Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-20 Thread Venkataramana Kintali
Thank you Lukas.
The issue, not being able to log in to some servers in our setup with ssh
keys, was due to incorrect permissions on the /usr directory, per the following
entry in /var/log/secure.

sshd[12856]: error: bad ownership or modes for AuthorizedKeysCommand path component "/usr"

After setting the permissions of /usr to 755, I was able to log in to
these servers with ssh private keys.

Thank you again, Lukas, for your help.

Regards
Venkataramana

On Fri, Sep 16, 2016 at 11:51 AM, Lukas Slebodnik 
wrote:

> On (15/09/16 11:46), Venkataramana Kintali wrote:
> >Hi Lukas,
> >ssh_config is also same on all servers.
> >Our need is to do it both ways, to be able to login with ssh public
> >keys (uploaded in IPA) and disable password login, and be able to access
> >all hosts within the same IPA domain silently from any host.
> >Hoping the configs will help, I am including the configurations here.
> >
> >ssh_config file :  http://pastebin.com/MWHyH1Qw
> >sshd_config file: http://pastebin.com/gpn5XhXM
> >sssd_config file: http://pastebin.com/5Pby6xKp
> >
> Looks good to me
>
> >I just used some placeholders for sssd_config file in pastebin instead of
> >actual values.
> >
>
> In initial mail you wrote:
> >I am able to login to some IPA clients but not able to login to other IPA
> >clients with putty using private key and passphrase.
> Therefore your previous test case is wrong.
> If you want to test authentication with public keys
> then you cannot obtain krb5 ticket with kinit.
>
> I would also recommend calling kdestroy before
> authentication with ssh to be sure that gssapi
> authentication will not be used.
>
> I would recommend setting "debug_level = 7" in the domain and ssh sections
> on the server where you would like to authenticate.
> Then restart sssd and try to authenticate with ssh + verbose mode
> e.g. ssh -v u...@remote.host
>
> Then I would recommend to compare logs from working server
> and from broken server.
>
> LS
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
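The log line above comes from sshd's safe-path rule for AuthorizedKeysCommand: the command file and every directory above it up to "/" must be owned by root and must not be group- or world-writable, otherwise sshd ignores the command and the IPA-stored keys are never fetched (hence "server refused our key"). The Python below is an added example, not code from the thread, from OpenSSH or from FreeIPA: it walks each path component and reports the ones sshd would reject, so a broken server can be diagnosed before reading /var/log/secure. It assumes the usual IPA client setting of `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys` (the thread never shows the sshd_config), and the filesystem tables it runs against are constructed; with no table it audits the live system via `os.stat`.

```python
import os
import stat
from collections import namedtuple
from typing import Callable, Dict, List, Tuple

# sshd refuses an AuthorizedKeysCommand unless the command file and every
# directory above it, up to "/", is owned by root and is neither group- nor
# world-writable. The "/usr" error in the thread is exactly this rule firing.
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH  # 0o022

# Assumed command path: the sssd helper FreeIPA clients normally configure as
# AuthorizedKeysCommand (the thread does not show the sshd_config).
AUTHORIZED_KEYS_COMMAND = "/usr/bin/sss_ssh_authorizedkeys"


def path_components(path: str) -> List[str]:
    """Return the path itself followed by each parent directory up to '/'."""
    path = os.path.abspath(path)
    comps = [path]
    while os.path.dirname(path) != path:
        path = os.path.dirname(path)
        comps.append(path)
    return comps


def find_unsafe_components(path: str, stat_fn: Callable = os.stat) -> List[Tuple[str, str]]:
    """Apply sshd's ownership/mode rule to each component of `path`.

    Returns (component, reason) for every component sshd would reject; an
    empty list means the path passes. `stat_fn` is injectable so the check can
    be run against a constructed filesystem table instead of the live system.
    """
    problems = []
    for comp in path_components(path):
        st = stat_fn(comp)
        if st.st_uid != 0:
            problems.append((comp, "owned by uid %d, must be root" % st.st_uid))
        if st.st_mode & UNSAFE_WRITE_BITS:
            problems.append((comp, "mode %o is group/world writable"
                             % stat.S_IMODE(st.st_mode)))
    return problems


# --- constructed filesystem tables for an offline demonstration -------------
FakeStat = namedtuple("FakeStat", "st_uid st_mode")


def make_fake_stat(table: Dict[str, Tuple[int, int]]) -> Callable:
    """Build a stat-like function from a {path: (uid, mode)} table."""
    def fake_stat(path: str) -> FakeStat:
        uid, mode = table[path]
        return FakeStat(uid, mode)
    return fake_stat


# Constructed: a server where /usr was left group-writable (0775). The thread
# only says /usr had "incorrect permissions"; 0775 is an assumed value.
BROKEN_FS = {
    "/": (0, stat.S_IFDIR | 0o755),
    "/usr": (0, stat.S_IFDIR | 0o775),
    "/usr/bin": (0, stat.S_IFDIR | 0o755),
    AUTHORIZED_KEYS_COMMAND: (0, stat.S_IFREG | 0o755),
}

# Constructed: the same server after "chmod 755 /usr", the fix from the thread.
FIXED_FS = {**BROKEN_FS, "/usr": (0, stat.S_IFDIR | 0o755)}


def audit(table: Dict[str, Tuple[int, int]] = None) -> List[Tuple[str, str]]:
    """Audit the assumed AuthorizedKeysCommand path; live os.stat if no table."""
    stat_fn = os.stat if table is None else make_fake_stat(table)
    return find_unsafe_components(AUTHORIZED_KEYS_COMMAND, stat_fn)


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_FS), ("fixed", FIXED_FS)):
        print("%s: %s" % (name, audit(table) or "all components OK"))
```

Running `audit()` with no argument on a real IPA client checks the live filesystem; an empty result means sshd will accept the command, and each reported tuple names the component and the reason, which is the same information sshd logs but without having to trigger a failed login first.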

Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-16 Thread Lukas Slebodnik
On (15/09/16 11:46), Venkataramana Kintali wrote:
>Hi Lukas,
>ssh_config is also same on all servers.
>Our need is to do it both ways, to be able to login with ssh public
>keys (uploaded in IPA) and disable password login, and be able to access
>all hosts within the same IPA domain silently from any host.
>Hoping the configs will help, I am including the configurations here.
>
>ssh_config file :  http://pastebin.com/MWHyH1Qw
>sshd_config file: http://pastebin.com/gpn5XhXM
>sssd_config file: http://pastebin.com/5Pby6xKp
>
Looks good to me

>I just used some placeholders for sssd_config file in pastebin instead of
>actual values.
>

In initial mail you wrote:
>I am able to login to some IPA clients but not able to login to other IPA
>clients with putty using private key and passphrase.
Therefore your previous test case is wrong.
If you want to test authentication with public keys
then you cannot obtain krb5 ticket with kinit.

I would also recommend calling kdestroy before
authentication with ssh to be sure that gssapi
authentication will not be used.

I would recommend setting "debug_level = 7" in the domain and ssh sections
on the server where you would like to authenticate.
Then restart sssd and try to authenticate with ssh + verbose mode
e.g. ssh -v u...@remote.host

Then I would recommend to compare logs from working server
and from broken server.

LS



Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-15 Thread Venkataramana Kintali
Hi Lukas,
ssh_config is also same on all servers.
Our need is to do it both ways, to be able to login with ssh public
keys (uploaded in IPA) and disable password login, and be able to access
all hosts within the same IPA domain silently from any host.
Hoping the configs will help, I am including the configurations here.

ssh_config file :  http://pastebin.com/MWHyH1Qw
sshd_config file: http://pastebin.com/gpn5XhXM
sssd_config file: http://pastebin.com/5Pby6xKp

I just used some placeholders for sssd_config file in pastebin instead of
actual values.


Thanks
Venkataramana



On Thu, Sep 15, 2016 at 10:09 AM, Lukas Slebodnik 
wrote:

> On (15/09/16 09:56), Venkataramana Kintali wrote:
> >Hi Lukas,
> >Thank you for responding.
> >I compared the configs (sshd_config and sssd.conf); they are the same.
> Is /etc/ssh/ssh_config the same as well?
> NOTE: ssh_config is not the same as sshd_config (extra 'd' in the name)
>
> >sssd  and sshd services are running on all the servers(IPA clients).
> >PubKey Authentication is enabled on all the servers.
> >I am not able to login with sshkeys.
> >
> >But I am able to ssh to these servers from the other IPA clients I am able
> >to connect to with ssh keys(after doing a kinit).
> >
> If I remember correctly GSSAPI has higher priority than public keys.
> So the behaviour is expected.
>
> You should decide whether you want to authenticate
> with ssh keys stored in IPA or with kerberos ticket (GSSAPI)
> or you can change sshd configuration to allow only authentication
> with public keys.
>
> LS
>

Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-15 Thread Lukas Slebodnik
On (15/09/16 09:56), Venkataramana Kintali wrote:
>Hi Lukas,
>Thank you for responding.
>I compared the configs (sshd_config and sssd.conf); they are the same.
Is /etc/ssh/ssh_config the same as well?
NOTE: ssh_config is not the same as sshd_config (extra 'd' in the name)

>sssd  and sshd services are running on all the servers(IPA clients).
>PubKey Authentication is enabled on all the servers.
>I am not able to login with sshkeys.
>
>But I am able to ssh to these servers from the other IPA clients I am able
>to connect to with ssh keys(after doing a kinit).
>
If I remember correctly GSSAPI has higher priority than public keys.
So the behaviour is expected.

You should decide whether you want to authenticate
with ssh keys stored in IPA or with kerberos ticket (GSSAPI)
or you can change sshd configuration to allow only authentication
with public keys.

LS



Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-15 Thread Venkataramana Kintali
Hi Lukas,
Thank you for responding.
I compared the configs (sshd_config and sssd.conf); they are the same.
sssd  and sshd services are running on all the servers(IPA clients).
PubKey Authentication is enabled on all the servers.
I am not able to login with sshkeys.

But I am able to ssh to these servers from the other IPA clients I am able
to connect to with ssh keys(after doing a kinit).


Thanks
Venkataramana

On Fri, Sep 9, 2016 at 1:22 PM, Lukas Slebodnik  wrote:

> On (07/09/16 17:39), Venkataramana Kintali wrote:
> >Hi,
> >Of late, I am learning FreeIPA. I have installed an IPA server and a few
> >clients (Version 3.0.0).
> >I am facing an issue with ssh key authentication in my setup.
> >I generated a putty ssh private key (using PuTTY keygen), and uploaded it
> >under a user through the IPA GUI.
> I assume you uploaded public key to the IPA
> otherwise you did something wrong and I wonder why it works on some
> machines.
>
> >I am able to login to some IPA clients but not able to login to other IPA
> >clients with putty using private key and passphrase.
> >
> Is sssd_ssh running on all clients? (Is sssd.conf almost the same on all
> machines)
> Is sshd configuration the same on all machines?
> /etc/ssh/ssh_config /etc/ssh/sshd_config
>
> >Public Key Authentication is enabled on all clients.
> >I am able to ssh from one client to other clients successfully (after doing
> >kinit) without prompting for a password.
> >
> >Can someone please throw some light on this as to what the issue could be
> >here and what else I can check to understand where the problem is?
> >
> >I searched this online but couldn't find any solution in the context of
> IPA.
> >
>
> LS
>

Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-09 Thread Lukas Slebodnik
On (07/09/16 17:39), Venkataramana Kintali wrote:
>Hi,
>Of late, I am learning FreeIPA. I have installed an IPA server and a few
>clients (Version 3.0.0).
>I am facing an issue with ssh key authentication in my setup.
>I generated a putty ssh private key (using PuTTY keygen), and uploaded it
>under a user through the IPA GUI.
I assume you uploaded the public key to IPA,
otherwise you did something wrong and I wonder why it works on some machines.

>I am able to login to some IPA clients but not able to login to other IPA
>clients with putty using private key and passphrase.
>
Is sssd_ssh running on all clients? (Is sssd.conf almost the same on all
machines)
Is sshd configuration the same on all machines?
/etc/ssh/ssh_config /etc/ssh/sshd_config

>Public Key Authentication is enabled on all clients.
>I am able to ssh from one client to other clients successfully (after doing
>kinit) without prompting for a password.
>
>Can someone please throw some light on this as to what the issue could be
>here and what else I can check to understand where the problem is?
>
>I searched this online but couldn't find any solution in the context of IPA.
>

LS



Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-07 Thread Venkataramana Kintali
On Sep 7, 2016 8:09 PM, "Venkataramana Kintali" <
venkataramana.kint...@gmail.com> wrote:
>
> Hi,
> Of late, I am learning FreeIPA. I have installed an IPA server and a few
> clients (Version 3.0.0).
> I am facing an issue with ssh key authentication in my setup.
> I generated a putty ssh private key (using PuTTY keygen), and uploaded it
> under a user through the IPA GUI.
> I am able to login to some IPA clients but not able to login to other IPA
> clients with putty using private key and passphrase.
I forgot to mention the error.
I am getting "server refused our key" for the servers I am unable to log in
to.
>
> Public Key Authentication is enabled on all clients.
> I am able to ssh from one client to other clients successfully (after doing
> kinit) without prompting for a password.
>
> Can someone please throw some light on this as to what the issue could
> be here and what else I can check to understand where the problem is?
>
> I searched this online but couldn't find any solution in the context of
> IPA.
>
>
> Thanks
> Venkataramana
>

[Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-07 Thread Venkataramana Kintali
Hi,
Of late, I am learning FreeIPA. I have installed an IPA server and a few
clients (Version 3.0.0).
I am facing an issue with ssh key authentication in my setup.
I generated a putty ssh private key (using PuTTY keygen), and uploaded it
under a user through the IPA GUI.
I am able to login to some IPA clients but not able to login to other IPA
clients with putty using private key and passphrase.

Public Key Authentication is enabled on all clients.
I am able to ssh from one client to other clients successfully (after doing
kinit) without prompting for a password.

Can someone please throw some light on this as to what the issue could be
here and what else I can check to understand where the problem is?

I searched this online but couldn't find any solution in the context of IPA.


Thanks
Venkataramana

Re: [Freeipa-users] Issues with 'A replication agreement for the host already exists', when it very much doesn't

2015-12-22 Thread Ludwig Krispenz


On 12/21/2015 05:49 PM, Alex Williams wrote:
> I began installing a new ipa4 replica this morning and it all went
> wrong. The ipa-replica-install script got all the way to restarting
> ipa with systemctl at the very end, having set up replication and then
> fell over, because systemctl couldn't find the ipa service. I removed
> the replica from our master, I deleted the host from there too, I
> un-installed ipa-server on the new replica machine, I even created a
> new replica-prepare script on the master, but now the server just
> errors immediately with:
>
> A replication agreement for this host already exists. It needs to
> be removed.
>
> I've verified several times that no replica or host with the same
> name exists in the master; there are no ldap entries under masters
> with that hostname, nothing. There is literally no trace of the new
> host on the old master. Running `ipa-replica-manage list` shows just
> the 3 ipa servers we have already, no sign of this new host. Yet, if I
> run `ipa-replica-manage del hostname --force` on the master, it will
> in fact say that it's forcing removal, skipping checking if anything
> will be orphaned and that no RUV records were found.
>
> I'm now lost, I really don't know where to start with fixing this.

We should first try to get a clear picture of existing agreements and
state of replication. Could you on all servers do the following searches
(as directory manager):

ldapsearch -LLL -o ldif-wrap=no . -b "cn=config" "objectclass=nsds5replicationagreement" nsDS5ReplicaRoot nsDS5ReplicaHost
ldapsearch -LLL -o ldif-wrap=no .. -b "cn=config" "objectclass=nsds5replica" nsDS5ReplicaRoot nsDS5ReplicaId nsds50ruv

> Not sure if this is relevant or not, but I'd rather bring it up and it
> not be, than not mention it and it turn out to be the reason. Our yum
> mirror is unfortunately now holding rhel7.2 packages, whilst our
> servers are still on rhel7.1, which means our existing IPA servers
> are ipa4.1 and the new one I tried to install was ipa4.2, but on a
> rhel7.1 box. I had previously attributed the failed systemctl command
> to the fact that I was trying to run ipa4.2 on a rhel7.1 box, as I'm
> told there were a lot of modifications to systemctl in rhel7.2, but I
> need to fix this replication agreement issue before I can try again
> with the box upgraded to rhel7.2.
>
> Any ideas?
>
> Cheers
>
> Alex




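The two searches Ludwig asks for return, per master, the replication agreements (each with its `nsDS5ReplicaHost`) and the replica entry whose `nsds50ruv` values list every replica ID the server has ever seen. Comparing both against the hosts that `ipa-replica-manage list` prints is what reveals a leftover agreement or RUV element for a host that is no longer (or never fully became) a master, which is the state Alex describes. The script below is an added example, not code from the thread, from FreeIPA or from 389-ds: it parses the LDIF those searches print and flags agreements and RUV elements whose host is not in the known master list. The LDIF it ships with is constructed sample data with made-up hostnames and CSNs; in use you would pass it the real `ldapsearch` output. It goes slightly beyond the thread in also checking RUV elements, since a stale RUV is the other common leftover after a failed replica install.

```python
import base64
import re
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]

# Constructed sample output (not from the thread) of the agreement search, as
# run on one master. Hostnames are made up.
AGREEMENTS_LDIF = r"""dn: cn=meToipa2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
nsDS5ReplicaRoot: dc=example,dc=test
nsDS5ReplicaHost: ipa2.example.test

dn: cn=meToipa3.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
nsDS5ReplicaRoot: dc=example,dc=test
nsDS5ReplicaHost: ipa3.example.test

dn: cn=meTonew-replica.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
nsDS5ReplicaRoot: dc=example,dc=test
nsDS5ReplicaHost: new-replica.example.test
"""

# Constructed sample output of the replica/RUV search on the same master.
# CSN values are made up; only the "{replica N ldap://host:port}" part matters.
RUV_LDIF = r"""dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
nsDS5ReplicaRoot: dc=example,dc=test
nsDS5ReplicaId: 4
nsds50ruv: {replicageneration} 5678abcd000000040000
nsds50ruv: {replica 4 ldap://ipa1.example.test:389} 5678abcd000100040000 5678ffff000000040000
nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 5678abce000100050000 5678fffe000000050000
nsds50ruv: {replica 6 ldap://ipa3.example.test:389} 5678abcf000100060000 5678fffd000000060000
nsds50ruv: {replica 97 ldap://new-replica.example.test:389} 5678abd0000100610000 5678abd0000100610000
"""

# Constructed: the hosts that `ipa-replica-manage list` reports as masters.
KNOWN_MASTERS = {"ipa1.example.test", "ipa2.example.test", "ipa3.example.test"}

# One RUV element looks like "{replica <id> ldap://<host>:<port>} <csn> <csn>".
RUV_RE = re.compile(r"\{replica (\d+) ldap://([^:/}]+)(?::\d+)?\}")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, attribute names
    lower-cased, '::' values base64-decoded, folded lines (leading space) joined."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded continuation line
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        value = value.lstrip()
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        last_attr = attr.lower()
        current.setdefault(last_attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def agreement_hosts(entries: List[Entry]) -> List[str]:
    """Hosts this server has outbound agreements to, in LDIF order."""
    return [h for e in entries for h in e.get("nsds5replicahost", [])]


def ruv_replicas(entries: List[Entry]) -> List[Tuple[int, str]]:
    """(replica id, host) for each RUV element; the replicageneration line is skipped."""
    found = []
    for e in entries:
        for v in e.get("nsds50ruv", []):
            m = RUV_RE.match(v)
            if m:
                found.append((int(m.group(1)), m.group(2)))
    return found


def audit(agreements_ldif: str, ruv_ldif: str, known_masters: Set[str]) -> Dict[str, list]:
    """Flag agreements and RUV elements that point at hosts not in the master list."""
    agreements = agreement_hosts(parse_ldif(agreements_ldif))
    ruv = ruv_replicas(parse_ldif(ruv_ldif))
    return {
        "agreements": agreements,
        "ruv": ruv,
        "stale_agreements": [h for h in agreements if h not in known_masters],
        "stale_ruv": [(rid, h) for rid, h in ruv if h not in known_masters],
    }


if __name__ == "__main__":
    report = audit(AGREEMENTS_LDIF, RUV_LDIF, KNOWN_MASTERS)
    print("agreements to unknown hosts:", report["stale_agreements"])
    print("RUV elements for unknown hosts:", report["stale_ruv"])
```

Run the two `ldapsearch` commands on every master and feed each server's output through `audit` separately: an agreement that appears on only one master, or a RUV element that lingers on some servers but not others, is exactly the asymmetry worth cleaning up before retrying the replica install.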

[Freeipa-users] Issues with 'A replication agreement for the host already exists', when it very much doesn't

2015-12-21 Thread Alex Williams
I began installing a new ipa4 replica this morning and it all went 
wrong. The ipa-replica-install script got all the way to restarting ipa 
with systemctl at the very end, having set up replication and then fell 
over, because systemctl couldn't find the ipa service. I removed the 
replica from our master, I deleted the host from there too, I 
un-installed ipa-server on the new replica machine, I even created a new 
replica-prepare script on the master, but now the server just errors 
immediately with:


A replication agreement for this host already exists. It needs to 
be removed.


I've verified several times, that no replica, or host with the same name 
exists in the master, there are no ldap entries under masters, with that 
hostname, nothing. There is literally no trace of the new host, on the 
old master. Running `ipa-replica-manage list` shows just the 3 ipa 
servers we have already, no sign of this new host. Yet, if I run 
`ipa-replica-manage del hostname --force` on the master, it will in fact 
say that it's forcing removal, skipping checking if anything will be 
orphaned and that no RUV records were found.


I'm now lost, I really don't know where to start with fixing this.

Not sure if this is relevant or not, but I'd rather bring it up and it 
not be, than not mention it and it turn out to be the reason. Our yum 
mirror is unfortunately now holding rhel7.2 packages, whilst our 
servers are still on rhel7.1, which means our existing IPA servers are 
ipa4.1 and the new one I tried to install was ipa4.2, but on a rhel7.1 
box. I had previously attributed the failed systemctl command to the 
fact that I was trying to run ipa4.2 on a rhel7.1 box, as I'm told there 
were a lot of modifications to systemctl in rhel7.2, but I need to fix 
this replication agreement issue before I can try again with the box 
upgraded to rhel7.2.


Any ideas?

Cheers

Alex



Re: [Freeipa-users] Issues

2015-06-18 Thread Alexander Bokovoy


- Original Message -
> This is a virtual machine,  rng-tools-5-4.fc22.x86_64 is installed  ...
> I did just try to create a gpg key and it seemed to have entropy
> issues... I did however run the command
> $ rngd -W 4096
> $ cat /proc/sys/kernel/random/entropy_avail
> to fill the entropy up again (previously reporting around 3081), now it
> is at 4094.  gpg works now with no issues, redid the install but still
> failed at the same step.
Ok, then you need to provide logs. IPA's install log is 
/var/log/ipaserver-install.log,
at the end of it there will be output of our communication with dogtag.

Also dogtag logs in /var/log/pki/.

-- 
/ Alexander Bokovoy



Re: [Freeipa-users] Issues

2015-06-18 Thread James Benson
This is a virtual machine,  rng-tools-5-4.fc22.x86_64 is installed  ... 
I did just try to create a gpg key and it seemed to have entropy 
issues... I did however run the command

$ rngd -W 4096
$ cat /proc/sys/kernel/random/entropy_avail
to fill the entropy up again (previously reporting around 3081), now it 
is at 4094.  gpg works now with no issues, redid the install but still 
failed at the same step.



On 06/18/2015 10:53 AM, Alexander Bokovoy wrote:
> - Original Message -
> > Hi all,
> > I'm a fairly advanced user, however, having issues with setting up
> > freeIPA.  I've started with Fedora 22 server (both with minimal install
> > and basic install), modified the hosts and hostname file respectively to
> > xx.xx.xx.xx ipa.cloud.local ipa
> > cloud.local
> > and began the install options selected were:
> > no
> > ipa.cloud.local
> > cloud.local
> > CLOUD.LOCAL
> > Directory Manager Password: set
> > IPA admin password: set
> > yes
> >
> > But I always get this error:
> > CA did not start in 300.0s
> >
> > I've modified the
> > /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py  to
> > increase the timeout value, but no luck.
> >
> > Suggestions?
>
> Is this a VM? Do you have a driver for random number generator added to it?
> like virtio-rng for libvirtd/kvm.
> It might well be that the VM struggles to get enough entropy to generate
> certificates.






Re: [Freeipa-users] Issues

2015-06-18 Thread Petr Spacek
On 18.6.2015 17:08, James Benson wrote:
> Hi all,
> I'm a fairly advanced user, however, having issues with setting up freeIPA. 
> I've started with Fedora 22 server (both with minimal install and basic
> install), modified the hosts and hostname file respectively to
> xx.xx.xx.xx ipa.cloud.local ipa
> cloud.local

BTW, never ever use .local, otherwise you will have terrible problems in the future.

Please see http://www.freeipa.org/page/Deployment_Recommendations#DNS before
you start installing your FreeIPA servers and let us know if you have further
questions.

Petr^2 Spacek

> and began the install options selected were:
> no
> ipa.cloud.local
> cloud.local
> CLOUD.LOCAL
> Directory Manager Password:set
> IPA admin password:set
> yes
> 
> But I always get this error:
> CA did not start in 300.0s
> 
> 
> I've modified the
> /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py  to increase
> the timeout value, but no luck.
> 
> Suggestions?
> 
> Thanks,
> 
> James



Re: [Freeipa-users] Issues

2015-06-18 Thread Simo Sorce
On Thu, 2015-06-18 at 10:47 -0500, James Benson wrote:
> Freeipa 4.1.4

Please run rpm -qi pki-base

> On 06/18/2015 10:28 AM, Simo Sorce wrote:
> > On Thu, 2015-06-18 at 10:08 -0500, James Benson wrote:
> >> Hi all,
> >> I'm a fairly advanced user, however, having issues with setting up
> >> freeIPA.  I've started with Fedora 22 server (both with minimal install
> >> and basic install), modified the hosts and hostname file respectively to
> >> xx.xx.xx.xx ipa.cloud.local ipa
> >> cloud.local
> >> and began the install options selected were:
> >> no
> >> ipa.cloud.local
> >> cloud.local
> >> CLOUD.LOCAL
> >> Directory Manager Password:set
> >> IPA admin password:set
> >> yes
> >>
> >> But I always get this error:
> >> CA did not start in 300.0s
> >>
> >>
> >> I've modified the
> >> /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py  to
> >> increase the timeout value, but no luck.
> >>
> >> Suggestions?
> >
> > What pki-base package version do you have installed ?
> >
> > Simo.
> >
> 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Issues

2015-06-18 Thread Alexander Bokovoy


- Original Message -
> Hi all,
> I'm a fairly advanced user, however, having issues with setting up
> freeIPA.  I've started with Fedora 22 server (both with minimal install
> and basic install), modified the hosts and hostname file respectively to
> xx.xx.xx.xx ipa.cloud.local ipa
> cloud.local
> and began the install options selected were:
> no
> ipa.cloud.local
> cloud.local
> CLOUD.LOCAL
> Directory Manager Password:   set
> IPA admin password:   set
> yes
> 
> But I always get this error:
> CA did not start in 300.0s
> 
> 
> I've modified the
> /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py  to
> increase the timeout value, but no luck.
> 
> Suggestions?
Is this a VM? Do you have a driver for random number generator added to it? 
like virtio-rng for libvirtd/kvm.
It might well be that the VM struggles to get enough entropy to generate 
certificates.
-- 
/ Alexander Bokovoy



Re: [Freeipa-users] Issues

2015-06-18 Thread James Benson

Freeipa 4.1.4

On 06/18/2015 10:28 AM, Simo Sorce wrote:
> On Thu, 2015-06-18 at 10:08 -0500, James Benson wrote:
> > Hi all,
> > I'm a fairly advanced user, however, having issues with setting up
> > freeIPA.  I've started with Fedora 22 server (both with minimal install
> > and basic install), modified the hosts and hostname file respectively to
> > xx.xx.xx.xx ipa.cloud.local ipa
> > cloud.local
> > and began the install options selected were:
> > no
> > ipa.cloud.local
> > cloud.local
> > CLOUD.LOCAL
> > Directory Manager Password: set
> > IPA admin password: set
> > yes
> >
> > But I always get this error:
> > CA did not start in 300.0s
> >
> > I've modified the
> > /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py  to
> > increase the timeout value, but no luck.
> >
> > Suggestions?
>
> What pki-base package version do you have installed ?
>
> Simo.






Re: [Freeipa-users] Issues

2015-06-18 Thread Simo Sorce
On Thu, 2015-06-18 at 10:08 -0500, James Benson wrote:
> Hi all,
> I'm a fairly advanced user, however, having issues with setting up 
> freeIPA.  I've started with Fedora 22 server (both with minimal install 
> and basic install), modified the hosts and hostname file respectively to
> xx.xx.xx.xx ipa.cloud.local ipa
> cloud.local
> and began the install options selected were:
> no
> ipa.cloud.local
> cloud.local
> CLOUD.LOCAL
> Directory Manager Password:   set
> IPA admin password:   set
> yes
> 
> But I always get this error:
> CA did not start in 300.0s
> 
> 
> I've modified the 
> /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py  to 
> increase the timeout value, but no luck.
> 
> Suggestions?

What pki-base package version do you have installed ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] Issues

2015-06-18 Thread James Benson

Hi all,
I'm a fairly advanced user, however, having issues with setting up 
freeIPA.  I've started with Fedora 22 server (both with minimal install 
and basic install), modified the hosts and hostname file respectively to

xx.xx.xx.xx ipa.cloud.local ipa
cloud.local
and began the install options selected were:
no
ipa.cloud.local
cloud.local
CLOUD.LOCAL
Directory Manager Password: set
IPA admin password: set
yes

But I always get this error:
CA did not start in 300.0s


I've modified the 
/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py  to 
increase the timeout value, but no luck.


Suggestions?

Thanks,

James




Re: [Freeipa-users] Issues with SNI+Kerberos

2015-06-02 Thread Rob Crittenden

Brian Topping wrote:
> Hi all,
>
> I've been trying to work through the instructions at
> https://www.freeipa.org/page/Apache_SNI_With_Kerberos and have not been having
> much luck. I've followed the instructions there exactly, ending with the
> following command:
>
> ipa-getcert request -r -f /etc/httpd/certs/example.crt -k
> /etc/httpd/certs/example.key -N CN=www.example.com -D www.example.com -K
> HTTP/www.example.com
>
> but I keep getting the following:
>
> ca-error: Server at https://ipa.example.com/ipa/xml denied our request, giving
> up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform
> this command).
>
> What's interesting is it creates the private key file but the certificate
> fails. I cannot find anything in the logs on either the ipa or the client
> machine that would indicate what that failure is.
>
> Does anyone recognize this situation where the key file is created but the
> certificate is not created?

Key generation is done locally.

The failure is pretty clear, your host isn't allowed to do this:
Insufficient access: not allowed to perform this command

The Apache error log should contain this error as well.

What version of IPA is this?

And more information on what you're doing is needed, obfuscate as
needed, but what host are you running this on? I assume you want to
create an SNI for www.example.com on .example.com?

rob



[Freeipa-users] Issues with SNI+Kerberos

2015-06-02 Thread Brian Topping
Hi all,

I've been trying to work through the instructions at 
https://www.freeipa.org/page/Apache_SNI_With_Kerberos and have not been having 
much luck. I've followed the instructions there exactly, ending with the 
following command:

> ipa-getcert request -r -f /etc/httpd/certs/example.crt -k 
> /etc/httpd/certs/example.key -N CN=www.example.com -D www.example.com -K 
> HTTP/www.example.com

but I keep getting the following:

> ca-error: Server at https://ipa.example.com/ipa/xml denied our request, 
> giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to 
> perform this command).

What's interesting is it creates the private key file but the certificate 
fails. I cannot find anything in the logs on either the ipa or the client 
machine that would indicate what that failure is.

Does anyone recognize this situation where the key file is created but the 
certificate is not created?

Thanks!



Re: [Freeipa-users] issues with secondary groups? (sssd)

2015-03-02 Thread James Shubin
On Mon, 2015-03-02 at 13:25 +0100, Jakub Hrozek wrote:
> On Mon, Mar 02, 2015 at 04:09:34AM -0800, Janelle wrote:
> > That was the point. The clients were not installed with IPA client install.
> > I have 2000 clients and still working on a simple way to automate the 
> > client install with ansible or puppet. Currently just trying to get it 
> > working with simple sssd/ldap only auth.
> 
> I would recommend against enrolling clients in any other way than with
> ipa-client-install.
> 
> I've CC-ed James Shubin, who worked on automating client installs with
> Puppet (and Puppet-iting IPA in general), I wonder if there's some howto
> we can link to?

The Puppet-IPA module has documentation:
https://github.com/purpleidea/puppet-ipa/blob/master/DOCUMENTATION.md

It has a client section too.

HTH,
James




Re: [Freeipa-users] issues with secondary groups? (sssd)

2015-03-02 Thread Jan Pazdziora
On Mon, Mar 02, 2015 at 04:09:34AM -0800, Janelle wrote:
> That was the point. The clients were not installed with IPA client install.
> I have 2000 clients and still working on a simple way to automate the client 
> install with ansible or puppet. Currently just trying to get it working with 
> simple sssd/ldap only auth.

You might want to check Foreman and its realm feature:

http://theforeman.org/manuals/1.7/index.html#4.3.9Realm

That way OTP authentication will be used.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] issues with secondary groups? (sssd)

2015-03-02 Thread Baird, Josh
There is active development on the puppet-ipaclient module [1].  You should see 
a new release in the next few days that adds better support for ipa4, exposes 
sssd options and more.

[1] https://forge.puppetlabs.com/stbenjam/ipaclient

We will be using this module to automate the client install on a group of ~500 
RHEL servers.

Thanks,

Josh

> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Monday, March 02, 2015 7:26 AM
> To: Janelle
> Cc: James Shubin; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] issues with secondary groups? (sssd)
> 
> On Mon, Mar 02, 2015 at 04:09:34AM -0800, Janelle wrote:
> > That was the point. The clients were not installed with IPA client install.
> > I have 2000 clients and still working on a simple way to automate the client
> install with ansible or puppet. Currently just trying to get it working with
> simple sssd/ldap only auth.
> 
> I would recommend against enrolling clients in any other way than with ipa-
> client-install.
> 
> I've CC-ed James Shubin, who worked on automating client installs with
> Puppet (and Puppet-iting IPA in general), I wonder if there's some howto
> we can link to?
> 



Re: [Freeipa-users] issues with secondary groups? (sssd)

2015-03-02 Thread Jakub Hrozek
On Mon, Mar 02, 2015 at 04:09:34AM -0800, Janelle wrote:
> That was the point. The clients were not installed with IPA client install.
> I have 2000 clients and still working on a simple way to automate the client 
> install with ansible or puppet. Currently just trying to get it working with 
> simple sssd/ldap only auth.

I would recommend against enrolling clients in any other way than with
ipa-client-install.

I've CC-ed James Shubin, who worked on automating client installs with
Puppet (and Puppet-iting IPA in general), I wonder if there's some howto
we can link to?



Re: [Freeipa-users] issues with secondary groups? (sssd)

2015-03-02 Thread Janelle
That was the point. The clients were not installed with IPA client install.
I have 2000 clients and still working on a simple way to automate the client 
install with ansible or puppet. Currently just trying to get it working with 
simple sssd/ldap only auth.

~J



> On Mar 2, 2015, at 01:12, Jakub Hrozek  wrote:
> 
>> On Sat, Feb 28, 2015 at 11:07:20AM -0800, Janelle wrote:
>> Hello,
>> 
>> I was wondering - I have searched around and seen a few questions and
>> solutions, but nothing I try is fixing my environment.
>> 
>> Things have been working quite well with IPA 4.0.5, simple things with auth
>> and logins - some with full ipa-client-install configured, others just using
>> LDAP and that is where the strangeness comes from.
>> 
>> With full IPA client integration, secondary groups work just fine, as do
>> base commands like "id" and "getent". However, the "ldap" users never show
>> the secondary group for their uid?
>> 
>> Any pointers you might suggest? I have tried the sssd.conf of
>> "ldap_group_member = uniqeMember" - no change.
>> 
>> a simple secondary group is defined:
>> 
>> dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
>> cn: web_users
>> objectClass: ipaobject
>> objectClass: extensibleobject
>> objectClass: top
>> objectClass: ipausergroup
>> objectClass: posixgroup
>> objectClass: groupofnames
>> objectClass: nestedgroup
>> memberUid: user1
>> memberUid: user2
>> memberUid: user3
>> memberUid: user4
>> memberUid: user5
>> member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user5,cn=users,cn=accounts,dc=example,dc=com
>> 
>> and yet with debug_level = 7 -- sssd still says:
>> [sdap_process_ghost_members] (0x0400): Group has 0 members
> 
> Was the client installed with ipa-client-install? There I would suggest
> just using the defaults and everything should work.
> 
> Can you try again, this time with the default configuration of
> id_provider=ipa? You might need to clear the cache (rm
> /var/lib/sss/db/cache_*) if you were playing around with the schema.
> 



Re: [Freeipa-users] issues with secondary groups? (sssd)

2015-03-02 Thread Jakub Hrozek
On Sat, Feb 28, 2015 at 11:07:20AM -0800, Janelle wrote:
> Hello,
> 
> I was wondering - I have searched around and seen a few questions and
> solutions, but nothing I try is fixing my environment.
> 
> Things have been working quite well with IPA 4.0.5, simple things with auth
> and logins - some with full ipa-client-install configured, others just using
> LDAP and that is where the strangeness comes from.
> 
> With full IPA client integration, secondary groups work just fine, as do
> base commands like "id" and "getent". However, the "ldap" users never show
> the secondary group for their uid?
> 
> Any pointers you might suggest? I have tried the sssd.conf of
> "ldap_group_member = uniqeMember" - no change.
> 
> a simple secondary group is defined:
> 
> dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
> cn: web_users
> objectClass: ipaobject
> objectClass: extensibleobject
> objectClass: top
> objectClass: ipausergroup
> objectClass: posixgroup
> objectClass: groupofnames
> objectClass: nestedgroup
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: user4
> memberUid: user5
> member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
> member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
> member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
> member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
> member: uid=user5,cn=users,cn=accounts,dc=example,dc=com
> 
> and yet with debug_level = 7 -- sssd still says:
> [sdap_process_ghost_members] (0x0400): Group has 0 members

Was the client installed with ipa-client-install? There I would suggest
just using the defaults and everything should work.

Can you try again, this time with the default configuration of
id_provider=ipa? You might need to clear the cache (rm
/var/lib/sss/db/cache_*) if you were playing around with the schema.



[Freeipa-users] issues with secondary groups? (sssd)

2015-02-28 Thread Janelle

Hello,

I was wondering - I have searched around and seen a few questions and 
solutions, but nothing I try is fixing my environment.


Things have been working quite well with IPA 4.0.5, simple things with 
auth and logins - some with full ipa-client-install configured, others 
just using LDAP and that is where the strangeness comes from.


With full IPA client integration, secondary groups work just fine, as do 
base commands like "id" and "getent". However, the "ldap" users never 
show the secondary group for their uid?


Any pointers you might suggest? I have tried the sssd.conf of 
"ldap_group_member = uniqeMember" - no change.


a simple secondary group is defined:

dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
cn: web_users
objectClass: ipaobject
objectClass: extensibleobject
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: nestedgroup
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
member: uid=user5,cn=users,cn=accounts,dc=example,dc=com

and yet with debug_level = 7 -- sssd still says: 
[sdap_process_ghost_members] (0x0400): Group has 0 members

and "id" or "getent" of any of user1..5 just returns the primary GID.

Any ideas? Tips? What else might you want to see?

~J



Re: [Freeipa-users] issues with sudo on RHEL5.8

2015-02-17 Thread Nicolas Zin
Sure.

Let me come back to that matter a bit later next week.


- Original Message -
From: "Dmitri Pal" 
To: freeipa-users@redhat.com
Sent: Tuesday, 17 February 2015 19:39:40
Subject: Re: [Freeipa-users] issues with sudo on RHEL5.8

On 02/17/2015 05:18 AM, Nicolas Zin wrote:
> Thanks,
>
> that helps!
> I mistyped binddn and bindpw
>
> - Original Message -
> From: "Lukasz Jaworski" 
> To: "Nicolas Zin" 
> Cc: freeipa-users@redhat.com
> Sent: Tuesday, 17 February 2015 13:31:20
> Subject: Re: [Freeipa-users] issues with sudo on RHEL5.8
>
>> With a RHEL7 IdM installation, I am trying to make sudo work.
>> On RHEL6 there is no problem (via sssd).
>> On RHEL5.8 I can't get it working (the credentials are good, I manage 
>> to request the schema, see below).
>> Where can I find more logs?
>> What did I forget?
>> [root@srv-rhel58-01 ~]# cat /etc/nss_ldap.conf
>> bindn uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com
>> binpw redhat5Sudo
>> ssl start_tls
>> tls_cacertfile /etc/openldap/cacerts/ipa.crt
>> #tls_cacert /etc/openldap/cacerts/ipa.crt
>> tls_checkpeer yes
>> #uri ldap://srv-idm7-01.company.com, ldap://srv-idm7-02.company.com
>> uri ldap://srv-idm7-01.company.com
>> sudoers_base ou=SUDOers,dc=company,dc=com
>> sudoers_debug: 2
> Change the last line (remove the ":") to:
> sudoers_debug 2
>
> And then try sudo.
>
> Check:
> /etc/nsswitch.conf
> should be:
> sudoers: files ldap
>
> Best regards,
> Ender
>
We quite frequently get questions about how to configure SUDO with IPA 
from RHEL5.x clients.
Would you mind sharing this configuration as a howto solution?
http://www.freeipa.org/page/HowTos

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] issues with sudo on RHEL5.8

2015-02-17 Thread Dmitri Pal

On 02/17/2015 05:18 AM, Nicolas Zin wrote:

Thanks,

that helps!
I mistyped binddn and bindpw

- Original Message -
From: "Lukasz Jaworski" 
To: "Nicolas Zin" 
Cc: freeipa-users@redhat.com
Sent: Tuesday, 17 February 2015 13:31:20
Subject: Re: [Freeipa-users] issues with sudo on RHEL5.8


With a RHEL7 IdM installation, I am trying to make sudo work.
On RHEL6 there is no problem (via sssd).
On RHEL5.8 I can't get it working (the credentials are good, I manage to 
request the schema, see below).
Where can I find more logs?
What did I forget?
[root@srv-rhel58-01 ~]# cat /etc/nss_ldap.conf
bindn uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com
binpw redhat5Sudo
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ipa.crt
#tls_cacert /etc/openldap/cacerts/ipa.crt
tls_checkpeer yes
#uri ldap://srv-idm7-01.company.com, ldap://srv-idm7-02.company.com
uri ldap://srv-idm7-01.company.com
sudoers_base ou=SUDOers,dc=company,dc=com
sudoers_debug: 2

Change the last line (remove the ":") to:
sudoers_debug 2

And then try sudo.

Check:
/etc/nsswitch.conf
should be:
sudoers: files ldap

Best regards,
Ender

We quite frequently get questions about how to configure SUDO with IPA 
from RHEL5.x clients.

Would you mind sharing this configuration as a howto solution?
http://www.freeipa.org/page/HowTos

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] issues with sudo on RHEL5.8

2015-02-17 Thread Nicolas Zin
Thanks,

that helps!
I mistyped binddn and bindpw

- Original Message -
From: "Lukasz Jaworski" 
To: "Nicolas Zin" 
Cc: freeipa-users@redhat.com
Sent: Tuesday, 17 February 2015 13:31:20
Subject: Re: [Freeipa-users] issues with sudo on RHEL5.8

> 
> With a RHEL7 IdM installation, I am trying to make sudo work.
> On RHEL6 there is no problem (via sssd).
> On RHEL5.8 I can't get it working (the credentials are good, I manage 
> to request the schema, see below).
> Where can I find more logs?
> What did I forget?
> [root@srv-rhel58-01 ~]# cat /etc/nss_ldap.conf
> bindn uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com
> binpw redhat5Sudo
> ssl start_tls
> tls_cacertfile /etc/openldap/cacerts/ipa.crt
> #tls_cacert /etc/openldap/cacerts/ipa.crt
> tls_checkpeer yes
> #uri ldap://srv-idm7-01.company.com, ldap://srv-idm7-02.company.com
> uri ldap://srv-idm7-01.company.com
> sudoers_base ou=SUDOers,dc=company,dc=com
> sudoers_debug: 2

Change the last line (remove the ":") to:
sudoers_debug 2

And then try sudo.

Check:
/etc/nsswitch.conf
should be:
sudoers: files ldap

Best regards,
Ender

-- 
Łukasz Jaworski



Re: [Freeipa-users] issues with sudo on RHEL5.8

2015-02-17 Thread Jakub Hrozek
On Tue, Feb 17, 2015 at 03:52:31AM -0500, Nicolas Zin wrote:
> Hi,
> 
> With a RHEL7 IdM installation, I am trying to make sudo work.
> On RHEL6 there is no problem (via sssd).
> On RHEL5.8 I can't get it working (the credentials are good, I manage 
> to request the schema, see below).
> Where can I find more logs?
> What did I forget?
> 
> 
> [root@srv-rhel58-01 ~]# cat /etc/nss_ldap.conf
> bindn uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com
> binpw redhat5Sudo
> ssl start_tls
> tls_cacertfile /etc/openldap/cacerts/ipa.crt
> #tls_cacert /etc/openldap/cacerts/ipa.crt
> tls_checkpeer yes
> #uri ldap://srv-idm7-01.company.com, ldap://srv-idm7-02.company.com
> uri ldap://srv-idm7-01.company.com
> sudoers_base ou=SUDOers,dc=company,dc=com
> sudoers_debug: 2
> 
> 
> 
> 
> 
> [root@srv-rhel58-01 ~]# ldapsearch -x -ZZ -D 
> "uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com" -b 
> "ou=SUDOers,dc=company,dc=com" -h srv-idm7-01.company.com -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # sudoers, company.com
> dn: ou=sudoers,dc=company,dc=com
> objectClass: extensibleObject
> ou: sudoers
> 
> # sudo4admin, sudoers, company.com
> dn: cn=sudo4admin,ou=sudoers,dc=company,dc=com
> objectClass: sudoRole
> sudoUser: nzin
> sudoHost: ALL
> sudoCommand: ALL
> cn: sudo4admin
> 
> # search result
> search: 3
> result: 0 Success
> 
> # numResponses: 3
> # numEntries: 2
> 
> 
> 
> 
> 
> In /var/log/secure:
> Feb 17 04:35:59 srv-rhel58-01 sudo: pam_unix(sudo-i:auth): authentication 
> failure; logname=nzin uid=0 euid=0 tty=/dev/pts/3 ruser= rhost=  user=nzin
> Feb 17 04:35:59 srv-rhel58-01 sudo: pam_sss(sudo-i:auth): authentication 
> success; logname=nzin uid=0 euid=0 tty=/dev/pts/3 ruser= rhost= user=nzin
> Feb 17 04:35:59 srv-rhel58-01 sudo: nzin : user NOT in sudoers ; 
> TTY=pts/3 ; PWD=/home/nzin ; USER=root ; COMMAND=/bin/bash
> 
> 
> 
> 
> Regards,

I don't have a 5.8 machine around, but I would suggest enabling
debugging from sudo itself. In newer versions there is a Debug
directive in sudo.conf; IIRC in earlier versions there was a '-D'
option.



[Freeipa-users] issues with sudo on RHEL5.8

2015-02-17 Thread Nicolas Zin
Hi,

With a RHEL7 IdM installation, I am trying to make sudo work.
On RHEL6 there is no problem (via sssd).
On RHEL5.8 I can't get it working (the credentials are good, I manage to 
request the schema, see below).
Where can I find more logs?
What did I forget?


[root@srv-rhel58-01 ~]# cat /etc/nss_ldap.conf
bindn uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com
binpw redhat5Sudo
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ipa.crt
#tls_cacert /etc/openldap/cacerts/ipa.crt
tls_checkpeer yes
#uri ldap://srv-idm7-01.company.com, ldap://srv-idm7-02.company.com
uri ldap://srv-idm7-01.company.com
sudoers_base ou=SUDOers,dc=company,dc=com
sudoers_debug: 2





[root@srv-rhel58-01 ~]# ldapsearch -x -ZZ -D 
"uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com" -b 
"ou=SUDOers,dc=company,dc=com" -h srv-idm7-01.company.com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudoers, company.com
dn: ou=sudoers,dc=company,dc=com
objectClass: extensibleObject
ou: sudoers

# sudo4admin, sudoers, company.com
dn: cn=sudo4admin,ou=sudoers,dc=company,dc=com
objectClass: sudoRole
sudoUser: nzin
sudoHost: ALL
sudoCommand: ALL
cn: sudo4admin

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2





In /var/log/secure:
Feb 17 04:35:59 srv-rhel58-01 sudo: pam_unix(sudo-i:auth): authentication 
failure; logname=nzin uid=0 euid=0 tty=/dev/pts/3 ruser= rhost=  user=nzin
Feb 17 04:35:59 srv-rhel58-01 sudo: pam_sss(sudo-i:auth): authentication 
success; logname=nzin uid=0 euid=0 tty=/dev/pts/3 ruser= rhost= user=nzin
Feb 17 04:35:59 srv-rhel58-01 sudo: nzin : user NOT in sudoers ; TTY=pts/3 
; PWD=/home/nzin ; USER=root ; COMMAND=/bin/bash




Regards,



Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135

Fax : 514-276-5465
7275 Saint Urbain
Suite 200
Montréal, QC, H2R 2Y5




Re: [Freeipa-users] Issues with new install - Configuration of CA failed

2015-01-14 Thread Martin Kosek
On 01/13/2015 09:06 PM, Megan . wrote:
> I am having a very difficult time getting the ipa server installed on
> our test server.
> 
> 
> 
> CentOS release 6.6 (Final)
> Linux test1-vm.example.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
> 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> 
> ipa-server-3.0.0-42.el6.centos.x86_64
> 
> 
> I tried to reinstall pki-selinux, reboot, relabel and that didn't help
>  yum reinstall pki-selinux
> 
> I reviewed a number of threads and didn't seem to see my issue of
> Request:java.net.ConnectException: Connection refused at step 2/20
> 
> https://www.redhat.com/archives/freeipa-users/2014-April/msg00278.html
> 
> 
> 
> Any suggestions would be greatly appreciated.
> 
> I used:  ipa-server-install --no-ntp
> 
> 
> Continue to configure the system with these values? [no]: yes
> 
> 
> The following operations may take some minutes to complete.
> 
> Please wait until the prompt is returned.
> 
> 
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
> 
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> 
> Done configuring directory server for the CA (pkids).
> 
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> 
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> test1-vm.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WQ28_w
> -client_certdb_pwd  -preop_pin MvLsuha0GPxvJSnYoL5u
> -domain_name IPA -admin_user admin -admin_email root@localhost
> -admin_  -agent_name ipa-ca-agent -agent_key_size 2048
> -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM
> -ldap_host test1-vm.example.com -ldap_port 7389 -bind_dn cn=Directory
> Manager -bind_  -base_dn o=ipaca -db_name ipaca
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12
> true -backup_pwd  -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM
> -ca_server_cert_subject_name CN=test1-vm.example.com,O=EXAMPLE.COM
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM
> -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM
> -external false -clone false' returned non-zero exit status 255
> 
> Configuration of CA failed
> 
> 
> 
> 
> install log:
> 
> 
> [root@test1-vm log]# cat ipaserver-install.log
> 2015-01-13T19:47:59Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-01-13T19:47:59Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2015-01-13T19:47:59Z DEBUG httpd is not configured
> 2015-01-13T19:47:59Z DEBUG kadmin is not configured
> 2015-01-13T19:47:59Z DEBUG dirsrv is not configured
> 2015-01-13T19:47:59Z DEBUG pki-cad is not configured
> 2015-01-13T19:47:59Z DEBUG pki-tomcatd is not configured
> 2015-01-13T19:47:59Z DEBUG pkids is not configured
> 2015-01-13T19:47:59Z DEBUG install is not configured
> 2015-01-13T19:47:59Z DEBUG krb5kdc is not configured
> 2015-01-13T19:47:59Z DEBUG ntpd is not configured
> 2015-01-13T19:47:59Z DEBUG named is not configured
> 2015-01-13T19:47:59Z DEBUG ipa_memcached is not configured
> 2015-01-13T19:47:59Z DEBUG filestore is tracking no files
> 2015-01-13T19:47:59Z DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2015-01-13T19:47:59Z DEBUG /usr/sbin/ipa-server-install was invoked
> with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name':
> None, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False,
> 'subject': None, 'no_forwarders': False, 'persistent_search': True,
> 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow':
> False, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended':
> False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file':
> None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False,
> 'forwarders': None, 'idstart': 184480, 'external_ca': False,
> 'ip_address': None, 'conf_ssh': True, 'serial_autoincrement': True,
> 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug':
> False, 'external_cert_file': None, 'uninstall': False}
> 2015-01-13T19:47:59Z DEBUG missing options might be asked for
> interactively later
> 
> 2015-01-13T19:47:59Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2015-01-13T19:47:59Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-01-13T19:47:59Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
> 2015-01-13T19:47:59Z DEBUG stdout=VirtualHost configuration:
> wildcard NameVirtualHosts and _default_ servers:
> _default_:8443 test1

[Freeipa-users] Issues with new install - Configuration of CA failed

2015-01-13 Thread Megan .
I am having a very difficult time getting the ipa server installed on
our test server.



CentOS release 6.6 (Final)
Linux test1-vm.example.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

ipa-server-3.0.0-42.el6.centos.x86_64


I tried to reinstall pki-selinux, reboot, relabel and that didn't help
 yum reinstall pki-selinux

I reviewed a number of threads and didn't seem to see my issue of
Request:java.net.ConnectException: Connection refused at step 2/20

https://www.redhat.com/archives/freeipa-users/2014-April/msg00278.html



Any suggestions would be greatly appreciated.

I used:  ipa-server-install --no-ntp


Continue to configure the system with these values? [no]: yes


The following operations may take some minutes to complete.

Please wait until the prompt is returned.


Configuring directory server for the CA (pkids): Estimated time 30 seconds

  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server

Done configuring directory server for the CA (pkids).

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance

ipa : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
test1-vm.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WQ28_w
-client_certdb_pwd  -preop_pin MvLsuha0GPxvJSnYoL5u
-domain_name IPA -admin_user admin -admin_email root@localhost
-admin_  -agent_name ipa-ca-agent -agent_key_size 2048
-agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM
-ldap_host test1-vm.example.com -ldap_port 7389 -bind_dn cn=Directory
Manager -bind_  -base_dn o=ipaca -db_name ipaca
-key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12
true -backup_pwd  -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM
-ca_server_cert_subject_name CN=test1-vm.example.com,O=EXAMPLE.COM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM
-ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM
-external false -clone false' returned non-zero exit status 255

Configuration of CA failed




install log:


[root@test1-vm log]# cat ipaserver-install.log
2015-01-13T19:47:59Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-13T19:47:59Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2015-01-13T19:47:59Z DEBUG httpd is not configured
2015-01-13T19:47:59Z DEBUG kadmin is not configured
2015-01-13T19:47:59Z DEBUG dirsrv is not configured
2015-01-13T19:47:59Z DEBUG pki-cad is not configured
2015-01-13T19:47:59Z DEBUG pki-tomcatd is not configured
2015-01-13T19:47:59Z DEBUG pkids is not configured
2015-01-13T19:47:59Z DEBUG install is not configured
2015-01-13T19:47:59Z DEBUG krb5kdc is not configured
2015-01-13T19:47:59Z DEBUG ntpd is not configured
2015-01-13T19:47:59Z DEBUG named is not configured
2015-01-13T19:47:59Z DEBUG ipa_memcached is not configured
2015-01-13T19:47:59Z DEBUG filestore is tracking no files
2015-01-13T19:47:59Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-01-13T19:47:59Z DEBUG /usr/sbin/ipa-server-install was invoked
with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name':
None, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False,
'subject': None, 'no_forwarders': False, 'persistent_search': True,
'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow':
False, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended':
False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file':
None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False,
'forwarders': None, 'idstart': 184480, 'external_ca': False,
'ip_address': None, 'conf_ssh': True, 'serial_autoincrement': True,
'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug':
False, 'external_cert_file': None, 'uninstall': False}
2015-01-13T19:47:59Z DEBUG missing options might be asked for
interactively later

2015-01-13T19:47:59Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2015-01-13T19:47:59Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-13T19:47:59Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
2015-01-13T19:47:59Z DEBUG stdout=VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:8443 test1-vm.example.com (/etc/httpd/conf.d/nss.conf:84)

2015-01-13T19:47:59Z DEBUG stderr=Syntax OK

2015-01-13T19:48:02Z DEBUG Check if test1-vm.example.com is a primary
hostname for localhost
2015-01-13T19:48:02Z DEBUG Primary hostname for localhost: test1-vm.example.com
2015

Re: [Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Simo Sorce
On Fri, 2014-06-20 at 19:51 +0200, Rob Verduijn wrote:
> Considering the root implications.
> 
> Handing out root to all nfs clients is indeed something that is undesirable.
> However, personally I believe manually creating homedirs to be a
> procedure from the previous millennium.
> 
> Can I get freeipa to do this automatically the right way? (respecting 
> security)

Not yet, because it is complicated: the problem is that the FreeIPA
server doesn't necessarily know "where" the home directories are.
We assume the user wants to provide them from a dedicated NAS or other
NFS server.

We are tracking the desire to perform operations (like home directory
creation) when a user is created here:
https://fedorahosted.org/freeipa/ticket/2156

In the meantime I can suggest using a script in a cronjob on the NFS
server that fetches the user list from LDAP and proceeds to create a
home directory from the homeDirectory attribute if it is missing.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
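A script of the kind Simo describes, added here as an example (not from the thread or from FreeIPA): it reads the LDIF that ldapsearch returns for posixAccount entries and creates each missing homeDirectory with mode 0700, owned by the user, refusing any path that does not lie inside the export. LDAP_URI, USER_BASE and the export root /srv/home are assumed values; SAMPLE_LDIF is constructed.

```python
"""Create missing home directories on an NFS server from LDAP user entries.

Added example, not code from the thread or from FreeIPA. LDAP_URI,
USER_BASE and EXPORT_ROOT are assumed values; SAMPLE_LDIF is constructed.
"""
import os
import subprocess
import sys

LDAP_URI = "ldaps://ipa.example.com"                    # assumed
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"    # assumed
EXPORT_ROOT = "/srv/home"     # assumed; homes outside it are never created
WANTED = ("uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample of what fetch_users_ldif() returns (4701 is the uid
# seen in the rtkit log earlier in the thread).
SAMPLE_LDIF = """\
dn: uid=rob,cn=users,cn=accounts,dc=example,dc=com
uid: rob
uidNumber: 4701
gidNumber: 4701
homeDirectory: /srv/home/rob

dn: uid=badhome,cn=users,cn=accounts,dc=example,dc=com
uid: badhome
uidNumber: 4702
gidNumber: 4702
homeDirectory: /srv/home/../../root
"""


def fetch_users_ldif(uri=LDAP_URI, base=USER_BASE):
    """Query the directory over GSSAPI (host keytab or ticket); returns LDIF."""
    cmd = ["ldapsearch", "-LLL", "-Q", "-Y", "GSSAPI", "-H", uri, "-b", base,
           "(objectClass=posixAccount)", *WANTED]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_ldif_users(ldif_text):
    """Return one dict per entry carrying all WANTED attributes; others dropped."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # LDIF folds long lines with a space
        else:
            lines.append(raw)
    users, entry = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if all(k in entry for k in WANTED):
                users.append({k: entry[k] for k in WANTED})
            entry = {}
            continue
        name, sep, value = line.partition(":")
        if sep and not value.startswith(":") and name in WANTED:  # "::" = base64
            entry[name] = value.strip()
    return users


def safe_home_path(home, export_root=EXPORT_ROOT):
    """Normalized path if `home` lies strictly inside export_root, else None.
    homeDirectory comes from the directory; "/srv/home/../../root" must not
    reach mkdir/chown."""
    if not os.path.isabs(home):
        return None
    root, path = os.path.abspath(export_root), os.path.abspath(home)
    if path == root or os.path.commonpath([root, path]) != root:
        return None
    return path


def create_missing_homes(users, export_root=EXPORT_ROOT, dry_run=False):
    """Create each missing home; returns (created_paths, [(uid, reason), ...])."""
    created, skipped = [], []
    for u in users:
        path = safe_home_path(u["homeDirectory"], export_root)
        if path is None:
            skipped.append((u["uid"], "homeDirectory outside export root"))
            continue
        if os.path.lexists(path):           # existing dir or symlink: leave alone
            skipped.append((u["uid"], "already exists"))
            continue
        if not dry_run:
            os.mkdir(path, 0o700)
            try:
                os.chown(path, int(u["uidNumber"]), int(u["gidNumber"]))
                os.chmod(path, 0o700)       # undo any umask widening
            except OSError as exc:          # chown needs root on the NFS server
                os.rmdir(path)              # never leave a root-owned home behind
                skipped.append((u["uid"], f"chown failed: {exc.strerror}"))
                continue
        created.append(path)
    return created, skipped


if __name__ == "__main__":
    live = "--live" in sys.argv             # without --live: offline dry run
    text = fetch_users_ldif() if live else SAMPLE_LDIF
    made, skips = create_missing_homes(parse_ldif_users(text), dry_run=not live)
    print("created:", made)
    print("skipped:", skips)
```

Run with --live as root on the NFS server (for instance from cron) to query the directory and actually create directories; without it the constructed sample is processed as a dry run.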



Re: [Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Rob Verduijn
Considering the root implications.

Handing out root to all nfs clients is indeed something that is undesirable.
However, personally I believe manually creating homedirs to be a
procedure from the previous millennium.

Can I get freeipa to do this automatically the right way? (respecting security)

Rob



Re: [Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Rob Verduijn
Hi,

I have not touched the pulse audio configuration, it's set to the default; I
can see in the logs that the pulseaudio daemon assumes the user id.
rtkit-daemon[697]: Successfully made thread 3299 of process 3299
(/usr/bin/pulseaudio) owned by '4701' high priority at nice level
-11.
rtkit-daemon[697]: Supervising 5 threads of 2 processes of 2 users.
pulseaudio[3299]: [pulseaudio] core-util.c: Failed to create secure
directory (/home/rob/.config/pulse): Permission denied

The directory already exists, I tried removing it, which did not help.

Rob

2014-06-20 19:14 GMT+02:00 Simo Sorce :
> On Fri, 2014-06-20 at 18:57 +0200, Rob Verduijn wrote:
>> Hi Simo,
>>
>> Thanks for the quick answer, I will consider the root implications.
>> However, what about pulse audio not working?
>> The logs complain about that one not being able to write in home as well.
>
> Is it running as the "pulse" user?
> If so it would be the same issue, but I thought pulseaudio runs as the
> user by default; have you changed its configuration to run one instance
> per system by chance?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>



Re: [Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Simo Sorce
On Fri, 2014-06-20 at 18:57 +0200, Rob Verduijn wrote:
> Hi Simo,
> 
> Thanks for the quick answer, I will consider the root implications.
> However, what about pulse audio not working?
> The logs complain about that one not being able to write in home as well.

Is it running as the "pulse" user?
If so it would be the same issue, but I thought pulseaudio runs as the
user by default; have you changed its configuration to run one instance
per system by chance?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Rob Verduijn
Hi Simo,

Thanks for the quick answer, I will consider the root implications.
However, what about pulse audio not working?
The logs complain about that one not being able to write in home as well.

Rob

2014-06-20 18:27 GMT+02:00 Simo Sorce :
> On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote:
>> Hello,
>>
>> I'm a bit at a loss with my freeipa kerberized nfs4 shares.
>>
>> the nfs4 shares mount fine and users can read and write their files.
>> However pulse audio does not work properly, and some programs fail to start.
>> When logging in with a local account using a local homedrive
>> pulseaudio works, and the programs also work.
>> Also oddjob is not capable of creating a home dir for a new user.
>>
>> root is not allowed to write in the home mount on the client (mkdir
>> test and touch test get a Permission denied)
>>
>> I don't think it's selinux, because setenforce 0 on the nfs-server and
>> setenforce 0 on the nfs client did not help.
>
> Indeed it is not selinux nor anything client-related: when you use
> kerberized NFSv4 *all* accesses, including root, must be authenticated.
>
> When your "local" root user tries to access the mount point, either it
> cannot authenticate or it uses the system keytab to authenticate; in
> both cases, without further configuration on the server these accesses are
> mapped to the nobody user or refused outright.
>
> If you really want to trust *every* client to have full *root* access on
> your server then you need to make sure the client is using the host
> keytab when acting as root (default unless you pass -n to rpc.gssd), then
> you need to explicitly map the client's host keys to the root account
> on the server.
> add:
>  host/client.host.name@YOUR.REALM = root
> in the [static] section of idmapd.conf
>
> See idmapd.conf(5) for details.
>
>> freeipa policies seem to be working fine, sudo rules are applied the
>> way I expect them.
>> Logging in on all the machines works, automounting works like a charm,
>> except for the situations described above.
>>
>> server details are below
>>
>> Anybody who can tell me what I've missed?
>
> What you've missed is simply that clients are not allowed to act as root
> on NFS mounts by default. It's a security issue, because a compromised
> client can then do what it wants with all NFS shared data regardless of
> user permissions.
>
> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>



Re: [Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Simo Sorce
On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote:
> Hello,
> 
> I'm a bit at a loss with my freeipa kerberized nfs4 shares.
> 
> the nfs4 shares mount fine and users can read and write their files.
> However pulse audio does not work properly, and some programs fail to start.
> When logging in with a local account using a local homedrive
> pulseaudio works, and the programs also work.
> Also oddjob is not capable of creating a home dir for a new user.
> 
> root is not allowed to write in the home mount on the client (mkdir
> test and touch test get a Permission denied)
> 
> I don't think it's selinux, because setenforce 0 on the nfs-server and
> setenforce 0 on the nfs client did not help.

Indeed it is not selinux nor anything client-related: when you use
kerberized NFSv4 *all* accesses, including root, must be authenticated.

When your "local" root user tries to access the mount point, either it
cannot authenticate or it uses the system keytab to authenticate; in
both cases, without further configuration on the server these accesses are
mapped to the nobody user or refused outright.

If you really want to trust *every* client to have full *root* access on
your server then you need to make sure the client is using the host
keytab when acting as root (default unless you pass -n to rpc.gssd), then
you need to explicitly map the client's host keys to the root account
on the server.
add:
 host/client.host.name@YOUR.REALM = root
in the [static] section of idmapd.conf

See idmapd.conf(5) for details.

> freeipa policies seem to be working fine, sudo rules are applied the
> way I expect them.
> Logging in on all the machines works, automounting works like a charm,
> except for the situations described above.
> 
> server details are below
> 
> Anybody who can tell me what I've missed?

What you've missed is simply that clients are not allowed to act as root
on NFS mounts by default. It's a security issue, because a compromised
client can then do what it wants with all NFS shared data regardless of
user permissions.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
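
The root mapping Simo describes is an audit target in its own right: a [Static] entry that maps a client's host principal to root, combined with an export that sets no_root_squash, gives that client unrestricted access to everything under the export. The Python script below is an added example, not code from this thread or from nfs-utils; it reads an idmapd.conf and an exports file (both constructed samples here, with made-up host names and realm) and lists every such combination, so that a defender can confirm each one is intentional. It only models the [Static] section and the no_root_squash option; other idmapd methods and export options are out of scope.

```python
import configparser
import re

# Constructed sample inputs (not taken from any real host): an idmapd.conf with
# the kind of [Static] mapping Simo describes, and an exports file modelled on
# the one Rob posted. Host names and realm are made up.
SAMPLE_IDMAPD_CONF = """\
[General]
Domain = linux.example.test

[Static]
host/client1.linux.example.test@LINUX.EXAMPLE.TEST = root
host/client2.linux.example.test@LINUX.EXAMPLE.TEST = nobody
"""

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/exports *(rw,no_root_squash,crossmnt,fsid=0,sec=krb5p)
/exports/homes *(rw,no_root_squash,no_subtree_check,sec=krb5p)
/exports/scratch 10.0.0.0/24(rw,sec=krb5p)
"""


def static_root_principals(idmapd_text):
    """Principals that the [Static] section maps onto the local root account."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep principal names case-sensitive
    parser.read_string(idmapd_text)
    for section in parser.sections():
        if section.lower() == "static":  # idmapd.conf(5) spells it [Static]
            return sorted(principal for principal, user in parser[section].items()
                          if user.strip() == "root")
    return []


CLIENT_RE = re.compile(r"^(?P<client>.*?)\((?P<opts>[^)]*)\)$")


def exports_without_root_squash(exports_text):
    """(path, client, options) for every export entry that sets no_root_squash."""
    found = []
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            match = CLIENT_RE.match(client)
            if not match:
                continue  # a bare client without options keeps the root_squash default
            opts = match.group("opts").split(",")
            if "no_root_squash" in opts:
                found.append((path, match.group("client"), opts))
    return found


def audit(idmapd_text, exports_text):
    """Cross the two views: which client hosts end up with root on which export."""
    principals = static_root_principals(idmapd_text)
    open_exports = exports_without_root_squash(exports_text)
    findings = []
    for principal in principals:
        # host/fqdn@REALM -> fqdn; anything else is reported as-is
        host = principal[5:].split("@", 1)[0] if principal.startswith("host/") else principal
        for path, client, _ in open_exports:
            findings.append(f"{host} ({principal}) acts as root on {path} (exported to {client})")
    return {"root_principals": principals,
            "no_root_squash": open_exports,
            "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_IDMAPD_CONF, SAMPLE_EXPORTS)["findings"]:
        print(finding)
```

Run against real files, the list of findings is the set of hosts whose compromise hands an attacker root on the shared data; an empty list means the default root squashing is still in force everywhere, which is the state Simo recommends leaving alone unless there is a reason not to.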



[Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Rob Verduijn
Hello,

I'm a bit at a loss with my freeipa kerberized nfs4 shares.

the nfs4 shares mount fine and users can read and write their files.
However pulse audio does not work properly, and some programs fail to start.
When logging in with a local account using a local homedrive
pulseaudio works, and the programs also work.
Also oddjob is not capable of creating a home dir for a new user.

root is not allowed to write in the home mount on the client (mkdir
test and touch test get a Permission denied)

I don't think it's selinux, because setenforce 0 on the nfs-server and
setenforce 0 on the nfs client did not help.

freeipa policies seem to be working fine, sudo rules are applied the
way I expect them.
Logging in on all the machines works, automounting works like a charm,
except for the situations described above.

server details are below

Anybody who can tell me what I've missed?
Rob

the freeipa server is a dedicated fedora20 x86_64 machine with the
latest updates applied

the nfs-server is a fedora20 x86_64 machine with the latest updates applied

these booleans have been applied on the nfs server
nfs_export_all_ro --> on
nfs_export_all_rw --> on

The exports are :
/exports *(rw,no_root_squash,crossmnt,fsid=0,sec=krb5p)
/exports/homes *(rw,no_root_squash,no_subtree_check,sec=krb5p)

/exports/homes is a bind mount from :
/data3/homes

selinux contexts of the dirs:
ls -dalsZ /data3/homes
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /data3/homes
ls -dalsZ /exports/homes
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /exports/homes

/exports/homes is automounted by systemd using this unit file:
cat /etc/systemd/system/exports-homes.automount
[Unit]
Description=/exports/homes Directory Automount Point
Wants=network.target statd.service
After=network.target statd.service
[Automount]
Where=/exports/homes

[Install]
WantedBy=multi-user.target

and the matching unit mount:
cat /etc/systemd/system/exports-homes.mount
[Unit]
Description=Exports Homes Directory
Wants=network.target statd.service
After=network.target statd.service
[Mount]
What=/data3/homes
Where=/exports/homes
Type=none
Options=bind
DirectoryMode=0755

the nfs client is a fedora20 x86_64 machine with all the latest patches applied
This boolean has been set:
use_nfs_home_dirs --> on

ls -dalsZ /home/
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /home/

the home folder is automounted by systemd using this unit file :
cat /etc/systemd/system/home.automount
[Unit]
Description=Home Directory Automount Point
Wants=network.target statd.service
After=network.target statd.service
[Automount]
Where=/home
[Install]
WantedBy=multi-user.target

and the matching unit mount
cat /etc/systemd/system/home.mount
[Unit]
Description=Home Directory
Wants=network.target statd.service
After=network.target statd.service
[Mount]
What=172.16.1.1:/homes
Where=/home
Type=nfs4
Options=timeo=14,noatime,timeo=14,soft,sec=krb5p,context=system_u:object_r:user_home_t:s0
DirectoryMode=0750



Re: [Freeipa-users] Issues creating trust with AD.

2014-02-24 Thread Sumit Bose
On Fri, Feb 21, 2014 at 11:17:38PM +0200, Genadi Postrilko wrote:
> I would like to clarify myself, I wasn't accurate when I compared it to:
> https://bugzilla.redhat.com/show_bug.cgi?id=878564.
> 

...

> 
> *But kinit with AD users failed:*
> 
> [root@ipaserver1 ~]# kinit gen...@adexample.com
> kinit: Cannot resolve servers for KDC in realm "ADEXAMPLE.COM" while
> getting initial credentials
> 
> *But after a few minutes I was able to kinit with AD users again:*
> 
> [root@ipaserver1 ~]# kinit gen...@adexample.com
> Password for gen...@adexample.com:

The AD KDC is resolved by doing DNS SRV lookup, e.g.

dig SRV _kerberos._udp.adexample.com

So I would assume a DNS related issue. Did the IP address of your AD
server change after the reboot? Or did you call kinit early during the
AD boot process so that the DNS server was not running yet?

If you see this issue again, please call

KRB5_TRACE=/dev/stdout kinit gen...@adexample.com

This will print lots of debug information about what libkrb5 is doing and
might help to identify the origin of the issue.

bye,
Sumit
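
Sumit's diagnosis rests on how the KDC is located: the client resolves the _kerberos._udp SRV record for the realm's DNS domain and tries the returned hosts in priority order, so an empty answer during the AD boot is enough to produce the kinit error quoted above. The Python below is an added example, not code from this thread and not krb5's own resolver; it parses constructed `dig +short SRV` output (the host names are made up), orders the records the way RFC 2782 prescribes, and states what an empty answer means in the terms the thread uses. It runs offline on the embedded sample and does no DNS queries itself.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample in the shape `dig +short SRV _kerberos._udp.<domain>` prints
# (priority weight port target). The host names are made up for this example.
SAMPLE_DIG_SHORT = """\
0 100 88 dc1.adexample.com.
0 50 88 dc2.adexample.com.
10 0 88 dc-backup.adexample.com.
"""


def parse_dig_short(text):
    """Turn `dig +short SRV` output lines into SrvRecord tuples; other lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_srv(records, seed=None):
    """Order records the way RFC 2782 tells a client to try them: lowest priority
    first, and inside one priority a weighted random draw (seed makes it repeatable)."""
    rng = random.Random(seed)
    remaining = list(records)
    ordered = []
    while remaining:
        lowest = min(r.priority for r in remaining)
        group = [r for r in remaining if r.priority == lowest]
        remaining = [r for r in remaining if r.priority != lowest]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = rng.choice(group)  # only zero-weight records left: any order
            else:
                pick = rng.choices(group, weights=[r.weight for r in group])[0]
            ordered.append(pick)
            group.remove(pick)
    return ordered


def diagnose(records, realm, seed=None):
    """Say what kinit will do with this answer, in the terms the thread uses."""
    if not records:
        return (f"no SRV records for the realm: kinit reports 'Cannot resolve servers "
                f"for KDC in realm \"{realm}\"' (check the DNS server the client uses)")
    tries = ", ".join(f"{r.target}:{r.port}" for r in order_srv(records, seed))
    return f"KDC candidates for {realm}, in try order: {tries}"


if __name__ == "__main__":
    print(diagnose(parse_dig_short(SAMPLE_DIG_SHORT), "ADEXAMPLE.COM", seed=0))
    print(diagnose([], "ADEXAMPLE.COM"))
```

Feeding it the real output of the dig command Sumit gives shows which DCs the client would try and in what order; an empty result reproduces the failure mode in the thread without needing to watch a KRB5_TRACE.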

> 
> I think I was too fast on making conclusions.
> Not sure if opening a bug is needed.
> 
> 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Issues creating trust with AD.

2014-02-21 Thread Genadi Postrilko
I would like to clarify myself, I wasn't accurate when I compared it to:
https://bugzilla.redhat.com/show_bug.cgi?id=878564.

I have tried to reproduce the bug by restarting the AD.

*I was able to perform winbindd commands:*

[root@ipaserver1 ~]# wbinfo -u
ADEXAMPLE\administrator
ADEXAMPLE\guest
ADEXAMPLE\genadi
ADEXAMPLE\krbtgt
ADEXAMPLE\linux$
ADEXAMPLE\daniel
[root@ipaserver1 ~]# wbinfo -g
admins
editors
default smb group
ad_users
ADEXAMPLE\domain computers
ADEXAMPLE\domain controllers
ADEXAMPLE\schema admins
ADEXAMPLE\enterprise admins
ADEXAMPLE\domain admins
ADEXAMPLE\domain users
ADEXAMPLE\domain guests
ADEXAMPLE\group policy creator owners
ADEXAMPLE\read-only domain controllers
ADEXAMPLE\enterprise read-only domain controllers
ADEXAMPLE\dnsupdateproxy
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\administrator"
S-1-5-21-2887728911-2909484380-3974070232-500 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\guest"
S-1-5-21-2887728911-2909484380-3974070232-501 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\genadi"
S-1-5-21-2887728911-2909484380-3974070232-1000 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\krbtgt"
S-1-5-21-2887728911-2909484380-3974070232-502 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\linux$"
S-1-5-21-2887728911-2909484380-3974070232-1104 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n "ADEXAMPLE\daniel"
S-1-5-21-2887728911-2909484380-3974070232-1105 SID_USER (1)

*But kinit with AD users failed:*

[root@ipaserver1 ~]# kinit gen...@adexample.com
kinit: Cannot resolve servers for KDC in realm "ADEXAMPLE.COM" while
getting initial credentials

*But after a few minutes I was able to kinit with AD users again:*

[root@ipaserver1 ~]# kinit gen...@adexample.com
Password for gen...@adexample.com:

I think I was too fast on making conclusions.
Not sure if opening a bug is needed.



2014-02-21 17:38 GMT+02:00 Simo Sorce :

> On Fri, 2014-02-21 at 00:27 +0200, Genadi Postrilko wrote:
> > Update:
> > For some reason the AD server has rebooted itself.
> > After the reboot I couldn't perform kinit with AD users.
> > I found a bugzilla that describes the symptoms that I experienced:
> > https://bugzilla.redhat.com/show_bug.cgi?id=878564
> > Not sure if it is the same bug - the bugzilla reports bug in
> > samba4-4.0.0-48.el6.rc4.x86_64
> > while my version is samba4-4.0.0-58.el6.rc4.x86_64 (after downgrade).
> >
> > I have rebooted the IPA server to see if it changes anything.
> > After the reboot I was able to kinit with AD users, but not only that - now
> > I am able to log in with AD users to client machines.
> >
> > Any idea on what just happened?
>
> Sounds like a bug in winbindd which we currently use to talk to the
> Windows DCs for this functionality.
> Apparently winbindd failed to detect the DC came back online.
> A restart of the ipa server caused winbindd to restart and retry to get
> online.
>
> Can you please open a bug to track this issue?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-21 Thread Simo Sorce
On Fri, 2014-02-21 at 00:27 +0200, Genadi Postrilko wrote:
> Update:
> For some reason the AD server has rebooted itself.
> After the reboot I couldn't perform kinit with AD users.
> I found a bugzilla that describes the symptoms that I experienced:
> https://bugzilla.redhat.com/show_bug.cgi?id=878564
> Not sure if it is the same bug - the bugzilla reports bug in
> samba4-4.0.0-48.el6.rc4.x86_64
> while my version is samba4-4.0.0-58.el6.rc4.x86_64 (after downgrade).
> 
> I have rebooted the IPA server to see if it changes anything.
> After the reboot I was able to kinit with AD users, but not only that - now
> I am able to log in with AD users to client machines.
> 
> Any idea on what just happened?

Sounds like a bug in winbindd which we currently use to talk to the
Windows DCs for this functionality.
Apparently winbindd failed to detect the DC came back online.
A restart of the ipa server caused winbindd to restart and retry to get
online.

Can you please open a bug to track this issue?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Issues creating trust with AD.

2014-02-20 Thread Genadi Postrilko
Update:
For some reason the AD server has rebooted itself.
After the reboot I couldn't perform kinit with AD users.
I found a bugzilla that describes the symptoms that I experienced:
https://bugzilla.redhat.com/show_bug.cgi?id=878564
Not sure if it is the same bug - the bugzilla reports bug in
samba4-4.0.0-48.el6.rc4.x86_64
while my version is samba4-4.0.0-58.el6.rc4.x86_64 (after downgrade).

I have rebooted the IPA server to see if it changes anything.
After the reboot I was able to kinit with AD users, but not only that - now
I am able to log in with AD users to client machines.

Any idea on what just happened?

Thanks.


Re: [Freeipa-users] Issues creating trust with AD.

2014-02-19 Thread Sumit Bose
On Wed, Feb 19, 2014 at 12:17:59AM +0200, Genadi Postrilko wrote:
> After I restarted SSSD nothing changed - still cannot login via ssh/su.
> I have increased debug level to 6:
> https://gist.github.com/anonymous/9081367
> (krb5_child was empty)

The LDAP extended operation which should fetch the user data of the AD
user fails:

(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

Hence the user is not available on the client and the login fails.

Since winbind is working correctly on the server as shown by the wbinfo
output below and the client is able to talk to the LDAP server in the
IPA server I assume that there is an issue in processing the exop
request or in the communication between the LDAP server and winbind.

For the second you might want to check if there are any SELinux denials
in your audit log.

For the first you should enable debug logging for the LDAP server, see
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting for details.
The log level which is needed here is 65536 'Plug-in debugging'. The
logs might be too large for a mailing list; feel free to send them to me
directly.

bye,
Sumit

> 
> Thank you.
> 
> 
> 
> 
> 2014-02-18 11:38 GMT+02:00 Sumit Bose :
> 
> > On Tue, Feb 18, 2014 at 01:11:38AM +0200, Genadi Postrilko wrote:
> > > Thank you for the help!
> > > I have performed downgrade:
> > >
> > > yum downgrade samba4*
> > >
> > > [root@ipaserver1 ~]# rpm -qa | grep samb
> > > samba4-python-4.0.0-58.el6.rc4.x86_64
> > > samba4-winbind-4.0.0-58.el6.rc4.x86_64
> > > samba4-common-4.0.0-58.el6.rc4.x86_64
> > > samba4-winbind-clients-4.0.0-58.el6.rc4.x86_64
> > > samba4-libs-4.0.0-58.el6.rc4.x86_64
> > > samba4-client-4.0.0-58.el6.rc4.x86_64
> > > samba4-4.0.0-58.el6.rc4.x86_64
> > >
> > > And it worked !
> > >
> > > *I am now able to perform login via "ssh" and su onto the ipaserver with
> > > AD users:*
> > >
> > > [root@ipaserver1 ~]# su gen...@adexample.com
> > > sh-4.1$
> > >
> > > *and wbinfo and getent return values:*
> > >
> > > [root@ipaserver1 ~]# wbinfo -u
> > > ADEXAMPLE\administrator
> > > ADEXAMPLE\guest
> > > ADEXAMPLE\genadi
> > > ADEXAMPLE\krbtgt
> > > ADEXAMPLE\linux$
> > > ADEXAMPLE\daniel
> > >
> > > [root@ipaserver1 ~]# wbinfo -g
> > > admins
> > > editors
> > > default smb group
> > > ad_users
> > > ADEXAMPLE\domain computers
> > > ADEXAMPLE\domain controllers
> > > ADEXAMPLE\schema admins
> > > ADEXAMPLE\enterprise admins
> > > ADEXAMPLE\domain admins
> > > ADEXAMPLE\domain users
> > > ADEXAMPLE\domain guests
> > > ADEXAMPLE\group policy creator owners
> > > ADEXAMPLE\read-only domain controllers
> > > ADEXAMPLE\enterprise read-only domain controllers
> > > ADEXAMPLE\dnsupdateproxy
> > >
> > > [root@ipaserver1 ~]# getent passwd gen...@adexample.com
> > > gen...@adexample.com:*:699001000:699001000::/home/adexample.com/genadi:
> >
> > Thanks a lot for confirming that -58 is working on the FreeIPA server.
> >
> > >
> > > *After this success, I have tried to execute a login on client machine
> > > (using AD user), but it did not work:*
> > >
> > > [root@ipaclient1 ~]# su gen...@adexample.com
> > > su: user gen...@adexample.com does not exist
> > >
> > > *Also wbinfo and getent do not return value:*
> > >
> > > [root@ipaclient1 ~]# wbinfo -u
> > > [root@ipaclient1 ~]# wbinfo -g
> > > [root@ipaclient1 ~]# getent passwd gen...@adexample.com
> >
> > Winbind is not running on the IPA client. SSSD running on the IPA client
> > uses an LDAP extended operation to get the basic data about AD users and
> > groups. Please try to restart SSSD on the client. If this does not help,
> > please send me the client's SSSD log files.
> >
> > bye,
> > Sumit
> >
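
Sumit's reading of the log is a detection rule a practitioner can automate: a failing ipa_s2n_exop_done result means the client reached the IPA server's LDAP service but the extended operation failed there, so the next place to look is the server side (directory server plug-in log, SELinux audit log), not the client. The Python below is an added example, not code from this thread or from SSSD; it parses the log lines Sumit quotes (re-joined where the mail client wrapped them, plus one constructed success line for contrast), returns the failing entries, and summarises where to look next.

```python
import re

# Log lines from Sumit's mail (the client's sssd domain log), re-joined where
# the mail wrapped them, plus one constructed success line for contrast.
SAMPLE_LOG = """\
(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Tue Feb 18 11:35:10 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
"""

# One SSSD back-end log line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")


def parse_line(line):
    """Split one log line into its fields, or return None for lines in another shape."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def find_s2n_failures(log_text):
    """Entries showing the s2n (SID/name lookup) extended operation to the IPA
    server failing: a non-success exop result, or the get_user step reporting it."""
    failures = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        msg = entry["msg"]
        if entry["func"] == "ipa_s2n_exop_done" and "result:" in msg and "Success" not in msg:
            failures.append(entry)
        elif entry["func"] == "ipa_s2n_get_user_done" and "failed" in msg:
            failures.append(entry)
    return failures


def triage(failures):
    """Where to look next, following the split Sumit makes in his mail."""
    if not failures:
        return "no s2n failures: the user lookup reached the IPA server and succeeded"
    results = sorted({f["msg"].split("result: ", 1)[1]
                      for f in failures if "result: " in f["msg"]})
    return ("s2n exop failed on the IPA server side (" + "; ".join(results) + "): "
            "check the directory server's plug-in log on the IPA server and the "
            "audit log for SELinux denials between the LDAP server and winbind")


if __name__ == "__main__":
    found = find_s2n_failures(SAMPLE_LOG)
    for entry in found:
        print(entry["ts"], entry["func"], entry["msg"])
    print(triage(found))
```

The same parser works on any SSSD back-end log at debug_level 6 or higher; only the two function names are specific to the IPA provider's AD-user lookup path that this thread is about.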



Re: [Freeipa-users] Issues creating trust with AD.

2014-02-18 Thread Genadi Postrilko
After I restarted SSSD nothing changed - still cannot login via ssh/su.
I have increased debug level to 6:
https://gist.github.com/anonymous/9081367
(krb5_child was empty)

Thank you.




2014-02-18 11:38 GMT+02:00 Sumit Bose :

> On Tue, Feb 18, 2014 at 01:11:38AM +0200, Genadi Postrilko wrote:
> > Thank you for the help!
> > I have performed downgrade:
> >
> > yum downgrade samba4*
> >
> > [root@ipaserver1 ~]# rpm -qa | grep samb
> > samba4-python-4.0.0-58.el6.rc4.x86_64
> > samba4-winbind-4.0.0-58.el6.rc4.x86_64
> > samba4-common-4.0.0-58.el6.rc4.x86_64
> > samba4-winbind-clients-4.0.0-58.el6.rc4.x86_64
> > samba4-libs-4.0.0-58.el6.rc4.x86_64
> > samba4-client-4.0.0-58.el6.rc4.x86_64
> > samba4-4.0.0-58.el6.rc4.x86_64
> >
> > And it worked !
> >
> > *I am now able to perform login via "ssh" and su onto the ipaserver with
> > AD users:*
> >
> > [root@ipaserver1 ~]# su gen...@adexample.com
> > sh-4.1$
> >
> > *and wbinfo and getent return values:*
> >
> > [root@ipaserver1 ~]# wbinfo -u
> > ADEXAMPLE\administrator
> > ADEXAMPLE\guest
> > ADEXAMPLE\genadi
> > ADEXAMPLE\krbtgt
> > ADEXAMPLE\linux$
> > ADEXAMPLE\daniel
> >
> > [root@ipaserver1 ~]# wbinfo -g
> > admins
> > editors
> > default smb group
> > ad_users
> > ADEXAMPLE\domain computers
> > ADEXAMPLE\domain controllers
> > ADEXAMPLE\schema admins
> > ADEXAMPLE\enterprise admins
> > ADEXAMPLE\domain admins
> > ADEXAMPLE\domain users
> > ADEXAMPLE\domain guests
> > ADEXAMPLE\group policy creator owners
> > ADEXAMPLE\read-only domain controllers
> > ADEXAMPLE\enterprise read-only domain controllers
> > ADEXAMPLE\dnsupdateproxy
> >
> > [root@ipaserver1 ~]# getent passwd gen...@adexample.com
> > gen...@adexample.com:*:699001000:699001000::/home/adexample.com/genadi:
>
> Thanks a lot for confirming that -58 is working on the FreeIPA server.
>
> >
> > *After this success, I have tried to execute a login on client machine
> > (using AD user), but it did not work:*
> >
> > [root@ipaclient1 ~]# su gen...@adexample.com
> > su: user gen...@adexample.com does not exist
> >
> > *Also wbinfo and getent do not return value:*
> >
> > [root@ipaclient1 ~]# wbinfo -u
> > [root@ipaclient1 ~]# wbinfo -g
> > [root@ipaclient1 ~]# getent passwd gen...@adexample.com
>
> Winbind is not running on the IPA client. SSSD running on the IPA client
> uses an LDAP extended operation to get the basic data about AD users and
> groups. Please try to restart SSSD on the client. If this does not help,
> please send me the client's SSSD log files.
>
> bye,
> Sumit
>

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-18 Thread Sumit Bose
On Tue, Feb 18, 2014 at 01:11:38AM +0200, Genadi Postrilko wrote:
> Thank you for the help!
> I have performed downgrade:
> 
> yum downgrade samba4*
> 
> [root@ipaserver1 ~]# rpm -qa | grep samb
> samba4-python-4.0.0-58.el6.rc4.x86_64
> samba4-winbind-4.0.0-58.el6.rc4.x86_64
> samba4-common-4.0.0-58.el6.rc4.x86_64
> samba4-winbind-clients-4.0.0-58.el6.rc4.x86_64
> samba4-libs-4.0.0-58.el6.rc4.x86_64
> samba4-client-4.0.0-58.el6.rc4.x86_64
> samba4-4.0.0-58.el6.rc4.x86_64
> 
> And it worked !
> 
> *I am now able to perform login via "ssh" and su onto the ipaserver with
> AD users:*
> 
> [root@ipaserver1 ~]# su gen...@adexample.com
> sh-4.1$
> 
> *and wbinfo and getent return values:*
> 
> [root@ipaserver1 ~]# wbinfo -u
> ADEXAMPLE\administrator
> ADEXAMPLE\guest
> ADEXAMPLE\genadi
> ADEXAMPLE\krbtgt
> ADEXAMPLE\linux$
> ADEXAMPLE\daniel
> 
> [root@ipaserver1 ~]# wbinfo -g
> admins
> editors
> default smb group
> ad_users
> ADEXAMPLE\domain computers
> ADEXAMPLE\domain controllers
> ADEXAMPLE\schema admins
> ADEXAMPLE\enterprise admins
> ADEXAMPLE\domain admins
> ADEXAMPLE\domain users
> ADEXAMPLE\domain guests
> ADEXAMPLE\group policy creator owners
> ADEXAMPLE\read-only domain controllers
> ADEXAMPLE\enterprise read-only domain controllers
> ADEXAMPLE\dnsupdateproxy
> 
> [root@ipaserver1 ~]# getent passwd gen...@adexample.com
> gen...@adexample.com:*:699001000:699001000::/home/adexample.com/genadi:

Thanks a lot for confirming that -58 is working on the FreeIPA server.

> 
> *After this success, I have tried to execute a login on client machine
> (using AD user), but it did not work:*
> 
> [root@ipaclient1 ~]# su gen...@adexample.com
> su: user gen...@adexample.com does not exist
> 
> *Also wbinfo and getent do not return value:*
> 
> [root@ipaclient1 ~]# wbinfo -u
> [root@ipaclient1 ~]# wbinfo -g
> [root@ipaclient1 ~]# getent passwd gen...@adexample.com

Winbind is not running on the IPA client. SSSD running on the IPA client
uses an LDAP extended operation to get the basic data about AD users and
groups. Please try to restart SSSD on the client. If this does not help,
please send me the client's SSSD log files.

bye,
Sumit



Re: [Freeipa-users] Issues creating trust with AD.

2014-02-17 Thread Genadi Postrilko
Thank you for the help!
I have performed downgrade:

yum downgrade samba4*

[root@ipaserver1 ~]# rpm -qa | grep samb
samba4-python-4.0.0-58.el6.rc4.x86_64
samba4-winbind-4.0.0-58.el6.rc4.x86_64
samba4-common-4.0.0-58.el6.rc4.x86_64
samba4-winbind-clients-4.0.0-58.el6.rc4.x86_64
samba4-libs-4.0.0-58.el6.rc4.x86_64
samba4-client-4.0.0-58.el6.rc4.x86_64
samba4-4.0.0-58.el6.rc4.x86_64

And it worked !

*I am now able to perform login via "ssh" and su onto the ipaserver with
AD users:*

[root@ipaserver1 ~]# su gen...@adexample.com
sh-4.1$

*and wbinfo and getent return values:*

[root@ipaserver1 ~]# wbinfo -u
ADEXAMPLE\administrator
ADEXAMPLE\guest
ADEXAMPLE\genadi
ADEXAMPLE\krbtgt
ADEXAMPLE\linux$
ADEXAMPLE\daniel

[root@ipaserver1 ~]# wbinfo -g
admins
editors
default smb group
ad_users
ADEXAMPLE\domain computers
ADEXAMPLE\domain controllers
ADEXAMPLE\schema admins
ADEXAMPLE\enterprise admins
ADEXAMPLE\domain admins
ADEXAMPLE\domain users
ADEXAMPLE\domain guests
ADEXAMPLE\group policy creator owners
ADEXAMPLE\read-only domain controllers
ADEXAMPLE\enterprise read-only domain controllers
ADEXAMPLE\dnsupdateproxy

[root@ipaserver1 ~]# getent passwd gen...@adexample.com
gen...@adexample.com:*:699001000:699001000::/home/adexample.com/genadi:

*After this success, I have tried to execute a login on client machine
(using AD user), but it did not work:*

[root@ipaclient1 ~]# su gen...@adexample.com
su: user gen...@adexample.com does not exist

*Also wbinfo and getent do not return value:*

[root@ipaclient1 ~]# wbinfo -u
[root@ipaclient1 ~]# wbinfo -g
[root@ipaclient1 ~]# getent passwd gen...@adexample.com

*Therefore I have performed downgrade:*

yum downgrade samba4*

[root@ipaclient1 ~]# rpm -qa | grep samb
samba-winbind-clients-3.6.9-167.el6_5.x86_64
samba-common-3.6.9-167.el6_5.x86_64
samba-winbind-3.6.9-167.el6_5.x86_64
samba4-libs-4.0.0-58.el6.rc4.x86_64


*After the downgrade the login attempt still failed:*
[root@ipaclient1 ~]# su gen...@adexample.com
su: user gen...@adexample.com does not exist

*I wonder if the fact that ipa-windbind-client is 3.6.9 is the cause.*

*Also here are the client configuration files:*



*sssd*
[root@ipaclient1 ~]# cat /etc/sssd/sssd.conf
[domain/linux.adexample.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.adexample.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient1.linux.adexample.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipaserver1.linux.adexample.com
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
[sssd]
services = nss, pam, ssh, pac
config_file_version = 2

domains = linux.adexample.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


*krb5*

[root@ipaclient1 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = LINUX.ADEXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  LINUX.ADEXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
auth_to_local = DEFAULT
  }

[domain_realm]
  .linux.adexample.com = LINUX.ADEXAMPLE.COM
  linux.adexample.com = LINUX.ADEXAMPLE.COM


*And again - thank you. I was stuck on it for a long time.*



2014-02-17 10:34 GMT+02:00 Sumit Bose :

> On Sat, Feb 15, 2014 at 12:14:58AM +0200, Genadi Postrilko wrote:
> > I have seen threads that were opened on trust issues:
> > "AD - Freeipa trust confusion"
> > "Cross domain trust"
> > "Cannot loging via SSH with AD user TO IPA Domain" - which I opened.
> >
> > It looks like after creation of trust, TGT ticket can be issued from AD,
> > but "su" and "ssh" do not allow a log in with AD user.
> > I'm not sure if a conclusion has been reached on this subject.
> >
> > I gave it a try again and attempted to create a trust with IPA as a DNS
> > subdomain of AD.
> > I followed :
> >
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
> >
> > AD domain: ADEXAMPLE.COM
> > IPA subdomain: LINUX.ADEXAMPLE.COM
> >
> > When I finished the necessary steps I attempted to retrieve a TGT from AD
> > (while logged in to IPA server):
> >
> > [root@ipaserver1 sbin]# kinit administra...@adexample.com
> > Password for administra...@adexample.com:
> > [root@ipaserver1 sbin]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: administra...@adexample.com
> >
> > Valid starting ExpiresService principal
> > 02/14/14 07:50:21  02/14/14 17:50:20  krbtgt/adexample@adexample.com
> > renew until 02/15/14 07:50:21
> >
> > But logging in by "ssh" and "su" ended in failure:
> >
> > login as: administra...@adexample.com
> > administra...@addc.com@192.168.227.201's password:
> > Access denied
> >
> > After reading
> >
> http://www.freeipa.org/page/

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-17 Thread Sumit Bose
On Sat, Feb 15, 2014 at 12:14:58AM +0200, Genadi Postrilko wrote:
> I have seen threads that were opened on trust issues:
> "AD - Freeipa trust confusion"
> "Cross domain trust"
> "Cannot loging via SSH with AD user TO IPA Domain" - which I opened.
> 
> It looks like after creation of trust, TGT ticket can be issued from AD,
> but "su" and "ssh" do not allow a log in with AD user.
> I'm not sure if a conclusion has been reached on this subject.
> 
> I gave it a try again and attempted to create a trust with IPA as a DNS
> subdomain of AD.
> I followed :
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
> 
> AD domain: ADEXAMPLE.COM
> IPA subdomain: LINUX.ADEXAMPLE.COM
> 
> When I finished the necessary steps I attempted to retrieve a TGT from AD
> (while logged in to IPA server):
> 
> [root@ipaserver1 sbin]# kinit administra...@adexample.com
> Password for administra...@adexample.com:
> [root@ipaserver1 sbin]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administra...@adexample.com
> 
> Valid starting ExpiresService principal
> 02/14/14 07:50:21  02/14/14 17:50:20  krbtgt/adexample@adexample.com
> renew until 02/15/14 07:50:21
> 
> But logging in by "ssh" and "su" ended in failure:
> 
> login as: administra...@adexample.com
> administra...@addc.com@192.168.227.201's password:
> Access denied
> 
> After reading
> http://www.freeipa.org/page/IPAv3_testing_AD_trust#Create_a_trust_to_an_AD_domain
> I did the following on the AD server:
> 
> Administrative Tools -> Active Directory Domains and Trust ->
> adexample.com(right click) -> Properties -> Trust -> Domain Trusted by
> this domain
> (outgoing trust) -> Properties -> General -> Validate
> 
> *After doing this I was able to login via "ssh" and "su" with
> "Administrator" **user :*
> 
> login as: administra...@adexample.com
> administra...@adexample.com@192.168.227.201's password:
> Last login: Wed Feb 12 14:39:49 2014 from 192.168.227.1
> Could not chdir to home directory /home/adexample.com/administrator: No
> such file or directory
> /usr/bin/xauth:  error in locking authority file /home/adexample.com/administrator/.Xauthority
> -sh-4.1$
> 
> *But still not able to login with other AD accounts:*
> 
> [root@ipaserver1 sbin]# su gen...@adexample.com
> su: user gen...@adexample.com does not exist
> 
> After reading the other threads, I'll try and provide as much information as
> I can:
> 
> *wbinfo -u does not return values.*
> [root@ipaserver1 sbin]# wbinfo -u
> [root@ipaserver1 sbin]#
> 
> *wbinfo -g output:*
> [root@ipaserver1 sbin]# wbinfo -g
> admins
> editors
> default smb group
> ad_users
> 
> *wbinfo --online-status shows ADEXAMPLE is offline*
> [root@ipaserver1 ~]# wbinfo --online-status
> BUILTIN : online
> LINUX : online
> ADEXAMPLE : offline
> 
> *getent for Administrator does return value.*
> [root@ipaserver1 sbin]# getent passwd administra...@adexample.com
> administra...@adexample.com:*:699000500:699000500::/home/
> adexample.com/administrator:
> 
> *getent for other AD users does not return value.*
> [root@ipaserver1 sbin]# getent passwd gen...@adexample.com
> [root@ipaserver1 sbin]#
> 
> 
> *System info/configurations:*
> 
> [root@ipaserver1 ~]# cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
> 
> [root@ipaserver1 sbin]# rpm -qa | grep ipa
> ipa-python-3.0.0-37.el6.x86_64
> ipa-client-3.0.0-37.el6.x86_64
> libipa_hbac-python-1.9.2-129.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-server-trust-ad-3.0.0-37.el6.x86_64
> libipa_hbac-1.9.2-129.el6.x86_64
> ipa-admintools-3.0.0-37.el6.x86_64
> ipa-server-selinux-3.0.0-37.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-server-3.0.0-37.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> 
> [root@ipaserver1 ~]# rpm -qa | grep sssd
> sssd-1.9.2-129.el6.x86_64
> sssd-client-1.9.2-129.el6.x86_64
> 
> [root@ipaserver1 sbin]# rpm -qa | grep samb
> samba4-common-4.0.0-60.el6_5.rc4.x86_64
> samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64
> samba4-libs-4.0.0-60.el6_5.rc4.x86_64
> samba4-python-4.0.0-60.el6_5.rc4.x86_64
> samba4-4.0.0-60.el6_5.rc4.x86_64
> samba4-client-4.0.0-60.el6_5.rc4.x86_64
> samba4-winbind-4.0.0-60.el6_5.rc4.x86_64

Thank you very much for the detailed report. Looks like you are hit by
the 'NT_STATUS_INVALID_PARAMETER_MIX' issue (see log.wb-ADEXAMPLE). We
are currently investigating this issue.

If you would like to help it would be nice if you can try to downgrade
the samba4 packages to the -58 release and see if this works any better
for you.

Currently I'll try to reproduce this issue locally and will give you an
update as soon as I find anything which might help to get around this
issue.

bye,
Sumit

> 
> *SSSD*
> 
> [root@ipaserver1 ~]# cat /etc/sssd/sssd.conf
> [domain/linux.adexample.com]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linux.adexample.com
> 

[Freeipa-users] Issues creating trust with AD.

2014-02-14 Thread Genadi Postrilko
I have seen threads that were opened on trust issues:
"AD - Freeipa trust confusion"
"Cross domain trust"
"Cannot loging via SSH with AD user TO IPA Domain" - which I opened.

It looks like after creation of the trust, a TGT can be issued from AD,
but "su" and "ssh" do not allow a login with an AD user.
I'm not sure if a conclusion has been reached on this subject.

I gave it a try again and attempted to create a trust with IPA as a DNS
subdomain of AD.
I followed :
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html

AD domain: ADEXAMPLE.COM
IPA subdomain: LINUX.ADEXAMPLE.COM

When I finished the necessary steps I attempted to retrieve a TGT from AD
(while logged in to the IPA server):

[root@ipaserver1 sbin]# kinit administra...@adexample.com
Password for administra...@adexample.com:
[root@ipaserver1 sbin]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@adexample.com

Valid starting     Expires            Service principal
02/14/14 07:50:21  02/14/14 17:50:20  krbtgt/adexample@adexample.com
renew until 02/15/14 07:50:21

But logging in by "ssh" and "su" ended in failure:

login as: administra...@adexample.com
administra...@addc.com@192.168.227.201's password:
Access denied

After reading
http://www.freeipa.org/page/IPAv3_testing_AD_trust#Create_a_trust_to_an_AD_domain
I did the following on the AD server:

Administrative Tools -> Active Directory Domains and Trust ->
adexample.com(right click) -> Properties -> Trust -> Domain Trusted by
this domain
(outgoing trust) -> Properties -> General -> Validate

*After doing this I was able to log in via "ssh" and "su" with the
"Administrator" user:*

login as: administra...@adexample.com
administra...@adexample.com@192.168.227.201's password:
Last login: Wed Feb 12 14:39:49 2014 from 192.168.227.1
Could not chdir to home directory /home/adexample.com/administrator: No
such file or directory
/usr/bin/xauth:  error in locking authority file /home/
adexample.com/administrator/.Xauthority
-sh-4.1$

*But still not able to login with other AD accounts:*

[root@ipaserver1 sbin]# su gen...@adexample.com
su: user gen...@adexample.com does not exist

After reading the other threads, I'll try and provide as much information as
I can:

*wbinfo -u does not return values.*
[root@ipaserver1 sbin]# wbinfo -u
[root@ipaserver1 sbin]#

*wbinfo -g output:*
[root@ipaserver1 sbin]# wbinfo -g
admins
editors
default smb group
ad_users

*wbinfo --online-status shows ADEXAMPLE is offline*
[root@ipaserver1 ~]# wbinfo --online-status
BUILTIN : online
LINUX : online
ADEXAMPLE : offline

*getent for Administrator does return value.*
[root@ipaserver1 sbin]# getent passwd administra...@adexample.com
administra...@adexample.com:*:699000500:699000500::/home/
adexample.com/administrator:

*getent for other AD users does not return value.*
[root@ipaserver1 sbin]# getent passwd gen...@adexample.com
[root@ipaserver1 sbin]#


*System info/configurations:*

[root@ipaserver1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)

[root@ipaserver1 sbin]# rpm -qa | grep ipa
ipa-python-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
libipa_hbac-python-1.9.2-129.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-trust-ad-3.0.0-37.el6.x86_64
libipa_hbac-1.9.2-129.el6.x86_64
ipa-admintools-3.0.0-37.el6.x86_64
ipa-server-selinux-3.0.0-37.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-37.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch

[root@ipaserver1 ~]# rpm -qa | grep sssd
sssd-1.9.2-129.el6.x86_64
sssd-client-1.9.2-129.el6.x86_64

[root@ipaserver1 sbin]# rpm -qa | grep samb
samba4-common-4.0.0-60.el6_5.rc4.x86_64
samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64
samba4-libs-4.0.0-60.el6_5.rc4.x86_64
samba4-python-4.0.0-60.el6_5.rc4.x86_64
samba4-4.0.0-60.el6_5.rc4.x86_64
samba4-client-4.0.0-60.el6_5.rc4.x86_64
samba4-winbind-4.0.0-60.el6_5.rc4.x86_64

*SSSD*

[root@ipaserver1 ~]# cat /etc/sssd/sssd.conf
[domain/linux.adexample.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.adexample.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaserver1.linux.adexample.com
chpass_provider = ipa
ipa_server = ipaserver1.linux.adexample.com
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
debug_level = 6
[sssd]
services = nss, pam, ssh, pac
config_file_version = 2

domains = linux.adexample.com
debug_level = 6
[nss]
debug_level = 6
[pam]
debug_level = 6
[sudo]
debug_level = 6
[autofs]
debug_level = 6
[ssh]
debug_level = 6
[pac]
debug_level = 6

*KRB5*

[root@ipaserver1 ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LINUX.ADEXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 t

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2013 at 02:49:46PM -0400, Shawn wrote:
> Yep, sure does. Thanks much.
> 
> If selinux is disabled, why does it care?
> 

It's an SSSD bug:
https://bugzilla.redhat.com/show_bug.cgi?id=914433

We didn't realize that SELinux disabled might mean that the directory is
not there at all. Luckily there is a simple workaround.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
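As an added example (written for this page, not SSSD's or FreeIPA's own code): a small triage script that applies the order of diagnosis used in this thread, reading the pam_sss return code from /var/log/secure (6 is a policy denial to verify with ipa hbactest, 4 is a system error to chase in sssd_pam.log) and, for the system-error case, pulling the directory out of the write_selinux_login_file failure so an admin can confirm whether /etc/selinux/targeted/logins exists. The log lines are constructed samples modelled on those quoted in the thread; the PAM code names are Linux-PAM's standard values.

```python
import os
import re
from typing import Callable, Dict, List

# Linux-PAM return codes as they appear in pam_sss "Access denied for user X: N (...)" lines.
PAM_CODES = {
    4: "PAM_SYSTEM_ERR",        # SSSD itself failed; the reason is in sssd_pam.log
    6: "PAM_PERM_DENIED",       # a policy decision, typically an HBAC rule
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    13: "PAM_ACCT_EXPIRED",
}

# Constructed sample lines modelled on the ones quoted in this thread (not real logs).
SECURE_LOG = """\
Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user myuser by PAM account configuration
Apr 10 14:05:11 ip-10-152-174-17 sshd[22901]: pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)
"""

SSSD_PAM_LOG = """\
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/myusertlQ108
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30
"""

PAM_SSS_DENIAL = re.compile(
    r"pam_sss\((?P<service>[^:()]+):(?P<stack>\w+)\): Access denied for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)
# SSSD prints the temp file path after "failed."; tolerate a wrapped line and the
# timestamp of the next entry being glued onto the path, as in the thread's paste.
SELINUX_LOGIN_FAIL = re.compile(
    r"\[write_selinux_login_file\] \(0x0040\): creating the temp file for "
    r"SELinux data failed\.\s*(?P<path>[^\s(]+)"
)


def parse_pam_sss_denials(secure_log: str) -> List[Dict[str, object]]:
    """Extract the pam_sss denial records from /var/log/secure text."""
    return [
        {
            "service": m.group("service"),
            "stack": m.group("stack"),
            "user": m.group("user"),
            "code": int(m.group("code")),
            "text": m.group("text"),
        }
        for m in PAM_SSS_DENIAL.finditer(secure_log)
    ]


def find_selinux_login_dirs(sssd_pam_log: str) -> List[str]:
    """Directories in which SSSD could not create its SELinux login temp file."""
    dirs: List[str] = []
    for m in SELINUX_LOGIN_FAIL.finditer(sssd_pam_log):
        d = os.path.dirname(m.group("path"))
        if d not in dirs:
            dirs.append(d)
    return dirs


def triage(secure_log: str, sssd_pam_log: str,
           dir_exists: Callable[[str], bool] = os.path.isdir) -> List[Dict[str, object]]:
    """Attach a next-step hint to every pam_sss denial, in the thread's order:
    code 6 -> check HBAC with ipa hbactest; code 4 -> read sssd_pam.log, and
    there look for the missing /etc/selinux/targeted/logins directory."""
    selinux_dirs = find_selinux_login_dirs(sssd_pam_log)
    findings: List[Dict[str, object]] = []
    for d in parse_pam_sss_denials(secure_log):
        code = d["code"]
        name = PAM_CODES.get(code, "unknown PAM code")
        if code == 6:
            hint = (f"{name}: policy decision, verify with "
                    f"ipa hbactest --user={d['user']} --host=<client fqdn> --service={d['service']}")
        elif code == 4 and selinux_dirs:
            missing = [p for p in selinux_dirs if not dir_exists(p)]
            if missing:
                hint = (f"{name}: write_selinux_login_file failed, directory missing: "
                        + ", ".join(missing) + " (thread workaround: mkdir -p it)")
            else:
                hint = f"{name}: write_selinux_login_file failed but directory exists, check labels/AVC denials"
        elif code == 4:
            hint = f"{name}: internal SSSD failure, raise debug_level in [pam] and [domain] and read sssd_pam.log"
        else:
            hint = f"{name}: see sssd_pam.log"
        findings.append({**d, "hint": hint})
    return findings


if __name__ == "__main__":
    for f in triage(SECURE_LOG, SSSD_PAM_LOG):
        print(f"{f['user']}: {f['code']} ({f['text']}) -> {f['hint']}")
```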


Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Shawn
Yep, sure does. Thanks much.

If selinux is disabled, why does it care?




On Wed, Apr 10, 2013 at 2:37 PM, Jakub Hrozek  wrote:

> On Wed, Apr 10, 2013 at 02:34:06PM -0400, Shawn wrote:
> > [root@freeclient1 sssd]# sestatus
> > SELinux status: disabled
> > [root@freeclient1 sssd]# ls -ldZ /etc/selinux/
> > drwxr-xr-x root root ?/etc/selinux/
> > [root@freeclient1 sssd]#
>
> I take it there is no directory /etc/selinux/targeted/logins (or
> /etc/selinux/targeted/ for that matter?)
>
> Does mkdir -p /etc/selinux/targeted/logins solve things for you?
>
> >
> >
> >
> > On Wed, Apr 10, 2013 at 2:31 PM, Jakub Hrozek 
> wrote:
> >
> > > On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote:
> > > > (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
> > > > (Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30
> > >
> > > I think this is the smoking gun.
> > >
> > > What state is SELinux in? (run sestatus)
> > > Are there any AVC denials that would indicate the directory is
> > > mislabeled?
> > >
> > > What is the output of:
> > > # ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins
> > >
> >
> >
> >
> > --
> > *- Shawn Taaj*
>



-- 
*- Shawn Taaj*

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2013 at 02:34:06PM -0400, Shawn wrote:
> [root@freeclient1 sssd]# sestatus
> SELinux status: disabled
> [root@freeclient1 sssd]# ls -ldZ /etc/selinux/
> drwxr-xr-x root root ?/etc/selinux/
> [root@freeclient1 sssd]#

I take it there is no directory /etc/selinux/targeted/logins (or
/etc/selinux/targeted/ for that matter?)

Does mkdir -p /etc/selinux/targeted/logins solve things for you?

> 
> 
> 
> On Wed, Apr 10, 2013 at 2:31 PM, Jakub Hrozek  wrote:
> 
> > On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote:
> > > (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
> > > (Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30
> >
> > I think this is the smoking gun.
> >
> > What state is SELinux in? (run sestatus)
> > Are there any AVC denials that would indicate the directory is
> > mislabeled?
> >
> > What is the output of:
> > # ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins
> >
> 
> 
> 
> -- 
> *- Shawn Taaj*



Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Shawn
[root@freeclient1 sssd]# sestatus
SELinux status: disabled
[root@freeclient1 sssd]# ls -ldZ /etc/selinux/
drwxr-xr-x root root ?/etc/selinux/
[root@freeclient1 sssd]#



On Wed, Apr 10, 2013 at 2:31 PM, Jakub Hrozek  wrote:

> On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote:
> > (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
> > (Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30
>
> I think this is the smoking gun.
>
> What state is SELinux in? (run sestatus)
> Are there any AVC denials that would indicate the directory is
> mislabeled?
>
> What is the output of:
> # ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins
>



-- 
*- Shawn Taaj*

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote:
> (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
> (Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30

I think this is the smoking gun.

What state is SELinux in? (run sestatus)
Are there any AVC denials that would indicate the directory is
mislabeled?

What is the output of:
# ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins



Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Shawn
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'staaj' matched without domain, user is staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user: staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: 50.59.202.7
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 23185
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/company-dev.com/staaj]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:st...@vocal-dev.com]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [company-dev.com][3][1][name=staaj]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0xb39fd0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:st...@company-dev.com]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0xb39fd0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: B35A10
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success



(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: company-dev.com
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user: staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: 50.59.202.7
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 23185
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0xb41990
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:st...@company-dev.com]

The only thing I see about SELinux is here:

(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30

# rpm -qa |grep sssd
sssd-client-1.9.2-82.4.el6_4.x86_64
sssd-1.9.2-82.4.el6_4.x86_64





On Wed, Apr 10, 2013 at 2:15 PM, Jakub Hrozek  wrote:

> On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote:
> > Shawn wrote:
> > >[root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
> > >
> > >Access granted: True
> > >
> > >   Matched rules: allow_all
> > >[root@freeipa ~]#
> > >
> > >
> > >└─> ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
> > >Connection closed by 54x.x.x.x
> > >
> > >(client server logs)
> > >Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account):
> > >Access denied for user myuser: 4 (System error)
> > >Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for
> > >user client by PAM account configuration
> > >
> > >
> > >(client ipa versions)
> > >

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote:
> Shawn wrote:
> >[root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
> >
> >Access granted: True
> >
> >   Matched rules: allow_all
> >[root@freeipa ~]#
> >
> >
> >└─> ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
> >Connection closed by 54x.x.x.x
> >
> >(client server logs)
> >Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
> >Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration
> >
> >
> >(client ipa versions)
> >ipa-admintools-3.0.0-26.el6_4.2.x86_64
> >ipa-client-3.0.0-26.el6_4.2.x86_64
> >ipa-python-3.0.0-26.el6_4.2.x86_64
> >
> >
> >(master ipa versions)
> >[root@freeipa ~]# rpm -qa |grep ipa-
> >
> >ipa-pki-common-theme-9.0.3-7.el6.noarch
> >ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >ipa-client-3.0.0-26.el6_4.2.x86_64
> >ipa-python-3.0.0-26.el6_4.2.x86_64
> >ipa-admintools-3.0.0-26.el6_4.2.x86_64
> >ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> >ipa-server-3.0.0-26.el6_4.2.x86_64
> >[root@freeipa ~]#
> 
> An error is occurring somewhere which is why access is denied. This
> isn't HBAC, that looks like:
> 
> pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)
> 
> You need to crank up debugging in sssd and see what its logs say.
> 
> rob

What SSSD version is there on the client?

It's possible that it might be a similar issue to one Jan-Frode had with
SELinux.

Rob is right, please raise the debug_level in the [pam] and [domain]
sections and attach or paste the relevant portions of (sanitized) logs.


Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Rob Crittenden

Shawn wrote:

[root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd

Access granted: True

   Matched rules: allow_all
[root@freeipa ~]#


└─> ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
Connection closed by 54x.x.x.x

(client server logs)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration


(client ipa versions)
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64


(master ipa versions)
[root@freeipa ~]# rpm -qa |grep ipa-

ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root@freeipa ~]#


An error is occurring somewhere which is why access is denied. This 
isn't HBAC, that looks like:


pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)

You need to crank up debugging in sssd and see what its logs say.

rob



Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Shawn
[root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd

Access granted: True

  Matched rules: allow_all
[root@freeipa ~]#


└─> ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
Connection closed by 54x.x.x.x

(client server logs)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration


(client ipa versions)
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64


(master ipa versions)
[root@freeipa ~]# rpm -qa |grep ipa-

ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root@freeipa ~]#




On Thu, Apr 4, 2013 at 5:06 PM, KodaK  wrote:

> Run an hbactest:
>
> ipa hbactest --user=youruser --host=fqdn.of.host --service=sshd
>
> Make sure that works, if it does, then you can move on to troubleshooting
> the host itself.
>
>
> On Thu, Apr 4, 2013 at 2:27 PM, Shawn  wrote:
>
>> Hi,
>>
>> I have configured an ipa-server, replica and client.
>>
>> In the GUI I can see that all hosts are in the "hosts" list. I have
>> created a single user as well and attached that user to the client.
>>
>> When trying to login as the user to the client, I see this in the
>> secure.log.
>>
>> fatal: Access denied for user  by PAM account configuration.
>>
>> Any suggestions on steps to troubleshoot this?
>>
>> Thanks
>>
>>
>> --
>> *- Shawn Taaj*
>>
>>
>
>
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>



-- 
*- Shawn Taaj*

Re: [Freeipa-users] Issues after setup

2013-04-04 Thread KodaK
Run an hbactest:

ipa hbactest --user=youruser --host=fqdn.of.host --service=sshd

Make sure that works, if it does, then you can move on to troubleshooting
the host itself.


On Thu, Apr 4, 2013 at 2:27 PM, Shawn  wrote:

> Hi,
>
> I have configured an ipa-server, replica and client.
>
> In the GUI I can see that all hosts are in the "hosts" list. I have
> created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the
> secure.log.
>
> fatal: Access denied for user  by PAM account configuration.
>
> Any suggestions on steps to troubleshoot this?
>
> Thanks
>
>
> --
> *- Shawn Taaj*
>
>



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] Issues after setup

2013-04-04 Thread Jakub Hrozek
On Thu, Apr 04, 2013 at 03:27:37PM -0400, Shawn wrote:
> Hi,
> 
> I have configured an ipa-server, replica and client.
> 
> In the GUI I can see that all hosts are in the "hosts" list. I have
> created a single user as well and attached that user to the client.
> 
> When trying to login as the user to the client, I see this in the
> secure.log.
> 
> fatal: Access denied for user  by PAM account configuration.
> 
> Any suggestions on steps to troubleshoot this?

Hi Shawn,

I would start with checking the HBAC rules using the ipa hbactest
command.

$ ipa hbactest --help

might get you started.



Re: [Freeipa-users] Issues after setup

2013-04-04 Thread Rob Crittenden

Shawn wrote:

Hi,

I have configured an ipa-server, replica and client.

In the GUI I can see that all hosts are in the "hosts" list. I have
created a single user as well and attached that user to the client.

When trying to login as the user to the client, I see this in the
secure.log.

fatal: Access denied for user  by PAM account configuration.


Did you disable or remove the default allow_all HBAC rule?

rob



Re: [Freeipa-users] Issues after setup

2013-04-04 Thread Shawn
Rob,

Nope that's still enabled.


On Thu, Apr 4, 2013 at 4:50 PM, Rob Crittenden  wrote:

> Shawn wrote:
>
>> Hi,
>>
>> I have configured an ipa-server, replica and client.
>>
>> In the GUI I can see that all hosts are in the "hosts" list. I have
>> created a single user as well and attached that user to the client.
>>
>> When trying to login as the user to the client, I see this in the
>> secure.log.
>>
>> fatal: Access denied for user  by PAM account configuration.
>>
>
> Did you disable or remove the default allow_all HBAC rule?
>
> rob
>
>


-- 
*- Shawn Taaj*

Re: [Freeipa-users] Issues after setup

2013-04-04 Thread Shawn
I am able to login to my replica and master with users no problem, just
having issues with clients..


On Thu, Apr 4, 2013 at 3:27 PM, Shawn  wrote:

> Hi,
>
> I have configured an ipa-server, replica and client.
>
> In the GUI I can see that all hosts are in the "hosts" list. I have
> created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the
> secure.log.
>
> fatal: Access denied for user  by PAM account configuration.
>
> Any suggestions on steps to troubleshoot this?
>
> Thanks
>
>
> --
> *- Shawn Taaj*
>



-- 
*- Shawn Taaj*

[Freeipa-users] Issues after setup

2013-04-04 Thread Shawn
Hi,

I have configured an ipa-server, replica and client.

In the GUI I can see that all hosts are in the "hosts" list. I have
created a single user as well and attached that user to the client.

When trying to login as the user to the client, I see this in the
secure.log.

fatal: Access denied for user  by PAM account configuration.

Any suggestions on steps to troubleshoot this?

Thanks


-- 
*- Shawn Taaj*

Re: [Freeipa-users] issues + docs

2011-06-26 Thread Christian Horn
On Thu, Jun 23, 2011 at 02:33:43PM -0400, Deon Lackey wrote:
> 
> I'm culling through some of the recent issues on this list to make
> sure they end up on the FreeIPA wiki or in the FreeIPA guide 
> (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html).

Really nice to see the multi-stage concept, with development
happening at Fedora and the code used in an enterprise-grade
supported product, extended to documentation here :)

Christian



Re: [Freeipa-users] issues + docs

2011-06-23 Thread Deon Lackey



Steven Jones wrote, on 06/23/2011 05:16 PM:

Wow this looks like a huge improvement...I can see my next few days is booked.

More pictures showing how to do things please
  

For you, I'll do it! But only for you. :)

Actually, it's already on my project to-do list. FreeIPAv2.1 is having a 
big UI facelift, so I'll probably wait till that's more complete before 
I start grabbing screenshots. I'm estimating about a month or so. It's 
coming:

https://fedorahosted.org/freeipa-guide/roadmap

(I'll be adding tickets for the roadmap soon.)

In the meantime, I'm going to work on enhancing the CLI examples for the 
existing procedures. Any and all input is welcome.

Deon



Re: [Freeipa-users] issues + docs

2011-06-23 Thread Steven Jones
Wow this looks like a huge improvement...I can see my next few days is booked.

More pictures showing how to do things please

regards



[Freeipa-users] issues + docs

2011-06-23 Thread Deon Lackey

Hey, guys.

I'm culling through some of the recent issues on this list to make sure 
they end up on the FreeIPA wiki or in the FreeIPA guide 
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html).


Just as a side note, I have created a doc wiki page to help track the 
issues that crop up on the mailing list, so feel free to drop anything 
you want into that page:

https://fedorahosted.org/freeipa-guide/wiki/CommunityDocIssues

Or you can always email me or file a bugzilla. :)

Thanks!
Deon (the docs person)

