Re: [Freeipa-users] FreeIPA 4.3.0 Kerberos client referrals not working?
On Wed, Feb 17, 2016 at 09:13:00AM +0100, Sumit Bose wrote:
> On Tue, Feb 16, 2016 at 10:23:30PM +, Nathan Peters wrote:
> > I have created a trust between my FreeIPA domain and an Active Directory
> > domain. I can get a Kerberos ticket properly from the other domain at the
> > command line on the IPA server.
> > I have also created sudo and HBAC rules to allow my AD users to log on to
> > the IPA domain controller using the recommended nested external group setup.
> > However, I cannot actually log in to the machines.
> >
> > I should note that our AD domain is office.mydomain.net, but we use
> > alternative UPN suffixes so the usernames are u...@mydomain.net.
> >
> > I read the patch notes and apparently support for client referrals that
> > will allow alternate UPN suffixes in trusted domains was added in FreeIPA
> > 4.2.1.
>
> While client referrals with the realm derived from the domain name
> already work the UPN support is currently WIP
> (https://fedorahosted.org/freeipa/ticket/5354).

Several users have reported that a workaround of:

    subdomain_inherit = ldap_user_principal
    ldap_user_principal = phonyattr

solves their issue, but it's just a workaround, not a real solution.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
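Where the two workaround lines quoted above actually go in sssd.conf, as an added example that is not part of this thread and not SSSD or FreeIPA project documentation. The IPA domain name ipa.mydomain.net, the section's other settings and the server hostname are assumptions for illustration; the thread only names the AD domain office.mydomain.net and the host dc1-ipa-dev-nvan. The point the thread leaves implicit: there is no [domain/office.mydomain.net] section on an IPA client, because trusted AD domains are subdomains of the IPA domain, so the override has to be set in the IPA domain section and pushed down with subdomain_inherit. Naming an attribute that does not exist means SSSD cannot read the AD userPrincipalName (which carries the alternate @mydomain.net suffix) and derives the Kerberos principal from the user name and the AD realm instead, which the existing trust already handles.

```ini
# /etc/sssd/sssd.conf (excerpt). Added example, not from the thread.
# Section name, hostnames and the provider settings below are assumed.
[domain/ipa.mydomain.net]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = ipa.mydomain.net
ipa_server = _srv_, dc1-ipa-dev-nvan.ipa.mydomain.net
ipa_hostname = dc1-ipa-dev-nvan.ipa.mydomain.net
ldap_tls_cacert = /etc/ipa/ca.crt
cache_credentials = True

# Workaround reported in the thread for alternate UPN suffixes in a trusted
# AD domain (tracked as https://fedorahosted.org/freeipa/ticket/5354):
# subdomain_inherit pushes the ldap_user_principal setting down to the
# trusted subdomain (office.mydomain.net); "phonyattr" is deliberately an
# attribute that does not exist, so SSSD ignores userPrincipalName and
# builds the principal as user@OFFICE.MYDOMAIN.NET.
subdomain_inherit = ldap_user_principal
ldap_user_principal = phonyattr
```

After editing, keep the file root-owned with mode 0600 (sssd refuses to start otherwise), restart sssd, and flush the cached user entries with sss_cache -E so a previously cached principal is not reused. As the reply says, this only sidesteps UPN resolution; it is not the fix the ticket tracks, and users still authenticate with the AD realm principal rather than the alternate suffix.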
Re: [Freeipa-users] FreeIPA 4.3.0 Kerberos client referrals not working?
On Tue, Feb 16, 2016 at 10:23:30PM +, Nathan Peters wrote:
> I have created a trust between my FreeIPA domain and an Active Directory
> domain. I can get a Kerberos ticket properly from the other domain at the
> command line on the IPA server.
> I have also created sudo and HBAC rules to allow my AD users to log on to the
> IPA domain controller using the recommended nested external group setup.
> However, I cannot actually log in to the machines.
>
> I should note that our AD domain is office.mydomain.net, but we use
> alternative UPN suffixes so the usernames are u...@mydomain.net.
>
> I read the patch notes and apparently support for client referrals that will
> allow alternate UPN suffixes in trusted domains was added in FreeIPA 4.2.1.

While client referrals with the realm derived from the domain name
already work the UPN support is currently WIP
(https://fedorahosted.org/freeipa/ticket/5354).

HTH

bye,
Sumit

>
> Is there anything special I need to do to configure it beyond the creation of
> the original trust? Do I need to set special options in krb5.conf or
> sssd.conf to get it to work?
>
> ===Kinit works===
> [root@dc1-ipa-dev-nvan log]# kinit nathan.pet...@office.mydomain.net
> Password for nathan.pet...@office.mydomain.net:
> [root@dc1-ipa-dev-nvan log]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_V7hjacL
> Default principal: nathan.pet...@office.mydomain.net
>
> Valid starting       Expires              Service principal
> 16/02/16 14:05:33    17/02/16 14:05:30    krbtgt/office.mydomain@office.mydomain.net
>
> ===/var/log/messages during login failure===
> Feb 16 14:10:14 dc1-ipa-dev-nvan audit: CRYPTO_SESSION pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha2-256 pfs=diffie-hellman-group14-sha1 spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:20 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=gssapi acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
> Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'
> Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83 direction=? spid=2020 suid=74 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:f2:5c:54:6f:2a:0e:38:19:8c:e4:94:ef:53:2e:9b:ce:07:7f:bb:af:e0:65:7d:11:82:30:cf:03:0d:35:1b:ca direction=? spid=2019 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:4b:0e:be:22:b5:28:65:28:72:90:5b:81:70:99:ff:47:5d:3c:90:a8:81:12:d1:1f:a0:e7:a3:d0:29:d1:25:1e direction=? spid=2019 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83 direction=? spid=2019 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: USER_LOGIN pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
>
> ===/var/log/secure during login failure===
> Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path
Re: [Freeipa-users] FreeIPA 4.3.0 Kerberos client referrals not working?
On Tue, 16 Feb 2016, Nathan Peters wrote:
> I have created a trust between my FreeIPA domain and an Active Directory
> domain. I can get a Kerberos ticket properly from the other domain at the
> command line on the IPA server.
> I have also created sudo and HBAC rules to allow my AD users to log on to the
> IPA domain controller using the recommended nested external group setup.
> However, I cannot actually log in to the machines.
>
> I should note that our AD domain is office.mydomain.net, but we use
> alternative UPN suffixes so the usernames are u...@mydomain.net.
>
> I read the patch notes and apparently support for client referrals that will
> allow alternate UPN suffixes in trusted domains was added in FreeIPA 4.2.1.
>
> Is there anything special I need to do to configure it beyond the creation of
> the original trust? Do I need to set special options in krb5.conf or
> sssd.conf to get it to work?
Not sure what you are trying to achieve. In the output of your 'kinit' call
you are not talking to IPA KDC. Instead, you are talking directly to your
AD DCs. You can verify it by setting KRB5_TRACE=/dev/stderr in the
environment where you would run 'kinit user@AD'.

How is IPA KDC involved?

> Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.134.154 user=nathan.pet...@mydomain.net
> Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): received for user nathan.pet...@mydomain.net: 4 (System error)
> Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: Failed password for nathan.pet...@mydomain.net from 10.8.134.154 port 9577 ssh2
> Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: error: Received disconnect from 10.8.134.154: 13: Unable to authenticate [preauth]
> Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: Disconnected from 10.8.134.154 [preauth]
Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce sssd logs
that can be analyzed. The logs above are mostly useless, they don't tell
anything.

-- 
/ Alexander Bokovoy
[Freeipa-users] FreeIPA 4.3.0 Kerberos client referrals not working?
I have created a trust between my FreeIPA domain and an Active Directory
domain. I can get a Kerberos ticket properly from the other domain at the
command line on the IPA server.
I have also created sudo and HBAC rules to allow my AD users to log on to the
IPA domain controller using the recommended nested external group setup.
However, I cannot actually log in to the machines.

I should note that our AD domain is office.mydomain.net, but we use
alternative UPN suffixes so the usernames are u...@mydomain.net.

I read the patch notes and apparently support for client referrals that will
allow alternate UPN suffixes in trusted domains was added in FreeIPA 4.2.1.

Is there anything special I need to do to configure it beyond the creation of
the original trust? Do I need to set special options in krb5.conf or
sssd.conf to get it to work?

===Kinit works===
[root@dc1-ipa-dev-nvan log]# kinit nathan.pet...@office.mydomain.net
Password for nathan.pet...@office.mydomain.net:
[root@dc1-ipa-dev-nvan log]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_V7hjacL
Default principal: nathan.pet...@office.mydomain.net

Valid starting       Expires              Service principal
16/02/16 14:05:33    17/02/16 14:05:30    krbtgt/office.mydomain@office.mydomain.net

===/var/log/messages during login failure===
Feb 16 14:10:14 dc1-ipa-dev-nvan audit: CRYPTO_SESSION pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha2-256 pfs=diffie-hellman-group14-sha1 spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:20 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=gssapi acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83 direction=? spid=2020 suid=74 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:f2:5c:54:6f:2a:0e:38:19:8c:e4:94:ef:53:2e:9b:ce:07:7f:bb:af:e0:65:7d:11:82:30:cf:03:0d:35:1b:ca direction=? spid=2019 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:4b:0e:be:22:b5:28:65:28:72:90:5b:81:70:99:ff:47:5d:3c:90:a8:81:12:d1:1f:a0:e7:a3:d0:29:d1:25:1e direction=? spid=2019 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83 direction=? spid=2019 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: USER_LOGIN pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'

===/var/log/secure during login failure===
Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8) (disconnected from bus)
Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for