed "hack" on the configuration.

Thanks,

Ivan




Hi Ivan,

there is no IPA-IPA trust functionality implemented. It is on the 
roadmap but the work on the feature won't start anytime soon.


--
Martin^3 Babinsky



[Freeipa-users] Can too many group memberships for an AD user cause SSSD or IPA problems?

2017-02-03 Thread Chris Dagdigian


I've got a case where "id @AD-DOMAIN" hangs forever after 
partially resolving, and I think it may be because they are in way too many 
AD groups.


The 'id' command resolves the user but hangs before completing. There is 
a large amount of group data returned from the AD forest for this user, 
and the 'id' command seems to pause/hang right at the 3024th character 
returned.


Looking for pointers / tips. I'm thinking the AD user is in way too many 
groups, but I don't know if this is a real limit or what the limit may 
be. Any other reason why an 'id' command may start to work but hang 
before completion for an AD-defined user?


Regards,
Chris





Re: [Freeipa-users] How to enable krb5_child log

2017-02-03 Thread Kees Bakker
On 03-02-17 10:43, Kees Bakker wrote:
> On 03-02-17 10:17, Jakub Hrozek wrote:
>> On Fri, Feb 03, 2017 at 09:45:34AM +0100, Kees Bakker wrote:
>>
>>> Then, at the very same time user "someuser", on his own login, gets this:
>>> $ klist
>>> klist: Invalid UID in persistent keyring name while getting default ccache
>>>
>>> One more thing I should mention. It may be of influence. The "someuser"
>>> is a local user in /etc/passwd, _and_ it is a user in IPA, with different 
>>> uid's.
>>> Could that trigger the error?
>> Yes, if the UID of the local user and the IPA user differ.
>>
>> If you need to use the user from passwd and authenticate the user with
>> his IPA credentials, then you can't use id_provider=ipa in sssd.conf,
>> but id_provider=proxy and auth_provider=krb5.
>>
> Thanks, Jakub. I really appreciate your feedback.
> I'll test what you suggested.

Alas, still, no success. :-(
-- 
Kees



Re: [Freeipa-users] Smart Card login into an Active Directory User

2017-02-03 Thread Sumit Bose
On Fri, Feb 03, 2017 at 09:33:13AM +0100, Sumit Bose wrote:
> On Thu, Feb 02, 2017 at 11:03:28AM -0800, spammewo...@cox.net wrote:
> > I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a 
> > Windows Active Directory server.   I am trying to configure the IPA server 
> > to allow the Active Directory Users to log into Gnome with a CAC smart 
> > card.  I’m having a hard time finding any instructions on how to do this.  
> > The problem I’m having is the Common Name from the smart card is not 
> > getting associated with the Active Directory account.  I added the 
> > certificate from the smart card to the IPA server by creating a User ID 
> > override for the AD user account.  I made sure to not use authconfig to 
> > configure smart cards and I added ifp to the services line in the sssd.conf 
> > file.
> > 
> > I have the following packages installed:
> > ipa-admintools.noarch   4.4.0-14.el7_3.4
> > ipa-client.x86_64   4.4.0-14.el7_3.4
> > ipa-client-common.noarch   4.4.0-14.el7_3.4
> > ipa-common.noarch   4.4.0-14.el7_3.4
> > ipa-python-compat.noarch   4.4.0-14.el7_3.4
> > ipa-server.x86_64   4.4.0-14.el7_3.4
> > ipa-server-common.noarch   4.4.0-14.el7_3.4
> > ipa-server-dns.noarch  4.4.0-14.el7_3.4
> > ipa-server-trust-ad.x86_64  4.4.0-14.el7_3.4
> > 
> > I can log in with AD user accounts that are configured with UserName and 
> > Passwords, so I know that the integration is working. When I try to log 
> > into GDM with my smart card, I don't get prompted for a PIN number. It 
> > only asks for the password from the AD account.
> 
> Please have a look at the steps described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1300420#c9 . Please let me
> know if you run into issues.

Please also check if you followed the steps in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html

HTH

bye,
Sumit


Re: [Freeipa-users] How to enable krb5_child log

2017-02-03 Thread Kees Bakker
On 03-02-17 10:17, Jakub Hrozek wrote:
> On Fri, Feb 03, 2017 at 09:45:34AM +0100, Kees Bakker wrote:
>> On 02-02-17 17:32, Jakub Hrozek wrote:
>>> On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote:
>>>> Hi
>>>>
>>>> Sorry, I did search wherever I could but I couldn't find it.
>>>> How do I enable krb5_child debug log? I'm on an Ubuntu
>>>> system which by default writes an empty /var/log/krb5_child.log
>>>>
>>>> Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What
>>>> do I have to add where to get logging in krb5_child.log?
>>> add debug_level= to the [domain] section.
>> OK. I've done that before with 0x3ff0 , but this time I used level 6
>> (which I read somewhere as being the old method). And now I see
>> output in krb5_child.log
>> Thanks
>>
>> What's weird though. On another system I'm doing the exactly same.
>> Nothing is logged in krb5_child.log.
>>
>>>> BTW. I'm trying to debug a problem that results in
>>>>   "Invalid UID in persistent keyring"
>>>> The weird thing is, if I become root (via another ssh login) and
>>>> then do a "su - user" (the same user with the error), the problem
>>>> does not show up. Meanwhile that user keeps getting the above
>>>> error (for klist kdestroy, klist).
>>> su as root gets automatically authenticated by the pam_rootok.so
>>> module..
>>>
>> Hmm.
>> I'm not sure if you understood what I was doing:
>>
>> The "root" way
>> $ ssh r...@xyz.example.com
>> # su - someuser
> As you can see you were not prompted for a password. This is the
> pam_rootok.so module in action that just flipped the current user to
> someuser.
>
>> $ klist someuser
>> klist: Credentials cache keyring 'persistent:1013:1013' not found
> This is expected, since pam_sss.so wasn't invoked because the PAM
> conversation finished after pam_rootok.so was called.

Ah, OK. Thanks for clarifying.
Learn something new everyday :-)

>> $ kinit someuser
>> Password for someu...@example.com:
>> The latter seems to be working (I can't finish because I don't have that
>> password).
> Then you won't be able to kinit as the user because you need either to
> know the password or have the keytab to decrypt the KDC response with.

Yes, I did expect that.

>> Then, at the very same time user "someuser", on his own login, gets this:
>> $ klist
>> klist: Invalid UID in persistent keyring name while getting default ccache
>>
>> One more thing I should mention. It may be of influence. The "someuser"
>> is a local user in /etc/passwd, _and_ it is a user in IPA, with different 
>> uid's.
>> Could that trigger the error?
> Yes, if the UID of the local user and the IPA user differ.
>
> If you need to use the user from passwd and authenticate the user with
> his IPA credentials, then you can't use id_provider=ipa in sssd.conf,
> but id_provider=proxy and auth_provider=krb5.
>

Thanks, Jakub. I really appreciate your feedback.
I'll test what you suggested.
-- 
Kees




Re: [Freeipa-users] FreeIPA installation on centos 7

2017-02-03 Thread Rob Crittenden

amit bhatt wrote:

My QA development setup is running with IPA VERSION: 4.2.0 on centos 7
and I want to install the same version in my production environment as
well. However, when I am running yum install ipa-server I am getting
VERSION: 4.4.0 (package ipa-server-4.4.0-14.el7.centos.4.x86_64) installed.

How can I force IPA server to install 4.2.0 and not 4.4.0?


You'd need to create your own yum repository with the older bits and 
install from there (or push the packages onto your system and do a local 
install).


Note that the IPA packages are tested against the current versions of 
the release which means that some packages may be newer and are 
therefore untested against IPA 4.2.x. Chances are things will work fine 
but there are no guarantees when mixing packages.


rob



[Freeipa-users] FreeIPA installation on centos 7

2017-02-03 Thread amit bhatt
My QA development setup is running with IPA VERSION: 4.2.0 on centos 7 and I
want to install the same version in my production environment as well.
However, when I am running yum install ipa-server I am getting VERSION:
4.4.0 (package ipa-server-4.4.0-14.el7.centos.4.x86_64) installed.

How can I force IPA server to install 4.2.0 and not 4.4.0?

Thanks for your help in advance
~Amit

Re: [Freeipa-users] How to enable krb5_child log

2017-02-03 Thread Jakub Hrozek
On Fri, Feb 03, 2017 at 09:45:34AM +0100, Kees Bakker wrote:
> On 02-02-17 17:32, Jakub Hrozek wrote:
> > On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote:
> >> Hi
> >>
> >> Sorry, I did search wherever I could but I couldn't find it.
> >> How do I enable krb5_child debug log? I'm on an Ubuntu
> >> system which by default writes an empty /var/log/krb5_child.log
> >>
> >> Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What
> >> do I have to add where to get logging in krb5_child.log?
> > add debug_level= to the [domain] section.
> 
> OK. I've done that before with 0x3ff0 , but this time I used level 6
> (which I read somewhere as being the old method). And now I see
> output in krb5_child.log
> Thanks
> 
> What's weird though. On another system I'm doing the exactly same.
> Nothing is logged in krb5_child.log.
> 
> >
> >> BTW. I'm trying to debug a problem that results in
> >>   "Invalid UID in persistent keyring"
> >> The weird thing is, if I become root (via another ssh login) and
> >> then do a "su - user" (the same user with the error), the problem
> >> does not show up. Meanwhile that user keeps getting the above
> >> error (for klist kdestroy, klist).
> > su as root gets automatically authenticated by the pam_rootok.so
> > module..
> >
> 
> Hmm.
> I'm not sure if you understood what I was doing:
> 
> The "root" way
> $ ssh r...@xyz.example.com
> # su - someuser

As you can see you were not prompted for a password. This is the
pam_rootok.so module in action that just flipped the current user to
someuser.

> $ klist someuser
> klist: Credentials cache keyring 'persistent:1013:1013' not found

This is expected, since pam_sss.so wasn't invoked because the PAM
conversation finished after pam_rootok.so was called.

> $ kinit someuser
> Password for someu...@example.com:
> The latter seems to be working (I can't finish because I don't have that
> password).

Then you won't be able to kinit as the user because you need either to
know the password or have the keytab to decrypt the KDC response with.

> 
> Then, at the very same time user "someuser", on his own login, gets this:
> $ klist
> klist: Invalid UID in persistent keyring name while getting default ccache
> 
> One more thing I should mention. It may be of influence. The "someuser"
> is a local user in /etc/passwd, _and_ it is a user in IPA, with different 
> uid's.
> Could that trigger the error?

Yes, if the UID of the local user and the IPA user differ.

If you need to use the user from passwd and authenticate the user with
his IPA credentials, then you can't use id_provider=ipa in sssd.conf,
but id_provider=proxy and auth_provider=krb5.

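The two provider settings Jakub names, placed in a complete sssd.conf domain section together with the debug_level setting from earlier in this thread. This is an added example, not a file from the thread or from the SSSD project; the domain name, the IPA server name and the realm are assumed, and the debug level is the value the thread reports as working.

```ini
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
# Identities (uid, gid, home, shell) keep coming from /etc/passwd through the
# files NSS module, so the local UID stays the one the system uses.
id_provider = proxy
proxy_lib_name = files
# Authentication and password changes go to the IPA KDC (server and realm
# names are assumed).
auth_provider = krb5
chpass_provider = krb5
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
# debug_level in the domain section is what makes krb5_child write its log;
# 6 is the value reported as working earlier in this thread.
debug_level = 6
```

With this layout there is only one UID per user on the box, which is the condition Jakub points to for the "Invalid UID in persistent keyring" error. Restart sssd after editing and check the log with a fresh login rather than with `su` from root, since pam_rootok.so short-circuits the PAM conversation before pam_sss.so runs.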


Re: [Freeipa-users] How to enable krb5_child log

2017-02-03 Thread Kees Bakker
On 02-02-17 17:32, Jakub Hrozek wrote:
> On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote:
>> Hi
>>
>> Sorry, I did search wherever I could but I couldn't find it.
>> How do I enable krb5_child debug log? I'm on an Ubuntu
>> system which by default writes an empty /var/log/krb5_child.log
>>
>> Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What
>> do I have to add where to get logging in krb5_child.log?
> add debug_level= to the [domain] section.

OK. I've done that before with 0x3ff0 , but this time I used level 6
(which I read somewhere as being the old method). And now I see
output in krb5_child.log
Thanks

What's weird though. On another system I'm doing the exactly same.
Nothing is logged in krb5_child.log.

>
>> BTW. I'm trying to debug a problem that results in
>>   "Invalid UID in persistent keyring"
>> The weird thing is, if I become root (via another ssh login) and
>> then do a "su - user" (the same user with the error), the problem
>> does not show up. Meanwhile that user keeps getting the above
>> error (for klist kdestroy, klist).
> su as root gets automatically authenticated by the pam_rootok.so
> module..
>

Hmm.
I'm not sure if you understood what I was doing:

The "root" way
$ ssh r...@xyz.example.com
# su - someuser
$ klist someuser
klist: Credentials cache keyring 'persistent:1013:1013' not found
$ kinit someuser
Password for someu...@example.com:
The latter seems to be working (I can't finish because I don't have that
password).

Then, at the very same time user "someuser", on his own login, gets this:
$ klist
klist: Invalid UID in persistent keyring name while getting default ccache

One more thing I should mention. It may be of influence. The "someuser"
is a local user in /etc/passwd, _and_ it is a user in IPA, with different uid's.
Could that trigger the error?
-- 
Kees




Re: [Freeipa-users] Smart Card login into an Active Directory User

2017-02-03 Thread Sumit Bose
On Thu, Feb 02, 2017 at 11:03:28AM -0800, spammewo...@cox.net wrote:
> I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a 
> Windows Active Directory server.   I am trying to configure the IPA server to 
> allow the Active Directory Users to log into Gnome with a CAC smart card.  
> I’m having a hard time finding any instructions on how to do this.  The 
> problem I’m having is the Common Name from the smart card is not getting 
> associated with the Active Directory account.  I added the certificate from 
> the smart card to the IPA server by creating a User ID override for the AD 
> user account.  I made sure to not use authconfig to configure smart cards and 
> I added ifp to the services line in the sssd.conf file.
> 
> I have the following packages installed:
> ipa-admintools.noarch   4.4.0-14.el7_3.4
> ipa-client.x86_64   4.4.0-14.el7_3.4
> ipa-client-common.noarch   4.4.0-14.el7_3.4
> ipa-common.noarch   4.4.0-14.el7_3.4
> ipa-python-compat.noarch   4.4.0-14.el7_3.4
> ipa-server.x86_64   4.4.0-14.el7_3.4
> ipa-server-common.noarch   4.4.0-14.el7_3.4
> ipa-server-dns.noarch  4.4.0-14.el7_3.4
> ipa-server-trust-ad.x86_64  4.4.0-14.el7_3.4
> 
> I can log in with AD user accounts that are configured with UserName and 
> Passwords, so I know that the integration is working. When I try to log 
> into GDM with my smart card, I don't get prompted for a PIN number. It only 
> asks for the password from the AD account.

Please have a look at the steps described in
https://bugzilla.redhat.com/show_bug.cgi?id=1300420#c9 . Please let me
know if you run into issues.

HTH

bye,
Sumit
