Re: [Freeipa-users] Spam

2017-05-16 Thread Christopher Lamb
to be more precise, a few minutes after I post, and a few seconds after I
get the mail with my post from freeipa-users



From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: "freeipa-users@redhat.com" 
Date:   17/05/2017 06:26
Subject:Re: [Freeipa-users] Spam
Sent by:freeipa-users-boun...@redhat.com



 and I was feeling left out because I wasn't getting any spam, despite
other users reporting it.

Then I posted a new thread a few days ago, and within seconds I got several
spams, and did so for each post I made on that thread.

So as far as I can see, something is picking up fresh posts and responding
to those. I will probably get another dose (of spam) following this post.

Chris


From: Andrey Dudin 
To: Andrew Holway , Vinny Del Signore

Cc: "freeipa-users@redhat.com" 
Date: 17/05/2017 03:58
Subject: Re: [Freeipa-users] Spam
Sent by: freeipa-users-boun...@redhat.com



Me too.  I received a lot of spam messages from Amy Kristen.


Wed, 17 May 2017 at 3:16, Vinny Del Signore:
  Hi Andrew,

  I just sent my first mail today around 5:30pm EST and have already
  received five spam e-mails from "Amy Kristen". Three of these
  included nude photos. These are the two e-mail addresses used so far.
  Hoping this stops.


  -Vin

  Amy Kristen 
  Amy Kristen 





   

  From: Andrew Holway 
  To: "freeipa-users@redhat.com" 
  Date: 05/16/2017 07:54 PM
  Subject: [Freeipa-users] Spam
  Sent by: freeipa-users-boun...@redhat.com






  What's up with this weird spam. This is the only list where I see this.

  --
  Manage your subscription for the Freeipa-users mailing list:
  https://www.redhat.com/mailman/listinfo/freeipa-users
  Go to http://freeipa.org for more info on the project




--
Best regards, Andrey Dudin







Re: [Freeipa-users] Spam

2017-05-16 Thread Christopher Lamb
 and I was feeling left out because I wasn't getting any spam, despite
other users reporting it.

Then I posted a new thread a few days ago, and within seconds I got several
spams, and did so for each post I made on that thread.

So as far as I can see, something is picking up fresh posts and responding
to those. I will probably get another dose (of spam) following this post.

Chris




Re: [Freeipa-users] Kerberos clients, service tickets, and client to KDC interaction

2017-05-05 Thread Christopher Lamb

Hi Simo

Thanks, I was hoping you would throw your hat in the ring!

The background to the question is that I have a throwaway Python Kerberos
client using the GSS-API that caches service tickets, and a non-throwaway
Java Kerberos client, also using the GSS-API, that does not (yet) cache
service tickets. This implies the Java client could be hammering the KDC
with requests. I should now be able to confirm this with
/var/log/krb5kdc.log on my KDC.

On the issue of the Java client not caching service tickets, I posted a
Stack Overflow question last night.

http://stackoverflow.com/questions/43786908/java-gss-api-service-ticket-not-saved-in-credentials-cache-using-java

thanks

Chris



From:   Simo Sorce 
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Date:   05/05/2017 11:40
Subject:Re: [Freeipa-users] Kerberos clients, service tickets, and
client to KDC interaction



On Thu, 2017-05-04 at 18:02 +0200, Christopher Lamb wrote:
> Hi All
>
> Is the following statement correct?
>
> "If a kerberos client (e.g. a FreeIPA client) holds a service ticket
> to a service principal in its credentials cache, it no longer needs
> to interact with the KDC to access the service (assuming the ticket
> is still valid). i.e. if a kerberos client is not caching service
> tickets, each interaction with the service principal will require
> getting a new ticket from the KDC."

Yes this statement is correct.

> Are there logs on my FreeIPA-Server I can use to track ticket
> requests from clients, and prove or disprove my statement above?

On each KDC you can check /var/log/krb5kdc.log, which contains a log of
all requests received. If you have multiple IPA servers, you may need
to collect all servers' logs to see a complete picture, as a service may
request a ticket from any of the KDCs (although normally an IPA client
sticks to the same KDC via a locator plugin for libkrb5 and only falls
back to other KDCs if the preferred KDC is unreachable).

Simo.



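To turn Simo's pointer into a check, here is an added example (not code from the thread, from FreeIPA or from MIT krb5) that reads /var/log/krb5kdc.log lines, counts issued service tickets per client and service, and flags a client that keeps asking for the same service ticket under one TGT, which is what a client that does not cache service tickets looks like from the KDC side. The regular expression follows the MIT krb5kdc line format; the sample lines are constructed, with placeholder host names, principals and addresses. Logs from several KDCs can simply be concatenated, as Simo suggests.

```python
"""Count Kerberos ticket requests per client in an MIT krb5 KDC log.

Added example, not code from the thread or from FreeIPA. The regular
expression follows the line format MIT krb5kdc writes to
/var/log/krb5kdc.log; the sample lines below are constructed, with
placeholder host names, principals and addresses.
"""
import re
import sys
from collections import Counter

# Constructed sample of /var/log/krb5kdc.log (not from a real KDC):
# alice asks for the same HTTP service ticket three times under one TGT,
# bob asks once, carol asks for a service that does not exist.
SAMPLE_LOG = """\
May 05 11:40:01 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1493977201, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 05 11:40:02 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1493977201, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for HTTP/app.example.com@EXAMPLE.COM
May 05 11:40:03 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1493977201, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for HTTP/app.example.com@EXAMPLE.COM
May 05 11:40:04 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1493977201, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for HTTP/app.example.com@EXAMPLE.COM
May 05 11:40:05 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1493977205, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 05 11:40:06 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1493977205, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for HTTP/app.example.com@EXAMPLE.COM
May 05 11:40:07 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: UNKNOWN_SERVER: carol@EXAMPLE.COM for nfs/missing.example.com@EXAMPLE.COM, Server not found in Kerberos database
"""

# One AS_REQ/TGS_REQ line: timestamp, host, process, request kind, client
# address, outcome, optional authtime (only on ISSUE), client and service.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>[\d.a-fA-F:]+): "
    r"(?P<status>[A-Z_]+): (?:authtime (?P<authtime>\d+), )?"
    r".*?(?P<client>\S+@\S+) for (?P<service>\S+?)(?:,.*)?$"
)


def parse_kdc_log(text):
    """Yield one dict per AS_REQ/TGS_REQ line; lines of other shapes are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def tgs_requests_per_client_service(text):
    """Count issued service tickets per (client principal, service principal).

    A client that caches service tickets needs one TGS_REQ per service for
    the lifetime of that ticket; a high count here is the 'hammering' Chris
    wanted to confirm.
    """
    counts = Counter()
    for rec in parse_kdc_log(text):
        if rec["kind"] == "TGS_REQ" and rec["status"] == "ISSUE":
            counts[(rec["client"], rec["service"])] += 1
    return counts


def repeated_service_requests(text, threshold=2):
    """Return (client, service, authtime) tuples issued `threshold` or more times.

    authtime identifies the TGT the request was made with, so repeats under
    the same authtime are re-requests of a ticket the client already holds.
    """
    seen = Counter()
    for rec in parse_kdc_log(text):
        if rec["kind"] == "TGS_REQ" and rec["status"] == "ISSUE":
            seen[(rec["client"], rec["service"], rec["authtime"])] += 1
    return {key: n for key, n in seen.items() if n >= threshold}


def failures(text):
    """Count non-ISSUE outcomes (UNKNOWN_SERVER, PREAUTH_FAILED, ...) by status."""
    return Counter(rec["status"] for rec in parse_kdc_log(text) if rec["status"] != "ISSUE")


if __name__ == "__main__":
    # Usage: python kdc_log_stats.py /var/log/krb5kdc.log [logs from other KDCs ...]
    # With no arguments the constructed sample is analysed.
    text = "".join(open(p).read() for p in sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_LOG
    for (client, service), n in tgs_requests_per_client_service(text).most_common():
        print(f"{n:5d} TGS_REQ  {client} -> {service}")
    for (client, service, authtime), n in repeated_service_requests(text).items():
        print(f"repeat: {client} asked {n}x for {service} under TGT authtime {authtime}")
    print("failures:", dict(failures(text)))
```

Run it against the real log on each IPA server and compare the per-client counts before and after the Java client gains a credentials cache; the repeat table should collapse to one entry per service and TGT.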

[Freeipa-users] Kerberos clients, service tickets, and client to KDC interaction

2017-05-04 Thread Christopher Lamb


Hi All

Is the following statement correct?

"If a kerberos client (e.g. a FreeIPA client) holds a service ticket to a
service principal in its credentials cache, it no longer needs to interact
with the KDC to access the service (assuming the ticket is still valid).
i.e. if a kerberos client is not caching service tickets, each interaction
with the service principal will require getting a new ticket from the KDC."

Are there logs on my FreeIPA-Server I can use to track ticket requests from
clients, and prove or disprove my statement above?

Cheers

Chris

Re: [Freeipa-users] IPA, Samba and how can a Windows client access it

2016-06-16 Thread Christopher Lamb
Hi Detlev

Yes we have it working with Samba 4.x and IPA 4.x, pretty much as described
in the techslaves article.  I did intend to write a "how-to", but 1000
other things took over ... I made some notes at the time, which I will try
and dig out.

We did not use ipa-adtrust-install, so I can't comment on that.

Chris




From:   Detlev Habicht 
To: freeipa-users@redhat.com
Date:   16.06.2016 14:10
Subject:Re: [Freeipa-users] IPA,Samba and how can a Windows
client access it
Sent by:freeipa-users-boun...@redhat.com




Thank you,

I found an old post from you with this smb.conf:

security = user
passdb backend = ldapsam:ldap://ldap.my.example.com

ldap suffix = dc=my,dc=example,dc=com

ldap admin dn = cn=Directory Manager
ldap ssl = off

Is this still working with Samba 4.x and IPA 4.x?
I will try it soon.

Will "ipa-adtrust-install --add-sids" do all the config
I need for this? I think your hint with techslaves is
good, but not up to date.

Detlev

P.S.: Yes, I want the same; these clients are not members of a domain ...

--
  Detlev  | Institut fuer Mikroelektronische Systeme
  Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de
  + Handy+49 172 5415752  ---



On 16.06.2016 at 12:52, Christopher Lamb <
christopher.l...@ch.ibm.com> wrote:



  Hi Detlev

  If I have understood you correctly, you want to let Windows users
  access Samba "shares" using their IPA username/passwords?

  If so it is possible. We have both Windows and OSX workstations
  accessing unix fileshares like that.

  We did it more or less along the lines described here:
  http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

  If you search the archives of this forum with FreeIPA Samba Lamb you
  will find some previous threads on this topic.

  Chris


  From: Detlev Habicht 
  To: freeipa-users@redhat.com
  Date: 06/16/2016 10:49
  Subject: [Freeipa-users] IPA, Samba and how can a Windows client
  access it
  Sent by: freeipa-users-boun...@redhat.com





  Hi,

  First I thought it was an awkward question, but my smart colleague here
  also cannot help me, so I will try it:

  I read this and I have installed it:

  "Howto/Integrating a Samba File Server With IPA"
  http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

  This is working as described. But this works only for Linux so far.

  We are not able to find a configuration so that a single Windows client
  has access to the Samba server, only with its IPA account (username and
  password)! I don't want to use something like trusted AD. As I said, for
  the Windows clients I want to use only a username and password for Samba,
  using IPA.

  Well, this is the configuration as described in the docu:

  [global]
  workgroup = MY
  realm = MY.REALM
  dedicated keytab file = FILE:/etc/samba/samba.keytab
  kerberos method = dedicated keytab
  log file = /var/log/samba/log.%m
  security = ads

  Any idea what I can do for my wishes?

  Thank you!

  Detlev


  --
  Detlev | Institut fuer Mikroelektronische Systeme
  Habicht | D-30167 Hannover +49 511 76219662
  habi...@ims.uni-hannover.de
  + Handy +49 172 5415752 ---




Re: [Freeipa-users] IPA, Samba and how can a Windows client access it

2016-06-16 Thread Christopher Lamb
Hi Detlev

If I have understood you correctly, you want to let Windows users access
Samba "shares" using their IPA username/passwords?

If so it is possible. We have both Windows and OSX workstations accessing
unix fileshares like that.

We did it more or less along the lines described here:
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

If you search the archives of this forum with FreeIPA Samba Lamb you will
find some previous threads on this topic.

Chris




Re: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount

2016-03-19 Thread Christopher Lamb

Hi Jeff

As far as I can see, your command looks ok (though I don't know what your
dn should look like).

Did you run the "kinit admin" command before?

When I was doing the Samba + FreeIPA integration I found using an LDAP
browser (Apache Directory Studio) very useful to visualise the LDAP
"tree" (and even if required to manually edit objects )

Chris





From:   Jeff Goddard 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com
Date:   18.03.2016 16:43
Subject:Re: [Freeipa-users] Trouble creating userobjectlass
sambaSAMAccount



Christopher,

Thank you for the response. It seems my syntax is still not correct. Here
is the command and output I received:

[root@id-management-1 ~]# ldapmodify -Y GSSAPI < wrote:
  Hi Jeff

  When I last integrated FreeIPA and Samba I used ldapmodify to
  successfully add sambaSAMAccount and sambaGroupMapping.


  ldapmodify -Y GSSAPI <
  To: freeipa-users@redhat.com
  Date: 18.03.2016 16:11
  Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
  Sent by: freeipa-users-boun...@redhat.com




  Hello all,

  I'm following this guide:
  https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
   in attempts to have a SAMBA server with freeipa as the back-end
  authentication method. My problem is that the command:

  ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount

  fails with the message:

  ipa: ERROR: objectclass top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount not found.

  Using the web GUI I was able to add this field but it doesn't dynamically
  add it to my existing users and so I get errors such as:

  [2016/03/18 10:20:21.052605,  3] ../source3/lib/smbldap.c:579
  (smbldap_start_tls)
    StartTLS issued: using a TLS connection
  [2016/03/18 10:20:21.052661,  2] ../source3/lib/smbldap.c:794
  (smbldap_open_connection)
    smbldap_open_connection: connection opened
  [2016/03/18 10:20:21.055250,  3] ../source3/lib/smbldap.c:1013
  (smbldap_connect_system)
    ldap_connect_system: successful connection to the LDAP server
  [2016/03/18 10:20:21.056774,  4] ../source3/passdb/pdb_ldap.c:1496
  (ldapsam_getsampwnam)
    ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0
  [2016/03/18 10:20:21.056856,  3, pid=9121, effective(0, 0), real(0, 0),
  class=auth] ../source3/auth/check_samsec.c:400(check_sam_security)
    check_sam_security: Couldn't find user 'jgoddard' in passdb.
  [2016/03/18 10:20:21.056890,  5, pid=9121, effective(0, 0), real(0, 0),
  class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
    check_ntlm_password: sam authentication for user [jgoddard] FAILED with
  error NT_STATUS_NO_SUCH_USER
  [2016/03/18 10:20:21.056944,  2, pid=9121, effective(0, 0), real(0, 0),
  class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
    check_ntlm_password:  Authentication for user [jgoddard] -> [jgoddard]
  FAILED with error NT_STATUS_NO_SUCH_USER
  [2016/03/18 10:20:21.056972,  2] ../auth/gensec/spnego.c:746
  (gensec_spnego_server_negTokenTarg)
    SPNEGO login failed: NT_STATUS_NO_SUCH_USER
  [2016/03/18 10:20:21.057837,  3] ../source3/smbd/server_exit.c:249
  (exit_server_common)
    Server exit (NT_STATUS_CONNECTION_RESET)

  When trying to authenticate to my share.

  The search from the samba server:

  ldapsearch -LLL -x -h id-management-1.internal.emerlyn.com uid=jgoddard

  does not return a value for sambaSAMAccount either. Can anyone provide
  me a pointer or documentation on where I'm going wrong?

  Thanks,

  Jeff













Re: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount

2016-03-19 Thread Christopher Lamb

Hi Jeff

When I last integrated FreeIPA and Samba I used ldapmodify to successfully
add sambaSAMAccount and sambaGroupMapping.


ldapmodify -Y GSSAPI <
To: freeipa-users@redhat.com
Date:   18.03.2016 16:11
Subject:[Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
Sent by:freeipa-users-boun...@redhat.com




Hello all,

I'm following this guide:
https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
in attempts to have a SAMBA server with freeipa as the back-end
authentication method. My problem is that the command:

ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount

fails with the message:

ipa: ERROR: objectclass top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount not found.

Using the web GUI I was able to add this field but it doesn't dynamically
add it to my existing users and so I get errors such as:

[2016/03/18 10:20:21.052605,  3] ../source3/lib/smbldap.c:579
(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2016/03/18 10:20:21.052661,  2] ../source3/lib/smbldap.c:794
(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2016/03/18 10:20:21.055250,  3] ../source3/lib/smbldap.c:1013
(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2016/03/18 10:20:21.056774,  4] ../source3/passdb/pdb_ldap.c:1496
(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0
[2016/03/18 10:20:21.056856,  3, pid=9121, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'jgoddard' in passdb.
[2016/03/18 10:20:21.056890,  5, pid=9121, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: sam authentication for user [jgoddard] FAILED with
error NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.056944,  2, pid=9121, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [jgoddard] -> [jgoddard]
FAILED with error NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.056972,  2] ../auth/gensec/spnego.c:746
(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.057837,  3] ../source3/smbd/server_exit.c:249
(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

When trying to authenticate to my share.

The search from the samba server:

ldapsearch -LLL -x -h id-management-1.internal.emerlyn.com uid=jgoddard

does not return a value for sambaSAMAccount either. Can anyone provide me
a pointer or documentation on where I'm going wrong?

Thanks,

Jeff
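The ldapsam messages in Jeff's log (ldapsam_getsampwnam ... count=0, then NT_STATUS_NO_SUCH_USER) are what Samba reports when the user's LDAP entry does not carry the sambaSAMAccount object class, and that class in turn requires a sambaSID attribute, so adding the class alone is not enough; the directory must also know the Samba schema before either can be added. As an added example, not code from the thread, from FreeIPA or from Samba, the script below parses an ldapsearch -LLL style LDIF export, reports what ldapsam would miss on each entry, writes the ldapmodify LDIF that fills the gap, and pulls the affected user names out of a Samba log. The LDIF, the DNs, the log excerpt and the SID are constructed placeholders; the same check applies to the ldapsam-backed smb.conf from the earlier Samba thread.

```python
"""Check an IPA user entry for what Samba's ldapsam backend needs.

Added example, not code from the thread, FreeIPA or Samba. ldapsam looks a
user up by the sambaSAMAccount object class, and that class requires a
sambaSID attribute, so an entry without both is reported as 'Unable to
locate user ... count=0' and the logon fails with NT_STATUS_NO_SUCH_USER.
The LDIF, DNs, log lines and SIDs below are constructed placeholders.
"""
import base64
import re
import sys

REQUIRED_CLASS = "sambaSAMAccount"
REQUIRED_ATTRS = ("sambaSID",)  # MUST attribute of sambaSAMAccount

# Constructed `ldapsearch -LLL` style output (not a real directory): alice has
# the stock IPA classes only, bob already carries the Samba class and SID.
SAMPLE_LDIF = """\
# constructed sample
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
cn:: QWxpY2UgRXhhbXBsZQ==
sn: Example

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob
sambaSID: S-1-5-21-0-0-0-1002
"""

# Constructed Samba log excerpt in the shape of the one quoted in the thread.
SAMPLE_SMB_LOG = """\
[2016/03/18 10:20:21.056774,  4] ../source3/passdb/pdb_ldap.c:1496(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [alice] count=0
[2016/03/18 10:20:21.056856,  3] ../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'alice' in passdb.
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
LOCATE_RE = re.compile(r"ldapsam_getsampwnam: Unable to locate user \[([^\]]+)\] count=0")


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lower-case): [values]} dicts.

    Handles folded continuation lines (leading space), '#' comments and
    base64 ('::') values; 'dn' is stored like any other attribute.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a wrapped value
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_samba_readiness(entry):
    """Return what ldapsam would miss on this entry (object class, attributes)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    missing_classes = [] if REQUIRED_CLASS.lower() in classes else [REQUIRED_CLASS]
    missing_attrs = [a for a in REQUIRED_ATTRS if a.lower() not in entry]
    return {"objectClass": missing_classes, "attributes": missing_attrs}


def build_fix_ldif(entry, samba_sid):
    """Return an ldapmodify LDIF adding the missing class/SID, or '' if complete.

    samba_sid is the user's SID (domain SID plus RID); a placeholder here, on
    a real server it derives from the domain SID Samba was configured with.
    """
    missing = check_samba_readiness(entry)
    ops = []
    if missing["objectClass"]:
        ops.append(f"add: objectClass\nobjectClass: {REQUIRED_CLASS}")
    if "sambaSID" in missing["attributes"]:
        ops.append(f"add: sambaSID\nsambaSID: {samba_sid}")
    if not ops:
        return ""
    header = f"dn: {entry['dn'][0]}\nchangetype: modify\n"
    return header + "\n-\n".join(ops) + "\n"


def users_missing_in_passdb(log_text):
    """Extract the user names ldapsam could not find from a Samba log."""
    return sorted(set(LOCATE_RE.findall(log_text)))


if __name__ == "__main__":
    # Usage: pipe `ldapsearch -LLL -Y GSSAPI uid=<user>` output on stdin, or run
    # with no input to see the constructed sample handled.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for entry in parse_ldif(text):
        missing = check_samba_readiness(entry)
        print(entry["dn"][0], "->", "ok" if not any(missing.values()) else missing)
        print(build_fix_ldif(entry, "S-1-5-21-<DOMAIN-SID-PLACEHOLDER>-<RID>"), end="")
    print("users ldapsam could not find:", users_missing_in_passdb(SAMPLE_SMB_LOG))
```

The generated LDIF is what `ldapmodify -Y GSSAPI` (after `kinit admin`, as Chris mentions) would consume; the modify fails with an object class violation if the Samba schema is not loaded in the directory, which is the first thing to verify when the entry check reports both items missing.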

Re: [Freeipa-users] Fw: [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Christopher Lamb

Hi Martin,

Good points

Web UI: Cannot authenticate to Web UI
- Make sure that the user can authenticate in CLI, e.g. with kinit $USER
  --> yes, the user can ssh to FreeIPA hosts, and can call kinit without error.
- Make sure that httpd, dirsrv and ipa_memcached services on the affected
  FreeIPA server are running.
  --> httpd, slapd and memcached all running (proved by pgrep -l)
- Make sure there are no related SELinux AVCs
  --> SELinux is disabled
- Make sure that cookies are enabled on the client browser
  --> enabled
- Make sure that the time on the FreeIPA server is up to date and there is
  no (significant) clock skew (freeipa-users thread)
  --> no clock skew
- Search for any related errors in /var/log/httpd/error_log
  --> no errors today

Chris





From:   Martin Kosek 
To:     Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Cc: Alexander Bokovoy 
Date:   02.02.2016 09:53
Subject:Re: [Freeipa-users] Fw: [Centos7.2 Freeipa 4.2] browser : your
session has expired



On 02/02/2016 09:49 AM, Christopher Lamb wrote:
>
>
> Sorry, Notes is playing up, and sent the last before I could type any
text!
>
> The POST /ipa/session/login_password is successful.
>
> but the POST /ipa/session/json  and  GET /ipa/session/login_kerberos both
> give 401 Unauthorized
>
> Chris

Just to make sure we have covered all possible pitfalls we have already
gathered on our Troubleshooting page, did you check all the advice in this
list?

http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI




[Freeipa-users] Fw: [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Christopher Lamb


Sorry, Notes is playing up, and sent the last before I could type any text!

The POST /ipa/session/login_password is successful.

but the POST /ipa/session/json  and  GET /ipa/session/login_kerberos both
give 401 Unauthorized

Chris
----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.02.2016 09:46 -----

From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: Alexander Bokovoy 
Cc: freeipa-users@redhat.com
Date:   02.02.2016 09:42
Subject:Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your
session has expired
Sent by:freeipa-users-boun...@redhat.com







From: Alexander Bokovoy 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Petr Vobornik , freeipa-users@redhat.com, wodel
youchi 
Date: 02.02.2016 09:32
Subject: Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session
has expired



On Tue, 02 Feb 2016, Christopher Lamb wrote:
>
>Hi Petr
>
>I get exactly the same behaviour every so often. We are running IPA server
>4.2.0 15.0.1.el7_2.3, (though we got the same problem with earlier
>releases too).
>
>In my case the laptop running Firefox / FreeIPA WebUI, and the OEL Server
>running the IPA server have time within seconds / milliseconds of one
>another. The server uses NTPD (and has full missile lock on the NTP pool
>servers), and the laptop uses whatever OSX uses to keep time accurate.
>
>As I only need to use the FreeIPA WebUI rarely (every few months or so)
>the exact behaviour is difficult to pin down. It seems to work like this:
>
>a) I will sometimes have access without the "your session has expired"
>error. Typically this is when I have not used FreeIPA for a long time
>(months).
>
>b) then some days later, when I revisit the WebUI, the "your session has
>expired" error will crop up.
>
>c) as I have access to several workstations, each with several browsers
>installed (IE, FF, Chrome, Safari etc.), I may get lucky and find one that
>does not give the error (while the others do).
>
>Just like the OP, the workstations are not FreeIPA hosts (or servers), and
>we use login /pw for the WebUI.
Can you hit ctrl+shift+I in Firefox (open development console), select
'Network' tab there, hit reload, and explore the requests/responses
there when the error is manifested. Unfortunately, there is no way to
copy out the whole traffic but you can at least make screenshots.

This approach allows you to see what's happening inside the
communication without need to decode SSL traffic in Wireshark.
--
/ Alexander Bokovoy



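To see the same exchange Alexander describes in the Network tab without a browser, here is an added example (not code from the thread or from FreeIPA) that performs the Web UI's two requests with the Python standard library: POST /ipa/session/login_password with form-encoded user and password, which should answer 200 and set the ipa_session cookie, then POST /ipa/session/json carrying that cookie and a Referer header under /ipa, the call Chris sees fail with 401. The server URL is a placeholder taken from the command line and the password is prompted for; it assumes the FreeIPA 4.x session endpoints as documented and a server certificate the client already trusts.

```python
"""Replay the FreeIPA Web UI login exchange from the command line.

Added example, not code from the thread or from FreeIPA. It uses the session
endpoints the Web UI itself calls: POST /ipa/session/login_password
(form-encoded user/password, answers 200 and sets the ipa_session cookie) and
POST /ipa/session/json (JSON-RPC, must carry that cookie and a Referer header
under /ipa, or the server answers 401). The server URL is a placeholder given
on the command line; the password is prompted for, never hard-coded.
"""
import getpass
import http.cookiejar
import json
import sys
import urllib.error
import urllib.parse
import urllib.request


def build_login_request(base_url, user, password):
    """The same POST the browser sends from the login form."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/ipa/session/login_password",
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "text/plain")
    req.add_header("Referer", f"{base_url}/ipa")
    return req


def build_json_request(base_url, method="ping", args=None, options=None):
    """A JSON-RPC call like the ones the UI sends after login; 'ping' needs no rights."""
    body = json.dumps({"method": method, "params": [args or [], options or {}], "id": 0}).encode()
    req = urllib.request.Request(f"{base_url}/ipa/session/json",
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("Referer", f"{base_url}/ipa")  # the server rejects JSON calls without it
    return req


def session_cookie_status(jar):
    """Describe the ipa_session cookie the login step left in the jar (or its absence)."""
    for cookie in jar:
        if cookie.name == "ipa_session":
            return {"present": True, "secure": bool(cookie.secure),
                    "expires": cookie.expires, "path": cookie.path}
    return {"present": False}


def check_session(base_url, user, password, timeout=15):
    """Run both steps with one cookie jar and report each HTTP status.

    A 200 on login_password followed by a 401 on json, with the cookie present,
    is the pattern from the thread; a missing or already-expired cookie points
    at cookie handling or the clocks on the two machines instead.
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    report = {}

    def send(step, req):
        try:
            with opener.open(req, timeout=timeout) as resp:
                report[step] = resp.status
        except urllib.error.HTTPError as err:
            report[step] = err.code
            # FreeIPA explains a refused login in this header when it sends one.
            report[step + "_reason"] = err.headers.get("X-IPA-Rejection-Reason", "")

    send("login_password", build_login_request(base_url, user, password))
    report["cookie"] = session_cookie_status(jar)
    if report["cookie"]["present"]:
        send("json", build_json_request(base_url))
    return report


if __name__ == "__main__":
    # Usage: python ipa_session_check.py https://ipa.example.com alice
    if len(sys.argv) != 3:
        sys.exit("usage: ipa_session_check.py <https://ipa-server> <user>")
    base, user = sys.argv[1].rstrip("/"), sys.argv[2]
    print(json.dumps(check_session(base, user, getpass.getpass("IPA password: ")), indent=2))
```

The report's cookie block is the part worth comparing with the browser: an `expires` value already in the past when it arrives is the clock-skew case from Petr's question, while a present, valid cookie and a 401 on the json step narrows the problem to the server side of the session.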

Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Christopher Lamb







From:   Alexander Bokovoy 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Petr Vobornik , freeipa-users@redhat.com,
wodel youchi 
Date:   02.02.2016 09:32
Subject:Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your
session has expired



On Tue, 02 Feb 2016, Christopher Lamb wrote:
>
>Hi Petr
>
>I get exactly the same behaviour every so often. We are running IPA server
>4.2.0 15.0.1.el7_2.3, (though we got the same problem with earlier
>releases too).
>
>In my case the laptop running Firefox / FreeIPA WebUI, and the OEL Server
>running the IPA server have time within seconds / milliseconds of one
>another. The server uses NTPD (and has full missile lock on the NTP pool
>servers), and the laptop uses whatever OSX uses to keep time accurate.
>
>As I only need to use the FreeIPA WebUI rarely (every few months or so)
>the exact behaviour is difficult to pin down. It seems to work like this:
>
>a) I will sometimes have access without the "your session has expired"
>error. Typically this is when I have not used FreeIPA for a long time
>(months).
>
>b) then some days later, when I revisit the WebUI, the "your session has
>expired" error will crop up.
>
>c) as I have access to several workstations, each with several browsers
>installed (IE, FF, Chrome, Safari etc.), I may get lucky and find one that
>does not give the error (while the others do).
>
>Just like the OP, the workstations are not FreeIPA hosts (or servers), and
>we use login /pw for the WebUI.
Can you hit ctrl+shift+I in Firefox (open development console), select
'Network' tab there, hit reload, and explore the requests/responses
there when the error is manifested. Unfortunately, there is no way to
copy out the whole traffic but you can at least make screenshots.

This approach allows you to see what's happening inside the
communication without need to decode SSL traffic in Wireshark.
--
/ Alexander Bokovoy




Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Christopher Lamb

Hi Petr

I get exactly the same behaviour every so often. We are running IPA server
4.2.0 15.0.1.el7_2.3, (though we got the same problem with earlier releases
too).

In my case the laptop running Firefox / FreeIPA WebUI, and the OEL Server
running the IPA server have time within seconds / milliseconds of one
another. The server uses NTPD (and has full missile lock on the NTP pool
servers), and the laptop uses whatever OSX uses to keep time accurate.

As I only need to use the FreeIPA WebUI rarely (every few months or so) the
exact behaviour is difficult to pin down. It seems to work like this:

a) I will sometimes have access without the "your session has expired"
error. Typically this is when I have not used FreeIPA for a long time
(months).

b) then some days later, when I revisit the WebUI, the "your session has
expired" error will crop up.

c) as I have access to several workstations, each with several browsers
installed (IE, FF, Chrome, Safari etc.), I may get lucky and find one that
does not give the error (while the others do).

Just like the OP, the workstations are not FreeIPA hosts (or servers), and
we use login /pw for the WebUI.

Chris



From:   Petr Vobornik 
To: wodel youchi , Alexander Bokovoy

Cc: freeipa-users@redhat.com
Date:   02.02.2016 08:48
Subject:Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your
session has expired
Sent by:freeipa-users-boun...@redhat.com



On 01/31/2016 09:49 AM, wodel youchi wrote:
> Hi,
>
> I mis-explained myself apparently, here it is:
>
> I open a session with login/password, I do some work, I leave it for a
> while, the session disconnects which is normal.
> I come back, I try to authenticate with login/password, it keeps telling
> me: your session has expired.
>
> Regards.

Is there a time difference between a machine with browser and an IPA
server?

>
> 2016-01-30 17:54 GMT+01:00 Alexander Bokovoy :
>
>>
>>
>> - Original Message -
>>> Hi,
>>>
>>> When accessing the webui of Freeipa from the browser using login
>>> password, I get your session has expired.
>>>
>>> As a workaround I have to either :
>>> - Delete the https certificate of the ipa server from the browser and
>>> delete history then relogin again.
>>> - Restart ipa services : ipactl restart
>> - delete cookies in the browser corresponding to IPA server.
>>
>>> PS: The machine I am using to connect to the webui of freeipa is not
>>> enrolled in it, I am using login/pass to connect not kerberos.
>> Web UI session is set to 30 minutes or so.
>>
>> --
>> / Alexander Bokovoy
>>
>
>
>


--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



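One concrete way to answer Petr's question about a time difference between the browser machine and the IPA server. This is an added example, not code from the thread or from FreeIPA: it reads the HTTP Date header the IPA server sends with any response (for instance the headers returned by `curl -sI https://<ipa-server>/ipa/ui`, hostname being a placeholder) and compares it with the browser host's clock. The 30-minute figure is the session lifetime Alexander quotes further down the thread; the 5-minute figure is the default Kerberos clock tolerance, not something the thread states. The header value and timestamps are constructed.

```python
"""Clock-skew check between a browser host and the IPA server.

Added example (not from the thread, not FreeIPA code). The Web UI session
is short-lived (about 30 minutes per the thread), so a client clock that
disagrees with the server by an amount comparable to that lifetime is a
plausible reason for a fresh session to be reported as expired. The
server's own clock is visible in the HTTP Date header of any response,
which needs no credentials to fetch.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Session lifetime quoted in the thread ("30 minutes or so").
SESSION_LIFETIME = timedelta(minutes=30)
# Default Kerberos clock tolerance (krb5 "clockskew"), assumed here as a
# second, stricter threshold; not stated in the thread.
KRB5_CLOCKSKEW = timedelta(minutes=5)

# Constructed sample header, as curl -sI https://<ipa-server>/ipa/ui would
# print it (hostname is a placeholder).
SAMPLE_DATE_HEADER = "Tue, 02 Feb 2016 08:10:00 GMT"


def clock_skew(server_date_header, client_now):
    """Return client_now minus the server's time; positive means the client
    clock runs ahead of the server."""
    server_time = parsedate_to_datetime(server_date_header)
    if server_time.tzinfo is None:  # some Python versions return naive UTC
        server_time = server_time.replace(tzinfo=timezone.utc)
    return client_now.astimezone(timezone.utc) - server_time


def skew_exceeds(server_date_header, client_now, limit):
    """True when |skew| is at or beyond the given tolerance."""
    return abs(clock_skew(server_date_header, client_now)) >= limit


def diagnose(server_date_header, client_now=None):
    """Summarise the skew for a troubleshooting note."""
    client_now = client_now or datetime.now(timezone.utc)
    skew = clock_skew(server_date_header, client_now)
    return {
        "skew_seconds": int(skew.total_seconds()),
        "client_ahead": skew > timedelta(0),
        # beyond what Kerberos itself tolerates: fix NTP before anything else
        "beyond_krb5_tolerance": skew_exceeds(server_date_header, client_now,
                                              KRB5_CLOCKSKEW),
        # comparable to the Web UI session lifetime: the likely culprit
        "suspect": skew_exceeds(server_date_header, client_now,
                                SESSION_LIFETIME),
    }


if __name__ == "__main__":
    now = datetime(2016, 2, 2, 8, 48, 0, tzinfo=timezone.utc)  # constructed
    print(diagnose(SAMPLE_DATE_HEADER, now))
```

Run it with the real Date header and no second argument to use the local clock; a skew beyond the Kerberos tolerance is worth fixing with NTP regardless of whether it explains the Web UI symptom.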

Re: [Freeipa-users] Browser login to IPA "Authentication Required"prompt

2016-01-19 Thread Christopher Lamb

From memory (and this may have changed since) Firefox is the only supported
browser for the FreeIPA WebUI. Having said that, I would welcome other
common browsers working (Chrome, Safari etc.)



From:   Adam Kaczka 
To: Martin Kosek , "freeipa-users@redhat.com"
, Petr Vobornik 
Date:   18.01.2016 16:03
Subject:    Re: [Freeipa-users] Browser login to IPA "Authentication Required" prompt
Sent by:freeipa-users-boun...@redhat.com



This happens with FreeIPA version 4.2.0 and also version 3.0.0 with latest
Chrome (47.0.2526.111 m) and IE 11 (11.63.10586.0).  The issue does not
occur with FF (43.0.4).  I tried the demo page and same thing happened.

Also when using IE the login prompt is the Windows Security domain login
prompt.

On Mon, Jan 18, 2016 at 3:20 AM Martin Kosek  wrote:
  On 01/15/2016 09:20 PM, Adam Kaczka wrote:
  > Hello,
  >
  > This has been bugging me for a while, but how do I turn off the
  > "Authentication Required" prompt that pops up on the GUI when I log in
  > to IPA through the browser? I can cancel it and it lands on the /ipa/ui
  > page, but I'd like to not see it by default.
  >
  > Also, I take it that the prompt is related to Kerberos login; is the
  > prompt meant to be used as a 2-factor authentication for browser login?

  CCing Petr to be aware of this question. But first, I would be curious:
  what browser version do you use and what FreeIPA version do you use? Do
  you see the same troubling behavior with the FreeIPA demo [1]?

  [1] http://www.freeipa.org/page/Demo
--
Best Regards,
- Adam


Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

2015-11-19 Thread Christopher Lamb
Now it works:

First I edited /etc/login.defs UID_MIN to 500

Then I ran "authconfig --update" to make the change(s) to login.defs
active.

After that, users with uids >=500 were able to login again.

In our case we have both system users (application) and "long term
employees, user account predates LDAP" with such low ids.

Chris



From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: Sumit Bose 
Cc: freeipa-users@redhat.com
Date:   19.11.2015 11:20
Subject:Re: [Freeipa-users] Invalid UID in persistent keyring name
while getting default cache. on OEL 7.1
Sent by:freeipa-users-boun...@redhat.com



Hi Sumit

Thanks, I too have found /etc/login.defs

https://fedoraproject.org/wiki/Features/1000SystemAccounts

I have changed the UID_MIN to 500, and rebooted, but it seems to have no
effect.

Reading between the lines in the link above, it looks like this value may
have to be set pre-install.

Maybe I need to do something else to change the value?

Chris






From: Sumit Bose 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Jakub Hrozek , freeipa-users@redhat.com
Date: 19.11.2015 10:38
Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while
getting default cache. on OEL 7.1



On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:
> Hi
>
> The plot thickens. I think I actually have 2 issues:
>
> The first issue is the one in the title of this thread, and was caused by
> "the wrong kernel".
>
> The second issue, that some ipa users cannot log on (but mine can), is
> (probably) unrelated.
>
> The clue was my point below "no obvious horrible error".
>
> That led me to look in /var/log/secure, where I found the following:
>
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.my-domain.xx.domain.com  user=bimbo
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
> Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2
>
> Both my user, and an additional test user this morning have uids > 1000,
> and can successfully login -->OK
>
> The 2 other users I tested with yesterday (one application user, and one
> real user) have ids < 1000, and therefore (on this host) cannot logon.
>
> Now I need to google further to find where this rule is configured /
> hidden.

The '1000' is written by authconfig into the pam configuration. Afaik
authconfig uses the UID_MIN from /etc/login.defs here.

HTH

bye,
Sumit

>
> Cheers
>
> Chris
>
>
>
>
>
> From: Christopher Lamb/Switzerland/IBM@IBMCH
> To: Jakub Hrozek 
> Cc: freeipa-users@redhat.com
> Date: 19.11.2015 10:05
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name
> while getting default cache. on OEL 7.1
> Sent by: freeipa-users-boun...@redhat.com
>
>
>
> Hi Jakub
>
> I have restarted sssd with debug_level=6
>
> Then I made one (failed) attempt to login via ssh with the user "bimbo".
>
> Logs, anonymised are attached.
>
> To my untrained eyes, nothing shouts "horrible error" to me.
>
> Chris
>
> (See attached file: sssd_logs.zip)
>
>
>
> From: Jakub Hrozek 
> To: freeipa-users@redhat.com
> Date: 18.11.2015 19:30
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while
> getting default cache. on OEL 7.1
> Sent by: freeipa-users-boun...@redhat.com
>
>
>
> On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
> >
> > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to
> > 7.1)
> > The ipa-client is installed, making this server an ipa host.
> >
> > > getent passwd 
> >
> > is successful for ipa users.  -->OK
> >
> > However I cannot log on to the host with ipa users (direct or ssh). -->
> > NOT OK
> >
> > When logged on as root (local user), I can "su -" to my ipa user. -->OK
> >
> > "> systemctl status sssd" and "> kinit"
> >
> &

Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

2015-11-19 Thread Christopher Lamb
Hi Sumit

Thanks, I too have found /etc/login.defs

https://fedoraproject.org/wiki/Features/1000SystemAccounts

I have changed the UID_MIN to 500, and rebooted, but it seems to have no
effect.

Reading between the lines in the link above, it looks like this value may
have to be set pre-install.

Maybe I need to do something else to change the value?

Chris







From:   Sumit Bose 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Jakub Hrozek , freeipa-users@redhat.com
Date:   19.11.2015 10:38
Subject:Re: [Freeipa-users] Invalid UID in persistent keyring name
while getting default cache. on OEL 7.1



On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:
> Hi
>
> The plot thickens. I think I actually have 2 issues:
>
> The first issue is the one in the title of this thread, and was caused by
> "the wrong kernel".
>
> The second issue, that some ipa users cannot log on (but mine can), is
> (probably) unrelated.
>
> The clue was my point below "no obvious horrible error".
>
> That led me to look in /var/log/secure, where I found the following:
>
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.my-domain.xx.domain.com  user=bimbo
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
> Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2
>
> Both my user, and an additional test user this morning have uids > 1000,
> and can successfully login -->OK
>
> The 2 other users I tested with yesterday (one application user, and one
> real user) have ids < 1000, and therefore (on this host) cannot logon.
>
> Now I need to google further to find where this rule is configured /
> hidden.

The '1000' is written by authconfig into the pam configuration. Afaik
authconfig uses the UID_MIN from /etc/login.defs here.

HTH

bye,
Sumit

>
> Cheers
>
> Chris
>
>
>
>
>
> From:  Christopher Lamb/Switzerland/IBM@IBMCH
> To:Jakub Hrozek 
> Cc:freeipa-users@redhat.com
> Date:  19.11.2015 10:05
> Subject:   Re: [Freeipa-users] Invalid UID in persistent keyring
name
> while getting default cache. on OEL 7.1
> Sent by:   freeipa-users-boun...@redhat.com
>
>
>
> Hi Jakub
>
> I have restarted sssd with debug_level=6
>
> Then I made one (failed) attempt to login via ssh with the user "bimbo".
>
> Logs, anonymised are attached.
>
> To my untrained eyes, nothing shouts "horrible error" to me.
>
> Chris
>
> (See attached file: sssd_logs.zip)
>
>
>
> From: Jakub Hrozek 
> To: freeipa-users@redhat.com
> Date: 18.11.2015 19:30
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while
> getting default cache. on OEL 7.1
> Sent by: freeipa-users-boun...@redhat.com
>
>
>
> On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
> >
> > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to
> > 7.1)
> > The ipa-client is installed, making this server an ipa host.
> >
> > > getent passwd 
> >
> > is successful for ipa users.  -->OK
> >
> > However I cannot log on to the host with ipa users (direct or ssh). -->
> > NOT OK
> >
> > When logged on as root (local user), I can "su -" to my ipa user. -->OK
> >
> > "> systemctl status sssd" and "> kinit"
> >
> > both show:
> >
> > "Invalid UID in persistent keyring name while getting default cache."
> >
> > Having googled with this error, I saw some indications that it could be
> > related to the kernel.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1017683
> > https://bugzilla.redhat.com/show_bug.cgi?id=1029110
> >
> > For a fresh OEL install, the default kernel is the uek version. "Aha" I
> > thought, let's change back to the standard RHEL kernel.
> >
> > After a reboot with the RHEL kernel, I was still not able to log in
> > with my ipa user.
> >
> > I then logged on as root,
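A check that ties together Sumit's explanation (authconfig writes the "uid >= 1000" floor into the PAM stack from UID_MIN in /etc/login.defs) and the resolution in the later "Now it works" post (set UID_MIN to 500, then run authconfig --update). This is an added example, not code from the thread or from authconfig: it parses both files, reports whether they agree, and lists the directory users the live PAM rule rejects, which is exactly what produced the "requirement not met by user" line in /var/log/secure. The login.defs and system-auth excerpts and the passwd lines are constructed samples.

```python
"""Reconcile the PAM UID floor with /etc/login.defs and list affected users.

Added example (not from the thread, not authconfig's own code). The log
line in the thread, 'requirement "uid >= 1000" not met by user "bimbo"',
comes from pam_succeed_if, and authconfig writes that floor from UID_MIN
in /etc/login.defs. Editing login.defs alone changes nothing until
authconfig --update regenerates the PAM stack, so the two values can
drift apart; this script reads both and reports who the current rule
rejects. All inputs below are constructed.
"""
import re

# Constructed excerpt of /etc/login.defs.
LOGIN_DEFS = """\
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
"""

# Constructed excerpt of /etc/pam.d/system-auth in the shape authconfig
# writes on a RHEL 7 style host (rule wording taken from the log line).
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

# Constructed "getent passwd" lines for directory users (placeholder UIDs).
PASSWD_LINES = [
    "chris:*:1203:1203:Christopher Lamb:/home/chris:/bin/bash",
    "bimbo:*:512:512:Test User:/home/bimbo:/bin/bash",
    "appsvc:*:410:410:Application Service:/srv/app:/sbin/nologin",
]

PAM_UID_RULE = re.compile(r"pam_succeed_if\.so\s.*?\buid\s*>=\s*(\d+)")


def uid_min_from_login_defs(text):
    """UID_MIN as set in login.defs, ignoring comments; None if absent."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "UID_MIN":
            return int(fields[1])
    return None


def pam_uid_floor(text):
    """Threshold of the first 'auth ... pam_succeed_if.so uid >= N' rule."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "auth":
            match = PAM_UID_RULE.search(line)
            if match:
                return int(match.group(1))
    return None


def users_below_floor(passwd_lines, floor):
    """(name, uid) pairs that fail the pam_succeed_if condition."""
    denied = []
    for line in passwd_lines:
        name, _, uid = line.split(":")[:3]
        if int(uid) < floor:
            denied.append((name, int(uid)))
    return denied


def audit(login_defs=LOGIN_DEFS, system_auth=SYSTEM_AUTH,
          passwd_lines=PASSWD_LINES):
    """Compare the two sources and list who the live PAM rule would reject."""
    uid_min = uid_min_from_login_defs(login_defs)
    floor = pam_uid_floor(system_auth)
    return {
        "uid_min": uid_min,
        "pam_floor": floor,
        # False means login.defs was edited but authconfig --update not run.
        "in_sync": uid_min == floor,
        "denied": users_below_floor(passwd_lines, floor) if floor else [],
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The floor exists so that low-numbered (system) accounts are never authenticated against the directory; lowering UID_MIN to 500 widens that range to 500 through 999 on every host where authconfig is re-run, which is a deliberate trade-off worth recording alongside the pre-LDAP accounts that need it.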

Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

2015-11-19 Thread Christopher Lamb
Hi

The plot thickens. I think I actually have 2 issues:

The first issue is the one in the title of this thread, and was caused by
"the wrong kernel".

The second issue, that some ipa users cannot log on (but mine can), is
(probably) unrelated.

The clue was my point below "no obvious horrible error".

That led me to look in /var/log/secure, where I found the following:

Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.my-domain.xx.domain.com  user=bimbo
Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2

Both my user, and an additional test user this morning have uids > 1000,
and can successfully login -->OK

The 2 other users I tested with yesterday (one application user, and one
real user) have ids < 1000, and therefore (on this host) cannot logon.

Now I need to google further to find where this rule is configured /
hidden.

Cheers

Chris





From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: Jakub Hrozek 
Cc: freeipa-users@redhat.com
Date:   19.11.2015 10:05
Subject:Re: [Freeipa-users] Invalid UID in persistent keyring name
while getting default cache. on OEL 7.1
Sent by:freeipa-users-boun...@redhat.com



Hi Jakub

I have restarted sssd with debug_level=6

Then I made one (failed) attempt to login via ssh with the user "bimbo".

Logs, anonymised are attached.

To my untrained eyes, nothing shouts "horrible error" to me.

Chris

(See attached file: sssd_logs.zip)



From: Jakub Hrozek 
To: freeipa-users@redhat.com
Date: 18.11.2015 19:30
Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while
getting default cache. on OEL 7.1
Sent by: freeipa-users-boun...@redhat.com



On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
>
> I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to
> 7.1)
> The ipa-client is installed, making this server an ipa host.
>
> > getent passwd 
>
> is successful for ipa users.  -->OK
>
> However I cannot log on to the host with ipa users (direct or ssh). -->
> NOT OK
>
> When logged on as root (local user), I can "su -" to my ipa user. -->OK
>
> "> systemctl status sssd" and "> kinit"
>
> both show:
>
> "Invalid UID in persistent keyring name while getting default cache."
>
> Having googled with this error, I saw some indications that it could be
> related to the kernel.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1017683
> https://bugzilla.redhat.com/show_bug.cgi?id=1029110
>
> For a fresh OEL install, the default kernel is the uek version. "Aha" I
> thought, let's change back to the standard RHEL kernel.
>
> After a reboot with the RHEL kernel, I was still not able to log in with
> my ipa user.
>
> I then logged on as root, and changed to my ipa user via su.
>
> > klist -l
>
> produced:
>
> KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)

I'm surprised you had any ccache at all, because login as root bypasses
PAM.

But in general, if you login with sssd and the cache is expired a long
time ago (1970), that means sssd logged you in offline and the ccache is
a placeholder for when sssd switches to online mode.

>
> I therefore deleted the key:
>
> > kdestroy -A
>
> Then I stopped the sssd service, and cleared the cache
> in /var/lib/sss/db/, then restarted sssd
>
> After that I was now able to log on with my ipa user (both direct and via
> ssh).
>
> However I cannot get any other ipa users to logon to this host!  --> NOT
> OK
>
> The same users can successfully logon to other ipa hosts in the same
> domain.
>
> My ipa user was the one used to enroll the host.
>
> Any ideas?

Not without logs, see:
   https://fedorahosted.org/sssd/wiki/Troubleshooting




[Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

2015-11-18 Thread Christopher Lamb

I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1).
The ipa-client is installed, making this server an ipa host.

> getent passwd 

is successful for ipa users.  -->OK

However I cannot log on to the host with ipa users (direct or ssh). -->NOT OK

When logged on as root (local user), I can "su -" to my ipa user. -->OK

"> systemctl status sssd" and "> kinit"

both show:

"Invalid UID in persistent keyring name while getting default cache."

Having googled with this error, I saw some indications that it could be
related to the kernel.

https://bugzilla.redhat.com/show_bug.cgi?id=1017683
https://bugzilla.redhat.com/show_bug.cgi?id=1029110

For a fresh OEL install, the default kernel is the uek version. "Aha" I
thought, let's change back to the standard RHEL kernel.

After a reboot with the RHEL kernel, I was still not able to log in with my
ipa user.

I then logged on as root, and changed to my ipa user via su.

> klist -l

produced:

KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)

I therefore deleted the key:

> kdestroy -A

Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/,
then restarted sssd.

After that I was now able to log on with my ipa user (both direct and via
ssh).

However I cannot get any other ipa users to logon to this host!  --> NOT OK

The same users can successfully logon to other ipa hosts in the same
domain.

My ipa user was the one used to enroll the host.

Any ideas?

sssd version = 1.12.2 58.el7_1.18
ipa-client version = 4.1.0 18.0.1.el7_1.4

kernels:
Oracle Linux Server, with Unbreakable Enterprise Kernel 3.8.13-98.5.2.el7uek.x86_64
Oracle Linux Server, with Linux 3.10.0-229.20.1.el7.x86_64

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-19 Thread Christopher Lamb
Matt

Once I got Samba and FreeIPA integrated (by the "good old extensions"
path), I always use FreeIPA to administer users. I have never tried the
samba tools like smbpasswd.

I still have a wiki how-to in the works, but I had to focus on some other
issues for a while.

Chris



From:   "Matt ." 
To: Youenn PIOLET 
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
"freeipa-users@redhat.com" 
Date:   20.08.2015 08:12
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Guys,

Does anyone still have a working clue/test here?

I didn't come further, as it seems there needs to be some domain join /
match following the freeipa devs.

Thanks!

Matt

2015-08-13 13:09 GMT+02:00 Matt . :
> Hi,
>
> I might have found something which I had already seen in the logs.
>
> I did a smbpasswd my username on the samba server, it connects to ldap
> very well. I give my new password and get the following:
>
> smbldap_search_ext: base => [dc=my,dc=domain], filter => [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1my--sid---)))], scope => [2]
> Attribute [displayName] not found.
> Could not retrieve 'displayName' attribute from cn=Default SMB Group,cn=groups,cn=accounts,dc=my,dc=domain
> Sid S-1my--sid--- -> MYDOMAIN\Default SMB Group(2)
>
> So something is missing!
>
> Thanks so far guys!
>
> Cheers,
>
> Matt
>
> 2015-08-13 12:02 GMT+02:00 Matt . :
>> Hi Youenn,
>>
>> OK thanks! This takes me a little bit further now and I see some good
>> stuff in my logging.
>>
>> I'm testing on a Windows 10 machine which is not a member of an AD or
>> so, so that might be my issue for now?
>>
>> When testing on the samba box itself as my user I get:
>>
>>
>> [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares
>>
>> ...
>> Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
>> ...
>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>
>>
>> Maybe I have an issue with encrypted passwords ?
>>
>>
>> When we have this all working, I think we have a howto :D
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
>>> Hi Matt
>>>
>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
>>> sambaSamAccount is not needed anymore that way.
>>> - Default IPA Way : won't work if your Windows is not part of a domain
>>> controller. DOMAIN\username may work for some users using Windows 7 -
>>> not 8 nor 10 (it did for me but I was the only one at the office...
>>> quite useless)
>>>
>>> This config may work on your CentOS (for the ipasam way):
>>> workgroup = TEST
>>> realm = TEST.NET
>>> kerberos method = dedicated keytab
>>> dedicated keytab file = FILE:/<.>/samba.keytab
>>> create krb5 conf = no
>>> security = user
>>> encrypt passwords = true
>>> passdb backend = ipasam:ldaps://youripa.test.net
>>> ldapsam:trusted = yes
>>> ldapsuffix = test.net
>>> ldap user suffix = cn=users,cn=accounts
>>> ldap group suffix = cn=groups,cn=accounts
>>>
>>>
>>> --
>>> Youenn Piolet
>>> piole...@gmail.com
>>>
>>>
>>> 2015-08-12 22:15 GMT+02:00 Matt . :
>>>>
>>>> Hi,
>>>>
>>>> OK the default IPA way works great actually when testing it as
>>>> described here:
>>>>
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>
>>>> On the samba server I can auth and see my share where I want to
>>>> connect to.
>>>>
>>>> The issue is, on Windows I cannot auth, even when I do DOMAIN\username
>>>> as username
>>>>
>>>> So, the IPA way should work.
>>>>
>>>> Any comments here ?
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-08-12 19:00 GMT+02:00 Matt . :
>>>> > HI GUys,
>>>> >
>>>> > I'm testing this out and I think I almost have this set up, on a
>>>> > CentOS samba server.
>>>> >
>>>> > I'm using the ipa-adtrust way of Youeen but it seems we still need
>>>> > to add (objectclass=sambaSamAccount)) ?
>>>> >
>>>> > Info is welcome!
>>>> >
>>>> > I will report back when I have it working.
>>>> >
>>&

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-10 Thread Christopher Lamb
The next route I will try - is the one Youeen took, using ipa-adtrust



From:   "Matt ." 
To: Christopher Lamb/Switzerland/IBM@IBMCH,
"freeipa-users@redhat.com" 
Date:   10.08.2015 10:03
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

Okay this is good to hear.

But don't we want an IPA-managed schema?

When I did a "ipa-adtrust-install --add-sids" it also wanted a locally
installed Samba and I wonder why.

Good that we make some progress on making it all clear.

Cheers,

Matt

2015-08-10 6:12 GMT+02:00 Christopher Lamb :
> ldapsam + the samba extensions, pretty much as described in the
> Techslaves article. Once I have a draft for the wiki page, I will mail
> you.
>
>
>
> From:   "Matt ." 
> To: Christopher Lamb/Switzerland/IBM@IBMCH,
> "freeipa-users@redhat.com" 
> Date:   09.08.2015 21:17
> Subject:    Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
>
>
> Hi,
>
> Yes I know about "anything" but which way did you use now ?
>
>
>
> 2015-08-09 20:56 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> I am on OEL 7.1. - so anything that works on that should be good for
>> RHEL and Centos 7.x
>>
>> I intend to add a how-to to the FreeIPA Wiki over the next few days. As
>> we have suggested earlier, we will likely end up with several, one for
>> each of the possible integration paths.
>>
>> Chris
>>
>>
>>
>>
>>
>> From:   "Matt ." 
>> To: Christopher Lamb/Switzerland/IBM@IBMCH,
>> "freeipa-users@redhat.com" 
>> Date:   09.08.2015 16:45
>> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>>
>>
>> Hi Chris,
>>
>> This sounds great!
>>
>> What are you using now, both CentOS ? So Samba and FreeIPA ?
>>
>> Maybe it's good to explain which way you used now in steps too, so we
>> can combine or create multiple howto's ?
>>
>> At least we are going somewhere!
>>
>> Thanks,
>>
>> Matt
>>
>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb
> :
>>> Hi Matt
>>>
>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old
> Samba
>>> Schema extensions) is up and working, almost flawlessly.
>>>
>>> I can add users and groups via the FreeIPA CLI, and they get the
correct
>>> ObjectClasses / attributes required for Samba.
>>>
>>> So far I have not yet bothered to try the extensions to the WebUI,
>> because
>>> it is currently giving me the classic "Your session has expired. Please
>>> re-login." error which renders the WebUI useless.
>>>
>>> The only problem I have so far encountered managing Samba / FreeIPA
> users
>>> via FreeIPA CLI commands is with the handling of the attribute
>>> sambaPwdLastSet. This is the subject of an existing thread, also
updated
>>> today.
>>>
>>> There is also an existing alternative to hacking group.py, using "Class
>> of
>>> Service" (Cos) documented in this thread from February 2015
>>>
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html
>> .
>>> I have not yet tried it, but it sounds reasonable.
>>>
>>> Chris
>>>
>>>
>>>
>>>
>>>
>>> From:   "Matt ." 
>>> To: Christopher Lamb/Switzerland/IBM@IBMCH
>>> Cc: "freeipa-users@redhat.com" , Youenn
>>> PIOLET 
>>> Date:   06.08.2015 16:19
>>> Subject:    Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>>
>>>
>>> Hi Chris,
>>>
>>> OK, than we might create two different versions of the wiki, I think
>>> this is nice.
>>>
>>> I'm still figuring out why I get that:
>>>
>>> IPA Error 4205: ObjectclassViolation
>>>
>>> missing attribute "sambaGroupType" required by object class
>>> "sambaGroupMapping"
>>>
>>> Matt
>>>
>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb
>> :
>>>> Hi Matt
>>>>
>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>>>> integration paths.
>>>>
>>>> The route I took is suited where there is no Active Directory
involved:
>>> In
>>>> my case all the Windows, OSX and Linux c

Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

2015-08-09 Thread Christopher Lamb
Hi

having done some more experimentation with creating users, changing
passwords, and the attribute sambaPwdLastSet, it is time to reactivate
this old thread.

I have a newly setup FreeIPA 4.1 Server configured with the "good old"
Samba schema extensions for FreeIPA.

I have established the following:

1) user created via CLI with no initial password given:

# ipa user-add usr1 --first=Aunt --last=Agatha
# ipa group-add-member smbgrp --users=usr1

--> The user has neither the sambaPwdLastSet nor sambaNTPassword attributes

--> NOT OK


2) Now set an initial pwd for the same user

# ipa user-mod usr1 --password

--> The user has sambaNTPassword, but NOT sambaPwdLastSet


3) user created via CLI with initial password given:

# ipa user-add usr2 --first=Bertie --last=Wooster --password
# ipa group-add-member smbgrp --users=usr2

--> The user has both the sambaPwdLastSet and sambaNTPassword attributes.

sambaPwdLastSet = 0 --> OK


4) Now let usr2 set his real password:

# su usr2
# kinit usr2

--> The user has both the sambaPwdLastSet and sambaNTPassword attributes.

sambaPwdLastSet remains = 0 --> NOT OK, sambaPwdLastSet should now be a
positive number!

At this stage usr2 cannot access Samba shares. Of course, I can use an LDAP
browser or CLI commands to set sambaPwdLastSet=1, but that is easily
forgotten.

The next test (result still open) is to see what happens with sambaPwdLastSet
on password expiry. To do this I have created a fast expiring password
group policy, added usr2 to that group, and then let usr2 change his
password to ensure the new policy is active.

# ipa group-add fastexpire --desc="group with a fast expiring pwd policy"
# ipa group-add-member fastexpire --users=usr2
# ipa pwpolicy-add fastexpire --minlife=0 --maxlife=1 --history=1 --priority=1
# su usr2
# ipa user-mod usr2 --password

Results of this test tomorrow.


Chris


From:   Alexander Bokovoy 
To: Rob Crittenden 
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Date:   20.07.2015 15:52
Subject:Re: [Freeipa-users] FreeIPA and sambaPwdLastSet



On Mon, 20 Jul 2015, Rob Crittenden wrote:
>Christopher Lamb wrote:
>>Hi Alexander
>>
>>This issue got overtaken by others, and slipped off my radar for a bit...
>>
>>While the solution suggested earlier in this thread at
>>http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>sounds interesting (and we are running the correct versions of OEL 7.1
>>and SSSD), it seems to require the Windows clients to be members of an
>>Active Directory trusted by IPA.
>>
>>Unfortunately there is no AD in our architecture - our Windows and OSX
>>clients are effectively islands. That would seem to leave us stuck with
>>sambaPwdLastSet.
>>
>>After a user has had his password reset via the IPA WebUi to a temporary
>>value, the user then logs on using the temporary password, and is asked
>>to enter a new password. At this point sambaPwdLastSet should be set to a
>>positive value. However our testing indicates that it is not. We have
>>tried 3 techniques:
>>
>>1) User connects to LDAP server via remote ssh.
>>
>>2) kinit 
>>
>>3) su -  over an existing ssh session with another user (e.g. mine)
>>
>>In all three cases the user is able to set their password, but
>>sambaPwdLastSet remains set to 0.
>>
>>As a workaround we use Apache Directory Studio to manually set
>>sambaPwdLastSet once the user has changed his password.
>>
>>Chris
>
>AFAICT the user needs the sambaSamAccount objectclass in order for
>this to work. Is that the case?
Yes, exactly.

This object class is not used by IPA integration with Samba, so we don't
give it to users by default. The code in IPA password plugin checks if
there is an object class named SambaSamAccount on the user entry and
then manipulates sambaPwdLastSet as required.

--
/ Alexander Bokovoy




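An audit that applies Alexander's explanation above (the IPA password plugin only manipulates sambaPwdLastSet on entries that carry the sambaSamAccount object class) to the four states Chris observed in his tests. This is an added example, not code from the thread or from FreeIPA's password plugin: it reads an LDIF export of user entries and classifies each one, so the "easily forgotten" manual fix has a list to work from. The LDIF, the SIDs and the hash values are constructed placeholders; a real export would come from ldapsearch against the IPA directory.

```python
"""Audit IPA user entries for the sambaPwdLastSet problem in this thread.

Added example (not from the thread, not FreeIPA's password plugin). It
applies the rule Alexander describes: IPA only maintains sambaPwdLastSet
on entries that carry the sambaSamAccount object class, and a user whose
sambaPwdLastSet is missing or 0 cannot use Samba shares until it is set.
The LDIF below is constructed; hash and SID values are placeholders.
"""

SAMPLE_LDIF = """\
dn: uid=usr1,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: sambaSamAccount
uid: usr1
sambaSID: S-1-5-21-PLACEHOLDER-1301
sambaNTPassword: PLACEHOLDER_NT_HASH

dn: uid=usr2,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: sambaSamAccount
uid: usr2
sambaSID: S-1-5-21-PLACEHOLDER-1302
sambaNTPassword: PLACEHOLDER_NT_HASH
sambaPwdLastSet: 0

dn: uid=usr3,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: usr3

dn: uid=usr4,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: sambaSamAccount
uid: usr4
sambaSID: S-1-5-21-PLACEHOLDER-1304
sambaNTPassword: PLACEHOLDER_NT_HASH
sambaPwdLastSet: 1439114400

dn: uid=usr5,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: sambaSamAccount
uid: usr5
sambaSID: S-1-5-21-PLACEHOLDER-1305
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, attribute names
    lower-cased (LDAP attribute names are case-insensitive), multi-valued."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def samba_state(entry):
    """Classify one entry: ok / blocked / no-hash / no-samba."""
    uid = entry["uid"][0]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        return uid, "no-samba", ("no sambaSamAccount object class, so IPA "
                                 "will never touch sambaPwdLastSet")
    if "sambantpassword" not in entry:
        return uid, "no-hash", "no sambaNTPassword yet; set a password via IPA"
    last_set = entry.get("sambapwdlastset", [None])[0]
    if last_set is None or int(last_set) <= 0:
        return uid, "blocked", ("sambaPwdLastSet is %s; Samba logon fails "
                                "until it is set to a positive value"
                                % (last_set if last_set else "missing"))
    return uid, "ok", "sambaPwdLastSet=%s" % last_set


def audit(ldif_text):
    """Return [(uid, state, reason)] for every entry in the LDIF."""
    return [samba_state(e) for e in parse_ldif(ldif_text)]


def needing_attention(ldif_text):
    """Just the uids an administrator has to act on."""
    return [uid for uid, state, _ in audit(ldif_text) if state != "ok"]


if __name__ == "__main__":
    for uid, state, reason in audit(SAMPLE_LDIF):
        print(f"{uid:8} {state:9} {reason}")
```

usr1 and usr2 correspond to Chris's cases 2 and 3/4 (hash present, sambaPwdLastSet missing or 0), usr3 is a user that never received the Samba object class, and usr5 is case 1 (created without a password).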


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-08 Thread Christopher Lamb
Hi Alexander

As this particular stick has many ends, it is easy to grab the wrong one!
8-)

So it sounds like there are / will be at least four integration paths to
integrate Samba and FreeIPA. For clarity my current understanding is as
follows:

1) The longer term path via SSSD and NTLMSSP
1.1) Documentation: Not yet documented, as under development
1.2) Viability 4.x/4.x: In development, not yet available. (???
Any idea of a possible timeline ???)
1.3) Schema Extensions: Will this path use the AD Trust Extensions?
ipasam module?
1.4) Active Directory:  Will this path work without AD (like 2) below)?
1.5) Other: Should be more scalable (less 
duplication of
function e.g. connections, caches)

2) A path using the IPASAM module + AD Trust Extensions to the FreeIPA
schema,
2.1) Documentation: Is currently best documented further back in
this thread (post(s) from Youeen)
2.2) Viability 4.x/4.x: Is viable for FreeIPA 4.x / Samba 4.x.
This is the path successfully tested / implemented by Youeen. However,
while viable, this solution is not actively supported, as efforts are
focussed on 1) above.
2.3) Schema Extensions: Requires schema extensions
(ipa-adtrust-install).
2.4) Active Directory:  Despite the AD extensions, NO Active Directory
required in the architecture.
2.5) Other: half LDAP (to read NTHash/SID), half 
Kerberos
(to bind samba to the LDAP).

3) A path using  the LDAPSAM module + Samba Extensions to the FreeIPA
schema.
3.1) Documentation: Is best documented under
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/,
(although this article contains some small errors).
3.2) Viability 4.x/4.x: May no longer be fully viable for 
FreeIPA
4.x / Samba 4.x, or only viable with some quirks / workarounds.
3.3) Schema Extensions: Requires schema extensions via LDAPMODIFY /
LDAPADD scripts + changes to FreeIPA python scripts and WebUI
3.4) Active Directory:  NO Active Directory required in the
architecture. (Samba clients can be “islands”).
3.5) Other: Is the path that I am currently using in
production (originally with 3.x/3.x, now with 4.x/4.x)

4) A path using the kerberos module and Active Directory + AD Trust
Extensions to the FreeIPA schema.
4.1) Documentation: Is documented under:
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
4.2) Viability 4.x/4.x: ??? The article above mentions FreeIPA 3.3+, but
also RHEL 7.1 preferred / sssd 1.12.2+, which suggests 4.x / 4.x.
4.3) Schema Extensions: Requires schema extensions
(ipa-adtrust-install)
4.4) Active Directory:  Requires Active Directory + Domain in the
architecture. (i.e. Samba clients are NOT “islands”).

If we can confirm / correct the above, it can serve as the basis for a
FreeIPA Wiki Page, with child How-to articles for each of the viable
solutions.

As I am using solution 3) in production, yet others have problems getting it
working at all, I have now set up a throwaway VM running FreeIPA 4.1 and
Samba 4.1.12, and can experiment freely with 3), and after that with 2).

Cheers

Chris






From:   Alexander Bokovoy 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: "Matt ." , "freeipa-users@redhat.com"

Date:   07.08.2015 23:09
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



On Thu, 06 Aug 2015, Christopher Lamb wrote:
>Hi Matt
>
>As far as I can make out, there are at least 2 viable Samba / FreeIPA
>integration paths.
>
>The route I took is suited where there is no Active Directory involved: In
>my case all the Windows, OSX and Linux clients are islands that sit on the
>same network.
>
>The route that Youenn has taken (unless I have got completely the wrong
>end of the stick) requires Active Directory in the architecture.
Yes, you are at the wrong end of the stick. You don't need AD in the
architecture here. You can reuse the IPA design for AD integration via
trust for normal Samba integration but use ipasam.so instead of ldapsam.so.
This is what Youenn did. The only reason we don't support it (yet) is
that we think doing a longer-term solution via SSSD and NTLMSSP support
is better scalability-wise -- your SSSD client already has an LDAP
connection and already holds identity mappings in its cache, so there is
no need to run a separate LDAP connection in smbd/winbindd for that and
cache the same data in a different way.

--
/ Alexander Bokovoy




Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-07 Thread Christopher Lamb
Hi Matt

As far as I can make out, there are at least 2 viable Samba / FreeIPA
integration paths.

The route I took is suited where there is no Active Directory involved: In
my case all the Windows, OSX and Linux clients are islands that sit on the
same network.

The route that Youenn has taken (unless I have got completely the wrong end
of the stick) requires Active Directory in the architecture.

Chris



From:   "Matt ." 
To: Youenn PIOLET 
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
"freeipa-users@redhat.com" 
Date:   06.08.2015 14:42
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi,

OK, this sounds already quite logical, but I'm still referring to the
old howto we found earlier, does that one still apply somewhere or not
at all ?

Thanks,

Matt



2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
> Hey guys,
>
> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>
> General idea:
>
> On FreeIPA (4.1)
> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
> attribute, also known as SID)
> - regenerate each user password to build ipaNTHash attribute, not here by
> default on users
> - use your ldap browser to check ipaNTHash values are here on user
> objects
> - create a CIFS service for your samba server
> - Create user roles/permissions as described here:
> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> so that CIFS service will be able to read ipaNTsecurityidentifier and
> ipaNTHash attributes in LDAP (ACI)
> - SCP ipasam.so module to your cifs server (this is the magic trick):
> scp /usr/lib64/samba/pdb/ipasam.so root@samba-server.domain:/usr/lib64/samba/pdb/
> You can also try to recompile it.
>
> On SAMBA Server side (CentOS 7...)
> - Install server keytab file for CIFS
> - check ipasam.so is here.
> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
> uid=admin ipaNTHash` thanks to kerberos
> - make your smb.conf following the linked thread and restart service
>
> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
> ipasam may use quite recent functionalities, the best is to just try. You
> can read in previous thread : "If you insist on Ubuntu you need to get
> ipasam somewhere, most likely to compile it yourself".
>
> Make sure your user has ipaNTHash attribute :)
>
> You may want to debug authentication on samba server, I usually do this:
> `tail -f /var/log/samba/log* | grep 
>
> Cheers
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> 2015-08-05 17:40 GMT+02:00 Matt . :
>>
>> Hi,
>>
>> This sounds great to me too, but a howto would help to make it more
>> clear about what you have done here. The thread confuses me a little
>> bit.
>>
>> Can you paste your commands so we can test out too and report back ?
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>> > Hi Youenn
>> >
>> > Good news that you have got an integration working
>> >
>> > Now you have got it going, and the solution is fresh in your mind, how
>> > about adding a How-to page on this solution to the FreeIPA wiki?
>> >
>> > Chris
>> >
>> >
>> >
>> > From:   Youenn PIOLET 
>> > To: "Matt ." 
>> > Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
>> > "freeipa-users@redhat.com" 
>> > Date:   05.08.2015 14:51
>> > Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> >
>> >
>> >
>> > Hi guys,
>> >
>> > Thank you so much for your previous answers.
>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
>> > ipa-adtrust-install --add-sids
>> >
>> > I found another way to configure smb here:
>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>> > It works perfectly.
>> >
>> > I'm using module ipasam.so I have manually scp to the samba server,
>> > Samba is set to use kerberos + ldapsam via this ipasam module.
>> > Following the instructions, I created a user role allowing service
>> > principal to read ipaNTHash value from the LDAP.
>> > ipaNTHash are generated each time a user changes his password.
>> > Authentication works perfectly on Windows 7, 8 and 10.
>> >
>> > For more details, the previously linked thread is quite clear.
>> >
>> > Cheers
>> >
>> > --
>> > Youenn

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-06 Thread Christopher Lamb
@Youenn. Thanks for the clarification. At least 3 integration paths, so we
may end up with 3 Wiki how-tos.

@Matt I now have a throwaway VM with FreeIPA 4.1 Server installed, that I
can play around with over the next few days, but as this is "in my free
time, on the train on the way home" type activity, I don't know how fast I
will be.



From:   Youenn PIOLET 
To: "Matt ." 
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
"freeipa-users@redhat.com" 
Date:   06.08.2015 17:16
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi,

There is no Active Directory in my solution, just freeipa adtrust
extensions - necessary to generate SIDs.

To me, there are 3 integration paths:
- ldapsam module without AD, using LDAP directly: you need samba
extensions in FreeIPA's LDAP, that's what you tried to achieve in this
thread.
- kerberos module with AD, this is the tutorial from the official
documentation
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
but it won't work on Windows if you don't have a domain because of NTLM
problems
- ipasam module, the solution I used: half LDAP (to read NTHash/SID), half
Kerberos (to bind samba to the LDAP).

In all solutions, extra schemas are needed for FreeIPA directory.
`ipa-adtrust-install` can install these extensions, or you can do it
manually. I prefer the IPA automatic way to LDIFs :)

ipa-adtrust-install also automatically generates the SID and Password Hash
needed by CIFS when you add a user or a group in FreeIPA. No need to patch
the interface to generate correct attributes.

What I also understood: ipa-adtrust-install doesn't use the good old samba
extensions (with things like sambaSID, sambaGroupType, sambaSamAccount,
etc.) but new ipaNTHash/ipaNTsecurityIdentifier values. This must be the
reason why ldapsam solution doesn't work directly after a
ipa-adtrust-install. To ask CIFS service to read them instead of the
classic ones, we use ipasam.

@Matt .
You're currently trying the ldapsam solution. The problem is to make FreeIPA
interface able to work with samba "good old extensions". These extensions
contain the classes like "sambaSamAccount" or "sambaGroupMapping". To make
CIFS able to read groups from LDAP, groups need to instantiate some samba
classes (same for users). When you instantiate the class sambaGroupMapping,
the value sambaGroupType is compulsory, but FreeIPA doesn't build the value
correctly, even with the group.js patch previously linked. I think some dev
is needed to fix this if you want to do it this way.

In my opinion, the 'ipasam' way is much easier, and seems to be the
way redhat/devs/freeipa want to support in the future.

Cheers,
--
Youenn Piolet
piole...@gmail.com


2015-08-06 16:19 GMT+02:00 Matt . :
  Hi Chris,

  OK, then we might create two different versions of the wiki, I think
  this is nice.

  I'm still figuring out why I get that:

  IPA Error 4205: ObjectclassViolation

  missing attribute "sambaGroupType" required by object class
  "sambaGroupMapping"

  Matt

  2015-08-06 16:09 GMT+02:00 Christopher Lamb :
  > Hi Matt
  >
  > As far as I can make out, there are at least 2 viable Samba / FreeIPA
  > integration paths.
  >
  > The route I took is suited where there is no Active Directory involved:
  > In my case all the Windows, OSX and Linux clients are islands that sit
  > on the same network.
  >
  > The route that Youenn has taken (unless I have got completely the wrong
  > end of the stick) requires Active Directory in the architecture.
  >
  > Chris
  >
  >
  >
  > From:   "Matt ." 
  > To:     Youenn PIOLET 
  > Cc:     Christopher Lamb/Switzerland/IBM@IBMCH,
  >             "freeipa-users@redhat.com" 
  > Date:   06.08.2015 14:42
  > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >
  >
  >
  > Hi,
  >
  > OK, this sounds already quite logical, but I'm still referring to the
  > old howto we found earlier, does that one still apply somewhere or not
  > at all ?
  >
  > Thanks,
  >
  > Matt
  >
  >
  >
  > 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
  >> Hey guys,
  >>
  >> I'll try to make a tutorial soon, sorry I'm quite in a rush these
  >> days :)
  >>
  >> General idea:
  >>
  >> On FreeIPA (4.1)
  >> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
  >> attribute, also known as SID)
  >> - regenerate each user password to build ipaNTHash attribute, not here
  >> by default on users
  >> - use your ldap browser to check ipaNTHash values are here on user
  >> objects
  >> - create a CIFS service for your samba server
  >> - Create user roles

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-05 Thread Christopher Lamb
Hi Youenn

Good news that you have got an integration working

Now you have got it going, and the solution is fresh in your mind, how
about adding a How-to page on this solution to the FreeIPA wiki?

Chris



From:   Youenn PIOLET 
To: "Matt ." 
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
"freeipa-users@redhat.com" 
Date:   05.08.2015 14:51
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi guys,

Thank you so much for your previous answers.
I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
ipa-adtrust-install --add-sids

I found another way to configure smb here:
http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
It works perfectly.

I'm using module ipasam.so I have manually scp to the samba server,
Samba is set to use kerberos + ldapsam via this ipasam module.
Following the instructions, I created a user role allowing service
principal to read ipaNTHash value from the LDAP.
ipaNTHash are generated each time a user changes his password.
Authentication works perfectly on Windows 7, 8 and 10.

For more details, the previously linked thread is quite clear.

Cheers

--
Youenn Piolet
piole...@gmail.com


2015-08-05 11:10 GMT+02:00 Matt . :
  Hi Chris.

  Yes, Apache Studio did that but I was not sure why it complained it
  was "already" there.

  I'm still getting:

  IPA Error 4205: ObjectclassViolation

  missing attribute "sambaGroupType" required by object class
  "sambaGroupMapping"

  When adding a user.

  I also see "class" as field name under my "Last name", this is not OK also.



  We sure need to make some howto, I think we can nail this down :)

  Thanks for the heads up!

  Matthijs

  2015-08-05 7:51 GMT+02:00 Christopher Lamb :
  > Hi Matt
  >
  > If I use Apache Directory Studio to add an attribute ipaCustomFields to
  > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
  > below:
  >
  > #!RESULT OK
  > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
  > #!DATE 2015-08-05T05:45:04.608
  > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
  > changetype: modify
  > add: ipaCustomFields
  > ipaCustomFields: Samba Group Type,sambagrouptype,true
  >
  > After that I then have a visible attribute ipaCustomFields as expected.
  >
  > When adding the attribute, the wizard offered me "ipaCustomFields" as
  > attribute type in a drop down list.
  >
  > Once we get this cracked, we really must write a how-to on the FreeIPA
  > Wiki.
  >
  > Chris
  >
  >
  >
  > From:   Christopher Lamb/Switzerland/IBM@IBMCH
  > To:     "Matt ." 
  > Cc:     "freeipa-users@redhat.com" 
  > Date:   05.08.2015 07:31
  > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  > Sent by:        freeipa-users-boun...@redhat.com
  >
  >
  >
  > Hi Matt
  >
  > I also got the same result at that step, but can see nothing in Apache
  > Directory Studio.
  >
  > As I am using existing Samba / FreeIPA groups migrated across, they
  > probably were migrated with all the required attributes.
  >
  > Looking more closely at that LDIF: I wonder should it not be:
  >
  > ldapmodify -Y GSSAPI < dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
  > changetype: modify
  > add: ipaCustomFields
  > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
  > EOF
  >
  > i.e. changetype: modify, instead of changetype add ?
  >
  > I don't want to play around with my prod directory - I will setup an
  > EL 7.1 VM and install FreeIPA 4.x and Samba 4.x That will allow me to
  > play around more destructively.
  >
  > Chris
  >
  >
  >
  >
  >
  > From:            "Matt ." 
  > To:              Christopher Lamb/Switzerland/IBM@IBMCH
  > Cc:              Youenn PIOLET , "freeipa-users@redhat.com"
  > Date:            05.08.2015 01:01
  > Subject:                 Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >
  >
  >
  > Hi Chris,
  >
  > I'm at the right path, but my issue is that:
  >
  > ldapmodify -Y GSSAPI < dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
  > changetype: add
  > add: ipaCustomFields
  > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
  > EOF
  >
  > Does say it exists, my ldap explorer doesn't show it, and when I add
  > it manually as an attribute it still fails when I add a user on this
  > sambagrouptype as it's needed by the other attributes
  >
  > So that is my issue I think so far.
  >
  > Any clue about that ?
  >
  > No problem "you don't know something or are no guru" we are al

Re: [Freeipa-users] FreeIPA user ID differs

2015-08-05 Thread Christopher Lamb
Check also that the compat tree plugin is enabled, and enable it if not:

ipa-compat-manage status

ipa-compat-manage enable

ipactl restart

Cheers,

Chris


From:   Loris Santamaria 
To: freeipa-users@redhat.com
Date:   05.08.2015 14:26
Subject:Re: [Freeipa-users] FreeIPA user ID differs
Sent by:freeipa-users-boun...@redhat.com



Hi, the compat tree is generated dynamically based on the cn=accounts
tree and from information retrieved by server-mode SSSD.

If the compat tree gets out of sync, a restart of the ipa server and
SSSD should fix it.

Best regards

On Wed, 05-08-2015 at 12:14 +, markus@mc.ingenico.com
wrote:
> Hi Christopher,
>
> how to update the compat tree accordingly? Our developers edited the
> values in FreeIPA but don't see the NIS IDs and therefore can't edit
> them.
>
> -----Original Message-----
> From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
> Sent: Tuesday, 4 August 2015 11:27
> To: Moj, Markus
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA user ID differs
>
> Markus
>
> Have you checked both the cn=accounts and cn=compat trees?.  Users
> and groups are stored in both, and both would need manipulation...
>
> Ciao
>
> Chris
>
>
>
> From:  
> To:
> Date:  04.08.2015 11:14
> Subject:   [Freeipa-users] FreeIPA user ID differs
> Sent by:   freeipa-users-boun...@redhat.com
>
>
>
> Hi @all,
>
> I've encountered a strange "error". I've created a user with a
> generated UID from the predefined range. After creation I've had to
> manipulate the UID to fit an old NIS configuration and set the UID to
> the old NIS value.
> FreeIPA shows the correct UID as well as ldapsearch. But if I logon
> onto a host and enter `id ` I receive the old UID, GID and
> groups information instead of the corrected one.
>
> Maybe someone can help me out to pinpoint the error and to fix it.
>
> Cheers,
> Markus
>
--
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
--------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Christopher Lamb
Hi Matt

If I use Apache Directory Studio to add an attribute ipaCustomFields to
cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:

#!RESULT OK
#!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
#!DATE 2015-08-05T05:45:04.608
dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
changetype: modify
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true

After that I then have a visible attribute ipaCustomFields as expected.

When adding the attribute, the wizard offered me "ipaCustomFields" as
attribute type in a drop down list.

Once we get this cracked, we really must write a how-to on the FreeIPA
Wiki.

Chris



From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: "Matt ." 
Cc: "freeipa-users@redhat.com" 
Date:   05.08.2015 07:31
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by:freeipa-users-boun...@redhat.com



Hi Matt

I also got the same result at that step, but can see nothing in Apache
Directory Studio.

As I am using existing Samba / FreeIPA groups migrated across, they
probably were migrated with all the required attributes.

Looking more closely at that LDIF: I wonder should it not be:

ldapmodify -Y GSSAPI <
To:  Christopher Lamb/Switzerland/IBM@IBMCH
Cc:  Youenn PIOLET , "freeipa-users@redhat.com"

Date:05.08.2015 01:01
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

I'm at the right path, but my issue is that:

ldapmodify -Y GSSAPI <:
> Hi Matt, Youenn
>
> Just to set the background properly, I did not invent this process. I
> know only a little about FreeIPA, and almost nothing about Samba, but I
> guess I was lucky enough to get the integration working on a Sunday
> afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as
> a reference).
>
> It sounds like we need to step back, and look at the test user and group
> in the FreeIPA LDAP tree. I find using an LDAP browser makes this much
> easier.
>
> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
> (cn=accounts, cn=users):
>
> * objectClass: sambasamaccount
>
> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>
> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
> (cn=accounts, cn=groups):
>
> * objectClass: sambaGroupMapping
>
> * Attributes: sambaGroupType, sambaSID
>
> The Users must belong to one or more of the samba groups that you have
> setup.
>
> If you don't have something similar to the above (which sounds like it is
> the case), then something went wrong applying the extensions. It would be
> worth testing comparing a new user / group created post adding the
> extensions to a previous existing user.
>
> i.e.
> are the extensions missing on existing users / groups?
> are the extensions missing on new users / groups?
>
> Cheers
>
> Chris
>
>
>
>
>
> From:   Youenn PIOLET 
> To: "Matt ." 
> Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
> "freeipa-users@redhat.com" 
> Date:   04.08.2015 18:56
> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
>
>
> Hi there,
>
> I have difficulties to follow you at this point :)
> Here is what I've done and what I've understood:
>
> ## SMB Side
> - Testparm OK
> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
> - pdbedit -Lv output is all successful but I can see there is a filter:
> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have
> sambaSamAccount.
>
> ## LDAP / FreeIPA side
> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
> server to get samba LDAP extensions.
> - I can see samba classes exist in LDAP but are not used on my group
> objects nor my user objects
> - I have added sambaSamAccount in FreeIPA default user classes,
> and sambaGroupMapping to default group classes. In that state I can't
> create user nor groups anymore, as new samba attributes are needed for
> instantiation.
> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
> but I don't get what it does.
> - I tried to add the samba.js plugin. It works, and adds the "local"
> option when creating a group in FreeIPA, supposed to set sambagrouptype
> to 4 or 2 (domain). It doesn't work and tells that sambagrouptype
> attribute doesn't exist (but it should now I put sambaGroupType class by
> default...)
>
> ## Questions
> 0) Can I ask samba not to search sambaSamAccount and use unix / posix
> instead? I guess no.
> 1) How to generate the user/group SIDs ? They are re
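
The 'changetype: add' versus 'changetype: modify' question raised over the ipaCustomFields LDIFs in this exchange, worked through as an added Python example (this is not code from the thread or from FreeIPA). It parses a single LDIF change record and reports the two things that differ between the record Matt posted and the one Apache Directory Studio generated for Chris: the changetype, and the quotes around the value. The two sample records are copied from the messages above; the function names are my own.

```python
"""Check an LDIF change record before it goes to ldapmodify.

Added example, not code from the thread. In LDIF, 'changetype: add' asks
the server to create a new entry at the dn (for an existing entry such as
cn=ipaConfig,cn=etc the server answers that it already exists), while
'changetype: modify' with 'add: <attr>' appends a value to an existing
entry. LDIF values are also taken literally, quotes included.
"""

# Matt's record as posted in the thread
MATT_LDIF = """\
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
"""

# the record Apache Directory Studio generated for Chris
STUDIO_LDIF = """\
dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
changetype: modify
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
"""

MOD_OPS = ("add", "replace", "delete")


def parse_change_record(text):
    """Return (dn, changetype, mods) for one change record.
    mods is a list of [op, attribute, values]; attribute lines following an
    'add:/replace:/delete:' line are the values of that modification."""
    dn = changetype = None
    mods = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.strip() == "-":
            continue                      # blank, comment, or mod separator
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            changetype = value.lower()
        elif key in MOD_OPS:
            mods.append([key, value, []])
        elif mods:
            mods[-1][2].append(value)
    return dn, changetype, mods


def check_change_record(text):
    """Return a list of problems; an empty list means the record is consistent."""
    dn, changetype, mods = parse_change_record(text)
    problems = []
    if not dn:
        problems.append("no dn line")
    if changetype not in ("add", "modify", "delete", "modrdn"):
        problems.append(f"unknown changetype {changetype!r}")
    if changetype == "add" and mods:
        # 'add:' lines only make sense under 'changetype: modify'; under
        # 'changetype: add' the server tries to create a whole new entry
        problems.append("changetype: add creates a new entry; use "
                        "changetype: modify to add an attribute to an existing one")
    if changetype == "modify" and not mods:
        problems.append("changetype: modify without add/replace/delete")
    for op, attr, values in mods:
        if op != "delete" and not values:
            problems.append(f"{op}: {attr} has no value")
        for v in values:
            if len(v) >= 2 and v[0] == v[-1] == '"':
                problems.append(f"{attr} value is quoted; LDIF stores the quotes literally")
    return problems


if __name__ == "__main__":
    for name, record in (("Matt", MATT_LDIF), ("Studio", STUDIO_LDIF)):
        print(name, check_change_record(record) or ["ok"])
```

Run it on a record before piping the record into `ldapmodify -Y GSSAPI`: Matt's record is reported twice (wrong changetype, quoted value) and the Studio record passes.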

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Christopher Lamb
Hi Matt

I also got the same result at that step, but can see nothing in Apache
Directory Studio.

As I am using existing Samba / FreeIPA groups migrated across, they
probably were migrated with all the required attributes.

Looking more closely at that LDIF: I wonder should it not be:

ldapmodify -Y GSSAPI <
To:     Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Youenn PIOLET , "freeipa-users@redhat.com"

Date:   05.08.2015 01:01
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

I'm at the right path, but my issue is that:

ldapmodify -Y GSSAPI <:
> Hi Matt, Youenn
>
> Just to set the background properly, I did not invent this process. I
> know only a little about FreeIPA, and almost nothing about Samba, but I
> guess I was lucky enough to get the integration working on a Sunday
> afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as
> a reference).
>
> It sounds like we need to step back, and look at the test user and group
> in the FreeIPA LDAP tree. I find using an LDAP browser makes this much
> easier.
>
> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
> (cn=accounts, cn=users):
>
> * objectClass: sambasamaccount
>
> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>
> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
> (cn=accounts, cn=groups):
>
> * objectClass: sambaGroupMapping
>
> * Attributes: sambaGroupType, sambaSID
>
> The Users must belong to one or more of the samba groups that you have
> setup.
>
> If you don't have something similar to the above (which sounds like it is
> the case), then something went wrong applying the extensions. It would be
> worth testing comparing a new user / group created post adding the
> extensions to a previous existing user.
>
> i.e.
> are the extensions missing on existing users / groups?
> are the extensions missing on new users / groups?
>
> Cheers
>
> Chris
>
>
>
>
>
> From:   Youenn PIOLET 
> To: "Matt ." 
> Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
> "freeipa-users@redhat.com" 
> Date:   04.08.2015 18:56
> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
>
>
> Hi there,
>
> I have difficulties to follow you at this point :)
> Here is what I've done and what I've understood:
>
> ## SMB Side
> - Testparm OK
> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
> - pdbedit -Lv output is all successful but I can see there is a filter:
> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have
> sambaSamAccount.
>
> ## LDAP / FreeIPA side
> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
> server to get samba LDAP extensions.
> - I can see samba classes exist in LDAP but are not used on my group
> objects nor my user objects
> - I have added sambaSamAccount in FreeIPA default user classes,
> and sambaGroupMapping to default group classes. In that state I can't
> create user nor groups anymore, as new samba attributes are needed for
> instantiation.
> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
> but I don't get what it does.
> - I tried to add the samba.js plugin. It works, and adds the "local"
> option when creating a group in FreeIPA, supposed to set sambagrouptype
> to 4 or 2 (domain). It doesn't work and tells that sambagrouptype
> attribute doesn't exist (but it should now I put sambaGroupType class by
> default...)
>
> ## Questions
> 0) Can I ask samba not to search sambaSamAccount and use unix / posix
> instead? I guess no.
> 1) How to generate the user/group SIDs ? They are requested to add
> sambaSamAccount classes.
> This article doesn't seem relevant since we don't use domain controller
>
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
> and netgetlocalsid returns an error.
> 2) How to fix samba.js plugin?
> 3) I guess an equivalent of samba.js is needed for user creation, where
> can I find it?
> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows
> 7?
>
> Thanks a lot for your previous and future answers
>
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> 2015-08-04 17:55 GMT+02:00 Matt . :
>   Hi,
>
>   Yes, log is anonymised.
>
>   It's strange, my user doesn't have a SambaPwdLastSet, also when I
>   change it's password it doesn't get it in ldap.
>
>   There must be something going wrong I guess.
>
>   Matt
>
>   2015-08-04 17:45 GMT+02:00 Christopher Lamb :
>   > 

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Christopher Lamb
Hi Matt, Youenn

Just to set the background properly, I did not invent this process. I know
only a little about FreeIPA, and almost nothing about Samba, but I guess I
was lucky enough to get the integration working on a Sunday afternoon. (I
did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

It sounds like we need to step back, and look at the test user and group in
the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.

My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
(cn=accounts, cn=users):

* objectClass: sambasamaccount

* Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
(cn=accounts, cn=groups):

* objectClass: sambaGroupMapping

* Attributes: sambaGroupType, sambaSID

The Users must belong to one or more of the samba groups that you have
setup.

If you don't have something similar to the above (which sounds like it is
the case), then something went wrong applying the extensions. It would be
worth testing comparing a new user / group created post adding the
extensions to a previous existing user.

i.e.
are the extensions missing on existing users / groups?
are the extensions missing on new users / groups?

Cheers

Chris





From:   Youenn PIOLET 
To: "Matt ." 
Cc:     Christopher Lamb/Switzerland/IBM@IBMCH,
"freeipa-users@redhat.com" 
Date:   04.08.2015 18:56
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi there,

I have difficulties to follow you at this point :)
Here is what I've done and what I've understood:

## SMB Side
- Testparm OK
- I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
- pdbedit -Lv output is all successful but I can see there is a filter:
(&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have
sambaSamAccount.

## LDAP / FreeIPA side
- Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
server to get samba LDAP extensions.
- I can see samba classes exist in LDAP but are not used on my group
objects nor my user objects
- I have added sambaSamAccount in FreeIPA default user classes,
and sambaGroupMapping to default group classes. In that state I can't
create user nor groups anymore, as new samba attributes are needed for
instantiation.
- I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
but I don't get what it does.
- I tried to add the samba.js plugin. It works, and adds the "local" option
when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
(domain). It doesn't work and tells that sambagrouptype attribute doesn't
exist (but it should now I put sambaGroupType class by default...)

## Questions
0) Can I ask samba not to search sambaSamAccount and use unix / posix
instead? I guess no.
1) How to generate the user/group SIDs ? They are requested to add
sambaSamAccount classes.
This article doesn't seem relevant since we don't use domain controller
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
and netgetlocalsid returns an error.
2) How to fix samba.js plugin?
3) I guess an equivalent of samba.js is needed for user creation, where can
I find it?
4) Is your setup working with Windows 8 / Windows 10 and not only Windows
7?

Thanks a lot for your previous and future answers

--
Youenn Piolet
piole...@gmail.com


2015-08-04 17:55 GMT+02:00 Matt . :
  Hi,

  Yes, log is anonymised.

  It's strange, my user doesn't have a SambaPwdLastSet, also when I
  change its password it doesn't get it in ldap.

  There must be something going wrong I guess.

  Matt

  2015-08-04 17:45 GMT+02:00 Christopher Lamb :
  > Hi Matt
  >
  > I assume [username] is a real username, identical to that in the
  > FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
  >
  > Your user should be a member of the appropriate samba groups that you
  > setup in FreeIPA.
  >
  > You should check that the user attribute SambaPwdLastSet is set to a
  > positive value (e.g. 1). If not you get an error in the Samba logs - I
  > would need to play around again with a test user to find out the exact
  > error.
  >
  > I don't understand what you mean about syncing the users local, but we
  > did not need to do anything like that.
  >
  > Chris
  >
  >
  >
  >
  > From:   "Matt ." 
  > To:     Christopher Lamb/Switzerland/IBM@IBMCH
  > Cc:     "freeipa-users@redhat.com" 
  > Date:   04.08.2015 15:33
  > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >
  >
  >
  > Hi Chris,
  >
  > A puppet run added another passdb backend, that was causing my issue.
  >
  > What I still experience is:
  >
  >
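
Added here as an example (not code from the thread, nor a FreeIPA or Samba tool): a Python audit of an LDIF export that checks the things the thread turns up one by one, namely the pdbedit filter (&(uid=*)(objectclass=sambaSamAccount)) Youenn quotes, Chris's advice that SambaPwdLastSet must be a positive value, and the SambaGroupType 4 (local) or 2 (domain) values the samba.js plugin sets. SAMPLE_LDIF and the SIDs in it are constructed sample data.

```python
"""Audit FreeIPA user/group entries for what Samba's ldapsam backend needs.

Added example, not code from the thread. Input is LDIF as printed by
ldapsearch -LLL; SAMPLE_LDIF below is constructed, not real directory data.
"""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# pdbedit searches (&(uid=*)(objectclass=sambaSamAccount)), so a user that
# only has posixAccount is invisible to Samba: "Couldn't find user ... in passdb".
USER_CLASS = "sambasamaccount"
GROUP_CLASS = "sambagroupmapping"
GROUP_TYPES = {"4": "local", "2": "domain"}   # values the samba.js plugin offers


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: 'attr: value' lines, folded continuation lines
    (leading space), blank-line-separated entries. Attribute names are
    lower-cased because LDAP attribute names are case-insensitive."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():   # unfold continuations
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_user(entry: Entry) -> List[str]:
    """Problems that make ldapsam reject or ignore this user entry."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if USER_CLASS not in classes:
        # Without the class the other samba* attributes cannot exist either.
        return ["missing objectClass sambaSamAccount (pdbedit filter will not match)"]
    problems: List[str] = []
    if not entry.get("sambasid"):
        problems.append("missing sambaSID (mandatory in sambaSamAccount)")
    last_set = entry.get("sambapwdlastset", ["0"])[0]
    if not last_set.isdigit() or int(last_set) <= 0:
        problems.append(f"sambaPwdLastSet must be a positive integer, got {last_set!r}")
    return problems


def check_group(entry: Entry) -> List[str]:
    """Problems that stop the group from being usable in 'valid users = @group'."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if GROUP_CLASS not in classes:
        return ["missing objectClass sambaGroupMapping"]
    problems: List[str] = []
    if not entry.get("sambasid"):
        problems.append("missing sambaSID (mandatory in sambaGroupMapping)")
    gtype = entry.get("sambagrouptype", [None])[0]
    if gtype not in GROUP_TYPES:
        problems.append(f"sambaGroupType should be 4 (local) or 2 (domain), got {gtype!r}")
    return problems


def audit(ldif_text: str) -> Dict[str, List[str]]:
    """Map each user/group DN to its problem list; an empty list means Samba-ready."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" in classes:
            report[dn] = check_user(entry)
        elif "posixgroup" in classes:
            report[dn] = check_group(entry)
    return report


# Constructed sample: alice and smb-junit are complete, bob is a plain POSIX user.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
sambaSID: S-1-5-21-11111-22222-33333-3002
sambaPwdLastSet: 1

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: bob
uidNumber: 1002

dn: cn=smb-junit,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smb-junit
gidNumber: 2001
sambaSID: S-1-5-21-11111-22222-33333-5003
sambaGroupType: 4
"""

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", "OK" if not problems else "; ".join(problems))
```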

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Christopher Lamb
Hi Matt

I assume [username] is a real username, identical to that in the FreeIPA
cn=accounts, cn=users tree? (i.e. you anonymised the log extract).

Your user should be a member of the appropriate samba groups that you setup
in FreeIPA.

You should check that the user attribute SambaPwdLastSet is set to a
positive value (e.g. 1). If not you get an error in the Samba logs - I
would need to play around again with a test user to find out the exact
error.

I don't understand what you mean about syncing the users local, but we did
not need to do anything like that.

Chris




From:   "Matt ." 
To:     Christopher Lamb/Switzerland/IBM@IBMCH
Cc: "freeipa-users@redhat.com" 
Date:   04.08.2015 15:33
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

A puppet run added another passdb backend, that was causing my issue.

What I still experience is:


[2015/08/04 15:29:45.477783,  3]
../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026,  2]
../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [username] ->
[username] FAILED with error NT_STATUS_NO_SUCH_USER


I also wonder if I shall still sync the users local, or is it needed ?

Thanks again,

Matt

2015-08-04 14:16 GMT+02:00 Christopher Lamb :
> Hi Matt
>
> From our smb.conf file:
>
> [global]
>security = user
>passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>ldap suffix = dc=my,dc=silly,dc=example,dc=com
>ldap admin dn = cn=Directory Manager
>
> So yes, we use Directory Manager, it works for us. I have not tried with
> a less powerful user, but it is conceivable that a lesser user may not see
> all the required attributes, resulting in "no such user" errors.
>
> Chris
>
>
>
>
> From:   "Matt ." 
> To: Christopher Lamb/Switzerland/IBM@IBMCH
> Cc: "freeipa-users@redhat.com" 
> Date:   04.08.2015 13:32
> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
>
>
> Hi Chris,
>
> Thanks for the heads up, indeed local is 4 I see now when I add a
> group from the GUI, great thanks!
>
> But do you use Directory Manager as ldap admin user or some other
> admin account ?
>
> I'm not sure if DM is needed and it should get that deep into IPA.
> Also when starting samba it cannot find "such user" as that sounds
> quite known as it has no UID.
>
> From your config I see you use DM, this should work ?
>
> Thanks!
>
>
> Matt
>
> 2015-08-04 13:15 GMT+02:00 Matt . :
>> Hi Chris,
>>
>> Thanks for the heads up, indeed local is 4 I see now when I add a
>> group from the GUI, great thanks!
>>
>> But do you use Directory Manager as ldap admin user or some other
>> admin account ?
>>
>> I'm not sure if DM is needed and it should get that deep into IPA.
>> Also when starting samba it cannot find "such user" as that sounds
>> quite known as it has no UID.
>>
>> From your config I see you use DM, this should work ?
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-03 17:17 GMT+02:00 Christopher Lamb :
>>> Hi Matt
>>>
>>> It sounds like you now have prepared FreeIPA for Samba
>>>
>>> I assume you have already configured Samba to authenticate via FreeIPA
>>> (changes to the [global] section of your smb.conf file, secrets.tdb etc.)
>>>
>>> Next you need to add your samba groups to FreeIPA. (i.e. FreeIPA groups,
>>> with SambaGroupType = 4)
>>>
>>> For example:
>>>
>>> In FreeIPA under cn=accounts, cn=users we have a group called
>>> "smb-junit".
>>>
>>> This group has (among others) the attribute SambaGroupType = 4
>>>
>>> We can then use the name of the group in the smb.conf file
>>>
>>> [junit]
>>>    comment = JUnit Share
>>>    path = /samba/junit
>>>    browseable = no
>>>    valid users = @smb-junit
>>>    write list = @smb-junit
>>>    force group = smb-junit
>>>    create mask = 0770
>>>
>>>
>>> Ciao
>>>
>>> Chris
>>>
>>>
>>>
>>> From:   "Matt ." 
>>> To: Christopher Lamb/Switzerland/IBM@IBMCH
>>> Cc: "freeipa-users@redhat.com" , Petr
>>> Vobornik 
>>> Date:   03.08.2015 16:03
>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Christopher Lamb
Hi Matt

From our smb.conf file:

[global]
   security = user
   passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
   ldap suffix = dc=my,dc=silly,dc=example,dc=com
   ldap admin dn = cn=Directory Manager

So yes, we use Directory Manager, it works for us. I have not tried with a
less powerful user, but it is conceivable that a lesser user may not see
all the required attributes, resulting in "no such user" errors.

Chris




From:   "Matt ." 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: "freeipa-users@redhat.com" 
Date:   04.08.2015 13:32
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

Thanks for the heads up, indeed local is 4 I see now when I add a
group from the GUI, great thanks!

But do you use Directory Manager as ldap admin user or some other
admin account ?

I'm not sure if DM is needed and it should get that deep into IPA.
Also when starting samba it cannot find "such user" as that sounds
quite known as it has no UID.

From your config I see you use DM, this should work?

Thanks!


Matt

2015-08-04 13:15 GMT+02:00 Matt . :
> Hi Chris,
>
> Thanks for the heads up, indeed local is 4 I see now when I add a
> group from the GUI, great thanks!
>
> But do you use Directory Manager as ldap admin user or some other
> admin account ?
>
> I'm not sure if DM is needed and it should get that deep into IPA.
> Also when starting samba it cannot find "such user" as that sounds
> quite known as it has no UID.
>
> From your config I see you use DM, this should work ?
>
> Thanks!
>
> Matt
>
> 2015-08-03 17:17 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> It sounds like you now have prepared FreeIPA for Samba
>>
>> I assume you have already configured Samba to authenticate via FreeIPA
>> (changes to the [global] section of your smb.conf file, secrets.tdb etc.)
>>
>> Next you need to add your samba groups to FreeIPA. (i.e. FreeIPA groups,
>> with SambaGroupType = 4)
>>
>> For example:
>>
>> In FreeIPA under cn=accounts, cn=users we have a group called
>> "smb-junit".
>>
>> This group has (among others) the attribute SambaGroupType = 4
>>
>> We can then use the name of the group in the smb.conf file
>>
>> [junit]
>>    comment = JUnit Share
>>    path = /samba/junit
>>    browseable = no
>>    valid users = @smb-junit
>>    write list = @smb-junit
>>    force group = smb-junit
>>    create mask = 0770
>>
>>
>> Ciao
>>
>> Chris
>>
>>
>>
>> From:   "Matt ." 
>> To: Christopher Lamb/Switzerland/IBM@IBMCH
>> Cc: "freeipa-users@redhat.com" , Petr
>> Vobornik 
>> Date:   03.08.2015 16:03
>> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>>
>>
>> Hi,
>>
>> OK, I have a Samba Group Type now in my groups details list and also
>> in the groups settings tab.
>>
>> I'm not 100% how this is managed. I have Grouptype 4, in the groups
>> overview it's still empty. But how to manage this between samba and
>> ipa ? What should be the reference between the group(names) ?
>>
>> Thanks again!
>>
>> Matt
>>
>> 2015-08-03 13:20 GMT+02:00 Christopher Lamb :
>>> Hi Matt
>>>
>>> It looks like I skipped that step ... (And as we already had samba
>>> groups in place, did not need to make new ones via the WebUI).
>>>
>>> However a quick google trawled up this old thread that has a possible
>>> answer from Peter. (I have not tested it yet myself).
>>>
>>> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html
>>>
>>> Chris
>>>
>>>
>>>
>>> From:   "Matt ." 
>>> To:
>>> Cc: "freeipa-users@redhat.com" 
>>> Date:   03.08.2015 12:45
>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> Sent by:freeipa-users-boun...@redhat.com
>>>
>>>
>>>
>>> In my previous reply, I meant "no group.js at all".
>>>
>>>
>>> 2015-08-03 12:17 GMT+02:00 Matt . :
>>>> Hi Chris,
>>>>
>>>> Thanks for that verification!
>>>>
>>>> It seems that:
>>>>
>>>> /usr/share/ipa/ui/group.js
>>>>
>>>> Is not there on IPA.4.1, also there is no .js at all on the whole
>>>> system.
>>>>

Re: [Freeipa-users] FreeIPA user ID differs

2015-08-04 Thread Christopher Lamb
Markus

Have you checked both the cn=accounts and cn=compat trees? Users and
groups are stored in both, and both would need manipulation...

Ciao

Chris



From:   
To: 
Date:   04.08.2015 11:14
Subject:[Freeipa-users] FreeIPA user ID differs
Sent by:freeipa-users-boun...@redhat.com



Hi @all,

I've encountered a strange "error". I've created a user with a generated
UID from the predefined range. After creation I've had to manipulate the
UID to fit an old NIS configuration and set the UID to the old NIS value.
FreeIPA shows the correct UID as well as ldapsearch. But if I log on to a
host and enter `id ` I receive the old UID, GID and groups
information instead of the corrected one.

Maybe someone can help me out to pinpoint the error and to fix it.

Cheers,
Markus
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Christopher Lamb
Hi Matt

It sounds like you now have prepared FreeIPA for Samba

I assume you have already configured Samba to authenticate via FreeIPA
(changes to the [global] section of your smb.conf file, secrets.tdb etc.)

Next you need to add your samba groups to FreeIPA. (i.e. FreeIPA groups,
with SambaGroupType = 4)

For example:

In FreeIPA under cn=accounts, cn=users we have a group called "smb-junit".

This group has (among others) the attribute SambaGroupType = 4

We can then use the name of the group in the smb.conf file

[junit]
   comment = JUnit Share
   path = /samba/junit
   browseable = no
   valid users = @smb-junit
   write list = @smb-junit
   force group = smb-junit
   create mask = 0770


Ciao

Chris



From:   "Matt ." 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: "freeipa-users@redhat.com" , Petr
Vobornik 
Date:   03.08.2015 16:03
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi,

OK, I have a Samba Group Type now in my groups details list and also
in the groups settings tab.

I'm not 100% how this is managed. I have Grouptype 4, in the groups
overview it's still empty. But how to manage this between samba and
ipa ? What should be the reference between the group(names) ?

Thanks again!

Matt

2015-08-03 13:20 GMT+02:00 Christopher Lamb :
> HI Matt
>
> It looks like I skipped that step ... (And as we already had samba groups
> in place, did not need to make new ones via the WebUI).
>
> However a quick google trawled up this old thread that has a possible
> answer from Peter. (I have not tested it yet myself).
>
> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html
>
> Chris
>
>
>
> From:   "Matt ." 
> To:
> Cc: "freeipa-users@redhat.com" 
> Date:   03.08.2015 12:45
> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> Sent by:freeipa-users-boun...@redhat.com
>
>
>
> In my previous reply, I meant "no group.js at all".
>
>
> 2015-08-03 12:17 GMT+02:00 Matt . :
>> Hi Chris,
>>
>> Thanks for that verification!
>>
>> It seems that:
>>
>> /usr/share/ipa/ui/group.js
>>
>> Is not there on IPA.4.1, also there is no .js at all on the whole
>> system.
>>
>> Any idea there ?
>>
>> Thanks again!
>>
>> Matt
>>
>> 2015-08-03 9:53 GMT+02:00 Christopher Lamb :
>>> Hi Matt
>>>
>>> Thankfully I saved the output from those ldapmodify commands (against
>>> FreeIPA 4.1) and was able to find it again!
>>>
>>> In our case sambagrouptype also seems to have already been present, so
>>> that should not hurt.
>>>
>>> [root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>> > dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>> > changetype: add
>>> > add: ipaCustomFields
>>> > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>> > EOF
>>> SASL/GSSAPI authentication started
>>> SASL username: l...@my.silly.example.com
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>>> ldap_add: Already exists (68)
>>>
>>> Chris
>>>
>>>
>>>
>>>
>>> From:   "Matt ." 
>>> To:
>>> Cc: "freeipa-users@redhat.com" 
>>> Date:   02.08.2015 13:33
>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> Sent by:freeipa-users-boun...@redhat.com
>>>
>>>
>>>
>>> Chris,
>>>
>>> Are you doing this on 3.x or also 4.x ?
>>>
>>> As the following already exists:
>>>
>>> ldapmodify -Y GSSAPI <<EOF
>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>> changetype: add
>>> add: ipaCustomFields
>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>> EOF
>>>
>>>
>>> And I'm unsure about the python files as they are slightly different on
>>> 4.1
>>>
>>>
>>> Thanks!
>>>
>>>
>>> 2015-08-01 19:51 GMT+02:00 Matt . :
>>>> Hi,
>>>>
>>>> Yes I found that earlier, that looks good and even better when you
>>>> confirm this as really usable.
>>>>
>>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>>> happens when we "need" to move because integration has been improved.
>>>>

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Christopher Lamb
HI Matt

It looks like I skipped that step ... (And as we already had samba groups
in place, did not need to make new ones via the WebUI).

However a quick google trawled up this old thread that has a possible
answer from Peter. (I have not tested it yet myself).

https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html

Chris



From:   "Matt ." 
To:
Cc: "freeipa-users@redhat.com" 
Date:   03.08.2015 12:45
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by:freeipa-users-boun...@redhat.com



In my previous reply, I meant "no group.js at all".


2015-08-03 12:17 GMT+02:00 Matt . :
> Hi Chris,
>
> Thanks for that verification!
>
> It seems that:
>
> /usr/share/ipa/ui/group.js
>
> Is not there on IPA.4.1, also there is no .js at all on the whole system.
>
> Any idea there ?
>
> Thanks again!
>
> Matt
>
> 2015-08-03 9:53 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> Thankfully I saved the output from those ldapmodify commands (against
>> FreeIPA 4.1) and was able to find it again!
>>
>> In our case sambagrouptype also seems to have already been present, so
>> that should not hurt.
>>
>> [root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>> > dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>> > changetype: add
>> > add: ipaCustomFields
>> > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> > EOF
>> SASL/GSSAPI authentication started
>> SASL username: l...@my.silly.example.com
>> SASL SSF: 56
>> SASL data security layer installed.
>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>> ldap_add: Already exists (68)
>>
>> Chris
>>
>>
>>
>>
>> From:   "Matt ." 
>> To:
>> Cc: "freeipa-users@redhat.com" 
>> Date:   02.08.2015 13:33
>> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> Sent by:freeipa-users-boun...@redhat.com
>>
>>
>>
>> Chris,
>>
>> Are you doing this on 3.x or also 4.x ?
>>
>> As the following already exists:
>>
>> ldapmodify -Y GSSAPI <<EOF
>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>> changetype: add
>> add: ipaCustomFields
>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> EOF
>>
>>
>> And I'm unsure about the python files as they are slightly different on
>> 4.1
>>
>>
>> Thanks!
>>
>>
>> 2015-08-01 19:51 GMT+02:00 Matt . :
>>> Hi,
>>>
>>> Yes I found that earlier, that looks good and even better when you
>>> confirm this as really usable.
>>>
>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>> happens when we "need" to move because integration has been improved.
>>>
>>> I try to keep IPA as native as I can.
>>>
>>> So this is the best way to go for now, even when this thread is such
>>> "old" ?
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>>
>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb :
>>>> Hi Matt
>>>>
>>>> For a "how to" of Samba FreeIPA integration using schema extensions,
>>>> see this previous thread
>>>> this previous thread
>>>>
>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>>>
>>>> That should point to this techslaves article with the detailed
>>>> instructions that we followed:
>>>>
>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>>>
>>>> The main reason we went that way is that we have no AD domain, which
>>>> seems to be required by other integration paths.
>>>>
>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now
>>>> 7.x). So things may be different on Ubuntu.
>>>>
>>>> As always, when changing the LDAP schema, an LDAP browser like Apache
>>>> Directory Studio is very useful to visualise what is going on and to
>>>> verify if your changes are present! (and it is sometimes easier to
>>>> manually change attributes rather than by LDAPMODIFY script)
>>>>
>>>> There is another ongoing thread in this mailing list about problems
>>>> with the attribute SambaPwdLastSet.
>>>>
>>>> Chris
>>>>
>>>>
>>>>
>>>> From:   "Matt ." 

Re: [Freeipa-users] Admin password not accepted during replica install

2015-08-03 Thread Christopher Lamb
Have you considered clock skew? It is probably not the cause here, but is
worth eliminating "just in case". A difference as small as 5 minutes
between the clocks of the client and server can cause problems with
authentication.

Chris



From:   Martin Kosek 
To: "Matt ." , Janelle

Cc: "freeipa-users@redhat.com" 
Date:   03.08.2015 08:49
Subject:Re: [Freeipa-users] Admin password not accepted during replica
install
Sent by:freeipa-users-boun...@redhat.com



When this command failed for me, it usually was a problem with SSSD on the
master. The service was down, offline or simply something was wrong with
it.

On the master, I would try:

$ id admin
$ ssh admin@localhost # (with password)

If that works, try manual

$ ssh admin@ipa.master.server # with password
and
$ kinit admin #(you can use temporary krb5.conf pointing to IPA master)
$ ssh admin@ipa.master.server # with password

to see what's really wrong.

Martin

On 08/01/2015 11:05 PM, Matt . wrote:
> I even checked working version (IPA clusters) and they don't even have
> this AllowGroups.
>
> Am I missing something ?
>
> 2015-08-01 22:52 GMT+02:00 Janelle :
>> which points to the configuration of sssd.conf and/or nsswitch.conf
>> It is in there. If you say there are no AllowGroups in sshd, it has to
>> be in one of those 2 places.
>>
>> ~J
>>
>>
>> On 8/1/15 1:26 PM, Matt . wrote:
>>>
>>> kinit admin works perfectly, that is so strange.
>>>
>>> 2015-08-01 22:15 GMT+02:00 Janelle :

 lastly -- on the master - do you get the same error if you "kinit
admin"?
 ~J


 On 8/1/15 1:05 PM, Matt . wrote:
>
> This is actually the most important part, and the GSS Failure concerns
> me:
>
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /root/.ssh/id_rsa ((nil)),
> debug2: key: /root/.ssh/id_dsa ((nil)),
> debug2: key: /root/.ssh/id_ecdsa ((nil)),
> debug2: key: /root/.ssh/id_ed25519 ((nil)),
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: start over, passed a different list
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: preferred
> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred:
> gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more
> information
> No Kerberos credentials available
>
> debug1: Unspecified GSS failure.  Minor code may provide more
> information
> No Kerberos credentials available
>
> debug1: Unspecified GSS failure.  Minor code may provide more
> information
>
>
> debug1: Unspecified GSS failure.  Minor code may provide more
> information
> No Kerberos credentials available
>
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /root/.ssh/id_rsa
> debug3: no such identity: /root/.ssh/id_rsa: No such file or
directory
> debug1: Trying private key: /root/.ssh/id_dsa
> debug3: no such identity: /root/.ssh/id_dsa: No such file or
directory
> debug1: Trying private key: /root/.ssh/id_ecdsa
> debug3: no such identity: /root/.ssh/id_ecdsa: No such file or
directory
> debug1: Trying private key: /root/.ssh/id_ed25519
> debug3: no such identity: /root/.ssh/id_ed25519: No such file or
> directory
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> admin@ipa-01.domain.local's password:
> debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> Permission denied, please try again.
>
> 2015-08-01 22:02 GMT+02:00 Janelle :
>>
>> What is in the logs on the machine that is failing? Can you login to
>> admin from anywhere?  Logs are your best friend.
>> Also, a simple "ssh -vvv" will help.
>>
>> ~J
>>
>>
>> On 8/1/15 12:51 PM, M
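
Added example (not code from the thread): a small Python triage of an ssh -vvv transcript like the one Matt posted, recording how each authentication method ended. It separates the GSS failure lines, which only mean the client had no Kerberos ticket in its cache, from the actual password rejection, which is what Martin's SSSD checks on the master are aimed at. SAMPLE is constructed from the excerpt above, trimmed to the decisive lines.

```python
"""Triage an ``ssh -vvv`` transcript: which auth methods ran and how each ended.

Added example, not code from the thread. SAMPLE is constructed from the
excerpt Matt posted, trimmed to the decisive lines.
"""
import re
from typing import Dict, List

METHOD_RE = re.compile(r"Next authentication method: (\S+)")
SKIPPED = "we did not send a packet, disable method"   # client had nothing to offer
NO_TICKET = "No Kerberos credentials available"        # GSS minor status: empty ccache


def triage(lines: List[str]) -> Dict[str, str]:
    """Map each method the client tried to 'skipped' (client had nothing to
    send), 'rejected' (server refused it) or 'offered' (no verdict seen)."""
    verdict: Dict[str, str] = {}
    current = None
    for line in lines:
        m = METHOD_RE.search(line)
        if m:
            current = m.group(1)
            verdict[current] = "offered"
        elif current is None:
            continue
        elif SKIPPED in line:
            verdict[current] = "skipped"
        elif "Permission denied" in line:
            verdict[current] = "rejected"
    return verdict


def explain(lines: List[str]) -> str:
    """Reading of the transcript in the terms used in the thread."""
    verdict = triage(lines)
    parts: List[str] = []
    if verdict.get("gssapi-with-mic") == "skipped" and any(NO_TICKET in l for l in lines):
        parts.append("GSSAPI was skipped only because the client had no Kerberos "
                     "ticket (kinit first if you want to test it); not the failure")
    if verdict.get("password") == "rejected":
        parts.append("the server rejected the password itself, so check the "
                     "server-side account lookup (SSSD/PAM, e.g. 'id admin' there)")
    return "; ".join(parts) or "no decisive rejection found"


# Constructed from the ssh -vvv excerpt in the thread.
SAMPLE = [
    "debug1: Next authentication method: gssapi-keyex",
    "debug1: No valid Key exchange context",
    "debug2: we did not send a packet, disable method",
    "debug1: Next authentication method: gssapi-with-mic",
    "debug1: Unspecified GSS failure.  Minor code may provide more information",
    "No Kerberos credentials available",
    "debug2: we did not send a packet, disable method",
    "debug1: Next authentication method: publickey",
    "debug3: no such identity: /root/.ssh/id_rsa: No such file or directory",
    "debug2: we did not send a packet, disable method",
    "debug1: Next authentication method: password",
    "debug2: we sent a password packet, wait for reply",
    "Permission denied, please try again.",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(explain(SAMPLE))
```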

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Christopher Lamb
Hi Matt

Thankfully I saved the output from those ldapmodify commands (against
FreeIPA 4.1) and was able to find it again!

In our case sambagrouptype also seems to have already been present, so that
should not hurt.

[root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> changetype: add
> add: ipaCustomFields
> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> EOF
SASL/GSSAPI authentication started
SASL username: l...@my.silly.example.com
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
ldap_add: Already exists (68)

Chris




From:   "Matt ." 
To:
Cc: "freeipa-users@redhat.com" 
Date:   02.08.2015 13:33
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by:freeipa-users-boun...@redhat.com



Chris,

Are you doing this on 3.x or also 4.x ?

As the following already exists:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
EOF


And I'm unsure about the python files as they are slightly different on
4.1


Thanks!


2015-08-01 19:51 GMT+02:00 Matt . :
> Hi,
>
> Yes I found that earlier, that looks good and even better when you
> confirm this as really usable.
>
> For Samba 4 the IPA devs are very busy but I wonder indeed what
> happens when we "need" to move because integration has been improved.
>
> I try to keep IPA as native as I can.
>
> So this is the best way to go for now, even when this thread is such
> "old" ?
>
> Thanks!
>
> Matt
>
>
> 2015-08-01 9:48 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>> this previous thread
>>
>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>
>> That should point to this techslaves article with the detailed
>> instructions that we followed:
>>
>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>
>> The main reason we went that way is that we have no AD domain, which
>> seems to be required by other integration paths.
>>
>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now
>> 7.x). So things may be different on Ubuntu.
>>
>> As always, when changing the LDAP schema, an LDAP browser like Apache
>> Directory Studio is very useful to visualise what is going on and to
>> verify if your changes are present! (and it is sometimes easier to
>> manually change attributes rather than by LDAPMODIFY script)
>>
>> There is another ongoing thread in this mailing list about problems with
>> the attribute SambaPwdLastSet.
>>
>> Chris
>>
>>
>>
>> From:   "Matt ." 
>> To:
>> Cc: "freeipa-users@redhat.com" 
>> Date:   31.07.2015 16:58
>> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> Sent by:freeipa-users-boun...@redhat.com
>>
>>
>>
>> Hi,
>>
>> This is nice to have confirmed.
>>
>> Is it possible for you to describe what you do? It might be handy to
>> add this to the IPA documentation also with some explanation why...
>>
>> Cheers,
>>
>> Matt
>>
>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb :
>>> Hi
>>>
>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>> "shares" using their FreeIPA credentials. The only password mgmt
>>> problem that we have is, that the users get no notice of password expiry
>>> until "suddenly" their Samba user (really the FreeIPA user) password is
>>> not accepted when trying to connect to a share. Once the password is
>>> reset (via CLI or FreeIPA WebUi), they can access the shares again.
>>>
>>> Chris
>>>
>>>
>>>
>>> From:   Youenn PIOLET 
>>> To: "Matt ." 
>>> Cc: "freeipa-users@redhat.com" 
>>> Date:   31.07.2015 16:21
>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> Sent by:freeipa-users-boun...@redhat.com
>>>
>>>
>>>
>>> Hi,
>>> I asked the very same question a few weeks ago, but no answer yet.
>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>
>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>> with password management doing this, that's why I'd like to get a
>>> better solution :)
>>>
>>> Anyone?
>>>
>>>
>>> --
>>> Youenn Piolet
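
A caveat on the transcript Chris posted above, with an added example (not code from the thread, nor a FreeIPA tool): `ldap_add: Already exists (68)` is the server refusing to create cn=ipaconfig a second time, because `changetype: add` makes ldapmodify send an LDAP Add of the whole entry rather than a modification; the `add: ipaCustomFields` directive only has its intended meaning under `changetype: modify`. The check below flags that mix-up in an LDIF change record and produces the modify form; AS_POSTED is the record from the thread retyped as a constructed sample.

```python
"""Spot the changetype mistake behind "ldap_add: Already exists (68)".

Added example, not code from the thread. ``changetype: add`` asks the server
to create the DN; to edit the existing cn=ipaconfig entry the record must use
``changetype: modify`` with add:/replace:/delete: directives. AS_POSTED is the
record from the thread, retyped here as a constructed sample.
"""
from typing import List, Tuple

MODIFY_DIRECTIVES = ("add:", "replace:", "delete:")


def parse_change_record(ldif: str) -> Tuple[str, str, List[str]]:
    """Split one LDIF change record into (dn, changetype, remaining lines)."""
    dn = changetype = ""
    body: List[str] = []
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lower = line.lower()
        if lower.startswith("dn:"):
            dn = line[3:].strip()
        elif lower.startswith("changetype:"):
            changetype = line[len("changetype:"):].strip().lower()
        else:
            body.append(line)
    return dn, changetype, body


def diagnose(ldif: str) -> List[str]:
    """Problems that would make this record fail against an existing entry."""
    dn, changetype, body = parse_change_record(ldif)
    problems: List[str] = []
    if not dn:
        problems.append("record has no dn: line")
    has_directive = any(l.lower().startswith(MODIFY_DIRECTIVES) for l in body)
    if changetype == "add" and has_directive:
        problems.append(
            "changetype: add creates a new entry, so an existing DN fails with "
            "'Already exists (68)'; modification directives need changetype: modify")
    if changetype == "modify" and not has_directive:
        problems.append("changetype: modify needs an add:/replace:/delete: directive")
    return problems


def to_modify(ldif: str) -> str:
    """Rewrite an add-with-directives record as a proper modify record."""
    dn, _changetype, body = parse_change_record(ldif)
    out = [f"dn: {dn}", "changetype: modify", *body]
    if body and body[-1] != "-":      # RFC 2849: each mod-spec ends with "-"
        out.append("-")
    return "\n".join(out) + "\n"


# Constructed sample mirroring the heredoc in the thread.
AS_POSTED = """\
dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
"""

if __name__ == "__main__":
    print("as posted:", diagnose(AS_POSTED))
    print(to_modify(AS_POSTED))
```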

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Christopher Lamb
Hi Matt

When we originally integrated FreeIPA and Samba we were on 3.x for both
products.

We are now on 4.x for both. The FreeIPA server was a new setup, with users
and hosts migrated across (not replicated). We then ran the scripts in the
techslave article.

I will look back and see If I can find any notes from the time we did the
integration.

Chris



From:   "Matt ." 
To:
Cc: "freeipa-users@redhat.com" 
Date:   02.08.2015 13:33
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by:freeipa-users-boun...@redhat.com



Chris,

Are you doing this on 3.x or also 4.x ?

As the following already exists:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
EOF


And I'm unsure about the python files as they are slightly different on
4.1


Thanks!


2015-08-01 19:51 GMT+02:00 Matt . :
> Hi,
>
> Yes I found that earlier, that looks good and even better when you
> confirm this as really usable.
>
> For Samba 4 the IPA devs are very busy but I wonder indeed what
> happens when we "need" to move because integration has been improved.
>
> I try to keep IPA as native as I can.
>
> So this is the best way to go for now, even when this thread is such
> "old" ?
>
> Thanks!
>
> Matt
>
>
> 2015-08-01 9:48 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>> this previous thread
>>
>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>
>> That should point to this techslaves article with the detailed
>> instructions that we followed:
>>
>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>
>> The main reason we went that way is that we have no AD domain, which
>> seems to be required by other integration paths.
>>
>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now
>> 7.x). So things may be different on Ubuntu.
>>
>> As always, when changing the LDAP schema, an LDAP browser like Apache
>> Directory Studio is very useful to visualise what is going on and to
>> verify if your changes are present! (and it is sometimes easier to
>> manually change attributes rather than by LDAPMODIFY script)
>>
>> There is another ongoing thread in this mailing list about problems with
>> the attribute SambaPwdLastSet.
>>
>> Chris
>>
>>
>>
>> From:   "Matt ." 
>> To:
>> Cc: "freeipa-users@redhat.com" 
>> Date:   31.07.2015 16:58
>> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> Sent by:freeipa-users-boun...@redhat.com
>>
>>
>>
>> Hi,
>>
>> This is nice to have confirmed.
>>
>> Is it possible for you to describe what you do? It might be handy to
>> add this to the IPA documentation also with some explanation why...
>>
>> Cheers,
>>
>> Matt
>>
>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb :
>>> Hi
>>>
>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>> "shares" using their FreeIPA credentials. The only password mgmt
>>> problem that we have is, that the users get no notice of password expiry
>>> until "suddenly" their Samba user (really the FreeIPA user) password is
>>> not accepted when trying to connect to a share. Once the password is
>>> reset (via CLI or FreeIPA WebUi), they can access the shares again.
>>>
>>> Chris
>>>
>>>
>>>
>>> From:   Youenn PIOLET 
>>> To: "Matt ." 
>>> Cc: "freeipa-users@redhat.com" 
>>> Date:   31.07.2015 16:21
>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> Sent by:freeipa-users-boun...@redhat.com
>>>
>>>
>>>
>>> Hi,
>>> I asked the very same question a few weeks ago, but no answer yet.
>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>
>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>> with password management doing this, that's why I'd like to get a
>>> better solution :)
>>>
>>> Anyone?
>>>
>>>
>>> --
>>> Youenn Piolet
>>> piole...@gmail.com
>>>
>>>
>>> 2015-07-31 16:03 GMT+02:00 Matt . :
>>>   Hi Guys,
>>>
>>>   I'm really struggling getting a NON AD Samba server authing against
>>>   a FreeIPA server:
>>>
>>>   Ubuntu 14.04 -> Samba (no AD)

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-01 Thread Christopher Lamb
Hi Matt

For a "how to" of Samba FreeIPA integration using schema extensions, see
this previous thread

https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html

That should point to this techslaves article with the detailed instructions
that we followed:

http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

The main reason we went that way is that we have no AD domain, which seems
to be required by other integration paths.

Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
So things may be different on Ubuntu.

As always, when changing the LDAP schema, an LDAP browser like Apache
Directory Studio is very useful to visualise what is going on and to verify
if your changes are present! (and is sometime easier to manually change
attributes rather than by LDAPMODIFY script)

There is another ongoing thread in this mailing list about problems with
the attribute SambaPwdLastSet.

Chris



From:   "Matt ." 
To:
Cc: "freeipa-users@redhat.com" 
Date:   31.07.2015 16:58
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by:freeipa-users-boun...@redhat.com



Hi,

This is nice to have confirmed.

Is it possible for you to describe what you do ? It might be handy to
add this to the IPA documentation also with some explanation why...

Cheers,

Matt

2015-07-31 16:55 GMT+02:00 Christopher Lamb :
> Hi
>
> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
> "shares" using their FreeIPA credentials. The only password mgmt problem
> that we have is, that the users get no notice of password expiry until
> "suddenly" their Samba user (really the FreeIPA user) password is not
> accepted when trying to connect to a share. Once the password is reset (via
> CLI or FreeIPA WebUi), they can access the shares again.
>
> Chris
>
>
>
> From:   Youenn PIOLET 
> To: "Matt ." 
> Cc: "freeipa-users@redhat.com" 
> Date:   31.07.2015 16:21
> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> Sent by:freeipa-users-boun...@redhat.com
>
>
>
> Hi,
> I asked the very same question a few weeks ago, but no answer yet.
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>
> The only method I see is to install samba extensions in FreeIPA's LDAP
> directory, and bind samba with LDAP. There may be a lot of difficulties
> with password management doing this, that's why I'd like to get a better
> solution :)
>
> Anyone?
>
>
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> 2015-07-31 16:03 GMT+02:00 Matt . :
>   Hi Guys,
>
>   I'm really struggling getting a NON AD Samba server authing against a
>   FreeIPA server:
>
>   Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
>   CentOS 7.1 -> FreeIPA 4.1
>
>   Now this seems to be the way:
>
>   https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>
>   But as this, which I also found on the mailing lists:
>
>   NOTE: Only Kerberos authentication will work when accessing Samba
>   shares using this method. This means that Windows clients not joined
>   to Active Directory forest trusted by IPA would not be able to access
>   the shares. This is related to SSSD not yet being able to handle
>   NTLMSSP authentication.
>
>   It might not be that easy to have a Samba Shares only server.
>
>   Any idea here how to accomplish ?
>
>   Cheers,
>
>   Matt
>
>
>







Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Christopher Lamb
Hi

We use the Samba extensions for FreeIPA. Windows 7 users connect to the
"shares" using their FreeIPA credentials. The only password mgmt problem
that we have is, that the users get no notice of password expiry until
"suddenly" their Samba user (really the FreeIPA user) password is not
accepted when trying to connect to a share. Once the password is reset (via
CLI or FreeIPA WebUi), they can access the shares again.

Chris



From:   Youenn PIOLET 
To: "Matt ." 
Cc: "freeipa-users@redhat.com" 
Date:   31.07.2015 16:21
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by:freeipa-users-boun...@redhat.com



Hi,
I asked the very same question a few weeks ago, but no answer yet.
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

The only method I see is to install samba extensions in FreeIPA's LDAP
directory, and bind samba with LDAP. There may be a lot of difficulties
with password management doing this, that's why I'd like to get a better
solution :)

Anyone?


--
Youenn Piolet
piole...@gmail.com


2015-07-31 16:03 GMT+02:00 Matt . :
  Hi Guys,

  I'm really struggling getting a NON AD Samba server authing against a
  FreeIPA server:

  Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
  CentOS 7.1 -> FreeIPA 4.1

  Now this seems to be the way:

  https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


  But as this, which I also found on the mailing lists:

  NOTE: Only Kerberos authentication will work when accessing Samba
  shares using this method. This means that Windows clients not joined
  to Active Directory forest trusted by IPA would not be able to access
  the shares. This is related to SSSD not yet being able to handle
  NTLMSSP authentication.

  It might not be that easy to have a Samba Shares only server.

  Any idea here how to accomplish ?

  Cheers,

  Matt





Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

2015-07-20 Thread Christopher Lamb
ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com"
"(&(objectClass=sambaSamAccount)(uid=bilbo))"

and

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com"
"(&(objectClass=sambaSAMAccount)(uid=bilbo))"

and

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com"
"(&(objectClass=sambasamaccount)(uid=bilbo))"

all give me a result, indicating case is not important.



From:   Rich Megginson 
To: freeipa-users@redhat.com
Date:   20.07.2015 16:24
Subject:Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
Sent by:    freeipa-users-boun...@redhat.com



On 07/20/2015 07:56 AM, Christopher Lamb wrote:
> Hi Rob
>
> The users do have the sambaSamAccount ObjectClass.
>
> Or to be more precise, some have sambasamaccount (all lower case), and some
> have sambaSAMAccount (mixed case)
>
> Are objectclasses case sensitive?

No, unless there is a bug in the objectclass matching/comparison code.

>
> Chris
>
>
>
> From:  Rob Crittenden 
> To:Christopher Lamb/Switzerland/IBM@IBMCH, Alexander Bokovoy
>  
> Cc:freeipa-users@redhat.com
> Date:  20.07.2015 15:47
> Subject:   Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
>
>
> Christopher Lamb wrote:
>> Hi Alexander
>>
>> This issue got overtaken by others, and slipped off my radar for a bit...
>>
>> While the solution suggested earlier in this thread at
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>> sounds interesting (and we are running the correct versions of OEL 7.1 and
>> SSSD), it seems to require the Windows clients to be members of an Active
>> Directory trusted by IPA.
>>
>> Unfortunately there is no AD in our architecture - our Windows and OSX
>> clients are effectively islands. That would seem to leave us stuck with
>> sambaPwdLastSet.
>>
>> After a user has had his password reset via the IPA WebUi to a temporary
>> value, the user then logs on using the temporary password, and is asked to
>> enter a new password. At this point sambaPwdLastSet should be set to a
>> positive value. However our testing indicates that it is not. We have tried
>> 3 techniques:
>>
>> 1) User connects to LDAP server via remote ssh.
>>
>> 2) kinit 
>>
>> 3) su -  over an existing ssh session with another user (e.g. mine)
>>
>> In all three cases the user is able to set their password, but
>> sambaPwdLastSet remains set to 0.
>>
>> As a workaround we use Apache Directory Studio to manually set
>> sambaPwdLastSet once the user has changed his password.
>>
>> Chris
> AFAICT the user needs the sambaSamAccount objectclass in order for this
> to work. Is that the case?
>
> rob
>
>
>
>







Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

2015-07-20 Thread Christopher Lamb
Hi Rob

The users do have the sambaSamAccount ObjectClass.

Or to be more precise, some have sambasamaccount (all lower case), and some
have sambaSAMAccount (mixed case)

Are objectclasses case sensitive?

Chris



From:   Rob Crittenden 
To: Christopher Lamb/Switzerland/IBM@IBMCH, Alexander Bokovoy

Cc: freeipa-users@redhat.com
Date:   20.07.2015 15:47
Subject:Re: [Freeipa-users] FreeIPA and sambaPwdLastSet



Christopher Lamb wrote:
> Hi Alexander
>
> This issue got overtaken by others, and slipped off my radar for a bit...
>
> While the solution suggested earlier in this thread at
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> sounds interesting (and we are running the correct versions of OEL 7.1 and
> SSSD), it seems to require the Windows clients to be members of an Active
> Directory trusted by IPA.
>
> Unfortunately there is no AD in our architecture - our Windows and OSX
> clients are effectively islands. That would seem to leave us stuck with
> sambaPwdLastSet.
>
> After a user has had his password reset via the IPA WebUi to a temporary
> value, the user then logs on using the temporary password, and is asked to
> enter a new password. At this point sambaPwdLastSet should be set to a
> positive value. However our testing indicates that it is not. We have tried
> 3 techniques:
>
> 1) User connects to LDAP server via remote ssh.
>
> 2) kinit 
>
> 3) su -  over an existing ssh session with another user (e.g. mine)
>
> In all three cases the user is able to set their password, but
> sambaPwdLastSet remains set to 0.
>
> As a workaround we use Apache Directory Studio to manually set
> sambaPwdLastSet once the user has changed his password.
>
> Chris

AFAICT the user needs the sambaSamAccount objectclass in order for this
to work. Is that the case?

rob






Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

2015-07-20 Thread Christopher Lamb
Hi Alexander

This issue got overtaken by others, and slipped off my radar for a bit...

While the solution suggested earlier in this thread at
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
sounds interesting (and we are running the correct versions of OEL 7.1 and
SSSD), it seems to require the Windows clients to be members of an Active
Directory trusted by IPA.

Unfortunately there is no AD in our architecture - our Windows and OSX
clients are effectively islands. That would seem to leave us stuck with
sambaPwdLastSet.

After a user has had his password reset via the IPA WebUi to a temporary
value, the user then logs on using the temporary password, and is asked to
enter a new password. At this point sambaPwdLastSet should be set to a
positive value. However our testing indicates that it is not. We have tried
3 techniques:

1) User connects to LDAP server via remote ssh.

2) kinit 

3) su -  over an existing ssh session with another user (e.g. mine)

In all three cases the user is able to set their password, but
sambaPwdLastSet remains set to 0.

As a workaround we use Apache Directory Studio to manually set
sambaPwdLastSet once the user has changed his password.

Chris




From:   Alexander Bokovoy 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Date:   28.04.2015 20:37
Subject:Re: [Freeipa-users] FreeIPA and sambaPwdLastSet



On Tue, 28 Apr 2015, Christopher Lamb wrote:
>Hi Alexander
>
>one of those days?
>
>I have just snapshotted the VM running FreeIPA, and will give your
>suggestion a whirl, and then report back to the list.
>
>I am running both FreeIPA and Samba on the same VM, which should make
>things easier.
>
>All the bits required are either already installed or in the yum repo, so I
>am ready to go...
Here is the problem. In the case of Samba running on IPA master you
really really want to use freeipa-server-trust-ad (or
ipa-server-trust-ad in RHEL/CentOS) package and use ipa-adtrust-install
to configure it.

We have done a lot of work to make sure IPA masters can work as 'AD DCs'
of sorts for cross-forest trusts to Active Directory. Part of it
includes specialized PDB module (ipasam) and appropriate management
around it. The solution about using SSSD libwbclient parts is built
around that too -- you are expected to configure your IPA masters with
ipa-adtrust-install and then run Samba file server on an IPA client with
SSSD.

If you want to have shares on IPA master directly, all you need to do is
to run ipa-adtrust-install to configure Samba and then use 'net conf
addshare' to configure shares. Using 'net conf' is a key here because we
use registry to store smb.conf and things in /etc/samba/smb.conf will be
ignored.

See https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
for examples.

>
>Must get off the train now ...
>
>thanks
>
>chris
>
>
>
>From:   Alexander Bokovoy 
>To: Christopher Lamb/Switzerland/IBM@IBMCH
>Cc: freeipa-users@redhat.com
>Date:   28.04.2015 20:11
>Subject:Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
>
>
>Resending it to the right list. :) Not my evening.
>
>On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
>>On Tue, 28 Apr 2015, Christopher Lamb wrote:
>>>
>>>Hi All
>>>
>>>I wish to pick your brains on the attribute sambaPwdLastSet
>>>
>>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
>>>old 3.0.0 instance.
>>>
>>>We are also running Samba to share files to Windows and OSX users. This
>>>means that all the FreeIPA user accounts have the attribute
>>>sambaPwdLastSet.
>>>
>>>If this has the value 0, our users cannot map Samba shares, so we need to
>>>make sure the value is a positive integer.
>>>
>>>In an attempt to do this, I modified user.py, adding the attribute to the
>>>takes_params for the class user as follows:
>>>
>>>class user(LDAPObject):
>>>  . . .
>>>  takes_params = (
>>>   . . .
>>>  Int('sambapwdlastset?',
>>>   label=_('sambaPwdLastSet'),
>>>   doc=_('Date as an integer when the samba password was last set'),
>>>   default=1,
>>>   autofill=True,
>>>   ),
>>>   . . .
>>>
>>>This works fine if I create a user via the CLI.
>>>
>>>However if I create a user via the Web UI, or use the Web UI to reset a
>>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>>
>>>So what scripts do I need to change to m

Re: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server -> ipa-server?

2015-07-17 Thread Christopher Lamb
Consistency sounds good.

How would the name change affect yum update?

Chris



From:   Petr Spacek 
To: freeipa-users@redhat.com
Date:   17.07.2015 10:49
Subject:[Freeipa-users] Rename or not to rename (packages only)?
freeipa-server -> ipa-server?
Sent by:freeipa-users-boun...@redhat.com



Hello users and developers,

I wonder what do you think about naming inconsistency in FreeIPA packages.

Packages in Fedora are prefixed with freeipa-* but in RHEL (and derivatives)
the packages are named as ipa-*. Given that command line interface is in all
cases 'ipa', it seems like an inconsistency.

Are there any reasons not to rename freeipa-* *packages* to ipa-*?

Naturally name of project would still be FreeIPA :-)

This rename would remove the inconsistency which drives me crazy when I need
to script something universally for RHEL and Fedora.

Have a nice day!

--
Petr^2 Spacek







Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA

2015-07-09 Thread Christopher Lamb
Hi Martin

I have taken the plunge, and created a detailed HOWTO at
http://www.freeipa.org/page/HowTos/LDAP_authentication_for_Atlassian_JIRA_using_FreeIPA

@Petr, for the moment I have left your HOWTO / link in place, but have also
linked to that thread from my HOWTO.

I hope it helps

Chris



From:   Martin Kosek 
To: Brian Topping , Sandor Juhasz

Cc: freeipa-users@redhat.com
Date:   10.06.2015 12:13
Subject:Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
Sent by:freeipa-users-boun...@redhat.com



Cool, I am glad you made this working. BTW, would any of you mind volunteering
and helping the FreeIPA community with contributing a HOWTO article on "how to
configure FreeIPA and Jira"? It is still missing in FreeIPA.org wiki.

All we have right now is the link to this discussion, that Petr Spacek added to
http://www.freeipa.org/page/HowTos#Web_Services

It would be really nice to also have a real page that others can follow and
use.

Thank you!
Martin

On 06/10/2015 11:29 AM, Brian Topping wrote:
> FYI, that mirrors my configuration. Not sure if this was covered previously,
> but for my setup, only JIRA connects to IPA. All the other Atlassian products
> contact JIRA for their information.
>
> Cheers, Brian
>
>> On Jun 10, 2015, at 12:47 AM, Sandor Juhasz wrote:
>>
>> Hi,
>>
>> here are our working configurations. Might be useful.
>> We use compat tree for auth.
>> We use user in group matching.
>> We use group filter for login authorization.
>> We use FedoraDS as ldap connector on JIRA's side.
>> We don't use pw change or user create in IPA from JIRA side.
>> Watch out not to have matching local users/groups or you will suffer bigtime.
>> Initially it was setup not to use ldap groups, but was changed afterwards by
>> creating all new groups in ldap for this purpose and readding the users.
>> We use ldap service user for binding -
>> https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA
>>
>> Attributes:
>> "autoAddGroups": ""
>> "com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
>> "com.atlassian.crowd.directory.sync.issynchronising": "false"
>> "com.atlassian.crowd.directory.sync.lastdurationms": "373"
>> "com.atlassian.crowd.directory.sync.laststartsynctime": "1433920165776"
>> "crowd.sync.incremental.enabled": "false"
>> "directory.cache.synchronise.interval": "3600"
>> "ldap.basedn": "dc="
>> "ldap.connection.timeout": "0"
>> "ldap.external.id": ""
>> "ldap.group.description": "description"
>> "ldap.group.dn": "cn=groups,cn=compat"
>> "ldap.group.filter": "(&(objectClass=posixgroup)(|(cn=)(cn=)(cn=)))"
>> "ldap.group.name": "cn"
>> "ldap.group.objectclass": "groupOfUniqueNames"
>> "ldap.group.usernames": "memberUid"
>> "ldap.local.groups": "false"
>> "ldap.nestedgroups.disabled": "true"
>> "ldap.pagedresults": "false"
>> "ldap.pagedresults.size": "1000"
>> "ldap.password": 
>> "ldap.pool.initsize": "null"
>> "ldap.pool.maxsize": "null"
>> "ldap.pool.prefsize": "null"
>> "ldap.pool.timeout": "0"
>> "ldap.propogate.changes": "false"
>> "ldap.read.timeout": "12"
>> "ldap.referral": "false"
>> "ldap.relaxed.dn.standardisation": "true"
>> "ldap.roles.disabled": "true"
>> "ldap.search.timelimit": "6"
>> "ldap.secure": "false"
>> "ldap.url": "ldap://"
>> "ldap.user.displayname": "cn"
>> "ldap.user.dn": "cn=users,cn=accounts"
>> "ldap.user.email": "mail"
>> "ldap.user.encryption": "sha"
>> "ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=,cn=groups,cn=accounts,dc=))"
>> "ldap.user.firstname": "givenName"
>> "ldap.user.group": "memberOf"
>> "ldap.user.lastname": "sn"
>> "ldap.user.objectclass": "person"
>> "ldap.user.password": "userPassword"

Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

2015-07-07 Thread Christopher Lamb
Hi Markus

I can now replicate FreeIPA groups / group membership to Jira Local Directory

/var/log/dirsrv/slapd-*/access showed me the queries Jira is performing to
get the groups. Comparing this to the FreeIPA structure using Apache
Directory Studio gave the answer.

Under Group Schema Settings, change
* Group Object Class from groupOfUniqueNames to groupOfNames
* Group Object Filter from (objectclass=groupOfUniqueNames) to
(objectclass=groupOfNames)

Under Membership Schema Setting change
* Group Members Attribute from uniqueMember to Member

Chris





From:   
To: Christopher Lamb/Switzerland/IBM@IBMCH, ,

Cc: 
Date:   06.07.2015 08:00
Subject:AW: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool



Hi Chris,

thanks for your help. Now we are able to login and have our mails
delivered. Do you maybe know which configuration objects need to be used
in Jira to be able to use the FreeIPA groups? We have configured all
necessary Jira Groups in FreeIPA but it doesn't work as it should.

-Original Message-
From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Wednesday, 1 July 2015 09:31
To: Moj, Markus; aboko...@redhat.com; mko...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Markus

It is a pleasure. It was serendipity that we were working on the same
problem at the same time. Your thread prompted me to take a different look
at the question and find a viable solution. Let us know if it works for
you.

What intrigues me is: with my solution we had to change from an anonymous
bind to a simple bind via user / pw to get one extra attribute: mail.  This
raises the question: Is there some way to configure IPA to determine which
user attributes are returned to anonymous binds?

Cheers

Chris



From:
To:  Christopher Lamb/Switzerland/IBM@IBMCH, ,

Cc:  
Date:01.07.2015 07:54
Subject: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool



Hi Christopher,

thanks very much for your help, I appreciate it. I will reconfigure our
Jira and see how it works out.


-Original Message-
From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Monday, 29 June 2015 16:08
To: Alexander Bokovoy; Moj, Markus; Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA,
including the vital mail attribute!

Note there are probably other solutions that work as well, but this is the
one that works for us.

Key points:
a) Integration Style: "Internal Directory with LDAP Authentication" -->
only those users that attempt to login are replicated, useful if your JIRA
users are a subset of your FreeIPA users.
b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA
Support.
c) bind = via user / password --> we first tried anonymous bind (w/o user).
While this replicated users and logins worked, the all important mail
attribute was not replicated.
d) as the password of the bind user is stored in plaintext in the jira db,
make sure this is a limited user (member of the default ipa-users group is
sufficient). e.g. don't use the Directory Manager user!
e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT
come from the compat tree (no mail attribute). We want replies from
cn=users,cn=accounts, which does have the mail attribute

Below is the config direct from the Jira database (of course we made the
config changes via the Jira admin GUI, which has a nifty Test function).

mysql> select attribute_name, attribute_value from cwd_directory_attribute
    -> where directory_id = 10001;
+--------------------------------------------+-------------------------------------------+
| attribute_name                             | attribute_value                           |
+--------------------------------------------+-------------------------------------------+
| autoAddGroups                              | jira-users                                |
| crowd.delegated.directory.auto.create.user | true                                      |
| crowd.delegated.directory.auto.update.user | true                                      |
| crowd.delegated.directory.importGroups     | false                                     |
| crowd.delegated.directory.type             | com.atlassian.crowd.directory.GenericLDAP |
| ldap.basedn                                | dc=my,dc=silly,dc=example,dc=com          |
| ldap.external.id                           | uid                                       |
| ldap.group.description                     | description                               |
| ldap.group.dn                              |                                           |
| ldap.group.filter                          | (objectclass=groupOfUniqueNames)          |
| ldap.group.name                            |

Re: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server

2015-07-07 Thread Christopher Lamb
Rich, Martin

Thanks, I saw the query Jira was performing to retrieve the groups in
/var/log/dirsrv/slapd-*/access, and have been able to correctly configure
Jira accordingly

Chris





From:   Rich Megginson 
To: freeipa-users@redhat.com
Date:   07.07.2015 18:15
Subject:Re: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party
Tools against FreeIPA Server
Sent by:freeipa-users-boun...@redhat.com



On 07/07/2015 10:09 AM, Martin Basti wrote:
> On 07/07/15 17:39, Christopher Lamb wrote:
>> Hi All
>>
>> Is there any way on the FreeIPA side to log / debug / trace the LDAP
>> queries made by 3rd Party Tools against a FreeIPA Server?
>>
>> In another thread we are trying to solve some problems with
>> integration of
>> JIRA to FreeIPA. I think if I can see the exact LDAP queries JIRA is
>> making
>> against FreeIPA, then we will be well on the road to finding out what is
>> going wrong / needs to be changed.
>>
>> I will be asking a similar question to Atlassian support for LDAP
>> logging
>> on the JIRA side (there I already have partial success, but am not
>> seeing
>> everything I want to see).
>>
>> Cheers
>>
>> Chris
>>
> Hello,
>
> all LDAP queries are logged in this log
> /var/log/dirsrv/slapd-*/access
>

If by "query" you mean "search request", then all of the search request
data is logged in the dirsrv access log.
If you need details about other operations, you'll want to enable the
audit log.





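
An added Python example (not code from the thread, from 389-ds or from FreeIPA) of reading the access log Martin and Rich point at: it pairs each SRCH line with the RESULT carrying the same conn and op numbers, attaches the bind DN of the connection that issued the search, and flags searches that succeeded but returned no entries. The log lines are constructed in 389-ds access-log format to model the JIRA exchange from the other thread (a default groupOfUniqueNames filter that matches nothing in FreeIPA, then the corrected groupOfNames filter); the conn numbers, timestamps, addresses and the uid=jira bind DN are sample values, not a real capture:

```python
"""Extract the searches a third-party tool sends to 389-ds from the access log
(/var/log/dirsrv/slapd-*/access).  Added example, not 389-ds or FreeIPA code."""
import re

# Constructed sample lines in 389-ds access-log format (not a real capture):
# a service-account bind, a search using JIRA's default groupOfUniqueNames
# schema (matches nothing in FreeIPA), then the corrected groupOfNames search.
SAMPLE_ACCESS_LOG = """\
[07/Jul/2015:17:39:01 +0200] conn=1234 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[07/Jul/2015:17:39:01 +0200] conn=1234 op=0 BIND dn="uid=jira,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" method=128 version=3
[07/Jul/2015:17:39:01 +0200] conn=1234 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jira,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com"
[07/Jul/2015:17:39:01 +0200] conn=1234 op=1 SRCH base="dc=my,dc=silly,dc=example,dc=com" scope=2 filter="(&(objectClass=groupOfUniqueNames)(cn=jira-users))" attrs="cn description uniqueMember"
[07/Jul/2015:17:39:01 +0200] conn=1234 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[07/Jul/2015:17:39:02 +0200] conn=1234 op=2 SRCH base="dc=my,dc=silly,dc=example,dc=com" scope=2 filter="(&(objectClass=groupOfNames)(cn=jira-users))" attrs="cn description member"
[07/Jul/2015:17:39:02 +0200] conn=1234 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jul/2015:17:39:02 +0200] conn=1234 op=3 UNBIND
[07/Jul/2015:17:39:02 +0200] conn=1234 op=3 fd=64 closed - U1
"""

# Every line starts with a timestamp and a connection number; operations also
# carry op=N, and (conn, op) is what ties a SRCH to its RESULT.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                     r'filter="(?P<filter>[^"]*)" attrs="(?P<attrs>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)")


def parse_searches(log_text):
    """Return one record per completed search, in log order, with the DN of
    the last BIND seen on that connection and the number of entries returned."""
    bind_dn = {}          # conn -> DN of the last BIND on the connection
    pending = {}          # (conn, op) -> SRCH record waiting for its RESULT
    searches = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        bind, srch, result = BIND_RE.match(rest), SRCH_RE.match(rest), RESULT_RE.match(rest)
        if bind:
            bind_dn[conn] = bind["dn"] or "anonymous"   # empty DN = anonymous bind
        elif srch:
            pending[(conn, op)] = {
                "conn": conn, "op": op,
                "bind_dn": bind_dn.get(conn, "anonymous"),
                "base": srch["base"], "scope": int(srch["scope"]),
                "filter": srch["filter"], "attrs": srch["attrs"].split(),
            }
        elif result and (conn, op) in pending:
            rec = pending.pop((conn, op))
            rec["err"] = int(result["err"])
            rec["nentries"] = int(result["nentries"])
            searches.append(rec)
    return searches


def empty_searches(searches):
    """Searches that succeeded but matched nothing: the first place to look
    when a tool 'sees' no groups, as with the groupOfUniqueNames default."""
    return [s for s in searches if s["err"] == 0 and s["nentries"] == 0]


def filters_by_bind_dn(searches):
    """Distinct filters grouped by the identity that sent them, to check what
    a service account actually asks the directory for."""
    out = {}
    for s in searches:
        filters = out.setdefault(s["bind_dn"], [])
        if s["filter"] not in filters:
            filters.append(s["filter"])
    return out


if __name__ == "__main__":
    for s in parse_searches(SAMPLE_ACCESS_LOG):
        print(f'conn={s["conn"]} op={s["op"]} {s["bind_dn"]}: '
              f'{s["filter"]} -> {s["nentries"]} entries')
```

On a real log (`parse_searches(open(path).read())`) the same code lists exactly what a third-party tool asks for; `empty_searches` is the quick way to spot a schema mismatch like the one in the JIRA thread, and `filters_by_bind_dn` makes it easy to see whether a service account is searching for more than its job needs.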


[Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server

2015-07-07 Thread Christopher Lamb

Hi All

Is there any way on the FreeIPA side to log / debug / trace the LDAP
queries made by 3rd Party Tools against a FreeIPA Server?

In another thread we are trying to solve some problems with integration of
JIRA to FreeIPA. I think if I can see the exact LDAP queries JIRA is making
against FreeIPA, then we will be well on the road to finding out what is
going wrong / needs to be changed.

I will be asking a similar question to Atlassian support for LDAP logging
on the JIRA side (there I already have partial success, but am not seeing
everything I want to see).

Cheers

Chris



Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

2015-07-06 Thread Christopher Lamb
Hi Markus

The short answer is no.

The longer answer is:

We replicated only users, and manage groups within JIRA. The delegated LDAP
approach ("Connecting to an Internal Directory with LDAP Authentication")
allows you to either synchronise groups and group membership from FreeIPA
to Jira, or to automatically add FreeIPA users to Jira groups.

We chose the second approach: All users are automatically added to the
jira-users and jira-developers groups on first log in. This suits our
purposes, as basically all our JIRA users should have the same rights,
other than admins.

Note also that the delegated LDAP approach does not allow you to configure
the LDAP properties JIRA uses to access groups and membership, but the full
synchronised approach does.

On our first attempt to integrate FreeIPA and JIRA we tried to replicate
both users and group, but only succeeded in replicating users, not the
groups (or to be precise, group-membership). A bit of googling showed that
others had problems with the groups bit.

My initial guess is that, just like the mail attribute, very likely the
compat tree is getting in the way of group membership.

Using Apache Directory Studio to see how group membership is modelled in
the compat and accounts trees I see the following.

cn=compat, cn=groups, cn=admins, memberUid --> set of users belonging to
the group admins

cn=compat, cn=users, uid=bilbo --> no attribute showing which groups this
user belongs to.

cn=accounts, cn=groups, cn=ipausers, member --> set of users belonging to
the group ipausers

cn=accounts, cn=users, uid=bilbo, memberOf --> list of groups user bilbo is
a member of

Here are some ldapsearch queries to simulate what JIRA might be doing to
retrieve group membership

—reply from accounts tree only
ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W \
  -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" \
  "(&(objectClass=groupofnames)(cn=admins))" member

—reply from both compat tree and accounts tree. (reply from compat tree is
empty, reply from accounts tree has values)
ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W \
  -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(cn=admins)" member

—reply from compat tree only
ldapsearch -x -D "uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W \
  -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(cn=admins)" memberUid

Chris




From:   
To: Christopher Lamb/Switzerland/IBM@IBMCH, ,

Cc: 
Date:   06.07.2015 08:00
Subject:AW: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool



Hi Chris,

thanks for your help. Now we are able to login and have our mails
delivered. Do you maybe know which configuration objects need to be used
in Jira to be able to use the FreeIPA groups? We have configured all
necessary Jira Groups in FreeIPA but it doesn't work as it should.

-Original Message-
From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Wednesday, 1 July 2015 09:31
To: Moj, Markus; aboko...@redhat.com; mko...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Markus

It is a pleasure. It was serendipity that we were working on the same
problem at the same time. Your thread prompted me to take a different look
at the question and find a viable solution. Let us know if it works for
you.

What intrigues me is: with my solution we had to change from an anonymous
bind to a simple bind via user / pw to get one extra attribute: mail.  This
raises the question: Is there some way to configure IPA to determine which
user attributes are returned to anonymous binds?

Cheers

Chris



From:
To:  Christopher Lamb/Switzerland/IBM@IBMCH, ,

Cc:  
Date:01.07.2015 07:54
Subject: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool



Hi Christopher,

thanks very much for your help, I appreciate it. I will reconfigure our
Jira and see how it works out.


-Original Message-
From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Monday, 29 June 2015 16:08
To: Alexander Bokovoy; Moj, Markus; Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA,
including the vital mail attribute!

Note there are probably other solutions that work as well, but this is the
one that works for us.

Key points:
a) Integration Style: "Internal Directory with LDAP Authentication" -->
only those users that attempt to login are replicated, useful if your JIRA
users are a subset of your FreeIPA users.
b) LDAP Type = Generic LDAP --> JIRA

Re: [Freeipa-users] samba vs ipa without kerberos

2015-07-03 Thread Christopher Lamb
Hi Christoph

have you seen this earlier thread?
https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html

I guess as that solution adds some custom fields it would break your
requirement "no schema extensions", but meet the requirement "user
authenticates with password".

Kind regards

Chris





From:   Christoph Kaminski 
To: FreeIPA 
Date:   03.07.2015 12:26
Subject:[Freeipa-users] samba vs ipa without kerberos
Sent by:freeipa-users-boun...@redhat.com



Hi

Is it possible (without an extra patch/schema extension) to use samba shares
without kerberos? Possibly there is something like an auth proxy for it? I
mean the user authenticates with a password and the proxy checks it securely
against ipa...
Any howtos/docs/ideas?

(have ipa 4.1 and samba 4.1.12 here)

Greetz
Christoph Kaminski
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

2015-07-01 Thread Christopher Lamb
Hi Markus

It is a pleasure. It was serendipity that we were working on the same
problem at the same time. Your thread prompted me to take a different look
at the question and find a viable solution. Let us know if it works for
you.

What intrigues me is: with my solution we had to change from an anonymous
bind to a simple bind via user / pw to get one extra attribute: mail.  This
raises the question: Is there some way to configure IPA to determine which
user attributes are returned to anonymous binds?

Cheers

Chris



From:   
To: Christopher Lamb/Switzerland/IBM@IBMCH, ,

Cc: 
Date:   01.07.2015 07:54
Subject:AW: [Freeipa-users] FreeIPA mail object to use in 3rd party
tool



Hi Christopher,

thanks very much for your help, I appreciate it. I will reconfigure our
Jira and see how it works out.


-Original Message-
From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Monday, 29 June 2015 16:08
To: Alexander Bokovoy; Moj, Markus; Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA,
including the vital mail attribute!

Note there are probably other solutions that work as well, but this is the
one that works for us.

Key points:
a) Integration Style: "Internal Directory with LDAP Authentication" -->
only those users that attempt to login are replicated, useful if your JIRA
users are a subset of your FreeIPA users.
b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA
Support.
c) bind = via user / password --> we first tried anonymous bind (w/o user).
While this replicated users and logins worked, the all important mail
attribute was not replicated.
d) as the password of the bind user is stored in plaintext in the jira db,
make sure this is a limited user (member of the default ipa-users group is
sufficient). e.g. don't use the Directory Manager user!
e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT
come from the compat tree (no mail attribute). We want replies from
cn=users,cn=accounts, which does have the mail attribute.

Below is the config direct from the Jira database (of course we made the
config changes via the Jira admin GUI, which has a nifty Test function).

mysql> select attribute_name, attribute_value from cwd_directory_attribute
where directory_id = 10001;
+--------------------------------------------+------------------------------------------------------------+
| attribute_name                             | attribute_value                                            |
+--------------------------------------------+------------------------------------------------------------+
| autoAddGroups                              | jira-users                                                 |
| crowd.delegated.directory.auto.create.user | true                                                       |
| crowd.delegated.directory.auto.update.user | true                                                       |
| crowd.delegated.directory.importGroups     | false                                                      |
| crowd.delegated.directory.type             | com.atlassian.crowd.directory.GenericLDAP                  |
| ldap.basedn                                | dc=my,dc=silly,dc=example,dc=com                           |
| ldap.external.id                           | uid                                                        |
| ldap.group.description                     | description                                                |
| ldap.group.dn                              |                                                            |
| ldap.group.filter                          | (objectclass=groupOfUniqueNames)                           |
| ldap.group.name                            | cn                                                         |
| ldap.group.objectclass                     | groupOfUniqueNames                                         |
| ldap.group.usernames                       | uniqueMember                                               |
| ldap.nestedgroups.disabled                 | true                                                       |
| ldap.pagedresults                          | false                                                      |
| ldap.pagedresults.size                     | 1000                                                       |
| ldap.password                              | x                                                          |
| ldap.referral                              | false                                                      |
| ldap.url                                   | ldap://xxx-ldap.my.silly.example.com:389                   |
| ldap.user.displayname                      | displayName                                                |
| ldap.user.dn                               | cn=accounts                                                |
| ldap.user.email                            | mail                                                       |
| ldap.user.filter                           | (objectclass=inetorgperson)                                |
| ldap.user.firstname                        | givenName                                                  |
| ldap.user.group                            | memberOf                                                   |
| ldap.user.lastname                         | sn                                                         |
| ldap.user.objectclass                      | inetorgperson                                              |
| ldap.user.username                         | uid                                                        |
| ldap.user.username.rdn                     | cn                                                         |
| ldap.userdn                                | uid=,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com |
| ldap.usermembership.use                    | false                                                      |
| ldap.usermembership.

Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

2015-06-29 Thread Christopher Lamb
Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA,
including the vital mail attribute!

Note there are probably other solutions that work as well, but this is the
one that works for us.

Key points:
a) Integration Style: "Internal Directory with LDAP Authentication" -->
only those users that attempt to login are replicated, useful if your JIRA
users are a subset of your FreeIPA users.
b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA
Support.
c) bind = via user / password --> we first tried anonymous bind (w/o user).
While this replicated users and logins worked, the all important mail
attribute was not replicated.
d) as the password of the bind user is stored in plaintext in the jira db,
make sure this is a limited user (member of the default ipa-users group is
sufficient). e.g. don't use the Directory Manager user!
e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT
come from the compat tree (no mail attribute). We want replies from
cn=users,cn=accounts, which does have the mail attribute.

Below is the config direct from the Jira database (of course we made the
config changes via the Jira admin GUI, which has a nifty Test function).

mysql> select attribute_name, attribute_value from cwd_directory_attribute
where directory_id = 10001;
+--------------------------------------------+------------------------------------------------------------+
| attribute_name                             | attribute_value                                            |
+--------------------------------------------+------------------------------------------------------------+
| autoAddGroups                              | jira-users                                                 |
| crowd.delegated.directory.auto.create.user | true                                                       |
| crowd.delegated.directory.auto.update.user | true                                                       |
| crowd.delegated.directory.importGroups     | false                                                      |
| crowd.delegated.directory.type             | com.atlassian.crowd.directory.GenericLDAP                  |
| ldap.basedn                                | dc=my,dc=silly,dc=example,dc=com                           |
| ldap.external.id                           | uid                                                        |
| ldap.group.description                     | description                                                |
| ldap.group.dn                              |                                                            |
| ldap.group.filter                          | (objectclass=groupOfUniqueNames)                           |
| ldap.group.name                            | cn                                                         |
| ldap.group.objectclass                     | groupOfUniqueNames                                         |
| ldap.group.usernames                       | uniqueMember                                               |
| ldap.nestedgroups.disabled                 | true                                                       |
| ldap.pagedresults                          | false                                                      |
| ldap.pagedresults.size                     | 1000                                                       |
| ldap.password                              | x                                                          |
| ldap.referral                              | false                                                      |
| ldap.url                                   | ldap://xxx-ldap.my.silly.example.com:389                   |
| ldap.user.displayname                      | displayName                                                |
| ldap.user.dn                               | cn=accounts                                                |
| ldap.user.email                            | mail                                                       |
| ldap.user.filter                           | (objectclass=inetorgperson)                                |
| ldap.user.firstname                        | givenName                                                  |
| ldap.user.group                            | memberOf                                                   |
| ldap.user.lastname                         | sn                                                         |
| ldap.user.objectclass                      | inetorgperson                                              |
| ldap.user.username                         | uid                                                        |
| ldap.user.username.rdn                     | cn                                                         |
| ldap.userdn                                | uid=,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com |
| ldap.usermembership.use                    | false                                                      |
| ldap.usermembership.use.for.groups         | false                                                      |
+--------------------------------------------+------------------------------------------------------------+

@Martin K
In an earlier thread on FreeIPA / JIRA integration you asked for
contributions to a "How to Article". I think the solution above could be
the basis of such an article.

Cheers

Chris




From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: Alexander Bokovoy ,
markus@mc.ingenico.com
Cc: freeipa-users@redhat.com
Date:   29.06.2015 11:27
Subject:Re: [Freeipa-users] FreeIPA mail object to use in 3rd party
tool
Sent by:freeipa-users-boun...@redhat.com



Hi all

I am fighting this exact problem too.

We had setup Jira, integrated to FreeIPA with the option "Internal
Directory with LDAP Authentication", using anonymous bind.

This integration path means that when a FreeIPA user attempts to logon to
Jira with his FreeIPA Credentials, his user is replicated from FreeIPA to
the Jira user directory.

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication

While this allows FreeIPA users to successfully log in to Jira, the user
was replicated without email, whi
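An added check, not code from the thread or from JIRA: it audits a JIRA directory configuration, read as the attribute_name/attribute_value rows posted above, against the key points of this post (bind identity, the user filter that keeps compat-tree entries out, the group attribute for compat groups, and the transport). The hostname is the one from the table; the bind uid and the weak configuration are constructed placeholders.

```python
"""Audit the LDAP directory settings JIRA keeps in cwd_directory_attribute
against the key points of the thread: bind as a limited user rather than
anonymously or as Directory Manager, pin the user filter to inetorgperson so
compat-tree views (no mail) are not synced, and read compat groups via
memberUid. Added example, not JIRA's or FreeIPA's own code; the rows below are
constructed from the table in the thread, with a placeholder bind DN.
"""
from typing import Dict, List

# Rows of `select attribute_name, attribute_value from cwd_directory_attribute`
# for the working setup (hostname as in the thread, bind uid is a placeholder).
WORKING: Dict[str, str] = {
    "crowd.delegated.directory.type": "com.atlassian.crowd.directory.GenericLDAP",
    "ldap.url": "ldap://xxx-ldap.my.silly.example.com:389",
    "ldap.basedn": "dc=my,dc=silly,dc=example,dc=com",
    "ldap.userdn": "uid=jira-bind,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com",
    "ldap.user.dn": "cn=accounts",
    "ldap.user.filter": "(objectclass=inetorgperson)",
    "ldap.user.objectclass": "inetorgperson",
    "ldap.user.email": "mail",
    "ldap.group.dn": "",
    "ldap.group.objectclass": "groupOfUniqueNames",
    "ldap.group.usernames": "uniqueMember",
}

# A constructed configuration with the pitfalls the thread warns about.
WEAK: Dict[str, str] = dict(WORKING, **{
    "ldap.userdn": "cn=Directory Manager",
    "ldap.user.filter": "(objectclass=posixAccount)",
    "ldap.group.dn": "cn=groups,cn=compat",
})


def audit_jira_ldap(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means no objections."""
    findings: List[str] = []
    url = cfg.get("ldap.url", "").lower()
    userdn = cfg.get("ldap.userdn", "").strip()
    user_filter = cfg.get("ldap.user.filter", "").lower().replace(" ", "")
    group_dn = cfg.get("ldap.group.dn", "").lower()
    member_attr = cfg.get("ldap.group.usernames", "")

    # Point c: under anonymous bind the mail attribute was never returned,
    # so synced users arrive without an email address.
    if not userdn:
        findings.append("ldap.userdn is empty (anonymous bind): mail is not "
                        "returned to anonymous searches, users sync without email")
    # Point d: ldap.password sits in plaintext in the JIRA database, so the
    # bind identity must be a limited account, never Directory Manager.
    if "cn=directory manager" in userdn.lower():
        findings.append("ldap.userdn is cn=Directory Manager: JIRA stores "
                        "ldap.password in plaintext, bind as a limited user")
    # Point e: without inetorgperson in the filter, the compat-tree copy of
    # each user (posixAccount only, no mail) can match the sync query.
    if "objectclass=inetorgperson" not in user_filter:
        findings.append("ldap.user.filter does not require objectclass="
                        "inetorgperson: compat-tree entries without mail can match")
    # A simple bind over plain ldap:// sends ldap.password in clear on the wire.
    if url.startswith("ldap://") and cfg.get("ldap.secure", "false") != "true":
        findings.append("ldap.url is plain ldap:// with ldap.secure=false: the "
                        "bind password crosses the network unencrypted")
    # The compat tree answers group queries with memberUid, not uniqueMember
    # (see the two ldapsearch runs on cn=admins at the top of this page).
    if "cn=compat" in group_dn and member_attr != "memberUid":
        findings.append(f"ldap.group.dn is under cn=compat but "
                        f"ldap.group.usernames={member_attr}: compat groups list "
                        f"members in memberUid, so lookups via that attribute "
                        f"find nothing")
    return findings
```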

Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

2015-06-29 Thread Christopher Lamb
Hi all

I am fighting this exact problem too.

We had setup Jira, integrated to FreeIPA with the option "Internal
Directory with LDAP Authentication", using anonymous bind.

This integration path means that when a FreeIPA user attempts to logon to
Jira with his FreeIPA Credentials, his user is replicated from FreeIPA to
the Jira user directory.

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication

While this allows FreeIPA users to successfully log in to Jira, the user
was replicated without email, which renders Jira as useful as a chocolate
teapot.

Alexander's reply prompted me to "go back to basics". So I fired up Apache
Directory Studio, and the command line to do some ldapsearches, to see what
was returned. This should then guide me how to configure the JIRA / FreeIPA
integration.


Query 1: Anonymous bind, filter is uid = bilbo

[root@xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b
"dc=my,dc=silly,dc=example,dc=com" "(uid=bilbo)"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (uid=bilbo)
# requesting: ALL
#

# bilbo, users, compat, my.ch.example.com
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
objectClass: top
gidNumber: 1175800010
gecos: bilbo bagins
uidNumber: 1175800010
loginShell: /bin/sh
homeDirectory: /home/bilbo
uid: bilbo

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

This returns 2 replies, inc one from the compat tree, as suggested by
Alexander. Note however, neither reply has the mail attribute!

//

Query 2: Anonymous bind, filtered on objectClass = inetorgperson AND uid =
bilbo (This is probably close to the JIRA query, which includes
inetorgperson)

[root@xxx-ldap ~]# ldapsearch -x -h localhost -p 389 -b
"dc=my,dc=silly,dc=example,dc=com"
"(&(objectClass=inetorgperson)(uid=bilbo))"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
givenName: bilbo
sn: bagins
uidNumber: 1175800010
gidNumber: 1175800010

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This now returns 1 record, from users, accounts, but still no mail
attribute

//

Ah! me thinks - what about a search with user and password? Does this get
us something different?

Query 3: same as query 2, but no longer anonymous:

[root@xxx-ldap ~]# ldapsearch -x -D
"uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com" -W -h
localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com"
"(&(objectClass=inetorgperson)(uid=bilbo))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=inetorgperson)(uid=bilbo))
# requesting: ALL
#

# bilbo, users, accounts, my.ch.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
displayName: bilbo bagins
cn: bilbo bagins
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: bb
gecos: bilbo bagins
homeDirectory: /home/bilbo
uid: bilbo
mail: l...@ch.example.com
krbPrincipalName: bi...@my.silly.example.com
givenName: bilbo
sn: bagins
ipaUniqueID: 3bf7e2e0-0955-11e5-b065-080027f52872
uidNumber: 1175
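The diagnosis above, as an added example that is not part of the thread: a small parser for the extended LDIF that ldapsearch prints, applied to constructed copies of the anonymous and bound results for uid=bilbo, which flags compat-tree entries and entries the server returned without mail. The mail address and the base64-encoded cn are constructed values.

```python
"""Parse the extended LDIF that ldapsearch prints and report, per entry,
whether it is a compat-tree view and which required attributes are absent.
Added example, not code from the thread; the LDIF below is constructed to
mirror the anonymous and bound searches for uid=bilbo shown above.
"""
import base64
import re
from typing import Dict, List

# Anonymous bind, filter (uid=bilbo): a compat-tree entry and a cn=accounts
# entry, neither of which carries mail.
ANON_LDIF = """\
# extended LDIF
# filter: (uid=bilbo)

# bilbo, users, compat, my.silly.example.com
dn: uid=bilbo,cn=users,cn=compat,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: posixAccount
objectClass: top
uid: bilbo

# bilbo, users, accounts, my.silly.example.com
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
cn: bilbo bagins
objectClass: inetorgperson
objectClass: posixaccount
uid: bilbo
givenName: bilbo
sn: bagins

# search result
search: 2
result: 0 Success
"""

# Same filter bound as the user: the cn=accounts entry now includes mail.
# cn is base64-encoded ("::") here only to exercise the decoder.
BOUND_LDIF = """\
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
cn:: YmlsYm8gYmFnaW5z
objectClass: inetorgperson
uid: bilbo
mail: bilbo@my.silly.example.com
givenName: bilbo
sn: bagins
"""

COMPAT_RDN = re.compile(r"(^|,)cn=compat(,|$)", re.IGNORECASE)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """One {attribute: [values]} dict per entry: comments skipped, folded lines
    joined, '::' values base64-decoded, names lower-cased, no-dn block dropped."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # RFC 2849 line folding
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:                  # sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:                # the search/result block has no dn
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def audit_entries(entries, required=("mail",)) -> List[dict]:
    """Per entry: dn, whether it is a compat-tree view, and which required
    attributes the server did not return."""
    return [{"dn": e["dn"][0],
             "compat": COMPAT_RDN.search(e["dn"][0]) is not None,
             "missing": [a for a in required if a not in e]}
            for e in entries]


def usable_for_jira(entries) -> List[str]:
    """DNs a JIRA user sync can use: inetorgperson, not a compat view, has mail."""
    return [r["dn"] for e, r in zip(entries, audit_entries(entries))
            if "inetorgperson" in {v.lower() for v in e.get("objectclass", [])}
            and not r["compat"] and not r["missing"]]
```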

Re: [Freeipa-users] hesitate to deploy freeipa

2015-06-26 Thread Christopher Lamb
Hi Harold

Perhaps you should not think of FreeIPA as a product. Perhaps a better
analogy is a Product Stack. Another example would be LAMP. And as far as I
can make out, the point of the FreeIPA project is to better integrate the
various products that build the stack.

A very important factor - at least to me is this community: It is vibrant
and active, you get advice, "they" listen and change things. For example I
can think of at least 3 changes made to the documentation in the last few
months due to mistakes I had made!

I second the use of Apache Directory Studio - very useful for peeking under
the hood and studying the guts of your LDAP directory.

Cheers

Chris



From:   Rich Megginson 
To: freeipa-users@redhat.com
Date:   25.06.2015 20:32
Subject:Re: [Freeipa-users] hesitate to deploy freeipa
Sent by:freeipa-users-boun...@redhat.com



On 06/25/2015 12:12 PM, Thomas Sailer wrote:
> Am 25.06.2015 um 17:47 schrieb Simo Sorce:
>
>> Yes, the whole project is complex, but not because we like complexity,
>> it is complex because the problem space is complex and we are bound to
>> use existing protocols, which sometimes add in complexity, and we want
>> to offer useful features to admins, so they can think about managing
>> stuff and not about the plumbing all the time.
>
> Sure, the problem space is a lot more complex than say ls.
>
> But I think there is room for improvement, by making the individual
> tools somewhat more resilient to unexpected behaviour in other
> components.

+1 - just look at the bug lists for freeipa, 389, sssd, dogtag, etc.

>
> For example, if there's any nsuniqueid group present in a users entry,
> login authentication via sssd breaks with a cryptic error message. It
> would be nice, IMO, if it didn't break or if it at least issued a
> better error message.

Sure.  For starters, there's https://fedorahosted.org/389/ticket/48161

>
> Furthermore, a good graphical generic LDAP editor would make the
> admin's life significantly easier, IMO. I so far haven't found one.
> There's gq, which works, mostly, but crashes relatively frequently.
> I'm mostly using ldapvi now, which works quite well but only after
> studying its manual.

Have you tried Apache Directory Studio?

>
> Thomas
>



Re: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?

2015-06-10 Thread Christopher Lamb
Hi Martin and Tamas

My source was a different one, I found a hint in an IPA python file!

Luckily I documented what we did in our internal wiki. I have found the
following section:

Migration from FreeIPA 3.0.0 to FreeIPA 4.1.0

> kinit admin
> ipa config-mod --enable-migration=TRUE
> ipa-compat-manage disable
> ipactl restart

The migration function uses the script
/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py. This contains
some useful comments, including the parameters for an IPA to IPA migration!

> ipa migrate-ds --group-overwrite-gid
--user-container='cn=users,cn=accounts'
--group-container='cn=groups,cn=accounts' ldap://:389
> ipa-compat-manage enable
> ipactl restart

This copies all the users, and the groups - other than admin. This means
that users that were members of the admins group on the old instance will
not be added to admins group on the new instance. They must be readded,
either via the Web UI, or CLI:

> su - admin,
> ipa group-add-member admins --users=bilbo


Note that at the time we were making things up as we went along, so very
possibly this was not the best way 8-) but it worked for us.

Chris




From:   Martin Kosek 
To: Christopher Lamb/Switzerland/IBM@IBMCH, Tamas Papp

Cc: freeipa-users@redhat.com
Date:   10.06.2015 15:35
Subject:Re: [Freeipa-users] migrating 3.0 -> 4.1: passwords not
    migrated?



On 06/10/2015 03:32 PM, Christopher Lamb wrote:
> Hi Tamas
>
> I think the general advice is to replicate rather than to migrate. I am
> sure Martin K will jump in on this.

Yes :-)

> However some weeks ago, when doing a very similar move to yours, we chose
> to migrate (we were misled by some very old FreeIPA docus that have since
> been archived).
>
> In our case passwords were successfully migrated, so the users were able to
> use the same user / password combo as before.
>
>
> I will see if I can dig out the migrate command we used at the time.

Did you use the migration command advised in
https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA

?

>
> Chris
>
>
>
> From:  Tamas Papp 
> To:freeipa-users@redhat.com
> Date:  10.06.2015 15:19
> Subject:   [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?
> Sent by:   freeipa-users-boun...@redhat.com
>
>
>
> hi,
>
> Currently there are CentOS 6.5 servers and IPA 3.0.
>
> The goal is migrating users to CentOS 7.1 and IPA 4.1.
>
> This is the command I use:
>
>
> $ ipa migrate-ds ldap://ipa11
> --user-container=cn=users,cn=accounts,dc=foo
> --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo
> --with-compat < ~/.pw.manager
>
>
> Users are migrated successfully but password must be reset, otherwise
> they cannot logon. Any idea, what's going on?
>
>
>
>
> I also have a bonus question.
> How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to
> export/import it as ldif and that's all?
>
>
> Thanks,
> tamas
>
>
>
>
>







Re: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?

2015-06-10 Thread Christopher Lamb
Hi Tamas

I think the general advice is to replicate rather than to migrate. I am
sure Martin K will jump in on this.

However some weeks ago, when doing a very similar move to yours, we chose
to migrate (we were misled by some very old FreeIPA docus that have since
been archived).

In our case passwords were successfully migrated, so the users were able to
use the same user / password combo as before.

I will see if I can dig out the migrate command we used at the time.

Chris



From:   Tamas Papp 
To: freeipa-users@redhat.com
Date:   10.06.2015 15:19
Subject:[Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?
Sent by:freeipa-users-boun...@redhat.com



hi,

Currently there are CentOS 6.5 servers and IPA 3.0.

The goal is migrating users to CentOS 7.1 and IPA 4.1.

This is the command I use:


$ ipa migrate-ds ldap://ipa11
--user-container=cn=users,cn=accounts,dc=foo
--group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo
--with-compat < ~/.pw.manager


Users are migrated successfully but password must be reset, otherwise
they cannot logon. Any idea, what's going on?




I also have a bonus question.
How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to
export/import it as ldif and that's all?


Thanks,
tamas



Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA

2015-06-10 Thread Christopher Lamb
3600"
>> "ldap.basedn": "dc="
>> "ldap.connection.timeout": "0"
>> "ldap.external.id": ""
>> "ldap.group.description": "description"
>> "ldap.group.dn": "cn=groups,cn=compat"
>> "ldap.group.filter": "(&(objectClass=posixgroup)(|(cn=)(cn=)(cn=)))"
>> "ldap.group.name": "cn"
>> "ldap.group.objectclass": "groupOfUniqueNames"
>> "ldap.group.usernames": "memberUid"
>> "ldap.local.groups": "false"
>> "ldap.nestedgroups.disabled": "true"
>> "ldap.pagedresults": "false"
>> "ldap.pagedresults.size": "1000"
>> "ldap.password": 
>> "ldap.pool.initsize": "null"
>> "ldap.pool.maxsize": "null"
>> "ldap.pool.prefsize": "null"
>> "ldap.pool.timeout": "0"
>> "ldap.propogate.changes": "false"
>> "ldap.read.timeout": "12"
>> "ldap.referral": "false"
>> "ldap.relaxed.dn.standardisation": "true"
>> "ldap.roles.disabled": "true"
>> "ldap.search.timelimit": "6"
>> "ldap.secure": "false"
>> "ldap.url": "ldap://"
>> "ldap.user.displayname": "cn"
>> "ldap.user.dn": "cn=users,cn=accounts"
>> "ldap.user.email": "mail"
>> "ldap.user.encryption": "sha"
>> "ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=,cn=groups,cn=accounts,dc=))"
>> "ldap.user.firstname": "givenName"
>> "ldap.user.group": "memberOf"
>> "ldap.user.lastname": "sn"
>> "ldap.user.objectclass": "person"
>> "ldap.user.password": "userPassword"
>> "ldap.user.username": "uid"
>> "ldap.user.username.rdn": ""
>> "ldap.userdn": "uid=,cn=sysaccounts,cn=etc,dc="
>> "ldap.usermembership.use": "false"
>> "ldap.usermembership.use.for.groups": "false"
>> "localUserStatusEnabled": "false"
>>
>> Sándor Juhász
>> System Administrator
>> ChemAxon Ltd.
>> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
>> Cell: +36704258964
>>
>> From: "Martin Kosek" 
>> To: "Christopher Lamb" ,
freeipa-users@redhat.com
>> Sent: Wednesday, June 10, 2015 9:22:03 AM
>> Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
>>
>> On 06/08/2015 06:44 PM, Christopher Lamb wrote:
>>>
>>> Hi All
>>>
>>> we are interested to know if anybody has succeeded (or for that matter
>>> failed) in using FreeIPA  to provide user authentication for Atlassian
>>> products such as JIRA or Confluence?
>>>
>>> Somewhere in an Atlassian ticket I saw that FreeIPA is not officially
>>> supported, so I guess that should set our expectations .
>>>
>>> If anyone has succeeded, then of course any tips on how best to do so would
>>> be fantastic!
>>
>> I saw reply in the threads, so it should be covered.
>>
>> BTW, please add +1s to respective Jira tickets to add proper FreeIPA support.
>> It would be really cool if Jira would know FreeIPA out of the box and could
>> connect to it natively!
>>
>
>



[Freeipa-users] LDAP authentication for JIRA using FreeIPA

2015-06-08 Thread Christopher Lamb

Hi All

We are interested to know if anybody has succeeded (or for that matter
failed) in using FreeIPA to provide user authentication for Atlassian
products such as JIRA or Confluence?

Somewhere in an Atlassian ticket I saw that FreeIPA is not officially
supported, so I guess that should set our expectations.

If anyone has succeeded, then of course any tips on how best to do so would
be fantastic!

Thanks

Chris




Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved

2015-06-08 Thread Christopher Lamb
Hi Dmitri, Prasun

Thanks for those tickets. I have commented Dimitri's with a reference to
this thread.

Cheers

Chris



From:   Dmitri Pal 
To: freeipa-users@redhat.com
Date:   07.06.2015 22:33
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Solved
Sent by:freeipa-users-boun...@redhat.com



On 06/05/2015 01:47 PM, Prasun Gera wrote:
  I had faced a similar issue a month ago, for which I had created a
  ticket. https://fedorahosted.org/freeipa/ticket/4956

  On Fri, Jun 5, 2015 at 7:30 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
    On Fri, 05 Jun 2015, Christopher Lamb wrote:
      Hi Martin

      Thanks for updating the documentation!

      The suggested solution works not only on my test servers, but also
      "in the real world". This morning I migrated the last production
      server (ipa host) to the new FreeIPA KDC.

      Just out of idle curiosity, why is the rm -f /var/lib/sss/db/* step
      required on our EL 7.1 + ipa-client 4.1 boxes, but not on our older
      EL 6.5 + ipa-client 3.3.3 machines?

      Is the problem down to sssd? (on the EL 6.5 machines we are running
      sssd 1.9.2, while on EL 7.1 we have sssd 1.12.2)

    I think there are more object types supported by newer SSSD versions
    which aren't invalidated like users or groups.

      Cheers

      Chris

      From:   Martin Kosek
      To:     Christopher Lamb/Switzerland/IBM@IBMCH, Rob Crittenden,
              freeipa-users@redhat.com
      Cc:     Jakub Hrozek
      Date:   05.06.2015 08:06
      Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
              client on EL7.1 -->Solved

      On 06/04/2015 07:34 PM, Christopher Lamb wrote:
        Hi All

        I can now report back success (at least on my throwaway EL7.1
        test VM).

        To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA
        3.3.3 KDC to a new FreeIPA 4.1 KDC 3 steps are required:

        1) ipa-client-install --uninstall

        2) rm -f /var/lib/sss/db/*

        3) ipa-client-install --server ldap.my.example.com --domain
        my.example.com -N

        Having done this, my free-ipa user successfully authenticates
        (e.g. ssh remote login with free-ipa user / password)

        To switch EL 6.5 + ipa-client 3.3.3 hosts step 2) was not
        required.

        Kudos and thanks go to Rob C for suggesting step 2. (Note that
        the directory to be purged is /var/lib/sss/db/, not
        /var/lib/sssd/db/ as suggested earlier in this thread.)

      Cool! Thanks for reaching back. I added this advice to the FreeIPA
      Troubleshooting guide too:

      http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_on_client

        Cheers

        Chris

        From:    Martin Kosek
        To:      Christopher Lamb/Switzerland/IBM@IBMCH,
                 freeipa-users@redhat.com
        Cc:      Jakub Hrozek, Rob Crittenden
        Date:    03.06.2015 10:39
        Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
                 client on EL7.1 -->Not Solved

        On 06/03/2015 10:30 AM, Christopher Lamb wrote:
          Hi all

          This is a quick(ish) note to bring everybody up to speed on
          this issue. Yesterday we had some private mail exchange on this
          issue as I did not wish to broadcast the krb5 and ipa install
          logs to the user list.

          The basic situation is that we are in the process of migrating
          from a FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server
          (KDC). As discussed in a thread some weeks ago we did not do
          this by replicating (as perhaps we should have done). Instead
          we migrated the users across.

          We have 30+ servers that are IPA clients ("Hosts" in ipa-speak)
          joined to the old KDC. We are now in the process of migrating
          these hosts to the new 4.1 KDC.

          Most of the hosts run EL 6.5 + ipa-client 3.3.3. For all of
          these joining to the new KDC was trouble free, taking a few
          minutes each. After joining the new KDC FreeIPA users
          authenticated properly.

          We also had a small number of new EL 7.1 + ipa-client 4.1 hosts
          that were

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved

2015-06-05 Thread Christopher Lamb
Hi Martin

Thanks for updating the documentation!

The suggested solution works not only on my test servers, but also "in the
real world". This morning I migrated the last production server (ipa host)
to the new FreeIPA KDC.

Just out of idle curiosity, why is the rm -f /var/lib/sss/db/* step
required on our EL 7.1 + ipa-client 4.1 boxes, but not on our older EL 6.5
+ ipa-client 3.3.3 machines?

Is the problem down to sssd? (on the EL 6.5 machines we are running sssd
1.9.2, while on EL 7.1 we have sssd 1.12.2)

Cheers

Chris



From:   Martin Kosek 
To: Christopher Lamb/Switzerland/IBM@IBMCH, Rob Crittenden
, freeipa-users@redhat.com
Cc: Jakub Hrozek 
Date:   05.06.2015 08:06
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Solved



On 06/04/2015 07:34 PM, Christopher Lamb wrote:
> Hi All
>
> I can now report back success (at least on my throwaway EL7.1 test VM).
>
> To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA 3.3.3 KDC to
> a new FreeIPA 4.1 KDC 3 steps are required:
>
> 1) ipa-client-install --uninstall
>
> 2) rm -f /var/lib/sss/db/*
>
> 3) ipa-client-install --server ldap.my.example.com --domain my.example.com
> -N
>
> Having done this, my free-ipa user successfully authenticates (e.g. ssh
> remote login with free-ipa user / password)
>
>
> To switch EL 6.5 + ipa-client 3.3.3 hosts step 2) was not required.
>
> Kudos and thanks go to Rob C for suggesting step 2. (Note that the
> directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as
> suggested earlier in this thread.)

Cool! Thanks for reaching back. I added this advice to the FreeIPA
Troubleshooting guide too:

http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_on_client

>
> Cheers
>
> Chris
>
>
>
>
> From:  Martin Kosek 
> To:Christopher Lamb/Switzerland/IBM@IBMCH,
>  freeipa-users@redhat.com
> Cc:Jakub Hrozek , Rob Crittenden
>  
> Date:  03.06.2015 10:39
> Subject:   Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
>            client on EL7.1 -->Not Solved
>
>
>
> On 06/03/2015 10:30 AM, Christopher Lamb wrote:
>> Hi all
>>
>> This is a quick(ish) note to bring everybody up to speed on this issue.
>> Yesterday we had some private mail exchange on this issue as I did not
>> wish to broadcast the krb5 and ipa install logs to the user list.
>>
>> The basic situation is that we are in the process of migrating from a
>> FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As
>> discussed in a thread some weeks ago we did not do this by replicating
>> (as perhaps we should have done). Instead we migrated the users across.
>>
>> We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined
>> to the old KDC. We are now in the process of migrating these hosts to
>> the new 4.1 KDC.
>>
>> Most of the hosts run EL 6.5 + ipa-client 3.3.3.  For all of these
>> joining to the new KDC was trouble free, taking a few minutes each.
>> After joining the new KDC FreeIPA users authenticated properly.
>>
>> We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that
>> were joined direct to the new 4.1 KDC, never having been joined to the
>> 3.3.3 KDC. These were also trouble free.
>>
>> The problem occurs with a handful of existing EL 7.1 + ipa-client 4.1
>> hosts that were originally joined to the 3.3.3 KDC, and must be moved to
>> join the 4.1 KDC.  These machines no longer authenticate valid FreeIPA
>> users. I have been able to reproduce this behaviour with a freshly setup
>> VM joined first to the 3.3.3 KDC, then moved to the 4.1 KDC.
>>
>> While the errors shown in the krb5 child logs indicate that the password
>> is incorrect, the same user / password is happily accepted by all the
>> other hosts.
>>
>> It seems that in the process of moving / migrating the EL 7.1 /
>> ipa-client 4.1 from the old KDC to the new KDC, "something" is left
>> behind that causes problems. We have seen indications in the install
>> logs that the kinit steps called during ipa-client install are getting
>> responses from the wrong (old) KDC, and not from the new KDC.
>>
>> Frustratingly, over the weekend I managed to get one of the problem EL
>> 7.1 boxes to work. However I can't work out exactly what it was that I
>> did that did the trick. However it seems that some kind of major
>> de-install / cleanup + reinstall of the ipa-client may be needed.
>>

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved

2015-06-04 Thread Christopher Lamb
Hi All

I can now report back success (at least on my throwaway EL7.1 test VM).

To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA 3.3.3 KDC to
a new FreeIPA 4.1 KDC 3 steps are required:

1) ipa-client-install --uninstall

2) rm -f /var/lib/sss/db/*

3) ipa-client-install --server ldap.my.example.com --domain my.example.com
-N

Having done this, my free-ipa user successfully authenticates (e.g. ssh
remote login with free-ipa user / password).


To switch EL 6.5 + ipa-client 3.3.3 hosts step 2) was not required.

Kudos and thanks go to Rob C for suggesting step 2. (Note that the
directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as
suggested earlier in this thread.)

Cheers

Chris




From:   Martin Kosek 
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Cc: Jakub Hrozek , Rob Crittenden

Date:   03.06.2015 10:39
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Not Solved



On 06/03/2015 10:30 AM, Christopher Lamb wrote:
> Hi all
>
> This is a quick(ish) note to bring everybody up to speed on this issue.
> Yesterday we had some private mail exchange on this issue as I did not wish
> to broadcast the krb5 and ipa install logs to the user list.
>
> The basic situation is that we are in the process of migrating from a
> FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As discussed
> in a thread some weeks ago we did not do this by replicating (as perhaps we
> should have done). Instead we migrated the users across.
>
> We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined to
> the old KDC. We are now in the process of migrating these hosts to the new
> 4.1 KDC.
>
> Most of the hosts run EL 6.5 + ipa-client 3.3.3.  For all of these joining
> to the new KDC was trouble free, taking a few minutes each. After joining
> the new KDC FreeIPA users authenticated properly.
>
> We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that were
> joined direct to the new 4.1 KDC, never having been joined to the 3.3.3
> KDC. These were also trouble free.
>
> The problem occurs with a handful of existing EL 7.1 + ipa-client 4.1 hosts
> that were originally joined to the 3.3.3 KDC, and must be moved to join the
> 4.1 KDC.  These machines no longer authenticate valid FreeIPA users. I have
> been able to reproduce this behaviour with a freshly setup VM joined first
> to the 3.3.3 KDC, then moved to the 4.1 KDC.
>
> While the errors shown in the krb5 child logs indicate that the password is
> incorrect, the same user / password is happily accepted by all the other
> hosts.
>
> It seems that in the process of moving / migrating the EL 7.1 / ipa-client
> 4.1 from the old KDC to the new KDC, "something" is left behind that causes
> problems. We have seen indications in the install logs that the kinit steps
> called during ipa-client install are getting responses from the wrong (old)
> KDC, and not from the new KDC.
>
> Frustratingly, over the weekend I managed to get one of the problem EL 7.1
> boxes to work. However I can't work out exactly what it was that I did that
> did the trick. However it seems that some kind of major de-install /
> cleanup + reinstall of the ipa-client may be needed.
>
> Rob has suggested that as part of such a cleanup I should do "rm
> -f /var/lib/sssd/db/*". I will test this later today and report back.
>
> Thanks to Rob, Jakub, Martin, Alexander et al for their help and
> suggestions so far.
>
> Chris

Thanks for the background. The pain you are getting is exactly the reason
why migration via replication to RHEL-7.1 is a better choice :-) Please let
us know the result, I am curious how this works out.

>
>
>
>
> From:  Martin Kosek 
> To:Christopher Lamb/Switzerland/IBM@IBMCH,
> freeipa-users@redhat.com, Jakub Hrozek 
> Date:  03.06.2015 09:34
> Subject:   Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
>            client on EL7.1 -->Not Solved
>
>
>
> On 06/02/2015 06:15 PM, Christopher Lamb wrote:
>>
>> Hi
>>
>> Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the
>> cause of this problem. Let's call them HOST09 and HOST10
>>
>> Both are minimum installs of EL7.1, with NTPD installed and configured.
>>
>> HOST09 had ipa-client 4.1 installed via yum, and was configured to use
>> our new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
>> authenticates successfully against this machine.
>>
>> HOST10 had ipa-client 4.1 installed as a dependency of one of our
>> standard config packages, and was first set to use o

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

2015-06-03 Thread Christopher Lamb
Hi all

This is a quick(ish) note to bring everybody up to speed on this issue.
Yesterday we had some private mail exchange on this issue as I did not wish
to broadcast the krb5 and ipa install logs to the user list.

The basic situation is that we are in the process of migrating from a
FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As discussed
in a thread some weeks ago we did not do this by replicating (as perhaps we
should have done). Instead we migrated the users across.

We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined to
the old KDC. We are now in the process of migrating these hosts to the new
4.1 KDC.

Most of the hosts run EL 6.5 + ipa-client 3.3.3.  For all of these joining
to the new KDC was trouble free, taking a few minutes each. After joining
the new KDC FreeIPA users authenticated properly.

We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that were
joined direct to the new 4.1 KDC, never having been joined to the 3.3.3
KDC. These were also trouble free.

The problem occurs with a handful of existing EL 7.1 + ipa-client 4.1 hosts
that were originally joined to the 3.3.3 KDC, and must be moved to join the
4.1 KDC.  These machines no longer authenticate valid FreeIPA users. I have
been able to reproduce this behaviour with a freshly setup VM joined first
to the 3.3.3 KDC, then moved to the 4.1 KDC.

While the errors shown in the krb5 child logs indicate that the password is
incorrect, the same user / password is happily accepted by all the other
hosts.

It seems that in the process of moving / migrating the EL 7.1 / ipa-client
4.1 from the old KDC to the new KDC, "something" is left behind that causes
problems. We have seen indications in the install logs that the kinit steps
called during ipa-client install are getting responses from the wrong (old)
KDC, and not from the new KDC.

Frustratingly, over the weekend I managed to get one of the problem EL 7.1
boxes to work. However I can't work out exactly what it was that I did that
did the trick. However it seems that some kind of major de-install /
cleanup + reinstall of the ipa-client may be needed.

Rob has suggested that as part of such a cleanup I should do "rm
-f /var/lib/sssd/db/*". I will test this later today and report back.

Thanks to Rob, Jakub, Martin, Alexander et al for their help and
suggestions so far.

Chris




From:   Martin Kosek 
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com, Jakub Hrozek 
Date:   03.06.2015 09:34
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Not Solved



On 06/02/2015 06:15 PM, Christopher Lamb wrote:
>
> Hi
>
> Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause
> of this problem. Let's call them HOST09 and HOST10
>
> Both are minimum installs of EL7.1, with NTPD installed and configured.
>
> HOST09 had ipa-client 4.1 installed via yum, and was configured to use our
> new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
> authenticates successfully against this machine.
>
> HOST10 had ipa-client 4.1 installed as a dependency of one of our standard
> config packages, and was first set to use our old FreeIPA 3.3.3 server. -->
> My FreeIPA user authenticates successfully against this machine.
>
> I then de-registered HOST10 from the FreeIPA 3.1 server, and registered
> against the new FreeIPA 4.1 server --> My FreeIPA user does NOT
> authenticate successfully.
>
> This replicates well the behaviour I saw with my production servers, namely
> a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1
> FreeIPA server authenticate properly.
>
> b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3
> FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT
> authenticate properly
>
> Chris

Hello,

This is really strange. What I do not fully understand is what is the
"registration against a FreeIPA server". What server you install IPA client
should matter if the deployment is set up properly. The host enrollment
entry should simply replicate to whole infrastructure. The only thing that
will probably differ is sssd.conf and krb5.conf as they will have different
primary server set up, based on what your DNS setup is.

It rather seems that the "reregistration" is what causes the issue. It
looks like some cleanup problem during the process. I will let Jakub help
here, I would suggest including the SSSD logs from the failed login, it may
help.

>
>
>
> - Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52
> -
>
> From:  Christopher Lamb/Switzerland/IBM@IBMCH
> To:Jakub Hrozek 
> Cc:freeipa-users@redhat.com
> Date:

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

2015-06-02 Thread Christopher Lamb
Hi Rob

Thanks

All those commands work, and give expected results.

I will send you the install logs direct.

Cheers

Chris




From:   Rob Crittenden 
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com, Jakub Hrozek 
Date:   02.06.2015 19:25
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Not Solved



Christopher Lamb wrote:
>
> Hi
>
> To narrow down the cause even further, I reverted HOST10 via VM snapshot
> back to the state after installing linux and configuring ntpd.
>
> This time I installed ipa-client 4.1 directly (rather than as a dependent
> of our standard server packages). So this machine is a basic install of EL
> 7.1 + ntpd + ipa-client, with nothing else extra.
>
> Again I first registered against the old 3.3.3 FreeIPA Server, then
> switched to the new 4.1 Server.
>
> Once again my FreeIPA user does not authenticate.

I'd start by simplifying things.

Does kinit -kt /etc/krb5.keytab work?

Do basic nss operations work?

getent passwd admin
id admin
groups admin
etc.

Seeing the entire ipaclient-install.log after the 7.1 install may be
helpful.

Cranking up sssd debuglevel may be helpful.

rob






[Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

2015-06-02 Thread Christopher Lamb

Hi

To narrow down the cause even further, I reverted HOST10 via VM snapshot
back to the state after installing linux and configuring ntpd.

This time I installed ipa-client 4.1 directly (rather than as a dependent
of our standard server packages). So this machine is a basic install of EL
7.1 + ntpd + ipa-client, with nothing else extra.

Again I first registered against the old 3.3.3 FreeIPA Server, then
switched to the new 4.1 Server.

Once again my FreeIPA user does not authenticate.

Chris
- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 18:38
-

From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: freeipa-users@redhat.com, Jakub Hrozek 
Date:   02.06.2015 18:28
Subject:[Freeipa-users] Fw: ssh problem with migrated FreeIPA client on
EL7.1 -->Not Solved
Sent by:freeipa-users-boun...@redhat.com




Hi

Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause
of this problem. Let's call them HOST09 and HOST10

Both are minimum installs of EL7.1, with NTPD installed and configured.

HOST09 had ipa-client 4.1 installed via yum, and was configured to use our
new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
authenticates successfully against this machine.

HOST10 had ipa-client 4.1 installed as a dependency of one of our standard
config packages, and was first set to use our old FreeIPA 3.3.3 server. -->
My FreeIPA user authenticates successfully against this machine.

I then de-registered HOST10 from the FreeIPA 3.1 server, and registered
against the new FreeIPA 4.1 server --> My FreeIPA user does NOT
authenticate successfully.

This replicates well the behaviour I saw with my production servers, namely
a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1
FreeIPA server authenticate properly.

b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3
FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT
authenticate properly

Chris



----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52
-----

From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: Jakub Hrozek 
Cc: freeipa-users@redhat.com
Date:   02.06.2015 10:40
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Not Solved
Sent by:freeipa-users-boun...@redhat.com



Hi Jakub

Yes root login works, that's how I've been getting into the box.

Surprisingly, kinit with my user seems to work on that box. After entering
my password when prompted, it returns to the commandline without error.

However if I try kinit with another FreeIPA user, then instead of prompting
for a password, it gives "Generic preauthentication failure while getting
initial credentials" error.

Having set debug_level=10, when I try and ssh in with my FreeIPA user, I
find errors like

"Retrieving host  with result: .. Matching credential not found"

"Received error from KDC ... Additional pre-authentication required"

"Received error from KDC... Decrypt integrity check failed"

"Received error code 1432158219"

Cheers

Chris





From:   Jakub Hrozek 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com
Date:   02.06.2015 09:50
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Not Solved



On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
> Hi Jakub
>
> The same user / password works with all our FreeIPA hosts - just this one
> box is the problem. So the password should be good. Of course a typo is
> always possible (especially for strong passwords), but I have tried many
> times which should eliminate the odd password typo. The user / password
> should also be good for both the old and the new FreeIPA Server.

Interesting, can you add debug_level=10 to the domain section of
sssd.conf? Then krb5_child.log should show Kerberos tracing info
including which exact KDC SSSD was talking to.

>
> As I can neither log in direct, or via ssh to this box with my FreeIPA
> user, I assume kinit with my user won't work - I will try later in the
> day.

Well, login as a UNIX user (root) should work..

>
> My working assumption is that the problem is related in some way to the
> fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
> 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
> throwaway EL 7.1 VMs to better test this. On one I will first install
> 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
> client.
>
> Cheers
>
> Chris
>
>
>
> From:

[Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

2015-06-02 Thread Christopher Lamb

Hi

Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause
of this problem. Let's call them HOST09 and HOST10

Both are minimum installs of EL7.1, with NTPD installed and configured.

HOST09 had ipa-client 4.1 installed via yum, and was configured to use our
new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
authenticates successfully against this machine.

HOST10 had ipa-client 4.1 installed as a dependency of one of our standard
config packages, and was first set to use our old FreeIPA 3.3.3 server. -->
My FreeIPA user authenticates successfully against this machine.

I then de-registered HOST10 from the FreeIPA 3.1 server, and registered
against the new FreeIPA 4.1 server --> My FreeIPA user does NOT
authenticate successfully.

This replicates well the behaviour I saw with my production servers, namely
a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1
FreeIPA server authenticate properly.

b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3
FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT
authenticate properly

Chris



- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52
-

From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: Jakub Hrozek 
Cc: freeipa-users@redhat.com
Date:   02.06.2015 10:40
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Not Solved
Sent by:freeipa-users-boun...@redhat.com



Hi Jakub

Yes root login works, that's how I've been getting into the box.

Surprisingly, kinit with my user seems to work on that box. After entering
my password when prompted, it returns to the commandline without error.

However if I try kinit with another FreeIPA user, then instead of prompting
for a password, it gives "Generic preauthentication failure while getting
initial credentials" error.

Having set debug_level=10, when I try and ssh in with my FreeIPA user, I
find errors like

"Retrieving host  with result: .. Matching credential not found"

"Received error from KDC ... Additional pre-authentication required"

"Received error from KDC... Decrypt integrity check failed"

"Received error code 1432158219"

Cheers

Chris





From:   Jakub Hrozek 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com
Date:   02.06.2015 09:50
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Not Solved



On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
> Hi Jakub
>
> The same user / password works with all our FreeIPA hosts - just this one
> box is the problem. So the password should be good. Of course a typo is
> always possible (especially for strong passwords), but I have tried many
> times which should eliminate the odd password typo. The user / password
> should also be good for both the old and the new FreeIPA Server.

Interesting, can you add debug_level=10 to the domain section of
sssd.conf? Then krb5_child.log should show Kerberos tracing info
including which exact KDC SSSD was talking to.

>
> As I can neither log in direct, or via ssh to this box with my FreeIPA
> user, I assume kinit with my user won't work - I will try later in the
> day.

Well, login as a UNIX user (root) should work..

>
> My working assumption is that the problem is related in some way to the
> fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
> 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
> throwaway EL 7.1 VMs to better test this. On one I will first install
> 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
> client.
>
> Cheers
>
> Chris
>
>
>
> From:   Jakub Hrozek 
> To: freeipa-users@redhat.com
> Date:   02.06.2015 09:22
> Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
> client on EL7.1 -->Not Solved
> Sent by:freeipa-users-boun...@redhat.com
>
>
>
> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
> >
> > Hi All
> >
> > Bad news.
> >
> > Over the weekend I was able to get the original problem EL7.1 / FreeIPA
> > 4.1 host (FreeIPA client) to authenticate FreeIPA users (my test being
> > ssh remote login with FreeIPA user and password).
> >
> > Today I tried a second machine, and had the same problem, ssh
> > connections with FreeIPA user cause  "[sssd[krb5_child[3445]]]: Decrypt
> > integrity check failed"
>
> This really just means wrong 

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

2015-06-02 Thread Christopher Lamb
Hi Jakub

Yes root login works, that's how I've been getting into the box.

Surprisingly, kinit with my user seems to work on that box. After entering
my password when prompted, it returns to the commandline without error.

However if I try kinit with another FreeIPA user, then instead of prompting
for a password, it gives "Generic preauthentication failure while getting
initial credentials" error.

Having set debug_level=10, when I try and ssh in with my FreeIPA user, I
find errors like

"Retrieving host  with result: .. Matching credential not found"

"Received error from KDC ... Additional pre-authentication required"

"Received error from KDC... Decrypt integrity check failed"

"Received error code 1432158219"

Cheers

Chris





From:   Jakub Hrozek 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com
Date:   02.06.2015 09:50
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Not Solved



On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
> Hi Jakub
>
> The same user / password works with all our FreeIPA hosts - just this one
> box is the problem. So the password should be good. Of course a typo is
> always possible (especially for strong passwords), but I have tried many
> times which should eliminate the odd password typo. The user / password
> should also be good for both the old and the new FreeIPA Server.

Interesting, can you add debug_level=10 to the domain section of
sssd.conf? Then krb5_child.log should show Kerberos tracing info
including which exact KDC SSSD was talking to.

>
> As I can neither log in direct, or via ssh to this box with my FreeIPA
> user, I assume kinit with my user won't work - I will try later in the
> day.

Well, login as a UNIX user (root) should work..

>
> My working assumption is that the problem is related in some way to the
> fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
> 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
> throwaway EL 7.1 VMs to better test this. On one I will first install
> 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
> client.
>
> Cheers
>
> Chris
>
>
>
> From:  Jakub Hrozek 
> To:    freeipa-users@redhat.com
> Date:  02.06.2015 09:22
> Subject:   Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
>            client on EL7.1 -->Not Solved
> Sent by:   freeipa-users-boun...@redhat.com
>
>
>
> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
> >
> > Hi All
> >
> > Bad news.
> >
> > Over the weekend I was able to get the original problem EL7.1 / FreeIPA
> > 4.1 host (FreeIPA client) to authenticate FreeIPA users (my test being
> > ssh remote login with FreeIPA user and password).
> >
> > Today I tried a second machine, and had the same problem, ssh
> > connections with FreeIPA user cause  "[sssd[krb5_child[3445]]]: Decrypt
> > integrity check failed"
>
> This really just means wrong password, can you kinit as that user using
> the same password?
>
> >
> > Ahh I thought, I have a solution for that: just remove ipa-client and
> > reinstall via yum, register with the new FreeIPA server 
> >
> > Only with this second machine I still can't ssh in with a FreeIPA user.
> > Argg.
> >
> > b.t.w, as this machine is a real physical server, I was able to try
> > logging in direct with my FreeIPA user --> "Authentication Failure"
> >
> > I now have
> > * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the
> > old FreeIPA server to the new without a hitch (i.e. they successfully
> > authenticate FreeIPA users.)
> > * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
> > with problems
> > * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts
> > to authenticate with a FreeIPA user
> > * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the
> > new FreeIPA server, and successfully authenticates FreeIPA users.
> >
> > Any ideas?
> >
> > Chris
> >
> >
> > - Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17
> > -
> >
> > From: Christopher Lamb/Switzerland/IBM@IBMCH
> > To:   Alexander Bokovoy ,
> > freeipa-users@redhat.com
> > Date: 30.05.2015 18:52
> > Subject:  Re: [Freeipa-users] ssh pro
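As an added example, not code from the thread or from the SSSD/FreeIPA projects: a small triage script for a krb5_child.log captured with debug_level=10 as Jakub suggests, reporting which KDC answered and which of the errors quoted above appear. It assumes the MIT Kerberos trace line format that SSSD forwards into krb5_child.log (IPv4 addresses only); the sample log, its realm, hostname and addresses are constructed.

```python
"""Triage a krb5_child.log captured with debug_level=10.

Added example, not from the thread or the SSSD/FreeIPA projects. It assumes
the MIT Kerberos trace lines SSSD forwards into krb5_child.log, such as
"Sending initial UDP request to dgram <ip>:88". The sample log, its realm,
hostname and addresses are constructed.
"""
import re
import sys
from collections import Counter

# Error strings quoted in the thread; each hint is my reading of it for a
# client that was re-enrolled against a different KDC.
ERROR_HINTS = {
    "Matching credential not found": "no usable credential in the ccache",
    "Additional pre-authentication required": "pre-auth requested; benign alone",
    "Decrypt integrity check failed": "key does not match the answering KDC",
    "Generic preauthentication failure": "pre-auth failed before password check",
}

# KDC address from MIT krb5 trace lines (UDP "dgram" or TCP "stream").
# IPv4 only; an IPv6 literal contains colons and would need another pattern.
KDC_RE = re.compile(
    r"(?:Sending (?:initial )?(?:UDP|TCP) request to|"
    r"Received answer \(\d+ bytes\) from) (?:dgram|stream) ([^:\s]+):\d+"
)

# Constructed sample: sssd.conf on this client names the new KDC
# (192.0.2.20), yet every trace line shows the old one (192.0.2.10).
P = "[sssd[krb5_child[3445]]] [sss_child_krb5_trace_cb] (0x4000): [3445] "
SAMPLE_LOG = "\n".join([
    P + "1433256000.100: Getting initial credentials for jdoe@EXAMPLE.COM",
    P + "1433256000.101: Retrieving host/client.example.com@EXAMPLE.COM -> "
        "krbtgt/EXAMPLE.COM@EXAMPLE.COM from FILE:/var/lib/sss/db/ccache_"
        "EXAMPLE.COM with result: -1765328243/Matching credential not found",
    P + "1433256000.102: Sending initial UDP request to dgram 192.0.2.10:88",
    P + "1433256000.103: Received answer (296 bytes) from dgram 192.0.2.10:88",
    P + "1433256000.104: Received error from KDC: -1765328359/Additional "
        "pre-authentication required",
    P + "1433256000.105: Sending initial UDP request to dgram 192.0.2.10:88",
    P + "1433256000.106: Received error from KDC: -1765328353/Decrypt "
        "integrity check failed",
    "[sssd[krb5_child[3445]]] [get_and_save_tgt] (0x0020): 1432158219: "
    "Decrypt integrity check failed",
])


def kdcs_contacted(lines):
    """Count trace lines per KDC address."""
    return Counter(m.group(1) for m in map(KDC_RE.search, lines) if m)


def find_errors(lines):
    """Known error strings in first-seen order, each with its hint."""
    found = []
    for line in lines:
        for err, hint in ERROR_HINTS.items():
            if err in line and all(err != e for e, _ in found):
                found.append((err, hint))
    return found


def triage(lines, expected_kdcs):
    """Which KDCs answered, which known errors appeared, and whether that
    looks like the stale re-enrollment described in the thread."""
    kdcs = kdcs_contacted(lines)
    unexpected = sorted(k for k in kdcs if k not in expected_kdcs)
    errors = find_errors(lines)
    names = {e for e, _ in errors}
    reasons = []
    if unexpected:
        reasons.append("trace shows a KDC outside the expected set: "
                       + ", ".join(unexpected))
    if {"Decrypt integrity check failed",
        "Matching credential not found"} <= names:
        reasons.append("key mismatch plus an unusable credential cache, the "
                       "signature of a leftover /var/lib/sss/db from the "
                       "previous enrollment")
    return {"kdcs": dict(kdcs), "unexpected_kdcs": unexpected,
            "errors": errors, "reasons": reasons,
            "stale_enrollment_suspected": bool(reasons)}


def main(argv):
    """Usage: triage.py [krb5_child.log expected_kdc ...]; no args = sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            report = triage(fh.read().splitlines(), set(argv[2:]))
    else:
        report = triage(SAMPLE_LOG.splitlines(), {"192.0.2.20"})
    for kdc, n in sorted(report["kdcs"].items()):
        print(f"KDC {kdc}: {n} trace line(s)")
    for err, hint in report["errors"]:
        print(f"error: {err} -- {hint}")
    for reason in report["reasons"]:
        print(f"suspect: {reason}")
    return 1 if report["stale_enrollment_suspected"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means the log points at either the wrong KDC or a leftover credential cache, which is the situation the three-step re-enrollment in the thread (uninstall, purge /var/lib/sss/db, reinstall) clears.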

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

2015-06-02 Thread Christopher Lamb
Hi Jakub

The same user / password works with all our FreeIPA hosts - just this one
box is the problem. So the password should be good. Of course a typo is
always possible (especially for strong passwords), but I have tried many
times which should eliminate the odd password typo. The user / password
should also be good for both the old and the new FreeIPA Server.

As I can neither log in direct, or via ssh to this box with my FreeIPA
user, I assume kinit with my user won't work - I will try later in the day.

My working assumption is that the problem is related in some way to the
fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
throwaway EL 7.1 VMs to better test this. On one I will first install
3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
client.

Cheers

Chris



From:   Jakub Hrozek 
To: freeipa-users@redhat.com
Date:   02.06.2015 09:22
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 -->Not Solved
Sent by:freeipa-users-boun...@redhat.com



On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
>
> Hi All
>
> Bad news.
>
> Over the weekend I was able to get the original problem EL7.1 / FreeIPA
> 4.1 host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
> remote login with FreeIPA user and password).
>
> Today I tried a second machine, and had the same problem, ssh connections
> with FreeIPA user cause  "[sssd[krb5_child[3445]]]: Decrypt integrity
> check failed"

This really just means wrong password, can you kinit as that user using
the same password?

>
> Ahh I thought, I have a solution for that: just remove ipa-client and
> reinstall via yum, register with the new FreeIPA server 
>
> Only with this second machine I still can't ssh in with a FreeIPA user.
> Argg.
>
> b.t.w, as this machine is a real physical server, I was able to try
> logging in direct with my FreeIPA user --> "Authentication Failure"
>
> I now have
> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
> FreeIPA server to the new without a hitch (i.e. they successfully
> authenticate FreeIPA users.)
> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
> with problems
> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
> authenticate with a FreeIPA user
> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
> FreeIPA server, and successfully authenticates FreeIPA users.
>
> Any ideas?
>
> Chris
>
>
> - Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17
> -
>
> From:  Christopher Lamb/Switzerland/IBM@IBMCH
> To:Alexander Bokovoy ,
> freeipa-users@redhat.com
> Date:  30.05.2015 18:52
> Subject:   Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
>            EL7.1 --> Solved
> Sent by:   freeipa-users-boun...@redhat.com
>
>
>
> Hi All
>
> It gives me pleasure to report the problem is solved - a minute ago I was
> able to login via ssh with my FreeIPA user to the problem server, while
> sitting on my terrace with a glass of wine!
>
> Thanks to Alexander for his helpful advice - we had some mail exchange
> outside the user list as I did not wish to broadcast content of keys,
> config files etc.
>
> Regardless of what I did with commands like klist, kvno everything seemed
> "ok", but I still could not ssh in. Even an ipa-getkeytab did not help.
>
> Therefore I decided to opt for brute force and (partial) ignorance. I
> completely uninstalled the FreeIPA client, and then reinstalled,
> configured - et voilà I could ssh in!
>
> This leaves the enigma: what caused the problem? I suspect the following:
>
> The host is an EL 7.1, but the first FreeIPA client installed was version
> 3.3.3 (installed as set of standard packages that we bung on all our
> servers).
>
> This worked fine to authenticate against our "old" 3.x FreeIPA server,
> but did not work against the "new" 4.1 FreeIPA Server.
>
> When I realised I could not ssh in, one of the first things I did was to
> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
> The solution was to yum remove the FreeIPA client, then yum install the
> 4.1 client.
>
> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed,
> so it will be interesting to see if the problem can be reproduced.
>
> Keep up the good work,
>
> Chris
>
>
>
>
>
>
>
>
> From:   Alexander Bokovoy 

[Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

2015-06-01 Thread Christopher Lamb

Hi All

Bad news.

Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1
host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
remote login with FreeIPA user and password).

Today I tried a second machine, and had the same problem, ssh connections
with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check
failed"

Ahh I thought, I have a solution for that: just remove ipa-client and
reinstall via yum, register with the new FreeIPA server 

Only with this second machine I still can't ssh in with a FreeIPA user.
Argg.

b.t.w, as this machine is a real physical server, I was able to try logging
in direct with my FreeIPA user --> "Authentication Failure"

I now have
* a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
FreeIPA server to the new without a hitch (i.e. they successfully
authenticate FreeIPA users.)
* one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
with problems
* one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
authenticate with a FreeIPA user
* one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
FreeIPA server, and successfully authenticates FreeIPA users.

Any ideas?

Chris


----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17
-----

From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: Alexander Bokovoy ,
freeipa-users@redhat.com
Date:   30.05.2015 18:52
Subject:Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
EL7.1 --> Solved
Sent by:freeipa-users-boun...@redhat.com



Hi All

It gives me pleasure to report the problem is solved - a minute ago I was
able to login via ssh with my FreeIPA user to the problem server, while
sitting on my terrace with a glass of wine!

Thanks to Alexander for his helpful advice - we had some mail exchange
outside the user list as I did not wish to broadcast content of keys,
config files etc.

Regardless of what I did with commands like klist, kvno everything seemed
"ok", but I still could not ssh in. Even a ipa-getkeytab did not help.

Therefore I decided to opt for brute force and (partial) ignorance. I
completely uninstalled the FreeIPA client, and then reinstalled, configured
- et voilà I could ssh in!

This leaves the enigma: what caused the problem? I suspect the following:

The host is an EL 7.1, but the first FreeIPA client installed was version
3.3.3 (installed as set of standard packages that we bung on all our
servers).

This worked fine to authenticate against our "old" 3.x FreeIPA server, but
did not work against the "new" 4.1 FreeIPA Server.

When I realised I could not ssh in, one of the first things I did was to
yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
The solution was to yum remove the FreeIPA client, then yum install the 4.1
client.

I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
it will be interesting to see if the problem can be reproduced.

Keep up the good work,

Chris








From:   Alexander Bokovoy 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com
Date:   29.05.2015 18:04
Subject:Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
EL7.1



On Fri, 29 May 2015, Christopher Lamb wrote:
>
>Hi All
>
>Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
>the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
>across the users.
>
>We have 50 odd Servers that are FreeIPA clients. Today I started migrating
>these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
>server by doing an ipa-client-install --uninstall from the old, and
>ipa-client-install to register with the new 4.1.0 server.
>
>Most of the FreeIPA clients are running OEL 6.5, and for these the
>migration process above worked perfectly. After migrating the server, I
>could ssh in with my FreeIPA user.
>
>Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
>getent passwd was successful for my FreeIPA user. However when I try and
>ssh in, my FreeIPA user / password is not accepted.
>
>Before the migration I could ssh into the problem server (though evidently
>it was using my FreeIPA user from the old FreeIPA server).
>
>I can ssh in with a local (non ldap) user, so ssh is running and working.
>
>From user root I can successfully su to my FreeIPA user.
>
>Further investigation showed that version of ipa-client installed was
>3.3.3, so I yum updated this to 4.1.0.
>
>However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
>same user continues to work for the 6.5 boxes.
>
>A colleague tried to ssh in with his FreeIPA user, and was also r

Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved

2015-05-30 Thread Christopher Lamb
Hi All

It gives me pleasure to report the problem is solved - a minute ago I was
able to login via ssh with my FreeIPA user to the problem server, while
sitting on my terrace with a glass of wine!

Thanks to Alexander for his helpful advice - we had some mail exchange
outside the user list as I did not wish to broadcast content of keys,
config files etc.

Regardless of what I did with commands like klist, kvno everything seemed
"ok", but I still could not ssh in. Even a ipa-getkeytab did not help.

Therefore I decided to opt for brute force and (partial) ignorance. I
completely uninstalled the FreeIPA client, and then reinstalled, configured
- et voilà I could ssh in!

This leaves the enigma: what caused the problem? I suspect the following:

The host is an EL 7.1, but the first FreeIPA client installed was version
3.3.3 (installed as set of standard packages that we bung on all our
servers).

This worked fine to authenticate against our "old" 3.x FreeIPA server, but
did not work against the "new" 4.1 FreeIPA Server.

When I realised I could not ssh in, one of the first things I did was to
yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
The solution was to yum remove the FreeIPA client, then yum install the 4.1
client.

I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
it will be interesting to see if the problem can be reproduced.

Keep up the good work,

Chris








From:   Alexander Bokovoy 
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com
Date:   29.05.2015 18:04
Subject:Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
EL7.1



On Fri, 29 May 2015, Christopher Lamb wrote:
>
>Hi All
>
>Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
>the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
>across the users.
>
>We have 50 odd Servers that are FreeIPA clients. Today I started migrating
>these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
>server by doing an ipa-client-install --uninstall from the old, and
>ipa-client-install to register with the new 4.1.0 server.
>
>Most of the FreeIPA clients are running OEL 6.5, and for these the
>migration process above worked perfectly. After migrating the server, I
>could ssh in with my FreeIPA user.
>
>Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
>getent passwd was successful for my FreeIPA user. However when I try and
>ssh in, my FreeIPA user / password is not accepted.
>
>Before the migration I could ssh into the problem server (though evidently
>it was using my FreeIPA user from the old FreeIPA server).
>
>I can ssh in with a local (non ldap) user, so ssh is running and working.
>
>From user root I can successfully su to my FreeIPA user.
>
>Further investigation showed that version of ipa-client installed was
>3.3.3, so I yum updated this to 4.1.0.
>
>However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
>same user continues to work for the 6.5 boxes.
>
>A colleague tried to ssh in with his FreeIPA user, and was also rejected,
>so the problem is not my user, but is probably for all FreeIPA users.
>
>A failed ssh login attempt causes the following error in /var/log/messages
>
>[sssd[krb5_child[5393]]]: Decrypt integrity check failed
It means /etc/krb5.keytab contains keys from older system and SSSD
picks them up.
Can you show output of 'klist -kKet'?
--
/ Alexander Bokovoy





-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
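Alexander's diagnosis in the quoted message above (stale keys in /etc/krb5.keytab that SSSD picks up, producing "Decrypt integrity check failed") is something that can be checked mechanically before deciding to remove and re-enrol a client. The script below is an added example, not from the thread or from FreeIPA itself: it reads the text of `klist -kKet` and of `kvno host/<fqdn>` (run with a fresh TGT from the current server) and flags keytab entries from another realm, a principal whose keytab lacks the KDC's current key version, and leftover older versions. The host name, realm names and key bytes in the sample output are constructed placeholders, not real data.

```shell
#!/bin/sh
# audit_keytab REALM KLIST_OUTPUT KVNO_OUTPUT
#   REALM         realm the host is supposed to be enrolled in now
#   KLIST_OUTPUT  text of `klist -kKet`; the key column (-K) is ignored here,
#                 it is key material and should never be pasted anywhere
#   KVNO_OUTPUT   text of `kvno host/<fqdn>` obtained from the current KDC
# Prints one finding per line and returns 1 if anything was found, 0 otherwise.
audit_keytab() {
    realm=$1
    klist_out=$2
    kvno_out=$3
    findings=$(
        {
            # Tag the kvno lines so a single awk pass can read both inputs.
            printf '%s\n' "$kvno_out" | sed 's/^/KDC /'
            printf '%s\n' "$klist_out"
        } | awk -v realm="$realm" '
            # "KDC host/x@R: kvno = 5"  ->  kdc["host/x@R"] = 5
            $1 == "KDC" {
                line = $0
                sub(/^KDC /, "", line)
                n = split(line, a, ": kvno = ")
                if (n == 2) kdc[a[1]] = a[2] + 0
                next
            }
            # Keytab entry lines start with a numeric KVNO; header lines do not.
            # Fields: KVNO date time principal (etype) (key)
            $1 ~ /^[0-9]+$/ {
                kvno = $1 + 0
                princ = $4
                split(princ, p, "@")
                if (p[2] != realm) {
                    print "FOREIGN_REALM " princ " kvno=" kvno
                    next
                }
                seen[princ, kvno] = 1
                princs[princ] = 1
            }
            END {
                for (pr in princs) {
                    versions = 0
                    has_current = 0
                    for (key in seen) {
                        split(key, kk, SUBSEP)
                        if (kk[1] != pr) continue
                        versions++
                        if ((pr in kdc) && kk[2] + 0 == kdc[pr]) has_current = 1
                    }
                    if (!(pr in kdc)) continue      # no KDC value to compare against
                    if (!has_current)
                        print "KVNO_MISMATCH " pr " kdc=" kdc[pr]
                    else if (versions > 1)
                        print "STALE_KVNO " pr " keytab has " versions " versions, kdc=" kdc[pr]
                }
            }'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample (key bytes replaced by a placeholder) from a host that was
# enrolled against an old server and re-enrolled against the new one without cleanup.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- -------------------------------------------------------
   1 02/01/2014 11:02:45 host/web01.example.com@OLD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0xPLACEHOLDER)
   2 04/10/2015 09:15:22 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0xPLACEHOLDER)
   2 04/10/2015 09:15:22 host/web01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0xPLACEHOLDER)
   5 05/29/2015 18:40:03 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0xPLACEHOLDER)
   5 05/29/2015 18:40:03 host/web01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0xPLACEHOLDER)'

# Constructed `kvno host/web01.example.com` output from the new KDC.
SAMPLE_KVNO='host/web01.example.com@EXAMPLE.COM: kvno = 5'

# How the keytab should look after a clean re-enrolment: only the current version.
CLEAN_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- -------------------------------------------------------
   5 05/29/2015 18:40:03 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0xPLACEHOLDER)
   5 05/29/2015 18:40:03 host/web01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0xPLACEHOLDER)'

audit_keytab EXAMPLE.COM "$SAMPLE_KLIST" "$SAMPLE_KVNO" || echo "keytab needs attention"
```

On a live host, feed it `"$(klist -kKet)"` and `"$(kvno host/$(hostname -f))"` instead of the samples; a clean keytab produces no output and exit status 0.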


[Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1

2015-05-29 Thread Christopher Lamb

Hi All

Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
across the users.

We have 50 odd Servers that are FreeIPA clients. Today I started migrating
these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
server by doing an ipa-client-install --uninstall from the old, and
ipa-client-install to register with the new 4.1.0 server.

Most of the FreeIPA clients are running OEL 6.5, and for these the
migration process above worked perfectly. After migrating the server, I
could ssh in with my FreeIPA user.

Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
getent passwd was successful for my FreeIPA user. However when I try and
ssh in, my FreeIPA user / password is not accepted.

Before the migration I could ssh into the problem server (though evidently
it was using my FreeIPA user from the old FreeIPA server).

I can ssh in with a local (non ldap) user, so ssh is running and working.

From user root I can successfully su to my FreeIPA user.

Further investigation showed that version of ipa-client installed was
3.3.3, so I yum updated this to 4.1.0.

However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
same user continues to work for the 6.5 boxes.

A colleague tried to ssh in with his FreeIPA user, and was also rejected,
so the problem is not my user, but is probably for all FreeIPA users.

A failed ssh login attempt causes the following error in /var/log/messages

[sssd[krb5_child[5393]]]: Decrypt integrity check failed


Any ideas?

Cheers

Chris



Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-06 Thread Christopher Lamb
Hi

Yes, it's possible to operate freeIPA and Samba as you suggest, we have
been doing so for some years now (with several freeIPA and Samba versions).

Our end users use a mix of Windows and OSX laptops / workstations. These
are not members of any kind of domain. They access our file servers via
Samba shares authenticated by freeIPA.

The samba server is a freeIPA client.

The samba config on the freeIPA side looks like it was done along the lines
in the link
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

The ldap config in our samba smb.conf looks like this:

security = user
passdb backend = ldapsam:ldap://ldap.my.example.com

ldap suffix = dc=my,dc=example,dc=com

ldap admin dn = cn=Directory Manager
ldap ssl = off

Cheers

Chris



From:   box 31978 
To: freeipa-users@redhat.com
Date:   06.05.2015 23:18
Subject:[Freeipa-users] freeipa-samba integration and windows clients
Sent by:freeipa-users-boun...@redhat.com



Hello everyone,

These days I'm testing integration between FreeIPA4 and Samba4 at file
sharing level. Everything seems to work fine except share access from a
standalone Windows client.

This is the setup (everything is up-to-date):
- ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plugin
- file-server: CentOS 7.1, ipa-client 4.1, samba 4.1 (sharing home dirs,
not a DC)
- win-client: Windows 7 Home Premium

Config is done following the FreeIPA's Samba integration guide, and testing
with samba-client from ipa-server (or any other ipa-joined machine) to
file-server using kerberos after calling kinit is successful (file
manipulation included).

Attempts to connect to the same share from win-client ends up with a log in
error. Analyzing logs: Samba can't find the user because it can't find any
DC, and that's because Samba can't resolve workgroup name (note that's not
a question of SSO: win-client asks to type username and password). It seems
that maybe Samba is not handling new kerberos ticket requests.

By now, my questions are:
- Can this setup work or it is absolutely necessary that any Windows client
expecting to access Samba shares have to be already joined to a trusted
domain?
- If this setup can't be done, I'll go for an LDAP config in file-server
against ipa-server, but then, can I maintain the file-server joined with
ipa-client? Will it work?

Feel free to ask whatever you want, any suggestions will be welcome.
Thanks!

Regards,

A.




Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-30 Thread Christopher Lamb
Hi Petr

Thanks, we solved this issue and reported that back on this thread. The
troubleshooting guide has even been updated as a result.

https://www.redhat.com/archives/freeipa-users/2015-April/msg00605.html

Your suggestion has however hit the nail on the head - the problem was
clock skew between the Server hosting freeIPA and the workstations.

Ironically, before installing freeIPA server we had no clock skew - clients
and workstation clocks were within seconds. Post freeIPA install, the server
was suddenly 2 hours in the future.

This seems to be because freeIPA had replaced the ntpd server entries in
the ntp.conf file. After reverting to our standard ntp.conf for a vm and
restarting ntpd the clock-skew vanished, as did the "Your session has been
expired" error on the Web UI.

The 2 hours time difference was probably a result of the difference between
UTC and European Summer Time. It will likely be familiar to anybody who has
configured FIX interfaces in Europe.

Chris

b.t.w, the above applies to our new 4.1.0 installation. We get the same
"session has expired" error from our 3.0.0 freeIPA installation that we
will decommission shortly. On that machine the cause is not clock-skew.





From:   Petr Vobornik 
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Date:   30.04.2015 12:52
Subject:Re: [Freeipa-users] Web ui error “Your session has expired.
Please re-login.” from a browser on a remote client.



On 04/25/2015 02:58 AM, Christopher Lamb wrote:
>
> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has
> expired. Please re-login.” using from browser(s) on remote client(s),
> similar to the existing tickets:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances.
>
> I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
> etc)
> Very sporadically one of the above browsers will “let me in” - If I cycle
> through all the browsers on various workstations / laptops on my desk
> sometimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064,
etypes
> {rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for
> HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
> fd 12
>
> If I enter a wrong password, I correctly get “The password or username you
> entered is incorrect. “, + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
>
>From the same browsers I can successfully access the Web UI of the public
> demo on https://ipa.demo1.freeipa.org/ipa/ui/
>

Do the machines with browsers have synchronized time with IPA servers?

If a client machine with browser is 20min+ in a future compared to IPA
server, the browser will treat ipa_session cookie as expired because its
validity is auth_time + 20 min.

Could you enable server debug logging [1] and send me entries from
httpd/error_log and krb5kdc.log which were added upon Web UI forms-based
auth with correct username and password?

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-config.html#server-debug

--
Petr Vobornik




Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Christopher Lamb
Hi all

@Craig, and using the WebUI for that purpose is much more user friendly
than doing the same via a ssh terminal session.

@Simo, as requested I have opened a ticket on this issue
https://fedorahosted.org/freeipa/ticket/5010

As this is my first Fedora ticket, please forgive me if I didn't do it right
8-)

Cheers

Chris




From:   Craig White 
To: Christopher Lamb/Switzerland/IBM@IBMCH, Simo Sorce

Cc: "freeipa-users@redhat.com" 
Date:   29.04.2015 18:03
Subject:RE: [Freeipa-users] FreeIPA WebUI Logout logs back in



-Original Message-
From: freeipa-users-boun...@redhat.com [
mailto:freeipa-users-boun...@redhat.com] On Behalf Of Christopher Lamb
Sent: Tuesday, April 28, 2015 10:58 PM
To: Simo Sorce
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

Hi Simo, Dmitri, Rob and co.

Simo's "log in with a different user" suggestion is pretty much what I was
intending. I want to be able to log out of the web ui, then log back in
with a different user. e.g. to allow a newly added user to change their
password to something secret.

On this particular workstation I have no kerberos ticket (double checking
with klist at the terminal confirms this). I have not saved the password in
Firefox (checking in the settings confirms this).

I often have ssh sessions open via terminal to the FreeIPA Server, and even
Apache Directory Studio open to browse the LDAP structure and content. I
don't see how that can play a role, but I mention it for completeness.

Seems that would be a useful option for me too. I normally login as myself
but there are times when someone comes by and wants to change their
password and it's easier if they do it on my system sometimes as the
Kerberos auth prompt confuses them and I can coach them through. Also, I
occasionally need to login as the primary 'admin' user as some of the
options (ahem - Sudo rules on version 3.0.0) are not accessible regardless
of the permissions given.

Craig






Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Christopher Lamb
Hi Petr

thanks.

Can you qualify "has a valid Kerberos Ticket"?

In my case, my user has a valid ticket on the LDAP server, but not on the
OSX workstation from which I am using Firefox / Web UI.

Cheers

Chris



From:   Petr Vobornik 
To: d...@redhat.com, Rob Crittenden ,
    Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com
Date:   29.04.2015 13:27
Subject:Re: [Freeipa-users] FreeIPA WebUI Logout logs back in



On 04/28/2015 11:53 PM, Dmitri Pal wrote:
> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>>> Hi All
>>>>
>>>> I have just tested with the FreeIPA Web UI public demo
>>>> https://ipa.demo1.freeipa.org/ipa/ui/
>>>>
>>>> Using the public demo, when I log out, I get returned to the login
>>>> screen,
>>>> as expected. This allows me to log in with a different user.
>>>>
>>>> With our own installation FreeIPA, from exactly the same browser, I get
>>>> logged straight back in to the Web UI - which makes logging out
>>>> pointless.
>>>>
>>>> still confused ...
>>> Do you have a kerberos ticket on your local system?
>>> Do klist.
>>> See which tickets you have.
>>> If you have tickets do kdestroy - this will remove the ability to SSO.
>>> If you then try to use your IPA server you will have the same experience
>>> as with public demo.
>> I think this is a question for Petr. On logout one should be directed to
>> a page that doesn't require auth so it doesn't renegotiate the
>> connection.
>>
>> rob
> Petr can you reproduce this?
>

Yes.

User is automatically logged-in back if he has a valid Kerberos ticket.

The reason is that after showing the login form, the whole UI is
reloaded in order to forget everything in the app memory. It then
behaves as normal access and SSO kicks in.

IPA had a logout page but it was removed. One reason was that PatternFly
says that when a session expires(which, in a way, is a logout), user
should be presented with a login page. As we see, with SSO, the behavior
is a little bit different and unexpected.

I've created a new ticket:

https://fedorahosted.org/freeipa/ticket/5008
--
Petr Vobornik






Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-28 Thread Christopher Lamb
Hi Simo, Dmitri, Rob and co.

Simo's "log in with a different user" suggestion is pretty much what I was
intending. I want to be able to log out of the web ui, then log back in
with a different user. e.g. to allow a newly added user to change their
password to something secret.

On this particular workstation I have no kerberos ticket (double checking
with klist at the terminal confirms this). I have not saved the password in
Firefox (checking in the settings confirms this).

I often have ssh sessions open via terminal to the FreeIPA Server, and even
Apache Directory Studio open to browse the LDAP structure and content. I
don't see how that can play a role, but I mention it for completeness.

thanks

Chris



From:   Simo Sorce 
To: d...@redhat.com
Cc: Rob Crittenden , Christopher
    Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date:   29.04.2015 03:31
Subject:Re: [Freeipa-users] FreeIPA WebUI Logout logs back in



On Tue, 2015-04-28 at 17:53 -0400, Dmitri Pal wrote:
> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
> > Dmitri Pal wrote:
> >> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
> >>> Hi All
> >>>
> >>> I have just tested with the FreeIPA Web UI public demo
> >>> https://ipa.demo1.freeipa.org/ipa/ui/
> >>>
> >>> Using the public demo, when I log out, I get returned to the login
> >>> screen,
> >>> as expected. This allows me to log in with a different user.
> >>>
> >>> With our own installation FreeIPA, from exactly the same browser, I get
> >>> logged straight back in to the Web UI - which makes logging out
> >>> pointless.
> >>>
> >>> still confused ...
> >> Do you have a kerberos ticket on your local system?
> >> Do klist.
> >> See which tickets you have.
> >> If you have tickets do kdestroy - this will remove the ability to SSO.
> >> If you then try to use your IPA server you will have the same experience
> >> as with public demo.
> > I think this is a question for Petr. On logout one should be directed to
> > a page that doesn't require auth so it doesn't renegotiate the connection.
> >
> > rob
> Petr can you reproduce this?

I've seen this in the past on my own IPA domain at home.
Perhaps what we should do is to have a logout option that says "log in
with a different user" and redirect to anon kerberized page that allows
you to do form based login.

This would address the case where a domain user wants to log in as admin
w/o exiting their user session or destroying their ccache (as that may
imply losing access to email, other company websites, etc...).

Simo.

--
Simo Sorce * Red Hat, Inc * New York






Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-28 Thread Christopher Lamb
Hi All

I have just tested with the FreeIPA Web UI public demo
https://ipa.demo1.freeipa.org/ipa/ui/

Using the public demo, when I log out, I get returned to the login screen,
as expected. This allows me to log in with a different user.

With our own installation FreeIPA, from exactly the same browser, I get
logged straight back in to the Web UI - which makes logging out pointless.

still confused ...

Chris



From:   Dmitri Pal 
To: freeipa-users@redhat.com
Date:   27.04.2015 21:31
Subject:Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
Sent by:freeipa-users-boun...@redhat.com



On 04/27/2015 12:39 PM, Christopher Lamb wrote:
> Hi All
>
> When I use the logout dropdown the WebUI (top righthand corner of the
> screen), it logs me out, then immediately reloads and logs me right back in
> again to the Users screen.
>
> This prevents me from logging in with a different user.
>
> The FreeIPA Server is 4.1.0 on OEL 7.5.
>
> I am using Web UI from an OSX workstation (Firefox and Safari).
>
> We did not have this behaviour with FreeIPA 3.0.0
>
> Thanks for your help
>
> Chris
>
Try kdestroy and then logout.
I am not sure it worked differently in 3.0; maybe you tried 3.0 when
your Kerberos ticket had already expired.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.







[Freeipa-users] FreeIPA and sambaPwdLastSet

2015-04-28 Thread Christopher Lamb

Hi All

I wish to pick your brains on the attribute sambaPwdLastSet

We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
old 3.0.0 instance.

We are also running Samba to share files to Windows and OSX users. This
means that all the FreeIPA user accounts have the attribute
sambaPwdLastSet.

If this has the value 0, our users cannot map Samba shares, so we need to
make sure the value is a positive integer.

In an attempt to do this, I modified user.py, adding the attribute to the
takes_params for the class user as follows:

class user(LDAPObject):
    . . .
    takes_params = (
        . . .
        Int('sambapwdlastset?',
            label=_('sambaPwdLastSet'),
            doc=_('Date as an integer when the samba password was last set'),
            default=1,
            autofill=True,
        ),
        . . .

This works fine if I create a user via the CLI.

However if I create a user via the Web UI, or use the Web UI to reset a
user's password, then the attribute sambaPwdLastSet is set to zero.

So what scripts do I need to change to make sure the Web UI sets
sambaPwdLastSet to a positive value? (I don't want to run ldapmodify
scripts, or have to use Apache Directory Studio to hack the db..)

Or is there an altogether better approach to handling this field?

Thanks

Chris







Re: [Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-28 Thread Christopher Lamb
Hi Martin

That is great. However you may wish to qualify what "significant" is.

In the case of the original clock-skew problems (between the IPA LDAP
Server and sssd clients on other servers), a skew in the order of 5 minutes
was enough to prevent us sshing into our servers with an ldap user.

You might also want to repeat the hint that if the FreeIPA Server is
running in a VM, it must NEVER be a NTPD server for other servers, as VMs
are notorious for bad time keeping.

Cheers

Chris



From:   Martin Kosek 
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Date:   28.04.2015 14:13
Subject:Re: [Freeipa-users] Fw:  Web ui error “Your session has
expired. Please re-login.” from a browser on a remote client.



On 04/27/2015 06:09 PM, Christopher Lamb wrote:
>
> Hi All
>
> I may have found a possible cause of our instance of the "Your session has
> expired" Web UI error on our new FreeIPA 4.1.0 Server
>
> By chance I checked the date on the server hosting FreeIPA 4.1.0. To my
> surprise, despite running ntpd it was 2 hours in the future!
>
> Some moons ago we were suffering from clock-skew problems, and had spent a lot
> of time understanding ntp, and setting up an optimal ntp
> architecture /config. We were able to completely eliminate clock-skew
> across all our servers.
>
> Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4
> NTPD servers with 4 RedHat NTPD servers.
>
> Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd,
> and time was correct again.
>
> Subsequent to this (at least at various points today) I have been able to
> successfully log into the Web UI from Firefox and Safari on OSX, and
> Firefox on Windows. On both platforms Chrome (not supported) does not work.
>
> I confess I have not had the time to return to the FreeIPA ntp config to
> see if the 2 hour offset + Web UI session problem can be reproduced, so at
> the moment this remains a credible, but not proven hypothesis.
>
> However I guess that  2 hour offset probably comes from the 2 hour
> difference between UTC and European Summertime.
>
> I think it would be great if the changes made by FreeIPA setup to ntp.conf
> were optional - we care strongly about the content of that file!
>
> Cheers
>
> Chris

Good to know. I updated the Troubleshooting page with this tip:
https://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

Thanks!
Martin




[Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-27 Thread Christopher Lamb

Hi All

When I use the logout dropdown the WebUI (top righthand corner of the
screen), it logs me out, then immediately reloads and logs me right back in
again to the Users screen.

This prevents me from logging in with a different user.

The FreeIPA Server is 4.1.0 on OEL 7.5.

I am using Web UI from an OSX workstation (Firefox and Safari).

We did not have this behaviour with FreeIPA 3.0.0

Thanks for your help

Chris



[Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-27 Thread Christopher Lamb

Hi All

I may have found a possible cause of our instance of the  "Your session has
expired" Web UI error on our new FreeIPA 4.1.0 Server

By chance I checked the date on the server hosting FreeIPA 4.1.0. To my
surprise, despite running ntpd it was 2 hours in the future!

Some moons ago we were suffering from clock-skew problems, and had spent a lot
of time understanding ntp, and setting up an optimal ntp
architecture /config. We were able to completely eliminate clock-skew
across all our servers.

Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4
NTPD servers with 4 RedHat NTPD servers.

Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd,
and time was correct again.

Subsequent to this (at least at various points today) I have been able to
successfully log into the Web UI from Firefox and Safari on OSX, and
Firefox on Windows. On both platforms Chrome (not supported) does not work.

I confess I have not had the time to return to the FreeIPA ntp config to
see if the 2 hour offset + Web UI session problem can be reproduced, so at
the moment this remains a credible, but not proven hypothesis.

However I guess that  2 hour offset probably comes from the 2 hour
difference between UTC and European Summertime.

I think it would be great if the changes made by FreeIPA setup to ntp.conf
were optional - we care strongly about the content of that file!

Cheers

Chris


- Forwarded by Christopher Lamb/Switzerland/IBM on 27.04.2015 15:36 -

From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: freeipa-users@redhat.com
Date:   26.04.2015 01:29
Subject:[Freeipa-users] Web ui error “Your session has expired. Please
re-login.” from a browser on a remote client.
Sent by:freeipa-users-boun...@redhat.com




Hi All

I too am suffering from the infamous Web ui error “Your session has
expired. Please re-login.” from browser(s) on remote client(s),
similar to the existing tickets:

https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html

We have 2 FreeIPA installations:
An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
The “new” instance, v4.1.0, on a fresh install of OEL 7.0

The error occurs on both instances.

I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
etc.)
Very sporadically one of the above browsers will “let me in” - if I cycle
through all the browsers on various workstations / laptops on my desk
sometimes I get lucky and one will work.

kinit in a ssh session works.

SELinux is disabled.

All IPA Services are running.

I can find no error(s) in /var/log/httpd/error_log

In /var/log/krb5kdc.log I get entries like:
Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
{rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for
HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
fd 12

If I enter a wrong password, I correctly get “The password or username you
entered is incorrect.”, plus errors in /var/log/httpd/error_log

None of the browsers have a krb5 ticket installed.

I get the error with both my user, and the default admin user.

From the same browsers I can successfully access the Web UI of the public
demo on https://ipa.demo1.freeipa.org/ipa/ui/
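The clock-skew hypothesis above comes down to two checks: whether the installer has swapped the site's NTP sources, and whether the resulting offset is larger than Kerberos will accept. The script below is an added example (not code from the thread or from FreeIPA) that does both; the sample ntp.conf is constructed, the approved server names are placeholders, and the 300 s limit is krb5's default clockskew.

```python
"""Added example, not code from the thread or FreeIPA: flag ntp.conf time
sources that differ from the site's approved list, and test whether a clock
offset falls outside the Kerberos clock-skew window."""
import re

# Constructed sample ntp.conf after an installer rewrote the server lines.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
"""
# Placeholder names standing in for the site's own four NTP servers.
APPROVED_SERVERS = {"ntp1.example.internal", "ntp2.example.internal",
                    "ntp3.example.internal", "ntp4.example.internal"}
# krb5's default maximum clock skew between a client and the KDC (seconds).
KRB5_CLOCKSKEW_SECONDS = 300
SOURCE_RE = re.compile(r"^\s*(?:server|peer|pool)\s+(\S+)", re.MULTILINE)

def configured_sources(conf_text):
    """Hostnames or addresses named as time sources in an ntp.conf body."""
    return set(SOURCE_RE.findall(conf_text))

def source_drift(conf_text, approved):
    """(unexpected, missing): sources present but not approved, and approved
    sources absent from the file. Two empty lists mean the file is intact."""
    found = configured_sources(conf_text)
    return sorted(found - approved), sorted(approved - found)

def skew_exceeds_limit(server_epoch, reference_epoch,
                       limit=KRB5_CLOCKSKEW_SECONDS):
    """True if the server clock is further from a trusted reference than
    Kerberos tolerates, so the KDC exchanges behind the Web UI login fail."""
    return abs(server_epoch - reference_epoch) > limit

if __name__ == "__main__":
    unexpected, missing = source_drift(SAMPLE_NTP_CONF, APPROVED_SERVERS)
    print("unexpected sources:", unexpected)
    print("missing approved sources:", missing)
    # authtime from the thread's KDC log line, plus the reported 2 h offset
    print("2 h ahead exceeds skew limit:",
          skew_exceeds_limit(1429921064 + 7200, 1429921064))
```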



Re: [Freeipa-users] Old FreeIPA upstream guides removed (WAS: Re: Web UI: Migrated Admins missing action buttons)

2015-04-27 Thread Christopher Lamb
Hi Martin

Thanks: I am glad others can benefit from my mistakes.

Cheers

Chris



From:   Martin Kosek 
To: Alexander Bokovoy , Christopher
Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com, Robert Crittenden
, Simo Sorce , Dmitri
Pal 
Date:   27.04.2015 12:51
Subject:Old FreeIPA upstream guides removed (WAS: Re: [Freeipa-users]
Web UI: Migrated Admins missing action buttons)


> We really need to remove this version 1.x documentation, it is giving too
> much confusion.

I agree, this was the last straw. I just did an update to FreeIPA.org
mediawiki and (besides upgrading to new Mediawiki) replaced the deprecated
FreeIPA 1.2.1 and 2.0.0 guides with a redirection to:

http://www.freeipa.org/page/Upstream_User_Guide

which contains the reasoning and updated list of deprecated guides and a
link to the current documentation.

HTH. If anyone needs the old guides, I can zip them and add as a download
to the Documentation section.

Martin






Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons

2015-04-25 Thread Christopher Lamb
Hi Rob and Dmitri

Migrating via Replica is the obvious way that I would have gone, had the
FreeIPA /RedHat documentation not suggested the replicas must have the same
version.

I think the link that put me off from replicating was:

http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html

Looking at the link more closely I now see this applies to version
1.2, but from the page itself that was not obvious. It would be great
if the version to which the IPA documentation applies was more obvious;
I am sure I am not the only user who enters the documentation via a search
engine.

The missing buttons turn out to be down to the fact that the admin group
was not migrated, as it is present on both old and new, so while the "old"
admin users were migrated (together with membership of all other groups),
they were not added to the admin group on the new instance. I should have
realised this sooner!

# ipa user-show 
  User login: 
  .
  Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development,
smb-software, smb-all, smb-implementation, dba, users
# ipa user-show admin
  .
  Member of groups: ipausers, trust admins, adminonly, admins

Adding "old" admin user  via cli:

# ipa group-add-member admins --users=

# ipa user-show 
   
  Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development,
smb-software, admins, smb-all, smb-implementation, dba, users

I guess that when the Web UI decides to cooperate, and let me in without
"your session has expired" error (see other ticket), I will have the
missing buttons

Thanks for the help

Chris




From:   Rob Crittenden 
To: d...@redhat.com, freeipa-users@redhat.com
Date:   25.04.2015 07:05
Subject:Re: [Freeipa-users] Web UI: Migrated Admins missing action
buttons
Sent by:freeipa-users-boun...@redhat.com



Dmitri Pal wrote:
> On 04/24/2015 12:58 PM, Christopher Lamb wrote:
>> Hi
>>
>> I am in the process of setting up and configuring a FreeIPA Server
4.1.0.
>>
>> I have successfully migrated all the users from an existing FreeIPA
>> Server
>> 3.0.0 with the following command:
>>
>> ipa migrate-ds --group-overwrite-gid
>> --user-container='cn=users,cn=accounts'
>> --group-container='cn=groups,cn=accounts' ldap://> server>:389
>>
>> When I log into the 4.1.0 Web UI, with the default "admin" user, on the
>> Identity/Users overview page, I have buttons for Delete, Add, Enable,
>> Disable etc.
>>
>> If I log in with an imported admin user, these buttons are missing.
>>
>> If I log into the old 3.0.0 Web UI, these buttons are available with
both
>> users.
>
> This is most likely because the permissions changed in 4.0 and old admin
> does not have the privileges that are now default in 4.1.

He migrated rather than upgrading so this doesn't apply.

So the question is: why did you migrate and not create a replica with
4.x and migrate that way?

One needs to be a member of the admins group to be an admin, I'd start
there.

>> p.s. it would be great if the syntax for an IPA "old" to IPA "new"
>> migration using ipa migrate-ds was included in the IPA documentation.
>> I had
>> to dig deep in the migration.py script to find the accepted format .

There is a ticket for this but the expected upgrade path is to install a
replica on the new version and once things are confirmed to be working,
decommission the older ones.

rob
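The gap Chris found (old admins migrated with all their other groups, but not added to admins on the new server) is easy to verify systematically before anyone is surprised by missing Web UI buttons. This is an added example, not code from the thread or from FreeIPA: it parses `ipa user-show` text output in the wrapped form shown above and lists old-server admins that lack admins membership on the new server; the sample output and the OLD_ADMINS set are constructed, and the usernames are placeholders.

```python
"""Added example, not code from the thread or FreeIPA: after `ipa migrate-ds`,
list old-server admins missing from `admins` on the new server, by parsing
`ipa user-show` text output."""
import re

# Constructed `ipa user-show` output from the new server, in the wrapped
# form shown in the thread; usernames are placeholders.
NEW_SERVER_OUTPUT = """\
  User login: alice
  Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development,
smb-software, smb-all, smb-implementation, dba, users
  User login: admin
  Member of groups: ipausers, trust admins, adminonly, admins
  User login: bob
  Member of groups: ipausers, admins, users
"""
# Constructed: members of `admins` on the old server before migration.
OLD_ADMINS = {"admin", "alice", "bob"}
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")

def parse_user_groups(output):
    """Map each 'User login' to its 'Member of groups' set. Indented lines
    start a field; unindented lines continue the previous (wrapped) one."""
    users, current, field, buf = {}, None, None, ""

    def flush():
        if current is not None and field == "Member of groups":
            users[current] = {g.strip() for g in buf.split(",") if g.strip()}

    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            flush()
            field, buf = m.group(1).strip(), m.group(2)
            if field == "User login":
                current = buf.strip()
                users.setdefault(current, set())
        elif line.strip():
            buf += " " + line.strip()
    flush()
    return users

def missing_admins(old_admins, new_output):
    """Old admins present on the new server but not in `admins`; fix each
    with `ipa group-add-member admins --users=<login>` as in the thread."""
    groups = parse_user_groups(new_output)
    return sorted(u for u in old_admins
                  if u in groups and "admins" not in groups[u])

if __name__ == "__main__":
    print("needs admins membership:", missing_admins(OLD_ADMINS, NEW_SERVER_OUTPUT))
```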







[Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-25 Thread Christopher Lamb

Hi All

I too am suffering from the infamous Web ui error “Your session has
expired. Please re-login.” from browser(s) on remote client(s),
similar to the existing tickets:

https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html

We have 2 FreeIPA installations:
An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
The “new” instance, v4.1.0, on a fresh install of OEL 7.0

The error occurs on both instances.

I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
etc.)
Very sporadically one of the above browsers will “let me in” - if I cycle
through all the browsers on various workstations / laptops on my desk
sometimes I get lucky and one will work.

kinit in a ssh session works.

SELinux is disabled.

All IPA Services are running.

I can find no error(s) in /var/log/httpd/error_log

In /var/log/krb5kdc.log I get entries like:
Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
{rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for
HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
fd 12

If I enter a wrong password, I correctly get “The password or username you
entered is incorrect.”, plus errors in /var/log/httpd/error_log

None of the browsers have a krb5 ticket installed.

I get the error with both my user, and the default admin user.

From the same browsers I can successfully access the Web UI of the public
demo on https://ipa.demo1.freeipa.org/ipa/ui/


Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons

2015-04-25 Thread Christopher Lamb
Hi Dmitri

I understand, maintaining documentation over multiple versions is hard
work.

You certainly don't want to prevent users from finding old documentation -
as it is important for those of us still running old versions in
production, but it would be great if it was immediately clear which version
it applies to. Had that been the case, I might have "clicked" earlier, and
sought out the equivalent pages in the current docus. Ideally each page
would be clearly marked with the version(s) it applies to.

As a side note, I tend to search via google (e.g. FreeIPA replicate), and
have been using a mixture of Red Hat, Fedora and FreeIPA branded
documentation.

thanks for your help

Chris





From:   Dmitri Pal 
To:     Christopher Lamb/Switzerland/IBM@IBMCH, Rob Crittenden

Cc: freeipa-users@redhat.com
Date:   25.04.2015 15:08
Subject:Re: [Freeipa-users] Web UI: Migrated Admins missing action
buttons



On 04/25/2015 03:12 AM, Christopher Lamb wrote:
> Hi Rob and Dmitri
>
> Migrating via Replica is the obvious way that I would have gone, had the
> FreeIPA /RedHat documentation not suggested the replicas must have the
> same version.
>
> I think the link that put me off from replicating was:
>
>
http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html

>
> Looking at the link more closely I now see this applies to version
> 1.2, but from the page itself that was not obvious. It would be great
> if the version to which the IPA documentation applies was more obvious;
> I am sure I am not the only user who enters the documentation via a
> search engine.
>
> The missing buttons turn out to be down to the fact that the admin group
> was not migrated, as it is present on both old and new, so while the
> "old"
> admin users were migrated (together with membership of all other groups),
> they were not added to the admin group on the new instance. I should have
> realised this sooner!
>
> # ipa user-show 
>User login: 
>.
>    Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development,
> smb-software, smb-all, smb-implementation, dba, users
> # ipa user-show admin
>.
>Member of groups: ipausers, trust admins, adminonly, admins
>
> Adding "old" admin user  via cli:
>
> # ipa group-add-member admins --users=
>
> # ipa user-show 
> 
>    Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development,
> smb-software, admins, smb-all, smb-implementation, dba, users
>
> I guess that when the Web UI decides to cooperate, and let me in without
> "your session has expired" error (see other ticket), I will have the
> missing buttons
>
> Thanks for the help
>
> Chris
>
>
>
>
> From:  Rob Crittenden 
> To:d...@redhat.com, freeipa-users@redhat.com
> Date:  25.04.2015 07:05
> Subject:   Re: [Freeipa-users] Web UI: Migrated Admins missing action
>            buttons
> Sent by:   freeipa-users-boun...@redhat.com
>
>
>
> Dmitri Pal wrote:
>> On 04/24/2015 12:58 PM, Christopher Lamb wrote:
>>> Hi
>>>
>>> I am in the process of setting up and configuring a FreeIPA Server
>>> 4.1.0.
>>> I have successfully migrated all the users from an existing FreeIPA
>>> Server
>>> 3.0.0 with the following command:
>>>
>>> ipa migrate-ds --group-overwrite-gid
>>> --user-container='cn=users,cn=accounts'
>>> --group-container='cn=groups,cn=accounts' ldap://>> server>:389
>>>
>>> When I log into the 4.1.0 Web UI, with the default "admin" user, on the
>>> Identity/Users overview page, I have buttons for Delete, Add, Enable,
>>> Disable etc.
>>>
>>> If I log in with an imported admin user, these buttons are missing.
>>>
>>> If I log into the old 3.0.0 Web UI, these buttons are available with
>>> both users.
>> This is most likely because the permissions changed in 4.0 and old admin
>> does not have the privileges that are now default in 4.1.
> He migrated rather than upgrading so this doesn't apply.
>
> So the question is: why did you migrate and not create a replica with
> 4.x and migrate that way?
>
> One needs to be a member of the admins group to be an admin, I'd start
> there.
>
>>> p.s. it would be great if the syntax for an IPA "old" to IPA "new"
>>> migration using ipa migrate-ds was included in the IPA documenta

[Freeipa-users] Web UI: Migrated Admins missing action buttons

2015-04-24 Thread Christopher Lamb

Hi

I am in the process of setting up and configuring a FreeIPA Server 4.1.0.

I have successfully migrated all the users from an existing FreeIPA Server
3.0.0 with the following command:

ipa migrate-ds --group-overwrite-gid
--user-container='cn=users,cn=accounts'
--group-container='cn=groups,cn=accounts' ldap://:389

When I log into the 4.1.0 Web UI, with the default "admin" user, on the
Identity/Users overview page, I have buttons for Delete, Add, Enable,
Disable etc.

If I log in with an imported admin user, these buttons are missing.

If I log into the old 3.0.0 Web UI, these buttons are available with both
users.

thanks

Chris Lamb

p.s. it would be great if the syntax for an IPA "old" to IPA "new"
migration using ipa migrate-ds was included in the IPA documentation. I had
to dig deep in the migration.py script to find the accepted format .
