Re: [Freeipa-users] Keycloak + FreeIPA New password expiry

2017-01-25 Thread Brian Candler
On 25/01/2017 13:48, Georgijs Radovs wrote: Is it possible to configure FreeIPA server so it does not mark new passwords, set by Keycloak's LDAP bind user, expired? Yes, you need to configure the privileged LDAP bind user in passSyncManagersDNs: dn: cn=ipa_pwd_extop,cn=plugins,cn=config

Re: [Freeipa-users] Not able to replicate user keys across master and client

2017-01-15 Thread Brian Candler
On 12/01/2017 10:59, hirofumi.morik...@accenture.com wrote: Let me further clarify the question that is asked by Niraj below. Currently, we have 1 master FreeIPA server and 1 client server. Evaluating your product for production deployment Master and client connectivity is established and

Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-15 Thread Brian Candler
On 14/01/2017 20:01, Raul Dias wrote: I am migrating a network to FreeIPA. LDAP, NFS, no Active Directory. A Windows Server 2008 R2, cannot use FreeIPAs bind to resolve DNS query. This server works fine with my old bind server, google's dns server (8.8.8.8), but not FreeIPA's. Using

Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-16 Thread Brian Candler
On 16/01/2017 00:52, Raul Dias wrote: The packets are getting back That has being stablished already. With Wireshark at the 2008R2 end? I am looking for possible reasons it would disregard the answer, but accept when using a non-freeipa bind9 one. Look at wireshark detail on both sets of

Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-16 Thread Brian Candler
On 16/01/2017 16:37, Raul Dias wrote: Did some testing. From the windows server, did a port scanner on the IPA server (tcp + udp), no blocking between. (tested open). The IPA has DNSSEC on, but that is for the zones only, right? There is no indication of DNSSEC in the datagrams. You can

Re: [Freeipa-users] FreeIPA domains and sub-domains

2016-10-27 Thread Brian Candler
On 27/10/2016 09:30, Alexander Bokovoy wrote: Yes, you can do that, there is no issue at all. Thank you for confirming that. To the OP: in that case, I'd still recommend that you choose a distinct kerberos realm like IPA.YOURCOMPANY.COM, with associated primary domain "ipa.yourcompany.com",

Re: [Freeipa-users] FreeIPA domains and sub-domains

2016-10-27 Thread Brian Candler
On 26/10/2016 21:03, Ranbir wrote: If I have two networks, say A and B, and I want both to use the same FreeIPA server, should I have one Freeipa domain for network A and a sub-domain for network B, (domain.local and b.domain.local), or should I create two top level domains (a.local and

Re: [Freeipa-users] FreeIPA domains and sub-domains

2016-10-30 Thread Brian Candler
On 27/10/2016 10:07, Brian Candler wrote: To the OP: in that case, I'd still recommend that you choose a distinct kerberos realm like IPA.YOURCOMPANY.COM, with associated primary domain "ipa.yourcompany.com", and let FreeIPA manage that domain so that it sets up all the right S

Re: [Freeipa-users] system to pick up pa user-mod --uid change - how long?

2016-11-08 Thread Brian Candler
On 08/11/2016 13:57, lejeczek wrote: I've changed an uid of a.user but system: $ id a.user - still shows old id. When is the system supposed to notice that change? You might want to force the cache to expire early. Try: sss_cache -U or sss_cache -u (I'm afraid I don't know what

[Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler
Sorry if this is a frequently asked question, but it's not easy to find a simple answer. * Can I use FreeIPA (v4) as a domain controller for Windows machines to join? * If not, what's the recommended free/open solution? Would it be to set up a Samba4 domain controller, and then set up

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-18 Thread Brian Candler
On 17/10/2016 15:52, Alexander Bokovoy wrote: If you set ID range for corresponding AD domain in IPA to be 'ipa-ad-trust-posix' and make sure all users that need to logon to IPA have POSIX attributes, then it should work. I think most of this is described in the Windows Integration Guide for

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
On 25/10/2016 10:50, Prasun Gera wrote: When is principal expiration triggered ? I haven't set it explicitly for any user, and ipa user-show doesn't show that attribute either. I'm not very familiar with kerberos. It doesn't show it unless it has been set. You can set it like this: # ipa

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
On 25/10/2016 08:29, David Kupka wrote: If I understood Brian correctly he was asking about expiration of NTLM password hashes. Partly. As long as the hash remains in the database and is readable via LDAP, I know it will continue to work for authentication. However I was also asking

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
On 25/10/2016 00:02, Prasun Gera wrote: I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
Looking in MIT krb5 source: $ grep -R ERR_NAME_EXP . ./src/include/k5-int.h:#define KDC_ERR_NAME_EXP1 /* Client's entry in DB expired */ ./src/kdc/kdc_util.c:return(KDC_ERR_NAME_EXP); ./src/lib/krb5/error_tables/krb5_err.et:error_code KRB5KDC_ERR_NAME_EXP,

[Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-21 Thread Brian Candler
Question: when a password expires, does it remain in a usable state in the database indefinitely? For example, if someone comes along a year after their password has expired, can they still login once with that password? This is actually what I want, but I just want to confirm there's not

Re: [Freeipa-users] Disabling Anonymous Binds (LDAP)

2016-11-17 Thread Brian Candler
On 16/11/2016 16:46, dan.finkelst...@high5games.com wrote: I've seen some discussion in the (distant) past about disabling anonymous binds to the LDAP component of IPA, and I'm wondering if there's a preferred method to do it. Further, are there any known problems with disabling anonymous

[Freeipa-users] LDAP bind permitted for expired passwords

2016-11-18 Thread Brian Candler
Looking at FreeIPA 4.2 under CentOS 7: I find that LDAP simple binds succeed even for DNs whose krbPasswordExpiration time has passed. Is this fixed, or is it possible to change this? The reason I ask is because some applications use LDAP bind as a password validation oracle: for example, if

Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica

2016-11-04 Thread Brian Candler
On 04/11/2016 12:20, Petr Vobornik wrote: You can check with what options authconfig was called by: # cat /var/log/ipaclient-install.log | grep authconfig if --enablemkhomedir is not there then it is possible that something else enabled it. It's not there: $ sudo cat

[Freeipa-users] mkhomedir difference between ipa master and ipa replica

2016-11-04 Thread Brian Candler
? Thanks, Brian Candler. --- fingerprint-auth-ac2016-11-04 11:23:08.0 + +++ fingerprint-auth-ac.replica2016-11-04 11:23:19.0 + @@ -16,7 +16,6 @@ session optional pam_keyinit.so revoke session required pam_limits.so -session optional

Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica

2016-11-04 Thread Brian Candler
On 04/11/2016 11:32, Brian Candler wrote: I notice that both ipa-server-install and ipa-replica-install have the following option: --mkhomedir create home directories for users on their first login but I did not supply this option in either case. I believe the actual options

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler
On 17/10/2016 15:06, Alexander Bokovoy wrote: Would there be any benefit the other way round - creating identities in S4 and using them to login to FreeIPA-joined *nix boxes? I guess the problem then is where posix attributes like uid and gid come from. This works for Samba AD > 4.4. The code

Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Brian Candler
On 17/10/2016 14:56, freeipa-users-requ...@redhat.com wrote: But now I have to create for this user a ACI to read the uid, passwd,mail,mailAlternateAddress... mailAlternateAddress is in "objectClass mailrecipient" I mean I must have a ACI like access to attribute= Have any a hint

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler
On 17/10/2016 11:14, Alexander Bokovoy wrote: We are not yet at the point you could use IPA-hosted identities to login to Windows machines joined to AD, though, regardless which AD implementation it is. That's very helpful, thank you. So basically it means that for the time being, our admins

[Freeipa-users] Removing DNS component

2016-12-08 Thread Brian Candler
FreeIPA (4.2.0) was installed with the DNS component enabled, but I want to pull this out. Is it possible to remove it and clean up the records which were already there? e.g. is it sufficient just to delete everything under cn=dns,dc=example,dc=com ? I notice there are bunch of permissions

Re: [Freeipa-users] Removing DNS component

2016-12-08 Thread Brian Candler
On 08/12/2016 17:05, Martin Basti wrote: I suggest to keep DNS tree there and all permissions, just remove all zones using IPA API and disable DNS service and dnssyncd service in LDAP, because removing DNS completely is unsupported and untested dn:

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-09 Thread Brian Candler
On 08/12/2016 08:50, Pieter Nagel wrote: Concrete scenario, I wonder if this will work: A greenfields deployment, no other kerberos, no Active Directory. Internal DNS to be int.lautus.net and FreeIPA manages that DNS domain and adds internal hosts to it as they

Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade

2016-12-14 Thread Brian Candler
On 12/12/2016 19:53, Rob Verduijn wrote: I've recently upgraded to centos 7.3. Didn't intend to so soon but should have checked the anounce lists before launching my ansible update playbook. Most of my servers came through, and mostly also the ipa server. There were duplicate rpms and a

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-15 Thread Brian Candler
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka > wrote: yes you can do it. DNS domain and Kerberos realm are two different things. It's common and AFAIK recommended to capitalize DNS domain to get the realm but it's not required. If

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Brian Candler
On 16/12/2016 08:21, Alexander Bokovoy wrote: So you can have IPA masters with FQDNs in totally different DNS domains than dictated by their Kerberos realm and --domain options. That I understand - not only can the IPA masters have FQDNs in different DNS domains, but indeed the member

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread Brian Candler
On 07/12/2016 08:58, freeIPA users list wrote: On ke, 07 joulu 2016, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: I know the Quick Start Guide and Deployment Recommendations cover this in depth, but there are still some ambiguities. I'm

Re: [Freeipa-users] 2FA and AllowNTHash

2017-01-03 Thread Brian Candler
On 03/01/2017 15:28, Maciej Drobniuch wrote: We have a topo with 3x IPA servers + freeradius. Freeradius is being used to do mschap with wifi APs. Freeradius connects over ldap to IPA. In order to do the challange-response thing, freeipa has AllowNTHash enabled. So I wanted to enable

Re: [Freeipa-users] 2FA and AllowNTHash

2017-01-05 Thread Brian Candler
On 05/01/2017 10:57, Maciej Drobniuch wrote: Maybe I'll paraphrase the question. It would suffice if I could tell IPA to use pass+otp only instead of both (Password+ pass+otp) for particular hosts. So for example users from hosts X can login with OTP only. Sorry, I don't understand that.

Re: [Freeipa-users] DNS wildcards record for domain

2016-12-31 Thread Brian Candler
On 31/12/2016 03:08, Outback Dingo wrote: a bit at a loss here, whats the proper way to add a DNS wildcard for a domain name to resolve to www.acmewidgets.com if someone type just the domain acmewigets.com in a browser ? That's not a wildcard. What you're asking for is two normal records:

Re: [Freeipa-users] modify schema - add group email and display attribute

2017-01-02 Thread Brian Candler
On 02/01/2017 11:53, Sandor Juhasz wrote: I would be really happy if anybody could assign an OID for the new objectcalss You can get your own enterprise OID for free from here: http://pen.iana.org/pen/PenApplication.page Note that you only get one, so it's up to you to subdivide the space.

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-23 Thread Brian Candler
On 22/12/2016 20:53, Martin Basti wrote: (1) This introduces a concept of an "IPA Primary Domain". Is that just the DNS domain which holds the SRV records which point to the realm's kerberos/ldap servers, or does it have any other function? In other words, what other effects would there be

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-23 Thread Brian Candler
On 23/12/2016 09:47, Brian Candler wrote: /etc/pki/pki-tomcat/ca/CS.cfg:ca.defaultOcspUri=http://ipa-ca.bar.example.com/ca/ocsp However the installation process didn't actually create this DNS entry, so the ipa-ca hostname is not resolvable. Aside: I think this was because

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-23 Thread Brian Candler
On 23/12/2016 10:31, Alexander Bokovoy wrote: ipa-ca used to be a CNAME, you cannot handle CNAME via /etc/hosts. However, multiple replicas cannot me specified via CNAME, so we had to fix https://fedorahosted.org/freeipa/ticket/3547. Absolutely - I have no problem with ipa-ca being real A

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-22 Thread Brian Candler
On 20/12/2016 08:07, Petr Spacek wrote: I've tried to clarify things in man pages and on web as well. Please have a look to changes and let us know if it is better or not, and preferably what can be improved and in which way The modified deployment page is here:

[Freeipa-users] NTLM SASL?

2016-12-22 Thread Brian Candler
Question: does FreeIPA (or specifically the 389 directory server) implement the NTLM SASL mechanism? It appears not at first attempt: # yum install cyrus-sasl-ntlm # ldapsearch -Y NTLM SASL/NTLM authentication started ldap_sasl_interactive_bind_s: Authentication method not supported (7)

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Brian Candler
On 16/12/2016 10:19, Alexander Bokovoy wrote: I want to allow users in the AD.EXAMPLE.COM realm to login to machines in the IPA.EXAMPLE.COM realm. Will this still work when the machines are in different DNS domains? Yes, it will. Here is the catch: you need to make sure these different DNS

Re: [Freeipa-users] NTLM SASL?

2016-12-22 Thread Brian Candler
On 22/12/2016 12:48, Simo Sorce wrote: Sorry Brian but we do not support SASL NTLM or SASL SPNEGO/NTLM at this time, to do that you not only need the mechanism but also a way for that mechanism to either contact a NT-like Domain Controller or have direct access to the NT password hashes for any

Re: [Freeipa-users] NTLM SASL?

2016-12-22 Thread Brian Candler
On 22/12/2016 14:08, Alexander Bokovoy wrote: dn: cn=config changetype: modify replace: nsslapd-allowed-sasl-mechanisms - # accepted, but doesn't change the value of the attribute So for now, I've set "nsslapd-allowed-sasl-mechanisms: GSSAPI EXTERNAL". But that means this server is in a

Re: [Freeipa-users] NTLM SASL?

2016-12-22 Thread Brian Candler
On 22/12/2016 11:42, Brian Candler wrote: Now, under cn=config, I see: nsslapd-allowed-sasl-mechanisms: (i.e. empty). I tried changing this to "NTLM" and it accepted the change. Aside: I'm also stuck changing it back to what it was :-( None of these works: dn: cn=config

[Freeipa-users] Disabling OTP for sudo

2017-03-07 Thread Brian Candler
Question: can I remove the need for OTP for sudo access, when used with an account that has OTP enabled? All I could find was this mail from mid-2015: https://www.redhat.com/archives/freeipa-users/2015-July/msg00336.html It said that sssd would need some changes. I don't know how sssd itself

Re: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"

2017-05-03 Thread Brian Candler
It turns out we had another 16.04 machine which was working fine. But as soon as I updated its sudo from 1.8.16-0ubuntu1.2 to 1.8.16-0ubuntu1.3, it stopped working too. So it looks like I have a reproducing case for this and I can investigate further - I suspect it's a behaviour change from

[Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"

2017-05-03 Thread Brian Candler
nd "sss_cache -UG" shows a lot of noise but no obvious errors. I've also upgraded to the latest sudo_1.8.19-3_amd64.deb package from https://www.sudo.ws/download.html, but this makes no difference. Has anyone seen this problem before, or have some ideas where else to look? Thanks, Br

Re: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"

2017-05-03 Thread Brian Candler
> do you have 'sudo: files sss" or "sudoers: files sss"? The former doesn't do anything, the latter is correct. My mistake, I meant sudoers: files sss But oddly, out of the three 16.04 boxes I set up and enrolled, it was missing on one of them - and this happened to be the one I was checking

Re: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"

2017-05-05 Thread Brian Candler
On 03/05/2017 15:05, Brian Candler wrote: It turns out we had another 16.04 machine which was working fine. But as soon as I updated its sudo from 1.8.16-0ubuntu1.2 to 1.8.16-0ubuntu1.3, it stopped working too. So it looks like I have a reproducing case for this and I can investigate further