[Freeipa-users] REPOST: Rebooted IPA Server and AD Trusts shows offline
Applied OS patches to the server this weekend. Now some of my IPA clients are not accepting passwords. id and getent passwd for the user work fine.

wbinfo --online-status on the IPA server shows offline for the AD domain.

wbinfo -n 'DOMAIN\User' gets:

    failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
    Could not lookup name KLAS\mark

Sumit Bose, I sent you the winbind logs on July 7th. Here's an updated one. From the logs, it looks like it can't find the domain controller.

Attachment: log.wb-KLAS (binary data)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline
Was trying to add an external AD group to IPA; it kept failing with "unable to connect to server". Figured I'd reboot to clear things up. Oops.

Now wbinfo --online-status shows our AD as offline.
wbinfo -u shows blank.
wbinfo -n 'DOMAIN\user' gives the following message:

    failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
    could not lookup 'Domain\user'

I saw a similar post in the freeipa-users archive about adding

    client min protocol = CORE
    client max protocol = SMB2_02

to the samba config; restarted winbind and still getting errors.

FreeIPA 3.0
Windows 2008 R2
[Freeipa-users] IPA + AD Integration - Auditor wants verification of integration
Since this information isn't in the web interface, how do I query the IPA LDAP server to prove that IPA is talking to our AD server in order to get identity and authorization information? Yes, we know we've established a trust for our Linux subdomain. But there's nothing that I can find that says it's our AD server.
[Freeipa-users] FreeIPA Clients and Firewall rules
Does all communication used for the FreeIPA client go between the FreeIPA client and the FreeIPA server? Or if we're using FreeIPA / AD trusts, does some communication go to the AD server?

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] freeIPA client sudo / sssd setup
I know I'm missing something simple. But I just can't get this IPA client to accept any sudo rules.

    -sh-4.1$ sudo -l
    [sudo] password for test...@domain.com:
    User test...@domain.com is not allowed to run sudo on cypress.

    -sh-4.1$ id
    uid=11659(test...@domain.com) gid=11659(test...@domain.com) groups=11659(testadm@domain.com),16047(ad_klasadm) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

    -sh-4.1$ kinit admin
    Password for ad...@hosted.domain.com:

    -sh-4.1$ ipa sudorule-show operations
      Rule name: operations
      Description: KLAS / System Admins
      Enabled: TRUE
      Command category: all
      Users: localadm
      User Groups: ad_operations, ad_operations_external, ad_klasadm, ad_klasadm_external

/var/log/sssd/sssd_sudo.log:

    (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [testadm] from [DOMAIN.COM]
    (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [test...@domain.com]
    (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [test...@domain.com]
    (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [test...@domain.com] from [DOMAIN.COM]
    (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
    (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=test...@domain.com)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*))(&(dataExpireTimestamp=1396984126)))]
    (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
    (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=test...@domain.com)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*)))]
    (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [test...@domain.com]
    (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

    [root@cypress etc]# cat nsswitch.conf
    #
    # /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Valid entries include:
    #
    #       nisplus                 Use NIS+ (NIS version 3)
    #       nis                     Use NIS (NIS version 2), also called YP
    #       dns                     Use DNS (Domain Name Service)
    #       files                   Use the local files
    #       db                      Use the local database (.db) files
    #       compat                  Use NIS on compat mode
    #       hesiod                  Use Hesiod for user lookups
    #       [NOTFOUND=return]       Stop searching if not found so far
    #
    # To use db, put the db in front of files for entries you want to be
    # looked up first in the databases
    #
    # Example:
    #passwd:    db files nisplus nis
    #shadow:    db files nisplus nis
    #group:     db files nisplus nis

    passwd:     files sss
    shadow:     files sss
    group:      files sss

    sudoers:    files sss

    #hosts:     db files nisplus nis dns
    hosts:      files dns

    # Example - obey only what nisplus tells us...
    #services:   nisplus [NOTFOUND=return] files
    #networks:   nisplus [NOTFOUND=return] files
    #protocols:  nisplus [NOTFOUND=return] files
    #rpc:        nisplus [NOTFOUND=return] files
    #ethers:     nisplus [NOTFOUND=return] files
    #netmasks:   nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files sss

    netgroup:   files sss

    publickey:  nisplus

    automount:  files
    aliases:    files nisplus

    [root@cypress etc]# cd sssd
    [root@cypress sssd]# ls
    sssd.conf  sssd.conf.deleted  sssd.conf.sv
    [root@cypress sssd]# cat sssd.conf
    [domain/hosted.domain.com]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = hosted.domain.com
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = cypress.hosted.domain.com
    chpass_provider = ipa
    ipa_dyndns_update = True
    ipa_server = _srv_, ipa.hosted.domain.com
    ldap_tls_cacert = /etc/ipa/ca.crt
    debug_level=6
    #
    # sudo integration
    #
    sudo_provider = ldap
    ldap_uri = ldap://ipa.hosted.domain.com
    ldap_sudo_search_base = ou=sudoers,dc=hosted,dc=domain,dc=com
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/cypress.hosted.domain.com
    ldap_sasl_realm = HOSTED.DOMAIN.COM
    krb5_server = ipa.hosted.domain.com

    [sssd]
    services = nss, pam, ssh, pac, sudo
    config_file_version = 2
    domains = hosted.domain.com
    debug_level=6

    [nss]

    [pam]

    [sudo]
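The sssd_sudo.log lines above are the most useful evidence in this post: the "Searching sysdb with" filter spells out exactly which identity terms (user name, #uid, %group, netgroups) the sudo responder is willing to match against cached rules. The Python below is an added illustration written for this thread, not SSSD's or FreeIPA's code: it pulls those terms back out of a log line, reconstructs the identity they encode, and reports which entries in a sample rule cache would match under sudoers user-spec semantics. The log line is adapted from the one above (with the archive's anonymised name expanded as in the id output); the cached rules are constructed for the example.

```python
"""Read the sudo responder's cache query from sssd_sudo.log and check which
cached rules would match the identity it encodes.  Added illustration for
this thread; it mirrors the filter shape seen in the log but is not SSSD's
code.  The rule cache below is constructed."""
import re
from typing import Dict, Iterable, List, Optional

# Adapted from the thread's sssd_sudo.log line (constructed sample input).
LOG_LINE = (
    "(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] "
    "(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)"
    "(name=defaults)(sudoUser=testadm@domain.com)(sudoUser=#11659)"
    "(sudoUser=%ad_klasadm)(sudoUser=+*)))]"
)

# Constructed cache contents: rule name -> sudoUser values, in the form the
# compat tree presents them (an IPA user group becomes %group).
SAMPLE_CACHE: Dict[str, List[str]] = {
    "defaults": [],   # fetched via (name=defaults); carries options, not commands
    "operations": ["localadm", "%ad_operations", "%ad_operations_external",
                   "%ad_klasadm", "%ad_klasadm_external"],
    "dbadmins": ["%dba", "+dba_hosts"],
}


def sudo_terms_from_log(line: str) -> Optional[List[str]]:
    """Extract the sudoUser values the responder ORed into its cache filter."""
    m = re.search(r"Searching sysdb with \[(.*)\]", line)
    if m is None:
        return None
    return re.findall(r"\(sudoUser=([^)]*)\)", m.group(1))


def identity_from_terms(terms: Iterable[str]) -> dict:
    """Recover name, uid and the groups SSSD resolved from the filter terms.
    ALL and +* are not identity: they pull in every 'ALL' rule and every
    netgroup rule so that membership can be decided afterwards."""
    ident = {"name": None, "uid": None, "groups": []}
    for t in terms:
        if t == "ALL" or t.startswith("+"):
            continue
        if t.startswith("#"):
            ident["uid"] = int(t[1:])
        elif t.startswith("%"):
            ident["groups"].append(t[1:])
        else:
            ident["name"] = t
    return ident


def spec_matches(spec: str, ident: dict, netgroups: Iterable[str] = ()) -> bool:
    """sudoers user-spec semantics: ALL, user name, #uid, %group, +netgroup."""
    if spec == "ALL":
        return True
    if spec.startswith("#"):
        return spec[1:].isdigit() and int(spec[1:]) == ident["uid"]
    if spec.startswith("%"):
        return spec[1:] in ident["groups"]
    if spec.startswith("+"):
        return spec[1:] in set(netgroups)
    return spec == ident["name"]


def matching_rules(cache: Dict[str, List[str]], ident: dict,
                   netgroups: Iterable[str] = ()) -> List[str]:
    """Names of cached rules (other than defaults) whose sudoUser matches."""
    return [name for name, specs in cache.items()
            if name != "defaults"
            and any(spec_matches(s, ident, netgroups) for s in specs)]


def rules_for_log_line(line: str, cache: Dict[str, List[str]] = SAMPLE_CACHE,
                       netgroups: Iterable[str] = ()) -> Optional[List[str]]:
    """End-to-end: log line -> identity terms -> matching cached rules."""
    terms = sudo_terms_from_log(line)
    if terms is None:
        return None
    return matching_rules(cache, identity_from_terms(terms), netgroups)


if __name__ == "__main__":
    print(sudo_terms_from_log(LOG_LINE))
    print(rules_for_log_line(LOG_LINE))
```

Two things the output makes concrete: a %group term only appears in the filter for groups SSSD could resolve to a name, so the "No such entry" lines next to the filter are worth reading together with it, and a rule that is not in the cache at all (the second search above returns a single rule) can never match no matter how good the identity terms are.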
[Freeipa-users] Recommend version of Samba for a CentOS 6.5 IPA client?
Before I go installing Samba for file sharing, I wanted to make sure I was installing the correct version of Samba without conflicting with the Linux server being an IPA client.

Currently installed sambaX packages:

    samba-client.x86_64            3.6.9-167.el6_5     @updates
    samba-common.x86_64            3.6.9-167.el6_5     @updates
    samba-winbind.x86_64           3.6.9-167.el6_5     @updates
    samba-winbind-clients.x86_64   3.6.9-167.el6_5     @updates
    samba4-libs.x86_64             4.0.0-60.el6_5.rc4  @updates

So do I uninstall samba 3.6.9 and install the appropriate samba4 packages, or just yum install samba?
[Freeipa-users] Fwd: More SSO Strangeness
-- Forwarded message --
From: Mark Gardner malek...@gmail.com
Date: Thu, Feb 6, 2014 at 12:29 PM
Subject: Re: [Freeipa-users] More SSO Strangeness
To: Sumit Bose sb...@redhat.com

Bingo! I checked my AD user login name, which was mark@TEST.LOCAL, but the pre-Win2000 name was TEST\Mark. Changed to TEST\mark, logged out of WinClient, then back in and into the IPA client with successful SSO. Thanks!!!

On Thu, Feb 6, 2014 at 12:20 PM, Sumit Bose sb...@redhat.com wrote:
> On Thu, Feb 06, 2014 at 12:04:24PM -0500, Mark Gardner wrote:
> > Using username mark@test.local.
> > Unauthorized access is prohibited.
> > mark@test.lo...@ipaclient.hosted.test.local's password:
> > Last login: Thu Feb 6 12:00:50 2014 from server2012.test.local
> > Authorized uses only. All activity may be monitored and reported.
> > -sh-4.1$ klist
> > Ticket cache: FILE:/tmp/krb5cc_1063801109_S3Ew2U
> > Default principal: mark@TEST.LOCAL
> >
> > Valid starting     Expires            Service principal
> > 02/06/14 12:03:18  02/06/14 22:02:37  krbtgt/TEST.LOCAL@TEST.LOCAL
> >         renew until 02/07/14 12:03:18
>
> sorry, I meant the credentials on the Windows client where you call putty.
>
> bye,
> Sumit
>
> > On Thu, Feb 6, 2014 at 11:47 AM, Sumit Bose sb...@redhat.com wrote:
> > > On Thu, Feb 06, 2014 at 10:56:31AM -0500, Mark Gardner wrote:
> > > > getent passwd mark@test.local worked
> > > >
> > > > Here's the ssh info from /var/log/secure
> > > > ...
> > > > Feb 6 10:50:03 ipaclient sshd[1623]: debug3: mm_request_receive entering
> > > > Feb 6 10:50:03 ipaclient sshd[1622]: debug3: monitor_read: checking request 42
> > > > Feb 6 10:50:03 ipaclient sshd[1622]: debug3: mm_answer_gss_userok: sending result 0
> > > > Feb 6 10:50:03 ipaclient sshd[1622]: debug3: mm_request_send entering: type 43
> > > > Feb 6 10:50:03 ipaclient sshd[1623]: debug3: mm_ssh_gssapi_userok: user not authenticated
> > > > Feb 6 10:50:03 ipaclient sshd[1623]: debug3: Wrote 96 bytes for a total of 2869
> > > > Feb 6 10:50:03 ipaclient sshd[1622]: Failed gssapi-with-mic for mark@test.local from 192.168.100.145 port 60426 ssh2
> > > > Feb 6 10:50:03 ipaclient sshd[1622]: debug3: mm_request_receive entering
> > > > Feb 6 10:50:08 ipaclient sshd[1623]: debug1: userauth-request for user mark@test.local service ssh-connection method password
> > >
> > > are you sure that you are using the right credentials? According to the log you are using putty. Have you logged in as 'mark' on the Windows client? Please call klist in a command window and check that your Kerberos principal is 'mark@TEST.LOCAL'
> > >
> > > bye,
> > > Sumit
Re: [Freeipa-users] CentOS IPA Client using Fedora IPA Server - SSO Fails from AD Trust domain
Thanks, that was what I missed.

On Wed, Feb 5, 2014 at 2:39 AM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Tue, 04 Feb 2014, Mark Gardner wrote:
> > I'm trying to configure our CentOS IPA client for Single Sign On from our trusted AD domain. SSO works fine when I ssh to the IPA server, but not to the CentOS client. It prompts for a password, which it accepts, so it's getting the authentication from the AD domain.
> >
> > Fedora 20 IPA Server
> > CentOS 6.5 IPA Client
> > Win 2012 AD Domain Server
> >
> > Set up IPA as a subdomain of AD.
> > AD Domain: test.local
> > IPA Domain: hosted.test.local
> >
> > Anybody run into this? Suggestions?
>
> Each client needs to be configured to accept AD users' SSO. Check that /etc/krb5.conf contains auth_to_local rules mapping principals from AD to their names as returned by SSSD. SSH daemon is picky about principal/name mapping.
>
> --
> / Alexander Bokovoy
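Alexander's pointer can be checked offline before touching a client. The Python below is an added example written for this thread (not code from the thread, FreeIPA or SSSD): it evaluates krb5.conf auth_to_local RULE and DEFAULT entries following the syntax MIT krb5 documents, and reports whether an AD principal such as mark@TEST.LOCAL maps to the user name SSSD returns (mark@test.local in this thread). Assumptions, stated in the code as well: the selector regexp must match the whole formatted string, Python's re stands in for POSIX ERE and sed-style substitution, and the realm names and the sample rule (of the form FreeIPA's trust documentation uses) are constructed from the domains in the thread rather than copied from a real configuration.

```python
"""Evaluate krb5.conf auth_to_local rules the way an IPA client's sshd (via
libkrb5) would, to check that an AD principal maps to the name SSSD returns.
Added example modelled on the RULE/DEFAULT syntax MIT krb5 documents:
  RULE:[n:string](regexp)s/pattern/replacement/g
  DEFAULT
Assumed simplifications: the (regexp) selector must match the whole
formatted string, and Python's re stands in for POSIX ERE / sed."""
import re
from typing import List, Optional, Tuple

# Constructed sample: IPA realm HOSTED.TEST.LOCAL trusting AD realm TEST.LOCAL,
# with a rule of the form FreeIPA's trust documentation shows (assumption).
DEFAULT_REALM = "HOSTED.TEST.LOCAL"
SAMPLE_RULES = [
    r"RULE:[1:$1@$0](^.*@TEST\.LOCAL$)s/@TEST\.LOCAL/@test.local/",
    "DEFAULT",
]


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into ([comp1, comp2], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def _parse_rule(rule: str):
    """Split 'RULE:[n:fmt](regexp)s/a/b/g...' into (n, fmt, regexp, subs)."""
    head = re.match(r"RULE:\[(\d+):([^\]]*)\]", rule)
    if not head:
        raise ValueError("malformed rule: %r" % rule)
    ncomp, fmt = int(head.group(1)), head.group(2)
    rest = rule[head.end():]
    selector = None
    if rest.startswith("("):            # optional (regexp) selector
        depth, i = 0, 0
        while i < len(rest):
            c = rest[i]
            if c == "\\":               # skip escaped characters
                i += 2
                continue
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        selector, rest = rest[1:i], rest[i + 1:]
    subs = []                           # zero or more s/pattern/repl/[g]
    while rest.startswith("s") and len(rest) > 1:
        delim, fields, cur, i = rest[1], [], [], 2
        while i < len(rest) and len(fields) < 2:
            c = rest[i]
            if c == "\\" and i + 1 < len(rest):
                cur.append(rest[i:i + 2])   # keep escapes for the regex
                i += 2
                continue
            if c == delim:
                fields.append("".join(cur))
                cur = []
            else:
                cur.append(c)
            i += 1
        if len(fields) != 2:
            raise ValueError("malformed substitution in %r" % rule)
        is_global = rest[i:i + 1] == "g"
        rest = rest[i + 1:] if is_global else rest[i:]
        subs.append((fields[0], fields[1], is_global))
    return ncomp, fmt, selector, subs


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Local name this rule yields for the principal, or None if it does not apply."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # MIT: only a one-component principal in the default realm maps.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    ncomp, fmt, selector, subs = _parse_rule(rule)
    if len(comps) != ncomp:
        return None

    def expand(m):                      # $0 is the realm, $1..$n the components
        idx = int(m.group(1))
        if idx == 0:
            return realm
        if 1 <= idx <= len(comps):
            return comps[idx - 1]
        raise ValueError("rule refers to missing component $%d" % idx)

    text = re.sub(r"\$(\d+)", expand, fmt)
    if selector is not None and re.fullmatch(selector, text) is None:
        return None
    for pattern, repl, is_global in subs:
        text = re.sub(pattern, repl, text, count=0 if is_global else 1)
    return text


def auth_to_local(principal: str, rules: List[str],
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """First rule that applies wins; None means libkrb5 would fail the mapping."""
    for rule in rules:
        name = apply_rule(rule, principal, default_realm)
        if name is not None:
            return name
    return None


def sso_mapping_ok(principal: str, sssd_name: str, rules: List[str] = SAMPLE_RULES,
                   default_realm: str = DEFAULT_REALM) -> bool:
    """sshd accepts a GSSAPI login only when the mapped name equals the login user."""
    return auth_to_local(principal, rules, default_realm) == sssd_name
```

With the sample rule list, mark@TEST.LOCAL maps to mark@test.local and the check passes; with DEFAULT alone it maps to nothing, which is the symptom in this thread: gssapi-with-mic fails and sshd falls back to asking for a password. Newer SSSD releases can do this mapping through a krb5 localauth plugin instead of hand-written rules, but the check above is the same in either case: the mapped name must equal the user name SSSD returns.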
[Freeipa-users] More SSO Strangeness
Okay, spent some time on this one... Some users can log in with SSO no problem, others have to put in their password. Strange as it seems, if the length of the username was greater than 4, the SSO worked. So markg@test.local works, but mark@test.local doesn't. My guess is something to do with the NetBIOS name length?

Fedora 20 IPA Server
CentOS 6.5 IPA Client
Win 2012 AD Domain Server

Set up IPA as a subdomain of AD.
AD Domain: test.local
IPA Domain: hosted.test.local
[Freeipa-users] CentOS IPA Client using Fedora IPA Server - SSO Fails from AD Trust domain
I'm trying to configure our CentOS IPA client for Single Sign On from our trusted AD domain. SSO works fine when I ssh to the IPA server, but not to the CentOS client. It prompts for a password, which it accepts, so it's getting the authentication from the AD domain.

Fedora 20 IPA Server
CentOS 6.5 IPA Client
Win 2012 AD Domain Server

Set up IPA as a subdomain of AD.
AD Domain: test.local
IPA Domain: hosted.test.local

Anybody run into this? Suggestions?