Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Matt .
You are almost right, the box only needs to lookup users/groups from
another IPA server for environment admins. The "LDAP Only" on this IPA
server (and client) won't do anything on the whole network layer, only
some webapp is talking to it and its users don't have anything to do
with the network at all, but I think it's nice when I don't have to
maintain my local users there to login to the box for maintenance so I
thought it would be nice when SSSD checked my default IPA-environment
server for that.

2017-04-07 23:24 GMT+02:00 Rob Crittenden :
> Matt . wrote:
>> Nope, I provision my servers and they are added to my FreeIPA
>> environment which auths my sysadmins. But on a server I provisioned
>> I need to install FreeIPA as well, but without dns and ca, so it's
>> doing ldap only actually.
>>
>> When I want to install FreeIPA server on this IPA client it tells me
>> (which is logical):
>>
>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA client is
>> already configured on this system.
>> Please uninstall it before configuring the IPA server, using
>> 'ipa-client-install --uninstall'
>>
>> So what I want to do is install FreeIPA server on it but using local
>> system accounts to be auth against the former IPA server the client
>> was assigned to.
>>
>> So:
>>
>> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
>> with FreeIPA (no dns and CA) as well but I want to have local
>> sysaccounts that login to cli and such auth against IPA01 after it's
>> installed with FreeIPA and the clientconfig for sssd is not there
>> anymore because of the 'ipa-client-install --uninstall'
>
> Still very confusing. LDAP has nothing to do with this. IPA is always at
> least LDAP + Kerberos + Apache + a few other minor services. So it's
> better to just say no DNS and no CA, though that isn't really relevant
> since those are always optional.
>
> It sounds like what you want to do is, on the same box, install IPA
> server and configure the local machine to point to a DIFFERENT IPA
> server for user/group lookups?
>
> You might be able to do it via sssd but it would be an unsupportable
> nightmare.
>
> rob
>
>>
>> 2017-04-07 23:11 GMT+02:00 Rob Crittenden :
>>> Matt . wrote:
 When I have a full ipa setup and I want to add a host to it that is
 installed or needs to be installed as IPA LDAP server only, is that
 possible ?
>>>
>>> If you're asking if only 389-ds can be configured on an IPA server, no,
>>> not using any IPA tools in any case.
>>>
 Of course the ipa-server-install complains that the agent is already
 configured on the host but there might be a way ? Or just copy the
>>> config back after the IPA LDAP only server is installed?
>>>
>>> I don't understand. Seeing the error message and commands might help.
>>>
>>> rob
>>>
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Rob Crittenden
Matt . wrote:
> Nope, I provision my servers and they are added to my FreeIPA
> environment which auths my sysadmins. But on a server I provisioned
> I need to install FreeIPA as well, but without dns and ca, so it's
> doing ldap only actually.
> 
> When I want to install FreeIPA server on this IPA client it tells me
> (which is logical):
> 
> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA client is
> already configured on this system.
> Please uninstall it before configuring the IPA server, using
> 'ipa-client-install --uninstall'
> 
> So what I want to do is install FreeIPA server on it but using local
> system accounts to be auth against the former IPA server the client
> was assigned to.
> 
> So:
> 
> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
> with FreeIPA (no dns and CA) as well but I want to have local
> sysaccounts that login to cli and such auth against IPA01 after it's
> installed with FreeIPA and the clientconfig for sssd is not there
> anymore because of the 'ipa-client-install --uninstall'

Still very confusing. LDAP has nothing to do with this. IPA is always at
least LDAP + Kerberos + Apache + a few other minor services. So it's
better to just say no DNS and no CA, though that isn't really relevant
since those are always optional.

It sounds like what you want to do is, on the same box, install IPA
server and configure the local machine to point to a DIFFERENT IPA
server for user/group lookups?

You might be able to do it via sssd but it would be an unsupportable
nightmare.

rob

> 
> 2017-04-07 23:11 GMT+02:00 Rob Crittenden :
>> Matt . wrote:
>>> When I have a full ipa setup and I want to add a host to it that is
>>> installed or needs to be installed as IPA LDAP server only, is that
>>> possible ?
>>
>> If you're asking if only 389-ds can be configured on an IPA server, no,
>> not using any IPA tools in any case.
>>
>>> Of course the ipa-server-install complains that the agent is already
>>> configured on the host but there might be a way ? Or just copy the
>> config back after the IPA LDAP only server is installed?
>>
>> I don't understand. Seeing the error message and commands might help.
>>
>> rob
>>



Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Matt .
Nope, I provision my servers and they are added to my FreeIPA
environment which auths my sysadmins. But on a server I provisioned
I need to install FreeIPA as well, but without dns and ca, so it's
doing ldap only actually.

When I want to install FreeIPA server on this IPA client it tells me
(which is logical):

ipa.ipapython.install.cli.install_tool(Server): ERROR IPA client is
already configured on this system.
Please uninstall it before configuring the IPA server, using
'ipa-client-install --uninstall'

So what I want to do is install FreeIPA server on it but using local
system accounts to be auth against the former IPA server the client
was assigned to.

So:

IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
with FreeIPA (no dns and CA) as well but I want to have local
sysaccounts that login to cli and such auth against IPA01 after it's
installed with FreeIPA and the clientconfig for sssd is not there
anymore because of the 'ipa-client-install --uninstall'

2017-04-07 23:11 GMT+02:00 Rob Crittenden :
> Matt . wrote:
>> When I have a full ipa setup and I want to add a host to it that is
>> installed or needs to be installed as IPA LDAP server only, is that
>> possible ?
>
> If you're asking if only 389-ds can be configured on an IPA server, no,
> not using any IPA tools in any case.
>
>> Of course the ipa-server-install complains that the agent is already
>> configured on the host but there might be a way ? Or just copy the
> config back after the IPA LDAP only server is installed?
>
> I don't understand. Seeing the error message and commands might help.
>
> rob
>



Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Rob Crittenden
Matt . wrote:
> When I have a full ipa setup and I want to add a host to it that is
> installed or needs to be installed as IPA LDAP server only, is that
> possible ?

If you're asking if only 389-ds can be configured on an IPA server, no,
not using any IPA tools in any case.

> Of course the ipa-server-install complains that the agent is already
> configured on the host but there might be a way ? Or just copy the
> config back after the IPA LDAP only server is installed?

I don't understand. Seeing the error message and commands might help.

rob



[Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Matt .
When I have a full ipa setup and I want to add a host to it that is
installed or needs to be installed as IPA LDAP server only, is that
possible ?

Of course the ipa-server-install complains that the agent is already
configured on the host but there might be a way ? Or just copy the
config back after the IPA LDAP only server is installed?

Thanks,

Matt



Re: [Freeipa-users] user keytab retrieval

2017-04-07 Thread Simo Sorce
On Thu, 2017-04-06 at 22:18 +0200, Stijn De Weirdt wrote:
> hi rob,
> 
> > > i'm a bit puzzled by the following: i want to retrieve a user
> > > keytab
> > > using ipa-getkeytab -r (since the keytab for the same user was
> > > already
> > > retrieved on another host).
> > > 
> > > when doing so, i get
> > > 
> > > Failed to parse result: Insufficient access rights
> > > 
> > > however, i can get the keytab without the -r option.
> > > 
> > > anyone care to explain what access rights are required (or why
> > > this
> > > error occurs)?
> > 
> > Being able to retrieve an existing key means being able to read it
> > which
> > isn't granted by default.
> 
> ok, but why is a "regular" ipa-getkeytab no problem?

A regular keytab fetch operation invalidates previously obtained keys,
so when that happens, if the owner has not done it, they figure it out
pretty quickly.

Reading out keys leaves no traces, so that operation is restricted,
otherwise a rogue admin could exfiltrate all keys from a realm,
undetected.

You should create a host-group for each "cluster" of servers that need
to present the same identity, then allow this group read to the
specific key you want them to access. Ideally using the host's key to
fetch the shared service key. 

Simo.


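The setup Simo describes (a host group per cluster, read access granted on that one key, each member fetching with its own host credentials, and only the first member creating the key) as an added shell example; this is not code from the thread or from FreeIPA itself. The realm EXAMPLE.COM, the IPA server ipa01.example.com, the host group web-cluster and the service HTTP/web.example.com are assumed names. Only the two helper functions run offline; the `grant` and `fetch` actions call the real `ipa` and `ipa-getkeytab` tools and need an enrolled host.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: share one service key
# across a cluster via a host group with a read ACL on that single key,
# instead of handing anyone realm-wide key read access.
# Assumed names: realm EXAMPLE.COM, server ipa01.example.com,
# host group web-cluster, service HTTP/web.example.com.
set -eu

# True if $1 looks like a service principal (primary/instance@REALM).
# Plain user principals (alice@REALM) are rejected on purpose: the
# shared-identity pattern is for services, and silently reading out a
# user's key is exactly what the default ACLs are there to prevent.
is_service_principal() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+@[A-Za-z0-9._-]+$'
}

# Join arguments into the comma-separated list that --hosts= expects.
join_csv() {
  out=""
  for h in "$@"; do
    if [ -z "$out" ]; then out="$h"; else out="$out,$h"; fi
  done
  printf '%s' "$out"
}

# One-time setup, run with an admin ticket (kinit admin):
#   grant_shared_key_read HTTP/web.example.com@EXAMPLE.COM web-cluster \
#       web1.example.com web2.example.com
# Afterwards only members of the host group may create or read (-r) the
# key of this one service; no other key in the realm is affected.
grant_shared_key_read() {
  svc="$1"; hg="$2"; shift 2
  is_service_principal "$svc" || { echo "not a service principal: $svc" >&2; return 1; }
  ipa hostgroup-add "$hg" --desc="hosts presenting $svc" || true   # fine if it exists
  ipa hostgroup-add-member "$hg" --hosts="$(join_csv "$@")"
  ipa service-add "$svc" || true                                    # fine if it exists
  ipa service-allow-create-keytab "$svc" --hostgroups="$hg"
  ipa service-allow-retrieve-keytab "$svc" --hostgroups="$hg"
}

# Run as root on each cluster member, authenticating with the host's own
# key from /etc/krb5.keytab. The FIRST member generates the key (no -r,
# which bumps the kvno); every other member must pass -r so it reads the
# same key instead of rotating it out from under its peers.
#   fetch_shared_key ipa01.example.com HTTP/web.example.com@EXAMPLE.COM \
#       /etc/httpd/http.keytab -r
fetch_shared_key() {
  server="$1"; svc="$2"; out="$3"; mode="${4:-}"
  kinit -k                                  # host/<fqdn>@REALM from /etc/krb5.keytab
  ipa-getkeytab -s "$server" -p "$svc" -k "$out" $mode
  # The kvno must match on every member; a higher kvno on one box means a
  # fetch without -r happened and invalidated everyone else's copy.
  klist -k -t "$out"
}

case "${1:-}" in
  grant) shift; grant_shared_key_read "$@" ;;
  fetch) shift; fetch_shared_key "$@" ;;
  *) : ;;   # no arguments: only define the functions
esac
```

Granting `allow-create-keytab` to the whole host group keeps the first fetch off the admin's workstation (the admin never holds the key); if you would rather pin key creation to one member, grant create to that host alone with `--hosts=` and leave retrieve on the group.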

Re: [Freeipa-users] RHEL 6.9 AD Smart Card login

2017-04-07 Thread Sumit Bose
On Thu, Apr 06, 2017 at 06:36:43PM +, spammewo...@cox.net wrote:
> I have created a two way trust between my IDM server and Active Directory.
> I have been able to successfully get RHEL 7.3 IDM server and RHEL 7.3 IDM
> clients to allow Active Directory login using CAC smart cards into Gnome.
> I'm using SSSD for the smart card login process instead of authconfig and
> pkcs11. I'm currently trying to get the same thing working for RHEL 6.9,
> but I have not been able to get it to work. The latest version of SSSD on
> RHEL 6.9 is 1.13.3 and from my understanding I need to have at least 1.14.0
> for SSSD to handle AD smart card logins. So, I have tried to configure

The Smartcard authentication feature was backported to RHEL-6.9.

Please note that the GDM Smartcard feature must be configured
differently in RHEL6 than in RHEL7; details for RHEL-6.9 can e.g. be found
in https://bugzilla.redhat.com/show_bug.cgi?id=1300421#c13

HTH

bye,
Sumit

> pam_pkcs11.conf file to use the pwent mapper to link the Common Name (CN) to
> the Active Directory User account.   I have created an User ID Override for
> the AD user and  added CN name from the Certificate on the smart card into
> the GECOS field.   I also have added all three certificates from the CAC
> smart card into the User ID Override.
> 
> When I try and log in,  I get this error message in /var/log/secure:
> Apr  6 13:21:57 site-lws05 pam: gdm-smartcard:
> pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
> Apr  6 13:22:17 site-lws05 pam: gdm-smartcard:
> pam_pkcs11(gdm-smartcard:auth): find_user() failed:  on cert #1
> Apr  6 13:22:17 site-lws05 pam: gdm-smartcard:
> pam_pkcs11(gdm-smartcard:auth): find_user() failed:  on cert #2
> Apr  6 13:22:17 site-lws05 pam: gdm-smartcard:
> pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all
> requirements found
> 
> Here is the some details:
> IDM Domain: idm.domain.local
> Windows Domain: domain.local
> RHEL 7.3 IDM Server: site-idm01.idm.domain.local
> RHEL 6.9 IDM Client : site-lws05.idm.domain.local
> 
> When I run the getent command on local accounts and IDM accounts I get user
> details, but when I run the command on AD accounts it doesn't find them.
> So, I'm wondering if that's why it's not finding the CN name in the GECOS
> field. I'm trying to avoid using the cn_map on the clients, because we
> have a large amount of users and that's a lot of extra work to manage that
> file. That's why I wanted to use the pwent mapper.
> Here is my SSSD config file from the RHEL 6.9 client:
> [domain/idm.domain.local]
> override_shell = /bin/bash
> debug_level = 9
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = idm.domain.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = site-lws05.idm.domain.local
> chpass_provider = ipa
> ipa_server = _srv_, site-idm01.idm.domain.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> debug_level = 9
> services = nss, sudo, pam, ssh, ifp
> domains = idm.domain.local
> certificate_verification = no_ocsp
> ldap_user_certificate = userCertificate;binary
> [nss]
> debug_level = 9
> homedir_substring = /home
> [pam]
> debug_level = 9
> pam_cert_auth = True
> [sudo]
> debug_level = 9
> [autofs]
> debug_level = 9
> [ssh]
> debug_level = 9
> [pac]
> debug_level = 9
> [ifp]
> debug_level = 9
> 
> Here is my nsswitch file from the RHEL 6.9 client:
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #   nisplus Use NIS+ (NIS version 3)
> #   nis Use NIS (NIS version 2), also called YP
> #   dns Use DNS (Domain Name Service)
> #   files   Use the local files
> #   db  Use the local database (.db) files
> #   compat  Use NIS on compat mode
> #   hesiod  Use Hesiod for user lookups
> #   [NOTFOUND=return]   Stop searching if not found so far
> #
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:db files nisplus nis
> #shadow:db files nisplus nis
> #group: db files nisplus nis
> passwd: files sss
> shadow: files sss
> group:  files sss
> #hosts: db files nisplus nis dns
> hosts:  files dns
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:  

Re: [Freeipa-users] Password-based authentication with AD users does not work

2017-04-07 Thread Sumit Bose
On Fri, Apr 07, 2017 at 09:46:45AM +0200, Ronald Wimmer wrote:
> On 2017-04-06 20:50, Sumit Bose wrote:
> > On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
> > > On 2017-04-06 12:16, Sumit Bose wrote:
> > > > On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> > > > [...]
> > > > > AD trust:
> > > > > mydomain.at (forest root)
> > > > > xyz (subdomain -> where myuser resides)
> > > > > 
> > > > > BCC (appearing in krb5_child.log) is not a domain here. It is my 
> > > > > company's
> > > > > name and might derive from some information in the AD.
> > > > Yes, it is about the userPrincipalName attribute read from AD. Which IPA
> > > > server version do you use? Since RHEL-7.3 IPA supports those principals
> > > > coming from AD. For older versions you should add a workaround which is
> > > > e.g. described at the end of
> > > > https://www.redhat.com/archives/freeipa-users/2016-November/msg00069.html
> > > > 
> > > > HTH
> > > > 
> > > > bye,
> > > > Sumit
> > > 
> > > I am using an up-to-date RHEL 7.3 IPA master. Is there no possibility to
> > > override it?
> > 
> > Please check on the server with
> > 
> > ipa trust-find
> > 
> > if the BCC domain is listed as 'UPN suffixes:'. If not please try
> > 
> > ipa trust-fetch-domains
> > 
> > and check again. If the domain is listed then a 7.3 IPA client should be
> > able to detect it automatically; on older clients you should set
> > 'krb5_use_enterprise_principal = True' manually in sssd.conf.
> 
> I just checked with our AD guys. ipa trust-find only shows five UPN
> suffixes. There are many more which are not shown including bcc.mydomain.at
> 
> Any idea why only a subset is shown?

I'm not aware of any limitation here. Have you tried to run 'ipa
trust-fetch-domains ad.forest.root' to update the list?

If this does not help please add 'log level = 100' to
/usr/share/ipa/smb.conf.empty so that it looks like:

[global]
log level = 100

and run trust-fetch-domains again. The debug output can then be found
in /var/log/httpd/error_log. The logs might contain data which should
not be shared publicly, so feel free to send them to me directly.

bye,
Sumit


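The check-then-refresh sequence from Sumit's reply (is the suffix in `ipa trust-find`, if not run `ipa trust-fetch-domains` against the forest root, and only then turn on the smb.conf.empty debug logging) as an added shell example; it is not code from the thread or from FreeIPA. The `ipa trust-find` output embedded below is a constructed sample with placeholder SID digits, and the forest root name is taken from the thread only as an illustration. The parsing functions run offline; `refresh_trust` calls the real `ipa` client and touches files under /usr/share/ipa and /var/log/httpd, so it needs root on an IPA server.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: test whether a UPN
# suffix is known to the trust before digging through debug logs, and
# apply the refresh / debug steps from the reply in order.
set -eu

# Constructed sample of `ipa trust-find` output (SID digits are placeholders).
SAMPLE_TRUST_FIND='---------------
1 trust matched
---------------
  Realm name: mydomain.at
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-1-5-21-1111111111-2222222222-3333333333
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  UPN suffixes: xyz.mydomain.at, corp.example, upn.mydomain.at
----------------------------
Number of entries returned 1
----------------------------'

# Read trust-find output on stdin; print every UPN suffix, one per line,
# lowercased (Kerberos realm/UPN matching here is case-insensitive).
upn_suffixes() {
  sed -n 's/^[[:space:]]*UPN suffixes:[[:space:]]*//p' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | tr 'A-Z' 'a-z' \
    | grep -v '^$'
}

# Exit 0 if the suffix in $1 is listed in the trust-find output on stdin.
has_upn_suffix() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  upn_suffixes | grep -Fxq "$want"
}

# Procedure from the reply, run as root on an IPA server with an admin
# ticket:  refresh_trust mydomain.at bcc.mydomain.at
refresh_trust() {
  forest_root="$1"; suffix="$2"
  smbconf=/usr/share/ipa/smb.conf.empty
  errlog=/var/log/httpd/error_log

  if ipa trust-find | has_upn_suffix "$suffix"; then
    echo "$suffix already listed"; return 0
  fi
  ipa trust-fetch-domains "$forest_root"
  if ipa trust-find | has_upn_suffix "$suffix"; then
    echo "$suffix listed after trust-fetch-domains"; return 0
  fi

  # Still missing: capture one fetch with samba debug output enabled, then
  # put the original file back so the server does not keep logging at
  # level 100 (the log carries trust internals that must not be shared).
  cp -p "$smbconf" "$smbconf.bak"
  printf '[global]\nlog level = 100\n' > "$smbconf"
  ipa trust-fetch-domains "$forest_root" || true
  cp -p "$smbconf.bak" "$smbconf"
  echo "debug output is in $errlog (review before sharing):"
  grep -i "$suffix" "$errlog" | tail -n 20 || true
  return 1
}

case "${1:-}" in
  refresh) shift; refresh_trust "$@" ;;
  *) : ;;   # no arguments: only define the functions
esac
```

Because the suffix check is a plain pipe over `ipa trust-find`, it can also be run from a client with a ticket, e.g. `ipa trust-find | has_upn_suffix bcc.mydomain.at`, before anyone escalates to the server-side debug run.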

Re: [Freeipa-users] Password-based authentication with AD users does not work

2017-04-07 Thread Ronald Wimmer

On 2017-04-06 20:50, Sumit Bose wrote:

On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:

On 2017-04-06 12:16, Sumit Bose wrote:

On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
[...]

AD trust:
mydomain.at (forest root)
xyz (subdomain -> where myuser resides)

BCC (appearing in krb5_child.log) is not a domain here. It is my company's
name and might derive from some information in the AD.

Yes, it is about the userPrincipalName attribute read from AD. Which IPA
server version do you use? Since RHEL-7.3 IPA supports those principals
coming from AD. For older versions you should add a workaround which is
e.g. described at the end of
https://www.redhat.com/archives/freeipa-users/2016-November/msg00069.html

HTH

bye,
Sumit


I am using an up-to-date RHEL 7.3 IPA master. Is there no possibility to
override it?


Please check on the server with

ipa trust-find

if the BCC domain is listed as 'UPN suffixes:'. If not please try

ipa trust-fetch-domains

and check again. If the domain is listed then a 7.3 IPA client should be
able to detect it automatically; on older clients you should set
'krb5_use_enterprise_principal = True' manually in sssd.conf.


I just checked with our AD guys. ipa trust-find only shows five UPN 
suffixes. There are many more which are not shown including bcc.mydomain.at


Any idea why only a subset is shown?
