Re: [Freeipa-users] ipa-backup and ipa-restore
On (25/05/15 10:00), Bob Hinton wrote:
> Hi Martin,
>
> Yes. This fixes the problem on a newly recreated ipamaster - it didn't
> work on the one I'd been playing around with. So the complete rebuild
> sequence was...
>
> 1) On old ipamaster VM ipa004 (did this on 22/05/2015)
>
>    login as an admin user with sudo to root access
>    sudo -i
>    ipa-backup
>    tar cvfPz ipa004_backups_22052015.tgz /var/lib/ipa/backup
>    scp ipa004_backups_22052015.tgz to a backup system, destroy old
>    ipamaster VM
>
> 2) Recreate ipamaster VM (identical configuration to original)
>
>    From backup system - scp ipa004_backups_22052015.tgz admin@ipa004:
>    ssh admin@ipa004
>    su (enter root password - no users with sudo access exist yet)
>    tar xvfPz ipa004_backups_22052015.tgz
>    ipa-restore ipa-full-2015-05-22-17-28-01
>    systemctl stop sssd
>    rm -f /var/lib/sss/db/*
>    systemctl start sssd

Could ipa-restore do previous 3 operations?

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-backup and ipa-restore
On 05/27/2015 08:04 AM, Lukas Slebodnik wrote:
> On (25/05/15 10:00), Bob Hinton wrote:
>> Hi Martin,
>>
>> Yes. This fixes the problem on a newly recreated ipamaster - it didn't
>> work on the one I'd been playing around with. So the complete rebuild
>> sequence was...
>>
>> 1) On old ipamaster VM ipa004 (did this on 22/05/2015)
>>
>>    login as an admin user with sudo to root access
>>    sudo -i
>>    ipa-backup
>>    tar cvfPz ipa004_backups_22052015.tgz /var/lib/ipa/backup
>>    scp ipa004_backups_22052015.tgz to a backup system, destroy old
>>    ipamaster VM
>>
>> 2) Recreate ipamaster VM (identical configuration to original)
>>
>>    From backup system - scp ipa004_backups_22052015.tgz admin@ipa004:
>>    ssh admin@ipa004
>>    su (enter root password - no users with sudo access exist yet)
>>    tar xvfPz ipa004_backups_22052015.tgz
>>    ipa-restore ipa-full-2015-05-22-17-28-01
>>    systemctl stop sssd
>>    rm -f /var/lib/sss/db/*
>>    systemctl start sssd
>
> Could ipa-restore do previous 3 operations?
>
> LS

It could - on IPA master that is being restored. We still need to address
the other masters and clients...
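The restore half of the sequence quoted above (ipa-restore of the named full backup, then stop SSSD, clear /var/lib/sss/db, start SSSD) as an added shell helper; it is not code from the thread or from the FreeIPA project. It assumes the thread's paths and the ipa-full-YYYY-MM-DD-HH-MM-SS backup naming, picks the newest full backup itself, and with DRY_RUN=1 prints the privileged commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the thread or the FreeIPA project). Assumes the
# thread's paths and backups named ipa-full-YYYY-MM-DD-HH-MM-SS. With
# DRY_RUN=1 the privileged commands are printed instead of executed.
BACKUP_DIR="${BACKUP_DIR:-/var/lib/ipa/backup}"   # where ipa-backup writes
SSS_DB="${SSS_DB:-/var/lib/sss/db}"               # SSSD cache database

# Execute a command, or just show it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Print the newest full backup name found in $1; the zero-padded, year-first
# timestamp makes a plain lexical sort chronological. Returns 1 if none.
latest_full_backup() {
    lfb_name=$(ls -1 "$1" 2>/dev/null \
        | grep '^ipa-full-[0-9]\{4\}\(-[0-9]\{2\}\)\{5\}$' \
        | sort | tail -n 1)
    [ -n "$lfb_name" ] || return 1
    echo "$lfb_name"
}

# The three steps the thread adds after ipa-restore: SSSD still holds the cache
# built against the old master, and pam_sss password logins failed until it was dropped.
sssd_cache_reset() {
    run systemctl stop sssd
    run rm -f "$SSS_DB"/*
    run systemctl start sssd
}

# Restore the newest full backup, then flush the SSSD cache.
restore_master() {
    rm_name=$(latest_full_backup "$BACKUP_DIR") || {
        echo "no ipa-full-* backup under $BACKUP_DIR" >&2
        return 1
    }
    run ipa-restore "$rm_name"
    sssd_cache_reset
}

case "${1:-}" in
    restore) restore_master ;;
    "")      ;;   # no argument: only define the functions (sourced use)
    *)       echo "usage: $0 restore" >&2; exit 2 ;;
esac
```

Run it as root with `restore` once the backup archive has been unpacked to /var/lib/ipa/backup; ipa-restore itself still asks for the Directory Manager password and confirmation as in the thread.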
Re: [Freeipa-users] ipa-backup and ipa-restore
On 05/23/2015 01:51 PM, Bob Hinton wrote:
> Hello,
>
> I've been trying to rebuild an ipamaster by using ipa-backup, destroying
> and recreating the ipamaster VM then using ipa-restore on the rebuilt
> master.
>
> Most functions of the newly built master work. Logging-in via ssh with
> keys works but using passwords produces
>
>    Permission denied, please try again.
>
> Password attempts are logged with Authentication Failure in /var/log/secure
>
>    May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>    May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>    May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
>    May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>    May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
>    May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>    May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>    May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>    May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
>    May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>    May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
>
> I have two test users adminuser and auser.
>
> I've tried various things with auser involving kadmin.local to attempt to
> change the kerberos password and
>
>    ipa user-mod auser --principal-expiration=2012-01-01Z
>
> to try and force the user keytab to be invalid in the hope that it would
> be recreated, but this hasn't had any impact apart from slightly different
> errors in /var/log/krb5kdc.log (see below).
>
> I've also tried replacing the keytab by using
>
>    ipa-getkeytab -p host/ipa004.test.jackland...@test.jackland.uk -k temp.keytab -s localhost
>
> to create a new one and then copy it over /etc/krb5.keytab, but this also
> didn't have any impact.
>
> Can anyone tell me what I need to do to make ssh password authentication
> work on a newly created ipamaster with ipa populated via ipa-restore ?
>
> The VM is RHEL7.1 with the following versions of ipa-server and
> ipa-client installed.
>
> Many thanks
>
> Bob
>
> Name        : ipa-server
> Arch        : x86_64
> Version     : 4.1.0
> Release     : 18.el7_1.3
> Size        : 4.2 M
> Repo        : installed
> From repo   : rhel-7-server-rpms
> Summary     : The IPA authentication server
> URL         : http://www.freeipa.org/
> Licence     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>             : user, virtual machines, groups, authentication credentials), Policy
>             : (configuration settings, access control information) and Audit (events,
>             : logs, analysis thereof). If you are installing an IPA server you need
>             : to install this package (in other words, most people should NOT install
>             : this package).
>
> Name        : ipa-client
> Arch        : x86_64
> Version     : 4.1.0
> Release     : 18.el7_1.3
> Size        : 440 k
> Repo        : installed
> From repo   : rhel-7-server-rpms
> Summary     : IPA authentication for use on clients
> URL         : http://www.freeipa.org/
> Licence     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>             : user, virtual machines, groups, authentication credentials), Policy
>             : (configuration settings, access control information) and Audit (events,
>             : logs, analysis thereof). If your network uses IPA for authentication,
>             : this package should be installed on every client machine.
>
>    May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: unknown client for unknown server, Decrypt integrity check failed while handling ap-request armor
>    May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>    May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: host/ipa004.test.jackland...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk, Additional pre-authentication required
>    May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>    May 23 12:10:19
Re: [Freeipa-users] ipa-backup and ipa-restore
Good, thanks for confirmation. I filed Bugzilla to add this information to
the IPA guide:

https://bugzilla.redhat.com/show_bug.cgi?id=1224682

Please feel free to add any useful information you would like to see in
the guide to the Bugzilla comment.

Thank you,
Martin

On 05/25/2015 11:00 AM, Bob Hinton wrote:
> Hi Martin,
>
> Yes. This fixes the problem on a newly recreated ipamaster - it didn't
> work on the one I'd been playing around with. So the complete rebuild
> sequence was...
>
> 1) On old ipamaster VM ipa004 (did this on 22/05/2015)
>
>    login as an admin user with sudo to root access
>    sudo -i
>    ipa-backup
>    tar cvfPz ipa004_backups_22052015.tgz /var/lib/ipa/backup
>    scp ipa004_backups_22052015.tgz to a backup system, destroy old
>    ipamaster VM
>
> 2) Recreate ipamaster VM (identical configuration to original)
>
>    From backup system - scp ipa004_backups_22052015.tgz admin@ipa004:
>    ssh admin@ipa004
>    su (enter root password - no users with sudo access exist yet)
>    tar xvfPz ipa004_backups_22052015.tgz
>    ipa-restore ipa-full-2015-05-22-17-28-01
>    systemctl stop sssd
>    rm -f /var/lib/sss/db/*
>    systemctl start sssd
>
> Many thanks
>
> Bob
>
> On 25/05/2015 07:10, Martin Kosek wrote:
>> On 05/23/2015 01:51 PM, Bob Hinton wrote:
>>> Hello,
>>>
>>> I've been trying to rebuild an ipamaster by using ipa-backup, destroying
>>> and recreating the ipamaster VM then using ipa-restore on the rebuilt
>>> master.
>>>
>>> Most functions of the newly built master work. Logging-in via ssh with
>>> keys works but using passwords produces
>>>
>>>    Permission denied, please try again.
>>>
>>> Password attempts are logged with Authentication Failure in /var/log/secure
>>>
>>>    May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>>>    May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>>>    May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
>>>    May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>>>    May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
>>>    May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>>>    May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>>>    May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>>>    May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
>>>    May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>>>    May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
>>>
>>> I have two test users adminuser and auser.
>>>
>>> I've tried various things with auser involving kadmin.local to attempt to
>>> change the kerberos password and
>>>
>>>    ipa user-mod auser --principal-expiration=2012-01-01Z
>>>
>>> to try and force the user keytab to be invalid in the hope that it would
>>> be recreated, but this hasn't had any impact apart from slightly different
>>> errors in /var/log/krb5kdc.log (see below).
>>>
>>> I've also tried replacing the keytab by using
>>>
>>>    ipa-getkeytab -p host/ipa004.test.jackland...@test.jackland.uk -k temp.keytab -s localhost
>>>
>>> to create a new one and then copy it over /etc/krb5.keytab, but this also
>>> didn't have any impact.
>>>
>>> Can anyone tell me what I need to do to make ssh password authentication
>>> work on a newly created ipamaster with ipa populated via ipa-restore ?
>>>
>>> The VM is RHEL7.1 with the following versions of ipa-server and
>>> ipa-client installed.
>>>
>>> Many thanks
>>>
>>> Bob
>>>
>>> Name        : ipa-server
>>> Arch        : x86_64
>>> Version     : 4.1.0
>>> Release     : 18.el7_1.3
>>> Size        : 4.2 M
>>> Repo        : installed
>>> From repo   : rhel-7-server-rpms
>>> Summary     : The IPA authentication server
>>> URL         : http://www.freeipa.org/
>>> Licence     : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). If you are installing an IPA server you need
>>>             : to install this package (in other words, most people should NOT install
>>>             : this package).
>>>
>>> Name        : ipa-client
>>> Arch        : x86_64
>>> Version     : 4.1.0
>>> Release     : 18.el7_1.3
>>> Size        : 440 k
>>> Repo        : installed