[Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-15 Thread Lachlan Musicman
I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure
if it's better to report here or to the sssd mailing list. Also sssd in pagure is
bare and I didn't want to sully the blank slate. (
https://pagure.io/sssd/issues )

The details:

env: CentOS 7.3, FreeIPA 4.4, sssd 1.15.1 from COPR

On the IPA server:

- "ipa hbactest ..." returns TRUE, so everything seems set up correctly.


When I try to login to the test client, I get denied.

On the test client:

 - hbac_eval_user_element is returning a wrong value. This is seen in
sssd_domain.log, it's returning 25. My test user is in 37 groups. This is
seen on the IPA server via id username. On the test client id username
returns 36 groups, the one missing is an IPA (not AD) group that was made
for HBAC rules. I have sanitized logs available.

 -  taking ldbsearch -H /var/lib/sss/db/cache_domain.com.ldb
'(objectclass=user)' and finding the record in question shows the same 36
groups available. The missing group shouldn't affect ability to login via
HBAC

 - getent group (groupname) works as expected. Also worth noting that the
group missing from id username shows that user in getent.

For reference, on the client the sssd service was stopped, the cache
deleted, and the service started again the night before after which the
server wasn't accessed by anyone. I find that this is necessary for the
cache to populate.

Should I put in a bug report against SSSD or FreeIPA?

While HBAC is in FreeIPA, I think that this is an issue in SSSD
(specifically ?


cheers
L.




--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
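The post above compares the group list that `id` returns on the IPA server with the one on the client and notices one HBAC group missing on the client even though `getent group` there still lists the user as a member. The script below is an added example (not code from the poster or from SSSD) that automates that comparison: it parses the `id` output captured on each host, reports groups present on only one side or with differing GIDs, and flags the exact inconsistency described in the post, a group that the client's `getent group` resolves with the user as a member but that is absent from the user's own `id` group list. The user name, GIDs and all sample outputs are constructed for the example.

```python
"""Cross-check a user's group memberships between the IPA server and a client.

Added example, not code from the original post or from SSSD. Feed it the
output of `id <username>` captured on the server and on the client, plus the
client's `getent group <name>` lines for any groups that turn out missing.
All sample data below is constructed.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: `id testuser` on the IPA server and on the client.
SERVER_ID = ("uid=1001(testuser) gid=1001(testuser) "
             "groups=1001(testuser),1002(staff),1003(hbac-login),1004(devops)")
CLIENT_ID = ("uid=1001(testuser) gid=1001(testuser) "
             "groups=1001(testuser),1002(staff),1004(devops)")
# Constructed sample: `getent group hbac-login` on the client.
CLIENT_GETENT = ["hbac-login:*:1003:testuser,otheruser"]

_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(id_output: str) -> Dict[str, int]:
    """Return {group_name: gid} taken from the groups= field of `id` output."""
    match = re.search(r"groups=(.*)$", id_output.strip())
    if match is None:
        raise ValueError("no groups= field in id output: %r" % id_output)
    return {name: int(gid) for gid, name in _GROUP_RE.findall(match.group(1))}


def parse_getent_group(line: str) -> Tuple[str, int, Set[str]]:
    """Parse one `getent group` line (name:password:gid:member,member)."""
    name, _password, gid, members = line.strip().split(":", 3)
    return name, int(gid), {m for m in members.split(",") if m}


def diff_memberships(server: Dict[str, int], client: Dict[str, int]) -> Dict[str, List[str]]:
    """Groups present on only one side, and groups whose GID differs."""
    common = set(server) & set(client)
    return {
        "missing_on_client": sorted(set(server) - set(client)),
        "missing_on_server": sorted(set(client) - set(server)),
        "gid_mismatch": sorted(g for g in common if server[g] != client[g]),
    }


def cache_inconsistencies(diff: Dict[str, List[str]], getent_lines: Iterable[str],
                          username: str) -> List[str]:
    """Groups the client's `id` omits although its `getent group` lists the user.

    This is the symptom in the post: the group resolves and names the user as
    a member, yet the user's own group list (which is what HBAC evaluation on
    the client works from) does not contain it.
    """
    listed: Dict[str, Set[str]] = {}
    for line in getent_lines:
        name, _gid, members = parse_getent_group(line)
        listed[name] = members
    return [g for g in diff["missing_on_client"] if username in listed.get(g, set())]


def report(server_id: str, client_id: str, getent_lines: Iterable[str],
           username: str) -> List[str]:
    """Human-readable findings from the checks above."""
    diff = diff_memberships(parse_id_groups(server_id), parse_id_groups(client_id))
    findings = []
    for key in ("missing_on_client", "missing_on_server", "gid_mismatch"):
        for g in diff[key]:
            findings.append(f"{key}: {g}")
    for g in cache_inconsistencies(diff, getent_lines, username):
        findings.append(f"cache_inconsistent: {g} lists {username} in getent but is absent from id")
    return findings


if __name__ == "__main__":
    for line in report(SERVER_ID, CLIENT_ID, CLIENT_GETENT, "testuser"):
        print(line)
```

The `cache_inconsistent` finding is the one worth attaching to a bug report: it shows the client's cache holds the group-to-member link but not the member-to-group link, which is what HBAC evaluation consults.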

Re: [Freeipa-users] replica install seems to hang forever when "--setup-ca" is enabled - any advice?

2017-03-15 Thread Fraser Tweedale
On Wed, Mar 15, 2017 at 06:32:42PM -0400, Chris Dagdigian wrote:
> 
> Any tips for diving into this a bit more to troubleshoot?
> 
> For the 1st time I'm setting up an ipa-server 4.4 replica with CA features
> enabled but the replica install seems to hang forever here:
> 
> ...
> ...
> ...
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>   [1/27]: creating certificate server user
>   [2/27]: configuring certificate server instance
>   [3/27]: stopping certificate server instance to update CS.cfg
>   [4/27]: backing up CS.cfg
>   [5/27]: disabling nonces
>   [6/27]: set up CRL publishing
>   [7/27]: enable PKIX certificate path discovery and validation
>   [8/27]: starting certificate server instance
> 
> < no output after this >
> 
> 
> The replica-install.log file ends here:
> 
> ...
> ...
> ...
> 2017-03-15T22:16:05Z DEBUG Starting external process
> 2017-03-15T22:16:05Z DEBUG args=/bin/systemctl is-active
> pki-tomcatd@pki-tomcat.service
> 2017-03-15T22:16:05Z DEBUG Process finished, return code=0
> 2017-03-15T22:16:05Z DEBUG stdout=active
> 
> 2017-03-15T22:16:05Z DEBUG stderr=
> 2017-03-15T22:16:05Z DEBUG wait_for_open_ports: localhost [8080, 8443]
> timeout 300
> 2017-03-15T22:16:06Z DEBUG Waiting until the CA is running
> 2017-03-15T22:16:06Z DEBUG request POST
> http://deawilidmp001.XXX.org:8080/ca/admin/ca/getStatus
> 2017-03-15T22:16:06Z DEBUG request body ''
> 
> 
> 
> 
> I've confirmed that SELINUX is disabled, there is no firewall and the AWS
> Security Groups are allowing TCP:8080 and TCP:8443 to the replica instance.
> The systemctl command also verifies that
> pki-tomcatd@pki-tomcat.service is "active" as well.
> 
> 
> Any tips for debugging further?
> 
Could you please provide the /var/log/pki/pki-tomcat/ca/debug log
file?

Thanks,
Fraser



[Freeipa-users] replica install seems to hang forever when "--setup-ca" is enabled - any advice?

2017-03-15 Thread Chris Dagdigian


Any tips for diving into this a bit more to troubleshoot?

For the 1st time I'm setting up an ipa-server 4.4 replica with CA 
features enabled but the replica install seems to hang forever here:


...
...
...
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 
30 seconds

  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance

< no output after this >


The replica-install.log file ends here:

...
...
...
2017-03-15T22:16:05Z DEBUG Starting external process
2017-03-15T22:16:05Z DEBUG args=/bin/systemctl is-active 
pki-tomcatd@pki-tomcat.service

2017-03-15T22:16:05Z DEBUG Process finished, return code=0
2017-03-15T22:16:05Z DEBUG stdout=active

2017-03-15T22:16:05Z DEBUG stderr=
2017-03-15T22:16:05Z DEBUG wait_for_open_ports: localhost [8080, 8443] 
timeout 300

2017-03-15T22:16:06Z DEBUG Waiting until the CA is running
2017-03-15T22:16:06Z DEBUG request POST 
http://deawilidmp001.XXX.org:8080/ca/admin/ca/getStatus

2017-03-15T22:16:06Z DEBUG request body ''




I've confirmed that SELINUX is disabled, there is no firewall and the 
AWS Security Groups are allowing TCP:8080 and TCP:8443 to the replica 
instance. The systemctl command also verifies that

pki-tomcatd@pki-tomcat.service is "active" as well.


Any tips for debugging further?


Regards,
Chris


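The install log above stops at the installer's POST to `/ca/admin/ca/getStatus`, the poll it uses to wait for the CA to come up. The script below is an added example, not FreeIPA code: it performs the same poll with an explicit timeout and records every observation, so a hang can be classified as "the CA never answered", "the answer was not parsable" or "the CA answered with a status other than running". It assumes the reply is the Dogtag XMLResponse document with a `<Status>` element; the hostname in `CA_STATUS_URL` is a placeholder, and the responses used in the self-test are constructed.

```python
"""Poll the CA status endpoint the way the replica installer's wait does.

Added example, not code from FreeIPA. Assumptions: the endpoint answers with
an XMLResponse document containing a <Status> element; CA_STATUS_URL is a
placeholder to replace with the replica's own hostname.
"""
import time
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional, Tuple

CA_STATUS_URL = "http://replica.example.test:8080/ca/admin/ca/getStatus"  # placeholder


def http_fetch(url: str = CA_STATUS_URL, timeout: float = 10.0) -> bytes:
    """Real fetch, mirroring the log above: a POST with an empty body."""
    with urllib.request.urlopen(url, data=b"", timeout=timeout) as resp:
        return resp.read()


def parse_ca_status(body: bytes) -> Optional[str]:
    """Return the <Status> text of a getStatus reply, or None if not parsable."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find("Status")
    return node.text.strip() if node is not None and node.text else None


def wait_for_ca(fetch: Callable[[], bytes], timeout: float, interval: float = 2.0,
                clock: Callable[[], float] = time.monotonic,
                sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, List[str]]:
    """Poll fetch() until the CA reports "running" or the timeout elapses.

    Returns (ok, observations); the observation log is what to attach to a
    report when the wait fails. clock/sleep are injectable for testing.
    """
    start = clock()
    observations: List[str] = []
    while True:
        try:
            status = parse_ca_status(fetch())
        except OSError as exc:  # connection refused, reset, socket timeout ...
            status = None
            observations.append(f"t+{clock() - start:.0f}s connect error: {exc}")
        else:
            observations.append(f"t+{clock() - start:.0f}s status={status}")
        if status == "running":
            return True, observations
        if clock() - start >= timeout:
            return False, observations
        sleep(interval)


if __name__ == "__main__":
    ok, log = wait_for_ca(http_fetch, timeout=300)
    print("\n".join(log))
    print("CA running" if ok else "CA did not report running within the timeout")
```

If the log shows connect errors throughout, the problem is before Tomcat (ports, binding, the service itself); if it shows a status that never becomes `running`, the CA's own debug log, which the reply asks for, is the place to look.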


[Freeipa-users] Announcing SSSD 1.15.2

2017-03-15 Thread Jakub Hrozek
SSSD 1.15.2
===========

The SSSD team is proud to announce the release of version 1.15.2 of the
System Security Services Daemon.

The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/

RPM packages will be made available for Fedora shortly.

Feedback
--------

Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Highlights
----------
 * It is now possible to configure certain parameters of a trusted domain
   in a configuration file sub-section. In particular, it is now possible
   to configure which Active Directory DCs the SSSD talks to with a
   configuration like this::

[domain/ipa.test]
# IPA domain configuration. This domain trusts a Windows domain win.test

[domain/ipa.test/win.test]
ad_server = dc.win.test

 * Several issues related to socket-activating the NSS service, especially
   if SSSD was configured to use a non-privileged user, were fixed.
   The NSS service now doesn't change the ownership of its log files to
   avoid triggering a name-service lookup while the NSS service is not
   running yet. Additionally, the NSS service is started before any other
   service to make sure username resolution works and the other service
   can resolve the SSSD user correctly.

 * A new option "cache_first" allows the administrator to change the way
   multiple domains are searched. When this option is enabled, SSSD will
   first try to "pin" the requested name or ID to a domain by searching
   the entries that are already cached and contact the domain that contains
   the cached entry first. Previously, SSSD would check the cache and the
   remote server for each domain. This option brings performance benefit
   for setups that use multiple domains (even auto-discovered trusted
   domains), especially for ID lookups that would previously iterate over
   all domains. Please note that this option must be enabled with care as the
   administrator must ensure that the ID space of domains does not overlap.

 * The SSSD D-Bus interface gained two new methods:
   "FindByNameAndCertificate" and "ListByCertificate". These methods
   will be used primarily by IPA and
   `mod_lookup_identity 
   to correctly match multiple users who use the same certificate for Smart
   Card login.

 * A bug where SSSD did not properly sanitize a username with a newline
   character in it was fixed.

Packaging Changes
-----------------
None in this release

Documentation Changes
---------------------
 * A new option "cache_first" was added. Please see the Highlights
   section for more details

 * The "override_homedir" option supports a new template expansion "l"
   that expands to the first letter of username


Tickets Fixed
-------------
Please note that due to a bug in the pagure.io tracker, some tickets that
have dependencies set to other tickets cannot be closed at the moment.

 *  - Newline characters (\n) must be 
sanitized before LDAP requests take place
 *  - sssd-secrets doesn't exit on idle 
 *  - sssd ignores entire groups from 
proxy provider if one member is listed twice 
 *  - when group is invalidated using 
sss_cache dataExpireTimestamp entry in the domain and timestamps cache are 
inconsistent 
 *  - [RFE] Add more flexible 
templating for override_homedir config option 
 *  - Make it possible to configure AD 
subdomain in the server mode 
 *  - chown in ExecStartPre of 
sssd-nss.service hangs forever 
 *   - Login time increases strongly if 
more than one domain is configured 
 *  - use the sss_parse_inp request in 
other responders than dbus 

Detailed Changelog
------------------
* Fabiano Fidêncio (7):

  * RESPONDER: Wrap up the code to setup the idle timeout
  * SECRETS: Shutdown the responder in case it becomes idle
  * CACHE_REQ: Move cache_req_next_domain() into a new tevent request
  * CACHE_REQ: Check the caches first
  * NSS: Don't set SocketUser/SocketGroup as "sssd" in sssd-nss.socket
  * NSS: Ensure the NSS socket is started before any other services' sockets
  * NSS: Don't call chown on NSS service's ExecStartPre

* Ignacio Reguero (1):

  * UTIL: first letter of user name template for override_homedir

* Jakub Hrozek (9):

  * Updating the version for the 1.15.2 release
  * Allow manual start for sssd-ifp
  * NSS: Fix invalidating memory cache for subdomain users
  * UTIL: Add a new macro SAFEALIGN_MEMCPY_CHECK
  * UTIL: Add a 
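Two items in the highlights above lend themselves to a configuration check: the new `[domain/ipa.test/win.test]` sub-section for a trusted domain, and the `cache_first` option with its warning that the ID spaces of the domains must not overlap. The linter below is an added example, not code from the SSSD project. It reads an sssd.conf-style file with `configparser`, reports trusted-domain sub-sections whose parent `[domain/X]` section is missing, and, only when `cache_first` is enabled, reports pairs of domain sections whose configured `min_id`/`max_id` ranges overlap. Assumptions: `cache_first` is looked up in `[sssd]` and in the responder sections; `min_id` defaults to 1 and a `max_id` of 0 means no upper bound, as in sssd.conf(5); the sample configuration is constructed.

```python
"""Lint an sssd.conf for trusted-domain sub-sections and cache_first ID overlap.

Added example, not code from the SSSD project. Assumptions: cache_first is
read from [sssd] and the responder sections; min_id defaults to 1 and
max_id = 0 means unbounded (sssd.conf(5)). The sample config is constructed.
"""
import configparser
from typing import Dict, List, Tuple

RESPONDER_SECTIONS = ("sssd", "nss", "pam", "sudo", "ssh", "autofs", "ifp", "secrets")

SAMPLE_CONF = """\
[sssd]
domains = ipa.test
services = nss, pam

[nss]
cache_first = True

[domain/ipa.test]
id_provider = ipa
ipa_domain = ipa.test
min_id = 1000
max_id = 199999

[domain/ipa.test/win.test]
ad_server = dc.win.test
min_id = 150000
max_id = 299999
"""


def load_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def domain_sections(cp: configparser.ConfigParser) -> List[str]:
    return [s for s in cp.sections() if s.startswith("domain/")]


def orphan_subdomains(cp: configparser.ConfigParser) -> List[str]:
    """[domain/X/Y] sub-sections whose parent [domain/X] is not configured."""
    present = set(domain_sections(cp))
    orphans = []
    for sec in present:
        parts = sec.split("/")
        if len(parts) == 3 and "/".join(parts[:2]) not in present:
            orphans.append(sec)
    return sorted(orphans)


def cache_first_enabled(cp: configparser.ConfigParser) -> bool:
    return any(cp.getboolean(s, "cache_first", fallback=False)
               for s in RESPONDER_SECTIONS if cp.has_section(s))


def id_ranges(cp: configparser.ConfigParser) -> Dict[str, Tuple[int, int]]:
    """Configured (min_id, max_id) per domain section; max_id 0 = no upper bound."""
    ranges = {}
    for sec in domain_sections(cp):
        lo = cp.getint(sec, "min_id", fallback=1)
        hi = cp.getint(sec, "max_id", fallback=0)
        ranges[sec] = (lo, hi if hi > 0 else 2 ** 32 - 1)
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of sections whose ID ranges intersect."""
    names = sorted(ranges)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                pairs.append((a, b))
    return pairs


def lint(text: str) -> List[str]:
    """All findings for one sssd.conf text, as human-readable lines."""
    cp = load_conf(text)
    findings = [f"orphan subdomain section: [{s}]" for s in orphan_subdomains(cp)]
    if cache_first_enabled(cp):
        for a, b in overlapping_ranges(id_ranges(cp)):
            findings.append(f"cache_first is on but ID ranges of [{a}] and [{b}] overlap")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

With `cache_first` off, overlapping ranges are only a performance concern; with it on, an ID that exists in more than one domain can be pinned to whichever domain happens to be cached first, which is why the announcement asks for non-overlapping ID spaces.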

Re: [Freeipa-users] Windows Clients can´t access linux services using kerberos

2017-03-15 Thread Carlos Raúl Laguna
Still trying to understand why Windows clients do not pass authentication
on a kerberized proxy in a scheme where there is a forest trust. I assumed
that in a forest trust, cross-authentication between realms was established
automatically; am I wrong about this?

I am using FreeIPA 4.4.3 and I can access any Linux host enrolled in IPA
with my Windows credentials; SSO works just fine from any Linux host. Any
idea what I am missing? Thanks in advance

2017-03-15 3:18 GMT-04:00 Carlos Raúl Laguna :

> Hello everyone, I need some help with this. I have set up an IPA 4.4.3
> server and I have established a forest trust relationship with Active
> Directory; everything looks good. After following this guide
> http://www.freeipa.org/index.php?title=Squid_Integration_with_FreeIPA_using_Single_Sign_On&redirect=no
> it has worked without problems on Linux clients, but it has not been so on
> my Windows clients. Have I overlooked something? How should the Windows
> clients' ticket be registered by the proxy? Thanks for your help, any
> inside will help me.
>

[Freeipa-users] Announcing FreeIPA 4.5.0

2017-03-15 Thread Martin Basti
Release date: 2017-03-15

The FreeIPA team would like to announce FreeIPA 4.5.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 25 and Fedora 26 will be available soon in the official COPR
repository: 


This announcement is also available at
.


== Highlights in 4.5.0 ==

=== Enhancements ===
==== AD User Short Names ====
Support for AD users short names has been added. Short names can be
enabled from CLI by setting `ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"`
or from WebUI under ''Configuration'' tab. No manual configuration on
SSSD side is required.

Please note that this feature is not supported by SSSD yet and the work
is tracked with 
* 

==== FIPS 140-2 Support ====
FreeIPA server and client can be installed on FIPS enabled systems. MD5
fingerprints have been replaced with SHA256. Variable ''fips_mode'' has
been added to env that indicates whether FIPS is turned on the server.

Please note that FIPS 140-2 support may not work on some platforms
because all dependencies of FreeIPA must support FIPS 140-2, which we
cannot guarantee. (Should work with RHEL 7.4+.) The FreeIPA code itself
is FIPS 140-2 compatible.
* 

==== Certificate Identity Mapping ====
Support for multiple certificates on smart cards has been added. The user
can choose which certificate is used to authenticate. This allows defining
multiple certificates per user.
The same certificate can be used by different accounts, and the mapping
between a certificate and an account can be done through binary match of
the whole certificate or a match on custom certificate attributes (such
as Subject + Issuer).
* 

==== Improvements for Containerization ====
AD trust and KRA can be installed in one step in containers without need
to call subsequent ipa-adtrust-install and ipa-kra-install in containers.
Option ''--setup-adtrust'' has been added to ''ipa-server-install'' and
''ipa-replica-install'', and option ''--setup-kra'' has been added to
''ipa-server-install''.
* 
* 

==== Semi-automatic Integration with External DNS ====
Option "--out" has been added to the command "ipa
dns-update-system-records". This option allows storing IPA system DNS
records in nsupdate format in the specified file, which can then be used
with the nsupdate command to update records on an external DNS server.
For more details see this howto

* 

=== Known Issues ===
* CLI doesn't work after ''ipa-restore''

* AD Trust doesn't work with enabled FIPS mode

* ''cert-find'' does not find all certificates without sizelimit=0


=== Bug fixes ===
Contains all bugfixes and enhancements of the 4.4.1, 4.4.2 and 4.4.3 releases

==== Installers Refactoring ====
The installers code base has been migrated into modules and much code
duplication has been removed.
* 

==== "Normal" group has been renamed to "Non-POSIX" in WebUI ====
In the web UI, the group type label "Normal" has been changed to
"Non-POSIX" to be compatible with CLI options. The semantics of group
types is unchanged.
* 

==== Build System Refactoring ====
Several improvements of the FreeIPA build system have been made. If you
are a package maintainer, please read the following design document.
* 

==== LDAP Connection Management Refactoring ====
LDAP connection management has been standardized across FreeIPA and
should prevent LDAP connection issues during installation and upgrades
in future.
* 

==== Do not fail when IPA server has shortname first in /etc/hosts ====
Kerberos client library is now instructed to not attempt to canonicalize
hostnames when issuing TGS requests. This improves security by avoiding
DNS lookups during canonicalization and also improves robustness of
service principal lookups in more complex DNS environments (clouds,
containerized applications). Due to this change in behavior, care must
be taken to specify correct FQDN in host/service principals as no
attempt to resolve e.g. short names will be made.
* 

==== Replica Connection Check Improvements ====
Improved connection check reduces possibility of failure in further
installation steps. Now ports on both IPv4 and 

Re: [Freeipa-users] any idea this error ? relate to memory?

2017-03-15 Thread Rob Crittenden
Alexander Bokovoy wrote:
> On Wed, 15 Mar 2017, barry...@gmail.com wrote:
>> 8443 port already firewall open but still fail..1G memory only in web
>> hosting..free 600 M still
>>
>> 2017-03-15T01:36:47Z DEBUG The ipa-server-install command failed,
>> exception: NetworkError: cannot connect to '
>> https://centralaws.ABC.com:8443/ca/rest/account/login': Could not connect
>> to centralaws.ABC.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR)
>> Network address type not supported.
>> 2017-03-15T01:36:47Z ERROR cannot connect to '
>> https://aws.ABC.com:8443/ca/rest/account/login': Could not connect to
>> centralaws.ABC.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR)
>> Network address type not supported.
>> 2017-03-15T01:36:47Z ERROR The ipa-server-install command failed. See
>> /var/log/ipaserver-install.log for more information
> PR_ADDRESS_NOT_SUPPORTED_ERROR means your kernel does not have support
> for IPv6, it seems.
> 

I think these are basically just standard connection issues. The NSPR
error is a bit misleading, it just means it tried IPv4 and failed, then
IPv6 and failed and then ran out of network types to try so it gave up.

But in my experience at least 1.5GB of RAM are required for an IPA
install with a CA. This is the minimum size I used when developing IPA
on Fedora.

rob



Re: [Freeipa-users] Fedora 25 IPA smart card login

2017-03-15 Thread Sumit Bose
On Tue, Mar 14, 2017 at 04:29:58PM -0500, Michael Rainey (Contractor) wrote:
> Greetings,
> 
> I have been working on an issue with smart card logins on a Fedora 25
> system.  For a short time smart card logins have been working well, but
> suddenly the login process has stopped working.  I have verified
> that all appropriate certificates are installed, checked my dconf
> configuration, checked my PAM files, and reviewed the logs.  I have noticed
> a few issues, but changing them to match my SL7 systems did not resolve the
> problem.

At first glance the config files are looking good.

Please send /var/log/secure or the PAM related journal data and the SSSD
logs files with debug_level=10. If you prefer you can send them directly
to me.

bye,
Sumit

> 
> My observation has been with my PAM files and authconfig.  I have noticed
> that when an update occurs, authconfig will run changing my PAM files.  Has
> IPA been integrated with authconfig or do I still need to keep the options
> in authconfig largely disabled and manually modify my PAM files?
> 
> System Information:
> 
> 
> Package:
> freeipa-client.x86_64    4.4.3-2.fc25
> 
> PAM:
> -
> smartcard-auth-ac
> -
> auth        required      pam_env.so
> auth        sufficient    pam_sss.so allow_missing_name
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> 
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> 
> -
> password-auth-ac
> -
> auth        required      pam_env.so
> auth        [default=1 success=ok] pam_localuser.so
> auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so forward_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> 
> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> 
> -
> DCONF: org.gnome.login-screen
> -
> org.gnome.login-screen fallback-logo ''
> org.gnome.login-screen disable-user-list false
> org.gnome.login-screen allowed-failures 3
> org.gnome.login-screen enable-smartcard-authentication true
> org.gnome.login-screen banner-message-enable false
> org.gnome.login-screen enable-password-authentication true
> org.gnome.login-screen disable-restart-buttons false
> org.gnome.login-screen logo '/usr/share/pixmaps/fedora-gdm-logo.png'
> org.gnome.login-screen enable-fingerprint-authentication true
> org.gnome.login-screen banner-message-text ''
> 
> -- 
> *Michael Rainey*
> Network Representative
> Naval Research Laboratory, Code 7320
> Building 1009, Room C156
> Stennis Space Center, MS 39529
> 




[Freeipa-users] Replication issue

2017-03-15 Thread tarak sinha
Hi Guys,

I have a multi-master replication IPA setup; is there any way to check the
status of replication from all the nodes centrally? I have encountered a
replication failed issue on my consumer while checking the slapd log file.

Can anyone tell me how to check the status of replication, whether it
failed or succeeded?

-- 

*Thanks,*

*TN*
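As an added example (not FreeIPA's own tooling, and not from the poster), here is one way to get the central view the question asks for: run `ipa-replica-manage list -v <master>` against each master, collect the outputs, and let a script flag every agreement whose last update did not finish with `Error (0)` or whose last update is older than a chosen age. The parser assumes the output shape that command prints (a `<peer>: replica` line followed by indented `last init/update status` and `... ended` lines); the sample output, host names and reference time are constructed.

```python
"""Summarise replication agreement health across several IPA masters.

Added example, not FreeIPA code. Parses the per-agreement blocks printed by
`ipa-replica-manage list -v <master>` (assumed format shown in the sample)
and flags failed or stale agreements. Samples and reference time are
constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample: output of `ipa-replica-manage list -v ipa1.example.test`.
SAMPLE_OUTPUTS = {
    "ipa1.example.test": """\
ipa2.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2017-03-15 09:58:12+00:00
ipa3.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1)  - LDAP error: Can't contact LDAP server
  last update ended: 2017-03-14 21:03:40+00:00
""",
}
# Constructed reference time used when evaluating the sample.
NOW = datetime(2017, 3, 15, 10, 0, 0, tzinfo=timezone.utc)

_HEADER_RE = re.compile(r"^(\S+): replica\s*$")
_FIELD_RE = re.compile(r"^\s+(last (?:init|update) (?:status|ended)): (.*)$")
_ERRCODE_RE = re.compile(r"Error \((-?\d+)\)")


def parse_agreements(output: str) -> List[Dict[str, str]]:
    """One dict per agreement: {'peer': ..., 'last update status': ..., ...}."""
    agreements: List[Dict[str, str]] = []
    for line in output.splitlines():
        header = _HEADER_RE.match(line)
        if header:
            agreements.append({"peer": header.group(1)})
            continue
        field = _FIELD_RE.match(line)
        if field and agreements:
            agreements[-1][field.group(1)] = field.group(2).strip()
    return agreements


def parse_ended(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S%z")


def check_agreement(agreement: Dict[str, str], now: datetime, max_age: timedelta) -> List[str]:
    """Problems with one agreement: non-zero error code or stale last update."""
    problems = []
    status = agreement.get("last update status", "")
    code = _ERRCODE_RE.search(status)
    if code is None or int(code.group(1)) != 0:
        problems.append(f"update status: {status or 'missing'}")
    ended = agreement.get("last update ended")
    if ended:
        age = now - parse_ended(ended)
        if age > max_age:
            problems.append(f"last update {age} ago")
    else:
        problems.append("no last update timestamp")
    return problems


def check_all(outputs: Dict[str, str], now: datetime,
              max_age: timedelta = timedelta(hours=1)) -> List[str]:
    """Findings across all masters, one line per problem."""
    findings = []
    for master, output in sorted(outputs.items()):
        for agreement in parse_agreements(output):
            for problem in check_agreement(agreement, now, max_age):
                findings.append(f"{master} -> {agreement['peer']}: {problem}")
    return findings


if __name__ == "__main__":
    for line in check_all(SAMPLE_OUTPUTS, NOW) or ["all agreements healthy"]:
        print(line)
```

Running the command from every master (rather than one) matters because each master only reports the agreements it initiates; a peer that is reachable from one master and not another shows up as a failure on one side only.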

Re: [Freeipa-users] any idea this error ? relate to memory?

2017-03-15 Thread Alexander Bokovoy

On Wed, 15 Mar 2017, barry...@gmail.com wrote:
> 8443 port already firewall open but still fail..1G memory only in web
> hosting..free 600 M still
>
> 2017-03-15T01:36:47Z DEBUG The ipa-server-install command failed,
> exception: NetworkError: cannot connect to '
> https://centralaws.ABC.com:8443/ca/rest/account/login': Could not connect
> to centralaws.ABC.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR)
> Network address type not supported.
> 2017-03-15T01:36:47Z ERROR cannot connect to '
> https://aws.ABC.com:8443/ca/rest/account/login': Could not connect to
> centralaws.ABC.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR)
> Network address type not supported.
> 2017-03-15T01:36:47Z ERROR The ipa-server-install command failed. See
> /var/log/ipaserver-install.log for more information

PR_ADDRESS_NOT_SUPPORTED_ERROR means your kernel does not have support
for IPv6, it seems.

--
/ Alexander Bokovoy



[Freeipa-users] any idea this error ? relate to memory?

2017-03-15 Thread barrykfl
8443 port already firewall open but still fail..1G memory only in web
hosting..free 600 M still

2017-03-15T01:36:47Z DEBUG The ipa-server-install command failed,
exception: NetworkError: cannot connect to '
https://centralaws.ABC.com:8443/ca/rest/account/login': Could not connect
to centralaws.ABC.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR)
Network address type not supported.
2017-03-15T01:36:47Z ERROR cannot connect to '
https://aws.ABC.com:8443/ca/rest/account/login': Could not connect to
centralaws.ABC.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR)
Network address type not supported.
2017-03-15T01:36:47Z ERROR The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information

thx

[Freeipa-users] Windows Clients can´t access linux services using kerberos

2017-03-15 Thread Carlos Raúl Laguna
Hello everyone, I need some help with this. I have set up an IPA 4.4.3 server
and I have established a forest trust relationship with Active Directory;
everything looks good. After following this guide
http://www.freeipa.org/index.php?title=Squid_Integration_with_FreeIPA_using_Single_Sign_On&redirect=no
it has worked without problems on Linux clients, but it has not been so on my
Windows clients. Have I overlooked something? How should the Windows clients'
ticket be registered by the proxy? Thanks for your help, any inside will help
me.