Re: [Freeipa-users] ipa-backup and ipa-restore

2015-05-27 Thread Lukas Slebodnik
On (25/05/15 10:00), Bob Hinton wrote:
Hi Martin,

Yes. This fixes the problem on a newly recreated ipamaster - it didn't
work on the one I'd been playing around with.

So the complete rebuild sequence was...

1) On old ipamaster VM ipa004 (did this on 22/05/2015)
 login as an admin user with sudo to root access
 sudo -i
 ipa-backup
 tar cvfPz ipa004_backups_22052015.tgz /var/lib/ipa/backup
 scp ipa004_backups_22052015.tgz to a backup system, destroy old ipamaster VM

2) Recreate ipamaster VM (identical configuration to original)
 From backup system -
 scp ipa004_backups_22052015.tgz admin@ipa004:
 ssh admin@ipa004
 su (enter root password - no users with sudo access exist yet)
 tar xvfPz ipa004_backups_22052015.tgz
 ipa-restore ipa-full-2015-05-22-17-28-01
 systemctl stop sssd
 rm -f /var/lib/sss/db/*
 systemctl start sssd

Could ipa-restore do the previous 3 operations?

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
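
The three SSSD steps that end the restore sequence above, written as one guarded shell function. This is an added example, not part of the original messages and not ipa-restore's own code; the `SSSD_DB_DIR` and `SYSTEMCTL` overrides and the `--run` argument are assumptions introduced here so the function can be tried against a scratch directory.

```shell
#!/bin/sh
# Added example: flush the SSSD cache on a master after ipa-restore.
# SSSD_DB_DIR, SYSTEMCTL and --run are assumptions of this example; the
# defaults are the path and command used in the thread.
SSSD_DB_DIR="${SSSD_DB_DIR:-/var/lib/sss/db}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

flush_sssd_cache() {
    # rm runs as root, so refuse a missing path or a symlinked directory.
    if [ ! -d "$SSSD_DB_DIR" ] || [ -L "$SSSD_DB_DIR" ]; then
        echo "refusing: $SSSD_DB_DIR is not a real directory" >&2
        return 2
    fi
    # Stop first: a running sssd keeps its cache files open, so unlinking
    # them underneath it would not make it drop the stale entries.
    if ! "$SYSTEMCTL" stop sssd; then
        echo "sssd did not stop; cache left untouched" >&2
        return 3
    fi
    # Same scope as 'rm -f /var/lib/sss/db/*': files directly in the
    # directory, no recursion.
    for f in "$SSSD_DB_DIR"/*; do
        if [ -f "$f" ]; then rm -f -- "$f"; fi
    done
    if ! "$SYSTEMCTL" start sssd; then
        echo "sssd failed to start after cache flush" >&2
        return 4
    fi
    return 0
}

# Only act when asked to, e.g.  sh flush_sssd_cache.sh --run
if [ "${1:-}" = "--run" ]; then
    if [ "$(id -u)" -ne 0 ]; then echo "must run as root" >&2; exit 1; fi
    flush_sssd_cache
fi
```

The distinct return codes let a restore wrapper tell "cache not flushed" (2, 3) apart from "cache flushed but sssd is down" (4).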


Re: [Freeipa-users] ipa-backup and ipa-restore

2015-05-27 Thread Martin Kosek
On 05/27/2015 08:04 AM, Lukas Slebodnik wrote:
 On (25/05/15 10:00), Bob Hinton wrote:
 Hi Martin,

 Yes. This fixes the problem on a newly recreated ipamaster - it didn't
 work on the one I'd been playing around with.

 So the complete rebuild sequence was...

 1) On old ipamaster VM ipa004 (did this on 22/05/2015)
 login as an admin user with sudo to root access
 sudo -i
 ipa-backup
 tar cvfPz ipa004_backups_22052015.tgz /var/lib/ipa/backup
 scp ipa004_backups_22052015.tgz to a backup system, destroy old ipamaster VM

 2) Recreate ipamaster VM (identical configuration to original)
 From backup system -
 scp ipa004_backups_22052015.tgz admin@ipa004:
 ssh admin@ipa004
 su (enter root password - no users with sudo access exist yet)
 tar xvfPz ipa004_backups_22052015.tgz
 ipa-restore ipa-full-2015-05-22-17-28-01
 systemctl stop sssd
 rm -f /var/lib/sss/db/*
 systemctl start sssd

 Could ipa-restore do the previous 3 operations?
 
 LS

It could - on IPA master that is being restored. We still need to address the
other masters and clients...



Re: [Freeipa-users] ipa-backup and ipa-restore

2015-05-25 Thread Martin Kosek
On 05/23/2015 01:51 PM, Bob Hinton wrote:
 Hello,
 
 I've been trying to rebuild an ipamaster by using ipa-backup, destroying
 and recreating the ipamaster VM then using ipa-restore on the rebuilt
 master.
 
 Most functions of the newly built master work. Logging-in via ssh with
 keys works but using passwords produces Permission denied, please try
 again.
 
 Password attempts are logged with Authentication Failure in /var/log/secure
 
 May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
 May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
 May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user
 auser: 7 (Authentication failure)
 May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
 May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user
 auser: 7 (Authentication failure)
 May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure;
 logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
 May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 
 user=adminuser
 May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1
 user=adminuser
 May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user
 adminuser: 7 (Authentication failure)
 May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1
 user=adminuser
 May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user
 adminuser: 7 (Authentication failure)
 
 I have two test users adminuser and auser. I've tried various things
 with auser involving kadmin.local to attempt to change the kerberos
 password and ipa user-mod auser --principal-expiration=2012-01-01Z to
 try and force the user keytab to be invalid in the hope that it would be
 recreated, but this hasn't had any impact apart from slightly different
 errors in /var/log/krb5kdc.log (see below).
 
 I've also tried replacing the keytab by using  ipa-getkeytab -p
 host/ipa004.test.jackland...@test.jackland.uk -k temp.keytab -s
 localhost to create a new one and then copy it over /etc/krb5.keytab,
 but this also didn't have any impact.
 
 Can anyone tell me what I need to do to make ssh password authentication
 work on a newly created ipamaster with ipa populated via ipa-restore?
 
 The VM is RHEL7.1 with the following versions of ipa-server and
 ipa-client installed.
 
 Many thanks
 
 Bob
 
 Name: ipa-server
 Arch: x86_64
 Version : 4.1.0
 Release : 18.el7_1.3
 Size: 4.2 M
 Repo: installed
From repo   : rhel-7-server-rpms
 Summary : The IPA authentication server
 URL : http://www.freeipa.org/
 Licence : GPLv3+
 Description : IPA is an integrated solution to provide centrally managed
 Identity (machine,
 : user, virtual machines, groups, authentication
 credentials), Policy
 : (configuration settings, access control information) and
 Audit (events,
 : logs, analysis thereof). If you are installing an IPA
 server you need
 : to install this package (in other words, most people
 should NOT install
 : this package).
 
 Name: ipa-client
 Arch: x86_64
 Version : 4.1.0
 Release : 18.el7_1.3
 Size: 440 k
 Repo: installed
From repo   : rhel-7-server-rpms
 Summary : IPA authentication for use on clients
 URL : http://www.freeipa.org/
 Licence : GPLv3+
 Description : IPA is an integrated solution to provide centrally managed
 Identity (machine,
 : user, virtual machines, groups, authentication
 credentials), Policy
 : (configuration settings, access control information) and
 Audit (events,
 : logs, analysis thereof). If your network uses IPA for
 authentication,
 : this package should be installed on every client machine.
 
 
 
 May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
 unknown client for unknown server, Decrypt integrity check failed
 while handling ap-request armor
 May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): closing
 down fd 11
 May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
 host/ipa004.test.jackland...@test.jackland.uk for
 krbtgt/test.jackland...@test.jackland.uk, Additional pre-authentication
 required
 May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing
 down fd 11
 May 23 12:10:19 

Re: [Freeipa-users] ipa-backup and ipa-restore

2015-05-25 Thread Martin Kosek
Good, thanks for confirmation. I filed Bugzilla to add this information to the
IPA guide:

https://bugzilla.redhat.com/show_bug.cgi?id=1224682

Please feel free to add any useful information you would like to see in the
guide to the Bugzilla comment.

Thank you,
Martin

On 05/25/2015 11:00 AM, Bob Hinton wrote:
 Hi Martin,
 
 Yes. This fixes the problem on a newly recreated ipamaster - it didn't
 work on the one I'd been playing around with.
 
 So the complete rebuild sequence was...
 
 1) On old ipamaster VM ipa004 (did this on 22/05/2015)
  login as an admin user with sudo to root access
  sudo -i
  ipa-backup
  tar cvfPz ipa004_backups_22052015.tgz /var/lib/ipa/backup
  scp ipa004_backups_22052015.tgz to a backup system, destroy old
 ipamaster VM
 
 2) Recreate ipamaster VM (identical configuration to original)
 From backup system -
 scp ipa004_backups_22052015.tgz admin@ipa004:
 ssh admin@ipa004
 su (enter root password - no users with sudo
 access exist yet)
 tar xvfPz ipa004_backups_22052015.tgz
 ipa-restore ipa-full-2015-05-22-17-28-01
 systemctl stop sssd
 rm -f /var/lib/sss/db/*
 systemctl start sssd
 
 Many thanks
 
 Bob
 
 On 25/05/2015 07:10, Martin Kosek wrote:
 On 05/23/2015 01:51 PM, Bob Hinton wrote:
 Hello,

 I've been trying to rebuild an ipamaster by using ipa-backup, destroying
 and recreating the ipamaster VM then using ipa-restore on the rebuilt
 master.

 Most functions of the newly built master work. Logging-in via ssh with
 keys works but using passwords produces Permission denied, please try
 again.

 Password attempts are logged with Authentication Failure in /var/log/secure

 May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
 May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
 May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user
 auser: 7 (Authentication failure)
 May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
 May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user
 auser: 7 (Authentication failure)
 May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure;
 logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
 May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 
 user=adminuser
 May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1
 user=adminuser
 May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user
 adminuser: 7 (Authentication failure)
 May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1
 user=adminuser
 May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user
 adminuser: 7 (Authentication failure)

 I have two test users adminuser and auser. I've tried various things
 with auser involving kadmin.local to attempt to change the kerberos
 password and ipa user-mod auser --principal-expiration=2012-01-01Z to
 try and force the user keytab to be invalid in the hope that it would be
 recreated, but this hasn't had any impact apart from slightly different
 errors in /var/log/krb5kdc.log (see below).

 I've also tried replacing the keytab by using  ipa-getkeytab -p
 host/ipa004.test.jackland...@test.jackland.uk -k temp.keytab -s
 localhost to create a new one and then copy it over /etc/krb5.keytab,
 but this also didn't have any impact.

 Can anyone tell me what I need to do to make ssh password authentication
 work on a newly created ipamaster with ipa populated via ipa-restore?

 The VM is RHEL7.1 with the following versions of ipa-server and
 ipa-client installed.

 Many thanks

 Bob

 Name: ipa-server
 Arch: x86_64
 Version : 4.1.0
 Release : 18.el7_1.3
 Size: 4.2 M
 Repo: installed
 From repo   : rhel-7-server-rpms
 Summary : The IPA authentication server
 URL : http://www.freeipa.org/
 Licence : GPLv3+
 Description : IPA is an integrated solution to provide centrally managed
 Identity (machine,
 : user, virtual machines, groups, authentication
 credentials), Policy
 : (configuration settings, access control information) and
 Audit (events,
 : logs, analysis thereof). If you are installing an IPA
 server you need
 : to install this package (in other words, most people
 should NOT install
 : this package).

 Name: ipa-client
 Arch: x86_64
 Version : 4.1.0
 Release : 18.el7_1.3
 Size: 440 k
 Repo: installed